]> git.ipfire.org Git - thirdparty/grsecurity-scrape.git/blame - test/grsecurity-2.2.2-3.0.7-201110191214.patch
projects / thirdparty / grsecurity-scrape.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / grsecurity-2.2.2-3.0.7-201110191214.patch
CommitLineData
b8c7bece
PK		 1diff -urNp linux-3.0.7/Documentation/dontdiff linux-3.0.7/Documentation/dontdiff
2--- linux-3.0.7/Documentation/dontdiff 2011-07-21 22:17:23.000000000 -0400
3+++ linux-3.0.7/Documentation/dontdiff 2011-10-07 19:07:23.000000000 -0400
4@@ -5,6 +5,7 @@
5 *.cis
6 *.cpio
7 *.csp
8+*.dbg
9 *.dsp
10 *.dvi
11 *.elf
12@@ -48,9 +49,11 @@
13 *.tab.h
14 *.tex
15 *.ver
16+*.vim
17 *.xml
18 *.xz
19 *_MODULES
20+*_reg_safe.h
21 *_vga16.c
22 *~
23 \#*#
24@@ -70,6 +73,7 @@ Kerntypes
25 Module.markers
26 Module.symvers
27 PENDING
28+PERF*
29 SCCS
30 System.map*
31 TAGS
32@@ -98,6 +102,8 @@ bzImage*
33 capability_names.h
34 capflags.c
35 classlist.h*
36+clut_vga16.c
37+common-cmds.h
38 comp*.log
39 compile.h*
40 conf
41@@ -126,12 +132,14 @@ fore200e_pca_fw.c*
42 gconf
43 gconf.glade.h
44 gen-devlist
45+gen-kdb_cmds.c
46 gen_crc32table
47 gen_init_cpio
48 generated
49 genheaders
50 genksyms
51 *_gray256.c
52+hash
53 hpet_example
54 hugepage-mmap
55 hugepage-shm
56@@ -146,7 +154,6 @@ int32.c
57 int4.c
58 int8.c
59 kallsyms
60-kconfig
61 keywords.c
62 ksym.c*
63 ksym.h*
64@@ -154,7 +161,6 @@ kxgettext
65 lkc_defs.h
66 lex.c
67 lex.*.c
68-linux
69 logo_*.c
70 logo_*_clut224.c
71 logo_*_mono.c
72@@ -166,7 +172,6 @@ machtypes.h
73 map
74 map_hugetlb
75 maui_boot.h
76-media
77 mconf
78 miboot*
79 mk_elfconfig
80@@ -174,6 +179,7 @@ mkboot
81 mkbugboot
82 mkcpustr
83 mkdep
84+mkpiggy
85 mkprep
86 mkregtable
87 mktables
88@@ -209,6 +215,7 @@ r300_reg_safe.h
89 r420_reg_safe.h
90 r600_reg_safe.h
91 recordmcount
92+regdb.c
93 relocs
94 rlim_names.h
95 rn50_reg_safe.h
96@@ -219,6 +226,7 @@ setup
97 setup.bin
98 setup.elf
99 sImage
100+slabinfo
101 sm_tbl*
102 split-include
103 syscalltab.h
104@@ -246,7 +254,9 @@ vmlinux
105 vmlinux-*
106 vmlinux.aout
107 vmlinux.bin.all
108+vmlinux.bin.bz2
109 vmlinux.lds
110+vmlinux.relocs
111 vmlinuz
112 voffset.h
113 vsyscall.lds
114@@ -254,6 +264,7 @@ vsyscall_32.lds
115 wanxlfw.inc
116 uImage
117 unifdef
118+utsrelease.h
119 wakeup.bin
120 wakeup.elf
121 wakeup.lds
122diff -urNp linux-3.0.7/Documentation/kernel-parameters.txt linux-3.0.7/Documentation/kernel-parameters.txt
123--- linux-3.0.7/Documentation/kernel-parameters.txt 2011-07-21 22:17:23.000000000 -0400
124+++ linux-3.0.7/Documentation/kernel-parameters.txt 2011-08-23 21:47:55.000000000 -0400
125@@ -1883,6 +1883,13 @@ bytes respectively. Such letter suffixes
126 the specified number of seconds. This is to be used if
127 your oopses keep scrolling off the screen.
128
129+ pax_nouderef [X86] disables UDEREF. Most likely needed under certain
130+ virtualization environments that don't cope well with the
131+ expand down segment used by UDEREF on X86-32 or the frequent
132+ page table updates on X86-64.
133+
134+ pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
135+
136 pcbit= [HW,ISDN]
137
138 pcd. [PARIDE]
139diff -urNp linux-3.0.7/Makefile linux-3.0.7/Makefile
140--- linux-3.0.7/Makefile 2011-10-17 23:17:08.000000000 -0400
141+++ linux-3.0.7/Makefile 2011-10-17 23:17:19.000000000 -0400
142@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
143
144 HOSTCC = gcc
145 HOSTCXX = g++
146-HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
147-HOSTCXXFLAGS = -O2
148+HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
149+HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
150+HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
151
152 # Decide whether to build built-in, modular, or both.
153 # Normally, just do built-in.
154@@ -365,10 +366,12 @@ LINUXINCLUDE := -I$(srctree)/arch/$(h
155 KBUILD_CPPFLAGS := -D__KERNEL__
156
157 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
158+ -W -Wno-unused-parameter -Wno-missing-field-initializers \
159 -fno-strict-aliasing -fno-common \
160 -Werror-implicit-function-declaration \
161 -Wno-format-security \
162 -fno-delete-null-pointer-checks
163+KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
164 KBUILD_AFLAGS_KERNEL :=
165 KBUILD_CFLAGS_KERNEL :=
166 KBUILD_AFLAGS := -D__ASSEMBLY__
167@@ -407,8 +410,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
168 # Rules shared between *config targets and build targets
169
170 # Basic helpers built in scripts/
171-PHONY += scripts_basic
172-scripts_basic:
173+PHONY += scripts_basic gcc-plugins
174+scripts_basic: gcc-plugins
175 $(Q)$(MAKE) $(build)=scripts/basic
176 $(Q)rm -f .tmp_quiet_recordmcount
177
178@@ -564,6 +567,36 @@ else
179 KBUILD_CFLAGS += -O2
180 endif
181
182+ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
183+CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
184+ifdef CONFIG_PAX_MEMORY_STACKLEAK
185+STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100
186+endif
187+ifdef CONFIG_KALLOCSTAT_PLUGIN
188+KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
189+endif
190+ifdef CONFIG_PAX_KERNEXEC_PLUGIN
191+KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
192+endif
193+ifdef CONFIG_CHECKER_PLUGIN
194+ifeq ($(call cc-ifversion, -ge, 0406, y), y)
195+CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
196+endif
197+endif
198+GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN)
199+export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
200+gcc-plugins:
201+ $(Q)$(MAKE) $(build)=tools/gcc
202+else
203+gcc-plugins:
204+ifeq ($(call cc-ifversion, -ge, 0405, y), y)
205+ $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev.))
206+else
207+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
208+endif
209+ $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure"
210+endif
211+
212 include $(srctree)/arch/$(SRCARCH)/Makefile
213
214 ifneq ($(CONFIG_FRAME_WARN),0)
215@@ -708,7 +741,7 @@ export mod_strip_cmd
216
217
218 ifeq ($(KBUILD_EXTMOD),)
219-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
220+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
221
222 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
223 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
224@@ -932,6 +965,7 @@ vmlinux.o: $(modpost-init) $(vmlinux-mai
225
226 # The actual objects are generated when descending,
227 # make sure no implicit rule kicks in
228+$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): KBUILD_CFLAGS += $(GCC_PLUGINS)
229 $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
230
231 # Handle descending into subdirectories listed in $(vmlinux-dirs)
232@@ -941,7 +975,7 @@ $(sort $(vmlinux-init) $(vmlinux-main))
233 # Error messages still appears in the original language
234
235 PHONY += $(vmlinux-dirs)
236-$(vmlinux-dirs): prepare scripts
237+$(vmlinux-dirs): gcc-plugins prepare scripts
238 $(Q)$(MAKE) $(build)=$@
239
240 # Store (new) KERNELRELASE string in include/config/kernel.release
241@@ -986,6 +1020,7 @@ prepare0: archprepare FORCE
242 $(Q)$(MAKE) $(build)=. missing-syscalls
243
244 # All the preparing..
245+prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS))
246 prepare: prepare0
247
248 # Generate some files
249@@ -1087,6 +1122,7 @@ all: modules
250 # using awk while concatenating to the final file.
251
252 PHONY += modules
253+modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
254 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
255 $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
256 @$(kecho) ' Building modules, stage 2.';
257@@ -1102,7 +1138,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modu
258
259 # Target to prepare building external modules
260 PHONY += modules_prepare
261-modules_prepare: prepare scripts
262+modules_prepare: gcc-plugins prepare scripts
263
264 # Target to install modules
265 PHONY += modules_install
266@@ -1198,7 +1234,7 @@ distclean: mrproper
267 @find $(srctree) $(RCS_FIND_IGNORE) \
268 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
269 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
270- -o -name '.*.rej' -o -size 0 \
271+ -o -name '.*.rej' -o -name '*.so' -o -size 0 \
272 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
273 -type f -print | xargs rm -f
274
275@@ -1359,6 +1395,7 @@ PHONY += $(module-dirs) modules
276 $(module-dirs): crmodverdir $(objtree)/Module.symvers
277 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
278
279+modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
280 modules: $(module-dirs)
281 @$(kecho) ' Building modules, stage 2.';
282 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
283@@ -1485,17 +1522,19 @@ else
284 target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
285 endif
286
287-%.s: %.c prepare scripts FORCE
288+%.s: KBUILD_CFLAGS += $(GCC_PLUGINS)
289+%.s: %.c gcc-plugins prepare scripts FORCE
290 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
291 %.i: %.c prepare scripts FORCE
292 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
293-%.o: %.c prepare scripts FORCE
294+%.o: KBUILD_CFLAGS += $(GCC_PLUGINS)
295+%.o: %.c gcc-plugins prepare scripts FORCE
296 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
297 %.lst: %.c prepare scripts FORCE
298 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
299-%.s: %.S prepare scripts FORCE
300+%.s: %.S gcc-plugins prepare scripts FORCE
301 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
302-%.o: %.S prepare scripts FORCE
303+%.o: %.S gcc-plugins prepare scripts FORCE
304 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
305 %.symtypes: %.c prepare scripts FORCE
306 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
307@@ -1505,11 +1544,13 @@ endif
308 $(cmd_crmodverdir)
309 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
310 $(build)=$(build-dir)
311-%/: prepare scripts FORCE
312+%/: KBUILD_CFLAGS += $(GCC_PLUGINS)
313+%/: gcc-plugins prepare scripts FORCE
314 $(cmd_crmodverdir)
315 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
316 $(build)=$(build-dir)
317-%.ko: prepare scripts FORCE
318+%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS)
319+%.ko: gcc-plugins prepare scripts FORCE
320 $(cmd_crmodverdir)
321 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
322 $(build)=$(build-dir) $(@:.ko=.o)
323diff -urNp linux-3.0.7/arch/alpha/include/asm/elf.h linux-3.0.7/arch/alpha/include/asm/elf.h
324--- linux-3.0.7/arch/alpha/include/asm/elf.h 2011-07-21 22:17:23.000000000 -0400
325+++ linux-3.0.7/arch/alpha/include/asm/elf.h 2011-08-23 21:47:55.000000000 -0400
326@@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
327
328 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
329
330+#ifdef CONFIG_PAX_ASLR
331+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
332+
333+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
334+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
335+#endif
336+
337 /* $0 is set by ld.so to a pointer to a function which might be
338 registered using atexit. This provides a mean for the dynamic
339 linker to call DT_FINI functions for shared libraries that have
340diff -urNp linux-3.0.7/arch/alpha/include/asm/pgtable.h linux-3.0.7/arch/alpha/include/asm/pgtable.h
341--- linux-3.0.7/arch/alpha/include/asm/pgtable.h 2011-07-21 22:17:23.000000000 -0400
342+++ linux-3.0.7/arch/alpha/include/asm/pgtable.h 2011-08-23 21:47:55.000000000 -0400
343@@ -101,6 +101,17 @@ struct vm_area_struct;
344 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
345 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
346 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
347+
348+#ifdef CONFIG_PAX_PAGEEXEC
349+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
350+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
351+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
352+#else
353+# define PAGE_SHARED_NOEXEC PAGE_SHARED
354+# define PAGE_COPY_NOEXEC PAGE_COPY
355+# define PAGE_READONLY_NOEXEC PAGE_READONLY
356+#endif
357+
358 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
359
360 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
361diff -urNp linux-3.0.7/arch/alpha/kernel/module.c linux-3.0.7/arch/alpha/kernel/module.c
362--- linux-3.0.7/arch/alpha/kernel/module.c 2011-07-21 22:17:23.000000000 -0400
363+++ linux-3.0.7/arch/alpha/kernel/module.c 2011-08-23 21:47:55.000000000 -0400
364@@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
365
366 /* The small sections were sorted to the end of the segment.
367 The following should definitely cover them. */
368- gp = (u64)me->module_core + me->core_size - 0x8000;
369+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
370 got = sechdrs[me->arch.gotsecindex].sh_addr;
371
372 for (i = 0; i < n; i++) {
373diff -urNp linux-3.0.7/arch/alpha/kernel/osf_sys.c linux-3.0.7/arch/alpha/kernel/osf_sys.c
374--- linux-3.0.7/arch/alpha/kernel/osf_sys.c 2011-07-21 22:17:23.000000000 -0400
375+++ linux-3.0.7/arch/alpha/kernel/osf_sys.c 2011-08-23 21:47:55.000000000 -0400
376@@ -1145,7 +1145,7 @@ arch_get_unmapped_area_1(unsigned long a
377 /* At this point: (!vma || addr < vma->vm_end). */
378 if (limit - len < addr)
379 return -ENOMEM;
380- if (!vma || addr + len <= vma->vm_start)
381+ if (check_heap_stack_gap(vma, addr, len))
382 return addr;
383 addr = vma->vm_end;
384 vma = vma->vm_next;
385@@ -1181,6 +1181,10 @@ arch_get_unmapped_area(struct file *filp
386 merely specific addresses, but regions of memory -- perhaps
387 this feature should be incorporated into all ports? */
388
389+#ifdef CONFIG_PAX_RANDMMAP
390+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
391+#endif
392+
393 if (addr) {
394 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
395 if (addr != (unsigned long) -ENOMEM)
396@@ -1188,8 +1192,8 @@ arch_get_unmapped_area(struct file *filp
397 }
398
399 /* Next, try allocating at TASK_UNMAPPED_BASE. */
400- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
401- len, limit);
402+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
403+
404 if (addr != (unsigned long) -ENOMEM)
405 return addr;
406
407diff -urNp linux-3.0.7/arch/alpha/mm/fault.c linux-3.0.7/arch/alpha/mm/fault.c
408--- linux-3.0.7/arch/alpha/mm/fault.c 2011-07-21 22:17:23.000000000 -0400
409+++ linux-3.0.7/arch/alpha/mm/fault.c 2011-08-23 21:47:55.000000000 -0400
410@@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
411 __reload_thread(pcb);
412 }
413
414+#ifdef CONFIG_PAX_PAGEEXEC
415+/*
416+ * PaX: decide what to do with offenders (regs->pc = fault address)
417+ *
418+ * returns 1 when task should be killed
419+ * 2 when patched PLT trampoline was detected
420+ * 3 when unpatched PLT trampoline was detected
421+ */
422+static int pax_handle_fetch_fault(struct pt_regs *regs)
423+{
424+
425+#ifdef CONFIG_PAX_EMUPLT
426+ int err;
427+
428+ do { /* PaX: patched PLT emulation #1 */
429+ unsigned int ldah, ldq, jmp;
430+
431+ err = get_user(ldah, (unsigned int *)regs->pc);
432+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
433+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
434+
435+ if (err)
436+ break;
437+
438+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
439+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
440+ jmp == 0x6BFB0000U)
441+ {
442+ unsigned long r27, addr;
443+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
444+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
445+
446+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
447+ err = get_user(r27, (unsigned long *)addr);
448+ if (err)
449+ break;
450+
451+ regs->r27 = r27;
452+ regs->pc = r27;
453+ return 2;
454+ }
455+ } while (0);
456+
457+ do { /* PaX: patched PLT emulation #2 */
458+ unsigned int ldah, lda, br;
459+
460+ err = get_user(ldah, (unsigned int *)regs->pc);
461+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
462+ err |= get_user(br, (unsigned int *)(regs->pc+8));
463+
464+ if (err)
465+ break;
466+
467+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
468+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
469+ (br & 0xFFE00000U) == 0xC3E00000U)
470+ {
471+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
472+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
473+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
474+
475+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
476+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
477+ return 2;
478+ }
479+ } while (0);
480+
481+ do { /* PaX: unpatched PLT emulation */
482+ unsigned int br;
483+
484+ err = get_user(br, (unsigned int *)regs->pc);
485+
486+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
487+ unsigned int br2, ldq, nop, jmp;
488+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
489+
490+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
491+ err = get_user(br2, (unsigned int *)addr);
492+ err |= get_user(ldq, (unsigned int *)(addr+4));
493+ err |= get_user(nop, (unsigned int *)(addr+8));
494+ err |= get_user(jmp, (unsigned int *)(addr+12));
495+ err |= get_user(resolver, (unsigned long *)(addr+16));
496+
497+ if (err)
498+ break;
499+
500+ if (br2 == 0xC3600000U &&
501+ ldq == 0xA77B000CU &&
502+ nop == 0x47FF041FU &&
503+ jmp == 0x6B7B0000U)
504+ {
505+ regs->r28 = regs->pc+4;
506+ regs->r27 = addr+16;
507+ regs->pc = resolver;
508+ return 3;
509+ }
510+ }
511+ } while (0);
512+#endif
513+
514+ return 1;
515+}
516+
517+void pax_report_insns(void *pc, void *sp)
518+{
519+ unsigned long i;
520+
521+ printk(KERN_ERR "PAX: bytes at PC: ");
522+ for (i = 0; i < 5; i++) {
523+ unsigned int c;
524+ if (get_user(c, (unsigned int *)pc+i))
525+ printk(KERN_CONT "???????? ");
526+ else
527+ printk(KERN_CONT "%08x ", c);
528+ }
529+ printk("\n");
530+}
531+#endif
532
533 /*
534 * This routine handles page faults. It determines the address,
535@@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
536 good_area:
537 si_code = SEGV_ACCERR;
538 if (cause < 0) {
539- if (!(vma->vm_flags & VM_EXEC))
540+ if (!(vma->vm_flags & VM_EXEC)) {
541+
542+#ifdef CONFIG_PAX_PAGEEXEC
543+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
544+ goto bad_area;
545+
546+ up_read(&mm->mmap_sem);
547+ switch (pax_handle_fetch_fault(regs)) {
548+
549+#ifdef CONFIG_PAX_EMUPLT
550+ case 2:
551+ case 3:
552+ return;
553+#endif
554+
555+ }
556+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
557+ do_group_exit(SIGKILL);
558+#else
559 goto bad_area;
560+#endif
561+
562+ }
563 } else if (!cause) {
564 /* Allow reads even for write-only mappings */
565 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
566diff -urNp linux-3.0.7/arch/arm/include/asm/elf.h linux-3.0.7/arch/arm/include/asm/elf.h
567--- linux-3.0.7/arch/arm/include/asm/elf.h 2011-07-21 22:17:23.000000000 -0400
568+++ linux-3.0.7/arch/arm/include/asm/elf.h 2011-08-23 21:47:55.000000000 -0400
569@@ -116,7 +116,14 @@ int dump_task_regs(struct task_struct *t
570 the loader. We need to make sure that it is out of the way of the program
571 that it will "exec", and that there is sufficient room for the brk. */
572
573-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
574+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
575+
576+#ifdef CONFIG_PAX_ASLR
577+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
578+
579+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
580+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
581+#endif
582
583 /* When the program starts, a1 contains a pointer to a function to be
584 registered with atexit, as per the SVR4 ABI. A value of 0 means we
585@@ -126,10 +133,6 @@ int dump_task_regs(struct task_struct *t
586 extern void elf_set_personality(const struct elf32_hdr *);
587 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
588
589-struct mm_struct;
590-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
591-#define arch_randomize_brk arch_randomize_brk
592-
593 extern int vectors_user_mapping(void);
594 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
595 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
596diff -urNp linux-3.0.7/arch/arm/include/asm/kmap_types.h linux-3.0.7/arch/arm/include/asm/kmap_types.h
597--- linux-3.0.7/arch/arm/include/asm/kmap_types.h 2011-07-21 22:17:23.000000000 -0400
598+++ linux-3.0.7/arch/arm/include/asm/kmap_types.h 2011-08-23 21:47:55.000000000 -0400
599@@ -21,6 +21,7 @@ enum km_type {
600 KM_L1_CACHE,
601 KM_L2_CACHE,
602 KM_KDB,
603+ KM_CLEARPAGE,
604 KM_TYPE_NR
605 };
606
607diff -urNp linux-3.0.7/arch/arm/include/asm/uaccess.h linux-3.0.7/arch/arm/include/asm/uaccess.h
608--- linux-3.0.7/arch/arm/include/asm/uaccess.h 2011-07-21 22:17:23.000000000 -0400
609+++ linux-3.0.7/arch/arm/include/asm/uaccess.h 2011-08-23 21:47:55.000000000 -0400
610@@ -22,6 +22,8 @@
611 #define VERIFY_READ 0
612 #define VERIFY_WRITE 1
613
614+extern void check_object_size(const void *ptr, unsigned long n, bool to);
615+
616 /*
617 * The exception table consists of pairs of addresses: the first is the
618 * address of an instruction that is allowed to fault, and the second is
619@@ -387,8 +389,23 @@ do { \
620
621
622 #ifdef CONFIG_MMU
623-extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
624-extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
625+extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
626+extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
627+
628+static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
629+{
630+ if (!__builtin_constant_p(n))
631+ check_object_size(to, n, false);
632+ return ___copy_from_user(to, from, n);
633+}
634+
635+static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
636+{
637+ if (!__builtin_constant_p(n))
638+ check_object_size(from, n, true);
639+ return ___copy_to_user(to, from, n);
640+}
641+
642 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
643 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
644 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
645@@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
646
647 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
648 {
649+ if ((long)n < 0)
650+ return n;
651+
652 if (access_ok(VERIFY_READ, from, n))
653 n = __copy_from_user(to, from, n);
654 else /* security hole - plug it */
655@@ -412,6 +432,9 @@ static inline unsigned long __must_check
656
657 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
658 {
659+ if ((long)n < 0)
660+ return n;
661+
662 if (access_ok(VERIFY_WRITE, to, n))
663 n = __copy_to_user(to, from, n);
664 return n;
665diff -urNp linux-3.0.7/arch/arm/kernel/armksyms.c linux-3.0.7/arch/arm/kernel/armksyms.c
666--- linux-3.0.7/arch/arm/kernel/armksyms.c 2011-07-21 22:17:23.000000000 -0400
667+++ linux-3.0.7/arch/arm/kernel/armksyms.c 2011-08-23 21:47:55.000000000 -0400
668@@ -98,8 +98,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
669 #ifdef CONFIG_MMU
670 EXPORT_SYMBOL(copy_page);
671
672-EXPORT_SYMBOL(__copy_from_user);
673-EXPORT_SYMBOL(__copy_to_user);
674+EXPORT_SYMBOL(___copy_from_user);
675+EXPORT_SYMBOL(___copy_to_user);
676 EXPORT_SYMBOL(__clear_user);
677
678 EXPORT_SYMBOL(__get_user_1);
679diff -urNp linux-3.0.7/arch/arm/kernel/process.c linux-3.0.7/arch/arm/kernel/process.c
680--- linux-3.0.7/arch/arm/kernel/process.c 2011-07-21 22:17:23.000000000 -0400
681+++ linux-3.0.7/arch/arm/kernel/process.c 2011-08-23 21:47:55.000000000 -0400
682@@ -28,7 +28,6 @@
683 #include <linux/tick.h>
684 #include <linux/utsname.h>
685 #include <linux/uaccess.h>
686-#include <linux/random.h>
687 #include <linux/hw_breakpoint.h>
688
689 #include <asm/cacheflush.h>
690@@ -479,12 +478,6 @@ unsigned long get_wchan(struct task_stru
691 return 0;
692 }
693
694-unsigned long arch_randomize_brk(struct mm_struct *mm)
695-{
696- unsigned long range_end = mm->brk + 0x02000000;
697- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
698-}
699-
700 #ifdef CONFIG_MMU
701 /*
702 * The vectors page is always readable from user space for the
703diff -urNp linux-3.0.7/arch/arm/kernel/traps.c linux-3.0.7/arch/arm/kernel/traps.c
704--- linux-3.0.7/arch/arm/kernel/traps.c 2011-07-21 22:17:23.000000000 -0400
705+++ linux-3.0.7/arch/arm/kernel/traps.c 2011-08-23 21:48:14.000000000 -0400
706@@ -257,6 +257,8 @@ static int __die(const char *str, int er
707
708 static DEFINE_SPINLOCK(die_lock);
709
710+extern void gr_handle_kernel_exploit(void);
711+
712 /*
713 * This function is protected against re-entrancy.
714 */
715@@ -284,6 +286,9 @@ void die(const char *str, struct pt_regs
716 panic("Fatal exception in interrupt");
717 if (panic_on_oops)
718 panic("Fatal exception");
719+
720+ gr_handle_kernel_exploit();
721+
722 if (ret != NOTIFY_STOP)
723 do_exit(SIGSEGV);
724 }
725diff -urNp linux-3.0.7/arch/arm/lib/copy_from_user.S linux-3.0.7/arch/arm/lib/copy_from_user.S
726--- linux-3.0.7/arch/arm/lib/copy_from_user.S 2011-07-21 22:17:23.000000000 -0400
727+++ linux-3.0.7/arch/arm/lib/copy_from_user.S 2011-08-23 21:47:55.000000000 -0400
728@@ -16,7 +16,7 @@
729 /*
730 * Prototype:
731 *
732- * size_t __copy_from_user(void *to, const void *from, size_t n)
733+ * size_t ___copy_from_user(void *to, const void *from, size_t n)
734 *
735 * Purpose:
736 *
737@@ -84,11 +84,11 @@
738
739 .text
740
741-ENTRY(__copy_from_user)
742+ENTRY(___copy_from_user)
743
744 #include "copy_template.S"
745
746-ENDPROC(__copy_from_user)
747+ENDPROC(___copy_from_user)
748
749 .pushsection .fixup,"ax"
750 .align 0
751diff -urNp linux-3.0.7/arch/arm/lib/copy_to_user.S linux-3.0.7/arch/arm/lib/copy_to_user.S
752--- linux-3.0.7/arch/arm/lib/copy_to_user.S 2011-07-21 22:17:23.000000000 -0400
753+++ linux-3.0.7/arch/arm/lib/copy_to_user.S 2011-08-23 21:47:55.000000000 -0400
754@@ -16,7 +16,7 @@
755 /*
756 * Prototype:
757 *
758- * size_t __copy_to_user(void *to, const void *from, size_t n)
759+ * size_t ___copy_to_user(void *to, const void *from, size_t n)
760 *
761 * Purpose:
762 *
763@@ -88,11 +88,11 @@
764 .text
765
766 ENTRY(__copy_to_user_std)
767-WEAK(__copy_to_user)
768+WEAK(___copy_to_user)
769
770 #include "copy_template.S"
771
772-ENDPROC(__copy_to_user)
773+ENDPROC(___copy_to_user)
774 ENDPROC(__copy_to_user_std)
775
776 .pushsection .fixup,"ax"
777diff -urNp linux-3.0.7/arch/arm/lib/uaccess.S linux-3.0.7/arch/arm/lib/uaccess.S
778--- linux-3.0.7/arch/arm/lib/uaccess.S 2011-07-21 22:17:23.000000000 -0400
779+++ linux-3.0.7/arch/arm/lib/uaccess.S 2011-08-23 21:47:55.000000000 -0400
780@@ -20,7 +20,7 @@
781
782 #define PAGE_SHIFT 12
783
784-/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
785+/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
786 * Purpose : copy a block to user memory from kernel memory
787 * Params : to - user memory
788 * : from - kernel memory
789@@ -40,7 +40,7 @@ USER( T(strgtb) r3, [r0], #1) @ May f
790 sub r2, r2, ip
791 b .Lc2u_dest_aligned
792
793-ENTRY(__copy_to_user)
794+ENTRY(___copy_to_user)
795 stmfd sp!, {r2, r4 - r7, lr}
796 cmp r2, #4
797 blt .Lc2u_not_enough
798@@ -278,14 +278,14 @@ USER( T(strgeb) r3, [r0], #1) @ May f
799 ldrgtb r3, [r1], #0
800 USER( T(strgtb) r3, [r0], #1) @ May fault
801 b .Lc2u_finished
802-ENDPROC(__copy_to_user)
803+ENDPROC(___copy_to_user)
804
805 .pushsection .fixup,"ax"
806 .align 0
807 9001: ldmfd sp!, {r0, r4 - r7, pc}
808 .popsection
809
810-/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
811+/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
812 * Purpose : copy a block from user memory to kernel memory
813 * Params : to - kernel memory
814 * : from - user memory
815@@ -304,7 +304,7 @@ USER( T(ldrgtb) r3, [r1], #1) @ May f
816 sub r2, r2, ip
817 b .Lcfu_dest_aligned
818
819-ENTRY(__copy_from_user)
820+ENTRY(___copy_from_user)
821 stmfd sp!, {r0, r2, r4 - r7, lr}
822 cmp r2, #4
823 blt .Lcfu_not_enough
824@@ -544,7 +544,7 @@ USER( T(ldrgeb) r3, [r1], #1) @ May f
825 USER( T(ldrgtb) r3, [r1], #1) @ May fault
826 strgtb r3, [r0], #1
827 b .Lcfu_finished
828-ENDPROC(__copy_from_user)
829+ENDPROC(___copy_from_user)
830
831 .pushsection .fixup,"ax"
832 .align 0
833diff -urNp linux-3.0.7/arch/arm/lib/uaccess_with_memcpy.c linux-3.0.7/arch/arm/lib/uaccess_with_memcpy.c
834--- linux-3.0.7/arch/arm/lib/uaccess_with_memcpy.c 2011-07-21 22:17:23.000000000 -0400
835+++ linux-3.0.7/arch/arm/lib/uaccess_with_memcpy.c 2011-08-23 21:47:55.000000000 -0400
836@@ -103,7 +103,7 @@ out:
837 }
838
839 unsigned long
840-__copy_to_user(void __user *to, const void *from, unsigned long n)
841+___copy_to_user(void __user *to, const void *from, unsigned long n)
842 {
843 /*
844 * This test is stubbed out of the main function above to keep
845diff -urNp linux-3.0.7/arch/arm/mach-ux500/mbox-db5500.c linux-3.0.7/arch/arm/mach-ux500/mbox-db5500.c
846--- linux-3.0.7/arch/arm/mach-ux500/mbox-db5500.c 2011-07-21 22:17:23.000000000 -0400
847+++ linux-3.0.7/arch/arm/mach-ux500/mbox-db5500.c 2011-08-23 21:48:14.000000000 -0400
848@@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
849 return sprintf(buf, "0x%X\n", mbox_value);
850 }
851
852-static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
853+static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
854
855 static int mbox_show(struct seq_file *s, void *data)
856 {
857diff -urNp linux-3.0.7/arch/arm/mm/fault.c linux-3.0.7/arch/arm/mm/fault.c
858--- linux-3.0.7/arch/arm/mm/fault.c 2011-07-21 22:17:23.000000000 -0400
859+++ linux-3.0.7/arch/arm/mm/fault.c 2011-08-23 21:47:55.000000000 -0400
860@@ -182,6 +182,13 @@ __do_user_fault(struct task_struct *tsk,
861 }
862 #endif
863
864+#ifdef CONFIG_PAX_PAGEEXEC
865+ if (fsr & FSR_LNX_PF) {
866+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
867+ do_group_exit(SIGKILL);
868+ }
869+#endif
870+
871 tsk->thread.address = addr;
872 tsk->thread.error_code = fsr;
873 tsk->thread.trap_no = 14;
874@@ -379,6 +386,33 @@ do_page_fault(unsigned long addr, unsign
875 }
876 #endif /* CONFIG_MMU */
877
878+#ifdef CONFIG_PAX_PAGEEXEC
879+void pax_report_insns(void *pc, void *sp)
880+{
881+ long i;
882+
883+ printk(KERN_ERR "PAX: bytes at PC: ");
884+ for (i = 0; i < 20; i++) {
885+ unsigned char c;
886+ if (get_user(c, (__force unsigned char __user *)pc+i))
887+ printk(KERN_CONT "?? ");
888+ else
889+ printk(KERN_CONT "%02x ", c);
890+ }
891+ printk("\n");
892+
893+ printk(KERN_ERR "PAX: bytes at SP-4: ");
894+ for (i = -1; i < 20; i++) {
895+ unsigned long c;
896+ if (get_user(c, (__force unsigned long __user *)sp+i))
897+ printk(KERN_CONT "???????? ");
898+ else
899+ printk(KERN_CONT "%08lx ", c);
900+ }
901+ printk("\n");
902+}
903+#endif
904+
905 /*
906 * First Level Translation Fault Handler
907 *
908diff -urNp linux-3.0.7/arch/arm/mm/mmap.c linux-3.0.7/arch/arm/mm/mmap.c
909--- linux-3.0.7/arch/arm/mm/mmap.c 2011-07-21 22:17:23.000000000 -0400
910+++ linux-3.0.7/arch/arm/mm/mmap.c 2011-08-23 21:47:55.000000000 -0400
911@@ -65,6 +65,10 @@ arch_get_unmapped_area(struct file *filp
912 if (len > TASK_SIZE)
913 return -ENOMEM;
914
915+#ifdef CONFIG_PAX_RANDMMAP
916+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
917+#endif
918+
919 if (addr) {
920 if (do_align)
921 addr = COLOUR_ALIGN(addr, pgoff);
922@@ -72,15 +76,14 @@ arch_get_unmapped_area(struct file *filp
923 addr = PAGE_ALIGN(addr);
924
925 vma = find_vma(mm, addr);
926- if (TASK_SIZE - len >= addr &&
927- (!vma || addr + len <= vma->vm_start))
928+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
929 return addr;
930 }
931 if (len > mm->cached_hole_size) {
932- start_addr = addr = mm->free_area_cache;
933+ start_addr = addr = mm->free_area_cache;
934 } else {
935- start_addr = addr = TASK_UNMAPPED_BASE;
936- mm->cached_hole_size = 0;
937+ start_addr = addr = mm->mmap_base;
938+ mm->cached_hole_size = 0;
939 }
940 /* 8 bits of randomness in 20 address space bits */
941 if ((current->flags & PF_RANDOMIZE) &&
942@@ -100,14 +103,14 @@ full_search:
943 * Start a new search - just in case we missed
944 * some holes.
945 */
946- if (start_addr != TASK_UNMAPPED_BASE) {
947- start_addr = addr = TASK_UNMAPPED_BASE;
948+ if (start_addr != mm->mmap_base) {
949+ start_addr = addr = mm->mmap_base;
950 mm->cached_hole_size = 0;
951 goto full_search;
952 }
953 return -ENOMEM;
954 }
955- if (!vma || addr + len <= vma->vm_start) {
956+ if (check_heap_stack_gap(vma, addr, len)) {
957 /*
958 * Remember the place where we stopped the search:
959 */
960diff -urNp linux-3.0.7/arch/avr32/include/asm/elf.h linux-3.0.7/arch/avr32/include/asm/elf.h
961--- linux-3.0.7/arch/avr32/include/asm/elf.h 2011-07-21 22:17:23.000000000 -0400
962+++ linux-3.0.7/arch/avr32/include/asm/elf.h 2011-08-23 21:47:55.000000000 -0400
963@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
964 the loader. We need to make sure that it is out of the way of the program
965 that it will "exec", and that there is sufficient room for the brk. */
966
967-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
968+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
969
970+#ifdef CONFIG_PAX_ASLR
971+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
972+
973+#define PAX_DELTA_MMAP_LEN 15
974+#define PAX_DELTA_STACK_LEN 15
975+#endif
976
977 /* This yields a mask that user programs can use to figure out what
978 instruction set this CPU supports. This could be done in user space,
979diff -urNp linux-3.0.7/arch/avr32/include/asm/kmap_types.h linux-3.0.7/arch/avr32/include/asm/kmap_types.h
980--- linux-3.0.7/arch/avr32/include/asm/kmap_types.h 2011-07-21 22:17:23.000000000 -0400
981+++ linux-3.0.7/arch/avr32/include/asm/kmap_types.h 2011-08-23 21:47:55.000000000 -0400
982@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
983 D(11) KM_IRQ1,
984 D(12) KM_SOFTIRQ0,
985 D(13) KM_SOFTIRQ1,
986-D(14) KM_TYPE_NR
987+D(14) KM_CLEARPAGE,
988+D(15) KM_TYPE_NR
989 };
990
991 #undef D
992diff -urNp linux-3.0.7/arch/avr32/mm/fault.c linux-3.0.7/arch/avr32/mm/fault.c
993--- linux-3.0.7/arch/avr32/mm/fault.c 2011-07-21 22:17:23.000000000 -0400
994+++ linux-3.0.7/arch/avr32/mm/fault.c 2011-08-23 21:47:55.000000000 -0400
995@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
996
997 int exception_trace = 1;
998
999+#ifdef CONFIG_PAX_PAGEEXEC
1000+void pax_report_insns(void *pc, void *sp)
1001+{
1002+ unsigned long i;
1003+
1004+ printk(KERN_ERR "PAX: bytes at PC: ");
1005+ for (i = 0; i < 20; i++) {
1006+ unsigned char c;
1007+ if (get_user(c, (unsigned char *)pc+i))
1008+ printk(KERN_CONT "???????? ");
1009+ else
1010+ printk(KERN_CONT "%02x ", c);
1011+ }
1012+ printk("\n");
1013+}
1014+#endif
1015+
1016 /*
1017 * This routine handles page faults. It determines the address and the
1018 * problem, and then passes it off to one of the appropriate routines.
1019@@ -156,6 +173,16 @@ bad_area:
1020 up_read(&mm->mmap_sem);
1021
1022 if (user_mode(regs)) {
1023+
1024+#ifdef CONFIG_PAX_PAGEEXEC
1025+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
1026+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
1027+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
1028+ do_group_exit(SIGKILL);
1029+ }
1030+ }
1031+#endif
1032+
1033 if (exception_trace && printk_ratelimit())
1034 printk("%s%s[%d]: segfault at %08lx pc %08lx "
1035 "sp %08lx ecr %lu\n",
1036diff -urNp linux-3.0.7/arch/frv/include/asm/kmap_types.h linux-3.0.7/arch/frv/include/asm/kmap_types.h
1037--- linux-3.0.7/arch/frv/include/asm/kmap_types.h 2011-07-21 22:17:23.000000000 -0400
1038+++ linux-3.0.7/arch/frv/include/asm/kmap_types.h 2011-08-23 21:47:55.000000000 -0400
1039@@ -23,6 +23,7 @@ enum km_type {
1040 KM_IRQ1,
1041 KM_SOFTIRQ0,
1042 KM_SOFTIRQ1,
1043+ KM_CLEARPAGE,
1044 KM_TYPE_NR
1045 };
1046
1047diff -urNp linux-3.0.7/arch/frv/mm/elf-fdpic.c linux-3.0.7/arch/frv/mm/elf-fdpic.c
1048--- linux-3.0.7/arch/frv/mm/elf-fdpic.c 2011-07-21 22:17:23.000000000 -0400
1049+++ linux-3.0.7/arch/frv/mm/elf-fdpic.c 2011-08-23 21:47:55.000000000 -0400
1050@@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
1051 if (addr) {
1052 addr = PAGE_ALIGN(addr);
1053 vma = find_vma(current->mm, addr);
1054- if (TASK_SIZE - len >= addr &&
1055- (!vma || addr + len <= vma->vm_start))
1056+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
1057 goto success;
1058 }
1059
1060@@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
1061 for (; vma; vma = vma->vm_next) {
1062 if (addr > limit)
1063 break;
1064- if (addr + len <= vma->vm_start)
1065+ if (check_heap_stack_gap(vma, addr, len))
1066 goto success;
1067 addr = vma->vm_end;
1068 }
1069@@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
1070 for (; vma; vma = vma->vm_next) {
1071 if (addr > limit)
1072 break;
1073- if (addr + len <= vma->vm_start)
1074+ if (check_heap_stack_gap(vma, addr, len))
1075 goto success;
1076 addr = vma->vm_end;
1077 }
1078diff -urNp linux-3.0.7/arch/ia64/include/asm/elf.h linux-3.0.7/arch/ia64/include/asm/elf.h
1079--- linux-3.0.7/arch/ia64/include/asm/elf.h 2011-07-21 22:17:23.000000000 -0400
1080+++ linux-3.0.7/arch/ia64/include/asm/elf.h 2011-08-23 21:47:55.000000000 -0400
1081@@ -42,6 +42,13 @@
1082 */
1083 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
1084
1085+#ifdef CONFIG_PAX_ASLR
1086+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
1087+
1088+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1089+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1090+#endif
1091+
1092 #define PT_IA_64_UNWIND 0x70000001
1093
1094 /* IA-64 relocations: */
1095diff -urNp linux-3.0.7/arch/ia64/include/asm/pgtable.h linux-3.0.7/arch/ia64/include/asm/pgtable.h
1096--- linux-3.0.7/arch/ia64/include/asm/pgtable.h 2011-07-21 22:17:23.000000000 -0400
1097+++ linux-3.0.7/arch/ia64/include/asm/pgtable.h 2011-08-23 21:47:55.000000000 -0400
1098@@ -12,7 +12,7 @@
1099 * David Mosberger-Tang <davidm@hpl.hp.com>
1100 */
1101
1102-
1103+#include <linux/const.h>
1104 #include <asm/mman.h>
1105 #include <asm/page.h>
1106 #include <asm/processor.h>
1107@@ -143,6 +143,17 @@
1108 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1109 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1110 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1111+
1112+#ifdef CONFIG_PAX_PAGEEXEC
1113+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1114+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1115+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1116+#else
1117+# define PAGE_SHARED_NOEXEC PAGE_SHARED
1118+# define PAGE_READONLY_NOEXEC PAGE_READONLY
1119+# define PAGE_COPY_NOEXEC PAGE_COPY
1120+#endif
1121+
1122 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1123 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1124 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
1125diff -urNp linux-3.0.7/arch/ia64/include/asm/spinlock.h linux-3.0.7/arch/ia64/include/asm/spinlock.h
1126--- linux-3.0.7/arch/ia64/include/asm/spinlock.h 2011-07-21 22:17:23.000000000 -0400
1127+++ linux-3.0.7/arch/ia64/include/asm/spinlock.h 2011-08-23 21:47:55.000000000 -0400
1128@@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1129 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1130
1131 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1132- ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1133+ ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1134 }
1135
1136 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
1137diff -urNp linux-3.0.7/arch/ia64/include/asm/uaccess.h linux-3.0.7/arch/ia64/include/asm/uaccess.h
1138--- linux-3.0.7/arch/ia64/include/asm/uaccess.h 2011-07-21 22:17:23.000000000 -0400
1139+++ linux-3.0.7/arch/ia64/include/asm/uaccess.h 2011-08-23 21:47:55.000000000 -0400
1140@@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1141 const void *__cu_from = (from); \
1142 long __cu_len = (n); \
1143 \
1144- if (__access_ok(__cu_to, __cu_len, get_fs())) \
1145+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1146 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1147 __cu_len; \
1148 })
1149@@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1150 long __cu_len = (n); \
1151 \
1152 __chk_user_ptr(__cu_from); \
1153- if (__access_ok(__cu_from, __cu_len, get_fs())) \
1154+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1155 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1156 __cu_len; \
1157 })
1158diff -urNp linux-3.0.7/arch/ia64/kernel/module.c linux-3.0.7/arch/ia64/kernel/module.c
1159--- linux-3.0.7/arch/ia64/kernel/module.c 2011-07-21 22:17:23.000000000 -0400
1160+++ linux-3.0.7/arch/ia64/kernel/module.c 2011-08-23 21:47:55.000000000 -0400
1161@@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1162 void
1163 module_free (struct module *mod, void *module_region)
1164 {
1165- if (mod && mod->arch.init_unw_table &&
1166- module_region == mod->module_init) {
1167+ if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1168 unw_remove_unwind_table(mod->arch.init_unw_table);
1169 mod->arch.init_unw_table = NULL;
1170 }
1171@@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1172 }
1173
1174 static inline int
1175+in_init_rx (const struct module *mod, uint64_t addr)
1176+{
1177+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1178+}
1179+
1180+static inline int
1181+in_init_rw (const struct module *mod, uint64_t addr)
1182+{
1183+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1184+}
1185+
1186+static inline int
1187 in_init (const struct module *mod, uint64_t addr)
1188 {
1189- return addr - (uint64_t) mod->module_init < mod->init_size;
1190+ return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1191+}
1192+
1193+static inline int
1194+in_core_rx (const struct module *mod, uint64_t addr)
1195+{
1196+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1197+}
1198+
1199+static inline int
1200+in_core_rw (const struct module *mod, uint64_t addr)
1201+{
1202+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1203 }
1204
1205 static inline int
1206 in_core (const struct module *mod, uint64_t addr)
1207 {
1208- return addr - (uint64_t) mod->module_core < mod->core_size;
1209+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1210 }
1211
1212 static inline int
1213@@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1214 break;
1215
1216 case RV_BDREL:
1217- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1218+ if (in_init_rx(mod, val))
1219+ val -= (uint64_t) mod->module_init_rx;
1220+ else if (in_init_rw(mod, val))
1221+ val -= (uint64_t) mod->module_init_rw;
1222+ else if (in_core_rx(mod, val))
1223+ val -= (uint64_t) mod->module_core_rx;
1224+ else if (in_core_rw(mod, val))
1225+ val -= (uint64_t) mod->module_core_rw;
1226 break;
1227
1228 case RV_LTV:
1229@@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1230 * addresses have been selected...
1231 */
1232 uint64_t gp;
1233- if (mod->core_size > MAX_LTOFF)
1234+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1235 /*
1236 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1237 * at the end of the module.
1238 */
1239- gp = mod->core_size - MAX_LTOFF / 2;
1240+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1241 else
1242- gp = mod->core_size / 2;
1243- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1244+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1245+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1246 mod->arch.gp = gp;
1247 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1248 }
1249diff -urNp linux-3.0.7/arch/ia64/kernel/sys_ia64.c linux-3.0.7/arch/ia64/kernel/sys_ia64.c
1250--- linux-3.0.7/arch/ia64/kernel/sys_ia64.c 2011-07-21 22:17:23.000000000 -0400
1251+++ linux-3.0.7/arch/ia64/kernel/sys_ia64.c 2011-08-23 21:47:55.000000000 -0400
1252@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1253 if (REGION_NUMBER(addr) == RGN_HPAGE)
1254 addr = 0;
1255 #endif
1256+
1257+#ifdef CONFIG_PAX_RANDMMAP
1258+ if (mm->pax_flags & MF_PAX_RANDMMAP)
1259+ addr = mm->free_area_cache;
1260+ else
1261+#endif
1262+
1263 if (!addr)
1264 addr = mm->free_area_cache;
1265
1266@@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1267 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1268 /* At this point: (!vma || addr < vma->vm_end). */
1269 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1270- if (start_addr != TASK_UNMAPPED_BASE) {
1271+ if (start_addr != mm->mmap_base) {
1272 /* Start a new search --- just in case we missed some holes. */
1273- addr = TASK_UNMAPPED_BASE;
1274+ addr = mm->mmap_base;
1275 goto full_search;
1276 }
1277 return -ENOMEM;
1278 }
1279- if (!vma || addr + len <= vma->vm_start) {
1280+ if (check_heap_stack_gap(vma, addr, len)) {
1281 /* Remember the address where we stopped this search: */
1282 mm->free_area_cache = addr + len;
1283 return addr;
1284diff -urNp linux-3.0.7/arch/ia64/kernel/vmlinux.lds.S linux-3.0.7/arch/ia64/kernel/vmlinux.lds.S
1285--- linux-3.0.7/arch/ia64/kernel/vmlinux.lds.S 2011-07-21 22:17:23.000000000 -0400
1286+++ linux-3.0.7/arch/ia64/kernel/vmlinux.lds.S 2011-08-23 21:47:55.000000000 -0400
1287@@ -199,7 +199,7 @@ SECTIONS {
1288 /* Per-cpu data: */
1289 . = ALIGN(PERCPU_PAGE_SIZE);
1290 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
1291- __phys_per_cpu_start = __per_cpu_load;
1292+ __phys_per_cpu_start = per_cpu_load;
1293 /*
1294 * ensure percpu data fits
1295 * into percpu page size
1296diff -urNp linux-3.0.7/arch/ia64/mm/fault.c linux-3.0.7/arch/ia64/mm/fault.c
1297--- linux-3.0.7/arch/ia64/mm/fault.c 2011-07-21 22:17:23.000000000 -0400
1298+++ linux-3.0.7/arch/ia64/mm/fault.c 2011-08-23 21:47:55.000000000 -0400
1299@@ -73,6 +73,23 @@ mapped_kernel_page_is_present (unsigned
1300 return pte_present(pte);
1301 }
1302
1303+#ifdef CONFIG_PAX_PAGEEXEC
1304+void pax_report_insns(void *pc, void *sp)
1305+{
1306+ unsigned long i;
1307+
1308+ printk(KERN_ERR "PAX: bytes at PC: ");
1309+ for (i = 0; i < 8; i++) {
1310+ unsigned int c;
1311+ if (get_user(c, (unsigned int *)pc+i))
1312+ printk(KERN_CONT "???????? ");
1313+ else
1314+ printk(KERN_CONT "%08x ", c);
1315+ }
1316+ printk("\n");
1317+}
1318+#endif
1319+
1320 void __kprobes
1321 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1322 {
1323@@ -146,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
1324 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1325 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1326
1327- if ((vma->vm_flags & mask) != mask)
1328+ if ((vma->vm_flags & mask) != mask) {
1329+
1330+#ifdef CONFIG_PAX_PAGEEXEC
1331+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1332+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1333+ goto bad_area;
1334+
1335+ up_read(&mm->mmap_sem);
1336+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1337+ do_group_exit(SIGKILL);
1338+ }
1339+#endif
1340+
1341 goto bad_area;
1342
1343+ }
1344+
1345 /*
1346 * If for any reason at all we couldn't handle the fault, make
1347 * sure we exit gracefully rather than endlessly redo the
1348diff -urNp linux-3.0.7/arch/ia64/mm/hugetlbpage.c linux-3.0.7/arch/ia64/mm/hugetlbpage.c
1349--- linux-3.0.7/arch/ia64/mm/hugetlbpage.c 2011-07-21 22:17:23.000000000 -0400
1350+++ linux-3.0.7/arch/ia64/mm/hugetlbpage.c 2011-08-23 21:47:55.000000000 -0400
1351@@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1352 /* At this point: (!vmm || addr < vmm->vm_end). */
1353 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1354 return -ENOMEM;
1355- if (!vmm || (addr + len) <= vmm->vm_start)
1356+ if (check_heap_stack_gap(vmm, addr, len))
1357 return addr;
1358 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1359 }
1360diff -urNp linux-3.0.7/arch/ia64/mm/init.c linux-3.0.7/arch/ia64/mm/init.c
1361--- linux-3.0.7/arch/ia64/mm/init.c 2011-07-21 22:17:23.000000000 -0400
1362+++ linux-3.0.7/arch/ia64/mm/init.c 2011-08-23 21:47:55.000000000 -0400
1363@@ -120,6 +120,19 @@ ia64_init_addr_space (void)
1364 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1365 vma->vm_end = vma->vm_start + PAGE_SIZE;
1366 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1367+
1368+#ifdef CONFIG_PAX_PAGEEXEC
1369+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1370+ vma->vm_flags &= ~VM_EXEC;
1371+
1372+#ifdef CONFIG_PAX_MPROTECT
1373+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
1374+ vma->vm_flags &= ~VM_MAYEXEC;
1375+#endif
1376+
1377+ }
1378+#endif
1379+
1380 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1381 down_write(&current->mm->mmap_sem);
1382 if (insert_vm_struct(current->mm, vma)) {
1383diff -urNp linux-3.0.7/arch/m32r/lib/usercopy.c linux-3.0.7/arch/m32r/lib/usercopy.c
1384--- linux-3.0.7/arch/m32r/lib/usercopy.c 2011-07-21 22:17:23.000000000 -0400
1385+++ linux-3.0.7/arch/m32r/lib/usercopy.c 2011-08-23 21:47:55.000000000 -0400
1386@@ -14,6 +14,9 @@
1387 unsigned long
1388 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1389 {
1390+ if ((long)n < 0)
1391+ return n;
1392+
1393 prefetch(from);
1394 if (access_ok(VERIFY_WRITE, to, n))
1395 __copy_user(to,from,n);
1396@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1397 unsigned long
1398 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1399 {
1400+ if ((long)n < 0)
1401+ return n;
1402+
1403 prefetchw(to);
1404 if (access_ok(VERIFY_READ, from, n))
1405 __copy_user_zeroing(to,from,n);
1406diff -urNp linux-3.0.7/arch/mips/include/asm/elf.h linux-3.0.7/arch/mips/include/asm/elf.h
1407--- linux-3.0.7/arch/mips/include/asm/elf.h 2011-07-21 22:17:23.000000000 -0400
1408+++ linux-3.0.7/arch/mips/include/asm/elf.h 2011-08-23 21:47:55.000000000 -0400
1409@@ -372,13 +372,16 @@ extern const char *__elf_platform;
1410 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1411 #endif
1412
1413+#ifdef CONFIG_PAX_ASLR
1414+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1415+
1416+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1417+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1418+#endif
1419+
1420 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1421 struct linux_binprm;
1422 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1423 int uses_interp);
1424
1425-struct mm_struct;
1426-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1427-#define arch_randomize_brk arch_randomize_brk
1428-
1429 #endif /* _ASM_ELF_H */
1430diff -urNp linux-3.0.7/arch/mips/include/asm/page.h linux-3.0.7/arch/mips/include/asm/page.h
1431--- linux-3.0.7/arch/mips/include/asm/page.h 2011-07-21 22:17:23.000000000 -0400
1432+++ linux-3.0.7/arch/mips/include/asm/page.h 2011-08-23 21:47:55.000000000 -0400
1433@@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1434 #ifdef CONFIG_CPU_MIPS32
1435 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1436 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1437- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1438+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1439 #else
1440 typedef struct { unsigned long long pte; } pte_t;
1441 #define pte_val(x) ((x).pte)
1442diff -urNp linux-3.0.7/arch/mips/include/asm/system.h linux-3.0.7/arch/mips/include/asm/system.h
1443--- linux-3.0.7/arch/mips/include/asm/system.h 2011-07-21 22:17:23.000000000 -0400
1444+++ linux-3.0.7/arch/mips/include/asm/system.h 2011-08-23 21:47:55.000000000 -0400
1445@@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1446 */
1447 #define __ARCH_WANT_UNLOCKED_CTXSW
1448
1449-extern unsigned long arch_align_stack(unsigned long sp);
1450+#define arch_align_stack(x) ((x) & ~0xfUL)
1451
1452 #endif /* _ASM_SYSTEM_H */
1453diff -urNp linux-3.0.7/arch/mips/kernel/binfmt_elfn32.c linux-3.0.7/arch/mips/kernel/binfmt_elfn32.c
1454--- linux-3.0.7/arch/mips/kernel/binfmt_elfn32.c 2011-07-21 22:17:23.000000000 -0400
1455+++ linux-3.0.7/arch/mips/kernel/binfmt_elfn32.c 2011-08-23 21:47:55.000000000 -0400
1456@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1457 #undef ELF_ET_DYN_BASE
1458 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1459
1460+#ifdef CONFIG_PAX_ASLR
1461+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1462+
1463+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1464+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1465+#endif
1466+
1467 #include <asm/processor.h>
1468 #include <linux/module.h>
1469 #include <linux/elfcore.h>
1470diff -urNp linux-3.0.7/arch/mips/kernel/binfmt_elfo32.c linux-3.0.7/arch/mips/kernel/binfmt_elfo32.c
1471--- linux-3.0.7/arch/mips/kernel/binfmt_elfo32.c 2011-07-21 22:17:23.000000000 -0400
1472+++ linux-3.0.7/arch/mips/kernel/binfmt_elfo32.c 2011-08-23 21:47:55.000000000 -0400
1473@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1474 #undef ELF_ET_DYN_BASE
1475 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1476
1477+#ifdef CONFIG_PAX_ASLR
1478+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1479+
1480+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1481+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1482+#endif
1483+
1484 #include <asm/processor.h>
1485
1486 /*
1487diff -urNp linux-3.0.7/arch/mips/kernel/process.c linux-3.0.7/arch/mips/kernel/process.c
1488--- linux-3.0.7/arch/mips/kernel/process.c 2011-07-21 22:17:23.000000000 -0400
1489+++ linux-3.0.7/arch/mips/kernel/process.c 2011-08-23 21:47:55.000000000 -0400
1490@@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
1491 out:
1492 return pc;
1493 }
1494-
1495-/*
1496- * Don't forget that the stack pointer must be aligned on a 8 bytes
1497- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1498- */
1499-unsigned long arch_align_stack(unsigned long sp)
1500-{
1501- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1502- sp -= get_random_int() & ~PAGE_MASK;
1503-
1504- return sp & ALMASK;
1505-}
1506diff -urNp linux-3.0.7/arch/mips/mm/fault.c linux-3.0.7/arch/mips/mm/fault.c
1507--- linux-3.0.7/arch/mips/mm/fault.c 2011-07-21 22:17:23.000000000 -0400
1508+++ linux-3.0.7/arch/mips/mm/fault.c 2011-08-23 21:47:55.000000000 -0400
1509@@ -28,6 +28,23 @@
1510 #include <asm/highmem.h> /* For VMALLOC_END */
1511 #include <linux/kdebug.h>
1512
1513+#ifdef CONFIG_PAX_PAGEEXEC
1514+void pax_report_insns(void *pc, void *sp)
1515+{
1516+ unsigned long i;
1517+
1518+ printk(KERN_ERR "PAX: bytes at PC: ");
1519+ for (i = 0; i < 5; i++) {
1520+ unsigned int c;
1521+ if (get_user(c, (unsigned int *)pc+i))
1522+ printk(KERN_CONT "???????? ");
1523+ else
1524+ printk(KERN_CONT "%08x ", c);
1525+ }
1526+ printk("\n");
1527+}
1528+#endif
1529+
1530 /*
1531 * This routine handles page faults. It determines the address,
1532 * and the problem, and then passes it off to one of the appropriate
1533diff -urNp linux-3.0.7/arch/mips/mm/mmap.c linux-3.0.7/arch/mips/mm/mmap.c
1534--- linux-3.0.7/arch/mips/mm/mmap.c 2011-07-21 22:17:23.000000000 -0400
1535+++ linux-3.0.7/arch/mips/mm/mmap.c 2011-08-23 21:47:55.000000000 -0400
1536@@ -48,14 +48,18 @@ unsigned long arch_get_unmapped_area(str
1537 do_color_align = 0;
1538 if (filp || (flags & MAP_SHARED))
1539 do_color_align = 1;
1540+
1541+#ifdef CONFIG_PAX_RANDMMAP
1542+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1543+#endif
1544+
1545 if (addr) {
1546 if (do_color_align)
1547 addr = COLOUR_ALIGN(addr, pgoff);
1548 else
1549 addr = PAGE_ALIGN(addr);
1550 vmm = find_vma(current->mm, addr);
1551- if (TASK_SIZE - len >= addr &&
1552- (!vmm || addr + len <= vmm->vm_start))
1553+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vmm, addr, len))
1554 return addr;
1555 }
1556 addr = current->mm->mmap_base;
1557@@ -68,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
1558 /* At this point: (!vmm || addr < vmm->vm_end). */
1559 if (TASK_SIZE - len < addr)
1560 return -ENOMEM;
1561- if (!vmm || addr + len <= vmm->vm_start)
1562+ if (check_heap_stack_gap(vmm, addr, len))
1563 return addr;
1564 addr = vmm->vm_end;
1565 if (do_color_align)
1566@@ -93,30 +97,3 @@ void arch_pick_mmap_layout(struct mm_str
1567 mm->get_unmapped_area = arch_get_unmapped_area;
1568 mm->unmap_area = arch_unmap_area;
1569 }
1570-
1571-static inline unsigned long brk_rnd(void)
1572-{
1573- unsigned long rnd = get_random_int();
1574-
1575- rnd = rnd << PAGE_SHIFT;
1576- /* 8MB for 32bit, 256MB for 64bit */
1577- if (TASK_IS_32BIT_ADDR)
1578- rnd = rnd & 0x7ffffful;
1579- else
1580- rnd = rnd & 0xffffffful;
1581-
1582- return rnd;
1583-}
1584-
1585-unsigned long arch_randomize_brk(struct mm_struct *mm)
1586-{
1587- unsigned long base = mm->brk;
1588- unsigned long ret;
1589-
1590- ret = PAGE_ALIGN(base + brk_rnd());
1591-
1592- if (ret < mm->brk)
1593- return mm->brk;
1594-
1595- return ret;
1596-}
1597diff -urNp linux-3.0.7/arch/parisc/include/asm/elf.h linux-3.0.7/arch/parisc/include/asm/elf.h
1598--- linux-3.0.7/arch/parisc/include/asm/elf.h 2011-07-21 22:17:23.000000000 -0400
1599+++ linux-3.0.7/arch/parisc/include/asm/elf.h 2011-08-23 21:47:55.000000000 -0400
1600@@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1601
1602 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1603
1604+#ifdef CONFIG_PAX_ASLR
1605+#define PAX_ELF_ET_DYN_BASE 0x10000UL
1606+
1607+#define PAX_DELTA_MMAP_LEN 16
1608+#define PAX_DELTA_STACK_LEN 16
1609+#endif
1610+
1611 /* This yields a mask that user programs can use to figure out what
1612 instruction set this CPU supports. This could be done in user space,
1613 but it's not easy, and we've already done it here. */
1614diff -urNp linux-3.0.7/arch/parisc/include/asm/pgtable.h linux-3.0.7/arch/parisc/include/asm/pgtable.h
1615--- linux-3.0.7/arch/parisc/include/asm/pgtable.h 2011-07-21 22:17:23.000000000 -0400
1616+++ linux-3.0.7/arch/parisc/include/asm/pgtable.h 2011-08-23 21:47:55.000000000 -0400
1617@@ -210,6 +210,17 @@ struct vm_area_struct;
1618 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1619 #define PAGE_COPY PAGE_EXECREAD
1620 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1621+
1622+#ifdef CONFIG_PAX_PAGEEXEC
1623+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1624+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1625+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1626+#else
1627+# define PAGE_SHARED_NOEXEC PAGE_SHARED
1628+# define PAGE_COPY_NOEXEC PAGE_COPY
1629+# define PAGE_READONLY_NOEXEC PAGE_READONLY
1630+#endif
1631+
1632 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1633 #define PAGE_KERNEL_EXEC __pgprot(_PAGE_KERNEL_EXEC)
1634 #define PAGE_KERNEL_RWX __pgprot(_PAGE_KERNEL_RWX)
1635diff -urNp linux-3.0.7/arch/parisc/kernel/module.c linux-3.0.7/arch/parisc/kernel/module.c
1636--- linux-3.0.7/arch/parisc/kernel/module.c 2011-07-21 22:17:23.000000000 -0400
1637+++ linux-3.0.7/arch/parisc/kernel/module.c 2011-08-23 21:47:55.000000000 -0400
1638@@ -98,16 +98,38 @@
1639
1640 /* three functions to determine where in the module core
1641 * or init pieces the location is */
1642+static inline int in_init_rx(struct module *me, void *loc)
1643+{
1644+ return (loc >= me->module_init_rx &&
1645+ loc < (me->module_init_rx + me->init_size_rx));
1646+}
1647+
1648+static inline int in_init_rw(struct module *me, void *loc)
1649+{
1650+ return (loc >= me->module_init_rw &&
1651+ loc < (me->module_init_rw + me->init_size_rw));
1652+}
1653+
1654 static inline int in_init(struct module *me, void *loc)
1655 {
1656- return (loc >= me->module_init &&
1657- loc <= (me->module_init + me->init_size));
1658+ return in_init_rx(me, loc) || in_init_rw(me, loc);
1659+}
1660+
1661+static inline int in_core_rx(struct module *me, void *loc)
1662+{
1663+ return (loc >= me->module_core_rx &&
1664+ loc < (me->module_core_rx + me->core_size_rx));
1665+}
1666+
1667+static inline int in_core_rw(struct module *me, void *loc)
1668+{
1669+ return (loc >= me->module_core_rw &&
1670+ loc < (me->module_core_rw + me->core_size_rw));
1671 }
1672
1673 static inline int in_core(struct module *me, void *loc)
1674 {
1675- return (loc >= me->module_core &&
1676- loc <= (me->module_core + me->core_size));
1677+ return in_core_rx(me, loc) || in_core_rw(me, loc);
1678 }
1679
1680 static inline int in_local(struct module *me, void *loc)
1681@@ -373,13 +395,13 @@ int module_frob_arch_sections(CONST Elf_
1682 }
1683
1684 /* align things a bit */
1685- me->core_size = ALIGN(me->core_size, 16);
1686- me->arch.got_offset = me->core_size;
1687- me->core_size += gots * sizeof(struct got_entry);
1688-
1689- me->core_size = ALIGN(me->core_size, 16);
1690- me->arch.fdesc_offset = me->core_size;
1691- me->core_size += fdescs * sizeof(Elf_Fdesc);
1692+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1693+ me->arch.got_offset = me->core_size_rw;
1694+ me->core_size_rw += gots * sizeof(struct got_entry);
1695+
1696+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1697+ me->arch.fdesc_offset = me->core_size_rw;
1698+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1699
1700 me->arch.got_max = gots;
1701 me->arch.fdesc_max = fdescs;
1702@@ -397,7 +419,7 @@ static Elf64_Word get_got(struct module
1703
1704 BUG_ON(value == 0);
1705
1706- got = me->module_core + me->arch.got_offset;
1707+ got = me->module_core_rw + me->arch.got_offset;
1708 for (i = 0; got[i].addr; i++)
1709 if (got[i].addr == value)
1710 goto out;
1711@@ -415,7 +437,7 @@ static Elf64_Word get_got(struct module
1712 #ifdef CONFIG_64BIT
1713 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1714 {
1715- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1716+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1717
1718 if (!value) {
1719 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1720@@ -433,7 +455,7 @@ static Elf_Addr get_fdesc(struct module
1721
1722 /* Create new one */
1723 fdesc->addr = value;
1724- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1725+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1726 return (Elf_Addr)fdesc;
1727 }
1728 #endif /* CONFIG_64BIT */
1729@@ -857,7 +879,7 @@ register_unwind_table(struct module *me,
1730
1731 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1732 end = table + sechdrs[me->arch.unwind_section].sh_size;
1733- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1734+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1735
1736 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1737 me->arch.unwind_section, table, end, gp);
1738diff -urNp linux-3.0.7/arch/parisc/kernel/sys_parisc.c linux-3.0.7/arch/parisc/kernel/sys_parisc.c
1739--- linux-3.0.7/arch/parisc/kernel/sys_parisc.c 2011-07-21 22:17:23.000000000 -0400
1740+++ linux-3.0.7/arch/parisc/kernel/sys_parisc.c 2011-08-23 21:47:55.000000000 -0400
1741@@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1742 /* At this point: (!vma || addr < vma->vm_end). */
1743 if (TASK_SIZE - len < addr)
1744 return -ENOMEM;
1745- if (!vma || addr + len <= vma->vm_start)
1746+ if (check_heap_stack_gap(vma, addr, len))
1747 return addr;
1748 addr = vma->vm_end;
1749 }
1750@@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1751 /* At this point: (!vma || addr < vma->vm_end). */
1752 if (TASK_SIZE - len < addr)
1753 return -ENOMEM;
1754- if (!vma || addr + len <= vma->vm_start)
1755+ if (check_heap_stack_gap(vma, addr, len))
1756 return addr;
1757 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1758 if (addr < vma->vm_end) /* handle wraparound */
1759@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1760 if (flags & MAP_FIXED)
1761 return addr;
1762 if (!addr)
1763- addr = TASK_UNMAPPED_BASE;
1764+ addr = current->mm->mmap_base;
1765
1766 if (filp) {
1767 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1768diff -urNp linux-3.0.7/arch/parisc/kernel/traps.c linux-3.0.7/arch/parisc/kernel/traps.c
1769--- linux-3.0.7/arch/parisc/kernel/traps.c 2011-07-21 22:17:23.000000000 -0400
1770+++ linux-3.0.7/arch/parisc/kernel/traps.c 2011-08-23 21:47:55.000000000 -0400
1771@@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1772
1773 down_read(&current->mm->mmap_sem);
1774 vma = find_vma(current->mm,regs->iaoq[0]);
1775- if (vma && (regs->iaoq[0] >= vma->vm_start)
1776- && (vma->vm_flags & VM_EXEC)) {
1777-
1778+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1779 fault_address = regs->iaoq[0];
1780 fault_space = regs->iasq[0];
1781
1782diff -urNp linux-3.0.7/arch/parisc/mm/fault.c linux-3.0.7/arch/parisc/mm/fault.c
1783--- linux-3.0.7/arch/parisc/mm/fault.c 2011-07-21 22:17:23.000000000 -0400
1784+++ linux-3.0.7/arch/parisc/mm/fault.c 2011-08-23 21:47:55.000000000 -0400
1785@@ -15,6 +15,7 @@
1786 #include <linux/sched.h>
1787 #include <linux/interrupt.h>
1788 #include <linux/module.h>
1789+#include <linux/unistd.h>
1790
1791 #include <asm/uaccess.h>
1792 #include <asm/traps.h>
1793@@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1794 static unsigned long
1795 parisc_acctyp(unsigned long code, unsigned int inst)
1796 {
1797- if (code == 6 || code == 16)
1798+ if (code == 6 || code == 7 || code == 16)
1799 return VM_EXEC;
1800
1801 switch (inst & 0xf0000000) {
1802@@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1803 }
1804 #endif
1805
1806+#ifdef CONFIG_PAX_PAGEEXEC
1807+/*
1808+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1809+ *
1810+ * returns 1 when task should be killed
1811+ * 2 when rt_sigreturn trampoline was detected
1812+ * 3 when unpatched PLT trampoline was detected
1813+ */
1814+static int pax_handle_fetch_fault(struct pt_regs *regs)
1815+{
1816+
1817+#ifdef CONFIG_PAX_EMUPLT
1818+ int err;
1819+
1820+ do { /* PaX: unpatched PLT emulation */
1821+ unsigned int bl, depwi;
1822+
1823+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1824+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1825+
1826+ if (err)
1827+ break;
1828+
1829+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1830+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1831+
1832+ err = get_user(ldw, (unsigned int *)addr);
1833+ err |= get_user(bv, (unsigned int *)(addr+4));
1834+ err |= get_user(ldw2, (unsigned int *)(addr+8));
1835+
1836+ if (err)
1837+ break;
1838+
1839+ if (ldw == 0x0E801096U &&
1840+ bv == 0xEAC0C000U &&
1841+ ldw2 == 0x0E881095U)
1842+ {
1843+ unsigned int resolver, map;
1844+
1845+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1846+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1847+ if (err)
1848+ break;
1849+
1850+ regs->gr[20] = instruction_pointer(regs)+8;
1851+ regs->gr[21] = map;
1852+ regs->gr[22] = resolver;
1853+ regs->iaoq[0] = resolver | 3UL;
1854+ regs->iaoq[1] = regs->iaoq[0] + 4;
1855+ return 3;
1856+ }
1857+ }
1858+ } while (0);
1859+#endif
1860+
1861+#ifdef CONFIG_PAX_EMUTRAMP
1862+
1863+#ifndef CONFIG_PAX_EMUSIGRT
1864+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1865+ return 1;
1866+#endif
1867+
1868+ do { /* PaX: rt_sigreturn emulation */
1869+ unsigned int ldi1, ldi2, bel, nop;
1870+
1871+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1872+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1873+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1874+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1875+
1876+ if (err)
1877+ break;
1878+
1879+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1880+ ldi2 == 0x3414015AU &&
1881+ bel == 0xE4008200U &&
1882+ nop == 0x08000240U)
1883+ {
1884+ regs->gr[25] = (ldi1 & 2) >> 1;
1885+ regs->gr[20] = __NR_rt_sigreturn;
1886+ regs->gr[31] = regs->iaoq[1] + 16;
1887+ regs->sr[0] = regs->iasq[1];
1888+ regs->iaoq[0] = 0x100UL;
1889+ regs->iaoq[1] = regs->iaoq[0] + 4;
1890+ regs->iasq[0] = regs->sr[2];
1891+ regs->iasq[1] = regs->sr[2];
1892+ return 2;
1893+ }
1894+ } while (0);
1895+#endif
1896+
1897+ return 1;
1898+}
1899+
1900+void pax_report_insns(void *pc, void *sp)
1901+{
1902+ unsigned long i;
1903+
1904+ printk(KERN_ERR "PAX: bytes at PC: ");
1905+ for (i = 0; i < 5; i++) {
1906+ unsigned int c;
1907+ if (get_user(c, (unsigned int *)pc+i))
1908+ printk(KERN_CONT "???????? ");
1909+ else
1910+ printk(KERN_CONT "%08x ", c);
1911+ }
1912+ printk("\n");
1913+}
1914+#endif
1915+
1916 int fixup_exception(struct pt_regs *regs)
1917 {
1918 const struct exception_table_entry *fix;
1919@@ -192,8 +303,33 @@ good_area:
1920
1921 acc_type = parisc_acctyp(code,regs->iir);
1922
1923- if ((vma->vm_flags & acc_type) != acc_type)
1924+ if ((vma->vm_flags & acc_type) != acc_type) {
1925+
1926+#ifdef CONFIG_PAX_PAGEEXEC
1927+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1928+ (address & ~3UL) == instruction_pointer(regs))
1929+ {
1930+ up_read(&mm->mmap_sem);
1931+ switch (pax_handle_fetch_fault(regs)) {
1932+
1933+#ifdef CONFIG_PAX_EMUPLT
1934+ case 3:
1935+ return;
1936+#endif
1937+
1938+#ifdef CONFIG_PAX_EMUTRAMP
1939+ case 2:
1940+ return;
1941+#endif
1942+
1943+ }
1944+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1945+ do_group_exit(SIGKILL);
1946+ }
1947+#endif
1948+
1949 goto bad_area;
1950+ }
1951
1952 /*
1953 * If for any reason at all we couldn't handle the fault, make
1954diff -urNp linux-3.0.7/arch/powerpc/include/asm/elf.h linux-3.0.7/arch/powerpc/include/asm/elf.h
1955--- linux-3.0.7/arch/powerpc/include/asm/elf.h 2011-07-21 22:17:23.000000000 -0400
1956+++ linux-3.0.7/arch/powerpc/include/asm/elf.h 2011-08-23 21:47:55.000000000 -0400
1957@@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
1958 the loader. We need to make sure that it is out of the way of the program
1959 that it will "exec", and that there is sufficient room for the brk. */
1960
1961-extern unsigned long randomize_et_dyn(unsigned long base);
1962-#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
1963+#define ELF_ET_DYN_BASE (0x20000000)
1964+
1965+#ifdef CONFIG_PAX_ASLR
1966+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
1967+
1968+#ifdef __powerpc64__
1969+#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
1970+#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
1971+#else
1972+#define PAX_DELTA_MMAP_LEN 15
1973+#define PAX_DELTA_STACK_LEN 15
1974+#endif
1975+#endif
1976
1977 /*
1978 * Our registers are always unsigned longs, whether we're a 32 bit
1979@@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
1980 (0x7ff >> (PAGE_SHIFT - 12)) : \
1981 (0x3ffff >> (PAGE_SHIFT - 12)))
1982
1983-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1984-#define arch_randomize_brk arch_randomize_brk
1985-
1986 #endif /* __KERNEL__ */
1987
1988 /*
1989diff -urNp linux-3.0.7/arch/powerpc/include/asm/kmap_types.h linux-3.0.7/arch/powerpc/include/asm/kmap_types.h
1990--- linux-3.0.7/arch/powerpc/include/asm/kmap_types.h 2011-07-21 22:17:23.000000000 -0400
1991+++ linux-3.0.7/arch/powerpc/include/asm/kmap_types.h 2011-08-23 21:47:55.000000000 -0400
1992@@ -27,6 +27,7 @@ enum km_type {
1993 KM_PPC_SYNC_PAGE,
1994 KM_PPC_SYNC_ICACHE,
1995 KM_KDB,
1996+ KM_CLEARPAGE,
1997 KM_TYPE_NR
1998 };
1999
2000diff -urNp linux-3.0.7/arch/powerpc/include/asm/mman.h linux-3.0.7/arch/powerpc/include/asm/mman.h
2001--- linux-3.0.7/arch/powerpc/include/asm/mman.h 2011-07-21 22:17:23.000000000 -0400
2002+++ linux-3.0.7/arch/powerpc/include/asm/mman.h 2011-08-23 21:47:55.000000000 -0400
2003@@ -44,7 +44,7 @@ static inline unsigned long arch_calc_vm
2004 }
2005 #define arch_calc_vm_prot_bits(prot) arch_calc_vm_prot_bits(prot)
2006
2007-static inline pgprot_t arch_vm_get_page_prot(unsigned long vm_flags)
2008+static inline pgprot_t arch_vm_get_page_prot(vm_flags_t vm_flags)
2009 {
2010 return (vm_flags & VM_SAO) ? __pgprot(_PAGE_SAO) : __pgprot(0);
2011 }
2012diff -urNp linux-3.0.7/arch/powerpc/include/asm/page.h linux-3.0.7/arch/powerpc/include/asm/page.h
2013--- linux-3.0.7/arch/powerpc/include/asm/page.h 2011-07-21 22:17:23.000000000 -0400
2014+++ linux-3.0.7/arch/powerpc/include/asm/page.h 2011-08-23 21:47:55.000000000 -0400
2015@@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2016 * and needs to be executable. This means the whole heap ends
2017 * up being executable.
2018 */
2019-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2020- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2021+#define VM_DATA_DEFAULT_FLAGS32 \
2022+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2023+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2024
2025 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2026 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2027@@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2028 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2029 #endif
2030
2031+#define ktla_ktva(addr) (addr)
2032+#define ktva_ktla(addr) (addr)
2033+
2034 #ifndef __ASSEMBLY__
2035
2036 #undef STRICT_MM_TYPECHECKS
2037diff -urNp linux-3.0.7/arch/powerpc/include/asm/page_64.h linux-3.0.7/arch/powerpc/include/asm/page_64.h
2038--- linux-3.0.7/arch/powerpc/include/asm/page_64.h 2011-07-21 22:17:23.000000000 -0400
2039+++ linux-3.0.7/arch/powerpc/include/asm/page_64.h 2011-08-23 21:47:55.000000000 -0400
2040@@ -155,15 +155,18 @@ do { \
2041 * stack by default, so in the absence of a PT_GNU_STACK program header
2042 * we turn execute permission off.
2043 */
2044-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2045- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2046+#define VM_STACK_DEFAULT_FLAGS32 \
2047+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2048+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2049
2050 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2051 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2052
2053+#ifndef CONFIG_PAX_PAGEEXEC
2054 #define VM_STACK_DEFAULT_FLAGS \
2055 (is_32bit_task() ? \
2056 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2057+#endif
2058
2059 #include <asm-generic/getorder.h>
2060
2061diff -urNp linux-3.0.7/arch/powerpc/include/asm/pgtable.h linux-3.0.7/arch/powerpc/include/asm/pgtable.h
2062--- linux-3.0.7/arch/powerpc/include/asm/pgtable.h 2011-07-21 22:17:23.000000000 -0400
2063+++ linux-3.0.7/arch/powerpc/include/asm/pgtable.h 2011-08-23 21:47:55.000000000 -0400
2064@@ -2,6 +2,7 @@
2065 #define _ASM_POWERPC_PGTABLE_H
2066 #ifdef __KERNEL__
2067
2068+#include <linux/const.h>
2069 #ifndef __ASSEMBLY__
2070 #include <asm/processor.h> /* For TASK_SIZE */
2071 #include <asm/mmu.h>
2072diff -urNp linux-3.0.7/arch/powerpc/include/asm/pte-hash32.h linux-3.0.7/arch/powerpc/include/asm/pte-hash32.h
2073--- linux-3.0.7/arch/powerpc/include/asm/pte-hash32.h 2011-07-21 22:17:23.000000000 -0400
2074+++ linux-3.0.7/arch/powerpc/include/asm/pte-hash32.h 2011-08-23 21:47:55.000000000 -0400
2075@@ -21,6 +21,7 @@
2076 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2077 #define _PAGE_USER 0x004 /* usermode access allowed */
2078 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2079+#define _PAGE_EXEC _PAGE_GUARDED
2080 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2081 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2082 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
2083diff -urNp linux-3.0.7/arch/powerpc/include/asm/reg.h linux-3.0.7/arch/powerpc/include/asm/reg.h
2084--- linux-3.0.7/arch/powerpc/include/asm/reg.h 2011-07-21 22:17:23.000000000 -0400
2085+++ linux-3.0.7/arch/powerpc/include/asm/reg.h 2011-08-23 21:47:55.000000000 -0400
2086@@ -209,6 +209,7 @@
2087 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2088 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2089 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2090+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2091 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2092 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2093 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2094diff -urNp linux-3.0.7/arch/powerpc/include/asm/system.h linux-3.0.7/arch/powerpc/include/asm/system.h
2095--- linux-3.0.7/arch/powerpc/include/asm/system.h 2011-07-21 22:17:23.000000000 -0400
2096+++ linux-3.0.7/arch/powerpc/include/asm/system.h 2011-08-23 21:47:55.000000000 -0400
2097@@ -531,7 +531,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2098 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2099 #endif
2100
2101-extern unsigned long arch_align_stack(unsigned long sp);
2102+#define arch_align_stack(x) ((x) & ~0xfUL)
2103
2104 /* Used in very early kernel initialization. */
2105 extern unsigned long reloc_offset(void);
2106diff -urNp linux-3.0.7/arch/powerpc/include/asm/uaccess.h linux-3.0.7/arch/powerpc/include/asm/uaccess.h
2107--- linux-3.0.7/arch/powerpc/include/asm/uaccess.h 2011-07-21 22:17:23.000000000 -0400
2108+++ linux-3.0.7/arch/powerpc/include/asm/uaccess.h 2011-08-23 21:47:55.000000000 -0400
2109@@ -13,6 +13,8 @@
2110 #define VERIFY_READ 0
2111 #define VERIFY_WRITE 1
2112
2113+extern void check_object_size(const void *ptr, unsigned long n, bool to);
2114+
2115 /*
2116 * The fs value determines whether argument validity checking should be
2117 * performed or not. If get_fs() == USER_DS, checking is performed, with
2118@@ -327,52 +329,6 @@ do { \
2119 extern unsigned long __copy_tofrom_user(void __user *to,
2120 const void __user *from, unsigned long size);
2121
2122-#ifndef __powerpc64__
2123-
2124-static inline unsigned long copy_from_user(void *to,
2125- const void __user *from, unsigned long n)
2126-{
2127- unsigned long over;
2128-
2129- if (access_ok(VERIFY_READ, from, n))
2130- return __copy_tofrom_user((__force void __user *)to, from, n);
2131- if ((unsigned long)from < TASK_SIZE) {
2132- over = (unsigned long)from + n - TASK_SIZE;
2133- return __copy_tofrom_user((__force void __user *)to, from,
2134- n - over) + over;
2135- }
2136- return n;
2137-}
2138-
2139-static inline unsigned long copy_to_user(void __user *to,
2140- const void *from, unsigned long n)
2141-{
2142- unsigned long over;
2143-
2144- if (access_ok(VERIFY_WRITE, to, n))
2145- return __copy_tofrom_user(to, (__force void __user *)from, n);
2146- if ((unsigned long)to < TASK_SIZE) {
2147- over = (unsigned long)to + n - TASK_SIZE;
2148- return __copy_tofrom_user(to, (__force void __user *)from,
2149- n - over) + over;
2150- }
2151- return n;
2152-}
2153-
2154-#else /* __powerpc64__ */
2155-
2156-#define __copy_in_user(to, from, size) \
2157- __copy_tofrom_user((to), (from), (size))
2158-
2159-extern unsigned long copy_from_user(void *to, const void __user *from,
2160- unsigned long n);
2161-extern unsigned long copy_to_user(void __user *to, const void *from,
2162- unsigned long n);
2163-extern unsigned long copy_in_user(void __user *to, const void __user *from,
2164- unsigned long n);
2165-
2166-#endif /* __powerpc64__ */
2167-
2168 static inline unsigned long __copy_from_user_inatomic(void *to,
2169 const void __user *from, unsigned long n)
2170 {
2171@@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2172 if (ret == 0)
2173 return 0;
2174 }
2175+
2176+ if (!__builtin_constant_p(n))
2177+ check_object_size(to, n, false);
2178+
2179 return __copy_tofrom_user((__force void __user *)to, from, n);
2180 }
2181
2182@@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2183 if (ret == 0)
2184 return 0;
2185 }
2186+
2187+ if (!__builtin_constant_p(n))
2188+ check_object_size(from, n, true);
2189+
2190 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2191 }
2192
2193@@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2194 return __copy_to_user_inatomic(to, from, size);
2195 }
2196
2197+#ifndef __powerpc64__
2198+
2199+static inline unsigned long __must_check copy_from_user(void *to,
2200+ const void __user *from, unsigned long n)
2201+{
2202+ unsigned long over;
2203+
2204+ if ((long)n < 0)
2205+ return n;
2206+
2207+ if (access_ok(VERIFY_READ, from, n)) {
2208+ if (!__builtin_constant_p(n))
2209+ check_object_size(to, n, false);
2210+ return __copy_tofrom_user((__force void __user *)to, from, n);
2211+ }
2212+ if ((unsigned long)from < TASK_SIZE) {
2213+ over = (unsigned long)from + n - TASK_SIZE;
2214+ if (!__builtin_constant_p(n - over))
2215+ check_object_size(to, n - over, false);
2216+ return __copy_tofrom_user((__force void __user *)to, from,
2217+ n - over) + over;
2218+ }
2219+ return n;
2220+}
2221+
2222+static inline unsigned long __must_check copy_to_user(void __user *to,
2223+ const void *from, unsigned long n)
2224+{
2225+ unsigned long over;
2226+
2227+ if ((long)n < 0)
2228+ return n;
2229+
2230+ if (access_ok(VERIFY_WRITE, to, n)) {
2231+ if (!__builtin_constant_p(n))
2232+ check_object_size(from, n, true);
2233+ return __copy_tofrom_user(to, (__force void __user *)from, n);
2234+ }
2235+ if ((unsigned long)to < TASK_SIZE) {
2236+ over = (unsigned long)to + n - TASK_SIZE;
2237+ if (!__builtin_constant_p(n))
2238+ check_object_size(from, n - over, true);
2239+ return __copy_tofrom_user(to, (__force void __user *)from,
2240+ n - over) + over;
2241+ }
2242+ return n;
2243+}
2244+
2245+#else /* __powerpc64__ */
2246+
2247+#define __copy_in_user(to, from, size) \
2248+ __copy_tofrom_user((to), (from), (size))
2249+
2250+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2251+{
2252+ if ((long)n < 0 || n > INT_MAX)
2253+ return n;
2254+
2255+ if (!__builtin_constant_p(n))
2256+ check_object_size(to, n, false);
2257+
2258+ if (likely(access_ok(VERIFY_READ, from, n)))
2259+ n = __copy_from_user(to, from, n);
2260+ else
2261+ memset(to, 0, n);
2262+ return n;
2263+}
2264+
2265+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2266+{
2267+ if ((long)n < 0 || n > INT_MAX)
2268+ return n;
2269+
2270+ if (likely(access_ok(VERIFY_WRITE, to, n))) {
2271+ if (!__builtin_constant_p(n))
2272+ check_object_size(from, n, true);
2273+ n = __copy_to_user(to, from, n);
2274+ }
2275+ return n;
2276+}
2277+
2278+extern unsigned long copy_in_user(void __user *to, const void __user *from,
2279+ unsigned long n);
2280+
2281+#endif /* __powerpc64__ */
2282+
2283 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2284
2285 static inline unsigned long clear_user(void __user *addr, unsigned long size)
2286diff -urNp linux-3.0.7/arch/powerpc/kernel/exceptions-64e.S linux-3.0.7/arch/powerpc/kernel/exceptions-64e.S
2287--- linux-3.0.7/arch/powerpc/kernel/exceptions-64e.S 2011-07-21 22:17:23.000000000 -0400
2288+++ linux-3.0.7/arch/powerpc/kernel/exceptions-64e.S 2011-08-23 21:47:55.000000000 -0400
2289@@ -567,6 +567,7 @@ storage_fault_common:
2290 std r14,_DAR(r1)
2291 std r15,_DSISR(r1)
2292 addi r3,r1,STACK_FRAME_OVERHEAD
2293+ bl .save_nvgprs
2294 mr r4,r14
2295 mr r5,r15
2296 ld r14,PACA_EXGEN+EX_R14(r13)
2297@@ -576,8 +577,7 @@ storage_fault_common:
2298 cmpdi r3,0
2299 bne- 1f
2300 b .ret_from_except_lite
2301-1: bl .save_nvgprs
2302- mr r5,r3
2303+1: mr r5,r3
2304 addi r3,r1,STACK_FRAME_OVERHEAD
2305 ld r4,_DAR(r1)
2306 bl .bad_page_fault
2307diff -urNp linux-3.0.7/arch/powerpc/kernel/exceptions-64s.S linux-3.0.7/arch/powerpc/kernel/exceptions-64s.S
2308--- linux-3.0.7/arch/powerpc/kernel/exceptions-64s.S 2011-07-21 22:17:23.000000000 -0400
2309+++ linux-3.0.7/arch/powerpc/kernel/exceptions-64s.S 2011-08-23 21:47:55.000000000 -0400
2310@@ -956,10 +956,10 @@ handle_page_fault:
2311 11: ld r4,_DAR(r1)
2312 ld r5,_DSISR(r1)
2313 addi r3,r1,STACK_FRAME_OVERHEAD
2314+ bl .save_nvgprs
2315 bl .do_page_fault
2316 cmpdi r3,0
2317 beq+ 13f
2318- bl .save_nvgprs
2319 mr r5,r3
2320 addi r3,r1,STACK_FRAME_OVERHEAD
2321 lwz r4,_DAR(r1)
2322diff -urNp linux-3.0.7/arch/powerpc/kernel/module.c linux-3.0.7/arch/powerpc/kernel/module.c
2323--- linux-3.0.7/arch/powerpc/kernel/module.c 2011-07-21 22:17:23.000000000 -0400
2324+++ linux-3.0.7/arch/powerpc/kernel/module.c 2011-08-23 21:47:55.000000000 -0400
2325@@ -31,11 +31,24 @@
2326
2327 LIST_HEAD(module_bug_list);
2328
2329+#ifdef CONFIG_PAX_KERNEXEC
2330 void *module_alloc(unsigned long size)
2331 {
2332 if (size == 0)
2333 return NULL;
2334
2335+ return vmalloc(size);
2336+}
2337+
2338+void *module_alloc_exec(unsigned long size)
2339+#else
2340+void *module_alloc(unsigned long size)
2341+#endif
2342+
2343+{
2344+ if (size == 0)
2345+ return NULL;
2346+
2347 return vmalloc_exec(size);
2348 }
2349
2350@@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2351 vfree(module_region);
2352 }
2353
2354+#ifdef CONFIG_PAX_KERNEXEC
2355+void module_free_exec(struct module *mod, void *module_region)
2356+{
2357+ module_free(mod, module_region);
2358+}
2359+#endif
2360+
2361 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2362 const Elf_Shdr *sechdrs,
2363 const char *name)
2364diff -urNp linux-3.0.7/arch/powerpc/kernel/module_32.c linux-3.0.7/arch/powerpc/kernel/module_32.c
2365--- linux-3.0.7/arch/powerpc/kernel/module_32.c 2011-07-21 22:17:23.000000000 -0400
2366+++ linux-3.0.7/arch/powerpc/kernel/module_32.c 2011-08-23 21:47:55.000000000 -0400
2367@@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2368 me->arch.core_plt_section = i;
2369 }
2370 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2371- printk("Module doesn't contain .plt or .init.plt sections.\n");
2372+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2373 return -ENOEXEC;
2374 }
2375
2376@@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2377
2378 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2379 /* Init, or core PLT? */
2380- if (location >= mod->module_core
2381- && location < mod->module_core + mod->core_size)
2382+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2383+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2384 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2385- else
2386+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2387+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2388 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2389+ else {
2390+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2391+ return ~0UL;
2392+ }
2393
2394 /* Find this entry, or if that fails, the next avail. entry */
2395 while (entry->jump[0]) {
2396diff -urNp linux-3.0.7/arch/powerpc/kernel/process.c linux-3.0.7/arch/powerpc/kernel/process.c
2397--- linux-3.0.7/arch/powerpc/kernel/process.c 2011-07-21 22:17:23.000000000 -0400
2398+++ linux-3.0.7/arch/powerpc/kernel/process.c 2011-08-23 21:48:14.000000000 -0400
2399@@ -676,8 +676,8 @@ void show_regs(struct pt_regs * regs)
2400 * Lookup NIP late so we have the best change of getting the
2401 * above info out without failing
2402 */
2403- printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2404- printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2405+ printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2406+ printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2407 #endif
2408 show_stack(current, (unsigned long *) regs->gpr[1]);
2409 if (!user_mode(regs))
2410@@ -1183,10 +1183,10 @@ void show_stack(struct task_struct *tsk,
2411 newsp = stack[0];
2412 ip = stack[STACK_FRAME_LR_SAVE];
2413 if (!firstframe || ip != lr) {
2414- printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2415+ printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2416 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2417 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2418- printk(" (%pS)",
2419+ printk(" (%pA)",
2420 (void *)current->ret_stack[curr_frame].ret);
2421 curr_frame--;
2422 }
2423@@ -1206,7 +1206,7 @@ void show_stack(struct task_struct *tsk,
2424 struct pt_regs *regs = (struct pt_regs *)
2425 (sp + STACK_FRAME_OVERHEAD);
2426 lr = regs->link;
2427- printk("--- Exception: %lx at %pS\n LR = %pS\n",
2428+ printk("--- Exception: %lx at %pA\n LR = %pA\n",
2429 regs->trap, (void *)regs->nip, (void *)lr);
2430 firstframe = 1;
2431 }
2432@@ -1281,58 +1281,3 @@ void thread_info_cache_init(void)
2433 }
2434
2435 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2436-
2437-unsigned long arch_align_stack(unsigned long sp)
2438-{
2439- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2440- sp -= get_random_int() & ~PAGE_MASK;
2441- return sp & ~0xf;
2442-}
2443-
2444-static inline unsigned long brk_rnd(void)
2445-{
2446- unsigned long rnd = 0;
2447-
2448- /* 8MB for 32bit, 1GB for 64bit */
2449- if (is_32bit_task())
2450- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2451- else
2452- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2453-
2454- return rnd << PAGE_SHIFT;
2455-}
2456-
2457-unsigned long arch_randomize_brk(struct mm_struct *mm)
2458-{
2459- unsigned long base = mm->brk;
2460- unsigned long ret;
2461-
2462-#ifdef CONFIG_PPC_STD_MMU_64
2463- /*
2464- * If we are using 1TB segments and we are allowed to randomise
2465- * the heap, we can put it above 1TB so it is backed by a 1TB
2466- * segment. Otherwise the heap will be in the bottom 1TB
2467- * which always uses 256MB segments and this may result in a
2468- * performance penalty.
2469- */
2470- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2471- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2472-#endif
2473-
2474- ret = PAGE_ALIGN(base + brk_rnd());
2475-
2476- if (ret < mm->brk)
2477- return mm->brk;
2478-
2479- return ret;
2480-}
2481-
2482-unsigned long randomize_et_dyn(unsigned long base)
2483-{
2484- unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2485-
2486- if (ret < base)
2487- return base;
2488-
2489- return ret;
2490-}
2491diff -urNp linux-3.0.7/arch/powerpc/kernel/signal_32.c linux-3.0.7/arch/powerpc/kernel/signal_32.c
2492--- linux-3.0.7/arch/powerpc/kernel/signal_32.c 2011-07-21 22:17:23.000000000 -0400
2493+++ linux-3.0.7/arch/powerpc/kernel/signal_32.c 2011-08-23 21:47:55.000000000 -0400
2494@@ -859,7 +859,7 @@ int handle_rt_signal32(unsigned long sig
2495 /* Save user registers on the stack */
2496 frame = &rt_sf->uc.uc_mcontext;
2497 addr = frame;
2498- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2499+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2500 if (save_user_regs(regs, frame, 0, 1))
2501 goto badframe;
2502 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
2503diff -urNp linux-3.0.7/arch/powerpc/kernel/signal_64.c linux-3.0.7/arch/powerpc/kernel/signal_64.c
2504--- linux-3.0.7/arch/powerpc/kernel/signal_64.c 2011-07-21 22:17:23.000000000 -0400
2505+++ linux-3.0.7/arch/powerpc/kernel/signal_64.c 2011-08-23 21:47:55.000000000 -0400
2506@@ -430,7 +430,7 @@ int handle_rt_signal64(int signr, struct
2507 current->thread.fpscr.val = 0;
2508
2509 /* Set up to return from userspace. */
2510- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2511+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2512 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2513 } else {
2514 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2515diff -urNp linux-3.0.7/arch/powerpc/kernel/traps.c linux-3.0.7/arch/powerpc/kernel/traps.c
2516--- linux-3.0.7/arch/powerpc/kernel/traps.c 2011-07-21 22:17:23.000000000 -0400
2517+++ linux-3.0.7/arch/powerpc/kernel/traps.c 2011-08-23 21:48:14.000000000 -0400
2518@@ -98,6 +98,8 @@ static void pmac_backlight_unblank(void)
2519 static inline void pmac_backlight_unblank(void) { }
2520 #endif
2521
2522+extern void gr_handle_kernel_exploit(void);
2523+
2524 int die(const char *str, struct pt_regs *regs, long err)
2525 {
2526 static struct {
2527@@ -171,6 +173,8 @@ int die(const char *str, struct pt_regs
2528 if (panic_on_oops)
2529 panic("Fatal exception");
2530
2531+ gr_handle_kernel_exploit();
2532+
2533 oops_exit();
2534 do_exit(err);
2535
2536diff -urNp linux-3.0.7/arch/powerpc/kernel/vdso.c linux-3.0.7/arch/powerpc/kernel/vdso.c
2537--- linux-3.0.7/arch/powerpc/kernel/vdso.c 2011-07-21 22:17:23.000000000 -0400
2538+++ linux-3.0.7/arch/powerpc/kernel/vdso.c 2011-08-23 21:47:55.000000000 -0400
2539@@ -36,6 +36,7 @@
2540 #include <asm/firmware.h>
2541 #include <asm/vdso.h>
2542 #include <asm/vdso_datapage.h>
2543+#include <asm/mman.h>
2544
2545 #include "setup.h"
2546
2547@@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2548 vdso_base = VDSO32_MBASE;
2549 #endif
2550
2551- current->mm->context.vdso_base = 0;
2552+ current->mm->context.vdso_base = ~0UL;
2553
2554 /* vDSO has a problem and was disabled, just don't "enable" it for the
2555 * process
2556@@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2557 vdso_base = get_unmapped_area(NULL, vdso_base,
2558 (vdso_pages << PAGE_SHIFT) +
2559 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2560- 0, 0);
2561+ 0, MAP_PRIVATE | MAP_EXECUTABLE);
2562 if (IS_ERR_VALUE(vdso_base)) {
2563 rc = vdso_base;
2564 goto fail_mmapsem;
2565diff -urNp linux-3.0.7/arch/powerpc/lib/usercopy_64.c linux-3.0.7/arch/powerpc/lib/usercopy_64.c
2566--- linux-3.0.7/arch/powerpc/lib/usercopy_64.c 2011-07-21 22:17:23.000000000 -0400
2567+++ linux-3.0.7/arch/powerpc/lib/usercopy_64.c 2011-08-23 21:47:55.000000000 -0400
2568@@ -9,22 +9,6 @@
2569 #include <linux/module.h>
2570 #include <asm/uaccess.h>
2571
2572-unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2573-{
2574- if (likely(access_ok(VERIFY_READ, from, n)))
2575- n = __copy_from_user(to, from, n);
2576- else
2577- memset(to, 0, n);
2578- return n;
2579-}
2580-
2581-unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2582-{
2583- if (likely(access_ok(VERIFY_WRITE, to, n)))
2584- n = __copy_to_user(to, from, n);
2585- return n;
2586-}
2587-
2588 unsigned long copy_in_user(void __user *to, const void __user *from,
2589 unsigned long n)
2590 {
2591@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2592 return n;
2593 }
2594
2595-EXPORT_SYMBOL(copy_from_user);
2596-EXPORT_SYMBOL(copy_to_user);
2597 EXPORT_SYMBOL(copy_in_user);
2598
2599diff -urNp linux-3.0.7/arch/powerpc/mm/fault.c linux-3.0.7/arch/powerpc/mm/fault.c
2600--- linux-3.0.7/arch/powerpc/mm/fault.c 2011-07-21 22:17:23.000000000 -0400
2601+++ linux-3.0.7/arch/powerpc/mm/fault.c 2011-08-23 21:47:55.000000000 -0400
2602@@ -32,6 +32,10 @@
2603 #include <linux/perf_event.h>
2604 #include <linux/magic.h>
2605 #include <linux/ratelimit.h>
2606+#include <linux/slab.h>
2607+#include <linux/pagemap.h>
2608+#include <linux/compiler.h>
2609+#include <linux/unistd.h>
2610
2611 #include <asm/firmware.h>
2612 #include <asm/page.h>
2613@@ -43,6 +47,7 @@
2614 #include <asm/tlbflush.h>
2615 #include <asm/siginfo.h>
2616 #include <mm/mmu_decl.h>
2617+#include <asm/ptrace.h>
2618
2619 #ifdef CONFIG_KPROBES
2620 static inline int notify_page_fault(struct pt_regs *regs)
2621@@ -66,6 +71,33 @@ static inline int notify_page_fault(stru
2622 }
2623 #endif
2624
2625+#ifdef CONFIG_PAX_PAGEEXEC
2626+/*
2627+ * PaX: decide what to do with offenders (regs->nip = fault address)
2628+ *
2629+ * returns 1 when task should be killed
2630+ */
2631+static int pax_handle_fetch_fault(struct pt_regs *regs)
2632+{
2633+ return 1;
2634+}
2635+
2636+void pax_report_insns(void *pc, void *sp)
2637+{
2638+ unsigned long i;
2639+
2640+ printk(KERN_ERR "PAX: bytes at PC: ");
2641+ for (i = 0; i < 5; i++) {
2642+ unsigned int c;
2643+ if (get_user(c, (unsigned int __user *)pc+i))
2644+ printk(KERN_CONT "???????? ");
2645+ else
2646+ printk(KERN_CONT "%08x ", c);
2647+ }
2648+ printk("\n");
2649+}
2650+#endif
2651+
2652 /*
2653 * Check whether the instruction at regs->nip is a store using
2654 * an update addressing form which will update r1.
2655@@ -136,7 +168,7 @@ int __kprobes do_page_fault(struct pt_re
2656 * indicate errors in DSISR but can validly be set in SRR1.
2657 */
2658 if (trap == 0x400)
2659- error_code &= 0x48200000;
2660+ error_code &= 0x58200000;
2661 else
2662 is_write = error_code & DSISR_ISSTORE;
2663 #else
2664@@ -259,7 +291,7 @@ good_area:
2665 * "undefined". Of those that can be set, this is the only
2666 * one which seems bad.
2667 */
2668- if (error_code & 0x10000000)
2669+ if (error_code & DSISR_GUARDED)
2670 /* Guarded storage error. */
2671 goto bad_area;
2672 #endif /* CONFIG_8xx */
2673@@ -274,7 +306,7 @@ good_area:
2674 * processors use the same I/D cache coherency mechanism
2675 * as embedded.
2676 */
2677- if (error_code & DSISR_PROTFAULT)
2678+ if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2679 goto bad_area;
2680 #endif /* CONFIG_PPC_STD_MMU */
2681
2682@@ -343,6 +375,23 @@ bad_area:
2683 bad_area_nosemaphore:
2684 /* User mode accesses cause a SIGSEGV */
2685 if (user_mode(regs)) {
2686+
2687+#ifdef CONFIG_PAX_PAGEEXEC
2688+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2689+#ifdef CONFIG_PPC_STD_MMU
2690+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2691+#else
2692+ if (is_exec && regs->nip == address) {
2693+#endif
2694+ switch (pax_handle_fetch_fault(regs)) {
2695+ }
2696+
2697+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2698+ do_group_exit(SIGKILL);
2699+ }
2700+ }
2701+#endif
2702+
2703 _exception(SIGSEGV, regs, code, address);
2704 return 0;
2705 }
2706diff -urNp linux-3.0.7/arch/powerpc/mm/mmap_64.c linux-3.0.7/arch/powerpc/mm/mmap_64.c
2707--- linux-3.0.7/arch/powerpc/mm/mmap_64.c 2011-07-21 22:17:23.000000000 -0400
2708+++ linux-3.0.7/arch/powerpc/mm/mmap_64.c 2011-08-23 21:47:55.000000000 -0400
2709@@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2710 */
2711 if (mmap_is_legacy()) {
2712 mm->mmap_base = TASK_UNMAPPED_BASE;
2713+
2714+#ifdef CONFIG_PAX_RANDMMAP
2715+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2716+ mm->mmap_base += mm->delta_mmap;
2717+#endif
2718+
2719 mm->get_unmapped_area = arch_get_unmapped_area;
2720 mm->unmap_area = arch_unmap_area;
2721 } else {
2722 mm->mmap_base = mmap_base();
2723+
2724+#ifdef CONFIG_PAX_RANDMMAP
2725+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2726+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2727+#endif
2728+
2729 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2730 mm->unmap_area = arch_unmap_area_topdown;
2731 }
2732diff -urNp linux-3.0.7/arch/powerpc/mm/slice.c linux-3.0.7/arch/powerpc/mm/slice.c
2733--- linux-3.0.7/arch/powerpc/mm/slice.c 2011-07-21 22:17:23.000000000 -0400
2734+++ linux-3.0.7/arch/powerpc/mm/slice.c 2011-08-23 21:47:55.000000000 -0400
2735@@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2736 if ((mm->task_size - len) < addr)
2737 return 0;
2738 vma = find_vma(mm, addr);
2739- return (!vma || (addr + len) <= vma->vm_start);
2740+ return check_heap_stack_gap(vma, addr, len);
2741 }
2742
2743 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2744@@ -256,7 +256,7 @@ full_search:
2745 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2746 continue;
2747 }
2748- if (!vma || addr + len <= vma->vm_start) {
2749+ if (check_heap_stack_gap(vma, addr, len)) {
2750 /*
2751 * Remember the place where we stopped the search:
2752 */
2753@@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
2754 }
2755 }
2756
2757- addr = mm->mmap_base;
2758- while (addr > len) {
2759+ if (mm->mmap_base < len)
2760+ addr = -ENOMEM;
2761+ else
2762+ addr = mm->mmap_base - len;
2763+
2764+ while (!IS_ERR_VALUE(addr)) {
2765 /* Go down by chunk size */
2766- addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
2767+ addr = _ALIGN_DOWN(addr, 1ul << pshift);
2768
2769 /* Check for hit with different page size */
2770 mask = slice_range_to_mask(addr, len);
2771@@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
2772 * return with success:
2773 */
2774 vma = find_vma(mm, addr);
2775- if (!vma || (addr + len) <= vma->vm_start) {
2776+ if (check_heap_stack_gap(vma, addr, len)) {
2777 /* remember the address as a hint for next time */
2778 if (use_cache)
2779 mm->free_area_cache = addr;
2780@@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
2781 mm->cached_hole_size = vma->vm_start - addr;
2782
2783 /* try just below the current vma->vm_start */
2784- addr = vma->vm_start;
2785+ addr = skip_heap_stack_gap(vma, len);
2786 }
2787
2788 /*
2789@@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
2790 if (fixed && addr > (mm->task_size - len))
2791 return -EINVAL;
2792
2793+#ifdef CONFIG_PAX_RANDMMAP
2794+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2795+ addr = 0;
2796+#endif
2797+
2798 /* If hint, make sure it matches our alignment restrictions */
2799 if (!fixed && addr) {
2800 addr = _ALIGN_UP(addr, 1ul << pshift);
2801diff -urNp linux-3.0.7/arch/s390/include/asm/elf.h linux-3.0.7/arch/s390/include/asm/elf.h
2802--- linux-3.0.7/arch/s390/include/asm/elf.h 2011-07-21 22:17:23.000000000 -0400
2803+++ linux-3.0.7/arch/s390/include/asm/elf.h 2011-08-23 21:47:55.000000000 -0400
2804@@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
2805 the loader. We need to make sure that it is out of the way of the program
2806 that it will "exec", and that there is sufficient room for the brk. */
2807
2808-extern unsigned long randomize_et_dyn(unsigned long base);
2809-#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
2810+#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
2811+
2812+#ifdef CONFIG_PAX_ASLR
2813+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2814+
2815+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2816+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2817+#endif
2818
2819 /* This yields a mask that user programs can use to figure out what
2820 instruction set this CPU supports. */
2821@@ -210,7 +216,4 @@ struct linux_binprm;
2822 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
2823 int arch_setup_additional_pages(struct linux_binprm *, int);
2824
2825-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2826-#define arch_randomize_brk arch_randomize_brk
2827-
2828 #endif
2829diff -urNp linux-3.0.7/arch/s390/include/asm/system.h linux-3.0.7/arch/s390/include/asm/system.h
2830--- linux-3.0.7/arch/s390/include/asm/system.h 2011-07-21 22:17:23.000000000 -0400
2831+++ linux-3.0.7/arch/s390/include/asm/system.h 2011-08-23 21:47:55.000000000 -0400
2832@@ -255,7 +255,7 @@ extern void (*_machine_restart)(char *co
2833 extern void (*_machine_halt)(void);
2834 extern void (*_machine_power_off)(void);
2835
2836-extern unsigned long arch_align_stack(unsigned long sp);
2837+#define arch_align_stack(x) ((x) & ~0xfUL)
2838
2839 static inline int tprot(unsigned long addr)
2840 {
2841diff -urNp linux-3.0.7/arch/s390/include/asm/uaccess.h linux-3.0.7/arch/s390/include/asm/uaccess.h
2842--- linux-3.0.7/arch/s390/include/asm/uaccess.h 2011-07-21 22:17:23.000000000 -0400
2843+++ linux-3.0.7/arch/s390/include/asm/uaccess.h 2011-08-23 21:47:55.000000000 -0400
2844@@ -235,6 +235,10 @@ static inline unsigned long __must_check
2845 copy_to_user(void __user *to, const void *from, unsigned long n)
2846 {
2847 might_fault();
2848+
2849+ if ((long)n < 0)
2850+ return n;
2851+
2852 if (access_ok(VERIFY_WRITE, to, n))
2853 n = __copy_to_user(to, from, n);
2854 return n;
2855@@ -260,6 +264,9 @@ copy_to_user(void __user *to, const void
2856 static inline unsigned long __must_check
2857 __copy_from_user(void *to, const void __user *from, unsigned long n)
2858 {
2859+ if ((long)n < 0)
2860+ return n;
2861+
2862 if (__builtin_constant_p(n) && (n <= 256))
2863 return uaccess.copy_from_user_small(n, from, to);
2864 else
2865@@ -294,6 +301,10 @@ copy_from_user(void *to, const void __us
2866 unsigned int sz = __compiletime_object_size(to);
2867
2868 might_fault();
2869+
2870+ if ((long)n < 0)
2871+ return n;
2872+
2873 if (unlikely(sz != -1 && sz < n)) {
2874 copy_from_user_overflow();
2875 return n;
2876diff -urNp linux-3.0.7/arch/s390/kernel/module.c linux-3.0.7/arch/s390/kernel/module.c
2877--- linux-3.0.7/arch/s390/kernel/module.c 2011-07-21 22:17:23.000000000 -0400
2878+++ linux-3.0.7/arch/s390/kernel/module.c 2011-08-23 21:47:55.000000000 -0400
2879@@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2880
2881 /* Increase core size by size of got & plt and set start
2882 offsets for got and plt. */
2883- me->core_size = ALIGN(me->core_size, 4);
2884- me->arch.got_offset = me->core_size;
2885- me->core_size += me->arch.got_size;
2886- me->arch.plt_offset = me->core_size;
2887- me->core_size += me->arch.plt_size;
2888+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
2889+ me->arch.got_offset = me->core_size_rw;
2890+ me->core_size_rw += me->arch.got_size;
2891+ me->arch.plt_offset = me->core_size_rx;
2892+ me->core_size_rx += me->arch.plt_size;
2893 return 0;
2894 }
2895
2896@@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2897 if (info->got_initialized == 0) {
2898 Elf_Addr *gotent;
2899
2900- gotent = me->module_core + me->arch.got_offset +
2901+ gotent = me->module_core_rw + me->arch.got_offset +
2902 info->got_offset;
2903 *gotent = val;
2904 info->got_initialized = 1;
2905@@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2906 else if (r_type == R_390_GOTENT ||
2907 r_type == R_390_GOTPLTENT)
2908 *(unsigned int *) loc =
2909- (val + (Elf_Addr) me->module_core - loc) >> 1;
2910+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2911 else if (r_type == R_390_GOT64 ||
2912 r_type == R_390_GOTPLT64)
2913 *(unsigned long *) loc = val;
2914@@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2915 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
2916 if (info->plt_initialized == 0) {
2917 unsigned int *ip;
2918- ip = me->module_core + me->arch.plt_offset +
2919+ ip = me->module_core_rx + me->arch.plt_offset +
2920 info->plt_offset;
2921 #ifndef CONFIG_64BIT
2922 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
2923@@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2924 val - loc + 0xffffUL < 0x1ffffeUL) ||
2925 (r_type == R_390_PLT32DBL &&
2926 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
2927- val = (Elf_Addr) me->module_core +
2928+ val = (Elf_Addr) me->module_core_rx +
2929 me->arch.plt_offset +
2930 info->plt_offset;
2931 val += rela->r_addend - loc;
2932@@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2933 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
2934 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
2935 val = val + rela->r_addend -
2936- ((Elf_Addr) me->module_core + me->arch.got_offset);
2937+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
2938 if (r_type == R_390_GOTOFF16)
2939 *(unsigned short *) loc = val;
2940 else if (r_type == R_390_GOTOFF32)
2941@@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2942 break;
2943 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
2944 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
2945- val = (Elf_Addr) me->module_core + me->arch.got_offset +
2946+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
2947 rela->r_addend - loc;
2948 if (r_type == R_390_GOTPC)
2949 *(unsigned int *) loc = val;
2950diff -urNp linux-3.0.7/arch/s390/kernel/process.c linux-3.0.7/arch/s390/kernel/process.c
2951--- linux-3.0.7/arch/s390/kernel/process.c 2011-07-21 22:17:23.000000000 -0400
2952+++ linux-3.0.7/arch/s390/kernel/process.c 2011-08-23 21:47:55.000000000 -0400
2953@@ -319,39 +319,3 @@ unsigned long get_wchan(struct task_stru
2954 }
2955 return 0;
2956 }
2957-
2958-unsigned long arch_align_stack(unsigned long sp)
2959-{
2960- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2961- sp -= get_random_int() & ~PAGE_MASK;
2962- return sp & ~0xf;
2963-}
2964-
2965-static inline unsigned long brk_rnd(void)
2966-{
2967- /* 8MB for 32bit, 1GB for 64bit */
2968- if (is_32bit_task())
2969- return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
2970- else
2971- return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
2972-}
2973-
2974-unsigned long arch_randomize_brk(struct mm_struct *mm)
2975-{
2976- unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
2977-
2978- if (ret < mm->brk)
2979- return mm->brk;
2980- return ret;
2981-}
2982-
2983-unsigned long randomize_et_dyn(unsigned long base)
2984-{
2985- unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2986-
2987- if (!(current->flags & PF_RANDOMIZE))
2988- return base;
2989- if (ret < base)
2990- return base;
2991- return ret;
2992-}
2993diff -urNp linux-3.0.7/arch/s390/kernel/setup.c linux-3.0.7/arch/s390/kernel/setup.c
2994--- linux-3.0.7/arch/s390/kernel/setup.c 2011-07-21 22:17:23.000000000 -0400
2995+++ linux-3.0.7/arch/s390/kernel/setup.c 2011-08-23 21:47:55.000000000 -0400
2996@@ -271,7 +271,7 @@ static int __init early_parse_mem(char *
2997 }
2998 early_param("mem", early_parse_mem);
2999
3000-unsigned int user_mode = HOME_SPACE_MODE;
3001+unsigned int user_mode = SECONDARY_SPACE_MODE;
3002 EXPORT_SYMBOL_GPL(user_mode);
3003
3004 static int set_amode_and_uaccess(unsigned long user_amode,
3005diff -urNp linux-3.0.7/arch/s390/mm/mmap.c linux-3.0.7/arch/s390/mm/mmap.c
3006--- linux-3.0.7/arch/s390/mm/mmap.c 2011-07-21 22:17:23.000000000 -0400
3007+++ linux-3.0.7/arch/s390/mm/mmap.c 2011-08-23 21:47:55.000000000 -0400
3008@@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
3009 */
3010 if (mmap_is_legacy()) {
3011 mm->mmap_base = TASK_UNMAPPED_BASE;
3012+
3013+#ifdef CONFIG_PAX_RANDMMAP
3014+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3015+ mm->mmap_base += mm->delta_mmap;
3016+#endif
3017+
3018 mm->get_unmapped_area = arch_get_unmapped_area;
3019 mm->unmap_area = arch_unmap_area;
3020 } else {
3021 mm->mmap_base = mmap_base();
3022+
3023+#ifdef CONFIG_PAX_RANDMMAP
3024+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3025+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3026+#endif
3027+
3028 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3029 mm->unmap_area = arch_unmap_area_topdown;
3030 }
3031@@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
3032 */
3033 if (mmap_is_legacy()) {
3034 mm->mmap_base = TASK_UNMAPPED_BASE;
3035+
3036+#ifdef CONFIG_PAX_RANDMMAP
3037+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3038+ mm->mmap_base += mm->delta_mmap;
3039+#endif
3040+
3041 mm->get_unmapped_area = s390_get_unmapped_area;
3042 mm->unmap_area = arch_unmap_area;
3043 } else {
3044 mm->mmap_base = mmap_base();
3045+
3046+#ifdef CONFIG_PAX_RANDMMAP
3047+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3048+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3049+#endif
3050+
3051 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3052 mm->unmap_area = arch_unmap_area_topdown;
3053 }
3054diff -urNp linux-3.0.7/arch/score/include/asm/system.h linux-3.0.7/arch/score/include/asm/system.h
3055--- linux-3.0.7/arch/score/include/asm/system.h 2011-07-21 22:17:23.000000000 -0400
3056+++ linux-3.0.7/arch/score/include/asm/system.h 2011-08-23 21:47:55.000000000 -0400
3057@@ -17,7 +17,7 @@ do { \
3058 #define finish_arch_switch(prev) do {} while (0)
3059
3060 typedef void (*vi_handler_t)(void);
3061-extern unsigned long arch_align_stack(unsigned long sp);
3062+#define arch_align_stack(x) (x)
3063
3064 #define mb() barrier()
3065 #define rmb() barrier()
3066diff -urNp linux-3.0.7/arch/score/kernel/process.c linux-3.0.7/arch/score/kernel/process.c
3067--- linux-3.0.7/arch/score/kernel/process.c 2011-07-21 22:17:23.000000000 -0400
3068+++ linux-3.0.7/arch/score/kernel/process.c 2011-08-23 21:47:55.000000000 -0400
3069@@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3070
3071 return task_pt_regs(task)->cp0_epc;
3072 }
3073-
3074-unsigned long arch_align_stack(unsigned long sp)
3075-{
3076- return sp;
3077-}
3078diff -urNp linux-3.0.7/arch/sh/mm/mmap.c linux-3.0.7/arch/sh/mm/mmap.c
3079--- linux-3.0.7/arch/sh/mm/mmap.c 2011-07-21 22:17:23.000000000 -0400
3080+++ linux-3.0.7/arch/sh/mm/mmap.c 2011-08-23 21:47:55.000000000 -0400
3081@@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3082 addr = PAGE_ALIGN(addr);
3083
3084 vma = find_vma(mm, addr);
3085- if (TASK_SIZE - len >= addr &&
3086- (!vma || addr + len <= vma->vm_start))
3087+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3088 return addr;
3089 }
3090
3091@@ -106,7 +105,7 @@ full_search:
3092 }
3093 return -ENOMEM;
3094 }
3095- if (likely(!vma || addr + len <= vma->vm_start)) {
3096+ if (likely(check_heap_stack_gap(vma, addr, len))) {
3097 /*
3098 * Remember the place where we stopped the search:
3099 */
3100@@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3101 addr = PAGE_ALIGN(addr);
3102
3103 vma = find_vma(mm, addr);
3104- if (TASK_SIZE - len >= addr &&
3105- (!vma || addr + len <= vma->vm_start))
3106+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3107 return addr;
3108 }
3109
3110@@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3111 /* make sure it can fit in the remaining address space */
3112 if (likely(addr > len)) {
3113 vma = find_vma(mm, addr-len);
3114- if (!vma || addr <= vma->vm_start) {
3115+ if (check_heap_stack_gap(vma, addr - len, len)) {
3116 /* remember the address as a hint for next time */
3117 return (mm->free_area_cache = addr-len);
3118 }
3119@@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3120 if (unlikely(mm->mmap_base < len))
3121 goto bottomup;
3122
3123- addr = mm->mmap_base-len;
3124- if (do_colour_align)
3125- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3126+ addr = mm->mmap_base - len;
3127
3128 do {
3129+ if (do_colour_align)
3130+ addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3131 /*
3132 * Lookup failure means no vma is above this address,
3133 * else if new region fits below vma->vm_start,
3134 * return with success:
3135 */
3136 vma = find_vma(mm, addr);
3137- if (likely(!vma || addr+len <= vma->vm_start)) {
3138+ if (likely(check_heap_stack_gap(vma, addr, len))) {
3139 /* remember the address as a hint for next time */
3140 return (mm->free_area_cache = addr);
3141 }
3142@@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3143 mm->cached_hole_size = vma->vm_start - addr;
3144
3145 /* try just below the current vma->vm_start */
3146- addr = vma->vm_start-len;
3147- if (do_colour_align)
3148- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3149- } while (likely(len < vma->vm_start));
3150+ addr = skip_heap_stack_gap(vma, len);
3151+ } while (!IS_ERR_VALUE(addr));
3152
3153 bottomup:
3154 /*
3155diff -urNp linux-3.0.7/arch/sparc/Makefile linux-3.0.7/arch/sparc/Makefile
3156--- linux-3.0.7/arch/sparc/Makefile 2011-07-21 22:17:23.000000000 -0400
3157+++ linux-3.0.7/arch/sparc/Makefile 2011-08-23 21:48:14.000000000 -0400
3158@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
3159 # Export what is needed by arch/sparc/boot/Makefile
3160 export VMLINUX_INIT VMLINUX_MAIN
3161 VMLINUX_INIT := $(head-y) $(init-y)
3162-VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
3163+VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
3164 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
3165 VMLINUX_MAIN += $(drivers-y) $(net-y)
3166
3167diff -urNp linux-3.0.7/arch/sparc/include/asm/atomic_64.h linux-3.0.7/arch/sparc/include/asm/atomic_64.h
3168--- linux-3.0.7/arch/sparc/include/asm/atomic_64.h 2011-07-21 22:17:23.000000000 -0400
3169+++ linux-3.0.7/arch/sparc/include/asm/atomic_64.h 2011-08-23 21:48:14.000000000 -0400
3170@@ -14,18 +14,40 @@
3171 #define ATOMIC64_INIT(i) { (i) }
3172
3173 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3174+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3175+{
3176+ return v->counter;
3177+}
3178 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3179+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3180+{
3181+ return v->counter;
3182+}
3183
3184 #define atomic_set(v, i) (((v)->counter) = i)
3185+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3186+{
3187+ v->counter = i;
3188+}
3189 #define atomic64_set(v, i) (((v)->counter) = i)
3190+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3191+{
3192+ v->counter = i;
3193+}
3194
3195 extern void atomic_add(int, atomic_t *);
3196+extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3197 extern void atomic64_add(long, atomic64_t *);
3198+extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3199 extern void atomic_sub(int, atomic_t *);
3200+extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3201 extern void atomic64_sub(long, atomic64_t *);
3202+extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3203
3204 extern int atomic_add_ret(int, atomic_t *);
3205+extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3206 extern long atomic64_add_ret(long, atomic64_t *);
3207+extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3208 extern int atomic_sub_ret(int, atomic_t *);
3209 extern long atomic64_sub_ret(long, atomic64_t *);
3210
3211@@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomi
3212 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3213
3214 #define atomic_inc_return(v) atomic_add_ret(1, v)
3215+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3216+{
3217+ return atomic_add_ret_unchecked(1, v);
3218+}
3219 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3220+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3221+{
3222+ return atomic64_add_ret_unchecked(1, v);
3223+}
3224
3225 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3226 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3227
3228 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3229+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3230+{
3231+ return atomic_add_ret_unchecked(i, v);
3232+}
3233 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3234+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
3235+{
3236+ return atomic64_add_ret_unchecked(i, v);
3237+}
3238
3239 /*
3240 * atomic_inc_and_test - increment and test
3241@@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomi
3242 * other cases.
3243 */
3244 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
3245+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
3246+{
3247+ return atomic_inc_return_unchecked(v) == 0;
3248+}
3249 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
3250
3251 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
3252@@ -59,30 +101,65 @@ extern long atomic64_sub_ret(long, atomi
3253 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3254
3255 #define atomic_inc(v) atomic_add(1, v)
3256+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3257+{
3258+ atomic_add_unchecked(1, v);
3259+}
3260 #define atomic64_inc(v) atomic64_add(1, v)
3261+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3262+{
3263+ atomic64_add_unchecked(1, v);
3264+}
3265
3266 #define atomic_dec(v) atomic_sub(1, v)
3267+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3268+{
3269+ atomic_sub_unchecked(1, v);
3270+}
3271 #define atomic64_dec(v) atomic64_sub(1, v)
3272+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3273+{
3274+ atomic64_sub_unchecked(1, v);
3275+}
3276
3277 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3278 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3279
3280 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3281+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
3282+{
3283+ return cmpxchg(&v->counter, old, new);
3284+}
3285 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
3286+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
3287+{
3288+ return xchg(&v->counter, new);
3289+}
3290
3291 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3292 {
3293- int c, old;
3294+ int c, old, new;
3295 c = atomic_read(v);
3296 for (;;) {
3297- if (unlikely(c == (u)))
3298+ if (unlikely(c == u))
3299 break;
3300- old = atomic_cmpxchg((v), c, c + (a));
3301+
3302+ asm volatile("addcc %2, %0, %0\n"
3303+
3304+#ifdef CONFIG_PAX_REFCOUNT
3305+ "tvs %%icc, 6\n"
3306+#endif
3307+
3308+ : "=r" (new)
3309+ : "0" (c), "ir" (a)
3310+ : "cc");
3311+
3312+ old = atomic_cmpxchg(v, c, new);
3313 if (likely(old == c))
3314 break;
3315 c = old;
3316 }
3317- return c != (u);
3318+ return c != u;
3319 }
3320
3321 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3322@@ -90,20 +167,35 @@ static inline int atomic_add_unless(atom
3323 #define atomic64_cmpxchg(v, o, n) \
3324 ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
3325 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
3326+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
3327+{
3328+ return xchg(&v->counter, new);
3329+}
3330
3331 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3332 {
3333- long c, old;
3334+ long c, old, new;
3335 c = atomic64_read(v);
3336 for (;;) {
3337- if (unlikely(c == (u)))
3338+ if (unlikely(c == u))
3339 break;
3340- old = atomic64_cmpxchg((v), c, c + (a));
3341+
3342+ asm volatile("addcc %2, %0, %0\n"
3343+
3344+#ifdef CONFIG_PAX_REFCOUNT
3345+ "tvs %%xcc, 6\n"
3346+#endif
3347+
3348+ : "=r" (new)
3349+ : "0" (c), "ir" (a)
3350+ : "cc");
3351+
3352+ old = atomic64_cmpxchg(v, c, new);
3353 if (likely(old == c))
3354 break;
3355 c = old;
3356 }
3357- return c != (u);
3358+ return c != u;
3359 }
3360
3361 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3362diff -urNp linux-3.0.7/arch/sparc/include/asm/cache.h linux-3.0.7/arch/sparc/include/asm/cache.h
3363--- linux-3.0.7/arch/sparc/include/asm/cache.h 2011-07-21 22:17:23.000000000 -0400
3364+++ linux-3.0.7/arch/sparc/include/asm/cache.h 2011-08-23 21:47:55.000000000 -0400
3365@@ -10,7 +10,7 @@
3366 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
3367
3368 #define L1_CACHE_SHIFT 5
3369-#define L1_CACHE_BYTES 32
3370+#define L1_CACHE_BYTES 32UL
3371
3372 #ifdef CONFIG_SPARC32
3373 #define SMP_CACHE_BYTES_SHIFT 5
3374diff -urNp linux-3.0.7/arch/sparc/include/asm/elf_32.h linux-3.0.7/arch/sparc/include/asm/elf_32.h
3375--- linux-3.0.7/arch/sparc/include/asm/elf_32.h 2011-07-21 22:17:23.000000000 -0400
3376+++ linux-3.0.7/arch/sparc/include/asm/elf_32.h 2011-08-23 21:47:55.000000000 -0400
3377@@ -114,6 +114,13 @@ typedef struct {
3378
3379 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3380
3381+#ifdef CONFIG_PAX_ASLR
3382+#define PAX_ELF_ET_DYN_BASE 0x10000UL
3383+
3384+#define PAX_DELTA_MMAP_LEN 16
3385+#define PAX_DELTA_STACK_LEN 16
3386+#endif
3387+
3388 /* This yields a mask that user programs can use to figure out what
3389 instruction set this cpu supports. This can NOT be done in userspace
3390 on Sparc. */
3391diff -urNp linux-3.0.7/arch/sparc/include/asm/elf_64.h linux-3.0.7/arch/sparc/include/asm/elf_64.h
3392--- linux-3.0.7/arch/sparc/include/asm/elf_64.h 2011-09-02 18:11:21.000000000 -0400
3393+++ linux-3.0.7/arch/sparc/include/asm/elf_64.h 2011-08-23 21:47:55.000000000 -0400
3394@@ -180,6 +180,13 @@ typedef struct {
3395 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3396 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3397
3398+#ifdef CONFIG_PAX_ASLR
3399+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3400+
3401+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3402+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3403+#endif
3404+
3405 extern unsigned long sparc64_elf_hwcap;
3406 #define ELF_HWCAP sparc64_elf_hwcap
3407
3408diff -urNp linux-3.0.7/arch/sparc/include/asm/pgtable_32.h linux-3.0.7/arch/sparc/include/asm/pgtable_32.h
3409--- linux-3.0.7/arch/sparc/include/asm/pgtable_32.h 2011-07-21 22:17:23.000000000 -0400
3410+++ linux-3.0.7/arch/sparc/include/asm/pgtable_32.h 2011-08-23 21:47:55.000000000 -0400
3411@@ -45,6 +45,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3412 BTFIXUPDEF_INT(page_none)
3413 BTFIXUPDEF_INT(page_copy)
3414 BTFIXUPDEF_INT(page_readonly)
3415+
3416+#ifdef CONFIG_PAX_PAGEEXEC
3417+BTFIXUPDEF_INT(page_shared_noexec)
3418+BTFIXUPDEF_INT(page_copy_noexec)
3419+BTFIXUPDEF_INT(page_readonly_noexec)
3420+#endif
3421+
3422 BTFIXUPDEF_INT(page_kernel)
3423
3424 #define PMD_SHIFT SUN4C_PMD_SHIFT
3425@@ -66,6 +73,16 @@ extern pgprot_t PAGE_SHARED;
3426 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3427 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3428
3429+#ifdef CONFIG_PAX_PAGEEXEC
3430+extern pgprot_t PAGE_SHARED_NOEXEC;
3431+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3432+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3433+#else
3434+# define PAGE_SHARED_NOEXEC PAGE_SHARED
3435+# define PAGE_COPY_NOEXEC PAGE_COPY
3436+# define PAGE_READONLY_NOEXEC PAGE_READONLY
3437+#endif
3438+
3439 extern unsigned long page_kernel;
3440
3441 #ifdef MODULE
3442diff -urNp linux-3.0.7/arch/sparc/include/asm/pgtsrmmu.h linux-3.0.7/arch/sparc/include/asm/pgtsrmmu.h
3443--- linux-3.0.7/arch/sparc/include/asm/pgtsrmmu.h 2011-07-21 22:17:23.000000000 -0400
3444+++ linux-3.0.7/arch/sparc/include/asm/pgtsrmmu.h 2011-08-23 21:47:55.000000000 -0400
3445@@ -115,6 +115,13 @@
3446 SRMMU_EXEC | SRMMU_REF)
3447 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3448 SRMMU_EXEC | SRMMU_REF)
3449+
3450+#ifdef CONFIG_PAX_PAGEEXEC
3451+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3452+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3453+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3454+#endif
3455+
3456 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3457 SRMMU_DIRTY | SRMMU_REF)
3458
3459diff -urNp linux-3.0.7/arch/sparc/include/asm/spinlock_64.h linux-3.0.7/arch/sparc/include/asm/spinlock_64.h
3460--- linux-3.0.7/arch/sparc/include/asm/spinlock_64.h 2011-10-16 21:54:53.000000000 -0400
3461+++ linux-3.0.7/arch/sparc/include/asm/spinlock_64.h 2011-10-16 21:55:27.000000000 -0400
3462@@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(
3463
3464 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
3465
3466-static void inline arch_read_lock(arch_rwlock_t *lock)
3467+static inline void arch_read_lock(arch_rwlock_t *lock)
3468 {
3469 unsigned long tmp1, tmp2;
3470
3471 __asm__ __volatile__ (
3472 "1: ldsw [%2], %0\n"
3473 " brlz,pn %0, 2f\n"
3474-"4: add %0, 1, %1\n"
3475+"4: addcc %0, 1, %1\n"
3476+
3477+#ifdef CONFIG_PAX_REFCOUNT
3478+" tvs %%icc, 6\n"
3479+#endif
3480+
3481 " cas [%2], %0, %1\n"
3482 " cmp %0, %1\n"
3483 " bne,pn %%icc, 1b\n"
3484@@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r
3485 " .previous"
3486 : "=&r" (tmp1), "=&r" (tmp2)
3487 : "r" (lock)
3488- : "memory");
3489+ : "memory", "cc");
3490 }
3491
3492-static int inline arch_read_trylock(arch_rwlock_t *lock)
3493+static inline int arch_read_trylock(arch_rwlock_t *lock)
3494 {
3495 int tmp1, tmp2;
3496
3497@@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3498 "1: ldsw [%2], %0\n"
3499 " brlz,a,pn %0, 2f\n"
3500 " mov 0, %0\n"
3501-" add %0, 1, %1\n"
3502+" addcc %0, 1, %1\n"
3503+
3504+#ifdef CONFIG_PAX_REFCOUNT
3505+" tvs %%icc, 6\n"
3506+#endif
3507+
3508 " cas [%2], %0, %1\n"
3509 " cmp %0, %1\n"
3510 " bne,pn %%icc, 1b\n"
3511@@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch
3512 return tmp1;
3513 }
3514
3515-static void inline arch_read_unlock(arch_rwlock_t *lock)
3516+static inline void arch_read_unlock(arch_rwlock_t *lock)
3517 {
3518 unsigned long tmp1, tmp2;
3519
3520 __asm__ __volatile__(
3521 "1: lduw [%2], %0\n"
3522-" sub %0, 1, %1\n"
3523+" subcc %0, 1, %1\n"
3524+
3525+#ifdef CONFIG_PAX_REFCOUNT
3526+" tvs %%icc, 6\n"
3527+#endif
3528+
3529 " cas [%2], %0, %1\n"
3530 " cmp %0, %1\n"
3531 " bne,pn %%xcc, 1b\n"
3532@@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch
3533 : "memory");
3534 }
3535
3536-static void inline arch_write_lock(arch_rwlock_t *lock)
3537+static inline void arch_write_lock(arch_rwlock_t *lock)
3538 {
3539 unsigned long mask, tmp1, tmp2;
3540
3541@@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_
3542 : "memory");
3543 }
3544
3545-static void inline arch_write_unlock(arch_rwlock_t *lock)
3546+static inline void arch_write_unlock(arch_rwlock_t *lock)
3547 {
3548 __asm__ __volatile__(
3549 " stw %%g0, [%0]"
3550@@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc
3551 : "memory");
3552 }
3553
3554-static int inline arch_write_trylock(arch_rwlock_t *lock)
3555+static inline int arch_write_trylock(arch_rwlock_t *lock)
3556 {
3557 unsigned long mask, tmp1, tmp2, result;
3558
3559diff -urNp linux-3.0.7/arch/sparc/include/asm/thread_info_32.h linux-3.0.7/arch/sparc/include/asm/thread_info_32.h
3560--- linux-3.0.7/arch/sparc/include/asm/thread_info_32.h 2011-07-21 22:17:23.000000000 -0400
3561+++ linux-3.0.7/arch/sparc/include/asm/thread_info_32.h 2011-08-23 21:47:55.000000000 -0400
3562@@ -50,6 +50,8 @@ struct thread_info {
3563 unsigned long w_saved;
3564
3565 struct restart_block restart_block;
3566+
3567+ unsigned long lowest_stack;
3568 };
3569
3570 /*
3571diff -urNp linux-3.0.7/arch/sparc/include/asm/thread_info_64.h linux-3.0.7/arch/sparc/include/asm/thread_info_64.h
3572--- linux-3.0.7/arch/sparc/include/asm/thread_info_64.h 2011-07-21 22:17:23.000000000 -0400
3573+++ linux-3.0.7/arch/sparc/include/asm/thread_info_64.h 2011-08-23 21:47:55.000000000 -0400
3574@@ -63,6 +63,8 @@ struct thread_info {
3575 struct pt_regs *kern_una_regs;
3576 unsigned int kern_una_insn;
3577
3578+ unsigned long lowest_stack;
3579+
3580 unsigned long fpregs[0] __attribute__ ((aligned(64)));
3581 };
3582
3583diff -urNp linux-3.0.7/arch/sparc/include/asm/uaccess.h linux-3.0.7/arch/sparc/include/asm/uaccess.h
3584--- linux-3.0.7/arch/sparc/include/asm/uaccess.h 2011-07-21 22:17:23.000000000 -0400
3585+++ linux-3.0.7/arch/sparc/include/asm/uaccess.h 2011-08-23 21:47:55.000000000 -0400
3586@@ -1,5 +1,13 @@
3587 #ifndef ___ASM_SPARC_UACCESS_H
3588 #define ___ASM_SPARC_UACCESS_H
3589+
3590+#ifdef __KERNEL__
3591+#ifndef __ASSEMBLY__
3592+#include <linux/types.h>
3593+extern void check_object_size(const void *ptr, unsigned long n, bool to);
3594+#endif
3595+#endif
3596+
3597 #if defined(__sparc__) && defined(__arch64__)
3598 #include <asm/uaccess_64.h>
3599 #else
3600diff -urNp linux-3.0.7/arch/sparc/include/asm/uaccess_32.h linux-3.0.7/arch/sparc/include/asm/uaccess_32.h
3601--- linux-3.0.7/arch/sparc/include/asm/uaccess_32.h 2011-07-21 22:17:23.000000000 -0400
3602+++ linux-3.0.7/arch/sparc/include/asm/uaccess_32.h 2011-08-23 21:47:55.000000000 -0400
3603@@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3604
3605 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3606 {
3607- if (n && __access_ok((unsigned long) to, n))
3608+ if ((long)n < 0)
3609+ return n;
3610+
3611+ if (n && __access_ok((unsigned long) to, n)) {
3612+ if (!__builtin_constant_p(n))
3613+ check_object_size(from, n, true);
3614 return __copy_user(to, (__force void __user *) from, n);
3615- else
3616+ } else
3617 return n;
3618 }
3619
3620 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3621 {
3622+ if ((long)n < 0)
3623+ return n;
3624+
3625+ if (!__builtin_constant_p(n))
3626+ check_object_size(from, n, true);
3627+
3628 return __copy_user(to, (__force void __user *) from, n);
3629 }
3630
3631 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3632 {
3633- if (n && __access_ok((unsigned long) from, n))
3634+ if ((long)n < 0)
3635+ return n;
3636+
3637+ if (n && __access_ok((unsigned long) from, n)) {
3638+ if (!__builtin_constant_p(n))
3639+ check_object_size(to, n, false);
3640 return __copy_user((__force void __user *) to, from, n);
3641- else
3642+ } else
3643 return n;
3644 }
3645
3646 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3647 {
3648+ if ((long)n < 0)
3649+ return n;
3650+
3651 return __copy_user((__force void __user *) to, from, n);
3652 }
3653
3654diff -urNp linux-3.0.7/arch/sparc/include/asm/uaccess_64.h linux-3.0.7/arch/sparc/include/asm/uaccess_64.h
3655--- linux-3.0.7/arch/sparc/include/asm/uaccess_64.h 2011-07-21 22:17:23.000000000 -0400
3656+++ linux-3.0.7/arch/sparc/include/asm/uaccess_64.h 2011-08-23 21:47:55.000000000 -0400
3657@@ -10,6 +10,7 @@
3658 #include <linux/compiler.h>
3659 #include <linux/string.h>
3660 #include <linux/thread_info.h>
3661+#include <linux/kernel.h>
3662 #include <asm/asi.h>
3663 #include <asm/system.h>
3664 #include <asm/spitfire.h>
3665@@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
3666 static inline unsigned long __must_check
3667 copy_from_user(void *to, const void __user *from, unsigned long size)
3668 {
3669- unsigned long ret = ___copy_from_user(to, from, size);
3670+ unsigned long ret;
3671
3672+ if ((long)size < 0 || size > INT_MAX)
3673+ return size;
3674+
3675+ if (!__builtin_constant_p(size))
3676+ check_object_size(to, size, false);
3677+
3678+ ret = ___copy_from_user(to, from, size);
3679 if (unlikely(ret))
3680 ret = copy_from_user_fixup(to, from, size);
3681
3682@@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
3683 static inline unsigned long __must_check
3684 copy_to_user(void __user *to, const void *from, unsigned long size)
3685 {
3686- unsigned long ret = ___copy_to_user(to, from, size);
3687+ unsigned long ret;
3688+
3689+ if ((long)size < 0 || size > INT_MAX)
3690+ return size;
3691+
3692+ if (!__builtin_constant_p(size))
3693+ check_object_size(from, size, true);
3694
3695+ ret = ___copy_to_user(to, from, size);
3696 if (unlikely(ret))
3697 ret = copy_to_user_fixup(to, from, size);
3698 return ret;
3699diff -urNp linux-3.0.7/arch/sparc/kernel/Makefile linux-3.0.7/arch/sparc/kernel/Makefile
3700--- linux-3.0.7/arch/sparc/kernel/Makefile 2011-10-16 21:54:53.000000000 -0400
3701+++ linux-3.0.7/arch/sparc/kernel/Makefile 2011-10-16 21:55:27.000000000 -0400
3702@@ -3,7 +3,7 @@
3703 #
3704
3705 asflags-y := -ansi
3706-ccflags-y := -Werror
3707+#ccflags-y := -Werror
3708
3709 extra-y := head_$(BITS).o
3710 extra-y += init_task.o
3711diff -urNp linux-3.0.7/arch/sparc/kernel/process_32.c linux-3.0.7/arch/sparc/kernel/process_32.c
3712--- linux-3.0.7/arch/sparc/kernel/process_32.c 2011-07-21 22:17:23.000000000 -0400
3713+++ linux-3.0.7/arch/sparc/kernel/process_32.c 2011-08-23 21:48:14.000000000 -0400
3714@@ -204,7 +204,7 @@ void __show_backtrace(unsigned long fp)
3715 rw->ins[4], rw->ins[5],
3716 rw->ins[6],
3717 rw->ins[7]);
3718- printk("%pS\n", (void *) rw->ins[7]);
3719+ printk("%pA\n", (void *) rw->ins[7]);
3720 rw = (struct reg_window32 *) rw->ins[6];
3721 }
3722 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
3723@@ -271,14 +271,14 @@ void show_regs(struct pt_regs *r)
3724
3725 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
3726 r->psr, r->pc, r->npc, r->y, print_tainted());
3727- printk("PC: <%pS>\n", (void *) r->pc);
3728+ printk("PC: <%pA>\n", (void *) r->pc);
3729 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
3730 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
3731 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
3732 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
3733 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
3734 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
3735- printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
3736+ printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
3737
3738 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
3739 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
3740@@ -313,7 +313,7 @@ void show_stack(struct task_struct *tsk,
3741 rw = (struct reg_window32 *) fp;
3742 pc = rw->ins[7];
3743 printk("[%08lx : ", pc);
3744- printk("%pS ] ", (void *) pc);
3745+ printk("%pA ] ", (void *) pc);
3746 fp = rw->ins[6];
3747 } while (++count < 16);
3748 printk("\n");
3749diff -urNp linux-3.0.7/arch/sparc/kernel/process_64.c linux-3.0.7/arch/sparc/kernel/process_64.c
3750--- linux-3.0.7/arch/sparc/kernel/process_64.c 2011-07-21 22:17:23.000000000 -0400
3751+++ linux-3.0.7/arch/sparc/kernel/process_64.c 2011-08-23 21:48:14.000000000 -0400
3752@@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
3753 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
3754 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
3755 if (regs->tstate & TSTATE_PRIV)
3756- printk("I7: <%pS>\n", (void *) rwk->ins[7]);
3757+ printk("I7: <%pA>\n", (void *) rwk->ins[7]);
3758 }
3759
3760 void show_regs(struct pt_regs *regs)
3761 {
3762 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
3763 regs->tpc, regs->tnpc, regs->y, print_tainted());
3764- printk("TPC: <%pS>\n", (void *) regs->tpc);
3765+ printk("TPC: <%pA>\n", (void *) regs->tpc);
3766 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
3767 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
3768 regs->u_regs[3]);
3769@@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
3770 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
3771 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
3772 regs->u_regs[15]);
3773- printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
3774+ printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
3775 show_regwindow(regs);
3776 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
3777 }
3778@@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
3779 ((tp && tp->task) ? tp->task->pid : -1));
3780
3781 if (gp->tstate & TSTATE_PRIV) {
3782- printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
3783+ printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
3784 (void *) gp->tpc,
3785 (void *) gp->o7,
3786 (void *) gp->i7,
3787diff -urNp linux-3.0.7/arch/sparc/kernel/sys_sparc_32.c linux-3.0.7/arch/sparc/kernel/sys_sparc_32.c
3788--- linux-3.0.7/arch/sparc/kernel/sys_sparc_32.c 2011-07-21 22:17:23.000000000 -0400
3789+++ linux-3.0.7/arch/sparc/kernel/sys_sparc_32.c 2011-08-23 21:47:55.000000000 -0400
3790@@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
3791 if (ARCH_SUN4C && len > 0x20000000)
3792 return -ENOMEM;
3793 if (!addr)
3794- addr = TASK_UNMAPPED_BASE;
3795+ addr = current->mm->mmap_base;
3796
3797 if (flags & MAP_SHARED)
3798 addr = COLOUR_ALIGN(addr);
3799@@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
3800 }
3801 if (TASK_SIZE - PAGE_SIZE - len < addr)
3802 return -ENOMEM;
3803- if (!vmm || addr + len <= vmm->vm_start)
3804+ if (check_heap_stack_gap(vmm, addr, len))
3805 return addr;
3806 addr = vmm->vm_end;
3807 if (flags & MAP_SHARED)
3808diff -urNp linux-3.0.7/arch/sparc/kernel/sys_sparc_64.c linux-3.0.7/arch/sparc/kernel/sys_sparc_64.c
3809--- linux-3.0.7/arch/sparc/kernel/sys_sparc_64.c 2011-07-21 22:17:23.000000000 -0400
3810+++ linux-3.0.7/arch/sparc/kernel/sys_sparc_64.c 2011-08-23 21:47:55.000000000 -0400
3811@@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
3812 /* We do not accept a shared mapping if it would violate
3813 * cache aliasing constraints.
3814 */
3815- if ((flags & MAP_SHARED) &&
3816+ if ((filp || (flags & MAP_SHARED)) &&
3817 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3818 return -EINVAL;
3819 return addr;
3820@@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
3821 if (filp || (flags & MAP_SHARED))
3822 do_color_align = 1;
3823
3824+#ifdef CONFIG_PAX_RANDMMAP
3825+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
3826+#endif
3827+
3828 if (addr) {
3829 if (do_color_align)
3830 addr = COLOUR_ALIGN(addr, pgoff);
3831@@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
3832 addr = PAGE_ALIGN(addr);
3833
3834 vma = find_vma(mm, addr);
3835- if (task_size - len >= addr &&
3836- (!vma || addr + len <= vma->vm_start))
3837+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
3838 return addr;
3839 }
3840
3841 if (len > mm->cached_hole_size) {
3842- start_addr = addr = mm->free_area_cache;
3843+ start_addr = addr = mm->free_area_cache;
3844 } else {
3845- start_addr = addr = TASK_UNMAPPED_BASE;
3846+ start_addr = addr = mm->mmap_base;
3847 mm->cached_hole_size = 0;
3848 }
3849
3850@@ -174,14 +177,14 @@ full_search:
3851 vma = find_vma(mm, VA_EXCLUDE_END);
3852 }
3853 if (unlikely(task_size < addr)) {
3854- if (start_addr != TASK_UNMAPPED_BASE) {
3855- start_addr = addr = TASK_UNMAPPED_BASE;
3856+ if (start_addr != mm->mmap_base) {
3857+ start_addr = addr = mm->mmap_base;
3858 mm->cached_hole_size = 0;
3859 goto full_search;
3860 }
3861 return -ENOMEM;
3862 }
3863- if (likely(!vma || addr + len <= vma->vm_start)) {
3864+ if (likely(check_heap_stack_gap(vma, addr, len))) {
3865 /*
3866 * Remember the place where we stopped the search:
3867 */
3868@@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
3869 /* We do not accept a shared mapping if it would violate
3870 * cache aliasing constraints.
3871 */
3872- if ((flags & MAP_SHARED) &&
3873+ if ((filp || (flags & MAP_SHARED)) &&
3874 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3875 return -EINVAL;
3876 return addr;
3877@@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
3878 addr = PAGE_ALIGN(addr);
3879
3880 vma = find_vma(mm, addr);
3881- if (task_size - len >= addr &&
3882- (!vma || addr + len <= vma->vm_start))
3883+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
3884 return addr;
3885 }
3886
3887@@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
3888 /* make sure it can fit in the remaining address space */
3889 if (likely(addr > len)) {
3890 vma = find_vma(mm, addr-len);
3891- if (!vma || addr <= vma->vm_start) {
3892+ if (check_heap_stack_gap(vma, addr - len, len)) {
3893 /* remember the address as a hint for next time */
3894 return (mm->free_area_cache = addr-len);
3895 }
3896@@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
3897 if (unlikely(mm->mmap_base < len))
3898 goto bottomup;
3899
3900- addr = mm->mmap_base-len;
3901- if (do_color_align)
3902- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3903+ addr = mm->mmap_base - len;
3904
3905 do {
3906+ if (do_color_align)
3907+ addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3908 /*
3909 * Lookup failure means no vma is above this address,
3910 * else if new region fits below vma->vm_start,
3911 * return with success:
3912 */
3913 vma = find_vma(mm, addr);
3914- if (likely(!vma || addr+len <= vma->vm_start)) {
3915+ if (likely(check_heap_stack_gap(vma, addr, len))) {
3916 /* remember the address as a hint for next time */
3917 return (mm->free_area_cache = addr);
3918 }
3919@@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
3920 mm->cached_hole_size = vma->vm_start - addr;
3921
3922 /* try just below the current vma->vm_start */
3923- addr = vma->vm_start-len;
3924- if (do_color_align)
3925- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3926- } while (likely(len < vma->vm_start));
3927+ addr = skip_heap_stack_gap(vma, len);
3928+ } while (!IS_ERR_VALUE(addr));
3929
3930 bottomup:
3931 /*
3932@@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
3933 gap == RLIM_INFINITY ||
3934 sysctl_legacy_va_layout) {
3935 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
3936+
3937+#ifdef CONFIG_PAX_RANDMMAP
3938+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3939+ mm->mmap_base += mm->delta_mmap;
3940+#endif
3941+
3942 mm->get_unmapped_area = arch_get_unmapped_area;
3943 mm->unmap_area = arch_unmap_area;
3944 } else {
3945@@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
3946 gap = (task_size / 6 * 5);
3947
3948 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
3949+
3950+#ifdef CONFIG_PAX_RANDMMAP
3951+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3952+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3953+#endif
3954+
3955 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3956 mm->unmap_area = arch_unmap_area_topdown;
3957 }
3958diff -urNp linux-3.0.7/arch/sparc/kernel/traps_32.c linux-3.0.7/arch/sparc/kernel/traps_32.c
3959--- linux-3.0.7/arch/sparc/kernel/traps_32.c 2011-07-21 22:17:23.000000000 -0400
3960+++ linux-3.0.7/arch/sparc/kernel/traps_32.c 2011-08-23 21:48:14.000000000 -0400
3961@@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
3962 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
3963 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
3964
3965+extern void gr_handle_kernel_exploit(void);
3966+
3967 void die_if_kernel(char *str, struct pt_regs *regs)
3968 {
3969 static int die_counter;
3970@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
3971 count++ < 30 &&
3972 (((unsigned long) rw) >= PAGE_OFFSET) &&
3973 !(((unsigned long) rw) & 0x7)) {
3974- printk("Caller[%08lx]: %pS\n", rw->ins[7],
3975+ printk("Caller[%08lx]: %pA\n", rw->ins[7],
3976 (void *) rw->ins[7]);
3977 rw = (struct reg_window32 *)rw->ins[6];
3978 }
3979 }
3980 printk("Instruction DUMP:");
3981 instruction_dump ((unsigned long *) regs->pc);
3982- if(regs->psr & PSR_PS)
3983+ if(regs->psr & PSR_PS) {
3984+ gr_handle_kernel_exploit();
3985 do_exit(SIGKILL);
3986+ }
3987 do_exit(SIGSEGV);
3988 }
3989
3990diff -urNp linux-3.0.7/arch/sparc/kernel/traps_64.c linux-3.0.7/arch/sparc/kernel/traps_64.c
3991--- linux-3.0.7/arch/sparc/kernel/traps_64.c 2011-07-21 22:17:23.000000000 -0400
3992+++ linux-3.0.7/arch/sparc/kernel/traps_64.c 2011-08-23 21:48:14.000000000 -0400
3993@@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
3994 i + 1,
3995 p->trapstack[i].tstate, p->trapstack[i].tpc,
3996 p->trapstack[i].tnpc, p->trapstack[i].tt);
3997- printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
3998+ printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
3999 }
4000 }
4001
4002@@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4003
4004 lvl -= 0x100;
4005 if (regs->tstate & TSTATE_PRIV) {
4006+
4007+#ifdef CONFIG_PAX_REFCOUNT
4008+ if (lvl == 6)
4009+ pax_report_refcount_overflow(regs);
4010+#endif
4011+
4012 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4013 die_if_kernel(buffer, regs);
4014 }
4015@@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4016 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4017 {
4018 char buffer[32];
4019-
4020+
4021 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4022 0, lvl, SIGTRAP) == NOTIFY_STOP)
4023 return;
4024
4025+#ifdef CONFIG_PAX_REFCOUNT
4026+ if (lvl == 6)
4027+ pax_report_refcount_overflow(regs);
4028+#endif
4029+
4030 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4031
4032 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4033@@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
4034 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4035 printk("%s" "ERROR(%d): ",
4036 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4037- printk("TPC<%pS>\n", (void *) regs->tpc);
4038+ printk("TPC<%pA>\n", (void *) regs->tpc);
4039 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4040 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4041 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4042@@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
4043 smp_processor_id(),
4044 (type & 0x1) ? 'I' : 'D',
4045 regs->tpc);
4046- printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4047+ printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4048 panic("Irrecoverable Cheetah+ parity error.");
4049 }
4050
4051@@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
4052 smp_processor_id(),
4053 (type & 0x1) ? 'I' : 'D',
4054 regs->tpc);
4055- printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4056+ printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4057 }
4058
4059 struct sun4v_error_entry {
4060@@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
4061
4062 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4063 regs->tpc, tl);
4064- printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4065+ printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4066 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4067- printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4068+ printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4069 (void *) regs->u_regs[UREG_I7]);
4070 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4071 "pte[%lx] error[%lx]\n",
4072@@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
4073
4074 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4075 regs->tpc, tl);
4076- printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4077+ printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4078 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4079- printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4080+ printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4081 (void *) regs->u_regs[UREG_I7]);
4082 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4083 "pte[%lx] error[%lx]\n",
4084@@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
4085 fp = (unsigned long)sf->fp + STACK_BIAS;
4086 }
4087
4088- printk(" [%016lx] %pS\n", pc, (void *) pc);
4089+ printk(" [%016lx] %pA\n", pc, (void *) pc);
4090 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4091 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
4092 int index = tsk->curr_ret_stack;
4093 if (tsk->ret_stack && index >= graph) {
4094 pc = tsk->ret_stack[index - graph].ret;
4095- printk(" [%016lx] %pS\n", pc, (void *) pc);
4096+ printk(" [%016lx] %pA\n", pc, (void *) pc);
4097 graph++;
4098 }
4099 }
4100@@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_
4101 return (struct reg_window *) (fp + STACK_BIAS);
4102 }
4103
4104+extern void gr_handle_kernel_exploit(void);
4105+
4106 void die_if_kernel(char *str, struct pt_regs *regs)
4107 {
4108 static int die_counter;
4109@@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_
4110 while (rw &&
4111 count++ < 30 &&
4112 kstack_valid(tp, (unsigned long) rw)) {
4113- printk("Caller[%016lx]: %pS\n", rw->ins[7],
4114+ printk("Caller[%016lx]: %pA\n", rw->ins[7],
4115 (void *) rw->ins[7]);
4116
4117 rw = kernel_stack_up(rw);
4118@@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_
4119 }
4120 user_instruction_dump ((unsigned int __user *) regs->tpc);
4121 }
4122- if (regs->tstate & TSTATE_PRIV)
4123+ if (regs->tstate & TSTATE_PRIV) {
4124+ gr_handle_kernel_exploit();
4125 do_exit(SIGKILL);
4126+ }
4127 do_exit(SIGSEGV);
4128 }
4129 EXPORT_SYMBOL(die_if_kernel);
4130diff -urNp linux-3.0.7/arch/sparc/kernel/unaligned_64.c linux-3.0.7/arch/sparc/kernel/unaligned_64.c
4131--- linux-3.0.7/arch/sparc/kernel/unaligned_64.c 2011-09-02 18:11:21.000000000 -0400
4132+++ linux-3.0.7/arch/sparc/kernel/unaligned_64.c 2011-08-23 21:48:14.000000000 -0400
4133@@ -279,7 +279,7 @@ static void log_unaligned(struct pt_regs
4134 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
4135
4136 if (__ratelimit(&ratelimit)) {
4137- printk("Kernel unaligned access at TPC[%lx] %pS\n",
4138+ printk("Kernel unaligned access at TPC[%lx] %pA\n",
4139 regs->tpc, (void *) regs->tpc);
4140 }
4141 }
4142diff -urNp linux-3.0.7/arch/sparc/lib/Makefile linux-3.0.7/arch/sparc/lib/Makefile
4143--- linux-3.0.7/arch/sparc/lib/Makefile 2011-09-02 18:11:21.000000000 -0400
4144+++ linux-3.0.7/arch/sparc/lib/Makefile 2011-08-23 21:47:55.000000000 -0400
4145@@ -2,7 +2,7 @@
4146 #
4147
4148 asflags-y := -ansi -DST_DIV0=0x02
4149-ccflags-y := -Werror
4150+#ccflags-y := -Werror
4151
4152 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
4153 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
4154diff -urNp linux-3.0.7/arch/sparc/lib/atomic_64.S linux-3.0.7/arch/sparc/lib/atomic_64.S
4155--- linux-3.0.7/arch/sparc/lib/atomic_64.S 2011-07-21 22:17:23.000000000 -0400
4156+++ linux-3.0.7/arch/sparc/lib/atomic_64.S 2011-08-23 21:47:55.000000000 -0400
4157@@ -18,7 +18,12 @@
4158 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4159 BACKOFF_SETUP(%o2)
4160 1: lduw [%o1], %g1
4161- add %g1, %o0, %g7
4162+ addcc %g1, %o0, %g7
4163+
4164+#ifdef CONFIG_PAX_REFCOUNT
4165+ tvs %icc, 6
4166+#endif
4167+
4168 cas [%o1], %g1, %g7
4169 cmp %g1, %g7
4170 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4171@@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4172 2: BACKOFF_SPIN(%o2, %o3, 1b)
4173 .size atomic_add, .-atomic_add
4174
4175+ .globl atomic_add_unchecked
4176+ .type atomic_add_unchecked,#function
4177+atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4178+ BACKOFF_SETUP(%o2)
4179+1: lduw [%o1], %g1
4180+ add %g1, %o0, %g7
4181+ cas [%o1], %g1, %g7
4182+ cmp %g1, %g7
4183+ bne,pn %icc, 2f
4184+ nop
4185+ retl
4186+ nop
4187+2: BACKOFF_SPIN(%o2, %o3, 1b)
4188+ .size atomic_add_unchecked, .-atomic_add_unchecked
4189+
4190 .globl atomic_sub
4191 .type atomic_sub,#function
4192 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4193 BACKOFF_SETUP(%o2)
4194 1: lduw [%o1], %g1
4195- sub %g1, %o0, %g7
4196+ subcc %g1, %o0, %g7
4197+
4198+#ifdef CONFIG_PAX_REFCOUNT
4199+ tvs %icc, 6
4200+#endif
4201+
4202 cas [%o1], %g1, %g7
4203 cmp %g1, %g7
4204 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4205@@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4206 2: BACKOFF_SPIN(%o2, %o3, 1b)
4207 .size atomic_sub, .-atomic_sub
4208
4209+ .globl atomic_sub_unchecked
4210+ .type atomic_sub_unchecked,#function
4211+atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4212+ BACKOFF_SETUP(%o2)
4213+1: lduw [%o1], %g1
4214+ sub %g1, %o0, %g7
4215+ cas [%o1], %g1, %g7
4216+ cmp %g1, %g7
4217+ bne,pn %icc, 2f
4218+ nop
4219+ retl
4220+ nop
4221+2: BACKOFF_SPIN(%o2, %o3, 1b)
4222+ .size atomic_sub_unchecked, .-atomic_sub_unchecked
4223+
4224 .globl atomic_add_ret
4225 .type atomic_add_ret,#function
4226 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4227 BACKOFF_SETUP(%o2)
4228 1: lduw [%o1], %g1
4229- add %g1, %o0, %g7
4230+ addcc %g1, %o0, %g7
4231+
4232+#ifdef CONFIG_PAX_REFCOUNT
4233+ tvs %icc, 6
4234+#endif
4235+
4236 cas [%o1], %g1, %g7
4237 cmp %g1, %g7
4238 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4239@@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4240 2: BACKOFF_SPIN(%o2, %o3, 1b)
4241 .size atomic_add_ret, .-atomic_add_ret
4242
4243+ .globl atomic_add_ret_unchecked
4244+ .type atomic_add_ret_unchecked,#function
4245+atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4246+ BACKOFF_SETUP(%o2)
4247+1: lduw [%o1], %g1
4248+ addcc %g1, %o0, %g7
4249+ cas [%o1], %g1, %g7
4250+ cmp %g1, %g7
4251+ bne,pn %icc, 2f
4252+ add %g7, %o0, %g7
4253+ sra %g7, 0, %o0
4254+ retl
4255+ nop
4256+2: BACKOFF_SPIN(%o2, %o3, 1b)
4257+ .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4258+
4259 .globl atomic_sub_ret
4260 .type atomic_sub_ret,#function
4261 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4262 BACKOFF_SETUP(%o2)
4263 1: lduw [%o1], %g1
4264- sub %g1, %o0, %g7
4265+ subcc %g1, %o0, %g7
4266+
4267+#ifdef CONFIG_PAX_REFCOUNT
4268+ tvs %icc, 6
4269+#endif
4270+
4271 cas [%o1], %g1, %g7
4272 cmp %g1, %g7
4273 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4274@@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4275 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4276 BACKOFF_SETUP(%o2)
4277 1: ldx [%o1], %g1
4278- add %g1, %o0, %g7
4279+ addcc %g1, %o0, %g7
4280+
4281+#ifdef CONFIG_PAX_REFCOUNT
4282+ tvs %xcc, 6
4283+#endif
4284+
4285 casx [%o1], %g1, %g7
4286 cmp %g1, %g7
4287 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4288@@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4289 2: BACKOFF_SPIN(%o2, %o3, 1b)
4290 .size atomic64_add, .-atomic64_add
4291
4292+ .globl atomic64_add_unchecked
4293+ .type atomic64_add_unchecked,#function
4294+atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4295+ BACKOFF_SETUP(%o2)
4296+1: ldx [%o1], %g1
4297+ addcc %g1, %o0, %g7
4298+ casx [%o1], %g1, %g7
4299+ cmp %g1, %g7
4300+ bne,pn %xcc, 2f
4301+ nop
4302+ retl
4303+ nop
4304+2: BACKOFF_SPIN(%o2, %o3, 1b)
4305+ .size atomic64_add_unchecked, .-atomic64_add_unchecked
4306+
4307 .globl atomic64_sub
4308 .type atomic64_sub,#function
4309 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4310 BACKOFF_SETUP(%o2)
4311 1: ldx [%o1], %g1
4312- sub %g1, %o0, %g7
4313+ subcc %g1, %o0, %g7
4314+
4315+#ifdef CONFIG_PAX_REFCOUNT
4316+ tvs %xcc, 6
4317+#endif
4318+
4319 casx [%o1], %g1, %g7
4320 cmp %g1, %g7
4321 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4322@@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4323 2: BACKOFF_SPIN(%o2, %o3, 1b)
4324 .size atomic64_sub, .-atomic64_sub
4325
4326+ .globl atomic64_sub_unchecked
4327+ .type atomic64_sub_unchecked,#function
4328+atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4329+ BACKOFF_SETUP(%o2)
4330+1: ldx [%o1], %g1
4331+ subcc %g1, %o0, %g7
4332+ casx [%o1], %g1, %g7
4333+ cmp %g1, %g7
4334+ bne,pn %xcc, 2f
4335+ nop
4336+ retl
4337+ nop
4338+2: BACKOFF_SPIN(%o2, %o3, 1b)
4339+ .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4340+
4341 .globl atomic64_add_ret
4342 .type atomic64_add_ret,#function
4343 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4344 BACKOFF_SETUP(%o2)
4345 1: ldx [%o1], %g1
4346- add %g1, %o0, %g7
4347+ addcc %g1, %o0, %g7
4348+
4349+#ifdef CONFIG_PAX_REFCOUNT
4350+ tvs %xcc, 6
4351+#endif
4352+
4353 casx [%o1], %g1, %g7
4354 cmp %g1, %g7
4355 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4356@@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4357 2: BACKOFF_SPIN(%o2, %o3, 1b)
4358 .size atomic64_add_ret, .-atomic64_add_ret
4359
4360+ .globl atomic64_add_ret_unchecked
4361+ .type atomic64_add_ret_unchecked,#function
4362+atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4363+ BACKOFF_SETUP(%o2)
4364+1: ldx [%o1], %g1
4365+ addcc %g1, %o0, %g7
4366+ casx [%o1], %g1, %g7
4367+ cmp %g1, %g7
4368+ bne,pn %xcc, 2f
4369+ add %g7, %o0, %g7
4370+ mov %g7, %o0
4371+ retl
4372+ nop
4373+2: BACKOFF_SPIN(%o2, %o3, 1b)
4374+ .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4375+
4376 .globl atomic64_sub_ret
4377 .type atomic64_sub_ret,#function
4378 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4379 BACKOFF_SETUP(%o2)
4380 1: ldx [%o1], %g1
4381- sub %g1, %o0, %g7
4382+ subcc %g1, %o0, %g7
4383+
4384+#ifdef CONFIG_PAX_REFCOUNT
4385+ tvs %xcc, 6
4386+#endif
4387+
4388 casx [%o1], %g1, %g7
4389 cmp %g1, %g7
4390 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4391diff -urNp linux-3.0.7/arch/sparc/lib/ksyms.c linux-3.0.7/arch/sparc/lib/ksyms.c
4392--- linux-3.0.7/arch/sparc/lib/ksyms.c 2011-07-21 22:17:23.000000000 -0400
4393+++ linux-3.0.7/arch/sparc/lib/ksyms.c 2011-08-23 21:48:14.000000000 -0400
4394@@ -142,12 +142,18 @@ EXPORT_SYMBOL(__downgrade_write);
4395
4396 /* Atomic counter implementation. */
4397 EXPORT_SYMBOL(atomic_add);
4398+EXPORT_SYMBOL(atomic_add_unchecked);
4399 EXPORT_SYMBOL(atomic_add_ret);
4400+EXPORT_SYMBOL(atomic_add_ret_unchecked);
4401 EXPORT_SYMBOL(atomic_sub);
4402+EXPORT_SYMBOL(atomic_sub_unchecked);
4403 EXPORT_SYMBOL(atomic_sub_ret);
4404 EXPORT_SYMBOL(atomic64_add);
4405+EXPORT_SYMBOL(atomic64_add_unchecked);
4406 EXPORT_SYMBOL(atomic64_add_ret);
4407+EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4408 EXPORT_SYMBOL(atomic64_sub);
4409+EXPORT_SYMBOL(atomic64_sub_unchecked);
4410 EXPORT_SYMBOL(atomic64_sub_ret);
4411
4412 /* Atomic bit operations. */
4413diff -urNp linux-3.0.7/arch/sparc/mm/Makefile linux-3.0.7/arch/sparc/mm/Makefile
4414--- linux-3.0.7/arch/sparc/mm/Makefile 2011-07-21 22:17:23.000000000 -0400
4415+++ linux-3.0.7/arch/sparc/mm/Makefile 2011-08-23 21:47:55.000000000 -0400
4416@@ -2,7 +2,7 @@
4417 #
4418
4419 asflags-y := -ansi
4420-ccflags-y := -Werror
4421+#ccflags-y := -Werror
4422
4423 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
4424 obj-y += fault_$(BITS).o
4425diff -urNp linux-3.0.7/arch/sparc/mm/fault_32.c linux-3.0.7/arch/sparc/mm/fault_32.c
4426--- linux-3.0.7/arch/sparc/mm/fault_32.c 2011-07-21 22:17:23.000000000 -0400
4427+++ linux-3.0.7/arch/sparc/mm/fault_32.c 2011-08-23 21:47:55.000000000 -0400
4428@@ -22,6 +22,9 @@
4429 #include <linux/interrupt.h>
4430 #include <linux/module.h>
4431 #include <linux/kdebug.h>
4432+#include <linux/slab.h>
4433+#include <linux/pagemap.h>
4434+#include <linux/compiler.h>
4435
4436 #include <asm/system.h>
4437 #include <asm/page.h>
4438@@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4439 return safe_compute_effective_address(regs, insn);
4440 }
4441
4442+#ifdef CONFIG_PAX_PAGEEXEC
4443+#ifdef CONFIG_PAX_DLRESOLVE
4444+static void pax_emuplt_close(struct vm_area_struct *vma)
4445+{
4446+ vma->vm_mm->call_dl_resolve = 0UL;
4447+}
4448+
4449+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4450+{
4451+ unsigned int *kaddr;
4452+
4453+ vmf->page = alloc_page(GFP_HIGHUSER);
4454+ if (!vmf->page)
4455+ return VM_FAULT_OOM;
4456+
4457+ kaddr = kmap(vmf->page);
4458+ memset(kaddr, 0, PAGE_SIZE);
4459+ kaddr[0] = 0x9DE3BFA8U; /* save */
4460+ flush_dcache_page(vmf->page);
4461+ kunmap(vmf->page);
4462+ return VM_FAULT_MAJOR;
4463+}
4464+
4465+static const struct vm_operations_struct pax_vm_ops = {
4466+ .close = pax_emuplt_close,
4467+ .fault = pax_emuplt_fault
4468+};
4469+
4470+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4471+{
4472+ int ret;
4473+
4474+ INIT_LIST_HEAD(&vma->anon_vma_chain);
4475+ vma->vm_mm = current->mm;
4476+ vma->vm_start = addr;
4477+ vma->vm_end = addr + PAGE_SIZE;
4478+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4479+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4480+ vma->vm_ops = &pax_vm_ops;
4481+
4482+ ret = insert_vm_struct(current->mm, vma);
4483+ if (ret)
4484+ return ret;
4485+
4486+ ++current->mm->total_vm;
4487+ return 0;
4488+}
4489+#endif
4490+
4491+/*
4492+ * PaX: decide what to do with offenders (regs->pc = fault address)
4493+ *
4494+ * returns 1 when task should be killed
4495+ * 2 when patched PLT trampoline was detected
4496+ * 3 when unpatched PLT trampoline was detected
4497+ */
4498+static int pax_handle_fetch_fault(struct pt_regs *regs)
4499+{
4500+
4501+#ifdef CONFIG_PAX_EMUPLT
4502+ int err;
4503+
4504+ do { /* PaX: patched PLT emulation #1 */
4505+ unsigned int sethi1, sethi2, jmpl;
4506+
4507+ err = get_user(sethi1, (unsigned int *)regs->pc);
4508+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4509+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4510+
4511+ if (err)
4512+ break;
4513+
4514+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4515+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
4516+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
4517+ {
4518+ unsigned int addr;
4519+
4520+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4521+ addr = regs->u_regs[UREG_G1];
4522+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4523+ regs->pc = addr;
4524+ regs->npc = addr+4;
4525+ return 2;
4526+ }
4527+ } while (0);
4528+
4529+ { /* PaX: patched PLT emulation #2 */
4530+ unsigned int ba;
4531+
4532+ err = get_user(ba, (unsigned int *)regs->pc);
4533+
4534+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4535+ unsigned int addr;
4536+
4537+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4538+ regs->pc = addr;
4539+ regs->npc = addr+4;
4540+ return 2;
4541+ }
4542+ }
4543+
4544+ do { /* PaX: patched PLT emulation #3 */
4545+ unsigned int sethi, jmpl, nop;
4546+
4547+ err = get_user(sethi, (unsigned int *)regs->pc);
4548+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4549+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
4550+
4551+ if (err)
4552+ break;
4553+
4554+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4555+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4556+ nop == 0x01000000U)
4557+ {
4558+ unsigned int addr;
4559+
4560+ addr = (sethi & 0x003FFFFFU) << 10;
4561+ regs->u_regs[UREG_G1] = addr;
4562+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4563+ regs->pc = addr;
4564+ regs->npc = addr+4;
4565+ return 2;
4566+ }
4567+ } while (0);
4568+
4569+ do { /* PaX: unpatched PLT emulation step 1 */
4570+ unsigned int sethi, ba, nop;
4571+
4572+ err = get_user(sethi, (unsigned int *)regs->pc);
4573+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
4574+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
4575+
4576+ if (err)
4577+ break;
4578+
4579+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4580+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4581+ nop == 0x01000000U)
4582+ {
4583+ unsigned int addr, save, call;
4584+
4585+ if ((ba & 0xFFC00000U) == 0x30800000U)
4586+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4587+ else
4588+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4589+
4590+ err = get_user(save, (unsigned int *)addr);
4591+ err |= get_user(call, (unsigned int *)(addr+4));
4592+ err |= get_user(nop, (unsigned int *)(addr+8));
4593+ if (err)
4594+ break;
4595+
4596+#ifdef CONFIG_PAX_DLRESOLVE
4597+ if (save == 0x9DE3BFA8U &&
4598+ (call & 0xC0000000U) == 0x40000000U &&
4599+ nop == 0x01000000U)
4600+ {
4601+ struct vm_area_struct *vma;
4602+ unsigned long call_dl_resolve;
4603+
4604+ down_read(&current->mm->mmap_sem);
4605+ call_dl_resolve = current->mm->call_dl_resolve;
4606+ up_read(&current->mm->mmap_sem);
4607+ if (likely(call_dl_resolve))
4608+ goto emulate;
4609+
4610+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4611+
4612+ down_write(&current->mm->mmap_sem);
4613+ if (current->mm->call_dl_resolve) {
4614+ call_dl_resolve = current->mm->call_dl_resolve;
4615+ up_write(&current->mm->mmap_sem);
4616+ if (vma)
4617+ kmem_cache_free(vm_area_cachep, vma);
4618+ goto emulate;
4619+ }
4620+
4621+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4622+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4623+ up_write(&current->mm->mmap_sem);
4624+ if (vma)
4625+ kmem_cache_free(vm_area_cachep, vma);
4626+ return 1;
4627+ }
4628+
4629+ if (pax_insert_vma(vma, call_dl_resolve)) {
4630+ up_write(&current->mm->mmap_sem);
4631+ kmem_cache_free(vm_area_cachep, vma);
4632+ return 1;
4633+ }
4634+
4635+ current->mm->call_dl_resolve = call_dl_resolve;
4636+ up_write(&current->mm->mmap_sem);
4637+
4638+emulate:
4639+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4640+ regs->pc = call_dl_resolve;
4641+ regs->npc = addr+4;
4642+ return 3;
4643+ }
4644+#endif
4645+
4646+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4647+ if ((save & 0xFFC00000U) == 0x05000000U &&
4648+ (call & 0xFFFFE000U) == 0x85C0A000U &&
4649+ nop == 0x01000000U)
4650+ {
4651+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4652+ regs->u_regs[UREG_G2] = addr + 4;
4653+ addr = (save & 0x003FFFFFU) << 10;
4654+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4655+ regs->pc = addr;
4656+ regs->npc = addr+4;
4657+ return 3;
4658+ }
4659+ }
4660+ } while (0);
4661+
4662+ do { /* PaX: unpatched PLT emulation step 2 */
4663+ unsigned int save, call, nop;
4664+
4665+ err = get_user(save, (unsigned int *)(regs->pc-4));
4666+ err |= get_user(call, (unsigned int *)regs->pc);
4667+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
4668+ if (err)
4669+ break;
4670+
4671+ if (save == 0x9DE3BFA8U &&
4672+ (call & 0xC0000000U) == 0x40000000U &&
4673+ nop == 0x01000000U)
4674+ {
4675+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4676+
4677+ regs->u_regs[UREG_RETPC] = regs->pc;
4678+ regs->pc = dl_resolve;
4679+ regs->npc = dl_resolve+4;
4680+ return 3;
4681+ }
4682+ } while (0);
4683+#endif
4684+
4685+ return 1;
4686+}
4687+
4688+void pax_report_insns(void *pc, void *sp)
4689+{
4690+ unsigned long i;
4691+
4692+ printk(KERN_ERR "PAX: bytes at PC: ");
4693+ for (i = 0; i < 8; i++) {
4694+ unsigned int c;
4695+ if (get_user(c, (unsigned int *)pc+i))
4696+ printk(KERN_CONT "???????? ");
4697+ else
4698+ printk(KERN_CONT "%08x ", c);
4699+ }
4700+ printk("\n");
4701+}
4702+#endif
4703+
4704 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
4705 int text_fault)
4706 {
4707@@ -281,6 +546,24 @@ good_area:
4708 if(!(vma->vm_flags & VM_WRITE))
4709 goto bad_area;
4710 } else {
4711+
4712+#ifdef CONFIG_PAX_PAGEEXEC
4713+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4714+ up_read(&mm->mmap_sem);
4715+ switch (pax_handle_fetch_fault(regs)) {
4716+
4717+#ifdef CONFIG_PAX_EMUPLT
4718+ case 2:
4719+ case 3:
4720+ return;
4721+#endif
4722+
4723+ }
4724+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4725+ do_group_exit(SIGKILL);
4726+ }
4727+#endif
4728+
4729 /* Allow reads even for write-only mappings */
4730 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4731 goto bad_area;
4732diff -urNp linux-3.0.7/arch/sparc/mm/fault_64.c linux-3.0.7/arch/sparc/mm/fault_64.c
4733--- linux-3.0.7/arch/sparc/mm/fault_64.c 2011-07-21 22:17:23.000000000 -0400
4734+++ linux-3.0.7/arch/sparc/mm/fault_64.c 2011-08-23 21:48:14.000000000 -0400
4735@@ -21,6 +21,9 @@
4736 #include <linux/kprobes.h>
4737 #include <linux/kdebug.h>
4738 #include <linux/percpu.h>
4739+#include <linux/slab.h>
4740+#include <linux/pagemap.h>
4741+#include <linux/compiler.h>
4742
4743 #include <asm/page.h>
4744 #include <asm/pgtable.h>
4745@@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
4746 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
4747 regs->tpc);
4748 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
4749- printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
4750+ printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
4751 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
4752 dump_stack();
4753 unhandled_fault(regs->tpc, current, regs);
4754@@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
4755 show_regs(regs);
4756 }
4757
4758+#ifdef CONFIG_PAX_PAGEEXEC
4759+#ifdef CONFIG_PAX_DLRESOLVE
4760+static void pax_emuplt_close(struct vm_area_struct *vma)
4761+{
4762+ vma->vm_mm->call_dl_resolve = 0UL;
4763+}
4764+
4765+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4766+{
4767+ unsigned int *kaddr;
4768+
4769+ vmf->page = alloc_page(GFP_HIGHUSER);
4770+ if (!vmf->page)
4771+ return VM_FAULT_OOM;
4772+
4773+ kaddr = kmap(vmf->page);
4774+ memset(kaddr, 0, PAGE_SIZE);
4775+ kaddr[0] = 0x9DE3BFA8U; /* save */
4776+ flush_dcache_page(vmf->page);
4777+ kunmap(vmf->page);
4778+ return VM_FAULT_MAJOR;
4779+}
4780+
4781+static const struct vm_operations_struct pax_vm_ops = {
4782+ .close = pax_emuplt_close,
4783+ .fault = pax_emuplt_fault
4784+};
4785+
4786+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4787+{
4788+ int ret;
4789+
4790+ INIT_LIST_HEAD(&vma->anon_vma_chain);
4791+ vma->vm_mm = current->mm;
4792+ vma->vm_start = addr;
4793+ vma->vm_end = addr + PAGE_SIZE;
4794+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4795+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4796+ vma->vm_ops = &pax_vm_ops;
4797+
4798+ ret = insert_vm_struct(current->mm, vma);
4799+ if (ret)
4800+ return ret;
4801+
4802+ ++current->mm->total_vm;
4803+ return 0;
4804+}
4805+#endif
4806+
4807+/*
4808+ * PaX: decide what to do with offenders (regs->tpc = fault address)
4809+ *
4810+ * returns 1 when task should be killed
4811+ * 2 when patched PLT trampoline was detected
4812+ * 3 when unpatched PLT trampoline was detected
4813+ */
4814+static int pax_handle_fetch_fault(struct pt_regs *regs)
4815+{
4816+
4817+#ifdef CONFIG_PAX_EMUPLT
4818+ int err;
4819+
4820+ do { /* PaX: patched PLT emulation #1 */
4821+ unsigned int sethi1, sethi2, jmpl;
4822+
4823+ err = get_user(sethi1, (unsigned int *)regs->tpc);
4824+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4825+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4826+
4827+ if (err)
4828+ break;
4829+
4830+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4831+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
4832+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
4833+ {
4834+ unsigned long addr;
4835+
4836+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4837+ addr = regs->u_regs[UREG_G1];
4838+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4839+
4840+ if (test_thread_flag(TIF_32BIT))
4841+ addr &= 0xFFFFFFFFUL;
4842+
4843+ regs->tpc = addr;
4844+ regs->tnpc = addr+4;
4845+ return 2;
4846+ }
4847+ } while (0);
4848+
4849+ { /* PaX: patched PLT emulation #2 */
4850+ unsigned int ba;
4851+
4852+ err = get_user(ba, (unsigned int *)regs->tpc);
4853+
4854+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4855+ unsigned long addr;
4856+
4857+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4858+
4859+ if (test_thread_flag(TIF_32BIT))
4860+ addr &= 0xFFFFFFFFUL;
4861+
4862+ regs->tpc = addr;
4863+ regs->tnpc = addr+4;
4864+ return 2;
4865+ }
4866+ }
4867+
4868+ do { /* PaX: patched PLT emulation #3 */
4869+ unsigned int sethi, jmpl, nop;
4870+
4871+ err = get_user(sethi, (unsigned int *)regs->tpc);
4872+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4873+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4874+
4875+ if (err)
4876+ break;
4877+
4878+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4879+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4880+ nop == 0x01000000U)
4881+ {
4882+ unsigned long addr;
4883+
4884+ addr = (sethi & 0x003FFFFFU) << 10;
4885+ regs->u_regs[UREG_G1] = addr;
4886+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4887+
4888+ if (test_thread_flag(TIF_32BIT))
4889+ addr &= 0xFFFFFFFFUL;
4890+
4891+ regs->tpc = addr;
4892+ regs->tnpc = addr+4;
4893+ return 2;
4894+ }
4895+ } while (0);
4896+
4897+ do { /* PaX: patched PLT emulation #4 */
4898+ unsigned int sethi, mov1, call, mov2;
4899+
4900+ err = get_user(sethi, (unsigned int *)regs->tpc);
4901+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4902+ err |= get_user(call, (unsigned int *)(regs->tpc+8));
4903+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4904+
4905+ if (err)
4906+ break;
4907+
4908+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4909+ mov1 == 0x8210000FU &&
4910+ (call & 0xC0000000U) == 0x40000000U &&
4911+ mov2 == 0x9E100001U)
4912+ {
4913+ unsigned long addr;
4914+
4915+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4916+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4917+
4918+ if (test_thread_flag(TIF_32BIT))
4919+ addr &= 0xFFFFFFFFUL;
4920+
4921+ regs->tpc = addr;
4922+ regs->tnpc = addr+4;
4923+ return 2;
4924+ }
4925+ } while (0);
4926+
4927+ do { /* PaX: patched PLT emulation #5 */
4928+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
4929+
4930+ err = get_user(sethi, (unsigned int *)regs->tpc);
4931+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4932+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4933+ err |= get_user(or1, (unsigned int *)(regs->tpc+12));
4934+ err |= get_user(or2, (unsigned int *)(regs->tpc+16));
4935+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
4936+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
4937+ err |= get_user(nop, (unsigned int *)(regs->tpc+28));
4938+
4939+ if (err)
4940+ break;
4941+
4942+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4943+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
4944+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4945+ (or1 & 0xFFFFE000U) == 0x82106000U &&
4946+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
4947+ sllx == 0x83287020U &&
4948+ jmpl == 0x81C04005U &&
4949+ nop == 0x01000000U)
4950+ {
4951+ unsigned long addr;
4952+
4953+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4954+ regs->u_regs[UREG_G1] <<= 32;
4955+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4956+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4957+ regs->tpc = addr;
4958+ regs->tnpc = addr+4;
4959+ return 2;
4960+ }
4961+ } while (0);
4962+
4963+ do { /* PaX: patched PLT emulation #6 */
4964+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
4965+
4966+ err = get_user(sethi, (unsigned int *)regs->tpc);
4967+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4968+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4969+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
4970+ err |= get_user(or, (unsigned int *)(regs->tpc+16));
4971+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
4972+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
4973+
4974+ if (err)
4975+ break;
4976+
4977+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4978+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
4979+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4980+ sllx == 0x83287020U &&
4981+ (or & 0xFFFFE000U) == 0x8A116000U &&
4982+ jmpl == 0x81C04005U &&
4983+ nop == 0x01000000U)
4984+ {
4985+ unsigned long addr;
4986+
4987+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
4988+ regs->u_regs[UREG_G1] <<= 32;
4989+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
4990+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4991+ regs->tpc = addr;
4992+ regs->tnpc = addr+4;
4993+ return 2;
4994+ }
4995+ } while (0);
4996+
4997+ do { /* PaX: unpatched PLT emulation step 1 */
4998+ unsigned int sethi, ba, nop;
4999+
5000+ err = get_user(sethi, (unsigned int *)regs->tpc);
5001+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5002+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5003+
5004+ if (err)
5005+ break;
5006+
5007+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5008+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5009+ nop == 0x01000000U)
5010+ {
5011+ unsigned long addr;
5012+ unsigned int save, call;
5013+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5014+
5015+ if ((ba & 0xFFC00000U) == 0x30800000U)
5016+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5017+ else
5018+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5019+
5020+ if (test_thread_flag(TIF_32BIT))
5021+ addr &= 0xFFFFFFFFUL;
5022+
5023+ err = get_user(save, (unsigned int *)addr);
5024+ err |= get_user(call, (unsigned int *)(addr+4));
5025+ err |= get_user(nop, (unsigned int *)(addr+8));
5026+ if (err)
5027+ break;
5028+
5029+#ifdef CONFIG_PAX_DLRESOLVE
5030+ if (save == 0x9DE3BFA8U &&
5031+ (call & 0xC0000000U) == 0x40000000U &&
5032+ nop == 0x01000000U)
5033+ {
5034+ struct vm_area_struct *vma;
5035+ unsigned long call_dl_resolve;
5036+
5037+ down_read(&current->mm->mmap_sem);
5038+ call_dl_resolve = current->mm->call_dl_resolve;
5039+ up_read(&current->mm->mmap_sem);
5040+ if (likely(call_dl_resolve))
5041+ goto emulate;
5042+
5043+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5044+
5045+ down_write(&current->mm->mmap_sem);
5046+ if (current->mm->call_dl_resolve) {
5047+ call_dl_resolve = current->mm->call_dl_resolve;
5048+ up_write(&current->mm->mmap_sem);
5049+ if (vma)
5050+ kmem_cache_free(vm_area_cachep, vma);
5051+ goto emulate;
5052+ }
5053+
5054+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5055+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5056+ up_write(&current->mm->mmap_sem);
5057+ if (vma)
5058+ kmem_cache_free(vm_area_cachep, vma);
5059+ return 1;
5060+ }
5061+
5062+ if (pax_insert_vma(vma, call_dl_resolve)) {
5063+ up_write(&current->mm->mmap_sem);
5064+ kmem_cache_free(vm_area_cachep, vma);
5065+ return 1;
5066+ }
5067+
5068+ current->mm->call_dl_resolve = call_dl_resolve;
5069+ up_write(&current->mm->mmap_sem);
5070+
5071+emulate:
5072+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5073+ regs->tpc = call_dl_resolve;
5074+ regs->tnpc = addr+4;
5075+ return 3;
5076+ }
5077+#endif
5078+
5079+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5080+ if ((save & 0xFFC00000U) == 0x05000000U &&
5081+ (call & 0xFFFFE000U) == 0x85C0A000U &&
5082+ nop == 0x01000000U)
5083+ {
5084+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5085+ regs->u_regs[UREG_G2] = addr + 4;
5086+ addr = (save & 0x003FFFFFU) << 10;
5087+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5088+
5089+ if (test_thread_flag(TIF_32BIT))
5090+ addr &= 0xFFFFFFFFUL;
5091+
5092+ regs->tpc = addr;
5093+ regs->tnpc = addr+4;
5094+ return 3;
5095+ }
5096+
5097+ /* PaX: 64-bit PLT stub */
5098+ err = get_user(sethi1, (unsigned int *)addr);
5099+ err |= get_user(sethi2, (unsigned int *)(addr+4));
5100+ err |= get_user(or1, (unsigned int *)(addr+8));
5101+ err |= get_user(or2, (unsigned int *)(addr+12));
5102+ err |= get_user(sllx, (unsigned int *)(addr+16));
5103+ err |= get_user(add, (unsigned int *)(addr+20));
5104+ err |= get_user(jmpl, (unsigned int *)(addr+24));
5105+ err |= get_user(nop, (unsigned int *)(addr+28));
5106+ if (err)
5107+ break;
5108+
5109+ if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5110+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5111+ (or1 & 0xFFFFE000U) == 0x88112000U &&
5112+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
5113+ sllx == 0x89293020U &&
5114+ add == 0x8A010005U &&
5115+ jmpl == 0x89C14000U &&
5116+ nop == 0x01000000U)
5117+ {
5118+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5119+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5120+ regs->u_regs[UREG_G4] <<= 32;
5121+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5122+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5123+ regs->u_regs[UREG_G4] = addr + 24;
5124+ addr = regs->u_regs[UREG_G5];
5125+ regs->tpc = addr;
5126+ regs->tnpc = addr+4;
5127+ return 3;
5128+ }
5129+ }
5130+ } while (0);
5131+
5132+#ifdef CONFIG_PAX_DLRESOLVE
5133+ do { /* PaX: unpatched PLT emulation step 2 */
5134+ unsigned int save, call, nop;
5135+
5136+ err = get_user(save, (unsigned int *)(regs->tpc-4));
5137+ err |= get_user(call, (unsigned int *)regs->tpc);
5138+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5139+ if (err)
5140+ break;
5141+
5142+ if (save == 0x9DE3BFA8U &&
5143+ (call & 0xC0000000U) == 0x40000000U &&
5144+ nop == 0x01000000U)
5145+ {
5146+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5147+
5148+ if (test_thread_flag(TIF_32BIT))
5149+ dl_resolve &= 0xFFFFFFFFUL;
5150+
5151+ regs->u_regs[UREG_RETPC] = regs->tpc;
5152+ regs->tpc = dl_resolve;
5153+ regs->tnpc = dl_resolve+4;
5154+ return 3;
5155+ }
5156+ } while (0);
5157+#endif
5158+
5159+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5160+ unsigned int sethi, ba, nop;
5161+
5162+ err = get_user(sethi, (unsigned int *)regs->tpc);
5163+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5164+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5165+
5166+ if (err)
5167+ break;
5168+
5169+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5170+ (ba & 0xFFF00000U) == 0x30600000U &&
5171+ nop == 0x01000000U)
5172+ {
5173+ unsigned long addr;
5174+
5175+ addr = (sethi & 0x003FFFFFU) << 10;
5176+ regs->u_regs[UREG_G1] = addr;
5177+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5178+
5179+ if (test_thread_flag(TIF_32BIT))
5180+ addr &= 0xFFFFFFFFUL;
5181+
5182+ regs->tpc = addr;
5183+ regs->tnpc = addr+4;
5184+ return 2;
5185+ }
5186+ } while (0);
5187+
5188+#endif
5189+
5190+ return 1;
5191+}
5192+
5193+void pax_report_insns(void *pc, void *sp)
5194+{
5195+ unsigned long i;
5196+
5197+ printk(KERN_ERR "PAX: bytes at PC: ");
5198+ for (i = 0; i < 8; i++) {
5199+ unsigned int c;
5200+ if (get_user(c, (unsigned int *)pc+i))
5201+ printk(KERN_CONT "???????? ");
5202+ else
5203+ printk(KERN_CONT "%08x ", c);
5204+ }
5205+ printk("\n");
5206+}
5207+#endif
5208+
5209 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5210 {
5211 struct mm_struct *mm = current->mm;
5212@@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5213 if (!vma)
5214 goto bad_area;
5215
5216+#ifdef CONFIG_PAX_PAGEEXEC
5217+ /* PaX: detect ITLB misses on non-exec pages */
5218+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5219+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5220+ {
5221+ if (address != regs->tpc)
5222+ goto good_area;
5223+
5224+ up_read(&mm->mmap_sem);
5225+ switch (pax_handle_fetch_fault(regs)) {
5226+
5227+#ifdef CONFIG_PAX_EMUPLT
5228+ case 2:
5229+ case 3:
5230+ return;
5231+#endif
5232+
5233+ }
5234+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5235+ do_group_exit(SIGKILL);
5236+ }
5237+#endif
5238+
5239 /* Pure DTLB misses do not tell us whether the fault causing
5240 * load/store/atomic was a write or not, it only says that there
5241 * was no match. So in such a case we (carefully) read the
5242diff -urNp linux-3.0.7/arch/sparc/mm/hugetlbpage.c linux-3.0.7/arch/sparc/mm/hugetlbpage.c
5243--- linux-3.0.7/arch/sparc/mm/hugetlbpage.c 2011-07-21 22:17:23.000000000 -0400
5244+++ linux-3.0.7/arch/sparc/mm/hugetlbpage.c 2011-08-23 21:47:55.000000000 -0400
5245@@ -68,7 +68,7 @@ full_search:
5246 }
5247 return -ENOMEM;
5248 }
5249- if (likely(!vma || addr + len <= vma->vm_start)) {
5250+ if (likely(check_heap_stack_gap(vma, addr, len))) {
5251 /*
5252 * Remember the place where we stopped the search:
5253 */
5254@@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5255 /* make sure it can fit in the remaining address space */
5256 if (likely(addr > len)) {
5257 vma = find_vma(mm, addr-len);
5258- if (!vma || addr <= vma->vm_start) {
5259+ if (check_heap_stack_gap(vma, addr - len, len)) {
5260 /* remember the address as a hint for next time */
5261 return (mm->free_area_cache = addr-len);
5262 }
5263@@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
5264 if (unlikely(mm->mmap_base < len))
5265 goto bottomup;
5266
5267- addr = (mm->mmap_base-len) & HPAGE_MASK;
5268+ addr = mm->mmap_base - len;
5269
5270 do {
5271+ addr &= HPAGE_MASK;
5272 /*
5273 * Lookup failure means no vma is above this address,
5274 * else if new region fits below vma->vm_start,
5275 * return with success:
5276 */
5277 vma = find_vma(mm, addr);
5278- if (likely(!vma || addr+len <= vma->vm_start)) {
5279+ if (likely(check_heap_stack_gap(vma, addr, len))) {
5280 /* remember the address as a hint for next time */
5281 return (mm->free_area_cache = addr);
5282 }
5283@@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
5284 mm->cached_hole_size = vma->vm_start - addr;
5285
5286 /* try just below the current vma->vm_start */
5287- addr = (vma->vm_start-len) & HPAGE_MASK;
5288- } while (likely(len < vma->vm_start));
5289+ addr = skip_heap_stack_gap(vma, len);
5290+ } while (!IS_ERR_VALUE(addr));
5291
5292 bottomup:
5293 /*
5294@@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
5295 if (addr) {
5296 addr = ALIGN(addr, HPAGE_SIZE);
5297 vma = find_vma(mm, addr);
5298- if (task_size - len >= addr &&
5299- (!vma || addr + len <= vma->vm_start))
5300+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5301 return addr;
5302 }
5303 if (mm->get_unmapped_area == arch_get_unmapped_area)
5304diff -urNp linux-3.0.7/arch/sparc/mm/init_32.c linux-3.0.7/arch/sparc/mm/init_32.c
5305--- linux-3.0.7/arch/sparc/mm/init_32.c 2011-07-21 22:17:23.000000000 -0400
5306+++ linux-3.0.7/arch/sparc/mm/init_32.c 2011-08-23 21:47:55.000000000 -0400
5307@@ -316,6 +316,9 @@ extern void device_scan(void);
5308 pgprot_t PAGE_SHARED __read_mostly;
5309 EXPORT_SYMBOL(PAGE_SHARED);
5310
5311+pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5312+EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5313+
5314 void __init paging_init(void)
5315 {
5316 switch(sparc_cpu_model) {
5317@@ -344,17 +347,17 @@ void __init paging_init(void)
5318
5319 /* Initialize the protection map with non-constant, MMU dependent values. */
5320 protection_map[0] = PAGE_NONE;
5321- protection_map[1] = PAGE_READONLY;
5322- protection_map[2] = PAGE_COPY;
5323- protection_map[3] = PAGE_COPY;
5324+ protection_map[1] = PAGE_READONLY_NOEXEC;
5325+ protection_map[2] = PAGE_COPY_NOEXEC;
5326+ protection_map[3] = PAGE_COPY_NOEXEC;
5327 protection_map[4] = PAGE_READONLY;
5328 protection_map[5] = PAGE_READONLY;
5329 protection_map[6] = PAGE_COPY;
5330 protection_map[7] = PAGE_COPY;
5331 protection_map[8] = PAGE_NONE;
5332- protection_map[9] = PAGE_READONLY;
5333- protection_map[10] = PAGE_SHARED;
5334- protection_map[11] = PAGE_SHARED;
5335+ protection_map[9] = PAGE_READONLY_NOEXEC;
5336+ protection_map[10] = PAGE_SHARED_NOEXEC;
5337+ protection_map[11] = PAGE_SHARED_NOEXEC;
5338 protection_map[12] = PAGE_READONLY;
5339 protection_map[13] = PAGE_READONLY;
5340 protection_map[14] = PAGE_SHARED;
5341diff -urNp linux-3.0.7/arch/sparc/mm/srmmu.c linux-3.0.7/arch/sparc/mm/srmmu.c
5342--- linux-3.0.7/arch/sparc/mm/srmmu.c 2011-07-21 22:17:23.000000000 -0400
5343+++ linux-3.0.7/arch/sparc/mm/srmmu.c 2011-08-23 21:47:55.000000000 -0400
5344@@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
5345 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5346 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5347 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5348+
5349+#ifdef CONFIG_PAX_PAGEEXEC
5350+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5351+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5352+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5353+#endif
5354+
5355 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5356 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5357
5358diff -urNp linux-3.0.7/arch/um/include/asm/kmap_types.h linux-3.0.7/arch/um/include/asm/kmap_types.h
5359--- linux-3.0.7/arch/um/include/asm/kmap_types.h 2011-07-21 22:17:23.000000000 -0400
5360+++ linux-3.0.7/arch/um/include/asm/kmap_types.h 2011-08-23 21:47:55.000000000 -0400
5361@@ -23,6 +23,7 @@ enum km_type {
5362 KM_IRQ1,
5363 KM_SOFTIRQ0,
5364 KM_SOFTIRQ1,
5365+ KM_CLEARPAGE,
5366 KM_TYPE_NR
5367 };
5368
5369diff -urNp linux-3.0.7/arch/um/include/asm/page.h linux-3.0.7/arch/um/include/asm/page.h
5370--- linux-3.0.7/arch/um/include/asm/page.h 2011-07-21 22:17:23.000000000 -0400
5371+++ linux-3.0.7/arch/um/include/asm/page.h 2011-08-23 21:47:55.000000000 -0400
5372@@ -14,6 +14,9 @@
5373 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5374 #define PAGE_MASK (~(PAGE_SIZE-1))
5375
5376+#define ktla_ktva(addr) (addr)
5377+#define ktva_ktla(addr) (addr)
5378+
5379 #ifndef __ASSEMBLY__
5380
5381 struct page;
5382diff -urNp linux-3.0.7/arch/um/kernel/process.c linux-3.0.7/arch/um/kernel/process.c
5383--- linux-3.0.7/arch/um/kernel/process.c 2011-07-21 22:17:23.000000000 -0400
5384+++ linux-3.0.7/arch/um/kernel/process.c 2011-08-23 21:47:55.000000000 -0400
5385@@ -404,22 +404,6 @@ int singlestepping(void * t)
5386 return 2;
5387 }
5388
5389-/*
5390- * Only x86 and x86_64 have an arch_align_stack().
5391- * All other arches have "#define arch_align_stack(x) (x)"
5392- * in their asm/system.h
5393- * As this is included in UML from asm-um/system-generic.h,
5394- * we can use it to behave as the subarch does.
5395- */
5396-#ifndef arch_align_stack
5397-unsigned long arch_align_stack(unsigned long sp)
5398-{
5399- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5400- sp -= get_random_int() % 8192;
5401- return sp & ~0xf;
5402-}
5403-#endif
5404-
5405 unsigned long get_wchan(struct task_struct *p)
5406 {
5407 unsigned long stack_page, sp, ip;
5408diff -urNp linux-3.0.7/arch/um/sys-i386/syscalls.c linux-3.0.7/arch/um/sys-i386/syscalls.c
5409--- linux-3.0.7/arch/um/sys-i386/syscalls.c 2011-07-21 22:17:23.000000000 -0400
5410+++ linux-3.0.7/arch/um/sys-i386/syscalls.c 2011-08-23 21:47:55.000000000 -0400
5411@@ -11,6 +11,21 @@
5412 #include "asm/uaccess.h"
5413 #include "asm/unistd.h"
5414
5415+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5416+{
5417+ unsigned long pax_task_size = TASK_SIZE;
5418+
5419+#ifdef CONFIG_PAX_SEGMEXEC
5420+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5421+ pax_task_size = SEGMEXEC_TASK_SIZE;
5422+#endif
5423+
5424+ if (len > pax_task_size || addr > pax_task_size - len)
5425+ return -EINVAL;
5426+
5427+ return 0;
5428+}
5429+
5430 /*
5431 * The prototype on i386 is:
5432 *
5433diff -urNp linux-3.0.7/arch/x86/Kconfig linux-3.0.7/arch/x86/Kconfig
5434--- linux-3.0.7/arch/x86/Kconfig 2011-07-21 22:17:23.000000000 -0400
5435+++ linux-3.0.7/arch/x86/Kconfig 2011-09-17 00:58:36.000000000 -0400
5436@@ -229,7 +229,7 @@ config X86_HT
5437
5438 config X86_32_LAZY_GS
5439 def_bool y
5440- depends on X86_32 && !CC_STACKPROTECTOR
5441+ depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
5442
5443 config ARCH_HWEIGHT_CFLAGS
5444 string
5445@@ -1018,7 +1018,7 @@ choice
5446
5447 config NOHIGHMEM
5448 bool "off"
5449- depends on !X86_NUMAQ
5450+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
5451 ---help---
5452 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
5453 However, the address space of 32-bit x86 processors is only 4
5454@@ -1055,7 +1055,7 @@ config NOHIGHMEM
5455
5456 config HIGHMEM4G
5457 bool "4GB"
5458- depends on !X86_NUMAQ
5459+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
5460 ---help---
5461 Select this if you have a 32-bit processor and between 1 and 4
5462 gigabytes of physical RAM.
5463@@ -1109,7 +1109,7 @@ config PAGE_OFFSET
5464 hex
5465 default 0xB0000000 if VMSPLIT_3G_OPT
5466 default 0x80000000 if VMSPLIT_2G
5467- default 0x78000000 if VMSPLIT_2G_OPT
5468+ default 0x70000000 if VMSPLIT_2G_OPT
5469 default 0x40000000 if VMSPLIT_1G
5470 default 0xC0000000
5471 depends on X86_32
5472@@ -1483,6 +1483,7 @@ config SECCOMP
5473
5474 config CC_STACKPROTECTOR
5475 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
5476+ depends on X86_64 || !PAX_MEMORY_UDEREF
5477 ---help---
5478 This option turns on the -fstack-protector GCC feature. This
5479 feature puts, at the beginning of functions, a canary value on
5480@@ -1540,6 +1541,7 @@ config KEXEC_JUMP
5481 config PHYSICAL_START
5482 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
5483 default "0x1000000"
5484+ range 0x400000 0x40000000
5485 ---help---
5486 This gives the physical address where the kernel is loaded.
5487
5488@@ -1603,6 +1605,7 @@ config X86_NEED_RELOCS
5489 config PHYSICAL_ALIGN
5490 hex "Alignment value to which kernel should be aligned" if X86_32
5491 default "0x1000000"
5492+ range 0x400000 0x1000000 if PAX_KERNEXEC
5493 range 0x2000 0x1000000
5494 ---help---
5495 This value puts the alignment restrictions on physical address
5496@@ -1634,9 +1637,10 @@ config HOTPLUG_CPU
5497 Say N if you want to disable CPU hotplug.
5498
5499 config COMPAT_VDSO
5500- def_bool y
5501+ def_bool n
5502 prompt "Compat VDSO support"
5503 depends on X86_32 || IA32_EMULATION
5504+ depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
5505 ---help---
5506 Map the 32-bit VDSO to the predictable old-style address too.
5507
5508diff -urNp linux-3.0.7/arch/x86/Kconfig.cpu linux-3.0.7/arch/x86/Kconfig.cpu
5509--- linux-3.0.7/arch/x86/Kconfig.cpu 2011-07-21 22:17:23.000000000 -0400
5510+++ linux-3.0.7/arch/x86/Kconfig.cpu 2011-08-23 21:47:55.000000000 -0400
5511@@ -338,7 +338,7 @@ config X86_PPRO_FENCE
5512
5513 config X86_F00F_BUG
5514 def_bool y
5515- depends on M586MMX || M586TSC || M586 || M486 || M386
5516+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
5517
5518 config X86_INVD_BUG
5519 def_bool y
5520@@ -362,7 +362,7 @@ config X86_POPAD_OK
5521
5522 config X86_ALIGNMENT_16
5523 def_bool y
5524- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
5525+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
5526
5527 config X86_INTEL_USERCOPY
5528 def_bool y
5529@@ -408,7 +408,7 @@ config X86_CMPXCHG64
5530 # generates cmov.
5531 config X86_CMOV
5532 def_bool y
5533- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
5534+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
5535
5536 config X86_MINIMUM_CPU_FAMILY
5537 int
5538diff -urNp linux-3.0.7/arch/x86/Kconfig.debug linux-3.0.7/arch/x86/Kconfig.debug
5539--- linux-3.0.7/arch/x86/Kconfig.debug 2011-07-21 22:17:23.000000000 -0400
5540+++ linux-3.0.7/arch/x86/Kconfig.debug 2011-08-23 21:47:55.000000000 -0400
5541@@ -81,7 +81,7 @@ config X86_PTDUMP
5542 config DEBUG_RODATA
5543 bool "Write protect kernel read-only data structures"
5544 default y
5545- depends on DEBUG_KERNEL
5546+ depends on DEBUG_KERNEL && BROKEN
5547 ---help---
5548 Mark the kernel read-only data as write-protected in the pagetables,
5549 in order to catch accidental (and incorrect) writes to such const
5550@@ -99,7 +99,7 @@ config DEBUG_RODATA_TEST
5551
5552 config DEBUG_SET_MODULE_RONX
5553 bool "Set loadable kernel module data as NX and text as RO"
5554- depends on MODULES
5555+ depends on MODULES && BROKEN
5556 ---help---
5557 This option helps catch unintended modifications to loadable
5558 kernel module's text and read-only data. It also prevents execution
5559diff -urNp linux-3.0.7/arch/x86/Makefile linux-3.0.7/arch/x86/Makefile
5560--- linux-3.0.7/arch/x86/Makefile 2011-07-21 22:17:23.000000000 -0400
5561+++ linux-3.0.7/arch/x86/Makefile 2011-08-23 21:48:14.000000000 -0400
5562@@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y)
5563 else
5564 BITS := 64
5565 UTS_MACHINE := x86_64
5566+ biarch := $(call cc-option,-m64)
5567 CHECKFLAGS += -D__x86_64__ -m64
5568
5569 KBUILD_AFLAGS += -m64
5570@@ -195,3 +196,12 @@ define archhelp
5571 echo ' FDARGS="..." arguments for the booted kernel'
5572 echo ' FDINITRD=file initrd for the booted kernel'
5573 endef
5574+
5575+define OLD_LD
5576+
5577+*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
5578+*** Please upgrade your binutils to 2.18 or newer
5579+endef
5580+
5581+archprepare:
5582+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
5583diff -urNp linux-3.0.7/arch/x86/boot/Makefile linux-3.0.7/arch/x86/boot/Makefile
5584--- linux-3.0.7/arch/x86/boot/Makefile 2011-07-21 22:17:23.000000000 -0400
5585+++ linux-3.0.7/arch/x86/boot/Makefile 2011-08-23 21:47:55.000000000 -0400
5586@@ -69,6 +69,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
5587 $(call cc-option, -fno-stack-protector) \
5588 $(call cc-option, -mpreferred-stack-boundary=2)
5589 KBUILD_CFLAGS += $(call cc-option, -m32)
5590+ifdef CONSTIFY_PLUGIN
5591+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5592+endif
5593 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
5594 GCOV_PROFILE := n
5595
5596diff -urNp linux-3.0.7/arch/x86/boot/bitops.h linux-3.0.7/arch/x86/boot/bitops.h
5597--- linux-3.0.7/arch/x86/boot/bitops.h 2011-07-21 22:17:23.000000000 -0400
5598+++ linux-3.0.7/arch/x86/boot/bitops.h 2011-08-23 21:47:55.000000000 -0400
5599@@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5600 u8 v;
5601 const u32 *p = (const u32 *)addr;
5602
5603- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5604+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5605 return v;
5606 }
5607
5608@@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5609
5610 static inline void set_bit(int nr, void *addr)
5611 {
5612- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5613+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5614 }
5615
5616 #endif /* BOOT_BITOPS_H */
5617diff -urNp linux-3.0.7/arch/x86/boot/boot.h linux-3.0.7/arch/x86/boot/boot.h
5618--- linux-3.0.7/arch/x86/boot/boot.h 2011-07-21 22:17:23.000000000 -0400
5619+++ linux-3.0.7/arch/x86/boot/boot.h 2011-08-23 21:47:55.000000000 -0400
5620@@ -85,7 +85,7 @@ static inline void io_delay(void)
5621 static inline u16 ds(void)
5622 {
5623 u16 seg;
5624- asm("movw %%ds,%0" : "=rm" (seg));
5625+ asm volatile("movw %%ds,%0" : "=rm" (seg));
5626 return seg;
5627 }
5628
5629@@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5630 static inline int memcmp(const void *s1, const void *s2, size_t len)
5631 {
5632 u8 diff;
5633- asm("repe; cmpsb; setnz %0"
5634+ asm volatile("repe; cmpsb; setnz %0"
5635 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5636 return diff;
5637 }
5638diff -urNp linux-3.0.7/arch/x86/boot/compressed/Makefile linux-3.0.7/arch/x86/boot/compressed/Makefile
5639--- linux-3.0.7/arch/x86/boot/compressed/Makefile 2011-07-21 22:17:23.000000000 -0400
5640+++ linux-3.0.7/arch/x86/boot/compressed/Makefile 2011-08-23 21:47:55.000000000 -0400
5641@@ -14,6 +14,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=smal
5642 KBUILD_CFLAGS += $(cflags-y)
5643 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
5644 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
5645+ifdef CONSTIFY_PLUGIN
5646+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5647+endif
5648
5649 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
5650 GCOV_PROFILE := n
5651diff -urNp linux-3.0.7/arch/x86/boot/compressed/head_32.S linux-3.0.7/arch/x86/boot/compressed/head_32.S
5652--- linux-3.0.7/arch/x86/boot/compressed/head_32.S 2011-07-21 22:17:23.000000000 -0400
5653+++ linux-3.0.7/arch/x86/boot/compressed/head_32.S 2011-08-23 21:47:55.000000000 -0400
5654@@ -76,7 +76,7 @@ ENTRY(startup_32)
5655 notl %eax
5656 andl %eax, %ebx
5657 #else
5658- movl $LOAD_PHYSICAL_ADDR, %ebx
5659+ movl $____LOAD_PHYSICAL_ADDR, %ebx
5660 #endif
5661
5662 /* Target address to relocate to for decompression */
5663@@ -162,7 +162,7 @@ relocated:
5664 * and where it was actually loaded.
5665 */
5666 movl %ebp, %ebx
5667- subl $LOAD_PHYSICAL_ADDR, %ebx
5668+ subl $____LOAD_PHYSICAL_ADDR, %ebx
5669 jz 2f /* Nothing to be done if loaded at compiled addr. */
5670 /*
5671 * Process relocations.
5672@@ -170,8 +170,7 @@ relocated:
5673
5674 1: subl $4, %edi
5675 movl (%edi), %ecx
5676- testl %ecx, %ecx
5677- jz 2f
5678+ jecxz 2f
5679 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5680 jmp 1b
5681 2:
5682diff -urNp linux-3.0.7/arch/x86/boot/compressed/head_64.S linux-3.0.7/arch/x86/boot/compressed/head_64.S
5683--- linux-3.0.7/arch/x86/boot/compressed/head_64.S 2011-07-21 22:17:23.000000000 -0400
5684+++ linux-3.0.7/arch/x86/boot/compressed/head_64.S 2011-08-23 21:47:55.000000000 -0400
5685@@ -91,7 +91,7 @@ ENTRY(startup_32)
5686 notl %eax
5687 andl %eax, %ebx
5688 #else
5689- movl $LOAD_PHYSICAL_ADDR, %ebx
5690+ movl $____LOAD_PHYSICAL_ADDR, %ebx
5691 #endif
5692
5693 /* Target address to relocate to for decompression */
5694@@ -233,7 +233,7 @@ ENTRY(startup_64)
5695 notq %rax
5696 andq %rax, %rbp
5697 #else
5698- movq $LOAD_PHYSICAL_ADDR, %rbp
5699+ movq $____LOAD_PHYSICAL_ADDR, %rbp
5700 #endif
5701
5702 /* Target address to relocate to for decompression */
5703diff -urNp linux-3.0.7/arch/x86/boot/compressed/misc.c linux-3.0.7/arch/x86/boot/compressed/misc.c
5704--- linux-3.0.7/arch/x86/boot/compressed/misc.c 2011-07-21 22:17:23.000000000 -0400
5705+++ linux-3.0.7/arch/x86/boot/compressed/misc.c 2011-08-23 21:47:55.000000000 -0400
5706@@ -310,7 +310,7 @@ static void parse_elf(void *output)
5707 case PT_LOAD:
5708 #ifdef CONFIG_RELOCATABLE
5709 dest = output;
5710- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5711+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5712 #else
5713 dest = (void *)(phdr->p_paddr);
5714 #endif
5715@@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
5716 error("Destination address too large");
5717 #endif
5718 #ifndef CONFIG_RELOCATABLE
5719- if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5720+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5721 error("Wrong destination address");
5722 #endif
5723
5724diff -urNp linux-3.0.7/arch/x86/boot/compressed/relocs.c linux-3.0.7/arch/x86/boot/compressed/relocs.c
5725--- linux-3.0.7/arch/x86/boot/compressed/relocs.c 2011-07-21 22:17:23.000000000 -0400
5726+++ linux-3.0.7/arch/x86/boot/compressed/relocs.c 2011-08-23 21:47:55.000000000 -0400
5727@@ -13,8 +13,11 @@
5728
5729 static void die(char *fmt, ...);
5730
5731+#include "../../../../include/generated/autoconf.h"
5732+
5733 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5734 static Elf32_Ehdr ehdr;
5735+static Elf32_Phdr *phdr;
5736 static unsigned long reloc_count, reloc_idx;
5737 static unsigned long *relocs;
5738
5739@@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5740 }
5741 }
5742
5743+static void read_phdrs(FILE *fp)
5744+{
5745+ unsigned int i;
5746+
5747+ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5748+ if (!phdr) {
5749+ die("Unable to allocate %d program headers\n",
5750+ ehdr.e_phnum);
5751+ }
5752+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5753+ die("Seek to %d failed: %s\n",
5754+ ehdr.e_phoff, strerror(errno));
5755+ }
5756+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5757+ die("Cannot read ELF program headers: %s\n",
5758+ strerror(errno));
5759+ }
5760+ for(i = 0; i < ehdr.e_phnum; i++) {
5761+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5762+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5763+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5764+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5765+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5766+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5767+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5768+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5769+ }
5770+
5771+}
5772+
5773 static void read_shdrs(FILE *fp)
5774 {
5775- int i;
5776+ unsigned int i;
5777 Elf32_Shdr shdr;
5778
5779 secs = calloc(ehdr.e_shnum, sizeof(struct section));
5780@@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5781
5782 static void read_strtabs(FILE *fp)
5783 {
5784- int i;
5785+ unsigned int i;
5786 for (i = 0; i < ehdr.e_shnum; i++) {
5787 struct section *sec = &secs[i];
5788 if (sec->shdr.sh_type != SHT_STRTAB) {
5789@@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5790
5791 static void read_symtabs(FILE *fp)
5792 {
5793- int i,j;
5794+ unsigned int i,j;
5795 for (i = 0; i < ehdr.e_shnum; i++) {
5796 struct section *sec = &secs[i];
5797 if (sec->shdr.sh_type != SHT_SYMTAB) {
5798@@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5799
5800 static void read_relocs(FILE *fp)
5801 {
5802- int i,j;
5803+ unsigned int i,j;
5804+ uint32_t base;
5805+
5806 for (i = 0; i < ehdr.e_shnum; i++) {
5807 struct section *sec = &secs[i];
5808 if (sec->shdr.sh_type != SHT_REL) {
5809@@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5810 die("Cannot read symbol table: %s\n",
5811 strerror(errno));
5812 }
5813+ base = 0;
5814+ for (j = 0; j < ehdr.e_phnum; j++) {
5815+ if (phdr[j].p_type != PT_LOAD )
5816+ continue;
5817+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5818+ continue;
5819+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5820+ break;
5821+ }
5822 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5823 Elf32_Rel *rel = &sec->reltab[j];
5824- rel->r_offset = elf32_to_cpu(rel->r_offset);
5825+ rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5826 rel->r_info = elf32_to_cpu(rel->r_info);
5827 }
5828 }
5829@@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5830
5831 static void print_absolute_symbols(void)
5832 {
5833- int i;
5834+ unsigned int i;
5835 printf("Absolute symbols\n");
5836 printf(" Num: Value Size Type Bind Visibility Name\n");
5837 for (i = 0; i < ehdr.e_shnum; i++) {
5838 struct section *sec = &secs[i];
5839 char *sym_strtab;
5840 Elf32_Sym *sh_symtab;
5841- int j;
5842+ unsigned int j;
5843
5844 if (sec->shdr.sh_type != SHT_SYMTAB) {
5845 continue;
5846@@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5847
5848 static void print_absolute_relocs(void)
5849 {
5850- int i, printed = 0;
5851+ unsigned int i, printed = 0;
5852
5853 for (i = 0; i < ehdr.e_shnum; i++) {
5854 struct section *sec = &secs[i];
5855 struct section *sec_applies, *sec_symtab;
5856 char *sym_strtab;
5857 Elf32_Sym *sh_symtab;
5858- int j;
5859+ unsigned int j;
5860 if (sec->shdr.sh_type != SHT_REL) {
5861 continue;
5862 }
5863@@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5864
5865 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5866 {
5867- int i;
5868+ unsigned int i;
5869 /* Walk through the relocations */
5870 for (i = 0; i < ehdr.e_shnum; i++) {
5871 char *sym_strtab;
5872 Elf32_Sym *sh_symtab;
5873 struct section *sec_applies, *sec_symtab;
5874- int j;
5875+ unsigned int j;
5876 struct section *sec = &secs[i];
5877
5878 if (sec->shdr.sh_type != SHT_REL) {
5879@@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5880 !is_rel_reloc(sym_name(sym_strtab, sym))) {
5881 continue;
5882 }
5883+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5884+ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5885+ continue;
5886+
5887+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5888+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5889+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5890+ continue;
5891+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5892+ continue;
5893+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5894+ continue;
5895+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
5896+ continue;
5897+#endif
5898+
5899 switch (r_type) {
5900 case R_386_NONE:
5901 case R_386_PC32:
5902@@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5903
5904 static void emit_relocs(int as_text)
5905 {
5906- int i;
5907+ unsigned int i;
5908 /* Count how many relocations I have and allocate space for them. */
5909 reloc_count = 0;
5910 walk_relocs(count_reloc);
5911@@ -665,6 +725,7 @@ int main(int argc, char **argv)
5912 fname, strerror(errno));
5913 }
5914 read_ehdr(fp);
5915+ read_phdrs(fp);
5916 read_shdrs(fp);
5917 read_strtabs(fp);
5918 read_symtabs(fp);
5919diff -urNp linux-3.0.7/arch/x86/boot/cpucheck.c linux-3.0.7/arch/x86/boot/cpucheck.c
5920--- linux-3.0.7/arch/x86/boot/cpucheck.c 2011-07-21 22:17:23.000000000 -0400
5921+++ linux-3.0.7/arch/x86/boot/cpucheck.c 2011-08-23 21:47:55.000000000 -0400
5922@@ -74,7 +74,7 @@ static int has_fpu(void)
5923 u16 fcw = -1, fsw = -1;
5924 u32 cr0;
5925
5926- asm("movl %%cr0,%0" : "=r" (cr0));
5927+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
5928 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5929 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5930 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5931@@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5932 {
5933 u32 f0, f1;
5934
5935- asm("pushfl ; "
5936+ asm volatile("pushfl ; "
5937 "pushfl ; "
5938 "popl %0 ; "
5939 "movl %0,%1 ; "
5940@@ -115,7 +115,7 @@ static void get_flags(void)
5941 set_bit(X86_FEATURE_FPU, cpu.flags);
5942
5943 if (has_eflag(X86_EFLAGS_ID)) {
5944- asm("cpuid"
5945+ asm volatile("cpuid"
5946 : "=a" (max_intel_level),
5947 "=b" (cpu_vendor[0]),
5948 "=d" (cpu_vendor[1]),
5949@@ -124,7 +124,7 @@ static void get_flags(void)
5950
5951 if (max_intel_level >= 0x00000001 &&
5952 max_intel_level <= 0x0000ffff) {
5953- asm("cpuid"
5954+ asm volatile("cpuid"
5955 : "=a" (tfms),
5956 "=c" (cpu.flags[4]),
5957 "=d" (cpu.flags[0])
5958@@ -136,7 +136,7 @@ static void get_flags(void)
5959 cpu.model += ((tfms >> 16) & 0xf) << 4;
5960 }
5961
5962- asm("cpuid"
5963+ asm volatile("cpuid"
5964 : "=a" (max_amd_level)
5965 : "a" (0x80000000)
5966 : "ebx", "ecx", "edx");
5967@@ -144,7 +144,7 @@ static void get_flags(void)
5968 if (max_amd_level >= 0x80000001 &&
5969 max_amd_level <= 0x8000ffff) {
5970 u32 eax = 0x80000001;
5971- asm("cpuid"
5972+ asm volatile("cpuid"
5973 : "+a" (eax),
5974 "=c" (cpu.flags[6]),
5975 "=d" (cpu.flags[1])
5976@@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5977 u32 ecx = MSR_K7_HWCR;
5978 u32 eax, edx;
5979
5980- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5981+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5982 eax &= ~(1 << 15);
5983- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5984+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5985
5986 get_flags(); /* Make sure it really did something */
5987 err = check_flags();
5988@@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5989 u32 ecx = MSR_VIA_FCR;
5990 u32 eax, edx;
5991
5992- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5993+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5994 eax |= (1<<1)|(1<<7);
5995- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5996+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5997
5998 set_bit(X86_FEATURE_CX8, cpu.flags);
5999 err = check_flags();
6000@@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6001 u32 eax, edx;
6002 u32 level = 1;
6003
6004- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6005- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6006- asm("cpuid"
6007+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6008+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6009+ asm volatile("cpuid"
6010 : "+a" (level), "=d" (cpu.flags[0])
6011 : : "ecx", "ebx");
6012- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6013+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6014
6015 err = check_flags();
6016 }
6017diff -urNp linux-3.0.7/arch/x86/boot/header.S linux-3.0.7/arch/x86/boot/header.S
6018--- linux-3.0.7/arch/x86/boot/header.S 2011-07-21 22:17:23.000000000 -0400
6019+++ linux-3.0.7/arch/x86/boot/header.S 2011-08-23 21:47:55.000000000 -0400
6020@@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6021 # single linked list of
6022 # struct setup_data
6023
6024-pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6025+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6026
6027 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6028 #define VO_INIT_SIZE (VO__end - VO__text)
6029diff -urNp linux-3.0.7/arch/x86/boot/memory.c linux-3.0.7/arch/x86/boot/memory.c
6030--- linux-3.0.7/arch/x86/boot/memory.c 2011-07-21 22:17:23.000000000 -0400
6031+++ linux-3.0.7/arch/x86/boot/memory.c 2011-08-23 21:47:55.000000000 -0400
6032@@ -19,7 +19,7 @@
6033
6034 static int detect_memory_e820(void)
6035 {
6036- int count = 0;
6037+ unsigned int count = 0;
6038 struct biosregs ireg, oreg;
6039 struct e820entry *desc = boot_params.e820_map;
6040 static struct e820entry buf; /* static so it is zeroed */
6041diff -urNp linux-3.0.7/arch/x86/boot/video-vesa.c linux-3.0.7/arch/x86/boot/video-vesa.c
6042--- linux-3.0.7/arch/x86/boot/video-vesa.c 2011-07-21 22:17:23.000000000 -0400
6043+++ linux-3.0.7/arch/x86/boot/video-vesa.c 2011-08-23 21:47:55.000000000 -0400
6044@@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6045
6046 boot_params.screen_info.vesapm_seg = oreg.es;
6047 boot_params.screen_info.vesapm_off = oreg.di;
6048+ boot_params.screen_info.vesapm_size = oreg.cx;
6049 }
6050
6051 /*
6052diff -urNp linux-3.0.7/arch/x86/boot/video.c linux-3.0.7/arch/x86/boot/video.c
6053--- linux-3.0.7/arch/x86/boot/video.c 2011-07-21 22:17:23.000000000 -0400
6054+++ linux-3.0.7/arch/x86/boot/video.c 2011-08-23 21:47:55.000000000 -0400
6055@@ -96,7 +96,7 @@ static void store_mode_params(void)
6056 static unsigned int get_entry(void)
6057 {
6058 char entry_buf[4];
6059- int i, len = 0;
6060+ unsigned int i, len = 0;
6061 int key;
6062 unsigned int v;
6063
6064diff -urNp linux-3.0.7/arch/x86/crypto/aes-x86_64-asm_64.S linux-3.0.7/arch/x86/crypto/aes-x86_64-asm_64.S
6065--- linux-3.0.7/arch/x86/crypto/aes-x86_64-asm_64.S 2011-07-21 22:17:23.000000000 -0400
6066+++ linux-3.0.7/arch/x86/crypto/aes-x86_64-asm_64.S 2011-10-06 04:17:55.000000000 -0400
6067@@ -8,6 +8,8 @@
6068 * including this sentence is retained in full.
6069 */
6070
6071+#include <asm/alternative-asm.h>
6072+
6073 .extern crypto_ft_tab
6074 .extern crypto_it_tab
6075 .extern crypto_fl_tab
6076@@ -71,6 +73,8 @@ FUNC: movq r1,r2; \
6077 je B192; \
6078 leaq 32(r9),r9;
6079
6080+#define ret pax_force_retaddr; ret
6081+
6082 #define epilogue(r1,r2,r3,r4,r5,r6,r7,r8,r9) \
6083 movq r1,r2; \
6084 movq r3,r4; \
6085diff -urNp linux-3.0.7/arch/x86/crypto/salsa20-x86_64-asm_64.S linux-3.0.7/arch/x86/crypto/salsa20-x86_64-asm_64.S
6086--- linux-3.0.7/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-07-21 22:17:23.000000000 -0400
6087+++ linux-3.0.7/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-10-06 04:17:55.000000000 -0400
6088@@ -1,3 +1,5 @@
6089+#include <asm/alternative-asm.h>
6090+
6091 # enter ECRYPT_encrypt_bytes
6092 .text
6093 .p2align 5
6094@@ -790,6 +792,7 @@ ECRYPT_encrypt_bytes:
6095 add %r11,%rsp
6096 mov %rdi,%rax
6097 mov %rsi,%rdx
6098+ pax_force_retaddr
6099 ret
6100 # bytesatleast65:
6101 ._bytesatleast65:
6102@@ -891,6 +894,7 @@ ECRYPT_keysetup:
6103 add %r11,%rsp
6104 mov %rdi,%rax
6105 mov %rsi,%rdx
6106+ pax_force_retaddr
6107 ret
6108 # enter ECRYPT_ivsetup
6109 .text
6110@@ -917,4 +921,5 @@ ECRYPT_ivsetup:
6111 add %r11,%rsp
6112 mov %rdi,%rax
6113 mov %rsi,%rdx
6114+ pax_force_retaddr
6115 ret
6116diff -urNp linux-3.0.7/arch/x86/crypto/twofish-x86_64-asm_64.S linux-3.0.7/arch/x86/crypto/twofish-x86_64-asm_64.S
6117--- linux-3.0.7/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-07-21 22:17:23.000000000 -0400
6118+++ linux-3.0.7/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-10-06 04:17:55.000000000 -0400
6119@@ -21,6 +21,7 @@
6120 .text
6121
6122 #include <asm/asm-offsets.h>
6123+#include <asm/alternative-asm.h>
6124
6125 #define a_offset 0
6126 #define b_offset 4
6127@@ -269,6 +270,7 @@ twofish_enc_blk:
6128
6129 popq R1
6130 movq $1,%rax
6131+ pax_force_retaddr
6132 ret
6133
6134 twofish_dec_blk:
6135@@ -321,4 +323,5 @@ twofish_dec_blk:
6136
6137 popq R1
6138 movq $1,%rax
6139+ pax_force_retaddr
6140 ret
6141diff -urNp linux-3.0.7/arch/x86/ia32/ia32_aout.c linux-3.0.7/arch/x86/ia32/ia32_aout.c
6142--- linux-3.0.7/arch/x86/ia32/ia32_aout.c 2011-07-21 22:17:23.000000000 -0400
6143+++ linux-3.0.7/arch/x86/ia32/ia32_aout.c 2011-08-23 21:48:14.000000000 -0400
6144@@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
6145 unsigned long dump_start, dump_size;
6146 struct user32 dump;
6147
6148+ memset(&dump, 0, sizeof(dump));
6149+
6150 fs = get_fs();
6151 set_fs(KERNEL_DS);
6152 has_dumped = 1;
6153diff -urNp linux-3.0.7/arch/x86/ia32/ia32_signal.c linux-3.0.7/arch/x86/ia32/ia32_signal.c
6154--- linux-3.0.7/arch/x86/ia32/ia32_signal.c 2011-07-21 22:17:23.000000000 -0400
6155+++ linux-3.0.7/arch/x86/ia32/ia32_signal.c 2011-10-06 04:17:55.000000000 -0400
6156@@ -167,7 +167,7 @@ asmlinkage long sys32_sigaltstack(const
6157 }
6158 seg = get_fs();
6159 set_fs(KERNEL_DS);
6160- ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss, regs->sp);
6161+ ret = do_sigaltstack(uss_ptr ? (const stack_t __force_user *)&uss : NULL, (stack_t __force_user *)&uoss, regs->sp);
6162 set_fs(seg);
6163 if (ret >= 0 && uoss_ptr) {
6164 if (!access_ok(VERIFY_WRITE, uoss_ptr, sizeof(stack_ia32_t)))
6165@@ -374,7 +374,7 @@ static int ia32_setup_sigcontext(struct
6166 */
6167 static void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
6168 size_t frame_size,
6169- void **fpstate)
6170+ void __user **fpstate)
6171 {
6172 unsigned long sp;
6173
6174@@ -395,7 +395,7 @@ static void __user *get_sigframe(struct
6175
6176 if (used_math()) {
6177 sp = sp - sig_xstate_ia32_size;
6178- *fpstate = (struct _fpstate_ia32 *) sp;
6179+ *fpstate = (struct _fpstate_ia32 __user *) sp;
6180 if (save_i387_xstate_ia32(*fpstate) < 0)
6181 return (void __user *) -1L;
6182 }
6183@@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6184 sp -= frame_size;
6185 /* Align the stack pointer according to the i386 ABI,
6186 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6187- sp = ((sp + 4) & -16ul) - 4;
6188+ sp = ((sp - 12) & -16ul) - 4;
6189 return (void __user *) sp;
6190 }
6191
6192@@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6193 * These are actually not used anymore, but left because some
6194 * gdb versions depend on them as a marker.
6195 */
6196- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6197+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
6198 } put_user_catch(err);
6199
6200 if (err)
6201@@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6202 0xb8,
6203 __NR_ia32_rt_sigreturn,
6204 0x80cd,
6205- 0,
6206+ 0
6207 };
6208
6209 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6210@@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6211
6212 if (ka->sa.sa_flags & SA_RESTORER)
6213 restorer = ka->sa.sa_restorer;
6214+ else if (current->mm->context.vdso)
6215+ /* Return stub is in 32bit vsyscall page */
6216+ restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6217 else
6218- restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6219- rt_sigreturn);
6220+ restorer = &frame->retcode;
6221 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6222
6223 /*
6224 * Not actually used anymore, but left because some gdb
6225 * versions need it.
6226 */
6227- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6228+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
6229 } put_user_catch(err);
6230
6231 if (err)
6232diff -urNp linux-3.0.7/arch/x86/ia32/ia32entry.S linux-3.0.7/arch/x86/ia32/ia32entry.S
6233--- linux-3.0.7/arch/x86/ia32/ia32entry.S 2011-07-21 22:17:23.000000000 -0400
6234+++ linux-3.0.7/arch/x86/ia32/ia32entry.S 2011-10-11 10:44:33.000000000 -0400
6235@@ -13,7 +13,9 @@
6236 #include <asm/thread_info.h>
6237 #include <asm/segment.h>
6238 #include <asm/irqflags.h>
6239+#include <asm/pgtable.h>
6240 #include <linux/linkage.h>
6241+#include <asm/alternative-asm.h>
6242
6243 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6244 #include <linux/elf-em.h>
6245@@ -95,6 +97,29 @@ ENTRY(native_irq_enable_sysexit)
6246 ENDPROC(native_irq_enable_sysexit)
6247 #endif
6248
6249+ .macro pax_enter_kernel_user
6250+#ifdef CONFIG_PAX_MEMORY_UDEREF
6251+ call pax_enter_kernel_user
6252+#endif
6253+ .endm
6254+
6255+ .macro pax_exit_kernel_user
6256+#ifdef CONFIG_PAX_MEMORY_UDEREF
6257+ call pax_exit_kernel_user
6258+#endif
6259+#ifdef CONFIG_PAX_RANDKSTACK
6260+ pushq %rax
6261+ call pax_randomize_kstack
6262+ popq %rax
6263+#endif
6264+ .endm
6265+
6266+ .macro pax_erase_kstack
6267+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
6268+ call pax_erase_kstack
6269+#endif
6270+ .endm
6271+
6272 /*
6273 * 32bit SYSENTER instruction entry.
6274 *
6275@@ -121,7 +146,7 @@ ENTRY(ia32_sysenter_target)
6276 CFI_REGISTER rsp,rbp
6277 SWAPGS_UNSAFE_STACK
6278 movq PER_CPU_VAR(kernel_stack), %rsp
6279- addq $(KERNEL_STACK_OFFSET),%rsp
6280+ pax_enter_kernel_user
6281 /*
6282 * No need to follow this irqs on/off section: the syscall
6283 * disabled irqs, here we enable it straight after entry:
6284@@ -134,7 +159,8 @@ ENTRY(ia32_sysenter_target)
6285 CFI_REL_OFFSET rsp,0
6286 pushfq_cfi
6287 /*CFI_REL_OFFSET rflags,0*/
6288- movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
6289+ GET_THREAD_INFO(%r10)
6290+ movl TI_sysenter_return(%r10), %r10d
6291 CFI_REGISTER rip,r10
6292 pushq_cfi $__USER32_CS
6293 /*CFI_REL_OFFSET cs,0*/
6294@@ -146,6 +172,12 @@ ENTRY(ia32_sysenter_target)
6295 SAVE_ARGS 0,0,1
6296 /* no need to do an access_ok check here because rbp has been
6297 32bit zero extended */
6298+
6299+#ifdef CONFIG_PAX_MEMORY_UDEREF
6300+ mov $PAX_USER_SHADOW_BASE,%r10
6301+ add %r10,%rbp
6302+#endif
6303+
6304 1: movl (%rbp),%ebp
6305 .section __ex_table,"a"
6306 .quad 1b,ia32_badarg
6307@@ -168,6 +200,8 @@ sysenter_dispatch:
6308 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6309 jnz sysexit_audit
6310 sysexit_from_sys_call:
6311+ pax_exit_kernel_user
6312+ pax_erase_kstack
6313 andl $~TS_COMPAT,TI_status(%r10)
6314 /* clear IF, that popfq doesn't enable interrupts early */
6315 andl $~0x200,EFLAGS-R11(%rsp)
6316@@ -194,6 +228,9 @@ sysexit_from_sys_call:
6317 movl %eax,%esi /* 2nd arg: syscall number */
6318 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
6319 call audit_syscall_entry
6320+
6321+ pax_erase_kstack
6322+
6323 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
6324 cmpq $(IA32_NR_syscalls-1),%rax
6325 ja ia32_badsys
6326@@ -246,6 +283,9 @@ sysenter_tracesys:
6327 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
6328 movq %rsp,%rdi /* &pt_regs -> arg1 */
6329 call syscall_trace_enter
6330+
6331+ pax_erase_kstack
6332+
6333 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6334 RESTORE_REST
6335 cmpq $(IA32_NR_syscalls-1),%rax
6336@@ -277,19 +317,24 @@ ENDPROC(ia32_sysenter_target)
6337 ENTRY(ia32_cstar_target)
6338 CFI_STARTPROC32 simple
6339 CFI_SIGNAL_FRAME
6340- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
6341+ CFI_DEF_CFA rsp,0
6342 CFI_REGISTER rip,rcx
6343 /*CFI_REGISTER rflags,r11*/
6344 SWAPGS_UNSAFE_STACK
6345 movl %esp,%r8d
6346 CFI_REGISTER rsp,r8
6347 movq PER_CPU_VAR(kernel_stack),%rsp
6348+
6349+#ifdef CONFIG_PAX_MEMORY_UDEREF
6350+ pax_enter_kernel_user
6351+#endif
6352+
6353 /*
6354 * No need to follow this irqs on/off section: the syscall
6355 * disabled irqs and here we enable it straight after entry:
6356 */
6357 ENABLE_INTERRUPTS(CLBR_NONE)
6358- SAVE_ARGS 8,1,1
6359+ SAVE_ARGS 8*6,1,1
6360 movl %eax,%eax /* zero extension */
6361 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
6362 movq %rcx,RIP-ARGOFFSET(%rsp)
6363@@ -305,6 +350,12 @@ ENTRY(ia32_cstar_target)
6364 /* no need to do an access_ok check here because r8 has been
6365 32bit zero extended */
6366 /* hardware stack frame is complete now */
6367+
6368+#ifdef CONFIG_PAX_MEMORY_UDEREF
6369+ mov $PAX_USER_SHADOW_BASE,%r10
6370+ add %r10,%r8
6371+#endif
6372+
6373 1: movl (%r8),%r9d
6374 .section __ex_table,"a"
6375 .quad 1b,ia32_badarg
6376@@ -327,6 +378,8 @@ cstar_dispatch:
6377 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6378 jnz sysretl_audit
6379 sysretl_from_sys_call:
6380+ pax_exit_kernel_user
6381+ pax_erase_kstack
6382 andl $~TS_COMPAT,TI_status(%r10)
6383 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6384 movl RIP-ARGOFFSET(%rsp),%ecx
6385@@ -364,6 +417,9 @@ cstar_tracesys:
6386 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
6387 movq %rsp,%rdi /* &pt_regs -> arg1 */
6388 call syscall_trace_enter
6389+
6390+ pax_erase_kstack
6391+
6392 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
6393 RESTORE_REST
6394 xchgl %ebp,%r9d
6395@@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
6396 CFI_REL_OFFSET rip,RIP-RIP
6397 PARAVIRT_ADJUST_EXCEPTION_FRAME
6398 SWAPGS
6399+ pax_enter_kernel_user
6400 /*
6401 * No need to follow this irqs on/off section: the syscall
6402 * disabled irqs and here we enable it straight after entry:
6403@@ -441,6 +498,9 @@ ia32_tracesys:
6404 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
6405 movq %rsp,%rdi /* &pt_regs -> arg1 */
6406 call syscall_trace_enter
6407+
6408+ pax_erase_kstack
6409+
6410 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6411 RESTORE_REST
6412 cmpq $(IA32_NR_syscalls-1),%rax
6413@@ -455,6 +515,7 @@ ia32_badsys:
6414
6415 quiet_ni_syscall:
6416 movq $-ENOSYS,%rax
6417+ pax_force_retaddr
6418 ret
6419 CFI_ENDPROC
6420
6421diff -urNp linux-3.0.7/arch/x86/ia32/sys_ia32.c linux-3.0.7/arch/x86/ia32/sys_ia32.c
6422--- linux-3.0.7/arch/x86/ia32/sys_ia32.c 2011-07-21 22:17:23.000000000 -0400
6423+++ linux-3.0.7/arch/x86/ia32/sys_ia32.c 2011-10-06 04:17:55.000000000 -0400
6424@@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsign
6425 */
6426 static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
6427 {
6428- typeof(ubuf->st_uid) uid = 0;
6429- typeof(ubuf->st_gid) gid = 0;
6430+ typeof(((struct stat64 *)0)->st_uid) uid = 0;
6431+ typeof(((struct stat64 *)0)->st_gid) gid = 0;
6432 SET_UID(uid, stat->uid);
6433 SET_GID(gid, stat->gid);
6434 if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
6435@@ -308,8 +308,8 @@ asmlinkage long sys32_rt_sigprocmask(int
6436 }
6437 set_fs(KERNEL_DS);
6438 ret = sys_rt_sigprocmask(how,
6439- set ? (sigset_t __user *)&s : NULL,
6440- oset ? (sigset_t __user *)&s : NULL,
6441+ set ? (sigset_t __force_user *)&s : NULL,
6442+ oset ? (sigset_t __force_user *)&s : NULL,
6443 sigsetsize);
6444 set_fs(old_fs);
6445 if (ret)
6446@@ -332,7 +332,7 @@ asmlinkage long sys32_alarm(unsigned int
6447 return alarm_setitimer(seconds);
6448 }
6449
6450-asmlinkage long sys32_waitpid(compat_pid_t pid, unsigned int *stat_addr,
6451+asmlinkage long sys32_waitpid(compat_pid_t pid, unsigned int __user *stat_addr,
6452 int options)
6453 {
6454 return compat_sys_wait4(pid, stat_addr, options, NULL);
6455@@ -353,7 +353,7 @@ asmlinkage long sys32_sched_rr_get_inter
6456 mm_segment_t old_fs = get_fs();
6457
6458 set_fs(KERNEL_DS);
6459- ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
6460+ ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
6461 set_fs(old_fs);
6462 if (put_compat_timespec(&t, interval))
6463 return -EFAULT;
6464@@ -369,7 +369,7 @@ asmlinkage long sys32_rt_sigpending(comp
6465 mm_segment_t old_fs = get_fs();
6466
6467 set_fs(KERNEL_DS);
6468- ret = sys_rt_sigpending((sigset_t __user *)&s, sigsetsize);
6469+ ret = sys_rt_sigpending((sigset_t __force_user *)&s, sigsetsize);
6470 set_fs(old_fs);
6471 if (!ret) {
6472 switch (_NSIG_WORDS) {
6473@@ -394,7 +394,7 @@ asmlinkage long sys32_rt_sigqueueinfo(in
6474 if (copy_siginfo_from_user32(&info, uinfo))
6475 return -EFAULT;
6476 set_fs(KERNEL_DS);
6477- ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __user *)&info);
6478+ ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __force_user *)&info);
6479 set_fs(old_fs);
6480 return ret;
6481 }
6482@@ -439,7 +439,7 @@ asmlinkage long sys32_sendfile(int out_f
6483 return -EFAULT;
6484
6485 set_fs(KERNEL_DS);
6486- ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL,
6487+ ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL,
6488 count);
6489 set_fs(old_fs);
6490
6491diff -urNp linux-3.0.7/arch/x86/include/asm/alternative-asm.h linux-3.0.7/arch/x86/include/asm/alternative-asm.h
6492--- linux-3.0.7/arch/x86/include/asm/alternative-asm.h 2011-07-21 22:17:23.000000000 -0400
6493+++ linux-3.0.7/arch/x86/include/asm/alternative-asm.h 2011-10-07 19:07:23.000000000 -0400
6494@@ -15,6 +15,20 @@
6495 .endm
6496 #endif
6497
6498+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
6499+ .macro pax_force_retaddr rip=0
6500+ btsq $63,\rip(%rsp)
6501+ .endm
6502+ .macro pax_force_fptr ptr
6503+ btsq $63,\ptr
6504+ .endm
6505+#else
6506+ .macro pax_force_retaddr rip=0
6507+ .endm
6508+ .macro pax_force_fptr ptr
6509+ .endm
6510+#endif
6511+
6512 .macro altinstruction_entry orig alt feature orig_len alt_len
6513 .align 8
6514 .quad \orig
6515diff -urNp linux-3.0.7/arch/x86/include/asm/alternative.h linux-3.0.7/arch/x86/include/asm/alternative.h
6516--- linux-3.0.7/arch/x86/include/asm/alternative.h 2011-07-21 22:17:23.000000000 -0400
6517+++ linux-3.0.7/arch/x86/include/asm/alternative.h 2011-08-23 21:47:55.000000000 -0400
6518@@ -93,7 +93,7 @@ static inline int alternatives_text_rese
6519 ".section .discard,\"aw\",@progbits\n" \
6520 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6521 ".previous\n" \
6522- ".section .altinstr_replacement, \"ax\"\n" \
6523+ ".section .altinstr_replacement, \"a\"\n" \
6524 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6525 ".previous"
6526
6527diff -urNp linux-3.0.7/arch/x86/include/asm/apic.h linux-3.0.7/arch/x86/include/asm/apic.h
6528--- linux-3.0.7/arch/x86/include/asm/apic.h 2011-07-21 22:17:23.000000000 -0400
6529+++ linux-3.0.7/arch/x86/include/asm/apic.h 2011-08-23 21:48:14.000000000 -0400
6530@@ -45,7 +45,7 @@ static inline void generic_apic_probe(vo
6531
6532 #ifdef CONFIG_X86_LOCAL_APIC
6533
6534-extern unsigned int apic_verbosity;
6535+extern int apic_verbosity;
6536 extern int local_apic_timer_c2_ok;
6537
6538 extern int disable_apic;
6539diff -urNp linux-3.0.7/arch/x86/include/asm/apm.h linux-3.0.7/arch/x86/include/asm/apm.h
6540--- linux-3.0.7/arch/x86/include/asm/apm.h 2011-07-21 22:17:23.000000000 -0400
6541+++ linux-3.0.7/arch/x86/include/asm/apm.h 2011-08-23 21:47:55.000000000 -0400
6542@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6543 __asm__ __volatile__(APM_DO_ZERO_SEGS
6544 "pushl %%edi\n\t"
6545 "pushl %%ebp\n\t"
6546- "lcall *%%cs:apm_bios_entry\n\t"
6547+ "lcall *%%ss:apm_bios_entry\n\t"
6548 "setc %%al\n\t"
6549 "popl %%ebp\n\t"
6550 "popl %%edi\n\t"
6551@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6552 __asm__ __volatile__(APM_DO_ZERO_SEGS
6553 "pushl %%edi\n\t"
6554 "pushl %%ebp\n\t"
6555- "lcall *%%cs:apm_bios_entry\n\t"
6556+ "lcall *%%ss:apm_bios_entry\n\t"
6557 "setc %%bl\n\t"
6558 "popl %%ebp\n\t"
6559 "popl %%edi\n\t"
6560diff -urNp linux-3.0.7/arch/x86/include/asm/atomic.h linux-3.0.7/arch/x86/include/asm/atomic.h
6561--- linux-3.0.7/arch/x86/include/asm/atomic.h 2011-07-21 22:17:23.000000000 -0400
6562+++ linux-3.0.7/arch/x86/include/asm/atomic.h 2011-08-23 21:47:55.000000000 -0400
6563@@ -22,7 +22,18 @@
6564 */
6565 static inline int atomic_read(const atomic_t *v)
6566 {
6567- return (*(volatile int *)&(v)->counter);
6568+ return (*(volatile const int *)&(v)->counter);
6569+}
6570+
6571+/**
6572+ * atomic_read_unchecked - read atomic variable
6573+ * @v: pointer of type atomic_unchecked_t
6574+ *
6575+ * Atomically reads the value of @v.
6576+ */
6577+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6578+{
6579+ return (*(volatile const int *)&(v)->counter);
6580 }
6581
6582 /**
6583@@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6584 }
6585
6586 /**
6587+ * atomic_set_unchecked - set atomic variable
6588+ * @v: pointer of type atomic_unchecked_t
6589+ * @i: required value
6590+ *
6591+ * Atomically sets the value of @v to @i.
6592+ */
6593+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6594+{
6595+ v->counter = i;
6596+}
6597+
6598+/**
6599 * atomic_add - add integer to atomic variable
6600 * @i: integer value to add
6601 * @v: pointer of type atomic_t
6602@@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6603 */
6604 static inline void atomic_add(int i, atomic_t *v)
6605 {
6606- asm volatile(LOCK_PREFIX "addl %1,%0"
6607+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
6608+
6609+#ifdef CONFIG_PAX_REFCOUNT
6610+ "jno 0f\n"
6611+ LOCK_PREFIX "subl %1,%0\n"
6612+ "int $4\n0:\n"
6613+ _ASM_EXTABLE(0b, 0b)
6614+#endif
6615+
6616+ : "+m" (v->counter)
6617+ : "ir" (i));
6618+}
6619+
6620+/**
6621+ * atomic_add_unchecked - add integer to atomic variable
6622+ * @i: integer value to add
6623+ * @v: pointer of type atomic_unchecked_t
6624+ *
6625+ * Atomically adds @i to @v.
6626+ */
6627+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6628+{
6629+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
6630 : "+m" (v->counter)
6631 : "ir" (i));
6632 }
6633@@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6634 */
6635 static inline void atomic_sub(int i, atomic_t *v)
6636 {
6637- asm volatile(LOCK_PREFIX "subl %1,%0"
6638+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
6639+
6640+#ifdef CONFIG_PAX_REFCOUNT
6641+ "jno 0f\n"
6642+ LOCK_PREFIX "addl %1,%0\n"
6643+ "int $4\n0:\n"
6644+ _ASM_EXTABLE(0b, 0b)
6645+#endif
6646+
6647+ : "+m" (v->counter)
6648+ : "ir" (i));
6649+}
6650+
6651+/**
6652+ * atomic_sub_unchecked - subtract integer from atomic variable
6653+ * @i: integer value to subtract
6654+ * @v: pointer of type atomic_unchecked_t
6655+ *
6656+ * Atomically subtracts @i from @v.
6657+ */
6658+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6659+{
6660+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
6661 : "+m" (v->counter)
6662 : "ir" (i));
6663 }
6664@@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6665 {
6666 unsigned char c;
6667
6668- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6669+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
6670+
6671+#ifdef CONFIG_PAX_REFCOUNT
6672+ "jno 0f\n"
6673+ LOCK_PREFIX "addl %2,%0\n"
6674+ "int $4\n0:\n"
6675+ _ASM_EXTABLE(0b, 0b)
6676+#endif
6677+
6678+ "sete %1\n"
6679 : "+m" (v->counter), "=qm" (c)
6680 : "ir" (i) : "memory");
6681 return c;
6682@@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6683 */
6684 static inline void atomic_inc(atomic_t *v)
6685 {
6686- asm volatile(LOCK_PREFIX "incl %0"
6687+ asm volatile(LOCK_PREFIX "incl %0\n"
6688+
6689+#ifdef CONFIG_PAX_REFCOUNT
6690+ "jno 0f\n"
6691+ LOCK_PREFIX "decl %0\n"
6692+ "int $4\n0:\n"
6693+ _ASM_EXTABLE(0b, 0b)
6694+#endif
6695+
6696+ : "+m" (v->counter));
6697+}
6698+
6699+/**
6700+ * atomic_inc_unchecked - increment atomic variable
6701+ * @v: pointer of type atomic_unchecked_t
6702+ *
6703+ * Atomically increments @v by 1.
6704+ */
6705+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6706+{
6707+ asm volatile(LOCK_PREFIX "incl %0\n"
6708 : "+m" (v->counter));
6709 }
6710
6711@@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6712 */
6713 static inline void atomic_dec(atomic_t *v)
6714 {
6715- asm volatile(LOCK_PREFIX "decl %0"
6716+ asm volatile(LOCK_PREFIX "decl %0\n"
6717+
6718+#ifdef CONFIG_PAX_REFCOUNT
6719+ "jno 0f\n"
6720+ LOCK_PREFIX "incl %0\n"
6721+ "int $4\n0:\n"
6722+ _ASM_EXTABLE(0b, 0b)
6723+#endif
6724+
6725+ : "+m" (v->counter));
6726+}
6727+
6728+/**
6729+ * atomic_dec_unchecked - decrement atomic variable
6730+ * @v: pointer of type atomic_unchecked_t
6731+ *
6732+ * Atomically decrements @v by 1.
6733+ */
6734+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6735+{
6736+ asm volatile(LOCK_PREFIX "decl %0\n"
6737 : "+m" (v->counter));
6738 }
6739
6740@@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6741 {
6742 unsigned char c;
6743
6744- asm volatile(LOCK_PREFIX "decl %0; sete %1"
6745+ asm volatile(LOCK_PREFIX "decl %0\n"
6746+
6747+#ifdef CONFIG_PAX_REFCOUNT
6748+ "jno 0f\n"
6749+ LOCK_PREFIX "incl %0\n"
6750+ "int $4\n0:\n"
6751+ _ASM_EXTABLE(0b, 0b)
6752+#endif
6753+
6754+ "sete %1\n"
6755 : "+m" (v->counter), "=qm" (c)
6756 : : "memory");
6757 return c != 0;
6758@@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at
6759 {
6760 unsigned char c;
6761
6762- asm volatile(LOCK_PREFIX "incl %0; sete %1"
6763+ asm volatile(LOCK_PREFIX "incl %0\n"
6764+
6765+#ifdef CONFIG_PAX_REFCOUNT
6766+ "jno 0f\n"
6767+ LOCK_PREFIX "decl %0\n"
6768+ "int $4\n0:\n"
6769+ _ASM_EXTABLE(0b, 0b)
6770+#endif
6771+
6772+ "sete %1\n"
6773+ : "+m" (v->counter), "=qm" (c)
6774+ : : "memory");
6775+ return c != 0;
6776+}
6777+
6778+/**
6779+ * atomic_inc_and_test_unchecked - increment and test
6780+ * @v: pointer of type atomic_unchecked_t
6781+ *
6782+ * Atomically increments @v by 1
6783+ * and returns true if the result is zero, or false for all
6784+ * other cases.
6785+ */
6786+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
6787+{
6788+ unsigned char c;
6789+
6790+ asm volatile(LOCK_PREFIX "incl %0\n"
6791+ "sete %1\n"
6792 : "+m" (v->counter), "=qm" (c)
6793 : : "memory");
6794 return c != 0;
6795@@ -157,7 +310,16 @@ static inline int atomic_add_negative(in
6796 {
6797 unsigned char c;
6798
6799- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6800+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
6801+
6802+#ifdef CONFIG_PAX_REFCOUNT
6803+ "jno 0f\n"
6804+ LOCK_PREFIX "subl %2,%0\n"
6805+ "int $4\n0:\n"
6806+ _ASM_EXTABLE(0b, 0b)
6807+#endif
6808+
6809+ "sets %1\n"
6810 : "+m" (v->counter), "=qm" (c)
6811 : "ir" (i) : "memory");
6812 return c;
6813@@ -180,6 +342,46 @@ static inline int atomic_add_return(int
6814 #endif
6815 /* Modern 486+ processor */
6816 __i = i;
6817+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6818+
6819+#ifdef CONFIG_PAX_REFCOUNT
6820+ "jno 0f\n"
6821+ "movl %0, %1\n"
6822+ "int $4\n0:\n"
6823+ _ASM_EXTABLE(0b, 0b)
6824+#endif
6825+
6826+ : "+r" (i), "+m" (v->counter)
6827+ : : "memory");
6828+ return i + __i;
6829+
6830+#ifdef CONFIG_M386
6831+no_xadd: /* Legacy 386 processor */
6832+ local_irq_save(flags);
6833+ __i = atomic_read(v);
6834+ atomic_set(v, i + __i);
6835+ local_irq_restore(flags);
6836+ return i + __i;
6837+#endif
6838+}
6839+
6840+/**
6841+ * atomic_add_return_unchecked - add integer and return
6842+ * @v: pointer of type atomic_unchecked_t
6843+ * @i: integer value to add
6844+ *
6845+ * Atomically adds @i to @v and returns @i + @v
6846+ */
6847+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6848+{
6849+ int __i;
6850+#ifdef CONFIG_M386
6851+ unsigned long flags;
6852+ if (unlikely(boot_cpu_data.x86 <= 3))
6853+ goto no_xadd;
6854+#endif
6855+ /* Modern 486+ processor */
6856+ __i = i;
6857 asm volatile(LOCK_PREFIX "xaddl %0, %1"
6858 : "+r" (i), "+m" (v->counter)
6859 : : "memory");
6860@@ -208,6 +410,10 @@ static inline int atomic_sub_return(int
6861 }
6862
6863 #define atomic_inc_return(v) (atomic_add_return(1, v))
6864+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6865+{
6866+ return atomic_add_return_unchecked(1, v);
6867+}
6868 #define atomic_dec_return(v) (atomic_sub_return(1, v))
6869
6870 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6871@@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_
6872 return cmpxchg(&v->counter, old, new);
6873 }
6874
6875+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
6876+{
6877+ return cmpxchg(&v->counter, old, new);
6878+}
6879+
6880 static inline int atomic_xchg(atomic_t *v, int new)
6881 {
6882 return xchg(&v->counter, new);
6883 }
6884
6885+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
6886+{
6887+ return xchg(&v->counter, new);
6888+}
6889+
6890 /**
6891 * atomic_add_unless - add unless the number is already a given value
6892 * @v: pointer of type atomic_t
6893@@ -231,21 +447,77 @@ static inline int atomic_xchg(atomic_t *
6894 */
6895 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6896 {
6897- int c, old;
6898+ int c, old, new;
6899 c = atomic_read(v);
6900 for (;;) {
6901- if (unlikely(c == (u)))
6902+ if (unlikely(c == u))
6903 break;
6904- old = atomic_cmpxchg((v), c, c + (a));
6905+
6906+ asm volatile("addl %2,%0\n"
6907+
6908+#ifdef CONFIG_PAX_REFCOUNT
6909+ "jno 0f\n"
6910+ "subl %2,%0\n"
6911+ "int $4\n0:\n"
6912+ _ASM_EXTABLE(0b, 0b)
6913+#endif
6914+
6915+ : "=r" (new)
6916+ : "0" (c), "ir" (a));
6917+
6918+ old = atomic_cmpxchg(v, c, new);
6919 if (likely(old == c))
6920 break;
6921 c = old;
6922 }
6923- return c != (u);
6924+ return c != u;
6925 }
6926
6927 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6928
6929+/**
6930+ * atomic_inc_not_zero_hint - increment if not null
6931+ * @v: pointer of type atomic_t
6932+ * @hint: probable value of the atomic before the increment
6933+ *
6934+ * This version of atomic_inc_not_zero() gives a hint of probable
6935+ * value of the atomic. This helps processor to not read the memory
6936+ * before doing the atomic read/modify/write cycle, lowering
6937+ * number of bus transactions on some arches.
6938+ *
6939+ * Returns: 0 if increment was not done, 1 otherwise.
6940+ */
6941+#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
6942+static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
6943+{
6944+ int val, c = hint, new;
6945+
6946+ /* sanity test, should be removed by compiler if hint is a constant */
6947+ if (!hint)
6948+ return atomic_inc_not_zero(v);
6949+
6950+ do {
6951+ asm volatile("incl %0\n"
6952+
6953+#ifdef CONFIG_PAX_REFCOUNT
6954+ "jno 0f\n"
6955+ "decl %0\n"
6956+ "int $4\n0:\n"
6957+ _ASM_EXTABLE(0b, 0b)
6958+#endif
6959+
6960+ : "=r" (new)
6961+ : "0" (c));
6962+
6963+ val = atomic_cmpxchg(v, c, new);
6964+ if (val == c)
6965+ return 1;
6966+ c = val;
6967+ } while (c);
6968+
6969+ return 0;
6970+}
6971+
6972 /*
6973 * atomic_dec_if_positive - decrement by 1 if old value positive
6974 * @v: pointer of type atomic_t
6975diff -urNp linux-3.0.7/arch/x86/include/asm/atomic64_32.h linux-3.0.7/arch/x86/include/asm/atomic64_32.h
6976--- linux-3.0.7/arch/x86/include/asm/atomic64_32.h 2011-07-21 22:17:23.000000000 -0400
6977+++ linux-3.0.7/arch/x86/include/asm/atomic64_32.h 2011-08-23 21:47:55.000000000 -0400
6978@@ -12,6 +12,14 @@ typedef struct {
6979 u64 __aligned(8) counter;
6980 } atomic64_t;
6981
6982+#ifdef CONFIG_PAX_REFCOUNT
6983+typedef struct {
6984+ u64 __aligned(8) counter;
6985+} atomic64_unchecked_t;
6986+#else
6987+typedef atomic64_t atomic64_unchecked_t;
6988+#endif
6989+
6990 #define ATOMIC64_INIT(val) { (val) }
6991
6992 #ifdef CONFIG_X86_CMPXCHG64
6993@@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg
6994 }
6995
6996 /**
6997+ * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
6998+ * @p: pointer to type atomic64_unchecked_t
6999+ * @o: expected value
7000+ * @n: new value
7001+ *
7002+ * Atomically sets @v to @n if it was equal to @o and returns
7003+ * the old value.
7004+ */
7005+
7006+static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
7007+{
7008+ return cmpxchg64(&v->counter, o, n);
7009+}
7010+
7011+/**
7012 * atomic64_xchg - xchg atomic64 variable
7013 * @v: pointer to type atomic64_t
7014 * @n: value to assign
7015@@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64
7016 }
7017
7018 /**
7019+ * atomic64_set_unchecked - set atomic64 variable
7020+ * @v: pointer to type atomic64_unchecked_t
7021+ * @n: value to assign
7022+ *
7023+ * Atomically sets the value of @v to @n.
7024+ */
7025+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
7026+{
7027+ unsigned high = (unsigned)(i >> 32);
7028+ unsigned low = (unsigned)i;
7029+ asm volatile(ATOMIC64_ALTERNATIVE(set)
7030+ : "+b" (low), "+c" (high)
7031+ : "S" (v)
7032+ : "eax", "edx", "memory"
7033+ );
7034+}
7035+
7036+/**
7037 * atomic64_read - read atomic64 variable
7038 * @v: pointer to type atomic64_t
7039 *
7040@@ -93,6 +134,22 @@ static inline long long atomic64_read(at
7041 }
7042
7043 /**
7044+ * atomic64_read_unchecked - read atomic64 variable
7045+ * @v: pointer to type atomic64_unchecked_t
7046+ *
7047+ * Atomically reads the value of @v and returns it.
7048+ */
7049+static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
7050+{
7051+ long long r;
7052+ asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked)
7053+ : "=A" (r), "+c" (v)
7054+ : : "memory"
7055+ );
7056+ return r;
7057+ }
7058+
7059+/**
7060 * atomic64_add_return - add and return
7061 * @i: integer value to add
7062 * @v: pointer to type atomic64_t
7063@@ -108,6 +165,22 @@ static inline long long atomic64_add_ret
7064 return i;
7065 }
7066
7067+/**
7068+ * atomic64_add_return_unchecked - add and return
7069+ * @i: integer value to add
7070+ * @v: pointer to type atomic64_unchecked_t
7071+ *
7072+ * Atomically adds @i to @v and returns @i + *@v
7073+ */
7074+static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
7075+{
7076+ asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked)
7077+ : "+A" (i), "+c" (v)
7078+ : : "memory"
7079+ );
7080+ return i;
7081+}
7082+
7083 /*
7084 * Other variants with different arithmetic operators:
7085 */
7086@@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret
7087 return a;
7088 }
7089
7090+static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
7091+{
7092+ long long a;
7093+ asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked)
7094+ : "=A" (a)
7095+ : "S" (v)
7096+ : "memory", "ecx"
7097+ );
7098+ return a;
7099+}
7100+
7101 static inline long long atomic64_dec_return(atomic64_t *v)
7102 {
7103 long long a;
7104@@ -159,6 +243,22 @@ static inline long long atomic64_add(lon
7105 }
7106
7107 /**
7108+ * atomic64_add_unchecked - add integer to atomic64 variable
7109+ * @i: integer value to add
7110+ * @v: pointer to type atomic64_unchecked_t
7111+ *
7112+ * Atomically adds @i to @v.
7113+ */
7114+static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
7115+{
7116+ asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)
7117+ : "+A" (i), "+c" (v)
7118+ : : "memory"
7119+ );
7120+ return i;
7121+}
7122+
7123+/**
7124 * atomic64_sub - subtract the atomic64 variable
7125 * @i: integer value to subtract
7126 * @v: pointer to type atomic64_t
7127diff -urNp linux-3.0.7/arch/x86/include/asm/atomic64_64.h linux-3.0.7/arch/x86/include/asm/atomic64_64.h
7128--- linux-3.0.7/arch/x86/include/asm/atomic64_64.h 2011-07-21 22:17:23.000000000 -0400
7129+++ linux-3.0.7/arch/x86/include/asm/atomic64_64.h 2011-08-23 21:47:55.000000000 -0400
7130@@ -18,7 +18,19 @@
7131 */
7132 static inline long atomic64_read(const atomic64_t *v)
7133 {
7134- return (*(volatile long *)&(v)->counter);
7135+ return (*(volatile const long *)&(v)->counter);
7136+}
7137+
7138+/**
7139+ * atomic64_read_unchecked - read atomic64 variable
7140+ * @v: pointer of type atomic64_unchecked_t
7141+ *
7142+ * Atomically reads the value of @v.
7143+ * Doesn't imply a read memory barrier.
7144+ */
7145+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
7146+{
7147+ return (*(volatile const long *)&(v)->counter);
7148 }
7149
7150 /**
7151@@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
7152 }
7153
7154 /**
7155+ * atomic64_set_unchecked - set atomic64 variable
7156+ * @v: pointer to type atomic64_unchecked_t
7157+ * @i: required value
7158+ *
7159+ * Atomically sets the value of @v to @i.
7160+ */
7161+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
7162+{
7163+ v->counter = i;
7164+}
7165+
7166+/**
7167 * atomic64_add - add integer to atomic64 variable
7168 * @i: integer value to add
7169 * @v: pointer to type atomic64_t
7170@@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
7171 */
7172 static inline void atomic64_add(long i, atomic64_t *v)
7173 {
7174+ asm volatile(LOCK_PREFIX "addq %1,%0\n"
7175+
7176+#ifdef CONFIG_PAX_REFCOUNT
7177+ "jno 0f\n"
7178+ LOCK_PREFIX "subq %1,%0\n"
7179+ "int $4\n0:\n"
7180+ _ASM_EXTABLE(0b, 0b)
7181+#endif
7182+
7183+ : "=m" (v->counter)
7184+ : "er" (i), "m" (v->counter));
7185+}
7186+
7187+/**
7188+ * atomic64_add_unchecked - add integer to atomic64 variable
7189+ * @i: integer value to add
7190+ * @v: pointer to type atomic64_unchecked_t
7191+ *
7192+ * Atomically adds @i to @v.
7193+ */
7194+static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
7195+{
7196 asm volatile(LOCK_PREFIX "addq %1,%0"
7197 : "=m" (v->counter)
7198 : "er" (i), "m" (v->counter));
7199@@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
7200 */
7201 static inline void atomic64_sub(long i, atomic64_t *v)
7202 {
7203- asm volatile(LOCK_PREFIX "subq %1,%0"
7204+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
7205+
7206+#ifdef CONFIG_PAX_REFCOUNT
7207+ "jno 0f\n"
7208+ LOCK_PREFIX "addq %1,%0\n"
7209+ "int $4\n0:\n"
7210+ _ASM_EXTABLE(0b, 0b)
7211+#endif
7212+
7213+ : "=m" (v->counter)
7214+ : "er" (i), "m" (v->counter));
7215+}
7216+
7217+/**
7218+ * atomic64_sub_unchecked - subtract the atomic64 variable
7219+ * @i: integer value to subtract
7220+ * @v: pointer to type atomic64_unchecked_t
7221+ *
7222+ * Atomically subtracts @i from @v.
7223+ */
7224+static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
7225+{
7226+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
7227 : "=m" (v->counter)
7228 : "er" (i), "m" (v->counter));
7229 }
7230@@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
7231 {
7232 unsigned char c;
7233
7234- asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
7235+ asm volatile(LOCK_PREFIX "subq %2,%0\n"
7236+
7237+#ifdef CONFIG_PAX_REFCOUNT
7238+ "jno 0f\n"
7239+ LOCK_PREFIX "addq %2,%0\n"
7240+ "int $4\n0:\n"
7241+ _ASM_EXTABLE(0b, 0b)
7242+#endif
7243+
7244+ "sete %1\n"
7245 : "=m" (v->counter), "=qm" (c)
7246 : "er" (i), "m" (v->counter) : "memory");
7247 return c;
7248@@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
7249 */
7250 static inline void atomic64_inc(atomic64_t *v)
7251 {
7252+ asm volatile(LOCK_PREFIX "incq %0\n"
7253+
7254+#ifdef CONFIG_PAX_REFCOUNT
7255+ "jno 0f\n"
7256+ LOCK_PREFIX "decq %0\n"
7257+ "int $4\n0:\n"
7258+ _ASM_EXTABLE(0b, 0b)
7259+#endif
7260+
7261+ : "=m" (v->counter)
7262+ : "m" (v->counter));
7263+}
7264+
7265+/**
7266+ * atomic64_inc_unchecked - increment atomic64 variable
7267+ * @v: pointer to type atomic64_unchecked_t
7268+ *
7269+ * Atomically increments @v by 1.
7270+ */
7271+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
7272+{
7273 asm volatile(LOCK_PREFIX "incq %0"
7274 : "=m" (v->counter)
7275 : "m" (v->counter));
7276@@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
7277 */
7278 static inline void atomic64_dec(atomic64_t *v)
7279 {
7280- asm volatile(LOCK_PREFIX "decq %0"
7281+ asm volatile(LOCK_PREFIX "decq %0\n"
7282+
7283+#ifdef CONFIG_PAX_REFCOUNT
7284+ "jno 0f\n"
7285+ LOCK_PREFIX "incq %0\n"
7286+ "int $4\n0:\n"
7287+ _ASM_EXTABLE(0b, 0b)
7288+#endif
7289+
7290+ : "=m" (v->counter)
7291+ : "m" (v->counter));
7292+}
7293+
7294+/**
7295+ * atomic64_dec_unchecked - decrement atomic64 variable
7296+ * @v: pointer to type atomic64_t
7297+ *
7298+ * Atomically decrements @v by 1.
7299+ */
7300+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
7301+{
7302+ asm volatile(LOCK_PREFIX "decq %0\n"
7303 : "=m" (v->counter)
7304 : "m" (v->counter));
7305 }
7306@@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
7307 {
7308 unsigned char c;
7309
7310- asm volatile(LOCK_PREFIX "decq %0; sete %1"
7311+ asm volatile(LOCK_PREFIX "decq %0\n"
7312+
7313+#ifdef CONFIG_PAX_REFCOUNT
7314+ "jno 0f\n"
7315+ LOCK_PREFIX "incq %0\n"
7316+ "int $4\n0:\n"
7317+ _ASM_EXTABLE(0b, 0b)
7318+#endif
7319+
7320+ "sete %1\n"
7321 : "=m" (v->counter), "=qm" (c)
7322 : "m" (v->counter) : "memory");
7323 return c != 0;
7324@@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
7325 {
7326 unsigned char c;
7327
7328- asm volatile(LOCK_PREFIX "incq %0; sete %1"
7329+ asm volatile(LOCK_PREFIX "incq %0\n"
7330+
7331+#ifdef CONFIG_PAX_REFCOUNT
7332+ "jno 0f\n"
7333+ LOCK_PREFIX "decq %0\n"
7334+ "int $4\n0:\n"
7335+ _ASM_EXTABLE(0b, 0b)
7336+#endif
7337+
7338+ "sete %1\n"
7339 : "=m" (v->counter), "=qm" (c)
7340 : "m" (v->counter) : "memory");
7341 return c != 0;
7342@@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
7343 {
7344 unsigned char c;
7345
7346- asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
7347+ asm volatile(LOCK_PREFIX "addq %2,%0\n"
7348+
7349+#ifdef CONFIG_PAX_REFCOUNT
7350+ "jno 0f\n"
7351+ LOCK_PREFIX "subq %2,%0\n"
7352+ "int $4\n0:\n"
7353+ _ASM_EXTABLE(0b, 0b)
7354+#endif
7355+
7356+ "sets %1\n"
7357 : "=m" (v->counter), "=qm" (c)
7358 : "er" (i), "m" (v->counter) : "memory");
7359 return c;
7360@@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
7361 static inline long atomic64_add_return(long i, atomic64_t *v)
7362 {
7363 long __i = i;
7364- asm volatile(LOCK_PREFIX "xaddq %0, %1;"
7365+ asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
7366+
7367+#ifdef CONFIG_PAX_REFCOUNT
7368+ "jno 0f\n"
7369+ "movq %0, %1\n"
7370+ "int $4\n0:\n"
7371+ _ASM_EXTABLE(0b, 0b)
7372+#endif
7373+
7374+ : "+r" (i), "+m" (v->counter)
7375+ : : "memory");
7376+ return i + __i;
7377+}
7378+
7379+/**
7380+ * atomic64_add_return_unchecked - add and return
7381+ * @i: integer value to add
7382+ * @v: pointer to type atomic64_unchecked_t
7383+ *
7384+ * Atomically adds @i to @v and returns @i + @v
7385+ */
7386+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
7387+{
7388+ long __i = i;
7389+ asm volatile(LOCK_PREFIX "xaddq %0, %1"
7390 : "+r" (i), "+m" (v->counter)
7391 : : "memory");
7392 return i + __i;
7393@@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
7394 }
7395
7396 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
7397+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
7398+{
7399+ return atomic64_add_return_unchecked(1, v);
7400+}
7401 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
7402
7403 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
7404@@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom
7405 return cmpxchg(&v->counter, old, new);
7406 }
7407
7408+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
7409+{
7410+ return cmpxchg(&v->counter, old, new);
7411+}
7412+
7413 static inline long atomic64_xchg(atomic64_t *v, long new)
7414 {
7415 return xchg(&v->counter, new);
7416@@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6
7417 */
7418 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
7419 {
7420- long c, old;
7421+ long c, old, new;
7422 c = atomic64_read(v);
7423 for (;;) {
7424- if (unlikely(c == (u)))
7425+ if (unlikely(c == u))
7426 break;
7427- old = atomic64_cmpxchg((v), c, c + (a));
7428+
7429+ asm volatile("add %2,%0\n"
7430+
7431+#ifdef CONFIG_PAX_REFCOUNT
7432+ "jno 0f\n"
7433+ "sub %2,%0\n"
7434+ "int $4\n0:\n"
7435+ _ASM_EXTABLE(0b, 0b)
7436+#endif
7437+
7438+ : "=r" (new)
7439+ : "0" (c), "ir" (a));
7440+
7441+ old = atomic64_cmpxchg(v, c, new);
7442 if (likely(old == c))
7443 break;
7444 c = old;
7445 }
7446- return c != (u);
7447+ return c != u;
7448 }
7449
7450 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
7451diff -urNp linux-3.0.7/arch/x86/include/asm/bitops.h linux-3.0.7/arch/x86/include/asm/bitops.h
7452--- linux-3.0.7/arch/x86/include/asm/bitops.h 2011-07-21 22:17:23.000000000 -0400
7453+++ linux-3.0.7/arch/x86/include/asm/bitops.h 2011-08-23 21:47:55.000000000 -0400
7454@@ -38,7 +38,7 @@
7455 * a mask operation on a byte.
7456 */
7457 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
7458-#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
7459+#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
7460 #define CONST_MASK(nr) (1 << ((nr) & 7))
7461
7462 /**
7463diff -urNp linux-3.0.7/arch/x86/include/asm/boot.h linux-3.0.7/arch/x86/include/asm/boot.h
7464--- linux-3.0.7/arch/x86/include/asm/boot.h 2011-07-21 22:17:23.000000000 -0400
7465+++ linux-3.0.7/arch/x86/include/asm/boot.h 2011-08-23 21:47:55.000000000 -0400
7466@@ -11,10 +11,15 @@
7467 #include <asm/pgtable_types.h>
7468
7469 /* Physical address where kernel should be loaded. */
7470-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7471+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7472 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7473 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7474
7475+#ifndef __ASSEMBLY__
7476+extern unsigned char __LOAD_PHYSICAL_ADDR[];
7477+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7478+#endif
7479+
7480 /* Minimum kernel alignment, as a power of two */
7481 #ifdef CONFIG_X86_64
7482 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
7483diff -urNp linux-3.0.7/arch/x86/include/asm/cache.h linux-3.0.7/arch/x86/include/asm/cache.h
7484--- linux-3.0.7/arch/x86/include/asm/cache.h 2011-07-21 22:17:23.000000000 -0400
7485+++ linux-3.0.7/arch/x86/include/asm/cache.h 2011-08-23 21:47:55.000000000 -0400
7486@@ -5,12 +5,13 @@
7487
7488 /* L1 cache line size */
7489 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
7490-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7491+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7492
7493 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7494+#define __read_only __attribute__((__section__(".data..read_only")))
7495
7496 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7497-#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7498+#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
7499
7500 #ifdef CONFIG_X86_VSMP
7501 #ifdef CONFIG_SMP
7502diff -urNp linux-3.0.7/arch/x86/include/asm/cacheflush.h linux-3.0.7/arch/x86/include/asm/cacheflush.h
7503--- linux-3.0.7/arch/x86/include/asm/cacheflush.h 2011-07-21 22:17:23.000000000 -0400
7504+++ linux-3.0.7/arch/x86/include/asm/cacheflush.h 2011-08-23 21:47:55.000000000 -0400
7505@@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
7506 unsigned long pg_flags = pg->flags & _PGMT_MASK;
7507
7508 if (pg_flags == _PGMT_DEFAULT)
7509- return -1;
7510+ return ~0UL;
7511 else if (pg_flags == _PGMT_WC)
7512 return _PAGE_CACHE_WC;
7513 else if (pg_flags == _PGMT_UC_MINUS)
7514diff -urNp linux-3.0.7/arch/x86/include/asm/checksum_32.h linux-3.0.7/arch/x86/include/asm/checksum_32.h
7515--- linux-3.0.7/arch/x86/include/asm/checksum_32.h 2011-07-21 22:17:23.000000000 -0400
7516+++ linux-3.0.7/arch/x86/include/asm/checksum_32.h 2011-08-23 21:47:55.000000000 -0400
7517@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7518 int len, __wsum sum,
7519 int *src_err_ptr, int *dst_err_ptr);
7520
7521+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7522+ int len, __wsum sum,
7523+ int *src_err_ptr, int *dst_err_ptr);
7524+
7525+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7526+ int len, __wsum sum,
7527+ int *src_err_ptr, int *dst_err_ptr);
7528+
7529 /*
7530 * Note: when you get a NULL pointer exception here this means someone
7531 * passed in an incorrect kernel address to one of these functions.
7532@@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7533 int *err_ptr)
7534 {
7535 might_sleep();
7536- return csum_partial_copy_generic((__force void *)src, dst,
7537+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
7538 len, sum, err_ptr, NULL);
7539 }
7540
7541@@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7542 {
7543 might_sleep();
7544 if (access_ok(VERIFY_WRITE, dst, len))
7545- return csum_partial_copy_generic(src, (__force void *)dst,
7546+ return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7547 len, sum, NULL, err_ptr);
7548
7549 if (len)
7550diff -urNp linux-3.0.7/arch/x86/include/asm/cpufeature.h linux-3.0.7/arch/x86/include/asm/cpufeature.h
7551--- linux-3.0.7/arch/x86/include/asm/cpufeature.h 2011-07-21 22:17:23.000000000 -0400
7552+++ linux-3.0.7/arch/x86/include/asm/cpufeature.h 2011-08-23 21:47:55.000000000 -0400
7553@@ -358,7 +358,7 @@ static __always_inline __pure bool __sta
7554 ".section .discard,\"aw\",@progbits\n"
7555 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7556 ".previous\n"
7557- ".section .altinstr_replacement,\"ax\"\n"
7558+ ".section .altinstr_replacement,\"a\"\n"
7559 "3: movb $1,%0\n"
7560 "4:\n"
7561 ".previous\n"
7562diff -urNp linux-3.0.7/arch/x86/include/asm/desc.h linux-3.0.7/arch/x86/include/asm/desc.h
7563--- linux-3.0.7/arch/x86/include/asm/desc.h 2011-07-21 22:17:23.000000000 -0400
7564+++ linux-3.0.7/arch/x86/include/asm/desc.h 2011-08-23 21:47:55.000000000 -0400
7565@@ -4,6 +4,7 @@
7566 #include <asm/desc_defs.h>
7567 #include <asm/ldt.h>
7568 #include <asm/mmu.h>
7569+#include <asm/pgtable.h>
7570
7571 #include <linux/smp.h>
7572
7573@@ -16,6 +17,7 @@ static inline void fill_ldt(struct desc_
7574
7575 desc->type = (info->read_exec_only ^ 1) << 1;
7576 desc->type |= info->contents << 2;
7577+ desc->type |= info->seg_not_present ^ 1;
7578
7579 desc->s = 1;
7580 desc->dpl = 0x3;
7581@@ -34,17 +36,12 @@ static inline void fill_ldt(struct desc_
7582 }
7583
7584 extern struct desc_ptr idt_descr;
7585-extern gate_desc idt_table[];
7586-
7587-struct gdt_page {
7588- struct desc_struct gdt[GDT_ENTRIES];
7589-} __attribute__((aligned(PAGE_SIZE)));
7590-
7591-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7592+extern gate_desc idt_table[256];
7593
7594+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7595 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7596 {
7597- return per_cpu(gdt_page, cpu).gdt;
7598+ return cpu_gdt_table[cpu];
7599 }
7600
7601 #ifdef CONFIG_X86_64
7602@@ -69,8 +66,14 @@ static inline void pack_gate(gate_desc *
7603 unsigned long base, unsigned dpl, unsigned flags,
7604 unsigned short seg)
7605 {
7606- gate->a = (seg << 16) | (base & 0xffff);
7607- gate->b = (base & 0xffff0000) | (((0x80 | type | (dpl << 5)) & 0xff) << 8);
7608+ gate->gate.offset_low = base;
7609+ gate->gate.seg = seg;
7610+ gate->gate.reserved = 0;
7611+ gate->gate.type = type;
7612+ gate->gate.s = 0;
7613+ gate->gate.dpl = dpl;
7614+ gate->gate.p = 1;
7615+ gate->gate.offset_high = base >> 16;
7616 }
7617
7618 #endif
7619@@ -115,12 +118,16 @@ static inline void paravirt_free_ldt(str
7620
7621 static inline void native_write_idt_entry(gate_desc *idt, int entry, const gate_desc *gate)
7622 {
7623+ pax_open_kernel();
7624 memcpy(&idt[entry], gate, sizeof(*gate));
7625+ pax_close_kernel();
7626 }
7627
7628 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc)
7629 {
7630+ pax_open_kernel();
7631 memcpy(&ldt[entry], desc, 8);
7632+ pax_close_kernel();
7633 }
7634
7635 static inline void
7636@@ -134,7 +141,9 @@ native_write_gdt_entry(struct desc_struc
7637 default: size = sizeof(*gdt); break;
7638 }
7639
7640+ pax_open_kernel();
7641 memcpy(&gdt[entry], desc, size);
7642+ pax_close_kernel();
7643 }
7644
7645 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7646@@ -207,7 +216,9 @@ static inline void native_set_ldt(const
7647
7648 static inline void native_load_tr_desc(void)
7649 {
7650+ pax_open_kernel();
7651 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7652+ pax_close_kernel();
7653 }
7654
7655 static inline void native_load_gdt(const struct desc_ptr *dtr)
7656@@ -244,8 +255,10 @@ static inline void native_load_tls(struc
7657 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7658 unsigned int i;
7659
7660+ pax_open_kernel();
7661 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7662 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7663+ pax_close_kernel();
7664 }
7665
7666 #define _LDT_empty(info) \
7667@@ -307,7 +320,7 @@ static inline void set_desc_limit(struct
7668 desc->limit = (limit >> 16) & 0xf;
7669 }
7670
7671-static inline void _set_gate(int gate, unsigned type, void *addr,
7672+static inline void _set_gate(int gate, unsigned type, const void *addr,
7673 unsigned dpl, unsigned ist, unsigned seg)
7674 {
7675 gate_desc s;
7676@@ -326,7 +339,7 @@ static inline void _set_gate(int gate, u
7677 * Pentium F0 0F bugfix can have resulted in the mapped
7678 * IDT being write-protected.
7679 */
7680-static inline void set_intr_gate(unsigned int n, void *addr)
7681+static inline void set_intr_gate(unsigned int n, const void *addr)
7682 {
7683 BUG_ON((unsigned)n > 0xFF);
7684 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7685@@ -356,19 +369,19 @@ static inline void alloc_intr_gate(unsig
7686 /*
7687 * This routine sets up an interrupt gate at directory privilege level 3.
7688 */
7689-static inline void set_system_intr_gate(unsigned int n, void *addr)
7690+static inline void set_system_intr_gate(unsigned int n, const void *addr)
7691 {
7692 BUG_ON((unsigned)n > 0xFF);
7693 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7694 }
7695
7696-static inline void set_system_trap_gate(unsigned int n, void *addr)
7697+static inline void set_system_trap_gate(unsigned int n, const void *addr)
7698 {
7699 BUG_ON((unsigned)n > 0xFF);
7700 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7701 }
7702
7703-static inline void set_trap_gate(unsigned int n, void *addr)
7704+static inline void set_trap_gate(unsigned int n, const void *addr)
7705 {
7706 BUG_ON((unsigned)n > 0xFF);
7707 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7708@@ -377,19 +390,31 @@ static inline void set_trap_gate(unsigne
7709 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7710 {
7711 BUG_ON((unsigned)n > 0xFF);
7712- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7713+ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7714 }
7715
7716-static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7717+static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7718 {
7719 BUG_ON((unsigned)n > 0xFF);
7720 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7721 }
7722
7723-static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7724+static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7725 {
7726 BUG_ON((unsigned)n > 0xFF);
7727 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7728 }
7729
7730+#ifdef CONFIG_X86_32
7731+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7732+{
7733+ struct desc_struct d;
7734+
7735+ if (likely(limit))
7736+ limit = (limit - 1UL) >> PAGE_SHIFT;
7737+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
7738+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7739+}
7740+#endif
7741+
7742 #endif /* _ASM_X86_DESC_H */
7743diff -urNp linux-3.0.7/arch/x86/include/asm/desc_defs.h linux-3.0.7/arch/x86/include/asm/desc_defs.h
7744--- linux-3.0.7/arch/x86/include/asm/desc_defs.h 2011-07-21 22:17:23.000000000 -0400
7745+++ linux-3.0.7/arch/x86/include/asm/desc_defs.h 2011-08-23 21:47:55.000000000 -0400
7746@@ -31,6 +31,12 @@ struct desc_struct {
7747 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
7748 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
7749 };
7750+ struct {
7751+ u16 offset_low;
7752+ u16 seg;
7753+ unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
7754+ unsigned offset_high: 16;
7755+ } gate;
7756 };
7757 } __attribute__((packed));
7758
7759diff -urNp linux-3.0.7/arch/x86/include/asm/e820.h linux-3.0.7/arch/x86/include/asm/e820.h
7760--- linux-3.0.7/arch/x86/include/asm/e820.h 2011-07-21 22:17:23.000000000 -0400
7761+++ linux-3.0.7/arch/x86/include/asm/e820.h 2011-08-23 21:47:55.000000000 -0400
7762@@ -69,7 +69,7 @@ struct e820map {
7763 #define ISA_START_ADDRESS 0xa0000
7764 #define ISA_END_ADDRESS 0x100000
7765
7766-#define BIOS_BEGIN 0x000a0000
7767+#define BIOS_BEGIN 0x000c0000
7768 #define BIOS_END 0x00100000
7769
7770 #define BIOS_ROM_BASE 0xffe00000
7771diff -urNp linux-3.0.7/arch/x86/include/asm/elf.h linux-3.0.7/arch/x86/include/asm/elf.h
7772--- linux-3.0.7/arch/x86/include/asm/elf.h 2011-07-21 22:17:23.000000000 -0400
7773+++ linux-3.0.7/arch/x86/include/asm/elf.h 2011-08-23 21:47:55.000000000 -0400
7774@@ -237,7 +237,25 @@ extern int force_personality32;
7775 the loader. We need to make sure that it is out of the way of the program
7776 that it will "exec", and that there is sufficient room for the brk. */
7777
7778+#ifdef CONFIG_PAX_SEGMEXEC
7779+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7780+#else
7781 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7782+#endif
7783+
7784+#ifdef CONFIG_PAX_ASLR
7785+#ifdef CONFIG_X86_32
7786+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7787+
7788+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7789+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7790+#else
7791+#define PAX_ELF_ET_DYN_BASE 0x400000UL
7792+
7793+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7794+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7795+#endif
7796+#endif
7797
7798 /* This yields a mask that user programs can use to figure out what
7799 instruction set this CPU supports. This could be done in user space,
7800@@ -290,9 +308,7 @@ do { \
7801
7802 #define ARCH_DLINFO \
7803 do { \
7804- if (vdso_enabled) \
7805- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7806- (unsigned long)current->mm->context.vdso); \
7807+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
7808 } while (0)
7809
7810 #define AT_SYSINFO 32
7811@@ -303,7 +319,7 @@ do { \
7812
7813 #endif /* !CONFIG_X86_32 */
7814
7815-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7816+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7817
7818 #define VDSO_ENTRY \
7819 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7820@@ -317,7 +333,4 @@ extern int arch_setup_additional_pages(s
7821 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7822 #define compat_arch_setup_additional_pages syscall32_setup_pages
7823
7824-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7825-#define arch_randomize_brk arch_randomize_brk
7826-
7827 #endif /* _ASM_X86_ELF_H */
7828diff -urNp linux-3.0.7/arch/x86/include/asm/emergency-restart.h linux-3.0.7/arch/x86/include/asm/emergency-restart.h
7829--- linux-3.0.7/arch/x86/include/asm/emergency-restart.h 2011-07-21 22:17:23.000000000 -0400
7830+++ linux-3.0.7/arch/x86/include/asm/emergency-restart.h 2011-08-23 21:47:55.000000000 -0400
7831@@ -15,6 +15,6 @@ enum reboot_type {
7832
7833 extern enum reboot_type reboot_type;
7834
7835-extern void machine_emergency_restart(void);
7836+extern void machine_emergency_restart(void) __noreturn;
7837
7838 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
7839diff -urNp linux-3.0.7/arch/x86/include/asm/futex.h linux-3.0.7/arch/x86/include/asm/futex.h
7840--- linux-3.0.7/arch/x86/include/asm/futex.h 2011-07-21 22:17:23.000000000 -0400
7841+++ linux-3.0.7/arch/x86/include/asm/futex.h 2011-10-06 04:17:55.000000000 -0400
7842@@ -12,16 +12,18 @@
7843 #include <asm/system.h>
7844
7845 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7846+ typecheck(u32 __user *, uaddr); \
7847 asm volatile("1:\t" insn "\n" \
7848 "2:\t.section .fixup,\"ax\"\n" \
7849 "3:\tmov\t%3, %1\n" \
7850 "\tjmp\t2b\n" \
7851 "\t.previous\n" \
7852 _ASM_EXTABLE(1b, 3b) \
7853- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7854+ : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr))\
7855 : "i" (-EFAULT), "0" (oparg), "1" (0))
7856
7857 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7858+ typecheck(u32 __user *, uaddr); \
7859 asm volatile("1:\tmovl %2, %0\n" \
7860 "\tmovl\t%0, %3\n" \
7861 "\t" insn "\n" \
7862@@ -34,7 +36,7 @@
7863 _ASM_EXTABLE(1b, 4b) \
7864 _ASM_EXTABLE(2b, 4b) \
7865 : "=&a" (oldval), "=&r" (ret), \
7866- "+m" (*uaddr), "=&r" (tem) \
7867+ "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
7868 : "r" (oparg), "i" (-EFAULT), "1" (0))
7869
7870 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7871@@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
7872
7873 switch (op) {
7874 case FUTEX_OP_SET:
7875- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7876+ __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
7877 break;
7878 case FUTEX_OP_ADD:
7879- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7880+ __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
7881 uaddr, oparg);
7882 break;
7883 case FUTEX_OP_OR:
7884@@ -123,13 +125,13 @@ static inline int futex_atomic_cmpxchg_i
7885 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7886 return -EFAULT;
7887
7888- asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
7889+ asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
7890 "2:\t.section .fixup, \"ax\"\n"
7891 "3:\tmov %3, %0\n"
7892 "\tjmp 2b\n"
7893 "\t.previous\n"
7894 _ASM_EXTABLE(1b, 3b)
7895- : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
7896+ : "+r" (ret), "=a" (oldval), "+m" (*(u32 __user *)____m(uaddr))
7897 : "i" (-EFAULT), "r" (newval), "1" (oldval)
7898 : "memory"
7899 );
7900diff -urNp linux-3.0.7/arch/x86/include/asm/hw_irq.h linux-3.0.7/arch/x86/include/asm/hw_irq.h
7901--- linux-3.0.7/arch/x86/include/asm/hw_irq.h 2011-07-21 22:17:23.000000000 -0400
7902+++ linux-3.0.7/arch/x86/include/asm/hw_irq.h 2011-08-23 21:47:55.000000000 -0400
7903@@ -137,8 +137,8 @@ extern void setup_ioapic_dest(void);
7904 extern void enable_IO_APIC(void);
7905
7906 /* Statistics */
7907-extern atomic_t irq_err_count;
7908-extern atomic_t irq_mis_count;
7909+extern atomic_unchecked_t irq_err_count;
7910+extern atomic_unchecked_t irq_mis_count;
7911
7912 /* EISA */
7913 extern void eisa_set_level_irq(unsigned int irq);
7914diff -urNp linux-3.0.7/arch/x86/include/asm/i387.h linux-3.0.7/arch/x86/include/asm/i387.h
7915--- linux-3.0.7/arch/x86/include/asm/i387.h 2011-07-21 22:17:23.000000000 -0400
7916+++ linux-3.0.7/arch/x86/include/asm/i387.h 2011-10-06 04:17:55.000000000 -0400
7917@@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
7918 {
7919 int err;
7920
7921+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7922+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7923+ fx = (struct i387_fxsave_struct __user *)((void *)fx + PAX_USER_SHADOW_BASE);
7924+#endif
7925+
7926 /* See comment in fxsave() below. */
7927 #ifdef CONFIG_AS_FXSAVEQ
7928 asm volatile("1: fxrstorq %[fx]\n\t"
7929@@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
7930 {
7931 int err;
7932
7933+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7934+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7935+ fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7936+#endif
7937+
7938 /*
7939 * Clear the bytes not touched by the fxsave and reserved
7940 * for the SW usage.
7941@@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
7942 #endif /* CONFIG_X86_64 */
7943
7944 /* We need a safe address that is cheap to find and that is already
7945- in L1 during context switch. The best choices are unfortunately
7946- different for UP and SMP */
7947-#ifdef CONFIG_SMP
7948-#define safe_address (__per_cpu_offset[0])
7949-#else
7950-#define safe_address (kstat_cpu(0).cpustat.user)
7951-#endif
7952+ in L1 during context switch. */
7953+#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7954
7955 /*
7956 * These must be called with preempt disabled
7957@@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
7958 struct thread_info *me = current_thread_info();
7959 preempt_disable();
7960 if (me->status & TS_USEDFPU)
7961- __save_init_fpu(me->task);
7962+ __save_init_fpu(current);
7963 else
7964 clts();
7965 }
7966diff -urNp linux-3.0.7/arch/x86/include/asm/io.h linux-3.0.7/arch/x86/include/asm/io.h
7967--- linux-3.0.7/arch/x86/include/asm/io.h 2011-07-21 22:17:23.000000000 -0400
7968+++ linux-3.0.7/arch/x86/include/asm/io.h 2011-08-23 21:47:55.000000000 -0400
7969@@ -196,6 +196,17 @@ extern void set_iounmap_nonlazy(void);
7970
7971 #include <linux/vmalloc.h>
7972
7973+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7974+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7975+{
7976+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7977+}
7978+
7979+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7980+{
7981+ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7982+}
7983+
7984 /*
7985 * Convert a virtual cached pointer to an uncached pointer
7986 */
7987diff -urNp linux-3.0.7/arch/x86/include/asm/irqflags.h linux-3.0.7/arch/x86/include/asm/irqflags.h
7988--- linux-3.0.7/arch/x86/include/asm/irqflags.h 2011-07-21 22:17:23.000000000 -0400
7989+++ linux-3.0.7/arch/x86/include/asm/irqflags.h 2011-08-23 21:47:55.000000000 -0400
7990@@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
7991 sti; \
7992 sysexit
7993
7994+#define GET_CR0_INTO_RDI mov %cr0, %rdi
7995+#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7996+#define GET_CR3_INTO_RDI mov %cr3, %rdi
7997+#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7998+
7999 #else
8000 #define INTERRUPT_RETURN iret
8001 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
8002diff -urNp linux-3.0.7/arch/x86/include/asm/kprobes.h linux-3.0.7/arch/x86/include/asm/kprobes.h
8003--- linux-3.0.7/arch/x86/include/asm/kprobes.h 2011-07-21 22:17:23.000000000 -0400
8004+++ linux-3.0.7/arch/x86/include/asm/kprobes.h 2011-08-23 21:47:55.000000000 -0400
8005@@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
8006 #define RELATIVEJUMP_SIZE 5
8007 #define RELATIVECALL_OPCODE 0xe8
8008 #define RELATIVE_ADDR_SIZE 4
8009-#define MAX_STACK_SIZE 64
8010-#define MIN_STACK_SIZE(ADDR) \
8011- (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
8012- THREAD_SIZE - (unsigned long)(ADDR))) \
8013- ? (MAX_STACK_SIZE) \
8014- : (((unsigned long)current_thread_info()) + \
8015- THREAD_SIZE - (unsigned long)(ADDR)))
8016+#define MAX_STACK_SIZE 64UL
8017+#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
8018
8019 #define flush_insn_slot(p) do { } while (0)
8020
8021diff -urNp linux-3.0.7/arch/x86/include/asm/kvm_host.h linux-3.0.7/arch/x86/include/asm/kvm_host.h
8022--- linux-3.0.7/arch/x86/include/asm/kvm_host.h 2011-07-21 22:17:23.000000000 -0400
8023+++ linux-3.0.7/arch/x86/include/asm/kvm_host.h 2011-08-26 19:49:56.000000000 -0400
8024@@ -441,7 +441,7 @@ struct kvm_arch {
8025 unsigned int n_used_mmu_pages;
8026 unsigned int n_requested_mmu_pages;
8027 unsigned int n_max_mmu_pages;
8028- atomic_t invlpg_counter;
8029+ atomic_unchecked_t invlpg_counter;
8030 struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
8031 /*
8032 * Hash table of struct kvm_mmu_page.
8033@@ -619,7 +619,7 @@ struct kvm_x86_ops {
8034 enum x86_intercept_stage stage);
8035
8036 const struct trace_print_flags *exit_reasons_str;
8037-};
8038+} __do_const;
8039
8040 struct kvm_arch_async_pf {
8041 u32 token;
8042diff -urNp linux-3.0.7/arch/x86/include/asm/local.h linux-3.0.7/arch/x86/include/asm/local.h
8043--- linux-3.0.7/arch/x86/include/asm/local.h 2011-07-21 22:17:23.000000000 -0400
8044+++ linux-3.0.7/arch/x86/include/asm/local.h 2011-08-23 21:47:55.000000000 -0400
8045@@ -18,26 +18,58 @@ typedef struct {
8046
8047 static inline void local_inc(local_t *l)
8048 {
8049- asm volatile(_ASM_INC "%0"
8050+ asm volatile(_ASM_INC "%0\n"
8051+
8052+#ifdef CONFIG_PAX_REFCOUNT
8053+ "jno 0f\n"
8054+ _ASM_DEC "%0\n"
8055+ "int $4\n0:\n"
8056+ _ASM_EXTABLE(0b, 0b)
8057+#endif
8058+
8059 : "+m" (l->a.counter));
8060 }
8061
8062 static inline void local_dec(local_t *l)
8063 {
8064- asm volatile(_ASM_DEC "%0"
8065+ asm volatile(_ASM_DEC "%0\n"
8066+
8067+#ifdef CONFIG_PAX_REFCOUNT
8068+ "jno 0f\n"
8069+ _ASM_INC "%0\n"
8070+ "int $4\n0:\n"
8071+ _ASM_EXTABLE(0b, 0b)
8072+#endif
8073+
8074 : "+m" (l->a.counter));
8075 }
8076
8077 static inline void local_add(long i, local_t *l)
8078 {
8079- asm volatile(_ASM_ADD "%1,%0"
8080+ asm volatile(_ASM_ADD "%1,%0\n"
8081+
8082+#ifdef CONFIG_PAX_REFCOUNT
8083+ "jno 0f\n"
8084+ _ASM_SUB "%1,%0\n"
8085+ "int $4\n0:\n"
8086+ _ASM_EXTABLE(0b, 0b)
8087+#endif
8088+
8089 : "+m" (l->a.counter)
8090 : "ir" (i));
8091 }
8092
8093 static inline void local_sub(long i, local_t *l)
8094 {
8095- asm volatile(_ASM_SUB "%1,%0"
8096+ asm volatile(_ASM_SUB "%1,%0\n"
8097+
8098+#ifdef CONFIG_PAX_REFCOUNT
8099+ "jno 0f\n"
8100+ _ASM_ADD "%1,%0\n"
8101+ "int $4\n0:\n"
8102+ _ASM_EXTABLE(0b, 0b)
8103+#endif
8104+
8105 : "+m" (l->a.counter)
8106 : "ir" (i));
8107 }
8108@@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
8109 {
8110 unsigned char c;
8111
8112- asm volatile(_ASM_SUB "%2,%0; sete %1"
8113+ asm volatile(_ASM_SUB "%2,%0\n"
8114+
8115+#ifdef CONFIG_PAX_REFCOUNT
8116+ "jno 0f\n"
8117+ _ASM_ADD "%2,%0\n"
8118+ "int $4\n0:\n"
8119+ _ASM_EXTABLE(0b, 0b)
8120+#endif
8121+
8122+ "sete %1\n"
8123 : "+m" (l->a.counter), "=qm" (c)
8124 : "ir" (i) : "memory");
8125 return c;
8126@@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
8127 {
8128 unsigned char c;
8129
8130- asm volatile(_ASM_DEC "%0; sete %1"
8131+ asm volatile(_ASM_DEC "%0\n"
8132+
8133+#ifdef CONFIG_PAX_REFCOUNT
8134+ "jno 0f\n"
8135+ _ASM_INC "%0\n"
8136+ "int $4\n0:\n"
8137+ _ASM_EXTABLE(0b, 0b)
8138+#endif
8139+
8140+ "sete %1\n"
8141 : "+m" (l->a.counter), "=qm" (c)
8142 : : "memory");
8143 return c != 0;
8144@@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
8145 {
8146 unsigned char c;
8147
8148- asm volatile(_ASM_INC "%0; sete %1"
8149+ asm volatile(_ASM_INC "%0\n"
8150+
8151+#ifdef CONFIG_PAX_REFCOUNT
8152+ "jno 0f\n"
8153+ _ASM_DEC "%0\n"
8154+ "int $4\n0:\n"
8155+ _ASM_EXTABLE(0b, 0b)
8156+#endif
8157+
8158+ "sete %1\n"
8159 : "+m" (l->a.counter), "=qm" (c)
8160 : : "memory");
8161 return c != 0;
8162@@ -110,7 +169,16 @@ static inline int local_add_negative(lon
8163 {
8164 unsigned char c;
8165
8166- asm volatile(_ASM_ADD "%2,%0; sets %1"
8167+ asm volatile(_ASM_ADD "%2,%0\n"
8168+
8169+#ifdef CONFIG_PAX_REFCOUNT
8170+ "jno 0f\n"
8171+ _ASM_SUB "%2,%0\n"
8172+ "int $4\n0:\n"
8173+ _ASM_EXTABLE(0b, 0b)
8174+#endif
8175+
8176+ "sets %1\n"
8177 : "+m" (l->a.counter), "=qm" (c)
8178 : "ir" (i) : "memory");
8179 return c;
8180@@ -133,7 +201,15 @@ static inline long local_add_return(long
8181 #endif
8182 /* Modern 486+ processor */
8183 __i = i;
8184- asm volatile(_ASM_XADD "%0, %1;"
8185+ asm volatile(_ASM_XADD "%0, %1\n"
8186+
8187+#ifdef CONFIG_PAX_REFCOUNT
8188+ "jno 0f\n"
8189+ _ASM_MOV "%0,%1\n"
8190+ "int $4\n0:\n"
8191+ _ASM_EXTABLE(0b, 0b)
8192+#endif
8193+
8194 : "+r" (i), "+m" (l->a.counter)
8195 : : "memory");
8196 return i + __i;
8197diff -urNp linux-3.0.7/arch/x86/include/asm/mman.h linux-3.0.7/arch/x86/include/asm/mman.h
8198--- linux-3.0.7/arch/x86/include/asm/mman.h 2011-07-21 22:17:23.000000000 -0400
8199+++ linux-3.0.7/arch/x86/include/asm/mman.h 2011-08-23 21:47:55.000000000 -0400
8200@@ -5,4 +5,14 @@
8201
8202 #include <asm-generic/mman.h>
8203
8204+#ifdef __KERNEL__
8205+#ifndef __ASSEMBLY__
8206+#ifdef CONFIG_X86_32
8207+#define arch_mmap_check i386_mmap_check
8208+int i386_mmap_check(unsigned long addr, unsigned long len,
8209+ unsigned long flags);
8210+#endif
8211+#endif
8212+#endif
8213+
8214 #endif /* _ASM_X86_MMAN_H */
8215diff -urNp linux-3.0.7/arch/x86/include/asm/mmu.h linux-3.0.7/arch/x86/include/asm/mmu.h
8216--- linux-3.0.7/arch/x86/include/asm/mmu.h 2011-07-21 22:17:23.000000000 -0400
8217+++ linux-3.0.7/arch/x86/include/asm/mmu.h 2011-08-23 21:47:55.000000000 -0400
8218@@ -9,7 +9,7 @@
8219 * we put the segment information here.
8220 */
8221 typedef struct {
8222- void *ldt;
8223+ struct desc_struct *ldt;
8224 int size;
8225
8226 #ifdef CONFIG_X86_64
8227@@ -18,7 +18,19 @@ typedef struct {
8228 #endif
8229
8230 struct mutex lock;
8231- void *vdso;
8232+ unsigned long vdso;
8233+
8234+#ifdef CONFIG_X86_32
8235+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8236+ unsigned long user_cs_base;
8237+ unsigned long user_cs_limit;
8238+
8239+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8240+ cpumask_t cpu_user_cs_mask;
8241+#endif
8242+
8243+#endif
8244+#endif
8245 } mm_context_t;
8246
8247 #ifdef CONFIG_SMP
8248diff -urNp linux-3.0.7/arch/x86/include/asm/mmu_context.h linux-3.0.7/arch/x86/include/asm/mmu_context.h
8249--- linux-3.0.7/arch/x86/include/asm/mmu_context.h 2011-07-21 22:17:23.000000000 -0400
8250+++ linux-3.0.7/arch/x86/include/asm/mmu_context.h 2011-08-23 21:48:14.000000000 -0400
8251@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *m
8252
8253 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
8254 {
8255+
8256+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8257+ unsigned int i;
8258+ pgd_t *pgd;
8259+
8260+ pax_open_kernel();
8261+ pgd = get_cpu_pgd(smp_processor_id());
8262+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
8263+ set_pgd_batched(pgd+i, native_make_pgd(0));
8264+ pax_close_kernel();
8265+#endif
8266+
8267 #ifdef CONFIG_SMP
8268 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
8269 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
8270@@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_s
8271 struct task_struct *tsk)
8272 {
8273 unsigned cpu = smp_processor_id();
8274+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8275+ int tlbstate = TLBSTATE_OK;
8276+#endif
8277
8278 if (likely(prev != next)) {
8279 #ifdef CONFIG_SMP
8280+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8281+ tlbstate = percpu_read(cpu_tlbstate.state);
8282+#endif
8283 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8284 percpu_write(cpu_tlbstate.active_mm, next);
8285 #endif
8286 cpumask_set_cpu(cpu, mm_cpumask(next));
8287
8288 /* Re-load page tables */
8289+#ifdef CONFIG_PAX_PER_CPU_PGD
8290+ pax_open_kernel();
8291+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8292+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8293+ pax_close_kernel();
8294+ load_cr3(get_cpu_pgd(cpu));
8295+#else
8296 load_cr3(next->pgd);
8297+#endif
8298
8299 /* stop flush ipis for the previous mm */
8300 cpumask_clear_cpu(cpu, mm_cpumask(prev));
8301@@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_s
8302 */
8303 if (unlikely(prev->context.ldt != next->context.ldt))
8304 load_LDT_nolock(&next->context);
8305- }
8306+
8307+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8308+ if (!(__supported_pte_mask & _PAGE_NX)) {
8309+ smp_mb__before_clear_bit();
8310+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
8311+ smp_mb__after_clear_bit();
8312+ cpu_set(cpu, next->context.cpu_user_cs_mask);
8313+ }
8314+#endif
8315+
8316+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8317+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
8318+ prev->context.user_cs_limit != next->context.user_cs_limit))
8319+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8320 #ifdef CONFIG_SMP
8321+ else if (unlikely(tlbstate != TLBSTATE_OK))
8322+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8323+#endif
8324+#endif
8325+
8326+ }
8327 else {
8328+
8329+#ifdef CONFIG_PAX_PER_CPU_PGD
8330+ pax_open_kernel();
8331+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8332+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8333+ pax_close_kernel();
8334+ load_cr3(get_cpu_pgd(cpu));
8335+#endif
8336+
8337+#ifdef CONFIG_SMP
8338 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8339 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
8340
8341@@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_s
8342 * tlb flush IPI delivery. We must reload CR3
8343 * to make sure to use no freed page tables.
8344 */
8345+
8346+#ifndef CONFIG_PAX_PER_CPU_PGD
8347 load_cr3(next->pgd);
8348+#endif
8349+
8350 load_LDT_nolock(&next->context);
8351+
8352+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8353+ if (!(__supported_pte_mask & _PAGE_NX))
8354+ cpu_set(cpu, next->context.cpu_user_cs_mask);
8355+#endif
8356+
8357+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8358+#ifdef CONFIG_PAX_PAGEEXEC
8359+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
8360+#endif
8361+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8362+#endif
8363+
8364 }
8365- }
8366 #endif
8367+ }
8368 }
8369
8370 #define activate_mm(prev, next) \
8371diff -urNp linux-3.0.7/arch/x86/include/asm/module.h linux-3.0.7/arch/x86/include/asm/module.h
8372--- linux-3.0.7/arch/x86/include/asm/module.h 2011-07-21 22:17:23.000000000 -0400
8373+++ linux-3.0.7/arch/x86/include/asm/module.h 2011-10-07 19:24:31.000000000 -0400
8374@@ -5,6 +5,7 @@
8375
8376 #ifdef CONFIG_X86_64
8377 /* X86_64 does not define MODULE_PROC_FAMILY */
8378+#define MODULE_PROC_FAMILY ""
8379 #elif defined CONFIG_M386
8380 #define MODULE_PROC_FAMILY "386 "
8381 #elif defined CONFIG_M486
8382@@ -59,8 +60,18 @@
8383 #error unknown processor family
8384 #endif
8385
8386-#ifdef CONFIG_X86_32
8387-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
8388+#ifdef CONFIG_PAX_KERNEXEC
8389+#define MODULE_PAX_KERNEXEC "KERNEXEC "
8390+#else
8391+#define MODULE_PAX_KERNEXEC ""
8392 #endif
8393
8394+#ifdef CONFIG_PAX_MEMORY_UDEREF
8395+#define MODULE_PAX_UDEREF "UDEREF "
8396+#else
8397+#define MODULE_PAX_UDEREF ""
8398+#endif
8399+
8400+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8401+
8402 #endif /* _ASM_X86_MODULE_H */
8403diff -urNp linux-3.0.7/arch/x86/include/asm/page_64_types.h linux-3.0.7/arch/x86/include/asm/page_64_types.h
8404--- linux-3.0.7/arch/x86/include/asm/page_64_types.h 2011-07-21 22:17:23.000000000 -0400
8405+++ linux-3.0.7/arch/x86/include/asm/page_64_types.h 2011-08-23 21:47:55.000000000 -0400
8406@@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8407
8408 /* duplicated to the one in bootmem.h */
8409 extern unsigned long max_pfn;
8410-extern unsigned long phys_base;
8411+extern const unsigned long phys_base;
8412
8413 extern unsigned long __phys_addr(unsigned long);
8414 #define __phys_reloc_hide(x) (x)
8415diff -urNp linux-3.0.7/arch/x86/include/asm/paravirt.h linux-3.0.7/arch/x86/include/asm/paravirt.h
8416--- linux-3.0.7/arch/x86/include/asm/paravirt.h 2011-07-21 22:17:23.000000000 -0400
8417+++ linux-3.0.7/arch/x86/include/asm/paravirt.h 2011-08-23 21:47:55.000000000 -0400
8418@@ -658,6 +658,18 @@ static inline void set_pgd(pgd_t *pgdp,
8419 val);
8420 }
8421
8422+static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
8423+{
8424+ pgdval_t val = native_pgd_val(pgd);
8425+
8426+ if (sizeof(pgdval_t) > sizeof(long))
8427+ PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
8428+ val, (u64)val >> 32);
8429+ else
8430+ PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
8431+ val);
8432+}
8433+
8434 static inline void pgd_clear(pgd_t *pgdp)
8435 {
8436 set_pgd(pgdp, __pgd(0));
8437@@ -739,6 +751,21 @@ static inline void __set_fixmap(unsigned
8438 pv_mmu_ops.set_fixmap(idx, phys, flags);
8439 }
8440
8441+#ifdef CONFIG_PAX_KERNEXEC
8442+static inline unsigned long pax_open_kernel(void)
8443+{
8444+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8445+}
8446+
8447+static inline unsigned long pax_close_kernel(void)
8448+{
8449+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8450+}
8451+#else
8452+static inline unsigned long pax_open_kernel(void) { return 0; }
8453+static inline unsigned long pax_close_kernel(void) { return 0; }
8454+#endif
8455+
8456 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8457
8458 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8459@@ -955,7 +982,7 @@ extern void default_banner(void);
8460
8461 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8462 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8463-#define PARA_INDIRECT(addr) *%cs:addr
8464+#define PARA_INDIRECT(addr) *%ss:addr
8465 #endif
8466
8467 #define INTERRUPT_RETURN \
8468@@ -1032,6 +1059,21 @@ extern void default_banner(void);
8469 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8470 CLBR_NONE, \
8471 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8472+
8473+#define GET_CR0_INTO_RDI \
8474+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8475+ mov %rax,%rdi
8476+
8477+#define SET_RDI_INTO_CR0 \
8478+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8479+
8480+#define GET_CR3_INTO_RDI \
8481+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8482+ mov %rax,%rdi
8483+
8484+#define SET_RDI_INTO_CR3 \
8485+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8486+
8487 #endif /* CONFIG_X86_32 */
8488
8489 #endif /* __ASSEMBLY__ */
8490diff -urNp linux-3.0.7/arch/x86/include/asm/paravirt_types.h linux-3.0.7/arch/x86/include/asm/paravirt_types.h
8491--- linux-3.0.7/arch/x86/include/asm/paravirt_types.h 2011-07-21 22:17:23.000000000 -0400
8492+++ linux-3.0.7/arch/x86/include/asm/paravirt_types.h 2011-08-23 21:47:55.000000000 -0400
8493@@ -78,19 +78,19 @@ struct pv_init_ops {
8494 */
8495 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
8496 unsigned long addr, unsigned len);
8497-};
8498+} __no_const;
8499
8500
8501 struct pv_lazy_ops {
8502 /* Set deferred update mode, used for batching operations. */
8503 void (*enter)(void);
8504 void (*leave)(void);
8505-};
8506+} __no_const;
8507
8508 struct pv_time_ops {
8509 unsigned long long (*sched_clock)(void);
8510 unsigned long (*get_tsc_khz)(void);
8511-};
8512+} __no_const;
8513
8514 struct pv_cpu_ops {
8515 /* hooks for various privileged instructions */
8516@@ -186,7 +186,7 @@ struct pv_cpu_ops {
8517
8518 void (*start_context_switch)(struct task_struct *prev);
8519 void (*end_context_switch)(struct task_struct *next);
8520-};
8521+} __no_const;
8522
8523 struct pv_irq_ops {
8524 /*
8525@@ -217,7 +217,7 @@ struct pv_apic_ops {
8526 unsigned long start_eip,
8527 unsigned long start_esp);
8528 #endif
8529-};
8530+} __no_const;
8531
8532 struct pv_mmu_ops {
8533 unsigned long (*read_cr2)(void);
8534@@ -306,6 +306,7 @@ struct pv_mmu_ops {
8535 struct paravirt_callee_save make_pud;
8536
8537 void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
8538+ void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
8539 #endif /* PAGETABLE_LEVELS == 4 */
8540 #endif /* PAGETABLE_LEVELS >= 3 */
8541
8542@@ -317,6 +318,12 @@ struct pv_mmu_ops {
8543 an mfn. We can tell which is which from the index. */
8544 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8545 phys_addr_t phys, pgprot_t flags);
8546+
8547+#ifdef CONFIG_PAX_KERNEXEC
8548+ unsigned long (*pax_open_kernel)(void);
8549+ unsigned long (*pax_close_kernel)(void);
8550+#endif
8551+
8552 };
8553
8554 struct arch_spinlock;
8555@@ -327,7 +334,7 @@ struct pv_lock_ops {
8556 void (*spin_lock_flags)(struct arch_spinlock *lock, unsigned long flags);
8557 int (*spin_trylock)(struct arch_spinlock *lock);
8558 void (*spin_unlock)(struct arch_spinlock *lock);
8559-};
8560+} __no_const;
8561
8562 /* This contains all the paravirt structures: we get a convenient
8563 * number for each function using the offset which we use to indicate
8564diff -urNp linux-3.0.7/arch/x86/include/asm/pgalloc.h linux-3.0.7/arch/x86/include/asm/pgalloc.h
8565--- linux-3.0.7/arch/x86/include/asm/pgalloc.h 2011-07-21 22:17:23.000000000 -0400
8566+++ linux-3.0.7/arch/x86/include/asm/pgalloc.h 2011-08-23 21:47:55.000000000 -0400
8567@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8568 pmd_t *pmd, pte_t *pte)
8569 {
8570 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8571+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8572+}
8573+
8574+static inline void pmd_populate_user(struct mm_struct *mm,
8575+ pmd_t *pmd, pte_t *pte)
8576+{
8577+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8578 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8579 }
8580
8581diff -urNp linux-3.0.7/arch/x86/include/asm/pgtable-2level.h linux-3.0.7/arch/x86/include/asm/pgtable-2level.h
8582--- linux-3.0.7/arch/x86/include/asm/pgtable-2level.h 2011-07-21 22:17:23.000000000 -0400
8583+++ linux-3.0.7/arch/x86/include/asm/pgtable-2level.h 2011-08-23 21:47:55.000000000 -0400
8584@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8585
8586 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8587 {
8588+ pax_open_kernel();
8589 *pmdp = pmd;
8590+ pax_close_kernel();
8591 }
8592
8593 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8594diff -urNp linux-3.0.7/arch/x86/include/asm/pgtable-3level.h linux-3.0.7/arch/x86/include/asm/pgtable-3level.h
8595--- linux-3.0.7/arch/x86/include/asm/pgtable-3level.h 2011-07-21 22:17:23.000000000 -0400
8596+++ linux-3.0.7/arch/x86/include/asm/pgtable-3level.h 2011-08-23 21:47:55.000000000 -0400
8597@@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8598
8599 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8600 {
8601+ pax_open_kernel();
8602 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8603+ pax_close_kernel();
8604 }
8605
8606 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8607 {
8608+ pax_open_kernel();
8609 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8610+ pax_close_kernel();
8611 }
8612
8613 /*
8614diff -urNp linux-3.0.7/arch/x86/include/asm/pgtable.h linux-3.0.7/arch/x86/include/asm/pgtable.h
8615--- linux-3.0.7/arch/x86/include/asm/pgtable.h 2011-07-21 22:17:23.000000000 -0400
8616+++ linux-3.0.7/arch/x86/include/asm/pgtable.h 2011-08-23 21:47:55.000000000 -0400
8617@@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm
8618
8619 #ifndef __PAGETABLE_PUD_FOLDED
8620 #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
8621+#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
8622 #define pgd_clear(pgd) native_pgd_clear(pgd)
8623 #endif
8624
8625@@ -81,12 +82,51 @@ extern struct mm_struct *pgd_page_get_mm
8626
8627 #define arch_end_context_switch(prev) do {} while(0)
8628
8629+#define pax_open_kernel() native_pax_open_kernel()
8630+#define pax_close_kernel() native_pax_close_kernel()
8631 #endif /* CONFIG_PARAVIRT */
8632
8633+#define __HAVE_ARCH_PAX_OPEN_KERNEL
8634+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8635+
8636+#ifdef CONFIG_PAX_KERNEXEC
8637+static inline unsigned long native_pax_open_kernel(void)
8638+{
8639+ unsigned long cr0;
8640+
8641+ preempt_disable();
8642+ barrier();
8643+ cr0 = read_cr0() ^ X86_CR0_WP;
8644+ BUG_ON(unlikely(cr0 & X86_CR0_WP));
8645+ write_cr0(cr0);
8646+ return cr0 ^ X86_CR0_WP;
8647+}
8648+
8649+static inline unsigned long native_pax_close_kernel(void)
8650+{
8651+ unsigned long cr0;
8652+
8653+ cr0 = read_cr0() ^ X86_CR0_WP;
8654+ BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8655+ write_cr0(cr0);
8656+ barrier();
8657+ preempt_enable_no_resched();
8658+ return cr0 ^ X86_CR0_WP;
8659+}
8660+#else
8661+static inline unsigned long native_pax_open_kernel(void) { return 0; }
8662+static inline unsigned long native_pax_close_kernel(void) { return 0; }
8663+#endif
8664+
8665 /*
8666 * The following only work if pte_present() is true.
8667 * Undefined behaviour if not..
8668 */
8669+static inline int pte_user(pte_t pte)
8670+{
8671+ return pte_val(pte) & _PAGE_USER;
8672+}
8673+
8674 static inline int pte_dirty(pte_t pte)
8675 {
8676 return pte_flags(pte) & _PAGE_DIRTY;
8677@@ -196,9 +236,29 @@ static inline pte_t pte_wrprotect(pte_t
8678 return pte_clear_flags(pte, _PAGE_RW);
8679 }
8680
8681+static inline pte_t pte_mkread(pte_t pte)
8682+{
8683+ return __pte(pte_val(pte) | _PAGE_USER);
8684+}
8685+
8686 static inline pte_t pte_mkexec(pte_t pte)
8687 {
8688- return pte_clear_flags(pte, _PAGE_NX);
8689+#ifdef CONFIG_X86_PAE
8690+ if (__supported_pte_mask & _PAGE_NX)
8691+ return pte_clear_flags(pte, _PAGE_NX);
8692+ else
8693+#endif
8694+ return pte_set_flags(pte, _PAGE_USER);
8695+}
8696+
8697+static inline pte_t pte_exprotect(pte_t pte)
8698+{
8699+#ifdef CONFIG_X86_PAE
8700+ if (__supported_pte_mask & _PAGE_NX)
8701+ return pte_set_flags(pte, _PAGE_NX);
8702+ else
8703+#endif
8704+ return pte_clear_flags(pte, _PAGE_USER);
8705 }
8706
8707 static inline pte_t pte_mkdirty(pte_t pte)
8708@@ -390,6 +450,15 @@ pte_t *populate_extra_pte(unsigned long
8709 #endif
8710
8711 #ifndef __ASSEMBLY__
8712+
8713+#ifdef CONFIG_PAX_PER_CPU_PGD
8714+extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8715+static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8716+{
8717+ return cpu_pgd[cpu];
8718+}
8719+#endif
8720+
8721 #include <linux/mm_types.h>
8722
8723 static inline int pte_none(pte_t pte)
8724@@ -560,7 +629,7 @@ static inline pud_t *pud_offset(pgd_t *p
8725
8726 static inline int pgd_bad(pgd_t pgd)
8727 {
8728- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8729+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8730 }
8731
8732 static inline int pgd_none(pgd_t pgd)
8733@@ -583,7 +652,12 @@ static inline int pgd_none(pgd_t pgd)
8734 * pgd_offset() returns a (pgd_t *)
8735 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8736 */
8737-#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8738+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8739+
8740+#ifdef CONFIG_PAX_PER_CPU_PGD
8741+#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8742+#endif
8743+
8744 /*
8745 * a shortcut which implies the use of the kernel's pgd, instead
8746 * of a process's
8747@@ -594,6 +668,20 @@ static inline int pgd_none(pgd_t pgd)
8748 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8749 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8750
8751+#ifdef CONFIG_X86_32
8752+#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8753+#else
8754+#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8755+#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8756+
8757+#ifdef CONFIG_PAX_MEMORY_UDEREF
8758+#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8759+#else
8760+#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8761+#endif
8762+
8763+#endif
8764+
8765 #ifndef __ASSEMBLY__
8766
8767 extern int direct_gbpages;
8768@@ -758,11 +846,23 @@ static inline void pmdp_set_wrprotect(st
8769 * dst and src can be on the same page, but the range must not overlap,
8770 * and must not cross a page boundary.
8771 */
8772-static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8773+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8774 {
8775- memcpy(dst, src, count * sizeof(pgd_t));
8776+ pax_open_kernel();
8777+ while (count--)
8778+ *dst++ = *src++;
8779+ pax_close_kernel();
8780 }
8781
8782+#ifdef CONFIG_PAX_PER_CPU_PGD
8783+extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8784+#endif
8785+
8786+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8787+extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8788+#else
8789+static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8790+#endif
8791
8792 #include <asm-generic/pgtable.h>
8793 #endif /* __ASSEMBLY__ */
8794diff -urNp linux-3.0.7/arch/x86/include/asm/pgtable_32.h linux-3.0.7/arch/x86/include/asm/pgtable_32.h
8795--- linux-3.0.7/arch/x86/include/asm/pgtable_32.h 2011-07-21 22:17:23.000000000 -0400
8796+++ linux-3.0.7/arch/x86/include/asm/pgtable_32.h 2011-08-23 21:47:55.000000000 -0400
8797@@ -25,9 +25,6 @@
8798 struct mm_struct;
8799 struct vm_area_struct;
8800
8801-extern pgd_t swapper_pg_dir[1024];
8802-extern pgd_t initial_page_table[1024];
8803-
8804 static inline void pgtable_cache_init(void) { }
8805 static inline void check_pgt_cache(void) { }
8806 void paging_init(void);
8807@@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8808 # include <asm/pgtable-2level.h>
8809 #endif
8810
8811+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8812+extern pgd_t initial_page_table[PTRS_PER_PGD];
8813+#ifdef CONFIG_X86_PAE
8814+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8815+#endif
8816+
8817 #if defined(CONFIG_HIGHPTE)
8818 #define pte_offset_map(dir, address) \
8819 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
8820@@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8821 /* Clear a kernel PTE and flush it from the TLB */
8822 #define kpte_clear_flush(ptep, vaddr) \
8823 do { \
8824+ pax_open_kernel(); \
8825 pte_clear(&init_mm, (vaddr), (ptep)); \
8826+ pax_close_kernel(); \
8827 __flush_tlb_one((vaddr)); \
8828 } while (0)
8829
8830@@ -74,6 +79,9 @@ do { \
8831
8832 #endif /* !__ASSEMBLY__ */
8833
8834+#define HAVE_ARCH_UNMAPPED_AREA
8835+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8836+
8837 /*
8838 * kern_addr_valid() is (1) for FLATMEM and (0) for
8839 * SPARSEMEM and DISCONTIGMEM
8840diff -urNp linux-3.0.7/arch/x86/include/asm/pgtable_32_types.h linux-3.0.7/arch/x86/include/asm/pgtable_32_types.h
8841--- linux-3.0.7/arch/x86/include/asm/pgtable_32_types.h 2011-07-21 22:17:23.000000000 -0400
8842+++ linux-3.0.7/arch/x86/include/asm/pgtable_32_types.h 2011-08-23 21:47:55.000000000 -0400
8843@@ -8,7 +8,7 @@
8844 */
8845 #ifdef CONFIG_X86_PAE
8846 # include <asm/pgtable-3level_types.h>
8847-# define PMD_SIZE (1UL << PMD_SHIFT)
8848+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8849 # define PMD_MASK (~(PMD_SIZE - 1))
8850 #else
8851 # include <asm/pgtable-2level_types.h>
8852@@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8853 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8854 #endif
8855
8856+#ifdef CONFIG_PAX_KERNEXEC
8857+#ifndef __ASSEMBLY__
8858+extern unsigned char MODULES_EXEC_VADDR[];
8859+extern unsigned char MODULES_EXEC_END[];
8860+#endif
8861+#include <asm/boot.h>
8862+#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8863+#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8864+#else
8865+#define ktla_ktva(addr) (addr)
8866+#define ktva_ktla(addr) (addr)
8867+#endif
8868+
8869 #define MODULES_VADDR VMALLOC_START
8870 #define MODULES_END VMALLOC_END
8871 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
8872diff -urNp linux-3.0.7/arch/x86/include/asm/pgtable_64.h linux-3.0.7/arch/x86/include/asm/pgtable_64.h
8873--- linux-3.0.7/arch/x86/include/asm/pgtable_64.h 2011-07-21 22:17:23.000000000 -0400
8874+++ linux-3.0.7/arch/x86/include/asm/pgtable_64.h 2011-08-23 21:47:55.000000000 -0400
8875@@ -16,10 +16,13 @@
8876
8877 extern pud_t level3_kernel_pgt[512];
8878 extern pud_t level3_ident_pgt[512];
8879+extern pud_t level3_vmalloc_pgt[512];
8880+extern pud_t level3_vmemmap_pgt[512];
8881+extern pud_t level2_vmemmap_pgt[512];
8882 extern pmd_t level2_kernel_pgt[512];
8883 extern pmd_t level2_fixmap_pgt[512];
8884-extern pmd_t level2_ident_pgt[512];
8885-extern pgd_t init_level4_pgt[];
8886+extern pmd_t level2_ident_pgt[512*2];
8887+extern pgd_t init_level4_pgt[512];
8888
8889 #define swapper_pg_dir init_level4_pgt
8890
8891@@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
8892
8893 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8894 {
8895+ pax_open_kernel();
8896 *pmdp = pmd;
8897+ pax_close_kernel();
8898 }
8899
8900 static inline void native_pmd_clear(pmd_t *pmd)
8901@@ -107,6 +112,13 @@ static inline void native_pud_clear(pud_
8902
8903 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8904 {
8905+ pax_open_kernel();
8906+ *pgdp = pgd;
8907+ pax_close_kernel();
8908+}
8909+
8910+static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
8911+{
8912 *pgdp = pgd;
8913 }
8914
8915diff -urNp linux-3.0.7/arch/x86/include/asm/pgtable_64_types.h linux-3.0.7/arch/x86/include/asm/pgtable_64_types.h
8916--- linux-3.0.7/arch/x86/include/asm/pgtable_64_types.h 2011-07-21 22:17:23.000000000 -0400
8917+++ linux-3.0.7/arch/x86/include/asm/pgtable_64_types.h 2011-08-23 21:47:55.000000000 -0400
8918@@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8919 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8920 #define MODULES_END _AC(0xffffffffff000000, UL)
8921 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8922+#define MODULES_EXEC_VADDR MODULES_VADDR
8923+#define MODULES_EXEC_END MODULES_END
8924+
8925+#define ktla_ktva(addr) (addr)
8926+#define ktva_ktla(addr) (addr)
8927
8928 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8929diff -urNp linux-3.0.7/arch/x86/include/asm/pgtable_types.h linux-3.0.7/arch/x86/include/asm/pgtable_types.h
8930--- linux-3.0.7/arch/x86/include/asm/pgtable_types.h 2011-07-21 22:17:23.000000000 -0400
8931+++ linux-3.0.7/arch/x86/include/asm/pgtable_types.h 2011-08-23 21:47:55.000000000 -0400
8932@@ -16,13 +16,12 @@
8933 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8934 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8935 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8936-#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8937+#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8938 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8939 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8940 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8941-#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8942-#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8943-#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
8944+#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8945+#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
8946 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8947
8948 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8949@@ -40,7 +39,6 @@
8950 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8951 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8952 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8953-#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8954 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8955 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8956 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8957@@ -57,8 +55,10 @@
8958
8959 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8960 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8961-#else
8962+#elif defined(CONFIG_KMEMCHECK)
8963 #define _PAGE_NX (_AT(pteval_t, 0))
8964+#else
8965+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8966 #endif
8967
8968 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8969@@ -96,6 +96,9 @@
8970 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8971 _PAGE_ACCESSED)
8972
8973+#define PAGE_READONLY_NOEXEC PAGE_READONLY
8974+#define PAGE_SHARED_NOEXEC PAGE_SHARED
8975+
8976 #define __PAGE_KERNEL_EXEC \
8977 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8978 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8979@@ -106,8 +109,8 @@
8980 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8981 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8982 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8983-#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8984-#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8985+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8986+#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8987 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8988 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8989 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8990@@ -166,8 +169,8 @@
8991 * bits are combined, this will alow user to access the high address mapped
8992 * VDSO in the presence of CONFIG_COMPAT_VDSO
8993 */
8994-#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8995-#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8996+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8997+#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8998 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
8999 #endif
9000
9001@@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
9002 {
9003 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
9004 }
9005+#endif
9006
9007+#if PAGETABLE_LEVELS == 3
9008+#include <asm-generic/pgtable-nopud.h>
9009+#endif
9010+
9011+#if PAGETABLE_LEVELS == 2
9012+#include <asm-generic/pgtable-nopmd.h>
9013+#endif
9014+
9015+#ifndef __ASSEMBLY__
9016 #if PAGETABLE_LEVELS > 3
9017 typedef struct { pudval_t pud; } pud_t;
9018
9019@@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
9020 return pud.pud;
9021 }
9022 #else
9023-#include <asm-generic/pgtable-nopud.h>
9024-
9025 static inline pudval_t native_pud_val(pud_t pud)
9026 {
9027 return native_pgd_val(pud.pgd);
9028@@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
9029 return pmd.pmd;
9030 }
9031 #else
9032-#include <asm-generic/pgtable-nopmd.h>
9033-
9034 static inline pmdval_t native_pmd_val(pmd_t pmd)
9035 {
9036 return native_pgd_val(pmd.pud.pgd);
9037@@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
9038
9039 extern pteval_t __supported_pte_mask;
9040 extern void set_nx(void);
9041-extern int nx_enabled;
9042
9043 #define pgprot_writecombine pgprot_writecombine
9044 extern pgprot_t pgprot_writecombine(pgprot_t prot);
9045diff -urNp linux-3.0.7/arch/x86/include/asm/processor.h linux-3.0.7/arch/x86/include/asm/processor.h
9046--- linux-3.0.7/arch/x86/include/asm/processor.h 2011-07-21 22:17:23.000000000 -0400
9047+++ linux-3.0.7/arch/x86/include/asm/processor.h 2011-08-23 21:47:55.000000000 -0400
9048@@ -266,7 +266,7 @@ struct tss_struct {
9049
9050 } ____cacheline_aligned;
9051
9052-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
9053+extern struct tss_struct init_tss[NR_CPUS];
9054
9055 /*
9056 * Save the original ist values for checking stack pointers during debugging
9057@@ -860,11 +860,18 @@ static inline void spin_lock_prefetch(co
9058 */
9059 #define TASK_SIZE PAGE_OFFSET
9060 #define TASK_SIZE_MAX TASK_SIZE
9061+
9062+#ifdef CONFIG_PAX_SEGMEXEC
9063+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
9064+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
9065+#else
9066 #define STACK_TOP TASK_SIZE
9067-#define STACK_TOP_MAX STACK_TOP
9068+#endif
9069+
9070+#define STACK_TOP_MAX TASK_SIZE
9071
9072 #define INIT_THREAD { \
9073- .sp0 = sizeof(init_stack) + (long)&init_stack, \
9074+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
9075 .vm86_info = NULL, \
9076 .sysenter_cs = __KERNEL_CS, \
9077 .io_bitmap_ptr = NULL, \
9078@@ -878,7 +885,7 @@ static inline void spin_lock_prefetch(co
9079 */
9080 #define INIT_TSS { \
9081 .x86_tss = { \
9082- .sp0 = sizeof(init_stack) + (long)&init_stack, \
9083+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
9084 .ss0 = __KERNEL_DS, \
9085 .ss1 = __KERNEL_CS, \
9086 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
9087@@ -889,11 +896,7 @@ static inline void spin_lock_prefetch(co
9088 extern unsigned long thread_saved_pc(struct task_struct *tsk);
9089
9090 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
9091-#define KSTK_TOP(info) \
9092-({ \
9093- unsigned long *__ptr = (unsigned long *)(info); \
9094- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
9095-})
9096+#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
9097
9098 /*
9099 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
9100@@ -908,7 +911,7 @@ extern unsigned long thread_saved_pc(str
9101 #define task_pt_regs(task) \
9102 ({ \
9103 struct pt_regs *__regs__; \
9104- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
9105+ __regs__ = (struct pt_regs *)((task)->thread.sp0); \
9106 __regs__ - 1; \
9107 })
9108
9109@@ -918,13 +921,13 @@ extern unsigned long thread_saved_pc(str
9110 /*
9111 * User space process size. 47bits minus one guard page.
9112 */
9113-#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
9114+#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
9115
9116 /* This decides where the kernel will search for a free chunk of vm
9117 * space during mmap's.
9118 */
9119 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
9120- 0xc0000000 : 0xFFFFe000)
9121+ 0xc0000000 : 0xFFFFf000)
9122
9123 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
9124 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
9125@@ -935,11 +938,11 @@ extern unsigned long thread_saved_pc(str
9126 #define STACK_TOP_MAX TASK_SIZE_MAX
9127
9128 #define INIT_THREAD { \
9129- .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
9130+ .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
9131 }
9132
9133 #define INIT_TSS { \
9134- .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
9135+ .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
9136 }
9137
9138 /*
9139@@ -961,6 +964,10 @@ extern void start_thread(struct pt_regs
9140 */
9141 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
9142
9143+#ifdef CONFIG_PAX_SEGMEXEC
9144+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
9145+#endif
9146+
9147 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
9148
9149 /* Get/set a process' ability to use the timestamp counter instruction */
9150diff -urNp linux-3.0.7/arch/x86/include/asm/ptrace.h linux-3.0.7/arch/x86/include/asm/ptrace.h
9151--- linux-3.0.7/arch/x86/include/asm/ptrace.h 2011-07-21 22:17:23.000000000 -0400
9152+++ linux-3.0.7/arch/x86/include/asm/ptrace.h 2011-08-23 21:47:55.000000000 -0400
9153@@ -153,28 +153,29 @@ static inline unsigned long regs_return_
9154 }
9155
9156 /*
9157- * user_mode_vm(regs) determines whether a register set came from user mode.
9158+ * user_mode(regs) determines whether a register set came from user mode.
9159 * This is true if V8086 mode was enabled OR if the register set was from
9160 * protected mode with RPL-3 CS value. This tricky test checks that with
9161 * one comparison. Many places in the kernel can bypass this full check
9162- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
9163+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
9164+ * be used.
9165 */
9166-static inline int user_mode(struct pt_regs *regs)
9167+static inline int user_mode_novm(struct pt_regs *regs)
9168 {
9169 #ifdef CONFIG_X86_32
9170 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
9171 #else
9172- return !!(regs->cs & 3);
9173+ return !!(regs->cs & SEGMENT_RPL_MASK);
9174 #endif
9175 }
9176
9177-static inline int user_mode_vm(struct pt_regs *regs)
9178+static inline int user_mode(struct pt_regs *regs)
9179 {
9180 #ifdef CONFIG_X86_32
9181 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
9182 USER_RPL;
9183 #else
9184- return user_mode(regs);
9185+ return user_mode_novm(regs);
9186 #endif
9187 }
9188
9189diff -urNp linux-3.0.7/arch/x86/include/asm/reboot.h linux-3.0.7/arch/x86/include/asm/reboot.h
9190--- linux-3.0.7/arch/x86/include/asm/reboot.h 2011-07-21 22:17:23.000000000 -0400
9191+++ linux-3.0.7/arch/x86/include/asm/reboot.h 2011-08-23 21:47:55.000000000 -0400
9192@@ -6,19 +6,19 @@
9193 struct pt_regs;
9194
9195 struct machine_ops {
9196- void (*restart)(char *cmd);
9197- void (*halt)(void);
9198- void (*power_off)(void);
9199+ void (* __noreturn restart)(char *cmd);
9200+ void (* __noreturn halt)(void);
9201+ void (* __noreturn power_off)(void);
9202 void (*shutdown)(void);
9203 void (*crash_shutdown)(struct pt_regs *);
9204- void (*emergency_restart)(void);
9205-};
9206+ void (* __noreturn emergency_restart)(void);
9207+} __no_const;
9208
9209 extern struct machine_ops machine_ops;
9210
9211 void native_machine_crash_shutdown(struct pt_regs *regs);
9212 void native_machine_shutdown(void);
9213-void machine_real_restart(unsigned int type);
9214+void machine_real_restart(unsigned int type) __noreturn;
9215 /* These must match dispatch_table in reboot_32.S */
9216 #define MRR_BIOS 0
9217 #define MRR_APM 1
9218diff -urNp linux-3.0.7/arch/x86/include/asm/rwsem.h linux-3.0.7/arch/x86/include/asm/rwsem.h
9219--- linux-3.0.7/arch/x86/include/asm/rwsem.h 2011-07-21 22:17:23.000000000 -0400
9220+++ linux-3.0.7/arch/x86/include/asm/rwsem.h 2011-08-23 21:47:55.000000000 -0400
9221@@ -64,6 +64,14 @@ static inline void __down_read(struct rw
9222 {
9223 asm volatile("# beginning down_read\n\t"
9224 LOCK_PREFIX _ASM_INC "(%1)\n\t"
9225+
9226+#ifdef CONFIG_PAX_REFCOUNT
9227+ "jno 0f\n"
9228+ LOCK_PREFIX _ASM_DEC "(%1)\n"
9229+ "int $4\n0:\n"
9230+ _ASM_EXTABLE(0b, 0b)
9231+#endif
9232+
9233 /* adds 0x00000001 */
9234 " jns 1f\n"
9235 " call call_rwsem_down_read_failed\n"
9236@@ -85,6 +93,14 @@ static inline int __down_read_trylock(st
9237 "1:\n\t"
9238 " mov %1,%2\n\t"
9239 " add %3,%2\n\t"
9240+
9241+#ifdef CONFIG_PAX_REFCOUNT
9242+ "jno 0f\n"
9243+ "sub %3,%2\n"
9244+ "int $4\n0:\n"
9245+ _ASM_EXTABLE(0b, 0b)
9246+#endif
9247+
9248 " jle 2f\n\t"
9249 LOCK_PREFIX " cmpxchg %2,%0\n\t"
9250 " jnz 1b\n\t"
9251@@ -104,6 +120,14 @@ static inline void __down_write_nested(s
9252 long tmp;
9253 asm volatile("# beginning down_write\n\t"
9254 LOCK_PREFIX " xadd %1,(%2)\n\t"
9255+
9256+#ifdef CONFIG_PAX_REFCOUNT
9257+ "jno 0f\n"
9258+ "mov %1,(%2)\n"
9259+ "int $4\n0:\n"
9260+ _ASM_EXTABLE(0b, 0b)
9261+#endif
9262+
9263 /* adds 0xffff0001, returns the old value */
9264 " test %1,%1\n\t"
9265 /* was the count 0 before? */
9266@@ -141,6 +165,14 @@ static inline void __up_read(struct rw_s
9267 long tmp;
9268 asm volatile("# beginning __up_read\n\t"
9269 LOCK_PREFIX " xadd %1,(%2)\n\t"
9270+
9271+#ifdef CONFIG_PAX_REFCOUNT
9272+ "jno 0f\n"
9273+ "mov %1,(%2)\n"
9274+ "int $4\n0:\n"
9275+ _ASM_EXTABLE(0b, 0b)
9276+#endif
9277+
9278 /* subtracts 1, returns the old value */
9279 " jns 1f\n\t"
9280 " call call_rwsem_wake\n" /* expects old value in %edx */
9281@@ -159,6 +191,14 @@ static inline void __up_write(struct rw_
9282 long tmp;
9283 asm volatile("# beginning __up_write\n\t"
9284 LOCK_PREFIX " xadd %1,(%2)\n\t"
9285+
9286+#ifdef CONFIG_PAX_REFCOUNT
9287+ "jno 0f\n"
9288+ "mov %1,(%2)\n"
9289+ "int $4\n0:\n"
9290+ _ASM_EXTABLE(0b, 0b)
9291+#endif
9292+
9293 /* subtracts 0xffff0001, returns the old value */
9294 " jns 1f\n\t"
9295 " call call_rwsem_wake\n" /* expects old value in %edx */
9296@@ -176,6 +216,14 @@ static inline void __downgrade_write(str
9297 {
9298 asm volatile("# beginning __downgrade_write\n\t"
9299 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
9300+
9301+#ifdef CONFIG_PAX_REFCOUNT
9302+ "jno 0f\n"
9303+ LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9304+ "int $4\n0:\n"
9305+ _ASM_EXTABLE(0b, 0b)
9306+#endif
9307+
9308 /*
9309 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9310 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9311@@ -194,7 +242,15 @@ static inline void __downgrade_write(str
9312 */
9313 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
9314 {
9315- asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9316+ asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9317+
9318+#ifdef CONFIG_PAX_REFCOUNT
9319+ "jno 0f\n"
9320+ LOCK_PREFIX _ASM_SUB "%1,%0\n"
9321+ "int $4\n0:\n"
9322+ _ASM_EXTABLE(0b, 0b)
9323+#endif
9324+
9325 : "+m" (sem->count)
9326 : "er" (delta));
9327 }
9328@@ -206,7 +262,15 @@ static inline long rwsem_atomic_update(l
9329 {
9330 long tmp = delta;
9331
9332- asm volatile(LOCK_PREFIX "xadd %0,%1"
9333+ asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9334+
9335+#ifdef CONFIG_PAX_REFCOUNT
9336+ "jno 0f\n"
9337+ "mov %0,%1\n"
9338+ "int $4\n0:\n"
9339+ _ASM_EXTABLE(0b, 0b)
9340+#endif
9341+
9342 : "+r" (tmp), "+m" (sem->count)
9343 : : "memory");
9344
9345diff -urNp linux-3.0.7/arch/x86/include/asm/segment.h linux-3.0.7/arch/x86/include/asm/segment.h
9346--- linux-3.0.7/arch/x86/include/asm/segment.h 2011-07-21 22:17:23.000000000 -0400
9347+++ linux-3.0.7/arch/x86/include/asm/segment.h 2011-09-17 00:53:42.000000000 -0400
9348@@ -64,10 +64,15 @@
9349 * 26 - ESPFIX small SS
9350 * 27 - per-cpu [ offset to per-cpu data area ]
9351 * 28 - stack_canary-20 [ for stack protector ]
9352- * 29 - unused
9353- * 30 - unused
9354+ * 29 - PCI BIOS CS
9355+ * 30 - PCI BIOS DS
9356 * 31 - TSS for double fault handler
9357 */
9358+#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
9359+#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
9360+#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
9361+#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
9362+
9363 #define GDT_ENTRY_TLS_MIN 6
9364 #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
9365
9366@@ -79,6 +84,8 @@
9367
9368 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
9369
9370+#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9371+
9372 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
9373
9374 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
9375@@ -104,6 +111,12 @@
9376 #define __KERNEL_STACK_CANARY 0
9377 #endif
9378
9379+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
9380+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9381+
9382+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
9383+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9384+
9385 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9386
9387 /*
9388@@ -141,7 +154,7 @@
9389 */
9390
9391 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9392-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9393+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9394
9395
9396 #else
9397@@ -165,6 +178,8 @@
9398 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9399 #define __USER32_DS __USER_DS
9400
9401+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9402+
9403 #define GDT_ENTRY_TSS 8 /* needs two entries */
9404 #define GDT_ENTRY_LDT 10 /* needs two entries */
9405 #define GDT_ENTRY_TLS_MIN 12
9406@@ -185,6 +200,7 @@
9407 #endif
9408
9409 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
9410+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
9411 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
9412 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
9413 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
9414diff -urNp linux-3.0.7/arch/x86/include/asm/smp.h linux-3.0.7/arch/x86/include/asm/smp.h
9415--- linux-3.0.7/arch/x86/include/asm/smp.h 2011-07-21 22:17:23.000000000 -0400
9416+++ linux-3.0.7/arch/x86/include/asm/smp.h 2011-08-23 21:47:55.000000000 -0400
9417@@ -36,7 +36,7 @@ DECLARE_PER_CPU(cpumask_var_t, cpu_core_
9418 /* cpus sharing the last level cache: */
9419 DECLARE_PER_CPU(cpumask_var_t, cpu_llc_shared_map);
9420 DECLARE_PER_CPU(u16, cpu_llc_id);
9421-DECLARE_PER_CPU(int, cpu_number);
9422+DECLARE_PER_CPU(unsigned int, cpu_number);
9423
9424 static inline struct cpumask *cpu_sibling_mask(int cpu)
9425 {
9426@@ -77,7 +77,7 @@ struct smp_ops {
9427
9428 void (*send_call_func_ipi)(const struct cpumask *mask);
9429 void (*send_call_func_single_ipi)(int cpu);
9430-};
9431+} __no_const;
9432
9433 /* Globals due to paravirt */
9434 extern void set_cpu_sibling_map(int cpu);
9435@@ -192,14 +192,8 @@ extern unsigned disabled_cpus __cpuinitd
9436 extern int safe_smp_processor_id(void);
9437
9438 #elif defined(CONFIG_X86_64_SMP)
9439-#define raw_smp_processor_id() (percpu_read(cpu_number))
9440-
9441-#define stack_smp_processor_id() \
9442-({ \
9443- struct thread_info *ti; \
9444- __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
9445- ti->cpu; \
9446-})
9447+#define raw_smp_processor_id() (percpu_read(cpu_number))
9448+#define stack_smp_processor_id() raw_smp_processor_id()
9449 #define safe_smp_processor_id() smp_processor_id()
9450
9451 #endif
9452diff -urNp linux-3.0.7/arch/x86/include/asm/spinlock.h linux-3.0.7/arch/x86/include/asm/spinlock.h
9453--- linux-3.0.7/arch/x86/include/asm/spinlock.h 2011-07-21 22:17:23.000000000 -0400
9454+++ linux-3.0.7/arch/x86/include/asm/spinlock.h 2011-08-23 21:47:55.000000000 -0400
9455@@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
9456 static inline void arch_read_lock(arch_rwlock_t *rw)
9457 {
9458 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9459+
9460+#ifdef CONFIG_PAX_REFCOUNT
9461+ "jno 0f\n"
9462+ LOCK_PREFIX " addl $1,(%0)\n"
9463+ "int $4\n0:\n"
9464+ _ASM_EXTABLE(0b, 0b)
9465+#endif
9466+
9467 "jns 1f\n"
9468 "call __read_lock_failed\n\t"
9469 "1:\n"
9470@@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
9471 static inline void arch_write_lock(arch_rwlock_t *rw)
9472 {
9473 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9474+
9475+#ifdef CONFIG_PAX_REFCOUNT
9476+ "jno 0f\n"
9477+ LOCK_PREFIX " addl %1,(%0)\n"
9478+ "int $4\n0:\n"
9479+ _ASM_EXTABLE(0b, 0b)
9480+#endif
9481+
9482 "jz 1f\n"
9483 "call __write_lock_failed\n\t"
9484 "1:\n"
9485@@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
9486
9487 static inline void arch_read_unlock(arch_rwlock_t *rw)
9488 {
9489- asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9490+ asm volatile(LOCK_PREFIX "incl %0\n"
9491+
9492+#ifdef CONFIG_PAX_REFCOUNT
9493+ "jno 0f\n"
9494+ LOCK_PREFIX "decl %0\n"
9495+ "int $4\n0:\n"
9496+ _ASM_EXTABLE(0b, 0b)
9497+#endif
9498+
9499+ :"+m" (rw->lock) : : "memory");
9500 }
9501
9502 static inline void arch_write_unlock(arch_rwlock_t *rw)
9503 {
9504- asm volatile(LOCK_PREFIX "addl %1, %0"
9505+ asm volatile(LOCK_PREFIX "addl %1, %0\n"
9506+
9507+#ifdef CONFIG_PAX_REFCOUNT
9508+ "jno 0f\n"
9509+ LOCK_PREFIX "subl %1, %0\n"
9510+ "int $4\n0:\n"
9511+ _ASM_EXTABLE(0b, 0b)
9512+#endif
9513+
9514 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9515 }
9516
9517diff -urNp linux-3.0.7/arch/x86/include/asm/stackprotector.h linux-3.0.7/arch/x86/include/asm/stackprotector.h
9518--- linux-3.0.7/arch/x86/include/asm/stackprotector.h 2011-07-21 22:17:23.000000000 -0400
9519+++ linux-3.0.7/arch/x86/include/asm/stackprotector.h 2011-08-23 21:47:55.000000000 -0400
9520@@ -48,7 +48,7 @@
9521 * head_32 for boot CPU and setup_per_cpu_areas() for others.
9522 */
9523 #define GDT_STACK_CANARY_INIT \
9524- [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
9525+ [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
9526
9527 /*
9528 * Initialize the stackprotector canary value.
9529@@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9530
9531 static inline void load_stack_canary_segment(void)
9532 {
9533-#ifdef CONFIG_X86_32
9534+#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9535 asm volatile ("mov %0, %%gs" : : "r" (0));
9536 #endif
9537 }
9538diff -urNp linux-3.0.7/arch/x86/include/asm/stacktrace.h linux-3.0.7/arch/x86/include/asm/stacktrace.h
9539--- linux-3.0.7/arch/x86/include/asm/stacktrace.h 2011-07-21 22:17:23.000000000 -0400
9540+++ linux-3.0.7/arch/x86/include/asm/stacktrace.h 2011-08-23 21:47:55.000000000 -0400
9541@@ -11,28 +11,20 @@
9542
9543 extern int kstack_depth_to_print;
9544
9545-struct thread_info;
9546+struct task_struct;
9547 struct stacktrace_ops;
9548
9549-typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
9550- unsigned long *stack,
9551- unsigned long bp,
9552- const struct stacktrace_ops *ops,
9553- void *data,
9554- unsigned long *end,
9555- int *graph);
9556-
9557-extern unsigned long
9558-print_context_stack(struct thread_info *tinfo,
9559- unsigned long *stack, unsigned long bp,
9560- const struct stacktrace_ops *ops, void *data,
9561- unsigned long *end, int *graph);
9562-
9563-extern unsigned long
9564-print_context_stack_bp(struct thread_info *tinfo,
9565- unsigned long *stack, unsigned long bp,
9566- const struct stacktrace_ops *ops, void *data,
9567- unsigned long *end, int *graph);
9568+typedef unsigned long walk_stack_t(struct task_struct *task,
9569+ void *stack_start,
9570+ unsigned long *stack,
9571+ unsigned long bp,
9572+ const struct stacktrace_ops *ops,
9573+ void *data,
9574+ unsigned long *end,
9575+ int *graph);
9576+
9577+extern walk_stack_t print_context_stack;
9578+extern walk_stack_t print_context_stack_bp;
9579
9580 /* Generic stack tracer with callbacks */
9581
9582@@ -40,7 +32,7 @@ struct stacktrace_ops {
9583 void (*address)(void *data, unsigned long address, int reliable);
9584 /* On negative return stop dumping */
9585 int (*stack)(void *data, char *name);
9586- walk_stack_t walk_stack;
9587+ walk_stack_t *walk_stack;
9588 };
9589
9590 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
9591diff -urNp linux-3.0.7/arch/x86/include/asm/sys_ia32.h linux-3.0.7/arch/x86/include/asm/sys_ia32.h
9592--- linux-3.0.7/arch/x86/include/asm/sys_ia32.h 2011-07-21 22:17:23.000000000 -0400
9593+++ linux-3.0.7/arch/x86/include/asm/sys_ia32.h 2011-10-06 04:17:55.000000000 -0400
9594@@ -40,7 +40,7 @@ asmlinkage long sys32_rt_sigprocmask(int
9595 compat_sigset_t __user *, unsigned int);
9596 asmlinkage long sys32_alarm(unsigned int);
9597
9598-asmlinkage long sys32_waitpid(compat_pid_t, unsigned int *, int);
9599+asmlinkage long sys32_waitpid(compat_pid_t, unsigned int __user *, int);
9600 asmlinkage long sys32_sysfs(int, u32, u32);
9601
9602 asmlinkage long sys32_sched_rr_get_interval(compat_pid_t,
9603diff -urNp linux-3.0.7/arch/x86/include/asm/system.h linux-3.0.7/arch/x86/include/asm/system.h
9604--- linux-3.0.7/arch/x86/include/asm/system.h 2011-07-21 22:17:23.000000000 -0400
9605+++ linux-3.0.7/arch/x86/include/asm/system.h 2011-08-23 21:47:55.000000000 -0400
9606@@ -129,7 +129,7 @@ do { \
9607 "call __switch_to\n\t" \
9608 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
9609 __switch_canary \
9610- "movq %P[thread_info](%%rsi),%%r8\n\t" \
9611+ "movq "__percpu_arg([thread_info])",%%r8\n\t" \
9612 "movq %%rax,%%rdi\n\t" \
9613 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
9614 "jnz ret_from_fork\n\t" \
9615@@ -140,7 +140,7 @@ do { \
9616 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
9617 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
9618 [_tif_fork] "i" (_TIF_FORK), \
9619- [thread_info] "i" (offsetof(struct task_struct, stack)), \
9620+ [thread_info] "m" (current_tinfo), \
9621 [current_task] "m" (current_task) \
9622 __switch_canary_iparam \
9623 : "memory", "cc" __EXTRA_CLOBBER)
9624@@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
9625 {
9626 unsigned long __limit;
9627 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9628- return __limit + 1;
9629+ return __limit;
9630 }
9631
9632 static inline void native_clts(void)
9633@@ -397,12 +397,12 @@ void enable_hlt(void);
9634
9635 void cpu_idle_wait(void);
9636
9637-extern unsigned long arch_align_stack(unsigned long sp);
9638+#define arch_align_stack(x) ((x) & ~0xfUL)
9639 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9640
9641 void default_idle(void);
9642
9643-void stop_this_cpu(void *dummy);
9644+void stop_this_cpu(void *dummy) __noreturn;
9645
9646 /*
9647 * Force strict CPU ordering.
9648diff -urNp linux-3.0.7/arch/x86/include/asm/thread_info.h linux-3.0.7/arch/x86/include/asm/thread_info.h
9649--- linux-3.0.7/arch/x86/include/asm/thread_info.h 2011-07-21 22:17:23.000000000 -0400
9650+++ linux-3.0.7/arch/x86/include/asm/thread_info.h 2011-08-23 21:47:55.000000000 -0400
9651@@ -10,6 +10,7 @@
9652 #include <linux/compiler.h>
9653 #include <asm/page.h>
9654 #include <asm/types.h>
9655+#include <asm/percpu.h>
9656
9657 /*
9658 * low level task data that entry.S needs immediate access to
9659@@ -24,7 +25,6 @@ struct exec_domain;
9660 #include <asm/atomic.h>
9661
9662 struct thread_info {
9663- struct task_struct *task; /* main task structure */
9664 struct exec_domain *exec_domain; /* execution domain */
9665 __u32 flags; /* low level flags */
9666 __u32 status; /* thread synchronous flags */
9667@@ -34,18 +34,12 @@ struct thread_info {
9668 mm_segment_t addr_limit;
9669 struct restart_block restart_block;
9670 void __user *sysenter_return;
9671-#ifdef CONFIG_X86_32
9672- unsigned long previous_esp; /* ESP of the previous stack in
9673- case of nested (IRQ) stacks
9674- */
9675- __u8 supervisor_stack[0];
9676-#endif
9677+ unsigned long lowest_stack;
9678 int uaccess_err;
9679 };
9680
9681-#define INIT_THREAD_INFO(tsk) \
9682+#define INIT_THREAD_INFO \
9683 { \
9684- .task = &tsk, \
9685 .exec_domain = &default_exec_domain, \
9686 .flags = 0, \
9687 .cpu = 0, \
9688@@ -56,7 +50,7 @@ struct thread_info {
9689 }, \
9690 }
9691
9692-#define init_thread_info (init_thread_union.thread_info)
9693+#define init_thread_info (init_thread_union.stack)
9694 #define init_stack (init_thread_union.stack)
9695
9696 #else /* !__ASSEMBLY__ */
9697@@ -170,6 +164,23 @@ struct thread_info {
9698 ret; \
9699 })
9700
9701+#ifdef __ASSEMBLY__
9702+/* how to get the thread information struct from ASM */
9703+#define GET_THREAD_INFO(reg) \
9704+ mov PER_CPU_VAR(current_tinfo), reg
9705+
9706+/* use this one if reg already contains %esp */
9707+#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
9708+#else
9709+/* how to get the thread information struct from C */
9710+DECLARE_PER_CPU(struct thread_info *, current_tinfo);
9711+
9712+static __always_inline struct thread_info *current_thread_info(void)
9713+{
9714+ return percpu_read_stable(current_tinfo);
9715+}
9716+#endif
9717+
9718 #ifdef CONFIG_X86_32
9719
9720 #define STACK_WARN (THREAD_SIZE/8)
9721@@ -180,35 +191,13 @@ struct thread_info {
9722 */
9723 #ifndef __ASSEMBLY__
9724
9725-
9726 /* how to get the current stack pointer from C */
9727 register unsigned long current_stack_pointer asm("esp") __used;
9728
9729-/* how to get the thread information struct from C */
9730-static inline struct thread_info *current_thread_info(void)
9731-{
9732- return (struct thread_info *)
9733- (current_stack_pointer & ~(THREAD_SIZE - 1));
9734-}
9735-
9736-#else /* !__ASSEMBLY__ */
9737-
9738-/* how to get the thread information struct from ASM */
9739-#define GET_THREAD_INFO(reg) \
9740- movl $-THREAD_SIZE, reg; \
9741- andl %esp, reg
9742-
9743-/* use this one if reg already contains %esp */
9744-#define GET_THREAD_INFO_WITH_ESP(reg) \
9745- andl $-THREAD_SIZE, reg
9746-
9747 #endif
9748
9749 #else /* X86_32 */
9750
9751-#include <asm/percpu.h>
9752-#define KERNEL_STACK_OFFSET (5*8)
9753-
9754 /*
9755 * macros/functions for gaining access to the thread information structure
9756 * preempt_count needs to be 1 initially, until the scheduler is functional.
9757@@ -216,21 +205,8 @@ static inline struct thread_info *curren
9758 #ifndef __ASSEMBLY__
9759 DECLARE_PER_CPU(unsigned long, kernel_stack);
9760
9761-static inline struct thread_info *current_thread_info(void)
9762-{
9763- struct thread_info *ti;
9764- ti = (void *)(percpu_read_stable(kernel_stack) +
9765- KERNEL_STACK_OFFSET - THREAD_SIZE);
9766- return ti;
9767-}
9768-
9769-#else /* !__ASSEMBLY__ */
9770-
9771-/* how to get the thread information struct from ASM */
9772-#define GET_THREAD_INFO(reg) \
9773- movq PER_CPU_VAR(kernel_stack),reg ; \
9774- subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
9775-
9776+/* how to get the current stack pointer from C */
9777+register unsigned long current_stack_pointer asm("rsp") __used;
9778 #endif
9779
9780 #endif /* !X86_32 */
9781@@ -266,5 +242,16 @@ extern void arch_task_cache_init(void);
9782 extern void free_thread_info(struct thread_info *ti);
9783 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
9784 #define arch_task_cache_init arch_task_cache_init
9785+
9786+#define __HAVE_THREAD_FUNCTIONS
9787+#define task_thread_info(task) (&(task)->tinfo)
9788+#define task_stack_page(task) ((task)->stack)
9789+#define setup_thread_stack(p, org) do {} while (0)
9790+#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
9791+
9792+#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
9793+extern struct task_struct *alloc_task_struct_node(int node);
9794+extern void free_task_struct(struct task_struct *);
9795+
9796 #endif
9797 #endif /* _ASM_X86_THREAD_INFO_H */
9798diff -urNp linux-3.0.7/arch/x86/include/asm/uaccess.h linux-3.0.7/arch/x86/include/asm/uaccess.h
9799--- linux-3.0.7/arch/x86/include/asm/uaccess.h 2011-07-21 22:17:23.000000000 -0400
9800+++ linux-3.0.7/arch/x86/include/asm/uaccess.h 2011-10-06 04:17:55.000000000 -0400
9801@@ -7,12 +7,15 @@
9802 #include <linux/compiler.h>
9803 #include <linux/thread_info.h>
9804 #include <linux/string.h>
9805+#include <linux/sched.h>
9806 #include <asm/asm.h>
9807 #include <asm/page.h>
9808
9809 #define VERIFY_READ 0
9810 #define VERIFY_WRITE 1
9811
9812+extern void check_object_size(const void *ptr, unsigned long n, bool to);
9813+
9814 /*
9815 * The fs value determines whether argument validity checking should be
9816 * performed or not. If get_fs() == USER_DS, checking is performed, with
9817@@ -28,7 +31,12 @@
9818
9819 #define get_ds() (KERNEL_DS)
9820 #define get_fs() (current_thread_info()->addr_limit)
9821+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9822+void __set_fs(mm_segment_t x);
9823+void set_fs(mm_segment_t x);
9824+#else
9825 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9826+#endif
9827
9828 #define segment_eq(a, b) ((a).seg == (b).seg)
9829
9830@@ -76,7 +84,33 @@
9831 * checks that the pointer is in the user space range - after calling
9832 * this function, memory access functions may still return -EFAULT.
9833 */
9834-#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9835+#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9836+#define access_ok(type, addr, size) \
9837+({ \
9838+ long __size = size; \
9839+ unsigned long __addr = (unsigned long)addr; \
9840+ unsigned long __addr_ao = __addr & PAGE_MASK; \
9841+ unsigned long __end_ao = __addr + __size - 1; \
9842+ bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9843+ if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9844+ while(__addr_ao <= __end_ao) { \
9845+ char __c_ao; \
9846+ __addr_ao += PAGE_SIZE; \
9847+ if (__size > PAGE_SIZE) \
9848+ cond_resched(); \
9849+ if (__get_user(__c_ao, (char __user *)__addr)) \
9850+ break; \
9851+ if (type != VERIFY_WRITE) { \
9852+ __addr = __addr_ao; \
9853+ continue; \
9854+ } \
9855+ if (__put_user(__c_ao, (char __user *)__addr)) \
9856+ break; \
9857+ __addr = __addr_ao; \
9858+ } \
9859+ } \
9860+ __ret_ao; \
9861+})
9862
9863 /*
9864 * The exception table consists of pairs of addresses: the first is the
9865@@ -182,12 +216,20 @@ extern int __get_user_bad(void);
9866 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9867 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9868
9869-
9870+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9871+#define __copyuser_seg "gs;"
9872+#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
9873+#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
9874+#else
9875+#define __copyuser_seg
9876+#define __COPYUSER_SET_ES
9877+#define __COPYUSER_RESTORE_ES
9878+#endif
9879
9880 #ifdef CONFIG_X86_32
9881 #define __put_user_asm_u64(x, addr, err, errret) \
9882- asm volatile("1: movl %%eax,0(%2)\n" \
9883- "2: movl %%edx,4(%2)\n" \
9884+ asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
9885+ "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
9886 "3:\n" \
9887 ".section .fixup,\"ax\"\n" \
9888 "4: movl %3,%0\n" \
9889@@ -199,8 +241,8 @@ extern int __get_user_bad(void);
9890 : "A" (x), "r" (addr), "i" (errret), "0" (err))
9891
9892 #define __put_user_asm_ex_u64(x, addr) \
9893- asm volatile("1: movl %%eax,0(%1)\n" \
9894- "2: movl %%edx,4(%1)\n" \
9895+ asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
9896+ "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
9897 "3:\n" \
9898 _ASM_EXTABLE(1b, 2b - 1b) \
9899 _ASM_EXTABLE(2b, 3b - 2b) \
9900@@ -252,7 +294,7 @@ extern void __put_user_8(void);
9901 __typeof__(*(ptr)) __pu_val; \
9902 __chk_user_ptr(ptr); \
9903 might_fault(); \
9904- __pu_val = x; \
9905+ __pu_val = (x); \
9906 switch (sizeof(*(ptr))) { \
9907 case 1: \
9908 __put_user_x(1, __pu_val, ptr, __ret_pu); \
9909@@ -373,7 +415,7 @@ do { \
9910 } while (0)
9911
9912 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9913- asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9914+ asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
9915 "2:\n" \
9916 ".section .fixup,\"ax\"\n" \
9917 "3: mov %3,%0\n" \
9918@@ -381,7 +423,7 @@ do { \
9919 " jmp 2b\n" \
9920 ".previous\n" \
9921 _ASM_EXTABLE(1b, 3b) \
9922- : "=r" (err), ltype(x) \
9923+ : "=r" (err), ltype (x) \
9924 : "m" (__m(addr)), "i" (errret), "0" (err))
9925
9926 #define __get_user_size_ex(x, ptr, size) \
9927@@ -406,7 +448,7 @@ do { \
9928 } while (0)
9929
9930 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9931- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9932+ asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
9933 "2:\n" \
9934 _ASM_EXTABLE(1b, 2b - 1b) \
9935 : ltype(x) : "m" (__m(addr)))
9936@@ -423,13 +465,24 @@ do { \
9937 int __gu_err; \
9938 unsigned long __gu_val; \
9939 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9940- (x) = (__force __typeof__(*(ptr)))__gu_val; \
9941+ (x) = (__typeof__(*(ptr)))__gu_val; \
9942 __gu_err; \
9943 })
9944
9945 /* FIXME: this hack is definitely wrong -AK */
9946 struct __large_struct { unsigned long buf[100]; };
9947-#define __m(x) (*(struct __large_struct __user *)(x))
9948+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9949+#define ____m(x) \
9950+({ \
9951+ unsigned long ____x = (unsigned long)(x); \
9952+ if (____x < PAX_USER_SHADOW_BASE) \
9953+ ____x += PAX_USER_SHADOW_BASE; \
9954+ (void __user *)____x; \
9955+})
9956+#else
9957+#define ____m(x) (x)
9958+#endif
9959+#define __m(x) (*(struct __large_struct __user *)____m(x))
9960
9961 /*
9962 * Tell gcc we read from memory instead of writing: this is because
9963@@ -437,7 +490,7 @@ struct __large_struct { unsigned long bu
9964 * aliasing issues.
9965 */
9966 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9967- asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9968+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
9969 "2:\n" \
9970 ".section .fixup,\"ax\"\n" \
9971 "3: mov %3,%0\n" \
9972@@ -445,10 +498,10 @@ struct __large_struct { unsigned long bu
9973 ".previous\n" \
9974 _ASM_EXTABLE(1b, 3b) \
9975 : "=r"(err) \
9976- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9977+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
9978
9979 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9980- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9981+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
9982 "2:\n" \
9983 _ASM_EXTABLE(1b, 2b - 1b) \
9984 : : ltype(x), "m" (__m(addr)))
9985@@ -487,8 +540,12 @@ struct __large_struct { unsigned long bu
9986 * On error, the variable @x is set to zero.
9987 */
9988
9989+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9990+#define __get_user(x, ptr) get_user((x), (ptr))
9991+#else
9992 #define __get_user(x, ptr) \
9993 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
9994+#endif
9995
9996 /**
9997 * __put_user: - Write a simple value into user space, with less checking.
9998@@ -510,8 +567,12 @@ struct __large_struct { unsigned long bu
9999 * Returns zero on success, or -EFAULT on error.
10000 */
10001
10002+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10003+#define __put_user(x, ptr) put_user((x), (ptr))
10004+#else
10005 #define __put_user(x, ptr) \
10006 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
10007+#endif
10008
10009 #define __get_user_unaligned __get_user
10010 #define __put_user_unaligned __put_user
10011@@ -529,7 +590,7 @@ struct __large_struct { unsigned long bu
10012 #define get_user_ex(x, ptr) do { \
10013 unsigned long __gue_val; \
10014 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
10015- (x) = (__force __typeof__(*(ptr)))__gue_val; \
10016+ (x) = (__typeof__(*(ptr)))__gue_val; \
10017 } while (0)
10018
10019 #ifdef CONFIG_X86_WP_WORKS_OK
10020diff -urNp linux-3.0.7/arch/x86/include/asm/uaccess_32.h linux-3.0.7/arch/x86/include/asm/uaccess_32.h
10021--- linux-3.0.7/arch/x86/include/asm/uaccess_32.h 2011-07-21 22:17:23.000000000 -0400
10022+++ linux-3.0.7/arch/x86/include/asm/uaccess_32.h 2011-08-23 21:48:14.000000000 -0400
10023@@ -43,6 +43,11 @@ unsigned long __must_check __copy_from_u
10024 static __always_inline unsigned long __must_check
10025 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
10026 {
10027+ pax_track_stack();
10028+
10029+ if ((long)n < 0)
10030+ return n;
10031+
10032 if (__builtin_constant_p(n)) {
10033 unsigned long ret;
10034
10035@@ -61,6 +66,8 @@ __copy_to_user_inatomic(void __user *to,
10036 return ret;
10037 }
10038 }
10039+ if (!__builtin_constant_p(n))
10040+ check_object_size(from, n, true);
10041 return __copy_to_user_ll(to, from, n);
10042 }
10043
10044@@ -82,12 +89,16 @@ static __always_inline unsigned long __m
10045 __copy_to_user(void __user *to, const void *from, unsigned long n)
10046 {
10047 might_fault();
10048+
10049 return __copy_to_user_inatomic(to, from, n);
10050 }
10051
10052 static __always_inline unsigned long
10053 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
10054 {
10055+ if ((long)n < 0)
10056+ return n;
10057+
10058 /* Avoid zeroing the tail if the copy fails..
10059 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
10060 * but as the zeroing behaviour is only significant when n is not
10061@@ -137,6 +148,12 @@ static __always_inline unsigned long
10062 __copy_from_user(void *to, const void __user *from, unsigned long n)
10063 {
10064 might_fault();
10065+
10066+ pax_track_stack();
10067+
10068+ if ((long)n < 0)
10069+ return n;
10070+
10071 if (__builtin_constant_p(n)) {
10072 unsigned long ret;
10073
10074@@ -152,6 +169,8 @@ __copy_from_user(void *to, const void __
10075 return ret;
10076 }
10077 }
10078+ if (!__builtin_constant_p(n))
10079+ check_object_size(to, n, false);
10080 return __copy_from_user_ll(to, from, n);
10081 }
10082
10083@@ -159,6 +178,10 @@ static __always_inline unsigned long __c
10084 const void __user *from, unsigned long n)
10085 {
10086 might_fault();
10087+
10088+ if ((long)n < 0)
10089+ return n;
10090+
10091 if (__builtin_constant_p(n)) {
10092 unsigned long ret;
10093
10094@@ -181,15 +204,19 @@ static __always_inline unsigned long
10095 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
10096 unsigned long n)
10097 {
10098- return __copy_from_user_ll_nocache_nozero(to, from, n);
10099-}
10100+ if ((long)n < 0)
10101+ return n;
10102
10103-unsigned long __must_check copy_to_user(void __user *to,
10104- const void *from, unsigned long n);
10105-unsigned long __must_check _copy_from_user(void *to,
10106- const void __user *from,
10107- unsigned long n);
10108+ return __copy_from_user_ll_nocache_nozero(to, from, n);
10109+}
10110
10111+extern void copy_to_user_overflow(void)
10112+#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
10113+ __compiletime_error("copy_to_user() buffer size is not provably correct")
10114+#else
10115+ __compiletime_warning("copy_to_user() buffer size is not provably correct")
10116+#endif
10117+;
10118
10119 extern void copy_from_user_overflow(void)
10120 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
10121@@ -199,17 +226,61 @@ extern void copy_from_user_overflow(void
10122 #endif
10123 ;
10124
10125-static inline unsigned long __must_check copy_from_user(void *to,
10126- const void __user *from,
10127- unsigned long n)
10128+/**
10129+ * copy_to_user: - Copy a block of data into user space.
10130+ * @to: Destination address, in user space.
10131+ * @from: Source address, in kernel space.
10132+ * @n: Number of bytes to copy.
10133+ *
10134+ * Context: User context only. This function may sleep.
10135+ *
10136+ * Copy data from kernel space to user space.
10137+ *
10138+ * Returns number of bytes that could not be copied.
10139+ * On success, this will be zero.
10140+ */
10141+static inline unsigned long __must_check
10142+copy_to_user(void __user *to, const void *from, unsigned long n)
10143+{
10144+ int sz = __compiletime_object_size(from);
10145+
10146+ if (unlikely(sz != -1 && sz < n))
10147+ copy_to_user_overflow();
10148+ else if (access_ok(VERIFY_WRITE, to, n))
10149+ n = __copy_to_user(to, from, n);
10150+ return n;
10151+}
10152+
10153+/**
10154+ * copy_from_user: - Copy a block of data from user space.
10155+ * @to: Destination address, in kernel space.
10156+ * @from: Source address, in user space.
10157+ * @n: Number of bytes to copy.
10158+ *
10159+ * Context: User context only. This function may sleep.
10160+ *
10161+ * Copy data from user space to kernel space.
10162+ *
10163+ * Returns number of bytes that could not be copied.
10164+ * On success, this will be zero.
10165+ *
10166+ * If some data could not be copied, this function will pad the copied
10167+ * data to the requested size using zero bytes.
10168+ */
10169+static inline unsigned long __must_check
10170+copy_from_user(void *to, const void __user *from, unsigned long n)
10171 {
10172 int sz = __compiletime_object_size(to);
10173
10174- if (likely(sz == -1 || sz >= n))
10175- n = _copy_from_user(to, from, n);
10176- else
10177+ if (unlikely(sz != -1 && sz < n))
10178 copy_from_user_overflow();
10179-
10180+ else if (access_ok(VERIFY_READ, from, n))
10181+ n = __copy_from_user(to, from, n);
10182+ else if ((long)n > 0) {
10183+ if (!__builtin_constant_p(n))
10184+ check_object_size(to, n, false);
10185+ memset(to, 0, n);
10186+ }
10187 return n;
10188 }
10189
10190diff -urNp linux-3.0.7/arch/x86/include/asm/uaccess_64.h linux-3.0.7/arch/x86/include/asm/uaccess_64.h
10191--- linux-3.0.7/arch/x86/include/asm/uaccess_64.h 2011-07-21 22:17:23.000000000 -0400
10192+++ linux-3.0.7/arch/x86/include/asm/uaccess_64.h 2011-10-06 04:17:55.000000000 -0400
10193@@ -10,6 +10,9 @@
10194 #include <asm/alternative.h>
10195 #include <asm/cpufeature.h>
10196 #include <asm/page.h>
10197+#include <asm/pgtable.h>
10198+
10199+#define set_fs(x) (current_thread_info()->addr_limit = (x))
10200
10201 /*
10202 * Copy To/From Userspace
10203@@ -36,26 +39,26 @@ copy_user_generic(void *to, const void *
10204 return ret;
10205 }
10206
10207-__must_check unsigned long
10208-_copy_to_user(void __user *to, const void *from, unsigned len);
10209-__must_check unsigned long
10210-_copy_from_user(void *to, const void __user *from, unsigned len);
10211+static __always_inline __must_check unsigned long
10212+__copy_to_user(void __user *to, const void *from, unsigned len);
10213+static __always_inline __must_check unsigned long
10214+__copy_from_user(void *to, const void __user *from, unsigned len);
10215 __must_check unsigned long
10216 copy_in_user(void __user *to, const void __user *from, unsigned len);
10217
10218 static inline unsigned long __must_check copy_from_user(void *to,
10219 const void __user *from,
10220- unsigned long n)
10221+ unsigned n)
10222 {
10223- int sz = __compiletime_object_size(to);
10224-
10225 might_fault();
10226- if (likely(sz == -1 || sz >= n))
10227- n = _copy_from_user(to, from, n);
10228-#ifdef CONFIG_DEBUG_VM
10229- else
10230- WARN(1, "Buffer overflow detected!\n");
10231-#endif
10232+
10233+ if (access_ok(VERIFY_READ, from, n))
10234+ n = __copy_from_user(to, from, n);
10235+ else if ((int)n > 0) {
10236+ if (!__builtin_constant_p(n))
10237+ check_object_size(to, n, false);
10238+ memset(to, 0, n);
10239+ }
10240 return n;
10241 }
10242
10243@@ -64,110 +67,198 @@ int copy_to_user(void __user *dst, const
10244 {
10245 might_fault();
10246
10247- return _copy_to_user(dst, src, size);
10248+ if (access_ok(VERIFY_WRITE, dst, size))
10249+ size = __copy_to_user(dst, src, size);
10250+ return size;
10251 }
10252
10253 static __always_inline __must_check
10254-int __copy_from_user(void *dst, const void __user *src, unsigned size)
10255+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
10256 {
10257- int ret = 0;
10258+ int sz = __compiletime_object_size(dst);
10259+ unsigned ret = 0;
10260
10261 might_fault();
10262- if (!__builtin_constant_p(size))
10263- return copy_user_generic(dst, (__force void *)src, size);
10264+
10265+ pax_track_stack();
10266+
10267+ if ((int)size < 0)
10268+ return size;
10269+
10270+#ifdef CONFIG_PAX_MEMORY_UDEREF
10271+ if (!__access_ok(VERIFY_READ, src, size))
10272+ return size;
10273+#endif
10274+
10275+ if (unlikely(sz != -1 && sz < size)) {
10276+#ifdef CONFIG_DEBUG_VM
10277+ WARN(1, "Buffer overflow detected!\n");
10278+#endif
10279+ return size;
10280+ }
10281+
10282+ if (!__builtin_constant_p(size)) {
10283+ check_object_size(dst, size, false);
10284+
10285+#ifdef CONFIG_PAX_MEMORY_UDEREF
10286+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10287+ src += PAX_USER_SHADOW_BASE;
10288+#endif
10289+
10290+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
10291+ }
10292 switch (size) {
10293- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
10294+ case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
10295 ret, "b", "b", "=q", 1);
10296 return ret;
10297- case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
10298+ case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
10299 ret, "w", "w", "=r", 2);
10300 return ret;
10301- case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
10302+ case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
10303 ret, "l", "k", "=r", 4);
10304 return ret;
10305- case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
10306+ case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10307 ret, "q", "", "=r", 8);
10308 return ret;
10309 case 10:
10310- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
10311+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10312 ret, "q", "", "=r", 10);
10313 if (unlikely(ret))
10314 return ret;
10315 __get_user_asm(*(u16 *)(8 + (char *)dst),
10316- (u16 __user *)(8 + (char __user *)src),
10317+ (const u16 __user *)(8 + (const char __user *)src),
10318 ret, "w", "w", "=r", 2);
10319 return ret;
10320 case 16:
10321- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
10322+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10323 ret, "q", "", "=r", 16);
10324 if (unlikely(ret))
10325 return ret;
10326 __get_user_asm(*(u64 *)(8 + (char *)dst),
10327- (u64 __user *)(8 + (char __user *)src),
10328+ (const u64 __user *)(8 + (const char __user *)src),
10329 ret, "q", "", "=r", 8);
10330 return ret;
10331 default:
10332- return copy_user_generic(dst, (__force void *)src, size);
10333+
10334+#ifdef CONFIG_PAX_MEMORY_UDEREF
10335+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10336+ src += PAX_USER_SHADOW_BASE;
10337+#endif
10338+
10339+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
10340 }
10341 }
10342
10343 static __always_inline __must_check
10344-int __copy_to_user(void __user *dst, const void *src, unsigned size)
10345+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
10346 {
10347- int ret = 0;
10348+ int sz = __compiletime_object_size(src);
10349+ unsigned ret = 0;
10350
10351 might_fault();
10352- if (!__builtin_constant_p(size))
10353- return copy_user_generic((__force void *)dst, src, size);
10354+
10355+ pax_track_stack();
10356+
10357+ if ((int)size < 0)
10358+ return size;
10359+
10360+#ifdef CONFIG_PAX_MEMORY_UDEREF
10361+ if (!__access_ok(VERIFY_WRITE, dst, size))
10362+ return size;
10363+#endif
10364+
10365+ if (unlikely(sz != -1 && sz < size)) {
10366+#ifdef CONFIG_DEBUG_VM
10367+ WARN(1, "Buffer overflow detected!\n");
10368+#endif
10369+ return size;
10370+ }
10371+
10372+ if (!__builtin_constant_p(size)) {
10373+ check_object_size(src, size, true);
10374+
10375+#ifdef CONFIG_PAX_MEMORY_UDEREF
10376+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10377+ dst += PAX_USER_SHADOW_BASE;
10378+#endif
10379+
10380+ return copy_user_generic((__force_kernel void *)dst, src, size);
10381+ }
10382 switch (size) {
10383- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
10384+ case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
10385 ret, "b", "b", "iq", 1);
10386 return ret;
10387- case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
10388+ case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
10389 ret, "w", "w", "ir", 2);
10390 return ret;
10391- case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
10392+ case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
10393 ret, "l", "k", "ir", 4);
10394 return ret;
10395- case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
10396+ case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10397 ret, "q", "", "er", 8);
10398 return ret;
10399 case 10:
10400- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
10401+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10402 ret, "q", "", "er", 10);
10403 if (unlikely(ret))
10404 return ret;
10405 asm("":::"memory");
10406- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
10407+ __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
10408 ret, "w", "w", "ir", 2);
10409 return ret;
10410 case 16:
10411- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
10412+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10413 ret, "q", "", "er", 16);
10414 if (unlikely(ret))
10415 return ret;
10416 asm("":::"memory");
10417- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
10418+ __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
10419 ret, "q", "", "er", 8);
10420 return ret;
10421 default:
10422- return copy_user_generic((__force void *)dst, src, size);
10423+
10424+#ifdef CONFIG_PAX_MEMORY_UDEREF
10425+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10426+ dst += PAX_USER_SHADOW_BASE;
10427+#endif
10428+
10429+ return copy_user_generic((__force_kernel void *)dst, src, size);
10430 }
10431 }
10432
10433 static __always_inline __must_check
10434-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
10435+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
10436 {
10437- int ret = 0;
10438+ unsigned ret = 0;
10439
10440 might_fault();
10441- if (!__builtin_constant_p(size))
10442- return copy_user_generic((__force void *)dst,
10443- (__force void *)src, size);
10444+
10445+ if ((int)size < 0)
10446+ return size;
10447+
10448+#ifdef CONFIG_PAX_MEMORY_UDEREF
10449+ if (!__access_ok(VERIFY_READ, src, size))
10450+ return size;
10451+ if (!__access_ok(VERIFY_WRITE, dst, size))
10452+ return size;
10453+#endif
10454+
10455+ if (!__builtin_constant_p(size)) {
10456+
10457+#ifdef CONFIG_PAX_MEMORY_UDEREF
10458+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10459+ src += PAX_USER_SHADOW_BASE;
10460+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10461+ dst += PAX_USER_SHADOW_BASE;
10462+#endif
10463+
10464+ return copy_user_generic((__force_kernel void *)dst,
10465+ (__force_kernel const void *)src, size);
10466+ }
10467 switch (size) {
10468 case 1: {
10469 u8 tmp;
10470- __get_user_asm(tmp, (u8 __user *)src,
10471+ __get_user_asm(tmp, (const u8 __user *)src,
10472 ret, "b", "b", "=q", 1);
10473 if (likely(!ret))
10474 __put_user_asm(tmp, (u8 __user *)dst,
10475@@ -176,7 +267,7 @@ int __copy_in_user(void __user *dst, con
10476 }
10477 case 2: {
10478 u16 tmp;
10479- __get_user_asm(tmp, (u16 __user *)src,
10480+ __get_user_asm(tmp, (const u16 __user *)src,
10481 ret, "w", "w", "=r", 2);
10482 if (likely(!ret))
10483 __put_user_asm(tmp, (u16 __user *)dst,
10484@@ -186,7 +277,7 @@ int __copy_in_user(void __user *dst, con
10485
10486 case 4: {
10487 u32 tmp;
10488- __get_user_asm(tmp, (u32 __user *)src,
10489+ __get_user_asm(tmp, (const u32 __user *)src,
10490 ret, "l", "k", "=r", 4);
10491 if (likely(!ret))
10492 __put_user_asm(tmp, (u32 __user *)dst,
10493@@ -195,7 +286,7 @@ int __copy_in_user(void __user *dst, con
10494 }
10495 case 8: {
10496 u64 tmp;
10497- __get_user_asm(tmp, (u64 __user *)src,
10498+ __get_user_asm(tmp, (const u64 __user *)src,
10499 ret, "q", "", "=r", 8);
10500 if (likely(!ret))
10501 __put_user_asm(tmp, (u64 __user *)dst,
10502@@ -203,8 +294,16 @@ int __copy_in_user(void __user *dst, con
10503 return ret;
10504 }
10505 default:
10506- return copy_user_generic((__force void *)dst,
10507- (__force void *)src, size);
10508+
10509+#ifdef CONFIG_PAX_MEMORY_UDEREF
10510+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10511+ src += PAX_USER_SHADOW_BASE;
10512+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10513+ dst += PAX_USER_SHADOW_BASE;
10514+#endif
10515+
10516+ return copy_user_generic((__force_kernel void *)dst,
10517+ (__force_kernel const void *)src, size);
10518 }
10519 }
10520
10521@@ -221,33 +320,72 @@ __must_check unsigned long __clear_user(
10522 static __must_check __always_inline int
10523 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
10524 {
10525- return copy_user_generic(dst, (__force const void *)src, size);
10526+ pax_track_stack();
10527+
10528+ if ((int)size < 0)
10529+ return size;
10530+
10531+#ifdef CONFIG_PAX_MEMORY_UDEREF
10532+ if (!__access_ok(VERIFY_READ, src, size))
10533+ return size;
10534+
10535+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10536+ src += PAX_USER_SHADOW_BASE;
10537+#endif
10538+
10539+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
10540 }
10541
10542-static __must_check __always_inline int
10543+static __must_check __always_inline unsigned long
10544 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
10545 {
10546- return copy_user_generic((__force void *)dst, src, size);
10547+ if ((int)size < 0)
10548+ return size;
10549+
10550+#ifdef CONFIG_PAX_MEMORY_UDEREF
10551+ if (!__access_ok(VERIFY_WRITE, dst, size))
10552+ return size;
10553+
10554+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10555+ dst += PAX_USER_SHADOW_BASE;
10556+#endif
10557+
10558+ return copy_user_generic((__force_kernel void *)dst, src, size);
10559 }
10560
10561-extern long __copy_user_nocache(void *dst, const void __user *src,
10562+extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
10563 unsigned size, int zerorest);
10564
10565-static inline int
10566-__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
10567+static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
10568 {
10569 might_sleep();
10570+
10571+ if ((int)size < 0)
10572+ return size;
10573+
10574+#ifdef CONFIG_PAX_MEMORY_UDEREF
10575+ if (!__access_ok(VERIFY_READ, src, size))
10576+ return size;
10577+#endif
10578+
10579 return __copy_user_nocache(dst, src, size, 1);
10580 }
10581
10582-static inline int
10583-__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
10584+static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
10585 unsigned size)
10586 {
10587+ if ((int)size < 0)
10588+ return size;
10589+
10590+#ifdef CONFIG_PAX_MEMORY_UDEREF
10591+ if (!__access_ok(VERIFY_READ, src, size))
10592+ return size;
10593+#endif
10594+
10595 return __copy_user_nocache(dst, src, size, 0);
10596 }
10597
10598-unsigned long
10599-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
10600+extern unsigned long
10601+copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest);
10602
10603 #endif /* _ASM_X86_UACCESS_64_H */
10604diff -urNp linux-3.0.7/arch/x86/include/asm/vdso.h linux-3.0.7/arch/x86/include/asm/vdso.h
10605--- linux-3.0.7/arch/x86/include/asm/vdso.h 2011-07-21 22:17:23.000000000 -0400
10606+++ linux-3.0.7/arch/x86/include/asm/vdso.h 2011-10-06 04:17:55.000000000 -0400
10607@@ -11,7 +11,7 @@ extern const char VDSO32_PRELINK[];
10608 #define VDSO32_SYMBOL(base, name) \
10609 ({ \
10610 extern const char VDSO32_##name[]; \
10611- (void *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
10612+ (void __user *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
10613 })
10614 #endif
10615
10616diff -urNp linux-3.0.7/arch/x86/include/asm/x86_init.h linux-3.0.7/arch/x86/include/asm/x86_init.h
10617--- linux-3.0.7/arch/x86/include/asm/x86_init.h 2011-07-21 22:17:23.000000000 -0400
10618+++ linux-3.0.7/arch/x86/include/asm/x86_init.h 2011-08-23 21:47:55.000000000 -0400
10619@@ -28,7 +28,7 @@ struct x86_init_mpparse {
10620 void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name);
10621 void (*find_smp_config)(void);
10622 void (*get_smp_config)(unsigned int early);
10623-};
10624+} __no_const;
10625
10626 /**
10627 * struct x86_init_resources - platform specific resource related ops
10628@@ -42,7 +42,7 @@ struct x86_init_resources {
10629 void (*probe_roms)(void);
10630 void (*reserve_resources)(void);
10631 char *(*memory_setup)(void);
10632-};
10633+} __no_const;
10634
10635 /**
10636 * struct x86_init_irqs - platform specific interrupt setup
10637@@ -55,7 +55,7 @@ struct x86_init_irqs {
10638 void (*pre_vector_init)(void);
10639 void (*intr_init)(void);
10640 void (*trap_init)(void);
10641-};
10642+} __no_const;
10643
10644 /**
10645 * struct x86_init_oem - oem platform specific customizing functions
10646@@ -65,7 +65,7 @@ struct x86_init_irqs {
10647 struct x86_init_oem {
10648 void (*arch_setup)(void);
10649 void (*banner)(void);
10650-};
10651+} __no_const;
10652
10653 /**
10654 * struct x86_init_mapping - platform specific initial kernel pagetable setup
10655@@ -76,7 +76,7 @@ struct x86_init_oem {
10656 */
10657 struct x86_init_mapping {
10658 void (*pagetable_reserve)(u64 start, u64 end);
10659-};
10660+} __no_const;
10661
10662 /**
10663 * struct x86_init_paging - platform specific paging functions
10664@@ -86,7 +86,7 @@ struct x86_init_mapping {
10665 struct x86_init_paging {
10666 void (*pagetable_setup_start)(pgd_t *base);
10667 void (*pagetable_setup_done)(pgd_t *base);
10668-};
10669+} __no_const;
10670
10671 /**
10672 * struct x86_init_timers - platform specific timer setup
10673@@ -101,7 +101,7 @@ struct x86_init_timers {
10674 void (*tsc_pre_init)(void);
10675 void (*timer_init)(void);
10676 void (*wallclock_init)(void);
10677-};
10678+} __no_const;
10679
10680 /**
10681 * struct x86_init_iommu - platform specific iommu setup
10682@@ -109,7 +109,7 @@ struct x86_init_timers {
10683 */
10684 struct x86_init_iommu {
10685 int (*iommu_init)(void);
10686-};
10687+} __no_const;
10688
10689 /**
10690 * struct x86_init_pci - platform specific pci init functions
10691@@ -123,7 +123,7 @@ struct x86_init_pci {
10692 int (*init)(void);
10693 void (*init_irq)(void);
10694 void (*fixup_irqs)(void);
10695-};
10696+} __no_const;
10697
10698 /**
10699 * struct x86_init_ops - functions for platform specific setup
10700@@ -139,7 +139,7 @@ struct x86_init_ops {
10701 struct x86_init_timers timers;
10702 struct x86_init_iommu iommu;
10703 struct x86_init_pci pci;
10704-};
10705+} __no_const;
10706
10707 /**
10708 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
10709@@ -147,7 +147,7 @@ struct x86_init_ops {
10710 */
10711 struct x86_cpuinit_ops {
10712 void (*setup_percpu_clockev)(void);
10713-};
10714+} __no_const;
10715
10716 /**
10717 * struct x86_platform_ops - platform specific runtime functions
10718@@ -166,7 +166,7 @@ struct x86_platform_ops {
10719 bool (*is_untracked_pat_range)(u64 start, u64 end);
10720 void (*nmi_init)(void);
10721 int (*i8042_detect)(void);
10722-};
10723+} __no_const;
10724
10725 struct pci_dev;
10726
10727@@ -174,7 +174,7 @@ struct x86_msi_ops {
10728 int (*setup_msi_irqs)(struct pci_dev *dev, int nvec, int type);
10729 void (*teardown_msi_irq)(unsigned int irq);
10730 void (*teardown_msi_irqs)(struct pci_dev *dev);
10731-};
10732+} __no_const;
10733
10734 extern struct x86_init_ops x86_init;
10735 extern struct x86_cpuinit_ops x86_cpuinit;
10736diff -urNp linux-3.0.7/arch/x86/include/asm/xsave.h linux-3.0.7/arch/x86/include/asm/xsave.h
10737--- linux-3.0.7/arch/x86/include/asm/xsave.h 2011-07-21 22:17:23.000000000 -0400
10738+++ linux-3.0.7/arch/x86/include/asm/xsave.h 2011-10-06 04:17:55.000000000 -0400
10739@@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10740 {
10741 int err;
10742
10743+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10744+ if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10745+ buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10746+#endif
10747+
10748 /*
10749 * Clear the xsave header first, so that reserved fields are
10750 * initialized to zero.
10751@@ -96,10 +101,15 @@ static inline int xsave_user(struct xsav
10752 static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
10753 {
10754 int err;
10755- struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
10756+ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
10757 u32 lmask = mask;
10758 u32 hmask = mask >> 32;
10759
10760+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10761+ if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10762+ xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10763+#endif
10764+
10765 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10766 "2:\n"
10767 ".section .fixup,\"ax\"\n"
10768diff -urNp linux-3.0.7/arch/x86/kernel/acpi/realmode/Makefile linux-3.0.7/arch/x86/kernel/acpi/realmode/Makefile
10769--- linux-3.0.7/arch/x86/kernel/acpi/realmode/Makefile 2011-07-21 22:17:23.000000000 -0400
10770+++ linux-3.0.7/arch/x86/kernel/acpi/realmode/Makefile 2011-08-23 21:47:55.000000000 -0400
10771@@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
10772 $(call cc-option, -fno-stack-protector) \
10773 $(call cc-option, -mpreferred-stack-boundary=2)
10774 KBUILD_CFLAGS += $(call cc-option, -m32)
10775+ifdef CONSTIFY_PLUGIN
10776+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
10777+endif
10778 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
10779 GCOV_PROFILE := n
10780
10781diff -urNp linux-3.0.7/arch/x86/kernel/acpi/realmode/wakeup.S linux-3.0.7/arch/x86/kernel/acpi/realmode/wakeup.S
10782--- linux-3.0.7/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-21 22:17:23.000000000 -0400
10783+++ linux-3.0.7/arch/x86/kernel/acpi/realmode/wakeup.S 2011-08-23 21:48:14.000000000 -0400
10784@@ -108,6 +108,9 @@ wakeup_code:
10785 /* Do any other stuff... */
10786
10787 #ifndef CONFIG_64BIT
10788+ /* Recheck NX bit overrides (64bit path does this in trampoline */
10789+ call verify_cpu
10790+
10791 /* This could also be done in C code... */
10792 movl pmode_cr3, %eax
10793 movl %eax, %cr3
10794@@ -131,6 +134,7 @@ wakeup_code:
10795 movl pmode_cr0, %eax
10796 movl %eax, %cr0
10797 jmp pmode_return
10798+# include "../../verify_cpu.S"
10799 #else
10800 pushw $0
10801 pushw trampoline_segment
10802diff -urNp linux-3.0.7/arch/x86/kernel/acpi/sleep.c linux-3.0.7/arch/x86/kernel/acpi/sleep.c
10803--- linux-3.0.7/arch/x86/kernel/acpi/sleep.c 2011-07-21 22:17:23.000000000 -0400
10804+++ linux-3.0.7/arch/x86/kernel/acpi/sleep.c 2011-08-23 21:47:55.000000000 -0400
10805@@ -94,8 +94,12 @@ int acpi_suspend_lowlevel(void)
10806 header->trampoline_segment = trampoline_address() >> 4;
10807 #ifdef CONFIG_SMP
10808 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
10809+
10810+ pax_open_kernel();
10811 early_gdt_descr.address =
10812 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10813+ pax_close_kernel();
10814+
10815 initial_gs = per_cpu_offset(smp_processor_id());
10816 #endif
10817 initial_code = (unsigned long)wakeup_long64;
10818diff -urNp linux-3.0.7/arch/x86/kernel/acpi/wakeup_32.S linux-3.0.7/arch/x86/kernel/acpi/wakeup_32.S
10819--- linux-3.0.7/arch/x86/kernel/acpi/wakeup_32.S 2011-07-21 22:17:23.000000000 -0400
10820+++ linux-3.0.7/arch/x86/kernel/acpi/wakeup_32.S 2011-08-23 21:47:55.000000000 -0400
10821@@ -30,13 +30,11 @@ wakeup_pmode_return:
10822 # and restore the stack ... but you need gdt for this to work
10823 movl saved_context_esp, %esp
10824
10825- movl %cs:saved_magic, %eax
10826- cmpl $0x12345678, %eax
10827+ cmpl $0x12345678, saved_magic
10828 jne bogus_magic
10829
10830 # jump to place where we left off
10831- movl saved_eip, %eax
10832- jmp *%eax
10833+ jmp *(saved_eip)
10834
10835 bogus_magic:
10836 jmp bogus_magic
10837diff -urNp linux-3.0.7/arch/x86/kernel/alternative.c linux-3.0.7/arch/x86/kernel/alternative.c
10838--- linux-3.0.7/arch/x86/kernel/alternative.c 2011-07-21 22:17:23.000000000 -0400
10839+++ linux-3.0.7/arch/x86/kernel/alternative.c 2011-08-23 21:47:55.000000000 -0400
10840@@ -313,7 +313,7 @@ static void alternatives_smp_lock(const
10841 if (!*poff || ptr < text || ptr >= text_end)
10842 continue;
10843 /* turn DS segment override prefix into lock prefix */
10844- if (*ptr == 0x3e)
10845+ if (*ktla_ktva(ptr) == 0x3e)
10846 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10847 };
10848 mutex_unlock(&text_mutex);
10849@@ -334,7 +334,7 @@ static void alternatives_smp_unlock(cons
10850 if (!*poff || ptr < text || ptr >= text_end)
10851 continue;
10852 /* turn lock prefix into DS segment override prefix */
10853- if (*ptr == 0xf0)
10854+ if (*ktla_ktva(ptr) == 0xf0)
10855 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10856 };
10857 mutex_unlock(&text_mutex);
10858@@ -503,7 +503,7 @@ void __init_or_module apply_paravirt(str
10859
10860 BUG_ON(p->len > MAX_PATCH_LEN);
10861 /* prep the buffer with the original instructions */
10862- memcpy(insnbuf, p->instr, p->len);
10863+ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10864 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10865 (unsigned long)p->instr, p->len);
10866
10867@@ -571,7 +571,7 @@ void __init alternative_instructions(voi
10868 if (smp_alt_once)
10869 free_init_pages("SMP alternatives",
10870 (unsigned long)__smp_locks,
10871- (unsigned long)__smp_locks_end);
10872+ PAGE_ALIGN((unsigned long)__smp_locks_end));
10873
10874 restart_nmi();
10875 }
10876@@ -588,13 +588,17 @@ void __init alternative_instructions(voi
10877 * instructions. And on the local CPU you need to be protected again NMI or MCE
10878 * handlers seeing an inconsistent instruction while you patch.
10879 */
10880-void *__init_or_module text_poke_early(void *addr, const void *opcode,
10881+void *__kprobes text_poke_early(void *addr, const void *opcode,
10882 size_t len)
10883 {
10884 unsigned long flags;
10885 local_irq_save(flags);
10886- memcpy(addr, opcode, len);
10887+
10888+ pax_open_kernel();
10889+ memcpy(ktla_ktva(addr), opcode, len);
10890 sync_core();
10891+ pax_close_kernel();
10892+
10893 local_irq_restore(flags);
10894 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10895 that causes hangs on some VIA CPUs. */
10896@@ -616,36 +620,22 @@ void *__init_or_module text_poke_early(v
10897 */
10898 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10899 {
10900- unsigned long flags;
10901- char *vaddr;
10902+ unsigned char *vaddr = ktla_ktva(addr);
10903 struct page *pages[2];
10904- int i;
10905+ size_t i;
10906
10907 if (!core_kernel_text((unsigned long)addr)) {
10908- pages[0] = vmalloc_to_page(addr);
10909- pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10910+ pages[0] = vmalloc_to_page(vaddr);
10911+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10912 } else {
10913- pages[0] = virt_to_page(addr);
10914+ pages[0] = virt_to_page(vaddr);
10915 WARN_ON(!PageReserved(pages[0]));
10916- pages[1] = virt_to_page(addr + PAGE_SIZE);
10917+ pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10918 }
10919 BUG_ON(!pages[0]);
10920- local_irq_save(flags);
10921- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10922- if (pages[1])
10923- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10924- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10925- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10926- clear_fixmap(FIX_TEXT_POKE0);
10927- if (pages[1])
10928- clear_fixmap(FIX_TEXT_POKE1);
10929- local_flush_tlb();
10930- sync_core();
10931- /* Could also do a CLFLUSH here to speed up CPU recovery; but
10932- that causes hangs on some VIA CPUs. */
10933+ text_poke_early(addr, opcode, len);
10934 for (i = 0; i < len; i++)
10935- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10936- local_irq_restore(flags);
10937+ BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
10938 return addr;
10939 }
10940
10941diff -urNp linux-3.0.7/arch/x86/kernel/apic/apic.c linux-3.0.7/arch/x86/kernel/apic/apic.c
10942--- linux-3.0.7/arch/x86/kernel/apic/apic.c 2011-07-21 22:17:23.000000000 -0400
10943+++ linux-3.0.7/arch/x86/kernel/apic/apic.c 2011-08-23 21:48:14.000000000 -0400
10944@@ -173,7 +173,7 @@ int first_system_vector = 0xfe;
10945 /*
10946 * Debug level, exported for io_apic.c
10947 */
10948-unsigned int apic_verbosity;
10949+int apic_verbosity;
10950
10951 int pic_mode;
10952
10953@@ -1834,7 +1834,7 @@ void smp_error_interrupt(struct pt_regs
10954 apic_write(APIC_ESR, 0);
10955 v1 = apic_read(APIC_ESR);
10956 ack_APIC_irq();
10957- atomic_inc(&irq_err_count);
10958+ atomic_inc_unchecked(&irq_err_count);
10959
10960 apic_printk(APIC_DEBUG, KERN_DEBUG "APIC error on CPU%d: %02x(%02x)",
10961 smp_processor_id(), v0 , v1);
10962@@ -2190,6 +2190,8 @@ static int __cpuinit apic_cluster_num(vo
10963 u16 *bios_cpu_apicid;
10964 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
10965
10966+ pax_track_stack();
10967+
10968 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
10969 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
10970
10971diff -urNp linux-3.0.7/arch/x86/kernel/apic/io_apic.c linux-3.0.7/arch/x86/kernel/apic/io_apic.c
10972--- linux-3.0.7/arch/x86/kernel/apic/io_apic.c 2011-07-21 22:17:23.000000000 -0400
10973+++ linux-3.0.7/arch/x86/kernel/apic/io_apic.c 2011-08-23 21:47:55.000000000 -0400
10974@@ -1028,7 +1028,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10975 }
10976 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10977
10978-void lock_vector_lock(void)
10979+void lock_vector_lock(void) __acquires(vector_lock)
10980 {
10981 /* Used to the online set of cpus does not change
10982 * during assign_irq_vector.
10983@@ -1036,7 +1036,7 @@ void lock_vector_lock(void)
10984 raw_spin_lock(&vector_lock);
10985 }
10986
10987-void unlock_vector_lock(void)
10988+void unlock_vector_lock(void) __releases(vector_lock)
10989 {
10990 raw_spin_unlock(&vector_lock);
10991 }
10992@@ -2364,7 +2364,7 @@ static void ack_apic_edge(struct irq_dat
10993 ack_APIC_irq();
10994 }
10995
10996-atomic_t irq_mis_count;
10997+atomic_unchecked_t irq_mis_count;
10998
10999 /*
11000 * IO-APIC versions below 0x20 don't support EOI register.
11001@@ -2472,7 +2472,7 @@ static void ack_apic_level(struct irq_da
11002 * at the cpu.
11003 */
11004 if (!(v & (1 << (i & 0x1f)))) {
11005- atomic_inc(&irq_mis_count);
11006+ atomic_inc_unchecked(&irq_mis_count);
11007
11008 eoi_ioapic_irq(irq, cfg);
11009 }
11010diff -urNp linux-3.0.7/arch/x86/kernel/apm_32.c linux-3.0.7/arch/x86/kernel/apm_32.c
11011--- linux-3.0.7/arch/x86/kernel/apm_32.c 2011-07-21 22:17:23.000000000 -0400
11012+++ linux-3.0.7/arch/x86/kernel/apm_32.c 2011-08-23 21:47:55.000000000 -0400
11013@@ -413,7 +413,7 @@ static DEFINE_MUTEX(apm_mutex);
11014 * This is for buggy BIOS's that refer to (real mode) segment 0x40
11015 * even though they are called in protected mode.
11016 */
11017-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
11018+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
11019 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
11020
11021 static const char driver_version[] = "1.16ac"; /* no spaces */
11022@@ -591,7 +591,10 @@ static long __apm_bios_call(void *_call)
11023 BUG_ON(cpu != 0);
11024 gdt = get_cpu_gdt_table(cpu);
11025 save_desc_40 = gdt[0x40 / 8];
11026+
11027+ pax_open_kernel();
11028 gdt[0x40 / 8] = bad_bios_desc;
11029+ pax_close_kernel();
11030
11031 apm_irq_save(flags);
11032 APM_DO_SAVE_SEGS;
11033@@ -600,7 +603,11 @@ static long __apm_bios_call(void *_call)
11034 &call->esi);
11035 APM_DO_RESTORE_SEGS;
11036 apm_irq_restore(flags);
11037+
11038+ pax_open_kernel();
11039 gdt[0x40 / 8] = save_desc_40;
11040+ pax_close_kernel();
11041+
11042 put_cpu();
11043
11044 return call->eax & 0xff;
11045@@ -667,7 +674,10 @@ static long __apm_bios_call_simple(void
11046 BUG_ON(cpu != 0);
11047 gdt = get_cpu_gdt_table(cpu);
11048 save_desc_40 = gdt[0x40 / 8];
11049+
11050+ pax_open_kernel();
11051 gdt[0x40 / 8] = bad_bios_desc;
11052+ pax_close_kernel();
11053
11054 apm_irq_save(flags);
11055 APM_DO_SAVE_SEGS;
11056@@ -675,7 +685,11 @@ static long __apm_bios_call_simple(void
11057 &call->eax);
11058 APM_DO_RESTORE_SEGS;
11059 apm_irq_restore(flags);
11060+
11061+ pax_open_kernel();
11062 gdt[0x40 / 8] = save_desc_40;
11063+ pax_close_kernel();
11064+
11065 put_cpu();
11066 return error;
11067 }
11068@@ -2349,12 +2363,15 @@ static int __init apm_init(void)
11069 * code to that CPU.
11070 */
11071 gdt = get_cpu_gdt_table(0);
11072+
11073+ pax_open_kernel();
11074 set_desc_base(&gdt[APM_CS >> 3],
11075 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
11076 set_desc_base(&gdt[APM_CS_16 >> 3],
11077 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
11078 set_desc_base(&gdt[APM_DS >> 3],
11079 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
11080+ pax_close_kernel();
11081
11082 proc_create("apm", 0, NULL, &apm_file_ops);
11083
11084diff -urNp linux-3.0.7/arch/x86/kernel/asm-offsets.c linux-3.0.7/arch/x86/kernel/asm-offsets.c
11085--- linux-3.0.7/arch/x86/kernel/asm-offsets.c 2011-07-21 22:17:23.000000000 -0400
11086+++ linux-3.0.7/arch/x86/kernel/asm-offsets.c 2011-08-23 21:47:55.000000000 -0400
11087@@ -33,6 +33,8 @@ void common(void) {
11088 OFFSET(TI_status, thread_info, status);
11089 OFFSET(TI_addr_limit, thread_info, addr_limit);
11090 OFFSET(TI_preempt_count, thread_info, preempt_count);
11091+ OFFSET(TI_lowest_stack, thread_info, lowest_stack);
11092+ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
11093
11094 BLANK();
11095 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
11096@@ -53,8 +55,26 @@ void common(void) {
11097 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
11098 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
11099 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
11100+
11101+#ifdef CONFIG_PAX_KERNEXEC
11102+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
11103+#endif
11104+
11105+#ifdef CONFIG_PAX_MEMORY_UDEREF
11106+ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
11107+ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
11108+#ifdef CONFIG_X86_64
11109+ OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
11110+#endif
11111 #endif
11112
11113+#endif
11114+
11115+ BLANK();
11116+ DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
11117+ DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
11118+ DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
11119+
11120 #ifdef CONFIG_XEN
11121 BLANK();
11122 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
11123diff -urNp linux-3.0.7/arch/x86/kernel/asm-offsets_64.c linux-3.0.7/arch/x86/kernel/asm-offsets_64.c
11124--- linux-3.0.7/arch/x86/kernel/asm-offsets_64.c 2011-07-21 22:17:23.000000000 -0400
11125+++ linux-3.0.7/arch/x86/kernel/asm-offsets_64.c 2011-08-23 21:47:55.000000000 -0400
11126@@ -69,6 +69,7 @@ int main(void)
11127 BLANK();
11128 #undef ENTRY
11129
11130+ DEFINE(TSS_size, sizeof(struct tss_struct));
11131 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
11132 BLANK();
11133
11134diff -urNp linux-3.0.7/arch/x86/kernel/cpu/Makefile linux-3.0.7/arch/x86/kernel/cpu/Makefile
11135--- linux-3.0.7/arch/x86/kernel/cpu/Makefile 2011-07-21 22:17:23.000000000 -0400
11136+++ linux-3.0.7/arch/x86/kernel/cpu/Makefile 2011-08-23 21:47:55.000000000 -0400
11137@@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
11138 CFLAGS_REMOVE_perf_event.o = -pg
11139 endif
11140
11141-# Make sure load_percpu_segment has no stackprotector
11142-nostackp := $(call cc-option, -fno-stack-protector)
11143-CFLAGS_common.o := $(nostackp)
11144-
11145 obj-y := intel_cacheinfo.o scattered.o topology.o
11146 obj-y += proc.o capflags.o powerflags.o common.o
11147 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
11148diff -urNp linux-3.0.7/arch/x86/kernel/cpu/amd.c linux-3.0.7/arch/x86/kernel/cpu/amd.c
11149--- linux-3.0.7/arch/x86/kernel/cpu/amd.c 2011-07-21 22:17:23.000000000 -0400
11150+++ linux-3.0.7/arch/x86/kernel/cpu/amd.c 2011-08-23 21:47:55.000000000 -0400
11151@@ -647,7 +647,7 @@ static unsigned int __cpuinit amd_size_c
11152 unsigned int size)
11153 {
11154 /* AMD errata T13 (order #21922) */
11155- if ((c->x86 == 6)) {
11156+ if (c->x86 == 6) {
11157 /* Duron Rev A0 */
11158 if (c->x86_model == 3 && c->x86_mask == 0)
11159 size = 64;
11160diff -urNp linux-3.0.7/arch/x86/kernel/cpu/common.c linux-3.0.7/arch/x86/kernel/cpu/common.c
11161--- linux-3.0.7/arch/x86/kernel/cpu/common.c 2011-07-21 22:17:23.000000000 -0400
11162+++ linux-3.0.7/arch/x86/kernel/cpu/common.c 2011-08-23 21:47:55.000000000 -0400
11163@@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
11164
11165 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
11166
11167-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
11168-#ifdef CONFIG_X86_64
11169- /*
11170- * We need valid kernel segments for data and code in long mode too
11171- * IRET will check the segment types kkeil 2000/10/28
11172- * Also sysret mandates a special GDT layout
11173- *
11174- * TLS descriptors are currently at a different place compared to i386.
11175- * Hopefully nobody expects them at a fixed place (Wine?)
11176- */
11177- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
11178- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
11179- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
11180- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
11181- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
11182- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
11183-#else
11184- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
11185- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
11186- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
11187- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
11188- /*
11189- * Segments used for calling PnP BIOS have byte granularity.
11190- * They code segments and data segments have fixed 64k limits,
11191- * the transfer segment sizes are set at run time.
11192- */
11193- /* 32-bit code */
11194- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
11195- /* 16-bit code */
11196- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
11197- /* 16-bit data */
11198- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
11199- /* 16-bit data */
11200- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
11201- /* 16-bit data */
11202- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
11203- /*
11204- * The APM segments have byte granularity and their bases
11205- * are set at run time. All have 64k limits.
11206- */
11207- /* 32-bit code */
11208- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
11209- /* 16-bit code */
11210- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
11211- /* data */
11212- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
11213-
11214- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
11215- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
11216- GDT_STACK_CANARY_INIT
11217-#endif
11218-} };
11219-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
11220-
11221 static int __init x86_xsave_setup(char *s)
11222 {
11223 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
11224@@ -371,7 +317,7 @@ void switch_to_new_gdt(int cpu)
11225 {
11226 struct desc_ptr gdt_descr;
11227
11228- gdt_descr.address = (long)get_cpu_gdt_table(cpu);
11229+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
11230 gdt_descr.size = GDT_SIZE - 1;
11231 load_gdt(&gdt_descr);
11232 /* Reload the per-cpu base */
11233@@ -840,6 +786,10 @@ static void __cpuinit identify_cpu(struc
11234 /* Filter out anything that depends on CPUID levels we don't have */
11235 filter_cpuid_features(c, true);
11236
11237+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
11238+ setup_clear_cpu_cap(X86_FEATURE_SEP);
11239+#endif
11240+
11241 /* If the model name is still unset, do table lookup. */
11242 if (!c->x86_model_id[0]) {
11243 const char *p;
11244@@ -1019,6 +969,9 @@ static __init int setup_disablecpuid(cha
11245 }
11246 __setup("clearcpuid=", setup_disablecpuid);
11247
11248+DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
11249+EXPORT_PER_CPU_SYMBOL(current_tinfo);
11250+
11251 #ifdef CONFIG_X86_64
11252 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
11253
11254@@ -1034,7 +987,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
11255 EXPORT_PER_CPU_SYMBOL(current_task);
11256
11257 DEFINE_PER_CPU(unsigned long, kernel_stack) =
11258- (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
11259+ (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
11260 EXPORT_PER_CPU_SYMBOL(kernel_stack);
11261
11262 DEFINE_PER_CPU(char *, irq_stack_ptr) =
11263@@ -1099,7 +1052,7 @@ struct pt_regs * __cpuinit idle_regs(str
11264 {
11265 memset(regs, 0, sizeof(struct pt_regs));
11266 regs->fs = __KERNEL_PERCPU;
11267- regs->gs = __KERNEL_STACK_CANARY;
11268+ savesegment(gs, regs->gs);
11269
11270 return regs;
11271 }
11272@@ -1154,7 +1107,7 @@ void __cpuinit cpu_init(void)
11273 int i;
11274
11275 cpu = stack_smp_processor_id();
11276- t = &per_cpu(init_tss, cpu);
11277+ t = init_tss + cpu;
11278 oist = &per_cpu(orig_ist, cpu);
11279
11280 #ifdef CONFIG_NUMA
11281@@ -1180,7 +1133,7 @@ void __cpuinit cpu_init(void)
11282 switch_to_new_gdt(cpu);
11283 loadsegment(fs, 0);
11284
11285- load_idt((const struct desc_ptr *)&idt_descr);
11286+ load_idt(&idt_descr);
11287
11288 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
11289 syscall_init();
11290@@ -1189,7 +1142,6 @@ void __cpuinit cpu_init(void)
11291 wrmsrl(MSR_KERNEL_GS_BASE, 0);
11292 barrier();
11293
11294- x86_configure_nx();
11295 if (cpu != 0)
11296 enable_x2apic();
11297
11298@@ -1243,7 +1195,7 @@ void __cpuinit cpu_init(void)
11299 {
11300 int cpu = smp_processor_id();
11301 struct task_struct *curr = current;
11302- struct tss_struct *t = &per_cpu(init_tss, cpu);
11303+ struct tss_struct *t = init_tss + cpu;
11304 struct thread_struct *thread = &curr->thread;
11305
11306 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
11307diff -urNp linux-3.0.7/arch/x86/kernel/cpu/intel.c linux-3.0.7/arch/x86/kernel/cpu/intel.c
11308--- linux-3.0.7/arch/x86/kernel/cpu/intel.c 2011-09-02 18:11:26.000000000 -0400
11309+++ linux-3.0.7/arch/x86/kernel/cpu/intel.c 2011-08-29 23:30:14.000000000 -0400
11310@@ -172,7 +172,7 @@ static void __cpuinit trap_init_f00f_bug
11311 * Update the IDT descriptor and reload the IDT so that
11312 * it uses the read-only mapped virtual address.
11313 */
11314- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
11315+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
11316 load_idt(&idt_descr);
11317 }
11318 #endif
11319diff -urNp linux-3.0.7/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-3.0.7/arch/x86/kernel/cpu/mcheck/mce-inject.c
11320--- linux-3.0.7/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-07-21 22:17:23.000000000 -0400
11321+++ linux-3.0.7/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-08-23 21:47:55.000000000 -0400
11322@@ -215,7 +215,9 @@ static int inject_init(void)
11323 if (!alloc_cpumask_var(&mce_inject_cpumask, GFP_KERNEL))
11324 return -ENOMEM;
11325 printk(KERN_INFO "Machine check injector initialized\n");
11326- mce_chrdev_ops.write = mce_write;
11327+ pax_open_kernel();
11328+ *(void **)&mce_chrdev_ops.write = mce_write;
11329+ pax_close_kernel();
11330 register_die_notifier(&mce_raise_nb);
11331 return 0;
11332 }
11333diff -urNp linux-3.0.7/arch/x86/kernel/cpu/mcheck/mce.c linux-3.0.7/arch/x86/kernel/cpu/mcheck/mce.c
11334--- linux-3.0.7/arch/x86/kernel/cpu/mcheck/mce.c 2011-07-21 22:17:23.000000000 -0400
11335+++ linux-3.0.7/arch/x86/kernel/cpu/mcheck/mce.c 2011-08-23 21:47:55.000000000 -0400
11336@@ -46,6 +46,7 @@
11337 #include <asm/ipi.h>
11338 #include <asm/mce.h>
11339 #include <asm/msr.h>
11340+#include <asm/local.h>
11341
11342 #include "mce-internal.h"
11343
11344@@ -208,7 +209,7 @@ static void print_mce(struct mce *m)
11345 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
11346 m->cs, m->ip);
11347
11348- if (m->cs == __KERNEL_CS)
11349+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
11350 print_symbol("{%s}", m->ip);
11351 pr_cont("\n");
11352 }
11353@@ -236,10 +237,10 @@ static void print_mce(struct mce *m)
11354
11355 #define PANIC_TIMEOUT 5 /* 5 seconds */
11356
11357-static atomic_t mce_paniced;
11358+static atomic_unchecked_t mce_paniced;
11359
11360 static int fake_panic;
11361-static atomic_t mce_fake_paniced;
11362+static atomic_unchecked_t mce_fake_paniced;
11363
11364 /* Panic in progress. Enable interrupts and wait for final IPI */
11365 static void wait_for_panic(void)
11366@@ -263,7 +264,7 @@ static void mce_panic(char *msg, struct
11367 /*
11368 * Make sure only one CPU runs in machine check panic
11369 */
11370- if (atomic_inc_return(&mce_paniced) > 1)
11371+ if (atomic_inc_return_unchecked(&mce_paniced) > 1)
11372 wait_for_panic();
11373 barrier();
11374
11375@@ -271,7 +272,7 @@ static void mce_panic(char *msg, struct
11376 console_verbose();
11377 } else {
11378 /* Don't log too much for fake panic */
11379- if (atomic_inc_return(&mce_fake_paniced) > 1)
11380+ if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
11381 return;
11382 }
11383 /* First print corrected ones that are still unlogged */
11384@@ -638,7 +639,7 @@ static int mce_timed_out(u64 *t)
11385 * might have been modified by someone else.
11386 */
11387 rmb();
11388- if (atomic_read(&mce_paniced))
11389+ if (atomic_read_unchecked(&mce_paniced))
11390 wait_for_panic();
11391 if (!monarch_timeout)
11392 goto out;
11393@@ -1452,14 +1453,14 @@ void __cpuinit mcheck_cpu_init(struct cp
11394 */
11395
11396 static DEFINE_SPINLOCK(mce_state_lock);
11397-static int open_count; /* #times opened */
11398+static local_t open_count; /* #times opened */
11399 static int open_exclu; /* already open exclusive? */
11400
11401 static int mce_open(struct inode *inode, struct file *file)
11402 {
11403 spin_lock(&mce_state_lock);
11404
11405- if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
11406+ if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
11407 spin_unlock(&mce_state_lock);
11408
11409 return -EBUSY;
11410@@ -1467,7 +1468,7 @@ static int mce_open(struct inode *inode,
11411
11412 if (file->f_flags & O_EXCL)
11413 open_exclu = 1;
11414- open_count++;
11415+ local_inc(&open_count);
11416
11417 spin_unlock(&mce_state_lock);
11418
11419@@ -1478,7 +1479,7 @@ static int mce_release(struct inode *ino
11420 {
11421 spin_lock(&mce_state_lock);
11422
11423- open_count--;
11424+ local_dec(&open_count);
11425 open_exclu = 0;
11426
11427 spin_unlock(&mce_state_lock);
11428@@ -2163,7 +2164,7 @@ struct dentry *mce_get_debugfs_dir(void)
11429 static void mce_reset(void)
11430 {
11431 cpu_missing = 0;
11432- atomic_set(&mce_fake_paniced, 0);
11433+ atomic_set_unchecked(&mce_fake_paniced, 0);
11434 atomic_set(&mce_executing, 0);
11435 atomic_set(&mce_callin, 0);
11436 atomic_set(&global_nwo, 0);
11437diff -urNp linux-3.0.7/arch/x86/kernel/cpu/mtrr/main.c linux-3.0.7/arch/x86/kernel/cpu/mtrr/main.c
11438--- linux-3.0.7/arch/x86/kernel/cpu/mtrr/main.c 2011-09-02 18:11:26.000000000 -0400
11439+++ linux-3.0.7/arch/x86/kernel/cpu/mtrr/main.c 2011-08-29 23:26:21.000000000 -0400
11440@@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
11441 u64 size_or_mask, size_and_mask;
11442 static bool mtrr_aps_delayed_init;
11443
11444-static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
11445+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
11446
11447 const struct mtrr_ops *mtrr_if;
11448
11449diff -urNp linux-3.0.7/arch/x86/kernel/cpu/mtrr/mtrr.h linux-3.0.7/arch/x86/kernel/cpu/mtrr/mtrr.h
11450--- linux-3.0.7/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-07-21 22:17:23.000000000 -0400
11451+++ linux-3.0.7/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-08-26 19:49:56.000000000 -0400
11452@@ -25,7 +25,7 @@ struct mtrr_ops {
11453 int (*validate_add_page)(unsigned long base, unsigned long size,
11454 unsigned int type);
11455 int (*have_wrcomb)(void);
11456-};
11457+} __do_const;
11458
11459 extern int generic_get_free_region(unsigned long base, unsigned long size,
11460 int replace_reg);
11461diff -urNp linux-3.0.7/arch/x86/kernel/cpu/perf_event.c linux-3.0.7/arch/x86/kernel/cpu/perf_event.c
11462--- linux-3.0.7/arch/x86/kernel/cpu/perf_event.c 2011-10-16 21:54:53.000000000 -0400
11463+++ linux-3.0.7/arch/x86/kernel/cpu/perf_event.c 2011-10-16 21:55:27.000000000 -0400
11464@@ -781,6 +781,8 @@ static int x86_schedule_events(struct cp
11465 int i, j, w, wmax, num = 0;
11466 struct hw_perf_event *hwc;
11467
11468+ pax_track_stack();
11469+
11470 bitmap_zero(used_mask, X86_PMC_IDX_MAX);
11471
11472 for (i = 0; i < n; i++) {
11473@@ -1875,7 +1877,7 @@ perf_callchain_user(struct perf_callchai
11474 break;
11475
11476 perf_callchain_store(entry, frame.return_address);
11477- fp = frame.next_frame;
11478+ fp = (const void __force_user *)frame.next_frame;
11479 }
11480 }
11481
11482diff -urNp linux-3.0.7/arch/x86/kernel/crash.c linux-3.0.7/arch/x86/kernel/crash.c
11483--- linux-3.0.7/arch/x86/kernel/crash.c 2011-07-21 22:17:23.000000000 -0400
11484+++ linux-3.0.7/arch/x86/kernel/crash.c 2011-08-23 21:47:55.000000000 -0400
11485@@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
11486 regs = args->regs;
11487
11488 #ifdef CONFIG_X86_32
11489- if (!user_mode_vm(regs)) {
11490+ if (!user_mode(regs)) {
11491 crash_fixup_ss_esp(&fixed_regs, regs);
11492 regs = &fixed_regs;
11493 }
11494diff -urNp linux-3.0.7/arch/x86/kernel/doublefault_32.c linux-3.0.7/arch/x86/kernel/doublefault_32.c
11495--- linux-3.0.7/arch/x86/kernel/doublefault_32.c 2011-07-21 22:17:23.000000000 -0400
11496+++ linux-3.0.7/arch/x86/kernel/doublefault_32.c 2011-08-23 21:47:55.000000000 -0400
11497@@ -11,7 +11,7 @@
11498
11499 #define DOUBLEFAULT_STACKSIZE (1024)
11500 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
11501-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
11502+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
11503
11504 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
11505
11506@@ -21,7 +21,7 @@ static void doublefault_fn(void)
11507 unsigned long gdt, tss;
11508
11509 store_gdt(&gdt_desc);
11510- gdt = gdt_desc.address;
11511+ gdt = (unsigned long)gdt_desc.address;
11512
11513 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
11514
11515@@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
11516 /* 0x2 bit is always set */
11517 .flags = X86_EFLAGS_SF | 0x2,
11518 .sp = STACK_START,
11519- .es = __USER_DS,
11520+ .es = __KERNEL_DS,
11521 .cs = __KERNEL_CS,
11522 .ss = __KERNEL_DS,
11523- .ds = __USER_DS,
11524+ .ds = __KERNEL_DS,
11525 .fs = __KERNEL_PERCPU,
11526
11527 .__cr3 = __pa_nodebug(swapper_pg_dir),
11528diff -urNp linux-3.0.7/arch/x86/kernel/dumpstack.c linux-3.0.7/arch/x86/kernel/dumpstack.c
11529--- linux-3.0.7/arch/x86/kernel/dumpstack.c 2011-07-21 22:17:23.000000000 -0400
11530+++ linux-3.0.7/arch/x86/kernel/dumpstack.c 2011-08-23 21:48:14.000000000 -0400
11531@@ -2,6 +2,9 @@
11532 * Copyright (C) 1991, 1992 Linus Torvalds
11533 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11534 */
11535+#ifdef CONFIG_GRKERNSEC_HIDESYM
11536+#define __INCLUDED_BY_HIDESYM 1
11537+#endif
11538 #include <linux/kallsyms.h>
11539 #include <linux/kprobes.h>
11540 #include <linux/uaccess.h>
11541@@ -35,9 +38,8 @@ void printk_address(unsigned long addres
11542 static void
11543 print_ftrace_graph_addr(unsigned long addr, void *data,
11544 const struct stacktrace_ops *ops,
11545- struct thread_info *tinfo, int *graph)
11546+ struct task_struct *task, int *graph)
11547 {
11548- struct task_struct *task = tinfo->task;
11549 unsigned long ret_addr;
11550 int index = task->curr_ret_stack;
11551
11552@@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
11553 static inline void
11554 print_ftrace_graph_addr(unsigned long addr, void *data,
11555 const struct stacktrace_ops *ops,
11556- struct thread_info *tinfo, int *graph)
11557+ struct task_struct *task, int *graph)
11558 { }
11559 #endif
11560
11561@@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
11562 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
11563 */
11564
11565-static inline int valid_stack_ptr(struct thread_info *tinfo,
11566- void *p, unsigned int size, void *end)
11567+static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
11568 {
11569- void *t = tinfo;
11570 if (end) {
11571 if (p < end && p >= (end-THREAD_SIZE))
11572 return 1;
11573@@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
11574 }
11575
11576 unsigned long
11577-print_context_stack(struct thread_info *tinfo,
11578+print_context_stack(struct task_struct *task, void *stack_start,
11579 unsigned long *stack, unsigned long bp,
11580 const struct stacktrace_ops *ops, void *data,
11581 unsigned long *end, int *graph)
11582 {
11583 struct stack_frame *frame = (struct stack_frame *)bp;
11584
11585- while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
11586+ while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
11587 unsigned long addr;
11588
11589 addr = *stack;
11590@@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
11591 } else {
11592 ops->address(data, addr, 0);
11593 }
11594- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11595+ print_ftrace_graph_addr(addr, data, ops, task, graph);
11596 }
11597 stack++;
11598 }
11599@@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
11600 EXPORT_SYMBOL_GPL(print_context_stack);
11601
11602 unsigned long
11603-print_context_stack_bp(struct thread_info *tinfo,
11604+print_context_stack_bp(struct task_struct *task, void *stack_start,
11605 unsigned long *stack, unsigned long bp,
11606 const struct stacktrace_ops *ops, void *data,
11607 unsigned long *end, int *graph)
11608@@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
11609 struct stack_frame *frame = (struct stack_frame *)bp;
11610 unsigned long *ret_addr = &frame->return_address;
11611
11612- while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
11613+ while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
11614 unsigned long addr = *ret_addr;
11615
11616 if (!__kernel_text_address(addr))
11617@@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
11618 ops->address(data, addr, 1);
11619 frame = frame->next_frame;
11620 ret_addr = &frame->return_address;
11621- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11622+ print_ftrace_graph_addr(addr, data, ops, task, graph);
11623 }
11624
11625 return (unsigned long)frame;
11626@@ -186,7 +186,7 @@ void dump_stack(void)
11627
11628 bp = stack_frame(current, NULL);
11629 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
11630- current->pid, current->comm, print_tainted(),
11631+ task_pid_nr(current), current->comm, print_tainted(),
11632 init_utsname()->release,
11633 (int)strcspn(init_utsname()->version, " "),
11634 init_utsname()->version);
11635@@ -222,6 +222,8 @@ unsigned __kprobes long oops_begin(void)
11636 }
11637 EXPORT_SYMBOL_GPL(oops_begin);
11638
11639+extern void gr_handle_kernel_exploit(void);
11640+
11641 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
11642 {
11643 if (regs && kexec_should_crash(current))
11644@@ -243,7 +245,10 @@ void __kprobes oops_end(unsigned long fl
11645 panic("Fatal exception in interrupt");
11646 if (panic_on_oops)
11647 panic("Fatal exception");
11648- do_exit(signr);
11649+
11650+ gr_handle_kernel_exploit();
11651+
11652+ do_group_exit(signr);
11653 }
11654
11655 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
11656@@ -269,7 +274,7 @@ int __kprobes __die(const char *str, str
11657
11658 show_registers(regs);
11659 #ifdef CONFIG_X86_32
11660- if (user_mode_vm(regs)) {
11661+ if (user_mode(regs)) {
11662 sp = regs->sp;
11663 ss = regs->ss & 0xffff;
11664 } else {
11665@@ -297,7 +302,7 @@ void die(const char *str, struct pt_regs
11666 unsigned long flags = oops_begin();
11667 int sig = SIGSEGV;
11668
11669- if (!user_mode_vm(regs))
11670+ if (!user_mode(regs))
11671 report_bug(regs->ip, regs);
11672
11673 if (__die(str, regs, err))
11674diff -urNp linux-3.0.7/arch/x86/kernel/dumpstack_32.c linux-3.0.7/arch/x86/kernel/dumpstack_32.c
11675--- linux-3.0.7/arch/x86/kernel/dumpstack_32.c 2011-07-21 22:17:23.000000000 -0400
11676+++ linux-3.0.7/arch/x86/kernel/dumpstack_32.c 2011-08-23 21:47:55.000000000 -0400
11677@@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task
11678 bp = stack_frame(task, regs);
11679
11680 for (;;) {
11681- struct thread_info *context;
11682+ void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11683
11684- context = (struct thread_info *)
11685- ((unsigned long)stack & (~(THREAD_SIZE - 1)));
11686- bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
11687+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11688
11689- stack = (unsigned long *)context->previous_esp;
11690- if (!stack)
11691+ if (stack_start == task_stack_page(task))
11692 break;
11693+ stack = *(unsigned long **)stack_start;
11694 if (ops->stack(data, "IRQ") < 0)
11695 break;
11696 touch_nmi_watchdog();
11697@@ -96,21 +94,22 @@ void show_registers(struct pt_regs *regs
11698 * When in-kernel, we also print out the stack and code at the
11699 * time of the fault..
11700 */
11701- if (!user_mode_vm(regs)) {
11702+ if (!user_mode(regs)) {
11703 unsigned int code_prologue = code_bytes * 43 / 64;
11704 unsigned int code_len = code_bytes;
11705 unsigned char c;
11706 u8 *ip;
11707+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
11708
11709 printk(KERN_EMERG "Stack:\n");
11710 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
11711
11712 printk(KERN_EMERG "Code: ");
11713
11714- ip = (u8 *)regs->ip - code_prologue;
11715+ ip = (u8 *)regs->ip - code_prologue + cs_base;
11716 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
11717 /* try starting at IP */
11718- ip = (u8 *)regs->ip;
11719+ ip = (u8 *)regs->ip + cs_base;
11720 code_len = code_len - code_prologue + 1;
11721 }
11722 for (i = 0; i < code_len; i++, ip++) {
11723@@ -119,7 +118,7 @@ void show_registers(struct pt_regs *regs
11724 printk(" Bad EIP value.");
11725 break;
11726 }
11727- if (ip == (u8 *)regs->ip)
11728+ if (ip == (u8 *)regs->ip + cs_base)
11729 printk("<%02x> ", c);
11730 else
11731 printk("%02x ", c);
11732@@ -132,6 +131,7 @@ int is_valid_bugaddr(unsigned long ip)
11733 {
11734 unsigned short ud2;
11735
11736+ ip = ktla_ktva(ip);
11737 if (ip < PAGE_OFFSET)
11738 return 0;
11739 if (probe_kernel_address((unsigned short *)ip, ud2))
11740diff -urNp linux-3.0.7/arch/x86/kernel/dumpstack_64.c linux-3.0.7/arch/x86/kernel/dumpstack_64.c
11741--- linux-3.0.7/arch/x86/kernel/dumpstack_64.c 2011-07-21 22:17:23.000000000 -0400
11742+++ linux-3.0.7/arch/x86/kernel/dumpstack_64.c 2011-08-23 21:47:55.000000000 -0400
11743@@ -147,9 +147,9 @@ void dump_trace(struct task_struct *task
11744 unsigned long *irq_stack_end =
11745 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
11746 unsigned used = 0;
11747- struct thread_info *tinfo;
11748 int graph = 0;
11749 unsigned long dummy;
11750+ void *stack_start;
11751
11752 if (!task)
11753 task = current;
11754@@ -167,10 +167,10 @@ void dump_trace(struct task_struct *task
11755 * current stack address. If the stacks consist of nested
11756 * exceptions
11757 */
11758- tinfo = task_thread_info(task);
11759 for (;;) {
11760 char *id;
11761 unsigned long *estack_end;
11762+
11763 estack_end = in_exception_stack(cpu, (unsigned long)stack,
11764 &used, &id);
11765
11766@@ -178,7 +178,7 @@ void dump_trace(struct task_struct *task
11767 if (ops->stack(data, id) < 0)
11768 break;
11769
11770- bp = ops->walk_stack(tinfo, stack, bp, ops,
11771+ bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
11772 data, estack_end, &graph);
11773 ops->stack(data, "<EOE>");
11774 /*
11775@@ -197,7 +197,7 @@ void dump_trace(struct task_struct *task
11776 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
11777 if (ops->stack(data, "IRQ") < 0)
11778 break;
11779- bp = ops->walk_stack(tinfo, stack, bp,
11780+ bp = ops->walk_stack(task, irq_stack, stack, bp,
11781 ops, data, irq_stack_end, &graph);
11782 /*
11783 * We link to the next stack (which would be
11784@@ -218,7 +218,8 @@ void dump_trace(struct task_struct *task
11785 /*
11786 * This handles the process stack:
11787 */
11788- bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
11789+ stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11790+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11791 put_cpu();
11792 }
11793 EXPORT_SYMBOL(dump_trace);
11794diff -urNp linux-3.0.7/arch/x86/kernel/early_printk.c linux-3.0.7/arch/x86/kernel/early_printk.c
11795--- linux-3.0.7/arch/x86/kernel/early_printk.c 2011-07-21 22:17:23.000000000 -0400
11796+++ linux-3.0.7/arch/x86/kernel/early_printk.c 2011-08-23 21:48:14.000000000 -0400
11797@@ -7,6 +7,7 @@
11798 #include <linux/pci_regs.h>
11799 #include <linux/pci_ids.h>
11800 #include <linux/errno.h>
11801+#include <linux/sched.h>
11802 #include <asm/io.h>
11803 #include <asm/processor.h>
11804 #include <asm/fcntl.h>
11805@@ -179,6 +180,8 @@ asmlinkage void early_printk(const char
11806 int n;
11807 va_list ap;
11808
11809+ pax_track_stack();
11810+
11811 va_start(ap, fmt);
11812 n = vscnprintf(buf, sizeof(buf), fmt, ap);
11813 early_console->write(early_console, buf, n);
11814diff -urNp linux-3.0.7/arch/x86/kernel/entry_32.S linux-3.0.7/arch/x86/kernel/entry_32.S
11815--- linux-3.0.7/arch/x86/kernel/entry_32.S 2011-07-21 22:17:23.000000000 -0400
11816+++ linux-3.0.7/arch/x86/kernel/entry_32.S 2011-08-30 18:23:52.000000000 -0400
11817@@ -185,13 +185,146 @@
11818 /*CFI_REL_OFFSET gs, PT_GS*/
11819 .endm
11820 .macro SET_KERNEL_GS reg
11821+
11822+#ifdef CONFIG_CC_STACKPROTECTOR
11823 movl $(__KERNEL_STACK_CANARY), \reg
11824+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
11825+ movl $(__USER_DS), \reg
11826+#else
11827+ xorl \reg, \reg
11828+#endif
11829+
11830 movl \reg, %gs
11831 .endm
11832
11833 #endif /* CONFIG_X86_32_LAZY_GS */
11834
11835-.macro SAVE_ALL
11836+.macro pax_enter_kernel
11837+#ifdef CONFIG_PAX_KERNEXEC
11838+ call pax_enter_kernel
11839+#endif
11840+.endm
11841+
11842+.macro pax_exit_kernel
11843+#ifdef CONFIG_PAX_KERNEXEC
11844+ call pax_exit_kernel
11845+#endif
11846+.endm
11847+
11848+#ifdef CONFIG_PAX_KERNEXEC
11849+ENTRY(pax_enter_kernel)
11850+#ifdef CONFIG_PARAVIRT
11851+ pushl %eax
11852+ pushl %ecx
11853+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11854+ mov %eax, %esi
11855+#else
11856+ mov %cr0, %esi
11857+#endif
11858+ bts $16, %esi
11859+ jnc 1f
11860+ mov %cs, %esi
11861+ cmp $__KERNEL_CS, %esi
11862+ jz 3f
11863+ ljmp $__KERNEL_CS, $3f
11864+1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11865+2:
11866+#ifdef CONFIG_PARAVIRT
11867+ mov %esi, %eax
11868+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11869+#else
11870+ mov %esi, %cr0
11871+#endif
11872+3:
11873+#ifdef CONFIG_PARAVIRT
11874+ popl %ecx
11875+ popl %eax
11876+#endif
11877+ ret
11878+ENDPROC(pax_enter_kernel)
11879+
11880+ENTRY(pax_exit_kernel)
11881+#ifdef CONFIG_PARAVIRT
11882+ pushl %eax
11883+ pushl %ecx
11884+#endif
11885+ mov %cs, %esi
11886+ cmp $__KERNEXEC_KERNEL_CS, %esi
11887+ jnz 2f
11888+#ifdef CONFIG_PARAVIRT
11889+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11890+ mov %eax, %esi
11891+#else
11892+ mov %cr0, %esi
11893+#endif
11894+ btr $16, %esi
11895+ ljmp $__KERNEL_CS, $1f
11896+1:
11897+#ifdef CONFIG_PARAVIRT
11898+ mov %esi, %eax
11899+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11900+#else
11901+ mov %esi, %cr0
11902+#endif
11903+2:
11904+#ifdef CONFIG_PARAVIRT
11905+ popl %ecx
11906+ popl %eax
11907+#endif
11908+ ret
11909+ENDPROC(pax_exit_kernel)
11910+#endif
11911+
11912+.macro pax_erase_kstack
11913+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11914+ call pax_erase_kstack
11915+#endif
11916+.endm
11917+
11918+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11919+/*
11920+ * ebp: thread_info
11921+ * ecx, edx: can be clobbered
11922+ */
11923+ENTRY(pax_erase_kstack)
11924+ pushl %edi
11925+ pushl %eax
11926+
11927+ mov TI_lowest_stack(%ebp), %edi
11928+ mov $-0xBEEF, %eax
11929+ std
11930+
11931+1: mov %edi, %ecx
11932+ and $THREAD_SIZE_asm - 1, %ecx
11933+ shr $2, %ecx
11934+ repne scasl
11935+ jecxz 2f
11936+
11937+ cmp $2*16, %ecx
11938+ jc 2f
11939+
11940+ mov $2*16, %ecx
11941+ repe scasl
11942+ jecxz 2f
11943+ jne 1b
11944+
11945+2: cld
11946+ mov %esp, %ecx
11947+ sub %edi, %ecx
11948+ shr $2, %ecx
11949+ rep stosl
11950+
11951+ mov TI_task_thread_sp0(%ebp), %edi
11952+ sub $128, %edi
11953+ mov %edi, TI_lowest_stack(%ebp)
11954+
11955+ popl %eax
11956+ popl %edi
11957+ ret
11958+ENDPROC(pax_erase_kstack)
11959+#endif
11960+
11961+.macro __SAVE_ALL _DS
11962 cld
11963 PUSH_GS
11964 pushl_cfi %fs
11965@@ -214,7 +347,7 @@
11966 CFI_REL_OFFSET ecx, 0
11967 pushl_cfi %ebx
11968 CFI_REL_OFFSET ebx, 0
11969- movl $(__USER_DS), %edx
11970+ movl $\_DS, %edx
11971 movl %edx, %ds
11972 movl %edx, %es
11973 movl $(__KERNEL_PERCPU), %edx
11974@@ -222,6 +355,15 @@
11975 SET_KERNEL_GS %edx
11976 .endm
11977
11978+.macro SAVE_ALL
11979+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11980+ __SAVE_ALL __KERNEL_DS
11981+ pax_enter_kernel
11982+#else
11983+ __SAVE_ALL __USER_DS
11984+#endif
11985+.endm
11986+
11987 .macro RESTORE_INT_REGS
11988 popl_cfi %ebx
11989 CFI_RESTORE ebx
11990@@ -332,7 +474,15 @@ check_userspace:
11991 movb PT_CS(%esp), %al
11992 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11993 cmpl $USER_RPL, %eax
11994+
11995+#ifdef CONFIG_PAX_KERNEXEC
11996+ jae resume_userspace
11997+
11998+ PAX_EXIT_KERNEL
11999+ jmp resume_kernel
12000+#else
12001 jb resume_kernel # not returning to v8086 or userspace
12002+#endif
12003
12004 ENTRY(resume_userspace)
12005 LOCKDEP_SYS_EXIT
12006@@ -344,7 +494,7 @@ ENTRY(resume_userspace)
12007 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
12008 # int/exception return?
12009 jne work_pending
12010- jmp restore_all
12011+ jmp restore_all_pax
12012 END(ret_from_exception)
12013
12014 #ifdef CONFIG_PREEMPT
12015@@ -394,23 +544,34 @@ sysenter_past_esp:
12016 /*CFI_REL_OFFSET cs, 0*/
12017 /*
12018 * Push current_thread_info()->sysenter_return to the stack.
12019- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
12020- * pushed above; +8 corresponds to copy_thread's esp0 setting.
12021 */
12022- pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
12023+ pushl_cfi $0
12024 CFI_REL_OFFSET eip, 0
12025
12026 pushl_cfi %eax
12027 SAVE_ALL
12028+ GET_THREAD_INFO(%ebp)
12029+ movl TI_sysenter_return(%ebp),%ebp
12030+ movl %ebp,PT_EIP(%esp)
12031 ENABLE_INTERRUPTS(CLBR_NONE)
12032
12033 /*
12034 * Load the potential sixth argument from user stack.
12035 * Careful about security.
12036 */
12037+ movl PT_OLDESP(%esp),%ebp
12038+
12039+#ifdef CONFIG_PAX_MEMORY_UDEREF
12040+ mov PT_OLDSS(%esp),%ds
12041+1: movl %ds:(%ebp),%ebp
12042+ push %ss
12043+ pop %ds
12044+#else
12045 cmpl $__PAGE_OFFSET-3,%ebp
12046 jae syscall_fault
12047 1: movl (%ebp),%ebp
12048+#endif
12049+
12050 movl %ebp,PT_EBP(%esp)
12051 .section __ex_table,"a"
12052 .align 4
12053@@ -433,12 +594,24 @@ sysenter_do_call:
12054 testl $_TIF_ALLWORK_MASK, %ecx
12055 jne sysexit_audit
12056 sysenter_exit:
12057+
12058+#ifdef CONFIG_PAX_RANDKSTACK
12059+ pushl_cfi %eax
12060+ movl %esp, %eax
12061+ call pax_randomize_kstack
12062+ popl_cfi %eax
12063+#endif
12064+
12065+ pax_erase_kstack
12066+
12067 /* if something modifies registers it must also disable sysexit */
12068 movl PT_EIP(%esp), %edx
12069 movl PT_OLDESP(%esp), %ecx
12070 xorl %ebp,%ebp
12071 TRACE_IRQS_ON
12072 1: mov PT_FS(%esp), %fs
12073+2: mov PT_DS(%esp), %ds
12074+3: mov PT_ES(%esp), %es
12075 PTGS_TO_GS
12076 ENABLE_INTERRUPTS_SYSEXIT
12077
12078@@ -455,6 +628,9 @@ sysenter_audit:
12079 movl %eax,%edx /* 2nd arg: syscall number */
12080 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
12081 call audit_syscall_entry
12082+
12083+ pax_erase_kstack
12084+
12085 pushl_cfi %ebx
12086 movl PT_EAX(%esp),%eax /* reload syscall number */
12087 jmp sysenter_do_call
12088@@ -481,11 +657,17 @@ sysexit_audit:
12089
12090 CFI_ENDPROC
12091 .pushsection .fixup,"ax"
12092-2: movl $0,PT_FS(%esp)
12093+4: movl $0,PT_FS(%esp)
12094+ jmp 1b
12095+5: movl $0,PT_DS(%esp)
12096+ jmp 1b
12097+6: movl $0,PT_ES(%esp)
12098 jmp 1b
12099 .section __ex_table,"a"
12100 .align 4
12101- .long 1b,2b
12102+ .long 1b,4b
12103+ .long 2b,5b
12104+ .long 3b,6b
12105 .popsection
12106 PTGS_TO_GS_EX
12107 ENDPROC(ia32_sysenter_target)
12108@@ -518,6 +700,15 @@ syscall_exit:
12109 testl $_TIF_ALLWORK_MASK, %ecx # current->work
12110 jne syscall_exit_work
12111
12112+restore_all_pax:
12113+
12114+#ifdef CONFIG_PAX_RANDKSTACK
12115+ movl %esp, %eax
12116+ call pax_randomize_kstack
12117+#endif
12118+
12119+ pax_erase_kstack
12120+
12121 restore_all:
12122 TRACE_IRQS_IRET
12123 restore_all_notrace:
12124@@ -577,14 +768,34 @@ ldt_ss:
12125 * compensating for the offset by changing to the ESPFIX segment with
12126 * a base address that matches for the difference.
12127 */
12128-#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
12129+#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
12130 mov %esp, %edx /* load kernel esp */
12131 mov PT_OLDESP(%esp), %eax /* load userspace esp */
12132 mov %dx, %ax /* eax: new kernel esp */
12133 sub %eax, %edx /* offset (low word is 0) */
12134+#ifdef CONFIG_SMP
12135+ movl PER_CPU_VAR(cpu_number), %ebx
12136+ shll $PAGE_SHIFT_asm, %ebx
12137+ addl $cpu_gdt_table, %ebx
12138+#else
12139+ movl $cpu_gdt_table, %ebx
12140+#endif
12141 shr $16, %edx
12142- mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
12143- mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
12144+
12145+#ifdef CONFIG_PAX_KERNEXEC
12146+ mov %cr0, %esi
12147+ btr $16, %esi
12148+ mov %esi, %cr0
12149+#endif
12150+
12151+ mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
12152+ mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
12153+
12154+#ifdef CONFIG_PAX_KERNEXEC
12155+ bts $16, %esi
12156+ mov %esi, %cr0
12157+#endif
12158+
12159 pushl_cfi $__ESPFIX_SS
12160 pushl_cfi %eax /* new kernel esp */
12161 /* Disable interrupts, but do not irqtrace this section: we
12162@@ -613,29 +824,23 @@ work_resched:
12163 movl TI_flags(%ebp), %ecx
12164 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
12165 # than syscall tracing?
12166- jz restore_all
12167+ jz restore_all_pax
12168 testb $_TIF_NEED_RESCHED, %cl
12169 jnz work_resched
12170
12171 work_notifysig: # deal with pending signals and
12172 # notify-resume requests
12173+ movl %esp, %eax
12174 #ifdef CONFIG_VM86
12175 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
12176- movl %esp, %eax
12177- jne work_notifysig_v86 # returning to kernel-space or
12178+ jz 1f # returning to kernel-space or
12179 # vm86-space
12180- xorl %edx, %edx
12181- call do_notify_resume
12182- jmp resume_userspace_sig
12183
12184- ALIGN
12185-work_notifysig_v86:
12186 pushl_cfi %ecx # save ti_flags for do_notify_resume
12187 call save_v86_state # %eax contains pt_regs pointer
12188 popl_cfi %ecx
12189 movl %eax, %esp
12190-#else
12191- movl %esp, %eax
12192+1:
12193 #endif
12194 xorl %edx, %edx
12195 call do_notify_resume
12196@@ -648,6 +853,9 @@ syscall_trace_entry:
12197 movl $-ENOSYS,PT_EAX(%esp)
12198 movl %esp, %eax
12199 call syscall_trace_enter
12200+
12201+ pax_erase_kstack
12202+
12203 /* What it returned is what we'll actually use. */
12204 cmpl $(nr_syscalls), %eax
12205 jnae syscall_call
12206@@ -670,6 +878,10 @@ END(syscall_exit_work)
12207
12208 RING0_INT_FRAME # can't unwind into user space anyway
12209 syscall_fault:
12210+#ifdef CONFIG_PAX_MEMORY_UDEREF
12211+ push %ss
12212+ pop %ds
12213+#endif
12214 GET_THREAD_INFO(%ebp)
12215 movl $-EFAULT,PT_EAX(%esp)
12216 jmp resume_userspace
12217@@ -752,6 +964,36 @@ ptregs_clone:
12218 CFI_ENDPROC
12219 ENDPROC(ptregs_clone)
12220
12221+ ALIGN;
12222+ENTRY(kernel_execve)
12223+ CFI_STARTPROC
12224+ pushl_cfi %ebp
12225+ sub $PT_OLDSS+4,%esp
12226+ pushl_cfi %edi
12227+ pushl_cfi %ecx
12228+ pushl_cfi %eax
12229+ lea 3*4(%esp),%edi
12230+ mov $PT_OLDSS/4+1,%ecx
12231+ xorl %eax,%eax
12232+ rep stosl
12233+ popl_cfi %eax
12234+ popl_cfi %ecx
12235+ popl_cfi %edi
12236+ movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
12237+ pushl_cfi %esp
12238+ call sys_execve
12239+ add $4,%esp
12240+ CFI_ADJUST_CFA_OFFSET -4
12241+ GET_THREAD_INFO(%ebp)
12242+ test %eax,%eax
12243+ jz syscall_exit
12244+ add $PT_OLDSS+4,%esp
12245+ CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
12246+ popl_cfi %ebp
12247+ ret
12248+ CFI_ENDPROC
12249+ENDPROC(kernel_execve)
12250+
12251 .macro FIXUP_ESPFIX_STACK
12252 /*
12253 * Switch back for ESPFIX stack to the normal zerobased stack
12254@@ -761,8 +1003,15 @@ ENDPROC(ptregs_clone)
12255 * normal stack and adjusts ESP with the matching offset.
12256 */
12257 /* fixup the stack */
12258- mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
12259- mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
12260+#ifdef CONFIG_SMP
12261+ movl PER_CPU_VAR(cpu_number), %ebx
12262+ shll $PAGE_SHIFT_asm, %ebx
12263+ addl $cpu_gdt_table, %ebx
12264+#else
12265+ movl $cpu_gdt_table, %ebx
12266+#endif
12267+ mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
12268+ mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
12269 shl $16, %eax
12270 addl %esp, %eax /* the adjusted stack pointer */
12271 pushl_cfi $__KERNEL_DS
12272@@ -1213,7 +1462,6 @@ return_to_handler:
12273 jmp *%ecx
12274 #endif
12275
12276-.section .rodata,"a"
12277 #include "syscall_table_32.S"
12278
12279 syscall_table_size=(.-sys_call_table)
12280@@ -1259,9 +1507,12 @@ error_code:
12281 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
12282 REG_TO_PTGS %ecx
12283 SET_KERNEL_GS %ecx
12284- movl $(__USER_DS), %ecx
12285+ movl $(__KERNEL_DS), %ecx
12286 movl %ecx, %ds
12287 movl %ecx, %es
12288+
12289+ pax_enter_kernel
12290+
12291 TRACE_IRQS_OFF
12292 movl %esp,%eax # pt_regs pointer
12293 call *%edi
12294@@ -1346,6 +1597,9 @@ nmi_stack_correct:
12295 xorl %edx,%edx # zero error code
12296 movl %esp,%eax # pt_regs pointer
12297 call do_nmi
12298+
12299+ pax_exit_kernel
12300+
12301 jmp restore_all_notrace
12302 CFI_ENDPROC
12303
12304@@ -1382,6 +1636,9 @@ nmi_espfix_stack:
12305 FIXUP_ESPFIX_STACK # %eax == %esp
12306 xorl %edx,%edx # zero error code
12307 call do_nmi
12308+
12309+ pax_exit_kernel
12310+
12311 RESTORE_REGS
12312 lss 12+4(%esp), %esp # back to espfix stack
12313 CFI_ADJUST_CFA_OFFSET -24
12314diff -urNp linux-3.0.7/arch/x86/kernel/entry_64.S linux-3.0.7/arch/x86/kernel/entry_64.S
12315--- linux-3.0.7/arch/x86/kernel/entry_64.S 2011-07-21 22:17:23.000000000 -0400
12316+++ linux-3.0.7/arch/x86/kernel/entry_64.S 2011-10-11 10:44:33.000000000 -0400
12317@@ -53,6 +53,8 @@
12318 #include <asm/paravirt.h>
12319 #include <asm/ftrace.h>
12320 #include <asm/percpu.h>
12321+#include <asm/pgtable.h>
12322+#include <asm/alternative-asm.h>
12323
12324 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
12325 #include <linux/elf-em.h>
12326@@ -66,6 +68,7 @@
12327 #ifdef CONFIG_FUNCTION_TRACER
12328 #ifdef CONFIG_DYNAMIC_FTRACE
12329 ENTRY(mcount)
12330+ pax_force_retaddr
12331 retq
12332 END(mcount)
12333
12334@@ -90,6 +93,7 @@ GLOBAL(ftrace_graph_call)
12335 #endif
12336
12337 GLOBAL(ftrace_stub)
12338+ pax_force_retaddr
12339 retq
12340 END(ftrace_caller)
12341
12342@@ -110,6 +114,7 @@ ENTRY(mcount)
12343 #endif
12344
12345 GLOBAL(ftrace_stub)
12346+ pax_force_retaddr
12347 retq
12348
12349 trace:
12350@@ -119,6 +124,7 @@ trace:
12351 movq 8(%rbp), %rsi
12352 subq $MCOUNT_INSN_SIZE, %rdi
12353
12354+ pax_force_fptr ftrace_trace_function
12355 call *ftrace_trace_function
12356
12357 MCOUNT_RESTORE_FRAME
12358@@ -144,6 +150,7 @@ ENTRY(ftrace_graph_caller)
12359
12360 MCOUNT_RESTORE_FRAME
12361
12362+ pax_force_retaddr
12363 retq
12364 END(ftrace_graph_caller)
12365
12366@@ -161,6 +168,7 @@ GLOBAL(return_to_handler)
12367 movq 8(%rsp), %rdx
12368 movq (%rsp), %rax
12369 addq $24, %rsp
12370+ pax_force_fptr %rdi
12371 jmp *%rdi
12372 #endif
12373
12374@@ -176,6 +184,269 @@ ENTRY(native_usergs_sysret64)
12375 ENDPROC(native_usergs_sysret64)
12376 #endif /* CONFIG_PARAVIRT */
12377
12378+ .macro ljmpq sel, off
12379+#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
12380+ .byte 0x48; ljmp *1234f(%rip)
12381+ .pushsection .rodata
12382+ .align 16
12383+ 1234: .quad \off; .word \sel
12384+ .popsection
12385+#else
12386+ pushq $\sel
12387+ pushq $\off
12388+ lretq
12389+#endif
12390+ .endm
12391+
12392+ .macro pax_enter_kernel
12393+#ifdef CONFIG_PAX_KERNEXEC
12394+ call pax_enter_kernel
12395+#endif
12396+ .endm
12397+
12398+ .macro pax_exit_kernel
12399+#ifdef CONFIG_PAX_KERNEXEC
12400+ call pax_exit_kernel
12401+#endif
12402+ .endm
12403+
12404+#ifdef CONFIG_PAX_KERNEXEC
12405+ENTRY(pax_enter_kernel)
12406+ pushq %rdi
12407+
12408+#ifdef CONFIG_PARAVIRT
12409+ PV_SAVE_REGS(CLBR_RDI)
12410+#endif
12411+
12412+ GET_CR0_INTO_RDI
12413+ bts $16,%rdi
12414+ jnc 1f
12415+ mov %cs,%edi
12416+ cmp $__KERNEL_CS,%edi
12417+ jz 3f
12418+ ljmpq __KERNEL_CS,3f
12419+1: ljmpq __KERNEXEC_KERNEL_CS,2f
12420+2: SET_RDI_INTO_CR0
12421+3:
12422+
12423+#ifdef CONFIG_PARAVIRT
12424+ PV_RESTORE_REGS(CLBR_RDI)
12425+#endif
12426+
12427+ popq %rdi
12428+ pax_force_retaddr
12429+ retq
12430+ENDPROC(pax_enter_kernel)
12431+
12432+ENTRY(pax_exit_kernel)
12433+ pushq %rdi
12434+
12435+#ifdef CONFIG_PARAVIRT
12436+ PV_SAVE_REGS(CLBR_RDI)
12437+#endif
12438+
12439+ mov %cs,%rdi
12440+ cmp $__KERNEXEC_KERNEL_CS,%edi
12441+ jnz 2f
12442+ GET_CR0_INTO_RDI
12443+ btr $16,%rdi
12444+ ljmpq __KERNEL_CS,1f
12445+1: SET_RDI_INTO_CR0
12446+2:
12447+
12448+#ifdef CONFIG_PARAVIRT
12449+ PV_RESTORE_REGS(CLBR_RDI);
12450+#endif
12451+
12452+ popq %rdi
12453+ pax_force_retaddr
12454+ retq
12455+ENDPROC(pax_exit_kernel)
12456+#endif
12457+
12458+ .macro pax_enter_kernel_user
12459+#ifdef CONFIG_PAX_MEMORY_UDEREF
12460+ call pax_enter_kernel_user
12461+#endif
12462+ .endm
12463+
12464+ .macro pax_exit_kernel_user
12465+#ifdef CONFIG_PAX_MEMORY_UDEREF
12466+ call pax_exit_kernel_user
12467+#endif
12468+#ifdef CONFIG_PAX_RANDKSTACK
12469+ push %rax
12470+ call pax_randomize_kstack
12471+ pop %rax
12472+#endif
12473+ .endm
12474+
12475+#ifdef CONFIG_PAX_MEMORY_UDEREF
12476+ENTRY(pax_enter_kernel_user)
12477+ pushq %rdi
12478+ pushq %rbx
12479+
12480+#ifdef CONFIG_PARAVIRT
12481+ PV_SAVE_REGS(CLBR_RDI)
12482+#endif
12483+
12484+ GET_CR3_INTO_RDI
12485+ mov %rdi,%rbx
12486+ add $__START_KERNEL_map,%rbx
12487+ sub phys_base(%rip),%rbx
12488+
12489+#ifdef CONFIG_PARAVIRT
12490+ pushq %rdi
12491+ cmpl $0, pv_info+PARAVIRT_enabled
12492+ jz 1f
12493+ i = 0
12494+ .rept USER_PGD_PTRS
12495+ mov i*8(%rbx),%rsi
12496+ mov $0,%sil
12497+ lea i*8(%rbx),%rdi
12498+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
12499+ i = i + 1
12500+ .endr
12501+ jmp 2f
12502+1:
12503+#endif
12504+
12505+ i = 0
12506+ .rept USER_PGD_PTRS
12507+ movb $0,i*8(%rbx)
12508+ i = i + 1
12509+ .endr
12510+
12511+#ifdef CONFIG_PARAVIRT
12512+2: popq %rdi
12513+#endif
12514+ SET_RDI_INTO_CR3
12515+
12516+#ifdef CONFIG_PAX_KERNEXEC
12517+ GET_CR0_INTO_RDI
12518+ bts $16,%rdi
12519+ SET_RDI_INTO_CR0
12520+#endif
12521+
12522+#ifdef CONFIG_PARAVIRT
12523+ PV_RESTORE_REGS(CLBR_RDI)
12524+#endif
12525+
12526+ popq %rbx
12527+ popq %rdi
12528+ pax_force_retaddr
12529+ retq
12530+ENDPROC(pax_enter_kernel_user)
12531+
12532+ENTRY(pax_exit_kernel_user)
12533+ push %rdi
12534+
12535+#ifdef CONFIG_PARAVIRT
12536+ pushq %rbx
12537+ PV_SAVE_REGS(CLBR_RDI)
12538+#endif
12539+
12540+#ifdef CONFIG_PAX_KERNEXEC
12541+ GET_CR0_INTO_RDI
12542+ btr $16,%rdi
12543+ SET_RDI_INTO_CR0
12544+#endif
12545+
12546+ GET_CR3_INTO_RDI
12547+ add $__START_KERNEL_map,%rdi
12548+ sub phys_base(%rip),%rdi
12549+
12550+#ifdef CONFIG_PARAVIRT
12551+ cmpl $0, pv_info+PARAVIRT_enabled
12552+ jz 1f
12553+ mov %rdi,%rbx
12554+ i = 0
12555+ .rept USER_PGD_PTRS
12556+ mov i*8(%rbx),%rsi
12557+ mov $0x67,%sil
12558+ lea i*8(%rbx),%rdi
12559+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
12560+ i = i + 1
12561+ .endr
12562+ jmp 2f
12563+1:
12564+#endif
12565+
12566+ i = 0
12567+ .rept USER_PGD_PTRS
12568+ movb $0x67,i*8(%rdi)
12569+ i = i + 1
12570+ .endr
12571+
12572+#ifdef CONFIG_PARAVIRT
12573+2: PV_RESTORE_REGS(CLBR_RDI)
12574+ popq %rbx
12575+#endif
12576+
12577+ popq %rdi
12578+ pax_force_retaddr
12579+ retq
12580+ENDPROC(pax_exit_kernel_user)
12581+#endif
12582+
12583+ .macro pax_erase_kstack
12584+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12585+ call pax_erase_kstack
12586+#endif
12587+ .endm
12588+
12589+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12590+/*
12591+ * r10: thread_info
12592+ * rcx, rdx: can be clobbered
12593+ */
12594+ENTRY(pax_erase_kstack)
12595+ pushq %rdi
12596+ pushq %rax
12597+ pushq %r10
12598+
12599+ GET_THREAD_INFO(%r10)
12600+ mov TI_lowest_stack(%r10), %rdi
12601+ mov $-0xBEEF, %rax
12602+ std
12603+
12604+1: mov %edi, %ecx
12605+ and $THREAD_SIZE_asm - 1, %ecx
12606+ shr $3, %ecx
12607+ repne scasq
12608+ jecxz 2f
12609+
12610+ cmp $2*8, %ecx
12611+ jc 2f
12612+
12613+ mov $2*8, %ecx
12614+ repe scasq
12615+ jecxz 2f
12616+ jne 1b
12617+
12618+2: cld
12619+ mov %esp, %ecx
12620+ sub %edi, %ecx
12621+
12622+ cmp $THREAD_SIZE_asm, %rcx
12623+ jb 3f
12624+ ud2
12625+3:
12626+
12627+ shr $3, %ecx
12628+ rep stosq
12629+
12630+ mov TI_task_thread_sp0(%r10), %rdi
12631+ sub $256, %rdi
12632+ mov %rdi, TI_lowest_stack(%r10)
12633+
12634+ popq %r10
12635+ popq %rax
12636+ popq %rdi
12637+ pax_force_retaddr
12638+ ret
12639+ENDPROC(pax_erase_kstack)
12640+#endif
12641
12642 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
12643 #ifdef CONFIG_TRACE_IRQFLAGS
12644@@ -318,7 +589,7 @@ ENTRY(save_args)
12645 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
12646 movq_cfi rbp, 8 /* push %rbp */
12647 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
12648- testl $3, CS(%rdi)
12649+ testb $3, CS(%rdi)
12650 je 1f
12651 SWAPGS
12652 /*
12653@@ -338,6 +609,7 @@ ENTRY(save_args)
12654 * We entered an interrupt context - irqs are off:
12655 */
12656 2: TRACE_IRQS_OFF
12657+ pax_force_retaddr
12658 ret
12659 CFI_ENDPROC
12660 END(save_args)
12661@@ -354,6 +626,7 @@ ENTRY(save_rest)
12662 movq_cfi r15, R15+16
12663 movq %r11, 8(%rsp) /* return address */
12664 FIXUP_TOP_OF_STACK %r11, 16
12665+ pax_force_retaddr
12666 ret
12667 CFI_ENDPROC
12668 END(save_rest)
12669@@ -385,7 +658,8 @@ ENTRY(save_paranoid)
12670 js 1f /* negative -> in kernel */
12671 SWAPGS
12672 xorl %ebx,%ebx
12673-1: ret
12674+1: pax_force_retaddr
12675+ ret
12676 CFI_ENDPROC
12677 END(save_paranoid)
12678 .popsection
12679@@ -409,7 +683,7 @@ ENTRY(ret_from_fork)
12680
12681 RESTORE_REST
12682
12683- testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
12684+ testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
12685 je int_ret_from_sys_call
12686
12687 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
12688@@ -455,7 +729,7 @@ END(ret_from_fork)
12689 ENTRY(system_call)
12690 CFI_STARTPROC simple
12691 CFI_SIGNAL_FRAME
12692- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
12693+ CFI_DEF_CFA rsp,0
12694 CFI_REGISTER rip,rcx
12695 /*CFI_REGISTER rflags,r11*/
12696 SWAPGS_UNSAFE_STACK
12697@@ -468,12 +742,13 @@ ENTRY(system_call_after_swapgs)
12698
12699 movq %rsp,PER_CPU_VAR(old_rsp)
12700 movq PER_CPU_VAR(kernel_stack),%rsp
12701+ pax_enter_kernel_user
12702 /*
12703 * No need to follow this irqs off/on section - it's straight
12704 * and short:
12705 */
12706 ENABLE_INTERRUPTS(CLBR_NONE)
12707- SAVE_ARGS 8,1
12708+ SAVE_ARGS 8*6,1
12709 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
12710 movq %rcx,RIP-ARGOFFSET(%rsp)
12711 CFI_REL_OFFSET rip,RIP-ARGOFFSET
12712@@ -502,6 +777,8 @@ sysret_check:
12713 andl %edi,%edx
12714 jnz sysret_careful
12715 CFI_REMEMBER_STATE
12716+ pax_exit_kernel_user
12717+ pax_erase_kstack
12718 /*
12719 * sysretq will re-enable interrupts:
12720 */
12721@@ -560,6 +837,9 @@ auditsys:
12722 movq %rax,%rsi /* 2nd arg: syscall number */
12723 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
12724 call audit_syscall_entry
12725+
12726+ pax_erase_kstack
12727+
12728 LOAD_ARGS 0 /* reload call-clobbered registers */
12729 jmp system_call_fastpath
12730
12731@@ -590,6 +870,9 @@ tracesys:
12732 FIXUP_TOP_OF_STACK %rdi
12733 movq %rsp,%rdi
12734 call syscall_trace_enter
12735+
12736+ pax_erase_kstack
12737+
12738 /*
12739 * Reload arg registers from stack in case ptrace changed them.
12740 * We don't reload %rax because syscall_trace_enter() returned
12741@@ -611,7 +894,7 @@ tracesys:
12742 GLOBAL(int_ret_from_sys_call)
12743 DISABLE_INTERRUPTS(CLBR_NONE)
12744 TRACE_IRQS_OFF
12745- testl $3,CS-ARGOFFSET(%rsp)
12746+ testb $3,CS-ARGOFFSET(%rsp)
12747 je retint_restore_args
12748 movl $_TIF_ALLWORK_MASK,%edi
12749 /* edi: mask to check */
12750@@ -702,6 +985,7 @@ ENTRY(ptregscall_common)
12751 movq_cfi_restore R12+8, r12
12752 movq_cfi_restore RBP+8, rbp
12753 movq_cfi_restore RBX+8, rbx
12754+ pax_force_retaddr
12755 ret $REST_SKIP /* pop extended registers */
12756 CFI_ENDPROC
12757 END(ptregscall_common)
12758@@ -793,6 +1077,16 @@ END(interrupt)
12759 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
12760 call save_args
12761 PARTIAL_FRAME 0
12762+#ifdef CONFIG_PAX_MEMORY_UDEREF
12763+ testb $3, CS(%rdi)
12764+ jnz 1f
12765+ pax_enter_kernel
12766+ jmp 2f
12767+1: pax_enter_kernel_user
12768+2:
12769+#else
12770+ pax_enter_kernel
12771+#endif
12772 call \func
12773 .endm
12774
12775@@ -825,7 +1119,7 @@ ret_from_intr:
12776 CFI_ADJUST_CFA_OFFSET -8
12777 exit_intr:
12778 GET_THREAD_INFO(%rcx)
12779- testl $3,CS-ARGOFFSET(%rsp)
12780+ testb $3,CS-ARGOFFSET(%rsp)
12781 je retint_kernel
12782
12783 /* Interrupt came from user space */
12784@@ -847,12 +1141,16 @@ retint_swapgs: /* return to user-space
12785 * The iretq could re-enable interrupts:
12786 */
12787 DISABLE_INTERRUPTS(CLBR_ANY)
12788+ pax_exit_kernel_user
12789+ pax_erase_kstack
12790 TRACE_IRQS_IRETQ
12791 SWAPGS
12792 jmp restore_args
12793
12794 retint_restore_args: /* return to kernel space */
12795 DISABLE_INTERRUPTS(CLBR_ANY)
12796+ pax_exit_kernel
12797+ pax_force_retaddr RIP-ARGOFFSET
12798 /*
12799 * The iretq could re-enable interrupts:
12800 */
12801@@ -1027,6 +1325,16 @@ ENTRY(\sym)
12802 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12803 call error_entry
12804 DEFAULT_FRAME 0
12805+#ifdef CONFIG_PAX_MEMORY_UDEREF
12806+ testb $3, CS(%rsp)
12807+ jnz 1f
12808+ pax_enter_kernel
12809+ jmp 2f
12810+1: pax_enter_kernel_user
12811+2:
12812+#else
12813+ pax_enter_kernel
12814+#endif
12815 movq %rsp,%rdi /* pt_regs pointer */
12816 xorl %esi,%esi /* no error code */
12817 call \do_sym
12818@@ -1044,6 +1352,16 @@ ENTRY(\sym)
12819 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12820 call save_paranoid
12821 TRACE_IRQS_OFF
12822+#ifdef CONFIG_PAX_MEMORY_UDEREF
12823+ testb $3, CS(%rsp)
12824+ jnz 1f
12825+ pax_enter_kernel
12826+ jmp 2f
12827+1: pax_enter_kernel_user
12828+2:
12829+#else
12830+ pax_enter_kernel
12831+#endif
12832 movq %rsp,%rdi /* pt_regs pointer */
12833 xorl %esi,%esi /* no error code */
12834 call \do_sym
12835@@ -1052,7 +1370,7 @@ ENTRY(\sym)
12836 END(\sym)
12837 .endm
12838
12839-#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
12840+#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
12841 .macro paranoidzeroentry_ist sym do_sym ist
12842 ENTRY(\sym)
12843 INTR_FRAME
12844@@ -1062,8 +1380,24 @@ ENTRY(\sym)
12845 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12846 call save_paranoid
12847 TRACE_IRQS_OFF
12848+#ifdef CONFIG_PAX_MEMORY_UDEREF
12849+ testb $3, CS(%rsp)
12850+ jnz 1f
12851+ pax_enter_kernel
12852+ jmp 2f
12853+1: pax_enter_kernel_user
12854+2:
12855+#else
12856+ pax_enter_kernel
12857+#endif
12858 movq %rsp,%rdi /* pt_regs pointer */
12859 xorl %esi,%esi /* no error code */
12860+#ifdef CONFIG_SMP
12861+ imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
12862+ lea init_tss(%r12), %r12
12863+#else
12864+ lea init_tss(%rip), %r12
12865+#endif
12866 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12867 call \do_sym
12868 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
12869@@ -1080,6 +1414,16 @@ ENTRY(\sym)
12870 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12871 call error_entry
12872 DEFAULT_FRAME 0
12873+#ifdef CONFIG_PAX_MEMORY_UDEREF
12874+ testb $3, CS(%rsp)
12875+ jnz 1f
12876+ pax_enter_kernel
12877+ jmp 2f
12878+1: pax_enter_kernel_user
12879+2:
12880+#else
12881+ pax_enter_kernel
12882+#endif
12883 movq %rsp,%rdi /* pt_regs pointer */
12884 movq ORIG_RAX(%rsp),%rsi /* get error code */
12885 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
12886@@ -1099,6 +1443,16 @@ ENTRY(\sym)
12887 call save_paranoid
12888 DEFAULT_FRAME 0
12889 TRACE_IRQS_OFF
12890+#ifdef CONFIG_PAX_MEMORY_UDEREF
12891+ testb $3, CS(%rsp)
12892+ jnz 1f
12893+ pax_enter_kernel
12894+ jmp 2f
12895+1: pax_enter_kernel_user
12896+2:
12897+#else
12898+ pax_enter_kernel
12899+#endif
12900 movq %rsp,%rdi /* pt_regs pointer */
12901 movq ORIG_RAX(%rsp),%rsi /* get error code */
12902 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
12903@@ -1134,6 +1488,7 @@ gs_change:
12904 2: mfence /* workaround */
12905 SWAPGS
12906 popfq_cfi
12907+ pax_force_retaddr
12908 ret
12909 CFI_ENDPROC
12910 END(native_load_gs_index)
12911@@ -1158,6 +1513,7 @@ ENTRY(kernel_thread_helper)
12912 * Here we are in the child and the registers are set as they were
12913 * at kernel_thread() invocation in the parent.
12914 */
12915+ pax_force_fptr %rsi
12916 call *%rsi
12917 # exit
12918 mov %eax, %edi
12919@@ -1193,9 +1549,10 @@ ENTRY(kernel_execve)
12920 je int_ret_from_sys_call
12921 RESTORE_ARGS
12922 UNFAKE_STACK_FRAME
12923+ pax_force_retaddr
12924 ret
12925 CFI_ENDPROC
12926-END(kernel_execve)
12927+ENDPROC(kernel_execve)
12928
12929 /* Call softirq on interrupt stack. Interrupts are off. */
12930 ENTRY(call_softirq)
12931@@ -1213,9 +1570,10 @@ ENTRY(call_softirq)
12932 CFI_DEF_CFA_REGISTER rsp
12933 CFI_ADJUST_CFA_OFFSET -8
12934 decl PER_CPU_VAR(irq_count)
12935+ pax_force_retaddr
12936 ret
12937 CFI_ENDPROC
12938-END(call_softirq)
12939+ENDPROC(call_softirq)
12940
12941 #ifdef CONFIG_XEN
12942 zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
12943@@ -1361,16 +1719,31 @@ ENTRY(paranoid_exit)
12944 TRACE_IRQS_OFF
12945 testl %ebx,%ebx /* swapgs needed? */
12946 jnz paranoid_restore
12947- testl $3,CS(%rsp)
12948+ testb $3,CS(%rsp)
12949 jnz paranoid_userspace
12950+#ifdef CONFIG_PAX_MEMORY_UDEREF
12951+ pax_exit_kernel
12952+ TRACE_IRQS_IRETQ 0
12953+ SWAPGS_UNSAFE_STACK
12954+ RESTORE_ALL 8
12955+ pax_force_retaddr
12956+ jmp irq_return
12957+#endif
12958 paranoid_swapgs:
12959+#ifdef CONFIG_PAX_MEMORY_UDEREF
12960+ pax_exit_kernel_user
12961+#else
12962+ pax_exit_kernel
12963+#endif
12964 TRACE_IRQS_IRETQ 0
12965 SWAPGS_UNSAFE_STACK
12966 RESTORE_ALL 8
12967 jmp irq_return
12968 paranoid_restore:
12969+ pax_exit_kernel
12970 TRACE_IRQS_IRETQ 0
12971 RESTORE_ALL 8
12972+ pax_force_retaddr
12973 jmp irq_return
12974 paranoid_userspace:
12975 GET_THREAD_INFO(%rcx)
12976@@ -1426,12 +1799,13 @@ ENTRY(error_entry)
12977 movq_cfi r14, R14+8
12978 movq_cfi r15, R15+8
12979 xorl %ebx,%ebx
12980- testl $3,CS+8(%rsp)
12981+ testb $3,CS+8(%rsp)
12982 je error_kernelspace
12983 error_swapgs:
12984 SWAPGS
12985 error_sti:
12986 TRACE_IRQS_OFF
12987+ pax_force_retaddr
12988 ret
12989
12990 /*
12991@@ -1490,6 +1864,16 @@ ENTRY(nmi)
12992 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12993 call save_paranoid
12994 DEFAULT_FRAME 0
12995+#ifdef CONFIG_PAX_MEMORY_UDEREF
12996+ testb $3, CS(%rsp)
12997+ jnz 1f
12998+ pax_enter_kernel
12999+ jmp 2f
13000+1: pax_enter_kernel_user
13001+2:
13002+#else
13003+ pax_enter_kernel
13004+#endif
13005 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
13006 movq %rsp,%rdi
13007 movq $-1,%rsi
13008@@ -1500,12 +1884,28 @@ ENTRY(nmi)
13009 DISABLE_INTERRUPTS(CLBR_NONE)
13010 testl %ebx,%ebx /* swapgs needed? */
13011 jnz nmi_restore
13012- testl $3,CS(%rsp)
13013+ testb $3,CS(%rsp)
13014 jnz nmi_userspace
13015+#ifdef CONFIG_PAX_MEMORY_UDEREF
13016+ pax_exit_kernel
13017+ SWAPGS_UNSAFE_STACK
13018+ RESTORE_ALL 8
13019+ pax_force_retaddr
13020+ jmp irq_return
13021+#endif
13022 nmi_swapgs:
13023+#ifdef CONFIG_PAX_MEMORY_UDEREF
13024+ pax_exit_kernel_user
13025+#else
13026+ pax_exit_kernel
13027+#endif
13028 SWAPGS_UNSAFE_STACK
13029+ RESTORE_ALL 8
13030+ jmp irq_return
13031 nmi_restore:
13032+ pax_exit_kernel
13033 RESTORE_ALL 8
13034+ pax_force_retaddr
13035 jmp irq_return
13036 nmi_userspace:
13037 GET_THREAD_INFO(%rcx)
13038diff -urNp linux-3.0.7/arch/x86/kernel/ftrace.c linux-3.0.7/arch/x86/kernel/ftrace.c
13039--- linux-3.0.7/arch/x86/kernel/ftrace.c 2011-07-21 22:17:23.000000000 -0400
13040+++ linux-3.0.7/arch/x86/kernel/ftrace.c 2011-08-23 21:47:55.000000000 -0400
13041@@ -126,7 +126,7 @@ static void *mod_code_ip; /* holds the
13042 static const void *mod_code_newcode; /* holds the text to write to the IP */
13043
13044 static unsigned nmi_wait_count;
13045-static atomic_t nmi_update_count = ATOMIC_INIT(0);
13046+static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
13047
13048 int ftrace_arch_read_dyn_info(char *buf, int size)
13049 {
13050@@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf,
13051
13052 r = snprintf(buf, size, "%u %u",
13053 nmi_wait_count,
13054- atomic_read(&nmi_update_count));
13055+ atomic_read_unchecked(&nmi_update_count));
13056 return r;
13057 }
13058
13059@@ -177,8 +177,10 @@ void ftrace_nmi_enter(void)
13060
13061 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
13062 smp_rmb();
13063+ pax_open_kernel();
13064 ftrace_mod_code();
13065- atomic_inc(&nmi_update_count);
13066+ pax_close_kernel();
13067+ atomic_inc_unchecked(&nmi_update_count);
13068 }
13069 /* Must have previous changes seen before executions */
13070 smp_mb();
13071@@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
13072 {
13073 unsigned char replaced[MCOUNT_INSN_SIZE];
13074
13075+ ip = ktla_ktva(ip);
13076+
13077 /*
13078 * Note: Due to modules and __init, code can
13079 * disappear and change, we need to protect against faulting
13080@@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
13081 unsigned char old[MCOUNT_INSN_SIZE], *new;
13082 int ret;
13083
13084- memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
13085+ memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
13086 new = ftrace_call_replace(ip, (unsigned long)func);
13087 ret = ftrace_modify_code(ip, old, new);
13088
13089@@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
13090 {
13091 unsigned char code[MCOUNT_INSN_SIZE];
13092
13093+ ip = ktla_ktva(ip);
13094+
13095 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
13096 return -EFAULT;
13097
13098diff -urNp linux-3.0.7/arch/x86/kernel/head32.c linux-3.0.7/arch/x86/kernel/head32.c
13099--- linux-3.0.7/arch/x86/kernel/head32.c 2011-07-21 22:17:23.000000000 -0400
13100+++ linux-3.0.7/arch/x86/kernel/head32.c 2011-08-23 21:47:55.000000000 -0400
13101@@ -19,6 +19,7 @@
13102 #include <asm/io_apic.h>
13103 #include <asm/bios_ebda.h>
13104 #include <asm/tlbflush.h>
13105+#include <asm/boot.h>
13106
13107 static void __init i386_default_early_setup(void)
13108 {
13109@@ -33,7 +34,7 @@ void __init i386_start_kernel(void)
13110 {
13111 memblock_init();
13112
13113- memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13114+ memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13115
13116 #ifdef CONFIG_BLK_DEV_INITRD
13117 /* Reserve INITRD */
13118diff -urNp linux-3.0.7/arch/x86/kernel/head_32.S linux-3.0.7/arch/x86/kernel/head_32.S
13119--- linux-3.0.7/arch/x86/kernel/head_32.S 2011-07-21 22:17:23.000000000 -0400
13120+++ linux-3.0.7/arch/x86/kernel/head_32.S 2011-08-23 21:47:55.000000000 -0400
13121@@ -25,6 +25,12 @@
13122 /* Physical address */
13123 #define pa(X) ((X) - __PAGE_OFFSET)
13124
13125+#ifdef CONFIG_PAX_KERNEXEC
13126+#define ta(X) (X)
13127+#else
13128+#define ta(X) ((X) - __PAGE_OFFSET)
13129+#endif
13130+
13131 /*
13132 * References to members of the new_cpu_data structure.
13133 */
13134@@ -54,11 +60,7 @@
13135 * and small than max_low_pfn, otherwise will waste some page table entries
13136 */
13137
13138-#if PTRS_PER_PMD > 1
13139-#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
13140-#else
13141-#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
13142-#endif
13143+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
13144
13145 /* Number of possible pages in the lowmem region */
13146 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
13147@@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
13148 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13149
13150 /*
13151+ * Real beginning of normal "text" segment
13152+ */
13153+ENTRY(stext)
13154+ENTRY(_stext)
13155+
13156+/*
13157 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
13158 * %esi points to the real-mode code as a 32-bit pointer.
13159 * CS and DS must be 4 GB flat segments, but we don't depend on
13160@@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13161 * can.
13162 */
13163 __HEAD
13164+
13165+#ifdef CONFIG_PAX_KERNEXEC
13166+ jmp startup_32
13167+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
13168+.fill PAGE_SIZE-5,1,0xcc
13169+#endif
13170+
13171 ENTRY(startup_32)
13172 movl pa(stack_start),%ecx
13173
13174@@ -105,6 +120,57 @@ ENTRY(startup_32)
13175 2:
13176 leal -__PAGE_OFFSET(%ecx),%esp
13177
13178+#ifdef CONFIG_SMP
13179+ movl $pa(cpu_gdt_table),%edi
13180+ movl $__per_cpu_load,%eax
13181+ movw %ax,__KERNEL_PERCPU + 2(%edi)
13182+ rorl $16,%eax
13183+ movb %al,__KERNEL_PERCPU + 4(%edi)
13184+ movb %ah,__KERNEL_PERCPU + 7(%edi)
13185+ movl $__per_cpu_end - 1,%eax
13186+ subl $__per_cpu_start,%eax
13187+ movw %ax,__KERNEL_PERCPU + 0(%edi)
13188+#endif
13189+
13190+#ifdef CONFIG_PAX_MEMORY_UDEREF
13191+ movl $NR_CPUS,%ecx
13192+ movl $pa(cpu_gdt_table),%edi
13193+1:
13194+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
13195+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
13196+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
13197+ addl $PAGE_SIZE_asm,%edi
13198+ loop 1b
13199+#endif
13200+
13201+#ifdef CONFIG_PAX_KERNEXEC
13202+ movl $pa(boot_gdt),%edi
13203+ movl $__LOAD_PHYSICAL_ADDR,%eax
13204+ movw %ax,__BOOT_CS + 2(%edi)
13205+ rorl $16,%eax
13206+ movb %al,__BOOT_CS + 4(%edi)
13207+ movb %ah,__BOOT_CS + 7(%edi)
13208+ rorl $16,%eax
13209+
13210+ ljmp $(__BOOT_CS),$1f
13211+1:
13212+
13213+ movl $NR_CPUS,%ecx
13214+ movl $pa(cpu_gdt_table),%edi
13215+ addl $__PAGE_OFFSET,%eax
13216+1:
13217+ movw %ax,__KERNEL_CS + 2(%edi)
13218+ movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
13219+ rorl $16,%eax
13220+ movb %al,__KERNEL_CS + 4(%edi)
13221+ movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
13222+ movb %ah,__KERNEL_CS + 7(%edi)
13223+ movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
13224+ rorl $16,%eax
13225+ addl $PAGE_SIZE_asm,%edi
13226+ loop 1b
13227+#endif
13228+
13229 /*
13230 * Clear BSS first so that there are no surprises...
13231 */
13232@@ -195,8 +261,11 @@ ENTRY(startup_32)
13233 movl %eax, pa(max_pfn_mapped)
13234
13235 /* Do early initialization of the fixmap area */
13236- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
13237- movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
13238+#ifdef CONFIG_COMPAT_VDSO
13239+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
13240+#else
13241+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
13242+#endif
13243 #else /* Not PAE */
13244
13245 page_pde_offset = (__PAGE_OFFSET >> 20);
13246@@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13247 movl %eax, pa(max_pfn_mapped)
13248
13249 /* Do early initialization of the fixmap area */
13250- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
13251- movl %eax,pa(initial_page_table+0xffc)
13252+#ifdef CONFIG_COMPAT_VDSO
13253+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
13254+#else
13255+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
13256+#endif
13257 #endif
13258
13259 #ifdef CONFIG_PARAVIRT
13260@@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13261 cmpl $num_subarch_entries, %eax
13262 jae bad_subarch
13263
13264- movl pa(subarch_entries)(,%eax,4), %eax
13265- subl $__PAGE_OFFSET, %eax
13266- jmp *%eax
13267+ jmp *pa(subarch_entries)(,%eax,4)
13268
13269 bad_subarch:
13270 WEAK(lguest_entry)
13271@@ -255,10 +325,10 @@ WEAK(xen_entry)
13272 __INITDATA
13273
13274 subarch_entries:
13275- .long default_entry /* normal x86/PC */
13276- .long lguest_entry /* lguest hypervisor */
13277- .long xen_entry /* Xen hypervisor */
13278- .long default_entry /* Moorestown MID */
13279+ .long ta(default_entry) /* normal x86/PC */
13280+ .long ta(lguest_entry) /* lguest hypervisor */
13281+ .long ta(xen_entry) /* Xen hypervisor */
13282+ .long ta(default_entry) /* Moorestown MID */
13283 num_subarch_entries = (. - subarch_entries) / 4
13284 .previous
13285 #else
13286@@ -312,6 +382,7 @@ default_entry:
13287 orl %edx,%eax
13288 movl %eax,%cr4
13289
13290+#ifdef CONFIG_X86_PAE
13291 testb $X86_CR4_PAE, %al # check if PAE is enabled
13292 jz 6f
13293
13294@@ -340,6 +411,9 @@ default_entry:
13295 /* Make changes effective */
13296 wrmsr
13297
13298+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
13299+#endif
13300+
13301 6:
13302
13303 /*
13304@@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
13305 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
13306 movl %eax,%ss # after changing gdt.
13307
13308- movl $(__USER_DS),%eax # DS/ES contains default USER segment
13309+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
13310 movl %eax,%ds
13311 movl %eax,%es
13312
13313@@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
13314 */
13315 cmpb $0,ready
13316 jne 1f
13317- movl $gdt_page,%eax
13318+ movl $cpu_gdt_table,%eax
13319 movl $stack_canary,%ecx
13320+#ifdef CONFIG_SMP
13321+ addl $__per_cpu_load,%ecx
13322+#endif
13323 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
13324 shrl $16, %ecx
13325 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
13326 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
13327 1:
13328-#endif
13329 movl $(__KERNEL_STACK_CANARY),%eax
13330+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13331+ movl $(__USER_DS),%eax
13332+#else
13333+ xorl %eax,%eax
13334+#endif
13335 movl %eax,%gs
13336
13337 xorl %eax,%eax # Clear LDT
13338@@ -558,22 +639,22 @@ early_page_fault:
13339 jmp early_fault
13340
13341 early_fault:
13342- cld
13343 #ifdef CONFIG_PRINTK
13344+ cmpl $1,%ss:early_recursion_flag
13345+ je hlt_loop
13346+ incl %ss:early_recursion_flag
13347+ cld
13348 pusha
13349 movl $(__KERNEL_DS),%eax
13350 movl %eax,%ds
13351 movl %eax,%es
13352- cmpl $2,early_recursion_flag
13353- je hlt_loop
13354- incl early_recursion_flag
13355 movl %cr2,%eax
13356 pushl %eax
13357 pushl %edx /* trapno */
13358 pushl $fault_msg
13359 call printk
13360+; call dump_stack
13361 #endif
13362- call dump_stack
13363 hlt_loop:
13364 hlt
13365 jmp hlt_loop
13366@@ -581,8 +662,11 @@ hlt_loop:
13367 /* This is the default interrupt "handler" :-) */
13368 ALIGN
13369 ignore_int:
13370- cld
13371 #ifdef CONFIG_PRINTK
13372+ cmpl $2,%ss:early_recursion_flag
13373+ je hlt_loop
13374+ incl %ss:early_recursion_flag
13375+ cld
13376 pushl %eax
13377 pushl %ecx
13378 pushl %edx
13379@@ -591,9 +675,6 @@ ignore_int:
13380 movl $(__KERNEL_DS),%eax
13381 movl %eax,%ds
13382 movl %eax,%es
13383- cmpl $2,early_recursion_flag
13384- je hlt_loop
13385- incl early_recursion_flag
13386 pushl 16(%esp)
13387 pushl 24(%esp)
13388 pushl 32(%esp)
13389@@ -622,29 +703,43 @@ ENTRY(initial_code)
13390 /*
13391 * BSS section
13392 */
13393-__PAGE_ALIGNED_BSS
13394- .align PAGE_SIZE
13395 #ifdef CONFIG_X86_PAE
13396+.section .initial_pg_pmd,"a",@progbits
13397 initial_pg_pmd:
13398 .fill 1024*KPMDS,4,0
13399 #else
13400+.section .initial_page_table,"a",@progbits
13401 ENTRY(initial_page_table)
13402 .fill 1024,4,0
13403 #endif
13404+.section .initial_pg_fixmap,"a",@progbits
13405 initial_pg_fixmap:
13406 .fill 1024,4,0
13407+.section .empty_zero_page,"a",@progbits
13408 ENTRY(empty_zero_page)
13409 .fill 4096,1,0
13410+.section .swapper_pg_dir,"a",@progbits
13411 ENTRY(swapper_pg_dir)
13412+#ifdef CONFIG_X86_PAE
13413+ .fill 4,8,0
13414+#else
13415 .fill 1024,4,0
13416+#endif
13417+
13418+/*
13419+ * The IDT has to be page-aligned to simplify the Pentium
13420+ * F0 0F bug workaround.. We have a special link segment
13421+ * for this.
13422+ */
13423+.section .idt,"a",@progbits
13424+ENTRY(idt_table)
13425+ .fill 256,8,0
13426
13427 /*
13428 * This starts the data section.
13429 */
13430 #ifdef CONFIG_X86_PAE
13431-__PAGE_ALIGNED_DATA
13432- /* Page-aligned for the benefit of paravirt? */
13433- .align PAGE_SIZE
13434+.section .initial_page_table,"a",@progbits
13435 ENTRY(initial_page_table)
13436 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
13437 # if KPMDS == 3
13438@@ -663,18 +758,27 @@ ENTRY(initial_page_table)
13439 # error "Kernel PMDs should be 1, 2 or 3"
13440 # endif
13441 .align PAGE_SIZE /* needs to be page-sized too */
13442+
13443+#ifdef CONFIG_PAX_PER_CPU_PGD
13444+ENTRY(cpu_pgd)
13445+ .rept NR_CPUS
13446+ .fill 4,8,0
13447+ .endr
13448+#endif
13449+
13450 #endif
13451
13452 .data
13453 .balign 4
13454 ENTRY(stack_start)
13455- .long init_thread_union+THREAD_SIZE
13456+ .long init_thread_union+THREAD_SIZE-8
13457+
13458+ready: .byte 0
13459
13460+.section .rodata,"a",@progbits
13461 early_recursion_flag:
13462 .long 0
13463
13464-ready: .byte 0
13465-
13466 int_msg:
13467 .asciz "Unknown interrupt or fault at: %p %p %p\n"
13468
13469@@ -707,7 +811,7 @@ fault_msg:
13470 .word 0 # 32 bit align gdt_desc.address
13471 boot_gdt_descr:
13472 .word __BOOT_DS+7
13473- .long boot_gdt - __PAGE_OFFSET
13474+ .long pa(boot_gdt)
13475
13476 .word 0 # 32-bit align idt_desc.address
13477 idt_descr:
13478@@ -718,7 +822,7 @@ idt_descr:
13479 .word 0 # 32 bit align gdt_desc.address
13480 ENTRY(early_gdt_descr)
13481 .word GDT_ENTRIES*8-1
13482- .long gdt_page /* Overwritten for secondary CPUs */
13483+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
13484
13485 /*
13486 * The boot_gdt must mirror the equivalent in setup.S and is
13487@@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
13488 .align L1_CACHE_BYTES
13489 ENTRY(boot_gdt)
13490 .fill GDT_ENTRY_BOOT_CS,8,0
13491- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
13492- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
13493+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
13494+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
13495+
13496+ .align PAGE_SIZE_asm
13497+ENTRY(cpu_gdt_table)
13498+ .rept NR_CPUS
13499+ .quad 0x0000000000000000 /* NULL descriptor */
13500+ .quad 0x0000000000000000 /* 0x0b reserved */
13501+ .quad 0x0000000000000000 /* 0x13 reserved */
13502+ .quad 0x0000000000000000 /* 0x1b reserved */
13503+
13504+#ifdef CONFIG_PAX_KERNEXEC
13505+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
13506+#else
13507+ .quad 0x0000000000000000 /* 0x20 unused */
13508+#endif
13509+
13510+ .quad 0x0000000000000000 /* 0x28 unused */
13511+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
13512+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
13513+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
13514+ .quad 0x0000000000000000 /* 0x4b reserved */
13515+ .quad 0x0000000000000000 /* 0x53 reserved */
13516+ .quad 0x0000000000000000 /* 0x5b reserved */
13517+
13518+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
13519+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
13520+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
13521+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
13522+
13523+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
13524+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
13525+
13526+ /*
13527+ * Segments used for calling PnP BIOS have byte granularity.
13528+ * The code segments and data segments have fixed 64k limits,
13529+ * the transfer segment sizes are set at run time.
13530+ */
13531+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
13532+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
13533+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
13534+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
13535+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
13536+
13537+ /*
13538+ * The APM segments have byte granularity and their bases
13539+ * are set at run time. All have 64k limits.
13540+ */
13541+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
13542+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
13543+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
13544+
13545+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
13546+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
13547+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
13548+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
13549+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
13550+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
13551+
13552+ /* Be sure this is zeroed to avoid false validations in Xen */
13553+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
13554+ .endr
13555diff -urNp linux-3.0.7/arch/x86/kernel/head_64.S linux-3.0.7/arch/x86/kernel/head_64.S
13556--- linux-3.0.7/arch/x86/kernel/head_64.S 2011-07-21 22:17:23.000000000 -0400
13557+++ linux-3.0.7/arch/x86/kernel/head_64.S 2011-08-23 21:47:55.000000000 -0400
13558@@ -19,6 +19,7 @@
13559 #include <asm/cache.h>
13560 #include <asm/processor-flags.h>
13561 #include <asm/percpu.h>
13562+#include <asm/cpufeature.h>
13563
13564 #ifdef CONFIG_PARAVIRT
13565 #include <asm/asm-offsets.h>
13566@@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
13567 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
13568 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
13569 L3_START_KERNEL = pud_index(__START_KERNEL_map)
13570+L4_VMALLOC_START = pgd_index(VMALLOC_START)
13571+L3_VMALLOC_START = pud_index(VMALLOC_START)
13572+L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
13573+L3_VMEMMAP_START = pud_index(VMEMMAP_START)
13574
13575 .text
13576 __HEAD
13577@@ -85,35 +90,22 @@ startup_64:
13578 */
13579 addq %rbp, init_level4_pgt + 0(%rip)
13580 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
13581+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
13582+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
13583 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
13584
13585 addq %rbp, level3_ident_pgt + 0(%rip)
13586+#ifndef CONFIG_XEN
13587+ addq %rbp, level3_ident_pgt + 8(%rip)
13588+#endif
13589
13590- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
13591- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
13592+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
13593
13594- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
13595+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
13596+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
13597
13598- /* Add an Identity mapping if I am above 1G */
13599- leaq _text(%rip), %rdi
13600- andq $PMD_PAGE_MASK, %rdi
13601-
13602- movq %rdi, %rax
13603- shrq $PUD_SHIFT, %rax
13604- andq $(PTRS_PER_PUD - 1), %rax
13605- jz ident_complete
13606-
13607- leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
13608- leaq level3_ident_pgt(%rip), %rbx
13609- movq %rdx, 0(%rbx, %rax, 8)
13610-
13611- movq %rdi, %rax
13612- shrq $PMD_SHIFT, %rax
13613- andq $(PTRS_PER_PMD - 1), %rax
13614- leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
13615- leaq level2_spare_pgt(%rip), %rbx
13616- movq %rdx, 0(%rbx, %rax, 8)
13617-ident_complete:
13618+ addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
13619+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
13620
13621 /*
13622 * Fixup the kernel text+data virtual addresses. Note that
13623@@ -160,8 +152,8 @@ ENTRY(secondary_startup_64)
13624 * after the boot processor executes this code.
13625 */
13626
13627- /* Enable PAE mode and PGE */
13628- movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
13629+ /* Enable PAE mode and PSE/PGE */
13630+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
13631 movq %rax, %cr4
13632
13633 /* Setup early boot stage 4 level pagetables. */
13634@@ -183,9 +175,14 @@ ENTRY(secondary_startup_64)
13635 movl $MSR_EFER, %ecx
13636 rdmsr
13637 btsl $_EFER_SCE, %eax /* Enable System Call */
13638- btl $20,%edi /* No Execute supported? */
13639+ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
13640 jnc 1f
13641 btsl $_EFER_NX, %eax
13642+ leaq init_level4_pgt(%rip), %rdi
13643+ btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
13644+ btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
13645+ btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
13646+ btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
13647 1: wrmsr /* Make changes effective */
13648
13649 /* Setup cr0 */
13650@@ -269,7 +266,7 @@ ENTRY(secondary_startup_64)
13651 bad_address:
13652 jmp bad_address
13653
13654- .section ".init.text","ax"
13655+ __INIT
13656 #ifdef CONFIG_EARLY_PRINTK
13657 .globl early_idt_handlers
13658 early_idt_handlers:
13659@@ -314,18 +311,23 @@ ENTRY(early_idt_handler)
13660 #endif /* EARLY_PRINTK */
13661 1: hlt
13662 jmp 1b
13663+ .previous
13664
13665 #ifdef CONFIG_EARLY_PRINTK
13666+ __INITDATA
13667 early_recursion_flag:
13668 .long 0
13669+ .previous
13670
13671+ .section .rodata,"a",@progbits
13672 early_idt_msg:
13673 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
13674 early_idt_ripmsg:
13675 .asciz "RIP %s\n"
13676-#endif /* CONFIG_EARLY_PRINTK */
13677 .previous
13678+#endif /* CONFIG_EARLY_PRINTK */
13679
13680+ .section .rodata,"a",@progbits
13681 #define NEXT_PAGE(name) \
13682 .balign PAGE_SIZE; \
13683 ENTRY(name)
13684@@ -338,7 +340,6 @@ ENTRY(name)
13685 i = i + 1 ; \
13686 .endr
13687
13688- .data
13689 /*
13690 * This default setting generates an ident mapping at address 0x100000
13691 * and a mapping for the kernel that precisely maps virtual address
13692@@ -349,13 +350,36 @@ NEXT_PAGE(init_level4_pgt)
13693 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13694 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
13695 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13696+ .org init_level4_pgt + L4_VMALLOC_START*8, 0
13697+ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
13698+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0
13699+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13700 .org init_level4_pgt + L4_START_KERNEL*8, 0
13701 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
13702 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
13703
13704+#ifdef CONFIG_PAX_PER_CPU_PGD
13705+NEXT_PAGE(cpu_pgd)
13706+ .rept NR_CPUS
13707+ .fill 512,8,0
13708+ .endr
13709+#endif
13710+
13711 NEXT_PAGE(level3_ident_pgt)
13712 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13713+#ifdef CONFIG_XEN
13714 .fill 511,8,0
13715+#else
13716+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
13717+ .fill 510,8,0
13718+#endif
13719+
13720+NEXT_PAGE(level3_vmalloc_pgt)
13721+ .fill 512,8,0
13722+
13723+NEXT_PAGE(level3_vmemmap_pgt)
13724+ .fill L3_VMEMMAP_START,8,0
13725+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13726
13727 NEXT_PAGE(level3_kernel_pgt)
13728 .fill L3_START_KERNEL,8,0
13729@@ -363,20 +387,23 @@ NEXT_PAGE(level3_kernel_pgt)
13730 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
13731 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13732
13733+NEXT_PAGE(level2_vmemmap_pgt)
13734+ .fill 512,8,0
13735+
13736 NEXT_PAGE(level2_fixmap_pgt)
13737- .fill 506,8,0
13738- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13739- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
13740- .fill 5,8,0
13741+ .fill 507,8,0
13742+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
13743+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
13744+ .fill 4,8,0
13745
13746-NEXT_PAGE(level1_fixmap_pgt)
13747+NEXT_PAGE(level1_vsyscall_pgt)
13748 .fill 512,8,0
13749
13750-NEXT_PAGE(level2_ident_pgt)
13751- /* Since I easily can, map the first 1G.
13752+ /* Since I easily can, map the first 2G.
13753 * Don't set NX because code runs from these pages.
13754 */
13755- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
13756+NEXT_PAGE(level2_ident_pgt)
13757+ PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
13758
13759 NEXT_PAGE(level2_kernel_pgt)
13760 /*
13761@@ -389,33 +416,55 @@ NEXT_PAGE(level2_kernel_pgt)
13762 * If you want to increase this then increase MODULES_VADDR
13763 * too.)
13764 */
13765- PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
13766- KERNEL_IMAGE_SIZE/PMD_SIZE)
13767-
13768-NEXT_PAGE(level2_spare_pgt)
13769- .fill 512, 8, 0
13770+ PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
13771
13772 #undef PMDS
13773 #undef NEXT_PAGE
13774
13775- .data
13776+ .align PAGE_SIZE
13777+ENTRY(cpu_gdt_table)
13778+ .rept NR_CPUS
13779+ .quad 0x0000000000000000 /* NULL descriptor */
13780+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
13781+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
13782+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
13783+ .quad 0x00cffb000000ffff /* __USER32_CS */
13784+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
13785+ .quad 0x00affb000000ffff /* __USER_CS */
13786+
13787+#ifdef CONFIG_PAX_KERNEXEC
13788+ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
13789+#else
13790+ .quad 0x0 /* unused */
13791+#endif
13792+
13793+ .quad 0,0 /* TSS */
13794+ .quad 0,0 /* LDT */
13795+ .quad 0,0,0 /* three TLS descriptors */
13796+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
13797+ /* asm/segment.h:GDT_ENTRIES must match this */
13798+
13799+ /* zero the remaining page */
13800+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
13801+ .endr
13802+
13803 .align 16
13804 .globl early_gdt_descr
13805 early_gdt_descr:
13806 .word GDT_ENTRIES*8-1
13807 early_gdt_descr_base:
13808- .quad INIT_PER_CPU_VAR(gdt_page)
13809+ .quad cpu_gdt_table
13810
13811 ENTRY(phys_base)
13812 /* This must match the first entry in level2_kernel_pgt */
13813 .quad 0x0000000000000000
13814
13815 #include "../../x86/xen/xen-head.S"
13816-
13817- .section .bss, "aw", @nobits
13818+
13819+ .section .rodata,"a",@progbits
13820 .align L1_CACHE_BYTES
13821 ENTRY(idt_table)
13822- .skip IDT_ENTRIES * 16
13823+ .fill 512,8,0
13824
13825 __PAGE_ALIGNED_BSS
13826 .align PAGE_SIZE
13827diff -urNp linux-3.0.7/arch/x86/kernel/i386_ksyms_32.c linux-3.0.7/arch/x86/kernel/i386_ksyms_32.c
13828--- linux-3.0.7/arch/x86/kernel/i386_ksyms_32.c 2011-07-21 22:17:23.000000000 -0400
13829+++ linux-3.0.7/arch/x86/kernel/i386_ksyms_32.c 2011-08-23 21:47:55.000000000 -0400
13830@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
13831 EXPORT_SYMBOL(cmpxchg8b_emu);
13832 #endif
13833
13834+EXPORT_SYMBOL_GPL(cpu_gdt_table);
13835+
13836 /* Networking helper routines. */
13837 EXPORT_SYMBOL(csum_partial_copy_generic);
13838+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
13839+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
13840
13841 EXPORT_SYMBOL(__get_user_1);
13842 EXPORT_SYMBOL(__get_user_2);
13843@@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
13844
13845 EXPORT_SYMBOL(csum_partial);
13846 EXPORT_SYMBOL(empty_zero_page);
13847+
13848+#ifdef CONFIG_PAX_KERNEXEC
13849+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
13850+#endif
13851diff -urNp linux-3.0.7/arch/x86/kernel/i8259.c linux-3.0.7/arch/x86/kernel/i8259.c
13852--- linux-3.0.7/arch/x86/kernel/i8259.c 2011-07-21 22:17:23.000000000 -0400
13853+++ linux-3.0.7/arch/x86/kernel/i8259.c 2011-08-23 21:47:55.000000000 -0400
13854@@ -210,7 +210,7 @@ spurious_8259A_irq:
13855 "spurious 8259A interrupt: IRQ%d.\n", irq);
13856 spurious_irq_mask |= irqmask;
13857 }
13858- atomic_inc(&irq_err_count);
13859+ atomic_inc_unchecked(&irq_err_count);
13860 /*
13861 * Theoretically we do not have to handle this IRQ,
13862 * but in Linux this does not cause problems and is
13863diff -urNp linux-3.0.7/arch/x86/kernel/init_task.c linux-3.0.7/arch/x86/kernel/init_task.c
13864--- linux-3.0.7/arch/x86/kernel/init_task.c 2011-07-21 22:17:23.000000000 -0400
13865+++ linux-3.0.7/arch/x86/kernel/init_task.c 2011-08-23 21:47:55.000000000 -0400
13866@@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
13867 * way process stacks are handled. This is done by having a special
13868 * "init_task" linker map entry..
13869 */
13870-union thread_union init_thread_union __init_task_data =
13871- { INIT_THREAD_INFO(init_task) };
13872+union thread_union init_thread_union __init_task_data;
13873
13874 /*
13875 * Initial task structure.
13876@@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
13877 * section. Since TSS's are completely CPU-local, we want them
13878 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
13879 */
13880-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
13881-
13882+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
13883+EXPORT_SYMBOL(init_tss);
13884diff -urNp linux-3.0.7/arch/x86/kernel/ioport.c linux-3.0.7/arch/x86/kernel/ioport.c
13885--- linux-3.0.7/arch/x86/kernel/ioport.c 2011-07-21 22:17:23.000000000 -0400
13886+++ linux-3.0.7/arch/x86/kernel/ioport.c 2011-08-23 21:48:14.000000000 -0400
13887@@ -6,6 +6,7 @@
13888 #include <linux/sched.h>
13889 #include <linux/kernel.h>
13890 #include <linux/capability.h>
13891+#include <linux/security.h>
13892 #include <linux/errno.h>
13893 #include <linux/types.h>
13894 #include <linux/ioport.h>
13895@@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long
13896
13897 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
13898 return -EINVAL;
13899+#ifdef CONFIG_GRKERNSEC_IO
13900+ if (turn_on && grsec_disable_privio) {
13901+ gr_handle_ioperm();
13902+ return -EPERM;
13903+ }
13904+#endif
13905 if (turn_on && !capable(CAP_SYS_RAWIO))
13906 return -EPERM;
13907
13908@@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long
13909 * because the ->io_bitmap_max value must match the bitmap
13910 * contents:
13911 */
13912- tss = &per_cpu(init_tss, get_cpu());
13913+ tss = init_tss + get_cpu();
13914
13915 if (turn_on)
13916 bitmap_clear(t->io_bitmap_ptr, from, num);
13917@@ -102,6 +109,12 @@ long sys_iopl(unsigned int level, struct
13918 return -EINVAL;
13919 /* Trying to gain more privileges? */
13920 if (level > old) {
13921+#ifdef CONFIG_GRKERNSEC_IO
13922+ if (grsec_disable_privio) {
13923+ gr_handle_iopl();
13924+ return -EPERM;
13925+ }
13926+#endif
13927 if (!capable(CAP_SYS_RAWIO))
13928 return -EPERM;
13929 }
13930diff -urNp linux-3.0.7/arch/x86/kernel/irq.c linux-3.0.7/arch/x86/kernel/irq.c
13931--- linux-3.0.7/arch/x86/kernel/irq.c 2011-07-21 22:17:23.000000000 -0400
13932+++ linux-3.0.7/arch/x86/kernel/irq.c 2011-08-23 21:47:55.000000000 -0400
13933@@ -17,7 +17,7 @@
13934 #include <asm/mce.h>
13935 #include <asm/hw_irq.h>
13936
13937-atomic_t irq_err_count;
13938+atomic_unchecked_t irq_err_count;
13939
13940 /* Function pointer for generic interrupt vector handling */
13941 void (*x86_platform_ipi_callback)(void) = NULL;
13942@@ -116,9 +116,9 @@ int arch_show_interrupts(struct seq_file
13943 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
13944 seq_printf(p, " Machine check polls\n");
13945 #endif
13946- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
13947+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
13948 #if defined(CONFIG_X86_IO_APIC)
13949- seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
13950+ seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
13951 #endif
13952 return 0;
13953 }
13954@@ -158,10 +158,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
13955
13956 u64 arch_irq_stat(void)
13957 {
13958- u64 sum = atomic_read(&irq_err_count);
13959+ u64 sum = atomic_read_unchecked(&irq_err_count);
13960
13961 #ifdef CONFIG_X86_IO_APIC
13962- sum += atomic_read(&irq_mis_count);
13963+ sum += atomic_read_unchecked(&irq_mis_count);
13964 #endif
13965 return sum;
13966 }
13967diff -urNp linux-3.0.7/arch/x86/kernel/irq_32.c linux-3.0.7/arch/x86/kernel/irq_32.c
13968--- linux-3.0.7/arch/x86/kernel/irq_32.c 2011-07-21 22:17:23.000000000 -0400
13969+++ linux-3.0.7/arch/x86/kernel/irq_32.c 2011-08-23 21:47:55.000000000 -0400
13970@@ -36,7 +36,7 @@ static int check_stack_overflow(void)
13971 __asm__ __volatile__("andl %%esp,%0" :
13972 "=r" (sp) : "0" (THREAD_SIZE - 1));
13973
13974- return sp < (sizeof(struct thread_info) + STACK_WARN);
13975+ return sp < STACK_WARN;
13976 }
13977
13978 static void print_stack_overflow(void)
13979@@ -54,8 +54,8 @@ static inline void print_stack_overflow(
13980 * per-CPU IRQ handling contexts (thread information and stack)
13981 */
13982 union irq_ctx {
13983- struct thread_info tinfo;
13984- u32 stack[THREAD_SIZE/sizeof(u32)];
13985+ unsigned long previous_esp;
13986+ u32 stack[THREAD_SIZE/sizeof(u32)];
13987 } __attribute__((aligned(THREAD_SIZE)));
13988
13989 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
13990@@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
13991 static inline int
13992 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
13993 {
13994- union irq_ctx *curctx, *irqctx;
13995+ union irq_ctx *irqctx;
13996 u32 *isp, arg1, arg2;
13997
13998- curctx = (union irq_ctx *) current_thread_info();
13999 irqctx = __this_cpu_read(hardirq_ctx);
14000
14001 /*
14002@@ -87,21 +86,16 @@ execute_on_irq_stack(int overflow, struc
14003 * handler) we can't do that and just have to keep using the
14004 * current stack (which is the irq stack already after all)
14005 */
14006- if (unlikely(curctx == irqctx))
14007+ if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
14008 return 0;
14009
14010 /* build the stack frame on the IRQ stack */
14011- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14012- irqctx->tinfo.task = curctx->tinfo.task;
14013- irqctx->tinfo.previous_esp = current_stack_pointer;
14014+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14015+ irqctx->previous_esp = current_stack_pointer;
14016
14017- /*
14018- * Copy the softirq bits in preempt_count so that the
14019- * softirq checks work in the hardirq context.
14020- */
14021- irqctx->tinfo.preempt_count =
14022- (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
14023- (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
14024+#ifdef CONFIG_PAX_MEMORY_UDEREF
14025+ __set_fs(MAKE_MM_SEG(0));
14026+#endif
14027
14028 if (unlikely(overflow))
14029 call_on_stack(print_stack_overflow, isp);
14030@@ -113,6 +107,11 @@ execute_on_irq_stack(int overflow, struc
14031 : "0" (irq), "1" (desc), "2" (isp),
14032 "D" (desc->handle_irq)
14033 : "memory", "cc", "ecx");
14034+
14035+#ifdef CONFIG_PAX_MEMORY_UDEREF
14036+ __set_fs(current_thread_info()->addr_limit);
14037+#endif
14038+
14039 return 1;
14040 }
14041
14042@@ -121,29 +120,11 @@ execute_on_irq_stack(int overflow, struc
14043 */
14044 void __cpuinit irq_ctx_init(int cpu)
14045 {
14046- union irq_ctx *irqctx;
14047-
14048 if (per_cpu(hardirq_ctx, cpu))
14049 return;
14050
14051- irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
14052- THREAD_FLAGS,
14053- THREAD_ORDER));
14054- memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
14055- irqctx->tinfo.cpu = cpu;
14056- irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
14057- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
14058-
14059- per_cpu(hardirq_ctx, cpu) = irqctx;
14060-
14061- irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
14062- THREAD_FLAGS,
14063- THREAD_ORDER));
14064- memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
14065- irqctx->tinfo.cpu = cpu;
14066- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
14067-
14068- per_cpu(softirq_ctx, cpu) = irqctx;
14069+ per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
14070+ per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
14071
14072 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
14073 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
14074@@ -152,7 +133,6 @@ void __cpuinit irq_ctx_init(int cpu)
14075 asmlinkage void do_softirq(void)
14076 {
14077 unsigned long flags;
14078- struct thread_info *curctx;
14079 union irq_ctx *irqctx;
14080 u32 *isp;
14081
14082@@ -162,15 +142,22 @@ asmlinkage void do_softirq(void)
14083 local_irq_save(flags);
14084
14085 if (local_softirq_pending()) {
14086- curctx = current_thread_info();
14087 irqctx = __this_cpu_read(softirq_ctx);
14088- irqctx->tinfo.task = curctx->task;
14089- irqctx->tinfo.previous_esp = current_stack_pointer;
14090+ irqctx->previous_esp = current_stack_pointer;
14091
14092 /* build the stack frame on the softirq stack */
14093- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14094+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14095+
14096+#ifdef CONFIG_PAX_MEMORY_UDEREF
14097+ __set_fs(MAKE_MM_SEG(0));
14098+#endif
14099
14100 call_on_stack(__do_softirq, isp);
14101+
14102+#ifdef CONFIG_PAX_MEMORY_UDEREF
14103+ __set_fs(current_thread_info()->addr_limit);
14104+#endif
14105+
14106 /*
14107 * Shouldn't happen, we returned above if in_interrupt():
14108 */
14109diff -urNp linux-3.0.7/arch/x86/kernel/kgdb.c linux-3.0.7/arch/x86/kernel/kgdb.c
14110--- linux-3.0.7/arch/x86/kernel/kgdb.c 2011-07-21 22:17:23.000000000 -0400
14111+++ linux-3.0.7/arch/x86/kernel/kgdb.c 2011-08-23 21:47:55.000000000 -0400
14112@@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
14113 #ifdef CONFIG_X86_32
14114 switch (regno) {
14115 case GDB_SS:
14116- if (!user_mode_vm(regs))
14117+ if (!user_mode(regs))
14118 *(unsigned long *)mem = __KERNEL_DS;
14119 break;
14120 case GDB_SP:
14121- if (!user_mode_vm(regs))
14122+ if (!user_mode(regs))
14123 *(unsigned long *)mem = kernel_stack_pointer(regs);
14124 break;
14125 case GDB_GS:
14126@@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec
14127 case 'k':
14128 /* clear the trace bit */
14129 linux_regs->flags &= ~X86_EFLAGS_TF;
14130- atomic_set(&kgdb_cpu_doing_single_step, -1);
14131+ atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
14132
14133 /* set the trace bit if we're stepping */
14134 if (remcomInBuffer[0] == 's') {
14135 linux_regs->flags |= X86_EFLAGS_TF;
14136- atomic_set(&kgdb_cpu_doing_single_step,
14137+ atomic_set_unchecked(&kgdb_cpu_doing_single_step,
14138 raw_smp_processor_id());
14139 }
14140
14141@@ -534,7 +534,7 @@ static int __kgdb_notify(struct die_args
14142 return NOTIFY_DONE;
14143
14144 case DIE_DEBUG:
14145- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
14146+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
14147 if (user_mode(regs))
14148 return single_step_cont(regs, args);
14149 break;
14150diff -urNp linux-3.0.7/arch/x86/kernel/kprobes.c linux-3.0.7/arch/x86/kernel/kprobes.c
14151--- linux-3.0.7/arch/x86/kernel/kprobes.c 2011-07-21 22:17:23.000000000 -0400
14152+++ linux-3.0.7/arch/x86/kernel/kprobes.c 2011-10-11 10:44:33.000000000 -0400
14153@@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
14154 } __attribute__((packed)) *insn;
14155
14156 insn = (struct __arch_relative_insn *)from;
14157+
14158+ pax_open_kernel();
14159 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
14160 insn->op = op;
14161+ pax_close_kernel();
14162 }
14163
14164 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
14165@@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
14166 kprobe_opcode_t opcode;
14167 kprobe_opcode_t *orig_opcodes = opcodes;
14168
14169- if (search_exception_tables((unsigned long)opcodes))
14170+ if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
14171 return 0; /* Page fault may occur on this address. */
14172
14173 retry:
14174@@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
14175 }
14176 }
14177 insn_get_length(&insn);
14178+ pax_open_kernel();
14179 memcpy(dest, insn.kaddr, insn.length);
14180+ pax_close_kernel();
14181
14182 #ifdef CONFIG_X86_64
14183 if (insn_rip_relative(&insn)) {
14184@@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
14185 (u8 *) dest;
14186 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
14187 disp = (u8 *) dest + insn_offset_displacement(&insn);
14188+ pax_open_kernel();
14189 *(s32 *) disp = (s32) newdisp;
14190+ pax_close_kernel();
14191 }
14192 #endif
14193 return insn.length;
14194@@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
14195 */
14196 __copy_instruction(p->ainsn.insn, p->addr, 0);
14197
14198- if (can_boost(p->addr))
14199+ if (can_boost(ktla_ktva(p->addr)))
14200 p->ainsn.boostable = 0;
14201 else
14202 p->ainsn.boostable = -1;
14203
14204- p->opcode = *p->addr;
14205+ p->opcode = *(ktla_ktva(p->addr));
14206 }
14207
14208 int __kprobes arch_prepare_kprobe(struct kprobe *p)
14209@@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
14210 * nor set current_kprobe, because it doesn't use single
14211 * stepping.
14212 */
14213- regs->ip = (unsigned long)p->ainsn.insn;
14214+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14215 preempt_enable_no_resched();
14216 return;
14217 }
14218@@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
14219 if (p->opcode == BREAKPOINT_INSTRUCTION)
14220 regs->ip = (unsigned long)p->addr;
14221 else
14222- regs->ip = (unsigned long)p->ainsn.insn;
14223+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14224 }
14225
14226 /*
14227@@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
14228 setup_singlestep(p, regs, kcb, 0);
14229 return 1;
14230 }
14231- } else if (*addr != BREAKPOINT_INSTRUCTION) {
14232+ } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
14233 /*
14234 * The breakpoint instruction was removed right
14235 * after we hit it. Another cpu has removed
14236@@ -680,6 +687,9 @@ static void __used __kprobes kretprobe_t
14237 " movq %rax, 152(%rsp)\n"
14238 RESTORE_REGS_STRING
14239 " popfq\n"
14240+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
14241+ " btsq $63,(%rsp)\n"
14242+#endif
14243 #else
14244 " pushf\n"
14245 SAVE_REGS_STRING
14246@@ -817,7 +827,7 @@ static void __kprobes resume_execution(s
14247 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
14248 {
14249 unsigned long *tos = stack_addr(regs);
14250- unsigned long copy_ip = (unsigned long)p->ainsn.insn;
14251+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
14252 unsigned long orig_ip = (unsigned long)p->addr;
14253 kprobe_opcode_t *insn = p->ainsn.insn;
14254
14255@@ -999,7 +1009,7 @@ int __kprobes kprobe_exceptions_notify(s
14256 struct die_args *args = data;
14257 int ret = NOTIFY_DONE;
14258
14259- if (args->regs && user_mode_vm(args->regs))
14260+ if (args->regs && user_mode(args->regs))
14261 return ret;
14262
14263 switch (val) {
14264@@ -1381,7 +1391,7 @@ int __kprobes arch_prepare_optimized_kpr
14265 * Verify if the address gap is in 2GB range, because this uses
14266 * a relative jump.
14267 */
14268- rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
14269+ rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
14270 if (abs(rel) > 0x7fffffff)
14271 return -ERANGE;
14272
14273@@ -1402,11 +1412,11 @@ int __kprobes arch_prepare_optimized_kpr
14274 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
14275
14276 /* Set probe function call */
14277- synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
14278+ synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
14279
14280 /* Set returning jmp instruction at the tail of out-of-line buffer */
14281 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
14282- (u8 *)op->kp.addr + op->optinsn.size);
14283+ (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
14284
14285 flush_icache_range((unsigned long) buf,
14286 (unsigned long) buf + TMPL_END_IDX +
14287@@ -1428,7 +1438,7 @@ static void __kprobes setup_optimize_kpr
14288 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
14289
14290 /* Backup instructions which will be replaced by jump address */
14291- memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
14292+ memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
14293 RELATIVE_ADDR_SIZE);
14294
14295 insn_buf[0] = RELATIVEJUMP_OPCODE;
14296diff -urNp linux-3.0.7/arch/x86/kernel/kvm.c linux-3.0.7/arch/x86/kernel/kvm.c
14297--- linux-3.0.7/arch/x86/kernel/kvm.c 2011-07-21 22:17:23.000000000 -0400
14298+++ linux-3.0.7/arch/x86/kernel/kvm.c 2011-08-24 18:10:12.000000000 -0400
14299@@ -426,6 +426,7 @@ static void __init paravirt_ops_setup(vo
14300 pv_mmu_ops.set_pud = kvm_set_pud;
14301 #if PAGETABLE_LEVELS == 4
14302 pv_mmu_ops.set_pgd = kvm_set_pgd;
14303+ pv_mmu_ops.set_pgd_batched = kvm_set_pgd;
14304 #endif
14305 #endif
14306 pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
14307diff -urNp linux-3.0.7/arch/x86/kernel/ldt.c linux-3.0.7/arch/x86/kernel/ldt.c
14308--- linux-3.0.7/arch/x86/kernel/ldt.c 2011-07-21 22:17:23.000000000 -0400
14309+++ linux-3.0.7/arch/x86/kernel/ldt.c 2011-08-23 21:47:55.000000000 -0400
14310@@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
14311 if (reload) {
14312 #ifdef CONFIG_SMP
14313 preempt_disable();
14314- load_LDT(pc);
14315+ load_LDT_nolock(pc);
14316 if (!cpumask_equal(mm_cpumask(current->mm),
14317 cpumask_of(smp_processor_id())))
14318 smp_call_function(flush_ldt, current->mm, 1);
14319 preempt_enable();
14320 #else
14321- load_LDT(pc);
14322+ load_LDT_nolock(pc);
14323 #endif
14324 }
14325 if (oldsize) {
14326@@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
14327 return err;
14328
14329 for (i = 0; i < old->size; i++)
14330- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
14331+ write_ldt_entry(new->ldt, i, old->ldt + i);
14332 return 0;
14333 }
14334
14335@@ -116,6 +116,24 @@ int init_new_context(struct task_struct
14336 retval = copy_ldt(&mm->context, &old_mm->context);
14337 mutex_unlock(&old_mm->context.lock);
14338 }
14339+
14340+ if (tsk == current) {
14341+ mm->context.vdso = 0;
14342+
14343+#ifdef CONFIG_X86_32
14344+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14345+ mm->context.user_cs_base = 0UL;
14346+ mm->context.user_cs_limit = ~0UL;
14347+
14348+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
14349+ cpus_clear(mm->context.cpu_user_cs_mask);
14350+#endif
14351+
14352+#endif
14353+#endif
14354+
14355+ }
14356+
14357 return retval;
14358 }
14359
14360@@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
14361 }
14362 }
14363
14364+#ifdef CONFIG_PAX_SEGMEXEC
14365+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
14366+ error = -EINVAL;
14367+ goto out_unlock;
14368+ }
14369+#endif
14370+
14371 fill_ldt(&ldt, &ldt_info);
14372 if (oldmode)
14373 ldt.avl = 0;
14374diff -urNp linux-3.0.7/arch/x86/kernel/machine_kexec_32.c linux-3.0.7/arch/x86/kernel/machine_kexec_32.c
14375--- linux-3.0.7/arch/x86/kernel/machine_kexec_32.c 2011-07-21 22:17:23.000000000 -0400
14376+++ linux-3.0.7/arch/x86/kernel/machine_kexec_32.c 2011-08-23 21:47:55.000000000 -0400
14377@@ -27,7 +27,7 @@
14378 #include <asm/cacheflush.h>
14379 #include <asm/debugreg.h>
14380
14381-static void set_idt(void *newidt, __u16 limit)
14382+static void set_idt(struct desc_struct *newidt, __u16 limit)
14383 {
14384 struct desc_ptr curidt;
14385
14386@@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
14387 }
14388
14389
14390-static void set_gdt(void *newgdt, __u16 limit)
14391+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
14392 {
14393 struct desc_ptr curgdt;
14394
14395@@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
14396 }
14397
14398 control_page = page_address(image->control_code_page);
14399- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
14400+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
14401
14402 relocate_kernel_ptr = control_page;
14403 page_list[PA_CONTROL_PAGE] = __pa(control_page);
14404diff -urNp linux-3.0.7/arch/x86/kernel/microcode_intel.c linux-3.0.7/arch/x86/kernel/microcode_intel.c
14405--- linux-3.0.7/arch/x86/kernel/microcode_intel.c 2011-07-21 22:17:23.000000000 -0400
14406+++ linux-3.0.7/arch/x86/kernel/microcode_intel.c 2011-10-06 04:17:55.000000000 -0400
14407@@ -440,13 +440,13 @@ static enum ucode_state request_microcod
14408
14409 static int get_ucode_user(void *to, const void *from, size_t n)
14410 {
14411- return copy_from_user(to, from, n);
14412+ return copy_from_user(to, (const void __force_user *)from, n);
14413 }
14414
14415 static enum ucode_state
14416 request_microcode_user(int cpu, const void __user *buf, size_t size)
14417 {
14418- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
14419+ return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
14420 }
14421
14422 static void microcode_fini_cpu(int cpu)
14423diff -urNp linux-3.0.7/arch/x86/kernel/module.c linux-3.0.7/arch/x86/kernel/module.c
14424--- linux-3.0.7/arch/x86/kernel/module.c 2011-07-21 22:17:23.000000000 -0400
14425+++ linux-3.0.7/arch/x86/kernel/module.c 2011-08-23 21:47:55.000000000 -0400
14426@@ -36,21 +36,66 @@
14427 #define DEBUGP(fmt...)
14428 #endif
14429
14430-void *module_alloc(unsigned long size)
14431+static inline void *__module_alloc(unsigned long size, pgprot_t prot)
14432 {
14433 if (PAGE_ALIGN(size) > MODULES_LEN)
14434 return NULL;
14435 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
14436- GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
14437+ GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
14438 -1, __builtin_return_address(0));
14439 }
14440
14441+void *module_alloc(unsigned long size)
14442+{
14443+
14444+#ifdef CONFIG_PAX_KERNEXEC
14445+ return __module_alloc(size, PAGE_KERNEL);
14446+#else
14447+ return __module_alloc(size, PAGE_KERNEL_EXEC);
14448+#endif
14449+
14450+}
14451+
14452 /* Free memory returned from module_alloc */
14453 void module_free(struct module *mod, void *module_region)
14454 {
14455 vfree(module_region);
14456 }
14457
14458+#ifdef CONFIG_PAX_KERNEXEC
14459+#ifdef CONFIG_X86_32
14460+void *module_alloc_exec(unsigned long size)
14461+{
14462+ struct vm_struct *area;
14463+
14464+ if (size == 0)
14465+ return NULL;
14466+
14467+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
14468+ return area ? area->addr : NULL;
14469+}
14470+EXPORT_SYMBOL(module_alloc_exec);
14471+
14472+void module_free_exec(struct module *mod, void *module_region)
14473+{
14474+ vunmap(module_region);
14475+}
14476+EXPORT_SYMBOL(module_free_exec);
14477+#else
14478+void module_free_exec(struct module *mod, void *module_region)
14479+{
14480+ module_free(mod, module_region);
14481+}
14482+EXPORT_SYMBOL(module_free_exec);
14483+
14484+void *module_alloc_exec(unsigned long size)
14485+{
14486+ return __module_alloc(size, PAGE_KERNEL_RX);
14487+}
14488+EXPORT_SYMBOL(module_alloc_exec);
14489+#endif
14490+#endif
14491+
14492 /* We don't need anything special. */
14493 int module_frob_arch_sections(Elf_Ehdr *hdr,
14494 Elf_Shdr *sechdrs,
14495@@ -70,14 +115,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
14496 unsigned int i;
14497 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
14498 Elf32_Sym *sym;
14499- uint32_t *location;
14500+ uint32_t *plocation, location;
14501
14502 DEBUGP("Applying relocate section %u to %u\n", relsec,
14503 sechdrs[relsec].sh_info);
14504 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
14505 /* This is where to make the change */
14506- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
14507- + rel[i].r_offset;
14508+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
14509+ location = (uint32_t)plocation;
14510+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
14511+ plocation = ktla_ktva((void *)plocation);
14512 /* This is the symbol it is referring to. Note that all
14513 undefined symbols have been resolved. */
14514 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
14515@@ -86,11 +133,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
14516 switch (ELF32_R_TYPE(rel[i].r_info)) {
14517 case R_386_32:
14518 /* We add the value into the location given */
14519- *location += sym->st_value;
14520+ pax_open_kernel();
14521+ *plocation += sym->st_value;
14522+ pax_close_kernel();
14523 break;
14524 case R_386_PC32:
14525 /* Add the value, subtract its postition */
14526- *location += sym->st_value - (uint32_t)location;
14527+ pax_open_kernel();
14528+ *plocation += sym->st_value - location;
14529+ pax_close_kernel();
14530 break;
14531 default:
14532 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
14533@@ -146,21 +197,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
14534 case R_X86_64_NONE:
14535 break;
14536 case R_X86_64_64:
14537+ pax_open_kernel();
14538 *(u64 *)loc = val;
14539+ pax_close_kernel();
14540 break;
14541 case R_X86_64_32:
14542+ pax_open_kernel();
14543 *(u32 *)loc = val;
14544+ pax_close_kernel();
14545 if (val != *(u32 *)loc)
14546 goto overflow;
14547 break;
14548 case R_X86_64_32S:
14549+ pax_open_kernel();
14550 *(s32 *)loc = val;
14551+ pax_close_kernel();
14552 if ((s64)val != *(s32 *)loc)
14553 goto overflow;
14554 break;
14555 case R_X86_64_PC32:
14556 val -= (u64)loc;
14557+ pax_open_kernel();
14558 *(u32 *)loc = val;
14559+ pax_close_kernel();
14560+
14561 #if 0
14562 if ((s64)val != *(s32 *)loc)
14563 goto overflow;
14564diff -urNp linux-3.0.7/arch/x86/kernel/paravirt-spinlocks.c linux-3.0.7/arch/x86/kernel/paravirt-spinlocks.c
14565--- linux-3.0.7/arch/x86/kernel/paravirt-spinlocks.c 2011-07-21 22:17:23.000000000 -0400
14566+++ linux-3.0.7/arch/x86/kernel/paravirt-spinlocks.c 2011-08-23 21:47:55.000000000 -0400
14567@@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
14568 arch_spin_lock(lock);
14569 }
14570
14571-struct pv_lock_ops pv_lock_ops = {
14572+struct pv_lock_ops pv_lock_ops __read_only = {
14573 #ifdef CONFIG_SMP
14574 .spin_is_locked = __ticket_spin_is_locked,
14575 .spin_is_contended = __ticket_spin_is_contended,
14576diff -urNp linux-3.0.7/arch/x86/kernel/paravirt.c linux-3.0.7/arch/x86/kernel/paravirt.c
14577--- linux-3.0.7/arch/x86/kernel/paravirt.c 2011-07-21 22:17:23.000000000 -0400
14578+++ linux-3.0.7/arch/x86/kernel/paravirt.c 2011-08-23 21:48:14.000000000 -0400
14579@@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
14580 {
14581 return x;
14582 }
14583+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
14584+PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
14585+#endif
14586
14587 void __init default_banner(void)
14588 {
14589@@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu
14590 * corresponding structure. */
14591 static void *get_call_destination(u8 type)
14592 {
14593- struct paravirt_patch_template tmpl = {
14594+ const struct paravirt_patch_template tmpl = {
14595 .pv_init_ops = pv_init_ops,
14596 .pv_time_ops = pv_time_ops,
14597 .pv_cpu_ops = pv_cpu_ops,
14598@@ -133,6 +136,9 @@ static void *get_call_destination(u8 typ
14599 .pv_lock_ops = pv_lock_ops,
14600 #endif
14601 };
14602+
14603+ pax_track_stack();
14604+
14605 return *((void **)&tmpl + type);
14606 }
14607
14608@@ -145,15 +151,19 @@ unsigned paravirt_patch_default(u8 type,
14609 if (opfunc == NULL)
14610 /* If there's no function, patch it with a ud2a (BUG) */
14611 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
14612- else if (opfunc == _paravirt_nop)
14613+ else if (opfunc == (void *)_paravirt_nop)
14614 /* If the operation is a nop, then nop the callsite */
14615 ret = paravirt_patch_nop();
14616
14617 /* identity functions just return their single argument */
14618- else if (opfunc == _paravirt_ident_32)
14619+ else if (opfunc == (void *)_paravirt_ident_32)
14620 ret = paravirt_patch_ident_32(insnbuf, len);
14621- else if (opfunc == _paravirt_ident_64)
14622+ else if (opfunc == (void *)_paravirt_ident_64)
14623 ret = paravirt_patch_ident_64(insnbuf, len);
14624+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
14625+ else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
14626+ ret = paravirt_patch_ident_64(insnbuf, len);
14627+#endif
14628
14629 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
14630 type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
14631@@ -178,7 +188,7 @@ unsigned paravirt_patch_insns(void *insn
14632 if (insn_len > len || start == NULL)
14633 insn_len = len;
14634 else
14635- memcpy(insnbuf, start, insn_len);
14636+ memcpy(insnbuf, ktla_ktva(start), insn_len);
14637
14638 return insn_len;
14639 }
14640@@ -294,22 +304,22 @@ void arch_flush_lazy_mmu_mode(void)
14641 preempt_enable();
14642 }
14643
14644-struct pv_info pv_info = {
14645+struct pv_info pv_info __read_only = {
14646 .name = "bare hardware",
14647 .paravirt_enabled = 0,
14648 .kernel_rpl = 0,
14649 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
14650 };
14651
14652-struct pv_init_ops pv_init_ops = {
14653+struct pv_init_ops pv_init_ops __read_only = {
14654 .patch = native_patch,
14655 };
14656
14657-struct pv_time_ops pv_time_ops = {
14658+struct pv_time_ops pv_time_ops __read_only = {
14659 .sched_clock = native_sched_clock,
14660 };
14661
14662-struct pv_irq_ops pv_irq_ops = {
14663+struct pv_irq_ops pv_irq_ops __read_only = {
14664 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
14665 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
14666 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
14667@@ -321,7 +331,7 @@ struct pv_irq_ops pv_irq_ops = {
14668 #endif
14669 };
14670
14671-struct pv_cpu_ops pv_cpu_ops = {
14672+struct pv_cpu_ops pv_cpu_ops __read_only = {
14673 .cpuid = native_cpuid,
14674 .get_debugreg = native_get_debugreg,
14675 .set_debugreg = native_set_debugreg,
14676@@ -382,21 +392,26 @@ struct pv_cpu_ops pv_cpu_ops = {
14677 .end_context_switch = paravirt_nop,
14678 };
14679
14680-struct pv_apic_ops pv_apic_ops = {
14681+struct pv_apic_ops pv_apic_ops __read_only = {
14682 #ifdef CONFIG_X86_LOCAL_APIC
14683 .startup_ipi_hook = paravirt_nop,
14684 #endif
14685 };
14686
14687-#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
14688+#ifdef CONFIG_X86_32
14689+#ifdef CONFIG_X86_PAE
14690+/* 64-bit pagetable entries */
14691+#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
14692+#else
14693 /* 32-bit pagetable entries */
14694 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
14695+#endif
14696 #else
14697 /* 64-bit pagetable entries */
14698 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
14699 #endif
14700
14701-struct pv_mmu_ops pv_mmu_ops = {
14702+struct pv_mmu_ops pv_mmu_ops __read_only = {
14703
14704 .read_cr2 = native_read_cr2,
14705 .write_cr2 = native_write_cr2,
14706@@ -446,6 +461,7 @@ struct pv_mmu_ops pv_mmu_ops = {
14707 .make_pud = PTE_IDENT,
14708
14709 .set_pgd = native_set_pgd,
14710+ .set_pgd_batched = native_set_pgd_batched,
14711 #endif
14712 #endif /* PAGETABLE_LEVELS >= 3 */
14713
14714@@ -465,6 +481,12 @@ struct pv_mmu_ops pv_mmu_ops = {
14715 },
14716
14717 .set_fixmap = native_set_fixmap,
14718+
14719+#ifdef CONFIG_PAX_KERNEXEC
14720+ .pax_open_kernel = native_pax_open_kernel,
14721+ .pax_close_kernel = native_pax_close_kernel,
14722+#endif
14723+
14724 };
14725
14726 EXPORT_SYMBOL_GPL(pv_time_ops);
14727diff -urNp linux-3.0.7/arch/x86/kernel/pci-iommu_table.c linux-3.0.7/arch/x86/kernel/pci-iommu_table.c
14728--- linux-3.0.7/arch/x86/kernel/pci-iommu_table.c 2011-07-21 22:17:23.000000000 -0400
14729+++ linux-3.0.7/arch/x86/kernel/pci-iommu_table.c 2011-08-23 21:48:14.000000000 -0400
14730@@ -2,7 +2,7 @@
14731 #include <asm/iommu_table.h>
14732 #include <linux/string.h>
14733 #include <linux/kallsyms.h>
14734-
14735+#include <linux/sched.h>
14736
14737 #define DEBUG 1
14738
14739@@ -51,6 +51,8 @@ void __init check_iommu_entries(struct i
14740 {
14741 struct iommu_table_entry *p, *q, *x;
14742
14743+ pax_track_stack();
14744+
14745 /* Simple cyclic dependency checker. */
14746 for (p = start; p < finish; p++) {
14747 q = find_dependents_of(start, finish, p);
14748diff -urNp linux-3.0.7/arch/x86/kernel/process.c linux-3.0.7/arch/x86/kernel/process.c
14749--- linux-3.0.7/arch/x86/kernel/process.c 2011-07-21 22:17:23.000000000 -0400
14750+++ linux-3.0.7/arch/x86/kernel/process.c 2011-08-30 18:23:52.000000000 -0400
14751@@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
14752
14753 void free_thread_info(struct thread_info *ti)
14754 {
14755- free_thread_xstate(ti->task);
14756 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
14757 }
14758
14759+static struct kmem_cache *task_struct_cachep;
14760+
14761 void arch_task_cache_init(void)
14762 {
14763- task_xstate_cachep =
14764- kmem_cache_create("task_xstate", xstate_size,
14765+ /* create a slab on which task_structs can be allocated */
14766+ task_struct_cachep =
14767+ kmem_cache_create("task_struct", sizeof(struct task_struct),
14768+ ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
14769+
14770+ task_xstate_cachep =
14771+ kmem_cache_create("task_xstate", xstate_size,
14772 __alignof__(union thread_xstate),
14773- SLAB_PANIC | SLAB_NOTRACK, NULL);
14774+ SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
14775+}
14776+
14777+struct task_struct *alloc_task_struct_node(int node)
14778+{
14779+ return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
14780+}
14781+
14782+void free_task_struct(struct task_struct *task)
14783+{
14784+ free_thread_xstate(task);
14785+ kmem_cache_free(task_struct_cachep, task);
14786 }
14787
14788 /*
14789@@ -70,7 +87,7 @@ void exit_thread(void)
14790 unsigned long *bp = t->io_bitmap_ptr;
14791
14792 if (bp) {
14793- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
14794+ struct tss_struct *tss = init_tss + get_cpu();
14795
14796 t->io_bitmap_ptr = NULL;
14797 clear_thread_flag(TIF_IO_BITMAP);
14798@@ -106,7 +123,7 @@ void show_regs_common(void)
14799
14800 printk(KERN_CONT "\n");
14801 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
14802- current->pid, current->comm, print_tainted(),
14803+ task_pid_nr(current), current->comm, print_tainted(),
14804 init_utsname()->release,
14805 (int)strcspn(init_utsname()->version, " "),
14806 init_utsname()->version);
14807@@ -120,6 +137,9 @@ void flush_thread(void)
14808 {
14809 struct task_struct *tsk = current;
14810
14811+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
14812+ loadsegment(gs, 0);
14813+#endif
14814 flush_ptrace_hw_breakpoint(tsk);
14815 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
14816 /*
14817@@ -282,10 +302,10 @@ int kernel_thread(int (*fn)(void *), voi
14818 regs.di = (unsigned long) arg;
14819
14820 #ifdef CONFIG_X86_32
14821- regs.ds = __USER_DS;
14822- regs.es = __USER_DS;
14823+ regs.ds = __KERNEL_DS;
14824+ regs.es = __KERNEL_DS;
14825 regs.fs = __KERNEL_PERCPU;
14826- regs.gs = __KERNEL_STACK_CANARY;
14827+ savesegment(gs, regs.gs);
14828 #else
14829 regs.ss = __KERNEL_DS;
14830 #endif
14831@@ -403,7 +423,7 @@ void default_idle(void)
14832 EXPORT_SYMBOL(default_idle);
14833 #endif
14834
14835-void stop_this_cpu(void *dummy)
14836+__noreturn void stop_this_cpu(void *dummy)
14837 {
14838 local_irq_disable();
14839 /*
14840@@ -668,16 +688,37 @@ static int __init idle_setup(char *str)
14841 }
14842 early_param("idle", idle_setup);
14843
14844-unsigned long arch_align_stack(unsigned long sp)
14845+#ifdef CONFIG_PAX_RANDKSTACK
14846+void pax_randomize_kstack(struct pt_regs *regs)
14847 {
14848- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
14849- sp -= get_random_int() % 8192;
14850- return sp & ~0xf;
14851-}
14852+ struct thread_struct *thread = &current->thread;
14853+ unsigned long time;
14854
14855-unsigned long arch_randomize_brk(struct mm_struct *mm)
14856-{
14857- unsigned long range_end = mm->brk + 0x02000000;
14858- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
14859-}
14860+ if (!randomize_va_space)
14861+ return;
14862+
14863+ if (v8086_mode(regs))
14864+ return;
14865
14866+ rdtscl(time);
14867+
14868+ /* P4 seems to return a 0 LSB, ignore it */
14869+#ifdef CONFIG_MPENTIUM4
14870+ time &= 0x3EUL;
14871+ time <<= 2;
14872+#elif defined(CONFIG_X86_64)
14873+ time &= 0xFUL;
14874+ time <<= 4;
14875+#else
14876+ time &= 0x1FUL;
14877+ time <<= 3;
14878+#endif
14879+
14880+ thread->sp0 ^= time;
14881+ load_sp0(init_tss + smp_processor_id(), thread);
14882+
14883+#ifdef CONFIG_X86_64
14884+ percpu_write(kernel_stack, thread->sp0);
14885+#endif
14886+}
14887+#endif
14888diff -urNp linux-3.0.7/arch/x86/kernel/process_32.c linux-3.0.7/arch/x86/kernel/process_32.c
14889--- linux-3.0.7/arch/x86/kernel/process_32.c 2011-07-21 22:17:23.000000000 -0400
14890+++ linux-3.0.7/arch/x86/kernel/process_32.c 2011-08-23 21:47:55.000000000 -0400
14891@@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
14892 unsigned long thread_saved_pc(struct task_struct *tsk)
14893 {
14894 return ((unsigned long *)tsk->thread.sp)[3];
14895+//XXX return tsk->thread.eip;
14896 }
14897
14898 #ifndef CONFIG_SMP
14899@@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
14900 unsigned long sp;
14901 unsigned short ss, gs;
14902
14903- if (user_mode_vm(regs)) {
14904+ if (user_mode(regs)) {
14905 sp = regs->sp;
14906 ss = regs->ss & 0xffff;
14907- gs = get_user_gs(regs);
14908 } else {
14909 sp = kernel_stack_pointer(regs);
14910 savesegment(ss, ss);
14911- savesegment(gs, gs);
14912 }
14913+ gs = get_user_gs(regs);
14914
14915 show_regs_common();
14916
14917@@ -196,13 +196,14 @@ int copy_thread(unsigned long clone_flag
14918 struct task_struct *tsk;
14919 int err;
14920
14921- childregs = task_pt_regs(p);
14922+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
14923 *childregs = *regs;
14924 childregs->ax = 0;
14925 childregs->sp = sp;
14926
14927 p->thread.sp = (unsigned long) childregs;
14928 p->thread.sp0 = (unsigned long) (childregs+1);
14929+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
14930
14931 p->thread.ip = (unsigned long) ret_from_fork;
14932
14933@@ -292,7 +293,7 @@ __switch_to(struct task_struct *prev_p,
14934 struct thread_struct *prev = &prev_p->thread,
14935 *next = &next_p->thread;
14936 int cpu = smp_processor_id();
14937- struct tss_struct *tss = &per_cpu(init_tss, cpu);
14938+ struct tss_struct *tss = init_tss + cpu;
14939 bool preload_fpu;
14940
14941 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
14942@@ -327,6 +328,10 @@ __switch_to(struct task_struct *prev_p,
14943 */
14944 lazy_save_gs(prev->gs);
14945
14946+#ifdef CONFIG_PAX_MEMORY_UDEREF
14947+ __set_fs(task_thread_info(next_p)->addr_limit);
14948+#endif
14949+
14950 /*
14951 * Load the per-thread Thread-Local Storage descriptor.
14952 */
14953@@ -362,6 +367,9 @@ __switch_to(struct task_struct *prev_p,
14954 */
14955 arch_end_context_switch(next_p);
14956
14957+ percpu_write(current_task, next_p);
14958+ percpu_write(current_tinfo, &next_p->tinfo);
14959+
14960 if (preload_fpu)
14961 __math_state_restore();
14962
14963@@ -371,8 +379,6 @@ __switch_to(struct task_struct *prev_p,
14964 if (prev->gs | next->gs)
14965 lazy_load_gs(next->gs);
14966
14967- percpu_write(current_task, next_p);
14968-
14969 return prev_p;
14970 }
14971
14972@@ -402,4 +408,3 @@ unsigned long get_wchan(struct task_stru
14973 } while (count++ < 16);
14974 return 0;
14975 }
14976-
14977diff -urNp linux-3.0.7/arch/x86/kernel/process_64.c linux-3.0.7/arch/x86/kernel/process_64.c
14978--- linux-3.0.7/arch/x86/kernel/process_64.c 2011-07-21 22:17:23.000000000 -0400
14979+++ linux-3.0.7/arch/x86/kernel/process_64.c 2011-08-23 21:47:55.000000000 -0400
14980@@ -87,7 +87,7 @@ static void __exit_idle(void)
14981 void exit_idle(void)
14982 {
14983 /* idle loop has pid 0 */
14984- if (current->pid)
14985+ if (task_pid_nr(current))
14986 return;
14987 __exit_idle();
14988 }
14989@@ -260,8 +260,7 @@ int copy_thread(unsigned long clone_flag
14990 struct pt_regs *childregs;
14991 struct task_struct *me = current;
14992
14993- childregs = ((struct pt_regs *)
14994- (THREAD_SIZE + task_stack_page(p))) - 1;
14995+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
14996 *childregs = *regs;
14997
14998 childregs->ax = 0;
14999@@ -273,6 +272,7 @@ int copy_thread(unsigned long clone_flag
15000 p->thread.sp = (unsigned long) childregs;
15001 p->thread.sp0 = (unsigned long) (childregs+1);
15002 p->thread.usersp = me->thread.usersp;
15003+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
15004
15005 set_tsk_thread_flag(p, TIF_FORK);
15006
15007@@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p,
15008 struct thread_struct *prev = &prev_p->thread;
15009 struct thread_struct *next = &next_p->thread;
15010 int cpu = smp_processor_id();
15011- struct tss_struct *tss = &per_cpu(init_tss, cpu);
15012+ struct tss_struct *tss = init_tss + cpu;
15013 unsigned fsindex, gsindex;
15014 bool preload_fpu;
15015
15016@@ -471,10 +471,9 @@ __switch_to(struct task_struct *prev_p,
15017 prev->usersp = percpu_read(old_rsp);
15018 percpu_write(old_rsp, next->usersp);
15019 percpu_write(current_task, next_p);
15020+ percpu_write(current_tinfo, &next_p->tinfo);
15021
15022- percpu_write(kernel_stack,
15023- (unsigned long)task_stack_page(next_p) +
15024- THREAD_SIZE - KERNEL_STACK_OFFSET);
15025+ percpu_write(kernel_stack, next->sp0);
15026
15027 /*
15028 * Now maybe reload the debug registers and handle I/O bitmaps
15029@@ -536,12 +535,11 @@ unsigned long get_wchan(struct task_stru
15030 if (!p || p == current || p->state == TASK_RUNNING)
15031 return 0;
15032 stack = (unsigned long)task_stack_page(p);
15033- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
15034+ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
15035 return 0;
15036 fp = *(u64 *)(p->thread.sp);
15037 do {
15038- if (fp < (unsigned long)stack ||
15039- fp >= (unsigned long)stack+THREAD_SIZE)
15040+ if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
15041 return 0;
15042 ip = *(u64 *)(fp+8);
15043 if (!in_sched_functions(ip))
15044diff -urNp linux-3.0.7/arch/x86/kernel/ptrace.c linux-3.0.7/arch/x86/kernel/ptrace.c
15045--- linux-3.0.7/arch/x86/kernel/ptrace.c 2011-07-21 22:17:23.000000000 -0400
15046+++ linux-3.0.7/arch/x86/kernel/ptrace.c 2011-08-23 21:47:55.000000000 -0400
15047@@ -821,7 +821,7 @@ long arch_ptrace(struct task_struct *chi
15048 unsigned long addr, unsigned long data)
15049 {
15050 int ret;
15051- unsigned long __user *datap = (unsigned long __user *)data;
15052+ unsigned long __user *datap = (__force unsigned long __user *)data;
15053
15054 switch (request) {
15055 /* read the word at location addr in the USER area. */
15056@@ -906,14 +906,14 @@ long arch_ptrace(struct task_struct *chi
15057 if ((int) addr < 0)
15058 return -EIO;
15059 ret = do_get_thread_area(child, addr,
15060- (struct user_desc __user *)data);
15061+ (__force struct user_desc __user *) data);
15062 break;
15063
15064 case PTRACE_SET_THREAD_AREA:
15065 if ((int) addr < 0)
15066 return -EIO;
15067 ret = do_set_thread_area(child, addr,
15068- (struct user_desc __user *)data, 0);
15069+ (__force struct user_desc __user *) data, 0);
15070 break;
15071 #endif
15072
15073@@ -1330,7 +1330,7 @@ static void fill_sigtrap_info(struct tas
15074 memset(info, 0, sizeof(*info));
15075 info->si_signo = SIGTRAP;
15076 info->si_code = si_code;
15077- info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
15078+ info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
15079 }
15080
15081 void user_single_step_siginfo(struct task_struct *tsk,
15082diff -urNp linux-3.0.7/arch/x86/kernel/pvclock.c linux-3.0.7/arch/x86/kernel/pvclock.c
15083--- linux-3.0.7/arch/x86/kernel/pvclock.c 2011-07-21 22:17:23.000000000 -0400
15084+++ linux-3.0.7/arch/x86/kernel/pvclock.c 2011-08-23 21:47:55.000000000 -0400
15085@@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc
15086 return pv_tsc_khz;
15087 }
15088
15089-static atomic64_t last_value = ATOMIC64_INIT(0);
15090+static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
15091
15092 void pvclock_resume(void)
15093 {
15094- atomic64_set(&last_value, 0);
15095+ atomic64_set_unchecked(&last_value, 0);
15096 }
15097
15098 cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
15099@@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct
15100 * updating at the same time, and one of them could be slightly behind,
15101 * making the assumption that last_value always go forward fail to hold.
15102 */
15103- last = atomic64_read(&last_value);
15104+ last = atomic64_read_unchecked(&last_value);
15105 do {
15106 if (ret < last)
15107 return last;
15108- last = atomic64_cmpxchg(&last_value, last, ret);
15109+ last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
15110 } while (unlikely(last != ret));
15111
15112 return ret;
15113diff -urNp linux-3.0.7/arch/x86/kernel/reboot.c linux-3.0.7/arch/x86/kernel/reboot.c
15114--- linux-3.0.7/arch/x86/kernel/reboot.c 2011-07-21 22:17:23.000000000 -0400
15115+++ linux-3.0.7/arch/x86/kernel/reboot.c 2011-08-23 21:47:55.000000000 -0400
15116@@ -35,7 +35,7 @@ void (*pm_power_off)(void);
15117 EXPORT_SYMBOL(pm_power_off);
15118
15119 static const struct desc_ptr no_idt = {};
15120-static int reboot_mode;
15121+static unsigned short reboot_mode;
15122 enum reboot_type reboot_type = BOOT_ACPI;
15123 int reboot_force;
15124
15125@@ -315,13 +315,17 @@ core_initcall(reboot_init);
15126 extern const unsigned char machine_real_restart_asm[];
15127 extern const u64 machine_real_restart_gdt[3];
15128
15129-void machine_real_restart(unsigned int type)
15130+__noreturn void machine_real_restart(unsigned int type)
15131 {
15132 void *restart_va;
15133 unsigned long restart_pa;
15134- void (*restart_lowmem)(unsigned int);
15135+ void (* __noreturn restart_lowmem)(unsigned int);
15136 u64 *lowmem_gdt;
15137
15138+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
15139+ struct desc_struct *gdt;
15140+#endif
15141+
15142 local_irq_disable();
15143
15144 /* Write zero to CMOS register number 0x0f, which the BIOS POST
15145@@ -347,14 +351,14 @@ void machine_real_restart(unsigned int t
15146 boot)". This seems like a fairly standard thing that gets set by
15147 REBOOT.COM programs, and the previous reset routine did this
15148 too. */
15149- *((unsigned short *)0x472) = reboot_mode;
15150+ *(unsigned short *)(__va(0x472)) = reboot_mode;
15151
15152 /* Patch the GDT in the low memory trampoline */
15153 lowmem_gdt = TRAMPOLINE_SYM(machine_real_restart_gdt);
15154
15155 restart_va = TRAMPOLINE_SYM(machine_real_restart_asm);
15156 restart_pa = virt_to_phys(restart_va);
15157- restart_lowmem = (void (*)(unsigned int))restart_pa;
15158+ restart_lowmem = (void *)restart_pa;
15159
15160 /* GDT[0]: GDT self-pointer */
15161 lowmem_gdt[0] =
15162@@ -365,7 +369,33 @@ void machine_real_restart(unsigned int t
15163 GDT_ENTRY(0x009b, restart_pa, 0xffff);
15164
15165 /* Jump to the identity-mapped low memory code */
15166+
15167+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
15168+ gdt = get_cpu_gdt_table(smp_processor_id());
15169+ pax_open_kernel();
15170+#ifdef CONFIG_PAX_MEMORY_UDEREF
15171+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
15172+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
15173+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
15174+#endif
15175+#ifdef CONFIG_PAX_KERNEXEC
15176+ gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
15177+ gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
15178+ gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
15179+ gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
15180+ gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
15181+ gdt[GDT_ENTRY_KERNEL_CS].g = 1;
15182+#endif
15183+ pax_close_kernel();
15184+#endif
15185+
15186+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15187+ asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "rm" (restart_lowmem), "a" (type));
15188+ unreachable();
15189+#else
15190 restart_lowmem(type);
15191+#endif
15192+
15193 }
15194 #ifdef CONFIG_APM_MODULE
15195 EXPORT_SYMBOL(machine_real_restart);
15196@@ -523,7 +553,7 @@ void __attribute__((weak)) mach_reboot_f
15197 * try to force a triple fault and then cycle between hitting the keyboard
15198 * controller and doing that
15199 */
15200-static void native_machine_emergency_restart(void)
15201+__noreturn static void native_machine_emergency_restart(void)
15202 {
15203 int i;
15204 int attempt = 0;
15205@@ -647,13 +677,13 @@ void native_machine_shutdown(void)
15206 #endif
15207 }
15208
15209-static void __machine_emergency_restart(int emergency)
15210+static __noreturn void __machine_emergency_restart(int emergency)
15211 {
15212 reboot_emergency = emergency;
15213 machine_ops.emergency_restart();
15214 }
15215
15216-static void native_machine_restart(char *__unused)
15217+static __noreturn void native_machine_restart(char *__unused)
15218 {
15219 printk("machine restart\n");
15220
15221@@ -662,7 +692,7 @@ static void native_machine_restart(char
15222 __machine_emergency_restart(0);
15223 }
15224
15225-static void native_machine_halt(void)
15226+static __noreturn void native_machine_halt(void)
15227 {
15228 /* stop other cpus and apics */
15229 machine_shutdown();
15230@@ -673,7 +703,7 @@ static void native_machine_halt(void)
15231 stop_this_cpu(NULL);
15232 }
15233
15234-static void native_machine_power_off(void)
15235+__noreturn static void native_machine_power_off(void)
15236 {
15237 if (pm_power_off) {
15238 if (!reboot_force)
15239@@ -682,6 +712,7 @@ static void native_machine_power_off(voi
15240 }
15241 /* a fallback in case there is no PM info available */
15242 tboot_shutdown(TB_SHUTDOWN_HALT);
15243+ unreachable();
15244 }
15245
15246 struct machine_ops machine_ops = {
15247diff -urNp linux-3.0.7/arch/x86/kernel/setup.c linux-3.0.7/arch/x86/kernel/setup.c
15248--- linux-3.0.7/arch/x86/kernel/setup.c 2011-07-21 22:17:23.000000000 -0400
15249+++ linux-3.0.7/arch/x86/kernel/setup.c 2011-10-06 04:17:55.000000000 -0400
15250@@ -447,7 +447,7 @@ static void __init parse_setup_data(void
15251
15252 switch (data->type) {
15253 case SETUP_E820_EXT:
15254- parse_e820_ext(data);
15255+ parse_e820_ext((struct setup_data __force_kernel *)data);
15256 break;
15257 case SETUP_DTB:
15258 add_dtb(pa_data);
15259@@ -650,7 +650,7 @@ static void __init trim_bios_range(void)
15260 * area (640->1Mb) as ram even though it is not.
15261 * take them out.
15262 */
15263- e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
15264+ e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
15265 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
15266 }
15267
15268@@ -773,14 +773,14 @@ void __init setup_arch(char **cmdline_p)
15269
15270 if (!boot_params.hdr.root_flags)
15271 root_mountflags &= ~MS_RDONLY;
15272- init_mm.start_code = (unsigned long) _text;
15273- init_mm.end_code = (unsigned long) _etext;
15274+ init_mm.start_code = ktla_ktva((unsigned long) _text);
15275+ init_mm.end_code = ktla_ktva((unsigned long) _etext);
15276 init_mm.end_data = (unsigned long) _edata;
15277 init_mm.brk = _brk_end;
15278
15279- code_resource.start = virt_to_phys(_text);
15280- code_resource.end = virt_to_phys(_etext)-1;
15281- data_resource.start = virt_to_phys(_etext);
15282+ code_resource.start = virt_to_phys(ktla_ktva(_text));
15283+ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
15284+ data_resource.start = virt_to_phys(_sdata);
15285 data_resource.end = virt_to_phys(_edata)-1;
15286 bss_resource.start = virt_to_phys(&__bss_start);
15287 bss_resource.end = virt_to_phys(&__bss_stop)-1;
15288diff -urNp linux-3.0.7/arch/x86/kernel/setup_percpu.c linux-3.0.7/arch/x86/kernel/setup_percpu.c
15289--- linux-3.0.7/arch/x86/kernel/setup_percpu.c 2011-07-21 22:17:23.000000000 -0400
15290+++ linux-3.0.7/arch/x86/kernel/setup_percpu.c 2011-08-23 21:47:55.000000000 -0400
15291@@ -21,19 +21,17 @@
15292 #include <asm/cpu.h>
15293 #include <asm/stackprotector.h>
15294
15295-DEFINE_PER_CPU(int, cpu_number);
15296+#ifdef CONFIG_SMP
15297+DEFINE_PER_CPU(unsigned int, cpu_number);
15298 EXPORT_PER_CPU_SYMBOL(cpu_number);
15299+#endif
15300
15301-#ifdef CONFIG_X86_64
15302 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
15303-#else
15304-#define BOOT_PERCPU_OFFSET 0
15305-#endif
15306
15307 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
15308 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
15309
15310-unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
15311+unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
15312 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
15313 };
15314 EXPORT_SYMBOL(__per_cpu_offset);
15315@@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
15316 {
15317 #ifdef CONFIG_X86_32
15318 struct desc_struct gdt;
15319+ unsigned long base = per_cpu_offset(cpu);
15320
15321- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
15322- 0x2 | DESCTYPE_S, 0x8);
15323- gdt.s = 1;
15324+ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
15325+ 0x83 | DESCTYPE_S, 0xC);
15326 write_gdt_entry(get_cpu_gdt_table(cpu),
15327 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
15328 #endif
15329@@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
15330 /* alrighty, percpu areas up and running */
15331 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
15332 for_each_possible_cpu(cpu) {
15333+#ifdef CONFIG_CC_STACKPROTECTOR
15334+#ifdef CONFIG_X86_32
15335+ unsigned long canary = per_cpu(stack_canary.canary, cpu);
15336+#endif
15337+#endif
15338 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
15339 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
15340 per_cpu(cpu_number, cpu) = cpu;
15341@@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void)
15342 */
15343 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
15344 #endif
15345+#ifdef CONFIG_CC_STACKPROTECTOR
15346+#ifdef CONFIG_X86_32
15347+ if (!cpu)
15348+ per_cpu(stack_canary.canary, cpu) = canary;
15349+#endif
15350+#endif
15351 /*
15352 * Up to this point, the boot CPU has been using .init.data
15353 * area. Reload any changed state for the boot CPU.
15354diff -urNp linux-3.0.7/arch/x86/kernel/signal.c linux-3.0.7/arch/x86/kernel/signal.c
15355--- linux-3.0.7/arch/x86/kernel/signal.c 2011-07-21 22:17:23.000000000 -0400
15356+++ linux-3.0.7/arch/x86/kernel/signal.c 2011-08-23 21:48:14.000000000 -0400
15357@@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
15358 * Align the stack pointer according to the i386 ABI,
15359 * i.e. so that on function entry ((sp + 4) & 15) == 0.
15360 */
15361- sp = ((sp + 4) & -16ul) - 4;
15362+ sp = ((sp - 12) & -16ul) - 4;
15363 #else /* !CONFIG_X86_32 */
15364 sp = round_down(sp, 16) - 8;
15365 #endif
15366@@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
15367 * Return an always-bogus address instead so we will die with SIGSEGV.
15368 */
15369 if (onsigstack && !likely(on_sig_stack(sp)))
15370- return (void __user *)-1L;
15371+ return (__force void __user *)-1L;
15372
15373 /* save i387 state */
15374 if (used_math() && save_i387_xstate(*fpstate) < 0)
15375- return (void __user *)-1L;
15376+ return (__force void __user *)-1L;
15377
15378 return (void __user *)sp;
15379 }
15380@@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
15381 }
15382
15383 if (current->mm->context.vdso)
15384- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
15385+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
15386 else
15387- restorer = &frame->retcode;
15388+ restorer = (void __user *)&frame->retcode;
15389 if (ka->sa.sa_flags & SA_RESTORER)
15390 restorer = ka->sa.sa_restorer;
15391
15392@@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
15393 * reasons and because gdb uses it as a signature to notice
15394 * signal handler stack frames.
15395 */
15396- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
15397+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
15398
15399 if (err)
15400 return -EFAULT;
15401@@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
15402 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
15403
15404 /* Set up to return from userspace. */
15405- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
15406+ if (current->mm->context.vdso)
15407+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
15408+ else
15409+ restorer = (void __user *)&frame->retcode;
15410 if (ka->sa.sa_flags & SA_RESTORER)
15411 restorer = ka->sa.sa_restorer;
15412 put_user_ex(restorer, &frame->pretcode);
15413@@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
15414 * reasons and because gdb uses it as a signature to notice
15415 * signal handler stack frames.
15416 */
15417- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
15418+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
15419 } put_user_catch(err);
15420
15421 if (err)
15422@@ -769,6 +772,8 @@ static void do_signal(struct pt_regs *re
15423 int signr;
15424 sigset_t *oldset;
15425
15426+ pax_track_stack();
15427+
15428 /*
15429 * We want the common case to go fast, which is why we may in certain
15430 * cases get here from kernel mode. Just return without doing anything
15431@@ -776,7 +781,7 @@ static void do_signal(struct pt_regs *re
15432 * X86_32: vm86 regs switched out by assembly code before reaching
15433 * here, so testing against kernel CS suffices.
15434 */
15435- if (!user_mode(regs))
15436+ if (!user_mode_novm(regs))
15437 return;
15438
15439 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
15440diff -urNp linux-3.0.7/arch/x86/kernel/smpboot.c linux-3.0.7/arch/x86/kernel/smpboot.c
15441--- linux-3.0.7/arch/x86/kernel/smpboot.c 2011-07-21 22:17:23.000000000 -0400
15442+++ linux-3.0.7/arch/x86/kernel/smpboot.c 2011-08-23 21:47:55.000000000 -0400
15443@@ -709,17 +709,20 @@ static int __cpuinit do_boot_cpu(int api
15444 set_idle_for_cpu(cpu, c_idle.idle);
15445 do_rest:
15446 per_cpu(current_task, cpu) = c_idle.idle;
15447+ per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
15448 #ifdef CONFIG_X86_32
15449 /* Stack for startup_32 can be just as for start_secondary onwards */
15450 irq_ctx_init(cpu);
15451 #else
15452 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
15453 initial_gs = per_cpu_offset(cpu);
15454- per_cpu(kernel_stack, cpu) =
15455- (unsigned long)task_stack_page(c_idle.idle) -
15456- KERNEL_STACK_OFFSET + THREAD_SIZE;
15457+ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
15458 #endif
15459+
15460+ pax_open_kernel();
15461 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
15462+ pax_close_kernel();
15463+
15464 initial_code = (unsigned long)start_secondary;
15465 stack_start = c_idle.idle->thread.sp;
15466
15467@@ -861,6 +864,12 @@ int __cpuinit native_cpu_up(unsigned int
15468
15469 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
15470
15471+#ifdef CONFIG_PAX_PER_CPU_PGD
15472+ clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
15473+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
15474+ KERNEL_PGD_PTRS);
15475+#endif
15476+
15477 err = do_boot_cpu(apicid, cpu);
15478 if (err) {
15479 pr_debug("do_boot_cpu failed %d\n", err);
15480diff -urNp linux-3.0.7/arch/x86/kernel/step.c linux-3.0.7/arch/x86/kernel/step.c
15481--- linux-3.0.7/arch/x86/kernel/step.c 2011-07-21 22:17:23.000000000 -0400
15482+++ linux-3.0.7/arch/x86/kernel/step.c 2011-08-23 21:47:55.000000000 -0400
15483@@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
15484 struct desc_struct *desc;
15485 unsigned long base;
15486
15487- seg &= ~7UL;
15488+ seg >>= 3;
15489
15490 mutex_lock(&child->mm->context.lock);
15491- if (unlikely((seg >> 3) >= child->mm->context.size))
15492+ if (unlikely(seg >= child->mm->context.size))
15493 addr = -1L; /* bogus selector, access would fault */
15494 else {
15495 desc = child->mm->context.ldt + seg;
15496@@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
15497 addr += base;
15498 }
15499 mutex_unlock(&child->mm->context.lock);
15500- }
15501+ } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
15502+ addr = ktla_ktva(addr);
15503
15504 return addr;
15505 }
15506@@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
15507 unsigned char opcode[15];
15508 unsigned long addr = convert_ip_to_linear(child, regs);
15509
15510+ if (addr == -EINVAL)
15511+ return 0;
15512+
15513 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
15514 for (i = 0; i < copied; i++) {
15515 switch (opcode[i]) {
15516@@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
15517
15518 #ifdef CONFIG_X86_64
15519 case 0x40 ... 0x4f:
15520- if (regs->cs != __USER_CS)
15521+ if ((regs->cs & 0xffff) != __USER_CS)
15522 /* 32-bit mode: register increment */
15523 return 0;
15524 /* 64-bit mode: REX prefix */
15525diff -urNp linux-3.0.7/arch/x86/kernel/sys_i386_32.c linux-3.0.7/arch/x86/kernel/sys_i386_32.c
15526--- linux-3.0.7/arch/x86/kernel/sys_i386_32.c 2011-07-21 22:17:23.000000000 -0400
15527+++ linux-3.0.7/arch/x86/kernel/sys_i386_32.c 2011-08-23 21:47:55.000000000 -0400
15528@@ -24,17 +24,224 @@
15529
15530 #include <asm/syscalls.h>
15531
15532-/*
15533- * Do a system call from kernel instead of calling sys_execve so we
15534- * end up with proper pt_regs.
15535- */
15536-int kernel_execve(const char *filename,
15537- const char *const argv[],
15538- const char *const envp[])
15539+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
15540 {
15541- long __res;
15542- asm volatile ("int $0x80"
15543- : "=a" (__res)
15544- : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
15545- return __res;
15546+ unsigned long pax_task_size = TASK_SIZE;
15547+
15548+#ifdef CONFIG_PAX_SEGMEXEC
15549+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
15550+ pax_task_size = SEGMEXEC_TASK_SIZE;
15551+#endif
15552+
15553+ if (len > pax_task_size || addr > pax_task_size - len)
15554+ return -EINVAL;
15555+
15556+ return 0;
15557+}
15558+
15559+unsigned long
15560+arch_get_unmapped_area(struct file *filp, unsigned long addr,
15561+ unsigned long len, unsigned long pgoff, unsigned long flags)
15562+{
15563+ struct mm_struct *mm = current->mm;
15564+ struct vm_area_struct *vma;
15565+ unsigned long start_addr, pax_task_size = TASK_SIZE;
15566+
15567+#ifdef CONFIG_PAX_SEGMEXEC
15568+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
15569+ pax_task_size = SEGMEXEC_TASK_SIZE;
15570+#endif
15571+
15572+ pax_task_size -= PAGE_SIZE;
15573+
15574+ if (len > pax_task_size)
15575+ return -ENOMEM;
15576+
15577+ if (flags & MAP_FIXED)
15578+ return addr;
15579+
15580+#ifdef CONFIG_PAX_RANDMMAP
15581+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15582+#endif
15583+
15584+ if (addr) {
15585+ addr = PAGE_ALIGN(addr);
15586+ if (pax_task_size - len >= addr) {
15587+ vma = find_vma(mm, addr);
15588+ if (check_heap_stack_gap(vma, addr, len))
15589+ return addr;
15590+ }
15591+ }
15592+ if (len > mm->cached_hole_size) {
15593+ start_addr = addr = mm->free_area_cache;
15594+ } else {
15595+ start_addr = addr = mm->mmap_base;
15596+ mm->cached_hole_size = 0;
15597+ }
15598+
15599+#ifdef CONFIG_PAX_PAGEEXEC
15600+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
15601+ start_addr = 0x00110000UL;
15602+
15603+#ifdef CONFIG_PAX_RANDMMAP
15604+ if (mm->pax_flags & MF_PAX_RANDMMAP)
15605+ start_addr += mm->delta_mmap & 0x03FFF000UL;
15606+#endif
15607+
15608+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
15609+ start_addr = addr = mm->mmap_base;
15610+ else
15611+ addr = start_addr;
15612+ }
15613+#endif
15614+
15615+full_search:
15616+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
15617+ /* At this point: (!vma || addr < vma->vm_end). */
15618+ if (pax_task_size - len < addr) {
15619+ /*
15620+ * Start a new search - just in case we missed
15621+ * some holes.
15622+ */
15623+ if (start_addr != mm->mmap_base) {
15624+ start_addr = addr = mm->mmap_base;
15625+ mm->cached_hole_size = 0;
15626+ goto full_search;
15627+ }
15628+ return -ENOMEM;
15629+ }
15630+ if (check_heap_stack_gap(vma, addr, len))
15631+ break;
15632+ if (addr + mm->cached_hole_size < vma->vm_start)
15633+ mm->cached_hole_size = vma->vm_start - addr;
15634+ addr = vma->vm_end;
15635+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
15636+ start_addr = addr = mm->mmap_base;
15637+ mm->cached_hole_size = 0;
15638+ goto full_search;
15639+ }
15640+ }
15641+
15642+ /*
15643+ * Remember the place where we stopped the search:
15644+ */
15645+ mm->free_area_cache = addr + len;
15646+ return addr;
15647+}
15648+
15649+unsigned long
15650+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
15651+ const unsigned long len, const unsigned long pgoff,
15652+ const unsigned long flags)
15653+{
15654+ struct vm_area_struct *vma;
15655+ struct mm_struct *mm = current->mm;
15656+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
15657+
15658+#ifdef CONFIG_PAX_SEGMEXEC
15659+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
15660+ pax_task_size = SEGMEXEC_TASK_SIZE;
15661+#endif
15662+
15663+ pax_task_size -= PAGE_SIZE;
15664+
15665+ /* requested length too big for entire address space */
15666+ if (len > pax_task_size)
15667+ return -ENOMEM;
15668+
15669+ if (flags & MAP_FIXED)
15670+ return addr;
15671+
15672+#ifdef CONFIG_PAX_PAGEEXEC
15673+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
15674+ goto bottomup;
15675+#endif
15676+
15677+#ifdef CONFIG_PAX_RANDMMAP
15678+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15679+#endif
15680+
15681+ /* requesting a specific address */
15682+ if (addr) {
15683+ addr = PAGE_ALIGN(addr);
15684+ if (pax_task_size - len >= addr) {
15685+ vma = find_vma(mm, addr);
15686+ if (check_heap_stack_gap(vma, addr, len))
15687+ return addr;
15688+ }
15689+ }
15690+
15691+ /* check if free_area_cache is useful for us */
15692+ if (len <= mm->cached_hole_size) {
15693+ mm->cached_hole_size = 0;
15694+ mm->free_area_cache = mm->mmap_base;
15695+ }
15696+
15697+ /* either no address requested or can't fit in requested address hole */
15698+ addr = mm->free_area_cache;
15699+
15700+ /* make sure it can fit in the remaining address space */
15701+ if (addr > len) {
15702+ vma = find_vma(mm, addr-len);
15703+ if (check_heap_stack_gap(vma, addr - len, len))
15704+ /* remember the address as a hint for next time */
15705+ return (mm->free_area_cache = addr-len);
15706+ }
15707+
15708+ if (mm->mmap_base < len)
15709+ goto bottomup;
15710+
15711+ addr = mm->mmap_base-len;
15712+
15713+ do {
15714+ /*
15715+ * Lookup failure means no vma is above this address,
15716+ * else if new region fits below vma->vm_start,
15717+ * return with success:
15718+ */
15719+ vma = find_vma(mm, addr);
15720+ if (check_heap_stack_gap(vma, addr, len))
15721+ /* remember the address as a hint for next time */
15722+ return (mm->free_area_cache = addr);
15723+
15724+ /* remember the largest hole we saw so far */
15725+ if (addr + mm->cached_hole_size < vma->vm_start)
15726+ mm->cached_hole_size = vma->vm_start - addr;
15727+
15728+ /* try just below the current vma->vm_start */
15729+ addr = skip_heap_stack_gap(vma, len);
15730+ } while (!IS_ERR_VALUE(addr));
15731+
15732+bottomup:
15733+ /*
15734+ * A failed mmap() very likely causes application failure,
15735+ * so fall back to the bottom-up function here. This scenario
15736+ * can happen with large stack limits and large mmap()
15737+ * allocations.
15738+ */
15739+
15740+#ifdef CONFIG_PAX_SEGMEXEC
15741+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
15742+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
15743+ else
15744+#endif
15745+
15746+ mm->mmap_base = TASK_UNMAPPED_BASE;
15747+
15748+#ifdef CONFIG_PAX_RANDMMAP
15749+ if (mm->pax_flags & MF_PAX_RANDMMAP)
15750+ mm->mmap_base += mm->delta_mmap;
15751+#endif
15752+
15753+ mm->free_area_cache = mm->mmap_base;
15754+ mm->cached_hole_size = ~0UL;
15755+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
15756+ /*
15757+ * Restore the topdown base:
15758+ */
15759+ mm->mmap_base = base;
15760+ mm->free_area_cache = base;
15761+ mm->cached_hole_size = ~0UL;
15762+
15763+ return addr;
15764 }
15765diff -urNp linux-3.0.7/arch/x86/kernel/sys_x86_64.c linux-3.0.7/arch/x86/kernel/sys_x86_64.c
15766--- linux-3.0.7/arch/x86/kernel/sys_x86_64.c 2011-07-21 22:17:23.000000000 -0400
15767+++ linux-3.0.7/arch/x86/kernel/sys_x86_64.c 2011-08-23 21:47:55.000000000 -0400
15768@@ -32,8 +32,8 @@ out:
15769 return error;
15770 }
15771
15772-static void find_start_end(unsigned long flags, unsigned long *begin,
15773- unsigned long *end)
15774+static void find_start_end(struct mm_struct *mm, unsigned long flags,
15775+ unsigned long *begin, unsigned long *end)
15776 {
15777 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
15778 unsigned long new_begin;
15779@@ -52,7 +52,7 @@ static void find_start_end(unsigned long
15780 *begin = new_begin;
15781 }
15782 } else {
15783- *begin = TASK_UNMAPPED_BASE;
15784+ *begin = mm->mmap_base;
15785 *end = TASK_SIZE;
15786 }
15787 }
15788@@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
15789 if (flags & MAP_FIXED)
15790 return addr;
15791
15792- find_start_end(flags, &begin, &end);
15793+ find_start_end(mm, flags, &begin, &end);
15794
15795 if (len > end)
15796 return -ENOMEM;
15797
15798+#ifdef CONFIG_PAX_RANDMMAP
15799+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15800+#endif
15801+
15802 if (addr) {
15803 addr = PAGE_ALIGN(addr);
15804 vma = find_vma(mm, addr);
15805- if (end - len >= addr &&
15806- (!vma || addr + len <= vma->vm_start))
15807+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
15808 return addr;
15809 }
15810 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
15811@@ -106,7 +109,7 @@ full_search:
15812 }
15813 return -ENOMEM;
15814 }
15815- if (!vma || addr + len <= vma->vm_start) {
15816+ if (check_heap_stack_gap(vma, addr, len)) {
15817 /*
15818 * Remember the place where we stopped the search:
15819 */
15820@@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
15821 {
15822 struct vm_area_struct *vma;
15823 struct mm_struct *mm = current->mm;
15824- unsigned long addr = addr0;
15825+ unsigned long base = mm->mmap_base, addr = addr0;
15826
15827 /* requested length too big for entire address space */
15828 if (len > TASK_SIZE)
15829@@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
15830 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
15831 goto bottomup;
15832
15833+#ifdef CONFIG_PAX_RANDMMAP
15834+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15835+#endif
15836+
15837 /* requesting a specific address */
15838 if (addr) {
15839 addr = PAGE_ALIGN(addr);
15840- vma = find_vma(mm, addr);
15841- if (TASK_SIZE - len >= addr &&
15842- (!vma || addr + len <= vma->vm_start))
15843- return addr;
15844+ if (TASK_SIZE - len >= addr) {
15845+ vma = find_vma(mm, addr);
15846+ if (check_heap_stack_gap(vma, addr, len))
15847+ return addr;
15848+ }
15849 }
15850
15851 /* check if free_area_cache is useful for us */
15852@@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
15853 /* make sure it can fit in the remaining address space */
15854 if (addr > len) {
15855 vma = find_vma(mm, addr-len);
15856- if (!vma || addr <= vma->vm_start)
15857+ if (check_heap_stack_gap(vma, addr - len, len))
15858 /* remember the address as a hint for next time */
15859 return mm->free_area_cache = addr-len;
15860 }
15861@@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
15862 * return with success:
15863 */
15864 vma = find_vma(mm, addr);
15865- if (!vma || addr+len <= vma->vm_start)
15866+ if (check_heap_stack_gap(vma, addr, len))
15867 /* remember the address as a hint for next time */
15868 return mm->free_area_cache = addr;
15869
15870@@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
15871 mm->cached_hole_size = vma->vm_start - addr;
15872
15873 /* try just below the current vma->vm_start */
15874- addr = vma->vm_start-len;
15875- } while (len < vma->vm_start);
15876+ addr = skip_heap_stack_gap(vma, len);
15877+ } while (!IS_ERR_VALUE(addr));
15878
15879 bottomup:
15880 /*
15881@@ -198,13 +206,21 @@ bottomup:
15882 * can happen with large stack limits and large mmap()
15883 * allocations.
15884 */
15885+ mm->mmap_base = TASK_UNMAPPED_BASE;
15886+
15887+#ifdef CONFIG_PAX_RANDMMAP
15888+ if (mm->pax_flags & MF_PAX_RANDMMAP)
15889+ mm->mmap_base += mm->delta_mmap;
15890+#endif
15891+
15892+ mm->free_area_cache = mm->mmap_base;
15893 mm->cached_hole_size = ~0UL;
15894- mm->free_area_cache = TASK_UNMAPPED_BASE;
15895 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
15896 /*
15897 * Restore the topdown base:
15898 */
15899- mm->free_area_cache = mm->mmap_base;
15900+ mm->mmap_base = base;
15901+ mm->free_area_cache = base;
15902 mm->cached_hole_size = ~0UL;
15903
15904 return addr;
15905diff -urNp linux-3.0.7/arch/x86/kernel/syscall_table_32.S linux-3.0.7/arch/x86/kernel/syscall_table_32.S
15906--- linux-3.0.7/arch/x86/kernel/syscall_table_32.S 2011-07-21 22:17:23.000000000 -0400
15907+++ linux-3.0.7/arch/x86/kernel/syscall_table_32.S 2011-08-23 21:47:55.000000000 -0400
15908@@ -1,3 +1,4 @@
15909+.section .rodata,"a",@progbits
15910 ENTRY(sys_call_table)
15911 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
15912 .long sys_exit
15913diff -urNp linux-3.0.7/arch/x86/kernel/tboot.c linux-3.0.7/arch/x86/kernel/tboot.c
15914--- linux-3.0.7/arch/x86/kernel/tboot.c 2011-07-21 22:17:23.000000000 -0400
15915+++ linux-3.0.7/arch/x86/kernel/tboot.c 2011-08-23 21:47:55.000000000 -0400
15916@@ -217,7 +217,7 @@ static int tboot_setup_sleep(void)
15917
15918 void tboot_shutdown(u32 shutdown_type)
15919 {
15920- void (*shutdown)(void);
15921+ void (* __noreturn shutdown)(void);
15922
15923 if (!tboot_enabled())
15924 return;
15925@@ -239,7 +239,7 @@ void tboot_shutdown(u32 shutdown_type)
15926
15927 switch_to_tboot_pt();
15928
15929- shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
15930+ shutdown = (void *)tboot->shutdown_entry;
15931 shutdown();
15932
15933 /* should not reach here */
15934@@ -296,7 +296,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
15935 tboot_shutdown(acpi_shutdown_map[sleep_state]);
15936 }
15937
15938-static atomic_t ap_wfs_count;
15939+static atomic_unchecked_t ap_wfs_count;
15940
15941 static int tboot_wait_for_aps(int num_aps)
15942 {
15943@@ -320,9 +320,9 @@ static int __cpuinit tboot_cpu_callback(
15944 {
15945 switch (action) {
15946 case CPU_DYING:
15947- atomic_inc(&ap_wfs_count);
15948+ atomic_inc_unchecked(&ap_wfs_count);
15949 if (num_online_cpus() == 1)
15950- if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
15951+ if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
15952 return NOTIFY_BAD;
15953 break;
15954 }
15955@@ -341,7 +341,7 @@ static __init int tboot_late_init(void)
15956
15957 tboot_create_trampoline();
15958
15959- atomic_set(&ap_wfs_count, 0);
15960+ atomic_set_unchecked(&ap_wfs_count, 0);
15961 register_hotcpu_notifier(&tboot_cpu_notifier);
15962 return 0;
15963 }
15964diff -urNp linux-3.0.7/arch/x86/kernel/time.c linux-3.0.7/arch/x86/kernel/time.c
15965--- linux-3.0.7/arch/x86/kernel/time.c 2011-07-21 22:17:23.000000000 -0400
15966+++ linux-3.0.7/arch/x86/kernel/time.c 2011-08-23 21:47:55.000000000 -0400
15967@@ -30,9 +30,9 @@ unsigned long profile_pc(struct pt_regs
15968 {
15969 unsigned long pc = instruction_pointer(regs);
15970
15971- if (!user_mode_vm(regs) && in_lock_functions(pc)) {
15972+ if (!user_mode(regs) && in_lock_functions(pc)) {
15973 #ifdef CONFIG_FRAME_POINTER
15974- return *(unsigned long *)(regs->bp + sizeof(long));
15975+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
15976 #else
15977 unsigned long *sp =
15978 (unsigned long *)kernel_stack_pointer(regs);
15979@@ -41,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
15980 * or above a saved flags. Eflags has bits 22-31 zero,
15981 * kernel addresses don't.
15982 */
15983+
15984+#ifdef CONFIG_PAX_KERNEXEC
15985+ return ktla_ktva(sp[0]);
15986+#else
15987 if (sp[0] >> 22)
15988 return sp[0];
15989 if (sp[1] >> 22)
15990 return sp[1];
15991 #endif
15992+
15993+#endif
15994 }
15995 return pc;
15996 }
15997diff -urNp linux-3.0.7/arch/x86/kernel/tls.c linux-3.0.7/arch/x86/kernel/tls.c
15998--- linux-3.0.7/arch/x86/kernel/tls.c 2011-07-21 22:17:23.000000000 -0400
15999+++ linux-3.0.7/arch/x86/kernel/tls.c 2011-08-23 21:47:55.000000000 -0400
16000@@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
16001 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
16002 return -EINVAL;
16003
16004+#ifdef CONFIG_PAX_SEGMEXEC
16005+ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
16006+ return -EINVAL;
16007+#endif
16008+
16009 set_tls_desc(p, idx, &info, 1);
16010
16011 return 0;
16012diff -urNp linux-3.0.7/arch/x86/kernel/trampoline_32.S linux-3.0.7/arch/x86/kernel/trampoline_32.S
16013--- linux-3.0.7/arch/x86/kernel/trampoline_32.S 2011-07-21 22:17:23.000000000 -0400
16014+++ linux-3.0.7/arch/x86/kernel/trampoline_32.S 2011-08-23 21:47:55.000000000 -0400
16015@@ -32,6 +32,12 @@
16016 #include <asm/segment.h>
16017 #include <asm/page_types.h>
16018
16019+#ifdef CONFIG_PAX_KERNEXEC
16020+#define ta(X) (X)
16021+#else
16022+#define ta(X) ((X) - __PAGE_OFFSET)
16023+#endif
16024+
16025 #ifdef CONFIG_SMP
16026
16027 .section ".x86_trampoline","a"
16028@@ -62,7 +68,7 @@ r_base = .
16029 inc %ax # protected mode (PE) bit
16030 lmsw %ax # into protected mode
16031 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
16032- ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
16033+ ljmpl $__BOOT_CS, $ta(startup_32_smp)
16034
16035 # These need to be in the same 64K segment as the above;
16036 # hence we don't use the boot_gdt_descr defined in head.S
16037diff -urNp linux-3.0.7/arch/x86/kernel/trampoline_64.S linux-3.0.7/arch/x86/kernel/trampoline_64.S
16038--- linux-3.0.7/arch/x86/kernel/trampoline_64.S 2011-07-21 22:17:23.000000000 -0400
16039+++ linux-3.0.7/arch/x86/kernel/trampoline_64.S 2011-08-23 21:47:55.000000000 -0400
16040@@ -90,7 +90,7 @@ startup_32:
16041 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
16042 movl %eax, %ds
16043
16044- movl $X86_CR4_PAE, %eax
16045+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
16046 movl %eax, %cr4 # Enable PAE mode
16047
16048 # Setup trampoline 4 level pagetables
16049@@ -138,7 +138,7 @@ tidt:
16050 # so the kernel can live anywhere
16051 .balign 4
16052 tgdt:
16053- .short tgdt_end - tgdt # gdt limit
16054+ .short tgdt_end - tgdt - 1 # gdt limit
16055 .long tgdt - r_base
16056 .short 0
16057 .quad 0x00cf9b000000ffff # __KERNEL32_CS
16058diff -urNp linux-3.0.7/arch/x86/kernel/traps.c linux-3.0.7/arch/x86/kernel/traps.c
16059--- linux-3.0.7/arch/x86/kernel/traps.c 2011-07-21 22:17:23.000000000 -0400
16060+++ linux-3.0.7/arch/x86/kernel/traps.c 2011-08-23 21:47:55.000000000 -0400
16061@@ -70,12 +70,6 @@ asmlinkage int system_call(void);
16062
16063 /* Do we ignore FPU interrupts ? */
16064 char ignore_fpu_irq;
16065-
16066-/*
16067- * The IDT has to be page-aligned to simplify the Pentium
16068- * F0 0F bug workaround.
16069- */
16070-gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
16071 #endif
16072
16073 DECLARE_BITMAP(used_vectors, NR_VECTORS);
16074@@ -117,13 +111,13 @@ static inline void preempt_conditional_c
16075 }
16076
16077 static void __kprobes
16078-do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
16079+do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
16080 long error_code, siginfo_t *info)
16081 {
16082 struct task_struct *tsk = current;
16083
16084 #ifdef CONFIG_X86_32
16085- if (regs->flags & X86_VM_MASK) {
16086+ if (v8086_mode(regs)) {
16087 /*
16088 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
16089 * On nmi (interrupt 2), do_trap should not be called.
16090@@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
16091 }
16092 #endif
16093
16094- if (!user_mode(regs))
16095+ if (!user_mode_novm(regs))
16096 goto kernel_trap;
16097
16098 #ifdef CONFIG_X86_32
16099@@ -157,7 +151,7 @@ trap_signal:
16100 printk_ratelimit()) {
16101 printk(KERN_INFO
16102 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
16103- tsk->comm, tsk->pid, str,
16104+ tsk->comm, task_pid_nr(tsk), str,
16105 regs->ip, regs->sp, error_code);
16106 print_vma_addr(" in ", regs->ip);
16107 printk("\n");
16108@@ -174,8 +168,20 @@ kernel_trap:
16109 if (!fixup_exception(regs)) {
16110 tsk->thread.error_code = error_code;
16111 tsk->thread.trap_no = trapnr;
16112+
16113+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16114+ if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
16115+ str = "PAX: suspicious stack segment fault";
16116+#endif
16117+
16118 die(str, regs, error_code);
16119 }
16120+
16121+#ifdef CONFIG_PAX_REFCOUNT
16122+ if (trapnr == 4)
16123+ pax_report_refcount_overflow(regs);
16124+#endif
16125+
16126 return;
16127
16128 #ifdef CONFIG_X86_32
16129@@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
16130 conditional_sti(regs);
16131
16132 #ifdef CONFIG_X86_32
16133- if (regs->flags & X86_VM_MASK)
16134+ if (v8086_mode(regs))
16135 goto gp_in_vm86;
16136 #endif
16137
16138 tsk = current;
16139- if (!user_mode(regs))
16140+ if (!user_mode_novm(regs))
16141 goto gp_in_kernel;
16142
16143+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16144+ if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
16145+ struct mm_struct *mm = tsk->mm;
16146+ unsigned long limit;
16147+
16148+ down_write(&mm->mmap_sem);
16149+ limit = mm->context.user_cs_limit;
16150+ if (limit < TASK_SIZE) {
16151+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
16152+ up_write(&mm->mmap_sem);
16153+ return;
16154+ }
16155+ up_write(&mm->mmap_sem);
16156+ }
16157+#endif
16158+
16159 tsk->thread.error_code = error_code;
16160 tsk->thread.trap_no = 13;
16161
16162@@ -304,6 +326,13 @@ gp_in_kernel:
16163 if (notify_die(DIE_GPF, "general protection fault", regs,
16164 error_code, 13, SIGSEGV) == NOTIFY_STOP)
16165 return;
16166+
16167+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16168+ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
16169+ die("PAX: suspicious general protection fault", regs, error_code);
16170+ else
16171+#endif
16172+
16173 die("general protection fault", regs, error_code);
16174 }
16175
16176@@ -433,6 +462,17 @@ static notrace __kprobes void default_do
16177 dotraplinkage notrace __kprobes void
16178 do_nmi(struct pt_regs *regs, long error_code)
16179 {
16180+
16181+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16182+ if (!user_mode(regs)) {
16183+ unsigned long cs = regs->cs & 0xFFFF;
16184+ unsigned long ip = ktva_ktla(regs->ip);
16185+
16186+ if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
16187+ regs->ip = ip;
16188+ }
16189+#endif
16190+
16191 nmi_enter();
16192
16193 inc_irq_stat(__nmi_count);
16194@@ -569,7 +609,7 @@ dotraplinkage void __kprobes do_debug(st
16195 /* It's safe to allow irq's after DR6 has been saved */
16196 preempt_conditional_sti(regs);
16197
16198- if (regs->flags & X86_VM_MASK) {
16199+ if (v8086_mode(regs)) {
16200 handle_vm86_trap((struct kernel_vm86_regs *) regs,
16201 error_code, 1);
16202 preempt_conditional_cli(regs);
16203@@ -583,7 +623,7 @@ dotraplinkage void __kprobes do_debug(st
16204 * We already checked v86 mode above, so we can check for kernel mode
16205 * by just checking the CPL of CS.
16206 */
16207- if ((dr6 & DR_STEP) && !user_mode(regs)) {
16208+ if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
16209 tsk->thread.debugreg6 &= ~DR_STEP;
16210 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
16211 regs->flags &= ~X86_EFLAGS_TF;
16212@@ -612,7 +652,7 @@ void math_error(struct pt_regs *regs, in
16213 return;
16214 conditional_sti(regs);
16215
16216- if (!user_mode_vm(regs))
16217+ if (!user_mode(regs))
16218 {
16219 if (!fixup_exception(regs)) {
16220 task->thread.error_code = error_code;
16221@@ -723,7 +763,7 @@ asmlinkage void __attribute__((weak)) sm
16222 void __math_state_restore(void)
16223 {
16224 struct thread_info *thread = current_thread_info();
16225- struct task_struct *tsk = thread->task;
16226+ struct task_struct *tsk = current;
16227
16228 /*
16229 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
16230@@ -750,8 +790,7 @@ void __math_state_restore(void)
16231 */
16232 asmlinkage void math_state_restore(void)
16233 {
16234- struct thread_info *thread = current_thread_info();
16235- struct task_struct *tsk = thread->task;
16236+ struct task_struct *tsk = current;
16237
16238 if (!tsk_used_math(tsk)) {
16239 local_irq_enable();
16240diff -urNp linux-3.0.7/arch/x86/kernel/verify_cpu.S linux-3.0.7/arch/x86/kernel/verify_cpu.S
16241--- linux-3.0.7/arch/x86/kernel/verify_cpu.S 2011-07-21 22:17:23.000000000 -0400
16242+++ linux-3.0.7/arch/x86/kernel/verify_cpu.S 2011-08-23 21:48:14.000000000 -0400
16243@@ -20,6 +20,7 @@
16244 * arch/x86/boot/compressed/head_64.S: Boot cpu verification
16245 * arch/x86/kernel/trampoline_64.S: secondary processor verification
16246 * arch/x86/kernel/head_32.S: processor startup
16247+ * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
16248 *
16249 * verify_cpu, returns the status of longmode and SSE in register %eax.
16250 * 0: Success 1: Failure
16251diff -urNp linux-3.0.7/arch/x86/kernel/vm86_32.c linux-3.0.7/arch/x86/kernel/vm86_32.c
16252--- linux-3.0.7/arch/x86/kernel/vm86_32.c 2011-07-21 22:17:23.000000000 -0400
16253+++ linux-3.0.7/arch/x86/kernel/vm86_32.c 2011-08-23 21:48:14.000000000 -0400
16254@@ -41,6 +41,7 @@
16255 #include <linux/ptrace.h>
16256 #include <linux/audit.h>
16257 #include <linux/stddef.h>
16258+#include <linux/grsecurity.h>
16259
16260 #include <asm/uaccess.h>
16261 #include <asm/io.h>
16262@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
16263 do_exit(SIGSEGV);
16264 }
16265
16266- tss = &per_cpu(init_tss, get_cpu());
16267+ tss = init_tss + get_cpu();
16268 current->thread.sp0 = current->thread.saved_sp0;
16269 current->thread.sysenter_cs = __KERNEL_CS;
16270 load_sp0(tss, &current->thread);
16271@@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
16272 struct task_struct *tsk;
16273 int tmp, ret = -EPERM;
16274
16275+#ifdef CONFIG_GRKERNSEC_VM86
16276+ if (!capable(CAP_SYS_RAWIO)) {
16277+ gr_handle_vm86();
16278+ goto out;
16279+ }
16280+#endif
16281+
16282 tsk = current;
16283 if (tsk->thread.saved_sp0)
16284 goto out;
16285@@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
16286 int tmp, ret;
16287 struct vm86plus_struct __user *v86;
16288
16289+#ifdef CONFIG_GRKERNSEC_VM86
16290+ if (!capable(CAP_SYS_RAWIO)) {
16291+ gr_handle_vm86();
16292+ ret = -EPERM;
16293+ goto out;
16294+ }
16295+#endif
16296+
16297 tsk = current;
16298 switch (cmd) {
16299 case VM86_REQUEST_IRQ:
16300@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
16301 tsk->thread.saved_fs = info->regs32->fs;
16302 tsk->thread.saved_gs = get_user_gs(info->regs32);
16303
16304- tss = &per_cpu(init_tss, get_cpu());
16305+ tss = init_tss + get_cpu();
16306 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
16307 if (cpu_has_sep)
16308 tsk->thread.sysenter_cs = 0;
16309@@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
16310 goto cannot_handle;
16311 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
16312 goto cannot_handle;
16313- intr_ptr = (unsigned long __user *) (i << 2);
16314+ intr_ptr = (__force unsigned long __user *) (i << 2);
16315 if (get_user(segoffs, intr_ptr))
16316 goto cannot_handle;
16317 if ((segoffs >> 16) == BIOSSEG)
16318diff -urNp linux-3.0.7/arch/x86/kernel/vmlinux.lds.S linux-3.0.7/arch/x86/kernel/vmlinux.lds.S
16319--- linux-3.0.7/arch/x86/kernel/vmlinux.lds.S 2011-07-21 22:17:23.000000000 -0400
16320+++ linux-3.0.7/arch/x86/kernel/vmlinux.lds.S 2011-08-23 21:47:55.000000000 -0400
16321@@ -26,6 +26,13 @@
16322 #include <asm/page_types.h>
16323 #include <asm/cache.h>
16324 #include <asm/boot.h>
16325+#include <asm/segment.h>
16326+
16327+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16328+#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
16329+#else
16330+#define __KERNEL_TEXT_OFFSET 0
16331+#endif
16332
16333 #undef i386 /* in case the preprocessor is a 32bit one */
16334
16335@@ -69,31 +76,46 @@ jiffies_64 = jiffies;
16336
16337 PHDRS {
16338 text PT_LOAD FLAGS(5); /* R_E */
16339+#ifdef CONFIG_X86_32
16340+ module PT_LOAD FLAGS(5); /* R_E */
16341+#endif
16342+#ifdef CONFIG_XEN
16343+ rodata PT_LOAD FLAGS(5); /* R_E */
16344+#else
16345+ rodata PT_LOAD FLAGS(4); /* R__ */
16346+#endif
16347 data PT_LOAD FLAGS(6); /* RW_ */
16348 #ifdef CONFIG_X86_64
16349 user PT_LOAD FLAGS(5); /* R_E */
16350+#endif
16351+ init.begin PT_LOAD FLAGS(6); /* RW_ */
16352 #ifdef CONFIG_SMP
16353 percpu PT_LOAD FLAGS(6); /* RW_ */
16354 #endif
16355+ text.init PT_LOAD FLAGS(5); /* R_E */
16356+ text.exit PT_LOAD FLAGS(5); /* R_E */
16357 init PT_LOAD FLAGS(7); /* RWE */
16358-#endif
16359 note PT_NOTE FLAGS(0); /* ___ */
16360 }
16361
16362 SECTIONS
16363 {
16364 #ifdef CONFIG_X86_32
16365- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
16366- phys_startup_32 = startup_32 - LOAD_OFFSET;
16367+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
16368 #else
16369- . = __START_KERNEL;
16370- phys_startup_64 = startup_64 - LOAD_OFFSET;
16371+ . = __START_KERNEL;
16372 #endif
16373
16374 /* Text and read-only data */
16375- .text : AT(ADDR(.text) - LOAD_OFFSET) {
16376- _text = .;
16377+ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
16378 /* bootstrapping code */
16379+#ifdef CONFIG_X86_32
16380+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16381+#else
16382+ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16383+#endif
16384+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16385+ _text = .;
16386 HEAD_TEXT
16387 #ifdef CONFIG_X86_32
16388 . = ALIGN(PAGE_SIZE);
16389@@ -109,13 +131,47 @@ SECTIONS
16390 IRQENTRY_TEXT
16391 *(.fixup)
16392 *(.gnu.warning)
16393- /* End of text section */
16394- _etext = .;
16395 } :text = 0x9090
16396
16397- NOTES :text :note
16398+ . += __KERNEL_TEXT_OFFSET;
16399+
16400+#ifdef CONFIG_X86_32
16401+ . = ALIGN(PAGE_SIZE);
16402+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
16403+
16404+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
16405+ MODULES_EXEC_VADDR = .;
16406+ BYTE(0)
16407+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
16408+ . = ALIGN(HPAGE_SIZE);
16409+ MODULES_EXEC_END = . - 1;
16410+#endif
16411+
16412+ } :module
16413+#endif
16414+
16415+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
16416+ /* End of text section */
16417+ _etext = . - __KERNEL_TEXT_OFFSET;
16418+ }
16419+
16420+#ifdef CONFIG_X86_32
16421+ . = ALIGN(PAGE_SIZE);
16422+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
16423+ *(.idt)
16424+ . = ALIGN(PAGE_SIZE);
16425+ *(.empty_zero_page)
16426+ *(.initial_pg_fixmap)
16427+ *(.initial_pg_pmd)
16428+ *(.initial_page_table)
16429+ *(.swapper_pg_dir)
16430+ } :rodata
16431+#endif
16432+
16433+ . = ALIGN(PAGE_SIZE);
16434+ NOTES :rodata :note
16435
16436- EXCEPTION_TABLE(16) :text = 0x9090
16437+ EXCEPTION_TABLE(16) :rodata
16438
16439 #if defined(CONFIG_DEBUG_RODATA)
16440 /* .text should occupy whole number of pages */
16441@@ -127,16 +183,20 @@ SECTIONS
16442
16443 /* Data */
16444 .data : AT(ADDR(.data) - LOAD_OFFSET) {
16445+
16446+#ifdef CONFIG_PAX_KERNEXEC
16447+ . = ALIGN(HPAGE_SIZE);
16448+#else
16449+ . = ALIGN(PAGE_SIZE);
16450+#endif
16451+
16452 /* Start of data section */
16453 _sdata = .;
16454
16455 /* init_task */
16456 INIT_TASK_DATA(THREAD_SIZE)
16457
16458-#ifdef CONFIG_X86_32
16459- /* 32 bit has nosave before _edata */
16460 NOSAVE_DATA
16461-#endif
16462
16463 PAGE_ALIGNED_DATA(PAGE_SIZE)
16464
16465@@ -208,12 +268,19 @@ SECTIONS
16466 #endif /* CONFIG_X86_64 */
16467
16468 /* Init code and data - will be freed after init */
16469- . = ALIGN(PAGE_SIZE);
16470 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
16471+ BYTE(0)
16472+
16473+#ifdef CONFIG_PAX_KERNEXEC
16474+ . = ALIGN(HPAGE_SIZE);
16475+#else
16476+ . = ALIGN(PAGE_SIZE);
16477+#endif
16478+
16479 __init_begin = .; /* paired with __init_end */
16480- }
16481+ } :init.begin
16482
16483-#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
16484+#ifdef CONFIG_SMP
16485 /*
16486 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
16487 * output PHDR, so the next output section - .init.text - should
16488@@ -222,12 +289,27 @@ SECTIONS
16489 PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
16490 #endif
16491
16492- INIT_TEXT_SECTION(PAGE_SIZE)
16493-#ifdef CONFIG_X86_64
16494- :init
16495-#endif
16496+ . = ALIGN(PAGE_SIZE);
16497+ init_begin = .;
16498+ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
16499+ VMLINUX_SYMBOL(_sinittext) = .;
16500+ INIT_TEXT
16501+ VMLINUX_SYMBOL(_einittext) = .;
16502+ . = ALIGN(PAGE_SIZE);
16503+ } :text.init
16504
16505- INIT_DATA_SECTION(16)
16506+ /*
16507+ * .exit.text is discard at runtime, not link time, to deal with
16508+ * references from .altinstructions and .eh_frame
16509+ */
16510+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
16511+ EXIT_TEXT
16512+ . = ALIGN(16);
16513+ } :text.exit
16514+ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
16515+
16516+ . = ALIGN(PAGE_SIZE);
16517+ INIT_DATA_SECTION(16) :init
16518
16519 /*
16520 * Code and data for a variety of lowlevel trampolines, to be
16521@@ -301,19 +383,12 @@ SECTIONS
16522 }
16523
16524 . = ALIGN(8);
16525- /*
16526- * .exit.text is discard at runtime, not link time, to deal with
16527- * references from .altinstructions and .eh_frame
16528- */
16529- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
16530- EXIT_TEXT
16531- }
16532
16533 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
16534 EXIT_DATA
16535 }
16536
16537-#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
16538+#ifndef CONFIG_SMP
16539 PERCPU_SECTION(INTERNODE_CACHE_BYTES)
16540 #endif
16541
16542@@ -332,16 +407,10 @@ SECTIONS
16543 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
16544 __smp_locks = .;
16545 *(.smp_locks)
16546- . = ALIGN(PAGE_SIZE);
16547 __smp_locks_end = .;
16548+ . = ALIGN(PAGE_SIZE);
16549 }
16550
16551-#ifdef CONFIG_X86_64
16552- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
16553- NOSAVE_DATA
16554- }
16555-#endif
16556-
16557 /* BSS */
16558 . = ALIGN(PAGE_SIZE);
16559 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
16560@@ -357,6 +426,7 @@ SECTIONS
16561 __brk_base = .;
16562 . += 64 * 1024; /* 64k alignment slop space */
16563 *(.brk_reservation) /* areas brk users have reserved */
16564+ . = ALIGN(HPAGE_SIZE);
16565 __brk_limit = .;
16566 }
16567
16568@@ -383,13 +453,12 @@ SECTIONS
16569 * for the boot processor.
16570 */
16571 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
16572-INIT_PER_CPU(gdt_page);
16573 INIT_PER_CPU(irq_stack_union);
16574
16575 /*
16576 * Build-time check on the image size:
16577 */
16578-. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
16579+. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
16580 "kernel image bigger than KERNEL_IMAGE_SIZE");
16581
16582 #ifdef CONFIG_SMP
16583diff -urNp linux-3.0.7/arch/x86/kernel/vsyscall_64.c linux-3.0.7/arch/x86/kernel/vsyscall_64.c
16584--- linux-3.0.7/arch/x86/kernel/vsyscall_64.c 2011-07-21 22:17:23.000000000 -0400
16585+++ linux-3.0.7/arch/x86/kernel/vsyscall_64.c 2011-08-23 21:47:55.000000000 -0400
16586@@ -53,7 +53,7 @@ DEFINE_VVAR(int, vgetcpu_mode);
16587 DEFINE_VVAR(struct vsyscall_gtod_data, vsyscall_gtod_data) =
16588 {
16589 .lock = __SEQLOCK_UNLOCKED(__vsyscall_gtod_data.lock),
16590- .sysctl_enabled = 1,
16591+ .sysctl_enabled = 0,
16592 };
16593
16594 void update_vsyscall_tz(void)
16595@@ -231,7 +231,7 @@ static long __vsyscall(3) venosys_1(void
16596 static ctl_table kernel_table2[] = {
16597 { .procname = "vsyscall64",
16598 .data = &vsyscall_gtod_data.sysctl_enabled, .maxlen = sizeof(int),
16599- .mode = 0644,
16600+ .mode = 0444,
16601 .proc_handler = proc_dointvec },
16602 {}
16603 };
16604diff -urNp linux-3.0.7/arch/x86/kernel/x8664_ksyms_64.c linux-3.0.7/arch/x86/kernel/x8664_ksyms_64.c
16605--- linux-3.0.7/arch/x86/kernel/x8664_ksyms_64.c 2011-07-21 22:17:23.000000000 -0400
16606+++ linux-3.0.7/arch/x86/kernel/x8664_ksyms_64.c 2011-08-23 21:47:55.000000000 -0400
16607@@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
16608 EXPORT_SYMBOL(copy_user_generic_string);
16609 EXPORT_SYMBOL(copy_user_generic_unrolled);
16610 EXPORT_SYMBOL(__copy_user_nocache);
16611-EXPORT_SYMBOL(_copy_from_user);
16612-EXPORT_SYMBOL(_copy_to_user);
16613
16614 EXPORT_SYMBOL(copy_page);
16615 EXPORT_SYMBOL(clear_page);
16616diff -urNp linux-3.0.7/arch/x86/kernel/xsave.c linux-3.0.7/arch/x86/kernel/xsave.c
16617--- linux-3.0.7/arch/x86/kernel/xsave.c 2011-07-21 22:17:23.000000000 -0400
16618+++ linux-3.0.7/arch/x86/kernel/xsave.c 2011-10-06 04:17:55.000000000 -0400
16619@@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
16620 fx_sw_user->xstate_size > fx_sw_user->extended_size)
16621 return -EINVAL;
16622
16623- err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
16624+ err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
16625 fx_sw_user->extended_size -
16626 FP_XSTATE_MAGIC2_SIZE));
16627 if (err)
16628@@ -267,7 +267,7 @@ fx_only:
16629 * the other extended state.
16630 */
16631 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
16632- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
16633+ return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
16634 }
16635
16636 /*
16637@@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
16638 if (use_xsave())
16639 err = restore_user_xstate(buf);
16640 else
16641- err = fxrstor_checking((__force struct i387_fxsave_struct *)
16642+ err = fxrstor_checking((struct i387_fxsave_struct __force_kernel *)
16643 buf);
16644 if (unlikely(err)) {
16645 /*
16646diff -urNp linux-3.0.7/arch/x86/kvm/emulate.c linux-3.0.7/arch/x86/kvm/emulate.c
16647--- linux-3.0.7/arch/x86/kvm/emulate.c 2011-07-21 22:17:23.000000000 -0400
16648+++ linux-3.0.7/arch/x86/kvm/emulate.c 2011-08-23 21:47:55.000000000 -0400
16649@@ -96,7 +96,7 @@
16650 #define Src2ImmByte (2<<29)
16651 #define Src2One (3<<29)
16652 #define Src2Imm (4<<29)
16653-#define Src2Mask (7<<29)
16654+#define Src2Mask (7U<<29)
16655
16656 #define X2(x...) x, x
16657 #define X3(x...) X2(x), x
16658@@ -207,6 +207,7 @@ struct gprefix {
16659
16660 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
16661 do { \
16662+ unsigned long _tmp; \
16663 __asm__ __volatile__ ( \
16664 _PRE_EFLAGS("0", "4", "2") \
16665 _op _suffix " %"_x"3,%1; " \
16666@@ -220,8 +221,6 @@ struct gprefix {
16667 /* Raw emulation: instruction has two explicit operands. */
16668 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
16669 do { \
16670- unsigned long _tmp; \
16671- \
16672 switch ((_dst).bytes) { \
16673 case 2: \
16674 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
16675@@ -237,7 +236,6 @@ struct gprefix {
16676
16677 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
16678 do { \
16679- unsigned long _tmp; \
16680 switch ((_dst).bytes) { \
16681 case 1: \
16682 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
16683diff -urNp linux-3.0.7/arch/x86/kvm/lapic.c linux-3.0.7/arch/x86/kvm/lapic.c
16684--- linux-3.0.7/arch/x86/kvm/lapic.c 2011-07-21 22:17:23.000000000 -0400
16685+++ linux-3.0.7/arch/x86/kvm/lapic.c 2011-08-23 21:47:55.000000000 -0400
16686@@ -53,7 +53,7 @@
16687 #define APIC_BUS_CYCLE_NS 1
16688
16689 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
16690-#define apic_debug(fmt, arg...)
16691+#define apic_debug(fmt, arg...) do {} while (0)
16692
16693 #define APIC_LVT_NUM 6
16694 /* 14 is the version for Xeon and Pentium 8.4.8*/
16695diff -urNp linux-3.0.7/arch/x86/kvm/mmu.c linux-3.0.7/arch/x86/kvm/mmu.c
16696--- linux-3.0.7/arch/x86/kvm/mmu.c 2011-07-21 22:17:23.000000000 -0400
16697+++ linux-3.0.7/arch/x86/kvm/mmu.c 2011-08-23 21:47:55.000000000 -0400
16698@@ -3238,7 +3238,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
16699
16700 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
16701
16702- invlpg_counter = atomic_read(&vcpu->kvm->arch.invlpg_counter);
16703+ invlpg_counter = atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter);
16704
16705 /*
16706 * Assume that the pte write on a page table of the same type
16707@@ -3270,7 +3270,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
16708 }
16709
16710 spin_lock(&vcpu->kvm->mmu_lock);
16711- if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
16712+ if (atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
16713 gentry = 0;
16714 kvm_mmu_free_some_pages(vcpu);
16715 ++vcpu->kvm->stat.mmu_pte_write;
16716diff -urNp linux-3.0.7/arch/x86/kvm/paging_tmpl.h linux-3.0.7/arch/x86/kvm/paging_tmpl.h
16717--- linux-3.0.7/arch/x86/kvm/paging_tmpl.h 2011-07-21 22:17:23.000000000 -0400
16718+++ linux-3.0.7/arch/x86/kvm/paging_tmpl.h 2011-10-06 04:17:55.000000000 -0400
16719@@ -182,7 +182,7 @@ walk:
16720 break;
16721 }
16722
16723- ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
16724+ ptep_user = (pt_element_t __force_user *)((void *)host_addr + offset);
16725 if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte)))) {
16726 present = false;
16727 break;
16728@@ -583,6 +583,8 @@ static int FNAME(page_fault)(struct kvm_
16729 unsigned long mmu_seq;
16730 bool map_writable;
16731
16732+ pax_track_stack();
16733+
16734 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
16735
16736 r = mmu_topup_memory_caches(vcpu);
16737@@ -703,7 +705,7 @@ static void FNAME(invlpg)(struct kvm_vcp
16738 if (need_flush)
16739 kvm_flush_remote_tlbs(vcpu->kvm);
16740
16741- atomic_inc(&vcpu->kvm->arch.invlpg_counter);
16742+ atomic_inc_unchecked(&vcpu->kvm->arch.invlpg_counter);
16743
16744 spin_unlock(&vcpu->kvm->mmu_lock);
16745
16746diff -urNp linux-3.0.7/arch/x86/kvm/svm.c linux-3.0.7/arch/x86/kvm/svm.c
16747--- linux-3.0.7/arch/x86/kvm/svm.c 2011-07-21 22:17:23.000000000 -0400
16748+++ linux-3.0.7/arch/x86/kvm/svm.c 2011-08-23 21:47:55.000000000 -0400
16749@@ -3377,7 +3377,11 @@ static void reload_tss(struct kvm_vcpu *
16750 int cpu = raw_smp_processor_id();
16751
16752 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
16753+
16754+ pax_open_kernel();
16755 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
16756+ pax_close_kernel();
16757+
16758 load_TR_desc();
16759 }
16760
16761@@ -3755,6 +3759,10 @@ static void svm_vcpu_run(struct kvm_vcpu
16762 #endif
16763 #endif
16764
16765+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16766+ __set_fs(current_thread_info()->addr_limit);
16767+#endif
16768+
16769 reload_tss(vcpu);
16770
16771 local_irq_disable();
16772diff -urNp linux-3.0.7/arch/x86/kvm/vmx.c linux-3.0.7/arch/x86/kvm/vmx.c
16773--- linux-3.0.7/arch/x86/kvm/vmx.c 2011-07-21 22:17:23.000000000 -0400
16774+++ linux-3.0.7/arch/x86/kvm/vmx.c 2011-08-23 21:47:55.000000000 -0400
16775@@ -797,7 +797,11 @@ static void reload_tss(void)
16776 struct desc_struct *descs;
16777
16778 descs = (void *)gdt->address;
16779+
16780+ pax_open_kernel();
16781 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
16782+ pax_close_kernel();
16783+
16784 load_TR_desc();
16785 }
16786
16787@@ -1747,8 +1751,11 @@ static __init int hardware_setup(void)
16788 if (!cpu_has_vmx_flexpriority())
16789 flexpriority_enabled = 0;
16790
16791- if (!cpu_has_vmx_tpr_shadow())
16792- kvm_x86_ops->update_cr8_intercept = NULL;
16793+ if (!cpu_has_vmx_tpr_shadow()) {
16794+ pax_open_kernel();
16795+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
16796+ pax_close_kernel();
16797+ }
16798
16799 if (enable_ept && !cpu_has_vmx_ept_2m_page())
16800 kvm_disable_largepages();
16801@@ -2814,7 +2821,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
16802 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
16803
16804 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
16805- vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
16806+ vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
16807 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
16808 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
16809 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
16810@@ -4211,6 +4218,12 @@ static void __noclone vmx_vcpu_run(struc
16811 "jmp .Lkvm_vmx_return \n\t"
16812 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
16813 ".Lkvm_vmx_return: "
16814+
16815+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16816+ "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
16817+ ".Lkvm_vmx_return2: "
16818+#endif
16819+
16820 /* Save guest registers, load host registers, keep flags */
16821 "mov %0, %c[wordsize](%%"R"sp) \n\t"
16822 "pop %0 \n\t"
16823@@ -4259,6 +4272,11 @@ static void __noclone vmx_vcpu_run(struc
16824 #endif
16825 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
16826 [wordsize]"i"(sizeof(ulong))
16827+
16828+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16829+ ,[cs]"i"(__KERNEL_CS)
16830+#endif
16831+
16832 : "cc", "memory"
16833 , R"ax", R"bx", R"di", R"si"
16834 #ifdef CONFIG_X86_64
16835@@ -4276,7 +4294,16 @@ static void __noclone vmx_vcpu_run(struc
16836
16837 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
16838
16839- asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
16840+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
16841+
16842+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16843+ loadsegment(fs, __KERNEL_PERCPU);
16844+#endif
16845+
16846+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16847+ __set_fs(current_thread_info()->addr_limit);
16848+#endif
16849+
16850 vmx->launched = 1;
16851
16852 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
16853diff -urNp linux-3.0.7/arch/x86/kvm/x86.c linux-3.0.7/arch/x86/kvm/x86.c
16854--- linux-3.0.7/arch/x86/kvm/x86.c 2011-07-21 22:17:23.000000000 -0400
16855+++ linux-3.0.7/arch/x86/kvm/x86.c 2011-10-06 04:17:55.000000000 -0400
16856@@ -1313,8 +1313,8 @@ static int xen_hvm_config(struct kvm_vcp
16857 {
16858 struct kvm *kvm = vcpu->kvm;
16859 int lm = is_long_mode(vcpu);
16860- u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64
16861- : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
16862+ u8 __user *blob_addr = lm ? (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_64
16863+ : (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
16864 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
16865 : kvm->arch.xen_hvm_config.blob_size_32;
16866 u32 page_num = data & ~PAGE_MASK;
16867@@ -2057,6 +2057,8 @@ long kvm_arch_dev_ioctl(struct file *fil
16868 if (n < msr_list.nmsrs)
16869 goto out;
16870 r = -EFAULT;
16871+ if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
16872+ goto out;
16873 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
16874 num_msrs_to_save * sizeof(u32)))
16875 goto out;
16876@@ -2229,15 +2231,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
16877 struct kvm_cpuid2 *cpuid,
16878 struct kvm_cpuid_entry2 __user *entries)
16879 {
16880- int r;
16881+ int r, i;
16882
16883 r = -E2BIG;
16884 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
16885 goto out;
16886 r = -EFAULT;
16887- if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
16888- cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
16889+ if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
16890 goto out;
16891+ for (i = 0; i < cpuid->nent; ++i) {
16892+ struct kvm_cpuid_entry2 cpuid_entry;
16893+ if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
16894+ goto out;
16895+ vcpu->arch.cpuid_entries[i] = cpuid_entry;
16896+ }
16897 vcpu->arch.cpuid_nent = cpuid->nent;
16898 kvm_apic_set_version(vcpu);
16899 kvm_x86_ops->cpuid_update(vcpu);
16900@@ -2252,15 +2259,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
16901 struct kvm_cpuid2 *cpuid,
16902 struct kvm_cpuid_entry2 __user *entries)
16903 {
16904- int r;
16905+ int r, i;
16906
16907 r = -E2BIG;
16908 if (cpuid->nent < vcpu->arch.cpuid_nent)
16909 goto out;
16910 r = -EFAULT;
16911- if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
16912- vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
16913+ if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
16914 goto out;
16915+ for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
16916+ struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
16917+ if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
16918+ goto out;
16919+ }
16920 return 0;
16921
16922 out:
16923@@ -2579,7 +2590,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
16924 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
16925 struct kvm_interrupt *irq)
16926 {
16927- if (irq->irq < 0 || irq->irq >= 256)
16928+ if (irq->irq >= 256)
16929 return -EINVAL;
16930 if (irqchip_in_kernel(vcpu->kvm))
16931 return -ENXIO;
16932@@ -4878,7 +4889,7 @@ void kvm_after_handle_nmi(struct kvm_vcp
16933 }
16934 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
16935
16936-int kvm_arch_init(void *opaque)
16937+int kvm_arch_init(const void *opaque)
16938 {
16939 int r;
16940 struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
16941diff -urNp linux-3.0.7/arch/x86/lguest/boot.c linux-3.0.7/arch/x86/lguest/boot.c
16942--- linux-3.0.7/arch/x86/lguest/boot.c 2011-07-21 22:17:23.000000000 -0400
16943+++ linux-3.0.7/arch/x86/lguest/boot.c 2011-08-23 21:47:55.000000000 -0400
16944@@ -1176,9 +1176,10 @@ static __init int early_put_chars(u32 vt
16945 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
16946 * Launcher to reboot us.
16947 */
16948-static void lguest_restart(char *reason)
16949+static __noreturn void lguest_restart(char *reason)
16950 {
16951 hcall(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART, 0, 0);
16952+ BUG();
16953 }
16954
16955 /*G:050
16956diff -urNp linux-3.0.7/arch/x86/lib/atomic64_32.c linux-3.0.7/arch/x86/lib/atomic64_32.c
16957--- linux-3.0.7/arch/x86/lib/atomic64_32.c 2011-07-21 22:17:23.000000000 -0400
16958+++ linux-3.0.7/arch/x86/lib/atomic64_32.c 2011-08-23 21:47:55.000000000 -0400
16959@@ -8,18 +8,30 @@
16960
16961 long long atomic64_read_cx8(long long, const atomic64_t *v);
16962 EXPORT_SYMBOL(atomic64_read_cx8);
16963+long long atomic64_read_unchecked_cx8(long long, const atomic64_unchecked_t *v);
16964+EXPORT_SYMBOL(atomic64_read_unchecked_cx8);
16965 long long atomic64_set_cx8(long long, const atomic64_t *v);
16966 EXPORT_SYMBOL(atomic64_set_cx8);
16967+long long atomic64_set_unchecked_cx8(long long, const atomic64_unchecked_t *v);
16968+EXPORT_SYMBOL(atomic64_set_unchecked_cx8);
16969 long long atomic64_xchg_cx8(long long, unsigned high);
16970 EXPORT_SYMBOL(atomic64_xchg_cx8);
16971 long long atomic64_add_return_cx8(long long a, atomic64_t *v);
16972 EXPORT_SYMBOL(atomic64_add_return_cx8);
16973+long long atomic64_add_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
16974+EXPORT_SYMBOL(atomic64_add_return_unchecked_cx8);
16975 long long atomic64_sub_return_cx8(long long a, atomic64_t *v);
16976 EXPORT_SYMBOL(atomic64_sub_return_cx8);
16977+long long atomic64_sub_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
16978+EXPORT_SYMBOL(atomic64_sub_return_unchecked_cx8);
16979 long long atomic64_inc_return_cx8(long long a, atomic64_t *v);
16980 EXPORT_SYMBOL(atomic64_inc_return_cx8);
16981+long long atomic64_inc_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
16982+EXPORT_SYMBOL(atomic64_inc_return_unchecked_cx8);
16983 long long atomic64_dec_return_cx8(long long a, atomic64_t *v);
16984 EXPORT_SYMBOL(atomic64_dec_return_cx8);
16985+long long atomic64_dec_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
16986+EXPORT_SYMBOL(atomic64_dec_return_unchecked_cx8);
16987 long long atomic64_dec_if_positive_cx8(atomic64_t *v);
16988 EXPORT_SYMBOL(atomic64_dec_if_positive_cx8);
16989 int atomic64_inc_not_zero_cx8(atomic64_t *v);
16990@@ -30,26 +42,46 @@ EXPORT_SYMBOL(atomic64_add_unless_cx8);
16991 #ifndef CONFIG_X86_CMPXCHG64
16992 long long atomic64_read_386(long long, const atomic64_t *v);
16993 EXPORT_SYMBOL(atomic64_read_386);
16994+long long atomic64_read_unchecked_386(long long, const atomic64_unchecked_t *v);
16995+EXPORT_SYMBOL(atomic64_read_unchecked_386);
16996 long long atomic64_set_386(long long, const atomic64_t *v);
16997 EXPORT_SYMBOL(atomic64_set_386);
16998+long long atomic64_set_unchecked_386(long long, const atomic64_unchecked_t *v);
16999+EXPORT_SYMBOL(atomic64_set_unchecked_386);
17000 long long atomic64_xchg_386(long long, unsigned high);
17001 EXPORT_SYMBOL(atomic64_xchg_386);
17002 long long atomic64_add_return_386(long long a, atomic64_t *v);
17003 EXPORT_SYMBOL(atomic64_add_return_386);
17004+long long atomic64_add_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17005+EXPORT_SYMBOL(atomic64_add_return_unchecked_386);
17006 long long atomic64_sub_return_386(long long a, atomic64_t *v);
17007 EXPORT_SYMBOL(atomic64_sub_return_386);
17008+long long atomic64_sub_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17009+EXPORT_SYMBOL(atomic64_sub_return_unchecked_386);
17010 long long atomic64_inc_return_386(long long a, atomic64_t *v);
17011 EXPORT_SYMBOL(atomic64_inc_return_386);
17012+long long atomic64_inc_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17013+EXPORT_SYMBOL(atomic64_inc_return_unchecked_386);
17014 long long atomic64_dec_return_386(long long a, atomic64_t *v);
17015 EXPORT_SYMBOL(atomic64_dec_return_386);
17016+long long atomic64_dec_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17017+EXPORT_SYMBOL(atomic64_dec_return_unchecked_386);
17018 long long atomic64_add_386(long long a, atomic64_t *v);
17019 EXPORT_SYMBOL(atomic64_add_386);
17020+long long atomic64_add_unchecked_386(long long a, atomic64_unchecked_t *v);
17021+EXPORT_SYMBOL(atomic64_add_unchecked_386);
17022 long long atomic64_sub_386(long long a, atomic64_t *v);
17023 EXPORT_SYMBOL(atomic64_sub_386);
17024+long long atomic64_sub_unchecked_386(long long a, atomic64_unchecked_t *v);
17025+EXPORT_SYMBOL(atomic64_sub_unchecked_386);
17026 long long atomic64_inc_386(long long a, atomic64_t *v);
17027 EXPORT_SYMBOL(atomic64_inc_386);
17028+long long atomic64_inc_unchecked_386(long long a, atomic64_unchecked_t *v);
17029+EXPORT_SYMBOL(atomic64_inc_unchecked_386);
17030 long long atomic64_dec_386(long long a, atomic64_t *v);
17031 EXPORT_SYMBOL(atomic64_dec_386);
17032+long long atomic64_dec_unchecked_386(long long a, atomic64_unchecked_t *v);
17033+EXPORT_SYMBOL(atomic64_dec_unchecked_386);
17034 long long atomic64_dec_if_positive_386(atomic64_t *v);
17035 EXPORT_SYMBOL(atomic64_dec_if_positive_386);
17036 int atomic64_inc_not_zero_386(atomic64_t *v);
17037diff -urNp linux-3.0.7/arch/x86/lib/atomic64_386_32.S linux-3.0.7/arch/x86/lib/atomic64_386_32.S
17038--- linux-3.0.7/arch/x86/lib/atomic64_386_32.S 2011-07-21 22:17:23.000000000 -0400
17039+++ linux-3.0.7/arch/x86/lib/atomic64_386_32.S 2011-08-23 21:47:55.000000000 -0400
17040@@ -48,6 +48,10 @@ BEGIN(read)
17041 movl (v), %eax
17042 movl 4(v), %edx
17043 RET_ENDP
17044+BEGIN(read_unchecked)
17045+ movl (v), %eax
17046+ movl 4(v), %edx
17047+RET_ENDP
17048 #undef v
17049
17050 #define v %esi
17051@@ -55,6 +59,10 @@ BEGIN(set)
17052 movl %ebx, (v)
17053 movl %ecx, 4(v)
17054 RET_ENDP
17055+BEGIN(set_unchecked)
17056+ movl %ebx, (v)
17057+ movl %ecx, 4(v)
17058+RET_ENDP
17059 #undef v
17060
17061 #define v %esi
17062@@ -70,6 +78,20 @@ RET_ENDP
17063 BEGIN(add)
17064 addl %eax, (v)
17065 adcl %edx, 4(v)
17066+
17067+#ifdef CONFIG_PAX_REFCOUNT
17068+ jno 0f
17069+ subl %eax, (v)
17070+ sbbl %edx, 4(v)
17071+ int $4
17072+0:
17073+ _ASM_EXTABLE(0b, 0b)
17074+#endif
17075+
17076+RET_ENDP
17077+BEGIN(add_unchecked)
17078+ addl %eax, (v)
17079+ adcl %edx, 4(v)
17080 RET_ENDP
17081 #undef v
17082
17083@@ -77,6 +99,24 @@ RET_ENDP
17084 BEGIN(add_return)
17085 addl (v), %eax
17086 adcl 4(v), %edx
17087+
17088+#ifdef CONFIG_PAX_REFCOUNT
17089+ into
17090+1234:
17091+ _ASM_EXTABLE(1234b, 2f)
17092+#endif
17093+
17094+ movl %eax, (v)
17095+ movl %edx, 4(v)
17096+
17097+#ifdef CONFIG_PAX_REFCOUNT
17098+2:
17099+#endif
17100+
17101+RET_ENDP
17102+BEGIN(add_return_unchecked)
17103+ addl (v), %eax
17104+ adcl 4(v), %edx
17105 movl %eax, (v)
17106 movl %edx, 4(v)
17107 RET_ENDP
17108@@ -86,6 +126,20 @@ RET_ENDP
17109 BEGIN(sub)
17110 subl %eax, (v)
17111 sbbl %edx, 4(v)
17112+
17113+#ifdef CONFIG_PAX_REFCOUNT
17114+ jno 0f
17115+ addl %eax, (v)
17116+ adcl %edx, 4(v)
17117+ int $4
17118+0:
17119+ _ASM_EXTABLE(0b, 0b)
17120+#endif
17121+
17122+RET_ENDP
17123+BEGIN(sub_unchecked)
17124+ subl %eax, (v)
17125+ sbbl %edx, 4(v)
17126 RET_ENDP
17127 #undef v
17128
17129@@ -96,6 +150,27 @@ BEGIN(sub_return)
17130 sbbl $0, %edx
17131 addl (v), %eax
17132 adcl 4(v), %edx
17133+
17134+#ifdef CONFIG_PAX_REFCOUNT
17135+ into
17136+1234:
17137+ _ASM_EXTABLE(1234b, 2f)
17138+#endif
17139+
17140+ movl %eax, (v)
17141+ movl %edx, 4(v)
17142+
17143+#ifdef CONFIG_PAX_REFCOUNT
17144+2:
17145+#endif
17146+
17147+RET_ENDP
17148+BEGIN(sub_return_unchecked)
17149+ negl %edx
17150+ negl %eax
17151+ sbbl $0, %edx
17152+ addl (v), %eax
17153+ adcl 4(v), %edx
17154 movl %eax, (v)
17155 movl %edx, 4(v)
17156 RET_ENDP
17157@@ -105,6 +180,20 @@ RET_ENDP
17158 BEGIN(inc)
17159 addl $1, (v)
17160 adcl $0, 4(v)
17161+
17162+#ifdef CONFIG_PAX_REFCOUNT
17163+ jno 0f
17164+ subl $1, (v)
17165+ sbbl $0, 4(v)
17166+ int $4
17167+0:
17168+ _ASM_EXTABLE(0b, 0b)
17169+#endif
17170+
17171+RET_ENDP
17172+BEGIN(inc_unchecked)
17173+ addl $1, (v)
17174+ adcl $0, 4(v)
17175 RET_ENDP
17176 #undef v
17177
17178@@ -114,6 +203,26 @@ BEGIN(inc_return)
17179 movl 4(v), %edx
17180 addl $1, %eax
17181 adcl $0, %edx
17182+
17183+#ifdef CONFIG_PAX_REFCOUNT
17184+ into
17185+1234:
17186+ _ASM_EXTABLE(1234b, 2f)
17187+#endif
17188+
17189+ movl %eax, (v)
17190+ movl %edx, 4(v)
17191+
17192+#ifdef CONFIG_PAX_REFCOUNT
17193+2:
17194+#endif
17195+
17196+RET_ENDP
17197+BEGIN(inc_return_unchecked)
17198+ movl (v), %eax
17199+ movl 4(v), %edx
17200+ addl $1, %eax
17201+ adcl $0, %edx
17202 movl %eax, (v)
17203 movl %edx, 4(v)
17204 RET_ENDP
17205@@ -123,6 +232,20 @@ RET_ENDP
17206 BEGIN(dec)
17207 subl $1, (v)
17208 sbbl $0, 4(v)
17209+
17210+#ifdef CONFIG_PAX_REFCOUNT
17211+ jno 0f
17212+ addl $1, (v)
17213+ adcl $0, 4(v)
17214+ int $4
17215+0:
17216+ _ASM_EXTABLE(0b, 0b)
17217+#endif
17218+
17219+RET_ENDP
17220+BEGIN(dec_unchecked)
17221+ subl $1, (v)
17222+ sbbl $0, 4(v)
17223 RET_ENDP
17224 #undef v
17225
17226@@ -132,6 +255,26 @@ BEGIN(dec_return)
17227 movl 4(v), %edx
17228 subl $1, %eax
17229 sbbl $0, %edx
17230+
17231+#ifdef CONFIG_PAX_REFCOUNT
17232+ into
17233+1234:
17234+ _ASM_EXTABLE(1234b, 2f)
17235+#endif
17236+
17237+ movl %eax, (v)
17238+ movl %edx, 4(v)
17239+
17240+#ifdef CONFIG_PAX_REFCOUNT
17241+2:
17242+#endif
17243+
17244+RET_ENDP
17245+BEGIN(dec_return_unchecked)
17246+ movl (v), %eax
17247+ movl 4(v), %edx
17248+ subl $1, %eax
17249+ sbbl $0, %edx
17250 movl %eax, (v)
17251 movl %edx, 4(v)
17252 RET_ENDP
17253@@ -143,6 +286,13 @@ BEGIN(add_unless)
17254 adcl %edx, %edi
17255 addl (v), %eax
17256 adcl 4(v), %edx
17257+
17258+#ifdef CONFIG_PAX_REFCOUNT
17259+ into
17260+1234:
17261+ _ASM_EXTABLE(1234b, 2f)
17262+#endif
17263+
17264 cmpl %eax, %esi
17265 je 3f
17266 1:
17267@@ -168,6 +318,13 @@ BEGIN(inc_not_zero)
17268 1:
17269 addl $1, %eax
17270 adcl $0, %edx
17271+
17272+#ifdef CONFIG_PAX_REFCOUNT
17273+ into
17274+1234:
17275+ _ASM_EXTABLE(1234b, 2f)
17276+#endif
17277+
17278 movl %eax, (v)
17279 movl %edx, 4(v)
17280 movl $1, %eax
17281@@ -186,6 +343,13 @@ BEGIN(dec_if_positive)
17282 movl 4(v), %edx
17283 subl $1, %eax
17284 sbbl $0, %edx
17285+
17286+#ifdef CONFIG_PAX_REFCOUNT
17287+ into
17288+1234:
17289+ _ASM_EXTABLE(1234b, 1f)
17290+#endif
17291+
17292 js 1f
17293 movl %eax, (v)
17294 movl %edx, 4(v)
17295diff -urNp linux-3.0.7/arch/x86/lib/atomic64_cx8_32.S linux-3.0.7/arch/x86/lib/atomic64_cx8_32.S
17296--- linux-3.0.7/arch/x86/lib/atomic64_cx8_32.S 2011-07-21 22:17:23.000000000 -0400
17297+++ linux-3.0.7/arch/x86/lib/atomic64_cx8_32.S 2011-10-06 04:17:55.000000000 -0400
17298@@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8)
17299 CFI_STARTPROC
17300
17301 read64 %ecx
17302+ pax_force_retaddr
17303 ret
17304 CFI_ENDPROC
17305 ENDPROC(atomic64_read_cx8)
17306
17307+ENTRY(atomic64_read_unchecked_cx8)
17308+ CFI_STARTPROC
17309+
17310+ read64 %ecx
17311+ pax_force_retaddr
17312+ ret
17313+ CFI_ENDPROC
17314+ENDPROC(atomic64_read_unchecked_cx8)
17315+
17316 ENTRY(atomic64_set_cx8)
17317 CFI_STARTPROC
17318
17319@@ -48,10 +58,25 @@ ENTRY(atomic64_set_cx8)
17320 cmpxchg8b (%esi)
17321 jne 1b
17322
17323+ pax_force_retaddr
17324 ret
17325 CFI_ENDPROC
17326 ENDPROC(atomic64_set_cx8)
17327
17328+ENTRY(atomic64_set_unchecked_cx8)
17329+ CFI_STARTPROC
17330+
17331+1:
17332+/* we don't need LOCK_PREFIX since aligned 64-bit writes
17333+ * are atomic on 586 and newer */
17334+ cmpxchg8b (%esi)
17335+ jne 1b
17336+
17337+ pax_force_retaddr
17338+ ret
17339+ CFI_ENDPROC
17340+ENDPROC(atomic64_set_unchecked_cx8)
17341+
17342 ENTRY(atomic64_xchg_cx8)
17343 CFI_STARTPROC
17344
17345@@ -62,12 +87,13 @@ ENTRY(atomic64_xchg_cx8)
17346 cmpxchg8b (%esi)
17347 jne 1b
17348
17349+ pax_force_retaddr
17350 ret
17351 CFI_ENDPROC
17352 ENDPROC(atomic64_xchg_cx8)
17353
17354-.macro addsub_return func ins insc
17355-ENTRY(atomic64_\func\()_return_cx8)
17356+.macro addsub_return func ins insc unchecked=""
17357+ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
17358 CFI_STARTPROC
17359 SAVE ebp
17360 SAVE ebx
17361@@ -84,27 +110,44 @@ ENTRY(atomic64_\func\()_return_cx8)
17362 movl %edx, %ecx
17363 \ins\()l %esi, %ebx
17364 \insc\()l %edi, %ecx
17365+
17366+.ifb \unchecked
17367+#ifdef CONFIG_PAX_REFCOUNT
17368+ into
17369+2:
17370+ _ASM_EXTABLE(2b, 3f)
17371+#endif
17372+.endif
17373+
17374 LOCK_PREFIX
17375 cmpxchg8b (%ebp)
17376 jne 1b
17377-
17378-10:
17379 movl %ebx, %eax
17380 movl %ecx, %edx
17381+
17382+.ifb \unchecked
17383+#ifdef CONFIG_PAX_REFCOUNT
17384+3:
17385+#endif
17386+.endif
17387+
17388 RESTORE edi
17389 RESTORE esi
17390 RESTORE ebx
17391 RESTORE ebp
17392+ pax_force_retaddr
17393 ret
17394 CFI_ENDPROC
17395-ENDPROC(atomic64_\func\()_return_cx8)
17396+ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
17397 .endm
17398
17399 addsub_return add add adc
17400 addsub_return sub sub sbb
17401+addsub_return add add adc _unchecked
17402+addsub_return sub sub sbb _unchecked
17403
17404-.macro incdec_return func ins insc
17405-ENTRY(atomic64_\func\()_return_cx8)
17406+.macro incdec_return func ins insc unchecked
17407+ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
17408 CFI_STARTPROC
17409 SAVE ebx
17410
17411@@ -114,21 +157,39 @@ ENTRY(atomic64_\func\()_return_cx8)
17412 movl %edx, %ecx
17413 \ins\()l $1, %ebx
17414 \insc\()l $0, %ecx
17415+
17416+.ifb \unchecked
17417+#ifdef CONFIG_PAX_REFCOUNT
17418+ into
17419+2:
17420+ _ASM_EXTABLE(2b, 3f)
17421+#endif
17422+.endif
17423+
17424 LOCK_PREFIX
17425 cmpxchg8b (%esi)
17426 jne 1b
17427
17428-10:
17429 movl %ebx, %eax
17430 movl %ecx, %edx
17431+
17432+.ifb \unchecked
17433+#ifdef CONFIG_PAX_REFCOUNT
17434+3:
17435+#endif
17436+.endif
17437+
17438 RESTORE ebx
17439+ pax_force_retaddr
17440 ret
17441 CFI_ENDPROC
17442-ENDPROC(atomic64_\func\()_return_cx8)
17443+ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
17444 .endm
17445
17446 incdec_return inc add adc
17447 incdec_return dec sub sbb
17448+incdec_return inc add adc _unchecked
17449+incdec_return dec sub sbb _unchecked
17450
17451 ENTRY(atomic64_dec_if_positive_cx8)
17452 CFI_STARTPROC
17453@@ -140,6 +201,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
17454 movl %edx, %ecx
17455 subl $1, %ebx
17456 sbb $0, %ecx
17457+
17458+#ifdef CONFIG_PAX_REFCOUNT
17459+ into
17460+1234:
17461+ _ASM_EXTABLE(1234b, 2f)
17462+#endif
17463+
17464 js 2f
17465 LOCK_PREFIX
17466 cmpxchg8b (%esi)
17467@@ -149,6 +217,7 @@ ENTRY(atomic64_dec_if_positive_cx8)
17468 movl %ebx, %eax
17469 movl %ecx, %edx
17470 RESTORE ebx
17471+ pax_force_retaddr
17472 ret
17473 CFI_ENDPROC
17474 ENDPROC(atomic64_dec_if_positive_cx8)
17475@@ -174,6 +243,13 @@ ENTRY(atomic64_add_unless_cx8)
17476 movl %edx, %ecx
17477 addl %esi, %ebx
17478 adcl %edi, %ecx
17479+
17480+#ifdef CONFIG_PAX_REFCOUNT
17481+ into
17482+1234:
17483+ _ASM_EXTABLE(1234b, 3f)
17484+#endif
17485+
17486 LOCK_PREFIX
17487 cmpxchg8b (%ebp)
17488 jne 1b
17489@@ -184,6 +260,7 @@ ENTRY(atomic64_add_unless_cx8)
17490 CFI_ADJUST_CFA_OFFSET -8
17491 RESTORE ebx
17492 RESTORE ebp
17493+ pax_force_retaddr
17494 ret
17495 4:
17496 cmpl %edx, 4(%esp)
17497@@ -206,6 +283,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
17498 movl %edx, %ecx
17499 addl $1, %ebx
17500 adcl $0, %ecx
17501+
17502+#ifdef CONFIG_PAX_REFCOUNT
17503+ into
17504+1234:
17505+ _ASM_EXTABLE(1234b, 3f)
17506+#endif
17507+
17508 LOCK_PREFIX
17509 cmpxchg8b (%esi)
17510 jne 1b
17511@@ -213,6 +297,7 @@ ENTRY(atomic64_inc_not_zero_cx8)
17512 movl $1, %eax
17513 3:
17514 RESTORE ebx
17515+ pax_force_retaddr
17516 ret
17517 4:
17518 testl %edx, %edx
17519diff -urNp linux-3.0.7/arch/x86/lib/checksum_32.S linux-3.0.7/arch/x86/lib/checksum_32.S
17520--- linux-3.0.7/arch/x86/lib/checksum_32.S 2011-07-21 22:17:23.000000000 -0400
17521+++ linux-3.0.7/arch/x86/lib/checksum_32.S 2011-08-23 21:47:55.000000000 -0400
17522@@ -28,7 +28,8 @@
17523 #include <linux/linkage.h>
17524 #include <asm/dwarf2.h>
17525 #include <asm/errno.h>
17526-
17527+#include <asm/segment.h>
17528+
17529 /*
17530 * computes a partial checksum, e.g. for TCP/UDP fragments
17531 */
17532@@ -296,9 +297,24 @@ unsigned int csum_partial_copy_generic (
17533
17534 #define ARGBASE 16
17535 #define FP 12
17536-
17537-ENTRY(csum_partial_copy_generic)
17538+
17539+ENTRY(csum_partial_copy_generic_to_user)
17540 CFI_STARTPROC
17541+
17542+#ifdef CONFIG_PAX_MEMORY_UDEREF
17543+ pushl_cfi %gs
17544+ popl_cfi %es
17545+ jmp csum_partial_copy_generic
17546+#endif
17547+
17548+ENTRY(csum_partial_copy_generic_from_user)
17549+
17550+#ifdef CONFIG_PAX_MEMORY_UDEREF
17551+ pushl_cfi %gs
17552+ popl_cfi %ds
17553+#endif
17554+
17555+ENTRY(csum_partial_copy_generic)
17556 subl $4,%esp
17557 CFI_ADJUST_CFA_OFFSET 4
17558 pushl_cfi %edi
17559@@ -320,7 +336,7 @@ ENTRY(csum_partial_copy_generic)
17560 jmp 4f
17561 SRC(1: movw (%esi), %bx )
17562 addl $2, %esi
17563-DST( movw %bx, (%edi) )
17564+DST( movw %bx, %es:(%edi) )
17565 addl $2, %edi
17566 addw %bx, %ax
17567 adcl $0, %eax
17568@@ -332,30 +348,30 @@ DST( movw %bx, (%edi) )
17569 SRC(1: movl (%esi), %ebx )
17570 SRC( movl 4(%esi), %edx )
17571 adcl %ebx, %eax
17572-DST( movl %ebx, (%edi) )
17573+DST( movl %ebx, %es:(%edi) )
17574 adcl %edx, %eax
17575-DST( movl %edx, 4(%edi) )
17576+DST( movl %edx, %es:4(%edi) )
17577
17578 SRC( movl 8(%esi), %ebx )
17579 SRC( movl 12(%esi), %edx )
17580 adcl %ebx, %eax
17581-DST( movl %ebx, 8(%edi) )
17582+DST( movl %ebx, %es:8(%edi) )
17583 adcl %edx, %eax
17584-DST( movl %edx, 12(%edi) )
17585+DST( movl %edx, %es:12(%edi) )
17586
17587 SRC( movl 16(%esi), %ebx )
17588 SRC( movl 20(%esi), %edx )
17589 adcl %ebx, %eax
17590-DST( movl %ebx, 16(%edi) )
17591+DST( movl %ebx, %es:16(%edi) )
17592 adcl %edx, %eax
17593-DST( movl %edx, 20(%edi) )
17594+DST( movl %edx, %es:20(%edi) )
17595
17596 SRC( movl 24(%esi), %ebx )
17597 SRC( movl 28(%esi), %edx )
17598 adcl %ebx, %eax
17599-DST( movl %ebx, 24(%edi) )
17600+DST( movl %ebx, %es:24(%edi) )
17601 adcl %edx, %eax
17602-DST( movl %edx, 28(%edi) )
17603+DST( movl %edx, %es:28(%edi) )
17604
17605 lea 32(%esi), %esi
17606 lea 32(%edi), %edi
17607@@ -369,7 +385,7 @@ DST( movl %edx, 28(%edi) )
17608 shrl $2, %edx # This clears CF
17609 SRC(3: movl (%esi), %ebx )
17610 adcl %ebx, %eax
17611-DST( movl %ebx, (%edi) )
17612+DST( movl %ebx, %es:(%edi) )
17613 lea 4(%esi), %esi
17614 lea 4(%edi), %edi
17615 dec %edx
17616@@ -381,12 +397,12 @@ DST( movl %ebx, (%edi) )
17617 jb 5f
17618 SRC( movw (%esi), %cx )
17619 leal 2(%esi), %esi
17620-DST( movw %cx, (%edi) )
17621+DST( movw %cx, %es:(%edi) )
17622 leal 2(%edi), %edi
17623 je 6f
17624 shll $16,%ecx
17625 SRC(5: movb (%esi), %cl )
17626-DST( movb %cl, (%edi) )
17627+DST( movb %cl, %es:(%edi) )
17628 6: addl %ecx, %eax
17629 adcl $0, %eax
17630 7:
17631@@ -397,7 +413,7 @@ DST( movb %cl, (%edi) )
17632
17633 6001:
17634 movl ARGBASE+20(%esp), %ebx # src_err_ptr
17635- movl $-EFAULT, (%ebx)
17636+ movl $-EFAULT, %ss:(%ebx)
17637
17638 # zero the complete destination - computing the rest
17639 # is too much work
17640@@ -410,11 +426,15 @@ DST( movb %cl, (%edi) )
17641
17642 6002:
17643 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
17644- movl $-EFAULT,(%ebx)
17645+ movl $-EFAULT,%ss:(%ebx)
17646 jmp 5000b
17647
17648 .previous
17649
17650+ pushl_cfi %ss
17651+ popl_cfi %ds
17652+ pushl_cfi %ss
17653+ popl_cfi %es
17654 popl_cfi %ebx
17655 CFI_RESTORE ebx
17656 popl_cfi %esi
17657@@ -424,26 +444,43 @@ DST( movb %cl, (%edi) )
17658 popl_cfi %ecx # equivalent to addl $4,%esp
17659 ret
17660 CFI_ENDPROC
17661-ENDPROC(csum_partial_copy_generic)
17662+ENDPROC(csum_partial_copy_generic_to_user)
17663
17664 #else
17665
17666 /* Version for PentiumII/PPro */
17667
17668 #define ROUND1(x) \
17669+ nop; nop; nop; \
17670 SRC(movl x(%esi), %ebx ) ; \
17671 addl %ebx, %eax ; \
17672- DST(movl %ebx, x(%edi) ) ;
17673+ DST(movl %ebx, %es:x(%edi)) ;
17674
17675 #define ROUND(x) \
17676+ nop; nop; nop; \
17677 SRC(movl x(%esi), %ebx ) ; \
17678 adcl %ebx, %eax ; \
17679- DST(movl %ebx, x(%edi) ) ;
17680+ DST(movl %ebx, %es:x(%edi)) ;
17681
17682 #define ARGBASE 12
17683-
17684-ENTRY(csum_partial_copy_generic)
17685+
17686+ENTRY(csum_partial_copy_generic_to_user)
17687 CFI_STARTPROC
17688+
17689+#ifdef CONFIG_PAX_MEMORY_UDEREF
17690+ pushl_cfi %gs
17691+ popl_cfi %es
17692+ jmp csum_partial_copy_generic
17693+#endif
17694+
17695+ENTRY(csum_partial_copy_generic_from_user)
17696+
17697+#ifdef CONFIG_PAX_MEMORY_UDEREF
17698+ pushl_cfi %gs
17699+ popl_cfi %ds
17700+#endif
17701+
17702+ENTRY(csum_partial_copy_generic)
17703 pushl_cfi %ebx
17704 CFI_REL_OFFSET ebx, 0
17705 pushl_cfi %edi
17706@@ -464,7 +501,7 @@ ENTRY(csum_partial_copy_generic)
17707 subl %ebx, %edi
17708 lea -1(%esi),%edx
17709 andl $-32,%edx
17710- lea 3f(%ebx,%ebx), %ebx
17711+ lea 3f(%ebx,%ebx,2), %ebx
17712 testl %esi, %esi
17713 jmp *%ebx
17714 1: addl $64,%esi
17715@@ -485,19 +522,19 @@ ENTRY(csum_partial_copy_generic)
17716 jb 5f
17717 SRC( movw (%esi), %dx )
17718 leal 2(%esi), %esi
17719-DST( movw %dx, (%edi) )
17720+DST( movw %dx, %es:(%edi) )
17721 leal 2(%edi), %edi
17722 je 6f
17723 shll $16,%edx
17724 5:
17725 SRC( movb (%esi), %dl )
17726-DST( movb %dl, (%edi) )
17727+DST( movb %dl, %es:(%edi) )
17728 6: addl %edx, %eax
17729 adcl $0, %eax
17730 7:
17731 .section .fixup, "ax"
17732 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
17733- movl $-EFAULT, (%ebx)
17734+ movl $-EFAULT, %ss:(%ebx)
17735 # zero the complete destination (computing the rest is too much work)
17736 movl ARGBASE+8(%esp),%edi # dst
17737 movl ARGBASE+12(%esp),%ecx # len
17738@@ -505,10 +542,17 @@ DST( movb %dl, (%edi) )
17739 rep; stosb
17740 jmp 7b
17741 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
17742- movl $-EFAULT, (%ebx)
17743+ movl $-EFAULT, %ss:(%ebx)
17744 jmp 7b
17745 .previous
17746
17747+#ifdef CONFIG_PAX_MEMORY_UDEREF
17748+ pushl_cfi %ss
17749+ popl_cfi %ds
17750+ pushl_cfi %ss
17751+ popl_cfi %es
17752+#endif
17753+
17754 popl_cfi %esi
17755 CFI_RESTORE esi
17756 popl_cfi %edi
17757@@ -517,7 +561,7 @@ DST( movb %dl, (%edi) )
17758 CFI_RESTORE ebx
17759 ret
17760 CFI_ENDPROC
17761-ENDPROC(csum_partial_copy_generic)
17762+ENDPROC(csum_partial_copy_generic_to_user)
17763
17764 #undef ROUND
17765 #undef ROUND1
17766diff -urNp linux-3.0.7/arch/x86/lib/clear_page_64.S linux-3.0.7/arch/x86/lib/clear_page_64.S
17767--- linux-3.0.7/arch/x86/lib/clear_page_64.S 2011-07-21 22:17:23.000000000 -0400
17768+++ linux-3.0.7/arch/x86/lib/clear_page_64.S 2011-10-06 04:17:55.000000000 -0400
17769@@ -11,6 +11,7 @@ ENTRY(clear_page_c)
17770 movl $4096/8,%ecx
17771 xorl %eax,%eax
17772 rep stosq
17773+ pax_force_retaddr
17774 ret
17775 CFI_ENDPROC
17776 ENDPROC(clear_page_c)
17777@@ -20,6 +21,7 @@ ENTRY(clear_page_c_e)
17778 movl $4096,%ecx
17779 xorl %eax,%eax
17780 rep stosb
17781+ pax_force_retaddr
17782 ret
17783 CFI_ENDPROC
17784 ENDPROC(clear_page_c_e)
17785@@ -43,6 +45,7 @@ ENTRY(clear_page)
17786 leaq 64(%rdi),%rdi
17787 jnz .Lloop
17788 nop
17789+ pax_force_retaddr
17790 ret
17791 CFI_ENDPROC
17792 .Lclear_page_end:
17793@@ -58,7 +61,7 @@ ENDPROC(clear_page)
17794
17795 #include <asm/cpufeature.h>
17796
17797- .section .altinstr_replacement,"ax"
17798+ .section .altinstr_replacement,"a"
17799 1: .byte 0xeb /* jmp <disp8> */
17800 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
17801 2: .byte 0xeb /* jmp <disp8> */
17802diff -urNp linux-3.0.7/arch/x86/lib/cmpxchg16b_emu.S linux-3.0.7/arch/x86/lib/cmpxchg16b_emu.S
17803--- linux-3.0.7/arch/x86/lib/cmpxchg16b_emu.S 2011-07-21 22:17:23.000000000 -0400
17804+++ linux-3.0.7/arch/x86/lib/cmpxchg16b_emu.S 2011-10-07 19:07:28.000000000 -0400
17805@@ -53,11 +53,13 @@ this_cpu_cmpxchg16b_emu:
17806
17807 popf
17808 mov $1, %al
17809+ pax_force_retaddr
17810 ret
17811
17812 not_same:
17813 popf
17814 xor %al,%al
17815+ pax_force_retaddr
17816 ret
17817
17818 CFI_ENDPROC
17819diff -urNp linux-3.0.7/arch/x86/lib/copy_page_64.S linux-3.0.7/arch/x86/lib/copy_page_64.S
17820--- linux-3.0.7/arch/x86/lib/copy_page_64.S 2011-07-21 22:17:23.000000000 -0400
17821+++ linux-3.0.7/arch/x86/lib/copy_page_64.S 2011-10-06 04:17:55.000000000 -0400
17822@@ -2,12 +2,14 @@
17823
17824 #include <linux/linkage.h>
17825 #include <asm/dwarf2.h>
17826+#include <asm/alternative-asm.h>
17827
17828 ALIGN
17829 copy_page_c:
17830 CFI_STARTPROC
17831 movl $4096/8,%ecx
17832 rep movsq
17833+ pax_force_retaddr
17834 ret
17835 CFI_ENDPROC
17836 ENDPROC(copy_page_c)
17837@@ -94,6 +96,7 @@ ENTRY(copy_page)
17838 CFI_RESTORE r13
17839 addq $3*8,%rsp
17840 CFI_ADJUST_CFA_OFFSET -3*8
17841+ pax_force_retaddr
17842 ret
17843 .Lcopy_page_end:
17844 CFI_ENDPROC
17845@@ -104,7 +107,7 @@ ENDPROC(copy_page)
17846
17847 #include <asm/cpufeature.h>
17848
17849- .section .altinstr_replacement,"ax"
17850+ .section .altinstr_replacement,"a"
17851 1: .byte 0xeb /* jmp <disp8> */
17852 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
17853 2:
17854diff -urNp linux-3.0.7/arch/x86/lib/copy_user_64.S linux-3.0.7/arch/x86/lib/copy_user_64.S
17855--- linux-3.0.7/arch/x86/lib/copy_user_64.S 2011-07-21 22:17:23.000000000 -0400
17856+++ linux-3.0.7/arch/x86/lib/copy_user_64.S 2011-10-06 04:17:55.000000000 -0400
17857@@ -16,6 +16,7 @@
17858 #include <asm/thread_info.h>
17859 #include <asm/cpufeature.h>
17860 #include <asm/alternative-asm.h>
17861+#include <asm/pgtable.h>
17862
17863 /*
17864 * By placing feature2 after feature1 in altinstructions section, we logically
17865@@ -29,7 +30,7 @@
17866 .byte 0xe9 /* 32bit jump */
17867 .long \orig-1f /* by default jump to orig */
17868 1:
17869- .section .altinstr_replacement,"ax"
17870+ .section .altinstr_replacement,"a"
17871 2: .byte 0xe9 /* near jump with 32bit immediate */
17872 .long \alt1-1b /* offset */ /* or alternatively to alt1 */
17873 3: .byte 0xe9 /* near jump with 32bit immediate */
17874@@ -71,47 +72,20 @@
17875 #endif
17876 .endm
17877
17878-/* Standard copy_to_user with segment limit checking */
17879-ENTRY(_copy_to_user)
17880- CFI_STARTPROC
17881- GET_THREAD_INFO(%rax)
17882- movq %rdi,%rcx
17883- addq %rdx,%rcx
17884- jc bad_to_user
17885- cmpq TI_addr_limit(%rax),%rcx
17886- ja bad_to_user
17887- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \
17888- copy_user_generic_unrolled,copy_user_generic_string, \
17889- copy_user_enhanced_fast_string
17890- CFI_ENDPROC
17891-ENDPROC(_copy_to_user)
17892-
17893-/* Standard copy_from_user with segment limit checking */
17894-ENTRY(_copy_from_user)
17895- CFI_STARTPROC
17896- GET_THREAD_INFO(%rax)
17897- movq %rsi,%rcx
17898- addq %rdx,%rcx
17899- jc bad_from_user
17900- cmpq TI_addr_limit(%rax),%rcx
17901- ja bad_from_user
17902- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \
17903- copy_user_generic_unrolled,copy_user_generic_string, \
17904- copy_user_enhanced_fast_string
17905- CFI_ENDPROC
17906-ENDPROC(_copy_from_user)
17907-
17908 .section .fixup,"ax"
17909 /* must zero dest */
17910 ENTRY(bad_from_user)
17911 bad_from_user:
17912 CFI_STARTPROC
17913+ testl %edx,%edx
17914+ js bad_to_user
17915 movl %edx,%ecx
17916 xorl %eax,%eax
17917 rep
17918 stosb
17919 bad_to_user:
17920 movl %edx,%eax
17921+ pax_force_retaddr
17922 ret
17923 CFI_ENDPROC
17924 ENDPROC(bad_from_user)
17925@@ -179,6 +153,7 @@ ENTRY(copy_user_generic_unrolled)
17926 decl %ecx
17927 jnz 21b
17928 23: xor %eax,%eax
17929+ pax_force_retaddr
17930 ret
17931
17932 .section .fixup,"ax"
17933@@ -251,6 +226,7 @@ ENTRY(copy_user_generic_string)
17934 3: rep
17935 movsb
17936 4: xorl %eax,%eax
17937+ pax_force_retaddr
17938 ret
17939
17940 .section .fixup,"ax"
17941@@ -287,6 +263,7 @@ ENTRY(copy_user_enhanced_fast_string)
17942 1: rep
17943 movsb
17944 2: xorl %eax,%eax
17945+ pax_force_retaddr
17946 ret
17947
17948 .section .fixup,"ax"
17949diff -urNp linux-3.0.7/arch/x86/lib/copy_user_nocache_64.S linux-3.0.7/arch/x86/lib/copy_user_nocache_64.S
17950--- linux-3.0.7/arch/x86/lib/copy_user_nocache_64.S 2011-07-21 22:17:23.000000000 -0400
17951+++ linux-3.0.7/arch/x86/lib/copy_user_nocache_64.S 2011-10-06 04:17:55.000000000 -0400
17952@@ -8,12 +8,14 @@
17953
17954 #include <linux/linkage.h>
17955 #include <asm/dwarf2.h>
17956+#include <asm/alternative-asm.h>
17957
17958 #define FIX_ALIGNMENT 1
17959
17960 #include <asm/current.h>
17961 #include <asm/asm-offsets.h>
17962 #include <asm/thread_info.h>
17963+#include <asm/pgtable.h>
17964
17965 .macro ALIGN_DESTINATION
17966 #ifdef FIX_ALIGNMENT
17967@@ -50,6 +52,15 @@
17968 */
17969 ENTRY(__copy_user_nocache)
17970 CFI_STARTPROC
17971+
17972+#ifdef CONFIG_PAX_MEMORY_UDEREF
17973+ mov $PAX_USER_SHADOW_BASE,%rcx
17974+ cmp %rcx,%rsi
17975+ jae 1f
17976+ add %rcx,%rsi
17977+1:
17978+#endif
17979+
17980 cmpl $8,%edx
17981 jb 20f /* less then 8 bytes, go to byte copy loop */
17982 ALIGN_DESTINATION
17983@@ -98,6 +109,7 @@ ENTRY(__copy_user_nocache)
17984 jnz 21b
17985 23: xorl %eax,%eax
17986 sfence
17987+ pax_force_retaddr
17988 ret
17989
17990 .section .fixup,"ax"
17991diff -urNp linux-3.0.7/arch/x86/lib/csum-copy_64.S linux-3.0.7/arch/x86/lib/csum-copy_64.S
17992--- linux-3.0.7/arch/x86/lib/csum-copy_64.S 2011-07-21 22:17:23.000000000 -0400
17993+++ linux-3.0.7/arch/x86/lib/csum-copy_64.S 2011-10-06 04:17:55.000000000 -0400
17994@@ -8,6 +8,7 @@
17995 #include <linux/linkage.h>
17996 #include <asm/dwarf2.h>
17997 #include <asm/errno.h>
17998+#include <asm/alternative-asm.h>
17999
18000 /*
18001 * Checksum copy with exception handling.
18002@@ -228,6 +229,7 @@ ENTRY(csum_partial_copy_generic)
18003 CFI_RESTORE rbp
18004 addq $7*8, %rsp
18005 CFI_ADJUST_CFA_OFFSET -7*8
18006+ pax_force_retaddr
18007 ret
18008 CFI_RESTORE_STATE
18009
18010diff -urNp linux-3.0.7/arch/x86/lib/csum-wrappers_64.c linux-3.0.7/arch/x86/lib/csum-wrappers_64.c
18011--- linux-3.0.7/arch/x86/lib/csum-wrappers_64.c 2011-07-21 22:17:23.000000000 -0400
18012+++ linux-3.0.7/arch/x86/lib/csum-wrappers_64.c 2011-10-06 04:17:55.000000000 -0400
18013@@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void _
18014 len -= 2;
18015 }
18016 }
18017- isum = csum_partial_copy_generic((__force const void *)src,
18018+
18019+#ifdef CONFIG_PAX_MEMORY_UDEREF
18020+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
18021+ src += PAX_USER_SHADOW_BASE;
18022+#endif
18023+
18024+ isum = csum_partial_copy_generic((const void __force_kernel *)src,
18025 dst, len, isum, errp, NULL);
18026 if (unlikely(*errp))
18027 goto out_err;
18028@@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *sr
18029 }
18030
18031 *errp = 0;
18032- return csum_partial_copy_generic(src, (void __force *)dst,
18033+
18034+#ifdef CONFIG_PAX_MEMORY_UDEREF
18035+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
18036+ dst += PAX_USER_SHADOW_BASE;
18037+#endif
18038+
18039+ return csum_partial_copy_generic(src, (void __force_kernel *)dst,
18040 len, isum, NULL, errp);
18041 }
18042 EXPORT_SYMBOL(csum_partial_copy_to_user);
18043diff -urNp linux-3.0.7/arch/x86/lib/getuser.S linux-3.0.7/arch/x86/lib/getuser.S
18044--- linux-3.0.7/arch/x86/lib/getuser.S 2011-07-21 22:17:23.000000000 -0400
18045+++ linux-3.0.7/arch/x86/lib/getuser.S 2011-10-07 19:07:23.000000000 -0400
18046@@ -33,15 +33,38 @@
18047 #include <asm/asm-offsets.h>
18048 #include <asm/thread_info.h>
18049 #include <asm/asm.h>
18050+#include <asm/segment.h>
18051+#include <asm/pgtable.h>
18052+#include <asm/alternative-asm.h>
18053+
18054+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18055+#define __copyuser_seg gs;
18056+#else
18057+#define __copyuser_seg
18058+#endif
18059
18060 .text
18061 ENTRY(__get_user_1)
18062 CFI_STARTPROC
18063+
18064+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18065 GET_THREAD_INFO(%_ASM_DX)
18066 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18067 jae bad_get_user
18068-1: movzb (%_ASM_AX),%edx
18069+
18070+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18071+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18072+ cmp %_ASM_DX,%_ASM_AX
18073+ jae 1234f
18074+ add %_ASM_DX,%_ASM_AX
18075+1234:
18076+#endif
18077+
18078+#endif
18079+
18080+1: __copyuser_seg movzb (%_ASM_AX),%edx
18081 xor %eax,%eax
18082+ pax_force_retaddr
18083 ret
18084 CFI_ENDPROC
18085 ENDPROC(__get_user_1)
18086@@ -49,12 +72,26 @@ ENDPROC(__get_user_1)
18087 ENTRY(__get_user_2)
18088 CFI_STARTPROC
18089 add $1,%_ASM_AX
18090+
18091+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18092 jc bad_get_user
18093 GET_THREAD_INFO(%_ASM_DX)
18094 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18095 jae bad_get_user
18096-2: movzwl -1(%_ASM_AX),%edx
18097+
18098+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18099+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18100+ cmp %_ASM_DX,%_ASM_AX
18101+ jae 1234f
18102+ add %_ASM_DX,%_ASM_AX
18103+1234:
18104+#endif
18105+
18106+#endif
18107+
18108+2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
18109 xor %eax,%eax
18110+ pax_force_retaddr
18111 ret
18112 CFI_ENDPROC
18113 ENDPROC(__get_user_2)
18114@@ -62,12 +99,26 @@ ENDPROC(__get_user_2)
18115 ENTRY(__get_user_4)
18116 CFI_STARTPROC
18117 add $3,%_ASM_AX
18118+
18119+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18120 jc bad_get_user
18121 GET_THREAD_INFO(%_ASM_DX)
18122 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18123 jae bad_get_user
18124-3: mov -3(%_ASM_AX),%edx
18125+
18126+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18127+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18128+ cmp %_ASM_DX,%_ASM_AX
18129+ jae 1234f
18130+ add %_ASM_DX,%_ASM_AX
18131+1234:
18132+#endif
18133+
18134+#endif
18135+
18136+3: __copyuser_seg mov -3(%_ASM_AX),%edx
18137 xor %eax,%eax
18138+ pax_force_retaddr
18139 ret
18140 CFI_ENDPROC
18141 ENDPROC(__get_user_4)
18142@@ -80,8 +131,18 @@ ENTRY(__get_user_8)
18143 GET_THREAD_INFO(%_ASM_DX)
18144 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18145 jae bad_get_user
18146+
18147+#ifdef CONFIG_PAX_MEMORY_UDEREF
18148+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18149+ cmp %_ASM_DX,%_ASM_AX
18150+ jae 1234f
18151+ add %_ASM_DX,%_ASM_AX
18152+1234:
18153+#endif
18154+
18155 4: movq -7(%_ASM_AX),%_ASM_DX
18156 xor %eax,%eax
18157+ pax_force_retaddr
18158 ret
18159 CFI_ENDPROC
18160 ENDPROC(__get_user_8)
18161@@ -91,6 +152,7 @@ bad_get_user:
18162 CFI_STARTPROC
18163 xor %edx,%edx
18164 mov $(-EFAULT),%_ASM_AX
18165+ pax_force_retaddr
18166 ret
18167 CFI_ENDPROC
18168 END(bad_get_user)
18169diff -urNp linux-3.0.7/arch/x86/lib/insn.c linux-3.0.7/arch/x86/lib/insn.c
18170--- linux-3.0.7/arch/x86/lib/insn.c 2011-07-21 22:17:23.000000000 -0400
18171+++ linux-3.0.7/arch/x86/lib/insn.c 2011-08-23 21:47:55.000000000 -0400
18172@@ -21,6 +21,11 @@
18173 #include <linux/string.h>
18174 #include <asm/inat.h>
18175 #include <asm/insn.h>
18176+#ifdef __KERNEL__
18177+#include <asm/pgtable_types.h>
18178+#else
18179+#define ktla_ktva(addr) addr
18180+#endif
18181
18182 #define get_next(t, insn) \
18183 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
18184@@ -40,8 +45,8 @@
18185 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
18186 {
18187 memset(insn, 0, sizeof(*insn));
18188- insn->kaddr = kaddr;
18189- insn->next_byte = kaddr;
18190+ insn->kaddr = ktla_ktva(kaddr);
18191+ insn->next_byte = ktla_ktva(kaddr);
18192 insn->x86_64 = x86_64 ? 1 : 0;
18193 insn->opnd_bytes = 4;
18194 if (x86_64)
18195diff -urNp linux-3.0.7/arch/x86/lib/iomap_copy_64.S linux-3.0.7/arch/x86/lib/iomap_copy_64.S
18196--- linux-3.0.7/arch/x86/lib/iomap_copy_64.S 2011-07-21 22:17:23.000000000 -0400
18197+++ linux-3.0.7/arch/x86/lib/iomap_copy_64.S 2011-10-06 04:17:55.000000000 -0400
18198@@ -17,6 +17,7 @@
18199
18200 #include <linux/linkage.h>
18201 #include <asm/dwarf2.h>
18202+#include <asm/alternative-asm.h>
18203
18204 /*
18205 * override generic version in lib/iomap_copy.c
18206@@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
18207 CFI_STARTPROC
18208 movl %edx,%ecx
18209 rep movsd
18210+ pax_force_retaddr
18211 ret
18212 CFI_ENDPROC
18213 ENDPROC(__iowrite32_copy)
18214diff -urNp linux-3.0.7/arch/x86/lib/memcpy_64.S linux-3.0.7/arch/x86/lib/memcpy_64.S
18215--- linux-3.0.7/arch/x86/lib/memcpy_64.S 2011-07-21 22:17:23.000000000 -0400
18216+++ linux-3.0.7/arch/x86/lib/memcpy_64.S 2011-10-06 04:17:55.000000000 -0400
18217@@ -34,6 +34,7 @@
18218 rep movsq
18219 movl %edx, %ecx
18220 rep movsb
18221+ pax_force_retaddr
18222 ret
18223 .Lmemcpy_e:
18224 .previous
18225@@ -51,6 +52,7 @@
18226
18227 movl %edx, %ecx
18228 rep movsb
18229+ pax_force_retaddr
18230 ret
18231 .Lmemcpy_e_e:
18232 .previous
18233@@ -141,6 +143,7 @@ ENTRY(memcpy)
18234 movq %r9, 1*8(%rdi)
18235 movq %r10, -2*8(%rdi, %rdx)
18236 movq %r11, -1*8(%rdi, %rdx)
18237+ pax_force_retaddr
18238 retq
18239 .p2align 4
18240 .Lless_16bytes:
18241@@ -153,6 +156,7 @@ ENTRY(memcpy)
18242 movq -1*8(%rsi, %rdx), %r9
18243 movq %r8, 0*8(%rdi)
18244 movq %r9, -1*8(%rdi, %rdx)
18245+ pax_force_retaddr
18246 retq
18247 .p2align 4
18248 .Lless_8bytes:
18249@@ -166,6 +170,7 @@ ENTRY(memcpy)
18250 movl -4(%rsi, %rdx), %r8d
18251 movl %ecx, (%rdi)
18252 movl %r8d, -4(%rdi, %rdx)
18253+ pax_force_retaddr
18254 retq
18255 .p2align 4
18256 .Lless_3bytes:
18257@@ -183,6 +188,7 @@ ENTRY(memcpy)
18258 jnz .Lloop_1
18259
18260 .Lend:
18261+ pax_force_retaddr
18262 retq
18263 CFI_ENDPROC
18264 ENDPROC(memcpy)
18265diff -urNp linux-3.0.7/arch/x86/lib/memmove_64.S linux-3.0.7/arch/x86/lib/memmove_64.S
18266--- linux-3.0.7/arch/x86/lib/memmove_64.S 2011-07-21 22:17:23.000000000 -0400
18267+++ linux-3.0.7/arch/x86/lib/memmove_64.S 2011-10-06 04:17:55.000000000 -0400
18268@@ -9,6 +9,7 @@
18269 #include <linux/linkage.h>
18270 #include <asm/dwarf2.h>
18271 #include <asm/cpufeature.h>
18272+#include <asm/alternative-asm.h>
18273
18274 #undef memmove
18275
18276@@ -201,6 +202,7 @@ ENTRY(memmove)
18277 movb (%rsi), %r11b
18278 movb %r11b, (%rdi)
18279 13:
18280+ pax_force_retaddr
18281 retq
18282 CFI_ENDPROC
18283
18284@@ -209,6 +211,7 @@ ENTRY(memmove)
18285 /* Forward moving data. */
18286 movq %rdx, %rcx
18287 rep movsb
18288+ pax_force_retaddr
18289 retq
18290 .Lmemmove_end_forward_efs:
18291 .previous
18292diff -urNp linux-3.0.7/arch/x86/lib/memset_64.S linux-3.0.7/arch/x86/lib/memset_64.S
18293--- linux-3.0.7/arch/x86/lib/memset_64.S 2011-07-21 22:17:23.000000000 -0400
18294+++ linux-3.0.7/arch/x86/lib/memset_64.S 2011-10-06 04:17:55.000000000 -0400
18295@@ -31,6 +31,7 @@
18296 movl %r8d,%ecx
18297 rep stosb
18298 movq %r9,%rax
18299+ pax_force_retaddr
18300 ret
18301 .Lmemset_e:
18302 .previous
18303@@ -53,6 +54,7 @@
18304 movl %edx,%ecx
18305 rep stosb
18306 movq %r9,%rax
18307+ pax_force_retaddr
18308 ret
18309 .Lmemset_e_e:
18310 .previous
18311@@ -121,6 +123,7 @@ ENTRY(__memset)
18312
18313 .Lende:
18314 movq %r10,%rax
18315+ pax_force_retaddr
18316 ret
18317
18318 CFI_RESTORE_STATE
18319diff -urNp linux-3.0.7/arch/x86/lib/mmx_32.c linux-3.0.7/arch/x86/lib/mmx_32.c
18320--- linux-3.0.7/arch/x86/lib/mmx_32.c 2011-07-21 22:17:23.000000000 -0400
18321+++ linux-3.0.7/arch/x86/lib/mmx_32.c 2011-08-23 21:47:55.000000000 -0400
18322@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
18323 {
18324 void *p;
18325 int i;
18326+ unsigned long cr0;
18327
18328 if (unlikely(in_interrupt()))
18329 return __memcpy(to, from, len);
18330@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
18331 kernel_fpu_begin();
18332
18333 __asm__ __volatile__ (
18334- "1: prefetch (%0)\n" /* This set is 28 bytes */
18335- " prefetch 64(%0)\n"
18336- " prefetch 128(%0)\n"
18337- " prefetch 192(%0)\n"
18338- " prefetch 256(%0)\n"
18339+ "1: prefetch (%1)\n" /* This set is 28 bytes */
18340+ " prefetch 64(%1)\n"
18341+ " prefetch 128(%1)\n"
18342+ " prefetch 192(%1)\n"
18343+ " prefetch 256(%1)\n"
18344 "2: \n"
18345 ".section .fixup, \"ax\"\n"
18346- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18347+ "3: \n"
18348+
18349+#ifdef CONFIG_PAX_KERNEXEC
18350+ " movl %%cr0, %0\n"
18351+ " movl %0, %%eax\n"
18352+ " andl $0xFFFEFFFF, %%eax\n"
18353+ " movl %%eax, %%cr0\n"
18354+#endif
18355+
18356+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18357+
18358+#ifdef CONFIG_PAX_KERNEXEC
18359+ " movl %0, %%cr0\n"
18360+#endif
18361+
18362 " jmp 2b\n"
18363 ".previous\n"
18364 _ASM_EXTABLE(1b, 3b)
18365- : : "r" (from));
18366+ : "=&r" (cr0) : "r" (from) : "ax");
18367
18368 for ( ; i > 5; i--) {
18369 __asm__ __volatile__ (
18370- "1: prefetch 320(%0)\n"
18371- "2: movq (%0), %%mm0\n"
18372- " movq 8(%0), %%mm1\n"
18373- " movq 16(%0), %%mm2\n"
18374- " movq 24(%0), %%mm3\n"
18375- " movq %%mm0, (%1)\n"
18376- " movq %%mm1, 8(%1)\n"
18377- " movq %%mm2, 16(%1)\n"
18378- " movq %%mm3, 24(%1)\n"
18379- " movq 32(%0), %%mm0\n"
18380- " movq 40(%0), %%mm1\n"
18381- " movq 48(%0), %%mm2\n"
18382- " movq 56(%0), %%mm3\n"
18383- " movq %%mm0, 32(%1)\n"
18384- " movq %%mm1, 40(%1)\n"
18385- " movq %%mm2, 48(%1)\n"
18386- " movq %%mm3, 56(%1)\n"
18387+ "1: prefetch 320(%1)\n"
18388+ "2: movq (%1), %%mm0\n"
18389+ " movq 8(%1), %%mm1\n"
18390+ " movq 16(%1), %%mm2\n"
18391+ " movq 24(%1), %%mm3\n"
18392+ " movq %%mm0, (%2)\n"
18393+ " movq %%mm1, 8(%2)\n"
18394+ " movq %%mm2, 16(%2)\n"
18395+ " movq %%mm3, 24(%2)\n"
18396+ " movq 32(%1), %%mm0\n"
18397+ " movq 40(%1), %%mm1\n"
18398+ " movq 48(%1), %%mm2\n"
18399+ " movq 56(%1), %%mm3\n"
18400+ " movq %%mm0, 32(%2)\n"
18401+ " movq %%mm1, 40(%2)\n"
18402+ " movq %%mm2, 48(%2)\n"
18403+ " movq %%mm3, 56(%2)\n"
18404 ".section .fixup, \"ax\"\n"
18405- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18406+ "3:\n"
18407+
18408+#ifdef CONFIG_PAX_KERNEXEC
18409+ " movl %%cr0, %0\n"
18410+ " movl %0, %%eax\n"
18411+ " andl $0xFFFEFFFF, %%eax\n"
18412+ " movl %%eax, %%cr0\n"
18413+#endif
18414+
18415+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18416+
18417+#ifdef CONFIG_PAX_KERNEXEC
18418+ " movl %0, %%cr0\n"
18419+#endif
18420+
18421 " jmp 2b\n"
18422 ".previous\n"
18423 _ASM_EXTABLE(1b, 3b)
18424- : : "r" (from), "r" (to) : "memory");
18425+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18426
18427 from += 64;
18428 to += 64;
18429@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
18430 static void fast_copy_page(void *to, void *from)
18431 {
18432 int i;
18433+ unsigned long cr0;
18434
18435 kernel_fpu_begin();
18436
18437@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
18438 * but that is for later. -AV
18439 */
18440 __asm__ __volatile__(
18441- "1: prefetch (%0)\n"
18442- " prefetch 64(%0)\n"
18443- " prefetch 128(%0)\n"
18444- " prefetch 192(%0)\n"
18445- " prefetch 256(%0)\n"
18446+ "1: prefetch (%1)\n"
18447+ " prefetch 64(%1)\n"
18448+ " prefetch 128(%1)\n"
18449+ " prefetch 192(%1)\n"
18450+ " prefetch 256(%1)\n"
18451 "2: \n"
18452 ".section .fixup, \"ax\"\n"
18453- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18454+ "3: \n"
18455+
18456+#ifdef CONFIG_PAX_KERNEXEC
18457+ " movl %%cr0, %0\n"
18458+ " movl %0, %%eax\n"
18459+ " andl $0xFFFEFFFF, %%eax\n"
18460+ " movl %%eax, %%cr0\n"
18461+#endif
18462+
18463+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18464+
18465+#ifdef CONFIG_PAX_KERNEXEC
18466+ " movl %0, %%cr0\n"
18467+#endif
18468+
18469 " jmp 2b\n"
18470 ".previous\n"
18471- _ASM_EXTABLE(1b, 3b) : : "r" (from));
18472+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
18473
18474 for (i = 0; i < (4096-320)/64; i++) {
18475 __asm__ __volatile__ (
18476- "1: prefetch 320(%0)\n"
18477- "2: movq (%0), %%mm0\n"
18478- " movntq %%mm0, (%1)\n"
18479- " movq 8(%0), %%mm1\n"
18480- " movntq %%mm1, 8(%1)\n"
18481- " movq 16(%0), %%mm2\n"
18482- " movntq %%mm2, 16(%1)\n"
18483- " movq 24(%0), %%mm3\n"
18484- " movntq %%mm3, 24(%1)\n"
18485- " movq 32(%0), %%mm4\n"
18486- " movntq %%mm4, 32(%1)\n"
18487- " movq 40(%0), %%mm5\n"
18488- " movntq %%mm5, 40(%1)\n"
18489- " movq 48(%0), %%mm6\n"
18490- " movntq %%mm6, 48(%1)\n"
18491- " movq 56(%0), %%mm7\n"
18492- " movntq %%mm7, 56(%1)\n"
18493+ "1: prefetch 320(%1)\n"
18494+ "2: movq (%1), %%mm0\n"
18495+ " movntq %%mm0, (%2)\n"
18496+ " movq 8(%1), %%mm1\n"
18497+ " movntq %%mm1, 8(%2)\n"
18498+ " movq 16(%1), %%mm2\n"
18499+ " movntq %%mm2, 16(%2)\n"
18500+ " movq 24(%1), %%mm3\n"
18501+ " movntq %%mm3, 24(%2)\n"
18502+ " movq 32(%1), %%mm4\n"
18503+ " movntq %%mm4, 32(%2)\n"
18504+ " movq 40(%1), %%mm5\n"
18505+ " movntq %%mm5, 40(%2)\n"
18506+ " movq 48(%1), %%mm6\n"
18507+ " movntq %%mm6, 48(%2)\n"
18508+ " movq 56(%1), %%mm7\n"
18509+ " movntq %%mm7, 56(%2)\n"
18510 ".section .fixup, \"ax\"\n"
18511- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18512+ "3:\n"
18513+
18514+#ifdef CONFIG_PAX_KERNEXEC
18515+ " movl %%cr0, %0\n"
18516+ " movl %0, %%eax\n"
18517+ " andl $0xFFFEFFFF, %%eax\n"
18518+ " movl %%eax, %%cr0\n"
18519+#endif
18520+
18521+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18522+
18523+#ifdef CONFIG_PAX_KERNEXEC
18524+ " movl %0, %%cr0\n"
18525+#endif
18526+
18527 " jmp 2b\n"
18528 ".previous\n"
18529- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
18530+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18531
18532 from += 64;
18533 to += 64;
18534@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
18535 static void fast_copy_page(void *to, void *from)
18536 {
18537 int i;
18538+ unsigned long cr0;
18539
18540 kernel_fpu_begin();
18541
18542 __asm__ __volatile__ (
18543- "1: prefetch (%0)\n"
18544- " prefetch 64(%0)\n"
18545- " prefetch 128(%0)\n"
18546- " prefetch 192(%0)\n"
18547- " prefetch 256(%0)\n"
18548+ "1: prefetch (%1)\n"
18549+ " prefetch 64(%1)\n"
18550+ " prefetch 128(%1)\n"
18551+ " prefetch 192(%1)\n"
18552+ " prefetch 256(%1)\n"
18553 "2: \n"
18554 ".section .fixup, \"ax\"\n"
18555- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18556+ "3: \n"
18557+
18558+#ifdef CONFIG_PAX_KERNEXEC
18559+ " movl %%cr0, %0\n"
18560+ " movl %0, %%eax\n"
18561+ " andl $0xFFFEFFFF, %%eax\n"
18562+ " movl %%eax, %%cr0\n"
18563+#endif
18564+
18565+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18566+
18567+#ifdef CONFIG_PAX_KERNEXEC
18568+ " movl %0, %%cr0\n"
18569+#endif
18570+
18571 " jmp 2b\n"
18572 ".previous\n"
18573- _ASM_EXTABLE(1b, 3b) : : "r" (from));
18574+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
18575
18576 for (i = 0; i < 4096/64; i++) {
18577 __asm__ __volatile__ (
18578- "1: prefetch 320(%0)\n"
18579- "2: movq (%0), %%mm0\n"
18580- " movq 8(%0), %%mm1\n"
18581- " movq 16(%0), %%mm2\n"
18582- " movq 24(%0), %%mm3\n"
18583- " movq %%mm0, (%1)\n"
18584- " movq %%mm1, 8(%1)\n"
18585- " movq %%mm2, 16(%1)\n"
18586- " movq %%mm3, 24(%1)\n"
18587- " movq 32(%0), %%mm0\n"
18588- " movq 40(%0), %%mm1\n"
18589- " movq 48(%0), %%mm2\n"
18590- " movq 56(%0), %%mm3\n"
18591- " movq %%mm0, 32(%1)\n"
18592- " movq %%mm1, 40(%1)\n"
18593- " movq %%mm2, 48(%1)\n"
18594- " movq %%mm3, 56(%1)\n"
18595+ "1: prefetch 320(%1)\n"
18596+ "2: movq (%1), %%mm0\n"
18597+ " movq 8(%1), %%mm1\n"
18598+ " movq 16(%1), %%mm2\n"
18599+ " movq 24(%1), %%mm3\n"
18600+ " movq %%mm0, (%2)\n"
18601+ " movq %%mm1, 8(%2)\n"
18602+ " movq %%mm2, 16(%2)\n"
18603+ " movq %%mm3, 24(%2)\n"
18604+ " movq 32(%1), %%mm0\n"
18605+ " movq 40(%1), %%mm1\n"
18606+ " movq 48(%1), %%mm2\n"
18607+ " movq 56(%1), %%mm3\n"
18608+ " movq %%mm0, 32(%2)\n"
18609+ " movq %%mm1, 40(%2)\n"
18610+ " movq %%mm2, 48(%2)\n"
18611+ " movq %%mm3, 56(%2)\n"
18612 ".section .fixup, \"ax\"\n"
18613- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18614+ "3:\n"
18615+
18616+#ifdef CONFIG_PAX_KERNEXEC
18617+ " movl %%cr0, %0\n"
18618+ " movl %0, %%eax\n"
18619+ " andl $0xFFFEFFFF, %%eax\n"
18620+ " movl %%eax, %%cr0\n"
18621+#endif
18622+
18623+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18624+
18625+#ifdef CONFIG_PAX_KERNEXEC
18626+ " movl %0, %%cr0\n"
18627+#endif
18628+
18629 " jmp 2b\n"
18630 ".previous\n"
18631 _ASM_EXTABLE(1b, 3b)
18632- : : "r" (from), "r" (to) : "memory");
18633+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18634
18635 from += 64;
18636 to += 64;
18637diff -urNp linux-3.0.7/arch/x86/lib/msr-reg.S linux-3.0.7/arch/x86/lib/msr-reg.S
18638--- linux-3.0.7/arch/x86/lib/msr-reg.S 2011-07-21 22:17:23.000000000 -0400
18639+++ linux-3.0.7/arch/x86/lib/msr-reg.S 2011-10-07 19:07:28.000000000 -0400
18640@@ -3,6 +3,7 @@
18641 #include <asm/dwarf2.h>
18642 #include <asm/asm.h>
18643 #include <asm/msr.h>
18644+#include <asm/alternative-asm.h>
18645
18646 #ifdef CONFIG_X86_64
18647 /*
18648@@ -37,6 +38,7 @@ ENTRY(native_\op\()_safe_regs)
18649 movl %edi, 28(%r10)
18650 popq_cfi %rbp
18651 popq_cfi %rbx
18652+ pax_force_retaddr
18653 ret
18654 3:
18655 CFI_RESTORE_STATE
18656diff -urNp linux-3.0.7/arch/x86/lib/putuser.S linux-3.0.7/arch/x86/lib/putuser.S
18657--- linux-3.0.7/arch/x86/lib/putuser.S 2011-07-21 22:17:23.000000000 -0400
18658+++ linux-3.0.7/arch/x86/lib/putuser.S 2011-10-07 19:07:23.000000000 -0400
18659@@ -15,7 +15,9 @@
18660 #include <asm/thread_info.h>
18661 #include <asm/errno.h>
18662 #include <asm/asm.h>
18663-
18664+#include <asm/segment.h>
18665+#include <asm/pgtable.h>
18666+#include <asm/alternative-asm.h>
18667
18668 /*
18669 * __put_user_X
18670@@ -29,52 +31,119 @@
18671 * as they get called from within inline assembly.
18672 */
18673
18674-#define ENTER CFI_STARTPROC ; \
18675- GET_THREAD_INFO(%_ASM_BX)
18676-#define EXIT ret ; \
18677+#define ENTER CFI_STARTPROC
18678+#define EXIT pax_force_retaddr; ret ; \
18679 CFI_ENDPROC
18680
18681+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18682+#define _DEST %_ASM_CX,%_ASM_BX
18683+#else
18684+#define _DEST %_ASM_CX
18685+#endif
18686+
18687+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18688+#define __copyuser_seg gs;
18689+#else
18690+#define __copyuser_seg
18691+#endif
18692+
18693 .text
18694 ENTRY(__put_user_1)
18695 ENTER
18696+
18697+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18698+ GET_THREAD_INFO(%_ASM_BX)
18699 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
18700 jae bad_put_user
18701-1: movb %al,(%_ASM_CX)
18702+
18703+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18704+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18705+ cmp %_ASM_BX,%_ASM_CX
18706+ jb 1234f
18707+ xor %ebx,%ebx
18708+1234:
18709+#endif
18710+
18711+#endif
18712+
18713+1: __copyuser_seg movb %al,(_DEST)
18714 xor %eax,%eax
18715 EXIT
18716 ENDPROC(__put_user_1)
18717
18718 ENTRY(__put_user_2)
18719 ENTER
18720+
18721+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18722+ GET_THREAD_INFO(%_ASM_BX)
18723 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
18724 sub $1,%_ASM_BX
18725 cmp %_ASM_BX,%_ASM_CX
18726 jae bad_put_user
18727-2: movw %ax,(%_ASM_CX)
18728+
18729+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18730+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18731+ cmp %_ASM_BX,%_ASM_CX
18732+ jb 1234f
18733+ xor %ebx,%ebx
18734+1234:
18735+#endif
18736+
18737+#endif
18738+
18739+2: __copyuser_seg movw %ax,(_DEST)
18740 xor %eax,%eax
18741 EXIT
18742 ENDPROC(__put_user_2)
18743
18744 ENTRY(__put_user_4)
18745 ENTER
18746+
18747+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18748+ GET_THREAD_INFO(%_ASM_BX)
18749 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
18750 sub $3,%_ASM_BX
18751 cmp %_ASM_BX,%_ASM_CX
18752 jae bad_put_user
18753-3: movl %eax,(%_ASM_CX)
18754+
18755+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18756+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18757+ cmp %_ASM_BX,%_ASM_CX
18758+ jb 1234f
18759+ xor %ebx,%ebx
18760+1234:
18761+#endif
18762+
18763+#endif
18764+
18765+3: __copyuser_seg movl %eax,(_DEST)
18766 xor %eax,%eax
18767 EXIT
18768 ENDPROC(__put_user_4)
18769
18770 ENTRY(__put_user_8)
18771 ENTER
18772+
18773+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18774+ GET_THREAD_INFO(%_ASM_BX)
18775 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
18776 sub $7,%_ASM_BX
18777 cmp %_ASM_BX,%_ASM_CX
18778 jae bad_put_user
18779-4: mov %_ASM_AX,(%_ASM_CX)
18780+
18781+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18782+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18783+ cmp %_ASM_BX,%_ASM_CX
18784+ jb 1234f
18785+ xor %ebx,%ebx
18786+1234:
18787+#endif
18788+
18789+#endif
18790+
18791+4: __copyuser_seg mov %_ASM_AX,(_DEST)
18792 #ifdef CONFIG_X86_32
18793-5: movl %edx,4(%_ASM_CX)
18794+5: __copyuser_seg movl %edx,4(_DEST)
18795 #endif
18796 xor %eax,%eax
18797 EXIT
18798diff -urNp linux-3.0.7/arch/x86/lib/rwlock_64.S linux-3.0.7/arch/x86/lib/rwlock_64.S
18799--- linux-3.0.7/arch/x86/lib/rwlock_64.S 2011-07-21 22:17:23.000000000 -0400
18800+++ linux-3.0.7/arch/x86/lib/rwlock_64.S 2011-10-06 04:17:55.000000000 -0400
18801@@ -17,6 +17,7 @@ ENTRY(__write_lock_failed)
18802 LOCK_PREFIX
18803 subl $RW_LOCK_BIAS,(%rdi)
18804 jnz __write_lock_failed
18805+ pax_force_retaddr
18806 ret
18807 CFI_ENDPROC
18808 END(__write_lock_failed)
18809@@ -33,6 +34,7 @@ ENTRY(__read_lock_failed)
18810 LOCK_PREFIX
18811 decl (%rdi)
18812 js __read_lock_failed
18813+ pax_force_retaddr
18814 ret
18815 CFI_ENDPROC
18816 END(__read_lock_failed)
18817diff -urNp linux-3.0.7/arch/x86/lib/rwsem_64.S linux-3.0.7/arch/x86/lib/rwsem_64.S
18818--- linux-3.0.7/arch/x86/lib/rwsem_64.S 2011-07-21 22:17:23.000000000 -0400
18819+++ linux-3.0.7/arch/x86/lib/rwsem_64.S 2011-10-07 10:46:47.000000000 -0400
18820@@ -51,6 +51,7 @@ ENTRY(call_rwsem_down_read_failed)
18821 popq_cfi %rdx
18822 CFI_RESTORE rdx
18823 restore_common_regs
18824+ pax_force_retaddr
18825 ret
18826 CFI_ENDPROC
18827 ENDPROC(call_rwsem_down_read_failed)
18828@@ -61,6 +62,7 @@ ENTRY(call_rwsem_down_write_failed)
18829 movq %rax,%rdi
18830 call rwsem_down_write_failed
18831 restore_common_regs
18832+ pax_force_retaddr
18833 ret
18834 CFI_ENDPROC
18835 ENDPROC(call_rwsem_down_write_failed)
18836@@ -73,7 +75,8 @@ ENTRY(call_rwsem_wake)
18837 movq %rax,%rdi
18838 call rwsem_wake
18839 restore_common_regs
18840-1: ret
18841+1: pax_force_retaddr
18842+ ret
18843 CFI_ENDPROC
18844 ENDPROC(call_rwsem_wake)
18845
18846@@ -88,6 +91,7 @@ ENTRY(call_rwsem_downgrade_wake)
18847 popq_cfi %rdx
18848 CFI_RESTORE rdx
18849 restore_common_regs
18850+ pax_force_retaddr
18851 ret
18852 CFI_ENDPROC
18853 ENDPROC(call_rwsem_downgrade_wake)
18854diff -urNp linux-3.0.7/arch/x86/lib/thunk_64.S linux-3.0.7/arch/x86/lib/thunk_64.S
18855--- linux-3.0.7/arch/x86/lib/thunk_64.S 2011-07-21 22:17:23.000000000 -0400
18856+++ linux-3.0.7/arch/x86/lib/thunk_64.S 2011-10-06 04:17:55.000000000 -0400
18857@@ -10,7 +10,8 @@
18858 #include <asm/dwarf2.h>
18859 #include <asm/calling.h>
18860 #include <asm/rwlock.h>
18861-
18862+ #include <asm/alternative-asm.h>
18863+
18864 /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
18865 .macro thunk name,func
18866 .globl \name
18867@@ -50,5 +51,6 @@
18868 SAVE_ARGS
18869 restore:
18870 RESTORE_ARGS
18871- ret
18872+ pax_force_retaddr
18873+ ret
18874 CFI_ENDPROC
18875diff -urNp linux-3.0.7/arch/x86/lib/usercopy_32.c linux-3.0.7/arch/x86/lib/usercopy_32.c
18876--- linux-3.0.7/arch/x86/lib/usercopy_32.c 2011-07-21 22:17:23.000000000 -0400
18877+++ linux-3.0.7/arch/x86/lib/usercopy_32.c 2011-08-23 21:47:55.000000000 -0400
18878@@ -43,7 +43,7 @@ do { \
18879 __asm__ __volatile__( \
18880 " testl %1,%1\n" \
18881 " jz 2f\n" \
18882- "0: lodsb\n" \
18883+ "0: "__copyuser_seg"lodsb\n" \
18884 " stosb\n" \
18885 " testb %%al,%%al\n" \
18886 " jz 1f\n" \
18887@@ -128,10 +128,12 @@ do { \
18888 int __d0; \
18889 might_fault(); \
18890 __asm__ __volatile__( \
18891+ __COPYUSER_SET_ES \
18892 "0: rep; stosl\n" \
18893 " movl %2,%0\n" \
18894 "1: rep; stosb\n" \
18895 "2:\n" \
18896+ __COPYUSER_RESTORE_ES \
18897 ".section .fixup,\"ax\"\n" \
18898 "3: lea 0(%2,%0,4),%0\n" \
18899 " jmp 2b\n" \
18900@@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
18901 might_fault();
18902
18903 __asm__ __volatile__(
18904+ __COPYUSER_SET_ES
18905 " testl %0, %0\n"
18906 " jz 3f\n"
18907 " andl %0,%%ecx\n"
18908@@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
18909 " subl %%ecx,%0\n"
18910 " addl %0,%%eax\n"
18911 "1:\n"
18912+ __COPYUSER_RESTORE_ES
18913 ".section .fixup,\"ax\"\n"
18914 "2: xorl %%eax,%%eax\n"
18915 " jmp 1b\n"
18916@@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
18917
18918 #ifdef CONFIG_X86_INTEL_USERCOPY
18919 static unsigned long
18920-__copy_user_intel(void __user *to, const void *from, unsigned long size)
18921+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
18922 {
18923 int d0, d1;
18924 __asm__ __volatile__(
18925@@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
18926 " .align 2,0x90\n"
18927 "3: movl 0(%4), %%eax\n"
18928 "4: movl 4(%4), %%edx\n"
18929- "5: movl %%eax, 0(%3)\n"
18930- "6: movl %%edx, 4(%3)\n"
18931+ "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
18932+ "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
18933 "7: movl 8(%4), %%eax\n"
18934 "8: movl 12(%4),%%edx\n"
18935- "9: movl %%eax, 8(%3)\n"
18936- "10: movl %%edx, 12(%3)\n"
18937+ "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
18938+ "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
18939 "11: movl 16(%4), %%eax\n"
18940 "12: movl 20(%4), %%edx\n"
18941- "13: movl %%eax, 16(%3)\n"
18942- "14: movl %%edx, 20(%3)\n"
18943+ "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
18944+ "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
18945 "15: movl 24(%4), %%eax\n"
18946 "16: movl 28(%4), %%edx\n"
18947- "17: movl %%eax, 24(%3)\n"
18948- "18: movl %%edx, 28(%3)\n"
18949+ "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
18950+ "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
18951 "19: movl 32(%4), %%eax\n"
18952 "20: movl 36(%4), %%edx\n"
18953- "21: movl %%eax, 32(%3)\n"
18954- "22: movl %%edx, 36(%3)\n"
18955+ "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
18956+ "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
18957 "23: movl 40(%4), %%eax\n"
18958 "24: movl 44(%4), %%edx\n"
18959- "25: movl %%eax, 40(%3)\n"
18960- "26: movl %%edx, 44(%3)\n"
18961+ "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
18962+ "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
18963 "27: movl 48(%4), %%eax\n"
18964 "28: movl 52(%4), %%edx\n"
18965- "29: movl %%eax, 48(%3)\n"
18966- "30: movl %%edx, 52(%3)\n"
18967+ "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
18968+ "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
18969 "31: movl 56(%4), %%eax\n"
18970 "32: movl 60(%4), %%edx\n"
18971- "33: movl %%eax, 56(%3)\n"
18972- "34: movl %%edx, 60(%3)\n"
18973+ "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
18974+ "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
18975 " addl $-64, %0\n"
18976 " addl $64, %4\n"
18977 " addl $64, %3\n"
18978@@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
18979 " shrl $2, %0\n"
18980 " andl $3, %%eax\n"
18981 " cld\n"
18982+ __COPYUSER_SET_ES
18983 "99: rep; movsl\n"
18984 "36: movl %%eax, %0\n"
18985 "37: rep; movsb\n"
18986 "100:\n"
18987+ __COPYUSER_RESTORE_ES
18988+ ".section .fixup,\"ax\"\n"
18989+ "101: lea 0(%%eax,%0,4),%0\n"
18990+ " jmp 100b\n"
18991+ ".previous\n"
18992+ ".section __ex_table,\"a\"\n"
18993+ " .align 4\n"
18994+ " .long 1b,100b\n"
18995+ " .long 2b,100b\n"
18996+ " .long 3b,100b\n"
18997+ " .long 4b,100b\n"
18998+ " .long 5b,100b\n"
18999+ " .long 6b,100b\n"
19000+ " .long 7b,100b\n"
19001+ " .long 8b,100b\n"
19002+ " .long 9b,100b\n"
19003+ " .long 10b,100b\n"
19004+ " .long 11b,100b\n"
19005+ " .long 12b,100b\n"
19006+ " .long 13b,100b\n"
19007+ " .long 14b,100b\n"
19008+ " .long 15b,100b\n"
19009+ " .long 16b,100b\n"
19010+ " .long 17b,100b\n"
19011+ " .long 18b,100b\n"
19012+ " .long 19b,100b\n"
19013+ " .long 20b,100b\n"
19014+ " .long 21b,100b\n"
19015+ " .long 22b,100b\n"
19016+ " .long 23b,100b\n"
19017+ " .long 24b,100b\n"
19018+ " .long 25b,100b\n"
19019+ " .long 26b,100b\n"
19020+ " .long 27b,100b\n"
19021+ " .long 28b,100b\n"
19022+ " .long 29b,100b\n"
19023+ " .long 30b,100b\n"
19024+ " .long 31b,100b\n"
19025+ " .long 32b,100b\n"
19026+ " .long 33b,100b\n"
19027+ " .long 34b,100b\n"
19028+ " .long 35b,100b\n"
19029+ " .long 36b,100b\n"
19030+ " .long 37b,100b\n"
19031+ " .long 99b,101b\n"
19032+ ".previous"
19033+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
19034+ : "1"(to), "2"(from), "0"(size)
19035+ : "eax", "edx", "memory");
19036+ return size;
19037+}
19038+
19039+static unsigned long
19040+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
19041+{
19042+ int d0, d1;
19043+ __asm__ __volatile__(
19044+ " .align 2,0x90\n"
19045+ "1: "__copyuser_seg" movl 32(%4), %%eax\n"
19046+ " cmpl $67, %0\n"
19047+ " jbe 3f\n"
19048+ "2: "__copyuser_seg" movl 64(%4), %%eax\n"
19049+ " .align 2,0x90\n"
19050+ "3: "__copyuser_seg" movl 0(%4), %%eax\n"
19051+ "4: "__copyuser_seg" movl 4(%4), %%edx\n"
19052+ "5: movl %%eax, 0(%3)\n"
19053+ "6: movl %%edx, 4(%3)\n"
19054+ "7: "__copyuser_seg" movl 8(%4), %%eax\n"
19055+ "8: "__copyuser_seg" movl 12(%4),%%edx\n"
19056+ "9: movl %%eax, 8(%3)\n"
19057+ "10: movl %%edx, 12(%3)\n"
19058+ "11: "__copyuser_seg" movl 16(%4), %%eax\n"
19059+ "12: "__copyuser_seg" movl 20(%4), %%edx\n"
19060+ "13: movl %%eax, 16(%3)\n"
19061+ "14: movl %%edx, 20(%3)\n"
19062+ "15: "__copyuser_seg" movl 24(%4), %%eax\n"
19063+ "16: "__copyuser_seg" movl 28(%4), %%edx\n"
19064+ "17: movl %%eax, 24(%3)\n"
19065+ "18: movl %%edx, 28(%3)\n"
19066+ "19: "__copyuser_seg" movl 32(%4), %%eax\n"
19067+ "20: "__copyuser_seg" movl 36(%4), %%edx\n"
19068+ "21: movl %%eax, 32(%3)\n"
19069+ "22: movl %%edx, 36(%3)\n"
19070+ "23: "__copyuser_seg" movl 40(%4), %%eax\n"
19071+ "24: "__copyuser_seg" movl 44(%4), %%edx\n"
19072+ "25: movl %%eax, 40(%3)\n"
19073+ "26: movl %%edx, 44(%3)\n"
19074+ "27: "__copyuser_seg" movl 48(%4), %%eax\n"
19075+ "28: "__copyuser_seg" movl 52(%4), %%edx\n"
19076+ "29: movl %%eax, 48(%3)\n"
19077+ "30: movl %%edx, 52(%3)\n"
19078+ "31: "__copyuser_seg" movl 56(%4), %%eax\n"
19079+ "32: "__copyuser_seg" movl 60(%4), %%edx\n"
19080+ "33: movl %%eax, 56(%3)\n"
19081+ "34: movl %%edx, 60(%3)\n"
19082+ " addl $-64, %0\n"
19083+ " addl $64, %4\n"
19084+ " addl $64, %3\n"
19085+ " cmpl $63, %0\n"
19086+ " ja 1b\n"
19087+ "35: movl %0, %%eax\n"
19088+ " shrl $2, %0\n"
19089+ " andl $3, %%eax\n"
19090+ " cld\n"
19091+ "99: rep; "__copyuser_seg" movsl\n"
19092+ "36: movl %%eax, %0\n"
19093+ "37: rep; "__copyuser_seg" movsb\n"
19094+ "100:\n"
19095 ".section .fixup,\"ax\"\n"
19096 "101: lea 0(%%eax,%0,4),%0\n"
19097 " jmp 100b\n"
19098@@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
19099 int d0, d1;
19100 __asm__ __volatile__(
19101 " .align 2,0x90\n"
19102- "0: movl 32(%4), %%eax\n"
19103+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
19104 " cmpl $67, %0\n"
19105 " jbe 2f\n"
19106- "1: movl 64(%4), %%eax\n"
19107+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
19108 " .align 2,0x90\n"
19109- "2: movl 0(%4), %%eax\n"
19110- "21: movl 4(%4), %%edx\n"
19111+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
19112+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
19113 " movl %%eax, 0(%3)\n"
19114 " movl %%edx, 4(%3)\n"
19115- "3: movl 8(%4), %%eax\n"
19116- "31: movl 12(%4),%%edx\n"
19117+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
19118+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
19119 " movl %%eax, 8(%3)\n"
19120 " movl %%edx, 12(%3)\n"
19121- "4: movl 16(%4), %%eax\n"
19122- "41: movl 20(%4), %%edx\n"
19123+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
19124+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
19125 " movl %%eax, 16(%3)\n"
19126 " movl %%edx, 20(%3)\n"
19127- "10: movl 24(%4), %%eax\n"
19128- "51: movl 28(%4), %%edx\n"
19129+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
19130+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
19131 " movl %%eax, 24(%3)\n"
19132 " movl %%edx, 28(%3)\n"
19133- "11: movl 32(%4), %%eax\n"
19134- "61: movl 36(%4), %%edx\n"
19135+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
19136+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
19137 " movl %%eax, 32(%3)\n"
19138 " movl %%edx, 36(%3)\n"
19139- "12: movl 40(%4), %%eax\n"
19140- "71: movl 44(%4), %%edx\n"
19141+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
19142+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
19143 " movl %%eax, 40(%3)\n"
19144 " movl %%edx, 44(%3)\n"
19145- "13: movl 48(%4), %%eax\n"
19146- "81: movl 52(%4), %%edx\n"
19147+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
19148+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
19149 " movl %%eax, 48(%3)\n"
19150 " movl %%edx, 52(%3)\n"
19151- "14: movl 56(%4), %%eax\n"
19152- "91: movl 60(%4), %%edx\n"
19153+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
19154+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
19155 " movl %%eax, 56(%3)\n"
19156 " movl %%edx, 60(%3)\n"
19157 " addl $-64, %0\n"
19158@@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
19159 " shrl $2, %0\n"
19160 " andl $3, %%eax\n"
19161 " cld\n"
19162- "6: rep; movsl\n"
19163+ "6: rep; "__copyuser_seg" movsl\n"
19164 " movl %%eax,%0\n"
19165- "7: rep; movsb\n"
19166+ "7: rep; "__copyuser_seg" movsb\n"
19167 "8:\n"
19168 ".section .fixup,\"ax\"\n"
19169 "9: lea 0(%%eax,%0,4),%0\n"
19170@@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
19171
19172 __asm__ __volatile__(
19173 " .align 2,0x90\n"
19174- "0: movl 32(%4), %%eax\n"
19175+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
19176 " cmpl $67, %0\n"
19177 " jbe 2f\n"
19178- "1: movl 64(%4), %%eax\n"
19179+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
19180 " .align 2,0x90\n"
19181- "2: movl 0(%4), %%eax\n"
19182- "21: movl 4(%4), %%edx\n"
19183+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
19184+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
19185 " movnti %%eax, 0(%3)\n"
19186 " movnti %%edx, 4(%3)\n"
19187- "3: movl 8(%4), %%eax\n"
19188- "31: movl 12(%4),%%edx\n"
19189+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
19190+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
19191 " movnti %%eax, 8(%3)\n"
19192 " movnti %%edx, 12(%3)\n"
19193- "4: movl 16(%4), %%eax\n"
19194- "41: movl 20(%4), %%edx\n"
19195+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
19196+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
19197 " movnti %%eax, 16(%3)\n"
19198 " movnti %%edx, 20(%3)\n"
19199- "10: movl 24(%4), %%eax\n"
19200- "51: movl 28(%4), %%edx\n"
19201+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
19202+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
19203 " movnti %%eax, 24(%3)\n"
19204 " movnti %%edx, 28(%3)\n"
19205- "11: movl 32(%4), %%eax\n"
19206- "61: movl 36(%4), %%edx\n"
19207+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
19208+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
19209 " movnti %%eax, 32(%3)\n"
19210 " movnti %%edx, 36(%3)\n"
19211- "12: movl 40(%4), %%eax\n"
19212- "71: movl 44(%4), %%edx\n"
19213+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
19214+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
19215 " movnti %%eax, 40(%3)\n"
19216 " movnti %%edx, 44(%3)\n"
19217- "13: movl 48(%4), %%eax\n"
19218- "81: movl 52(%4), %%edx\n"
19219+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
19220+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
19221 " movnti %%eax, 48(%3)\n"
19222 " movnti %%edx, 52(%3)\n"
19223- "14: movl 56(%4), %%eax\n"
19224- "91: movl 60(%4), %%edx\n"
19225+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
19226+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
19227 " movnti %%eax, 56(%3)\n"
19228 " movnti %%edx, 60(%3)\n"
19229 " addl $-64, %0\n"
19230@@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
19231 " shrl $2, %0\n"
19232 " andl $3, %%eax\n"
19233 " cld\n"
19234- "6: rep; movsl\n"
19235+ "6: rep; "__copyuser_seg" movsl\n"
19236 " movl %%eax,%0\n"
19237- "7: rep; movsb\n"
19238+ "7: rep; "__copyuser_seg" movsb\n"
19239 "8:\n"
19240 ".section .fixup,\"ax\"\n"
19241 "9: lea 0(%%eax,%0,4),%0\n"
19242@@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
19243
19244 __asm__ __volatile__(
19245 " .align 2,0x90\n"
19246- "0: movl 32(%4), %%eax\n"
19247+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
19248 " cmpl $67, %0\n"
19249 " jbe 2f\n"
19250- "1: movl 64(%4), %%eax\n"
19251+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
19252 " .align 2,0x90\n"
19253- "2: movl 0(%4), %%eax\n"
19254- "21: movl 4(%4), %%edx\n"
19255+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
19256+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
19257 " movnti %%eax, 0(%3)\n"
19258 " movnti %%edx, 4(%3)\n"
19259- "3: movl 8(%4), %%eax\n"
19260- "31: movl 12(%4),%%edx\n"
19261+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
19262+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
19263 " movnti %%eax, 8(%3)\n"
19264 " movnti %%edx, 12(%3)\n"
19265- "4: movl 16(%4), %%eax\n"
19266- "41: movl 20(%4), %%edx\n"
19267+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
19268+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
19269 " movnti %%eax, 16(%3)\n"
19270 " movnti %%edx, 20(%3)\n"
19271- "10: movl 24(%4), %%eax\n"
19272- "51: movl 28(%4), %%edx\n"
19273+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
19274+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
19275 " movnti %%eax, 24(%3)\n"
19276 " movnti %%edx, 28(%3)\n"
19277- "11: movl 32(%4), %%eax\n"
19278- "61: movl 36(%4), %%edx\n"
19279+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
19280+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
19281 " movnti %%eax, 32(%3)\n"
19282 " movnti %%edx, 36(%3)\n"
19283- "12: movl 40(%4), %%eax\n"
19284- "71: movl 44(%4), %%edx\n"
19285+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
19286+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
19287 " movnti %%eax, 40(%3)\n"
19288 " movnti %%edx, 44(%3)\n"
19289- "13: movl 48(%4), %%eax\n"
19290- "81: movl 52(%4), %%edx\n"
19291+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
19292+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
19293 " movnti %%eax, 48(%3)\n"
19294 " movnti %%edx, 52(%3)\n"
19295- "14: movl 56(%4), %%eax\n"
19296- "91: movl 60(%4), %%edx\n"
19297+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
19298+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
19299 " movnti %%eax, 56(%3)\n"
19300 " movnti %%edx, 60(%3)\n"
19301 " addl $-64, %0\n"
19302@@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
19303 " shrl $2, %0\n"
19304 " andl $3, %%eax\n"
19305 " cld\n"
19306- "6: rep; movsl\n"
19307+ "6: rep; "__copyuser_seg" movsl\n"
19308 " movl %%eax,%0\n"
19309- "7: rep; movsb\n"
19310+ "7: rep; "__copyuser_seg" movsb\n"
19311 "8:\n"
19312 ".section .fixup,\"ax\"\n"
19313 "9: lea 0(%%eax,%0,4),%0\n"
19314@@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
19315 */
19316 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
19317 unsigned long size);
19318-unsigned long __copy_user_intel(void __user *to, const void *from,
19319+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
19320+ unsigned long size);
19321+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
19322 unsigned long size);
19323 unsigned long __copy_user_zeroing_intel_nocache(void *to,
19324 const void __user *from, unsigned long size);
19325 #endif /* CONFIG_X86_INTEL_USERCOPY */
19326
19327 /* Generic arbitrary sized copy. */
19328-#define __copy_user(to, from, size) \
19329+#define __copy_user(to, from, size, prefix, set, restore) \
19330 do { \
19331 int __d0, __d1, __d2; \
19332 __asm__ __volatile__( \
19333+ set \
19334 " cmp $7,%0\n" \
19335 " jbe 1f\n" \
19336 " movl %1,%0\n" \
19337 " negl %0\n" \
19338 " andl $7,%0\n" \
19339 " subl %0,%3\n" \
19340- "4: rep; movsb\n" \
19341+ "4: rep; "prefix"movsb\n" \
19342 " movl %3,%0\n" \
19343 " shrl $2,%0\n" \
19344 " andl $3,%3\n" \
19345 " .align 2,0x90\n" \
19346- "0: rep; movsl\n" \
19347+ "0: rep; "prefix"movsl\n" \
19348 " movl %3,%0\n" \
19349- "1: rep; movsb\n" \
19350+ "1: rep; "prefix"movsb\n" \
19351 "2:\n" \
19352+ restore \
19353 ".section .fixup,\"ax\"\n" \
19354 "5: addl %3,%0\n" \
19355 " jmp 2b\n" \
19356@@ -682,14 +799,14 @@ do { \
19357 " negl %0\n" \
19358 " andl $7,%0\n" \
19359 " subl %0,%3\n" \
19360- "4: rep; movsb\n" \
19361+ "4: rep; "__copyuser_seg"movsb\n" \
19362 " movl %3,%0\n" \
19363 " shrl $2,%0\n" \
19364 " andl $3,%3\n" \
19365 " .align 2,0x90\n" \
19366- "0: rep; movsl\n" \
19367+ "0: rep; "__copyuser_seg"movsl\n" \
19368 " movl %3,%0\n" \
19369- "1: rep; movsb\n" \
19370+ "1: rep; "__copyuser_seg"movsb\n" \
19371 "2:\n" \
19372 ".section .fixup,\"ax\"\n" \
19373 "5: addl %3,%0\n" \
19374@@ -775,9 +892,9 @@ survive:
19375 }
19376 #endif
19377 if (movsl_is_ok(to, from, n))
19378- __copy_user(to, from, n);
19379+ __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
19380 else
19381- n = __copy_user_intel(to, from, n);
19382+ n = __generic_copy_to_user_intel(to, from, n);
19383 return n;
19384 }
19385 EXPORT_SYMBOL(__copy_to_user_ll);
19386@@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
19387 unsigned long n)
19388 {
19389 if (movsl_is_ok(to, from, n))
19390- __copy_user(to, from, n);
19391+ __copy_user(to, from, n, __copyuser_seg, "", "");
19392 else
19393- n = __copy_user_intel((void __user *)to,
19394- (const void *)from, n);
19395+ n = __generic_copy_from_user_intel(to, from, n);
19396 return n;
19397 }
19398 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
19399@@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocach
19400 if (n > 64 && cpu_has_xmm2)
19401 n = __copy_user_intel_nocache(to, from, n);
19402 else
19403- __copy_user(to, from, n);
19404+ __copy_user(to, from, n, __copyuser_seg, "", "");
19405 #else
19406- __copy_user(to, from, n);
19407+ __copy_user(to, from, n, __copyuser_seg, "", "");
19408 #endif
19409 return n;
19410 }
19411 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
19412
19413-/**
19414- * copy_to_user: - Copy a block of data into user space.
19415- * @to: Destination address, in user space.
19416- * @from: Source address, in kernel space.
19417- * @n: Number of bytes to copy.
19418- *
19419- * Context: User context only. This function may sleep.
19420- *
19421- * Copy data from kernel space to user space.
19422- *
19423- * Returns number of bytes that could not be copied.
19424- * On success, this will be zero.
19425- */
19426-unsigned long
19427-copy_to_user(void __user *to, const void *from, unsigned long n)
19428+void copy_from_user_overflow(void)
19429 {
19430- if (access_ok(VERIFY_WRITE, to, n))
19431- n = __copy_to_user(to, from, n);
19432- return n;
19433+ WARN(1, "Buffer overflow detected!\n");
19434 }
19435-EXPORT_SYMBOL(copy_to_user);
19436+EXPORT_SYMBOL(copy_from_user_overflow);
19437
19438-/**
19439- * copy_from_user: - Copy a block of data from user space.
19440- * @to: Destination address, in kernel space.
19441- * @from: Source address, in user space.
19442- * @n: Number of bytes to copy.
19443- *
19444- * Context: User context only. This function may sleep.
19445- *
19446- * Copy data from user space to kernel space.
19447- *
19448- * Returns number of bytes that could not be copied.
19449- * On success, this will be zero.
19450- *
19451- * If some data could not be copied, this function will pad the copied
19452- * data to the requested size using zero bytes.
19453- */
19454-unsigned long
19455-_copy_from_user(void *to, const void __user *from, unsigned long n)
19456+void copy_to_user_overflow(void)
19457 {
19458- if (access_ok(VERIFY_READ, from, n))
19459- n = __copy_from_user(to, from, n);
19460- else
19461- memset(to, 0, n);
19462- return n;
19463+ WARN(1, "Buffer overflow detected!\n");
19464 }
19465-EXPORT_SYMBOL(_copy_from_user);
19466+EXPORT_SYMBOL(copy_to_user_overflow);
19467
19468-void copy_from_user_overflow(void)
19469+#ifdef CONFIG_PAX_MEMORY_UDEREF
19470+void __set_fs(mm_segment_t x)
19471 {
19472- WARN(1, "Buffer overflow detected!\n");
19473+ switch (x.seg) {
19474+ case 0:
19475+ loadsegment(gs, 0);
19476+ break;
19477+ case TASK_SIZE_MAX:
19478+ loadsegment(gs, __USER_DS);
19479+ break;
19480+ case -1UL:
19481+ loadsegment(gs, __KERNEL_DS);
19482+ break;
19483+ default:
19484+ BUG();
19485+ }
19486+ return;
19487 }
19488-EXPORT_SYMBOL(copy_from_user_overflow);
19489+EXPORT_SYMBOL(__set_fs);
19490+
19491+void set_fs(mm_segment_t x)
19492+{
19493+ current_thread_info()->addr_limit = x;
19494+ __set_fs(x);
19495+}
19496+EXPORT_SYMBOL(set_fs);
19497+#endif
19498diff -urNp linux-3.0.7/arch/x86/lib/usercopy_64.c linux-3.0.7/arch/x86/lib/usercopy_64.c
19499--- linux-3.0.7/arch/x86/lib/usercopy_64.c 2011-07-21 22:17:23.000000000 -0400
19500+++ linux-3.0.7/arch/x86/lib/usercopy_64.c 2011-10-06 04:17:55.000000000 -0400
19501@@ -42,6 +42,12 @@ long
19502 __strncpy_from_user(char *dst, const char __user *src, long count)
19503 {
19504 long res;
19505+
19506+#ifdef CONFIG_PAX_MEMORY_UDEREF
19507+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19508+ src += PAX_USER_SHADOW_BASE;
19509+#endif
19510+
19511 __do_strncpy_from_user(dst, src, count, res);
19512 return res;
19513 }
19514@@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
19515 {
19516 long __d0;
19517 might_fault();
19518+
19519+#ifdef CONFIG_PAX_MEMORY_UDEREF
19520+ if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
19521+ addr += PAX_USER_SHADOW_BASE;
19522+#endif
19523+
19524 /* no memory constraint because it doesn't change any memory gcc knows
19525 about */
19526 asm volatile(
19527@@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
19528
19529 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
19530 {
19531- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
19532- return copy_user_generic((__force void *)to, (__force void *)from, len);
19533- }
19534- return len;
19535+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
19536+
19537+#ifdef CONFIG_PAX_MEMORY_UDEREF
19538+ if ((unsigned long)to < PAX_USER_SHADOW_BASE)
19539+ to += PAX_USER_SHADOW_BASE;
19540+ if ((unsigned long)from < PAX_USER_SHADOW_BASE)
19541+ from += PAX_USER_SHADOW_BASE;
19542+#endif
19543+
19544+ return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
19545+ }
19546+ return len;
19547 }
19548 EXPORT_SYMBOL(copy_in_user);
19549
19550@@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
19551 * it is not necessary to optimize tail handling.
19552 */
19553 unsigned long
19554-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
19555+copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest)
19556 {
19557 char c;
19558 unsigned zero_len;
19559diff -urNp linux-3.0.7/arch/x86/mm/extable.c linux-3.0.7/arch/x86/mm/extable.c
19560--- linux-3.0.7/arch/x86/mm/extable.c 2011-07-21 22:17:23.000000000 -0400
19561+++ linux-3.0.7/arch/x86/mm/extable.c 2011-08-23 21:47:55.000000000 -0400
19562@@ -8,7 +8,7 @@ int fixup_exception(struct pt_regs *regs
19563 const struct exception_table_entry *fixup;
19564
19565 #ifdef CONFIG_PNPBIOS
19566- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
19567+ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
19568 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
19569 extern u32 pnp_bios_is_utter_crap;
19570 pnp_bios_is_utter_crap = 1;
19571diff -urNp linux-3.0.7/arch/x86/mm/fault.c linux-3.0.7/arch/x86/mm/fault.c
19572--- linux-3.0.7/arch/x86/mm/fault.c 2011-07-21 22:17:23.000000000 -0400
19573+++ linux-3.0.7/arch/x86/mm/fault.c 2011-10-06 04:17:55.000000000 -0400
19574@@ -13,10 +13,18 @@
19575 #include <linux/perf_event.h> /* perf_sw_event */
19576 #include <linux/hugetlb.h> /* hstate_index_to_shift */
19577 #include <linux/prefetch.h> /* prefetchw */
19578+#include <linux/unistd.h>
19579+#include <linux/compiler.h>
19580
19581 #include <asm/traps.h> /* dotraplinkage, ... */
19582 #include <asm/pgalloc.h> /* pgd_*(), ... */
19583 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
19584+#include <asm/vsyscall.h>
19585+#include <asm/tlbflush.h>
19586+
19587+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19588+#include <asm/stacktrace.h>
19589+#endif
19590
19591 /*
19592 * Page fault error code bits:
19593@@ -54,7 +62,7 @@ static inline int __kprobes notify_page_
19594 int ret = 0;
19595
19596 /* kprobe_running() needs smp_processor_id() */
19597- if (kprobes_built_in() && !user_mode_vm(regs)) {
19598+ if (kprobes_built_in() && !user_mode(regs)) {
19599 preempt_disable();
19600 if (kprobe_running() && kprobe_fault_handler(regs, 14))
19601 ret = 1;
19602@@ -115,7 +123,10 @@ check_prefetch_opcode(struct pt_regs *re
19603 return !instr_lo || (instr_lo>>1) == 1;
19604 case 0x00:
19605 /* Prefetch instruction is 0x0F0D or 0x0F18 */
19606- if (probe_kernel_address(instr, opcode))
19607+ if (user_mode(regs)) {
19608+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
19609+ return 0;
19610+ } else if (probe_kernel_address(instr, opcode))
19611 return 0;
19612
19613 *prefetch = (instr_lo == 0xF) &&
19614@@ -149,7 +160,10 @@ is_prefetch(struct pt_regs *regs, unsign
19615 while (instr < max_instr) {
19616 unsigned char opcode;
19617
19618- if (probe_kernel_address(instr, opcode))
19619+ if (user_mode(regs)) {
19620+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
19621+ break;
19622+ } else if (probe_kernel_address(instr, opcode))
19623 break;
19624
19625 instr++;
19626@@ -180,6 +194,30 @@ force_sig_info_fault(int si_signo, int s
19627 force_sig_info(si_signo, &info, tsk);
19628 }
19629
19630+#ifdef CONFIG_PAX_EMUTRAMP
19631+static int pax_handle_fetch_fault(struct pt_regs *regs);
19632+#endif
19633+
19634+#ifdef CONFIG_PAX_PAGEEXEC
19635+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
19636+{
19637+ pgd_t *pgd;
19638+ pud_t *pud;
19639+ pmd_t *pmd;
19640+
19641+ pgd = pgd_offset(mm, address);
19642+ if (!pgd_present(*pgd))
19643+ return NULL;
19644+ pud = pud_offset(pgd, address);
19645+ if (!pud_present(*pud))
19646+ return NULL;
19647+ pmd = pmd_offset(pud, address);
19648+ if (!pmd_present(*pmd))
19649+ return NULL;
19650+ return pmd;
19651+}
19652+#endif
19653+
19654 DEFINE_SPINLOCK(pgd_lock);
19655 LIST_HEAD(pgd_list);
19656
19657@@ -230,10 +268,22 @@ void vmalloc_sync_all(void)
19658 for (address = VMALLOC_START & PMD_MASK;
19659 address >= TASK_SIZE && address < FIXADDR_TOP;
19660 address += PMD_SIZE) {
19661+
19662+#ifdef CONFIG_PAX_PER_CPU_PGD
19663+ unsigned long cpu;
19664+#else
19665 struct page *page;
19666+#endif
19667
19668 spin_lock(&pgd_lock);
19669+
19670+#ifdef CONFIG_PAX_PER_CPU_PGD
19671+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19672+ pgd_t *pgd = get_cpu_pgd(cpu);
19673+ pmd_t *ret;
19674+#else
19675 list_for_each_entry(page, &pgd_list, lru) {
19676+ pgd_t *pgd = page_address(page);
19677 spinlock_t *pgt_lock;
19678 pmd_t *ret;
19679
19680@@ -241,8 +291,13 @@ void vmalloc_sync_all(void)
19681 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
19682
19683 spin_lock(pgt_lock);
19684- ret = vmalloc_sync_one(page_address(page), address);
19685+#endif
19686+
19687+ ret = vmalloc_sync_one(pgd, address);
19688+
19689+#ifndef CONFIG_PAX_PER_CPU_PGD
19690 spin_unlock(pgt_lock);
19691+#endif
19692
19693 if (!ret)
19694 break;
19695@@ -276,6 +331,11 @@ static noinline __kprobes int vmalloc_fa
19696 * an interrupt in the middle of a task switch..
19697 */
19698 pgd_paddr = read_cr3();
19699+
19700+#ifdef CONFIG_PAX_PER_CPU_PGD
19701+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
19702+#endif
19703+
19704 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
19705 if (!pmd_k)
19706 return -1;
19707@@ -371,7 +431,14 @@ static noinline __kprobes int vmalloc_fa
19708 * happen within a race in page table update. In the later
19709 * case just flush:
19710 */
19711+
19712+#ifdef CONFIG_PAX_PER_CPU_PGD
19713+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
19714+ pgd = pgd_offset_cpu(smp_processor_id(), address);
19715+#else
19716 pgd = pgd_offset(current->active_mm, address);
19717+#endif
19718+
19719 pgd_ref = pgd_offset_k(address);
19720 if (pgd_none(*pgd_ref))
19721 return -1;
19722@@ -533,7 +600,7 @@ static int is_errata93(struct pt_regs *r
19723 static int is_errata100(struct pt_regs *regs, unsigned long address)
19724 {
19725 #ifdef CONFIG_X86_64
19726- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
19727+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
19728 return 1;
19729 #endif
19730 return 0;
19731@@ -560,7 +627,7 @@ static int is_f00f_bug(struct pt_regs *r
19732 }
19733
19734 static const char nx_warning[] = KERN_CRIT
19735-"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
19736+"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
19737
19738 static void
19739 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
19740@@ -569,14 +636,25 @@ show_fault_oops(struct pt_regs *regs, un
19741 if (!oops_may_print())
19742 return;
19743
19744- if (error_code & PF_INSTR) {
19745+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
19746 unsigned int level;
19747
19748 pte_t *pte = lookup_address(address, &level);
19749
19750 if (pte && pte_present(*pte) && !pte_exec(*pte))
19751- printk(nx_warning, current_uid());
19752+ printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
19753+ }
19754+
19755+#ifdef CONFIG_PAX_KERNEXEC
19756+ if (init_mm.start_code <= address && address < init_mm.end_code) {
19757+ if (current->signal->curr_ip)
19758+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
19759+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
19760+ else
19761+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
19762+ current->comm, task_pid_nr(current), current_uid(), current_euid());
19763 }
19764+#endif
19765
19766 printk(KERN_ALERT "BUG: unable to handle kernel ");
19767 if (address < PAGE_SIZE)
19768@@ -702,6 +780,66 @@ __bad_area_nosemaphore(struct pt_regs *r
19769 unsigned long address, int si_code)
19770 {
19771 struct task_struct *tsk = current;
19772+#if defined(CONFIG_X86_64) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19773+ struct mm_struct *mm = tsk->mm;
19774+#endif
19775+
19776+#ifdef CONFIG_X86_64
19777+ if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
19778+ if (regs->ip == VSYSCALL_ADDR(__NR_vgettimeofday) ||
19779+ regs->ip == VSYSCALL_ADDR(__NR_vtime) ||
19780+ regs->ip == VSYSCALL_ADDR(__NR_vgetcpu)) {
19781+ regs->ip += mm->context.vdso - PAGE_SIZE - VSYSCALL_START;
19782+ return;
19783+ }
19784+ }
19785+#endif
19786+
19787+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19788+ if (mm && (error_code & PF_USER)) {
19789+ unsigned long ip = regs->ip;
19790+
19791+ if (v8086_mode(regs))
19792+ ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
19793+
19794+ /*
19795+ * It's possible to have interrupts off here:
19796+ */
19797+ local_irq_enable();
19798+
19799+#ifdef CONFIG_PAX_PAGEEXEC
19800+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
19801+ (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
19802+
19803+#ifdef CONFIG_PAX_EMUTRAMP
19804+ switch (pax_handle_fetch_fault(regs)) {
19805+ case 2:
19806+ return;
19807+ }
19808+#endif
19809+
19810+ pax_report_fault(regs, (void *)ip, (void *)regs->sp);
19811+ do_group_exit(SIGKILL);
19812+ }
19813+#endif
19814+
19815+#ifdef CONFIG_PAX_SEGMEXEC
19816+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
19817+
19818+#ifdef CONFIG_PAX_EMUTRAMP
19819+ switch (pax_handle_fetch_fault(regs)) {
19820+ case 2:
19821+ return;
19822+ }
19823+#endif
19824+
19825+ pax_report_fault(regs, (void *)ip, (void *)regs->sp);
19826+ do_group_exit(SIGKILL);
19827+ }
19828+#endif
19829+
19830+ }
19831+#endif
19832
19833 /* User mode accesses just cause a SIGSEGV */
19834 if (error_code & PF_USER) {
19835@@ -871,6 +1009,99 @@ static int spurious_fault_check(unsigned
19836 return 1;
19837 }
19838
19839+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
19840+static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
19841+{
19842+ pte_t *pte;
19843+ pmd_t *pmd;
19844+ spinlock_t *ptl;
19845+ unsigned char pte_mask;
19846+
19847+ if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
19848+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
19849+ return 0;
19850+
19851+ /* PaX: it's our fault, let's handle it if we can */
19852+
19853+ /* PaX: take a look at read faults before acquiring any locks */
19854+ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
19855+ /* instruction fetch attempt from a protected page in user mode */
19856+ up_read(&mm->mmap_sem);
19857+
19858+#ifdef CONFIG_PAX_EMUTRAMP
19859+ switch (pax_handle_fetch_fault(regs)) {
19860+ case 2:
19861+ return 1;
19862+ }
19863+#endif
19864+
19865+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
19866+ do_group_exit(SIGKILL);
19867+ }
19868+
19869+ pmd = pax_get_pmd(mm, address);
19870+ if (unlikely(!pmd))
19871+ return 0;
19872+
19873+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
19874+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
19875+ pte_unmap_unlock(pte, ptl);
19876+ return 0;
19877+ }
19878+
19879+ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
19880+ /* write attempt to a protected page in user mode */
19881+ pte_unmap_unlock(pte, ptl);
19882+ return 0;
19883+ }
19884+
19885+#ifdef CONFIG_SMP
19886+ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
19887+#else
19888+ if (likely(address > get_limit(regs->cs)))
19889+#endif
19890+ {
19891+ set_pte(pte, pte_mkread(*pte));
19892+ __flush_tlb_one(address);
19893+ pte_unmap_unlock(pte, ptl);
19894+ up_read(&mm->mmap_sem);
19895+ return 1;
19896+ }
19897+
19898+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
19899+
19900+ /*
19901+ * PaX: fill DTLB with user rights and retry
19902+ */
19903+ __asm__ __volatile__ (
19904+ "orb %2,(%1)\n"
19905+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
19906+/*
19907+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
19908+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
19909+ * page fault when examined during a TLB load attempt. this is true not only
19910+ * for PTEs holding a non-present entry but also present entries that will
19911+ * raise a page fault (such as those set up by PaX, or the copy-on-write
19912+ * mechanism). in effect it means that we do *not* need to flush the TLBs
19913+ * for our target pages since their PTEs are simply not in the TLBs at all.
19914+
19915+ * the best thing in omitting it is that we gain around 15-20% speed in the
19916+ * fast path of the page fault handler and can get rid of tracing since we
19917+ * can no longer flush unintended entries.
19918+ */
19919+ "invlpg (%0)\n"
19920+#endif
19921+ __copyuser_seg"testb $0,(%0)\n"
19922+ "xorb %3,(%1)\n"
19923+ :
19924+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
19925+ : "memory", "cc");
19926+ pte_unmap_unlock(pte, ptl);
19927+ up_read(&mm->mmap_sem);
19928+ return 1;
19929+}
19930+#endif
19931+
19932 /*
19933 * Handle a spurious fault caused by a stale TLB entry.
19934 *
19935@@ -943,6 +1174,9 @@ int show_unhandled_signals = 1;
19936 static inline int
19937 access_error(unsigned long error_code, struct vm_area_struct *vma)
19938 {
19939+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
19940+ return 1;
19941+
19942 if (error_code & PF_WRITE) {
19943 /* write, present and write, not present: */
19944 if (unlikely(!(vma->vm_flags & VM_WRITE)))
19945@@ -976,19 +1210,33 @@ do_page_fault(struct pt_regs *regs, unsi
19946 {
19947 struct vm_area_struct *vma;
19948 struct task_struct *tsk;
19949- unsigned long address;
19950 struct mm_struct *mm;
19951 int fault;
19952 int write = error_code & PF_WRITE;
19953 unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE |
19954 (write ? FAULT_FLAG_WRITE : 0);
19955
19956+ /* Get the faulting address: */
19957+ unsigned long address = read_cr2();
19958+
19959+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19960+ if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
19961+ if (!search_exception_tables(regs->ip)) {
19962+ bad_area_nosemaphore(regs, error_code, address);
19963+ return;
19964+ }
19965+ if (address < PAX_USER_SHADOW_BASE) {
19966+ printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
19967+ printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
19968+ show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
19969+ } else
19970+ address -= PAX_USER_SHADOW_BASE;
19971+ }
19972+#endif
19973+
19974 tsk = current;
19975 mm = tsk->mm;
19976
19977- /* Get the faulting address: */
19978- address = read_cr2();
19979-
19980 /*
19981 * Detect and handle instructions that would cause a page fault for
19982 * both a tracked kernel page and a userspace page.
19983@@ -1048,7 +1296,7 @@ do_page_fault(struct pt_regs *regs, unsi
19984 * User-mode registers count as a user access even for any
19985 * potential system fault or CPU buglet:
19986 */
19987- if (user_mode_vm(regs)) {
19988+ if (user_mode(regs)) {
19989 local_irq_enable();
19990 error_code |= PF_USER;
19991 } else {
19992@@ -1103,6 +1351,11 @@ retry:
19993 might_sleep();
19994 }
19995
19996+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
19997+ if (pax_handle_pageexec_fault(regs, mm, address, error_code))
19998+ return;
19999+#endif
20000+
20001 vma = find_vma(mm, address);
20002 if (unlikely(!vma)) {
20003 bad_area(regs, error_code, address);
20004@@ -1114,18 +1367,24 @@ retry:
20005 bad_area(regs, error_code, address);
20006 return;
20007 }
20008- if (error_code & PF_USER) {
20009- /*
20010- * Accessing the stack below %sp is always a bug.
20011- * The large cushion allows instructions like enter
20012- * and pusha to work. ("enter $65535, $31" pushes
20013- * 32 pointers and then decrements %sp by 65535.)
20014- */
20015- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
20016- bad_area(regs, error_code, address);
20017- return;
20018- }
20019+ /*
20020+ * Accessing the stack below %sp is always a bug.
20021+ * The large cushion allows instructions like enter
20022+ * and pusha to work. ("enter $65535, $31" pushes
20023+ * 32 pointers and then decrements %sp by 65535.)
20024+ */
20025+ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
20026+ bad_area(regs, error_code, address);
20027+ return;
20028 }
20029+
20030+#ifdef CONFIG_PAX_SEGMEXEC
20031+ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
20032+ bad_area(regs, error_code, address);
20033+ return;
20034+ }
20035+#endif
20036+
20037 if (unlikely(expand_stack(vma, address))) {
20038 bad_area(regs, error_code, address);
20039 return;
20040@@ -1180,3 +1439,199 @@ good_area:
20041
20042 up_read(&mm->mmap_sem);
20043 }
20044+
20045+#ifdef CONFIG_PAX_EMUTRAMP
20046+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
20047+{
20048+ int err;
20049+
20050+ do { /* PaX: gcc trampoline emulation #1 */
20051+ unsigned char mov1, mov2;
20052+ unsigned short jmp;
20053+ unsigned int addr1, addr2;
20054+
20055+#ifdef CONFIG_X86_64
20056+ if ((regs->ip + 11) >> 32)
20057+ break;
20058+#endif
20059+
20060+ err = get_user(mov1, (unsigned char __user *)regs->ip);
20061+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
20062+ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
20063+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
20064+ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
20065+
20066+ if (err)
20067+ break;
20068+
20069+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
20070+ regs->cx = addr1;
20071+ regs->ax = addr2;
20072+ regs->ip = addr2;
20073+ return 2;
20074+ }
20075+ } while (0);
20076+
20077+ do { /* PaX: gcc trampoline emulation #2 */
20078+ unsigned char mov, jmp;
20079+ unsigned int addr1, addr2;
20080+
20081+#ifdef CONFIG_X86_64
20082+ if ((regs->ip + 9) >> 32)
20083+ break;
20084+#endif
20085+
20086+ err = get_user(mov, (unsigned char __user *)regs->ip);
20087+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
20088+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
20089+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
20090+
20091+ if (err)
20092+ break;
20093+
20094+ if (mov == 0xB9 && jmp == 0xE9) {
20095+ regs->cx = addr1;
20096+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
20097+ return 2;
20098+ }
20099+ } while (0);
20100+
20101+ return 1; /* PaX in action */
20102+}
20103+
20104+#ifdef CONFIG_X86_64
20105+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
20106+{
20107+ int err;
20108+
20109+ do { /* PaX: gcc trampoline emulation #1 */
20110+ unsigned short mov1, mov2, jmp1;
20111+ unsigned char jmp2;
20112+ unsigned int addr1;
20113+ unsigned long addr2;
20114+
20115+ err = get_user(mov1, (unsigned short __user *)regs->ip);
20116+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
20117+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
20118+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
20119+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
20120+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
20121+
20122+ if (err)
20123+ break;
20124+
20125+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
20126+ regs->r11 = addr1;
20127+ regs->r10 = addr2;
20128+ regs->ip = addr1;
20129+ return 2;
20130+ }
20131+ } while (0);
20132+
20133+ do { /* PaX: gcc trampoline emulation #2 */
20134+ unsigned short mov1, mov2, jmp1;
20135+ unsigned char jmp2;
20136+ unsigned long addr1, addr2;
20137+
20138+ err = get_user(mov1, (unsigned short __user *)regs->ip);
20139+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
20140+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
20141+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
20142+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
20143+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
20144+
20145+ if (err)
20146+ break;
20147+
20148+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
20149+ regs->r11 = addr1;
20150+ regs->r10 = addr2;
20151+ regs->ip = addr1;
20152+ return 2;
20153+ }
20154+ } while (0);
20155+
20156+ return 1; /* PaX in action */
20157+}
20158+#endif
20159+
20160+/*
20161+ * PaX: decide what to do with offenders (regs->ip = fault address)
20162+ *
20163+ * returns 1 when task should be killed
20164+ * 2 when gcc trampoline was detected
20165+ */
20166+static int pax_handle_fetch_fault(struct pt_regs *regs)
20167+{
20168+ if (v8086_mode(regs))
20169+ return 1;
20170+
20171+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
20172+ return 1;
20173+
20174+#ifdef CONFIG_X86_32
20175+ return pax_handle_fetch_fault_32(regs);
20176+#else
20177+ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
20178+ return pax_handle_fetch_fault_32(regs);
20179+ else
20180+ return pax_handle_fetch_fault_64(regs);
20181+#endif
20182+}
20183+#endif
20184+
20185+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20186+void pax_report_insns(void *pc, void *sp)
20187+{
20188+ long i;
20189+
20190+ printk(KERN_ERR "PAX: bytes at PC: ");
20191+ for (i = 0; i < 20; i++) {
20192+ unsigned char c;
20193+ if (get_user(c, (unsigned char __force_user *)pc+i))
20194+ printk(KERN_CONT "?? ");
20195+ else
20196+ printk(KERN_CONT "%02x ", c);
20197+ }
20198+ printk("\n");
20199+
20200+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
20201+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
20202+ unsigned long c;
20203+ if (get_user(c, (unsigned long __force_user *)sp+i))
20204+#ifdef CONFIG_X86_32
20205+ printk(KERN_CONT "???????? ");
20206+#else
20207+ printk(KERN_CONT "???????????????? ");
20208+#endif
20209+ else
20210+ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
20211+ }
20212+ printk("\n");
20213+}
20214+#endif
20215+
20216+/**
20217+ * probe_kernel_write(): safely attempt to write to a location
20218+ * @dst: address to write to
20219+ * @src: pointer to the data that shall be written
20220+ * @size: size of the data chunk
20221+ *
20222+ * Safely write to address @dst from the buffer at @src. If a kernel fault
20223+ * happens, handle that and return -EFAULT.
20224+ */
20225+long notrace probe_kernel_write(void *dst, const void *src, size_t size)
20226+{
20227+ long ret;
20228+ mm_segment_t old_fs = get_fs();
20229+
20230+ set_fs(KERNEL_DS);
20231+ pagefault_disable();
20232+ pax_open_kernel();
20233+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
20234+ pax_close_kernel();
20235+ pagefault_enable();
20236+ set_fs(old_fs);
20237+
20238+ return ret ? -EFAULT : 0;
20239+}
20240diff -urNp linux-3.0.7/arch/x86/mm/gup.c linux-3.0.7/arch/x86/mm/gup.c
20241--- linux-3.0.7/arch/x86/mm/gup.c 2011-07-21 22:17:23.000000000 -0400
20242+++ linux-3.0.7/arch/x86/mm/gup.c 2011-08-23 21:47:55.000000000 -0400
20243@@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
20244 addr = start;
20245 len = (unsigned long) nr_pages << PAGE_SHIFT;
20246 end = start + len;
20247- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
20248+ if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
20249 (void __user *)start, len)))
20250 return 0;
20251
20252diff -urNp linux-3.0.7/arch/x86/mm/highmem_32.c linux-3.0.7/arch/x86/mm/highmem_32.c
20253--- linux-3.0.7/arch/x86/mm/highmem_32.c 2011-07-21 22:17:23.000000000 -0400
20254+++ linux-3.0.7/arch/x86/mm/highmem_32.c 2011-08-23 21:47:55.000000000 -0400
20255@@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
20256 idx = type + KM_TYPE_NR*smp_processor_id();
20257 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
20258 BUG_ON(!pte_none(*(kmap_pte-idx)));
20259+
20260+ pax_open_kernel();
20261 set_pte(kmap_pte-idx, mk_pte(page, prot));
20262+ pax_close_kernel();
20263
20264 return (void *)vaddr;
20265 }
20266diff -urNp linux-3.0.7/arch/x86/mm/hugetlbpage.c linux-3.0.7/arch/x86/mm/hugetlbpage.c
20267--- linux-3.0.7/arch/x86/mm/hugetlbpage.c 2011-07-21 22:17:23.000000000 -0400
20268+++ linux-3.0.7/arch/x86/mm/hugetlbpage.c 2011-08-23 21:47:55.000000000 -0400
20269@@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
20270 struct hstate *h = hstate_file(file);
20271 struct mm_struct *mm = current->mm;
20272 struct vm_area_struct *vma;
20273- unsigned long start_addr;
20274+ unsigned long start_addr, pax_task_size = TASK_SIZE;
20275+
20276+#ifdef CONFIG_PAX_SEGMEXEC
20277+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
20278+ pax_task_size = SEGMEXEC_TASK_SIZE;
20279+#endif
20280+
20281+ pax_task_size -= PAGE_SIZE;
20282
20283 if (len > mm->cached_hole_size) {
20284- start_addr = mm->free_area_cache;
20285+ start_addr = mm->free_area_cache;
20286 } else {
20287- start_addr = TASK_UNMAPPED_BASE;
20288- mm->cached_hole_size = 0;
20289+ start_addr = mm->mmap_base;
20290+ mm->cached_hole_size = 0;
20291 }
20292
20293 full_search:
20294@@ -280,26 +287,27 @@ full_search:
20295
20296 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
20297 /* At this point: (!vma || addr < vma->vm_end). */
20298- if (TASK_SIZE - len < addr) {
20299+ if (pax_task_size - len < addr) {
20300 /*
20301 * Start a new search - just in case we missed
20302 * some holes.
20303 */
20304- if (start_addr != TASK_UNMAPPED_BASE) {
20305- start_addr = TASK_UNMAPPED_BASE;
20306+ if (start_addr != mm->mmap_base) {
20307+ start_addr = mm->mmap_base;
20308 mm->cached_hole_size = 0;
20309 goto full_search;
20310 }
20311 return -ENOMEM;
20312 }
20313- if (!vma || addr + len <= vma->vm_start) {
20314- mm->free_area_cache = addr + len;
20315- return addr;
20316- }
20317+ if (check_heap_stack_gap(vma, addr, len))
20318+ break;
20319 if (addr + mm->cached_hole_size < vma->vm_start)
20320 mm->cached_hole_size = vma->vm_start - addr;
20321 addr = ALIGN(vma->vm_end, huge_page_size(h));
20322 }
20323+
20324+ mm->free_area_cache = addr + len;
20325+ return addr;
20326 }
20327
20328 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
20329@@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
20330 {
20331 struct hstate *h = hstate_file(file);
20332 struct mm_struct *mm = current->mm;
20333- struct vm_area_struct *vma, *prev_vma;
20334- unsigned long base = mm->mmap_base, addr = addr0;
20335+ struct vm_area_struct *vma;
20336+ unsigned long base = mm->mmap_base, addr;
20337 unsigned long largest_hole = mm->cached_hole_size;
20338- int first_time = 1;
20339
20340 /* don't allow allocations above current base */
20341 if (mm->free_area_cache > base)
20342@@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
20343 largest_hole = 0;
20344 mm->free_area_cache = base;
20345 }
20346-try_again:
20347+
20348 /* make sure it can fit in the remaining address space */
20349 if (mm->free_area_cache < len)
20350 goto fail;
20351
20352 /* either no address requested or can't fit in requested address hole */
20353- addr = (mm->free_area_cache - len) & huge_page_mask(h);
20354+ addr = (mm->free_area_cache - len);
20355 do {
20356+ addr &= huge_page_mask(h);
20357+ vma = find_vma(mm, addr);
20358 /*
20359 * Lookup failure means no vma is above this address,
20360 * i.e. return with success:
20361- */
20362- if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
20363- return addr;
20364-
20365- /*
20366 * new region fits between prev_vma->vm_end and
20367 * vma->vm_start, use it:
20368 */
20369- if (addr + len <= vma->vm_start &&
20370- (!prev_vma || (addr >= prev_vma->vm_end))) {
20371+ if (check_heap_stack_gap(vma, addr, len)) {
20372 /* remember the address as a hint for next time */
20373- mm->cached_hole_size = largest_hole;
20374- return (mm->free_area_cache = addr);
20375- } else {
20376- /* pull free_area_cache down to the first hole */
20377- if (mm->free_area_cache == vma->vm_end) {
20378- mm->free_area_cache = vma->vm_start;
20379- mm->cached_hole_size = largest_hole;
20380- }
20381+ mm->cached_hole_size = largest_hole;
20382+ return (mm->free_area_cache = addr);
20383+ }
20384+ /* pull free_area_cache down to the first hole */
20385+ if (mm->free_area_cache == vma->vm_end) {
20386+ mm->free_area_cache = vma->vm_start;
20387+ mm->cached_hole_size = largest_hole;
20388 }
20389
20390 /* remember the largest hole we saw so far */
20391 if (addr + largest_hole < vma->vm_start)
20392- largest_hole = vma->vm_start - addr;
20393+ largest_hole = vma->vm_start - addr;
20394
20395 /* try just below the current vma->vm_start */
20396- addr = (vma->vm_start - len) & huge_page_mask(h);
20397- } while (len <= vma->vm_start);
20398+ addr = skip_heap_stack_gap(vma, len);
20399+ } while (!IS_ERR_VALUE(addr));
20400
20401 fail:
20402 /*
20403- * if hint left us with no space for the requested
20404- * mapping then try again:
20405- */
20406- if (first_time) {
20407- mm->free_area_cache = base;
20408- largest_hole = 0;
20409- first_time = 0;
20410- goto try_again;
20411- }
20412- /*
20413 * A failed mmap() very likely causes application failure,
20414 * so fall back to the bottom-up function here. This scenario
20415 * can happen with large stack limits and large mmap()
20416 * allocations.
20417 */
20418- mm->free_area_cache = TASK_UNMAPPED_BASE;
20419+
20420+#ifdef CONFIG_PAX_SEGMEXEC
20421+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
20422+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
20423+ else
20424+#endif
20425+
20426+ mm->mmap_base = TASK_UNMAPPED_BASE;
20427+
20428+#ifdef CONFIG_PAX_RANDMMAP
20429+ if (mm->pax_flags & MF_PAX_RANDMMAP)
20430+ mm->mmap_base += mm->delta_mmap;
20431+#endif
20432+
20433+ mm->free_area_cache = mm->mmap_base;
20434 mm->cached_hole_size = ~0UL;
20435 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
20436 len, pgoff, flags);
20437@@ -386,6 +392,7 @@ fail:
20438 /*
20439 * Restore the topdown base:
20440 */
20441+ mm->mmap_base = base;
20442 mm->free_area_cache = base;
20443 mm->cached_hole_size = ~0UL;
20444
20445@@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
20446 struct hstate *h = hstate_file(file);
20447 struct mm_struct *mm = current->mm;
20448 struct vm_area_struct *vma;
20449+ unsigned long pax_task_size = TASK_SIZE;
20450
20451 if (len & ~huge_page_mask(h))
20452 return -EINVAL;
20453- if (len > TASK_SIZE)
20454+
20455+#ifdef CONFIG_PAX_SEGMEXEC
20456+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
20457+ pax_task_size = SEGMEXEC_TASK_SIZE;
20458+#endif
20459+
20460+ pax_task_size -= PAGE_SIZE;
20461+
20462+ if (len > pax_task_size)
20463 return -ENOMEM;
20464
20465 if (flags & MAP_FIXED) {
20466@@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
20467 if (addr) {
20468 addr = ALIGN(addr, huge_page_size(h));
20469 vma = find_vma(mm, addr);
20470- if (TASK_SIZE - len >= addr &&
20471- (!vma || addr + len <= vma->vm_start))
20472+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
20473 return addr;
20474 }
20475 if (mm->get_unmapped_area == arch_get_unmapped_area)
20476diff -urNp linux-3.0.7/arch/x86/mm/init.c linux-3.0.7/arch/x86/mm/init.c
20477--- linux-3.0.7/arch/x86/mm/init.c 2011-07-21 22:17:23.000000000 -0400
20478+++ linux-3.0.7/arch/x86/mm/init.c 2011-08-23 21:48:14.000000000 -0400
20479@@ -31,7 +31,7 @@ int direct_gbpages
20480 static void __init find_early_table_space(unsigned long end, int use_pse,
20481 int use_gbpages)
20482 {
20483- unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
20484+ unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
20485 phys_addr_t base;
20486
20487 puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
20488@@ -313,12 +313,34 @@ unsigned long __init_refok init_memory_m
20489 */
20490 int devmem_is_allowed(unsigned long pagenr)
20491 {
20492- if (pagenr <= 256)
20493+#ifdef CONFIG_GRKERNSEC_KMEM
20494+ /* allow BDA */
20495+ if (!pagenr)
20496+ return 1;
20497+ /* allow EBDA */
20498+ if ((0x9f000 >> PAGE_SHIFT) == pagenr)
20499+ return 1;
20500+#else
20501+ if (!pagenr)
20502+ return 1;
20503+#ifdef CONFIG_VM86
20504+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
20505+ return 1;
20506+#endif
20507+#endif
20508+
20509+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
20510 return 1;
20511+#ifdef CONFIG_GRKERNSEC_KMEM
20512+ /* throw out everything else below 1MB */
20513+ if (pagenr <= 256)
20514+ return 0;
20515+#endif
20516 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
20517 return 0;
20518 if (!page_is_ram(pagenr))
20519 return 1;
20520+
20521 return 0;
20522 }
20523
20524@@ -373,6 +395,86 @@ void free_init_pages(char *what, unsigne
20525
20526 void free_initmem(void)
20527 {
20528+
20529+#ifdef CONFIG_PAX_KERNEXEC
20530+#ifdef CONFIG_X86_32
20531+ /* PaX: limit KERNEL_CS to actual size */
20532+ unsigned long addr, limit;
20533+ struct desc_struct d;
20534+ int cpu;
20535+
20536+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
20537+ limit = (limit - 1UL) >> PAGE_SHIFT;
20538+
20539+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
20540+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
20541+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
20542+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
20543+ }
20544+
20545+ /* PaX: make KERNEL_CS read-only */
20546+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
20547+ if (!paravirt_enabled())
20548+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
20549+/*
20550+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
20551+ pgd = pgd_offset_k(addr);
20552+ pud = pud_offset(pgd, addr);
20553+ pmd = pmd_offset(pud, addr);
20554+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
20555+ }
20556+*/
20557+#ifdef CONFIG_X86_PAE
20558+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
20559+/*
20560+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
20561+ pgd = pgd_offset_k(addr);
20562+ pud = pud_offset(pgd, addr);
20563+ pmd = pmd_offset(pud, addr);
20564+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
20565+ }
20566+*/
20567+#endif
20568+
20569+#ifdef CONFIG_MODULES
20570+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
20571+#endif
20572+
20573+#else
20574+ pgd_t *pgd;
20575+ pud_t *pud;
20576+ pmd_t *pmd;
20577+ unsigned long addr, end;
20578+
20579+ /* PaX: make kernel code/rodata read-only, rest non-executable */
20580+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
20581+ pgd = pgd_offset_k(addr);
20582+ pud = pud_offset(pgd, addr);
20583+ pmd = pmd_offset(pud, addr);
20584+ if (!pmd_present(*pmd))
20585+ continue;
20586+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
20587+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
20588+ else
20589+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
20590+ }
20591+
20592+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
20593+ end = addr + KERNEL_IMAGE_SIZE;
20594+ for (; addr < end; addr += PMD_SIZE) {
20595+ pgd = pgd_offset_k(addr);
20596+ pud = pud_offset(pgd, addr);
20597+ pmd = pmd_offset(pud, addr);
20598+ if (!pmd_present(*pmd))
20599+ continue;
20600+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
20601+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
20602+ }
20603+#endif
20604+
20605+ flush_tlb_all();
20606+#endif
20607+
20608 free_init_pages("unused kernel memory",
20609 (unsigned long)(&__init_begin),
20610 (unsigned long)(&__init_end));
20611diff -urNp linux-3.0.7/arch/x86/mm/init_32.c linux-3.0.7/arch/x86/mm/init_32.c
20612--- linux-3.0.7/arch/x86/mm/init_32.c 2011-07-21 22:17:23.000000000 -0400
20613+++ linux-3.0.7/arch/x86/mm/init_32.c 2011-08-23 21:47:55.000000000 -0400
20614@@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
20615 }
20616
20617 /*
20618- * Creates a middle page table and puts a pointer to it in the
20619- * given global directory entry. This only returns the gd entry
20620- * in non-PAE compilation mode, since the middle layer is folded.
20621- */
20622-static pmd_t * __init one_md_table_init(pgd_t *pgd)
20623-{
20624- pud_t *pud;
20625- pmd_t *pmd_table;
20626-
20627-#ifdef CONFIG_X86_PAE
20628- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
20629- if (after_bootmem)
20630- pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
20631- else
20632- pmd_table = (pmd_t *)alloc_low_page();
20633- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
20634- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
20635- pud = pud_offset(pgd, 0);
20636- BUG_ON(pmd_table != pmd_offset(pud, 0));
20637-
20638- return pmd_table;
20639- }
20640-#endif
20641- pud = pud_offset(pgd, 0);
20642- pmd_table = pmd_offset(pud, 0);
20643-
20644- return pmd_table;
20645-}
20646-
20647-/*
20648 * Create a page table and place a pointer to it in a middle page
20649 * directory entry:
20650 */
20651@@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
20652 page_table = (pte_t *)alloc_low_page();
20653
20654 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
20655+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20656+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
20657+#else
20658 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
20659+#endif
20660 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
20661 }
20662
20663 return pte_offset_kernel(pmd, 0);
20664 }
20665
20666+static pmd_t * __init one_md_table_init(pgd_t *pgd)
20667+{
20668+ pud_t *pud;
20669+ pmd_t *pmd_table;
20670+
20671+ pud = pud_offset(pgd, 0);
20672+ pmd_table = pmd_offset(pud, 0);
20673+
20674+ return pmd_table;
20675+}
20676+
20677 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
20678 {
20679 int pgd_idx = pgd_index(vaddr);
20680@@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
20681 int pgd_idx, pmd_idx;
20682 unsigned long vaddr;
20683 pgd_t *pgd;
20684+ pud_t *pud;
20685 pmd_t *pmd;
20686 pte_t *pte = NULL;
20687
20688@@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
20689 pgd = pgd_base + pgd_idx;
20690
20691 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
20692- pmd = one_md_table_init(pgd);
20693- pmd = pmd + pmd_index(vaddr);
20694+ pud = pud_offset(pgd, vaddr);
20695+ pmd = pmd_offset(pud, vaddr);
20696+
20697+#ifdef CONFIG_X86_PAE
20698+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20699+#endif
20700+
20701 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
20702 pmd++, pmd_idx++) {
20703 pte = page_table_kmap_check(one_page_table_init(pmd),
20704@@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
20705 }
20706 }
20707
20708-static inline int is_kernel_text(unsigned long addr)
20709+static inline int is_kernel_text(unsigned long start, unsigned long end)
20710 {
20711- if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
20712- return 1;
20713- return 0;
20714+ if ((start > ktla_ktva((unsigned long)_etext) ||
20715+ end <= ktla_ktva((unsigned long)_stext)) &&
20716+ (start > ktla_ktva((unsigned long)_einittext) ||
20717+ end <= ktla_ktva((unsigned long)_sinittext)) &&
20718+
20719+#ifdef CONFIG_ACPI_SLEEP
20720+ (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
20721+#endif
20722+
20723+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
20724+ return 0;
20725+ return 1;
20726 }
20727
20728 /*
20729@@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
20730 unsigned long last_map_addr = end;
20731 unsigned long start_pfn, end_pfn;
20732 pgd_t *pgd_base = swapper_pg_dir;
20733- int pgd_idx, pmd_idx, pte_ofs;
20734+ unsigned int pgd_idx, pmd_idx, pte_ofs;
20735 unsigned long pfn;
20736 pgd_t *pgd;
20737+ pud_t *pud;
20738 pmd_t *pmd;
20739 pte_t *pte;
20740 unsigned pages_2m, pages_4k;
20741@@ -281,8 +282,13 @@ repeat:
20742 pfn = start_pfn;
20743 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20744 pgd = pgd_base + pgd_idx;
20745- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
20746- pmd = one_md_table_init(pgd);
20747+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
20748+ pud = pud_offset(pgd, 0);
20749+ pmd = pmd_offset(pud, 0);
20750+
20751+#ifdef CONFIG_X86_PAE
20752+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20753+#endif
20754
20755 if (pfn >= end_pfn)
20756 continue;
20757@@ -294,14 +300,13 @@ repeat:
20758 #endif
20759 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
20760 pmd++, pmd_idx++) {
20761- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
20762+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
20763
20764 /*
20765 * Map with big pages if possible, otherwise
20766 * create normal page tables:
20767 */
20768 if (use_pse) {
20769- unsigned int addr2;
20770 pgprot_t prot = PAGE_KERNEL_LARGE;
20771 /*
20772 * first pass will use the same initial
20773@@ -311,11 +316,7 @@ repeat:
20774 __pgprot(PTE_IDENT_ATTR |
20775 _PAGE_PSE);
20776
20777- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
20778- PAGE_OFFSET + PAGE_SIZE-1;
20779-
20780- if (is_kernel_text(addr) ||
20781- is_kernel_text(addr2))
20782+ if (is_kernel_text(address, address + PMD_SIZE))
20783 prot = PAGE_KERNEL_LARGE_EXEC;
20784
20785 pages_2m++;
20786@@ -332,7 +333,7 @@ repeat:
20787 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20788 pte += pte_ofs;
20789 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
20790- pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
20791+ pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
20792 pgprot_t prot = PAGE_KERNEL;
20793 /*
20794 * first pass will use the same initial
20795@@ -340,7 +341,7 @@ repeat:
20796 */
20797 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
20798
20799- if (is_kernel_text(addr))
20800+ if (is_kernel_text(address, address + PAGE_SIZE))
20801 prot = PAGE_KERNEL_EXEC;
20802
20803 pages_4k++;
20804@@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
20805
20806 pud = pud_offset(pgd, va);
20807 pmd = pmd_offset(pud, va);
20808- if (!pmd_present(*pmd))
20809+ if (!pmd_present(*pmd) || pmd_huge(*pmd))
20810 break;
20811
20812 pte = pte_offset_kernel(pmd, va);
20813@@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
20814
20815 static void __init pagetable_init(void)
20816 {
20817- pgd_t *pgd_base = swapper_pg_dir;
20818-
20819- permanent_kmaps_init(pgd_base);
20820+ permanent_kmaps_init(swapper_pg_dir);
20821 }
20822
20823-pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
20824+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
20825 EXPORT_SYMBOL_GPL(__supported_pte_mask);
20826
20827 /* user-defined highmem size */
20828@@ -757,6 +756,12 @@ void __init mem_init(void)
20829
20830 pci_iommu_alloc();
20831
20832+#ifdef CONFIG_PAX_PER_CPU_PGD
20833+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
20834+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
20835+ KERNEL_PGD_PTRS);
20836+#endif
20837+
20838 #ifdef CONFIG_FLATMEM
20839 BUG_ON(!mem_map);
20840 #endif
20841@@ -774,7 +779,7 @@ void __init mem_init(void)
20842 set_highmem_pages_init();
20843
20844 codesize = (unsigned long) &_etext - (unsigned long) &_text;
20845- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
20846+ datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
20847 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
20848
20849 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
20850@@ -815,10 +820,10 @@ void __init mem_init(void)
20851 ((unsigned long)&__init_end -
20852 (unsigned long)&__init_begin) >> 10,
20853
20854- (unsigned long)&_etext, (unsigned long)&_edata,
20855- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
20856+ (unsigned long)&_sdata, (unsigned long)&_edata,
20857+ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
20858
20859- (unsigned long)&_text, (unsigned long)&_etext,
20860+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
20861 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
20862
20863 /*
20864@@ -896,6 +901,7 @@ void set_kernel_text_rw(void)
20865 if (!kernel_set_to_readonly)
20866 return;
20867
20868+ start = ktla_ktva(start);
20869 pr_debug("Set kernel text: %lx - %lx for read write\n",
20870 start, start+size);
20871
20872@@ -910,6 +916,7 @@ void set_kernel_text_ro(void)
20873 if (!kernel_set_to_readonly)
20874 return;
20875
20876+ start = ktla_ktva(start);
20877 pr_debug("Set kernel text: %lx - %lx for read only\n",
20878 start, start+size);
20879
20880@@ -938,6 +945,7 @@ void mark_rodata_ro(void)
20881 unsigned long start = PFN_ALIGN(_text);
20882 unsigned long size = PFN_ALIGN(_etext) - start;
20883
20884+ start = ktla_ktva(start);
20885 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
20886 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
20887 size >> 10);
20888diff -urNp linux-3.0.7/arch/x86/mm/init_64.c linux-3.0.7/arch/x86/mm/init_64.c
20889--- linux-3.0.7/arch/x86/mm/init_64.c 2011-07-21 22:17:23.000000000 -0400
20890+++ linux-3.0.7/arch/x86/mm/init_64.c 2011-10-06 04:17:55.000000000 -0400
20891@@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpa
20892 * around without checking the pgd every time.
20893 */
20894
20895-pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
20896+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
20897 EXPORT_SYMBOL_GPL(__supported_pte_mask);
20898
20899 int force_personality32;
20900@@ -108,12 +108,22 @@ void sync_global_pgds(unsigned long star
20901
20902 for (address = start; address <= end; address += PGDIR_SIZE) {
20903 const pgd_t *pgd_ref = pgd_offset_k(address);
20904+
20905+#ifdef CONFIG_PAX_PER_CPU_PGD
20906+ unsigned long cpu;
20907+#else
20908 struct page *page;
20909+#endif
20910
20911 if (pgd_none(*pgd_ref))
20912 continue;
20913
20914 spin_lock(&pgd_lock);
20915+
20916+#ifdef CONFIG_PAX_PER_CPU_PGD
20917+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
20918+ pgd_t *pgd = pgd_offset_cpu(cpu, address);
20919+#else
20920 list_for_each_entry(page, &pgd_list, lru) {
20921 pgd_t *pgd;
20922 spinlock_t *pgt_lock;
20923@@ -122,6 +132,7 @@ void sync_global_pgds(unsigned long star
20924 /* the pgt_lock only for Xen */
20925 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
20926 spin_lock(pgt_lock);
20927+#endif
20928
20929 if (pgd_none(*pgd))
20930 set_pgd(pgd, *pgd_ref);
20931@@ -129,7 +140,10 @@ void sync_global_pgds(unsigned long star
20932 BUG_ON(pgd_page_vaddr(*pgd)
20933 != pgd_page_vaddr(*pgd_ref));
20934
20935+#ifndef CONFIG_PAX_PER_CPU_PGD
20936 spin_unlock(pgt_lock);
20937+#endif
20938+
20939 }
20940 spin_unlock(&pgd_lock);
20941 }
20942@@ -203,7 +217,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
20943 pmd = fill_pmd(pud, vaddr);
20944 pte = fill_pte(pmd, vaddr);
20945
20946+ pax_open_kernel();
20947 set_pte(pte, new_pte);
20948+ pax_close_kernel();
20949
20950 /*
20951 * It's enough to flush this one mapping.
20952@@ -262,14 +278,12 @@ static void __init __init_extra_mapping(
20953 pgd = pgd_offset_k((unsigned long)__va(phys));
20954 if (pgd_none(*pgd)) {
20955 pud = (pud_t *) spp_getpage();
20956- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
20957- _PAGE_USER));
20958+ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
20959 }
20960 pud = pud_offset(pgd, (unsigned long)__va(phys));
20961 if (pud_none(*pud)) {
20962 pmd = (pmd_t *) spp_getpage();
20963- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
20964- _PAGE_USER));
20965+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
20966 }
20967 pmd = pmd_offset(pud, phys);
20968 BUG_ON(!pmd_none(*pmd));
20969@@ -330,7 +344,7 @@ static __ref void *alloc_low_page(unsign
20970 if (pfn >= pgt_buf_top)
20971 panic("alloc_low_page: ran out of memory");
20972
20973- adr = early_memremap(pfn * PAGE_SIZE, PAGE_SIZE);
20974+ adr = (void __force_kernel *)early_memremap(pfn * PAGE_SIZE, PAGE_SIZE);
20975 clear_page(adr);
20976 *phys = pfn * PAGE_SIZE;
20977 return adr;
20978@@ -346,7 +360,7 @@ static __ref void *map_low_page(void *vi
20979
20980 phys = __pa(virt);
20981 left = phys & (PAGE_SIZE - 1);
20982- adr = early_memremap(phys & PAGE_MASK, PAGE_SIZE);
20983+ adr = (void __force_kernel *)early_memremap(phys & PAGE_MASK, PAGE_SIZE);
20984 adr = (void *)(((unsigned long)adr) | left);
20985
20986 return adr;
20987@@ -693,6 +707,12 @@ void __init mem_init(void)
20988
20989 pci_iommu_alloc();
20990
20991+#ifdef CONFIG_PAX_PER_CPU_PGD
20992+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
20993+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
20994+ KERNEL_PGD_PTRS);
20995+#endif
20996+
20997 /* clear_bss() already clear the empty_zero_page */
20998
20999 reservedpages = 0;
21000@@ -853,8 +873,8 @@ int kern_addr_valid(unsigned long addr)
21001 static struct vm_area_struct gate_vma = {
21002 .vm_start = VSYSCALL_START,
21003 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
21004- .vm_page_prot = PAGE_READONLY_EXEC,
21005- .vm_flags = VM_READ | VM_EXEC
21006+ .vm_page_prot = PAGE_READONLY,
21007+ .vm_flags = VM_READ
21008 };
21009
21010 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
21011@@ -888,7 +908,7 @@ int in_gate_area_no_mm(unsigned long add
21012
21013 const char *arch_vma_name(struct vm_area_struct *vma)
21014 {
21015- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
21016+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
21017 return "[vdso]";
21018 if (vma == &gate_vma)
21019 return "[vsyscall]";
21020diff -urNp linux-3.0.7/arch/x86/mm/iomap_32.c linux-3.0.7/arch/x86/mm/iomap_32.c
21021--- linux-3.0.7/arch/x86/mm/iomap_32.c 2011-07-21 22:17:23.000000000 -0400
21022+++ linux-3.0.7/arch/x86/mm/iomap_32.c 2011-08-23 21:47:55.000000000 -0400
21023@@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
21024 type = kmap_atomic_idx_push();
21025 idx = type + KM_TYPE_NR * smp_processor_id();
21026 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21027+
21028+ pax_open_kernel();
21029 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
21030+ pax_close_kernel();
21031+
21032 arch_flush_lazy_mmu_mode();
21033
21034 return (void *)vaddr;
21035diff -urNp linux-3.0.7/arch/x86/mm/ioremap.c linux-3.0.7/arch/x86/mm/ioremap.c
21036--- linux-3.0.7/arch/x86/mm/ioremap.c 2011-07-21 22:17:23.000000000 -0400
21037+++ linux-3.0.7/arch/x86/mm/ioremap.c 2011-08-23 21:47:55.000000000 -0400
21038@@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(re
21039 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
21040 int is_ram = page_is_ram(pfn);
21041
21042- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
21043+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
21044 return NULL;
21045 WARN_ON_ONCE(is_ram);
21046 }
21047@@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
21048 early_param("early_ioremap_debug", early_ioremap_debug_setup);
21049
21050 static __initdata int after_paging_init;
21051-static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
21052+static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
21053
21054 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
21055 {
21056@@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
21057 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
21058
21059 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
21060- memset(bm_pte, 0, sizeof(bm_pte));
21061- pmd_populate_kernel(&init_mm, pmd, bm_pte);
21062+ pmd_populate_user(&init_mm, pmd, bm_pte);
21063
21064 /*
21065 * The boot-ioremap range spans multiple pmds, for which
21066diff -urNp linux-3.0.7/arch/x86/mm/kmemcheck/kmemcheck.c linux-3.0.7/arch/x86/mm/kmemcheck/kmemcheck.c
21067--- linux-3.0.7/arch/x86/mm/kmemcheck/kmemcheck.c 2011-07-21 22:17:23.000000000 -0400
21068+++ linux-3.0.7/arch/x86/mm/kmemcheck/kmemcheck.c 2011-08-23 21:47:55.000000000 -0400
21069@@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
21070 * memory (e.g. tracked pages)? For now, we need this to avoid
21071 * invoking kmemcheck for PnP BIOS calls.
21072 */
21073- if (regs->flags & X86_VM_MASK)
21074+ if (v8086_mode(regs))
21075 return false;
21076- if (regs->cs != __KERNEL_CS)
21077+ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
21078 return false;
21079
21080 pte = kmemcheck_pte_lookup(address);
21081diff -urNp linux-3.0.7/arch/x86/mm/mmap.c linux-3.0.7/arch/x86/mm/mmap.c
21082--- linux-3.0.7/arch/x86/mm/mmap.c 2011-07-21 22:17:23.000000000 -0400
21083+++ linux-3.0.7/arch/x86/mm/mmap.c 2011-08-23 21:47:55.000000000 -0400
21084@@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
21085 * Leave an at least ~128 MB hole with possible stack randomization.
21086 */
21087 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
21088-#define MAX_GAP (TASK_SIZE/6*5)
21089+#define MAX_GAP (pax_task_size/6*5)
21090
21091 /*
21092 * True on X86_32 or when emulating IA32 on X86_64
21093@@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
21094 return rnd << PAGE_SHIFT;
21095 }
21096
21097-static unsigned long mmap_base(void)
21098+static unsigned long mmap_base(struct mm_struct *mm)
21099 {
21100 unsigned long gap = rlimit(RLIMIT_STACK);
21101+ unsigned long pax_task_size = TASK_SIZE;
21102+
21103+#ifdef CONFIG_PAX_SEGMEXEC
21104+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
21105+ pax_task_size = SEGMEXEC_TASK_SIZE;
21106+#endif
21107
21108 if (gap < MIN_GAP)
21109 gap = MIN_GAP;
21110 else if (gap > MAX_GAP)
21111 gap = MAX_GAP;
21112
21113- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
21114+ return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
21115 }
21116
21117 /*
21118 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
21119 * does, but not when emulating X86_32
21120 */
21121-static unsigned long mmap_legacy_base(void)
21122+static unsigned long mmap_legacy_base(struct mm_struct *mm)
21123 {
21124- if (mmap_is_ia32())
21125+ if (mmap_is_ia32()) {
21126+
21127+#ifdef CONFIG_PAX_SEGMEXEC
21128+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
21129+ return SEGMEXEC_TASK_UNMAPPED_BASE;
21130+ else
21131+#endif
21132+
21133 return TASK_UNMAPPED_BASE;
21134- else
21135+ } else
21136 return TASK_UNMAPPED_BASE + mmap_rnd();
21137 }
21138
21139@@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
21140 void arch_pick_mmap_layout(struct mm_struct *mm)
21141 {
21142 if (mmap_is_legacy()) {
21143- mm->mmap_base = mmap_legacy_base();
21144+ mm->mmap_base = mmap_legacy_base(mm);
21145+
21146+#ifdef CONFIG_PAX_RANDMMAP
21147+ if (mm->pax_flags & MF_PAX_RANDMMAP)
21148+ mm->mmap_base += mm->delta_mmap;
21149+#endif
21150+
21151 mm->get_unmapped_area = arch_get_unmapped_area;
21152 mm->unmap_area = arch_unmap_area;
21153 } else {
21154- mm->mmap_base = mmap_base();
21155+ mm->mmap_base = mmap_base(mm);
21156+
21157+#ifdef CONFIG_PAX_RANDMMAP
21158+ if (mm->pax_flags & MF_PAX_RANDMMAP)
21159+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
21160+#endif
21161+
21162 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
21163 mm->unmap_area = arch_unmap_area_topdown;
21164 }
21165diff -urNp linux-3.0.7/arch/x86/mm/mmio-mod.c linux-3.0.7/arch/x86/mm/mmio-mod.c
21166--- linux-3.0.7/arch/x86/mm/mmio-mod.c 2011-07-21 22:17:23.000000000 -0400
21167+++ linux-3.0.7/arch/x86/mm/mmio-mod.c 2011-08-23 21:47:55.000000000 -0400
21168@@ -195,7 +195,7 @@ static void pre(struct kmmio_probe *p, s
21169 break;
21170 default:
21171 {
21172- unsigned char *ip = (unsigned char *)instptr;
21173+ unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
21174 my_trace->opcode = MMIO_UNKNOWN_OP;
21175 my_trace->width = 0;
21176 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
21177@@ -235,7 +235,7 @@ static void post(struct kmmio_probe *p,
21178 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
21179 void __iomem *addr)
21180 {
21181- static atomic_t next_id;
21182+ static atomic_unchecked_t next_id;
21183 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
21184 /* These are page-unaligned. */
21185 struct mmiotrace_map map = {
21186@@ -259,7 +259,7 @@ static void ioremap_trace_core(resource_
21187 .private = trace
21188 },
21189 .phys = offset,
21190- .id = atomic_inc_return(&next_id)
21191+ .id = atomic_inc_return_unchecked(&next_id)
21192 };
21193 map.map_id = trace->id;
21194
21195diff -urNp linux-3.0.7/arch/x86/mm/pageattr-test.c linux-3.0.7/arch/x86/mm/pageattr-test.c
21196--- linux-3.0.7/arch/x86/mm/pageattr-test.c 2011-07-21 22:17:23.000000000 -0400
21197+++ linux-3.0.7/arch/x86/mm/pageattr-test.c 2011-08-23 21:47:55.000000000 -0400
21198@@ -36,7 +36,7 @@ enum {
21199
21200 static int pte_testbit(pte_t pte)
21201 {
21202- return pte_flags(pte) & _PAGE_UNUSED1;
21203+ return pte_flags(pte) & _PAGE_CPA_TEST;
21204 }
21205
21206 struct split_state {
21207diff -urNp linux-3.0.7/arch/x86/mm/pageattr.c linux-3.0.7/arch/x86/mm/pageattr.c
21208--- linux-3.0.7/arch/x86/mm/pageattr.c 2011-07-21 22:17:23.000000000 -0400
21209+++ linux-3.0.7/arch/x86/mm/pageattr.c 2011-08-23 21:47:55.000000000 -0400
21210@@ -261,7 +261,7 @@ static inline pgprot_t static_protection
21211 */
21212 #ifdef CONFIG_PCI_BIOS
21213 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
21214- pgprot_val(forbidden) |= _PAGE_NX;
21215+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21216 #endif
21217
21218 /*
21219@@ -269,9 +269,10 @@ static inline pgprot_t static_protection
21220 * Does not cover __inittext since that is gone later on. On
21221 * 64bit we do not enforce !NX on the low mapping
21222 */
21223- if (within(address, (unsigned long)_text, (unsigned long)_etext))
21224- pgprot_val(forbidden) |= _PAGE_NX;
21225+ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
21226+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21227
21228+#ifdef CONFIG_DEBUG_RODATA
21229 /*
21230 * The .rodata section needs to be read-only. Using the pfn
21231 * catches all aliases.
21232@@ -279,6 +280,7 @@ static inline pgprot_t static_protection
21233 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
21234 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
21235 pgprot_val(forbidden) |= _PAGE_RW;
21236+#endif
21237
21238 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
21239 /*
21240@@ -317,6 +319,13 @@ static inline pgprot_t static_protection
21241 }
21242 #endif
21243
21244+#ifdef CONFIG_PAX_KERNEXEC
21245+ if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
21246+ pgprot_val(forbidden) |= _PAGE_RW;
21247+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21248+ }
21249+#endif
21250+
21251 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
21252
21253 return prot;
21254@@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
21255 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
21256 {
21257 /* change init_mm */
21258+ pax_open_kernel();
21259 set_pte_atomic(kpte, pte);
21260+
21261 #ifdef CONFIG_X86_32
21262 if (!SHARED_KERNEL_PMD) {
21263+
21264+#ifdef CONFIG_PAX_PER_CPU_PGD
21265+ unsigned long cpu;
21266+#else
21267 struct page *page;
21268+#endif
21269
21270+#ifdef CONFIG_PAX_PER_CPU_PGD
21271+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21272+ pgd_t *pgd = get_cpu_pgd(cpu);
21273+#else
21274 list_for_each_entry(page, &pgd_list, lru) {
21275- pgd_t *pgd;
21276+ pgd_t *pgd = (pgd_t *)page_address(page);
21277+#endif
21278+
21279 pud_t *pud;
21280 pmd_t *pmd;
21281
21282- pgd = (pgd_t *)page_address(page) + pgd_index(address);
21283+ pgd += pgd_index(address);
21284 pud = pud_offset(pgd, address);
21285 pmd = pmd_offset(pud, address);
21286 set_pte_atomic((pte_t *)pmd, pte);
21287 }
21288 }
21289 #endif
21290+ pax_close_kernel();
21291 }
21292
21293 static int
21294diff -urNp linux-3.0.7/arch/x86/mm/pat.c linux-3.0.7/arch/x86/mm/pat.c
21295--- linux-3.0.7/arch/x86/mm/pat.c 2011-07-21 22:17:23.000000000 -0400
21296+++ linux-3.0.7/arch/x86/mm/pat.c 2011-08-23 21:47:55.000000000 -0400
21297@@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
21298
21299 if (!entry) {
21300 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
21301- current->comm, current->pid, start, end);
21302+ current->comm, task_pid_nr(current), start, end);
21303 return -EINVAL;
21304 }
21305
21306@@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
21307 while (cursor < to) {
21308 if (!devmem_is_allowed(pfn)) {
21309 printk(KERN_INFO
21310- "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
21311- current->comm, from, to);
21312+ "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
21313+ current->comm, from, to, cursor);
21314 return 0;
21315 }
21316 cursor += PAGE_SIZE;
21317@@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
21318 printk(KERN_INFO
21319 "%s:%d ioremap_change_attr failed %s "
21320 "for %Lx-%Lx\n",
21321- current->comm, current->pid,
21322+ current->comm, task_pid_nr(current),
21323 cattr_name(flags),
21324 base, (unsigned long long)(base + size));
21325 return -EINVAL;
21326@@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
21327 if (want_flags != flags) {
21328 printk(KERN_WARNING
21329 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
21330- current->comm, current->pid,
21331+ current->comm, task_pid_nr(current),
21332 cattr_name(want_flags),
21333 (unsigned long long)paddr,
21334 (unsigned long long)(paddr + size),
21335@@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
21336 free_memtype(paddr, paddr + size);
21337 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
21338 " for %Lx-%Lx, got %s\n",
21339- current->comm, current->pid,
21340+ current->comm, task_pid_nr(current),
21341 cattr_name(want_flags),
21342 (unsigned long long)paddr,
21343 (unsigned long long)(paddr + size),
21344diff -urNp linux-3.0.7/arch/x86/mm/pf_in.c linux-3.0.7/arch/x86/mm/pf_in.c
21345--- linux-3.0.7/arch/x86/mm/pf_in.c 2011-07-21 22:17:23.000000000 -0400
21346+++ linux-3.0.7/arch/x86/mm/pf_in.c 2011-08-23 21:47:55.000000000 -0400
21347@@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
21348 int i;
21349 enum reason_type rv = OTHERS;
21350
21351- p = (unsigned char *)ins_addr;
21352+ p = (unsigned char *)ktla_ktva(ins_addr);
21353 p += skip_prefix(p, &prf);
21354 p += get_opcode(p, &opcode);
21355
21356@@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
21357 struct prefix_bits prf;
21358 int i;
21359
21360- p = (unsigned char *)ins_addr;
21361+ p = (unsigned char *)ktla_ktva(ins_addr);
21362 p += skip_prefix(p, &prf);
21363 p += get_opcode(p, &opcode);
21364
21365@@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
21366 struct prefix_bits prf;
21367 int i;
21368
21369- p = (unsigned char *)ins_addr;
21370+ p = (unsigned char *)ktla_ktva(ins_addr);
21371 p += skip_prefix(p, &prf);
21372 p += get_opcode(p, &opcode);
21373
21374@@ -415,7 +415,7 @@ unsigned long get_ins_reg_val(unsigned l
21375 struct prefix_bits prf;
21376 int i;
21377
21378- p = (unsigned char *)ins_addr;
21379+ p = (unsigned char *)ktla_ktva(ins_addr);
21380 p += skip_prefix(p, &prf);
21381 p += get_opcode(p, &opcode);
21382 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
21383@@ -470,7 +470,7 @@ unsigned long get_ins_imm_val(unsigned l
21384 struct prefix_bits prf;
21385 int i;
21386
21387- p = (unsigned char *)ins_addr;
21388+ p = (unsigned char *)ktla_ktva(ins_addr);
21389 p += skip_prefix(p, &prf);
21390 p += get_opcode(p, &opcode);
21391 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
21392diff -urNp linux-3.0.7/arch/x86/mm/pgtable.c linux-3.0.7/arch/x86/mm/pgtable.c
21393--- linux-3.0.7/arch/x86/mm/pgtable.c 2011-07-21 22:17:23.000000000 -0400
21394+++ linux-3.0.7/arch/x86/mm/pgtable.c 2011-08-23 21:47:55.000000000 -0400
21395@@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *p
21396 list_del(&page->lru);
21397 }
21398
21399-#define UNSHARED_PTRS_PER_PGD \
21400- (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21401+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21402+pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
21403
21404+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
21405+{
21406+ while (count--)
21407+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
21408+}
21409+#endif
21410+
21411+#ifdef CONFIG_PAX_PER_CPU_PGD
21412+void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
21413+{
21414+ while (count--)
21415+
21416+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21417+ *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
21418+#else
21419+ *dst++ = *src++;
21420+#endif
21421
21422+}
21423+#endif
21424+
21425+#ifdef CONFIG_X86_64
21426+#define pxd_t pud_t
21427+#define pyd_t pgd_t
21428+#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
21429+#define pxd_free(mm, pud) pud_free((mm), (pud))
21430+#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
21431+#define pyd_offset(mm ,address) pgd_offset((mm), (address))
21432+#define PYD_SIZE PGDIR_SIZE
21433+#else
21434+#define pxd_t pmd_t
21435+#define pyd_t pud_t
21436+#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
21437+#define pxd_free(mm, pud) pmd_free((mm), (pud))
21438+#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
21439+#define pyd_offset(mm ,address) pud_offset((mm), (address))
21440+#define PYD_SIZE PUD_SIZE
21441+#endif
21442+
21443+#ifdef CONFIG_PAX_PER_CPU_PGD
21444+static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
21445+static inline void pgd_dtor(pgd_t *pgd) {}
21446+#else
21447 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
21448 {
21449 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
21450@@ -128,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
21451 pgd_list_del(pgd);
21452 spin_unlock(&pgd_lock);
21453 }
21454+#endif
21455
21456 /*
21457 * List of all pgd's needed for non-PAE so it can invalidate entries
21458@@ -140,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
21459 * -- wli
21460 */
21461
21462-#ifdef CONFIG_X86_PAE
21463+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
21464 /*
21465 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
21466 * updating the top-level pagetable entries to guarantee the
21467@@ -152,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
21468 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
21469 * and initialize the kernel pmds here.
21470 */
21471-#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
21472+#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21473
21474 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
21475 {
21476@@ -170,36 +213,38 @@ void pud_populate(struct mm_struct *mm,
21477 */
21478 flush_tlb_mm(mm);
21479 }
21480+#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
21481+#define PREALLOCATED_PXDS USER_PGD_PTRS
21482 #else /* !CONFIG_X86_PAE */
21483
21484 /* No need to prepopulate any pagetable entries in non-PAE modes. */
21485-#define PREALLOCATED_PMDS 0
21486+#define PREALLOCATED_PXDS 0
21487
21488 #endif /* CONFIG_X86_PAE */
21489
21490-static void free_pmds(pmd_t *pmds[])
21491+static void free_pxds(pxd_t *pxds[])
21492 {
21493 int i;
21494
21495- for(i = 0; i < PREALLOCATED_PMDS; i++)
21496- if (pmds[i])
21497- free_page((unsigned long)pmds[i]);
21498+ for(i = 0; i < PREALLOCATED_PXDS; i++)
21499+ if (pxds[i])
21500+ free_page((unsigned long)pxds[i]);
21501 }
21502
21503-static int preallocate_pmds(pmd_t *pmds[])
21504+static int preallocate_pxds(pxd_t *pxds[])
21505 {
21506 int i;
21507 bool failed = false;
21508
21509- for(i = 0; i < PREALLOCATED_PMDS; i++) {
21510- pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
21511- if (pmd == NULL)
21512+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
21513+ pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
21514+ if (pxd == NULL)
21515 failed = true;
21516- pmds[i] = pmd;
21517+ pxds[i] = pxd;
21518 }
21519
21520 if (failed) {
21521- free_pmds(pmds);
21522+ free_pxds(pxds);
21523 return -ENOMEM;
21524 }
21525
21526@@ -212,51 +257,55 @@ static int preallocate_pmds(pmd_t *pmds[
21527 * preallocate which never got a corresponding vma will need to be
21528 * freed manually.
21529 */
21530-static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
21531+static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
21532 {
21533 int i;
21534
21535- for(i = 0; i < PREALLOCATED_PMDS; i++) {
21536+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
21537 pgd_t pgd = pgdp[i];
21538
21539 if (pgd_val(pgd) != 0) {
21540- pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
21541+ pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
21542
21543- pgdp[i] = native_make_pgd(0);
21544+ set_pgd(pgdp + i, native_make_pgd(0));
21545
21546- paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
21547- pmd_free(mm, pmd);
21548+ paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
21549+ pxd_free(mm, pxd);
21550 }
21551 }
21552 }
21553
21554-static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
21555+static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
21556 {
21557- pud_t *pud;
21558+ pyd_t *pyd;
21559 unsigned long addr;
21560 int i;
21561
21562- if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
21563+ if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
21564 return;
21565
21566- pud = pud_offset(pgd, 0);
21567+#ifdef CONFIG_X86_64
21568+ pyd = pyd_offset(mm, 0L);
21569+#else
21570+ pyd = pyd_offset(pgd, 0L);
21571+#endif
21572
21573- for (addr = i = 0; i < PREALLOCATED_PMDS;
21574- i++, pud++, addr += PUD_SIZE) {
21575- pmd_t *pmd = pmds[i];
21576+ for (addr = i = 0; i < PREALLOCATED_PXDS;
21577+ i++, pyd++, addr += PYD_SIZE) {
21578+ pxd_t *pxd = pxds[i];
21579
21580 if (i >= KERNEL_PGD_BOUNDARY)
21581- memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21582- sizeof(pmd_t) * PTRS_PER_PMD);
21583+ memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21584+ sizeof(pxd_t) * PTRS_PER_PMD);
21585
21586- pud_populate(mm, pud, pmd);
21587+ pyd_populate(mm, pyd, pxd);
21588 }
21589 }
21590
21591 pgd_t *pgd_alloc(struct mm_struct *mm)
21592 {
21593 pgd_t *pgd;
21594- pmd_t *pmds[PREALLOCATED_PMDS];
21595+ pxd_t *pxds[PREALLOCATED_PXDS];
21596
21597 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
21598
21599@@ -265,11 +314,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21600
21601 mm->pgd = pgd;
21602
21603- if (preallocate_pmds(pmds) != 0)
21604+ if (preallocate_pxds(pxds) != 0)
21605 goto out_free_pgd;
21606
21607 if (paravirt_pgd_alloc(mm) != 0)
21608- goto out_free_pmds;
21609+ goto out_free_pxds;
21610
21611 /*
21612 * Make sure that pre-populating the pmds is atomic with
21613@@ -279,14 +328,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21614 spin_lock(&pgd_lock);
21615
21616 pgd_ctor(mm, pgd);
21617- pgd_prepopulate_pmd(mm, pgd, pmds);
21618+ pgd_prepopulate_pxd(mm, pgd, pxds);
21619
21620 spin_unlock(&pgd_lock);
21621
21622 return pgd;
21623
21624-out_free_pmds:
21625- free_pmds(pmds);
21626+out_free_pxds:
21627+ free_pxds(pxds);
21628 out_free_pgd:
21629 free_page((unsigned long)pgd);
21630 out:
21631@@ -295,7 +344,7 @@ out:
21632
21633 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
21634 {
21635- pgd_mop_up_pmds(mm, pgd);
21636+ pgd_mop_up_pxds(mm, pgd);
21637 pgd_dtor(pgd);
21638 paravirt_pgd_free(mm, pgd);
21639 free_page((unsigned long)pgd);
21640diff -urNp linux-3.0.7/arch/x86/mm/pgtable_32.c linux-3.0.7/arch/x86/mm/pgtable_32.c
21641--- linux-3.0.7/arch/x86/mm/pgtable_32.c 2011-07-21 22:17:23.000000000 -0400
21642+++ linux-3.0.7/arch/x86/mm/pgtable_32.c 2011-08-23 21:47:55.000000000 -0400
21643@@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
21644 return;
21645 }
21646 pte = pte_offset_kernel(pmd, vaddr);
21647+
21648+ pax_open_kernel();
21649 if (pte_val(pteval))
21650 set_pte_at(&init_mm, vaddr, pte, pteval);
21651 else
21652 pte_clear(&init_mm, vaddr, pte);
21653+ pax_close_kernel();
21654
21655 /*
21656 * It's enough to flush this one mapping.
21657diff -urNp linux-3.0.7/arch/x86/mm/setup_nx.c linux-3.0.7/arch/x86/mm/setup_nx.c
21658--- linux-3.0.7/arch/x86/mm/setup_nx.c 2011-07-21 22:17:23.000000000 -0400
21659+++ linux-3.0.7/arch/x86/mm/setup_nx.c 2011-08-23 21:47:55.000000000 -0400
21660@@ -5,8 +5,10 @@
21661 #include <asm/pgtable.h>
21662 #include <asm/proto.h>
21663
21664+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21665 static int disable_nx __cpuinitdata;
21666
21667+#ifndef CONFIG_PAX_PAGEEXEC
21668 /*
21669 * noexec = on|off
21670 *
21671@@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
21672 return 0;
21673 }
21674 early_param("noexec", noexec_setup);
21675+#endif
21676+
21677+#endif
21678
21679 void __cpuinit x86_configure_nx(void)
21680 {
21681+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21682 if (cpu_has_nx && !disable_nx)
21683 __supported_pte_mask |= _PAGE_NX;
21684 else
21685+#endif
21686 __supported_pte_mask &= ~_PAGE_NX;
21687 }
21688
21689diff -urNp linux-3.0.7/arch/x86/mm/tlb.c linux-3.0.7/arch/x86/mm/tlb.c
21690--- linux-3.0.7/arch/x86/mm/tlb.c 2011-07-21 22:17:23.000000000 -0400
21691+++ linux-3.0.7/arch/x86/mm/tlb.c 2011-08-23 21:47:55.000000000 -0400
21692@@ -65,7 +65,11 @@ void leave_mm(int cpu)
21693 BUG();
21694 cpumask_clear_cpu(cpu,
21695 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
21696+
21697+#ifndef CONFIG_PAX_PER_CPU_PGD
21698 load_cr3(swapper_pg_dir);
21699+#endif
21700+
21701 }
21702 EXPORT_SYMBOL_GPL(leave_mm);
21703
21704diff -urNp linux-3.0.7/arch/x86/net/bpf_jit.S linux-3.0.7/arch/x86/net/bpf_jit.S
21705--- linux-3.0.7/arch/x86/net/bpf_jit.S 2011-07-21 22:17:23.000000000 -0400
21706+++ linux-3.0.7/arch/x86/net/bpf_jit.S 2011-10-07 19:07:28.000000000 -0400
21707@@ -9,6 +9,7 @@
21708 */
21709 #include <linux/linkage.h>
21710 #include <asm/dwarf2.h>
21711+#include <asm/alternative-asm.h>
21712
21713 /*
21714 * Calling convention :
21715@@ -35,6 +36,7 @@ sk_load_word:
21716 jle bpf_slow_path_word
21717 mov (SKBDATA,%rsi),%eax
21718 bswap %eax /* ntohl() */
21719+ pax_force_retaddr
21720 ret
21721
21722
21723@@ -53,6 +55,7 @@ sk_load_half:
21724 jle bpf_slow_path_half
21725 movzwl (SKBDATA,%rsi),%eax
21726 rol $8,%ax # ntohs()
21727+ pax_force_retaddr
21728 ret
21729
21730 sk_load_byte_ind:
21731@@ -66,6 +69,7 @@ sk_load_byte:
21732 cmp %esi,%r9d /* if (offset >= hlen) goto bpf_slow_path_byte */
21733 jle bpf_slow_path_byte
21734 movzbl (SKBDATA,%rsi),%eax
21735+ pax_force_retaddr
21736 ret
21737
21738 /**
21739@@ -82,6 +86,7 @@ ENTRY(sk_load_byte_msh)
21740 movzbl (SKBDATA,%rsi),%ebx
21741 and $15,%bl
21742 shl $2,%bl
21743+ pax_force_retaddr
21744 ret
21745 CFI_ENDPROC
21746 ENDPROC(sk_load_byte_msh)
21747@@ -91,6 +96,7 @@ bpf_error:
21748 xor %eax,%eax
21749 mov -8(%rbp),%rbx
21750 leaveq
21751+ pax_force_retaddr
21752 ret
21753
21754 /* rsi contains offset and can be scratched */
21755@@ -113,6 +119,7 @@ bpf_slow_path_word:
21756 js bpf_error
21757 mov -12(%rbp),%eax
21758 bswap %eax
21759+ pax_force_retaddr
21760 ret
21761
21762 bpf_slow_path_half:
21763@@ -121,12 +128,14 @@ bpf_slow_path_half:
21764 mov -12(%rbp),%ax
21765 rol $8,%ax
21766 movzwl %ax,%eax
21767+ pax_force_retaddr
21768 ret
21769
21770 bpf_slow_path_byte:
21771 bpf_slow_path_common(1)
21772 js bpf_error
21773 movzbl -12(%rbp),%eax
21774+ pax_force_retaddr
21775 ret
21776
21777 bpf_slow_path_byte_msh:
21778@@ -137,4 +146,5 @@ bpf_slow_path_byte_msh:
21779 and $15,%al
21780 shl $2,%al
21781 xchg %eax,%ebx
21782+ pax_force_retaddr
21783 ret
21784diff -urNp linux-3.0.7/arch/x86/net/bpf_jit_comp.c linux-3.0.7/arch/x86/net/bpf_jit_comp.c
21785--- linux-3.0.7/arch/x86/net/bpf_jit_comp.c 2011-07-21 22:17:23.000000000 -0400
21786+++ linux-3.0.7/arch/x86/net/bpf_jit_comp.c 2011-08-23 21:47:55.000000000 -0400
21787@@ -589,7 +589,9 @@ cond_branch: f_offset = addrs[i + filt
21788 module_free(NULL, image);
21789 return;
21790 }
21791+ pax_open_kernel();
21792 memcpy(image + proglen, temp, ilen);
21793+ pax_close_kernel();
21794 }
21795 proglen += ilen;
21796 addrs[i] = proglen;
21797@@ -609,7 +611,7 @@ cond_branch: f_offset = addrs[i + filt
21798 break;
21799 }
21800 if (proglen == oldproglen) {
21801- image = module_alloc(max_t(unsigned int,
21802+ image = module_alloc_exec(max_t(unsigned int,
21803 proglen,
21804 sizeof(struct work_struct)));
21805 if (!image)
21806diff -urNp linux-3.0.7/arch/x86/oprofile/backtrace.c linux-3.0.7/arch/x86/oprofile/backtrace.c
21807--- linux-3.0.7/arch/x86/oprofile/backtrace.c 2011-09-02 18:11:21.000000000 -0400
21808+++ linux-3.0.7/arch/x86/oprofile/backtrace.c 2011-10-06 04:17:55.000000000 -0400
21809@@ -83,11 +83,11 @@ dump_user_backtrace_32(struct stack_fram
21810 struct stack_frame_ia32 *fp;
21811 unsigned long bytes;
21812
21813- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
21814+ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
21815 if (bytes != sizeof(bufhead))
21816 return NULL;
21817
21818- fp = (struct stack_frame_ia32 *) compat_ptr(bufhead[0].next_frame);
21819+ fp = (struct stack_frame_ia32 __force_kernel *) compat_ptr(bufhead[0].next_frame);
21820
21821 oprofile_add_trace(bufhead[0].return_address);
21822
21823@@ -129,7 +129,7 @@ static struct stack_frame *dump_user_bac
21824 struct stack_frame bufhead[2];
21825 unsigned long bytes;
21826
21827- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
21828+ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
21829 if (bytes != sizeof(bufhead))
21830 return NULL;
21831
21832@@ -148,7 +148,7 @@ x86_backtrace(struct pt_regs * const reg
21833 {
21834 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
21835
21836- if (!user_mode_vm(regs)) {
21837+ if (!user_mode(regs)) {
21838 unsigned long stack = kernel_stack_pointer(regs);
21839 if (depth)
21840 dump_trace(NULL, regs, (unsigned long *)stack, 0,
21841diff -urNp linux-3.0.7/arch/x86/pci/mrst.c linux-3.0.7/arch/x86/pci/mrst.c
21842--- linux-3.0.7/arch/x86/pci/mrst.c 2011-07-21 22:17:23.000000000 -0400
21843+++ linux-3.0.7/arch/x86/pci/mrst.c 2011-08-23 21:47:55.000000000 -0400
21844@@ -234,7 +234,9 @@ int __init pci_mrst_init(void)
21845 printk(KERN_INFO "Moorestown platform detected, using MRST PCI ops\n");
21846 pci_mmcfg_late_init();
21847 pcibios_enable_irq = mrst_pci_irq_enable;
21848- pci_root_ops = pci_mrst_ops;
21849+ pax_open_kernel();
21850+ memcpy((void *)&pci_root_ops, &pci_mrst_ops, sizeof(pci_mrst_ops));
21851+ pax_close_kernel();
21852 /* Continue with standard init */
21853 return 1;
21854 }
21855diff -urNp linux-3.0.7/arch/x86/pci/pcbios.c linux-3.0.7/arch/x86/pci/pcbios.c
21856--- linux-3.0.7/arch/x86/pci/pcbios.c 2011-07-21 22:17:23.000000000 -0400
21857+++ linux-3.0.7/arch/x86/pci/pcbios.c 2011-08-23 21:47:55.000000000 -0400
21858@@ -79,50 +79,93 @@ union bios32 {
21859 static struct {
21860 unsigned long address;
21861 unsigned short segment;
21862-} bios32_indirect = { 0, __KERNEL_CS };
21863+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
21864
21865 /*
21866 * Returns the entry point for the given service, NULL on error
21867 */
21868
21869-static unsigned long bios32_service(unsigned long service)
21870+static unsigned long __devinit bios32_service(unsigned long service)
21871 {
21872 unsigned char return_code; /* %al */
21873 unsigned long address; /* %ebx */
21874 unsigned long length; /* %ecx */
21875 unsigned long entry; /* %edx */
21876 unsigned long flags;
21877+ struct desc_struct d, *gdt;
21878
21879 local_irq_save(flags);
21880- __asm__("lcall *(%%edi); cld"
21881+
21882+ gdt = get_cpu_gdt_table(smp_processor_id());
21883+
21884+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
21885+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
21886+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
21887+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
21888+
21889+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
21890 : "=a" (return_code),
21891 "=b" (address),
21892 "=c" (length),
21893 "=d" (entry)
21894 : "0" (service),
21895 "1" (0),
21896- "D" (&bios32_indirect));
21897+ "D" (&bios32_indirect),
21898+ "r"(__PCIBIOS_DS)
21899+ : "memory");
21900+
21901+ pax_open_kernel();
21902+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
21903+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
21904+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
21905+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
21906+ pax_close_kernel();
21907+
21908 local_irq_restore(flags);
21909
21910 switch (return_code) {
21911- case 0:
21912- return address + entry;
21913- case 0x80: /* Not present */
21914- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
21915- return 0;
21916- default: /* Shouldn't happen */
21917- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
21918- service, return_code);
21919+ case 0: {
21920+ int cpu;
21921+ unsigned char flags;
21922+
21923+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
21924+ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
21925+ printk(KERN_WARNING "bios32_service: not valid\n");
21926 return 0;
21927+ }
21928+ address = address + PAGE_OFFSET;
21929+ length += 16UL; /* some BIOSs underreport this... */
21930+ flags = 4;
21931+ if (length >= 64*1024*1024) {
21932+ length >>= PAGE_SHIFT;
21933+ flags |= 8;
21934+ }
21935+
21936+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
21937+ gdt = get_cpu_gdt_table(cpu);
21938+ pack_descriptor(&d, address, length, 0x9b, flags);
21939+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
21940+ pack_descriptor(&d, address, length, 0x93, flags);
21941+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
21942+ }
21943+ return entry;
21944+ }
21945+ case 0x80: /* Not present */
21946+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
21947+ return 0;
21948+ default: /* Shouldn't happen */
21949+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
21950+ service, return_code);
21951+ return 0;
21952 }
21953 }
21954
21955 static struct {
21956 unsigned long address;
21957 unsigned short segment;
21958-} pci_indirect = { 0, __KERNEL_CS };
21959+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
21960
21961-static int pci_bios_present;
21962+static int pci_bios_present __read_only;
21963
21964 static int __devinit check_pcibios(void)
21965 {
21966@@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
21967 unsigned long flags, pcibios_entry;
21968
21969 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
21970- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
21971+ pci_indirect.address = pcibios_entry;
21972
21973 local_irq_save(flags);
21974- __asm__(
21975- "lcall *(%%edi); cld\n\t"
21976+ __asm__("movw %w6, %%ds\n\t"
21977+ "lcall *%%ss:(%%edi); cld\n\t"
21978+ "push %%ss\n\t"
21979+ "pop %%ds\n\t"
21980 "jc 1f\n\t"
21981 "xor %%ah, %%ah\n"
21982 "1:"
21983@@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
21984 "=b" (ebx),
21985 "=c" (ecx)
21986 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
21987- "D" (&pci_indirect)
21988+ "D" (&pci_indirect),
21989+ "r" (__PCIBIOS_DS)
21990 : "memory");
21991 local_irq_restore(flags);
21992
21993@@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
21994
21995 switch (len) {
21996 case 1:
21997- __asm__("lcall *(%%esi); cld\n\t"
21998+ __asm__("movw %w6, %%ds\n\t"
21999+ "lcall *%%ss:(%%esi); cld\n\t"
22000+ "push %%ss\n\t"
22001+ "pop %%ds\n\t"
22002 "jc 1f\n\t"
22003 "xor %%ah, %%ah\n"
22004 "1:"
22005@@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
22006 : "1" (PCIBIOS_READ_CONFIG_BYTE),
22007 "b" (bx),
22008 "D" ((long)reg),
22009- "S" (&pci_indirect));
22010+ "S" (&pci_indirect),
22011+ "r" (__PCIBIOS_DS));
22012 /*
22013 * Zero-extend the result beyond 8 bits, do not trust the
22014 * BIOS having done it:
22015@@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
22016 *value &= 0xff;
22017 break;
22018 case 2:
22019- __asm__("lcall *(%%esi); cld\n\t"
22020+ __asm__("movw %w6, %%ds\n\t"
22021+ "lcall *%%ss:(%%esi); cld\n\t"
22022+ "push %%ss\n\t"
22023+ "pop %%ds\n\t"
22024 "jc 1f\n\t"
22025 "xor %%ah, %%ah\n"
22026 "1:"
22027@@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
22028 : "1" (PCIBIOS_READ_CONFIG_WORD),
22029 "b" (bx),
22030 "D" ((long)reg),
22031- "S" (&pci_indirect));
22032+ "S" (&pci_indirect),
22033+ "r" (__PCIBIOS_DS));
22034 /*
22035 * Zero-extend the result beyond 16 bits, do not trust the
22036 * BIOS having done it:
22037@@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
22038 *value &= 0xffff;
22039 break;
22040 case 4:
22041- __asm__("lcall *(%%esi); cld\n\t"
22042+ __asm__("movw %w6, %%ds\n\t"
22043+ "lcall *%%ss:(%%esi); cld\n\t"
22044+ "push %%ss\n\t"
22045+ "pop %%ds\n\t"
22046 "jc 1f\n\t"
22047 "xor %%ah, %%ah\n"
22048 "1:"
22049@@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
22050 : "1" (PCIBIOS_READ_CONFIG_DWORD),
22051 "b" (bx),
22052 "D" ((long)reg),
22053- "S" (&pci_indirect));
22054+ "S" (&pci_indirect),
22055+ "r" (__PCIBIOS_DS));
22056 break;
22057 }
22058
22059@@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
22060
22061 switch (len) {
22062 case 1:
22063- __asm__("lcall *(%%esi); cld\n\t"
22064+ __asm__("movw %w6, %%ds\n\t"
22065+ "lcall *%%ss:(%%esi); cld\n\t"
22066+ "push %%ss\n\t"
22067+ "pop %%ds\n\t"
22068 "jc 1f\n\t"
22069 "xor %%ah, %%ah\n"
22070 "1:"
22071@@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
22072 "c" (value),
22073 "b" (bx),
22074 "D" ((long)reg),
22075- "S" (&pci_indirect));
22076+ "S" (&pci_indirect),
22077+ "r" (__PCIBIOS_DS));
22078 break;
22079 case 2:
22080- __asm__("lcall *(%%esi); cld\n\t"
22081+ __asm__("movw %w6, %%ds\n\t"
22082+ "lcall *%%ss:(%%esi); cld\n\t"
22083+ "push %%ss\n\t"
22084+ "pop %%ds\n\t"
22085 "jc 1f\n\t"
22086 "xor %%ah, %%ah\n"
22087 "1:"
22088@@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
22089 "c" (value),
22090 "b" (bx),
22091 "D" ((long)reg),
22092- "S" (&pci_indirect));
22093+ "S" (&pci_indirect),
22094+ "r" (__PCIBIOS_DS));
22095 break;
22096 case 4:
22097- __asm__("lcall *(%%esi); cld\n\t"
22098+ __asm__("movw %w6, %%ds\n\t"
22099+ "lcall *%%ss:(%%esi); cld\n\t"
22100+ "push %%ss\n\t"
22101+ "pop %%ds\n\t"
22102 "jc 1f\n\t"
22103 "xor %%ah, %%ah\n"
22104 "1:"
22105@@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
22106 "c" (value),
22107 "b" (bx),
22108 "D" ((long)reg),
22109- "S" (&pci_indirect));
22110+ "S" (&pci_indirect),
22111+ "r" (__PCIBIOS_DS));
22112 break;
22113 }
22114
22115@@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
22116
22117 DBG("PCI: Fetching IRQ routing table... ");
22118 __asm__("push %%es\n\t"
22119+ "movw %w8, %%ds\n\t"
22120 "push %%ds\n\t"
22121 "pop %%es\n\t"
22122- "lcall *(%%esi); cld\n\t"
22123+ "lcall *%%ss:(%%esi); cld\n\t"
22124 "pop %%es\n\t"
22125+ "push %%ss\n\t"
22126+ "pop %%ds\n"
22127 "jc 1f\n\t"
22128 "xor %%ah, %%ah\n"
22129 "1:"
22130@@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
22131 "1" (0),
22132 "D" ((long) &opt),
22133 "S" (&pci_indirect),
22134- "m" (opt)
22135+ "m" (opt),
22136+ "r" (__PCIBIOS_DS)
22137 : "memory");
22138 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
22139 if (ret & 0xff00)
22140@@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
22141 {
22142 int ret;
22143
22144- __asm__("lcall *(%%esi); cld\n\t"
22145+ __asm__("movw %w5, %%ds\n\t"
22146+ "lcall *%%ss:(%%esi); cld\n\t"
22147+ "push %%ss\n\t"
22148+ "pop %%ds\n"
22149 "jc 1f\n\t"
22150 "xor %%ah, %%ah\n"
22151 "1:"
22152@@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
22153 : "0" (PCIBIOS_SET_PCI_HW_INT),
22154 "b" ((dev->bus->number << 8) | dev->devfn),
22155 "c" ((irq << 8) | (pin + 10)),
22156- "S" (&pci_indirect));
22157+ "S" (&pci_indirect),
22158+ "r" (__PCIBIOS_DS));
22159 return !(ret & 0xff00);
22160 }
22161 EXPORT_SYMBOL(pcibios_set_irq_routing);
22162diff -urNp linux-3.0.7/arch/x86/platform/efi/efi_32.c linux-3.0.7/arch/x86/platform/efi/efi_32.c
22163--- linux-3.0.7/arch/x86/platform/efi/efi_32.c 2011-07-21 22:17:23.000000000 -0400
22164+++ linux-3.0.7/arch/x86/platform/efi/efi_32.c 2011-10-06 04:17:55.000000000 -0400
22165@@ -38,70 +38,56 @@
22166 */
22167
22168 static unsigned long efi_rt_eflags;
22169-static pgd_t efi_bak_pg_dir_pointer[2];
22170+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
22171
22172-void efi_call_phys_prelog(void)
22173+void __init efi_call_phys_prelog(void)
22174 {
22175- unsigned long cr4;
22176- unsigned long temp;
22177 struct desc_ptr gdt_descr;
22178
22179- local_irq_save(efi_rt_eflags);
22180+#ifdef CONFIG_PAX_KERNEXEC
22181+ struct desc_struct d;
22182+#endif
22183
22184- /*
22185- * If I don't have PAE, I should just duplicate two entries in page
22186- * directory. If I have PAE, I just need to duplicate one entry in
22187- * page directory.
22188- */
22189- cr4 = read_cr4_safe();
22190+ local_irq_save(efi_rt_eflags);
22191
22192- if (cr4 & X86_CR4_PAE) {
22193- efi_bak_pg_dir_pointer[0].pgd =
22194- swapper_pg_dir[pgd_index(0)].pgd;
22195- swapper_pg_dir[0].pgd =
22196- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
22197- } else {
22198- efi_bak_pg_dir_pointer[0].pgd =
22199- swapper_pg_dir[pgd_index(0)].pgd;
22200- efi_bak_pg_dir_pointer[1].pgd =
22201- swapper_pg_dir[pgd_index(0x400000)].pgd;
22202- swapper_pg_dir[pgd_index(0)].pgd =
22203- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
22204- temp = PAGE_OFFSET + 0x400000;
22205- swapper_pg_dir[pgd_index(0x400000)].pgd =
22206- swapper_pg_dir[pgd_index(temp)].pgd;
22207- }
22208+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
22209+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22210+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
22211
22212 /*
22213 * After the lock is released, the original page table is restored.
22214 */
22215 __flush_tlb_all();
22216
22217+#ifdef CONFIG_PAX_KERNEXEC
22218+ pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
22219+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
22220+ pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
22221+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
22222+#endif
22223+
22224 gdt_descr.address = __pa(get_cpu_gdt_table(0));
22225 gdt_descr.size = GDT_SIZE - 1;
22226 load_gdt(&gdt_descr);
22227 }
22228
22229-void efi_call_phys_epilog(void)
22230+void __init efi_call_phys_epilog(void)
22231 {
22232- unsigned long cr4;
22233 struct desc_ptr gdt_descr;
22234
22235+#ifdef CONFIG_PAX_KERNEXEC
22236+ struct desc_struct d;
22237+
22238+ memset(&d, 0, sizeof d);
22239+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
22240+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
22241+#endif
22242+
22243 gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
22244 gdt_descr.size = GDT_SIZE - 1;
22245 load_gdt(&gdt_descr);
22246
22247- cr4 = read_cr4_safe();
22248-
22249- if (cr4 & X86_CR4_PAE) {
22250- swapper_pg_dir[pgd_index(0)].pgd =
22251- efi_bak_pg_dir_pointer[0].pgd;
22252- } else {
22253- swapper_pg_dir[pgd_index(0)].pgd =
22254- efi_bak_pg_dir_pointer[0].pgd;
22255- swapper_pg_dir[pgd_index(0x400000)].pgd =
22256- efi_bak_pg_dir_pointer[1].pgd;
22257- }
22258+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
22259
22260 /*
22261 * After the lock is released, the original page table is restored.
22262diff -urNp linux-3.0.7/arch/x86/platform/efi/efi_stub_32.S linux-3.0.7/arch/x86/platform/efi/efi_stub_32.S
22263--- linux-3.0.7/arch/x86/platform/efi/efi_stub_32.S 2011-07-21 22:17:23.000000000 -0400
22264+++ linux-3.0.7/arch/x86/platform/efi/efi_stub_32.S 2011-09-19 09:16:58.000000000 -0400
22265@@ -6,7 +6,9 @@
22266 */
22267
22268 #include <linux/linkage.h>
22269+#include <linux/init.h>
22270 #include <asm/page_types.h>
22271+#include <asm/segment.h>
22272
22273 /*
22274 * efi_call_phys(void *, ...) is a function with variable parameters.
22275@@ -20,7 +22,7 @@
22276 * service functions will comply with gcc calling convention, too.
22277 */
22278
22279-.text
22280+__INIT
22281 ENTRY(efi_call_phys)
22282 /*
22283 * 0. The function can only be called in Linux kernel. So CS has been
22284@@ -36,9 +38,11 @@ ENTRY(efi_call_phys)
22285 * The mapping of lower virtual memory has been created in prelog and
22286 * epilog.
22287 */
22288- movl $1f, %edx
22289- subl $__PAGE_OFFSET, %edx
22290- jmp *%edx
22291+ movl $(__KERNEXEC_EFI_DS), %edx
22292+ mov %edx, %ds
22293+ mov %edx, %es
22294+ mov %edx, %ss
22295+ ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET
22296 1:
22297
22298 /*
22299@@ -47,14 +51,8 @@ ENTRY(efi_call_phys)
22300 * parameter 2, ..., param n. To make things easy, we save the return
22301 * address of efi_call_phys in a global variable.
22302 */
22303- popl %edx
22304- movl %edx, saved_return_addr
22305- /* get the function pointer into ECX*/
22306- popl %ecx
22307- movl %ecx, efi_rt_function_ptr
22308- movl $2f, %edx
22309- subl $__PAGE_OFFSET, %edx
22310- pushl %edx
22311+ popl (saved_return_addr)
22312+ popl (efi_rt_function_ptr)
22313
22314 /*
22315 * 3. Clear PG bit in %CR0.
22316@@ -73,9 +71,8 @@ ENTRY(efi_call_phys)
22317 /*
22318 * 5. Call the physical function.
22319 */
22320- jmp *%ecx
22321+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
22322
22323-2:
22324 /*
22325 * 6. After EFI runtime service returns, control will return to
22326 * following instruction. We'd better readjust stack pointer first.
22327@@ -88,35 +85,32 @@ ENTRY(efi_call_phys)
22328 movl %cr0, %edx
22329 orl $0x80000000, %edx
22330 movl %edx, %cr0
22331- jmp 1f
22332-1:
22333+
22334 /*
22335 * 8. Now restore the virtual mode from flat mode by
22336 * adding EIP with PAGE_OFFSET.
22337 */
22338- movl $1f, %edx
22339- jmp *%edx
22340+ ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET
22341 1:
22342+ movl $(__KERNEL_DS), %edx
22343+ mov %edx, %ds
22344+ mov %edx, %es
22345+ mov %edx, %ss
22346
22347 /*
22348 * 9. Balance the stack. And because EAX contain the return value,
22349 * we'd better not clobber it.
22350 */
22351- leal efi_rt_function_ptr, %edx
22352- movl (%edx), %ecx
22353- pushl %ecx
22354+ pushl (efi_rt_function_ptr)
22355
22356 /*
22357- * 10. Push the saved return address onto the stack and return.
22358+ * 10. Return to the saved return address.
22359 */
22360- leal saved_return_addr, %edx
22361- movl (%edx), %ecx
22362- pushl %ecx
22363- ret
22364+ jmpl *(saved_return_addr)
22365 ENDPROC(efi_call_phys)
22366 .previous
22367
22368-.data
22369+__INITDATA
22370 saved_return_addr:
22371 .long 0
22372 efi_rt_function_ptr:
22373diff -urNp linux-3.0.7/arch/x86/platform/efi/efi_stub_64.S linux-3.0.7/arch/x86/platform/efi/efi_stub_64.S
22374--- linux-3.0.7/arch/x86/platform/efi/efi_stub_64.S 2011-07-21 22:17:23.000000000 -0400
22375+++ linux-3.0.7/arch/x86/platform/efi/efi_stub_64.S 2011-10-06 04:17:55.000000000 -0400
22376@@ -7,6 +7,7 @@
22377 */
22378
22379 #include <linux/linkage.h>
22380+#include <asm/alternative-asm.h>
22381
22382 #define SAVE_XMM \
22383 mov %rsp, %rax; \
22384@@ -40,6 +41,7 @@ ENTRY(efi_call0)
22385 call *%rdi
22386 addq $32, %rsp
22387 RESTORE_XMM
22388+ pax_force_retaddr
22389 ret
22390 ENDPROC(efi_call0)
22391
22392@@ -50,6 +52,7 @@ ENTRY(efi_call1)
22393 call *%rdi
22394 addq $32, %rsp
22395 RESTORE_XMM
22396+ pax_force_retaddr
22397 ret
22398 ENDPROC(efi_call1)
22399
22400@@ -60,6 +63,7 @@ ENTRY(efi_call2)
22401 call *%rdi
22402 addq $32, %rsp
22403 RESTORE_XMM
22404+ pax_force_retaddr
22405 ret
22406 ENDPROC(efi_call2)
22407
22408@@ -71,6 +75,7 @@ ENTRY(efi_call3)
22409 call *%rdi
22410 addq $32, %rsp
22411 RESTORE_XMM
22412+ pax_force_retaddr
22413 ret
22414 ENDPROC(efi_call3)
22415
22416@@ -83,6 +88,7 @@ ENTRY(efi_call4)
22417 call *%rdi
22418 addq $32, %rsp
22419 RESTORE_XMM
22420+ pax_force_retaddr
22421 ret
22422 ENDPROC(efi_call4)
22423
22424@@ -96,6 +102,7 @@ ENTRY(efi_call5)
22425 call *%rdi
22426 addq $48, %rsp
22427 RESTORE_XMM
22428+ pax_force_retaddr
22429 ret
22430 ENDPROC(efi_call5)
22431
22432@@ -112,5 +119,6 @@ ENTRY(efi_call6)
22433 call *%rdi
22434 addq $48, %rsp
22435 RESTORE_XMM
22436+ pax_force_retaddr
22437 ret
22438 ENDPROC(efi_call6)
22439diff -urNp linux-3.0.7/arch/x86/platform/mrst/mrst.c linux-3.0.7/arch/x86/platform/mrst/mrst.c
22440--- linux-3.0.7/arch/x86/platform/mrst/mrst.c 2011-07-21 22:17:23.000000000 -0400
22441+++ linux-3.0.7/arch/x86/platform/mrst/mrst.c 2011-08-23 21:47:55.000000000 -0400
22442@@ -239,14 +239,16 @@ static int mrst_i8042_detect(void)
22443 }
22444
22445 /* Reboot and power off are handled by the SCU on a MID device */
22446-static void mrst_power_off(void)
22447+static __noreturn void mrst_power_off(void)
22448 {
22449 intel_scu_ipc_simple_command(0xf1, 1);
22450+ BUG();
22451 }
22452
22453-static void mrst_reboot(void)
22454+static __noreturn void mrst_reboot(void)
22455 {
22456 intel_scu_ipc_simple_command(0xf1, 0);
22457+ BUG();
22458 }
22459
22460 /*
22461diff -urNp linux-3.0.7/arch/x86/platform/uv/tlb_uv.c linux-3.0.7/arch/x86/platform/uv/tlb_uv.c
22462--- linux-3.0.7/arch/x86/platform/uv/tlb_uv.c 2011-07-21 22:17:23.000000000 -0400
22463+++ linux-3.0.7/arch/x86/platform/uv/tlb_uv.c 2011-08-23 21:48:14.000000000 -0400
22464@@ -373,6 +373,8 @@ static void reset_with_ipi(struct bau_ta
22465 cpumask_t mask;
22466 struct reset_args reset_args;
22467
22468+ pax_track_stack();
22469+
22470 reset_args.sender = sender;
22471 cpus_clear(mask);
22472 /* find a single cpu for each uvhub in this distribution mask */
22473diff -urNp linux-3.0.7/arch/x86/power/cpu.c linux-3.0.7/arch/x86/power/cpu.c
22474--- linux-3.0.7/arch/x86/power/cpu.c 2011-07-21 22:17:23.000000000 -0400
22475+++ linux-3.0.7/arch/x86/power/cpu.c 2011-08-23 21:47:55.000000000 -0400
22476@@ -130,7 +130,7 @@ static void do_fpu_end(void)
22477 static void fix_processor_context(void)
22478 {
22479 int cpu = smp_processor_id();
22480- struct tss_struct *t = &per_cpu(init_tss, cpu);
22481+ struct tss_struct *t = init_tss + cpu;
22482
22483 set_tss_desc(cpu, t); /*
22484 * This just modifies memory; should not be
22485@@ -140,7 +140,9 @@ static void fix_processor_context(void)
22486 */
22487
22488 #ifdef CONFIG_X86_64
22489+ pax_open_kernel();
22490 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
22491+ pax_close_kernel();
22492
22493 syscall_init(); /* This sets MSR_*STAR and related */
22494 #endif
22495diff -urNp linux-3.0.7/arch/x86/vdso/Makefile linux-3.0.7/arch/x86/vdso/Makefile
22496--- linux-3.0.7/arch/x86/vdso/Makefile 2011-07-21 22:17:23.000000000 -0400
22497+++ linux-3.0.7/arch/x86/vdso/Makefile 2011-08-23 21:47:55.000000000 -0400
22498@@ -136,7 +136,7 @@ quiet_cmd_vdso = VDSO $@
22499 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
22500 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
22501
22502-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
22503+VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
22504 GCOV_PROFILE := n
22505
22506 #
22507diff -urNp linux-3.0.7/arch/x86/vdso/vdso32-setup.c linux-3.0.7/arch/x86/vdso/vdso32-setup.c
22508--- linux-3.0.7/arch/x86/vdso/vdso32-setup.c 2011-07-21 22:17:23.000000000 -0400
22509+++ linux-3.0.7/arch/x86/vdso/vdso32-setup.c 2011-08-23 21:47:55.000000000 -0400
22510@@ -25,6 +25,7 @@
22511 #include <asm/tlbflush.h>
22512 #include <asm/vdso.h>
22513 #include <asm/proto.h>
22514+#include <asm/mman.h>
22515
22516 enum {
22517 VDSO_DISABLED = 0,
22518@@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
22519 void enable_sep_cpu(void)
22520 {
22521 int cpu = get_cpu();
22522- struct tss_struct *tss = &per_cpu(init_tss, cpu);
22523+ struct tss_struct *tss = init_tss + cpu;
22524
22525 if (!boot_cpu_has(X86_FEATURE_SEP)) {
22526 put_cpu();
22527@@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
22528 gate_vma.vm_start = FIXADDR_USER_START;
22529 gate_vma.vm_end = FIXADDR_USER_END;
22530 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
22531- gate_vma.vm_page_prot = __P101;
22532+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
22533 /*
22534 * Make sure the vDSO gets into every core dump.
22535 * Dumping its contents makes post-mortem fully interpretable later
22536@@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
22537 if (compat)
22538 addr = VDSO_HIGH_BASE;
22539 else {
22540- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
22541+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
22542 if (IS_ERR_VALUE(addr)) {
22543 ret = addr;
22544 goto up_fail;
22545 }
22546 }
22547
22548- current->mm->context.vdso = (void *)addr;
22549+ current->mm->context.vdso = addr;
22550
22551 if (compat_uses_vma || !compat) {
22552 /*
22553@@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
22554 }
22555
22556 current_thread_info()->sysenter_return =
22557- VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22558+ (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22559
22560 up_fail:
22561 if (ret)
22562- current->mm->context.vdso = NULL;
22563+ current->mm->context.vdso = 0;
22564
22565 up_write(&mm->mmap_sem);
22566
22567@@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
22568
22569 const char *arch_vma_name(struct vm_area_struct *vma)
22570 {
22571- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22572+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22573 return "[vdso]";
22574+
22575+#ifdef CONFIG_PAX_SEGMEXEC
22576+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
22577+ return "[vdso]";
22578+#endif
22579+
22580 return NULL;
22581 }
22582
22583@@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
22584 * Check to see if the corresponding task was created in compat vdso
22585 * mode.
22586 */
22587- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
22588+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
22589 return &gate_vma;
22590 return NULL;
22591 }
22592diff -urNp linux-3.0.7/arch/x86/vdso/vma.c linux-3.0.7/arch/x86/vdso/vma.c
22593--- linux-3.0.7/arch/x86/vdso/vma.c 2011-07-21 22:17:23.000000000 -0400
22594+++ linux-3.0.7/arch/x86/vdso/vma.c 2011-08-23 21:47:55.000000000 -0400
22595@@ -15,18 +15,19 @@
22596 #include <asm/proto.h>
22597 #include <asm/vdso.h>
22598
22599-unsigned int __read_mostly vdso_enabled = 1;
22600-
22601 extern char vdso_start[], vdso_end[];
22602 extern unsigned short vdso_sync_cpuid;
22603+extern char __vsyscall_0;
22604
22605 static struct page **vdso_pages;
22606+static struct page *vsyscall_page;
22607 static unsigned vdso_size;
22608
22609 static int __init init_vdso_vars(void)
22610 {
22611- int npages = (vdso_end - vdso_start + PAGE_SIZE - 1) / PAGE_SIZE;
22612- int i;
22613+ size_t nbytes = vdso_end - vdso_start;
22614+ size_t npages = (nbytes + PAGE_SIZE - 1) / PAGE_SIZE;
22615+ size_t i;
22616
22617 vdso_size = npages << PAGE_SHIFT;
22618 vdso_pages = kmalloc(sizeof(struct page *) * npages, GFP_KERNEL);
22619@@ -34,19 +35,19 @@ static int __init init_vdso_vars(void)
22620 goto oom;
22621 for (i = 0; i < npages; i++) {
22622 struct page *p;
22623- p = alloc_page(GFP_KERNEL);
22624+ p = alloc_page(GFP_KERNEL | __GFP_ZERO);
22625 if (!p)
22626 goto oom;
22627 vdso_pages[i] = p;
22628- copy_page(page_address(p), vdso_start + i*PAGE_SIZE);
22629+ memcpy(page_address(p), vdso_start + i*PAGE_SIZE, nbytes > PAGE_SIZE ? PAGE_SIZE : nbytes);
22630+ nbytes -= PAGE_SIZE;
22631 }
22632+ vsyscall_page = pfn_to_page((__pa_symbol(&__vsyscall_0)) >> PAGE_SHIFT);
22633
22634 return 0;
22635
22636 oom:
22637- printk("Cannot allocate vdso\n");
22638- vdso_enabled = 0;
22639- return -ENOMEM;
22640+ panic("Cannot allocate vdso\n");
22641 }
22642 subsys_initcall(init_vdso_vars);
22643
22644@@ -80,37 +81,35 @@ int arch_setup_additional_pages(struct l
22645 unsigned long addr;
22646 int ret;
22647
22648- if (!vdso_enabled)
22649- return 0;
22650-
22651 down_write(&mm->mmap_sem);
22652- addr = vdso_addr(mm->start_stack, vdso_size);
22653- addr = get_unmapped_area(NULL, addr, vdso_size, 0, 0);
22654+ addr = vdso_addr(mm->start_stack, vdso_size + PAGE_SIZE);
22655+ addr = get_unmapped_area(NULL, addr, vdso_size + PAGE_SIZE, 0, 0);
22656 if (IS_ERR_VALUE(addr)) {
22657 ret = addr;
22658 goto up_fail;
22659 }
22660
22661- current->mm->context.vdso = (void *)addr;
22662+ mm->context.vdso = addr + PAGE_SIZE;
22663
22664- ret = install_special_mapping(mm, addr, vdso_size,
22665+ ret = install_special_mapping(mm, addr, PAGE_SIZE,
22666 VM_READ|VM_EXEC|
22667- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC|
22668+ VM_MAYREAD|VM_MAYEXEC|
22669 VM_ALWAYSDUMP,
22670- vdso_pages);
22671+ &vsyscall_page);
22672 if (ret) {
22673- current->mm->context.vdso = NULL;
22674+ mm->context.vdso = 0;
22675 goto up_fail;
22676 }
22677
22678+ ret = install_special_mapping(mm, addr + PAGE_SIZE, vdso_size,
22679+ VM_READ|VM_EXEC|
22680+ VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC|
22681+ VM_ALWAYSDUMP,
22682+ vdso_pages);
22683+ if (ret)
22684+ mm->context.vdso = 0;
22685+
22686 up_fail:
22687 up_write(&mm->mmap_sem);
22688 return ret;
22689 }
22690-
22691-static __init int vdso_setup(char *s)
22692-{
22693- vdso_enabled = simple_strtoul(s, NULL, 0);
22694- return 0;
22695-}
22696-__setup("vdso=", vdso_setup);
22697diff -urNp linux-3.0.7/arch/x86/xen/enlighten.c linux-3.0.7/arch/x86/xen/enlighten.c
22698--- linux-3.0.7/arch/x86/xen/enlighten.c 2011-09-02 18:11:26.000000000 -0400
22699+++ linux-3.0.7/arch/x86/xen/enlighten.c 2011-08-29 23:26:21.000000000 -0400
22700@@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
22701
22702 struct shared_info xen_dummy_shared_info;
22703
22704-void *xen_initial_gdt;
22705-
22706 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
22707 __read_mostly int xen_have_vector_callback;
22708 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
22709@@ -1010,7 +1008,7 @@ static const struct pv_apic_ops xen_apic
22710 #endif
22711 };
22712
22713-static void xen_reboot(int reason)
22714+static __noreturn void xen_reboot(int reason)
22715 {
22716 struct sched_shutdown r = { .reason = reason };
22717
22718@@ -1018,17 +1016,17 @@ static void xen_reboot(int reason)
22719 BUG();
22720 }
22721
22722-static void xen_restart(char *msg)
22723+static __noreturn void xen_restart(char *msg)
22724 {
22725 xen_reboot(SHUTDOWN_reboot);
22726 }
22727
22728-static void xen_emergency_restart(void)
22729+static __noreturn void xen_emergency_restart(void)
22730 {
22731 xen_reboot(SHUTDOWN_reboot);
22732 }
22733
22734-static void xen_machine_halt(void)
22735+static __noreturn void xen_machine_halt(void)
22736 {
22737 xen_reboot(SHUTDOWN_poweroff);
22738 }
22739@@ -1134,7 +1132,17 @@ asmlinkage void __init xen_start_kernel(
22740 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
22741
22742 /* Work out if we support NX */
22743- x86_configure_nx();
22744+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
22745+ if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
22746+ (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
22747+ unsigned l, h;
22748+
22749+ __supported_pte_mask |= _PAGE_NX;
22750+ rdmsr(MSR_EFER, l, h);
22751+ l |= EFER_NX;
22752+ wrmsr(MSR_EFER, l, h);
22753+ }
22754+#endif
22755
22756 xen_setup_features();
22757
22758@@ -1165,13 +1173,6 @@ asmlinkage void __init xen_start_kernel(
22759
22760 machine_ops = xen_machine_ops;
22761
22762- /*
22763- * The only reliable way to retain the initial address of the
22764- * percpu gdt_page is to remember it here, so we can go and
22765- * mark it RW later, when the initial percpu area is freed.
22766- */
22767- xen_initial_gdt = &per_cpu(gdt_page, 0);
22768-
22769 xen_smp_init();
22770
22771 #ifdef CONFIG_ACPI_NUMA
22772diff -urNp linux-3.0.7/arch/x86/xen/mmu.c linux-3.0.7/arch/x86/xen/mmu.c
22773--- linux-3.0.7/arch/x86/xen/mmu.c 2011-09-02 18:11:26.000000000 -0400
22774+++ linux-3.0.7/arch/x86/xen/mmu.c 2011-08-29 23:26:21.000000000 -0400
22775@@ -1683,6 +1683,8 @@ pgd_t * __init xen_setup_kernel_pagetabl
22776 convert_pfn_mfn(init_level4_pgt);
22777 convert_pfn_mfn(level3_ident_pgt);
22778 convert_pfn_mfn(level3_kernel_pgt);
22779+ convert_pfn_mfn(level3_vmalloc_pgt);
22780+ convert_pfn_mfn(level3_vmemmap_pgt);
22781
22782 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
22783 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
22784@@ -1701,7 +1703,10 @@ pgd_t * __init xen_setup_kernel_pagetabl
22785 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
22786 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
22787 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
22788+ set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
22789+ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
22790 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
22791+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
22792 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
22793 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
22794
22795@@ -1913,6 +1918,7 @@ static void __init xen_post_allocator_in
22796 pv_mmu_ops.set_pud = xen_set_pud;
22797 #if PAGETABLE_LEVELS == 4
22798 pv_mmu_ops.set_pgd = xen_set_pgd;
22799+ pv_mmu_ops.set_pgd_batched = xen_set_pgd;
22800 #endif
22801
22802 /* This will work as long as patching hasn't happened yet
22803@@ -1994,6 +2000,7 @@ static const struct pv_mmu_ops xen_mmu_o
22804 .pud_val = PV_CALLEE_SAVE(xen_pud_val),
22805 .make_pud = PV_CALLEE_SAVE(xen_make_pud),
22806 .set_pgd = xen_set_pgd_hyper,
22807+ .set_pgd_batched = xen_set_pgd_hyper,
22808
22809 .alloc_pud = xen_alloc_pmd_init,
22810 .release_pud = xen_release_pmd_init,
22811diff -urNp linux-3.0.7/arch/x86/xen/smp.c linux-3.0.7/arch/x86/xen/smp.c
22812--- linux-3.0.7/arch/x86/xen/smp.c 2011-10-16 21:54:53.000000000 -0400
22813+++ linux-3.0.7/arch/x86/xen/smp.c 2011-10-16 21:55:27.000000000 -0400
22814@@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
22815 {
22816 BUG_ON(smp_processor_id() != 0);
22817 native_smp_prepare_boot_cpu();
22818-
22819- /* We've switched to the "real" per-cpu gdt, so make sure the
22820- old memory can be recycled */
22821- make_lowmem_page_readwrite(xen_initial_gdt);
22822-
22823 xen_filter_cpu_maps();
22824 xen_setup_vcpu_info_placement();
22825 }
22826@@ -275,12 +270,12 @@ cpu_initialize_context(unsigned int cpu,
22827 gdt = get_cpu_gdt_table(cpu);
22828
22829 ctxt->flags = VGCF_IN_KERNEL;
22830- ctxt->user_regs.ds = __USER_DS;
22831- ctxt->user_regs.es = __USER_DS;
22832+ ctxt->user_regs.ds = __KERNEL_DS;
22833+ ctxt->user_regs.es = __KERNEL_DS;
22834 ctxt->user_regs.ss = __KERNEL_DS;
22835 #ifdef CONFIG_X86_32
22836 ctxt->user_regs.fs = __KERNEL_PERCPU;
22837- ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
22838+ savesegment(gs, ctxt->user_regs.gs);
22839 #else
22840 ctxt->gs_base_kernel = per_cpu_offset(cpu);
22841 #endif
22842@@ -331,13 +326,12 @@ static int __cpuinit xen_cpu_up(unsigned
22843 int rc;
22844
22845 per_cpu(current_task, cpu) = idle;
22846+ per_cpu(current_tinfo, cpu) = &idle->tinfo;
22847 #ifdef CONFIG_X86_32
22848 irq_ctx_init(cpu);
22849 #else
22850 clear_tsk_thread_flag(idle, TIF_FORK);
22851- per_cpu(kernel_stack, cpu) =
22852- (unsigned long)task_stack_page(idle) -
22853- KERNEL_STACK_OFFSET + THREAD_SIZE;
22854+ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
22855 #endif
22856 xen_setup_runstate_info(cpu);
22857 xen_setup_timer(cpu);
22858diff -urNp linux-3.0.7/arch/x86/xen/xen-asm_32.S linux-3.0.7/arch/x86/xen/xen-asm_32.S
22859--- linux-3.0.7/arch/x86/xen/xen-asm_32.S 2011-10-16 21:54:53.000000000 -0400
22860+++ linux-3.0.7/arch/x86/xen/xen-asm_32.S 2011-10-16 21:55:27.000000000 -0400
22861@@ -83,14 +83,14 @@ ENTRY(xen_iret)
22862 ESP_OFFSET=4 # bytes pushed onto stack
22863
22864 /*
22865- * Store vcpu_info pointer for easy access. Do it this way to
22866- * avoid having to reload %fs
22867+ * Store vcpu_info pointer for easy access.
22868 */
22869 #ifdef CONFIG_SMP
22870- GET_THREAD_INFO(%eax)
22871- movl TI_cpu(%eax), %eax
22872- movl __per_cpu_offset(,%eax,4), %eax
22873- mov xen_vcpu(%eax), %eax
22874+ push %fs
22875+ mov $(__KERNEL_PERCPU), %eax
22876+ mov %eax, %fs
22877+ mov PER_CPU_VAR(xen_vcpu), %eax
22878+ pop %fs
22879 #else
22880 movl xen_vcpu, %eax
22881 #endif
22882diff -urNp linux-3.0.7/arch/x86/xen/xen-head.S linux-3.0.7/arch/x86/xen/xen-head.S
22883--- linux-3.0.7/arch/x86/xen/xen-head.S 2011-07-21 22:17:23.000000000 -0400
22884+++ linux-3.0.7/arch/x86/xen/xen-head.S 2011-08-23 21:47:55.000000000 -0400
22885@@ -19,6 +19,17 @@ ENTRY(startup_xen)
22886 #ifdef CONFIG_X86_32
22887 mov %esi,xen_start_info
22888 mov $init_thread_union+THREAD_SIZE,%esp
22889+#ifdef CONFIG_SMP
22890+ movl $cpu_gdt_table,%edi
22891+ movl $__per_cpu_load,%eax
22892+ movw %ax,__KERNEL_PERCPU + 2(%edi)
22893+ rorl $16,%eax
22894+ movb %al,__KERNEL_PERCPU + 4(%edi)
22895+ movb %ah,__KERNEL_PERCPU + 7(%edi)
22896+ movl $__per_cpu_end - 1,%eax
22897+ subl $__per_cpu_start,%eax
22898+ movw %ax,__KERNEL_PERCPU + 0(%edi)
22899+#endif
22900 #else
22901 mov %rsi,xen_start_info
22902 mov $init_thread_union+THREAD_SIZE,%rsp
22903diff -urNp linux-3.0.7/arch/x86/xen/xen-ops.h linux-3.0.7/arch/x86/xen/xen-ops.h
22904--- linux-3.0.7/arch/x86/xen/xen-ops.h 2011-09-02 18:11:21.000000000 -0400
22905+++ linux-3.0.7/arch/x86/xen/xen-ops.h 2011-08-23 21:47:55.000000000 -0400
22906@@ -10,8 +10,6 @@
22907 extern const char xen_hypervisor_callback[];
22908 extern const char xen_failsafe_callback[];
22909
22910-extern void *xen_initial_gdt;
22911-
22912 struct trap_info;
22913 void xen_copy_trap_info(struct trap_info *traps);
22914
22915diff -urNp linux-3.0.7/block/blk-iopoll.c linux-3.0.7/block/blk-iopoll.c
22916--- linux-3.0.7/block/blk-iopoll.c 2011-07-21 22:17:23.000000000 -0400
22917+++ linux-3.0.7/block/blk-iopoll.c 2011-08-23 21:47:55.000000000 -0400
22918@@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
22919 }
22920 EXPORT_SYMBOL(blk_iopoll_complete);
22921
22922-static void blk_iopoll_softirq(struct softirq_action *h)
22923+static void blk_iopoll_softirq(void)
22924 {
22925 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
22926 int rearm = 0, budget = blk_iopoll_budget;
22927diff -urNp linux-3.0.7/block/blk-map.c linux-3.0.7/block/blk-map.c
22928--- linux-3.0.7/block/blk-map.c 2011-07-21 22:17:23.000000000 -0400
22929+++ linux-3.0.7/block/blk-map.c 2011-08-23 21:47:55.000000000 -0400
22930@@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
22931 if (!len || !kbuf)
22932 return -EINVAL;
22933
22934- do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
22935+ do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
22936 if (do_copy)
22937 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
22938 else
22939diff -urNp linux-3.0.7/block/blk-softirq.c linux-3.0.7/block/blk-softirq.c
22940--- linux-3.0.7/block/blk-softirq.c 2011-07-21 22:17:23.000000000 -0400
22941+++ linux-3.0.7/block/blk-softirq.c 2011-08-23 21:47:55.000000000 -0400
22942@@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
22943 * Softirq action handler - move entries to local list and loop over them
22944 * while passing them to the queue registered handler.
22945 */
22946-static void blk_done_softirq(struct softirq_action *h)
22947+static void blk_done_softirq(void)
22948 {
22949 struct list_head *cpu_list, local_list;
22950
22951diff -urNp linux-3.0.7/block/bsg.c linux-3.0.7/block/bsg.c
22952--- linux-3.0.7/block/bsg.c 2011-07-21 22:17:23.000000000 -0400
22953+++ linux-3.0.7/block/bsg.c 2011-10-06 04:17:55.000000000 -0400
22954@@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
22955 struct sg_io_v4 *hdr, struct bsg_device *bd,
22956 fmode_t has_write_perm)
22957 {
22958+ unsigned char tmpcmd[sizeof(rq->__cmd)];
22959+ unsigned char *cmdptr;
22960+
22961 if (hdr->request_len > BLK_MAX_CDB) {
22962 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
22963 if (!rq->cmd)
22964 return -ENOMEM;
22965- }
22966+ cmdptr = rq->cmd;
22967+ } else
22968+ cmdptr = tmpcmd;
22969
22970- if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
22971+ if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
22972 hdr->request_len))
22973 return -EFAULT;
22974
22975+ if (cmdptr != rq->cmd)
22976+ memcpy(rq->cmd, cmdptr, hdr->request_len);
22977+
22978 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
22979 if (blk_verify_command(rq->cmd, has_write_perm))
22980 return -EPERM;
22981@@ -249,7 +257,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
22982 struct request *rq, *next_rq = NULL;
22983 int ret, rw;
22984 unsigned int dxfer_len;
22985- void *dxferp = NULL;
22986+ void __user *dxferp = NULL;
22987 struct bsg_class_device *bcd = &q->bsg_dev;
22988
22989 /* if the LLD has been removed then the bsg_unregister_queue will
22990@@ -291,7 +299,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
22991 rq->next_rq = next_rq;
22992 next_rq->cmd_type = rq->cmd_type;
22993
22994- dxferp = (void*)(unsigned long)hdr->din_xferp;
22995+ dxferp = (void __user *)(unsigned long)hdr->din_xferp;
22996 ret = blk_rq_map_user(q, next_rq, NULL, dxferp,
22997 hdr->din_xfer_len, GFP_KERNEL);
22998 if (ret)
22999@@ -300,10 +308,10 @@ bsg_map_hdr(struct bsg_device *bd, struc
23000
23001 if (hdr->dout_xfer_len) {
23002 dxfer_len = hdr->dout_xfer_len;
23003- dxferp = (void*)(unsigned long)hdr->dout_xferp;
23004+ dxferp = (void __user *)(unsigned long)hdr->dout_xferp;
23005 } else if (hdr->din_xfer_len) {
23006 dxfer_len = hdr->din_xfer_len;
23007- dxferp = (void*)(unsigned long)hdr->din_xferp;
23008+ dxferp = (void __user *)(unsigned long)hdr->din_xferp;
23009 } else
23010 dxfer_len = 0;
23011
23012@@ -445,7 +453,7 @@ static int blk_complete_sgv4_hdr_rq(stru
23013 int len = min_t(unsigned int, hdr->max_response_len,
23014 rq->sense_len);
23015
23016- ret = copy_to_user((void*)(unsigned long)hdr->response,
23017+ ret = copy_to_user((void __user *)(unsigned long)hdr->response,
23018 rq->sense, len);
23019 if (!ret)
23020 hdr->response_len = len;
23021diff -urNp linux-3.0.7/block/compat_ioctl.c linux-3.0.7/block/compat_ioctl.c
23022--- linux-3.0.7/block/compat_ioctl.c 2011-07-21 22:17:23.000000000 -0400
23023+++ linux-3.0.7/block/compat_ioctl.c 2011-10-06 04:17:55.000000000 -0400
23024@@ -354,7 +354,7 @@ static int compat_fd_ioctl(struct block_
23025 err |= __get_user(f->spec1, &uf->spec1);
23026 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
23027 err |= __get_user(name, &uf->name);
23028- f->name = compat_ptr(name);
23029+ f->name = (void __force_kernel *)compat_ptr(name);
23030 if (err) {
23031 err = -EFAULT;
23032 goto out;
23033diff -urNp linux-3.0.7/block/scsi_ioctl.c linux-3.0.7/block/scsi_ioctl.c
23034--- linux-3.0.7/block/scsi_ioctl.c 2011-07-21 22:17:23.000000000 -0400
23035+++ linux-3.0.7/block/scsi_ioctl.c 2011-08-23 21:47:55.000000000 -0400
23036@@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
23037 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
23038 struct sg_io_hdr *hdr, fmode_t mode)
23039 {
23040- if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
23041+ unsigned char tmpcmd[sizeof(rq->__cmd)];
23042+ unsigned char *cmdptr;
23043+
23044+ if (rq->cmd != rq->__cmd)
23045+ cmdptr = rq->cmd;
23046+ else
23047+ cmdptr = tmpcmd;
23048+
23049+ if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
23050 return -EFAULT;
23051+
23052+ if (cmdptr != rq->cmd)
23053+ memcpy(rq->cmd, cmdptr, hdr->cmd_len);
23054+
23055 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
23056 return -EPERM;
23057
23058@@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
23059 int err;
23060 unsigned int in_len, out_len, bytes, opcode, cmdlen;
23061 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
23062+ unsigned char tmpcmd[sizeof(rq->__cmd)];
23063+ unsigned char *cmdptr;
23064
23065 if (!sic)
23066 return -EINVAL;
23067@@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
23068 */
23069 err = -EFAULT;
23070 rq->cmd_len = cmdlen;
23071- if (copy_from_user(rq->cmd, sic->data, cmdlen))
23072+
23073+ if (rq->cmd != rq->__cmd)
23074+ cmdptr = rq->cmd;
23075+ else
23076+ cmdptr = tmpcmd;
23077+
23078+ if (copy_from_user(cmdptr, sic->data, cmdlen))
23079 goto error;
23080
23081+ if (rq->cmd != cmdptr)
23082+ memcpy(rq->cmd, cmdptr, cmdlen);
23083+
23084 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
23085 goto error;
23086
23087diff -urNp linux-3.0.7/crypto/cryptd.c linux-3.0.7/crypto/cryptd.c
23088--- linux-3.0.7/crypto/cryptd.c 2011-07-21 22:17:23.000000000 -0400
23089+++ linux-3.0.7/crypto/cryptd.c 2011-08-23 21:47:55.000000000 -0400
23090@@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx {
23091
23092 struct cryptd_blkcipher_request_ctx {
23093 crypto_completion_t complete;
23094-};
23095+} __no_const;
23096
23097 struct cryptd_hash_ctx {
23098 struct crypto_shash *child;
23099@@ -80,7 +80,7 @@ struct cryptd_aead_ctx {
23100
23101 struct cryptd_aead_request_ctx {
23102 crypto_completion_t complete;
23103-};
23104+} __no_const;
23105
23106 static void cryptd_queue_worker(struct work_struct *work);
23107
23108diff -urNp linux-3.0.7/crypto/gf128mul.c linux-3.0.7/crypto/gf128mul.c
23109--- linux-3.0.7/crypto/gf128mul.c 2011-07-21 22:17:23.000000000 -0400
23110+++ linux-3.0.7/crypto/gf128mul.c 2011-08-23 21:47:55.000000000 -0400
23111@@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128
23112 for (i = 0; i < 7; ++i)
23113 gf128mul_x_lle(&p[i + 1], &p[i]);
23114
23115- memset(r, 0, sizeof(r));
23116+ memset(r, 0, sizeof(*r));
23117 for (i = 0;;) {
23118 u8 ch = ((u8 *)b)[15 - i];
23119
23120@@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128
23121 for (i = 0; i < 7; ++i)
23122 gf128mul_x_bbe(&p[i + 1], &p[i]);
23123
23124- memset(r, 0, sizeof(r));
23125+ memset(r, 0, sizeof(*r));
23126 for (i = 0;;) {
23127 u8 ch = ((u8 *)b)[i];
23128
23129diff -urNp linux-3.0.7/crypto/serpent.c linux-3.0.7/crypto/serpent.c
23130--- linux-3.0.7/crypto/serpent.c 2011-07-21 22:17:23.000000000 -0400
23131+++ linux-3.0.7/crypto/serpent.c 2011-08-23 21:48:14.000000000 -0400
23132@@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
23133 u32 r0,r1,r2,r3,r4;
23134 int i;
23135
23136+ pax_track_stack();
23137+
23138 /* Copy key, add padding */
23139
23140 for (i = 0; i < keylen; ++i)
23141diff -urNp linux-3.0.7/drivers/acpi/apei/cper.c linux-3.0.7/drivers/acpi/apei/cper.c
23142--- linux-3.0.7/drivers/acpi/apei/cper.c 2011-07-21 22:17:23.000000000 -0400
23143+++ linux-3.0.7/drivers/acpi/apei/cper.c 2011-08-23 21:47:55.000000000 -0400
23144@@ -38,12 +38,12 @@
23145 */
23146 u64 cper_next_record_id(void)
23147 {
23148- static atomic64_t seq;
23149+ static atomic64_unchecked_t seq;
23150
23151- if (!atomic64_read(&seq))
23152- atomic64_set(&seq, ((u64)get_seconds()) << 32);
23153+ if (!atomic64_read_unchecked(&seq))
23154+ atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
23155
23156- return atomic64_inc_return(&seq);
23157+ return atomic64_inc_return_unchecked(&seq);
23158 }
23159 EXPORT_SYMBOL_GPL(cper_next_record_id);
23160
23161diff -urNp linux-3.0.7/drivers/acpi/ec_sys.c linux-3.0.7/drivers/acpi/ec_sys.c
23162--- linux-3.0.7/drivers/acpi/ec_sys.c 2011-07-21 22:17:23.000000000 -0400
23163+++ linux-3.0.7/drivers/acpi/ec_sys.c 2011-08-24 19:06:55.000000000 -0400
23164@@ -11,6 +11,7 @@
23165 #include <linux/kernel.h>
23166 #include <linux/acpi.h>
23167 #include <linux/debugfs.h>
23168+#include <asm/uaccess.h>
23169 #include "internal.h"
23170
23171 MODULE_AUTHOR("Thomas Renninger <trenn@suse.de>");
23172@@ -39,7 +40,7 @@ static ssize_t acpi_ec_read_io(struct fi
23173 * struct acpi_ec *ec = ((struct seq_file *)f->private_data)->private;
23174 */
23175 unsigned int size = EC_SPACE_SIZE;
23176- u8 *data = (u8 *) buf;
23177+ u8 data;
23178 loff_t init_off = *off;
23179 int err = 0;
23180
23181@@ -52,9 +53,11 @@ static ssize_t acpi_ec_read_io(struct fi
23182 size = count;
23183
23184 while (size) {
23185- err = ec_read(*off, &data[*off - init_off]);
23186+ err = ec_read(*off, &data);
23187 if (err)
23188 return err;
23189+ if (put_user(data, &buf[*off - init_off]))
23190+ return -EFAULT;
23191 *off += 1;
23192 size--;
23193 }
23194@@ -70,7 +73,6 @@ static ssize_t acpi_ec_write_io(struct f
23195
23196 unsigned int size = count;
23197 loff_t init_off = *off;
23198- u8 *data = (u8 *) buf;
23199 int err = 0;
23200
23201 if (*off >= EC_SPACE_SIZE)
23202@@ -81,7 +83,9 @@ static ssize_t acpi_ec_write_io(struct f
23203 }
23204
23205 while (size) {
23206- u8 byte_write = data[*off - init_off];
23207+ u8 byte_write;
23208+ if (get_user(byte_write, &buf[*off - init_off]))
23209+ return -EFAULT;
23210 err = ec_write(*off, byte_write);
23211 if (err)
23212 return err;
23213diff -urNp linux-3.0.7/drivers/acpi/proc.c linux-3.0.7/drivers/acpi/proc.c
23214--- linux-3.0.7/drivers/acpi/proc.c 2011-07-21 22:17:23.000000000 -0400
23215+++ linux-3.0.7/drivers/acpi/proc.c 2011-08-23 21:47:55.000000000 -0400
23216@@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
23217 size_t count, loff_t * ppos)
23218 {
23219 struct list_head *node, *next;
23220- char strbuf[5];
23221- char str[5] = "";
23222- unsigned int len = count;
23223-
23224- if (len > 4)
23225- len = 4;
23226- if (len < 0)
23227- return -EFAULT;
23228+ char strbuf[5] = {0};
23229
23230- if (copy_from_user(strbuf, buffer, len))
23231+ if (count > 4)
23232+ count = 4;
23233+ if (copy_from_user(strbuf, buffer, count))
23234 return -EFAULT;
23235- strbuf[len] = '\0';
23236- sscanf(strbuf, "%s", str);
23237+ strbuf[count] = '\0';
23238
23239 mutex_lock(&acpi_device_lock);
23240 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
23241@@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
23242 if (!dev->wakeup.flags.valid)
23243 continue;
23244
23245- if (!strncmp(dev->pnp.bus_id, str, 4)) {
23246+ if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
23247 if (device_can_wakeup(&dev->dev)) {
23248 bool enable = !device_may_wakeup(&dev->dev);
23249 device_set_wakeup_enable(&dev->dev, enable);
23250diff -urNp linux-3.0.7/drivers/acpi/processor_driver.c linux-3.0.7/drivers/acpi/processor_driver.c
23251--- linux-3.0.7/drivers/acpi/processor_driver.c 2011-07-21 22:17:23.000000000 -0400
23252+++ linux-3.0.7/drivers/acpi/processor_driver.c 2011-08-23 21:47:55.000000000 -0400
23253@@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
23254 return 0;
23255 #endif
23256
23257- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
23258+ BUG_ON(pr->id >= nr_cpu_ids);
23259
23260 /*
23261 * Buggy BIOS check
23262diff -urNp linux-3.0.7/drivers/ata/libata-core.c linux-3.0.7/drivers/ata/libata-core.c
23263--- linux-3.0.7/drivers/ata/libata-core.c 2011-07-21 22:17:23.000000000 -0400
23264+++ linux-3.0.7/drivers/ata/libata-core.c 2011-08-23 21:47:55.000000000 -0400
23265@@ -4753,7 +4753,7 @@ void ata_qc_free(struct ata_queued_cmd *
23266 struct ata_port *ap;
23267 unsigned int tag;
23268
23269- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23270+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23271 ap = qc->ap;
23272
23273 qc->flags = 0;
23274@@ -4769,7 +4769,7 @@ void __ata_qc_complete(struct ata_queued
23275 struct ata_port *ap;
23276 struct ata_link *link;
23277
23278- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23279+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23280 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
23281 ap = qc->ap;
23282 link = qc->dev->link;
23283@@ -5774,6 +5774,7 @@ static void ata_finalize_port_ops(struct
23284 return;
23285
23286 spin_lock(&lock);
23287+ pax_open_kernel();
23288
23289 for (cur = ops->inherits; cur; cur = cur->inherits) {
23290 void **inherit = (void **)cur;
23291@@ -5787,8 +5788,9 @@ static void ata_finalize_port_ops(struct
23292 if (IS_ERR(*pp))
23293 *pp = NULL;
23294
23295- ops->inherits = NULL;
23296+ *(struct ata_port_operations **)&ops->inherits = NULL;
23297
23298+ pax_close_kernel();
23299 spin_unlock(&lock);
23300 }
23301
23302diff -urNp linux-3.0.7/drivers/ata/libata-eh.c linux-3.0.7/drivers/ata/libata-eh.c
23303--- linux-3.0.7/drivers/ata/libata-eh.c 2011-07-21 22:17:23.000000000 -0400
23304+++ linux-3.0.7/drivers/ata/libata-eh.c 2011-08-23 21:48:14.000000000 -0400
23305@@ -2518,6 +2518,8 @@ void ata_eh_report(struct ata_port *ap)
23306 {
23307 struct ata_link *link;
23308
23309+ pax_track_stack();
23310+
23311 ata_for_each_link(link, ap, HOST_FIRST)
23312 ata_eh_link_report(link);
23313 }
23314diff -urNp linux-3.0.7/drivers/ata/pata_arasan_cf.c linux-3.0.7/drivers/ata/pata_arasan_cf.c
23315--- linux-3.0.7/drivers/ata/pata_arasan_cf.c 2011-07-21 22:17:23.000000000 -0400
23316+++ linux-3.0.7/drivers/ata/pata_arasan_cf.c 2011-08-23 21:47:55.000000000 -0400
23317@@ -862,7 +862,9 @@ static int __devinit arasan_cf_probe(str
23318 /* Handle platform specific quirks */
23319 if (pdata->quirk) {
23320 if (pdata->quirk & CF_BROKEN_PIO) {
23321- ap->ops->set_piomode = NULL;
23322+ pax_open_kernel();
23323+ *(void **)&ap->ops->set_piomode = NULL;
23324+ pax_close_kernel();
23325 ap->pio_mask = 0;
23326 }
23327 if (pdata->quirk & CF_BROKEN_MWDMA)
23328diff -urNp linux-3.0.7/drivers/atm/adummy.c linux-3.0.7/drivers/atm/adummy.c
23329--- linux-3.0.7/drivers/atm/adummy.c 2011-07-21 22:17:23.000000000 -0400
23330+++ linux-3.0.7/drivers/atm/adummy.c 2011-08-23 21:47:55.000000000 -0400
23331@@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
23332 vcc->pop(vcc, skb);
23333 else
23334 dev_kfree_skb_any(skb);
23335- atomic_inc(&vcc->stats->tx);
23336+ atomic_inc_unchecked(&vcc->stats->tx);
23337
23338 return 0;
23339 }
23340diff -urNp linux-3.0.7/drivers/atm/ambassador.c linux-3.0.7/drivers/atm/ambassador.c
23341--- linux-3.0.7/drivers/atm/ambassador.c 2011-07-21 22:17:23.000000000 -0400
23342+++ linux-3.0.7/drivers/atm/ambassador.c 2011-08-23 21:47:55.000000000 -0400
23343@@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
23344 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
23345
23346 // VC layer stats
23347- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23348+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23349
23350 // free the descriptor
23351 kfree (tx_descr);
23352@@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
23353 dump_skb ("<<<", vc, skb);
23354
23355 // VC layer stats
23356- atomic_inc(&atm_vcc->stats->rx);
23357+ atomic_inc_unchecked(&atm_vcc->stats->rx);
23358 __net_timestamp(skb);
23359 // end of our responsibility
23360 atm_vcc->push (atm_vcc, skb);
23361@@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
23362 } else {
23363 PRINTK (KERN_INFO, "dropped over-size frame");
23364 // should we count this?
23365- atomic_inc(&atm_vcc->stats->rx_drop);
23366+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23367 }
23368
23369 } else {
23370@@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
23371 }
23372
23373 if (check_area (skb->data, skb->len)) {
23374- atomic_inc(&atm_vcc->stats->tx_err);
23375+ atomic_inc_unchecked(&atm_vcc->stats->tx_err);
23376 return -ENOMEM; // ?
23377 }
23378
23379diff -urNp linux-3.0.7/drivers/atm/atmtcp.c linux-3.0.7/drivers/atm/atmtcp.c
23380--- linux-3.0.7/drivers/atm/atmtcp.c 2011-07-21 22:17:23.000000000 -0400
23381+++ linux-3.0.7/drivers/atm/atmtcp.c 2011-08-23 21:47:55.000000000 -0400
23382@@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
23383 if (vcc->pop) vcc->pop(vcc,skb);
23384 else dev_kfree_skb(skb);
23385 if (dev_data) return 0;
23386- atomic_inc(&vcc->stats->tx_err);
23387+ atomic_inc_unchecked(&vcc->stats->tx_err);
23388 return -ENOLINK;
23389 }
23390 size = skb->len+sizeof(struct atmtcp_hdr);
23391@@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
23392 if (!new_skb) {
23393 if (vcc->pop) vcc->pop(vcc,skb);
23394 else dev_kfree_skb(skb);
23395- atomic_inc(&vcc->stats->tx_err);
23396+ atomic_inc_unchecked(&vcc->stats->tx_err);
23397 return -ENOBUFS;
23398 }
23399 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
23400@@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
23401 if (vcc->pop) vcc->pop(vcc,skb);
23402 else dev_kfree_skb(skb);
23403 out_vcc->push(out_vcc,new_skb);
23404- atomic_inc(&vcc->stats->tx);
23405- atomic_inc(&out_vcc->stats->rx);
23406+ atomic_inc_unchecked(&vcc->stats->tx);
23407+ atomic_inc_unchecked(&out_vcc->stats->rx);
23408 return 0;
23409 }
23410
23411@@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
23412 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
23413 read_unlock(&vcc_sklist_lock);
23414 if (!out_vcc) {
23415- atomic_inc(&vcc->stats->tx_err);
23416+ atomic_inc_unchecked(&vcc->stats->tx_err);
23417 goto done;
23418 }
23419 skb_pull(skb,sizeof(struct atmtcp_hdr));
23420@@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
23421 __net_timestamp(new_skb);
23422 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
23423 out_vcc->push(out_vcc,new_skb);
23424- atomic_inc(&vcc->stats->tx);
23425- atomic_inc(&out_vcc->stats->rx);
23426+ atomic_inc_unchecked(&vcc->stats->tx);
23427+ atomic_inc_unchecked(&out_vcc->stats->rx);
23428 done:
23429 if (vcc->pop) vcc->pop(vcc,skb);
23430 else dev_kfree_skb(skb);
23431diff -urNp linux-3.0.7/drivers/atm/eni.c linux-3.0.7/drivers/atm/eni.c
23432--- linux-3.0.7/drivers/atm/eni.c 2011-07-21 22:17:23.000000000 -0400
23433+++ linux-3.0.7/drivers/atm/eni.c 2011-10-11 10:44:33.000000000 -0400
23434@@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
23435 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
23436 vcc->dev->number);
23437 length = 0;
23438- atomic_inc(&vcc->stats->rx_err);
23439+ atomic_inc_unchecked(&vcc->stats->rx_err);
23440 }
23441 else {
23442 length = ATM_CELL_SIZE-1; /* no HEC */
23443@@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23444 size);
23445 }
23446 eff = length = 0;
23447- atomic_inc(&vcc->stats->rx_err);
23448+ atomic_inc_unchecked(&vcc->stats->rx_err);
23449 }
23450 else {
23451 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
23452@@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23453 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
23454 vcc->dev->number,vcc->vci,length,size << 2,descr);
23455 length = eff = 0;
23456- atomic_inc(&vcc->stats->rx_err);
23457+ atomic_inc_unchecked(&vcc->stats->rx_err);
23458 }
23459 }
23460 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
23461@@ -771,7 +771,7 @@ rx_dequeued++;
23462 vcc->push(vcc,skb);
23463 pushed++;
23464 }
23465- atomic_inc(&vcc->stats->rx);
23466+ atomic_inc_unchecked(&vcc->stats->rx);
23467 }
23468 wake_up(&eni_dev->rx_wait);
23469 }
23470@@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
23471 PCI_DMA_TODEVICE);
23472 if (vcc->pop) vcc->pop(vcc,skb);
23473 else dev_kfree_skb_irq(skb);
23474- atomic_inc(&vcc->stats->tx);
23475+ atomic_inc_unchecked(&vcc->stats->tx);
23476 wake_up(&eni_dev->tx_wait);
23477 dma_complete++;
23478 }
23479@@ -1568,7 +1568,7 @@ tx_complete++;
23480 /*--------------------------------- entries ---------------------------------*/
23481
23482
23483-static const char *media_name[] __devinitdata = {
23484+static const char *media_name[] __devinitconst = {
23485 "MMF", "SMF", "MMF", "03?", /* 0- 3 */
23486 "UTP", "05?", "06?", "07?", /* 4- 7 */
23487 "TAXI","09?", "10?", "11?", /* 8-11 */
23488diff -urNp linux-3.0.7/drivers/atm/firestream.c linux-3.0.7/drivers/atm/firestream.c
23489--- linux-3.0.7/drivers/atm/firestream.c 2011-07-21 22:17:23.000000000 -0400
23490+++ linux-3.0.7/drivers/atm/firestream.c 2011-08-23 21:47:55.000000000 -0400
23491@@ -749,7 +749,7 @@ static void process_txdone_queue (struct
23492 }
23493 }
23494
23495- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23496+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23497
23498 fs_dprintk (FS_DEBUG_TXMEM, "i");
23499 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
23500@@ -816,7 +816,7 @@ static void process_incoming (struct fs_
23501 #endif
23502 skb_put (skb, qe->p1 & 0xffff);
23503 ATM_SKB(skb)->vcc = atm_vcc;
23504- atomic_inc(&atm_vcc->stats->rx);
23505+ atomic_inc_unchecked(&atm_vcc->stats->rx);
23506 __net_timestamp(skb);
23507 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
23508 atm_vcc->push (atm_vcc, skb);
23509@@ -837,12 +837,12 @@ static void process_incoming (struct fs_
23510 kfree (pe);
23511 }
23512 if (atm_vcc)
23513- atomic_inc(&atm_vcc->stats->rx_drop);
23514+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23515 break;
23516 case 0x1f: /* Reassembly abort: no buffers. */
23517 /* Silently increment error counter. */
23518 if (atm_vcc)
23519- atomic_inc(&atm_vcc->stats->rx_drop);
23520+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23521 break;
23522 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
23523 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
23524diff -urNp linux-3.0.7/drivers/atm/fore200e.c linux-3.0.7/drivers/atm/fore200e.c
23525--- linux-3.0.7/drivers/atm/fore200e.c 2011-07-21 22:17:23.000000000 -0400
23526+++ linux-3.0.7/drivers/atm/fore200e.c 2011-08-23 21:47:55.000000000 -0400
23527@@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
23528 #endif
23529 /* check error condition */
23530 if (*entry->status & STATUS_ERROR)
23531- atomic_inc(&vcc->stats->tx_err);
23532+ atomic_inc_unchecked(&vcc->stats->tx_err);
23533 else
23534- atomic_inc(&vcc->stats->tx);
23535+ atomic_inc_unchecked(&vcc->stats->tx);
23536 }
23537 }
23538
23539@@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
23540 if (skb == NULL) {
23541 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
23542
23543- atomic_inc(&vcc->stats->rx_drop);
23544+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23545 return -ENOMEM;
23546 }
23547
23548@@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
23549
23550 dev_kfree_skb_any(skb);
23551
23552- atomic_inc(&vcc->stats->rx_drop);
23553+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23554 return -ENOMEM;
23555 }
23556
23557 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23558
23559 vcc->push(vcc, skb);
23560- atomic_inc(&vcc->stats->rx);
23561+ atomic_inc_unchecked(&vcc->stats->rx);
23562
23563 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23564
23565@@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
23566 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
23567 fore200e->atm_dev->number,
23568 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
23569- atomic_inc(&vcc->stats->rx_err);
23570+ atomic_inc_unchecked(&vcc->stats->rx_err);
23571 }
23572 }
23573
23574@@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
23575 goto retry_here;
23576 }
23577
23578- atomic_inc(&vcc->stats->tx_err);
23579+ atomic_inc_unchecked(&vcc->stats->tx_err);
23580
23581 fore200e->tx_sat++;
23582 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
23583diff -urNp linux-3.0.7/drivers/atm/he.c linux-3.0.7/drivers/atm/he.c
23584--- linux-3.0.7/drivers/atm/he.c 2011-07-21 22:17:23.000000000 -0400
23585+++ linux-3.0.7/drivers/atm/he.c 2011-08-23 21:47:55.000000000 -0400
23586@@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23587
23588 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
23589 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
23590- atomic_inc(&vcc->stats->rx_drop);
23591+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23592 goto return_host_buffers;
23593 }
23594
23595@@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23596 RBRQ_LEN_ERR(he_dev->rbrq_head)
23597 ? "LEN_ERR" : "",
23598 vcc->vpi, vcc->vci);
23599- atomic_inc(&vcc->stats->rx_err);
23600+ atomic_inc_unchecked(&vcc->stats->rx_err);
23601 goto return_host_buffers;
23602 }
23603
23604@@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23605 vcc->push(vcc, skb);
23606 spin_lock(&he_dev->global_lock);
23607
23608- atomic_inc(&vcc->stats->rx);
23609+ atomic_inc_unchecked(&vcc->stats->rx);
23610
23611 return_host_buffers:
23612 ++pdus_assembled;
23613@@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
23614 tpd->vcc->pop(tpd->vcc, tpd->skb);
23615 else
23616 dev_kfree_skb_any(tpd->skb);
23617- atomic_inc(&tpd->vcc->stats->tx_err);
23618+ atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
23619 }
23620 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
23621 return;
23622@@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23623 vcc->pop(vcc, skb);
23624 else
23625 dev_kfree_skb_any(skb);
23626- atomic_inc(&vcc->stats->tx_err);
23627+ atomic_inc_unchecked(&vcc->stats->tx_err);
23628 return -EINVAL;
23629 }
23630
23631@@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23632 vcc->pop(vcc, skb);
23633 else
23634 dev_kfree_skb_any(skb);
23635- atomic_inc(&vcc->stats->tx_err);
23636+ atomic_inc_unchecked(&vcc->stats->tx_err);
23637 return -EINVAL;
23638 }
23639 #endif
23640@@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23641 vcc->pop(vcc, skb);
23642 else
23643 dev_kfree_skb_any(skb);
23644- atomic_inc(&vcc->stats->tx_err);
23645+ atomic_inc_unchecked(&vcc->stats->tx_err);
23646 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23647 return -ENOMEM;
23648 }
23649@@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23650 vcc->pop(vcc, skb);
23651 else
23652 dev_kfree_skb_any(skb);
23653- atomic_inc(&vcc->stats->tx_err);
23654+ atomic_inc_unchecked(&vcc->stats->tx_err);
23655 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23656 return -ENOMEM;
23657 }
23658@@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23659 __enqueue_tpd(he_dev, tpd, cid);
23660 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23661
23662- atomic_inc(&vcc->stats->tx);
23663+ atomic_inc_unchecked(&vcc->stats->tx);
23664
23665 return 0;
23666 }
23667diff -urNp linux-3.0.7/drivers/atm/horizon.c linux-3.0.7/drivers/atm/horizon.c
23668--- linux-3.0.7/drivers/atm/horizon.c 2011-07-21 22:17:23.000000000 -0400
23669+++ linux-3.0.7/drivers/atm/horizon.c 2011-08-23 21:47:55.000000000 -0400
23670@@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
23671 {
23672 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
23673 // VC layer stats
23674- atomic_inc(&vcc->stats->rx);
23675+ atomic_inc_unchecked(&vcc->stats->rx);
23676 __net_timestamp(skb);
23677 // end of our responsibility
23678 vcc->push (vcc, skb);
23679@@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
23680 dev->tx_iovec = NULL;
23681
23682 // VC layer stats
23683- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23684+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23685
23686 // free the skb
23687 hrz_kfree_skb (skb);
23688diff -urNp linux-3.0.7/drivers/atm/idt77252.c linux-3.0.7/drivers/atm/idt77252.c
23689--- linux-3.0.7/drivers/atm/idt77252.c 2011-07-21 22:17:23.000000000 -0400
23690+++ linux-3.0.7/drivers/atm/idt77252.c 2011-08-23 21:47:55.000000000 -0400
23691@@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
23692 else
23693 dev_kfree_skb(skb);
23694
23695- atomic_inc(&vcc->stats->tx);
23696+ atomic_inc_unchecked(&vcc->stats->tx);
23697 }
23698
23699 atomic_dec(&scq->used);
23700@@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
23701 if ((sb = dev_alloc_skb(64)) == NULL) {
23702 printk("%s: Can't allocate buffers for aal0.\n",
23703 card->name);
23704- atomic_add(i, &vcc->stats->rx_drop);
23705+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
23706 break;
23707 }
23708 if (!atm_charge(vcc, sb->truesize)) {
23709 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
23710 card->name);
23711- atomic_add(i - 1, &vcc->stats->rx_drop);
23712+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
23713 dev_kfree_skb(sb);
23714 break;
23715 }
23716@@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
23717 ATM_SKB(sb)->vcc = vcc;
23718 __net_timestamp(sb);
23719 vcc->push(vcc, sb);
23720- atomic_inc(&vcc->stats->rx);
23721+ atomic_inc_unchecked(&vcc->stats->rx);
23722
23723 cell += ATM_CELL_PAYLOAD;
23724 }
23725@@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
23726 "(CDC: %08x)\n",
23727 card->name, len, rpp->len, readl(SAR_REG_CDC));
23728 recycle_rx_pool_skb(card, rpp);
23729- atomic_inc(&vcc->stats->rx_err);
23730+ atomic_inc_unchecked(&vcc->stats->rx_err);
23731 return;
23732 }
23733 if (stat & SAR_RSQE_CRC) {
23734 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
23735 recycle_rx_pool_skb(card, rpp);
23736- atomic_inc(&vcc->stats->rx_err);
23737+ atomic_inc_unchecked(&vcc->stats->rx_err);
23738 return;
23739 }
23740 if (skb_queue_len(&rpp->queue) > 1) {
23741@@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
23742 RXPRINTK("%s: Can't alloc RX skb.\n",
23743 card->name);
23744 recycle_rx_pool_skb(card, rpp);
23745- atomic_inc(&vcc->stats->rx_err);
23746+ atomic_inc_unchecked(&vcc->stats->rx_err);
23747 return;
23748 }
23749 if (!atm_charge(vcc, skb->truesize)) {
23750@@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
23751 __net_timestamp(skb);
23752
23753 vcc->push(vcc, skb);
23754- atomic_inc(&vcc->stats->rx);
23755+ atomic_inc_unchecked(&vcc->stats->rx);
23756
23757 return;
23758 }
23759@@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
23760 __net_timestamp(skb);
23761
23762 vcc->push(vcc, skb);
23763- atomic_inc(&vcc->stats->rx);
23764+ atomic_inc_unchecked(&vcc->stats->rx);
23765
23766 if (skb->truesize > SAR_FB_SIZE_3)
23767 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
23768@@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
23769 if (vcc->qos.aal != ATM_AAL0) {
23770 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
23771 card->name, vpi, vci);
23772- atomic_inc(&vcc->stats->rx_drop);
23773+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23774 goto drop;
23775 }
23776
23777 if ((sb = dev_alloc_skb(64)) == NULL) {
23778 printk("%s: Can't allocate buffers for AAL0.\n",
23779 card->name);
23780- atomic_inc(&vcc->stats->rx_err);
23781+ atomic_inc_unchecked(&vcc->stats->rx_err);
23782 goto drop;
23783 }
23784
23785@@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
23786 ATM_SKB(sb)->vcc = vcc;
23787 __net_timestamp(sb);
23788 vcc->push(vcc, sb);
23789- atomic_inc(&vcc->stats->rx);
23790+ atomic_inc_unchecked(&vcc->stats->rx);
23791
23792 drop:
23793 skb_pull(queue, 64);
23794@@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23795
23796 if (vc == NULL) {
23797 printk("%s: NULL connection in send().\n", card->name);
23798- atomic_inc(&vcc->stats->tx_err);
23799+ atomic_inc_unchecked(&vcc->stats->tx_err);
23800 dev_kfree_skb(skb);
23801 return -EINVAL;
23802 }
23803 if (!test_bit(VCF_TX, &vc->flags)) {
23804 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
23805- atomic_inc(&vcc->stats->tx_err);
23806+ atomic_inc_unchecked(&vcc->stats->tx_err);
23807 dev_kfree_skb(skb);
23808 return -EINVAL;
23809 }
23810@@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23811 break;
23812 default:
23813 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
23814- atomic_inc(&vcc->stats->tx_err);
23815+ atomic_inc_unchecked(&vcc->stats->tx_err);
23816 dev_kfree_skb(skb);
23817 return -EINVAL;
23818 }
23819
23820 if (skb_shinfo(skb)->nr_frags != 0) {
23821 printk("%s: No scatter-gather yet.\n", card->name);
23822- atomic_inc(&vcc->stats->tx_err);
23823+ atomic_inc_unchecked(&vcc->stats->tx_err);
23824 dev_kfree_skb(skb);
23825 return -EINVAL;
23826 }
23827@@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23828
23829 err = queue_skb(card, vc, skb, oam);
23830 if (err) {
23831- atomic_inc(&vcc->stats->tx_err);
23832+ atomic_inc_unchecked(&vcc->stats->tx_err);
23833 dev_kfree_skb(skb);
23834 return err;
23835 }
23836@@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
23837 skb = dev_alloc_skb(64);
23838 if (!skb) {
23839 printk("%s: Out of memory in send_oam().\n", card->name);
23840- atomic_inc(&vcc->stats->tx_err);
23841+ atomic_inc_unchecked(&vcc->stats->tx_err);
23842 return -ENOMEM;
23843 }
23844 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
23845diff -urNp linux-3.0.7/drivers/atm/iphase.c linux-3.0.7/drivers/atm/iphase.c
23846--- linux-3.0.7/drivers/atm/iphase.c 2011-07-21 22:17:23.000000000 -0400
23847+++ linux-3.0.7/drivers/atm/iphase.c 2011-08-23 21:47:55.000000000 -0400
23848@@ -1120,7 +1120,7 @@ static int rx_pkt(struct atm_dev *dev)
23849 status = (u_short) (buf_desc_ptr->desc_mode);
23850 if (status & (RX_CER | RX_PTE | RX_OFL))
23851 {
23852- atomic_inc(&vcc->stats->rx_err);
23853+ atomic_inc_unchecked(&vcc->stats->rx_err);
23854 IF_ERR(printk("IA: bad packet, dropping it");)
23855 if (status & RX_CER) {
23856 IF_ERR(printk(" cause: packet CRC error\n");)
23857@@ -1143,7 +1143,7 @@ static int rx_pkt(struct atm_dev *dev)
23858 len = dma_addr - buf_addr;
23859 if (len > iadev->rx_buf_sz) {
23860 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
23861- atomic_inc(&vcc->stats->rx_err);
23862+ atomic_inc_unchecked(&vcc->stats->rx_err);
23863 goto out_free_desc;
23864 }
23865
23866@@ -1293,7 +1293,7 @@ static void rx_dle_intr(struct atm_dev *
23867 ia_vcc = INPH_IA_VCC(vcc);
23868 if (ia_vcc == NULL)
23869 {
23870- atomic_inc(&vcc->stats->rx_err);
23871+ atomic_inc_unchecked(&vcc->stats->rx_err);
23872 dev_kfree_skb_any(skb);
23873 atm_return(vcc, atm_guess_pdu2truesize(len));
23874 goto INCR_DLE;
23875@@ -1305,7 +1305,7 @@ static void rx_dle_intr(struct atm_dev *
23876 if ((length > iadev->rx_buf_sz) || (length >
23877 (skb->len - sizeof(struct cpcs_trailer))))
23878 {
23879- atomic_inc(&vcc->stats->rx_err);
23880+ atomic_inc_unchecked(&vcc->stats->rx_err);
23881 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
23882 length, skb->len);)
23883 dev_kfree_skb_any(skb);
23884@@ -1321,7 +1321,7 @@ static void rx_dle_intr(struct atm_dev *
23885
23886 IF_RX(printk("rx_dle_intr: skb push");)
23887 vcc->push(vcc,skb);
23888- atomic_inc(&vcc->stats->rx);
23889+ atomic_inc_unchecked(&vcc->stats->rx);
23890 iadev->rx_pkt_cnt++;
23891 }
23892 INCR_DLE:
23893@@ -2801,15 +2801,15 @@ static int ia_ioctl(struct atm_dev *dev,
23894 {
23895 struct k_sonet_stats *stats;
23896 stats = &PRIV(_ia_dev[board])->sonet_stats;
23897- printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23898- printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23899- printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23900- printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23901- printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23902- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23903- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23904- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23905- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23906+ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23907+ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23908+ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23909+ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23910+ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23911+ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23912+ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23913+ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23914+ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23915 }
23916 ia_cmds.status = 0;
23917 break;
23918@@ -2914,7 +2914,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23919 if ((desc == 0) || (desc > iadev->num_tx_desc))
23920 {
23921 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23922- atomic_inc(&vcc->stats->tx);
23923+ atomic_inc_unchecked(&vcc->stats->tx);
23924 if (vcc->pop)
23925 vcc->pop(vcc, skb);
23926 else
23927@@ -3019,14 +3019,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23928 ATM_DESC(skb) = vcc->vci;
23929 skb_queue_tail(&iadev->tx_dma_q, skb);
23930
23931- atomic_inc(&vcc->stats->tx);
23932+ atomic_inc_unchecked(&vcc->stats->tx);
23933 iadev->tx_pkt_cnt++;
23934 /* Increment transaction counter */
23935 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23936
23937 #if 0
23938 /* add flow control logic */
23939- if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23940+ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23941 if (iavcc->vc_desc_cnt > 10) {
23942 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23943 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
23944diff -urNp linux-3.0.7/drivers/atm/lanai.c linux-3.0.7/drivers/atm/lanai.c
23945--- linux-3.0.7/drivers/atm/lanai.c 2011-07-21 22:17:23.000000000 -0400
23946+++ linux-3.0.7/drivers/atm/lanai.c 2011-08-23 21:47:55.000000000 -0400
23947@@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23948 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23949 lanai_endtx(lanai, lvcc);
23950 lanai_free_skb(lvcc->tx.atmvcc, skb);
23951- atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23952+ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23953 }
23954
23955 /* Try to fill the buffer - don't call unless there is backlog */
23956@@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23957 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23958 __net_timestamp(skb);
23959 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23960- atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23961+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23962 out:
23963 lvcc->rx.buf.ptr = end;
23964 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23965@@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23966 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23967 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23968 lanai->stats.service_rxnotaal5++;
23969- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23970+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23971 return 0;
23972 }
23973 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23974@@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23975 int bytes;
23976 read_unlock(&vcc_sklist_lock);
23977 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23978- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23979+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23980 lvcc->stats.x.aal5.service_trash++;
23981 bytes = (SERVICE_GET_END(s) * 16) -
23982 (((unsigned long) lvcc->rx.buf.ptr) -
23983@@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23984 }
23985 if (s & SERVICE_STREAM) {
23986 read_unlock(&vcc_sklist_lock);
23987- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23988+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23989 lvcc->stats.x.aal5.service_stream++;
23990 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23991 "PDU on VCI %d!\n", lanai->number, vci);
23992@@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23993 return 0;
23994 }
23995 DPRINTK("got rx crc error on vci %d\n", vci);
23996- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23997+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23998 lvcc->stats.x.aal5.service_rxcrc++;
23999 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
24000 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
24001diff -urNp linux-3.0.7/drivers/atm/nicstar.c linux-3.0.7/drivers/atm/nicstar.c
24002--- linux-3.0.7/drivers/atm/nicstar.c 2011-07-21 22:17:23.000000000 -0400
24003+++ linux-3.0.7/drivers/atm/nicstar.c 2011-08-23 21:47:55.000000000 -0400
24004@@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
24005 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
24006 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
24007 card->index);
24008- atomic_inc(&vcc->stats->tx_err);
24009+ atomic_inc_unchecked(&vcc->stats->tx_err);
24010 dev_kfree_skb_any(skb);
24011 return -EINVAL;
24012 }
24013@@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
24014 if (!vc->tx) {
24015 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
24016 card->index);
24017- atomic_inc(&vcc->stats->tx_err);
24018+ atomic_inc_unchecked(&vcc->stats->tx_err);
24019 dev_kfree_skb_any(skb);
24020 return -EINVAL;
24021 }
24022@@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
24023 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
24024 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
24025 card->index);
24026- atomic_inc(&vcc->stats->tx_err);
24027+ atomic_inc_unchecked(&vcc->stats->tx_err);
24028 dev_kfree_skb_any(skb);
24029 return -EINVAL;
24030 }
24031
24032 if (skb_shinfo(skb)->nr_frags != 0) {
24033 printk("nicstar%d: No scatter-gather yet.\n", card->index);
24034- atomic_inc(&vcc->stats->tx_err);
24035+ atomic_inc_unchecked(&vcc->stats->tx_err);
24036 dev_kfree_skb_any(skb);
24037 return -EINVAL;
24038 }
24039@@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
24040 }
24041
24042 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
24043- atomic_inc(&vcc->stats->tx_err);
24044+ atomic_inc_unchecked(&vcc->stats->tx_err);
24045 dev_kfree_skb_any(skb);
24046 return -EIO;
24047 }
24048- atomic_inc(&vcc->stats->tx);
24049+ atomic_inc_unchecked(&vcc->stats->tx);
24050
24051 return 0;
24052 }
24053@@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
24054 printk
24055 ("nicstar%d: Can't allocate buffers for aal0.\n",
24056 card->index);
24057- atomic_add(i, &vcc->stats->rx_drop);
24058+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
24059 break;
24060 }
24061 if (!atm_charge(vcc, sb->truesize)) {
24062 RXPRINTK
24063 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
24064 card->index);
24065- atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
24066+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
24067 dev_kfree_skb_any(sb);
24068 break;
24069 }
24070@@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
24071 ATM_SKB(sb)->vcc = vcc;
24072 __net_timestamp(sb);
24073 vcc->push(vcc, sb);
24074- atomic_inc(&vcc->stats->rx);
24075+ atomic_inc_unchecked(&vcc->stats->rx);
24076 cell += ATM_CELL_PAYLOAD;
24077 }
24078
24079@@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
24080 if (iovb == NULL) {
24081 printk("nicstar%d: Out of iovec buffers.\n",
24082 card->index);
24083- atomic_inc(&vcc->stats->rx_drop);
24084+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24085 recycle_rx_buf(card, skb);
24086 return;
24087 }
24088@@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
24089 small or large buffer itself. */
24090 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
24091 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
24092- atomic_inc(&vcc->stats->rx_err);
24093+ atomic_inc_unchecked(&vcc->stats->rx_err);
24094 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24095 NS_MAX_IOVECS);
24096 NS_PRV_IOVCNT(iovb) = 0;
24097@@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
24098 ("nicstar%d: Expected a small buffer, and this is not one.\n",
24099 card->index);
24100 which_list(card, skb);
24101- atomic_inc(&vcc->stats->rx_err);
24102+ atomic_inc_unchecked(&vcc->stats->rx_err);
24103 recycle_rx_buf(card, skb);
24104 vc->rx_iov = NULL;
24105 recycle_iov_buf(card, iovb);
24106@@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
24107 ("nicstar%d: Expected a large buffer, and this is not one.\n",
24108 card->index);
24109 which_list(card, skb);
24110- atomic_inc(&vcc->stats->rx_err);
24111+ atomic_inc_unchecked(&vcc->stats->rx_err);
24112 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24113 NS_PRV_IOVCNT(iovb));
24114 vc->rx_iov = NULL;
24115@@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
24116 printk(" - PDU size mismatch.\n");
24117 else
24118 printk(".\n");
24119- atomic_inc(&vcc->stats->rx_err);
24120+ atomic_inc_unchecked(&vcc->stats->rx_err);
24121 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24122 NS_PRV_IOVCNT(iovb));
24123 vc->rx_iov = NULL;
24124@@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
24125 /* skb points to a small buffer */
24126 if (!atm_charge(vcc, skb->truesize)) {
24127 push_rxbufs(card, skb);
24128- atomic_inc(&vcc->stats->rx_drop);
24129+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24130 } else {
24131 skb_put(skb, len);
24132 dequeue_sm_buf(card, skb);
24133@@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
24134 ATM_SKB(skb)->vcc = vcc;
24135 __net_timestamp(skb);
24136 vcc->push(vcc, skb);
24137- atomic_inc(&vcc->stats->rx);
24138+ atomic_inc_unchecked(&vcc->stats->rx);
24139 }
24140 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
24141 struct sk_buff *sb;
24142@@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
24143 if (len <= NS_SMBUFSIZE) {
24144 if (!atm_charge(vcc, sb->truesize)) {
24145 push_rxbufs(card, sb);
24146- atomic_inc(&vcc->stats->rx_drop);
24147+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24148 } else {
24149 skb_put(sb, len);
24150 dequeue_sm_buf(card, sb);
24151@@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
24152 ATM_SKB(sb)->vcc = vcc;
24153 __net_timestamp(sb);
24154 vcc->push(vcc, sb);
24155- atomic_inc(&vcc->stats->rx);
24156+ atomic_inc_unchecked(&vcc->stats->rx);
24157 }
24158
24159 push_rxbufs(card, skb);
24160@@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
24161
24162 if (!atm_charge(vcc, skb->truesize)) {
24163 push_rxbufs(card, skb);
24164- atomic_inc(&vcc->stats->rx_drop);
24165+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24166 } else {
24167 dequeue_lg_buf(card, skb);
24168 #ifdef NS_USE_DESTRUCTORS
24169@@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
24170 ATM_SKB(skb)->vcc = vcc;
24171 __net_timestamp(skb);
24172 vcc->push(vcc, skb);
24173- atomic_inc(&vcc->stats->rx);
24174+ atomic_inc_unchecked(&vcc->stats->rx);
24175 }
24176
24177 push_rxbufs(card, sb);
24178@@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
24179 printk
24180 ("nicstar%d: Out of huge buffers.\n",
24181 card->index);
24182- atomic_inc(&vcc->stats->rx_drop);
24183+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24184 recycle_iovec_rx_bufs(card,
24185 (struct iovec *)
24186 iovb->data,
24187@@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
24188 card->hbpool.count++;
24189 } else
24190 dev_kfree_skb_any(hb);
24191- atomic_inc(&vcc->stats->rx_drop);
24192+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24193 } else {
24194 /* Copy the small buffer to the huge buffer */
24195 sb = (struct sk_buff *)iov->iov_base;
24196@@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
24197 #endif /* NS_USE_DESTRUCTORS */
24198 __net_timestamp(hb);
24199 vcc->push(vcc, hb);
24200- atomic_inc(&vcc->stats->rx);
24201+ atomic_inc_unchecked(&vcc->stats->rx);
24202 }
24203 }
24204
24205diff -urNp linux-3.0.7/drivers/atm/solos-pci.c linux-3.0.7/drivers/atm/solos-pci.c
24206--- linux-3.0.7/drivers/atm/solos-pci.c 2011-07-21 22:17:23.000000000 -0400
24207+++ linux-3.0.7/drivers/atm/solos-pci.c 2011-08-23 21:48:14.000000000 -0400
24208@@ -714,7 +714,7 @@ void solos_bh(unsigned long card_arg)
24209 }
24210 atm_charge(vcc, skb->truesize);
24211 vcc->push(vcc, skb);
24212- atomic_inc(&vcc->stats->rx);
24213+ atomic_inc_unchecked(&vcc->stats->rx);
24214 break;
24215
24216 case PKT_STATUS:
24217@@ -899,6 +899,8 @@ static int print_buffer(struct sk_buff *
24218 char msg[500];
24219 char item[10];
24220
24221+ pax_track_stack();
24222+
24223 len = buf->len;
24224 for (i = 0; i < len; i++){
24225 if(i % 8 == 0)
24226@@ -1008,7 +1010,7 @@ static uint32_t fpga_tx(struct solos_car
24227 vcc = SKB_CB(oldskb)->vcc;
24228
24229 if (vcc) {
24230- atomic_inc(&vcc->stats->tx);
24231+ atomic_inc_unchecked(&vcc->stats->tx);
24232 solos_pop(vcc, oldskb);
24233 } else
24234 dev_kfree_skb_irq(oldskb);
24235diff -urNp linux-3.0.7/drivers/atm/suni.c linux-3.0.7/drivers/atm/suni.c
24236--- linux-3.0.7/drivers/atm/suni.c 2011-07-21 22:17:23.000000000 -0400
24237+++ linux-3.0.7/drivers/atm/suni.c 2011-08-23 21:47:55.000000000 -0400
24238@@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
24239
24240
24241 #define ADD_LIMITED(s,v) \
24242- atomic_add((v),&stats->s); \
24243- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
24244+ atomic_add_unchecked((v),&stats->s); \
24245+ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
24246
24247
24248 static void suni_hz(unsigned long from_timer)
24249diff -urNp linux-3.0.7/drivers/atm/uPD98402.c linux-3.0.7/drivers/atm/uPD98402.c
24250--- linux-3.0.7/drivers/atm/uPD98402.c 2011-07-21 22:17:23.000000000 -0400
24251+++ linux-3.0.7/drivers/atm/uPD98402.c 2011-08-23 21:47:55.000000000 -0400
24252@@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
24253 struct sonet_stats tmp;
24254 int error = 0;
24255
24256- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
24257+ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
24258 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
24259 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
24260 if (zero && !error) {
24261@@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
24262
24263
24264 #define ADD_LIMITED(s,v) \
24265- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
24266- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
24267- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24268+ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
24269+ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
24270+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24271
24272
24273 static void stat_event(struct atm_dev *dev)
24274@@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
24275 if (reason & uPD98402_INT_PFM) stat_event(dev);
24276 if (reason & uPD98402_INT_PCO) {
24277 (void) GET(PCOCR); /* clear interrupt cause */
24278- atomic_add(GET(HECCT),
24279+ atomic_add_unchecked(GET(HECCT),
24280 &PRIV(dev)->sonet_stats.uncorr_hcs);
24281 }
24282 if ((reason & uPD98402_INT_RFO) &&
24283@@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
24284 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
24285 uPD98402_INT_LOS),PIMR); /* enable them */
24286 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
24287- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24288- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
24289- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
24290+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24291+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
24292+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
24293 return 0;
24294 }
24295
24296diff -urNp linux-3.0.7/drivers/atm/zatm.c linux-3.0.7/drivers/atm/zatm.c
24297--- linux-3.0.7/drivers/atm/zatm.c 2011-07-21 22:17:23.000000000 -0400
24298+++ linux-3.0.7/drivers/atm/zatm.c 2011-08-23 21:47:55.000000000 -0400
24299@@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24300 }
24301 if (!size) {
24302 dev_kfree_skb_irq(skb);
24303- if (vcc) atomic_inc(&vcc->stats->rx_err);
24304+ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
24305 continue;
24306 }
24307 if (!atm_charge(vcc,skb->truesize)) {
24308@@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24309 skb->len = size;
24310 ATM_SKB(skb)->vcc = vcc;
24311 vcc->push(vcc,skb);
24312- atomic_inc(&vcc->stats->rx);
24313+ atomic_inc_unchecked(&vcc->stats->rx);
24314 }
24315 zout(pos & 0xffff,MTA(mbx));
24316 #if 0 /* probably a stupid idea */
24317@@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
24318 skb_queue_head(&zatm_vcc->backlog,skb);
24319 break;
24320 }
24321- atomic_inc(&vcc->stats->tx);
24322+ atomic_inc_unchecked(&vcc->stats->tx);
24323 wake_up(&zatm_vcc->tx_wait);
24324 }
24325
24326diff -urNp linux-3.0.7/drivers/base/devtmpfs.c linux-3.0.7/drivers/base/devtmpfs.c
24327--- linux-3.0.7/drivers/base/devtmpfs.c 2011-07-21 22:17:23.000000000 -0400
24328+++ linux-3.0.7/drivers/base/devtmpfs.c 2011-10-06 04:17:55.000000000 -0400
24329@@ -357,7 +357,7 @@ int devtmpfs_mount(const char *mntdir)
24330 if (!dev_mnt)
24331 return 0;
24332
24333- err = sys_mount("devtmpfs", (char *)mntdir, "devtmpfs", MS_SILENT, NULL);
24334+ err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)mntdir, (char __force_user *)"devtmpfs", MS_SILENT, NULL);
24335 if (err)
24336 printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
24337 else
24338diff -urNp linux-3.0.7/drivers/base/power/wakeup.c linux-3.0.7/drivers/base/power/wakeup.c
24339--- linux-3.0.7/drivers/base/power/wakeup.c 2011-07-21 22:17:23.000000000 -0400
24340+++ linux-3.0.7/drivers/base/power/wakeup.c 2011-08-23 21:47:55.000000000 -0400
24341@@ -29,14 +29,14 @@ bool events_check_enabled;
24342 * They need to be modified together atomically, so it's better to use one
24343 * atomic variable to hold them both.
24344 */
24345-static atomic_t combined_event_count = ATOMIC_INIT(0);
24346+static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
24347
24348 #define IN_PROGRESS_BITS (sizeof(int) * 4)
24349 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
24350
24351 static void split_counters(unsigned int *cnt, unsigned int *inpr)
24352 {
24353- unsigned int comb = atomic_read(&combined_event_count);
24354+ unsigned int comb = atomic_read_unchecked(&combined_event_count);
24355
24356 *cnt = (comb >> IN_PROGRESS_BITS);
24357 *inpr = comb & MAX_IN_PROGRESS;
24358@@ -350,7 +350,7 @@ static void wakeup_source_activate(struc
24359 ws->last_time = ktime_get();
24360
24361 /* Increment the counter of events in progress. */
24362- atomic_inc(&combined_event_count);
24363+ atomic_inc_unchecked(&combined_event_count);
24364 }
24365
24366 /**
24367@@ -440,7 +440,7 @@ static void wakeup_source_deactivate(str
24368 * Increment the counter of registered wakeup events and decrement the
24369 * couter of wakeup events in progress simultaneously.
24370 */
24371- atomic_add(MAX_IN_PROGRESS, &combined_event_count);
24372+ atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count);
24373 }
24374
24375 /**
24376diff -urNp linux-3.0.7/drivers/block/DAC960.c linux-3.0.7/drivers/block/DAC960.c
24377--- linux-3.0.7/drivers/block/DAC960.c 2011-07-21 22:17:23.000000000 -0400
24378+++ linux-3.0.7/drivers/block/DAC960.c 2011-08-23 21:48:14.000000000 -0400
24379@@ -1980,6 +1980,8 @@ static bool DAC960_V1_ReadDeviceConfigur
24380 unsigned long flags;
24381 int Channel, TargetID;
24382
24383+ pax_track_stack();
24384+
24385 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
24386 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
24387 sizeof(DAC960_SCSI_Inquiry_T) +
24388diff -urNp linux-3.0.7/drivers/block/cciss.c linux-3.0.7/drivers/block/cciss.c
24389--- linux-3.0.7/drivers/block/cciss.c 2011-07-21 22:17:23.000000000 -0400
24390+++ linux-3.0.7/drivers/block/cciss.c 2011-08-23 21:48:14.000000000 -0400
24391@@ -1179,6 +1179,8 @@ static int cciss_ioctl32_passthru(struct
24392 int err;
24393 u32 cp;
24394
24395+ memset(&arg64, 0, sizeof(arg64));
24396+
24397 err = 0;
24398 err |=
24399 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
24400@@ -2986,7 +2988,7 @@ static void start_io(ctlr_info_t *h)
24401 while (!list_empty(&h->reqQ)) {
24402 c = list_entry(h->reqQ.next, CommandList_struct, list);
24403 /* can't do anything if fifo is full */
24404- if ((h->access.fifo_full(h))) {
24405+ if ((h->access->fifo_full(h))) {
24406 dev_warn(&h->pdev->dev, "fifo full\n");
24407 break;
24408 }
24409@@ -2996,7 +2998,7 @@ static void start_io(ctlr_info_t *h)
24410 h->Qdepth--;
24411
24412 /* Tell the controller execute command */
24413- h->access.submit_command(h, c);
24414+ h->access->submit_command(h, c);
24415
24416 /* Put job onto the completed Q */
24417 addQ(&h->cmpQ, c);
24418@@ -3422,17 +3424,17 @@ startio:
24419
24420 static inline unsigned long get_next_completion(ctlr_info_t *h)
24421 {
24422- return h->access.command_completed(h);
24423+ return h->access->command_completed(h);
24424 }
24425
24426 static inline int interrupt_pending(ctlr_info_t *h)
24427 {
24428- return h->access.intr_pending(h);
24429+ return h->access->intr_pending(h);
24430 }
24431
24432 static inline long interrupt_not_for_us(ctlr_info_t *h)
24433 {
24434- return ((h->access.intr_pending(h) == 0) ||
24435+ return ((h->access->intr_pending(h) == 0) ||
24436 (h->interrupts_enabled == 0));
24437 }
24438
24439@@ -3465,7 +3467,7 @@ static inline u32 next_command(ctlr_info
24440 u32 a;
24441
24442 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
24443- return h->access.command_completed(h);
24444+ return h->access->command_completed(h);
24445
24446 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
24447 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
24448@@ -4020,7 +4022,7 @@ static void __devinit cciss_put_controll
24449 trans_support & CFGTBL_Trans_use_short_tags);
24450
24451 /* Change the access methods to the performant access methods */
24452- h->access = SA5_performant_access;
24453+ h->access = &SA5_performant_access;
24454 h->transMethod = CFGTBL_Trans_Performant;
24455
24456 return;
24457@@ -4292,7 +4294,7 @@ static int __devinit cciss_pci_init(ctlr
24458 if (prod_index < 0)
24459 return -ENODEV;
24460 h->product_name = products[prod_index].product_name;
24461- h->access = *(products[prod_index].access);
24462+ h->access = products[prod_index].access;
24463
24464 if (cciss_board_disabled(h)) {
24465 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
24466@@ -5002,7 +5004,7 @@ reinit_after_soft_reset:
24467 }
24468
24469 /* make sure the board interrupts are off */
24470- h->access.set_intr_mask(h, CCISS_INTR_OFF);
24471+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
24472 rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
24473 if (rc)
24474 goto clean2;
24475@@ -5054,7 +5056,7 @@ reinit_after_soft_reset:
24476 * fake ones to scoop up any residual completions.
24477 */
24478 spin_lock_irqsave(&h->lock, flags);
24479- h->access.set_intr_mask(h, CCISS_INTR_OFF);
24480+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
24481 spin_unlock_irqrestore(&h->lock, flags);
24482 free_irq(h->intr[PERF_MODE_INT], h);
24483 rc = cciss_request_irq(h, cciss_msix_discard_completions,
24484@@ -5074,9 +5076,9 @@ reinit_after_soft_reset:
24485 dev_info(&h->pdev->dev, "Board READY.\n");
24486 dev_info(&h->pdev->dev,
24487 "Waiting for stale completions to drain.\n");
24488- h->access.set_intr_mask(h, CCISS_INTR_ON);
24489+ h->access->set_intr_mask(h, CCISS_INTR_ON);
24490 msleep(10000);
24491- h->access.set_intr_mask(h, CCISS_INTR_OFF);
24492+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
24493
24494 rc = controller_reset_failed(h->cfgtable);
24495 if (rc)
24496@@ -5099,7 +5101,7 @@ reinit_after_soft_reset:
24497 cciss_scsi_setup(h);
24498
24499 /* Turn the interrupts on so we can service requests */
24500- h->access.set_intr_mask(h, CCISS_INTR_ON);
24501+ h->access->set_intr_mask(h, CCISS_INTR_ON);
24502
24503 /* Get the firmware version */
24504 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
24505@@ -5171,7 +5173,7 @@ static void cciss_shutdown(struct pci_de
24506 kfree(flush_buf);
24507 if (return_code != IO_OK)
24508 dev_warn(&h->pdev->dev, "Error flushing cache\n");
24509- h->access.set_intr_mask(h, CCISS_INTR_OFF);
24510+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
24511 free_irq(h->intr[PERF_MODE_INT], h);
24512 }
24513
24514diff -urNp linux-3.0.7/drivers/block/cciss.h linux-3.0.7/drivers/block/cciss.h
24515--- linux-3.0.7/drivers/block/cciss.h 2011-09-02 18:11:21.000000000 -0400
24516+++ linux-3.0.7/drivers/block/cciss.h 2011-08-23 21:47:55.000000000 -0400
24517@@ -100,7 +100,7 @@ struct ctlr_info
24518 /* information about each logical volume */
24519 drive_info_struct *drv[CISS_MAX_LUN];
24520
24521- struct access_method access;
24522+ struct access_method *access;
24523
24524 /* queue and queue Info */
24525 struct list_head reqQ;
24526diff -urNp linux-3.0.7/drivers/block/cpqarray.c linux-3.0.7/drivers/block/cpqarray.c
24527--- linux-3.0.7/drivers/block/cpqarray.c 2011-07-21 22:17:23.000000000 -0400
24528+++ linux-3.0.7/drivers/block/cpqarray.c 2011-08-23 21:48:14.000000000 -0400
24529@@ -404,7 +404,7 @@ static int __devinit cpqarray_register_c
24530 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
24531 goto Enomem4;
24532 }
24533- hba[i]->access.set_intr_mask(hba[i], 0);
24534+ hba[i]->access->set_intr_mask(hba[i], 0);
24535 if (request_irq(hba[i]->intr, do_ida_intr,
24536 IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
24537 {
24538@@ -459,7 +459,7 @@ static int __devinit cpqarray_register_c
24539 add_timer(&hba[i]->timer);
24540
24541 /* Enable IRQ now that spinlock and rate limit timer are set up */
24542- hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
24543+ hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
24544
24545 for(j=0; j<NWD; j++) {
24546 struct gendisk *disk = ida_gendisk[i][j];
24547@@ -694,7 +694,7 @@ DBGINFO(
24548 for(i=0; i<NR_PRODUCTS; i++) {
24549 if (board_id == products[i].board_id) {
24550 c->product_name = products[i].product_name;
24551- c->access = *(products[i].access);
24552+ c->access = products[i].access;
24553 break;
24554 }
24555 }
24556@@ -792,7 +792,7 @@ static int __devinit cpqarray_eisa_detec
24557 hba[ctlr]->intr = intr;
24558 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
24559 hba[ctlr]->product_name = products[j].product_name;
24560- hba[ctlr]->access = *(products[j].access);
24561+ hba[ctlr]->access = products[j].access;
24562 hba[ctlr]->ctlr = ctlr;
24563 hba[ctlr]->board_id = board_id;
24564 hba[ctlr]->pci_dev = NULL; /* not PCI */
24565@@ -911,6 +911,8 @@ static void do_ida_request(struct reques
24566 struct scatterlist tmp_sg[SG_MAX];
24567 int i, dir, seg;
24568
24569+ pax_track_stack();
24570+
24571 queue_next:
24572 creq = blk_peek_request(q);
24573 if (!creq)
24574@@ -980,7 +982,7 @@ static void start_io(ctlr_info_t *h)
24575
24576 while((c = h->reqQ) != NULL) {
24577 /* Can't do anything if we're busy */
24578- if (h->access.fifo_full(h) == 0)
24579+ if (h->access->fifo_full(h) == 0)
24580 return;
24581
24582 /* Get the first entry from the request Q */
24583@@ -988,7 +990,7 @@ static void start_io(ctlr_info_t *h)
24584 h->Qdepth--;
24585
24586 /* Tell the controller to do our bidding */
24587- h->access.submit_command(h, c);
24588+ h->access->submit_command(h, c);
24589
24590 /* Get onto the completion Q */
24591 addQ(&h->cmpQ, c);
24592@@ -1050,7 +1052,7 @@ static irqreturn_t do_ida_intr(int irq,
24593 unsigned long flags;
24594 __u32 a,a1;
24595
24596- istat = h->access.intr_pending(h);
24597+ istat = h->access->intr_pending(h);
24598 /* Is this interrupt for us? */
24599 if (istat == 0)
24600 return IRQ_NONE;
24601@@ -1061,7 +1063,7 @@ static irqreturn_t do_ida_intr(int irq,
24602 */
24603 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
24604 if (istat & FIFO_NOT_EMPTY) {
24605- while((a = h->access.command_completed(h))) {
24606+ while((a = h->access->command_completed(h))) {
24607 a1 = a; a &= ~3;
24608 if ((c = h->cmpQ) == NULL)
24609 {
24610@@ -1449,11 +1451,11 @@ static int sendcmd(
24611 /*
24612 * Disable interrupt
24613 */
24614- info_p->access.set_intr_mask(info_p, 0);
24615+ info_p->access->set_intr_mask(info_p, 0);
24616 /* Make sure there is room in the command FIFO */
24617 /* Actually it should be completely empty at this time. */
24618 for (i = 200000; i > 0; i--) {
24619- temp = info_p->access.fifo_full(info_p);
24620+ temp = info_p->access->fifo_full(info_p);
24621 if (temp != 0) {
24622 break;
24623 }
24624@@ -1466,7 +1468,7 @@ DBG(
24625 /*
24626 * Send the cmd
24627 */
24628- info_p->access.submit_command(info_p, c);
24629+ info_p->access->submit_command(info_p, c);
24630 complete = pollcomplete(ctlr);
24631
24632 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
24633@@ -1549,9 +1551,9 @@ static int revalidate_allvol(ctlr_info_t
24634 * we check the new geometry. Then turn interrupts back on when
24635 * we're done.
24636 */
24637- host->access.set_intr_mask(host, 0);
24638+ host->access->set_intr_mask(host, 0);
24639 getgeometry(ctlr);
24640- host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
24641+ host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
24642
24643 for(i=0; i<NWD; i++) {
24644 struct gendisk *disk = ida_gendisk[ctlr][i];
24645@@ -1591,7 +1593,7 @@ static int pollcomplete(int ctlr)
24646 /* Wait (up to 2 seconds) for a command to complete */
24647
24648 for (i = 200000; i > 0; i--) {
24649- done = hba[ctlr]->access.command_completed(hba[ctlr]);
24650+ done = hba[ctlr]->access->command_completed(hba[ctlr]);
24651 if (done == 0) {
24652 udelay(10); /* a short fixed delay */
24653 } else
24654diff -urNp linux-3.0.7/drivers/block/cpqarray.h linux-3.0.7/drivers/block/cpqarray.h
24655--- linux-3.0.7/drivers/block/cpqarray.h 2011-07-21 22:17:23.000000000 -0400
24656+++ linux-3.0.7/drivers/block/cpqarray.h 2011-08-23 21:47:55.000000000 -0400
24657@@ -99,7 +99,7 @@ struct ctlr_info {
24658 drv_info_t drv[NWD];
24659 struct proc_dir_entry *proc;
24660
24661- struct access_method access;
24662+ struct access_method *access;
24663
24664 cmdlist_t *reqQ;
24665 cmdlist_t *cmpQ;
24666diff -urNp linux-3.0.7/drivers/block/drbd/drbd_int.h linux-3.0.7/drivers/block/drbd/drbd_int.h
24667--- linux-3.0.7/drivers/block/drbd/drbd_int.h 2011-07-21 22:17:23.000000000 -0400
24668+++ linux-3.0.7/drivers/block/drbd/drbd_int.h 2011-10-06 04:17:55.000000000 -0400
24669@@ -737,7 +737,7 @@ struct drbd_request;
24670 struct drbd_epoch {
24671 struct list_head list;
24672 unsigned int barrier_nr;
24673- atomic_t epoch_size; /* increased on every request added. */
24674+ atomic_unchecked_t epoch_size; /* increased on every request added. */
24675 atomic_t active; /* increased on every req. added, and dec on every finished. */
24676 unsigned long flags;
24677 };
24678@@ -1109,7 +1109,7 @@ struct drbd_conf {
24679 void *int_dig_in;
24680 void *int_dig_vv;
24681 wait_queue_head_t seq_wait;
24682- atomic_t packet_seq;
24683+ atomic_unchecked_t packet_seq;
24684 unsigned int peer_seq;
24685 spinlock_t peer_seq_lock;
24686 unsigned int minor;
24687@@ -1618,30 +1618,30 @@ static inline int drbd_setsockopt(struct
24688
24689 static inline void drbd_tcp_cork(struct socket *sock)
24690 {
24691- int __user val = 1;
24692+ int val = 1;
24693 (void) drbd_setsockopt(sock, SOL_TCP, TCP_CORK,
24694- (char __user *)&val, sizeof(val));
24695+ (char __force_user *)&val, sizeof(val));
24696 }
24697
24698 static inline void drbd_tcp_uncork(struct socket *sock)
24699 {
24700- int __user val = 0;
24701+ int val = 0;
24702 (void) drbd_setsockopt(sock, SOL_TCP, TCP_CORK,
24703- (char __user *)&val, sizeof(val));
24704+ (char __force_user *)&val, sizeof(val));
24705 }
24706
24707 static inline void drbd_tcp_nodelay(struct socket *sock)
24708 {
24709- int __user val = 1;
24710+ int val = 1;
24711 (void) drbd_setsockopt(sock, SOL_TCP, TCP_NODELAY,
24712- (char __user *)&val, sizeof(val));
24713+ (char __force_user *)&val, sizeof(val));
24714 }
24715
24716 static inline void drbd_tcp_quickack(struct socket *sock)
24717 {
24718- int __user val = 2;
24719+ int val = 2;
24720 (void) drbd_setsockopt(sock, SOL_TCP, TCP_QUICKACK,
24721- (char __user *)&val, sizeof(val));
24722+ (char __force_user *)&val, sizeof(val));
24723 }
24724
24725 void drbd_bump_write_ordering(struct drbd_conf *mdev, enum write_ordering_e wo);
24726diff -urNp linux-3.0.7/drivers/block/drbd/drbd_main.c linux-3.0.7/drivers/block/drbd/drbd_main.c
24727--- linux-3.0.7/drivers/block/drbd/drbd_main.c 2011-07-21 22:17:23.000000000 -0400
24728+++ linux-3.0.7/drivers/block/drbd/drbd_main.c 2011-08-23 21:47:55.000000000 -0400
24729@@ -2397,7 +2397,7 @@ static int _drbd_send_ack(struct drbd_co
24730 p.sector = sector;
24731 p.block_id = block_id;
24732 p.blksize = blksize;
24733- p.seq_num = cpu_to_be32(atomic_add_return(1, &mdev->packet_seq));
24734+ p.seq_num = cpu_to_be32(atomic_add_return_unchecked(1, &mdev->packet_seq));
24735
24736 if (!mdev->meta.socket || mdev->state.conn < C_CONNECTED)
24737 return false;
24738@@ -2696,7 +2696,7 @@ int drbd_send_dblock(struct drbd_conf *m
24739 p.sector = cpu_to_be64(req->sector);
24740 p.block_id = (unsigned long)req;
24741 p.seq_num = cpu_to_be32(req->seq_num =
24742- atomic_add_return(1, &mdev->packet_seq));
24743+ atomic_add_return_unchecked(1, &mdev->packet_seq));
24744
24745 dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
24746
24747@@ -2981,7 +2981,7 @@ void drbd_init_set_defaults(struct drbd_
24748 atomic_set(&mdev->unacked_cnt, 0);
24749 atomic_set(&mdev->local_cnt, 0);
24750 atomic_set(&mdev->net_cnt, 0);
24751- atomic_set(&mdev->packet_seq, 0);
24752+ atomic_set_unchecked(&mdev->packet_seq, 0);
24753 atomic_set(&mdev->pp_in_use, 0);
24754 atomic_set(&mdev->pp_in_use_by_net, 0);
24755 atomic_set(&mdev->rs_sect_in, 0);
24756@@ -3063,8 +3063,8 @@ void drbd_mdev_cleanup(struct drbd_conf
24757 mdev->receiver.t_state);
24758
24759 /* no need to lock it, I'm the only thread alive */
24760- if (atomic_read(&mdev->current_epoch->epoch_size) != 0)
24761- dev_err(DEV, "epoch_size:%d\n", atomic_read(&mdev->current_epoch->epoch_size));
24762+ if (atomic_read_unchecked(&mdev->current_epoch->epoch_size) != 0)
24763+ dev_err(DEV, "epoch_size:%d\n", atomic_read_unchecked(&mdev->current_epoch->epoch_size));
24764 mdev->al_writ_cnt =
24765 mdev->bm_writ_cnt =
24766 mdev->read_cnt =
24767diff -urNp linux-3.0.7/drivers/block/drbd/drbd_nl.c linux-3.0.7/drivers/block/drbd/drbd_nl.c
24768--- linux-3.0.7/drivers/block/drbd/drbd_nl.c 2011-07-21 22:17:23.000000000 -0400
24769+++ linux-3.0.7/drivers/block/drbd/drbd_nl.c 2011-08-23 21:47:55.000000000 -0400
24770@@ -2359,7 +2359,7 @@ static void drbd_connector_callback(stru
24771 module_put(THIS_MODULE);
24772 }
24773
24774-static atomic_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
24775+static atomic_unchecked_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
24776
24777 static unsigned short *
24778 __tl_add_blob(unsigned short *tl, enum drbd_tags tag, const void *data,
24779@@ -2430,7 +2430,7 @@ void drbd_bcast_state(struct drbd_conf *
24780 cn_reply->id.idx = CN_IDX_DRBD;
24781 cn_reply->id.val = CN_VAL_DRBD;
24782
24783- cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
24784+ cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
24785 cn_reply->ack = 0; /* not used here. */
24786 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
24787 (int)((char *)tl - (char *)reply->tag_list);
24788@@ -2462,7 +2462,7 @@ void drbd_bcast_ev_helper(struct drbd_co
24789 cn_reply->id.idx = CN_IDX_DRBD;
24790 cn_reply->id.val = CN_VAL_DRBD;
24791
24792- cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
24793+ cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
24794 cn_reply->ack = 0; /* not used here. */
24795 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
24796 (int)((char *)tl - (char *)reply->tag_list);
24797@@ -2540,7 +2540,7 @@ void drbd_bcast_ee(struct drbd_conf *mde
24798 cn_reply->id.idx = CN_IDX_DRBD;
24799 cn_reply->id.val = CN_VAL_DRBD;
24800
24801- cn_reply->seq = atomic_add_return(1,&drbd_nl_seq);
24802+ cn_reply->seq = atomic_add_return_unchecked(1,&drbd_nl_seq);
24803 cn_reply->ack = 0; // not used here.
24804 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
24805 (int)((char*)tl - (char*)reply->tag_list);
24806@@ -2579,7 +2579,7 @@ void drbd_bcast_sync_progress(struct drb
24807 cn_reply->id.idx = CN_IDX_DRBD;
24808 cn_reply->id.val = CN_VAL_DRBD;
24809
24810- cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
24811+ cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
24812 cn_reply->ack = 0; /* not used here. */
24813 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
24814 (int)((char *)tl - (char *)reply->tag_list);
24815diff -urNp linux-3.0.7/drivers/block/drbd/drbd_receiver.c linux-3.0.7/drivers/block/drbd/drbd_receiver.c
24816--- linux-3.0.7/drivers/block/drbd/drbd_receiver.c 2011-07-21 22:17:23.000000000 -0400
24817+++ linux-3.0.7/drivers/block/drbd/drbd_receiver.c 2011-08-23 21:47:55.000000000 -0400
24818@@ -894,7 +894,7 @@ retry:
24819 sock->sk->sk_sndtimeo = mdev->net_conf->timeout*HZ/10;
24820 sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
24821
24822- atomic_set(&mdev->packet_seq, 0);
24823+ atomic_set_unchecked(&mdev->packet_seq, 0);
24824 mdev->peer_seq = 0;
24825
24826 drbd_thread_start(&mdev->asender);
24827@@ -985,7 +985,7 @@ static enum finish_epoch drbd_may_finish
24828 do {
24829 next_epoch = NULL;
24830
24831- epoch_size = atomic_read(&epoch->epoch_size);
24832+ epoch_size = atomic_read_unchecked(&epoch->epoch_size);
24833
24834 switch (ev & ~EV_CLEANUP) {
24835 case EV_PUT:
24836@@ -1020,7 +1020,7 @@ static enum finish_epoch drbd_may_finish
24837 rv = FE_DESTROYED;
24838 } else {
24839 epoch->flags = 0;
24840- atomic_set(&epoch->epoch_size, 0);
24841+ atomic_set_unchecked(&epoch->epoch_size, 0);
24842 /* atomic_set(&epoch->active, 0); is already zero */
24843 if (rv == FE_STILL_LIVE)
24844 rv = FE_RECYCLED;
24845@@ -1191,14 +1191,14 @@ static int receive_Barrier(struct drbd_c
24846 drbd_wait_ee_list_empty(mdev, &mdev->active_ee);
24847 drbd_flush(mdev);
24848
24849- if (atomic_read(&mdev->current_epoch->epoch_size)) {
24850+ if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
24851 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
24852 if (epoch)
24853 break;
24854 }
24855
24856 epoch = mdev->current_epoch;
24857- wait_event(mdev->ee_wait, atomic_read(&epoch->epoch_size) == 0);
24858+ wait_event(mdev->ee_wait, atomic_read_unchecked(&epoch->epoch_size) == 0);
24859
24860 D_ASSERT(atomic_read(&epoch->active) == 0);
24861 D_ASSERT(epoch->flags == 0);
24862@@ -1210,11 +1210,11 @@ static int receive_Barrier(struct drbd_c
24863 }
24864
24865 epoch->flags = 0;
24866- atomic_set(&epoch->epoch_size, 0);
24867+ atomic_set_unchecked(&epoch->epoch_size, 0);
24868 atomic_set(&epoch->active, 0);
24869
24870 spin_lock(&mdev->epoch_lock);
24871- if (atomic_read(&mdev->current_epoch->epoch_size)) {
24872+ if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
24873 list_add(&epoch->list, &mdev->current_epoch->list);
24874 mdev->current_epoch = epoch;
24875 mdev->epochs++;
24876@@ -1663,7 +1663,7 @@ static int receive_Data(struct drbd_conf
24877 spin_unlock(&mdev->peer_seq_lock);
24878
24879 drbd_send_ack_dp(mdev, P_NEG_ACK, p, data_size);
24880- atomic_inc(&mdev->current_epoch->epoch_size);
24881+ atomic_inc_unchecked(&mdev->current_epoch->epoch_size);
24882 return drbd_drain_block(mdev, data_size);
24883 }
24884
24885@@ -1689,7 +1689,7 @@ static int receive_Data(struct drbd_conf
24886
24887 spin_lock(&mdev->epoch_lock);
24888 e->epoch = mdev->current_epoch;
24889- atomic_inc(&e->epoch->epoch_size);
24890+ atomic_inc_unchecked(&e->epoch->epoch_size);
24891 atomic_inc(&e->epoch->active);
24892 spin_unlock(&mdev->epoch_lock);
24893
24894@@ -3885,7 +3885,7 @@ static void drbd_disconnect(struct drbd_
24895 D_ASSERT(list_empty(&mdev->done_ee));
24896
24897 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
24898- atomic_set(&mdev->current_epoch->epoch_size, 0);
24899+ atomic_set_unchecked(&mdev->current_epoch->epoch_size, 0);
24900 D_ASSERT(list_empty(&mdev->current_epoch->list));
24901 }
24902
24903diff -urNp linux-3.0.7/drivers/block/loop.c linux-3.0.7/drivers/block/loop.c
24904--- linux-3.0.7/drivers/block/loop.c 2011-09-02 18:11:26.000000000 -0400
24905+++ linux-3.0.7/drivers/block/loop.c 2011-10-06 04:17:55.000000000 -0400
24906@@ -283,7 +283,7 @@ static int __do_lo_send_write(struct fil
24907 mm_segment_t old_fs = get_fs();
24908
24909 set_fs(get_ds());
24910- bw = file->f_op->write(file, buf, len, &pos);
24911+ bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
24912 set_fs(old_fs);
24913 if (likely(bw == len))
24914 return 0;
24915diff -urNp linux-3.0.7/drivers/block/nbd.c linux-3.0.7/drivers/block/nbd.c
24916--- linux-3.0.7/drivers/block/nbd.c 2011-07-21 22:17:23.000000000 -0400
24917+++ linux-3.0.7/drivers/block/nbd.c 2011-08-23 21:48:14.000000000 -0400
24918@@ -157,6 +157,8 @@ static int sock_xmit(struct nbd_device *
24919 struct kvec iov;
24920 sigset_t blocked, oldset;
24921
24922+ pax_track_stack();
24923+
24924 if (unlikely(!sock)) {
24925 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
24926 lo->disk->disk_name, (send ? "send" : "recv"));
24927@@ -572,6 +574,8 @@ static void do_nbd_request(struct reques
24928 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
24929 unsigned int cmd, unsigned long arg)
24930 {
24931+ pax_track_stack();
24932+
24933 switch (cmd) {
24934 case NBD_DISCONNECT: {
24935 struct request sreq;
24936diff -urNp linux-3.0.7/drivers/char/Kconfig linux-3.0.7/drivers/char/Kconfig
24937--- linux-3.0.7/drivers/char/Kconfig 2011-07-21 22:17:23.000000000 -0400
24938+++ linux-3.0.7/drivers/char/Kconfig 2011-08-23 21:48:14.000000000 -0400
24939@@ -8,7 +8,8 @@ source "drivers/tty/Kconfig"
24940
24941 config DEVKMEM
24942 bool "/dev/kmem virtual device support"
24943- default y
24944+ default n
24945+ depends on !GRKERNSEC_KMEM
24946 help
24947 Say Y here if you want to support the /dev/kmem device. The
24948 /dev/kmem device is rarely used, but can be used for certain
24949@@ -596,6 +597,7 @@ config DEVPORT
24950 bool
24951 depends on !M68K
24952 depends on ISA || PCI
24953+ depends on !GRKERNSEC_KMEM
24954 default y
24955
24956 source "drivers/s390/char/Kconfig"
24957diff -urNp linux-3.0.7/drivers/char/agp/frontend.c linux-3.0.7/drivers/char/agp/frontend.c
24958--- linux-3.0.7/drivers/char/agp/frontend.c 2011-07-21 22:17:23.000000000 -0400
24959+++ linux-3.0.7/drivers/char/agp/frontend.c 2011-08-23 21:47:55.000000000 -0400
24960@@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
24961 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
24962 return -EFAULT;
24963
24964- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
24965+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
24966 return -EFAULT;
24967
24968 client = agp_find_client_by_pid(reserve.pid);
24969diff -urNp linux-3.0.7/drivers/char/briq_panel.c linux-3.0.7/drivers/char/briq_panel.c
24970--- linux-3.0.7/drivers/char/briq_panel.c 2011-07-21 22:17:23.000000000 -0400
24971+++ linux-3.0.7/drivers/char/briq_panel.c 2011-08-23 21:48:14.000000000 -0400
24972@@ -9,6 +9,7 @@
24973 #include <linux/types.h>
24974 #include <linux/errno.h>
24975 #include <linux/tty.h>
24976+#include <linux/mutex.h>
24977 #include <linux/timer.h>
24978 #include <linux/kernel.h>
24979 #include <linux/wait.h>
24980@@ -34,6 +35,7 @@ static int vfd_is_open;
24981 static unsigned char vfd[40];
24982 static int vfd_cursor;
24983 static unsigned char ledpb, led;
24984+static DEFINE_MUTEX(vfd_mutex);
24985
24986 static void update_vfd(void)
24987 {
24988@@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
24989 if (!vfd_is_open)
24990 return -EBUSY;
24991
24992+ mutex_lock(&vfd_mutex);
24993 for (;;) {
24994 char c;
24995 if (!indx)
24996 break;
24997- if (get_user(c, buf))
24998+ if (get_user(c, buf)) {
24999+ mutex_unlock(&vfd_mutex);
25000 return -EFAULT;
25001+ }
25002 if (esc) {
25003 set_led(c);
25004 esc = 0;
25005@@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
25006 buf++;
25007 }
25008 update_vfd();
25009+ mutex_unlock(&vfd_mutex);
25010
25011 return len;
25012 }
25013diff -urNp linux-3.0.7/drivers/char/genrtc.c linux-3.0.7/drivers/char/genrtc.c
25014--- linux-3.0.7/drivers/char/genrtc.c 2011-07-21 22:17:23.000000000 -0400
25015+++ linux-3.0.7/drivers/char/genrtc.c 2011-08-23 21:48:14.000000000 -0400
25016@@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
25017 switch (cmd) {
25018
25019 case RTC_PLL_GET:
25020+ memset(&pll, 0, sizeof(pll));
25021 if (get_rtc_pll(&pll))
25022 return -EINVAL;
25023 else
25024diff -urNp linux-3.0.7/drivers/char/hpet.c linux-3.0.7/drivers/char/hpet.c
25025--- linux-3.0.7/drivers/char/hpet.c 2011-07-21 22:17:23.000000000 -0400
25026+++ linux-3.0.7/drivers/char/hpet.c 2011-08-23 21:47:55.000000000 -0400
25027@@ -572,7 +572,7 @@ static inline unsigned long hpet_time_di
25028 }
25029
25030 static int
25031-hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
25032+hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
25033 struct hpet_info *info)
25034 {
25035 struct hpet_timer __iomem *timer;
25036diff -urNp linux-3.0.7/drivers/char/ipmi/ipmi_msghandler.c linux-3.0.7/drivers/char/ipmi/ipmi_msghandler.c
25037--- linux-3.0.7/drivers/char/ipmi/ipmi_msghandler.c 2011-07-21 22:17:23.000000000 -0400
25038+++ linux-3.0.7/drivers/char/ipmi/ipmi_msghandler.c 2011-08-23 21:48:14.000000000 -0400
25039@@ -415,7 +415,7 @@ struct ipmi_smi {
25040 struct proc_dir_entry *proc_dir;
25041 char proc_dir_name[10];
25042
25043- atomic_t stats[IPMI_NUM_STATS];
25044+ atomic_unchecked_t stats[IPMI_NUM_STATS];
25045
25046 /*
25047 * run_to_completion duplicate of smb_info, smi_info
25048@@ -448,9 +448,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
25049
25050
25051 #define ipmi_inc_stat(intf, stat) \
25052- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
25053+ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
25054 #define ipmi_get_stat(intf, stat) \
25055- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
25056+ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
25057
25058 static int is_lan_addr(struct ipmi_addr *addr)
25059 {
25060@@ -2868,7 +2868,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
25061 INIT_LIST_HEAD(&intf->cmd_rcvrs);
25062 init_waitqueue_head(&intf->waitq);
25063 for (i = 0; i < IPMI_NUM_STATS; i++)
25064- atomic_set(&intf->stats[i], 0);
25065+ atomic_set_unchecked(&intf->stats[i], 0);
25066
25067 intf->proc_dir = NULL;
25068
25069@@ -4220,6 +4220,8 @@ static void send_panic_events(char *str)
25070 struct ipmi_smi_msg smi_msg;
25071 struct ipmi_recv_msg recv_msg;
25072
25073+ pax_track_stack();
25074+
25075 si = (struct ipmi_system_interface_addr *) &addr;
25076 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
25077 si->channel = IPMI_BMC_CHANNEL;
25078diff -urNp linux-3.0.7/drivers/char/ipmi/ipmi_si_intf.c linux-3.0.7/drivers/char/ipmi/ipmi_si_intf.c
25079--- linux-3.0.7/drivers/char/ipmi/ipmi_si_intf.c 2011-07-21 22:17:23.000000000 -0400
25080+++ linux-3.0.7/drivers/char/ipmi/ipmi_si_intf.c 2011-08-23 21:47:55.000000000 -0400
25081@@ -277,7 +277,7 @@ struct smi_info {
25082 unsigned char slave_addr;
25083
25084 /* Counters and things for the proc filesystem. */
25085- atomic_t stats[SI_NUM_STATS];
25086+ atomic_unchecked_t stats[SI_NUM_STATS];
25087
25088 struct task_struct *thread;
25089
25090@@ -286,9 +286,9 @@ struct smi_info {
25091 };
25092
25093 #define smi_inc_stat(smi, stat) \
25094- atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
25095+ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
25096 #define smi_get_stat(smi, stat) \
25097- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
25098+ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
25099
25100 #define SI_MAX_PARMS 4
25101
25102@@ -3230,7 +3230,7 @@ static int try_smi_init(struct smi_info
25103 atomic_set(&new_smi->req_events, 0);
25104 new_smi->run_to_completion = 0;
25105 for (i = 0; i < SI_NUM_STATS; i++)
25106- atomic_set(&new_smi->stats[i], 0);
25107+ atomic_set_unchecked(&new_smi->stats[i], 0);
25108
25109 new_smi->interrupt_disabled = 1;
25110 atomic_set(&new_smi->stop_operation, 0);
25111diff -urNp linux-3.0.7/drivers/char/mbcs.c linux-3.0.7/drivers/char/mbcs.c
25112--- linux-3.0.7/drivers/char/mbcs.c 2011-07-21 22:17:23.000000000 -0400
25113+++ linux-3.0.7/drivers/char/mbcs.c 2011-10-11 10:44:33.000000000 -0400
25114@@ -800,7 +800,7 @@ static int mbcs_remove(struct cx_dev *de
25115 return 0;
25116 }
25117
25118-static const struct cx_device_id __devinitdata mbcs_id_table[] = {
25119+static const struct cx_device_id __devinitconst mbcs_id_table[] = {
25120 {
25121 .part_num = MBCS_PART_NUM,
25122 .mfg_num = MBCS_MFG_NUM,
25123diff -urNp linux-3.0.7/drivers/char/mem.c linux-3.0.7/drivers/char/mem.c
25124--- linux-3.0.7/drivers/char/mem.c 2011-07-21 22:17:23.000000000 -0400
25125+++ linux-3.0.7/drivers/char/mem.c 2011-08-23 21:48:14.000000000 -0400
25126@@ -18,6 +18,7 @@
25127 #include <linux/raw.h>
25128 #include <linux/tty.h>
25129 #include <linux/capability.h>
25130+#include <linux/security.h>
25131 #include <linux/ptrace.h>
25132 #include <linux/device.h>
25133 #include <linux/highmem.h>
25134@@ -34,6 +35,10 @@
25135 # include <linux/efi.h>
25136 #endif
25137
25138+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
25139+extern struct file_operations grsec_fops;
25140+#endif
25141+
25142 static inline unsigned long size_inside_page(unsigned long start,
25143 unsigned long size)
25144 {
25145@@ -65,9 +70,13 @@ static inline int range_is_allowed(unsig
25146
25147 while (cursor < to) {
25148 if (!devmem_is_allowed(pfn)) {
25149+#ifdef CONFIG_GRKERNSEC_KMEM
25150+ gr_handle_mem_readwrite(from, to);
25151+#else
25152 printk(KERN_INFO
25153 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
25154 current->comm, from, to);
25155+#endif
25156 return 0;
25157 }
25158 cursor += PAGE_SIZE;
25159@@ -75,6 +84,11 @@ static inline int range_is_allowed(unsig
25160 }
25161 return 1;
25162 }
25163+#elif defined(CONFIG_GRKERNSEC_KMEM)
25164+static inline int range_is_allowed(unsigned long pfn, unsigned long size)
25165+{
25166+ return 0;
25167+}
25168 #else
25169 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
25170 {
25171@@ -117,6 +131,7 @@ static ssize_t read_mem(struct file *fil
25172
25173 while (count > 0) {
25174 unsigned long remaining;
25175+ char *temp;
25176
25177 sz = size_inside_page(p, count);
25178
25179@@ -132,7 +147,23 @@ static ssize_t read_mem(struct file *fil
25180 if (!ptr)
25181 return -EFAULT;
25182
25183- remaining = copy_to_user(buf, ptr, sz);
25184+#ifdef CONFIG_PAX_USERCOPY
25185+ temp = kmalloc(sz, GFP_KERNEL);
25186+ if (!temp) {
25187+ unxlate_dev_mem_ptr(p, ptr);
25188+ return -ENOMEM;
25189+ }
25190+ memcpy(temp, ptr, sz);
25191+#else
25192+ temp = ptr;
25193+#endif
25194+
25195+ remaining = copy_to_user(buf, temp, sz);
25196+
25197+#ifdef CONFIG_PAX_USERCOPY
25198+ kfree(temp);
25199+#endif
25200+
25201 unxlate_dev_mem_ptr(p, ptr);
25202 if (remaining)
25203 return -EFAULT;
25204@@ -395,9 +426,8 @@ static ssize_t read_kmem(struct file *fi
25205 size_t count, loff_t *ppos)
25206 {
25207 unsigned long p = *ppos;
25208- ssize_t low_count, read, sz;
25209+ ssize_t low_count, read, sz, err = 0;
25210 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
25211- int err = 0;
25212
25213 read = 0;
25214 if (p < (unsigned long) high_memory) {
25215@@ -419,6 +449,8 @@ static ssize_t read_kmem(struct file *fi
25216 }
25217 #endif
25218 while (low_count > 0) {
25219+ char *temp;
25220+
25221 sz = size_inside_page(p, low_count);
25222
25223 /*
25224@@ -428,7 +460,22 @@ static ssize_t read_kmem(struct file *fi
25225 */
25226 kbuf = xlate_dev_kmem_ptr((char *)p);
25227
25228- if (copy_to_user(buf, kbuf, sz))
25229+#ifdef CONFIG_PAX_USERCOPY
25230+ temp = kmalloc(sz, GFP_KERNEL);
25231+ if (!temp)
25232+ return -ENOMEM;
25233+ memcpy(temp, kbuf, sz);
25234+#else
25235+ temp = kbuf;
25236+#endif
25237+
25238+ err = copy_to_user(buf, temp, sz);
25239+
25240+#ifdef CONFIG_PAX_USERCOPY
25241+ kfree(temp);
25242+#endif
25243+
25244+ if (err)
25245 return -EFAULT;
25246 buf += sz;
25247 p += sz;
25248@@ -866,6 +913,9 @@ static const struct memdev {
25249 #ifdef CONFIG_CRASH_DUMP
25250 [12] = { "oldmem", 0, &oldmem_fops, NULL },
25251 #endif
25252+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
25253+ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
25254+#endif
25255 };
25256
25257 static int memory_open(struct inode *inode, struct file *filp)
25258diff -urNp linux-3.0.7/drivers/char/nvram.c linux-3.0.7/drivers/char/nvram.c
25259--- linux-3.0.7/drivers/char/nvram.c 2011-07-21 22:17:23.000000000 -0400
25260+++ linux-3.0.7/drivers/char/nvram.c 2011-08-23 21:47:55.000000000 -0400
25261@@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
25262
25263 spin_unlock_irq(&rtc_lock);
25264
25265- if (copy_to_user(buf, contents, tmp - contents))
25266+ if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
25267 return -EFAULT;
25268
25269 *ppos = i;
25270diff -urNp linux-3.0.7/drivers/char/random.c linux-3.0.7/drivers/char/random.c
25271--- linux-3.0.7/drivers/char/random.c 2011-09-02 18:11:21.000000000 -0400
25272+++ linux-3.0.7/drivers/char/random.c 2011-08-23 21:48:14.000000000 -0400
25273@@ -261,8 +261,13 @@
25274 /*
25275 * Configuration information
25276 */
25277+#ifdef CONFIG_GRKERNSEC_RANDNET
25278+#define INPUT_POOL_WORDS 512
25279+#define OUTPUT_POOL_WORDS 128
25280+#else
25281 #define INPUT_POOL_WORDS 128
25282 #define OUTPUT_POOL_WORDS 32
25283+#endif
25284 #define SEC_XFER_SIZE 512
25285 #define EXTRACT_SIZE 10
25286
25287@@ -300,10 +305,17 @@ static struct poolinfo {
25288 int poolwords;
25289 int tap1, tap2, tap3, tap4, tap5;
25290 } poolinfo_table[] = {
25291+#ifdef CONFIG_GRKERNSEC_RANDNET
25292+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
25293+ { 512, 411, 308, 208, 104, 1 },
25294+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
25295+ { 128, 103, 76, 51, 25, 1 },
25296+#else
25297 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
25298 { 128, 103, 76, 51, 25, 1 },
25299 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
25300 { 32, 26, 20, 14, 7, 1 },
25301+#endif
25302 #if 0
25303 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
25304 { 2048, 1638, 1231, 819, 411, 1 },
25305@@ -909,7 +921,7 @@ static ssize_t extract_entropy_user(stru
25306
25307 extract_buf(r, tmp);
25308 i = min_t(int, nbytes, EXTRACT_SIZE);
25309- if (copy_to_user(buf, tmp, i)) {
25310+ if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
25311 ret = -EFAULT;
25312 break;
25313 }
25314@@ -1214,7 +1226,7 @@ EXPORT_SYMBOL(generate_random_uuid);
25315 #include <linux/sysctl.h>
25316
25317 static int min_read_thresh = 8, min_write_thresh;
25318-static int max_read_thresh = INPUT_POOL_WORDS * 32;
25319+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
25320 static int max_write_thresh = INPUT_POOL_WORDS * 32;
25321 static char sysctl_bootid[16];
25322
25323diff -urNp linux-3.0.7/drivers/char/sonypi.c linux-3.0.7/drivers/char/sonypi.c
25324--- linux-3.0.7/drivers/char/sonypi.c 2011-07-21 22:17:23.000000000 -0400
25325+++ linux-3.0.7/drivers/char/sonypi.c 2011-08-23 21:47:55.000000000 -0400
25326@@ -55,6 +55,7 @@
25327 #include <asm/uaccess.h>
25328 #include <asm/io.h>
25329 #include <asm/system.h>
25330+#include <asm/local.h>
25331
25332 #include <linux/sonypi.h>
25333
25334@@ -491,7 +492,7 @@ static struct sonypi_device {
25335 spinlock_t fifo_lock;
25336 wait_queue_head_t fifo_proc_list;
25337 struct fasync_struct *fifo_async;
25338- int open_count;
25339+ local_t open_count;
25340 int model;
25341 struct input_dev *input_jog_dev;
25342 struct input_dev *input_key_dev;
25343@@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
25344 static int sonypi_misc_release(struct inode *inode, struct file *file)
25345 {
25346 mutex_lock(&sonypi_device.lock);
25347- sonypi_device.open_count--;
25348+ local_dec(&sonypi_device.open_count);
25349 mutex_unlock(&sonypi_device.lock);
25350 return 0;
25351 }
25352@@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
25353 {
25354 mutex_lock(&sonypi_device.lock);
25355 /* Flush input queue on first open */
25356- if (!sonypi_device.open_count)
25357+ if (!local_read(&sonypi_device.open_count))
25358 kfifo_reset(&sonypi_device.fifo);
25359- sonypi_device.open_count++;
25360+ local_inc(&sonypi_device.open_count);
25361 mutex_unlock(&sonypi_device.lock);
25362
25363 return 0;
25364diff -urNp linux-3.0.7/drivers/char/tpm/tpm.c linux-3.0.7/drivers/char/tpm/tpm.c
25365--- linux-3.0.7/drivers/char/tpm/tpm.c 2011-10-16 21:54:53.000000000 -0400
25366+++ linux-3.0.7/drivers/char/tpm/tpm.c 2011-10-16 21:55:27.000000000 -0400
25367@@ -414,7 +414,7 @@ static ssize_t tpm_transmit(struct tpm_c
25368 chip->vendor.req_complete_val)
25369 goto out_recv;
25370
25371- if ((status == chip->vendor.req_canceled)) {
25372+ if (status == chip->vendor.req_canceled) {
25373 dev_err(chip->dev, "Operation Canceled\n");
25374 rc = -ECANCELED;
25375 goto out;
25376@@ -847,6 +847,8 @@ ssize_t tpm_show_pubek(struct device *de
25377
25378 struct tpm_chip *chip = dev_get_drvdata(dev);
25379
25380+ pax_track_stack();
25381+
25382 tpm_cmd.header.in = tpm_readpubek_header;
25383 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
25384 "attempting to read the PUBEK");
25385diff -urNp linux-3.0.7/drivers/char/tpm/tpm_bios.c linux-3.0.7/drivers/char/tpm/tpm_bios.c
25386--- linux-3.0.7/drivers/char/tpm/tpm_bios.c 2011-07-21 22:17:23.000000000 -0400
25387+++ linux-3.0.7/drivers/char/tpm/tpm_bios.c 2011-10-06 04:17:55.000000000 -0400
25388@@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
25389 event = addr;
25390
25391 if ((event->event_type == 0 && event->event_size == 0) ||
25392- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
25393+ (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
25394 return NULL;
25395
25396 return addr;
25397@@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
25398 return NULL;
25399
25400 if ((event->event_type == 0 && event->event_size == 0) ||
25401- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
25402+ (event->event_size >= limit - v - sizeof(struct tcpa_event)))
25403 return NULL;
25404
25405 (*pos)++;
25406@@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
25407 int i;
25408
25409 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
25410- seq_putc(m, data[i]);
25411+ if (!seq_putc(m, data[i]))
25412+ return -EFAULT;
25413
25414 return 0;
25415 }
25416@@ -410,8 +411,13 @@ static int read_log(struct tpm_bios_log
25417 log->bios_event_log_end = log->bios_event_log + len;
25418
25419 virt = acpi_os_map_memory(start, len);
25420+ if (!virt) {
25421+ kfree(log->bios_event_log);
25422+ log->bios_event_log = NULL;
25423+ return -EFAULT;
25424+ }
25425
25426- memcpy(log->bios_event_log, virt, len);
25427+ memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);
25428
25429 acpi_os_unmap_memory(virt, len);
25430 return 0;
25431diff -urNp linux-3.0.7/drivers/char/virtio_console.c linux-3.0.7/drivers/char/virtio_console.c
25432--- linux-3.0.7/drivers/char/virtio_console.c 2011-07-21 22:17:23.000000000 -0400
25433+++ linux-3.0.7/drivers/char/virtio_console.c 2011-10-06 04:17:55.000000000 -0400
25434@@ -555,7 +555,7 @@ static ssize_t fill_readbuf(struct port
25435 if (to_user) {
25436 ssize_t ret;
25437
25438- ret = copy_to_user(out_buf, buf->buf + buf->offset, out_count);
25439+ ret = copy_to_user((char __force_user *)out_buf, buf->buf + buf->offset, out_count);
25440 if (ret)
25441 return -EFAULT;
25442 } else {
25443@@ -654,7 +654,7 @@ static ssize_t port_fops_read(struct fil
25444 if (!port_has_data(port) && !port->host_connected)
25445 return 0;
25446
25447- return fill_readbuf(port, ubuf, count, true);
25448+ return fill_readbuf(port, (char __force_kernel *)ubuf, count, true);
25449 }
25450
25451 static ssize_t port_fops_write(struct file *filp, const char __user *ubuf,
25452diff -urNp linux-3.0.7/drivers/crypto/hifn_795x.c linux-3.0.7/drivers/crypto/hifn_795x.c
25453--- linux-3.0.7/drivers/crypto/hifn_795x.c 2011-07-21 22:17:23.000000000 -0400
25454+++ linux-3.0.7/drivers/crypto/hifn_795x.c 2011-08-23 21:48:14.000000000 -0400
25455@@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
25456 0xCA, 0x34, 0x2B, 0x2E};
25457 struct scatterlist sg;
25458
25459+ pax_track_stack();
25460+
25461 memset(src, 0, sizeof(src));
25462 memset(ctx.key, 0, sizeof(ctx.key));
25463
25464diff -urNp linux-3.0.7/drivers/crypto/padlock-aes.c linux-3.0.7/drivers/crypto/padlock-aes.c
25465--- linux-3.0.7/drivers/crypto/padlock-aes.c 2011-07-21 22:17:23.000000000 -0400
25466+++ linux-3.0.7/drivers/crypto/padlock-aes.c 2011-08-23 21:48:14.000000000 -0400
25467@@ -109,6 +109,8 @@ static int aes_set_key(struct crypto_tfm
25468 struct crypto_aes_ctx gen_aes;
25469 int cpu;
25470
25471+ pax_track_stack();
25472+
25473 if (key_len % 8) {
25474 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
25475 return -EINVAL;
25476diff -urNp linux-3.0.7/drivers/dma/ioat/dma_v3.c linux-3.0.7/drivers/dma/ioat/dma_v3.c
25477--- linux-3.0.7/drivers/dma/ioat/dma_v3.c 2011-07-21 22:17:23.000000000 -0400
25478+++ linux-3.0.7/drivers/dma/ioat/dma_v3.c 2011-10-11 10:44:33.000000000 -0400
25479@@ -73,10 +73,10 @@
25480 /* provide a lookup table for setting the source address in the base or
25481 * extended descriptor of an xor or pq descriptor
25482 */
25483-static const u8 xor_idx_to_desc __read_mostly = 0xd0;
25484-static const u8 xor_idx_to_field[] __read_mostly = { 1, 4, 5, 6, 7, 0, 1, 2 };
25485-static const u8 pq_idx_to_desc __read_mostly = 0xf8;
25486-static const u8 pq_idx_to_field[] __read_mostly = { 1, 4, 5, 0, 1, 2, 4, 5 };
25487+static const u8 xor_idx_to_desc = 0xd0;
25488+static const u8 xor_idx_to_field[] = { 1, 4, 5, 6, 7, 0, 1, 2 };
25489+static const u8 pq_idx_to_desc = 0xf8;
25490+static const u8 pq_idx_to_field[] = { 1, 4, 5, 0, 1, 2, 4, 5 };
25491
25492 static dma_addr_t xor_get_src(struct ioat_raw_descriptor *descs[2], int idx)
25493 {
25494diff -urNp linux-3.0.7/drivers/edac/amd64_edac.c linux-3.0.7/drivers/edac/amd64_edac.c
25495--- linux-3.0.7/drivers/edac/amd64_edac.c 2011-07-21 22:17:23.000000000 -0400
25496+++ linux-3.0.7/drivers/edac/amd64_edac.c 2011-10-11 10:44:33.000000000 -0400
25497@@ -2670,7 +2670,7 @@ static void __devexit amd64_remove_one_i
25498 * PCI core identifies what devices are on a system during boot, and then
25499 * inquiry this table to see if this driver is for a given device found.
25500 */
25501-static const struct pci_device_id amd64_pci_table[] __devinitdata = {
25502+static const struct pci_device_id amd64_pci_table[] __devinitconst = {
25503 {
25504 .vendor = PCI_VENDOR_ID_AMD,
25505 .device = PCI_DEVICE_ID_AMD_K8_NB_MEMCTL,
25506diff -urNp linux-3.0.7/drivers/edac/amd76x_edac.c linux-3.0.7/drivers/edac/amd76x_edac.c
25507--- linux-3.0.7/drivers/edac/amd76x_edac.c 2011-07-21 22:17:23.000000000 -0400
25508+++ linux-3.0.7/drivers/edac/amd76x_edac.c 2011-10-11 10:44:33.000000000 -0400
25509@@ -321,7 +321,7 @@ static void __devexit amd76x_remove_one(
25510 edac_mc_free(mci);
25511 }
25512
25513-static const struct pci_device_id amd76x_pci_tbl[] __devinitdata = {
25514+static const struct pci_device_id amd76x_pci_tbl[] __devinitconst = {
25515 {
25516 PCI_VEND_DEV(AMD, FE_GATE_700C), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25517 AMD762},
25518diff -urNp linux-3.0.7/drivers/edac/e752x_edac.c linux-3.0.7/drivers/edac/e752x_edac.c
25519--- linux-3.0.7/drivers/edac/e752x_edac.c 2011-07-21 22:17:23.000000000 -0400
25520+++ linux-3.0.7/drivers/edac/e752x_edac.c 2011-10-11 10:44:33.000000000 -0400
25521@@ -1380,7 +1380,7 @@ static void __devexit e752x_remove_one(s
25522 edac_mc_free(mci);
25523 }
25524
25525-static const struct pci_device_id e752x_pci_tbl[] __devinitdata = {
25526+static const struct pci_device_id e752x_pci_tbl[] __devinitconst = {
25527 {
25528 PCI_VEND_DEV(INTEL, 7520_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25529 E7520},
25530diff -urNp linux-3.0.7/drivers/edac/e7xxx_edac.c linux-3.0.7/drivers/edac/e7xxx_edac.c
25531--- linux-3.0.7/drivers/edac/e7xxx_edac.c 2011-07-21 22:17:23.000000000 -0400
25532+++ linux-3.0.7/drivers/edac/e7xxx_edac.c 2011-10-11 10:44:33.000000000 -0400
25533@@ -525,7 +525,7 @@ static void __devexit e7xxx_remove_one(s
25534 edac_mc_free(mci);
25535 }
25536
25537-static const struct pci_device_id e7xxx_pci_tbl[] __devinitdata = {
25538+static const struct pci_device_id e7xxx_pci_tbl[] __devinitconst = {
25539 {
25540 PCI_VEND_DEV(INTEL, 7205_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25541 E7205},
25542diff -urNp linux-3.0.7/drivers/edac/edac_pci_sysfs.c linux-3.0.7/drivers/edac/edac_pci_sysfs.c
25543--- linux-3.0.7/drivers/edac/edac_pci_sysfs.c 2011-07-21 22:17:23.000000000 -0400
25544+++ linux-3.0.7/drivers/edac/edac_pci_sysfs.c 2011-08-23 21:47:55.000000000 -0400
25545@@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log
25546 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
25547 static int edac_pci_poll_msec = 1000; /* one second workq period */
25548
25549-static atomic_t pci_parity_count = ATOMIC_INIT(0);
25550-static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
25551+static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
25552+static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
25553
25554 static struct kobject *edac_pci_top_main_kobj;
25555 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
25556@@ -582,7 +582,7 @@ static void edac_pci_dev_parity_test(str
25557 edac_printk(KERN_CRIT, EDAC_PCI,
25558 "Signaled System Error on %s\n",
25559 pci_name(dev));
25560- atomic_inc(&pci_nonparity_count);
25561+ atomic_inc_unchecked(&pci_nonparity_count);
25562 }
25563
25564 if (status & (PCI_STATUS_PARITY)) {
25565@@ -590,7 +590,7 @@ static void edac_pci_dev_parity_test(str
25566 "Master Data Parity Error on %s\n",
25567 pci_name(dev));
25568
25569- atomic_inc(&pci_parity_count);
25570+ atomic_inc_unchecked(&pci_parity_count);
25571 }
25572
25573 if (status & (PCI_STATUS_DETECTED_PARITY)) {
25574@@ -598,7 +598,7 @@ static void edac_pci_dev_parity_test(str
25575 "Detected Parity Error on %s\n",
25576 pci_name(dev));
25577
25578- atomic_inc(&pci_parity_count);
25579+ atomic_inc_unchecked(&pci_parity_count);
25580 }
25581 }
25582
25583@@ -619,7 +619,7 @@ static void edac_pci_dev_parity_test(str
25584 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
25585 "Signaled System Error on %s\n",
25586 pci_name(dev));
25587- atomic_inc(&pci_nonparity_count);
25588+ atomic_inc_unchecked(&pci_nonparity_count);
25589 }
25590
25591 if (status & (PCI_STATUS_PARITY)) {
25592@@ -627,7 +627,7 @@ static void edac_pci_dev_parity_test(str
25593 "Master Data Parity Error on "
25594 "%s\n", pci_name(dev));
25595
25596- atomic_inc(&pci_parity_count);
25597+ atomic_inc_unchecked(&pci_parity_count);
25598 }
25599
25600 if (status & (PCI_STATUS_DETECTED_PARITY)) {
25601@@ -635,7 +635,7 @@ static void edac_pci_dev_parity_test(str
25602 "Detected Parity Error on %s\n",
25603 pci_name(dev));
25604
25605- atomic_inc(&pci_parity_count);
25606+ atomic_inc_unchecked(&pci_parity_count);
25607 }
25608 }
25609 }
25610@@ -677,7 +677,7 @@ void edac_pci_do_parity_check(void)
25611 if (!check_pci_errors)
25612 return;
25613
25614- before_count = atomic_read(&pci_parity_count);
25615+ before_count = atomic_read_unchecked(&pci_parity_count);
25616
25617 /* scan all PCI devices looking for a Parity Error on devices and
25618 * bridges.
25619@@ -689,7 +689,7 @@ void edac_pci_do_parity_check(void)
25620 /* Only if operator has selected panic on PCI Error */
25621 if (edac_pci_get_panic_on_pe()) {
25622 /* If the count is different 'after' from 'before' */
25623- if (before_count != atomic_read(&pci_parity_count))
25624+ if (before_count != atomic_read_unchecked(&pci_parity_count))
25625 panic("EDAC: PCI Parity Error");
25626 }
25627 }
25628diff -urNp linux-3.0.7/drivers/edac/i3000_edac.c linux-3.0.7/drivers/edac/i3000_edac.c
25629--- linux-3.0.7/drivers/edac/i3000_edac.c 2011-07-21 22:17:23.000000000 -0400
25630+++ linux-3.0.7/drivers/edac/i3000_edac.c 2011-10-11 10:44:33.000000000 -0400
25631@@ -470,7 +470,7 @@ static void __devexit i3000_remove_one(s
25632 edac_mc_free(mci);
25633 }
25634
25635-static const struct pci_device_id i3000_pci_tbl[] __devinitdata = {
25636+static const struct pci_device_id i3000_pci_tbl[] __devinitconst = {
25637 {
25638 PCI_VEND_DEV(INTEL, 3000_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25639 I3000},
25640diff -urNp linux-3.0.7/drivers/edac/i3200_edac.c linux-3.0.7/drivers/edac/i3200_edac.c
25641--- linux-3.0.7/drivers/edac/i3200_edac.c 2011-07-21 22:17:23.000000000 -0400
25642+++ linux-3.0.7/drivers/edac/i3200_edac.c 2011-10-11 10:44:33.000000000 -0400
25643@@ -456,7 +456,7 @@ static void __devexit i3200_remove_one(s
25644 edac_mc_free(mci);
25645 }
25646
25647-static const struct pci_device_id i3200_pci_tbl[] __devinitdata = {
25648+static const struct pci_device_id i3200_pci_tbl[] __devinitconst = {
25649 {
25650 PCI_VEND_DEV(INTEL, 3200_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25651 I3200},
25652diff -urNp linux-3.0.7/drivers/edac/i5000_edac.c linux-3.0.7/drivers/edac/i5000_edac.c
25653--- linux-3.0.7/drivers/edac/i5000_edac.c 2011-07-21 22:17:23.000000000 -0400
25654+++ linux-3.0.7/drivers/edac/i5000_edac.c 2011-10-11 10:44:33.000000000 -0400
25655@@ -1516,7 +1516,7 @@ static void __devexit i5000_remove_one(s
25656 *
25657 * The "E500P" device is the first device supported.
25658 */
25659-static const struct pci_device_id i5000_pci_tbl[] __devinitdata = {
25660+static const struct pci_device_id i5000_pci_tbl[] __devinitconst = {
25661 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_I5000_DEV16),
25662 .driver_data = I5000P},
25663
25664diff -urNp linux-3.0.7/drivers/edac/i5100_edac.c linux-3.0.7/drivers/edac/i5100_edac.c
25665--- linux-3.0.7/drivers/edac/i5100_edac.c 2011-07-21 22:17:23.000000000 -0400
25666+++ linux-3.0.7/drivers/edac/i5100_edac.c 2011-10-11 10:44:33.000000000 -0400
25667@@ -1051,7 +1051,7 @@ static void __devexit i5100_remove_one(s
25668 edac_mc_free(mci);
25669 }
25670
25671-static const struct pci_device_id i5100_pci_tbl[] __devinitdata = {
25672+static const struct pci_device_id i5100_pci_tbl[] __devinitconst = {
25673 /* Device 16, Function 0, Channel 0 Memory Map, Error Flag/Mask, ... */
25674 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5100_16) },
25675 { 0, }
25676diff -urNp linux-3.0.7/drivers/edac/i5400_edac.c linux-3.0.7/drivers/edac/i5400_edac.c
25677--- linux-3.0.7/drivers/edac/i5400_edac.c 2011-07-21 22:17:23.000000000 -0400
25678+++ linux-3.0.7/drivers/edac/i5400_edac.c 2011-10-11 10:44:33.000000000 -0400
25679@@ -1383,7 +1383,7 @@ static void __devexit i5400_remove_one(s
25680 *
25681 * The "E500P" device is the first device supported.
25682 */
25683-static const struct pci_device_id i5400_pci_tbl[] __devinitdata = {
25684+static const struct pci_device_id i5400_pci_tbl[] __devinitconst = {
25685 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5400_ERR)},
25686 {0,} /* 0 terminated list. */
25687 };
25688diff -urNp linux-3.0.7/drivers/edac/i7300_edac.c linux-3.0.7/drivers/edac/i7300_edac.c
25689--- linux-3.0.7/drivers/edac/i7300_edac.c 2011-07-21 22:17:23.000000000 -0400
25690+++ linux-3.0.7/drivers/edac/i7300_edac.c 2011-10-11 10:44:33.000000000 -0400
25691@@ -1191,7 +1191,7 @@ static void __devexit i7300_remove_one(s
25692 *
25693 * Has only 8086:360c PCI ID
25694 */
25695-static const struct pci_device_id i7300_pci_tbl[] __devinitdata = {
25696+static const struct pci_device_id i7300_pci_tbl[] __devinitconst = {
25697 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_I7300_MCH_ERR)},
25698 {0,} /* 0 terminated list. */
25699 };
25700diff -urNp linux-3.0.7/drivers/edac/i7core_edac.c linux-3.0.7/drivers/edac/i7core_edac.c
25701--- linux-3.0.7/drivers/edac/i7core_edac.c 2011-09-02 18:11:26.000000000 -0400
25702+++ linux-3.0.7/drivers/edac/i7core_edac.c 2011-10-11 10:44:33.000000000 -0400
25703@@ -359,7 +359,7 @@ static const struct pci_id_table pci_dev
25704 /*
25705 * pci_device_id table for which devices we are looking for
25706 */
25707-static const struct pci_device_id i7core_pci_tbl[] __devinitdata = {
25708+static const struct pci_device_id i7core_pci_tbl[] __devinitconst = {
25709 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_X58_HUB_MGMT)},
25710 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_LYNNFIELD_QPI_LINK0)},
25711 {0,} /* 0 terminated list. */
25712diff -urNp linux-3.0.7/drivers/edac/i82443bxgx_edac.c linux-3.0.7/drivers/edac/i82443bxgx_edac.c
25713--- linux-3.0.7/drivers/edac/i82443bxgx_edac.c 2011-07-21 22:17:23.000000000 -0400
25714+++ linux-3.0.7/drivers/edac/i82443bxgx_edac.c 2011-10-11 10:44:33.000000000 -0400
25715@@ -380,7 +380,7 @@ static void __devexit i82443bxgx_edacmc_
25716
25717 EXPORT_SYMBOL_GPL(i82443bxgx_edacmc_remove_one);
25718
25719-static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitdata = {
25720+static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitconst = {
25721 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_0)},
25722 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_2)},
25723 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0)},
25724diff -urNp linux-3.0.7/drivers/edac/i82860_edac.c linux-3.0.7/drivers/edac/i82860_edac.c
25725--- linux-3.0.7/drivers/edac/i82860_edac.c 2011-07-21 22:17:23.000000000 -0400
25726+++ linux-3.0.7/drivers/edac/i82860_edac.c 2011-10-11 10:44:33.000000000 -0400
25727@@ -270,7 +270,7 @@ static void __devexit i82860_remove_one(
25728 edac_mc_free(mci);
25729 }
25730
25731-static const struct pci_device_id i82860_pci_tbl[] __devinitdata = {
25732+static const struct pci_device_id i82860_pci_tbl[] __devinitconst = {
25733 {
25734 PCI_VEND_DEV(INTEL, 82860_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25735 I82860},
25736diff -urNp linux-3.0.7/drivers/edac/i82875p_edac.c linux-3.0.7/drivers/edac/i82875p_edac.c
25737--- linux-3.0.7/drivers/edac/i82875p_edac.c 2011-07-21 22:17:23.000000000 -0400
25738+++ linux-3.0.7/drivers/edac/i82875p_edac.c 2011-10-11 10:44:33.000000000 -0400
25739@@ -511,7 +511,7 @@ static void __devexit i82875p_remove_one
25740 edac_mc_free(mci);
25741 }
25742
25743-static const struct pci_device_id i82875p_pci_tbl[] __devinitdata = {
25744+static const struct pci_device_id i82875p_pci_tbl[] __devinitconst = {
25745 {
25746 PCI_VEND_DEV(INTEL, 82875_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25747 I82875P},
25748diff -urNp linux-3.0.7/drivers/edac/i82975x_edac.c linux-3.0.7/drivers/edac/i82975x_edac.c
25749--- linux-3.0.7/drivers/edac/i82975x_edac.c 2011-07-21 22:17:23.000000000 -0400
25750+++ linux-3.0.7/drivers/edac/i82975x_edac.c 2011-10-11 10:44:33.000000000 -0400
25751@@ -604,7 +604,7 @@ static void __devexit i82975x_remove_one
25752 edac_mc_free(mci);
25753 }
25754
25755-static const struct pci_device_id i82975x_pci_tbl[] __devinitdata = {
25756+static const struct pci_device_id i82975x_pci_tbl[] __devinitconst = {
25757 {
25758 PCI_VEND_DEV(INTEL, 82975_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25759 I82975X
25760diff -urNp linux-3.0.7/drivers/edac/mce_amd.h linux-3.0.7/drivers/edac/mce_amd.h
25761--- linux-3.0.7/drivers/edac/mce_amd.h 2011-07-21 22:17:23.000000000 -0400
25762+++ linux-3.0.7/drivers/edac/mce_amd.h 2011-08-23 21:47:55.000000000 -0400
25763@@ -83,7 +83,7 @@ struct amd_decoder_ops {
25764 bool (*dc_mce)(u16, u8);
25765 bool (*ic_mce)(u16, u8);
25766 bool (*nb_mce)(u16, u8);
25767-};
25768+} __no_const;
25769
25770 void amd_report_gart_errors(bool);
25771 void amd_register_ecc_decoder(void (*f)(int, struct mce *, u32));
25772diff -urNp linux-3.0.7/drivers/edac/r82600_edac.c linux-3.0.7/drivers/edac/r82600_edac.c
25773--- linux-3.0.7/drivers/edac/r82600_edac.c 2011-07-21 22:17:23.000000000 -0400
25774+++ linux-3.0.7/drivers/edac/r82600_edac.c 2011-10-11 10:44:33.000000000 -0400
25775@@ -373,7 +373,7 @@ static void __devexit r82600_remove_one(
25776 edac_mc_free(mci);
25777 }
25778
25779-static const struct pci_device_id r82600_pci_tbl[] __devinitdata = {
25780+static const struct pci_device_id r82600_pci_tbl[] __devinitconst = {
25781 {
25782 PCI_DEVICE(PCI_VENDOR_ID_RADISYS, R82600_BRIDGE_ID)
25783 },
25784diff -urNp linux-3.0.7/drivers/edac/x38_edac.c linux-3.0.7/drivers/edac/x38_edac.c
25785--- linux-3.0.7/drivers/edac/x38_edac.c 2011-07-21 22:17:23.000000000 -0400
25786+++ linux-3.0.7/drivers/edac/x38_edac.c 2011-10-11 10:44:33.000000000 -0400
25787@@ -440,7 +440,7 @@ static void __devexit x38_remove_one(str
25788 edac_mc_free(mci);
25789 }
25790
25791-static const struct pci_device_id x38_pci_tbl[] __devinitdata = {
25792+static const struct pci_device_id x38_pci_tbl[] __devinitconst = {
25793 {
25794 PCI_VEND_DEV(INTEL, X38_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25795 X38},
25796diff -urNp linux-3.0.7/drivers/firewire/core-card.c linux-3.0.7/drivers/firewire/core-card.c
25797--- linux-3.0.7/drivers/firewire/core-card.c 2011-07-21 22:17:23.000000000 -0400
25798+++ linux-3.0.7/drivers/firewire/core-card.c 2011-08-23 21:47:55.000000000 -0400
25799@@ -657,7 +657,7 @@ void fw_card_release(struct kref *kref)
25800
25801 void fw_core_remove_card(struct fw_card *card)
25802 {
25803- struct fw_card_driver dummy_driver = dummy_driver_template;
25804+ fw_card_driver_no_const dummy_driver = dummy_driver_template;
25805
25806 card->driver->update_phy_reg(card, 4,
25807 PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
25808diff -urNp linux-3.0.7/drivers/firewire/core-cdev.c linux-3.0.7/drivers/firewire/core-cdev.c
25809--- linux-3.0.7/drivers/firewire/core-cdev.c 2011-09-02 18:11:21.000000000 -0400
25810+++ linux-3.0.7/drivers/firewire/core-cdev.c 2011-08-23 21:47:55.000000000 -0400
25811@@ -1313,8 +1313,7 @@ static int init_iso_resource(struct clie
25812 int ret;
25813
25814 if ((request->channels == 0 && request->bandwidth == 0) ||
25815- request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
25816- request->bandwidth < 0)
25817+ request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
25818 return -EINVAL;
25819
25820 r = kmalloc(sizeof(*r), GFP_KERNEL);
25821diff -urNp linux-3.0.7/drivers/firewire/core-transaction.c linux-3.0.7/drivers/firewire/core-transaction.c
25822--- linux-3.0.7/drivers/firewire/core-transaction.c 2011-07-21 22:17:23.000000000 -0400
25823+++ linux-3.0.7/drivers/firewire/core-transaction.c 2011-08-23 21:48:14.000000000 -0400
25824@@ -37,6 +37,7 @@
25825 #include <linux/timer.h>
25826 #include <linux/types.h>
25827 #include <linux/workqueue.h>
25828+#include <linux/sched.h>
25829
25830 #include <asm/byteorder.h>
25831
25832@@ -422,6 +423,8 @@ int fw_run_transaction(struct fw_card *c
25833 struct transaction_callback_data d;
25834 struct fw_transaction t;
25835
25836+ pax_track_stack();
25837+
25838 init_timer_on_stack(&t.split_timeout_timer);
25839 init_completion(&d.done);
25840 d.payload = payload;
25841diff -urNp linux-3.0.7/drivers/firewire/core.h linux-3.0.7/drivers/firewire/core.h
25842--- linux-3.0.7/drivers/firewire/core.h 2011-07-21 22:17:23.000000000 -0400
25843+++ linux-3.0.7/drivers/firewire/core.h 2011-08-23 21:47:55.000000000 -0400
25844@@ -101,6 +101,7 @@ struct fw_card_driver {
25845
25846 int (*stop_iso)(struct fw_iso_context *ctx);
25847 };
25848+typedef struct fw_card_driver __no_const fw_card_driver_no_const;
25849
25850 void fw_card_initialize(struct fw_card *card,
25851 const struct fw_card_driver *driver, struct device *device);
25852diff -urNp linux-3.0.7/drivers/firmware/dmi_scan.c linux-3.0.7/drivers/firmware/dmi_scan.c
25853--- linux-3.0.7/drivers/firmware/dmi_scan.c 2011-07-21 22:17:23.000000000 -0400
25854+++ linux-3.0.7/drivers/firmware/dmi_scan.c 2011-10-06 04:17:55.000000000 -0400
25855@@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
25856 }
25857 }
25858 else {
25859- /*
25860- * no iounmap() for that ioremap(); it would be a no-op, but
25861- * it's so early in setup that sucker gets confused into doing
25862- * what it shouldn't if we actually call it.
25863- */
25864 p = dmi_ioremap(0xF0000, 0x10000);
25865 if (p == NULL)
25866 goto error;
25867@@ -725,7 +720,7 @@ int dmi_walk(void (*decode)(const struct
25868 if (buf == NULL)
25869 return -1;
25870
25871- dmi_table(buf, dmi_len, dmi_num, decode, private_data);
25872+ dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
25873
25874 iounmap(buf);
25875 return 0;
25876diff -urNp linux-3.0.7/drivers/gpio/vr41xx_giu.c linux-3.0.7/drivers/gpio/vr41xx_giu.c
25877--- linux-3.0.7/drivers/gpio/vr41xx_giu.c 2011-07-21 22:17:23.000000000 -0400
25878+++ linux-3.0.7/drivers/gpio/vr41xx_giu.c 2011-08-23 21:47:55.000000000 -0400
25879@@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
25880 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
25881 maskl, pendl, maskh, pendh);
25882
25883- atomic_inc(&irq_err_count);
25884+ atomic_inc_unchecked(&irq_err_count);
25885
25886 return -EINVAL;
25887 }
25888diff -urNp linux-3.0.7/drivers/gpu/drm/drm_crtc.c linux-3.0.7/drivers/gpu/drm/drm_crtc.c
25889--- linux-3.0.7/drivers/gpu/drm/drm_crtc.c 2011-07-21 22:17:23.000000000 -0400
25890+++ linux-3.0.7/drivers/gpu/drm/drm_crtc.c 2011-10-06 04:17:55.000000000 -0400
25891@@ -1372,7 +1372,7 @@ int drm_mode_getconnector(struct drm_dev
25892 */
25893 if ((out_resp->count_modes >= mode_count) && mode_count) {
25894 copied = 0;
25895- mode_ptr = (struct drm_mode_modeinfo *)(unsigned long)out_resp->modes_ptr;
25896+ mode_ptr = (struct drm_mode_modeinfo __user *)(unsigned long)out_resp->modes_ptr;
25897 list_for_each_entry(mode, &connector->modes, head) {
25898 drm_crtc_convert_to_umode(&u_mode, mode);
25899 if (copy_to_user(mode_ptr + copied,
25900@@ -1387,8 +1387,8 @@ int drm_mode_getconnector(struct drm_dev
25901
25902 if ((out_resp->count_props >= props_count) && props_count) {
25903 copied = 0;
25904- prop_ptr = (uint32_t *)(unsigned long)(out_resp->props_ptr);
25905- prop_values = (uint64_t *)(unsigned long)(out_resp->prop_values_ptr);
25906+ prop_ptr = (uint32_t __user *)(unsigned long)(out_resp->props_ptr);
25907+ prop_values = (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr);
25908 for (i = 0; i < DRM_CONNECTOR_MAX_PROPERTY; i++) {
25909 if (connector->property_ids[i] != 0) {
25910 if (put_user(connector->property_ids[i],
25911@@ -1410,7 +1410,7 @@ int drm_mode_getconnector(struct drm_dev
25912
25913 if ((out_resp->count_encoders >= encoders_count) && encoders_count) {
25914 copied = 0;
25915- encoder_ptr = (uint32_t *)(unsigned long)(out_resp->encoders_ptr);
25916+ encoder_ptr = (uint32_t __user *)(unsigned long)(out_resp->encoders_ptr);
25917 for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++) {
25918 if (connector->encoder_ids[i] != 0) {
25919 if (put_user(connector->encoder_ids[i],
25920@@ -1569,7 +1569,7 @@ int drm_mode_setcrtc(struct drm_device *
25921 }
25922
25923 for (i = 0; i < crtc_req->count_connectors; i++) {
25924- set_connectors_ptr = (uint32_t *)(unsigned long)crtc_req->set_connectors_ptr;
25925+ set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
25926 if (get_user(out_id, &set_connectors_ptr[i])) {
25927 ret = -EFAULT;
25928 goto out;
25929@@ -1850,7 +1850,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_de
25930 fb = obj_to_fb(obj);
25931
25932 num_clips = r->num_clips;
25933- clips_ptr = (struct drm_clip_rect *)(unsigned long)r->clips_ptr;
25934+ clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
25935
25936 if (!num_clips != !clips_ptr) {
25937 ret = -EINVAL;
25938@@ -2270,7 +2270,7 @@ int drm_mode_getproperty_ioctl(struct dr
25939 out_resp->flags = property->flags;
25940
25941 if ((out_resp->count_values >= value_count) && value_count) {
25942- values_ptr = (uint64_t *)(unsigned long)out_resp->values_ptr;
25943+ values_ptr = (uint64_t __user *)(unsigned long)out_resp->values_ptr;
25944 for (i = 0; i < value_count; i++) {
25945 if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
25946 ret = -EFAULT;
25947@@ -2283,7 +2283,7 @@ int drm_mode_getproperty_ioctl(struct dr
25948 if (property->flags & DRM_MODE_PROP_ENUM) {
25949 if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
25950 copied = 0;
25951- enum_ptr = (struct drm_mode_property_enum *)(unsigned long)out_resp->enum_blob_ptr;
25952+ enum_ptr = (struct drm_mode_property_enum __user *)(unsigned long)out_resp->enum_blob_ptr;
25953 list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
25954
25955 if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
25956@@ -2306,7 +2306,7 @@ int drm_mode_getproperty_ioctl(struct dr
25957 if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
25958 copied = 0;
25959 blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
25960- blob_length_ptr = (uint32_t *)(unsigned long)out_resp->values_ptr;
25961+ blob_length_ptr = (uint32_t __user *)(unsigned long)out_resp->values_ptr;
25962
25963 list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
25964 if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
25965@@ -2367,7 +2367,7 @@ int drm_mode_getblob_ioctl(struct drm_de
25966 struct drm_mode_get_blob *out_resp = data;
25967 struct drm_property_blob *blob;
25968 int ret = 0;
25969- void *blob_ptr;
25970+ void __user *blob_ptr;
25971
25972 if (!drm_core_check_feature(dev, DRIVER_MODESET))
25973 return -EINVAL;
25974@@ -2381,7 +2381,7 @@ int drm_mode_getblob_ioctl(struct drm_de
25975 blob = obj_to_blob(obj);
25976
25977 if (out_resp->length == blob->length) {
25978- blob_ptr = (void *)(unsigned long)out_resp->data;
25979+ blob_ptr = (void __user *)(unsigned long)out_resp->data;
25980 if (copy_to_user(blob_ptr, blob->data, blob->length)){
25981 ret = -EFAULT;
25982 goto done;
25983diff -urNp linux-3.0.7/drivers/gpu/drm/drm_crtc_helper.c linux-3.0.7/drivers/gpu/drm/drm_crtc_helper.c
25984--- linux-3.0.7/drivers/gpu/drm/drm_crtc_helper.c 2011-07-21 22:17:23.000000000 -0400
25985+++ linux-3.0.7/drivers/gpu/drm/drm_crtc_helper.c 2011-08-23 21:48:14.000000000 -0400
25986@@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
25987 struct drm_crtc *tmp;
25988 int crtc_mask = 1;
25989
25990- WARN(!crtc, "checking null crtc?\n");
25991+ BUG_ON(!crtc);
25992
25993 dev = crtc->dev;
25994
25995@@ -343,6 +343,8 @@ bool drm_crtc_helper_set_mode(struct drm
25996 struct drm_encoder *encoder;
25997 bool ret = true;
25998
25999+ pax_track_stack();
26000+
26001 crtc->enabled = drm_helper_crtc_in_use(crtc);
26002 if (!crtc->enabled)
26003 return true;
26004diff -urNp linux-3.0.7/drivers/gpu/drm/drm_drv.c linux-3.0.7/drivers/gpu/drm/drm_drv.c
26005--- linux-3.0.7/drivers/gpu/drm/drm_drv.c 2011-07-21 22:17:23.000000000 -0400
26006+++ linux-3.0.7/drivers/gpu/drm/drm_drv.c 2011-10-06 04:17:55.000000000 -0400
26007@@ -307,7 +307,7 @@ module_exit(drm_core_exit);
26008 /**
26009 * Copy and IOCTL return string to user space
26010 */
26011-static int drm_copy_field(char *buf, size_t *buf_len, const char *value)
26012+static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
26013 {
26014 int len;
26015
26016@@ -386,7 +386,7 @@ long drm_ioctl(struct file *filp,
26017
26018 dev = file_priv->minor->dev;
26019 atomic_inc(&dev->ioctl_count);
26020- atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
26021+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
26022 ++file_priv->ioctl_count;
26023
26024 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
26025diff -urNp linux-3.0.7/drivers/gpu/drm/drm_fops.c linux-3.0.7/drivers/gpu/drm/drm_fops.c
26026--- linux-3.0.7/drivers/gpu/drm/drm_fops.c 2011-07-21 22:17:23.000000000 -0400
26027+++ linux-3.0.7/drivers/gpu/drm/drm_fops.c 2011-08-23 21:47:55.000000000 -0400
26028@@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
26029 }
26030
26031 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
26032- atomic_set(&dev->counts[i], 0);
26033+ atomic_set_unchecked(&dev->counts[i], 0);
26034
26035 dev->sigdata.lock = NULL;
26036
26037@@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
26038
26039 retcode = drm_open_helper(inode, filp, dev);
26040 if (!retcode) {
26041- atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
26042- if (!dev->open_count++)
26043+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
26044+ if (local_inc_return(&dev->open_count) == 1)
26045 retcode = drm_setup(dev);
26046 }
26047 if (!retcode) {
26048@@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
26049
26050 mutex_lock(&drm_global_mutex);
26051
26052- DRM_DEBUG("open_count = %d\n", dev->open_count);
26053+ DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
26054
26055 if (dev->driver->preclose)
26056 dev->driver->preclose(dev, file_priv);
26057@@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
26058 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
26059 task_pid_nr(current),
26060 (long)old_encode_dev(file_priv->minor->device),
26061- dev->open_count);
26062+ local_read(&dev->open_count));
26063
26064 /* if the master has gone away we can't do anything with the lock */
26065 if (file_priv->minor->master)
26066@@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
26067 * End inline drm_release
26068 */
26069
26070- atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
26071- if (!--dev->open_count) {
26072+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
26073+ if (local_dec_and_test(&dev->open_count)) {
26074 if (atomic_read(&dev->ioctl_count)) {
26075 DRM_ERROR("Device busy: %d\n",
26076 atomic_read(&dev->ioctl_count));
26077diff -urNp linux-3.0.7/drivers/gpu/drm/drm_global.c linux-3.0.7/drivers/gpu/drm/drm_global.c
26078--- linux-3.0.7/drivers/gpu/drm/drm_global.c 2011-07-21 22:17:23.000000000 -0400
26079+++ linux-3.0.7/drivers/gpu/drm/drm_global.c 2011-08-23 21:47:55.000000000 -0400
26080@@ -36,7 +36,7 @@
26081 struct drm_global_item {
26082 struct mutex mutex;
26083 void *object;
26084- int refcount;
26085+ atomic_t refcount;
26086 };
26087
26088 static struct drm_global_item glob[DRM_GLOBAL_NUM];
26089@@ -49,7 +49,7 @@ void drm_global_init(void)
26090 struct drm_global_item *item = &glob[i];
26091 mutex_init(&item->mutex);
26092 item->object = NULL;
26093- item->refcount = 0;
26094+ atomic_set(&item->refcount, 0);
26095 }
26096 }
26097
26098@@ -59,7 +59,7 @@ void drm_global_release(void)
26099 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
26100 struct drm_global_item *item = &glob[i];
26101 BUG_ON(item->object != NULL);
26102- BUG_ON(item->refcount != 0);
26103+ BUG_ON(atomic_read(&item->refcount) != 0);
26104 }
26105 }
26106
26107@@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
26108 void *object;
26109
26110 mutex_lock(&item->mutex);
26111- if (item->refcount == 0) {
26112+ if (atomic_read(&item->refcount) == 0) {
26113 item->object = kzalloc(ref->size, GFP_KERNEL);
26114 if (unlikely(item->object == NULL)) {
26115 ret = -ENOMEM;
26116@@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
26117 goto out_err;
26118
26119 }
26120- ++item->refcount;
26121+ atomic_inc(&item->refcount);
26122 ref->object = item->object;
26123 object = item->object;
26124 mutex_unlock(&item->mutex);
26125@@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
26126 struct drm_global_item *item = &glob[ref->global_type];
26127
26128 mutex_lock(&item->mutex);
26129- BUG_ON(item->refcount == 0);
26130+ BUG_ON(atomic_read(&item->refcount) == 0);
26131 BUG_ON(ref->object != item->object);
26132- if (--item->refcount == 0) {
26133+ if (atomic_dec_and_test(&item->refcount)) {
26134 ref->release(ref);
26135 item->object = NULL;
26136 }
26137diff -urNp linux-3.0.7/drivers/gpu/drm/drm_info.c linux-3.0.7/drivers/gpu/drm/drm_info.c
26138--- linux-3.0.7/drivers/gpu/drm/drm_info.c 2011-07-21 22:17:23.000000000 -0400
26139+++ linux-3.0.7/drivers/gpu/drm/drm_info.c 2011-08-23 21:48:14.000000000 -0400
26140@@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
26141 struct drm_local_map *map;
26142 struct drm_map_list *r_list;
26143
26144- /* Hardcoded from _DRM_FRAME_BUFFER,
26145- _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
26146- _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
26147- const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
26148+ static const char * const types[] = {
26149+ [_DRM_FRAME_BUFFER] = "FB",
26150+ [_DRM_REGISTERS] = "REG",
26151+ [_DRM_SHM] = "SHM",
26152+ [_DRM_AGP] = "AGP",
26153+ [_DRM_SCATTER_GATHER] = "SG",
26154+ [_DRM_CONSISTENT] = "PCI",
26155+ [_DRM_GEM] = "GEM" };
26156 const char *type;
26157 int i;
26158
26159@@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
26160 map = r_list->map;
26161 if (!map)
26162 continue;
26163- if (map->type < 0 || map->type > 5)
26164+ if (map->type >= ARRAY_SIZE(types))
26165 type = "??";
26166 else
26167 type = types[map->type];
26168@@ -290,7 +294,11 @@ int drm_vma_info(struct seq_file *m, voi
26169 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
26170 vma->vm_flags & VM_LOCKED ? 'l' : '-',
26171 vma->vm_flags & VM_IO ? 'i' : '-',
26172+#ifdef CONFIG_GRKERNSEC_HIDESYM
26173+ 0);
26174+#else
26175 vma->vm_pgoff);
26176+#endif
26177
26178 #if defined(__i386__)
26179 pgprot = pgprot_val(vma->vm_page_prot);
26180diff -urNp linux-3.0.7/drivers/gpu/drm/drm_ioc32.c linux-3.0.7/drivers/gpu/drm/drm_ioc32.c
26181--- linux-3.0.7/drivers/gpu/drm/drm_ioc32.c 2011-07-21 22:17:23.000000000 -0400
26182+++ linux-3.0.7/drivers/gpu/drm/drm_ioc32.c 2011-10-06 04:17:55.000000000 -0400
26183@@ -455,7 +455,7 @@ static int compat_drm_infobufs(struct fi
26184 request = compat_alloc_user_space(nbytes);
26185 if (!access_ok(VERIFY_WRITE, request, nbytes))
26186 return -EFAULT;
26187- list = (struct drm_buf_desc *) (request + 1);
26188+ list = (struct drm_buf_desc __user *) (request + 1);
26189
26190 if (__put_user(count, &request->count)
26191 || __put_user(list, &request->list))
26192@@ -516,7 +516,7 @@ static int compat_drm_mapbufs(struct fil
26193 request = compat_alloc_user_space(nbytes);
26194 if (!access_ok(VERIFY_WRITE, request, nbytes))
26195 return -EFAULT;
26196- list = (struct drm_buf_pub *) (request + 1);
26197+ list = (struct drm_buf_pub __user *) (request + 1);
26198
26199 if (__put_user(count, &request->count)
26200 || __put_user(list, &request->list))
26201diff -urNp linux-3.0.7/drivers/gpu/drm/drm_ioctl.c linux-3.0.7/drivers/gpu/drm/drm_ioctl.c
26202--- linux-3.0.7/drivers/gpu/drm/drm_ioctl.c 2011-07-21 22:17:23.000000000 -0400
26203+++ linux-3.0.7/drivers/gpu/drm/drm_ioctl.c 2011-08-23 21:47:55.000000000 -0400
26204@@ -256,7 +256,7 @@ int drm_getstats(struct drm_device *dev,
26205 stats->data[i].value =
26206 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
26207 else
26208- stats->data[i].value = atomic_read(&dev->counts[i]);
26209+ stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
26210 stats->data[i].type = dev->types[i];
26211 }
26212
26213diff -urNp linux-3.0.7/drivers/gpu/drm/drm_lock.c linux-3.0.7/drivers/gpu/drm/drm_lock.c
26214--- linux-3.0.7/drivers/gpu/drm/drm_lock.c 2011-07-21 22:17:23.000000000 -0400
26215+++ linux-3.0.7/drivers/gpu/drm/drm_lock.c 2011-08-23 21:47:55.000000000 -0400
26216@@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
26217 if (drm_lock_take(&master->lock, lock->context)) {
26218 master->lock.file_priv = file_priv;
26219 master->lock.lock_time = jiffies;
26220- atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
26221+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
26222 break; /* Got lock */
26223 }
26224
26225@@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
26226 return -EINVAL;
26227 }
26228
26229- atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
26230+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
26231
26232 if (drm_lock_free(&master->lock, lock->context)) {
26233 /* FIXME: Should really bail out here. */
26234diff -urNp linux-3.0.7/drivers/gpu/drm/i810/i810_dma.c linux-3.0.7/drivers/gpu/drm/i810/i810_dma.c
26235--- linux-3.0.7/drivers/gpu/drm/i810/i810_dma.c 2011-07-21 22:17:23.000000000 -0400
26236+++ linux-3.0.7/drivers/gpu/drm/i810/i810_dma.c 2011-08-23 21:47:55.000000000 -0400
26237@@ -950,8 +950,8 @@ static int i810_dma_vertex(struct drm_de
26238 dma->buflist[vertex->idx],
26239 vertex->discard, vertex->used);
26240
26241- atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
26242- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
26243+ atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
26244+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
26245 sarea_priv->last_enqueue = dev_priv->counter - 1;
26246 sarea_priv->last_dispatch = (int)hw_status[5];
26247
26248@@ -1111,8 +1111,8 @@ static int i810_dma_mc(struct drm_device
26249 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
26250 mc->last_render);
26251
26252- atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
26253- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
26254+ atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
26255+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
26256 sarea_priv->last_enqueue = dev_priv->counter - 1;
26257 sarea_priv->last_dispatch = (int)hw_status[5];
26258
26259diff -urNp linux-3.0.7/drivers/gpu/drm/i810/i810_drv.h linux-3.0.7/drivers/gpu/drm/i810/i810_drv.h
26260--- linux-3.0.7/drivers/gpu/drm/i810/i810_drv.h 2011-07-21 22:17:23.000000000 -0400
26261+++ linux-3.0.7/drivers/gpu/drm/i810/i810_drv.h 2011-08-23 21:47:55.000000000 -0400
26262@@ -108,8 +108,8 @@ typedef struct drm_i810_private {
26263 int page_flipping;
26264
26265 wait_queue_head_t irq_queue;
26266- atomic_t irq_received;
26267- atomic_t irq_emitted;
26268+ atomic_unchecked_t irq_received;
26269+ atomic_unchecked_t irq_emitted;
26270
26271 int front_offset;
26272 } drm_i810_private_t;
26273diff -urNp linux-3.0.7/drivers/gpu/drm/i915/i915_debugfs.c linux-3.0.7/drivers/gpu/drm/i915/i915_debugfs.c
26274--- linux-3.0.7/drivers/gpu/drm/i915/i915_debugfs.c 2011-07-21 22:17:23.000000000 -0400
26275+++ linux-3.0.7/drivers/gpu/drm/i915/i915_debugfs.c 2011-10-06 04:17:55.000000000 -0400
26276@@ -497,7 +497,7 @@ static int i915_interrupt_info(struct se
26277 I915_READ(GTIMR));
26278 }
26279 seq_printf(m, "Interrupts received: %d\n",
26280- atomic_read(&dev_priv->irq_received));
26281+ atomic_read_unchecked(&dev_priv->irq_received));
26282 for (i = 0; i < I915_NUM_RINGS; i++) {
26283 if (IS_GEN6(dev)) {
26284 seq_printf(m, "Graphics Interrupt mask (%s): %08x\n",
26285@@ -1147,7 +1147,7 @@ static int i915_opregion(struct seq_file
26286 return ret;
26287
26288 if (opregion->header)
26289- seq_write(m, opregion->header, OPREGION_SIZE);
26290+ seq_write(m, (const void __force_kernel *)opregion->header, OPREGION_SIZE);
26291
26292 mutex_unlock(&dev->struct_mutex);
26293
26294diff -urNp linux-3.0.7/drivers/gpu/drm/i915/i915_dma.c linux-3.0.7/drivers/gpu/drm/i915/i915_dma.c
26295--- linux-3.0.7/drivers/gpu/drm/i915/i915_dma.c 2011-09-02 18:11:21.000000000 -0400
26296+++ linux-3.0.7/drivers/gpu/drm/i915/i915_dma.c 2011-08-23 21:47:55.000000000 -0400
26297@@ -1169,7 +1169,7 @@ static bool i915_switcheroo_can_switch(s
26298 bool can_switch;
26299
26300 spin_lock(&dev->count_lock);
26301- can_switch = (dev->open_count == 0);
26302+ can_switch = (local_read(&dev->open_count) == 0);
26303 spin_unlock(&dev->count_lock);
26304 return can_switch;
26305 }
26306diff -urNp linux-3.0.7/drivers/gpu/drm/i915/i915_drv.h linux-3.0.7/drivers/gpu/drm/i915/i915_drv.h
26307--- linux-3.0.7/drivers/gpu/drm/i915/i915_drv.h 2011-07-21 22:17:23.000000000 -0400
26308+++ linux-3.0.7/drivers/gpu/drm/i915/i915_drv.h 2011-08-23 21:47:55.000000000 -0400
26309@@ -219,7 +219,7 @@ struct drm_i915_display_funcs {
26310 /* render clock increase/decrease */
26311 /* display clock increase/decrease */
26312 /* pll clock increase/decrease */
26313-};
26314+} __no_const;
26315
26316 struct intel_device_info {
26317 u8 gen;
26318@@ -300,7 +300,7 @@ typedef struct drm_i915_private {
26319 int current_page;
26320 int page_flipping;
26321
26322- atomic_t irq_received;
26323+ atomic_unchecked_t irq_received;
26324
26325 /* protects the irq masks */
26326 spinlock_t irq_lock;
26327@@ -874,7 +874,7 @@ struct drm_i915_gem_object {
26328 * will be page flipped away on the next vblank. When it
26329 * reaches 0, dev_priv->pending_flip_queue will be woken up.
26330 */
26331- atomic_t pending_flip;
26332+ atomic_unchecked_t pending_flip;
26333 };
26334
26335 #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
26336@@ -1247,7 +1247,7 @@ extern int intel_setup_gmbus(struct drm_
26337 extern void intel_teardown_gmbus(struct drm_device *dev);
26338 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
26339 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
26340-extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
26341+static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
26342 {
26343 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
26344 }
26345diff -urNp linux-3.0.7/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-3.0.7/drivers/gpu/drm/i915/i915_gem_execbuffer.c
26346--- linux-3.0.7/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-07-21 22:17:23.000000000 -0400
26347+++ linux-3.0.7/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-08-23 21:47:55.000000000 -0400
26348@@ -188,7 +188,7 @@ i915_gem_object_set_to_gpu_domain(struct
26349 i915_gem_clflush_object(obj);
26350
26351 if (obj->base.pending_write_domain)
26352- cd->flips |= atomic_read(&obj->pending_flip);
26353+ cd->flips |= atomic_read_unchecked(&obj->pending_flip);
26354
26355 /* The actual obj->write_domain will be updated with
26356 * pending_write_domain after we emit the accumulated flush for all
26357diff -urNp linux-3.0.7/drivers/gpu/drm/i915/i915_irq.c linux-3.0.7/drivers/gpu/drm/i915/i915_irq.c
26358--- linux-3.0.7/drivers/gpu/drm/i915/i915_irq.c 2011-09-02 18:11:21.000000000 -0400
26359+++ linux-3.0.7/drivers/gpu/drm/i915/i915_irq.c 2011-08-23 21:47:55.000000000 -0400
26360@@ -473,7 +473,7 @@ static irqreturn_t ivybridge_irq_handler
26361 u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir;
26362 struct drm_i915_master_private *master_priv;
26363
26364- atomic_inc(&dev_priv->irq_received);
26365+ atomic_inc_unchecked(&dev_priv->irq_received);
26366
26367 /* disable master interrupt before clearing iir */
26368 de_ier = I915_READ(DEIER);
26369@@ -563,7 +563,7 @@ static irqreturn_t ironlake_irq_handler(
26370 struct drm_i915_master_private *master_priv;
26371 u32 bsd_usr_interrupt = GT_BSD_USER_INTERRUPT;
26372
26373- atomic_inc(&dev_priv->irq_received);
26374+ atomic_inc_unchecked(&dev_priv->irq_received);
26375
26376 if (IS_GEN6(dev))
26377 bsd_usr_interrupt = GT_GEN6_BSD_USER_INTERRUPT;
26378@@ -1226,7 +1226,7 @@ static irqreturn_t i915_driver_irq_handl
26379 int ret = IRQ_NONE, pipe;
26380 bool blc_event = false;
26381
26382- atomic_inc(&dev_priv->irq_received);
26383+ atomic_inc_unchecked(&dev_priv->irq_received);
26384
26385 iir = I915_READ(IIR);
26386
26387@@ -1735,7 +1735,7 @@ static void ironlake_irq_preinstall(stru
26388 {
26389 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
26390
26391- atomic_set(&dev_priv->irq_received, 0);
26392+ atomic_set_unchecked(&dev_priv->irq_received, 0);
26393
26394 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
26395 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
26396@@ -1899,7 +1899,7 @@ static void i915_driver_irq_preinstall(s
26397 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
26398 int pipe;
26399
26400- atomic_set(&dev_priv->irq_received, 0);
26401+ atomic_set_unchecked(&dev_priv->irq_received, 0);
26402
26403 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
26404 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
26405diff -urNp linux-3.0.7/drivers/gpu/drm/i915/intel_display.c linux-3.0.7/drivers/gpu/drm/i915/intel_display.c
26406--- linux-3.0.7/drivers/gpu/drm/i915/intel_display.c 2011-09-02 18:11:21.000000000 -0400
26407+++ linux-3.0.7/drivers/gpu/drm/i915/intel_display.c 2011-08-23 21:47:55.000000000 -0400
26408@@ -1961,7 +1961,7 @@ intel_pipe_set_base(struct drm_crtc *crt
26409
26410 wait_event(dev_priv->pending_flip_queue,
26411 atomic_read(&dev_priv->mm.wedged) ||
26412- atomic_read(&obj->pending_flip) == 0);
26413+ atomic_read_unchecked(&obj->pending_flip) == 0);
26414
26415 /* Big Hammer, we also need to ensure that any pending
26416 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
26417@@ -2548,7 +2548,7 @@ static void intel_crtc_wait_for_pending_
26418 obj = to_intel_framebuffer(crtc->fb)->obj;
26419 dev_priv = crtc->dev->dev_private;
26420 wait_event(dev_priv->pending_flip_queue,
26421- atomic_read(&obj->pending_flip) == 0);
26422+ atomic_read_unchecked(&obj->pending_flip) == 0);
26423 }
26424
26425 static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
26426@@ -6225,7 +6225,7 @@ static void do_intel_finish_page_flip(st
26427
26428 atomic_clear_mask(1 << intel_crtc->plane,
26429 &obj->pending_flip.counter);
26430- if (atomic_read(&obj->pending_flip) == 0)
26431+ if (atomic_read_unchecked(&obj->pending_flip) == 0)
26432 wake_up(&dev_priv->pending_flip_queue);
26433
26434 schedule_work(&work->work);
26435@@ -6514,7 +6514,7 @@ static int intel_crtc_page_flip(struct d
26436 /* Block clients from rendering to the new back buffer until
26437 * the flip occurs and the object is no longer visible.
26438 */
26439- atomic_add(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26440+ atomic_add_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26441
26442 ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
26443 if (ret)
26444@@ -6527,7 +6527,7 @@ static int intel_crtc_page_flip(struct d
26445 return 0;
26446
26447 cleanup_pending:
26448- atomic_sub(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26449+ atomic_sub_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26450 cleanup_objs:
26451 drm_gem_object_unreference(&work->old_fb_obj->base);
26452 drm_gem_object_unreference(&obj->base);
26453diff -urNp linux-3.0.7/drivers/gpu/drm/mga/mga_drv.h linux-3.0.7/drivers/gpu/drm/mga/mga_drv.h
26454--- linux-3.0.7/drivers/gpu/drm/mga/mga_drv.h 2011-07-21 22:17:23.000000000 -0400
26455+++ linux-3.0.7/drivers/gpu/drm/mga/mga_drv.h 2011-08-23 21:47:55.000000000 -0400
26456@@ -120,9 +120,9 @@ typedef struct drm_mga_private {
26457 u32 clear_cmd;
26458 u32 maccess;
26459
26460- atomic_t vbl_received; /**< Number of vblanks received. */
26461+ atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
26462 wait_queue_head_t fence_queue;
26463- atomic_t last_fence_retired;
26464+ atomic_unchecked_t last_fence_retired;
26465 u32 next_fence_to_post;
26466
26467 unsigned int fb_cpp;
26468diff -urNp linux-3.0.7/drivers/gpu/drm/mga/mga_irq.c linux-3.0.7/drivers/gpu/drm/mga/mga_irq.c
26469--- linux-3.0.7/drivers/gpu/drm/mga/mga_irq.c 2011-07-21 22:17:23.000000000 -0400
26470+++ linux-3.0.7/drivers/gpu/drm/mga/mga_irq.c 2011-08-23 21:47:55.000000000 -0400
26471@@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
26472 if (crtc != 0)
26473 return 0;
26474
26475- return atomic_read(&dev_priv->vbl_received);
26476+ return atomic_read_unchecked(&dev_priv->vbl_received);
26477 }
26478
26479
26480@@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
26481 /* VBLANK interrupt */
26482 if (status & MGA_VLINEPEN) {
26483 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
26484- atomic_inc(&dev_priv->vbl_received);
26485+ atomic_inc_unchecked(&dev_priv->vbl_received);
26486 drm_handle_vblank(dev, 0);
26487 handled = 1;
26488 }
26489@@ -79,7 +79,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
26490 if ((prim_start & ~0x03) != (prim_end & ~0x03))
26491 MGA_WRITE(MGA_PRIMEND, prim_end);
26492
26493- atomic_inc(&dev_priv->last_fence_retired);
26494+ atomic_inc_unchecked(&dev_priv->last_fence_retired);
26495 DRM_WAKEUP(&dev_priv->fence_queue);
26496 handled = 1;
26497 }
26498@@ -130,7 +130,7 @@ int mga_driver_fence_wait(struct drm_dev
26499 * using fences.
26500 */
26501 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
26502- (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
26503+ (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
26504 - *sequence) <= (1 << 23)));
26505
26506 *sequence = cur_fence;
26507diff -urNp linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_bios.c linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_bios.c
26508--- linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_bios.c 2011-07-21 22:17:23.000000000 -0400
26509+++ linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_bios.c 2011-08-26 19:49:56.000000000 -0400
26510@@ -200,7 +200,7 @@ struct methods {
26511 const char desc[8];
26512 void (*loadbios)(struct drm_device *, uint8_t *);
26513 const bool rw;
26514-};
26515+} __do_const;
26516
26517 static struct methods shadow_methods[] = {
26518 { "PRAMIN", load_vbios_pramin, true },
26519@@ -5488,7 +5488,7 @@ parse_bit_displayport_tbl_entry(struct d
26520 struct bit_table {
26521 const char id;
26522 int (* const parse_fn)(struct drm_device *, struct nvbios *, struct bit_entry *);
26523-};
26524+} __no_const;
26525
26526 #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry })
26527
26528diff -urNp linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_drv.h linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_drv.h
26529--- linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-07-21 22:17:23.000000000 -0400
26530+++ linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-08-23 21:47:55.000000000 -0400
26531@@ -227,7 +227,7 @@ struct nouveau_channel {
26532 struct list_head pending;
26533 uint32_t sequence;
26534 uint32_t sequence_ack;
26535- atomic_t last_sequence_irq;
26536+ atomic_unchecked_t last_sequence_irq;
26537 } fence;
26538
26539 /* DMA push buffer */
26540@@ -304,7 +304,7 @@ struct nouveau_exec_engine {
26541 u32 handle, u16 class);
26542 void (*set_tile_region)(struct drm_device *dev, int i);
26543 void (*tlb_flush)(struct drm_device *, int engine);
26544-};
26545+} __no_const;
26546
26547 struct nouveau_instmem_engine {
26548 void *priv;
26549@@ -325,13 +325,13 @@ struct nouveau_instmem_engine {
26550 struct nouveau_mc_engine {
26551 int (*init)(struct drm_device *dev);
26552 void (*takedown)(struct drm_device *dev);
26553-};
26554+} __no_const;
26555
26556 struct nouveau_timer_engine {
26557 int (*init)(struct drm_device *dev);
26558 void (*takedown)(struct drm_device *dev);
26559 uint64_t (*read)(struct drm_device *dev);
26560-};
26561+} __no_const;
26562
26563 struct nouveau_fb_engine {
26564 int num_tiles;
26565@@ -494,7 +494,7 @@ struct nouveau_vram_engine {
26566 void (*put)(struct drm_device *, struct nouveau_mem **);
26567
26568 bool (*flags_valid)(struct drm_device *, u32 tile_flags);
26569-};
26570+} __no_const;
26571
26572 struct nouveau_engine {
26573 struct nouveau_instmem_engine instmem;
26574@@ -640,7 +640,7 @@ struct drm_nouveau_private {
26575 struct drm_global_reference mem_global_ref;
26576 struct ttm_bo_global_ref bo_global_ref;
26577 struct ttm_bo_device bdev;
26578- atomic_t validate_sequence;
26579+ atomic_unchecked_t validate_sequence;
26580 } ttm;
26581
26582 struct {
26583diff -urNp linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_fence.c linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_fence.c
26584--- linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-07-21 22:17:23.000000000 -0400
26585+++ linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-08-23 21:47:55.000000000 -0400
26586@@ -85,7 +85,7 @@ nouveau_fence_update(struct nouveau_chan
26587 if (USE_REFCNT(dev))
26588 sequence = nvchan_rd32(chan, 0x48);
26589 else
26590- sequence = atomic_read(&chan->fence.last_sequence_irq);
26591+ sequence = atomic_read_unchecked(&chan->fence.last_sequence_irq);
26592
26593 if (chan->fence.sequence_ack == sequence)
26594 goto out;
26595@@ -544,7 +544,7 @@ nouveau_fence_channel_init(struct nouvea
26596
26597 INIT_LIST_HEAD(&chan->fence.pending);
26598 spin_lock_init(&chan->fence.lock);
26599- atomic_set(&chan->fence.last_sequence_irq, 0);
26600+ atomic_set_unchecked(&chan->fence.last_sequence_irq, 0);
26601 return 0;
26602 }
26603
26604diff -urNp linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_gem.c linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_gem.c
26605--- linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-07-21 22:17:23.000000000 -0400
26606+++ linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-08-23 21:47:55.000000000 -0400
26607@@ -249,7 +249,7 @@ validate_init(struct nouveau_channel *ch
26608 int trycnt = 0;
26609 int ret, i;
26610
26611- sequence = atomic_add_return(1, &dev_priv->ttm.validate_sequence);
26612+ sequence = atomic_add_return_unchecked(1, &dev_priv->ttm.validate_sequence);
26613 retry:
26614 if (++trycnt > 100000) {
26615 NV_ERROR(dev, "%s failed and gave up.\n", __func__);
26616diff -urNp linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_state.c linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_state.c
26617--- linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_state.c 2011-07-21 22:17:23.000000000 -0400
26618+++ linux-3.0.7/drivers/gpu/drm/nouveau/nouveau_state.c 2011-08-23 21:47:55.000000000 -0400
26619@@ -488,7 +488,7 @@ static bool nouveau_switcheroo_can_switc
26620 bool can_switch;
26621
26622 spin_lock(&dev->count_lock);
26623- can_switch = (dev->open_count == 0);
26624+ can_switch = (local_read(&dev->open_count) == 0);
26625 spin_unlock(&dev->count_lock);
26626 return can_switch;
26627 }
26628diff -urNp linux-3.0.7/drivers/gpu/drm/nouveau/nv04_graph.c linux-3.0.7/drivers/gpu/drm/nouveau/nv04_graph.c
26629--- linux-3.0.7/drivers/gpu/drm/nouveau/nv04_graph.c 2011-07-21 22:17:23.000000000 -0400
26630+++ linux-3.0.7/drivers/gpu/drm/nouveau/nv04_graph.c 2011-08-23 21:47:55.000000000 -0400
26631@@ -560,7 +560,7 @@ static int
26632 nv04_graph_mthd_set_ref(struct nouveau_channel *chan,
26633 u32 class, u32 mthd, u32 data)
26634 {
26635- atomic_set(&chan->fence.last_sequence_irq, data);
26636+ atomic_set_unchecked(&chan->fence.last_sequence_irq, data);
26637 return 0;
26638 }
26639
26640diff -urNp linux-3.0.7/drivers/gpu/drm/r128/r128_cce.c linux-3.0.7/drivers/gpu/drm/r128/r128_cce.c
26641--- linux-3.0.7/drivers/gpu/drm/r128/r128_cce.c 2011-07-21 22:17:23.000000000 -0400
26642+++ linux-3.0.7/drivers/gpu/drm/r128/r128_cce.c 2011-08-23 21:47:55.000000000 -0400
26643@@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
26644
26645 /* GH: Simple idle check.
26646 */
26647- atomic_set(&dev_priv->idle_count, 0);
26648+ atomic_set_unchecked(&dev_priv->idle_count, 0);
26649
26650 /* We don't support anything other than bus-mastering ring mode,
26651 * but the ring can be in either AGP or PCI space for the ring
26652diff -urNp linux-3.0.7/drivers/gpu/drm/r128/r128_drv.h linux-3.0.7/drivers/gpu/drm/r128/r128_drv.h
26653--- linux-3.0.7/drivers/gpu/drm/r128/r128_drv.h 2011-07-21 22:17:23.000000000 -0400
26654+++ linux-3.0.7/drivers/gpu/drm/r128/r128_drv.h 2011-08-23 21:47:55.000000000 -0400
26655@@ -90,14 +90,14 @@ typedef struct drm_r128_private {
26656 int is_pci;
26657 unsigned long cce_buffers_offset;
26658
26659- atomic_t idle_count;
26660+ atomic_unchecked_t idle_count;
26661
26662 int page_flipping;
26663 int current_page;
26664 u32 crtc_offset;
26665 u32 crtc_offset_cntl;
26666
26667- atomic_t vbl_received;
26668+ atomic_unchecked_t vbl_received;
26669
26670 u32 color_fmt;
26671 unsigned int front_offset;
26672diff -urNp linux-3.0.7/drivers/gpu/drm/r128/r128_irq.c linux-3.0.7/drivers/gpu/drm/r128/r128_irq.c
26673--- linux-3.0.7/drivers/gpu/drm/r128/r128_irq.c 2011-07-21 22:17:23.000000000 -0400
26674+++ linux-3.0.7/drivers/gpu/drm/r128/r128_irq.c 2011-08-23 21:47:55.000000000 -0400
26675@@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
26676 if (crtc != 0)
26677 return 0;
26678
26679- return atomic_read(&dev_priv->vbl_received);
26680+ return atomic_read_unchecked(&dev_priv->vbl_received);
26681 }
26682
26683 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
26684@@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
26685 /* VBLANK interrupt */
26686 if (status & R128_CRTC_VBLANK_INT) {
26687 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
26688- atomic_inc(&dev_priv->vbl_received);
26689+ atomic_inc_unchecked(&dev_priv->vbl_received);
26690 drm_handle_vblank(dev, 0);
26691 return IRQ_HANDLED;
26692 }
26693diff -urNp linux-3.0.7/drivers/gpu/drm/r128/r128_state.c linux-3.0.7/drivers/gpu/drm/r128/r128_state.c
26694--- linux-3.0.7/drivers/gpu/drm/r128/r128_state.c 2011-07-21 22:17:23.000000000 -0400
26695+++ linux-3.0.7/drivers/gpu/drm/r128/r128_state.c 2011-08-23 21:47:55.000000000 -0400
26696@@ -321,10 +321,10 @@ static void r128_clear_box(drm_r128_priv
26697
26698 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
26699 {
26700- if (atomic_read(&dev_priv->idle_count) == 0)
26701+ if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
26702 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
26703 else
26704- atomic_set(&dev_priv->idle_count, 0);
26705+ atomic_set_unchecked(&dev_priv->idle_count, 0);
26706 }
26707
26708 #endif
26709diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/atom.c linux-3.0.7/drivers/gpu/drm/radeon/atom.c
26710--- linux-3.0.7/drivers/gpu/drm/radeon/atom.c 2011-07-21 22:17:23.000000000 -0400
26711+++ linux-3.0.7/drivers/gpu/drm/radeon/atom.c 2011-08-23 21:48:14.000000000 -0400
26712@@ -1245,6 +1245,8 @@ struct atom_context *atom_parse(struct c
26713 char name[512];
26714 int i;
26715
26716+ pax_track_stack();
26717+
26718 ctx->card = card;
26719 ctx->bios = bios;
26720
26721diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/mkregtable.c linux-3.0.7/drivers/gpu/drm/radeon/mkregtable.c
26722--- linux-3.0.7/drivers/gpu/drm/radeon/mkregtable.c 2011-07-21 22:17:23.000000000 -0400
26723+++ linux-3.0.7/drivers/gpu/drm/radeon/mkregtable.c 2011-08-23 21:47:55.000000000 -0400
26724@@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
26725 regex_t mask_rex;
26726 regmatch_t match[4];
26727 char buf[1024];
26728- size_t end;
26729+ long end;
26730 int len;
26731 int done = 0;
26732 int r;
26733 unsigned o;
26734 struct offset *offset;
26735 char last_reg_s[10];
26736- int last_reg;
26737+ unsigned long last_reg;
26738
26739 if (regcomp
26740 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
26741diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/radeon.h linux-3.0.7/drivers/gpu/drm/radeon/radeon.h
26742--- linux-3.0.7/drivers/gpu/drm/radeon/radeon.h 2011-10-16 21:54:53.000000000 -0400
26743+++ linux-3.0.7/drivers/gpu/drm/radeon/radeon.h 2011-10-16 21:55:27.000000000 -0400
26744@@ -191,7 +191,7 @@ extern int sumo_get_temp(struct radeon_d
26745 */
26746 struct radeon_fence_driver {
26747 uint32_t scratch_reg;
26748- atomic_t seq;
26749+ atomic_unchecked_t seq;
26750 uint32_t last_seq;
26751 unsigned long last_jiffies;
26752 unsigned long last_timeout;
26753@@ -961,7 +961,7 @@ struct radeon_asic {
26754 void (*pre_page_flip)(struct radeon_device *rdev, int crtc);
26755 u32 (*page_flip)(struct radeon_device *rdev, int crtc, u64 crtc_base);
26756 void (*post_page_flip)(struct radeon_device *rdev, int crtc);
26757-};
26758+} __no_const;
26759
26760 /*
26761 * Asic structures
26762diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/radeon_atombios.c linux-3.0.7/drivers/gpu/drm/radeon/radeon_atombios.c
26763--- linux-3.0.7/drivers/gpu/drm/radeon/radeon_atombios.c 2011-07-21 22:17:23.000000000 -0400
26764+++ linux-3.0.7/drivers/gpu/drm/radeon/radeon_atombios.c 2011-08-23 21:48:14.000000000 -0400
26765@@ -545,6 +545,8 @@ bool radeon_get_atom_connector_info_from
26766 struct radeon_gpio_rec gpio;
26767 struct radeon_hpd hpd;
26768
26769+ pax_track_stack();
26770+
26771 if (!atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset))
26772 return false;
26773
26774diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/radeon_device.c linux-3.0.7/drivers/gpu/drm/radeon/radeon_device.c
26775--- linux-3.0.7/drivers/gpu/drm/radeon/radeon_device.c 2011-09-02 18:11:21.000000000 -0400
26776+++ linux-3.0.7/drivers/gpu/drm/radeon/radeon_device.c 2011-08-23 21:47:55.000000000 -0400
26777@@ -678,7 +678,7 @@ static bool radeon_switcheroo_can_switch
26778 bool can_switch;
26779
26780 spin_lock(&dev->count_lock);
26781- can_switch = (dev->open_count == 0);
26782+ can_switch = (local_read(&dev->open_count) == 0);
26783 spin_unlock(&dev->count_lock);
26784 return can_switch;
26785 }
26786diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/radeon_display.c linux-3.0.7/drivers/gpu/drm/radeon/radeon_display.c
26787--- linux-3.0.7/drivers/gpu/drm/radeon/radeon_display.c 2011-09-02 18:11:21.000000000 -0400
26788+++ linux-3.0.7/drivers/gpu/drm/radeon/radeon_display.c 2011-08-23 21:48:14.000000000 -0400
26789@@ -946,6 +946,8 @@ void radeon_compute_pll_legacy(struct ra
26790 uint32_t post_div;
26791 u32 pll_out_min, pll_out_max;
26792
26793+ pax_track_stack();
26794+
26795 DRM_DEBUG_KMS("PLL freq %llu %u %u\n", freq, pll->min_ref_div, pll->max_ref_div);
26796 freq = freq * 1000;
26797
26798diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/radeon_drv.h linux-3.0.7/drivers/gpu/drm/radeon/radeon_drv.h
26799--- linux-3.0.7/drivers/gpu/drm/radeon/radeon_drv.h 2011-07-21 22:17:23.000000000 -0400
26800+++ linux-3.0.7/drivers/gpu/drm/radeon/radeon_drv.h 2011-08-23 21:47:55.000000000 -0400
26801@@ -255,7 +255,7 @@ typedef struct drm_radeon_private {
26802
26803 /* SW interrupt */
26804 wait_queue_head_t swi_queue;
26805- atomic_t swi_emitted;
26806+ atomic_unchecked_t swi_emitted;
26807 int vblank_crtc;
26808 uint32_t irq_enable_reg;
26809 uint32_t r500_disp_irq_reg;
26810diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/radeon_fence.c linux-3.0.7/drivers/gpu/drm/radeon/radeon_fence.c
26811--- linux-3.0.7/drivers/gpu/drm/radeon/radeon_fence.c 2011-07-21 22:17:23.000000000 -0400
26812+++ linux-3.0.7/drivers/gpu/drm/radeon/radeon_fence.c 2011-08-23 21:47:55.000000000 -0400
26813@@ -78,7 +78,7 @@ int radeon_fence_emit(struct radeon_devi
26814 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
26815 return 0;
26816 }
26817- fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
26818+ fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
26819 if (!rdev->cp.ready)
26820 /* FIXME: cp is not running assume everythings is done right
26821 * away
26822@@ -373,7 +373,7 @@ int radeon_fence_driver_init(struct rade
26823 return r;
26824 }
26825 radeon_fence_write(rdev, 0);
26826- atomic_set(&rdev->fence_drv.seq, 0);
26827+ atomic_set_unchecked(&rdev->fence_drv.seq, 0);
26828 INIT_LIST_HEAD(&rdev->fence_drv.created);
26829 INIT_LIST_HEAD(&rdev->fence_drv.emited);
26830 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
26831diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/radeon_ioc32.c linux-3.0.7/drivers/gpu/drm/radeon/radeon_ioc32.c
26832--- linux-3.0.7/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-07-21 22:17:23.000000000 -0400
26833+++ linux-3.0.7/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-08-23 21:47:55.000000000 -0400
26834@@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
26835 request = compat_alloc_user_space(sizeof(*request));
26836 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
26837 || __put_user(req32.param, &request->param)
26838- || __put_user((void __user *)(unsigned long)req32.value,
26839+ || __put_user((unsigned long)req32.value,
26840 &request->value))
26841 return -EFAULT;
26842
26843diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/radeon_irq.c linux-3.0.7/drivers/gpu/drm/radeon/radeon_irq.c
26844--- linux-3.0.7/drivers/gpu/drm/radeon/radeon_irq.c 2011-07-21 22:17:23.000000000 -0400
26845+++ linux-3.0.7/drivers/gpu/drm/radeon/radeon_irq.c 2011-08-23 21:47:55.000000000 -0400
26846@@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
26847 unsigned int ret;
26848 RING_LOCALS;
26849
26850- atomic_inc(&dev_priv->swi_emitted);
26851- ret = atomic_read(&dev_priv->swi_emitted);
26852+ atomic_inc_unchecked(&dev_priv->swi_emitted);
26853+ ret = atomic_read_unchecked(&dev_priv->swi_emitted);
26854
26855 BEGIN_RING(4);
26856 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
26857@@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
26858 drm_radeon_private_t *dev_priv =
26859 (drm_radeon_private_t *) dev->dev_private;
26860
26861- atomic_set(&dev_priv->swi_emitted, 0);
26862+ atomic_set_unchecked(&dev_priv->swi_emitted, 0);
26863 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
26864
26865 dev->max_vblank_count = 0x001fffff;
26866diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/radeon_state.c linux-3.0.7/drivers/gpu/drm/radeon/radeon_state.c
26867--- linux-3.0.7/drivers/gpu/drm/radeon/radeon_state.c 2011-07-21 22:17:23.000000000 -0400
26868+++ linux-3.0.7/drivers/gpu/drm/radeon/radeon_state.c 2011-08-23 21:47:55.000000000 -0400
26869@@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
26870 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
26871 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
26872
26873- if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
26874+ if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
26875 sarea_priv->nbox * sizeof(depth_boxes[0])))
26876 return -EFAULT;
26877
26878@@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
26879 {
26880 drm_radeon_private_t *dev_priv = dev->dev_private;
26881 drm_radeon_getparam_t *param = data;
26882- int value;
26883+ int value = 0;
26884
26885 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
26886
26887diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/radeon_ttm.c linux-3.0.7/drivers/gpu/drm/radeon/radeon_ttm.c
26888--- linux-3.0.7/drivers/gpu/drm/radeon/radeon_ttm.c 2011-10-16 21:54:53.000000000 -0400
26889+++ linux-3.0.7/drivers/gpu/drm/radeon/radeon_ttm.c 2011-10-16 21:55:27.000000000 -0400
26890@@ -649,8 +649,10 @@ int radeon_mmap(struct file *filp, struc
26891 }
26892 if (unlikely(ttm_vm_ops == NULL)) {
26893 ttm_vm_ops = vma->vm_ops;
26894- radeon_ttm_vm_ops = *ttm_vm_ops;
26895- radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
26896+ pax_open_kernel();
26897+ memcpy((void *)&radeon_ttm_vm_ops, ttm_vm_ops, sizeof(radeon_ttm_vm_ops));
26898+ *(void **)&radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
26899+ pax_close_kernel();
26900 }
26901 vma->vm_ops = &radeon_ttm_vm_ops;
26902 return 0;
26903diff -urNp linux-3.0.7/drivers/gpu/drm/radeon/rs690.c linux-3.0.7/drivers/gpu/drm/radeon/rs690.c
26904--- linux-3.0.7/drivers/gpu/drm/radeon/rs690.c 2011-07-21 22:17:23.000000000 -0400
26905+++ linux-3.0.7/drivers/gpu/drm/radeon/rs690.c 2011-08-23 21:47:55.000000000 -0400
26906@@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
26907 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
26908 rdev->pm.sideport_bandwidth.full)
26909 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
26910- read_delay_latency.full = dfixed_const(370 * 800 * 1000);
26911+ read_delay_latency.full = dfixed_const(800 * 1000);
26912 read_delay_latency.full = dfixed_div(read_delay_latency,
26913 rdev->pm.igp_sideport_mclk);
26914+ a.full = dfixed_const(370);
26915+ read_delay_latency.full = dfixed_mul(read_delay_latency, a);
26916 } else {
26917 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
26918 rdev->pm.k8_bandwidth.full)
26919diff -urNp linux-3.0.7/drivers/gpu/drm/ttm/ttm_page_alloc.c linux-3.0.7/drivers/gpu/drm/ttm/ttm_page_alloc.c
26920--- linux-3.0.7/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-07-21 22:17:23.000000000 -0400
26921+++ linux-3.0.7/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-08-23 21:47:55.000000000 -0400
26922@@ -398,9 +398,9 @@ static int ttm_pool_get_num_unused_pages
26923 static int ttm_pool_mm_shrink(struct shrinker *shrink,
26924 struct shrink_control *sc)
26925 {
26926- static atomic_t start_pool = ATOMIC_INIT(0);
26927+ static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
26928 unsigned i;
26929- unsigned pool_offset = atomic_add_return(1, &start_pool);
26930+ unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
26931 struct ttm_page_pool *pool;
26932 int shrink_pages = sc->nr_to_scan;
26933
26934diff -urNp linux-3.0.7/drivers/gpu/drm/via/via_drv.h linux-3.0.7/drivers/gpu/drm/via/via_drv.h
26935--- linux-3.0.7/drivers/gpu/drm/via/via_drv.h 2011-07-21 22:17:23.000000000 -0400
26936+++ linux-3.0.7/drivers/gpu/drm/via/via_drv.h 2011-08-23 21:47:55.000000000 -0400
26937@@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
26938 typedef uint32_t maskarray_t[5];
26939
26940 typedef struct drm_via_irq {
26941- atomic_t irq_received;
26942+ atomic_unchecked_t irq_received;
26943 uint32_t pending_mask;
26944 uint32_t enable_mask;
26945 wait_queue_head_t irq_queue;
26946@@ -75,7 +75,7 @@ typedef struct drm_via_private {
26947 struct timeval last_vblank;
26948 int last_vblank_valid;
26949 unsigned usec_per_vblank;
26950- atomic_t vbl_received;
26951+ atomic_unchecked_t vbl_received;
26952 drm_via_state_t hc_state;
26953 char pci_buf[VIA_PCI_BUF_SIZE];
26954 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
26955diff -urNp linux-3.0.7/drivers/gpu/drm/via/via_irq.c linux-3.0.7/drivers/gpu/drm/via/via_irq.c
26956--- linux-3.0.7/drivers/gpu/drm/via/via_irq.c 2011-07-21 22:17:23.000000000 -0400
26957+++ linux-3.0.7/drivers/gpu/drm/via/via_irq.c 2011-08-23 21:47:55.000000000 -0400
26958@@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
26959 if (crtc != 0)
26960 return 0;
26961
26962- return atomic_read(&dev_priv->vbl_received);
26963+ return atomic_read_unchecked(&dev_priv->vbl_received);
26964 }
26965
26966 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
26967@@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
26968
26969 status = VIA_READ(VIA_REG_INTERRUPT);
26970 if (status & VIA_IRQ_VBLANK_PENDING) {
26971- atomic_inc(&dev_priv->vbl_received);
26972- if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
26973+ atomic_inc_unchecked(&dev_priv->vbl_received);
26974+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
26975 do_gettimeofday(&cur_vblank);
26976 if (dev_priv->last_vblank_valid) {
26977 dev_priv->usec_per_vblank =
26978@@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
26979 dev_priv->last_vblank = cur_vblank;
26980 dev_priv->last_vblank_valid = 1;
26981 }
26982- if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
26983+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
26984 DRM_DEBUG("US per vblank is: %u\n",
26985 dev_priv->usec_per_vblank);
26986 }
26987@@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
26988
26989 for (i = 0; i < dev_priv->num_irqs; ++i) {
26990 if (status & cur_irq->pending_mask) {
26991- atomic_inc(&cur_irq->irq_received);
26992+ atomic_inc_unchecked(&cur_irq->irq_received);
26993 DRM_WAKEUP(&cur_irq->irq_queue);
26994 handled = 1;
26995 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
26996@@ -243,11 +243,11 @@ via_driver_irq_wait(struct drm_device *d
26997 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
26998 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
26999 masks[irq][4]));
27000- cur_irq_sequence = atomic_read(&cur_irq->irq_received);
27001+ cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
27002 } else {
27003 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
27004 (((cur_irq_sequence =
27005- atomic_read(&cur_irq->irq_received)) -
27006+ atomic_read_unchecked(&cur_irq->irq_received)) -
27007 *sequence) <= (1 << 23)));
27008 }
27009 *sequence = cur_irq_sequence;
27010@@ -285,7 +285,7 @@ void via_driver_irq_preinstall(struct dr
27011 }
27012
27013 for (i = 0; i < dev_priv->num_irqs; ++i) {
27014- atomic_set(&cur_irq->irq_received, 0);
27015+ atomic_set_unchecked(&cur_irq->irq_received, 0);
27016 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
27017 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
27018 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
27019@@ -367,7 +367,7 @@ int via_wait_irq(struct drm_device *dev,
27020 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
27021 case VIA_IRQ_RELATIVE:
27022 irqwait->request.sequence +=
27023- atomic_read(&cur_irq->irq_received);
27024+ atomic_read_unchecked(&cur_irq->irq_received);
27025 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
27026 case VIA_IRQ_ABSOLUTE:
27027 break;
27028diff -urNp linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
27029--- linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-07-21 22:17:23.000000000 -0400
27030+++ linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-08-23 21:47:55.000000000 -0400
27031@@ -240,7 +240,7 @@ struct vmw_private {
27032 * Fencing and IRQs.
27033 */
27034
27035- atomic_t fence_seq;
27036+ atomic_unchecked_t fence_seq;
27037 wait_queue_head_t fence_queue;
27038 wait_queue_head_t fifo_queue;
27039 atomic_t fence_queue_waiters;
27040diff -urNp linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
27041--- linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c 2011-07-21 22:17:23.000000000 -0400
27042+++ linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c 2011-10-06 04:17:55.000000000 -0400
27043@@ -610,7 +610,7 @@ int vmw_execbuf_ioctl(struct drm_device
27044 struct drm_vmw_fence_rep fence_rep;
27045 struct drm_vmw_fence_rep __user *user_fence_rep;
27046 int ret;
27047- void *user_cmd;
27048+ void __user *user_cmd;
27049 void *cmd;
27050 uint32_t sequence;
27051 struct vmw_sw_context *sw_context = &dev_priv->ctx;
27052diff -urNp linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
27053--- linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-07-21 22:17:23.000000000 -0400
27054+++ linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-08-23 21:47:55.000000000 -0400
27055@@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev
27056 while (!vmw_lag_lt(queue, us)) {
27057 spin_lock(&queue->lock);
27058 if (list_empty(&queue->head))
27059- sequence = atomic_read(&dev_priv->fence_seq);
27060+ sequence = atomic_read_unchecked(&dev_priv->fence_seq);
27061 else {
27062 fence = list_first_entry(&queue->head,
27063 struct vmw_fence, head);
27064diff -urNp linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
27065--- linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-07-21 22:17:23.000000000 -0400
27066+++ linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-10-06 04:17:55.000000000 -0400
27067@@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
27068 (unsigned int) min,
27069 (unsigned int) fifo->capabilities);
27070
27071- atomic_set(&dev_priv->fence_seq, dev_priv->last_read_sequence);
27072+ atomic_set_unchecked(&dev_priv->fence_seq, dev_priv->last_read_sequence);
27073 iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
27074 vmw_fence_queue_init(&fifo->fence_queue);
27075 return vmw_fifo_send_fence(dev_priv, &dummy);
27076@@ -356,7 +356,7 @@ void *vmw_fifo_reserve(struct vmw_privat
27077 if (reserveable)
27078 iowrite32(bytes, fifo_mem +
27079 SVGA_FIFO_RESERVED);
27080- return fifo_mem + (next_cmd >> 2);
27081+ return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2);
27082 } else {
27083 need_bounce = true;
27084 }
27085@@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
27086
27087 fm = vmw_fifo_reserve(dev_priv, bytes);
27088 if (unlikely(fm == NULL)) {
27089- *sequence = atomic_read(&dev_priv->fence_seq);
27090+ *sequence = atomic_read_unchecked(&dev_priv->fence_seq);
27091 ret = -ENOMEM;
27092 (void)vmw_fallback_wait(dev_priv, false, true, *sequence,
27093 false, 3*HZ);
27094@@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_priva
27095 }
27096
27097 do {
27098- *sequence = atomic_add_return(1, &dev_priv->fence_seq);
27099+ *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
27100 } while (*sequence == 0);
27101
27102 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
27103diff -urNp linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
27104--- linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-07-21 22:17:23.000000000 -0400
27105+++ linux-3.0.7/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-08-23 21:47:55.000000000 -0400
27106@@ -100,7 +100,7 @@ bool vmw_fence_signaled(struct vmw_priva
27107 * emitted. Then the fence is stale and signaled.
27108 */
27109
27110- ret = ((atomic_read(&dev_priv->fence_seq) - sequence)
27111+ ret = ((atomic_read_unchecked(&dev_priv->fence_seq) - sequence)
27112 > VMW_FENCE_WRAP);
27113
27114 return ret;
27115@@ -131,7 +131,7 @@ int vmw_fallback_wait(struct vmw_private
27116
27117 if (fifo_idle)
27118 down_read(&fifo_state->rwsem);
27119- signal_seq = atomic_read(&dev_priv->fence_seq);
27120+ signal_seq = atomic_read_unchecked(&dev_priv->fence_seq);
27121 ret = 0;
27122
27123 for (;;) {
27124diff -urNp linux-3.0.7/drivers/hid/hid-core.c linux-3.0.7/drivers/hid/hid-core.c
27125--- linux-3.0.7/drivers/hid/hid-core.c 2011-07-21 22:17:23.000000000 -0400
27126+++ linux-3.0.7/drivers/hid/hid-core.c 2011-08-23 21:47:55.000000000 -0400
27127@@ -1923,7 +1923,7 @@ static bool hid_ignore(struct hid_device
27128
27129 int hid_add_device(struct hid_device *hdev)
27130 {
27131- static atomic_t id = ATOMIC_INIT(0);
27132+ static atomic_unchecked_t id = ATOMIC_INIT(0);
27133 int ret;
27134
27135 if (WARN_ON(hdev->status & HID_STAT_ADDED))
27136@@ -1938,7 +1938,7 @@ int hid_add_device(struct hid_device *hd
27137 /* XXX hack, any other cleaner solution after the driver core
27138 * is converted to allow more than 20 bytes as the device name? */
27139 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
27140- hdev->vendor, hdev->product, atomic_inc_return(&id));
27141+ hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
27142
27143 hid_debug_register(hdev, dev_name(&hdev->dev));
27144 ret = device_add(&hdev->dev);
27145diff -urNp linux-3.0.7/drivers/hid/usbhid/hiddev.c linux-3.0.7/drivers/hid/usbhid/hiddev.c
27146--- linux-3.0.7/drivers/hid/usbhid/hiddev.c 2011-07-21 22:17:23.000000000 -0400
27147+++ linux-3.0.7/drivers/hid/usbhid/hiddev.c 2011-08-23 21:47:55.000000000 -0400
27148@@ -624,7 +624,7 @@ static long hiddev_ioctl(struct file *fi
27149 break;
27150
27151 case HIDIOCAPPLICATION:
27152- if (arg < 0 || arg >= hid->maxapplication)
27153+ if (arg >= hid->maxapplication)
27154 break;
27155
27156 for (i = 0; i < hid->maxcollection; i++)
27157diff -urNp linux-3.0.7/drivers/hwmon/acpi_power_meter.c linux-3.0.7/drivers/hwmon/acpi_power_meter.c
27158--- linux-3.0.7/drivers/hwmon/acpi_power_meter.c 2011-07-21 22:17:23.000000000 -0400
27159+++ linux-3.0.7/drivers/hwmon/acpi_power_meter.c 2011-08-23 21:47:55.000000000 -0400
27160@@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
27161 return res;
27162
27163 temp /= 1000;
27164- if (temp < 0)
27165- return -EINVAL;
27166
27167 mutex_lock(&resource->lock);
27168 resource->trip[attr->index - 7] = temp;
27169diff -urNp linux-3.0.7/drivers/hwmon/sht15.c linux-3.0.7/drivers/hwmon/sht15.c
27170--- linux-3.0.7/drivers/hwmon/sht15.c 2011-07-21 22:17:23.000000000 -0400
27171+++ linux-3.0.7/drivers/hwmon/sht15.c 2011-08-23 21:47:55.000000000 -0400
27172@@ -166,7 +166,7 @@ struct sht15_data {
27173 int supply_uV;
27174 bool supply_uV_valid;
27175 struct work_struct update_supply_work;
27176- atomic_t interrupt_handled;
27177+ atomic_unchecked_t interrupt_handled;
27178 };
27179
27180 /**
27181@@ -509,13 +509,13 @@ static int sht15_measurement(struct sht1
27182 return ret;
27183
27184 gpio_direction_input(data->pdata->gpio_data);
27185- atomic_set(&data->interrupt_handled, 0);
27186+ atomic_set_unchecked(&data->interrupt_handled, 0);
27187
27188 enable_irq(gpio_to_irq(data->pdata->gpio_data));
27189 if (gpio_get_value(data->pdata->gpio_data) == 0) {
27190 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
27191 /* Only relevant if the interrupt hasn't occurred. */
27192- if (!atomic_read(&data->interrupt_handled))
27193+ if (!atomic_read_unchecked(&data->interrupt_handled))
27194 schedule_work(&data->read_work);
27195 }
27196 ret = wait_event_timeout(data->wait_queue,
27197@@ -782,7 +782,7 @@ static irqreturn_t sht15_interrupt_fired
27198
27199 /* First disable the interrupt */
27200 disable_irq_nosync(irq);
27201- atomic_inc(&data->interrupt_handled);
27202+ atomic_inc_unchecked(&data->interrupt_handled);
27203 /* Then schedule a reading work struct */
27204 if (data->state != SHT15_READING_NOTHING)
27205 schedule_work(&data->read_work);
27206@@ -804,11 +804,11 @@ static void sht15_bh_read_data(struct wo
27207 * If not, then start the interrupt again - care here as could
27208 * have gone low in meantime so verify it hasn't!
27209 */
27210- atomic_set(&data->interrupt_handled, 0);
27211+ atomic_set_unchecked(&data->interrupt_handled, 0);
27212 enable_irq(gpio_to_irq(data->pdata->gpio_data));
27213 /* If still not occurred or another handler has been scheduled */
27214 if (gpio_get_value(data->pdata->gpio_data)
27215- || atomic_read(&data->interrupt_handled))
27216+ || atomic_read_unchecked(&data->interrupt_handled))
27217 return;
27218 }
27219
27220diff -urNp linux-3.0.7/drivers/hwmon/w83791d.c linux-3.0.7/drivers/hwmon/w83791d.c
27221--- linux-3.0.7/drivers/hwmon/w83791d.c 2011-07-21 22:17:23.000000000 -0400
27222+++ linux-3.0.7/drivers/hwmon/w83791d.c 2011-08-23 21:47:55.000000000 -0400
27223@@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
27224 struct i2c_board_info *info);
27225 static int w83791d_remove(struct i2c_client *client);
27226
27227-static int w83791d_read(struct i2c_client *client, u8 register);
27228-static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
27229+static int w83791d_read(struct i2c_client *client, u8 reg);
27230+static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
27231 static struct w83791d_data *w83791d_update_device(struct device *dev);
27232
27233 #ifdef DEBUG
27234diff -urNp linux-3.0.7/drivers/i2c/busses/i2c-amd756-s4882.c linux-3.0.7/drivers/i2c/busses/i2c-amd756-s4882.c
27235--- linux-3.0.7/drivers/i2c/busses/i2c-amd756-s4882.c 2011-07-21 22:17:23.000000000 -0400
27236+++ linux-3.0.7/drivers/i2c/busses/i2c-amd756-s4882.c 2011-08-23 21:47:55.000000000 -0400
27237@@ -43,7 +43,7 @@
27238 extern struct i2c_adapter amd756_smbus;
27239
27240 static struct i2c_adapter *s4882_adapter;
27241-static struct i2c_algorithm *s4882_algo;
27242+static i2c_algorithm_no_const *s4882_algo;
27243
27244 /* Wrapper access functions for multiplexed SMBus */
27245 static DEFINE_MUTEX(amd756_lock);
27246diff -urNp linux-3.0.7/drivers/i2c/busses/i2c-nforce2-s4985.c linux-3.0.7/drivers/i2c/busses/i2c-nforce2-s4985.c
27247--- linux-3.0.7/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-07-21 22:17:23.000000000 -0400
27248+++ linux-3.0.7/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-08-23 21:47:55.000000000 -0400
27249@@ -41,7 +41,7 @@
27250 extern struct i2c_adapter *nforce2_smbus;
27251
27252 static struct i2c_adapter *s4985_adapter;
27253-static struct i2c_algorithm *s4985_algo;
27254+static i2c_algorithm_no_const *s4985_algo;
27255
27256 /* Wrapper access functions for multiplexed SMBus */
27257 static DEFINE_MUTEX(nforce2_lock);
27258diff -urNp linux-3.0.7/drivers/i2c/i2c-mux.c linux-3.0.7/drivers/i2c/i2c-mux.c
27259--- linux-3.0.7/drivers/i2c/i2c-mux.c 2011-07-21 22:17:23.000000000 -0400
27260+++ linux-3.0.7/drivers/i2c/i2c-mux.c 2011-08-23 21:47:55.000000000 -0400
27261@@ -28,7 +28,7 @@
27262 /* multiplexer per channel data */
27263 struct i2c_mux_priv {
27264 struct i2c_adapter adap;
27265- struct i2c_algorithm algo;
27266+ i2c_algorithm_no_const algo;
27267
27268 struct i2c_adapter *parent;
27269 void *mux_dev; /* the mux chip/device */
27270diff -urNp linux-3.0.7/drivers/ide/aec62xx.c linux-3.0.7/drivers/ide/aec62xx.c
27271--- linux-3.0.7/drivers/ide/aec62xx.c 2011-07-21 22:17:23.000000000 -0400
27272+++ linux-3.0.7/drivers/ide/aec62xx.c 2011-10-11 10:44:33.000000000 -0400
27273@@ -181,7 +181,7 @@ static const struct ide_port_ops atp86x_
27274 .cable_detect = atp86x_cable_detect,
27275 };
27276
27277-static const struct ide_port_info aec62xx_chipsets[] __devinitdata = {
27278+static const struct ide_port_info aec62xx_chipsets[] __devinitconst = {
27279 { /* 0: AEC6210 */
27280 .name = DRV_NAME,
27281 .init_chipset = init_chipset_aec62xx,
27282diff -urNp linux-3.0.7/drivers/ide/alim15x3.c linux-3.0.7/drivers/ide/alim15x3.c
27283--- linux-3.0.7/drivers/ide/alim15x3.c 2011-07-21 22:17:23.000000000 -0400
27284+++ linux-3.0.7/drivers/ide/alim15x3.c 2011-10-11 10:44:33.000000000 -0400
27285@@ -512,7 +512,7 @@ static const struct ide_dma_ops ali_dma_
27286 .dma_sff_read_status = ide_dma_sff_read_status,
27287 };
27288
27289-static const struct ide_port_info ali15x3_chipset __devinitdata = {
27290+static const struct ide_port_info ali15x3_chipset __devinitconst = {
27291 .name = DRV_NAME,
27292 .init_chipset = init_chipset_ali15x3,
27293 .init_hwif = init_hwif_ali15x3,
27294diff -urNp linux-3.0.7/drivers/ide/amd74xx.c linux-3.0.7/drivers/ide/amd74xx.c
27295--- linux-3.0.7/drivers/ide/amd74xx.c 2011-07-21 22:17:23.000000000 -0400
27296+++ linux-3.0.7/drivers/ide/amd74xx.c 2011-10-11 10:44:33.000000000 -0400
27297@@ -223,7 +223,7 @@ static const struct ide_port_ops amd_por
27298 .udma_mask = udma, \
27299 }
27300
27301-static const struct ide_port_info amd74xx_chipsets[] __devinitdata = {
27302+static const struct ide_port_info amd74xx_chipsets[] __devinitconst = {
27303 /* 0: AMD7401 */ DECLARE_AMD_DEV(0x00, ATA_UDMA2),
27304 /* 1: AMD7409 */ DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA4),
27305 /* 2: AMD7411/7441 */ DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA5),
27306diff -urNp linux-3.0.7/drivers/ide/atiixp.c linux-3.0.7/drivers/ide/atiixp.c
27307--- linux-3.0.7/drivers/ide/atiixp.c 2011-07-21 22:17:23.000000000 -0400
27308+++ linux-3.0.7/drivers/ide/atiixp.c 2011-10-11 10:44:33.000000000 -0400
27309@@ -139,7 +139,7 @@ static const struct ide_port_ops atiixp_
27310 .cable_detect = atiixp_cable_detect,
27311 };
27312
27313-static const struct ide_port_info atiixp_pci_info[] __devinitdata = {
27314+static const struct ide_port_info atiixp_pci_info[] __devinitconst = {
27315 { /* 0: IXP200/300/400/700 */
27316 .name = DRV_NAME,
27317 .enablebits = {{0x48,0x01,0x00}, {0x48,0x08,0x00}},
27318diff -urNp linux-3.0.7/drivers/ide/cmd64x.c linux-3.0.7/drivers/ide/cmd64x.c
27319--- linux-3.0.7/drivers/ide/cmd64x.c 2011-07-21 22:17:23.000000000 -0400
27320+++ linux-3.0.7/drivers/ide/cmd64x.c 2011-10-11 10:44:33.000000000 -0400
27321@@ -327,7 +327,7 @@ static const struct ide_dma_ops cmd646_r
27322 .dma_sff_read_status = ide_dma_sff_read_status,
27323 };
27324
27325-static const struct ide_port_info cmd64x_chipsets[] __devinitdata = {
27326+static const struct ide_port_info cmd64x_chipsets[] __devinitconst = {
27327 { /* 0: CMD643 */
27328 .name = DRV_NAME,
27329 .init_chipset = init_chipset_cmd64x,
27330diff -urNp linux-3.0.7/drivers/ide/cs5520.c linux-3.0.7/drivers/ide/cs5520.c
27331--- linux-3.0.7/drivers/ide/cs5520.c 2011-07-21 22:17:23.000000000 -0400
27332+++ linux-3.0.7/drivers/ide/cs5520.c 2011-10-11 10:44:33.000000000 -0400
27333@@ -94,7 +94,7 @@ static const struct ide_port_ops cs5520_
27334 .set_dma_mode = cs5520_set_dma_mode,
27335 };
27336
27337-static const struct ide_port_info cyrix_chipset __devinitdata = {
27338+static const struct ide_port_info cyrix_chipset __devinitconst = {
27339 .name = DRV_NAME,
27340 .enablebits = { { 0x60, 0x01, 0x01 }, { 0x60, 0x02, 0x02 } },
27341 .port_ops = &cs5520_port_ops,
27342diff -urNp linux-3.0.7/drivers/ide/cs5530.c linux-3.0.7/drivers/ide/cs5530.c
27343--- linux-3.0.7/drivers/ide/cs5530.c 2011-07-21 22:17:23.000000000 -0400
27344+++ linux-3.0.7/drivers/ide/cs5530.c 2011-10-11 10:44:33.000000000 -0400
27345@@ -245,7 +245,7 @@ static const struct ide_port_ops cs5530_
27346 .udma_filter = cs5530_udma_filter,
27347 };
27348
27349-static const struct ide_port_info cs5530_chipset __devinitdata = {
27350+static const struct ide_port_info cs5530_chipset __devinitconst = {
27351 .name = DRV_NAME,
27352 .init_chipset = init_chipset_cs5530,
27353 .init_hwif = init_hwif_cs5530,
27354diff -urNp linux-3.0.7/drivers/ide/cs5535.c linux-3.0.7/drivers/ide/cs5535.c
27355--- linux-3.0.7/drivers/ide/cs5535.c 2011-07-21 22:17:23.000000000 -0400
27356+++ linux-3.0.7/drivers/ide/cs5535.c 2011-10-11 10:44:33.000000000 -0400
27357@@ -170,7 +170,7 @@ static const struct ide_port_ops cs5535_
27358 .cable_detect = cs5535_cable_detect,
27359 };
27360
27361-static const struct ide_port_info cs5535_chipset __devinitdata = {
27362+static const struct ide_port_info cs5535_chipset __devinitconst = {
27363 .name = DRV_NAME,
27364 .port_ops = &cs5535_port_ops,
27365 .host_flags = IDE_HFLAG_SINGLE | IDE_HFLAG_POST_SET_MODE,
27366diff -urNp linux-3.0.7/drivers/ide/cy82c693.c linux-3.0.7/drivers/ide/cy82c693.c
27367--- linux-3.0.7/drivers/ide/cy82c693.c 2011-07-21 22:17:23.000000000 -0400
27368+++ linux-3.0.7/drivers/ide/cy82c693.c 2011-10-11 10:44:33.000000000 -0400
27369@@ -161,7 +161,7 @@ static const struct ide_port_ops cy82c69
27370 .set_dma_mode = cy82c693_set_dma_mode,
27371 };
27372
27373-static const struct ide_port_info cy82c693_chipset __devinitdata = {
27374+static const struct ide_port_info cy82c693_chipset __devinitconst = {
27375 .name = DRV_NAME,
27376 .init_iops = init_iops_cy82c693,
27377 .port_ops = &cy82c693_port_ops,
27378diff -urNp linux-3.0.7/drivers/ide/hpt366.c linux-3.0.7/drivers/ide/hpt366.c
27379--- linux-3.0.7/drivers/ide/hpt366.c 2011-07-21 22:17:23.000000000 -0400
27380+++ linux-3.0.7/drivers/ide/hpt366.c 2011-10-11 10:44:33.000000000 -0400
27381@@ -443,7 +443,7 @@ static struct hpt_timings hpt37x_timings
27382 }
27383 };
27384
27385-static const struct hpt_info hpt36x __devinitdata = {
27386+static const struct hpt_info hpt36x __devinitconst = {
27387 .chip_name = "HPT36x",
27388 .chip_type = HPT36x,
27389 .udma_mask = HPT366_ALLOW_ATA66_3 ? (HPT366_ALLOW_ATA66_4 ? ATA_UDMA4 : ATA_UDMA3) : ATA_UDMA2,
27390@@ -451,7 +451,7 @@ static const struct hpt_info hpt36x __de
27391 .timings = &hpt36x_timings
27392 };
27393
27394-static const struct hpt_info hpt370 __devinitdata = {
27395+static const struct hpt_info hpt370 __devinitconst = {
27396 .chip_name = "HPT370",
27397 .chip_type = HPT370,
27398 .udma_mask = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
27399@@ -459,7 +459,7 @@ static const struct hpt_info hpt370 __de
27400 .timings = &hpt37x_timings
27401 };
27402
27403-static const struct hpt_info hpt370a __devinitdata = {
27404+static const struct hpt_info hpt370a __devinitconst = {
27405 .chip_name = "HPT370A",
27406 .chip_type = HPT370A,
27407 .udma_mask = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
27408@@ -467,7 +467,7 @@ static const struct hpt_info hpt370a __d
27409 .timings = &hpt37x_timings
27410 };
27411
27412-static const struct hpt_info hpt374 __devinitdata = {
27413+static const struct hpt_info hpt374 __devinitconst = {
27414 .chip_name = "HPT374",
27415 .chip_type = HPT374,
27416 .udma_mask = ATA_UDMA5,
27417@@ -475,7 +475,7 @@ static const struct hpt_info hpt374 __de
27418 .timings = &hpt37x_timings
27419 };
27420
27421-static const struct hpt_info hpt372 __devinitdata = {
27422+static const struct hpt_info hpt372 __devinitconst = {
27423 .chip_name = "HPT372",
27424 .chip_type = HPT372,
27425 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27426@@ -483,7 +483,7 @@ static const struct hpt_info hpt372 __de
27427 .timings = &hpt37x_timings
27428 };
27429
27430-static const struct hpt_info hpt372a __devinitdata = {
27431+static const struct hpt_info hpt372a __devinitconst = {
27432 .chip_name = "HPT372A",
27433 .chip_type = HPT372A,
27434 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27435@@ -491,7 +491,7 @@ static const struct hpt_info hpt372a __d
27436 .timings = &hpt37x_timings
27437 };
27438
27439-static const struct hpt_info hpt302 __devinitdata = {
27440+static const struct hpt_info hpt302 __devinitconst = {
27441 .chip_name = "HPT302",
27442 .chip_type = HPT302,
27443 .udma_mask = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27444@@ -499,7 +499,7 @@ static const struct hpt_info hpt302 __de
27445 .timings = &hpt37x_timings
27446 };
27447
27448-static const struct hpt_info hpt371 __devinitdata = {
27449+static const struct hpt_info hpt371 __devinitconst = {
27450 .chip_name = "HPT371",
27451 .chip_type = HPT371,
27452 .udma_mask = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27453@@ -507,7 +507,7 @@ static const struct hpt_info hpt371 __de
27454 .timings = &hpt37x_timings
27455 };
27456
27457-static const struct hpt_info hpt372n __devinitdata = {
27458+static const struct hpt_info hpt372n __devinitconst = {
27459 .chip_name = "HPT372N",
27460 .chip_type = HPT372N,
27461 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27462@@ -515,7 +515,7 @@ static const struct hpt_info hpt372n __d
27463 .timings = &hpt37x_timings
27464 };
27465
27466-static const struct hpt_info hpt302n __devinitdata = {
27467+static const struct hpt_info hpt302n __devinitconst = {
27468 .chip_name = "HPT302N",
27469 .chip_type = HPT302N,
27470 .udma_mask = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27471@@ -523,7 +523,7 @@ static const struct hpt_info hpt302n __d
27472 .timings = &hpt37x_timings
27473 };
27474
27475-static const struct hpt_info hpt371n __devinitdata = {
27476+static const struct hpt_info hpt371n __devinitconst = {
27477 .chip_name = "HPT371N",
27478 .chip_type = HPT371N,
27479 .udma_mask = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27480@@ -1361,7 +1361,7 @@ static const struct ide_dma_ops hpt36x_d
27481 .dma_sff_read_status = ide_dma_sff_read_status,
27482 };
27483
27484-static const struct ide_port_info hpt366_chipsets[] __devinitdata = {
27485+static const struct ide_port_info hpt366_chipsets[] __devinitconst = {
27486 { /* 0: HPT36x */
27487 .name = DRV_NAME,
27488 .init_chipset = init_chipset_hpt366,
27489diff -urNp linux-3.0.7/drivers/ide/ide-cd.c linux-3.0.7/drivers/ide/ide-cd.c
27490--- linux-3.0.7/drivers/ide/ide-cd.c 2011-07-21 22:17:23.000000000 -0400
27491+++ linux-3.0.7/drivers/ide/ide-cd.c 2011-08-23 21:47:55.000000000 -0400
27492@@ -769,7 +769,7 @@ static void cdrom_do_block_pc(ide_drive_
27493 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
27494 if ((unsigned long)buf & alignment
27495 || blk_rq_bytes(rq) & q->dma_pad_mask
27496- || object_is_on_stack(buf))
27497+ || object_starts_on_stack(buf))
27498 drive->dma = 0;
27499 }
27500 }
27501diff -urNp linux-3.0.7/drivers/ide/ide-floppy.c linux-3.0.7/drivers/ide/ide-floppy.c
27502--- linux-3.0.7/drivers/ide/ide-floppy.c 2011-07-21 22:17:23.000000000 -0400
27503+++ linux-3.0.7/drivers/ide/ide-floppy.c 2011-08-23 21:48:14.000000000 -0400
27504@@ -379,6 +379,8 @@ static int ide_floppy_get_capacity(ide_d
27505 u8 pc_buf[256], header_len, desc_cnt;
27506 int i, rc = 1, blocks, length;
27507
27508+ pax_track_stack();
27509+
27510 ide_debug_log(IDE_DBG_FUNC, "enter");
27511
27512 drive->bios_cyl = 0;
27513diff -urNp linux-3.0.7/drivers/ide/ide-pci-generic.c linux-3.0.7/drivers/ide/ide-pci-generic.c
27514--- linux-3.0.7/drivers/ide/ide-pci-generic.c 2011-07-21 22:17:23.000000000 -0400
27515+++ linux-3.0.7/drivers/ide/ide-pci-generic.c 2011-10-11 10:44:33.000000000 -0400
27516@@ -53,7 +53,7 @@ static const struct ide_port_ops netcell
27517 .udma_mask = ATA_UDMA6, \
27518 }
27519
27520-static const struct ide_port_info generic_chipsets[] __devinitdata = {
27521+static const struct ide_port_info generic_chipsets[] __devinitconst = {
27522 /* 0: Unknown */
27523 DECLARE_GENERIC_PCI_DEV(0),
27524
27525diff -urNp linux-3.0.7/drivers/ide/it8172.c linux-3.0.7/drivers/ide/it8172.c
27526--- linux-3.0.7/drivers/ide/it8172.c 2011-07-21 22:17:23.000000000 -0400
27527+++ linux-3.0.7/drivers/ide/it8172.c 2011-10-11 10:44:33.000000000 -0400
27528@@ -115,7 +115,7 @@ static const struct ide_port_ops it8172_
27529 .set_dma_mode = it8172_set_dma_mode,
27530 };
27531
27532-static const struct ide_port_info it8172_port_info __devinitdata = {
27533+static const struct ide_port_info it8172_port_info __devinitconst = {
27534 .name = DRV_NAME,
27535 .port_ops = &it8172_port_ops,
27536 .enablebits = { {0x41, 0x80, 0x80}, {0x00, 0x00, 0x00} },
27537diff -urNp linux-3.0.7/drivers/ide/it8213.c linux-3.0.7/drivers/ide/it8213.c
27538--- linux-3.0.7/drivers/ide/it8213.c 2011-07-21 22:17:23.000000000 -0400
27539+++ linux-3.0.7/drivers/ide/it8213.c 2011-10-11 10:44:33.000000000 -0400
27540@@ -156,7 +156,7 @@ static const struct ide_port_ops it8213_
27541 .cable_detect = it8213_cable_detect,
27542 };
27543
27544-static const struct ide_port_info it8213_chipset __devinitdata = {
27545+static const struct ide_port_info it8213_chipset __devinitconst = {
27546 .name = DRV_NAME,
27547 .enablebits = { {0x41, 0x80, 0x80} },
27548 .port_ops = &it8213_port_ops,
27549diff -urNp linux-3.0.7/drivers/ide/it821x.c linux-3.0.7/drivers/ide/it821x.c
27550--- linux-3.0.7/drivers/ide/it821x.c 2011-07-21 22:17:23.000000000 -0400
27551+++ linux-3.0.7/drivers/ide/it821x.c 2011-10-11 10:44:33.000000000 -0400
27552@@ -630,7 +630,7 @@ static const struct ide_port_ops it821x_
27553 .cable_detect = it821x_cable_detect,
27554 };
27555
27556-static const struct ide_port_info it821x_chipset __devinitdata = {
27557+static const struct ide_port_info it821x_chipset __devinitconst = {
27558 .name = DRV_NAME,
27559 .init_chipset = init_chipset_it821x,
27560 .init_hwif = init_hwif_it821x,
27561diff -urNp linux-3.0.7/drivers/ide/jmicron.c linux-3.0.7/drivers/ide/jmicron.c
27562--- linux-3.0.7/drivers/ide/jmicron.c 2011-07-21 22:17:23.000000000 -0400
27563+++ linux-3.0.7/drivers/ide/jmicron.c 2011-10-11 10:44:33.000000000 -0400
27564@@ -102,7 +102,7 @@ static const struct ide_port_ops jmicron
27565 .cable_detect = jmicron_cable_detect,
27566 };
27567
27568-static const struct ide_port_info jmicron_chipset __devinitdata = {
27569+static const struct ide_port_info jmicron_chipset __devinitconst = {
27570 .name = DRV_NAME,
27571 .enablebits = { { 0x40, 0x01, 0x01 }, { 0x40, 0x10, 0x10 } },
27572 .port_ops = &jmicron_port_ops,
27573diff -urNp linux-3.0.7/drivers/ide/ns87415.c linux-3.0.7/drivers/ide/ns87415.c
27574--- linux-3.0.7/drivers/ide/ns87415.c 2011-07-21 22:17:23.000000000 -0400
27575+++ linux-3.0.7/drivers/ide/ns87415.c 2011-10-11 10:44:33.000000000 -0400
27576@@ -293,7 +293,7 @@ static const struct ide_dma_ops ns87415_
27577 .dma_sff_read_status = superio_dma_sff_read_status,
27578 };
27579
27580-static const struct ide_port_info ns87415_chipset __devinitdata = {
27581+static const struct ide_port_info ns87415_chipset __devinitconst = {
27582 .name = DRV_NAME,
27583 .init_hwif = init_hwif_ns87415,
27584 .tp_ops = &ns87415_tp_ops,
27585diff -urNp linux-3.0.7/drivers/ide/opti621.c linux-3.0.7/drivers/ide/opti621.c
27586--- linux-3.0.7/drivers/ide/opti621.c 2011-07-21 22:17:23.000000000 -0400
27587+++ linux-3.0.7/drivers/ide/opti621.c 2011-10-11 10:44:33.000000000 -0400
27588@@ -131,7 +131,7 @@ static const struct ide_port_ops opti621
27589 .set_pio_mode = opti621_set_pio_mode,
27590 };
27591
27592-static const struct ide_port_info opti621_chipset __devinitdata = {
27593+static const struct ide_port_info opti621_chipset __devinitconst = {
27594 .name = DRV_NAME,
27595 .enablebits = { {0x45, 0x80, 0x00}, {0x40, 0x08, 0x00} },
27596 .port_ops = &opti621_port_ops,
27597diff -urNp linux-3.0.7/drivers/ide/pdc202xx_new.c linux-3.0.7/drivers/ide/pdc202xx_new.c
27598--- linux-3.0.7/drivers/ide/pdc202xx_new.c 2011-07-21 22:17:23.000000000 -0400
27599+++ linux-3.0.7/drivers/ide/pdc202xx_new.c 2011-10-11 10:44:33.000000000 -0400
27600@@ -465,7 +465,7 @@ static const struct ide_port_ops pdcnew_
27601 .udma_mask = udma, \
27602 }
27603
27604-static const struct ide_port_info pdcnew_chipsets[] __devinitdata = {
27605+static const struct ide_port_info pdcnew_chipsets[] __devinitconst = {
27606 /* 0: PDC202{68,70} */ DECLARE_PDCNEW_DEV(ATA_UDMA5),
27607 /* 1: PDC202{69,71,75,76,77} */ DECLARE_PDCNEW_DEV(ATA_UDMA6),
27608 };
27609diff -urNp linux-3.0.7/drivers/ide/pdc202xx_old.c linux-3.0.7/drivers/ide/pdc202xx_old.c
27610--- linux-3.0.7/drivers/ide/pdc202xx_old.c 2011-07-21 22:17:23.000000000 -0400
27611+++ linux-3.0.7/drivers/ide/pdc202xx_old.c 2011-10-11 10:44:33.000000000 -0400
27612@@ -270,7 +270,7 @@ static const struct ide_dma_ops pdc2026x
27613 .max_sectors = sectors, \
27614 }
27615
27616-static const struct ide_port_info pdc202xx_chipsets[] __devinitdata = {
27617+static const struct ide_port_info pdc202xx_chipsets[] __devinitconst = {
27618 { /* 0: PDC20246 */
27619 .name = DRV_NAME,
27620 .init_chipset = init_chipset_pdc202xx,
27621diff -urNp linux-3.0.7/drivers/ide/piix.c linux-3.0.7/drivers/ide/piix.c
27622--- linux-3.0.7/drivers/ide/piix.c 2011-07-21 22:17:23.000000000 -0400
27623+++ linux-3.0.7/drivers/ide/piix.c 2011-10-11 10:44:33.000000000 -0400
27624@@ -344,7 +344,7 @@ static const struct ide_port_ops ich_por
27625 .udma_mask = udma, \
27626 }
27627
27628-static const struct ide_port_info piix_pci_info[] __devinitdata = {
27629+static const struct ide_port_info piix_pci_info[] __devinitconst = {
27630 /* 0: MPIIX */
27631 { /*
27632 * MPIIX actually has only a single IDE channel mapped to
27633diff -urNp linux-3.0.7/drivers/ide/rz1000.c linux-3.0.7/drivers/ide/rz1000.c
27634--- linux-3.0.7/drivers/ide/rz1000.c 2011-07-21 22:17:23.000000000 -0400
27635+++ linux-3.0.7/drivers/ide/rz1000.c 2011-10-11 10:44:33.000000000 -0400
27636@@ -38,7 +38,7 @@ static int __devinit rz1000_disable_read
27637 }
27638 }
27639
27640-static const struct ide_port_info rz1000_chipset __devinitdata = {
27641+static const struct ide_port_info rz1000_chipset __devinitconst = {
27642 .name = DRV_NAME,
27643 .host_flags = IDE_HFLAG_NO_DMA,
27644 };
27645diff -urNp linux-3.0.7/drivers/ide/sc1200.c linux-3.0.7/drivers/ide/sc1200.c
27646--- linux-3.0.7/drivers/ide/sc1200.c 2011-07-21 22:17:23.000000000 -0400
27647+++ linux-3.0.7/drivers/ide/sc1200.c 2011-10-11 10:44:33.000000000 -0400
27648@@ -291,7 +291,7 @@ static const struct ide_dma_ops sc1200_d
27649 .dma_sff_read_status = ide_dma_sff_read_status,
27650 };
27651
27652-static const struct ide_port_info sc1200_chipset __devinitdata = {
27653+static const struct ide_port_info sc1200_chipset __devinitconst = {
27654 .name = DRV_NAME,
27655 .port_ops = &sc1200_port_ops,
27656 .dma_ops = &sc1200_dma_ops,
27657diff -urNp linux-3.0.7/drivers/ide/scc_pata.c linux-3.0.7/drivers/ide/scc_pata.c
27658--- linux-3.0.7/drivers/ide/scc_pata.c 2011-07-21 22:17:23.000000000 -0400
27659+++ linux-3.0.7/drivers/ide/scc_pata.c 2011-10-11 10:44:33.000000000 -0400
27660@@ -811,7 +811,7 @@ static const struct ide_dma_ops scc_dma_
27661 .dma_sff_read_status = scc_dma_sff_read_status,
27662 };
27663
27664-static const struct ide_port_info scc_chipset __devinitdata = {
27665+static const struct ide_port_info scc_chipset __devinitconst = {
27666 .name = "sccIDE",
27667 .init_iops = init_iops_scc,
27668 .init_dma = scc_init_dma,
27669diff -urNp linux-3.0.7/drivers/ide/serverworks.c linux-3.0.7/drivers/ide/serverworks.c
27670--- linux-3.0.7/drivers/ide/serverworks.c 2011-07-21 22:17:23.000000000 -0400
27671+++ linux-3.0.7/drivers/ide/serverworks.c 2011-10-11 10:44:33.000000000 -0400
27672@@ -337,7 +337,7 @@ static const struct ide_port_ops svwks_p
27673 .cable_detect = svwks_cable_detect,
27674 };
27675
27676-static const struct ide_port_info serverworks_chipsets[] __devinitdata = {
27677+static const struct ide_port_info serverworks_chipsets[] __devinitconst = {
27678 { /* 0: OSB4 */
27679 .name = DRV_NAME,
27680 .init_chipset = init_chipset_svwks,
27681diff -urNp linux-3.0.7/drivers/ide/setup-pci.c linux-3.0.7/drivers/ide/setup-pci.c
27682--- linux-3.0.7/drivers/ide/setup-pci.c 2011-07-21 22:17:23.000000000 -0400
27683+++ linux-3.0.7/drivers/ide/setup-pci.c 2011-08-23 21:48:14.000000000 -0400
27684@@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
27685 int ret, i, n_ports = dev2 ? 4 : 2;
27686 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
27687
27688+ pax_track_stack();
27689+
27690 for (i = 0; i < n_ports / 2; i++) {
27691 ret = ide_setup_pci_controller(pdev[i], d, !i);
27692 if (ret < 0)
27693diff -urNp linux-3.0.7/drivers/ide/siimage.c linux-3.0.7/drivers/ide/siimage.c
27694--- linux-3.0.7/drivers/ide/siimage.c 2011-07-21 22:17:23.000000000 -0400
27695+++ linux-3.0.7/drivers/ide/siimage.c 2011-10-11 10:44:33.000000000 -0400
27696@@ -719,7 +719,7 @@ static const struct ide_dma_ops sil_dma_
27697 .udma_mask = ATA_UDMA6, \
27698 }
27699
27700-static const struct ide_port_info siimage_chipsets[] __devinitdata = {
27701+static const struct ide_port_info siimage_chipsets[] __devinitconst = {
27702 /* 0: SiI680 */ DECLARE_SII_DEV(&sil_pata_port_ops),
27703 /* 1: SiI3112 */ DECLARE_SII_DEV(&sil_sata_port_ops)
27704 };
27705diff -urNp linux-3.0.7/drivers/ide/sis5513.c linux-3.0.7/drivers/ide/sis5513.c
27706--- linux-3.0.7/drivers/ide/sis5513.c 2011-07-21 22:17:23.000000000 -0400
27707+++ linux-3.0.7/drivers/ide/sis5513.c 2011-10-11 10:44:33.000000000 -0400
27708@@ -563,7 +563,7 @@ static const struct ide_port_ops sis_ata
27709 .cable_detect = sis_cable_detect,
27710 };
27711
27712-static const struct ide_port_info sis5513_chipset __devinitdata = {
27713+static const struct ide_port_info sis5513_chipset __devinitconst = {
27714 .name = DRV_NAME,
27715 .init_chipset = init_chipset_sis5513,
27716 .enablebits = { {0x4a, 0x02, 0x02}, {0x4a, 0x04, 0x04} },
27717diff -urNp linux-3.0.7/drivers/ide/sl82c105.c linux-3.0.7/drivers/ide/sl82c105.c
27718--- linux-3.0.7/drivers/ide/sl82c105.c 2011-07-21 22:17:23.000000000 -0400
27719+++ linux-3.0.7/drivers/ide/sl82c105.c 2011-10-11 10:44:33.000000000 -0400
27720@@ -299,7 +299,7 @@ static const struct ide_dma_ops sl82c105
27721 .dma_sff_read_status = ide_dma_sff_read_status,
27722 };
27723
27724-static const struct ide_port_info sl82c105_chipset __devinitdata = {
27725+static const struct ide_port_info sl82c105_chipset __devinitconst = {
27726 .name = DRV_NAME,
27727 .init_chipset = init_chipset_sl82c105,
27728 .enablebits = {{0x40,0x01,0x01}, {0x40,0x10,0x10}},
27729diff -urNp linux-3.0.7/drivers/ide/slc90e66.c linux-3.0.7/drivers/ide/slc90e66.c
27730--- linux-3.0.7/drivers/ide/slc90e66.c 2011-07-21 22:17:23.000000000 -0400
27731+++ linux-3.0.7/drivers/ide/slc90e66.c 2011-10-11 10:44:33.000000000 -0400
27732@@ -132,7 +132,7 @@ static const struct ide_port_ops slc90e6
27733 .cable_detect = slc90e66_cable_detect,
27734 };
27735
27736-static const struct ide_port_info slc90e66_chipset __devinitdata = {
27737+static const struct ide_port_info slc90e66_chipset __devinitconst = {
27738 .name = DRV_NAME,
27739 .enablebits = { {0x41, 0x80, 0x80}, {0x43, 0x80, 0x80} },
27740 .port_ops = &slc90e66_port_ops,
27741diff -urNp linux-3.0.7/drivers/ide/tc86c001.c linux-3.0.7/drivers/ide/tc86c001.c
27742--- linux-3.0.7/drivers/ide/tc86c001.c 2011-07-21 22:17:23.000000000 -0400
27743+++ linux-3.0.7/drivers/ide/tc86c001.c 2011-10-11 10:44:33.000000000 -0400
27744@@ -191,7 +191,7 @@ static const struct ide_dma_ops tc86c001
27745 .dma_sff_read_status = ide_dma_sff_read_status,
27746 };
27747
27748-static const struct ide_port_info tc86c001_chipset __devinitdata = {
27749+static const struct ide_port_info tc86c001_chipset __devinitconst = {
27750 .name = DRV_NAME,
27751 .init_hwif = init_hwif_tc86c001,
27752 .port_ops = &tc86c001_port_ops,
27753diff -urNp linux-3.0.7/drivers/ide/triflex.c linux-3.0.7/drivers/ide/triflex.c
27754--- linux-3.0.7/drivers/ide/triflex.c 2011-07-21 22:17:23.000000000 -0400
27755+++ linux-3.0.7/drivers/ide/triflex.c 2011-10-11 10:44:33.000000000 -0400
27756@@ -92,7 +92,7 @@ static const struct ide_port_ops triflex
27757 .set_dma_mode = triflex_set_mode,
27758 };
27759
27760-static const struct ide_port_info triflex_device __devinitdata = {
27761+static const struct ide_port_info triflex_device __devinitconst = {
27762 .name = DRV_NAME,
27763 .enablebits = {{0x80, 0x01, 0x01}, {0x80, 0x02, 0x02}},
27764 .port_ops = &triflex_port_ops,
27765diff -urNp linux-3.0.7/drivers/ide/trm290.c linux-3.0.7/drivers/ide/trm290.c
27766--- linux-3.0.7/drivers/ide/trm290.c 2011-07-21 22:17:23.000000000 -0400
27767+++ linux-3.0.7/drivers/ide/trm290.c 2011-10-11 10:44:33.000000000 -0400
27768@@ -324,7 +324,7 @@ static struct ide_dma_ops trm290_dma_ops
27769 .dma_check = trm290_dma_check,
27770 };
27771
27772-static const struct ide_port_info trm290_chipset __devinitdata = {
27773+static const struct ide_port_info trm290_chipset __devinitconst = {
27774 .name = DRV_NAME,
27775 .init_hwif = init_hwif_trm290,
27776 .tp_ops = &trm290_tp_ops,
27777diff -urNp linux-3.0.7/drivers/ide/via82cxxx.c linux-3.0.7/drivers/ide/via82cxxx.c
27778--- linux-3.0.7/drivers/ide/via82cxxx.c 2011-07-21 22:17:23.000000000 -0400
27779+++ linux-3.0.7/drivers/ide/via82cxxx.c 2011-10-11 10:44:33.000000000 -0400
27780@@ -403,7 +403,7 @@ static const struct ide_port_ops via_por
27781 .cable_detect = via82cxxx_cable_detect,
27782 };
27783
27784-static const struct ide_port_info via82cxxx_chipset __devinitdata = {
27785+static const struct ide_port_info via82cxxx_chipset __devinitconst = {
27786 .name = DRV_NAME,
27787 .init_chipset = init_chipset_via82cxxx,
27788 .enablebits = { { 0x40, 0x02, 0x02 }, { 0x40, 0x01, 0x01 } },
27789diff -urNp linux-3.0.7/drivers/infiniband/core/cm.c linux-3.0.7/drivers/infiniband/core/cm.c
27790--- linux-3.0.7/drivers/infiniband/core/cm.c 2011-07-21 22:17:23.000000000 -0400
27791+++ linux-3.0.7/drivers/infiniband/core/cm.c 2011-08-23 21:47:55.000000000 -0400
27792@@ -113,7 +113,7 @@ static char const counter_group_names[CM
27793
27794 struct cm_counter_group {
27795 struct kobject obj;
27796- atomic_long_t counter[CM_ATTR_COUNT];
27797+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
27798 };
27799
27800 struct cm_counter_attribute {
27801@@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
27802 struct ib_mad_send_buf *msg = NULL;
27803 int ret;
27804
27805- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
27806+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
27807 counter[CM_REQ_COUNTER]);
27808
27809 /* Quick state check to discard duplicate REQs. */
27810@@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
27811 if (!cm_id_priv)
27812 return;
27813
27814- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
27815+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
27816 counter[CM_REP_COUNTER]);
27817 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
27818 if (ret)
27819@@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
27820 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
27821 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
27822 spin_unlock_irq(&cm_id_priv->lock);
27823- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
27824+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
27825 counter[CM_RTU_COUNTER]);
27826 goto out;
27827 }
27828@@ -2115,7 +2115,7 @@ static int cm_dreq_handler(struct cm_wor
27829 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
27830 dreq_msg->local_comm_id);
27831 if (!cm_id_priv) {
27832- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
27833+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
27834 counter[CM_DREQ_COUNTER]);
27835 cm_issue_drep(work->port, work->mad_recv_wc);
27836 return -EINVAL;
27837@@ -2140,7 +2140,7 @@ static int cm_dreq_handler(struct cm_wor
27838 case IB_CM_MRA_REP_RCVD:
27839 break;
27840 case IB_CM_TIMEWAIT:
27841- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
27842+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
27843 counter[CM_DREQ_COUNTER]);
27844 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
27845 goto unlock;
27846@@ -2154,7 +2154,7 @@ static int cm_dreq_handler(struct cm_wor
27847 cm_free_msg(msg);
27848 goto deref;
27849 case IB_CM_DREQ_RCVD:
27850- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
27851+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
27852 counter[CM_DREQ_COUNTER]);
27853 goto unlock;
27854 default:
27855@@ -2521,7 +2521,7 @@ static int cm_mra_handler(struct cm_work
27856 ib_modify_mad(cm_id_priv->av.port->mad_agent,
27857 cm_id_priv->msg, timeout)) {
27858 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
27859- atomic_long_inc(&work->port->
27860+ atomic_long_inc_unchecked(&work->port->
27861 counter_group[CM_RECV_DUPLICATES].
27862 counter[CM_MRA_COUNTER]);
27863 goto out;
27864@@ -2530,7 +2530,7 @@ static int cm_mra_handler(struct cm_work
27865 break;
27866 case IB_CM_MRA_REQ_RCVD:
27867 case IB_CM_MRA_REP_RCVD:
27868- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
27869+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
27870 counter[CM_MRA_COUNTER]);
27871 /* fall through */
27872 default:
27873@@ -2692,7 +2692,7 @@ static int cm_lap_handler(struct cm_work
27874 case IB_CM_LAP_IDLE:
27875 break;
27876 case IB_CM_MRA_LAP_SENT:
27877- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
27878+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
27879 counter[CM_LAP_COUNTER]);
27880 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
27881 goto unlock;
27882@@ -2708,7 +2708,7 @@ static int cm_lap_handler(struct cm_work
27883 cm_free_msg(msg);
27884 goto deref;
27885 case IB_CM_LAP_RCVD:
27886- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
27887+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
27888 counter[CM_LAP_COUNTER]);
27889 goto unlock;
27890 default:
27891@@ -2992,7 +2992,7 @@ static int cm_sidr_req_handler(struct cm
27892 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
27893 if (cur_cm_id_priv) {
27894 spin_unlock_irq(&cm.lock);
27895- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
27896+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
27897 counter[CM_SIDR_REQ_COUNTER]);
27898 goto out; /* Duplicate message. */
27899 }
27900@@ -3204,10 +3204,10 @@ static void cm_send_handler(struct ib_ma
27901 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
27902 msg->retries = 1;
27903
27904- atomic_long_add(1 + msg->retries,
27905+ atomic_long_add_unchecked(1 + msg->retries,
27906 &port->counter_group[CM_XMIT].counter[attr_index]);
27907 if (msg->retries)
27908- atomic_long_add(msg->retries,
27909+ atomic_long_add_unchecked(msg->retries,
27910 &port->counter_group[CM_XMIT_RETRIES].
27911 counter[attr_index]);
27912
27913@@ -3417,7 +3417,7 @@ static void cm_recv_handler(struct ib_ma
27914 }
27915
27916 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
27917- atomic_long_inc(&port->counter_group[CM_RECV].
27918+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
27919 counter[attr_id - CM_ATTR_ID_OFFSET]);
27920
27921 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
27922@@ -3615,7 +3615,7 @@ static ssize_t cm_show_counter(struct ko
27923 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
27924
27925 return sprintf(buf, "%ld\n",
27926- atomic_long_read(&group->counter[cm_attr->index]));
27927+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
27928 }
27929
27930 static const struct sysfs_ops cm_counter_ops = {
27931diff -urNp linux-3.0.7/drivers/infiniband/core/fmr_pool.c linux-3.0.7/drivers/infiniband/core/fmr_pool.c
27932--- linux-3.0.7/drivers/infiniband/core/fmr_pool.c 2011-07-21 22:17:23.000000000 -0400
27933+++ linux-3.0.7/drivers/infiniband/core/fmr_pool.c 2011-08-23 21:47:55.000000000 -0400
27934@@ -97,8 +97,8 @@ struct ib_fmr_pool {
27935
27936 struct task_struct *thread;
27937
27938- atomic_t req_ser;
27939- atomic_t flush_ser;
27940+ atomic_unchecked_t req_ser;
27941+ atomic_unchecked_t flush_ser;
27942
27943 wait_queue_head_t force_wait;
27944 };
27945@@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
27946 struct ib_fmr_pool *pool = pool_ptr;
27947
27948 do {
27949- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
27950+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
27951 ib_fmr_batch_release(pool);
27952
27953- atomic_inc(&pool->flush_ser);
27954+ atomic_inc_unchecked(&pool->flush_ser);
27955 wake_up_interruptible(&pool->force_wait);
27956
27957 if (pool->flush_function)
27958@@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
27959 }
27960
27961 set_current_state(TASK_INTERRUPTIBLE);
27962- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
27963+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
27964 !kthread_should_stop())
27965 schedule();
27966 __set_current_state(TASK_RUNNING);
27967@@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
27968 pool->dirty_watermark = params->dirty_watermark;
27969 pool->dirty_len = 0;
27970 spin_lock_init(&pool->pool_lock);
27971- atomic_set(&pool->req_ser, 0);
27972- atomic_set(&pool->flush_ser, 0);
27973+ atomic_set_unchecked(&pool->req_ser, 0);
27974+ atomic_set_unchecked(&pool->flush_ser, 0);
27975 init_waitqueue_head(&pool->force_wait);
27976
27977 pool->thread = kthread_run(ib_fmr_cleanup_thread,
27978@@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
27979 }
27980 spin_unlock_irq(&pool->pool_lock);
27981
27982- serial = atomic_inc_return(&pool->req_ser);
27983+ serial = atomic_inc_return_unchecked(&pool->req_ser);
27984 wake_up_process(pool->thread);
27985
27986 if (wait_event_interruptible(pool->force_wait,
27987- atomic_read(&pool->flush_ser) - serial >= 0))
27988+ atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
27989 return -EINTR;
27990
27991 return 0;
27992@@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
27993 } else {
27994 list_add_tail(&fmr->list, &pool->dirty_list);
27995 if (++pool->dirty_len >= pool->dirty_watermark) {
27996- atomic_inc(&pool->req_ser);
27997+ atomic_inc_unchecked(&pool->req_ser);
27998 wake_up_process(pool->thread);
27999 }
28000 }
28001diff -urNp linux-3.0.7/drivers/infiniband/hw/cxgb4/mem.c linux-3.0.7/drivers/infiniband/hw/cxgb4/mem.c
28002--- linux-3.0.7/drivers/infiniband/hw/cxgb4/mem.c 2011-07-21 22:17:23.000000000 -0400
28003+++ linux-3.0.7/drivers/infiniband/hw/cxgb4/mem.c 2011-08-23 21:47:55.000000000 -0400
28004@@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_r
28005 int err;
28006 struct fw_ri_tpte tpt;
28007 u32 stag_idx;
28008- static atomic_t key;
28009+ static atomic_unchecked_t key;
28010
28011 if (c4iw_fatal_error(rdev))
28012 return -EIO;
28013@@ -135,7 +135,7 @@ static int write_tpt_entry(struct c4iw_r
28014 &rdev->resource.tpt_fifo_lock);
28015 if (!stag_idx)
28016 return -ENOMEM;
28017- *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
28018+ *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
28019 }
28020 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
28021 __func__, stag_state, type, pdid, stag_idx);
28022diff -urNp linux-3.0.7/drivers/infiniband/hw/ipath/ipath_fs.c linux-3.0.7/drivers/infiniband/hw/ipath/ipath_fs.c
28023--- linux-3.0.7/drivers/infiniband/hw/ipath/ipath_fs.c 2011-07-21 22:17:23.000000000 -0400
28024+++ linux-3.0.7/drivers/infiniband/hw/ipath/ipath_fs.c 2011-08-23 21:48:14.000000000 -0400
28025@@ -113,6 +113,8 @@ static ssize_t atomic_counters_read(stru
28026 struct infinipath_counters counters;
28027 struct ipath_devdata *dd;
28028
28029+ pax_track_stack();
28030+
28031 dd = file->f_path.dentry->d_inode->i_private;
28032 dd->ipath_f_read_counters(dd, &counters);
28033
28034diff -urNp linux-3.0.7/drivers/infiniband/hw/ipath/ipath_rc.c linux-3.0.7/drivers/infiniband/hw/ipath/ipath_rc.c
28035--- linux-3.0.7/drivers/infiniband/hw/ipath/ipath_rc.c 2011-07-21 22:17:23.000000000 -0400
28036+++ linux-3.0.7/drivers/infiniband/hw/ipath/ipath_rc.c 2011-08-23 21:47:55.000000000 -0400
28037@@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *de
28038 struct ib_atomic_eth *ateth;
28039 struct ipath_ack_entry *e;
28040 u64 vaddr;
28041- atomic64_t *maddr;
28042+ atomic64_unchecked_t *maddr;
28043 u64 sdata;
28044 u32 rkey;
28045 u8 next;
28046@@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *de
28047 IB_ACCESS_REMOTE_ATOMIC)))
28048 goto nack_acc_unlck;
28049 /* Perform atomic OP and save result. */
28050- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
28051+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
28052 sdata = be64_to_cpu(ateth->swap_data);
28053 e = &qp->s_ack_queue[qp->r_head_ack_queue];
28054 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
28055- (u64) atomic64_add_return(sdata, maddr) - sdata :
28056+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
28057 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
28058 be64_to_cpu(ateth->compare_data),
28059 sdata);
28060diff -urNp linux-3.0.7/drivers/infiniband/hw/ipath/ipath_ruc.c linux-3.0.7/drivers/infiniband/hw/ipath/ipath_ruc.c
28061--- linux-3.0.7/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-07-21 22:17:23.000000000 -0400
28062+++ linux-3.0.7/drivers/infiniband/hw/ipath/ipath_ruc.c 2011-08-23 21:47:55.000000000 -0400
28063@@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ip
28064 unsigned long flags;
28065 struct ib_wc wc;
28066 u64 sdata;
28067- atomic64_t *maddr;
28068+ atomic64_unchecked_t *maddr;
28069 enum ib_wc_status send_status;
28070
28071 /*
28072@@ -382,11 +382,11 @@ again:
28073 IB_ACCESS_REMOTE_ATOMIC)))
28074 goto acc_err;
28075 /* Perform atomic OP and save result. */
28076- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
28077+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
28078 sdata = wqe->wr.wr.atomic.compare_add;
28079 *(u64 *) sqp->s_sge.sge.vaddr =
28080 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
28081- (u64) atomic64_add_return(sdata, maddr) - sdata :
28082+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
28083 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
28084 sdata, wqe->wr.wr.atomic.swap);
28085 goto send_comp;
28086diff -urNp linux-3.0.7/drivers/infiniband/hw/nes/nes.c linux-3.0.7/drivers/infiniband/hw/nes/nes.c
28087--- linux-3.0.7/drivers/infiniband/hw/nes/nes.c 2011-07-21 22:17:23.000000000 -0400
28088+++ linux-3.0.7/drivers/infiniband/hw/nes/nes.c 2011-08-23 21:47:55.000000000 -0400
28089@@ -103,7 +103,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
28090 LIST_HEAD(nes_adapter_list);
28091 static LIST_HEAD(nes_dev_list);
28092
28093-atomic_t qps_destroyed;
28094+atomic_unchecked_t qps_destroyed;
28095
28096 static unsigned int ee_flsh_adapter;
28097 static unsigned int sysfs_nonidx_addr;
28098@@ -275,7 +275,7 @@ static void nes_cqp_rem_ref_callback(str
28099 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
28100 struct nes_adapter *nesadapter = nesdev->nesadapter;
28101
28102- atomic_inc(&qps_destroyed);
28103+ atomic_inc_unchecked(&qps_destroyed);
28104
28105 /* Free the control structures */
28106
28107diff -urNp linux-3.0.7/drivers/infiniband/hw/nes/nes.h linux-3.0.7/drivers/infiniband/hw/nes/nes.h
28108--- linux-3.0.7/drivers/infiniband/hw/nes/nes.h 2011-07-21 22:17:23.000000000 -0400
28109+++ linux-3.0.7/drivers/infiniband/hw/nes/nes.h 2011-08-23 21:47:55.000000000 -0400
28110@@ -175,17 +175,17 @@ extern unsigned int nes_debug_level;
28111 extern unsigned int wqm_quanta;
28112 extern struct list_head nes_adapter_list;
28113
28114-extern atomic_t cm_connects;
28115-extern atomic_t cm_accepts;
28116-extern atomic_t cm_disconnects;
28117-extern atomic_t cm_closes;
28118-extern atomic_t cm_connecteds;
28119-extern atomic_t cm_connect_reqs;
28120-extern atomic_t cm_rejects;
28121-extern atomic_t mod_qp_timouts;
28122-extern atomic_t qps_created;
28123-extern atomic_t qps_destroyed;
28124-extern atomic_t sw_qps_destroyed;
28125+extern atomic_unchecked_t cm_connects;
28126+extern atomic_unchecked_t cm_accepts;
28127+extern atomic_unchecked_t cm_disconnects;
28128+extern atomic_unchecked_t cm_closes;
28129+extern atomic_unchecked_t cm_connecteds;
28130+extern atomic_unchecked_t cm_connect_reqs;
28131+extern atomic_unchecked_t cm_rejects;
28132+extern atomic_unchecked_t mod_qp_timouts;
28133+extern atomic_unchecked_t qps_created;
28134+extern atomic_unchecked_t qps_destroyed;
28135+extern atomic_unchecked_t sw_qps_destroyed;
28136 extern u32 mh_detected;
28137 extern u32 mh_pauses_sent;
28138 extern u32 cm_packets_sent;
28139@@ -194,14 +194,14 @@ extern u32 cm_packets_created;
28140 extern u32 cm_packets_received;
28141 extern u32 cm_packets_dropped;
28142 extern u32 cm_packets_retrans;
28143-extern atomic_t cm_listens_created;
28144-extern atomic_t cm_listens_destroyed;
28145+extern atomic_unchecked_t cm_listens_created;
28146+extern atomic_unchecked_t cm_listens_destroyed;
28147 extern u32 cm_backlog_drops;
28148-extern atomic_t cm_loopbacks;
28149-extern atomic_t cm_nodes_created;
28150-extern atomic_t cm_nodes_destroyed;
28151-extern atomic_t cm_accel_dropped_pkts;
28152-extern atomic_t cm_resets_recvd;
28153+extern atomic_unchecked_t cm_loopbacks;
28154+extern atomic_unchecked_t cm_nodes_created;
28155+extern atomic_unchecked_t cm_nodes_destroyed;
28156+extern atomic_unchecked_t cm_accel_dropped_pkts;
28157+extern atomic_unchecked_t cm_resets_recvd;
28158
28159 extern u32 int_mod_timer_init;
28160 extern u32 int_mod_cq_depth_256;
28161diff -urNp linux-3.0.7/drivers/infiniband/hw/nes/nes_cm.c linux-3.0.7/drivers/infiniband/hw/nes/nes_cm.c
28162--- linux-3.0.7/drivers/infiniband/hw/nes/nes_cm.c 2011-07-21 22:17:23.000000000 -0400
28163+++ linux-3.0.7/drivers/infiniband/hw/nes/nes_cm.c 2011-08-23 21:47:55.000000000 -0400
28164@@ -68,14 +68,14 @@ u32 cm_packets_dropped;
28165 u32 cm_packets_retrans;
28166 u32 cm_packets_created;
28167 u32 cm_packets_received;
28168-atomic_t cm_listens_created;
28169-atomic_t cm_listens_destroyed;
28170+atomic_unchecked_t cm_listens_created;
28171+atomic_unchecked_t cm_listens_destroyed;
28172 u32 cm_backlog_drops;
28173-atomic_t cm_loopbacks;
28174-atomic_t cm_nodes_created;
28175-atomic_t cm_nodes_destroyed;
28176-atomic_t cm_accel_dropped_pkts;
28177-atomic_t cm_resets_recvd;
28178+atomic_unchecked_t cm_loopbacks;
28179+atomic_unchecked_t cm_nodes_created;
28180+atomic_unchecked_t cm_nodes_destroyed;
28181+atomic_unchecked_t cm_accel_dropped_pkts;
28182+atomic_unchecked_t cm_resets_recvd;
28183
28184 static inline int mini_cm_accelerated(struct nes_cm_core *,
28185 struct nes_cm_node *);
28186@@ -151,13 +151,13 @@ static struct nes_cm_ops nes_cm_api = {
28187
28188 static struct nes_cm_core *g_cm_core;
28189
28190-atomic_t cm_connects;
28191-atomic_t cm_accepts;
28192-atomic_t cm_disconnects;
28193-atomic_t cm_closes;
28194-atomic_t cm_connecteds;
28195-atomic_t cm_connect_reqs;
28196-atomic_t cm_rejects;
28197+atomic_unchecked_t cm_connects;
28198+atomic_unchecked_t cm_accepts;
28199+atomic_unchecked_t cm_disconnects;
28200+atomic_unchecked_t cm_closes;
28201+atomic_unchecked_t cm_connecteds;
28202+atomic_unchecked_t cm_connect_reqs;
28203+atomic_unchecked_t cm_rejects;
28204
28205
28206 /**
28207@@ -1045,7 +1045,7 @@ static int mini_cm_dec_refcnt_listen(str
28208 kfree(listener);
28209 listener = NULL;
28210 ret = 0;
28211- atomic_inc(&cm_listens_destroyed);
28212+ atomic_inc_unchecked(&cm_listens_destroyed);
28213 } else {
28214 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
28215 }
28216@@ -1240,7 +1240,7 @@ static struct nes_cm_node *make_cm_node(
28217 cm_node->rem_mac);
28218
28219 add_hte_node(cm_core, cm_node);
28220- atomic_inc(&cm_nodes_created);
28221+ atomic_inc_unchecked(&cm_nodes_created);
28222
28223 return cm_node;
28224 }
28225@@ -1298,7 +1298,7 @@ static int rem_ref_cm_node(struct nes_cm
28226 }
28227
28228 atomic_dec(&cm_core->node_cnt);
28229- atomic_inc(&cm_nodes_destroyed);
28230+ atomic_inc_unchecked(&cm_nodes_destroyed);
28231 nesqp = cm_node->nesqp;
28232 if (nesqp) {
28233 nesqp->cm_node = NULL;
28234@@ -1365,7 +1365,7 @@ static int process_options(struct nes_cm
28235
28236 static void drop_packet(struct sk_buff *skb)
28237 {
28238- atomic_inc(&cm_accel_dropped_pkts);
28239+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
28240 dev_kfree_skb_any(skb);
28241 }
28242
28243@@ -1428,7 +1428,7 @@ static void handle_rst_pkt(struct nes_cm
28244 {
28245
28246 int reset = 0; /* whether to send reset in case of err.. */
28247- atomic_inc(&cm_resets_recvd);
28248+ atomic_inc_unchecked(&cm_resets_recvd);
28249 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
28250 " refcnt=%d\n", cm_node, cm_node->state,
28251 atomic_read(&cm_node->ref_count));
28252@@ -2057,7 +2057,7 @@ static struct nes_cm_node *mini_cm_conne
28253 rem_ref_cm_node(cm_node->cm_core, cm_node);
28254 return NULL;
28255 }
28256- atomic_inc(&cm_loopbacks);
28257+ atomic_inc_unchecked(&cm_loopbacks);
28258 loopbackremotenode->loopbackpartner = cm_node;
28259 loopbackremotenode->tcp_cntxt.rcv_wscale =
28260 NES_CM_DEFAULT_RCV_WND_SCALE;
28261@@ -2332,7 +2332,7 @@ static int mini_cm_recv_pkt(struct nes_c
28262 add_ref_cm_node(cm_node);
28263 } else if (cm_node->state == NES_CM_STATE_TSA) {
28264 rem_ref_cm_node(cm_core, cm_node);
28265- atomic_inc(&cm_accel_dropped_pkts);
28266+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
28267 dev_kfree_skb_any(skb);
28268 break;
28269 }
28270@@ -2638,7 +2638,7 @@ static int nes_cm_disconn_true(struct ne
28271
28272 if ((cm_id) && (cm_id->event_handler)) {
28273 if (issue_disconn) {
28274- atomic_inc(&cm_disconnects);
28275+ atomic_inc_unchecked(&cm_disconnects);
28276 cm_event.event = IW_CM_EVENT_DISCONNECT;
28277 cm_event.status = disconn_status;
28278 cm_event.local_addr = cm_id->local_addr;
28279@@ -2660,7 +2660,7 @@ static int nes_cm_disconn_true(struct ne
28280 }
28281
28282 if (issue_close) {
28283- atomic_inc(&cm_closes);
28284+ atomic_inc_unchecked(&cm_closes);
28285 nes_disconnect(nesqp, 1);
28286
28287 cm_id->provider_data = nesqp;
28288@@ -2791,7 +2791,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
28289
28290 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
28291 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
28292- atomic_inc(&cm_accepts);
28293+ atomic_inc_unchecked(&cm_accepts);
28294
28295 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
28296 netdev_refcnt_read(nesvnic->netdev));
28297@@ -3001,7 +3001,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
28298
28299 struct nes_cm_core *cm_core;
28300
28301- atomic_inc(&cm_rejects);
28302+ atomic_inc_unchecked(&cm_rejects);
28303 cm_node = (struct nes_cm_node *) cm_id->provider_data;
28304 loopback = cm_node->loopbackpartner;
28305 cm_core = cm_node->cm_core;
28306@@ -3067,7 +3067,7 @@ int nes_connect(struct iw_cm_id *cm_id,
28307 ntohl(cm_id->local_addr.sin_addr.s_addr),
28308 ntohs(cm_id->local_addr.sin_port));
28309
28310- atomic_inc(&cm_connects);
28311+ atomic_inc_unchecked(&cm_connects);
28312 nesqp->active_conn = 1;
28313
28314 /* cache the cm_id in the qp */
28315@@ -3173,7 +3173,7 @@ int nes_create_listen(struct iw_cm_id *c
28316 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
28317 return err;
28318 }
28319- atomic_inc(&cm_listens_created);
28320+ atomic_inc_unchecked(&cm_listens_created);
28321 }
28322
28323 cm_id->add_ref(cm_id);
28324@@ -3278,7 +3278,7 @@ static void cm_event_connected(struct ne
28325 if (nesqp->destroyed) {
28326 return;
28327 }
28328- atomic_inc(&cm_connecteds);
28329+ atomic_inc_unchecked(&cm_connecteds);
28330 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
28331 " local port 0x%04X. jiffies = %lu.\n",
28332 nesqp->hwqp.qp_id,
28333@@ -3493,7 +3493,7 @@ static void cm_event_reset(struct nes_cm
28334
28335 cm_id->add_ref(cm_id);
28336 ret = cm_id->event_handler(cm_id, &cm_event);
28337- atomic_inc(&cm_closes);
28338+ atomic_inc_unchecked(&cm_closes);
28339 cm_event.event = IW_CM_EVENT_CLOSE;
28340 cm_event.status = 0;
28341 cm_event.provider_data = cm_id->provider_data;
28342@@ -3529,7 +3529,7 @@ static void cm_event_mpa_req(struct nes_
28343 return;
28344 cm_id = cm_node->cm_id;
28345
28346- atomic_inc(&cm_connect_reqs);
28347+ atomic_inc_unchecked(&cm_connect_reqs);
28348 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
28349 cm_node, cm_id, jiffies);
28350
28351@@ -3567,7 +3567,7 @@ static void cm_event_mpa_reject(struct n
28352 return;
28353 cm_id = cm_node->cm_id;
28354
28355- atomic_inc(&cm_connect_reqs);
28356+ atomic_inc_unchecked(&cm_connect_reqs);
28357 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
28358 cm_node, cm_id, jiffies);
28359
28360diff -urNp linux-3.0.7/drivers/infiniband/hw/nes/nes_nic.c linux-3.0.7/drivers/infiniband/hw/nes/nes_nic.c
28361--- linux-3.0.7/drivers/infiniband/hw/nes/nes_nic.c 2011-07-21 22:17:23.000000000 -0400
28362+++ linux-3.0.7/drivers/infiniband/hw/nes/nes_nic.c 2011-08-23 21:47:55.000000000 -0400
28363@@ -1274,31 +1274,31 @@ static void nes_netdev_get_ethtool_stats
28364 target_stat_values[++index] = mh_detected;
28365 target_stat_values[++index] = mh_pauses_sent;
28366 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
28367- target_stat_values[++index] = atomic_read(&cm_connects);
28368- target_stat_values[++index] = atomic_read(&cm_accepts);
28369- target_stat_values[++index] = atomic_read(&cm_disconnects);
28370- target_stat_values[++index] = atomic_read(&cm_connecteds);
28371- target_stat_values[++index] = atomic_read(&cm_connect_reqs);
28372- target_stat_values[++index] = atomic_read(&cm_rejects);
28373- target_stat_values[++index] = atomic_read(&mod_qp_timouts);
28374- target_stat_values[++index] = atomic_read(&qps_created);
28375- target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
28376- target_stat_values[++index] = atomic_read(&qps_destroyed);
28377- target_stat_values[++index] = atomic_read(&cm_closes);
28378+ target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
28379+ target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
28380+ target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
28381+ target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
28382+ target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
28383+ target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
28384+ target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
28385+ target_stat_values[++index] = atomic_read_unchecked(&qps_created);
28386+ target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
28387+ target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
28388+ target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
28389 target_stat_values[++index] = cm_packets_sent;
28390 target_stat_values[++index] = cm_packets_bounced;
28391 target_stat_values[++index] = cm_packets_created;
28392 target_stat_values[++index] = cm_packets_received;
28393 target_stat_values[++index] = cm_packets_dropped;
28394 target_stat_values[++index] = cm_packets_retrans;
28395- target_stat_values[++index] = atomic_read(&cm_listens_created);
28396- target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
28397+ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
28398+ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
28399 target_stat_values[++index] = cm_backlog_drops;
28400- target_stat_values[++index] = atomic_read(&cm_loopbacks);
28401- target_stat_values[++index] = atomic_read(&cm_nodes_created);
28402- target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
28403- target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
28404- target_stat_values[++index] = atomic_read(&cm_resets_recvd);
28405+ target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
28406+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
28407+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
28408+ target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
28409+ target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
28410 target_stat_values[++index] = nesadapter->free_4kpbl;
28411 target_stat_values[++index] = nesadapter->free_256pbl;
28412 target_stat_values[++index] = int_mod_timer_init;
28413diff -urNp linux-3.0.7/drivers/infiniband/hw/nes/nes_verbs.c linux-3.0.7/drivers/infiniband/hw/nes/nes_verbs.c
28414--- linux-3.0.7/drivers/infiniband/hw/nes/nes_verbs.c 2011-07-21 22:17:23.000000000 -0400
28415+++ linux-3.0.7/drivers/infiniband/hw/nes/nes_verbs.c 2011-08-23 21:47:55.000000000 -0400
28416@@ -46,9 +46,9 @@
28417
28418 #include <rdma/ib_umem.h>
28419
28420-atomic_t mod_qp_timouts;
28421-atomic_t qps_created;
28422-atomic_t sw_qps_destroyed;
28423+atomic_unchecked_t mod_qp_timouts;
28424+atomic_unchecked_t qps_created;
28425+atomic_unchecked_t sw_qps_destroyed;
28426
28427 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
28428
28429@@ -1141,7 +1141,7 @@ static struct ib_qp *nes_create_qp(struc
28430 if (init_attr->create_flags)
28431 return ERR_PTR(-EINVAL);
28432
28433- atomic_inc(&qps_created);
28434+ atomic_inc_unchecked(&qps_created);
28435 switch (init_attr->qp_type) {
28436 case IB_QPT_RC:
28437 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
28438@@ -1470,7 +1470,7 @@ static int nes_destroy_qp(struct ib_qp *
28439 struct iw_cm_event cm_event;
28440 int ret;
28441
28442- atomic_inc(&sw_qps_destroyed);
28443+ atomic_inc_unchecked(&sw_qps_destroyed);
28444 nesqp->destroyed = 1;
28445
28446 /* Blow away the connection if it exists. */
28447diff -urNp linux-3.0.7/drivers/infiniband/hw/qib/qib.h linux-3.0.7/drivers/infiniband/hw/qib/qib.h
28448--- linux-3.0.7/drivers/infiniband/hw/qib/qib.h 2011-07-21 22:17:23.000000000 -0400
28449+++ linux-3.0.7/drivers/infiniband/hw/qib/qib.h 2011-08-23 21:47:55.000000000 -0400
28450@@ -51,6 +51,7 @@
28451 #include <linux/completion.h>
28452 #include <linux/kref.h>
28453 #include <linux/sched.h>
28454+#include <linux/slab.h>
28455
28456 #include "qib_common.h"
28457 #include "qib_verbs.h"
28458diff -urNp linux-3.0.7/drivers/input/gameport/gameport.c linux-3.0.7/drivers/input/gameport/gameport.c
28459--- linux-3.0.7/drivers/input/gameport/gameport.c 2011-07-21 22:17:23.000000000 -0400
28460+++ linux-3.0.7/drivers/input/gameport/gameport.c 2011-08-23 21:47:55.000000000 -0400
28461@@ -488,14 +488,14 @@ EXPORT_SYMBOL(gameport_set_phys);
28462 */
28463 static void gameport_init_port(struct gameport *gameport)
28464 {
28465- static atomic_t gameport_no = ATOMIC_INIT(0);
28466+ static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
28467
28468 __module_get(THIS_MODULE);
28469
28470 mutex_init(&gameport->drv_mutex);
28471 device_initialize(&gameport->dev);
28472 dev_set_name(&gameport->dev, "gameport%lu",
28473- (unsigned long)atomic_inc_return(&gameport_no) - 1);
28474+ (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
28475 gameport->dev.bus = &gameport_bus;
28476 gameport->dev.release = gameport_release_port;
28477 if (gameport->parent)
28478diff -urNp linux-3.0.7/drivers/input/input.c linux-3.0.7/drivers/input/input.c
28479--- linux-3.0.7/drivers/input/input.c 2011-07-21 22:17:23.000000000 -0400
28480+++ linux-3.0.7/drivers/input/input.c 2011-08-23 21:47:55.000000000 -0400
28481@@ -1814,7 +1814,7 @@ static void input_cleanse_bitmasks(struc
28482 */
28483 int input_register_device(struct input_dev *dev)
28484 {
28485- static atomic_t input_no = ATOMIC_INIT(0);
28486+ static atomic_unchecked_t input_no = ATOMIC_INIT(0);
28487 struct input_handler *handler;
28488 const char *path;
28489 int error;
28490@@ -1851,7 +1851,7 @@ int input_register_device(struct input_d
28491 dev->setkeycode = input_default_setkeycode;
28492
28493 dev_set_name(&dev->dev, "input%ld",
28494- (unsigned long) atomic_inc_return(&input_no) - 1);
28495+ (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
28496
28497 error = device_add(&dev->dev);
28498 if (error)
28499diff -urNp linux-3.0.7/drivers/input/joystick/sidewinder.c linux-3.0.7/drivers/input/joystick/sidewinder.c
28500--- linux-3.0.7/drivers/input/joystick/sidewinder.c 2011-07-21 22:17:23.000000000 -0400
28501+++ linux-3.0.7/drivers/input/joystick/sidewinder.c 2011-08-23 21:48:14.000000000 -0400
28502@@ -30,6 +30,7 @@
28503 #include <linux/kernel.h>
28504 #include <linux/module.h>
28505 #include <linux/slab.h>
28506+#include <linux/sched.h>
28507 #include <linux/init.h>
28508 #include <linux/input.h>
28509 #include <linux/gameport.h>
28510@@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
28511 unsigned char buf[SW_LENGTH];
28512 int i;
28513
28514+ pax_track_stack();
28515+
28516 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
28517
28518 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
28519diff -urNp linux-3.0.7/drivers/input/joystick/xpad.c linux-3.0.7/drivers/input/joystick/xpad.c
28520--- linux-3.0.7/drivers/input/joystick/xpad.c 2011-07-21 22:17:23.000000000 -0400
28521+++ linux-3.0.7/drivers/input/joystick/xpad.c 2011-08-23 21:47:55.000000000 -0400
28522@@ -689,7 +689,7 @@ static void xpad_led_set(struct led_clas
28523
28524 static int xpad_led_probe(struct usb_xpad *xpad)
28525 {
28526- static atomic_t led_seq = ATOMIC_INIT(0);
28527+ static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
28528 long led_no;
28529 struct xpad_led *led;
28530 struct led_classdev *led_cdev;
28531@@ -702,7 +702,7 @@ static int xpad_led_probe(struct usb_xpa
28532 if (!led)
28533 return -ENOMEM;
28534
28535- led_no = (long)atomic_inc_return(&led_seq) - 1;
28536+ led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
28537
28538 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
28539 led->xpad = xpad;
28540diff -urNp linux-3.0.7/drivers/input/mousedev.c linux-3.0.7/drivers/input/mousedev.c
28541--- linux-3.0.7/drivers/input/mousedev.c 2011-07-21 22:17:23.000000000 -0400
28542+++ linux-3.0.7/drivers/input/mousedev.c 2011-08-23 21:47:55.000000000 -0400
28543@@ -763,7 +763,7 @@ static ssize_t mousedev_read(struct file
28544
28545 spin_unlock_irq(&client->packet_lock);
28546
28547- if (copy_to_user(buffer, data, count))
28548+ if (count > sizeof(data) || copy_to_user(buffer, data, count))
28549 return -EFAULT;
28550
28551 return count;
28552diff -urNp linux-3.0.7/drivers/input/serio/serio.c linux-3.0.7/drivers/input/serio/serio.c
28553--- linux-3.0.7/drivers/input/serio/serio.c 2011-07-21 22:17:23.000000000 -0400
28554+++ linux-3.0.7/drivers/input/serio/serio.c 2011-08-23 21:47:55.000000000 -0400
28555@@ -497,7 +497,7 @@ static void serio_release_port(struct de
28556 */
28557 static void serio_init_port(struct serio *serio)
28558 {
28559- static atomic_t serio_no = ATOMIC_INIT(0);
28560+ static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
28561
28562 __module_get(THIS_MODULE);
28563
28564@@ -508,7 +508,7 @@ static void serio_init_port(struct serio
28565 mutex_init(&serio->drv_mutex);
28566 device_initialize(&serio->dev);
28567 dev_set_name(&serio->dev, "serio%ld",
28568- (long)atomic_inc_return(&serio_no) - 1);
28569+ (long)atomic_inc_return_unchecked(&serio_no) - 1);
28570 serio->dev.bus = &serio_bus;
28571 serio->dev.release = serio_release_port;
28572 serio->dev.groups = serio_device_attr_groups;
28573diff -urNp linux-3.0.7/drivers/isdn/capi/capi.c linux-3.0.7/drivers/isdn/capi/capi.c
28574--- linux-3.0.7/drivers/isdn/capi/capi.c 2011-07-21 22:17:23.000000000 -0400
28575+++ linux-3.0.7/drivers/isdn/capi/capi.c 2011-08-23 21:47:55.000000000 -0400
28576@@ -83,8 +83,8 @@ struct capiminor {
28577
28578 struct capi20_appl *ap;
28579 u32 ncci;
28580- atomic_t datahandle;
28581- atomic_t msgid;
28582+ atomic_unchecked_t datahandle;
28583+ atomic_unchecked_t msgid;
28584
28585 struct tty_port port;
28586 int ttyinstop;
28587@@ -397,7 +397,7 @@ gen_data_b3_resp_for(struct capiminor *m
28588 capimsg_setu16(s, 2, mp->ap->applid);
28589 capimsg_setu8 (s, 4, CAPI_DATA_B3);
28590 capimsg_setu8 (s, 5, CAPI_RESP);
28591- capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
28592+ capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
28593 capimsg_setu32(s, 8, mp->ncci);
28594 capimsg_setu16(s, 12, datahandle);
28595 }
28596@@ -518,14 +518,14 @@ static void handle_minor_send(struct cap
28597 mp->outbytes -= len;
28598 spin_unlock_bh(&mp->outlock);
28599
28600- datahandle = atomic_inc_return(&mp->datahandle);
28601+ datahandle = atomic_inc_return_unchecked(&mp->datahandle);
28602 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
28603 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
28604 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
28605 capimsg_setu16(skb->data, 2, mp->ap->applid);
28606 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
28607 capimsg_setu8 (skb->data, 5, CAPI_REQ);
28608- capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
28609+ capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
28610 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
28611 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
28612 capimsg_setu16(skb->data, 16, len); /* Data length */
28613diff -urNp linux-3.0.7/drivers/isdn/gigaset/common.c linux-3.0.7/drivers/isdn/gigaset/common.c
28614--- linux-3.0.7/drivers/isdn/gigaset/common.c 2011-07-21 22:17:23.000000000 -0400
28615+++ linux-3.0.7/drivers/isdn/gigaset/common.c 2011-08-23 21:47:55.000000000 -0400
28616@@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
28617 cs->commands_pending = 0;
28618 cs->cur_at_seq = 0;
28619 cs->gotfwver = -1;
28620- cs->open_count = 0;
28621+ local_set(&cs->open_count, 0);
28622 cs->dev = NULL;
28623 cs->tty = NULL;
28624 cs->tty_dev = NULL;
28625diff -urNp linux-3.0.7/drivers/isdn/gigaset/gigaset.h linux-3.0.7/drivers/isdn/gigaset/gigaset.h
28626--- linux-3.0.7/drivers/isdn/gigaset/gigaset.h 2011-07-21 22:17:23.000000000 -0400
28627+++ linux-3.0.7/drivers/isdn/gigaset/gigaset.h 2011-08-23 21:47:55.000000000 -0400
28628@@ -35,6 +35,7 @@
28629 #include <linux/tty_driver.h>
28630 #include <linux/list.h>
28631 #include <asm/atomic.h>
28632+#include <asm/local.h>
28633
28634 #define GIG_VERSION {0, 5, 0, 0}
28635 #define GIG_COMPAT {0, 4, 0, 0}
28636@@ -433,7 +434,7 @@ struct cardstate {
28637 spinlock_t cmdlock;
28638 unsigned curlen, cmdbytes;
28639
28640- unsigned open_count;
28641+ local_t open_count;
28642 struct tty_struct *tty;
28643 struct tasklet_struct if_wake_tasklet;
28644 unsigned control_state;
28645diff -urNp linux-3.0.7/drivers/isdn/gigaset/interface.c linux-3.0.7/drivers/isdn/gigaset/interface.c
28646--- linux-3.0.7/drivers/isdn/gigaset/interface.c 2011-07-21 22:17:23.000000000 -0400
28647+++ linux-3.0.7/drivers/isdn/gigaset/interface.c 2011-08-23 21:47:55.000000000 -0400
28648@@ -162,9 +162,7 @@ static int if_open(struct tty_struct *tt
28649 }
28650 tty->driver_data = cs;
28651
28652- ++cs->open_count;
28653-
28654- if (cs->open_count == 1) {
28655+ if (local_inc_return(&cs->open_count) == 1) {
28656 spin_lock_irqsave(&cs->lock, flags);
28657 cs->tty = tty;
28658 spin_unlock_irqrestore(&cs->lock, flags);
28659@@ -192,10 +190,10 @@ static void if_close(struct tty_struct *
28660
28661 if (!cs->connected)
28662 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
28663- else if (!cs->open_count)
28664+ else if (!local_read(&cs->open_count))
28665 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28666 else {
28667- if (!--cs->open_count) {
28668+ if (!local_dec_return(&cs->open_count)) {
28669 spin_lock_irqsave(&cs->lock, flags);
28670 cs->tty = NULL;
28671 spin_unlock_irqrestore(&cs->lock, flags);
28672@@ -230,7 +228,7 @@ static int if_ioctl(struct tty_struct *t
28673 if (!cs->connected) {
28674 gig_dbg(DEBUG_IF, "not connected");
28675 retval = -ENODEV;
28676- } else if (!cs->open_count)
28677+ } else if (!local_read(&cs->open_count))
28678 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28679 else {
28680 retval = 0;
28681@@ -360,7 +358,7 @@ static int if_write(struct tty_struct *t
28682 retval = -ENODEV;
28683 goto done;
28684 }
28685- if (!cs->open_count) {
28686+ if (!local_read(&cs->open_count)) {
28687 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28688 retval = -ENODEV;
28689 goto done;
28690@@ -413,7 +411,7 @@ static int if_write_room(struct tty_stru
28691 if (!cs->connected) {
28692 gig_dbg(DEBUG_IF, "not connected");
28693 retval = -ENODEV;
28694- } else if (!cs->open_count)
28695+ } else if (!local_read(&cs->open_count))
28696 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28697 else if (cs->mstate != MS_LOCKED) {
28698 dev_warn(cs->dev, "can't write to unlocked device\n");
28699@@ -443,7 +441,7 @@ static int if_chars_in_buffer(struct tty
28700
28701 if (!cs->connected)
28702 gig_dbg(DEBUG_IF, "not connected");
28703- else if (!cs->open_count)
28704+ else if (!local_read(&cs->open_count))
28705 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28706 else if (cs->mstate != MS_LOCKED)
28707 dev_warn(cs->dev, "can't write to unlocked device\n");
28708@@ -471,7 +469,7 @@ static void if_throttle(struct tty_struc
28709
28710 if (!cs->connected)
28711 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
28712- else if (!cs->open_count)
28713+ else if (!local_read(&cs->open_count))
28714 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28715 else
28716 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
28717@@ -495,7 +493,7 @@ static void if_unthrottle(struct tty_str
28718
28719 if (!cs->connected)
28720 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
28721- else if (!cs->open_count)
28722+ else if (!local_read(&cs->open_count))
28723 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28724 else
28725 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
28726@@ -526,7 +524,7 @@ static void if_set_termios(struct tty_st
28727 goto out;
28728 }
28729
28730- if (!cs->open_count) {
28731+ if (!local_read(&cs->open_count)) {
28732 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28733 goto out;
28734 }
28735diff -urNp linux-3.0.7/drivers/isdn/hardware/avm/b1.c linux-3.0.7/drivers/isdn/hardware/avm/b1.c
28736--- linux-3.0.7/drivers/isdn/hardware/avm/b1.c 2011-07-21 22:17:23.000000000 -0400
28737+++ linux-3.0.7/drivers/isdn/hardware/avm/b1.c 2011-08-23 21:47:55.000000000 -0400
28738@@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
28739 }
28740 if (left) {
28741 if (t4file->user) {
28742- if (copy_from_user(buf, dp, left))
28743+ if (left > sizeof buf || copy_from_user(buf, dp, left))
28744 return -EFAULT;
28745 } else {
28746 memcpy(buf, dp, left);
28747@@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
28748 }
28749 if (left) {
28750 if (config->user) {
28751- if (copy_from_user(buf, dp, left))
28752+ if (left > sizeof buf || copy_from_user(buf, dp, left))
28753 return -EFAULT;
28754 } else {
28755 memcpy(buf, dp, left);
28756diff -urNp linux-3.0.7/drivers/isdn/hardware/eicon/capidtmf.c linux-3.0.7/drivers/isdn/hardware/eicon/capidtmf.c
28757--- linux-3.0.7/drivers/isdn/hardware/eicon/capidtmf.c 2011-07-21 22:17:23.000000000 -0400
28758+++ linux-3.0.7/drivers/isdn/hardware/eicon/capidtmf.c 2011-08-23 21:48:14.000000000 -0400
28759@@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
28760 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
28761 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
28762
28763+ pax_track_stack();
28764
28765 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
28766 {
28767diff -urNp linux-3.0.7/drivers/isdn/hardware/eicon/capifunc.c linux-3.0.7/drivers/isdn/hardware/eicon/capifunc.c
28768--- linux-3.0.7/drivers/isdn/hardware/eicon/capifunc.c 2011-07-21 22:17:23.000000000 -0400
28769+++ linux-3.0.7/drivers/isdn/hardware/eicon/capifunc.c 2011-08-23 21:48:14.000000000 -0400
28770@@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
28771 IDI_SYNC_REQ req;
28772 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
28773
28774+ pax_track_stack();
28775+
28776 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
28777
28778 for (x = 0; x < MAX_DESCRIPTORS; x++) {
28779diff -urNp linux-3.0.7/drivers/isdn/hardware/eicon/diddfunc.c linux-3.0.7/drivers/isdn/hardware/eicon/diddfunc.c
28780--- linux-3.0.7/drivers/isdn/hardware/eicon/diddfunc.c 2011-07-21 22:17:23.000000000 -0400
28781+++ linux-3.0.7/drivers/isdn/hardware/eicon/diddfunc.c 2011-08-23 21:48:14.000000000 -0400
28782@@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
28783 IDI_SYNC_REQ req;
28784 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
28785
28786+ pax_track_stack();
28787+
28788 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
28789
28790 for (x = 0; x < MAX_DESCRIPTORS; x++) {
28791diff -urNp linux-3.0.7/drivers/isdn/hardware/eicon/divasfunc.c linux-3.0.7/drivers/isdn/hardware/eicon/divasfunc.c
28792--- linux-3.0.7/drivers/isdn/hardware/eicon/divasfunc.c 2011-07-21 22:17:23.000000000 -0400
28793+++ linux-3.0.7/drivers/isdn/hardware/eicon/divasfunc.c 2011-08-23 21:48:14.000000000 -0400
28794@@ -160,6 +160,8 @@ static int DIVA_INIT_FUNCTION connect_di
28795 IDI_SYNC_REQ req;
28796 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
28797
28798+ pax_track_stack();
28799+
28800 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
28801
28802 for (x = 0; x < MAX_DESCRIPTORS; x++) {
28803diff -urNp linux-3.0.7/drivers/isdn/hardware/eicon/divasync.h linux-3.0.7/drivers/isdn/hardware/eicon/divasync.h
28804--- linux-3.0.7/drivers/isdn/hardware/eicon/divasync.h 2011-07-21 22:17:23.000000000 -0400
28805+++ linux-3.0.7/drivers/isdn/hardware/eicon/divasync.h 2011-08-23 21:47:55.000000000 -0400
28806@@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter {
28807 } diva_didd_add_adapter_t;
28808 typedef struct _diva_didd_remove_adapter {
28809 IDI_CALL p_request;
28810-} diva_didd_remove_adapter_t;
28811+} __no_const diva_didd_remove_adapter_t;
28812 typedef struct _diva_didd_read_adapter_array {
28813 void * buffer;
28814 dword length;
28815diff -urNp linux-3.0.7/drivers/isdn/hardware/eicon/idifunc.c linux-3.0.7/drivers/isdn/hardware/eicon/idifunc.c
28816--- linux-3.0.7/drivers/isdn/hardware/eicon/idifunc.c 2011-07-21 22:17:23.000000000 -0400
28817+++ linux-3.0.7/drivers/isdn/hardware/eicon/idifunc.c 2011-08-23 21:48:14.000000000 -0400
28818@@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
28819 IDI_SYNC_REQ req;
28820 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
28821
28822+ pax_track_stack();
28823+
28824 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
28825
28826 for (x = 0; x < MAX_DESCRIPTORS; x++) {
28827diff -urNp linux-3.0.7/drivers/isdn/hardware/eicon/message.c linux-3.0.7/drivers/isdn/hardware/eicon/message.c
28828--- linux-3.0.7/drivers/isdn/hardware/eicon/message.c 2011-07-21 22:17:23.000000000 -0400
28829+++ linux-3.0.7/drivers/isdn/hardware/eicon/message.c 2011-08-23 21:48:14.000000000 -0400
28830@@ -4886,6 +4886,8 @@ static void sig_ind(PLCI *plci)
28831 dword d;
28832 word w;
28833
28834+ pax_track_stack();
28835+
28836 a = plci->adapter;
28837 Id = ((word)plci->Id<<8)|a->Id;
28838 PUT_WORD(&SS_Ind[4],0x0000);
28839@@ -7480,6 +7482,8 @@ static word add_b1(PLCI *plci, API_PARSE
28840 word j, n, w;
28841 dword d;
28842
28843+ pax_track_stack();
28844+
28845
28846 for(i=0;i<8;i++) bp_parms[i].length = 0;
28847 for(i=0;i<2;i++) global_config[i].length = 0;
28848@@ -7954,6 +7958,8 @@ static word add_b23(PLCI *plci, API_PARS
28849 const byte llc3[] = {4,3,2,2,6,6,0};
28850 const byte header[] = {0,2,3,3,0,0,0};
28851
28852+ pax_track_stack();
28853+
28854 for(i=0;i<8;i++) bp_parms[i].length = 0;
28855 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
28856 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
28857@@ -14741,6 +14747,8 @@ static void group_optimization(DIVA_CAPI
28858 word appl_number_group_type[MAX_APPL];
28859 PLCI *auxplci;
28860
28861+ pax_track_stack();
28862+
28863 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
28864
28865 if(!a->group_optimization_enabled)
28866diff -urNp linux-3.0.7/drivers/isdn/hardware/eicon/mntfunc.c linux-3.0.7/drivers/isdn/hardware/eicon/mntfunc.c
28867--- linux-3.0.7/drivers/isdn/hardware/eicon/mntfunc.c 2011-07-21 22:17:23.000000000 -0400
28868+++ linux-3.0.7/drivers/isdn/hardware/eicon/mntfunc.c 2011-08-23 21:48:14.000000000 -0400
28869@@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
28870 IDI_SYNC_REQ req;
28871 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
28872
28873+ pax_track_stack();
28874+
28875 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
28876
28877 for (x = 0; x < MAX_DESCRIPTORS; x++) {
28878diff -urNp linux-3.0.7/drivers/isdn/hardware/eicon/xdi_adapter.h linux-3.0.7/drivers/isdn/hardware/eicon/xdi_adapter.h
28879--- linux-3.0.7/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-07-21 22:17:23.000000000 -0400
28880+++ linux-3.0.7/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-08-23 21:47:55.000000000 -0400
28881@@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t {
28882 typedef struct _diva_os_idi_adapter_interface {
28883 diva_init_card_proc_t cleanup_adapter_proc;
28884 diva_cmd_card_proc_t cmd_proc;
28885-} diva_os_idi_adapter_interface_t;
28886+} __no_const diva_os_idi_adapter_interface_t;
28887
28888 typedef struct _diva_os_xdi_adapter {
28889 struct list_head link;
28890diff -urNp linux-3.0.7/drivers/isdn/i4l/isdn_common.c linux-3.0.7/drivers/isdn/i4l/isdn_common.c
28891--- linux-3.0.7/drivers/isdn/i4l/isdn_common.c 2011-07-21 22:17:23.000000000 -0400
28892+++ linux-3.0.7/drivers/isdn/i4l/isdn_common.c 2011-08-23 21:48:14.000000000 -0400
28893@@ -1286,6 +1286,8 @@ isdn_ioctl(struct file *file, uint cmd,
28894 } iocpar;
28895 void __user *argp = (void __user *)arg;
28896
28897+ pax_track_stack();
28898+
28899 #define name iocpar.name
28900 #define bname iocpar.bname
28901 #define iocts iocpar.iocts
28902diff -urNp linux-3.0.7/drivers/isdn/icn/icn.c linux-3.0.7/drivers/isdn/icn/icn.c
28903--- linux-3.0.7/drivers/isdn/icn/icn.c 2011-07-21 22:17:23.000000000 -0400
28904+++ linux-3.0.7/drivers/isdn/icn/icn.c 2011-08-23 21:47:55.000000000 -0400
28905@@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
28906 if (count > len)
28907 count = len;
28908 if (user) {
28909- if (copy_from_user(msg, buf, count))
28910+ if (count > sizeof msg || copy_from_user(msg, buf, count))
28911 return -EFAULT;
28912 } else
28913 memcpy(msg, buf, count);
28914diff -urNp linux-3.0.7/drivers/lguest/core.c linux-3.0.7/drivers/lguest/core.c
28915--- linux-3.0.7/drivers/lguest/core.c 2011-07-21 22:17:23.000000000 -0400
28916+++ linux-3.0.7/drivers/lguest/core.c 2011-08-23 21:47:55.000000000 -0400
28917@@ -92,9 +92,17 @@ static __init int map_switcher(void)
28918 * it's worked so far. The end address needs +1 because __get_vm_area
28919 * allocates an extra guard page, so we need space for that.
28920 */
28921+
28922+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
28923+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
28924+ VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
28925+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
28926+#else
28927 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
28928 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
28929 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
28930+#endif
28931+
28932 if (!switcher_vma) {
28933 err = -ENOMEM;
28934 printk("lguest: could not map switcher pages high\n");
28935@@ -119,7 +127,7 @@ static __init int map_switcher(void)
28936 * Now the Switcher is mapped at the right address, we can't fail!
28937 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
28938 */
28939- memcpy(switcher_vma->addr, start_switcher_text,
28940+ memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
28941 end_switcher_text - start_switcher_text);
28942
28943 printk(KERN_INFO "lguest: mapped switcher at %p\n",
28944diff -urNp linux-3.0.7/drivers/lguest/x86/core.c linux-3.0.7/drivers/lguest/x86/core.c
28945--- linux-3.0.7/drivers/lguest/x86/core.c 2011-07-21 22:17:23.000000000 -0400
28946+++ linux-3.0.7/drivers/lguest/x86/core.c 2011-08-23 21:47:55.000000000 -0400
28947@@ -59,7 +59,7 @@ static struct {
28948 /* Offset from where switcher.S was compiled to where we've copied it */
28949 static unsigned long switcher_offset(void)
28950 {
28951- return SWITCHER_ADDR - (unsigned long)start_switcher_text;
28952+ return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
28953 }
28954
28955 /* This cpu's struct lguest_pages. */
28956@@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
28957 * These copies are pretty cheap, so we do them unconditionally: */
28958 /* Save the current Host top-level page directory.
28959 */
28960+
28961+#ifdef CONFIG_PAX_PER_CPU_PGD
28962+ pages->state.host_cr3 = read_cr3();
28963+#else
28964 pages->state.host_cr3 = __pa(current->mm->pgd);
28965+#endif
28966+
28967 /*
28968 * Set up the Guest's page tables to see this CPU's pages (and no
28969 * other CPU's pages).
28970@@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
28971 * compiled-in switcher code and the high-mapped copy we just made.
28972 */
28973 for (i = 0; i < IDT_ENTRIES; i++)
28974- default_idt_entries[i] += switcher_offset();
28975+ default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
28976
28977 /*
28978 * Set up the Switcher's per-cpu areas.
28979@@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
28980 * it will be undisturbed when we switch. To change %cs and jump we
28981 * need this structure to feed to Intel's "lcall" instruction.
28982 */
28983- lguest_entry.offset = (long)switch_to_guest + switcher_offset();
28984+ lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
28985 lguest_entry.segment = LGUEST_CS;
28986
28987 /*
28988diff -urNp linux-3.0.7/drivers/lguest/x86/switcher_32.S linux-3.0.7/drivers/lguest/x86/switcher_32.S
28989--- linux-3.0.7/drivers/lguest/x86/switcher_32.S 2011-07-21 22:17:23.000000000 -0400
28990+++ linux-3.0.7/drivers/lguest/x86/switcher_32.S 2011-08-23 21:47:55.000000000 -0400
28991@@ -87,6 +87,7 @@
28992 #include <asm/page.h>
28993 #include <asm/segment.h>
28994 #include <asm/lguest.h>
28995+#include <asm/processor-flags.h>
28996
28997 // We mark the start of the code to copy
28998 // It's placed in .text tho it's never run here
28999@@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
29000 // Changes type when we load it: damn Intel!
29001 // For after we switch over our page tables
29002 // That entry will be read-only: we'd crash.
29003+
29004+#ifdef CONFIG_PAX_KERNEXEC
29005+ mov %cr0, %edx
29006+ xor $X86_CR0_WP, %edx
29007+ mov %edx, %cr0
29008+#endif
29009+
29010 movl $(GDT_ENTRY_TSS*8), %edx
29011 ltr %dx
29012
29013@@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
29014 // Let's clear it again for our return.
29015 // The GDT descriptor of the Host
29016 // Points to the table after two "size" bytes
29017- movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
29018+ movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
29019 // Clear "used" from type field (byte 5, bit 2)
29020- andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
29021+ andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
29022+
29023+#ifdef CONFIG_PAX_KERNEXEC
29024+ mov %cr0, %eax
29025+ xor $X86_CR0_WP, %eax
29026+ mov %eax, %cr0
29027+#endif
29028
29029 // Once our page table's switched, the Guest is live!
29030 // The Host fades as we run this final step.
29031@@ -295,13 +309,12 @@ deliver_to_host:
29032 // I consulted gcc, and it gave
29033 // These instructions, which I gladly credit:
29034 leal (%edx,%ebx,8), %eax
29035- movzwl (%eax),%edx
29036- movl 4(%eax), %eax
29037- xorw %ax, %ax
29038- orl %eax, %edx
29039+ movl 4(%eax), %edx
29040+ movw (%eax), %dx
29041 // Now the address of the handler's in %edx
29042 // We call it now: its "iret" drops us home.
29043- jmp *%edx
29044+ ljmp $__KERNEL_CS, $1f
29045+1: jmp *%edx
29046
29047 // Every interrupt can come to us here
29048 // But we must truly tell each apart.
29049diff -urNp linux-3.0.7/drivers/macintosh/macio_asic.c linux-3.0.7/drivers/macintosh/macio_asic.c
29050--- linux-3.0.7/drivers/macintosh/macio_asic.c 2011-07-21 22:17:23.000000000 -0400
29051+++ linux-3.0.7/drivers/macintosh/macio_asic.c 2011-10-11 10:44:33.000000000 -0400
29052@@ -748,7 +748,7 @@ static void __devexit macio_pci_remove(s
29053 * MacIO is matched against any Apple ID, it's probe() function
29054 * will then decide wether it applies or not
29055 */
29056-static const struct pci_device_id __devinitdata pci_ids [] = { {
29057+static const struct pci_device_id __devinitconst pci_ids [] = { {
29058 .vendor = PCI_VENDOR_ID_APPLE,
29059 .device = PCI_ANY_ID,
29060 .subvendor = PCI_ANY_ID,
29061diff -urNp linux-3.0.7/drivers/md/dm-ioctl.c linux-3.0.7/drivers/md/dm-ioctl.c
29062--- linux-3.0.7/drivers/md/dm-ioctl.c 2011-07-21 22:17:23.000000000 -0400
29063+++ linux-3.0.7/drivers/md/dm-ioctl.c 2011-08-23 21:47:55.000000000 -0400
29064@@ -1551,7 +1551,7 @@ static int validate_params(uint cmd, str
29065 cmd == DM_LIST_VERSIONS_CMD)
29066 return 0;
29067
29068- if ((cmd == DM_DEV_CREATE_CMD)) {
29069+ if (cmd == DM_DEV_CREATE_CMD) {
29070 if (!*param->name) {
29071 DMWARN("name not supplied when creating device");
29072 return -EINVAL;
29073diff -urNp linux-3.0.7/drivers/md/dm-raid1.c linux-3.0.7/drivers/md/dm-raid1.c
29074--- linux-3.0.7/drivers/md/dm-raid1.c 2011-07-21 22:17:23.000000000 -0400
29075+++ linux-3.0.7/drivers/md/dm-raid1.c 2011-08-23 21:47:55.000000000 -0400
29076@@ -40,7 +40,7 @@ enum dm_raid1_error {
29077
29078 struct mirror {
29079 struct mirror_set *ms;
29080- atomic_t error_count;
29081+ atomic_unchecked_t error_count;
29082 unsigned long error_type;
29083 struct dm_dev *dev;
29084 sector_t offset;
29085@@ -185,7 +185,7 @@ static struct mirror *get_valid_mirror(s
29086 struct mirror *m;
29087
29088 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
29089- if (!atomic_read(&m->error_count))
29090+ if (!atomic_read_unchecked(&m->error_count))
29091 return m;
29092
29093 return NULL;
29094@@ -217,7 +217,7 @@ static void fail_mirror(struct mirror *m
29095 * simple way to tell if a device has encountered
29096 * errors.
29097 */
29098- atomic_inc(&m->error_count);
29099+ atomic_inc_unchecked(&m->error_count);
29100
29101 if (test_and_set_bit(error_type, &m->error_type))
29102 return;
29103@@ -408,7 +408,7 @@ static struct mirror *choose_mirror(stru
29104 struct mirror *m = get_default_mirror(ms);
29105
29106 do {
29107- if (likely(!atomic_read(&m->error_count)))
29108+ if (likely(!atomic_read_unchecked(&m->error_count)))
29109 return m;
29110
29111 if (m-- == ms->mirror)
29112@@ -422,7 +422,7 @@ static int default_ok(struct mirror *m)
29113 {
29114 struct mirror *default_mirror = get_default_mirror(m->ms);
29115
29116- return !atomic_read(&default_mirror->error_count);
29117+ return !atomic_read_unchecked(&default_mirror->error_count);
29118 }
29119
29120 static int mirror_available(struct mirror_set *ms, struct bio *bio)
29121@@ -559,7 +559,7 @@ static void do_reads(struct mirror_set *
29122 */
29123 if (likely(region_in_sync(ms, region, 1)))
29124 m = choose_mirror(ms, bio->bi_sector);
29125- else if (m && atomic_read(&m->error_count))
29126+ else if (m && atomic_read_unchecked(&m->error_count))
29127 m = NULL;
29128
29129 if (likely(m))
29130@@ -937,7 +937,7 @@ static int get_mirror(struct mirror_set
29131 }
29132
29133 ms->mirror[mirror].ms = ms;
29134- atomic_set(&(ms->mirror[mirror].error_count), 0);
29135+ atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
29136 ms->mirror[mirror].error_type = 0;
29137 ms->mirror[mirror].offset = offset;
29138
29139@@ -1347,7 +1347,7 @@ static void mirror_resume(struct dm_targ
29140 */
29141 static char device_status_char(struct mirror *m)
29142 {
29143- if (!atomic_read(&(m->error_count)))
29144+ if (!atomic_read_unchecked(&(m->error_count)))
29145 return 'A';
29146
29147 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
29148diff -urNp linux-3.0.7/drivers/md/dm-stripe.c linux-3.0.7/drivers/md/dm-stripe.c
29149--- linux-3.0.7/drivers/md/dm-stripe.c 2011-07-21 22:17:23.000000000 -0400
29150+++ linux-3.0.7/drivers/md/dm-stripe.c 2011-08-23 21:47:55.000000000 -0400
29151@@ -20,7 +20,7 @@ struct stripe {
29152 struct dm_dev *dev;
29153 sector_t physical_start;
29154
29155- atomic_t error_count;
29156+ atomic_unchecked_t error_count;
29157 };
29158
29159 struct stripe_c {
29160@@ -192,7 +192,7 @@ static int stripe_ctr(struct dm_target *
29161 kfree(sc);
29162 return r;
29163 }
29164- atomic_set(&(sc->stripe[i].error_count), 0);
29165+ atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
29166 }
29167
29168 ti->private = sc;
29169@@ -314,7 +314,7 @@ static int stripe_status(struct dm_targe
29170 DMEMIT("%d ", sc->stripes);
29171 for (i = 0; i < sc->stripes; i++) {
29172 DMEMIT("%s ", sc->stripe[i].dev->name);
29173- buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
29174+ buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
29175 'D' : 'A';
29176 }
29177 buffer[i] = '\0';
29178@@ -361,8 +361,8 @@ static int stripe_end_io(struct dm_targe
29179 */
29180 for (i = 0; i < sc->stripes; i++)
29181 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
29182- atomic_inc(&(sc->stripe[i].error_count));
29183- if (atomic_read(&(sc->stripe[i].error_count)) <
29184+ atomic_inc_unchecked(&(sc->stripe[i].error_count));
29185+ if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
29186 DM_IO_ERROR_THRESHOLD)
29187 schedule_work(&sc->trigger_event);
29188 }
29189diff -urNp linux-3.0.7/drivers/md/dm-table.c linux-3.0.7/drivers/md/dm-table.c
29190--- linux-3.0.7/drivers/md/dm-table.c 2011-10-17 23:17:09.000000000 -0400
29191+++ linux-3.0.7/drivers/md/dm-table.c 2011-10-17 23:17:19.000000000 -0400
29192@@ -390,7 +390,7 @@ static int device_area_is_invalid(struct
29193 if (!dev_size)
29194 return 0;
29195
29196- if ((start >= dev_size) || (start + len > dev_size)) {
29197+ if ((start >= dev_size) || (len > dev_size - start)) {
29198 DMWARN("%s: %s too small for target: "
29199 "start=%llu, len=%llu, dev_size=%llu",
29200 dm_device_name(ti->table->md), bdevname(bdev, b),
29201diff -urNp linux-3.0.7/drivers/md/dm.c linux-3.0.7/drivers/md/dm.c
29202--- linux-3.0.7/drivers/md/dm.c 2011-09-02 18:11:21.000000000 -0400
29203+++ linux-3.0.7/drivers/md/dm.c 2011-08-23 21:47:55.000000000 -0400
29204@@ -164,9 +164,9 @@ struct mapped_device {
29205 /*
29206 * Event handling.
29207 */
29208- atomic_t event_nr;
29209+ atomic_unchecked_t event_nr;
29210 wait_queue_head_t eventq;
29211- atomic_t uevent_seq;
29212+ atomic_unchecked_t uevent_seq;
29213 struct list_head uevent_list;
29214 spinlock_t uevent_lock; /* Protect access to uevent_list */
29215
29216@@ -1842,8 +1842,8 @@ static struct mapped_device *alloc_dev(i
29217 rwlock_init(&md->map_lock);
29218 atomic_set(&md->holders, 1);
29219 atomic_set(&md->open_count, 0);
29220- atomic_set(&md->event_nr, 0);
29221- atomic_set(&md->uevent_seq, 0);
29222+ atomic_set_unchecked(&md->event_nr, 0);
29223+ atomic_set_unchecked(&md->uevent_seq, 0);
29224 INIT_LIST_HEAD(&md->uevent_list);
29225 spin_lock_init(&md->uevent_lock);
29226
29227@@ -1977,7 +1977,7 @@ static void event_callback(void *context
29228
29229 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
29230
29231- atomic_inc(&md->event_nr);
29232+ atomic_inc_unchecked(&md->event_nr);
29233 wake_up(&md->eventq);
29234 }
29235
29236@@ -2553,18 +2553,18 @@ int dm_kobject_uevent(struct mapped_devi
29237
29238 uint32_t dm_next_uevent_seq(struct mapped_device *md)
29239 {
29240- return atomic_add_return(1, &md->uevent_seq);
29241+ return atomic_add_return_unchecked(1, &md->uevent_seq);
29242 }
29243
29244 uint32_t dm_get_event_nr(struct mapped_device *md)
29245 {
29246- return atomic_read(&md->event_nr);
29247+ return atomic_read_unchecked(&md->event_nr);
29248 }
29249
29250 int dm_wait_event(struct mapped_device *md, int event_nr)
29251 {
29252 return wait_event_interruptible(md->eventq,
29253- (event_nr != atomic_read(&md->event_nr)));
29254+ (event_nr != atomic_read_unchecked(&md->event_nr)));
29255 }
29256
29257 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
29258diff -urNp linux-3.0.7/drivers/md/md.c linux-3.0.7/drivers/md/md.c
29259--- linux-3.0.7/drivers/md/md.c 2011-10-17 23:17:09.000000000 -0400
29260+++ linux-3.0.7/drivers/md/md.c 2011-10-17 23:17:19.000000000 -0400
29261@@ -231,10 +231,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
29262 * start build, activate spare
29263 */
29264 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
29265-static atomic_t md_event_count;
29266+static atomic_unchecked_t md_event_count;
29267 void md_new_event(mddev_t *mddev)
29268 {
29269- atomic_inc(&md_event_count);
29270+ atomic_inc_unchecked(&md_event_count);
29271 wake_up(&md_event_waiters);
29272 }
29273 EXPORT_SYMBOL_GPL(md_new_event);
29274@@ -244,7 +244,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
29275 */
29276 static void md_new_event_inintr(mddev_t *mddev)
29277 {
29278- atomic_inc(&md_event_count);
29279+ atomic_inc_unchecked(&md_event_count);
29280 wake_up(&md_event_waiters);
29281 }
29282
29283@@ -1475,7 +1475,7 @@ static int super_1_load(mdk_rdev_t *rdev
29284
29285 rdev->preferred_minor = 0xffff;
29286 rdev->data_offset = le64_to_cpu(sb->data_offset);
29287- atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
29288+ atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
29289
29290 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
29291 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
29292@@ -1653,7 +1653,7 @@ static void super_1_sync(mddev_t *mddev,
29293 else
29294 sb->resync_offset = cpu_to_le64(0);
29295
29296- sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
29297+ sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
29298
29299 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
29300 sb->size = cpu_to_le64(mddev->dev_sectors);
29301@@ -2446,7 +2446,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
29302 static ssize_t
29303 errors_show(mdk_rdev_t *rdev, char *page)
29304 {
29305- return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
29306+ return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
29307 }
29308
29309 static ssize_t
29310@@ -2455,7 +2455,7 @@ errors_store(mdk_rdev_t *rdev, const cha
29311 char *e;
29312 unsigned long n = simple_strtoul(buf, &e, 10);
29313 if (*buf && (*e == 0 || *e == '\n')) {
29314- atomic_set(&rdev->corrected_errors, n);
29315+ atomic_set_unchecked(&rdev->corrected_errors, n);
29316 return len;
29317 }
29318 return -EINVAL;
29319@@ -2811,8 +2811,8 @@ void md_rdev_init(mdk_rdev_t *rdev)
29320 rdev->last_read_error.tv_sec = 0;
29321 rdev->last_read_error.tv_nsec = 0;
29322 atomic_set(&rdev->nr_pending, 0);
29323- atomic_set(&rdev->read_errors, 0);
29324- atomic_set(&rdev->corrected_errors, 0);
29325+ atomic_set_unchecked(&rdev->read_errors, 0);
29326+ atomic_set_unchecked(&rdev->corrected_errors, 0);
29327
29328 INIT_LIST_HEAD(&rdev->same_set);
29329 init_waitqueue_head(&rdev->blocked_wait);
29330@@ -6440,7 +6440,7 @@ static int md_seq_show(struct seq_file *
29331
29332 spin_unlock(&pers_lock);
29333 seq_printf(seq, "\n");
29334- mi->event = atomic_read(&md_event_count);
29335+ mi->event = atomic_read_unchecked(&md_event_count);
29336 return 0;
29337 }
29338 if (v == (void*)2) {
29339@@ -6529,7 +6529,7 @@ static int md_seq_show(struct seq_file *
29340 chunk_kb ? "KB" : "B");
29341 if (bitmap->file) {
29342 seq_printf(seq, ", file: ");
29343- seq_path(seq, &bitmap->file->f_path, " \t\n");
29344+ seq_path(seq, &bitmap->file->f_path, " \t\n\\");
29345 }
29346
29347 seq_printf(seq, "\n");
29348@@ -6563,7 +6563,7 @@ static int md_seq_open(struct inode *ino
29349 else {
29350 struct seq_file *p = file->private_data;
29351 p->private = mi;
29352- mi->event = atomic_read(&md_event_count);
29353+ mi->event = atomic_read_unchecked(&md_event_count);
29354 }
29355 return error;
29356 }
29357@@ -6579,7 +6579,7 @@ static unsigned int mdstat_poll(struct f
29358 /* always allow read */
29359 mask = POLLIN | POLLRDNORM;
29360
29361- if (mi->event != atomic_read(&md_event_count))
29362+ if (mi->event != atomic_read_unchecked(&md_event_count))
29363 mask |= POLLERR | POLLPRI;
29364 return mask;
29365 }
29366@@ -6623,7 +6623,7 @@ static int is_mddev_idle(mddev_t *mddev,
29367 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
29368 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
29369 (int)part_stat_read(&disk->part0, sectors[1]) -
29370- atomic_read(&disk->sync_io);
29371+ atomic_read_unchecked(&disk->sync_io);
29372 /* sync IO will cause sync_io to increase before the disk_stats
29373 * as sync_io is counted when a request starts, and
29374 * disk_stats is counted when it completes.
29375diff -urNp linux-3.0.7/drivers/md/md.h linux-3.0.7/drivers/md/md.h
29376--- linux-3.0.7/drivers/md/md.h 2011-10-17 23:17:09.000000000 -0400
29377+++ linux-3.0.7/drivers/md/md.h 2011-10-17 23:17:19.000000000 -0400
29378@@ -97,13 +97,13 @@ struct mdk_rdev_s
29379 * only maintained for arrays that
29380 * support hot removal
29381 */
29382- atomic_t read_errors; /* number of consecutive read errors that
29383+ atomic_unchecked_t read_errors; /* number of consecutive read errors that
29384 * we have tried to ignore.
29385 */
29386 struct timespec last_read_error; /* monotonic time since our
29387 * last read error
29388 */
29389- atomic_t corrected_errors; /* number of corrected read errors,
29390+ atomic_unchecked_t corrected_errors; /* number of corrected read errors,
29391 * for reporting to userspace and storing
29392 * in superblock.
29393 */
29394@@ -344,7 +344,7 @@ static inline void rdev_dec_pending(mdk_
29395
29396 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
29397 {
29398- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
29399+ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
29400 }
29401
29402 struct mdk_personality
29403diff -urNp linux-3.0.7/drivers/md/raid1.c linux-3.0.7/drivers/md/raid1.c
29404--- linux-3.0.7/drivers/md/raid1.c 2011-10-17 23:17:09.000000000 -0400
29405+++ linux-3.0.7/drivers/md/raid1.c 2011-10-17 23:17:19.000000000 -0400
29406@@ -1263,7 +1263,7 @@ static int fix_sync_read_error(r1bio_t *
29407 rdev_dec_pending(rdev, mddev);
29408 md_error(mddev, rdev);
29409 } else
29410- atomic_add(s, &rdev->corrected_errors);
29411+ atomic_add_unchecked(s, &rdev->corrected_errors);
29412 }
29413 d = start;
29414 while (d != r1_bio->read_disk) {
29415@@ -1492,7 +1492,7 @@ static void fix_read_error(conf_t *conf,
29416 /* Well, this device is dead */
29417 md_error(mddev, rdev);
29418 else {
29419- atomic_add(s, &rdev->corrected_errors);
29420+ atomic_add_unchecked(s, &rdev->corrected_errors);
29421 printk(KERN_INFO
29422 "md/raid1:%s: read error corrected "
29423 "(%d sectors at %llu on %s)\n",
29424diff -urNp linux-3.0.7/drivers/md/raid10.c linux-3.0.7/drivers/md/raid10.c
29425--- linux-3.0.7/drivers/md/raid10.c 2011-10-17 23:17:09.000000000 -0400
29426+++ linux-3.0.7/drivers/md/raid10.c 2011-10-17 23:17:19.000000000 -0400
29427@@ -1186,7 +1186,7 @@ static void end_sync_read(struct bio *bi
29428 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
29429 set_bit(R10BIO_Uptodate, &r10_bio->state);
29430 else {
29431- atomic_add(r10_bio->sectors,
29432+ atomic_add_unchecked(r10_bio->sectors,
29433 &conf->mirrors[d].rdev->corrected_errors);
29434 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
29435 md_error(r10_bio->mddev,
29436@@ -1394,7 +1394,7 @@ static void check_decay_read_errors(mdde
29437 {
29438 struct timespec cur_time_mon;
29439 unsigned long hours_since_last;
29440- unsigned int read_errors = atomic_read(&rdev->read_errors);
29441+ unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
29442
29443 ktime_get_ts(&cur_time_mon);
29444
29445@@ -1416,9 +1416,9 @@ static void check_decay_read_errors(mdde
29446 * overflowing the shift of read_errors by hours_since_last.
29447 */
29448 if (hours_since_last >= 8 * sizeof(read_errors))
29449- atomic_set(&rdev->read_errors, 0);
29450+ atomic_set_unchecked(&rdev->read_errors, 0);
29451 else
29452- atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
29453+ atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
29454 }
29455
29456 /*
29457@@ -1448,8 +1448,8 @@ static void fix_read_error(conf_t *conf,
29458 return;
29459
29460 check_decay_read_errors(mddev, rdev);
29461- atomic_inc(&rdev->read_errors);
29462- if (atomic_read(&rdev->read_errors) > max_read_errors) {
29463+ atomic_inc_unchecked(&rdev->read_errors);
29464+ if (atomic_read_unchecked(&rdev->read_errors) > max_read_errors) {
29465 char b[BDEVNAME_SIZE];
29466 bdevname(rdev->bdev, b);
29467
29468@@ -1457,7 +1457,7 @@ static void fix_read_error(conf_t *conf,
29469 "md/raid10:%s: %s: Raid device exceeded "
29470 "read_error threshold [cur %d:max %d]\n",
29471 mdname(mddev), b,
29472- atomic_read(&rdev->read_errors), max_read_errors);
29473+ atomic_read_unchecked(&rdev->read_errors), max_read_errors);
29474 printk(KERN_NOTICE
29475 "md/raid10:%s: %s: Failing raid device\n",
29476 mdname(mddev), b);
29477@@ -1520,7 +1520,7 @@ static void fix_read_error(conf_t *conf,
29478 test_bit(In_sync, &rdev->flags)) {
29479 atomic_inc(&rdev->nr_pending);
29480 rcu_read_unlock();
29481- atomic_add(s, &rdev->corrected_errors);
29482+ atomic_add_unchecked(s, &rdev->corrected_errors);
29483 if (sync_page_io(rdev,
29484 r10_bio->devs[sl].addr +
29485 sect,
29486diff -urNp linux-3.0.7/drivers/md/raid5.c linux-3.0.7/drivers/md/raid5.c
29487--- linux-3.0.7/drivers/md/raid5.c 2011-10-17 23:17:09.000000000 -0400
29488+++ linux-3.0.7/drivers/md/raid5.c 2011-10-17 23:17:19.000000000 -0400
29489@@ -550,7 +550,7 @@ static void ops_run_io(struct stripe_hea
29490 bi->bi_next = NULL;
29491 if ((rw & WRITE) &&
29492 test_bit(R5_ReWrite, &sh->dev[i].flags))
29493- atomic_add(STRIPE_SECTORS,
29494+ atomic_add_unchecked(STRIPE_SECTORS,
29495 &rdev->corrected_errors);
29496 generic_make_request(bi);
29497 } else {
29498@@ -1596,15 +1596,15 @@ static void raid5_end_read_request(struc
29499 clear_bit(R5_ReadError, &sh->dev[i].flags);
29500 clear_bit(R5_ReWrite, &sh->dev[i].flags);
29501 }
29502- if (atomic_read(&conf->disks[i].rdev->read_errors))
29503- atomic_set(&conf->disks[i].rdev->read_errors, 0);
29504+ if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
29505+ atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
29506 } else {
29507 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
29508 int retry = 0;
29509 rdev = conf->disks[i].rdev;
29510
29511 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
29512- atomic_inc(&rdev->read_errors);
29513+ atomic_inc_unchecked(&rdev->read_errors);
29514 if (conf->mddev->degraded >= conf->max_degraded)
29515 printk_rl(KERN_WARNING
29516 "md/raid:%s: read error not correctable "
29517@@ -1622,7 +1622,7 @@ static void raid5_end_read_request(struc
29518 (unsigned long long)(sh->sector
29519 + rdev->data_offset),
29520 bdn);
29521- else if (atomic_read(&rdev->read_errors)
29522+ else if (atomic_read_unchecked(&rdev->read_errors)
29523 > conf->max_nr_stripes)
29524 printk(KERN_WARNING
29525 "md/raid:%s: Too many read errors, failing device %s.\n",
29526@@ -1945,6 +1945,7 @@ static sector_t compute_blocknr(struct s
29527 sector_t r_sector;
29528 struct stripe_head sh2;
29529
29530+ pax_track_stack();
29531
29532 chunk_offset = sector_div(new_sector, sectors_per_chunk);
29533 stripe = new_sector;
29534diff -urNp linux-3.0.7/drivers/media/common/saa7146_hlp.c linux-3.0.7/drivers/media/common/saa7146_hlp.c
29535--- linux-3.0.7/drivers/media/common/saa7146_hlp.c 2011-07-21 22:17:23.000000000 -0400
29536+++ linux-3.0.7/drivers/media/common/saa7146_hlp.c 2011-08-23 21:48:14.000000000 -0400
29537@@ -353,6 +353,8 @@ static void calculate_clipping_registers
29538
29539 int x[32], y[32], w[32], h[32];
29540
29541+ pax_track_stack();
29542+
29543 /* clear out memory */
29544 memset(&line_list[0], 0x00, sizeof(u32)*32);
29545 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
29546diff -urNp linux-3.0.7/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-3.0.7/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
29547--- linux-3.0.7/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-07-21 22:17:23.000000000 -0400
29548+++ linux-3.0.7/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-08-23 21:48:14.000000000 -0400
29549@@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
29550 u8 buf[HOST_LINK_BUF_SIZE];
29551 int i;
29552
29553+ pax_track_stack();
29554+
29555 dprintk("%s\n", __func__);
29556
29557 /* check if we have space for a link buf in the rx_buffer */
29558@@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
29559 unsigned long timeout;
29560 int written;
29561
29562+ pax_track_stack();
29563+
29564 dprintk("%s\n", __func__);
29565
29566 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
29567diff -urNp linux-3.0.7/drivers/media/dvb/dvb-core/dvb_demux.h linux-3.0.7/drivers/media/dvb/dvb-core/dvb_demux.h
29568--- linux-3.0.7/drivers/media/dvb/dvb-core/dvb_demux.h 2011-07-21 22:17:23.000000000 -0400
29569+++ linux-3.0.7/drivers/media/dvb/dvb-core/dvb_demux.h 2011-08-24 18:24:40.000000000 -0400
29570@@ -68,12 +68,12 @@ struct dvb_demux_feed {
29571 union {
29572 struct dmx_ts_feed ts;
29573 struct dmx_section_feed sec;
29574- } feed;
29575+ } __no_const feed;
29576
29577 union {
29578 dmx_ts_cb ts;
29579 dmx_section_cb sec;
29580- } cb;
29581+ } __no_const cb;
29582
29583 struct dvb_demux *demux;
29584 void *priv;
29585diff -urNp linux-3.0.7/drivers/media/dvb/dvb-core/dvbdev.c linux-3.0.7/drivers/media/dvb/dvb-core/dvbdev.c
29586--- linux-3.0.7/drivers/media/dvb/dvb-core/dvbdev.c 2011-07-21 22:17:23.000000000 -0400
29587+++ linux-3.0.7/drivers/media/dvb/dvb-core/dvbdev.c 2011-08-24 18:24:19.000000000 -0400
29588@@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
29589 const struct dvb_device *template, void *priv, int type)
29590 {
29591 struct dvb_device *dvbdev;
29592- struct file_operations *dvbdevfops;
29593+ file_operations_no_const *dvbdevfops;
29594 struct device *clsdev;
29595 int minor;
29596 int id;
29597diff -urNp linux-3.0.7/drivers/media/dvb/dvb-usb/cxusb.c linux-3.0.7/drivers/media/dvb/dvb-usb/cxusb.c
29598--- linux-3.0.7/drivers/media/dvb/dvb-usb/cxusb.c 2011-07-21 22:17:23.000000000 -0400
29599+++ linux-3.0.7/drivers/media/dvb/dvb-usb/cxusb.c 2011-08-24 18:26:33.000000000 -0400
29600@@ -1059,7 +1059,7 @@ static struct dib0070_config dib7070p_di
29601 struct dib0700_adapter_state {
29602 int (*set_param_save) (struct dvb_frontend *,
29603 struct dvb_frontend_parameters *);
29604-};
29605+} __no_const;
29606
29607 static int dib7070_set_param_override(struct dvb_frontend *fe,
29608 struct dvb_frontend_parameters *fep)
29609diff -urNp linux-3.0.7/drivers/media/dvb/dvb-usb/dib0700_core.c linux-3.0.7/drivers/media/dvb/dvb-usb/dib0700_core.c
29610--- linux-3.0.7/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-07-21 22:17:23.000000000 -0400
29611+++ linux-3.0.7/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-08-23 21:48:14.000000000 -0400
29612@@ -434,6 +434,8 @@ int dib0700_download_firmware(struct usb
29613 if (!buf)
29614 return -ENOMEM;
29615
29616+ pax_track_stack();
29617+
29618 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
29619 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",
29620 hx.addr, hx.len, hx.chk);
29621diff -urNp linux-3.0.7/drivers/media/dvb/dvb-usb/dibusb.h linux-3.0.7/drivers/media/dvb/dvb-usb/dibusb.h
29622--- linux-3.0.7/drivers/media/dvb/dvb-usb/dibusb.h 2011-07-21 22:17:23.000000000 -0400
29623+++ linux-3.0.7/drivers/media/dvb/dvb-usb/dibusb.h 2011-08-24 18:27:27.000000000 -0400
29624@@ -97,7 +97,7 @@
29625 #define DIBUSB_IOCTL_CMD_DISABLE_STREAM 0x02
29626
29627 struct dibusb_state {
29628- struct dib_fe_xfer_ops ops;
29629+ dib_fe_xfer_ops_no_const ops;
29630 int mt2060_present;
29631 u8 tuner_addr;
29632 };
29633diff -urNp linux-3.0.7/drivers/media/dvb/dvb-usb/dw2102.c linux-3.0.7/drivers/media/dvb/dvb-usb/dw2102.c
29634--- linux-3.0.7/drivers/media/dvb/dvb-usb/dw2102.c 2011-07-21 22:17:23.000000000 -0400
29635+++ linux-3.0.7/drivers/media/dvb/dvb-usb/dw2102.c 2011-08-24 18:27:45.000000000 -0400
29636@@ -95,7 +95,7 @@ struct su3000_state {
29637
29638 struct s6x0_state {
29639 int (*old_set_voltage)(struct dvb_frontend *f, fe_sec_voltage_t v);
29640-};
29641+} __no_const;
29642
29643 /* debug */
29644 static int dvb_usb_dw2102_debug;
29645diff -urNp linux-3.0.7/drivers/media/dvb/dvb-usb/lmedm04.c linux-3.0.7/drivers/media/dvb/dvb-usb/lmedm04.c
29646--- linux-3.0.7/drivers/media/dvb/dvb-usb/lmedm04.c 2011-07-21 22:17:23.000000000 -0400
29647+++ linux-3.0.7/drivers/media/dvb/dvb-usb/lmedm04.c 2011-08-23 21:48:14.000000000 -0400
29648@@ -742,6 +742,7 @@ static int lme2510_download_firmware(str
29649 usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
29650 0x06, 0x80, 0x0200, 0x00, data, 0x0109, 1000);
29651
29652+ pax_track_stack();
29653
29654 data[0] = 0x8a;
29655 len_in = 1;
29656@@ -764,6 +765,8 @@ static void lme_coldreset(struct usb_dev
29657 int ret = 0, len_in;
29658 u8 data[512] = {0};
29659
29660+ pax_track_stack();
29661+
29662 data[0] = 0x0a;
29663 len_in = 1;
29664 info("FRM Firmware Cold Reset");
29665diff -urNp linux-3.0.7/drivers/media/dvb/frontends/dib3000.h linux-3.0.7/drivers/media/dvb/frontends/dib3000.h
29666--- linux-3.0.7/drivers/media/dvb/frontends/dib3000.h 2011-07-21 22:17:23.000000000 -0400
29667+++ linux-3.0.7/drivers/media/dvb/frontends/dib3000.h 2011-10-07 19:07:39.000000000 -0400
29668@@ -40,10 +40,11 @@ struct dib_fe_xfer_ops
29669 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
29670 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
29671 };
29672+typedef struct dib_fe_xfer_ops __no_const dib_fe_xfer_ops_no_const;
29673
29674 #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
29675 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
29676- struct i2c_adapter* i2c, struct dib_fe_xfer_ops *xfer_ops);
29677+ struct i2c_adapter* i2c, dib_fe_xfer_ops_no_const *xfer_ops);
29678 #else
29679 static inline struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
29680 struct i2c_adapter* i2c, struct dib_fe_xfer_ops *xfer_ops)
29681diff -urNp linux-3.0.7/drivers/media/dvb/frontends/dib3000mb.c linux-3.0.7/drivers/media/dvb/frontends/dib3000mb.c
29682--- linux-3.0.7/drivers/media/dvb/frontends/dib3000mb.c 2011-07-21 22:17:23.000000000 -0400
29683+++ linux-3.0.7/drivers/media/dvb/frontends/dib3000mb.c 2011-08-24 18:28:42.000000000 -0400
29684@@ -756,7 +756,7 @@ static int dib3000mb_tuner_pass_ctrl(str
29685 static struct dvb_frontend_ops dib3000mb_ops;
29686
29687 struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
29688- struct i2c_adapter* i2c, struct dib_fe_xfer_ops *xfer_ops)
29689+ struct i2c_adapter* i2c, dib_fe_xfer_ops_no_const *xfer_ops)
29690 {
29691 struct dib3000_state* state = NULL;
29692
29693diff -urNp linux-3.0.7/drivers/media/dvb/frontends/mb86a16.c linux-3.0.7/drivers/media/dvb/frontends/mb86a16.c
29694--- linux-3.0.7/drivers/media/dvb/frontends/mb86a16.c 2011-07-21 22:17:23.000000000 -0400
29695+++ linux-3.0.7/drivers/media/dvb/frontends/mb86a16.c 2011-08-23 21:48:14.000000000 -0400
29696@@ -1060,6 +1060,8 @@ static int mb86a16_set_fe(struct mb86a16
29697 int ret = -1;
29698 int sync;
29699
29700+ pax_track_stack();
29701+
29702 dprintk(verbose, MB86A16_INFO, 1, "freq=%d Mhz, symbrt=%d Ksps", state->frequency, state->srate);
29703
29704 fcp = 3000;
29705diff -urNp linux-3.0.7/drivers/media/dvb/frontends/or51211.c linux-3.0.7/drivers/media/dvb/frontends/or51211.c
29706--- linux-3.0.7/drivers/media/dvb/frontends/or51211.c 2011-07-21 22:17:23.000000000 -0400
29707+++ linux-3.0.7/drivers/media/dvb/frontends/or51211.c 2011-08-23 21:48:14.000000000 -0400
29708@@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
29709 u8 tudata[585];
29710 int i;
29711
29712+ pax_track_stack();
29713+
29714 dprintk("Firmware is %zd bytes\n",fw->size);
29715
29716 /* Get eprom data */
29717diff -urNp linux-3.0.7/drivers/media/dvb/ngene/ngene-cards.c linux-3.0.7/drivers/media/dvb/ngene/ngene-cards.c
29718--- linux-3.0.7/drivers/media/dvb/ngene/ngene-cards.c 2011-07-21 22:17:23.000000000 -0400
29719+++ linux-3.0.7/drivers/media/dvb/ngene/ngene-cards.c 2011-10-11 10:44:33.000000000 -0400
29720@@ -379,7 +379,7 @@ static struct ngene_info ngene_info_m780
29721
29722 /****************************************************************************/
29723
29724-static const struct pci_device_id ngene_id_tbl[] __devinitdata = {
29725+static const struct pci_device_id ngene_id_tbl[] __devinitconst = {
29726 NGENE_ID(0x18c3, 0xabc3, ngene_info_cineS2),
29727 NGENE_ID(0x18c3, 0xabc4, ngene_info_cineS2),
29728 NGENE_ID(0x18c3, 0xdb01, ngene_info_satixS2),
29729diff -urNp linux-3.0.7/drivers/media/video/cx18/cx18-driver.c linux-3.0.7/drivers/media/video/cx18/cx18-driver.c
29730--- linux-3.0.7/drivers/media/video/cx18/cx18-driver.c 2011-07-21 22:17:23.000000000 -0400
29731+++ linux-3.0.7/drivers/media/video/cx18/cx18-driver.c 2011-08-23 21:48:14.000000000 -0400
29732@@ -327,6 +327,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
29733 struct i2c_client c;
29734 u8 eedata[256];
29735
29736+ pax_track_stack();
29737+
29738 memset(&c, 0, sizeof(c));
29739 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
29740 c.adapter = &cx->i2c_adap[0];
29741diff -urNp linux-3.0.7/drivers/media/video/cx23885/cx23885-input.c linux-3.0.7/drivers/media/video/cx23885/cx23885-input.c
29742--- linux-3.0.7/drivers/media/video/cx23885/cx23885-input.c 2011-07-21 22:17:23.000000000 -0400
29743+++ linux-3.0.7/drivers/media/video/cx23885/cx23885-input.c 2011-08-23 21:48:14.000000000 -0400
29744@@ -53,6 +53,8 @@ static void cx23885_input_process_measur
29745 bool handle = false;
29746 struct ir_raw_event ir_core_event[64];
29747
29748+ pax_track_stack();
29749+
29750 do {
29751 num = 0;
29752 v4l2_subdev_call(dev->sd_ir, ir, rx_read, (u8 *) ir_core_event,
29753diff -urNp linux-3.0.7/drivers/media/video/cx88/cx88-alsa.c linux-3.0.7/drivers/media/video/cx88/cx88-alsa.c
29754--- linux-3.0.7/drivers/media/video/cx88/cx88-alsa.c 2011-07-21 22:17:23.000000000 -0400
29755+++ linux-3.0.7/drivers/media/video/cx88/cx88-alsa.c 2011-10-11 10:44:33.000000000 -0400
29756@@ -764,7 +764,7 @@ static struct snd_kcontrol_new snd_cx88_
29757 * Only boards with eeprom and byte 1 at eeprom=1 have it
29758 */
29759
29760-static const struct pci_device_id const cx88_audio_pci_tbl[] __devinitdata = {
29761+static const struct pci_device_id const cx88_audio_pci_tbl[] __devinitconst = {
29762 {0x14f1,0x8801,PCI_ANY_ID,PCI_ANY_ID,0,0,0},
29763 {0x14f1,0x8811,PCI_ANY_ID,PCI_ANY_ID,0,0,0},
29764 {0, }
29765diff -urNp linux-3.0.7/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-3.0.7/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
29766--- linux-3.0.7/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-07-21 22:17:23.000000000 -0400
29767+++ linux-3.0.7/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-08-23 21:48:14.000000000 -0400
29768@@ -120,6 +120,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
29769 u8 *eeprom;
29770 struct tveeprom tvdata;
29771
29772+ pax_track_stack();
29773+
29774 memset(&tvdata,0,sizeof(tvdata));
29775
29776 eeprom = pvr2_eeprom_fetch(hdw);
29777diff -urNp linux-3.0.7/drivers/media/video/saa7134/saa6752hs.c linux-3.0.7/drivers/media/video/saa7134/saa6752hs.c
29778--- linux-3.0.7/drivers/media/video/saa7134/saa6752hs.c 2011-07-21 22:17:23.000000000 -0400
29779+++ linux-3.0.7/drivers/media/video/saa7134/saa6752hs.c 2011-08-23 21:48:14.000000000 -0400
29780@@ -682,6 +682,8 @@ static int saa6752hs_init(struct v4l2_su
29781 unsigned char localPAT[256];
29782 unsigned char localPMT[256];
29783
29784+ pax_track_stack();
29785+
29786 /* Set video format - must be done first as it resets other settings */
29787 set_reg8(client, 0x41, h->video_format);
29788
29789diff -urNp linux-3.0.7/drivers/media/video/saa7164/saa7164-cmd.c linux-3.0.7/drivers/media/video/saa7164/saa7164-cmd.c
29790--- linux-3.0.7/drivers/media/video/saa7164/saa7164-cmd.c 2011-07-21 22:17:23.000000000 -0400
29791+++ linux-3.0.7/drivers/media/video/saa7164/saa7164-cmd.c 2011-08-23 21:48:14.000000000 -0400
29792@@ -88,6 +88,8 @@ int saa7164_irq_dequeue(struct saa7164_d
29793 u8 tmp[512];
29794 dprintk(DBGLVL_CMD, "%s()\n", __func__);
29795
29796+ pax_track_stack();
29797+
29798 /* While any outstand message on the bus exists... */
29799 do {
29800
29801@@ -141,6 +143,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
29802 u8 tmp[512];
29803 dprintk(DBGLVL_CMD, "%s()\n", __func__);
29804
29805+ pax_track_stack();
29806+
29807 while (loop) {
29808
29809 struct tmComResInfo tRsp = { 0, 0, 0, 0, 0, 0 };
29810diff -urNp linux-3.0.7/drivers/media/video/timblogiw.c linux-3.0.7/drivers/media/video/timblogiw.c
29811--- linux-3.0.7/drivers/media/video/timblogiw.c 2011-07-21 22:17:23.000000000 -0400
29812+++ linux-3.0.7/drivers/media/video/timblogiw.c 2011-08-24 18:29:20.000000000 -0400
29813@@ -745,7 +745,7 @@ static int timblogiw_mmap(struct file *f
29814
29815 /* Platform device functions */
29816
29817-static __devinitconst struct v4l2_ioctl_ops timblogiw_ioctl_ops = {
29818+static __devinitconst v4l2_ioctl_ops_no_const timblogiw_ioctl_ops = {
29819 .vidioc_querycap = timblogiw_querycap,
29820 .vidioc_enum_fmt_vid_cap = timblogiw_enum_fmt,
29821 .vidioc_g_fmt_vid_cap = timblogiw_g_fmt,
29822diff -urNp linux-3.0.7/drivers/media/video/usbvision/usbvision-core.c linux-3.0.7/drivers/media/video/usbvision/usbvision-core.c
29823--- linux-3.0.7/drivers/media/video/usbvision/usbvision-core.c 2011-07-21 22:17:23.000000000 -0400
29824+++ linux-3.0.7/drivers/media/video/usbvision/usbvision-core.c 2011-08-23 21:48:14.000000000 -0400
29825@@ -707,6 +707,8 @@ static enum parse_state usbvision_parse_
29826 unsigned char rv, gv, bv;
29827 static unsigned char *Y, *U, *V;
29828
29829+ pax_track_stack();
29830+
29831 frame = usbvision->cur_frame;
29832 image_size = frame->frmwidth * frame->frmheight;
29833 if ((frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
29834diff -urNp linux-3.0.7/drivers/media/video/videobuf-dma-sg.c linux-3.0.7/drivers/media/video/videobuf-dma-sg.c
29835--- linux-3.0.7/drivers/media/video/videobuf-dma-sg.c 2011-07-21 22:17:23.000000000 -0400
29836+++ linux-3.0.7/drivers/media/video/videobuf-dma-sg.c 2011-08-23 21:48:14.000000000 -0400
29837@@ -606,6 +606,8 @@ void *videobuf_sg_alloc(size_t size)
29838 {
29839 struct videobuf_queue q;
29840
29841+ pax_track_stack();
29842+
29843 /* Required to make generic handler to call __videobuf_alloc */
29844 q.int_ops = &sg_ops;
29845
29846diff -urNp linux-3.0.7/drivers/message/fusion/mptbase.c linux-3.0.7/drivers/message/fusion/mptbase.c
29847--- linux-3.0.7/drivers/message/fusion/mptbase.c 2011-07-21 22:17:23.000000000 -0400
29848+++ linux-3.0.7/drivers/message/fusion/mptbase.c 2011-08-23 21:48:14.000000000 -0400
29849@@ -6681,8 +6681,13 @@ static int mpt_iocinfo_proc_show(struct
29850 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
29851 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
29852
29853+#ifdef CONFIG_GRKERNSEC_HIDESYM
29854+ seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
29855+#else
29856 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
29857 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
29858+#endif
29859+
29860 /*
29861 * Rounding UP to nearest 4-kB boundary here...
29862 */
29863diff -urNp linux-3.0.7/drivers/message/fusion/mptsas.c linux-3.0.7/drivers/message/fusion/mptsas.c
29864--- linux-3.0.7/drivers/message/fusion/mptsas.c 2011-07-21 22:17:23.000000000 -0400
29865+++ linux-3.0.7/drivers/message/fusion/mptsas.c 2011-08-23 21:47:55.000000000 -0400
29866@@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
29867 return 0;
29868 }
29869
29870+static inline void
29871+mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
29872+{
29873+ if (phy_info->port_details) {
29874+ phy_info->port_details->rphy = rphy;
29875+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
29876+ ioc->name, rphy));
29877+ }
29878+
29879+ if (rphy) {
29880+ dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
29881+ &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
29882+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
29883+ ioc->name, rphy, rphy->dev.release));
29884+ }
29885+}
29886+
29887 /* no mutex */
29888 static void
29889 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
29890@@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
29891 return NULL;
29892 }
29893
29894-static inline void
29895-mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
29896-{
29897- if (phy_info->port_details) {
29898- phy_info->port_details->rphy = rphy;
29899- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
29900- ioc->name, rphy));
29901- }
29902-
29903- if (rphy) {
29904- dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
29905- &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
29906- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
29907- ioc->name, rphy, rphy->dev.release));
29908- }
29909-}
29910-
29911 static inline struct sas_port *
29912 mptsas_get_port(struct mptsas_phyinfo *phy_info)
29913 {
29914diff -urNp linux-3.0.7/drivers/message/fusion/mptscsih.c linux-3.0.7/drivers/message/fusion/mptscsih.c
29915--- linux-3.0.7/drivers/message/fusion/mptscsih.c 2011-07-21 22:17:23.000000000 -0400
29916+++ linux-3.0.7/drivers/message/fusion/mptscsih.c 2011-08-23 21:47:55.000000000 -0400
29917@@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
29918
29919 h = shost_priv(SChost);
29920
29921- if (h) {
29922- if (h->info_kbuf == NULL)
29923- if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
29924- return h->info_kbuf;
29925- h->info_kbuf[0] = '\0';
29926+ if (!h)
29927+ return NULL;
29928
29929- mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
29930- h->info_kbuf[size-1] = '\0';
29931- }
29932+ if (h->info_kbuf == NULL)
29933+ if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
29934+ return h->info_kbuf;
29935+ h->info_kbuf[0] = '\0';
29936+
29937+ mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
29938+ h->info_kbuf[size-1] = '\0';
29939
29940 return h->info_kbuf;
29941 }
29942diff -urNp linux-3.0.7/drivers/message/i2o/i2o_config.c linux-3.0.7/drivers/message/i2o/i2o_config.c
29943--- linux-3.0.7/drivers/message/i2o/i2o_config.c 2011-07-21 22:17:23.000000000 -0400
29944+++ linux-3.0.7/drivers/message/i2o/i2o_config.c 2011-08-23 21:48:14.000000000 -0400
29945@@ -781,6 +781,8 @@ static int i2o_cfg_passthru(unsigned lon
29946 struct i2o_message *msg;
29947 unsigned int iop;
29948
29949+ pax_track_stack();
29950+
29951 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
29952 return -EFAULT;
29953
29954diff -urNp linux-3.0.7/drivers/message/i2o/i2o_proc.c linux-3.0.7/drivers/message/i2o/i2o_proc.c
29955--- linux-3.0.7/drivers/message/i2o/i2o_proc.c 2011-07-21 22:17:23.000000000 -0400
29956+++ linux-3.0.7/drivers/message/i2o/i2o_proc.c 2011-08-23 21:47:55.000000000 -0400
29957@@ -255,13 +255,6 @@ static char *scsi_devices[] = {
29958 "Array Controller Device"
29959 };
29960
29961-static char *chtostr(u8 * chars, int n)
29962-{
29963- char tmp[256];
29964- tmp[0] = 0;
29965- return strncat(tmp, (char *)chars, n);
29966-}
29967-
29968 static int i2o_report_query_status(struct seq_file *seq, int block_status,
29969 char *group)
29970 {
29971@@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
29972
29973 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
29974 seq_printf(seq, "%-#8x", ddm_table.module_id);
29975- seq_printf(seq, "%-29s",
29976- chtostr(ddm_table.module_name_version, 28));
29977+ seq_printf(seq, "%-.28s", ddm_table.module_name_version);
29978 seq_printf(seq, "%9d ", ddm_table.data_size);
29979 seq_printf(seq, "%8d", ddm_table.code_size);
29980
29981@@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
29982
29983 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
29984 seq_printf(seq, "%-#8x", dst->module_id);
29985- seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
29986- seq_printf(seq, "%-9s", chtostr(dst->date, 8));
29987+ seq_printf(seq, "%-.28s", dst->module_name_version);
29988+ seq_printf(seq, "%-.8s", dst->date);
29989 seq_printf(seq, "%8d ", dst->module_size);
29990 seq_printf(seq, "%8d ", dst->mpb_size);
29991 seq_printf(seq, "0x%04x", dst->module_flags);
29992@@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
29993 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
29994 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
29995 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
29996- seq_printf(seq, "Vendor info : %s\n",
29997- chtostr((u8 *) (work32 + 2), 16));
29998- seq_printf(seq, "Product info : %s\n",
29999- chtostr((u8 *) (work32 + 6), 16));
30000- seq_printf(seq, "Description : %s\n",
30001- chtostr((u8 *) (work32 + 10), 16));
30002- seq_printf(seq, "Product rev. : %s\n",
30003- chtostr((u8 *) (work32 + 14), 8));
30004+ seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
30005+ seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
30006+ seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
30007+ seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
30008
30009 seq_printf(seq, "Serial number : ");
30010 print_serial_number(seq, (u8 *) (work32 + 16),
30011@@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
30012 }
30013
30014 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
30015- seq_printf(seq, "Module name : %s\n",
30016- chtostr(result.module_name, 24));
30017- seq_printf(seq, "Module revision : %s\n",
30018- chtostr(result.module_rev, 8));
30019+ seq_printf(seq, "Module name : %.24s\n", result.module_name);
30020+ seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
30021
30022 seq_printf(seq, "Serial number : ");
30023 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
30024@@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
30025 return 0;
30026 }
30027
30028- seq_printf(seq, "Device name : %s\n",
30029- chtostr(result.device_name, 64));
30030- seq_printf(seq, "Service name : %s\n",
30031- chtostr(result.service_name, 64));
30032- seq_printf(seq, "Physical name : %s\n",
30033- chtostr(result.physical_location, 64));
30034- seq_printf(seq, "Instance number : %s\n",
30035- chtostr(result.instance_number, 4));
30036+ seq_printf(seq, "Device name : %.64s\n", result.device_name);
30037+ seq_printf(seq, "Service name : %.64s\n", result.service_name);
30038+ seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
30039+ seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
30040
30041 return 0;
30042 }
30043diff -urNp linux-3.0.7/drivers/message/i2o/iop.c linux-3.0.7/drivers/message/i2o/iop.c
30044--- linux-3.0.7/drivers/message/i2o/iop.c 2011-07-21 22:17:23.000000000 -0400
30045+++ linux-3.0.7/drivers/message/i2o/iop.c 2011-08-23 21:47:55.000000000 -0400
30046@@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
30047
30048 spin_lock_irqsave(&c->context_list_lock, flags);
30049
30050- if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
30051- atomic_inc(&c->context_list_counter);
30052+ if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
30053+ atomic_inc_unchecked(&c->context_list_counter);
30054
30055- entry->context = atomic_read(&c->context_list_counter);
30056+ entry->context = atomic_read_unchecked(&c->context_list_counter);
30057
30058 list_add(&entry->list, &c->context_list);
30059
30060@@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(voi
30061
30062 #if BITS_PER_LONG == 64
30063 spin_lock_init(&c->context_list_lock);
30064- atomic_set(&c->context_list_counter, 0);
30065+ atomic_set_unchecked(&c->context_list_counter, 0);
30066 INIT_LIST_HEAD(&c->context_list);
30067 #endif
30068
30069diff -urNp linux-3.0.7/drivers/mfd/ab3100-core.c linux-3.0.7/drivers/mfd/ab3100-core.c
30070--- linux-3.0.7/drivers/mfd/ab3100-core.c 2011-07-21 22:17:23.000000000 -0400
30071+++ linux-3.0.7/drivers/mfd/ab3100-core.c 2011-10-11 10:44:33.000000000 -0400
30072@@ -809,7 +809,7 @@ struct ab_family_id {
30073 char *name;
30074 };
30075
30076-static const struct ab_family_id ids[] __devinitdata = {
30077+static const struct ab_family_id ids[] __devinitconst = {
30078 /* AB3100 */
30079 {
30080 .id = 0xc0,
30081diff -urNp linux-3.0.7/drivers/mfd/abx500-core.c linux-3.0.7/drivers/mfd/abx500-core.c
30082--- linux-3.0.7/drivers/mfd/abx500-core.c 2011-07-21 22:17:23.000000000 -0400
30083+++ linux-3.0.7/drivers/mfd/abx500-core.c 2011-08-23 21:47:55.000000000 -0400
30084@@ -14,7 +14,7 @@ static LIST_HEAD(abx500_list);
30085
30086 struct abx500_device_entry {
30087 struct list_head list;
30088- struct abx500_ops ops;
30089+ abx500_ops_no_const ops;
30090 struct device *dev;
30091 };
30092
30093diff -urNp linux-3.0.7/drivers/mfd/janz-cmodio.c linux-3.0.7/drivers/mfd/janz-cmodio.c
30094--- linux-3.0.7/drivers/mfd/janz-cmodio.c 2011-07-21 22:17:23.000000000 -0400
30095+++ linux-3.0.7/drivers/mfd/janz-cmodio.c 2011-08-23 21:47:55.000000000 -0400
30096@@ -13,6 +13,7 @@
30097
30098 #include <linux/kernel.h>
30099 #include <linux/module.h>
30100+#include <linux/slab.h>
30101 #include <linux/init.h>
30102 #include <linux/pci.h>
30103 #include <linux/interrupt.h>
30104diff -urNp linux-3.0.7/drivers/mfd/wm8350-i2c.c linux-3.0.7/drivers/mfd/wm8350-i2c.c
30105--- linux-3.0.7/drivers/mfd/wm8350-i2c.c 2011-07-21 22:17:23.000000000 -0400
30106+++ linux-3.0.7/drivers/mfd/wm8350-i2c.c 2011-08-23 21:48:14.000000000 -0400
30107@@ -44,6 +44,8 @@ static int wm8350_i2c_write_device(struc
30108 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
30109 int ret;
30110
30111+ pax_track_stack();
30112+
30113 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
30114 return -EINVAL;
30115
30116diff -urNp linux-3.0.7/drivers/misc/lis3lv02d/lis3lv02d.c linux-3.0.7/drivers/misc/lis3lv02d/lis3lv02d.c
30117--- linux-3.0.7/drivers/misc/lis3lv02d/lis3lv02d.c 2011-10-17 23:17:09.000000000 -0400
30118+++ linux-3.0.7/drivers/misc/lis3lv02d/lis3lv02d.c 2011-10-17 23:17:19.000000000 -0400
30119@@ -437,7 +437,7 @@ static irqreturn_t lis302dl_interrupt(in
30120 * the lid is closed. This leads to interrupts as soon as a little move
30121 * is done.
30122 */
30123- atomic_inc(&lis3_dev.count);
30124+ atomic_inc_unchecked(&lis3_dev.count);
30125
30126 wake_up_interruptible(&lis3_dev.misc_wait);
30127 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
30128@@ -520,7 +520,7 @@ static int lis3lv02d_misc_open(struct in
30129 if (lis3_dev.pm_dev)
30130 pm_runtime_get_sync(lis3_dev.pm_dev);
30131
30132- atomic_set(&lis3_dev.count, 0);
30133+ atomic_set_unchecked(&lis3_dev.count, 0);
30134 return 0;
30135 }
30136
30137@@ -547,7 +547,7 @@ static ssize_t lis3lv02d_misc_read(struc
30138 add_wait_queue(&lis3_dev.misc_wait, &wait);
30139 while (true) {
30140 set_current_state(TASK_INTERRUPTIBLE);
30141- data = atomic_xchg(&lis3_dev.count, 0);
30142+ data = atomic_xchg_unchecked(&lis3_dev.count, 0);
30143 if (data)
30144 break;
30145
30146@@ -585,7 +585,7 @@ out:
30147 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
30148 {
30149 poll_wait(file, &lis3_dev.misc_wait, wait);
30150- if (atomic_read(&lis3_dev.count))
30151+ if (atomic_read_unchecked(&lis3_dev.count))
30152 return POLLIN | POLLRDNORM;
30153 return 0;
30154 }
30155diff -urNp linux-3.0.7/drivers/misc/lis3lv02d/lis3lv02d.h linux-3.0.7/drivers/misc/lis3lv02d/lis3lv02d.h
30156--- linux-3.0.7/drivers/misc/lis3lv02d/lis3lv02d.h 2011-07-21 22:17:23.000000000 -0400
30157+++ linux-3.0.7/drivers/misc/lis3lv02d/lis3lv02d.h 2011-08-23 21:47:55.000000000 -0400
30158@@ -265,7 +265,7 @@ struct lis3lv02d {
30159 struct input_polled_dev *idev; /* input device */
30160 struct platform_device *pdev; /* platform device */
30161 struct regulator_bulk_data regulators[2];
30162- atomic_t count; /* interrupt count after last read */
30163+ atomic_unchecked_t count; /* interrupt count after last read */
30164 union axis_conversion ac; /* hw -> logical axis */
30165 int mapped_btns[3];
30166
30167diff -urNp linux-3.0.7/drivers/misc/sgi-gru/gruhandles.c linux-3.0.7/drivers/misc/sgi-gru/gruhandles.c
30168--- linux-3.0.7/drivers/misc/sgi-gru/gruhandles.c 2011-07-21 22:17:23.000000000 -0400
30169+++ linux-3.0.7/drivers/misc/sgi-gru/gruhandles.c 2011-08-23 21:47:55.000000000 -0400
30170@@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
30171 unsigned long nsec;
30172
30173 nsec = CLKS2NSEC(clks);
30174- atomic_long_inc(&mcs_op_statistics[op].count);
30175- atomic_long_add(nsec, &mcs_op_statistics[op].total);
30176+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
30177+ atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
30178 if (mcs_op_statistics[op].max < nsec)
30179 mcs_op_statistics[op].max = nsec;
30180 }
30181diff -urNp linux-3.0.7/drivers/misc/sgi-gru/gruprocfs.c linux-3.0.7/drivers/misc/sgi-gru/gruprocfs.c
30182--- linux-3.0.7/drivers/misc/sgi-gru/gruprocfs.c 2011-07-21 22:17:23.000000000 -0400
30183+++ linux-3.0.7/drivers/misc/sgi-gru/gruprocfs.c 2011-08-23 21:47:55.000000000 -0400
30184@@ -32,9 +32,9 @@
30185
30186 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
30187
30188-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
30189+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
30190 {
30191- unsigned long val = atomic_long_read(v);
30192+ unsigned long val = atomic_long_read_unchecked(v);
30193
30194 seq_printf(s, "%16lu %s\n", val, id);
30195 }
30196@@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
30197
30198 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
30199 for (op = 0; op < mcsop_last; op++) {
30200- count = atomic_long_read(&mcs_op_statistics[op].count);
30201- total = atomic_long_read(&mcs_op_statistics[op].total);
30202+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
30203+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
30204 max = mcs_op_statistics[op].max;
30205 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
30206 count ? total / count : 0, max);
30207diff -urNp linux-3.0.7/drivers/misc/sgi-gru/grutables.h linux-3.0.7/drivers/misc/sgi-gru/grutables.h
30208--- linux-3.0.7/drivers/misc/sgi-gru/grutables.h 2011-07-21 22:17:23.000000000 -0400
30209+++ linux-3.0.7/drivers/misc/sgi-gru/grutables.h 2011-08-23 21:47:55.000000000 -0400
30210@@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
30211 * GRU statistics.
30212 */
30213 struct gru_stats_s {
30214- atomic_long_t vdata_alloc;
30215- atomic_long_t vdata_free;
30216- atomic_long_t gts_alloc;
30217- atomic_long_t gts_free;
30218- atomic_long_t gms_alloc;
30219- atomic_long_t gms_free;
30220- atomic_long_t gts_double_allocate;
30221- atomic_long_t assign_context;
30222- atomic_long_t assign_context_failed;
30223- atomic_long_t free_context;
30224- atomic_long_t load_user_context;
30225- atomic_long_t load_kernel_context;
30226- atomic_long_t lock_kernel_context;
30227- atomic_long_t unlock_kernel_context;
30228- atomic_long_t steal_user_context;
30229- atomic_long_t steal_kernel_context;
30230- atomic_long_t steal_context_failed;
30231- atomic_long_t nopfn;
30232- atomic_long_t asid_new;
30233- atomic_long_t asid_next;
30234- atomic_long_t asid_wrap;
30235- atomic_long_t asid_reuse;
30236- atomic_long_t intr;
30237- atomic_long_t intr_cbr;
30238- atomic_long_t intr_tfh;
30239- atomic_long_t intr_spurious;
30240- atomic_long_t intr_mm_lock_failed;
30241- atomic_long_t call_os;
30242- atomic_long_t call_os_wait_queue;
30243- atomic_long_t user_flush_tlb;
30244- atomic_long_t user_unload_context;
30245- atomic_long_t user_exception;
30246- atomic_long_t set_context_option;
30247- atomic_long_t check_context_retarget_intr;
30248- atomic_long_t check_context_unload;
30249- atomic_long_t tlb_dropin;
30250- atomic_long_t tlb_preload_page;
30251- atomic_long_t tlb_dropin_fail_no_asid;
30252- atomic_long_t tlb_dropin_fail_upm;
30253- atomic_long_t tlb_dropin_fail_invalid;
30254- atomic_long_t tlb_dropin_fail_range_active;
30255- atomic_long_t tlb_dropin_fail_idle;
30256- atomic_long_t tlb_dropin_fail_fmm;
30257- atomic_long_t tlb_dropin_fail_no_exception;
30258- atomic_long_t tfh_stale_on_fault;
30259- atomic_long_t mmu_invalidate_range;
30260- atomic_long_t mmu_invalidate_page;
30261- atomic_long_t flush_tlb;
30262- atomic_long_t flush_tlb_gru;
30263- atomic_long_t flush_tlb_gru_tgh;
30264- atomic_long_t flush_tlb_gru_zero_asid;
30265-
30266- atomic_long_t copy_gpa;
30267- atomic_long_t read_gpa;
30268-
30269- atomic_long_t mesq_receive;
30270- atomic_long_t mesq_receive_none;
30271- atomic_long_t mesq_send;
30272- atomic_long_t mesq_send_failed;
30273- atomic_long_t mesq_noop;
30274- atomic_long_t mesq_send_unexpected_error;
30275- atomic_long_t mesq_send_lb_overflow;
30276- atomic_long_t mesq_send_qlimit_reached;
30277- atomic_long_t mesq_send_amo_nacked;
30278- atomic_long_t mesq_send_put_nacked;
30279- atomic_long_t mesq_page_overflow;
30280- atomic_long_t mesq_qf_locked;
30281- atomic_long_t mesq_qf_noop_not_full;
30282- atomic_long_t mesq_qf_switch_head_failed;
30283- atomic_long_t mesq_qf_unexpected_error;
30284- atomic_long_t mesq_noop_unexpected_error;
30285- atomic_long_t mesq_noop_lb_overflow;
30286- atomic_long_t mesq_noop_qlimit_reached;
30287- atomic_long_t mesq_noop_amo_nacked;
30288- atomic_long_t mesq_noop_put_nacked;
30289- atomic_long_t mesq_noop_page_overflow;
30290+ atomic_long_unchecked_t vdata_alloc;
30291+ atomic_long_unchecked_t vdata_free;
30292+ atomic_long_unchecked_t gts_alloc;
30293+ atomic_long_unchecked_t gts_free;
30294+ atomic_long_unchecked_t gms_alloc;
30295+ atomic_long_unchecked_t gms_free;
30296+ atomic_long_unchecked_t gts_double_allocate;
30297+ atomic_long_unchecked_t assign_context;
30298+ atomic_long_unchecked_t assign_context_failed;
30299+ atomic_long_unchecked_t free_context;
30300+ atomic_long_unchecked_t load_user_context;
30301+ atomic_long_unchecked_t load_kernel_context;
30302+ atomic_long_unchecked_t lock_kernel_context;
30303+ atomic_long_unchecked_t unlock_kernel_context;
30304+ atomic_long_unchecked_t steal_user_context;
30305+ atomic_long_unchecked_t steal_kernel_context;
30306+ atomic_long_unchecked_t steal_context_failed;
30307+ atomic_long_unchecked_t nopfn;
30308+ atomic_long_unchecked_t asid_new;
30309+ atomic_long_unchecked_t asid_next;
30310+ atomic_long_unchecked_t asid_wrap;
30311+ atomic_long_unchecked_t asid_reuse;
30312+ atomic_long_unchecked_t intr;
30313+ atomic_long_unchecked_t intr_cbr;
30314+ atomic_long_unchecked_t intr_tfh;
30315+ atomic_long_unchecked_t intr_spurious;
30316+ atomic_long_unchecked_t intr_mm_lock_failed;
30317+ atomic_long_unchecked_t call_os;
30318+ atomic_long_unchecked_t call_os_wait_queue;
30319+ atomic_long_unchecked_t user_flush_tlb;
30320+ atomic_long_unchecked_t user_unload_context;
30321+ atomic_long_unchecked_t user_exception;
30322+ atomic_long_unchecked_t set_context_option;
30323+ atomic_long_unchecked_t check_context_retarget_intr;
30324+ atomic_long_unchecked_t check_context_unload;
30325+ atomic_long_unchecked_t tlb_dropin;
30326+ atomic_long_unchecked_t tlb_preload_page;
30327+ atomic_long_unchecked_t tlb_dropin_fail_no_asid;
30328+ atomic_long_unchecked_t tlb_dropin_fail_upm;
30329+ atomic_long_unchecked_t tlb_dropin_fail_invalid;
30330+ atomic_long_unchecked_t tlb_dropin_fail_range_active;
30331+ atomic_long_unchecked_t tlb_dropin_fail_idle;
30332+ atomic_long_unchecked_t tlb_dropin_fail_fmm;
30333+ atomic_long_unchecked_t tlb_dropin_fail_no_exception;
30334+ atomic_long_unchecked_t tfh_stale_on_fault;
30335+ atomic_long_unchecked_t mmu_invalidate_range;
30336+ atomic_long_unchecked_t mmu_invalidate_page;
30337+ atomic_long_unchecked_t flush_tlb;
30338+ atomic_long_unchecked_t flush_tlb_gru;
30339+ atomic_long_unchecked_t flush_tlb_gru_tgh;
30340+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
30341+
30342+ atomic_long_unchecked_t copy_gpa;
30343+ atomic_long_unchecked_t read_gpa;
30344+
30345+ atomic_long_unchecked_t mesq_receive;
30346+ atomic_long_unchecked_t mesq_receive_none;
30347+ atomic_long_unchecked_t mesq_send;
30348+ atomic_long_unchecked_t mesq_send_failed;
30349+ atomic_long_unchecked_t mesq_noop;
30350+ atomic_long_unchecked_t mesq_send_unexpected_error;
30351+ atomic_long_unchecked_t mesq_send_lb_overflow;
30352+ atomic_long_unchecked_t mesq_send_qlimit_reached;
30353+ atomic_long_unchecked_t mesq_send_amo_nacked;
30354+ atomic_long_unchecked_t mesq_send_put_nacked;
30355+ atomic_long_unchecked_t mesq_page_overflow;
30356+ atomic_long_unchecked_t mesq_qf_locked;
30357+ atomic_long_unchecked_t mesq_qf_noop_not_full;
30358+ atomic_long_unchecked_t mesq_qf_switch_head_failed;
30359+ atomic_long_unchecked_t mesq_qf_unexpected_error;
30360+ atomic_long_unchecked_t mesq_noop_unexpected_error;
30361+ atomic_long_unchecked_t mesq_noop_lb_overflow;
30362+ atomic_long_unchecked_t mesq_noop_qlimit_reached;
30363+ atomic_long_unchecked_t mesq_noop_amo_nacked;
30364+ atomic_long_unchecked_t mesq_noop_put_nacked;
30365+ atomic_long_unchecked_t mesq_noop_page_overflow;
30366
30367 };
30368
30369@@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
30370 tghop_invalidate, mcsop_last};
30371
30372 struct mcs_op_statistic {
30373- atomic_long_t count;
30374- atomic_long_t total;
30375+ atomic_long_unchecked_t count;
30376+ atomic_long_unchecked_t total;
30377 unsigned long max;
30378 };
30379
30380@@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
30381
30382 #define STAT(id) do { \
30383 if (gru_options & OPT_STATS) \
30384- atomic_long_inc(&gru_stats.id); \
30385+ atomic_long_inc_unchecked(&gru_stats.id); \
30386 } while (0)
30387
30388 #ifdef CONFIG_SGI_GRU_DEBUG
30389diff -urNp linux-3.0.7/drivers/misc/sgi-xp/xp.h linux-3.0.7/drivers/misc/sgi-xp/xp.h
30390--- linux-3.0.7/drivers/misc/sgi-xp/xp.h 2011-07-21 22:17:23.000000000 -0400
30391+++ linux-3.0.7/drivers/misc/sgi-xp/xp.h 2011-08-23 21:47:55.000000000 -0400
30392@@ -289,7 +289,7 @@ struct xpc_interface {
30393 xpc_notify_func, void *);
30394 void (*received) (short, int, void *);
30395 enum xp_retval (*partid_to_nasids) (short, void *);
30396-};
30397+} __no_const;
30398
30399 extern struct xpc_interface xpc_interface;
30400
30401diff -urNp linux-3.0.7/drivers/misc/sgi-xp/xpc.h linux-3.0.7/drivers/misc/sgi-xp/xpc.h
30402--- linux-3.0.7/drivers/misc/sgi-xp/xpc.h 2011-07-21 22:17:23.000000000 -0400
30403+++ linux-3.0.7/drivers/misc/sgi-xp/xpc.h 2011-10-11 10:44:33.000000000 -0400
30404@@ -835,6 +835,7 @@ struct xpc_arch_operations {
30405 void (*received_payload) (struct xpc_channel *, void *);
30406 void (*notify_senders_of_disconnect) (struct xpc_channel *);
30407 };
30408+typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const;
30409
30410 /* struct xpc_partition act_state values (for XPC HB) */
30411
30412@@ -876,7 +877,7 @@ extern struct xpc_registration xpc_regis
30413 /* found in xpc_main.c */
30414 extern struct device *xpc_part;
30415 extern struct device *xpc_chan;
30416-extern struct xpc_arch_operations xpc_arch_ops;
30417+extern xpc_arch_operations_no_const xpc_arch_ops;
30418 extern int xpc_disengage_timelimit;
30419 extern int xpc_disengage_timedout;
30420 extern int xpc_activate_IRQ_rcvd;
30421diff -urNp linux-3.0.7/drivers/misc/sgi-xp/xpc_main.c linux-3.0.7/drivers/misc/sgi-xp/xpc_main.c
30422--- linux-3.0.7/drivers/misc/sgi-xp/xpc_main.c 2011-07-21 22:17:23.000000000 -0400
30423+++ linux-3.0.7/drivers/misc/sgi-xp/xpc_main.c 2011-10-11 10:44:33.000000000 -0400
30424@@ -162,7 +162,7 @@ static struct notifier_block xpc_die_not
30425 .notifier_call = xpc_system_die,
30426 };
30427
30428-struct xpc_arch_operations xpc_arch_ops;
30429+xpc_arch_operations_no_const xpc_arch_ops;
30430
30431 /*
30432 * Timer function to enforce the timelimit on the partition disengage.
30433diff -urNp linux-3.0.7/drivers/mmc/host/sdhci-pci.c linux-3.0.7/drivers/mmc/host/sdhci-pci.c
30434--- linux-3.0.7/drivers/mmc/host/sdhci-pci.c 2011-07-21 22:17:23.000000000 -0400
30435+++ linux-3.0.7/drivers/mmc/host/sdhci-pci.c 2011-10-11 10:44:33.000000000 -0400
30436@@ -524,7 +524,7 @@ static const struct sdhci_pci_fixes sdhc
30437 .probe = via_probe,
30438 };
30439
30440-static const struct pci_device_id pci_ids[] __devinitdata = {
30441+static const struct pci_device_id pci_ids[] __devinitconst = {
30442 {
30443 .vendor = PCI_VENDOR_ID_RICOH,
30444 .device = PCI_DEVICE_ID_RICOH_R5C822,
30445diff -urNp linux-3.0.7/drivers/mtd/chips/cfi_cmdset_0001.c linux-3.0.7/drivers/mtd/chips/cfi_cmdset_0001.c
30446--- linux-3.0.7/drivers/mtd/chips/cfi_cmdset_0001.c 2011-07-21 22:17:23.000000000 -0400
30447+++ linux-3.0.7/drivers/mtd/chips/cfi_cmdset_0001.c 2011-08-23 21:48:14.000000000 -0400
30448@@ -757,6 +757,8 @@ static int chip_ready (struct map_info *
30449 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
30450 unsigned long timeo = jiffies + HZ;
30451
30452+ pax_track_stack();
30453+
30454 /* Prevent setting state FL_SYNCING for chip in suspended state. */
30455 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
30456 goto sleep;
30457@@ -1653,6 +1655,8 @@ static int __xipram do_write_buffer(stru
30458 unsigned long initial_adr;
30459 int initial_len = len;
30460
30461+ pax_track_stack();
30462+
30463 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
30464 adr += chip->start;
30465 initial_adr = adr;
30466@@ -1871,6 +1875,8 @@ static int __xipram do_erase_oneblock(st
30467 int retries = 3;
30468 int ret;
30469
30470+ pax_track_stack();
30471+
30472 adr += chip->start;
30473
30474 retry:
30475diff -urNp linux-3.0.7/drivers/mtd/chips/cfi_cmdset_0020.c linux-3.0.7/drivers/mtd/chips/cfi_cmdset_0020.c
30476--- linux-3.0.7/drivers/mtd/chips/cfi_cmdset_0020.c 2011-07-21 22:17:23.000000000 -0400
30477+++ linux-3.0.7/drivers/mtd/chips/cfi_cmdset_0020.c 2011-08-23 21:48:14.000000000 -0400
30478@@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
30479 unsigned long cmd_addr;
30480 struct cfi_private *cfi = map->fldrv_priv;
30481
30482+ pax_track_stack();
30483+
30484 adr += chip->start;
30485
30486 /* Ensure cmd read/writes are aligned. */
30487@@ -429,6 +431,8 @@ static inline int do_write_buffer(struct
30488 DECLARE_WAITQUEUE(wait, current);
30489 int wbufsize, z;
30490
30491+ pax_track_stack();
30492+
30493 /* M58LW064A requires bus alignment for buffer wriets -- saw */
30494 if (adr & (map_bankwidth(map)-1))
30495 return -EINVAL;
30496@@ -743,6 +747,8 @@ static inline int do_erase_oneblock(stru
30497 DECLARE_WAITQUEUE(wait, current);
30498 int ret = 0;
30499
30500+ pax_track_stack();
30501+
30502 adr += chip->start;
30503
30504 /* Let's determine this according to the interleave only once */
30505@@ -1048,6 +1054,8 @@ static inline int do_lock_oneblock(struc
30506 unsigned long timeo = jiffies + HZ;
30507 DECLARE_WAITQUEUE(wait, current);
30508
30509+ pax_track_stack();
30510+
30511 adr += chip->start;
30512
30513 /* Let's determine this according to the interleave only once */
30514@@ -1197,6 +1205,8 @@ static inline int do_unlock_oneblock(str
30515 unsigned long timeo = jiffies + HZ;
30516 DECLARE_WAITQUEUE(wait, current);
30517
30518+ pax_track_stack();
30519+
30520 adr += chip->start;
30521
30522 /* Let's determine this according to the interleave only once */
30523diff -urNp linux-3.0.7/drivers/mtd/devices/doc2000.c linux-3.0.7/drivers/mtd/devices/doc2000.c
30524--- linux-3.0.7/drivers/mtd/devices/doc2000.c 2011-07-21 22:17:23.000000000 -0400
30525+++ linux-3.0.7/drivers/mtd/devices/doc2000.c 2011-08-23 21:47:55.000000000 -0400
30526@@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
30527
30528 /* The ECC will not be calculated correctly if less than 512 is written */
30529 /* DBB-
30530- if (len != 0x200 && eccbuf)
30531+ if (len != 0x200)
30532 printk(KERN_WARNING
30533 "ECC needs a full sector write (adr: %lx size %lx)\n",
30534 (long) to, (long) len);
30535diff -urNp linux-3.0.7/drivers/mtd/devices/doc2001.c linux-3.0.7/drivers/mtd/devices/doc2001.c
30536--- linux-3.0.7/drivers/mtd/devices/doc2001.c 2011-07-21 22:17:23.000000000 -0400
30537+++ linux-3.0.7/drivers/mtd/devices/doc2001.c 2011-08-23 21:47:55.000000000 -0400
30538@@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
30539 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
30540
30541 /* Don't allow read past end of device */
30542- if (from >= this->totlen)
30543+ if (from >= this->totlen || !len)
30544 return -EINVAL;
30545
30546 /* Don't allow a single read to cross a 512-byte block boundary */
30547diff -urNp linux-3.0.7/drivers/mtd/ftl.c linux-3.0.7/drivers/mtd/ftl.c
30548--- linux-3.0.7/drivers/mtd/ftl.c 2011-07-21 22:17:23.000000000 -0400
30549+++ linux-3.0.7/drivers/mtd/ftl.c 2011-08-23 21:48:14.000000000 -0400
30550@@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
30551 loff_t offset;
30552 uint16_t srcunitswap = cpu_to_le16(srcunit);
30553
30554+ pax_track_stack();
30555+
30556 eun = &part->EUNInfo[srcunit];
30557 xfer = &part->XferInfo[xferunit];
30558 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
30559diff -urNp linux-3.0.7/drivers/mtd/inftlcore.c linux-3.0.7/drivers/mtd/inftlcore.c
30560--- linux-3.0.7/drivers/mtd/inftlcore.c 2011-07-21 22:17:23.000000000 -0400
30561+++ linux-3.0.7/drivers/mtd/inftlcore.c 2011-08-23 21:48:14.000000000 -0400
30562@@ -259,6 +259,8 @@ static u16 INFTL_foldchain(struct INFTLr
30563 struct inftl_oob oob;
30564 size_t retlen;
30565
30566+ pax_track_stack();
30567+
30568 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
30569 "pending=%d)\n", inftl, thisVUC, pendingblock);
30570
30571diff -urNp linux-3.0.7/drivers/mtd/inftlmount.c linux-3.0.7/drivers/mtd/inftlmount.c
30572--- linux-3.0.7/drivers/mtd/inftlmount.c 2011-07-21 22:17:23.000000000 -0400
30573+++ linux-3.0.7/drivers/mtd/inftlmount.c 2011-08-23 21:48:14.000000000 -0400
30574@@ -53,6 +53,8 @@ static int find_boot_record(struct INFTL
30575 struct INFTLPartition *ip;
30576 size_t retlen;
30577
30578+ pax_track_stack();
30579+
30580 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
30581
30582 /*
30583diff -urNp linux-3.0.7/drivers/mtd/lpddr/qinfo_probe.c linux-3.0.7/drivers/mtd/lpddr/qinfo_probe.c
30584--- linux-3.0.7/drivers/mtd/lpddr/qinfo_probe.c 2011-07-21 22:17:23.000000000 -0400
30585+++ linux-3.0.7/drivers/mtd/lpddr/qinfo_probe.c 2011-08-23 21:48:14.000000000 -0400
30586@@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
30587 {
30588 map_word pfow_val[4];
30589
30590+ pax_track_stack();
30591+
30592 /* Check identification string */
30593 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
30594 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
30595diff -urNp linux-3.0.7/drivers/mtd/mtdchar.c linux-3.0.7/drivers/mtd/mtdchar.c
30596--- linux-3.0.7/drivers/mtd/mtdchar.c 2011-07-21 22:17:23.000000000 -0400
30597+++ linux-3.0.7/drivers/mtd/mtdchar.c 2011-08-23 21:48:14.000000000 -0400
30598@@ -553,6 +553,8 @@ static int mtd_ioctl(struct file *file,
30599 u_long size;
30600 struct mtd_info_user info;
30601
30602+ pax_track_stack();
30603+
30604 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
30605
30606 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
30607diff -urNp linux-3.0.7/drivers/mtd/nand/denali.c linux-3.0.7/drivers/mtd/nand/denali.c
30608--- linux-3.0.7/drivers/mtd/nand/denali.c 2011-07-21 22:17:23.000000000 -0400
30609+++ linux-3.0.7/drivers/mtd/nand/denali.c 2011-08-23 21:47:55.000000000 -0400
30610@@ -26,6 +26,7 @@
30611 #include <linux/pci.h>
30612 #include <linux/mtd/mtd.h>
30613 #include <linux/module.h>
30614+#include <linux/slab.h>
30615
30616 #include "denali.h"
30617
30618diff -urNp linux-3.0.7/drivers/mtd/nftlcore.c linux-3.0.7/drivers/mtd/nftlcore.c
30619--- linux-3.0.7/drivers/mtd/nftlcore.c 2011-07-21 22:17:23.000000000 -0400
30620+++ linux-3.0.7/drivers/mtd/nftlcore.c 2011-08-23 21:48:14.000000000 -0400
30621@@ -264,6 +264,8 @@ static u16 NFTL_foldchain (struct NFTLre
30622 int inplace = 1;
30623 size_t retlen;
30624
30625+ pax_track_stack();
30626+
30627 memset(BlockMap, 0xff, sizeof(BlockMap));
30628 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
30629
30630diff -urNp linux-3.0.7/drivers/mtd/nftlmount.c linux-3.0.7/drivers/mtd/nftlmount.c
30631--- linux-3.0.7/drivers/mtd/nftlmount.c 2011-07-21 22:17:23.000000000 -0400
30632+++ linux-3.0.7/drivers/mtd/nftlmount.c 2011-08-23 21:48:14.000000000 -0400
30633@@ -24,6 +24,7 @@
30634 #include <asm/errno.h>
30635 #include <linux/delay.h>
30636 #include <linux/slab.h>
30637+#include <linux/sched.h>
30638 #include <linux/mtd/mtd.h>
30639 #include <linux/mtd/nand.h>
30640 #include <linux/mtd/nftl.h>
30641@@ -45,6 +46,8 @@ static int find_boot_record(struct NFTLr
30642 struct mtd_info *mtd = nftl->mbd.mtd;
30643 unsigned int i;
30644
30645+ pax_track_stack();
30646+
30647 /* Assume logical EraseSize == physical erasesize for starting the scan.
30648 We'll sort it out later if we find a MediaHeader which says otherwise */
30649 /* Actually, we won't. The new DiskOnChip driver has already scanned
30650diff -urNp linux-3.0.7/drivers/mtd/ubi/build.c linux-3.0.7/drivers/mtd/ubi/build.c
30651--- linux-3.0.7/drivers/mtd/ubi/build.c 2011-07-21 22:17:23.000000000 -0400
30652+++ linux-3.0.7/drivers/mtd/ubi/build.c 2011-08-23 21:47:55.000000000 -0400
30653@@ -1287,7 +1287,7 @@ module_exit(ubi_exit);
30654 static int __init bytes_str_to_int(const char *str)
30655 {
30656 char *endp;
30657- unsigned long result;
30658+ unsigned long result, scale = 1;
30659
30660 result = simple_strtoul(str, &endp, 0);
30661 if (str == endp || result >= INT_MAX) {
30662@@ -1298,11 +1298,11 @@ static int __init bytes_str_to_int(const
30663
30664 switch (*endp) {
30665 case 'G':
30666- result *= 1024;
30667+ scale *= 1024;
30668 case 'M':
30669- result *= 1024;
30670+ scale *= 1024;
30671 case 'K':
30672- result *= 1024;
30673+ scale *= 1024;
30674 if (endp[1] == 'i' && endp[2] == 'B')
30675 endp += 2;
30676 case '\0':
30677@@ -1313,7 +1313,13 @@ static int __init bytes_str_to_int(const
30678 return -EINVAL;
30679 }
30680
30681- return result;
30682+ if ((intoverflow_t)result*scale >= INT_MAX) {
30683+ printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
30684+ str);
30685+ return -EINVAL;
30686+ }
30687+
30688+ return result*scale;
30689 }
30690
30691 /**
30692diff -urNp linux-3.0.7/drivers/net/atlx/atl2.c linux-3.0.7/drivers/net/atlx/atl2.c
30693--- linux-3.0.7/drivers/net/atlx/atl2.c 2011-07-21 22:17:23.000000000 -0400
30694+++ linux-3.0.7/drivers/net/atlx/atl2.c 2011-10-11 10:44:33.000000000 -0400
30695@@ -2840,7 +2840,7 @@ static void atl2_force_ps(struct atl2_hw
30696 */
30697
30698 #define ATL2_PARAM(X, desc) \
30699- static const int __devinitdata X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
30700+ static const int __devinitconst X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
30701 MODULE_PARM(X, "1-" __MODULE_STRING(ATL2_MAX_NIC) "i"); \
30702 MODULE_PARM_DESC(X, desc);
30703 #else
30704diff -urNp linux-3.0.7/drivers/net/bna/bfa_ioc_ct.c linux-3.0.7/drivers/net/bna/bfa_ioc_ct.c
30705--- linux-3.0.7/drivers/net/bna/bfa_ioc_ct.c 2011-07-21 22:17:23.000000000 -0400
30706+++ linux-3.0.7/drivers/net/bna/bfa_ioc_ct.c 2011-08-23 21:47:55.000000000 -0400
30707@@ -48,7 +48,21 @@ static void bfa_ioc_ct_sync_ack(struct b
30708 static bool bfa_ioc_ct_sync_complete(struct bfa_ioc *ioc);
30709 static enum bfa_status bfa_ioc_ct_pll_init(void __iomem *rb, bool fcmode);
30710
30711-static struct bfa_ioc_hwif nw_hwif_ct;
30712+static struct bfa_ioc_hwif nw_hwif_ct = {
30713+ .ioc_pll_init = bfa_ioc_ct_pll_init,
30714+ .ioc_firmware_lock = bfa_ioc_ct_firmware_lock,
30715+ .ioc_firmware_unlock = bfa_ioc_ct_firmware_unlock,
30716+ .ioc_reg_init = bfa_ioc_ct_reg_init,
30717+ .ioc_map_port = bfa_ioc_ct_map_port,
30718+ .ioc_isr_mode_set = bfa_ioc_ct_isr_mode_set,
30719+ .ioc_notify_fail = bfa_ioc_ct_notify_fail,
30720+ .ioc_ownership_reset = bfa_ioc_ct_ownership_reset,
30721+ .ioc_sync_start = bfa_ioc_ct_sync_start,
30722+ .ioc_sync_join = bfa_ioc_ct_sync_join,
30723+ .ioc_sync_leave = bfa_ioc_ct_sync_leave,
30724+ .ioc_sync_ack = bfa_ioc_ct_sync_ack,
30725+ .ioc_sync_complete = bfa_ioc_ct_sync_complete
30726+};
30727
30728 /**
30729 * Called from bfa_ioc_attach() to map asic specific calls.
30730@@ -56,20 +70,6 @@ static struct bfa_ioc_hwif nw_hwif_ct;
30731 void
30732 bfa_nw_ioc_set_ct_hwif(struct bfa_ioc *ioc)
30733 {
30734- nw_hwif_ct.ioc_pll_init = bfa_ioc_ct_pll_init;
30735- nw_hwif_ct.ioc_firmware_lock = bfa_ioc_ct_firmware_lock;
30736- nw_hwif_ct.ioc_firmware_unlock = bfa_ioc_ct_firmware_unlock;
30737- nw_hwif_ct.ioc_reg_init = bfa_ioc_ct_reg_init;
30738- nw_hwif_ct.ioc_map_port = bfa_ioc_ct_map_port;
30739- nw_hwif_ct.ioc_isr_mode_set = bfa_ioc_ct_isr_mode_set;
30740- nw_hwif_ct.ioc_notify_fail = bfa_ioc_ct_notify_fail;
30741- nw_hwif_ct.ioc_ownership_reset = bfa_ioc_ct_ownership_reset;
30742- nw_hwif_ct.ioc_sync_start = bfa_ioc_ct_sync_start;
30743- nw_hwif_ct.ioc_sync_join = bfa_ioc_ct_sync_join;
30744- nw_hwif_ct.ioc_sync_leave = bfa_ioc_ct_sync_leave;
30745- nw_hwif_ct.ioc_sync_ack = bfa_ioc_ct_sync_ack;
30746- nw_hwif_ct.ioc_sync_complete = bfa_ioc_ct_sync_complete;
30747-
30748 ioc->ioc_hwif = &nw_hwif_ct;
30749 }
30750
30751diff -urNp linux-3.0.7/drivers/net/bna/bnad.c linux-3.0.7/drivers/net/bna/bnad.c
30752--- linux-3.0.7/drivers/net/bna/bnad.c 2011-07-21 22:17:23.000000000 -0400
30753+++ linux-3.0.7/drivers/net/bna/bnad.c 2011-08-23 21:47:55.000000000 -0400
30754@@ -1681,7 +1681,14 @@ bnad_setup_tx(struct bnad *bnad, uint tx
30755 struct bna_intr_info *intr_info =
30756 &res_info[BNA_TX_RES_INTR_T_TXCMPL].res_u.intr_info;
30757 struct bna_tx_config *tx_config = &bnad->tx_config[tx_id];
30758- struct bna_tx_event_cbfn tx_cbfn;
30759+ static struct bna_tx_event_cbfn tx_cbfn = {
30760+ /* Initialize the tx event handlers */
30761+ .tcb_setup_cbfn = bnad_cb_tcb_setup,
30762+ .tcb_destroy_cbfn = bnad_cb_tcb_destroy,
30763+ .tx_stall_cbfn = bnad_cb_tx_stall,
30764+ .tx_resume_cbfn = bnad_cb_tx_resume,
30765+ .tx_cleanup_cbfn = bnad_cb_tx_cleanup
30766+ };
30767 struct bna_tx *tx;
30768 unsigned long flags;
30769
30770@@ -1690,13 +1697,6 @@ bnad_setup_tx(struct bnad *bnad, uint tx
30771 tx_config->txq_depth = bnad->txq_depth;
30772 tx_config->tx_type = BNA_TX_T_REGULAR;
30773
30774- /* Initialize the tx event handlers */
30775- tx_cbfn.tcb_setup_cbfn = bnad_cb_tcb_setup;
30776- tx_cbfn.tcb_destroy_cbfn = bnad_cb_tcb_destroy;
30777- tx_cbfn.tx_stall_cbfn = bnad_cb_tx_stall;
30778- tx_cbfn.tx_resume_cbfn = bnad_cb_tx_resume;
30779- tx_cbfn.tx_cleanup_cbfn = bnad_cb_tx_cleanup;
30780-
30781 /* Get BNA's resource requirement for one tx object */
30782 spin_lock_irqsave(&bnad->bna_lock, flags);
30783 bna_tx_res_req(bnad->num_txq_per_tx,
30784@@ -1827,21 +1827,21 @@ bnad_setup_rx(struct bnad *bnad, uint rx
30785 struct bna_intr_info *intr_info =
30786 &res_info[BNA_RX_RES_T_INTR].res_u.intr_info;
30787 struct bna_rx_config *rx_config = &bnad->rx_config[rx_id];
30788- struct bna_rx_event_cbfn rx_cbfn;
30789+ static struct bna_rx_event_cbfn rx_cbfn = {
30790+ /* Initialize the Rx event handlers */
30791+ .rcb_setup_cbfn = bnad_cb_rcb_setup,
30792+ .rcb_destroy_cbfn = bnad_cb_rcb_destroy,
30793+ .ccb_setup_cbfn = bnad_cb_ccb_setup,
30794+ .ccb_destroy_cbfn = bnad_cb_ccb_destroy,
30795+ .rx_cleanup_cbfn = bnad_cb_rx_cleanup,
30796+ .rx_post_cbfn = bnad_cb_rx_post
30797+ };
30798 struct bna_rx *rx;
30799 unsigned long flags;
30800
30801 /* Initialize the Rx object configuration */
30802 bnad_init_rx_config(bnad, rx_config);
30803
30804- /* Initialize the Rx event handlers */
30805- rx_cbfn.rcb_setup_cbfn = bnad_cb_rcb_setup;
30806- rx_cbfn.rcb_destroy_cbfn = bnad_cb_rcb_destroy;
30807- rx_cbfn.ccb_setup_cbfn = bnad_cb_ccb_setup;
30808- rx_cbfn.ccb_destroy_cbfn = bnad_cb_ccb_destroy;
30809- rx_cbfn.rx_cleanup_cbfn = bnad_cb_rx_cleanup;
30810- rx_cbfn.rx_post_cbfn = bnad_cb_rx_post;
30811-
30812 /* Get BNA's resource requirement for one Rx object */
30813 spin_lock_irqsave(&bnad->bna_lock, flags);
30814 bna_rx_res_req(rx_config, res_info);
30815diff -urNp linux-3.0.7/drivers/net/bnx2.c linux-3.0.7/drivers/net/bnx2.c
30816--- linux-3.0.7/drivers/net/bnx2.c 2011-10-16 21:54:54.000000000 -0400
30817+++ linux-3.0.7/drivers/net/bnx2.c 2011-10-16 21:55:27.000000000 -0400
30818@@ -5831,6 +5831,8 @@ bnx2_test_nvram(struct bnx2 *bp)
30819 int rc = 0;
30820 u32 magic, csum;
30821
30822+ pax_track_stack();
30823+
30824 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
30825 goto test_nvram_done;
30826
30827diff -urNp linux-3.0.7/drivers/net/bnx2x/bnx2x_ethtool.c linux-3.0.7/drivers/net/bnx2x/bnx2x_ethtool.c
30828--- linux-3.0.7/drivers/net/bnx2x/bnx2x_ethtool.c 2011-07-21 22:17:23.000000000 -0400
30829+++ linux-3.0.7/drivers/net/bnx2x/bnx2x_ethtool.c 2011-08-23 21:48:14.000000000 -0400
30830@@ -1705,6 +1705,8 @@ static int bnx2x_test_nvram(struct bnx2x
30831 int i, rc;
30832 u32 magic, crc;
30833
30834+ pax_track_stack();
30835+
30836 if (BP_NOMCP(bp))
30837 return 0;
30838
30839diff -urNp linux-3.0.7/drivers/net/can/mscan/mscan.c linux-3.0.7/drivers/net/can/mscan/mscan.c
30840--- linux-3.0.7/drivers/net/can/mscan/mscan.c 2011-07-21 22:17:23.000000000 -0400
30841+++ linux-3.0.7/drivers/net/can/mscan/mscan.c 2011-10-17 02:51:46.000000000 -0400
30842@@ -261,11 +261,13 @@ static netdev_tx_t mscan_start_xmit(stru
30843 void __iomem *data = &regs->tx.dsr1_0;
30844 u16 *payload = (u16 *)frame->data;
30845
30846- /* It is safe to write into dsr[dlc+1] */
30847- for (i = 0; i < (frame->can_dlc + 1) / 2; i++) {
30848+ for (i = 0; i < frame->can_dlc / 2; i++) {
30849 out_be16(data, *payload++);
30850 data += 2 + _MSCAN_RESERVED_DSR_SIZE;
30851 }
30852+ /* write remaining byte if necessary */
30853+ if (frame->can_dlc & 1)
30854+ out_8(data, frame->data[frame->can_dlc - 1]);
30855 }
30856
30857 out_8(&regs->tx.dlr, frame->can_dlc);
30858@@ -330,10 +332,13 @@ static void mscan_get_rx_frame(struct ne
30859 void __iomem *data = &regs->rx.dsr1_0;
30860 u16 *payload = (u16 *)frame->data;
30861
30862- for (i = 0; i < (frame->can_dlc + 1) / 2; i++) {
30863+ for (i = 0; i < frame->can_dlc / 2; i++) {
30864 *payload++ = in_be16(data);
30865 data += 2 + _MSCAN_RESERVED_DSR_SIZE;
30866 }
30867+ /* read remaining byte if necessary */
30868+ if (frame->can_dlc & 1)
30869+ frame->data[frame->can_dlc - 1] = in_8(data);
30870 }
30871
30872 out_8(&regs->canrflg, MSCAN_RXF);
30873diff -urNp linux-3.0.7/drivers/net/cxgb3/l2t.h linux-3.0.7/drivers/net/cxgb3/l2t.h
30874--- linux-3.0.7/drivers/net/cxgb3/l2t.h 2011-10-16 21:54:54.000000000 -0400
30875+++ linux-3.0.7/drivers/net/cxgb3/l2t.h 2011-10-16 21:55:27.000000000 -0400
30876@@ -87,7 +87,7 @@ typedef void (*arp_failure_handler_func)
30877 */
30878 struct l2t_skb_cb {
30879 arp_failure_handler_func arp_failure_handler;
30880-};
30881+} __no_const;
30882
30883 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
30884
30885diff -urNp linux-3.0.7/drivers/net/cxgb4/cxgb4_main.c linux-3.0.7/drivers/net/cxgb4/cxgb4_main.c
30886--- linux-3.0.7/drivers/net/cxgb4/cxgb4_main.c 2011-07-21 22:17:23.000000000 -0400
30887+++ linux-3.0.7/drivers/net/cxgb4/cxgb4_main.c 2011-08-23 21:48:14.000000000 -0400
30888@@ -3396,6 +3396,8 @@ static int __devinit enable_msix(struct
30889 unsigned int nchan = adap->params.nports;
30890 struct msix_entry entries[MAX_INGQ + 1];
30891
30892+ pax_track_stack();
30893+
30894 for (i = 0; i < ARRAY_SIZE(entries); ++i)
30895 entries[i].entry = i;
30896
30897diff -urNp linux-3.0.7/drivers/net/cxgb4/t4_hw.c linux-3.0.7/drivers/net/cxgb4/t4_hw.c
30898--- linux-3.0.7/drivers/net/cxgb4/t4_hw.c 2011-07-21 22:17:23.000000000 -0400
30899+++ linux-3.0.7/drivers/net/cxgb4/t4_hw.c 2011-08-23 21:48:14.000000000 -0400
30900@@ -362,6 +362,8 @@ static int get_vpd_params(struct adapter
30901 u8 vpd[VPD_LEN], csum;
30902 unsigned int vpdr_len, kw_offset, id_len;
30903
30904+ pax_track_stack();
30905+
30906 ret = pci_read_vpd(adapter->pdev, VPD_BASE, sizeof(vpd), vpd);
30907 if (ret < 0)
30908 return ret;
30909diff -urNp linux-3.0.7/drivers/net/e1000e/82571.c linux-3.0.7/drivers/net/e1000e/82571.c
30910--- linux-3.0.7/drivers/net/e1000e/82571.c 2011-07-21 22:17:23.000000000 -0400
30911+++ linux-3.0.7/drivers/net/e1000e/82571.c 2011-08-23 21:47:55.000000000 -0400
30912@@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
30913 {
30914 struct e1000_hw *hw = &adapter->hw;
30915 struct e1000_mac_info *mac = &hw->mac;
30916- struct e1000_mac_operations *func = &mac->ops;
30917+ e1000_mac_operations_no_const *func = &mac->ops;
30918 u32 swsm = 0;
30919 u32 swsm2 = 0;
30920 bool force_clear_smbi = false;
30921diff -urNp linux-3.0.7/drivers/net/e1000e/es2lan.c linux-3.0.7/drivers/net/e1000e/es2lan.c
30922--- linux-3.0.7/drivers/net/e1000e/es2lan.c 2011-07-21 22:17:23.000000000 -0400
30923+++ linux-3.0.7/drivers/net/e1000e/es2lan.c 2011-08-23 21:47:55.000000000 -0400
30924@@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
30925 {
30926 struct e1000_hw *hw = &adapter->hw;
30927 struct e1000_mac_info *mac = &hw->mac;
30928- struct e1000_mac_operations *func = &mac->ops;
30929+ e1000_mac_operations_no_const *func = &mac->ops;
30930
30931 /* Set media type */
30932 switch (adapter->pdev->device) {
30933diff -urNp linux-3.0.7/drivers/net/e1000e/hw.h linux-3.0.7/drivers/net/e1000e/hw.h
30934--- linux-3.0.7/drivers/net/e1000e/hw.h 2011-07-21 22:17:23.000000000 -0400
30935+++ linux-3.0.7/drivers/net/e1000e/hw.h 2011-08-23 21:47:55.000000000 -0400
30936@@ -776,6 +776,7 @@ struct e1000_mac_operations {
30937 void (*write_vfta)(struct e1000_hw *, u32, u32);
30938 s32 (*read_mac_addr)(struct e1000_hw *);
30939 };
30940+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
30941
30942 /* Function pointers for the PHY. */
30943 struct e1000_phy_operations {
30944@@ -799,6 +800,7 @@ struct e1000_phy_operations {
30945 void (*power_up)(struct e1000_hw *);
30946 void (*power_down)(struct e1000_hw *);
30947 };
30948+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
30949
30950 /* Function pointers for the NVM. */
30951 struct e1000_nvm_operations {
30952@@ -810,9 +812,10 @@ struct e1000_nvm_operations {
30953 s32 (*validate)(struct e1000_hw *);
30954 s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
30955 };
30956+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
30957
30958 struct e1000_mac_info {
30959- struct e1000_mac_operations ops;
30960+ e1000_mac_operations_no_const ops;
30961 u8 addr[ETH_ALEN];
30962 u8 perm_addr[ETH_ALEN];
30963
30964@@ -853,7 +856,7 @@ struct e1000_mac_info {
30965 };
30966
30967 struct e1000_phy_info {
30968- struct e1000_phy_operations ops;
30969+ e1000_phy_operations_no_const ops;
30970
30971 enum e1000_phy_type type;
30972
30973@@ -887,7 +890,7 @@ struct e1000_phy_info {
30974 };
30975
30976 struct e1000_nvm_info {
30977- struct e1000_nvm_operations ops;
30978+ e1000_nvm_operations_no_const ops;
30979
30980 enum e1000_nvm_type type;
30981 enum e1000_nvm_override override;
30982diff -urNp linux-3.0.7/drivers/net/fealnx.c linux-3.0.7/drivers/net/fealnx.c
30983--- linux-3.0.7/drivers/net/fealnx.c 2011-07-21 22:17:23.000000000 -0400
30984+++ linux-3.0.7/drivers/net/fealnx.c 2011-10-11 10:44:33.000000000 -0400
30985@@ -150,7 +150,7 @@ struct chip_info {
30986 int flags;
30987 };
30988
30989-static const struct chip_info skel_netdrv_tbl[] __devinitdata = {
30990+static const struct chip_info skel_netdrv_tbl[] __devinitconst = {
30991 { "100/10M Ethernet PCI Adapter", HAS_MII_XCVR },
30992 { "100/10M Ethernet PCI Adapter", HAS_CHIP_XCVR },
30993 { "1000/100/10M Ethernet PCI Adapter", HAS_MII_XCVR },
30994diff -urNp linux-3.0.7/drivers/net/hamradio/6pack.c linux-3.0.7/drivers/net/hamradio/6pack.c
30995--- linux-3.0.7/drivers/net/hamradio/6pack.c 2011-07-21 22:17:23.000000000 -0400
30996+++ linux-3.0.7/drivers/net/hamradio/6pack.c 2011-08-23 21:48:14.000000000 -0400
30997@@ -463,6 +463,8 @@ static void sixpack_receive_buf(struct t
30998 unsigned char buf[512];
30999 int count1;
31000
31001+ pax_track_stack();
31002+
31003 if (!count)
31004 return;
31005
31006diff -urNp linux-3.0.7/drivers/net/igb/e1000_hw.h linux-3.0.7/drivers/net/igb/e1000_hw.h
31007--- linux-3.0.7/drivers/net/igb/e1000_hw.h 2011-07-21 22:17:23.000000000 -0400
31008+++ linux-3.0.7/drivers/net/igb/e1000_hw.h 2011-08-23 21:47:55.000000000 -0400
31009@@ -314,6 +314,7 @@ struct e1000_mac_operations {
31010 s32 (*read_mac_addr)(struct e1000_hw *);
31011 s32 (*get_speed_and_duplex)(struct e1000_hw *, u16 *, u16 *);
31012 };
31013+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31014
31015 struct e1000_phy_operations {
31016 s32 (*acquire)(struct e1000_hw *);
31017@@ -330,6 +331,7 @@ struct e1000_phy_operations {
31018 s32 (*set_d3_lplu_state)(struct e1000_hw *, bool);
31019 s32 (*write_reg)(struct e1000_hw *, u32, u16);
31020 };
31021+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
31022
31023 struct e1000_nvm_operations {
31024 s32 (*acquire)(struct e1000_hw *);
31025@@ -339,6 +341,7 @@ struct e1000_nvm_operations {
31026 s32 (*update)(struct e1000_hw *);
31027 s32 (*validate)(struct e1000_hw *);
31028 };
31029+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
31030
31031 struct e1000_info {
31032 s32 (*get_invariants)(struct e1000_hw *);
31033@@ -350,7 +353,7 @@ struct e1000_info {
31034 extern const struct e1000_info e1000_82575_info;
31035
31036 struct e1000_mac_info {
31037- struct e1000_mac_operations ops;
31038+ e1000_mac_operations_no_const ops;
31039
31040 u8 addr[6];
31041 u8 perm_addr[6];
31042@@ -388,7 +391,7 @@ struct e1000_mac_info {
31043 };
31044
31045 struct e1000_phy_info {
31046- struct e1000_phy_operations ops;
31047+ e1000_phy_operations_no_const ops;
31048
31049 enum e1000_phy_type type;
31050
31051@@ -423,7 +426,7 @@ struct e1000_phy_info {
31052 };
31053
31054 struct e1000_nvm_info {
31055- struct e1000_nvm_operations ops;
31056+ e1000_nvm_operations_no_const ops;
31057 enum e1000_nvm_type type;
31058 enum e1000_nvm_override override;
31059
31060@@ -468,6 +471,7 @@ struct e1000_mbx_operations {
31061 s32 (*check_for_ack)(struct e1000_hw *, u16);
31062 s32 (*check_for_rst)(struct e1000_hw *, u16);
31063 };
31064+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
31065
31066 struct e1000_mbx_stats {
31067 u32 msgs_tx;
31068@@ -479,7 +483,7 @@ struct e1000_mbx_stats {
31069 };
31070
31071 struct e1000_mbx_info {
31072- struct e1000_mbx_operations ops;
31073+ e1000_mbx_operations_no_const ops;
31074 struct e1000_mbx_stats stats;
31075 u32 timeout;
31076 u32 usec_delay;
31077diff -urNp linux-3.0.7/drivers/net/igbvf/vf.h linux-3.0.7/drivers/net/igbvf/vf.h
31078--- linux-3.0.7/drivers/net/igbvf/vf.h 2011-07-21 22:17:23.000000000 -0400
31079+++ linux-3.0.7/drivers/net/igbvf/vf.h 2011-08-23 21:47:55.000000000 -0400
31080@@ -189,9 +189,10 @@ struct e1000_mac_operations {
31081 s32 (*read_mac_addr)(struct e1000_hw *);
31082 s32 (*set_vfta)(struct e1000_hw *, u16, bool);
31083 };
31084+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31085
31086 struct e1000_mac_info {
31087- struct e1000_mac_operations ops;
31088+ e1000_mac_operations_no_const ops;
31089 u8 addr[6];
31090 u8 perm_addr[6];
31091
31092@@ -213,6 +214,7 @@ struct e1000_mbx_operations {
31093 s32 (*check_for_ack)(struct e1000_hw *);
31094 s32 (*check_for_rst)(struct e1000_hw *);
31095 };
31096+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
31097
31098 struct e1000_mbx_stats {
31099 u32 msgs_tx;
31100@@ -224,7 +226,7 @@ struct e1000_mbx_stats {
31101 };
31102
31103 struct e1000_mbx_info {
31104- struct e1000_mbx_operations ops;
31105+ e1000_mbx_operations_no_const ops;
31106 struct e1000_mbx_stats stats;
31107 u32 timeout;
31108 u32 usec_delay;
31109diff -urNp linux-3.0.7/drivers/net/ixgb/ixgb_main.c linux-3.0.7/drivers/net/ixgb/ixgb_main.c
31110--- linux-3.0.7/drivers/net/ixgb/ixgb_main.c 2011-07-21 22:17:23.000000000 -0400
31111+++ linux-3.0.7/drivers/net/ixgb/ixgb_main.c 2011-08-23 21:48:14.000000000 -0400
31112@@ -1070,6 +1070,8 @@ ixgb_set_multi(struct net_device *netdev
31113 u32 rctl;
31114 int i;
31115
31116+ pax_track_stack();
31117+
31118 /* Check for Promiscuous and All Multicast modes */
31119
31120 rctl = IXGB_READ_REG(hw, RCTL);
31121diff -urNp linux-3.0.7/drivers/net/ixgb/ixgb_param.c linux-3.0.7/drivers/net/ixgb/ixgb_param.c
31122--- linux-3.0.7/drivers/net/ixgb/ixgb_param.c 2011-07-21 22:17:23.000000000 -0400
31123+++ linux-3.0.7/drivers/net/ixgb/ixgb_param.c 2011-08-23 21:48:14.000000000 -0400
31124@@ -261,6 +261,9 @@ void __devinit
31125 ixgb_check_options(struct ixgb_adapter *adapter)
31126 {
31127 int bd = adapter->bd_number;
31128+
31129+ pax_track_stack();
31130+
31131 if (bd >= IXGB_MAX_NIC) {
31132 pr_notice("Warning: no configuration for board #%i\n", bd);
31133 pr_notice("Using defaults for all values\n");
31134diff -urNp linux-3.0.7/drivers/net/ixgbe/ixgbe_type.h linux-3.0.7/drivers/net/ixgbe/ixgbe_type.h
31135--- linux-3.0.7/drivers/net/ixgbe/ixgbe_type.h 2011-07-21 22:17:23.000000000 -0400
31136+++ linux-3.0.7/drivers/net/ixgbe/ixgbe_type.h 2011-08-23 21:47:55.000000000 -0400
31137@@ -2584,6 +2584,7 @@ struct ixgbe_eeprom_operations {
31138 s32 (*update_checksum)(struct ixgbe_hw *);
31139 u16 (*calc_checksum)(struct ixgbe_hw *);
31140 };
31141+typedef struct ixgbe_eeprom_operations __no_const ixgbe_eeprom_operations_no_const;
31142
31143 struct ixgbe_mac_operations {
31144 s32 (*init_hw)(struct ixgbe_hw *);
31145@@ -2639,6 +2640,7 @@ struct ixgbe_mac_operations {
31146 /* Flow Control */
31147 s32 (*fc_enable)(struct ixgbe_hw *, s32);
31148 };
31149+typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
31150
31151 struct ixgbe_phy_operations {
31152 s32 (*identify)(struct ixgbe_hw *);
31153@@ -2658,9 +2660,10 @@ struct ixgbe_phy_operations {
31154 s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
31155 s32 (*check_overtemp)(struct ixgbe_hw *);
31156 };
31157+typedef struct ixgbe_phy_operations __no_const ixgbe_phy_operations_no_const;
31158
31159 struct ixgbe_eeprom_info {
31160- struct ixgbe_eeprom_operations ops;
31161+ ixgbe_eeprom_operations_no_const ops;
31162 enum ixgbe_eeprom_type type;
31163 u32 semaphore_delay;
31164 u16 word_size;
31165@@ -2670,7 +2673,7 @@ struct ixgbe_eeprom_info {
31166
31167 #define IXGBE_FLAGS_DOUBLE_RESET_REQUIRED 0x01
31168 struct ixgbe_mac_info {
31169- struct ixgbe_mac_operations ops;
31170+ ixgbe_mac_operations_no_const ops;
31171 enum ixgbe_mac_type type;
31172 u8 addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
31173 u8 perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
31174@@ -2698,7 +2701,7 @@ struct ixgbe_mac_info {
31175 };
31176
31177 struct ixgbe_phy_info {
31178- struct ixgbe_phy_operations ops;
31179+ ixgbe_phy_operations_no_const ops;
31180 struct mdio_if_info mdio;
31181 enum ixgbe_phy_type type;
31182 u32 id;
31183@@ -2726,6 +2729,7 @@ struct ixgbe_mbx_operations {
31184 s32 (*check_for_ack)(struct ixgbe_hw *, u16);
31185 s32 (*check_for_rst)(struct ixgbe_hw *, u16);
31186 };
31187+typedef struct ixgbe_mbx_operations __no_const ixgbe_mbx_operations_no_const;
31188
31189 struct ixgbe_mbx_stats {
31190 u32 msgs_tx;
31191@@ -2737,7 +2741,7 @@ struct ixgbe_mbx_stats {
31192 };
31193
31194 struct ixgbe_mbx_info {
31195- struct ixgbe_mbx_operations ops;
31196+ ixgbe_mbx_operations_no_const ops;
31197 struct ixgbe_mbx_stats stats;
31198 u32 timeout;
31199 u32 usec_delay;
31200diff -urNp linux-3.0.7/drivers/net/ixgbevf/vf.h linux-3.0.7/drivers/net/ixgbevf/vf.h
31201--- linux-3.0.7/drivers/net/ixgbevf/vf.h 2011-07-21 22:17:23.000000000 -0400
31202+++ linux-3.0.7/drivers/net/ixgbevf/vf.h 2011-08-23 21:47:55.000000000 -0400
31203@@ -70,6 +70,7 @@ struct ixgbe_mac_operations {
31204 s32 (*clear_vfta)(struct ixgbe_hw *);
31205 s32 (*set_vfta)(struct ixgbe_hw *, u32, u32, bool);
31206 };
31207+typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
31208
31209 enum ixgbe_mac_type {
31210 ixgbe_mac_unknown = 0,
31211@@ -79,7 +80,7 @@ enum ixgbe_mac_type {
31212 };
31213
31214 struct ixgbe_mac_info {
31215- struct ixgbe_mac_operations ops;
31216+ ixgbe_mac_operations_no_const ops;
31217 u8 addr[6];
31218 u8 perm_addr[6];
31219
31220@@ -103,6 +104,7 @@ struct ixgbe_mbx_operations {
31221 s32 (*check_for_ack)(struct ixgbe_hw *);
31222 s32 (*check_for_rst)(struct ixgbe_hw *);
31223 };
31224+typedef struct ixgbe_mbx_operations __no_const ixgbe_mbx_operations_no_const;
31225
31226 struct ixgbe_mbx_stats {
31227 u32 msgs_tx;
31228@@ -114,7 +116,7 @@ struct ixgbe_mbx_stats {
31229 };
31230
31231 struct ixgbe_mbx_info {
31232- struct ixgbe_mbx_operations ops;
31233+ ixgbe_mbx_operations_no_const ops;
31234 struct ixgbe_mbx_stats stats;
31235 u32 timeout;
31236 u32 udelay;
31237diff -urNp linux-3.0.7/drivers/net/ksz884x.c linux-3.0.7/drivers/net/ksz884x.c
31238--- linux-3.0.7/drivers/net/ksz884x.c 2011-07-21 22:17:23.000000000 -0400
31239+++ linux-3.0.7/drivers/net/ksz884x.c 2011-08-23 21:48:14.000000000 -0400
31240@@ -6534,6 +6534,8 @@ static void netdev_get_ethtool_stats(str
31241 int rc;
31242 u64 counter[TOTAL_PORT_COUNTER_NUM];
31243
31244+ pax_track_stack();
31245+
31246 mutex_lock(&hw_priv->lock);
31247 n = SWITCH_PORT_NUM;
31248 for (i = 0, p = port->first_port; i < port->mib_port_cnt; i++, p++) {
31249diff -urNp linux-3.0.7/drivers/net/mlx4/main.c linux-3.0.7/drivers/net/mlx4/main.c
31250--- linux-3.0.7/drivers/net/mlx4/main.c 2011-07-21 22:17:23.000000000 -0400
31251+++ linux-3.0.7/drivers/net/mlx4/main.c 2011-08-23 21:48:14.000000000 -0400
31252@@ -40,6 +40,7 @@
31253 #include <linux/dma-mapping.h>
31254 #include <linux/slab.h>
31255 #include <linux/io-mapping.h>
31256+#include <linux/sched.h>
31257
31258 #include <linux/mlx4/device.h>
31259 #include <linux/mlx4/doorbell.h>
31260@@ -764,6 +765,8 @@ static int mlx4_init_hca(struct mlx4_dev
31261 u64 icm_size;
31262 int err;
31263
31264+ pax_track_stack();
31265+
31266 err = mlx4_QUERY_FW(dev);
31267 if (err) {
31268 if (err == -EACCES)
31269diff -urNp linux-3.0.7/drivers/net/niu.c linux-3.0.7/drivers/net/niu.c
31270--- linux-3.0.7/drivers/net/niu.c 2011-09-02 18:11:21.000000000 -0400
31271+++ linux-3.0.7/drivers/net/niu.c 2011-08-23 21:48:14.000000000 -0400
31272@@ -9056,6 +9056,8 @@ static void __devinit niu_try_msix(struc
31273 int i, num_irqs, err;
31274 u8 first_ldg;
31275
31276+ pax_track_stack();
31277+
31278 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
31279 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
31280 ldg_num_map[i] = first_ldg + i;
31281diff -urNp linux-3.0.7/drivers/net/pcnet32.c linux-3.0.7/drivers/net/pcnet32.c
31282--- linux-3.0.7/drivers/net/pcnet32.c 2011-07-21 22:17:23.000000000 -0400
31283+++ linux-3.0.7/drivers/net/pcnet32.c 2011-08-23 21:47:55.000000000 -0400
31284@@ -82,7 +82,7 @@ static int cards_found;
31285 /*
31286 * VLB I/O addresses
31287 */
31288-static unsigned int pcnet32_portlist[] __initdata =
31289+static unsigned int pcnet32_portlist[] __devinitdata =
31290 { 0x300, 0x320, 0x340, 0x360, 0 };
31291
31292 static int pcnet32_debug;
31293@@ -270,7 +270,7 @@ struct pcnet32_private {
31294 struct sk_buff **rx_skbuff;
31295 dma_addr_t *tx_dma_addr;
31296 dma_addr_t *rx_dma_addr;
31297- struct pcnet32_access a;
31298+ struct pcnet32_access *a;
31299 spinlock_t lock; /* Guard lock */
31300 unsigned int cur_rx, cur_tx; /* The next free ring entry */
31301 unsigned int rx_ring_size; /* current rx ring size */
31302@@ -460,9 +460,9 @@ static void pcnet32_netif_start(struct n
31303 u16 val;
31304
31305 netif_wake_queue(dev);
31306- val = lp->a.read_csr(ioaddr, CSR3);
31307+ val = lp->a->read_csr(ioaddr, CSR3);
31308 val &= 0x00ff;
31309- lp->a.write_csr(ioaddr, CSR3, val);
31310+ lp->a->write_csr(ioaddr, CSR3, val);
31311 napi_enable(&lp->napi);
31312 }
31313
31314@@ -730,7 +730,7 @@ static u32 pcnet32_get_link(struct net_d
31315 r = mii_link_ok(&lp->mii_if);
31316 } else if (lp->chip_version >= PCNET32_79C970A) {
31317 ulong ioaddr = dev->base_addr; /* card base I/O address */
31318- r = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
31319+ r = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
31320 } else { /* can not detect link on really old chips */
31321 r = 1;
31322 }
31323@@ -792,7 +792,7 @@ static int pcnet32_set_ringparam(struct
31324 pcnet32_netif_stop(dev);
31325
31326 spin_lock_irqsave(&lp->lock, flags);
31327- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
31328+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
31329
31330 size = min(ering->tx_pending, (unsigned int)TX_MAX_RING_SIZE);
31331
31332@@ -868,7 +868,7 @@ static void pcnet32_ethtool_test(struct
31333 static int pcnet32_loopback_test(struct net_device *dev, uint64_t * data1)
31334 {
31335 struct pcnet32_private *lp = netdev_priv(dev);
31336- struct pcnet32_access *a = &lp->a; /* access to registers */
31337+ struct pcnet32_access *a = lp->a; /* access to registers */
31338 ulong ioaddr = dev->base_addr; /* card base I/O address */
31339 struct sk_buff *skb; /* sk buff */
31340 int x, i; /* counters */
31341@@ -888,21 +888,21 @@ static int pcnet32_loopback_test(struct
31342 pcnet32_netif_stop(dev);
31343
31344 spin_lock_irqsave(&lp->lock, flags);
31345- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
31346+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
31347
31348 numbuffs = min(numbuffs, (int)min(lp->rx_ring_size, lp->tx_ring_size));
31349
31350 /* Reset the PCNET32 */
31351- lp->a.reset(ioaddr);
31352- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31353+ lp->a->reset(ioaddr);
31354+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31355
31356 /* switch pcnet32 to 32bit mode */
31357- lp->a.write_bcr(ioaddr, 20, 2);
31358+ lp->a->write_bcr(ioaddr, 20, 2);
31359
31360 /* purge & init rings but don't actually restart */
31361 pcnet32_restart(dev, 0x0000);
31362
31363- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
31364+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
31365
31366 /* Initialize Transmit buffers. */
31367 size = data_len + 15;
31368@@ -947,10 +947,10 @@ static int pcnet32_loopback_test(struct
31369
31370 /* set int loopback in CSR15 */
31371 x = a->read_csr(ioaddr, CSR15) & 0xfffc;
31372- lp->a.write_csr(ioaddr, CSR15, x | 0x0044);
31373+ lp->a->write_csr(ioaddr, CSR15, x | 0x0044);
31374
31375 teststatus = cpu_to_le16(0x8000);
31376- lp->a.write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
31377+ lp->a->write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
31378
31379 /* Check status of descriptors */
31380 for (x = 0; x < numbuffs; x++) {
31381@@ -969,7 +969,7 @@ static int pcnet32_loopback_test(struct
31382 }
31383 }
31384
31385- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
31386+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
31387 wmb();
31388 if (netif_msg_hw(lp) && netif_msg_pktdata(lp)) {
31389 netdev_printk(KERN_DEBUG, dev, "RX loopback packets:\n");
31390@@ -1015,7 +1015,7 @@ clean_up:
31391 pcnet32_restart(dev, CSR0_NORMAL);
31392 } else {
31393 pcnet32_purge_rx_ring(dev);
31394- lp->a.write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
31395+ lp->a->write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
31396 }
31397 spin_unlock_irqrestore(&lp->lock, flags);
31398
31399@@ -1026,7 +1026,7 @@ static int pcnet32_set_phys_id(struct ne
31400 enum ethtool_phys_id_state state)
31401 {
31402 struct pcnet32_private *lp = netdev_priv(dev);
31403- struct pcnet32_access *a = &lp->a;
31404+ struct pcnet32_access *a = lp->a;
31405 ulong ioaddr = dev->base_addr;
31406 unsigned long flags;
31407 int i;
31408@@ -1067,7 +1067,7 @@ static int pcnet32_suspend(struct net_de
31409 {
31410 int csr5;
31411 struct pcnet32_private *lp = netdev_priv(dev);
31412- struct pcnet32_access *a = &lp->a;
31413+ struct pcnet32_access *a = lp->a;
31414 ulong ioaddr = dev->base_addr;
31415 int ticks;
31416
31417@@ -1324,8 +1324,8 @@ static int pcnet32_poll(struct napi_stru
31418 spin_lock_irqsave(&lp->lock, flags);
31419 if (pcnet32_tx(dev)) {
31420 /* reset the chip to clear the error condition, then restart */
31421- lp->a.reset(ioaddr);
31422- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31423+ lp->a->reset(ioaddr);
31424+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31425 pcnet32_restart(dev, CSR0_START);
31426 netif_wake_queue(dev);
31427 }
31428@@ -1337,12 +1337,12 @@ static int pcnet32_poll(struct napi_stru
31429 __napi_complete(napi);
31430
31431 /* clear interrupt masks */
31432- val = lp->a.read_csr(ioaddr, CSR3);
31433+ val = lp->a->read_csr(ioaddr, CSR3);
31434 val &= 0x00ff;
31435- lp->a.write_csr(ioaddr, CSR3, val);
31436+ lp->a->write_csr(ioaddr, CSR3, val);
31437
31438 /* Set interrupt enable. */
31439- lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN);
31440+ lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
31441
31442 spin_unlock_irqrestore(&lp->lock, flags);
31443 }
31444@@ -1365,7 +1365,7 @@ static void pcnet32_get_regs(struct net_
31445 int i, csr0;
31446 u16 *buff = ptr;
31447 struct pcnet32_private *lp = netdev_priv(dev);
31448- struct pcnet32_access *a = &lp->a;
31449+ struct pcnet32_access *a = lp->a;
31450 ulong ioaddr = dev->base_addr;
31451 unsigned long flags;
31452
31453@@ -1401,9 +1401,9 @@ static void pcnet32_get_regs(struct net_
31454 for (j = 0; j < PCNET32_MAX_PHYS; j++) {
31455 if (lp->phymask & (1 << j)) {
31456 for (i = 0; i < PCNET32_REGS_PER_PHY; i++) {
31457- lp->a.write_bcr(ioaddr, 33,
31458+ lp->a->write_bcr(ioaddr, 33,
31459 (j << 5) | i);
31460- *buff++ = lp->a.read_bcr(ioaddr, 34);
31461+ *buff++ = lp->a->read_bcr(ioaddr, 34);
31462 }
31463 }
31464 }
31465@@ -1785,7 +1785,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31466 ((cards_found >= MAX_UNITS) || full_duplex[cards_found]))
31467 lp->options |= PCNET32_PORT_FD;
31468
31469- lp->a = *a;
31470+ lp->a = a;
31471
31472 /* prior to register_netdev, dev->name is not yet correct */
31473 if (pcnet32_alloc_ring(dev, pci_name(lp->pci_dev))) {
31474@@ -1844,7 +1844,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31475 if (lp->mii) {
31476 /* lp->phycount and lp->phymask are set to 0 by memset above */
31477
31478- lp->mii_if.phy_id = ((lp->a.read_bcr(ioaddr, 33)) >> 5) & 0x1f;
31479+ lp->mii_if.phy_id = ((lp->a->read_bcr(ioaddr, 33)) >> 5) & 0x1f;
31480 /* scan for PHYs */
31481 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
31482 unsigned short id1, id2;
31483@@ -1864,7 +1864,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31484 pr_info("Found PHY %04x:%04x at address %d\n",
31485 id1, id2, i);
31486 }
31487- lp->a.write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
31488+ lp->a->write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
31489 if (lp->phycount > 1)
31490 lp->options |= PCNET32_PORT_MII;
31491 }
31492@@ -2020,10 +2020,10 @@ static int pcnet32_open(struct net_devic
31493 }
31494
31495 /* Reset the PCNET32 */
31496- lp->a.reset(ioaddr);
31497+ lp->a->reset(ioaddr);
31498
31499 /* switch pcnet32 to 32bit mode */
31500- lp->a.write_bcr(ioaddr, 20, 2);
31501+ lp->a->write_bcr(ioaddr, 20, 2);
31502
31503 netif_printk(lp, ifup, KERN_DEBUG, dev,
31504 "%s() irq %d tx/rx rings %#x/%#x init %#x\n",
31505@@ -2032,14 +2032,14 @@ static int pcnet32_open(struct net_devic
31506 (u32) (lp->init_dma_addr));
31507
31508 /* set/reset autoselect bit */
31509- val = lp->a.read_bcr(ioaddr, 2) & ~2;
31510+ val = lp->a->read_bcr(ioaddr, 2) & ~2;
31511 if (lp->options & PCNET32_PORT_ASEL)
31512 val |= 2;
31513- lp->a.write_bcr(ioaddr, 2, val);
31514+ lp->a->write_bcr(ioaddr, 2, val);
31515
31516 /* handle full duplex setting */
31517 if (lp->mii_if.full_duplex) {
31518- val = lp->a.read_bcr(ioaddr, 9) & ~3;
31519+ val = lp->a->read_bcr(ioaddr, 9) & ~3;
31520 if (lp->options & PCNET32_PORT_FD) {
31521 val |= 1;
31522 if (lp->options == (PCNET32_PORT_FD | PCNET32_PORT_AUI))
31523@@ -2049,14 +2049,14 @@ static int pcnet32_open(struct net_devic
31524 if (lp->chip_version == 0x2627)
31525 val |= 3;
31526 }
31527- lp->a.write_bcr(ioaddr, 9, val);
31528+ lp->a->write_bcr(ioaddr, 9, val);
31529 }
31530
31531 /* set/reset GPSI bit in test register */
31532- val = lp->a.read_csr(ioaddr, 124) & ~0x10;
31533+ val = lp->a->read_csr(ioaddr, 124) & ~0x10;
31534 if ((lp->options & PCNET32_PORT_PORTSEL) == PCNET32_PORT_GPSI)
31535 val |= 0x10;
31536- lp->a.write_csr(ioaddr, 124, val);
31537+ lp->a->write_csr(ioaddr, 124, val);
31538
31539 /* Allied Telesyn AT 2700/2701 FX are 100Mbit only and do not negotiate */
31540 if (pdev && pdev->subsystem_vendor == PCI_VENDOR_ID_AT &&
31541@@ -2075,24 +2075,24 @@ static int pcnet32_open(struct net_devic
31542 * duplex, and/or enable auto negotiation, and clear DANAS
31543 */
31544 if (lp->mii && !(lp->options & PCNET32_PORT_ASEL)) {
31545- lp->a.write_bcr(ioaddr, 32,
31546- lp->a.read_bcr(ioaddr, 32) | 0x0080);
31547+ lp->a->write_bcr(ioaddr, 32,
31548+ lp->a->read_bcr(ioaddr, 32) | 0x0080);
31549 /* disable Auto Negotiation, set 10Mpbs, HD */
31550- val = lp->a.read_bcr(ioaddr, 32) & ~0xb8;
31551+ val = lp->a->read_bcr(ioaddr, 32) & ~0xb8;
31552 if (lp->options & PCNET32_PORT_FD)
31553 val |= 0x10;
31554 if (lp->options & PCNET32_PORT_100)
31555 val |= 0x08;
31556- lp->a.write_bcr(ioaddr, 32, val);
31557+ lp->a->write_bcr(ioaddr, 32, val);
31558 } else {
31559 if (lp->options & PCNET32_PORT_ASEL) {
31560- lp->a.write_bcr(ioaddr, 32,
31561- lp->a.read_bcr(ioaddr,
31562+ lp->a->write_bcr(ioaddr, 32,
31563+ lp->a->read_bcr(ioaddr,
31564 32) | 0x0080);
31565 /* enable auto negotiate, setup, disable fd */
31566- val = lp->a.read_bcr(ioaddr, 32) & ~0x98;
31567+ val = lp->a->read_bcr(ioaddr, 32) & ~0x98;
31568 val |= 0x20;
31569- lp->a.write_bcr(ioaddr, 32, val);
31570+ lp->a->write_bcr(ioaddr, 32, val);
31571 }
31572 }
31573 } else {
31574@@ -2105,10 +2105,10 @@ static int pcnet32_open(struct net_devic
31575 * There is really no good other way to handle multiple PHYs
31576 * other than turning off all automatics
31577 */
31578- val = lp->a.read_bcr(ioaddr, 2);
31579- lp->a.write_bcr(ioaddr, 2, val & ~2);
31580- val = lp->a.read_bcr(ioaddr, 32);
31581- lp->a.write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
31582+ val = lp->a->read_bcr(ioaddr, 2);
31583+ lp->a->write_bcr(ioaddr, 2, val & ~2);
31584+ val = lp->a->read_bcr(ioaddr, 32);
31585+ lp->a->write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
31586
31587 if (!(lp->options & PCNET32_PORT_ASEL)) {
31588 /* setup ecmd */
31589@@ -2118,7 +2118,7 @@ static int pcnet32_open(struct net_devic
31590 ethtool_cmd_speed_set(&ecmd,
31591 (lp->options & PCNET32_PORT_100) ?
31592 SPEED_100 : SPEED_10);
31593- bcr9 = lp->a.read_bcr(ioaddr, 9);
31594+ bcr9 = lp->a->read_bcr(ioaddr, 9);
31595
31596 if (lp->options & PCNET32_PORT_FD) {
31597 ecmd.duplex = DUPLEX_FULL;
31598@@ -2127,7 +2127,7 @@ static int pcnet32_open(struct net_devic
31599 ecmd.duplex = DUPLEX_HALF;
31600 bcr9 |= ~(1 << 0);
31601 }
31602- lp->a.write_bcr(ioaddr, 9, bcr9);
31603+ lp->a->write_bcr(ioaddr, 9, bcr9);
31604 }
31605
31606 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
31607@@ -2158,9 +2158,9 @@ static int pcnet32_open(struct net_devic
31608
31609 #ifdef DO_DXSUFLO
31610 if (lp->dxsuflo) { /* Disable transmit stop on underflow */
31611- val = lp->a.read_csr(ioaddr, CSR3);
31612+ val = lp->a->read_csr(ioaddr, CSR3);
31613 val |= 0x40;
31614- lp->a.write_csr(ioaddr, CSR3, val);
31615+ lp->a->write_csr(ioaddr, CSR3, val);
31616 }
31617 #endif
31618
31619@@ -2176,11 +2176,11 @@ static int pcnet32_open(struct net_devic
31620 napi_enable(&lp->napi);
31621
31622 /* Re-initialize the PCNET32, and start it when done. */
31623- lp->a.write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
31624- lp->a.write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
31625+ lp->a->write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
31626+ lp->a->write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
31627
31628- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31629- lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
31630+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31631+ lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
31632
31633 netif_start_queue(dev);
31634
31635@@ -2192,19 +2192,19 @@ static int pcnet32_open(struct net_devic
31636
31637 i = 0;
31638 while (i++ < 100)
31639- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
31640+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
31641 break;
31642 /*
31643 * We used to clear the InitDone bit, 0x0100, here but Mark Stockton
31644 * reports that doing so triggers a bug in the '974.
31645 */
31646- lp->a.write_csr(ioaddr, CSR0, CSR0_NORMAL);
31647+ lp->a->write_csr(ioaddr, CSR0, CSR0_NORMAL);
31648
31649 netif_printk(lp, ifup, KERN_DEBUG, dev,
31650 "pcnet32 open after %d ticks, init block %#x csr0 %4.4x\n",
31651 i,
31652 (u32) (lp->init_dma_addr),
31653- lp->a.read_csr(ioaddr, CSR0));
31654+ lp->a->read_csr(ioaddr, CSR0));
31655
31656 spin_unlock_irqrestore(&lp->lock, flags);
31657
31658@@ -2218,7 +2218,7 @@ err_free_ring:
31659 * Switch back to 16bit mode to avoid problems with dumb
31660 * DOS packet driver after a warm reboot
31661 */
31662- lp->a.write_bcr(ioaddr, 20, 4);
31663+ lp->a->write_bcr(ioaddr, 20, 4);
31664
31665 err_free_irq:
31666 spin_unlock_irqrestore(&lp->lock, flags);
31667@@ -2323,7 +2323,7 @@ static void pcnet32_restart(struct net_d
31668
31669 /* wait for stop */
31670 for (i = 0; i < 100; i++)
31671- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_STOP)
31672+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_STOP)
31673 break;
31674
31675 if (i >= 100)
31676@@ -2335,13 +2335,13 @@ static void pcnet32_restart(struct net_d
31677 return;
31678
31679 /* ReInit Ring */
31680- lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
31681+ lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
31682 i = 0;
31683 while (i++ < 1000)
31684- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
31685+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
31686 break;
31687
31688- lp->a.write_csr(ioaddr, CSR0, csr0_bits);
31689+ lp->a->write_csr(ioaddr, CSR0, csr0_bits);
31690 }
31691
31692 static void pcnet32_tx_timeout(struct net_device *dev)
31693@@ -2353,8 +2353,8 @@ static void pcnet32_tx_timeout(struct ne
31694 /* Transmitter timeout, serious problems. */
31695 if (pcnet32_debug & NETIF_MSG_DRV)
31696 pr_err("%s: transmit timed out, status %4.4x, resetting\n",
31697- dev->name, lp->a.read_csr(ioaddr, CSR0));
31698- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
31699+ dev->name, lp->a->read_csr(ioaddr, CSR0));
31700+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
31701 dev->stats.tx_errors++;
31702 if (netif_msg_tx_err(lp)) {
31703 int i;
31704@@ -2397,7 +2397,7 @@ static netdev_tx_t pcnet32_start_xmit(st
31705
31706 netif_printk(lp, tx_queued, KERN_DEBUG, dev,
31707 "%s() called, csr0 %4.4x\n",
31708- __func__, lp->a.read_csr(ioaddr, CSR0));
31709+ __func__, lp->a->read_csr(ioaddr, CSR0));
31710
31711 /* Default status -- will not enable Successful-TxDone
31712 * interrupt when that option is available to us.
31713@@ -2427,7 +2427,7 @@ static netdev_tx_t pcnet32_start_xmit(st
31714 dev->stats.tx_bytes += skb->len;
31715
31716 /* Trigger an immediate send poll. */
31717- lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
31718+ lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
31719
31720 if (lp->tx_ring[(entry + 1) & lp->tx_mod_mask].base != 0) {
31721 lp->tx_full = 1;
31722@@ -2452,16 +2452,16 @@ pcnet32_interrupt(int irq, void *dev_id)
31723
31724 spin_lock(&lp->lock);
31725
31726- csr0 = lp->a.read_csr(ioaddr, CSR0);
31727+ csr0 = lp->a->read_csr(ioaddr, CSR0);
31728 while ((csr0 & 0x8f00) && --boguscnt >= 0) {
31729 if (csr0 == 0xffff)
31730 break; /* PCMCIA remove happened */
31731 /* Acknowledge all of the current interrupt sources ASAP. */
31732- lp->a.write_csr(ioaddr, CSR0, csr0 & ~0x004f);
31733+ lp->a->write_csr(ioaddr, CSR0, csr0 & ~0x004f);
31734
31735 netif_printk(lp, intr, KERN_DEBUG, dev,
31736 "interrupt csr0=%#2.2x new csr=%#2.2x\n",
31737- csr0, lp->a.read_csr(ioaddr, CSR0));
31738+ csr0, lp->a->read_csr(ioaddr, CSR0));
31739
31740 /* Log misc errors. */
31741 if (csr0 & 0x4000)
31742@@ -2488,19 +2488,19 @@ pcnet32_interrupt(int irq, void *dev_id)
31743 if (napi_schedule_prep(&lp->napi)) {
31744 u16 val;
31745 /* set interrupt masks */
31746- val = lp->a.read_csr(ioaddr, CSR3);
31747+ val = lp->a->read_csr(ioaddr, CSR3);
31748 val |= 0x5f00;
31749- lp->a.write_csr(ioaddr, CSR3, val);
31750+ lp->a->write_csr(ioaddr, CSR3, val);
31751
31752 __napi_schedule(&lp->napi);
31753 break;
31754 }
31755- csr0 = lp->a.read_csr(ioaddr, CSR0);
31756+ csr0 = lp->a->read_csr(ioaddr, CSR0);
31757 }
31758
31759 netif_printk(lp, intr, KERN_DEBUG, dev,
31760 "exiting interrupt, csr0=%#4.4x\n",
31761- lp->a.read_csr(ioaddr, CSR0));
31762+ lp->a->read_csr(ioaddr, CSR0));
31763
31764 spin_unlock(&lp->lock);
31765
31766@@ -2520,20 +2520,20 @@ static int pcnet32_close(struct net_devi
31767
31768 spin_lock_irqsave(&lp->lock, flags);
31769
31770- dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
31771+ dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
31772
31773 netif_printk(lp, ifdown, KERN_DEBUG, dev,
31774 "Shutting down ethercard, status was %2.2x\n",
31775- lp->a.read_csr(ioaddr, CSR0));
31776+ lp->a->read_csr(ioaddr, CSR0));
31777
31778 /* We stop the PCNET32 here -- it occasionally polls memory if we don't. */
31779- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
31780+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
31781
31782 /*
31783 * Switch back to 16bit mode to avoid problems with dumb
31784 * DOS packet driver after a warm reboot
31785 */
31786- lp->a.write_bcr(ioaddr, 20, 4);
31787+ lp->a->write_bcr(ioaddr, 20, 4);
31788
31789 spin_unlock_irqrestore(&lp->lock, flags);
31790
31791@@ -2556,7 +2556,7 @@ static struct net_device_stats *pcnet32_
31792 unsigned long flags;
31793
31794 spin_lock_irqsave(&lp->lock, flags);
31795- dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
31796+ dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
31797 spin_unlock_irqrestore(&lp->lock, flags);
31798
31799 return &dev->stats;
31800@@ -2578,10 +2578,10 @@ static void pcnet32_load_multicast(struc
31801 if (dev->flags & IFF_ALLMULTI) {
31802 ib->filter[0] = cpu_to_le32(~0U);
31803 ib->filter[1] = cpu_to_le32(~0U);
31804- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
31805- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
31806- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
31807- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
31808+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
31809+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
31810+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
31811+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
31812 return;
31813 }
31814 /* clear the multicast filter */
31815@@ -2601,7 +2601,7 @@ static void pcnet32_load_multicast(struc
31816 mcast_table[crc >> 4] |= cpu_to_le16(1 << (crc & 0xf));
31817 }
31818 for (i = 0; i < 4; i++)
31819- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER + i,
31820+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER + i,
31821 le16_to_cpu(mcast_table[i]));
31822 }
31823
31824@@ -2616,28 +2616,28 @@ static void pcnet32_set_multicast_list(s
31825
31826 spin_lock_irqsave(&lp->lock, flags);
31827 suspended = pcnet32_suspend(dev, &flags, 0);
31828- csr15 = lp->a.read_csr(ioaddr, CSR15);
31829+ csr15 = lp->a->read_csr(ioaddr, CSR15);
31830 if (dev->flags & IFF_PROMISC) {
31831 /* Log any net taps. */
31832 netif_info(lp, hw, dev, "Promiscuous mode enabled\n");
31833 lp->init_block->mode =
31834 cpu_to_le16(0x8000 | (lp->options & PCNET32_PORT_PORTSEL) <<
31835 7);
31836- lp->a.write_csr(ioaddr, CSR15, csr15 | 0x8000);
31837+ lp->a->write_csr(ioaddr, CSR15, csr15 | 0x8000);
31838 } else {
31839 lp->init_block->mode =
31840 cpu_to_le16((lp->options & PCNET32_PORT_PORTSEL) << 7);
31841- lp->a.write_csr(ioaddr, CSR15, csr15 & 0x7fff);
31842+ lp->a->write_csr(ioaddr, CSR15, csr15 & 0x7fff);
31843 pcnet32_load_multicast(dev);
31844 }
31845
31846 if (suspended) {
31847 int csr5;
31848 /* clear SUSPEND (SPND) - CSR5 bit 0 */
31849- csr5 = lp->a.read_csr(ioaddr, CSR5);
31850- lp->a.write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
31851+ csr5 = lp->a->read_csr(ioaddr, CSR5);
31852+ lp->a->write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
31853 } else {
31854- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
31855+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
31856 pcnet32_restart(dev, CSR0_NORMAL);
31857 netif_wake_queue(dev);
31858 }
31859@@ -2655,8 +2655,8 @@ static int mdio_read(struct net_device *
31860 if (!lp->mii)
31861 return 0;
31862
31863- lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
31864- val_out = lp->a.read_bcr(ioaddr, 34);
31865+ lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
31866+ val_out = lp->a->read_bcr(ioaddr, 34);
31867
31868 return val_out;
31869 }
31870@@ -2670,8 +2670,8 @@ static void mdio_write(struct net_device
31871 if (!lp->mii)
31872 return;
31873
31874- lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
31875- lp->a.write_bcr(ioaddr, 34, val);
31876+ lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
31877+ lp->a->write_bcr(ioaddr, 34, val);
31878 }
31879
31880 static int pcnet32_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
31881@@ -2748,7 +2748,7 @@ static void pcnet32_check_media(struct n
31882 curr_link = mii_link_ok(&lp->mii_if);
31883 } else {
31884 ulong ioaddr = dev->base_addr; /* card base I/O address */
31885- curr_link = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
31886+ curr_link = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
31887 }
31888 if (!curr_link) {
31889 if (prev_link || verbose) {
31890@@ -2771,13 +2771,13 @@ static void pcnet32_check_media(struct n
31891 (ecmd.duplex == DUPLEX_FULL)
31892 ? "full" : "half");
31893 }
31894- bcr9 = lp->a.read_bcr(dev->base_addr, 9);
31895+ bcr9 = lp->a->read_bcr(dev->base_addr, 9);
31896 if ((bcr9 & (1 << 0)) != lp->mii_if.full_duplex) {
31897 if (lp->mii_if.full_duplex)
31898 bcr9 |= (1 << 0);
31899 else
31900 bcr9 &= ~(1 << 0);
31901- lp->a.write_bcr(dev->base_addr, 9, bcr9);
31902+ lp->a->write_bcr(dev->base_addr, 9, bcr9);
31903 }
31904 } else {
31905 netif_info(lp, link, dev, "link up\n");
31906diff -urNp linux-3.0.7/drivers/net/ppp_generic.c linux-3.0.7/drivers/net/ppp_generic.c
31907--- linux-3.0.7/drivers/net/ppp_generic.c 2011-07-21 22:17:23.000000000 -0400
31908+++ linux-3.0.7/drivers/net/ppp_generic.c 2011-08-23 21:47:55.000000000 -0400
31909@@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, st
31910 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
31911 struct ppp_stats stats;
31912 struct ppp_comp_stats cstats;
31913- char *vers;
31914
31915 switch (cmd) {
31916 case SIOCGPPPSTATS:
31917@@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, st
31918 break;
31919
31920 case SIOCGPPPVER:
31921- vers = PPP_VERSION;
31922- if (copy_to_user(addr, vers, strlen(vers) + 1))
31923+ if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
31924 break;
31925 err = 0;
31926 break;
31927diff -urNp linux-3.0.7/drivers/net/r8169.c linux-3.0.7/drivers/net/r8169.c
31928--- linux-3.0.7/drivers/net/r8169.c 2011-09-02 18:11:21.000000000 -0400
31929+++ linux-3.0.7/drivers/net/r8169.c 2011-08-23 21:47:55.000000000 -0400
31930@@ -645,12 +645,12 @@ struct rtl8169_private {
31931 struct mdio_ops {
31932 void (*write)(void __iomem *, int, int);
31933 int (*read)(void __iomem *, int);
31934- } mdio_ops;
31935+ } __no_const mdio_ops;
31936
31937 struct pll_power_ops {
31938 void (*down)(struct rtl8169_private *);
31939 void (*up)(struct rtl8169_private *);
31940- } pll_power_ops;
31941+ } __no_const pll_power_ops;
31942
31943 int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
31944 int (*get_settings)(struct net_device *, struct ethtool_cmd *);
31945diff -urNp linux-3.0.7/drivers/net/sis190.c linux-3.0.7/drivers/net/sis190.c
31946--- linux-3.0.7/drivers/net/sis190.c 2011-09-02 18:11:21.000000000 -0400
31947+++ linux-3.0.7/drivers/net/sis190.c 2011-10-11 10:44:33.000000000 -0400
31948@@ -1623,7 +1623,7 @@ static int __devinit sis190_get_mac_addr
31949 static int __devinit sis190_get_mac_addr_from_apc(struct pci_dev *pdev,
31950 struct net_device *dev)
31951 {
31952- static const u16 __devinitdata ids[] = { 0x0965, 0x0966, 0x0968 };
31953+ static const u16 __devinitconst ids[] = { 0x0965, 0x0966, 0x0968 };
31954 struct sis190_private *tp = netdev_priv(dev);
31955 struct pci_dev *isa_bridge;
31956 u8 reg, tmp8;
31957diff -urNp linux-3.0.7/drivers/net/sundance.c linux-3.0.7/drivers/net/sundance.c
31958--- linux-3.0.7/drivers/net/sundance.c 2011-07-21 22:17:23.000000000 -0400
31959+++ linux-3.0.7/drivers/net/sundance.c 2011-10-11 10:44:33.000000000 -0400
31960@@ -218,7 +218,7 @@ enum {
31961 struct pci_id_info {
31962 const char *name;
31963 };
31964-static const struct pci_id_info pci_id_tbl[] __devinitdata = {
31965+static const struct pci_id_info pci_id_tbl[] __devinitconst = {
31966 {"D-Link DFE-550TX FAST Ethernet Adapter"},
31967 {"D-Link DFE-550FX 100Mbps Fiber-optics Adapter"},
31968 {"D-Link DFE-580TX 4 port Server Adapter"},
31969diff -urNp linux-3.0.7/drivers/net/tg3.h linux-3.0.7/drivers/net/tg3.h
31970--- linux-3.0.7/drivers/net/tg3.h 2011-07-21 22:17:23.000000000 -0400
31971+++ linux-3.0.7/drivers/net/tg3.h 2011-08-23 21:47:55.000000000 -0400
31972@@ -134,6 +134,7 @@
31973 #define CHIPREV_ID_5750_A0 0x4000
31974 #define CHIPREV_ID_5750_A1 0x4001
31975 #define CHIPREV_ID_5750_A3 0x4003
31976+#define CHIPREV_ID_5750_C1 0x4201
31977 #define CHIPREV_ID_5750_C2 0x4202
31978 #define CHIPREV_ID_5752_A0_HW 0x5000
31979 #define CHIPREV_ID_5752_A0 0x6000
31980diff -urNp linux-3.0.7/drivers/net/tokenring/abyss.c linux-3.0.7/drivers/net/tokenring/abyss.c
31981--- linux-3.0.7/drivers/net/tokenring/abyss.c 2011-07-21 22:17:23.000000000 -0400
31982+++ linux-3.0.7/drivers/net/tokenring/abyss.c 2011-08-23 21:47:55.000000000 -0400
31983@@ -451,10 +451,12 @@ static struct pci_driver abyss_driver =
31984
31985 static int __init abyss_init (void)
31986 {
31987- abyss_netdev_ops = tms380tr_netdev_ops;
31988+ pax_open_kernel();
31989+ memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
31990
31991- abyss_netdev_ops.ndo_open = abyss_open;
31992- abyss_netdev_ops.ndo_stop = abyss_close;
31993+ *(void **)&abyss_netdev_ops.ndo_open = abyss_open;
31994+ *(void **)&abyss_netdev_ops.ndo_stop = abyss_close;
31995+ pax_close_kernel();
31996
31997 return pci_register_driver(&abyss_driver);
31998 }
31999diff -urNp linux-3.0.7/drivers/net/tokenring/madgemc.c linux-3.0.7/drivers/net/tokenring/madgemc.c
32000--- linux-3.0.7/drivers/net/tokenring/madgemc.c 2011-07-21 22:17:23.000000000 -0400
32001+++ linux-3.0.7/drivers/net/tokenring/madgemc.c 2011-08-23 21:47:55.000000000 -0400
32002@@ -744,9 +744,11 @@ static struct mca_driver madgemc_driver
32003
32004 static int __init madgemc_init (void)
32005 {
32006- madgemc_netdev_ops = tms380tr_netdev_ops;
32007- madgemc_netdev_ops.ndo_open = madgemc_open;
32008- madgemc_netdev_ops.ndo_stop = madgemc_close;
32009+ pax_open_kernel();
32010+ memcpy((void *)&madgemc_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32011+ *(void **)&madgemc_netdev_ops.ndo_open = madgemc_open;
32012+ *(void **)&madgemc_netdev_ops.ndo_stop = madgemc_close;
32013+ pax_close_kernel();
32014
32015 return mca_register_driver (&madgemc_driver);
32016 }
32017diff -urNp linux-3.0.7/drivers/net/tokenring/proteon.c linux-3.0.7/drivers/net/tokenring/proteon.c
32018--- linux-3.0.7/drivers/net/tokenring/proteon.c 2011-07-21 22:17:23.000000000 -0400
32019+++ linux-3.0.7/drivers/net/tokenring/proteon.c 2011-08-23 21:47:55.000000000 -0400
32020@@ -353,9 +353,11 @@ static int __init proteon_init(void)
32021 struct platform_device *pdev;
32022 int i, num = 0, err = 0;
32023
32024- proteon_netdev_ops = tms380tr_netdev_ops;
32025- proteon_netdev_ops.ndo_open = proteon_open;
32026- proteon_netdev_ops.ndo_stop = tms380tr_close;
32027+ pax_open_kernel();
32028+ memcpy((void *)&proteon_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32029+ *(void **)&proteon_netdev_ops.ndo_open = proteon_open;
32030+ *(void **)&proteon_netdev_ops.ndo_stop = tms380tr_close;
32031+ pax_close_kernel();
32032
32033 err = platform_driver_register(&proteon_driver);
32034 if (err)
32035diff -urNp linux-3.0.7/drivers/net/tokenring/skisa.c linux-3.0.7/drivers/net/tokenring/skisa.c
32036--- linux-3.0.7/drivers/net/tokenring/skisa.c 2011-07-21 22:17:23.000000000 -0400
32037+++ linux-3.0.7/drivers/net/tokenring/skisa.c 2011-08-23 21:47:55.000000000 -0400
32038@@ -363,9 +363,11 @@ static int __init sk_isa_init(void)
32039 struct platform_device *pdev;
32040 int i, num = 0, err = 0;
32041
32042- sk_isa_netdev_ops = tms380tr_netdev_ops;
32043- sk_isa_netdev_ops.ndo_open = sk_isa_open;
32044- sk_isa_netdev_ops.ndo_stop = tms380tr_close;
32045+ pax_open_kernel();
32046+ memcpy((void *)&sk_isa_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32047+ *(void **)&sk_isa_netdev_ops.ndo_open = sk_isa_open;
32048+ *(void **)&sk_isa_netdev_ops.ndo_stop = tms380tr_close;
32049+ pax_close_kernel();
32050
32051 err = platform_driver_register(&sk_isa_driver);
32052 if (err)
32053diff -urNp linux-3.0.7/drivers/net/tulip/de2104x.c linux-3.0.7/drivers/net/tulip/de2104x.c
32054--- linux-3.0.7/drivers/net/tulip/de2104x.c 2011-07-21 22:17:23.000000000 -0400
32055+++ linux-3.0.7/drivers/net/tulip/de2104x.c 2011-08-23 21:48:14.000000000 -0400
32056@@ -1794,6 +1794,8 @@ static void __devinit de21041_get_srom_i
32057 struct de_srom_info_leaf *il;
32058 void *bufp;
32059
32060+ pax_track_stack();
32061+
32062 /* download entire eeprom */
32063 for (i = 0; i < DE_EEPROM_WORDS; i++)
32064 ((__le16 *)ee_data)[i] =
32065diff -urNp linux-3.0.7/drivers/net/tulip/de4x5.c linux-3.0.7/drivers/net/tulip/de4x5.c
32066--- linux-3.0.7/drivers/net/tulip/de4x5.c 2011-07-21 22:17:23.000000000 -0400
32067+++ linux-3.0.7/drivers/net/tulip/de4x5.c 2011-08-23 21:47:55.000000000 -0400
32068@@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
32069 for (i=0; i<ETH_ALEN; i++) {
32070 tmp.addr[i] = dev->dev_addr[i];
32071 }
32072- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
32073+ if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
32074 break;
32075
32076 case DE4X5_SET_HWADDR: /* Set the hardware address */
32077@@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
32078 spin_lock_irqsave(&lp->lock, flags);
32079 memcpy(&statbuf, &lp->pktStats, ioc->len);
32080 spin_unlock_irqrestore(&lp->lock, flags);
32081- if (copy_to_user(ioc->data, &statbuf, ioc->len))
32082+ if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
32083 return -EFAULT;
32084 break;
32085 }
32086diff -urNp linux-3.0.7/drivers/net/tulip/eeprom.c linux-3.0.7/drivers/net/tulip/eeprom.c
32087--- linux-3.0.7/drivers/net/tulip/eeprom.c 2011-07-21 22:17:23.000000000 -0400
32088+++ linux-3.0.7/drivers/net/tulip/eeprom.c 2011-10-11 10:44:33.000000000 -0400
32089@@ -81,7 +81,7 @@ static struct eeprom_fixup eeprom_fixups
32090 {NULL}};
32091
32092
32093-static const char *block_name[] __devinitdata = {
32094+static const char *block_name[] __devinitconst = {
32095 "21140 non-MII",
32096 "21140 MII PHY",
32097 "21142 Serial PHY",
32098diff -urNp linux-3.0.7/drivers/net/tulip/winbond-840.c linux-3.0.7/drivers/net/tulip/winbond-840.c
32099--- linux-3.0.7/drivers/net/tulip/winbond-840.c 2011-07-21 22:17:23.000000000 -0400
32100+++ linux-3.0.7/drivers/net/tulip/winbond-840.c 2011-10-11 10:44:33.000000000 -0400
32101@@ -236,7 +236,7 @@ struct pci_id_info {
32102 int drv_flags; /* Driver use, intended as capability flags. */
32103 };
32104
32105-static const struct pci_id_info pci_id_tbl[] __devinitdata = {
32106+static const struct pci_id_info pci_id_tbl[] __devinitconst = {
32107 { /* Sometime a Level-One switch card. */
32108 "Winbond W89c840", CanHaveMII | HasBrokenTx | FDXOnNoMII},
32109 { "Winbond W89c840", CanHaveMII | HasBrokenTx},
32110diff -urNp linux-3.0.7/drivers/net/usb/hso.c linux-3.0.7/drivers/net/usb/hso.c
32111--- linux-3.0.7/drivers/net/usb/hso.c 2011-07-21 22:17:23.000000000 -0400
32112+++ linux-3.0.7/drivers/net/usb/hso.c 2011-08-23 21:47:55.000000000 -0400
32113@@ -71,7 +71,7 @@
32114 #include <asm/byteorder.h>
32115 #include <linux/serial_core.h>
32116 #include <linux/serial.h>
32117-
32118+#include <asm/local.h>
32119
32120 #define MOD_AUTHOR "Option Wireless"
32121 #define MOD_DESCRIPTION "USB High Speed Option driver"
32122@@ -257,7 +257,7 @@ struct hso_serial {
32123
32124 /* from usb_serial_port */
32125 struct tty_struct *tty;
32126- int open_count;
32127+ local_t open_count;
32128 spinlock_t serial_lock;
32129
32130 int (*write_data) (struct hso_serial *serial);
32131@@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
32132 struct urb *urb;
32133
32134 urb = serial->rx_urb[0];
32135- if (serial->open_count > 0) {
32136+ if (local_read(&serial->open_count) > 0) {
32137 count = put_rxbuf_data(urb, serial);
32138 if (count == -1)
32139 return;
32140@@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
32141 DUMP1(urb->transfer_buffer, urb->actual_length);
32142
32143 /* Anyone listening? */
32144- if (serial->open_count == 0)
32145+ if (local_read(&serial->open_count) == 0)
32146 return;
32147
32148 if (status == 0) {
32149@@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
32150 spin_unlock_irq(&serial->serial_lock);
32151
32152 /* check for port already opened, if not set the termios */
32153- serial->open_count++;
32154- if (serial->open_count == 1) {
32155+ if (local_inc_return(&serial->open_count) == 1) {
32156 serial->rx_state = RX_IDLE;
32157 /* Force default termio settings */
32158 _hso_serial_set_termios(tty, NULL);
32159@@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
32160 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
32161 if (result) {
32162 hso_stop_serial_device(serial->parent);
32163- serial->open_count--;
32164+ local_dec(&serial->open_count);
32165 kref_put(&serial->parent->ref, hso_serial_ref_free);
32166 }
32167 } else {
32168@@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
32169
32170 /* reset the rts and dtr */
32171 /* do the actual close */
32172- serial->open_count--;
32173+ local_dec(&serial->open_count);
32174
32175- if (serial->open_count <= 0) {
32176- serial->open_count = 0;
32177+ if (local_read(&serial->open_count) <= 0) {
32178+ local_set(&serial->open_count, 0);
32179 spin_lock_irq(&serial->serial_lock);
32180 if (serial->tty == tty) {
32181 serial->tty->driver_data = NULL;
32182@@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
32183
32184 /* the actual setup */
32185 spin_lock_irqsave(&serial->serial_lock, flags);
32186- if (serial->open_count)
32187+ if (local_read(&serial->open_count))
32188 _hso_serial_set_termios(tty, old);
32189 else
32190 tty->termios = old;
32191@@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
32192 D1("Pending read interrupt on port %d\n", i);
32193 spin_lock(&serial->serial_lock);
32194 if (serial->rx_state == RX_IDLE &&
32195- serial->open_count > 0) {
32196+ local_read(&serial->open_count) > 0) {
32197 /* Setup and send a ctrl req read on
32198 * port i */
32199 if (!serial->rx_urb_filled[0]) {
32200@@ -3098,7 +3097,7 @@ static int hso_resume(struct usb_interfa
32201 /* Start all serial ports */
32202 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
32203 if (serial_table[i] && (serial_table[i]->interface == iface)) {
32204- if (dev2ser(serial_table[i])->open_count) {
32205+ if (local_read(&dev2ser(serial_table[i])->open_count)) {
32206 result =
32207 hso_start_serial_device(serial_table[i], GFP_NOIO);
32208 hso_kick_transmit(dev2ser(serial_table[i]));
32209diff -urNp linux-3.0.7/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-3.0.7/drivers/net/vmxnet3/vmxnet3_ethtool.c
32210--- linux-3.0.7/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-07-21 22:17:23.000000000 -0400
32211+++ linux-3.0.7/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-08-23 21:47:55.000000000 -0400
32212@@ -594,8 +594,7 @@ vmxnet3_set_rss_indir(struct net_device
32213 * Return with error code if any of the queue indices
32214 * is out of range
32215 */
32216- if (p->ring_index[i] < 0 ||
32217- p->ring_index[i] >= adapter->num_rx_queues)
32218+ if (p->ring_index[i] >= adapter->num_rx_queues)
32219 return -EINVAL;
32220 }
32221
32222diff -urNp linux-3.0.7/drivers/net/vxge/vxge-config.h linux-3.0.7/drivers/net/vxge/vxge-config.h
32223--- linux-3.0.7/drivers/net/vxge/vxge-config.h 2011-07-21 22:17:23.000000000 -0400
32224+++ linux-3.0.7/drivers/net/vxge/vxge-config.h 2011-08-23 21:47:55.000000000 -0400
32225@@ -512,7 +512,7 @@ struct vxge_hw_uld_cbs {
32226 void (*link_down)(struct __vxge_hw_device *devh);
32227 void (*crit_err)(struct __vxge_hw_device *devh,
32228 enum vxge_hw_event type, u64 ext_data);
32229-};
32230+} __no_const;
32231
32232 /*
32233 * struct __vxge_hw_blockpool_entry - Block private data structure
32234diff -urNp linux-3.0.7/drivers/net/vxge/vxge-main.c linux-3.0.7/drivers/net/vxge/vxge-main.c
32235--- linux-3.0.7/drivers/net/vxge/vxge-main.c 2011-07-21 22:17:23.000000000 -0400
32236+++ linux-3.0.7/drivers/net/vxge/vxge-main.c 2011-08-23 21:48:14.000000000 -0400
32237@@ -98,6 +98,8 @@ static inline void VXGE_COMPLETE_VPATH_T
32238 struct sk_buff *completed[NR_SKB_COMPLETED];
32239 int more;
32240
32241+ pax_track_stack();
32242+
32243 do {
32244 more = 0;
32245 skb_ptr = completed;
32246@@ -1920,6 +1922,8 @@ static enum vxge_hw_status vxge_rth_conf
32247 u8 mtable[256] = {0}; /* CPU to vpath mapping */
32248 int index;
32249
32250+ pax_track_stack();
32251+
32252 /*
32253 * Filling
32254 * - itable with bucket numbers
32255diff -urNp linux-3.0.7/drivers/net/vxge/vxge-traffic.h linux-3.0.7/drivers/net/vxge/vxge-traffic.h
32256--- linux-3.0.7/drivers/net/vxge/vxge-traffic.h 2011-07-21 22:17:23.000000000 -0400
32257+++ linux-3.0.7/drivers/net/vxge/vxge-traffic.h 2011-08-23 21:47:55.000000000 -0400
32258@@ -2088,7 +2088,7 @@ struct vxge_hw_mempool_cbs {
32259 struct vxge_hw_mempool_dma *dma_object,
32260 u32 index,
32261 u32 is_last);
32262-};
32263+} __no_const;
32264
32265 #define VXGE_HW_VIRTUAL_PATH_HANDLE(vpath) \
32266 ((struct __vxge_hw_vpath_handle *)(vpath)->vpath_handles.next)
32267diff -urNp linux-3.0.7/drivers/net/wan/cycx_x25.c linux-3.0.7/drivers/net/wan/cycx_x25.c
32268--- linux-3.0.7/drivers/net/wan/cycx_x25.c 2011-07-21 22:17:23.000000000 -0400
32269+++ linux-3.0.7/drivers/net/wan/cycx_x25.c 2011-08-23 21:48:14.000000000 -0400
32270@@ -1018,6 +1018,8 @@ static void hex_dump(char *msg, unsigned
32271 unsigned char hex[1024],
32272 * phex = hex;
32273
32274+ pax_track_stack();
32275+
32276 if (len >= (sizeof(hex) / 2))
32277 len = (sizeof(hex) / 2) - 1;
32278
32279diff -urNp linux-3.0.7/drivers/net/wan/hdlc_x25.c linux-3.0.7/drivers/net/wan/hdlc_x25.c
32280--- linux-3.0.7/drivers/net/wan/hdlc_x25.c 2011-07-21 22:17:23.000000000 -0400
32281+++ linux-3.0.7/drivers/net/wan/hdlc_x25.c 2011-08-23 21:47:55.000000000 -0400
32282@@ -136,16 +136,16 @@ static netdev_tx_t x25_xmit(struct sk_bu
32283
32284 static int x25_open(struct net_device *dev)
32285 {
32286- struct lapb_register_struct cb;
32287+ static struct lapb_register_struct cb = {
32288+ .connect_confirmation = x25_connected,
32289+ .connect_indication = x25_connected,
32290+ .disconnect_confirmation = x25_disconnected,
32291+ .disconnect_indication = x25_disconnected,
32292+ .data_indication = x25_data_indication,
32293+ .data_transmit = x25_data_transmit
32294+ };
32295 int result;
32296
32297- cb.connect_confirmation = x25_connected;
32298- cb.connect_indication = x25_connected;
32299- cb.disconnect_confirmation = x25_disconnected;
32300- cb.disconnect_indication = x25_disconnected;
32301- cb.data_indication = x25_data_indication;
32302- cb.data_transmit = x25_data_transmit;
32303-
32304 result = lapb_register(dev, &cb);
32305 if (result != LAPB_OK)
32306 return result;
32307diff -urNp linux-3.0.7/drivers/net/wimax/i2400m/usb-fw.c linux-3.0.7/drivers/net/wimax/i2400m/usb-fw.c
32308--- linux-3.0.7/drivers/net/wimax/i2400m/usb-fw.c 2011-07-21 22:17:23.000000000 -0400
32309+++ linux-3.0.7/drivers/net/wimax/i2400m/usb-fw.c 2011-08-23 21:48:14.000000000 -0400
32310@@ -287,6 +287,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
32311 int do_autopm = 1;
32312 DECLARE_COMPLETION_ONSTACK(notif_completion);
32313
32314+ pax_track_stack();
32315+
32316 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
32317 i2400m, ack, ack_size);
32318 BUG_ON(_ack == i2400m->bm_ack_buf);
32319diff -urNp linux-3.0.7/drivers/net/wireless/airo.c linux-3.0.7/drivers/net/wireless/airo.c
32320--- linux-3.0.7/drivers/net/wireless/airo.c 2011-09-02 18:11:21.000000000 -0400
32321+++ linux-3.0.7/drivers/net/wireless/airo.c 2011-08-23 21:48:14.000000000 -0400
32322@@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
32323 BSSListElement * loop_net;
32324 BSSListElement * tmp_net;
32325
32326+ pax_track_stack();
32327+
32328 /* Blow away current list of scan results */
32329 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
32330 list_move_tail (&loop_net->list, &ai->network_free_list);
32331@@ -3794,6 +3796,8 @@ static u16 setup_card(struct airo_info *
32332 WepKeyRid wkr;
32333 int rc;
32334
32335+ pax_track_stack();
32336+
32337 memset( &mySsid, 0, sizeof( mySsid ) );
32338 kfree (ai->flash);
32339 ai->flash = NULL;
32340@@ -4753,6 +4757,8 @@ static int proc_stats_rid_open( struct i
32341 __le32 *vals = stats.vals;
32342 int len;
32343
32344+ pax_track_stack();
32345+
32346 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
32347 return -ENOMEM;
32348 data = file->private_data;
32349@@ -5476,6 +5482,8 @@ static int proc_BSSList_open( struct ino
32350 /* If doLoseSync is not 1, we won't do a Lose Sync */
32351 int doLoseSync = -1;
32352
32353+ pax_track_stack();
32354+
32355 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
32356 return -ENOMEM;
32357 data = file->private_data;
32358@@ -7181,6 +7189,8 @@ static int airo_get_aplist(struct net_de
32359 int i;
32360 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
32361
32362+ pax_track_stack();
32363+
32364 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
32365 if (!qual)
32366 return -ENOMEM;
32367@@ -7741,6 +7751,8 @@ static void airo_read_wireless_stats(str
32368 CapabilityRid cap_rid;
32369 __le32 *vals = stats_rid.vals;
32370
32371+ pax_track_stack();
32372+
32373 /* Get stats out of the card */
32374 clear_bit(JOB_WSTATS, &local->jobs);
32375 if (local->power.event) {
32376diff -urNp linux-3.0.7/drivers/net/wireless/ath/ath.h linux-3.0.7/drivers/net/wireless/ath/ath.h
32377--- linux-3.0.7/drivers/net/wireless/ath/ath.h 2011-07-21 22:17:23.000000000 -0400
32378+++ linux-3.0.7/drivers/net/wireless/ath/ath.h 2011-08-23 21:47:55.000000000 -0400
32379@@ -121,6 +121,7 @@ struct ath_ops {
32380 void (*write_flush) (void *);
32381 u32 (*rmw)(void *, u32 reg_offset, u32 set, u32 clr);
32382 };
32383+typedef struct ath_ops __no_const ath_ops_no_const;
32384
32385 struct ath_common;
32386 struct ath_bus_ops;
32387diff -urNp linux-3.0.7/drivers/net/wireless/ath/ath5k/debug.c linux-3.0.7/drivers/net/wireless/ath/ath5k/debug.c
32388--- linux-3.0.7/drivers/net/wireless/ath/ath5k/debug.c 2011-07-21 22:17:23.000000000 -0400
32389+++ linux-3.0.7/drivers/net/wireless/ath/ath5k/debug.c 2011-08-23 21:48:14.000000000 -0400
32390@@ -204,6 +204,8 @@ static ssize_t read_file_beacon(struct f
32391 unsigned int v;
32392 u64 tsf;
32393
32394+ pax_track_stack();
32395+
32396 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
32397 len += snprintf(buf+len, sizeof(buf)-len,
32398 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
32399@@ -323,6 +325,8 @@ static ssize_t read_file_debug(struct fi
32400 unsigned int len = 0;
32401 unsigned int i;
32402
32403+ pax_track_stack();
32404+
32405 len += snprintf(buf+len, sizeof(buf)-len,
32406 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
32407
32408@@ -384,6 +388,8 @@ static ssize_t read_file_antenna(struct
32409 unsigned int i;
32410 unsigned int v;
32411
32412+ pax_track_stack();
32413+
32414 len += snprintf(buf+len, sizeof(buf)-len, "antenna mode\t%d\n",
32415 sc->ah->ah_ant_mode);
32416 len += snprintf(buf+len, sizeof(buf)-len, "default antenna\t%d\n",
32417@@ -494,6 +500,8 @@ static ssize_t read_file_misc(struct fil
32418 unsigned int len = 0;
32419 u32 filt = ath5k_hw_get_rx_filter(sc->ah);
32420
32421+ pax_track_stack();
32422+
32423 len += snprintf(buf+len, sizeof(buf)-len, "bssid-mask: %pM\n",
32424 sc->bssidmask);
32425 len += snprintf(buf+len, sizeof(buf)-len, "filter-flags: 0x%x ",
32426@@ -550,6 +558,8 @@ static ssize_t read_file_frameerrors(str
32427 unsigned int len = 0;
32428 int i;
32429
32430+ pax_track_stack();
32431+
32432 len += snprintf(buf+len, sizeof(buf)-len,
32433 "RX\n---------------------\n");
32434 len += snprintf(buf+len, sizeof(buf)-len, "CRC\t%u\t(%u%%)\n",
32435@@ -667,6 +677,8 @@ static ssize_t read_file_ani(struct file
32436 char buf[700];
32437 unsigned int len = 0;
32438
32439+ pax_track_stack();
32440+
32441 len += snprintf(buf+len, sizeof(buf)-len,
32442 "HW has PHY error counters:\t%s\n",
32443 sc->ah->ah_capabilities.cap_has_phyerr_counters ?
32444@@ -827,6 +839,8 @@ static ssize_t read_file_queue(struct fi
32445 struct ath5k_buf *bf, *bf0;
32446 int i, n;
32447
32448+ pax_track_stack();
32449+
32450 len += snprintf(buf+len, sizeof(buf)-len,
32451 "available txbuffers: %d\n", sc->txbuf_len);
32452
32453diff -urNp linux-3.0.7/drivers/net/wireless/ath/ath9k/ar9003_calib.c linux-3.0.7/drivers/net/wireless/ath/ath9k/ar9003_calib.c
32454--- linux-3.0.7/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-07-21 22:17:23.000000000 -0400
32455+++ linux-3.0.7/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-08-23 21:48:14.000000000 -0400
32456@@ -757,6 +757,8 @@ static void ar9003_hw_tx_iq_cal_post_pro
32457 int i, im, j;
32458 int nmeasurement;
32459
32460+ pax_track_stack();
32461+
32462 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
32463 if (ah->txchainmask & (1 << i))
32464 num_chains++;
32465diff -urNp linux-3.0.7/drivers/net/wireless/ath/ath9k/ar9003_paprd.c linux-3.0.7/drivers/net/wireless/ath/ath9k/ar9003_paprd.c
32466--- linux-3.0.7/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-07-21 22:17:23.000000000 -0400
32467+++ linux-3.0.7/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-08-23 21:48:14.000000000 -0400
32468@@ -356,6 +356,8 @@ static bool create_pa_curve(u32 *data_L,
32469 int theta_low_bin = 0;
32470 int i;
32471
32472+ pax_track_stack();
32473+
32474 /* disregard any bin that contains <= 16 samples */
32475 thresh_accum_cnt = 16;
32476 scale_factor = 5;
32477diff -urNp linux-3.0.7/drivers/net/wireless/ath/ath9k/debug.c linux-3.0.7/drivers/net/wireless/ath/ath9k/debug.c
32478--- linux-3.0.7/drivers/net/wireless/ath/ath9k/debug.c 2011-07-21 22:17:23.000000000 -0400
32479+++ linux-3.0.7/drivers/net/wireless/ath/ath9k/debug.c 2011-08-23 21:48:14.000000000 -0400
32480@@ -337,6 +337,8 @@ static ssize_t read_file_interrupt(struc
32481 char buf[512];
32482 unsigned int len = 0;
32483
32484+ pax_track_stack();
32485+
32486 if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
32487 len += snprintf(buf + len, sizeof(buf) - len,
32488 "%8s: %10u\n", "RXLP", sc->debug.stats.istats.rxlp);
32489@@ -427,6 +429,8 @@ static ssize_t read_file_wiphy(struct fi
32490 u8 addr[ETH_ALEN];
32491 u32 tmp;
32492
32493+ pax_track_stack();
32494+
32495 len += snprintf(buf + len, sizeof(buf) - len,
32496 "%s (chan=%d center-freq: %d MHz channel-type: %d (%s))\n",
32497 wiphy_name(sc->hw->wiphy),
32498diff -urNp linux-3.0.7/drivers/net/wireless/ath/ath9k/htc_drv_debug.c linux-3.0.7/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
32499--- linux-3.0.7/drivers/net/wireless/ath/ath9k/htc_drv_debug.c 2011-07-21 22:17:23.000000000 -0400
32500+++ linux-3.0.7/drivers/net/wireless/ath/ath9k/htc_drv_debug.c 2011-08-23 21:48:14.000000000 -0400
32501@@ -31,6 +31,8 @@ static ssize_t read_file_tgt_int_stats(s
32502 unsigned int len = 0;
32503 int ret = 0;
32504
32505+ pax_track_stack();
32506+
32507 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32508
32509 ath9k_htc_ps_wakeup(priv);
32510@@ -89,6 +91,8 @@ static ssize_t read_file_tgt_tx_stats(st
32511 unsigned int len = 0;
32512 int ret = 0;
32513
32514+ pax_track_stack();
32515+
32516 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32517
32518 ath9k_htc_ps_wakeup(priv);
32519@@ -159,6 +163,8 @@ static ssize_t read_file_tgt_rx_stats(st
32520 unsigned int len = 0;
32521 int ret = 0;
32522
32523+ pax_track_stack();
32524+
32525 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32526
32527 ath9k_htc_ps_wakeup(priv);
32528@@ -203,6 +209,8 @@ static ssize_t read_file_xmit(struct fil
32529 char buf[512];
32530 unsigned int len = 0;
32531
32532+ pax_track_stack();
32533+
32534 len += snprintf(buf + len, sizeof(buf) - len,
32535 "%20s : %10u\n", "Buffers queued",
32536 priv->debug.tx_stats.buf_queued);
32537@@ -376,6 +384,8 @@ static ssize_t read_file_slot(struct fil
32538 char buf[512];
32539 unsigned int len = 0;
32540
32541+ pax_track_stack();
32542+
32543 spin_lock_bh(&priv->tx.tx_lock);
32544
32545 len += snprintf(buf + len, sizeof(buf) - len, "TX slot bitmap : ");
32546@@ -411,6 +421,8 @@ static ssize_t read_file_queue(struct fi
32547 char buf[512];
32548 unsigned int len = 0;
32549
32550+ pax_track_stack();
32551+
32552 len += snprintf(buf + len, sizeof(buf) - len, "%20s : %10u\n",
32553 "Mgmt endpoint", skb_queue_len(&priv->tx.mgmt_ep_queue));
32554
32555diff -urNp linux-3.0.7/drivers/net/wireless/ath/ath9k/hw.h linux-3.0.7/drivers/net/wireless/ath/ath9k/hw.h
32556--- linux-3.0.7/drivers/net/wireless/ath/ath9k/hw.h 2011-09-02 18:11:21.000000000 -0400
32557+++ linux-3.0.7/drivers/net/wireless/ath/ath9k/hw.h 2011-08-23 21:47:55.000000000 -0400
32558@@ -585,7 +585,7 @@ struct ath_hw_private_ops {
32559
32560 /* ANI */
32561 void (*ani_cache_ini_regs)(struct ath_hw *ah);
32562-};
32563+} __no_const;
32564
32565 /**
32566 * struct ath_hw_ops - callbacks used by hardware code and driver code
32567@@ -637,7 +637,7 @@ struct ath_hw_ops {
32568 void (*antdiv_comb_conf_set)(struct ath_hw *ah,
32569 struct ath_hw_antcomb_conf *antconf);
32570
32571-};
32572+} __no_const;
32573
32574 struct ath_nf_limits {
32575 s16 max;
32576@@ -650,7 +650,7 @@ struct ath_nf_limits {
32577 #define AH_UNPLUGGED 0x2 /* The card has been physically removed. */
32578
32579 struct ath_hw {
32580- struct ath_ops reg_ops;
32581+ ath_ops_no_const reg_ops;
32582
32583 struct ieee80211_hw *hw;
32584 struct ath_common common;
32585diff -urNp linux-3.0.7/drivers/net/wireless/ipw2x00/ipw2100.c linux-3.0.7/drivers/net/wireless/ipw2x00/ipw2100.c
32586--- linux-3.0.7/drivers/net/wireless/ipw2x00/ipw2100.c 2011-07-21 22:17:23.000000000 -0400
32587+++ linux-3.0.7/drivers/net/wireless/ipw2x00/ipw2100.c 2011-08-23 21:48:14.000000000 -0400
32588@@ -2100,6 +2100,8 @@ static int ipw2100_set_essid(struct ipw2
32589 int err;
32590 DECLARE_SSID_BUF(ssid);
32591
32592+ pax_track_stack();
32593+
32594 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
32595
32596 if (ssid_len)
32597@@ -5449,6 +5451,8 @@ static int ipw2100_set_key(struct ipw210
32598 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
32599 int err;
32600
32601+ pax_track_stack();
32602+
32603 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
32604 idx, keylen, len);
32605
32606diff -urNp linux-3.0.7/drivers/net/wireless/ipw2x00/libipw_rx.c linux-3.0.7/drivers/net/wireless/ipw2x00/libipw_rx.c
32607--- linux-3.0.7/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-07-21 22:17:23.000000000 -0400
32608+++ linux-3.0.7/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-08-23 21:48:14.000000000 -0400
32609@@ -1565,6 +1565,8 @@ static void libipw_process_probe_respons
32610 unsigned long flags;
32611 DECLARE_SSID_BUF(ssid);
32612
32613+ pax_track_stack();
32614+
32615 LIBIPW_DEBUG_SCAN("'%s' (%pM"
32616 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
32617 print_ssid(ssid, info_element->data, info_element->len),
32618diff -urNp linux-3.0.7/drivers/net/wireless/iwlegacy/iwl3945-base.c linux-3.0.7/drivers/net/wireless/iwlegacy/iwl3945-base.c
32619--- linux-3.0.7/drivers/net/wireless/iwlegacy/iwl3945-base.c 2011-10-16 21:54:54.000000000 -0400
32620+++ linux-3.0.7/drivers/net/wireless/iwlegacy/iwl3945-base.c 2011-10-16 21:55:27.000000000 -0400
32621@@ -3962,7 +3962,9 @@ static int iwl3945_pci_probe(struct pci_
32622 */
32623 if (iwl3945_mod_params.disable_hw_scan) {
32624 IWL_DEBUG_INFO(priv, "Disabling hw_scan\n");
32625- iwl3945_hw_ops.hw_scan = NULL;
32626+ pax_open_kernel();
32627+ *(void **)&iwl3945_hw_ops.hw_scan = NULL;
32628+ pax_close_kernel();
32629 }
32630
32631 IWL_DEBUG_INFO(priv, "*** LOAD DRIVER ***\n");
32632diff -urNp linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
32633--- linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-07-21 22:17:23.000000000 -0400
32634+++ linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-08-23 21:48:14.000000000 -0400
32635@@ -910,6 +910,8 @@ static void rs_tx_status(void *priv_r, s
32636 struct iwl_station_priv *sta_priv = (void *)sta->drv_priv;
32637 struct iwl_rxon_context *ctx = sta_priv->common.ctx;
32638
32639+ pax_track_stack();
32640+
32641 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
32642
32643 /* Treat uninitialized rate scaling data same as non-existing. */
32644@@ -2918,6 +2920,8 @@ static void rs_fill_link_cmd(struct iwl_
32645 container_of(lq_sta, struct iwl_station_priv, lq_sta);
32646 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
32647
32648+ pax_track_stack();
32649+
32650 /* Override starting rate (index 0) if needed for debug purposes */
32651 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
32652
32653diff -urNp linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-debug.h linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-debug.h
32654--- linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-07-21 22:17:23.000000000 -0400
32655+++ linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-08-23 21:47:55.000000000 -0400
32656@@ -68,8 +68,8 @@ do {
32657 } while (0)
32658
32659 #else
32660-#define IWL_DEBUG(__priv, level, fmt, args...)
32661-#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
32662+#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
32663+#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
32664 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
32665 const void *p, u32 len)
32666 {}
32667diff -urNp linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-debugfs.c
32668--- linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-07-21 22:17:23.000000000 -0400
32669+++ linux-3.0.7/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-08-23 21:48:14.000000000 -0400
32670@@ -548,6 +548,8 @@ static ssize_t iwl_dbgfs_status_read(str
32671 int pos = 0;
32672 const size_t bufsz = sizeof(buf);
32673
32674+ pax_track_stack();
32675+
32676 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
32677 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
32678 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_INT_ENABLED:\t %d\n",
32679@@ -680,6 +682,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
32680 char buf[256 * NUM_IWL_RXON_CTX];
32681 const size_t bufsz = sizeof(buf);
32682
32683+ pax_track_stack();
32684+
32685 for_each_context(priv, ctx) {
32686 pos += scnprintf(buf + pos, bufsz - pos, "context %d:\n",
32687 ctx->ctxid);
32688diff -urNp linux-3.0.7/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-3.0.7/drivers/net/wireless/iwmc3200wifi/debugfs.c
32689--- linux-3.0.7/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-07-21 22:17:23.000000000 -0400
32690+++ linux-3.0.7/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-08-23 21:48:14.000000000 -0400
32691@@ -327,6 +327,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
32692 int buf_len = 512;
32693 size_t len = 0;
32694
32695+ pax_track_stack();
32696+
32697 if (*ppos != 0)
32698 return 0;
32699 if (count < sizeof(buf))
32700diff -urNp linux-3.0.7/drivers/net/wireless/mac80211_hwsim.c linux-3.0.7/drivers/net/wireless/mac80211_hwsim.c
32701--- linux-3.0.7/drivers/net/wireless/mac80211_hwsim.c 2011-07-21 22:17:23.000000000 -0400
32702+++ linux-3.0.7/drivers/net/wireless/mac80211_hwsim.c 2011-08-23 21:47:55.000000000 -0400
32703@@ -1260,9 +1260,11 @@ static int __init init_mac80211_hwsim(vo
32704 return -EINVAL;
32705
32706 if (fake_hw_scan) {
32707- mac80211_hwsim_ops.hw_scan = mac80211_hwsim_hw_scan;
32708- mac80211_hwsim_ops.sw_scan_start = NULL;
32709- mac80211_hwsim_ops.sw_scan_complete = NULL;
32710+ pax_open_kernel();
32711+ *(void **)&mac80211_hwsim_ops.hw_scan = mac80211_hwsim_hw_scan;
32712+ *(void **)&mac80211_hwsim_ops.sw_scan_start = NULL;
32713+ *(void **)&mac80211_hwsim_ops.sw_scan_complete = NULL;
32714+ pax_close_kernel();
32715 }
32716
32717 spin_lock_init(&hwsim_radio_lock);
32718diff -urNp linux-3.0.7/drivers/net/wireless/rndis_wlan.c linux-3.0.7/drivers/net/wireless/rndis_wlan.c
32719--- linux-3.0.7/drivers/net/wireless/rndis_wlan.c 2011-07-21 22:17:23.000000000 -0400
32720+++ linux-3.0.7/drivers/net/wireless/rndis_wlan.c 2011-08-23 21:47:55.000000000 -0400
32721@@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
32722
32723 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
32724
32725- if (rts_threshold < 0 || rts_threshold > 2347)
32726+ if (rts_threshold > 2347)
32727 rts_threshold = 2347;
32728
32729 tmp = cpu_to_le32(rts_threshold);
32730diff -urNp linux-3.0.7/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c linux-3.0.7/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c
32731--- linux-3.0.7/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-07-21 22:17:23.000000000 -0400
32732+++ linux-3.0.7/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-08-23 21:48:14.000000000 -0400
32733@@ -837,6 +837,8 @@ bool _rtl92c_phy_sw_chnl_step_by_step(st
32734 u8 rfpath;
32735 u8 num_total_rfpath = rtlphy->num_total_rfpath;
32736
32737+ pax_track_stack();
32738+
32739 precommoncmdcnt = 0;
32740 _rtl92c_phy_set_sw_chnl_cmdarray(precommoncmd, precommoncmdcnt++,
32741 MAX_PRECMD_CNT,
32742diff -urNp linux-3.0.7/drivers/net/wireless/wl1251/wl1251.h linux-3.0.7/drivers/net/wireless/wl1251/wl1251.h
32743--- linux-3.0.7/drivers/net/wireless/wl1251/wl1251.h 2011-07-21 22:17:23.000000000 -0400
32744+++ linux-3.0.7/drivers/net/wireless/wl1251/wl1251.h 2011-08-23 21:47:55.000000000 -0400
32745@@ -266,7 +266,7 @@ struct wl1251_if_operations {
32746 void (*reset)(struct wl1251 *wl);
32747 void (*enable_irq)(struct wl1251 *wl);
32748 void (*disable_irq)(struct wl1251 *wl);
32749-};
32750+} __no_const;
32751
32752 struct wl1251 {
32753 struct ieee80211_hw *hw;
32754diff -urNp linux-3.0.7/drivers/net/wireless/wl12xx/spi.c linux-3.0.7/drivers/net/wireless/wl12xx/spi.c
32755--- linux-3.0.7/drivers/net/wireless/wl12xx/spi.c 2011-07-21 22:17:23.000000000 -0400
32756+++ linux-3.0.7/drivers/net/wireless/wl12xx/spi.c 2011-08-23 21:48:14.000000000 -0400
32757@@ -280,6 +280,8 @@ static void wl1271_spi_raw_write(struct
32758 u32 chunk_len;
32759 int i;
32760
32761+ pax_track_stack();
32762+
32763 WARN_ON(len > WL1271_AGGR_BUFFER_SIZE);
32764
32765 spi_message_init(&m);
32766diff -urNp linux-3.0.7/drivers/oprofile/buffer_sync.c linux-3.0.7/drivers/oprofile/buffer_sync.c
32767--- linux-3.0.7/drivers/oprofile/buffer_sync.c 2011-07-21 22:17:23.000000000 -0400
32768+++ linux-3.0.7/drivers/oprofile/buffer_sync.c 2011-08-23 21:47:55.000000000 -0400
32769@@ -343,7 +343,7 @@ static void add_data(struct op_entry *en
32770 if (cookie == NO_COOKIE)
32771 offset = pc;
32772 if (cookie == INVALID_COOKIE) {
32773- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
32774+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
32775 offset = pc;
32776 }
32777 if (cookie != last_cookie) {
32778@@ -387,14 +387,14 @@ add_sample(struct mm_struct *mm, struct
32779 /* add userspace sample */
32780
32781 if (!mm) {
32782- atomic_inc(&oprofile_stats.sample_lost_no_mm);
32783+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
32784 return 0;
32785 }
32786
32787 cookie = lookup_dcookie(mm, s->eip, &offset);
32788
32789 if (cookie == INVALID_COOKIE) {
32790- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
32791+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
32792 return 0;
32793 }
32794
32795@@ -563,7 +563,7 @@ void sync_buffer(int cpu)
32796 /* ignore backtraces if failed to add a sample */
32797 if (state == sb_bt_start) {
32798 state = sb_bt_ignore;
32799- atomic_inc(&oprofile_stats.bt_lost_no_mapping);
32800+ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
32801 }
32802 }
32803 release_mm(mm);
32804diff -urNp linux-3.0.7/drivers/oprofile/event_buffer.c linux-3.0.7/drivers/oprofile/event_buffer.c
32805--- linux-3.0.7/drivers/oprofile/event_buffer.c 2011-07-21 22:17:23.000000000 -0400
32806+++ linux-3.0.7/drivers/oprofile/event_buffer.c 2011-08-23 21:47:55.000000000 -0400
32807@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
32808 }
32809
32810 if (buffer_pos == buffer_size) {
32811- atomic_inc(&oprofile_stats.event_lost_overflow);
32812+ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
32813 return;
32814 }
32815
32816diff -urNp linux-3.0.7/drivers/oprofile/oprof.c linux-3.0.7/drivers/oprofile/oprof.c
32817--- linux-3.0.7/drivers/oprofile/oprof.c 2011-07-21 22:17:23.000000000 -0400
32818+++ linux-3.0.7/drivers/oprofile/oprof.c 2011-08-23 21:47:55.000000000 -0400
32819@@ -110,7 +110,7 @@ static void switch_worker(struct work_st
32820 if (oprofile_ops.switch_events())
32821 return;
32822
32823- atomic_inc(&oprofile_stats.multiplex_counter);
32824+ atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
32825 start_switch_worker();
32826 }
32827
32828diff -urNp linux-3.0.7/drivers/oprofile/oprofile_stats.c linux-3.0.7/drivers/oprofile/oprofile_stats.c
32829--- linux-3.0.7/drivers/oprofile/oprofile_stats.c 2011-07-21 22:17:23.000000000 -0400
32830+++ linux-3.0.7/drivers/oprofile/oprofile_stats.c 2011-08-23 21:47:55.000000000 -0400
32831@@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
32832 cpu_buf->sample_invalid_eip = 0;
32833 }
32834
32835- atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
32836- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
32837- atomic_set(&oprofile_stats.event_lost_overflow, 0);
32838- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
32839- atomic_set(&oprofile_stats.multiplex_counter, 0);
32840+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
32841+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
32842+ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
32843+ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
32844+ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
32845 }
32846
32847
32848diff -urNp linux-3.0.7/drivers/oprofile/oprofile_stats.h linux-3.0.7/drivers/oprofile/oprofile_stats.h
32849--- linux-3.0.7/drivers/oprofile/oprofile_stats.h 2011-07-21 22:17:23.000000000 -0400
32850+++ linux-3.0.7/drivers/oprofile/oprofile_stats.h 2011-08-23 21:47:55.000000000 -0400
32851@@ -13,11 +13,11 @@
32852 #include <asm/atomic.h>
32853
32854 struct oprofile_stat_struct {
32855- atomic_t sample_lost_no_mm;
32856- atomic_t sample_lost_no_mapping;
32857- atomic_t bt_lost_no_mapping;
32858- atomic_t event_lost_overflow;
32859- atomic_t multiplex_counter;
32860+ atomic_unchecked_t sample_lost_no_mm;
32861+ atomic_unchecked_t sample_lost_no_mapping;
32862+ atomic_unchecked_t bt_lost_no_mapping;
32863+ atomic_unchecked_t event_lost_overflow;
32864+ atomic_unchecked_t multiplex_counter;
32865 };
32866
32867 extern struct oprofile_stat_struct oprofile_stats;
32868diff -urNp linux-3.0.7/drivers/oprofile/oprofilefs.c linux-3.0.7/drivers/oprofile/oprofilefs.c
32869--- linux-3.0.7/drivers/oprofile/oprofilefs.c 2011-07-21 22:17:23.000000000 -0400
32870+++ linux-3.0.7/drivers/oprofile/oprofilefs.c 2011-08-23 21:47:55.000000000 -0400
32871@@ -186,7 +186,7 @@ static const struct file_operations atom
32872
32873
32874 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
32875- char const *name, atomic_t *val)
32876+ char const *name, atomic_unchecked_t *val)
32877 {
32878 return __oprofilefs_create_file(sb, root, name,
32879 &atomic_ro_fops, 0444, val);
32880diff -urNp linux-3.0.7/drivers/parport/procfs.c linux-3.0.7/drivers/parport/procfs.c
32881--- linux-3.0.7/drivers/parport/procfs.c 2011-07-21 22:17:23.000000000 -0400
32882+++ linux-3.0.7/drivers/parport/procfs.c 2011-08-23 21:47:55.000000000 -0400
32883@@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
32884
32885 *ppos += len;
32886
32887- return copy_to_user(result, buffer, len) ? -EFAULT : 0;
32888+ return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
32889 }
32890
32891 #ifdef CONFIG_PARPORT_1284
32892@@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
32893
32894 *ppos += len;
32895
32896- return copy_to_user (result, buffer, len) ? -EFAULT : 0;
32897+ return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
32898 }
32899 #endif /* IEEE1284.3 support. */
32900
32901diff -urNp linux-3.0.7/drivers/pci/hotplug/cpci_hotplug.h linux-3.0.7/drivers/pci/hotplug/cpci_hotplug.h
32902--- linux-3.0.7/drivers/pci/hotplug/cpci_hotplug.h 2011-07-21 22:17:23.000000000 -0400
32903+++ linux-3.0.7/drivers/pci/hotplug/cpci_hotplug.h 2011-08-23 21:47:55.000000000 -0400
32904@@ -59,7 +59,7 @@ struct cpci_hp_controller_ops {
32905 int (*hardware_test) (struct slot* slot, u32 value);
32906 u8 (*get_power) (struct slot* slot);
32907 int (*set_power) (struct slot* slot, int value);
32908-};
32909+} __no_const;
32910
32911 struct cpci_hp_controller {
32912 unsigned int irq;
32913diff -urNp linux-3.0.7/drivers/pci/hotplug/cpqphp_nvram.c linux-3.0.7/drivers/pci/hotplug/cpqphp_nvram.c
32914--- linux-3.0.7/drivers/pci/hotplug/cpqphp_nvram.c 2011-07-21 22:17:23.000000000 -0400
32915+++ linux-3.0.7/drivers/pci/hotplug/cpqphp_nvram.c 2011-08-23 21:47:55.000000000 -0400
32916@@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
32917
32918 void compaq_nvram_init (void __iomem *rom_start)
32919 {
32920+
32921+#ifndef CONFIG_PAX_KERNEXEC
32922 if (rom_start) {
32923 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
32924 }
32925+#endif
32926+
32927 dbg("int15 entry = %p\n", compaq_int15_entry_point);
32928
32929 /* initialize our int15 lock */
32930diff -urNp linux-3.0.7/drivers/pci/pcie/aspm.c linux-3.0.7/drivers/pci/pcie/aspm.c
32931--- linux-3.0.7/drivers/pci/pcie/aspm.c 2011-07-21 22:17:23.000000000 -0400
32932+++ linux-3.0.7/drivers/pci/pcie/aspm.c 2011-08-23 21:47:55.000000000 -0400
32933@@ -27,9 +27,9 @@
32934 #define MODULE_PARAM_PREFIX "pcie_aspm."
32935
32936 /* Note: those are not register definitions */
32937-#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
32938-#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
32939-#define ASPM_STATE_L1 (4) /* L1 state */
32940+#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
32941+#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
32942+#define ASPM_STATE_L1 (4U) /* L1 state */
32943 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
32944 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
32945
32946diff -urNp linux-3.0.7/drivers/pci/probe.c linux-3.0.7/drivers/pci/probe.c
32947--- linux-3.0.7/drivers/pci/probe.c 2011-07-21 22:17:23.000000000 -0400
32948+++ linux-3.0.7/drivers/pci/probe.c 2011-08-23 21:47:55.000000000 -0400
32949@@ -129,7 +129,7 @@ int __pci_read_base(struct pci_dev *dev,
32950 u32 l, sz, mask;
32951 u16 orig_cmd;
32952
32953- mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
32954+ mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
32955
32956 if (!dev->mmio_always_on) {
32957 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
32958diff -urNp linux-3.0.7/drivers/pci/proc.c linux-3.0.7/drivers/pci/proc.c
32959--- linux-3.0.7/drivers/pci/proc.c 2011-07-21 22:17:23.000000000 -0400
32960+++ linux-3.0.7/drivers/pci/proc.c 2011-08-23 21:48:14.000000000 -0400
32961@@ -476,7 +476,16 @@ static const struct file_operations proc
32962 static int __init pci_proc_init(void)
32963 {
32964 struct pci_dev *dev = NULL;
32965+
32966+#ifdef CONFIG_GRKERNSEC_PROC_ADD
32967+#ifdef CONFIG_GRKERNSEC_PROC_USER
32968+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
32969+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32970+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
32971+#endif
32972+#else
32973 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
32974+#endif
32975 proc_create("devices", 0, proc_bus_pci_dir,
32976 &proc_bus_pci_dev_operations);
32977 proc_initialized = 1;
32978diff -urNp linux-3.0.7/drivers/pci/xen-pcifront.c linux-3.0.7/drivers/pci/xen-pcifront.c
32979--- linux-3.0.7/drivers/pci/xen-pcifront.c 2011-07-21 22:17:23.000000000 -0400
32980+++ linux-3.0.7/drivers/pci/xen-pcifront.c 2011-08-23 21:48:14.000000000 -0400
32981@@ -187,6 +187,8 @@ static int pcifront_bus_read(struct pci_
32982 struct pcifront_sd *sd = bus->sysdata;
32983 struct pcifront_device *pdev = pcifront_get_pdev(sd);
32984
32985+ pax_track_stack();
32986+
32987 if (verbose_request)
32988 dev_info(&pdev->xdev->dev,
32989 "read dev=%04x:%02x:%02x.%01x - offset %x size %d\n",
32990@@ -226,6 +228,8 @@ static int pcifront_bus_write(struct pci
32991 struct pcifront_sd *sd = bus->sysdata;
32992 struct pcifront_device *pdev = pcifront_get_pdev(sd);
32993
32994+ pax_track_stack();
32995+
32996 if (verbose_request)
32997 dev_info(&pdev->xdev->dev,
32998 "write dev=%04x:%02x:%02x.%01x - "
32999@@ -258,6 +262,8 @@ static int pci_frontend_enable_msix(stru
33000 struct pcifront_device *pdev = pcifront_get_pdev(sd);
33001 struct msi_desc *entry;
33002
33003+ pax_track_stack();
33004+
33005 if (nvec > SH_INFO_MAX_VEC) {
33006 dev_err(&dev->dev, "too much vector for pci frontend: %x."
33007 " Increase SH_INFO_MAX_VEC.\n", nvec);
33008@@ -309,6 +315,8 @@ static void pci_frontend_disable_msix(st
33009 struct pcifront_sd *sd = dev->bus->sysdata;
33010 struct pcifront_device *pdev = pcifront_get_pdev(sd);
33011
33012+ pax_track_stack();
33013+
33014 err = do_pci_op(pdev, &op);
33015
33016 /* What should do for error ? */
33017@@ -328,6 +336,8 @@ static int pci_frontend_enable_msi(struc
33018 struct pcifront_sd *sd = dev->bus->sysdata;
33019 struct pcifront_device *pdev = pcifront_get_pdev(sd);
33020
33021+ pax_track_stack();
33022+
33023 err = do_pci_op(pdev, &op);
33024 if (likely(!err)) {
33025 vector[0] = op.value;
33026diff -urNp linux-3.0.7/drivers/platform/x86/thinkpad_acpi.c linux-3.0.7/drivers/platform/x86/thinkpad_acpi.c
33027--- linux-3.0.7/drivers/platform/x86/thinkpad_acpi.c 2011-07-21 22:17:23.000000000 -0400
33028+++ linux-3.0.7/drivers/platform/x86/thinkpad_acpi.c 2011-08-23 21:47:55.000000000 -0400
33029@@ -2094,7 +2094,7 @@ static int hotkey_mask_get(void)
33030 return 0;
33031 }
33032
33033-void static hotkey_mask_warn_incomplete_mask(void)
33034+static void hotkey_mask_warn_incomplete_mask(void)
33035 {
33036 /* log only what the user can fix... */
33037 const u32 wantedmask = hotkey_driver_mask &
33038diff -urNp linux-3.0.7/drivers/pnp/pnpbios/bioscalls.c linux-3.0.7/drivers/pnp/pnpbios/bioscalls.c
33039--- linux-3.0.7/drivers/pnp/pnpbios/bioscalls.c 2011-07-21 22:17:23.000000000 -0400
33040+++ linux-3.0.7/drivers/pnp/pnpbios/bioscalls.c 2011-08-23 21:47:55.000000000 -0400
33041@@ -59,7 +59,7 @@ do { \
33042 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
33043 } while(0)
33044
33045-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
33046+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
33047 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
33048
33049 /*
33050@@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
33051
33052 cpu = get_cpu();
33053 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
33054+
33055+ pax_open_kernel();
33056 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
33057+ pax_close_kernel();
33058
33059 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
33060 spin_lock_irqsave(&pnp_bios_lock, flags);
33061@@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
33062 :"memory");
33063 spin_unlock_irqrestore(&pnp_bios_lock, flags);
33064
33065+ pax_open_kernel();
33066 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
33067+ pax_close_kernel();
33068+
33069 put_cpu();
33070
33071 /* If we get here and this is set then the PnP BIOS faulted on us. */
33072@@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
33073 return status;
33074 }
33075
33076-void pnpbios_calls_init(union pnp_bios_install_struct *header)
33077+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
33078 {
33079 int i;
33080
33081@@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
33082 pnp_bios_callpoint.offset = header->fields.pm16offset;
33083 pnp_bios_callpoint.segment = PNP_CS16;
33084
33085+ pax_open_kernel();
33086+
33087 for_each_possible_cpu(i) {
33088 struct desc_struct *gdt = get_cpu_gdt_table(i);
33089 if (!gdt)
33090@@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
33091 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
33092 (unsigned long)__va(header->fields.pm16dseg));
33093 }
33094+
33095+ pax_close_kernel();
33096 }
33097diff -urNp linux-3.0.7/drivers/pnp/resource.c linux-3.0.7/drivers/pnp/resource.c
33098--- linux-3.0.7/drivers/pnp/resource.c 2011-07-21 22:17:23.000000000 -0400
33099+++ linux-3.0.7/drivers/pnp/resource.c 2011-08-23 21:47:55.000000000 -0400
33100@@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
33101 return 1;
33102
33103 /* check if the resource is valid */
33104- if (*irq < 0 || *irq > 15)
33105+ if (*irq > 15)
33106 return 0;
33107
33108 /* check if the resource is reserved */
33109@@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
33110 return 1;
33111
33112 /* check if the resource is valid */
33113- if (*dma < 0 || *dma == 4 || *dma > 7)
33114+ if (*dma == 4 || *dma > 7)
33115 return 0;
33116
33117 /* check if the resource is reserved */
33118diff -urNp linux-3.0.7/drivers/power/bq27x00_battery.c linux-3.0.7/drivers/power/bq27x00_battery.c
33119--- linux-3.0.7/drivers/power/bq27x00_battery.c 2011-07-21 22:17:23.000000000 -0400
33120+++ linux-3.0.7/drivers/power/bq27x00_battery.c 2011-08-23 21:47:55.000000000 -0400
33121@@ -67,7 +67,7 @@
33122 struct bq27x00_device_info;
33123 struct bq27x00_access_methods {
33124 int (*read)(struct bq27x00_device_info *di, u8 reg, bool single);
33125-};
33126+} __no_const;
33127
33128 enum bq27x00_chip { BQ27000, BQ27500 };
33129
33130diff -urNp linux-3.0.7/drivers/regulator/max8660.c linux-3.0.7/drivers/regulator/max8660.c
33131--- linux-3.0.7/drivers/regulator/max8660.c 2011-07-21 22:17:23.000000000 -0400
33132+++ linux-3.0.7/drivers/regulator/max8660.c 2011-08-23 21:47:55.000000000 -0400
33133@@ -383,8 +383,10 @@ static int __devinit max8660_probe(struc
33134 max8660->shadow_regs[MAX8660_OVER1] = 5;
33135 } else {
33136 /* Otherwise devices can be toggled via software */
33137- max8660_dcdc_ops.enable = max8660_dcdc_enable;
33138- max8660_dcdc_ops.disable = max8660_dcdc_disable;
33139+ pax_open_kernel();
33140+ *(void **)&max8660_dcdc_ops.enable = max8660_dcdc_enable;
33141+ *(void **)&max8660_dcdc_ops.disable = max8660_dcdc_disable;
33142+ pax_close_kernel();
33143 }
33144
33145 /*
33146diff -urNp linux-3.0.7/drivers/regulator/mc13892-regulator.c linux-3.0.7/drivers/regulator/mc13892-regulator.c
33147--- linux-3.0.7/drivers/regulator/mc13892-regulator.c 2011-07-21 22:17:23.000000000 -0400
33148+++ linux-3.0.7/drivers/regulator/mc13892-regulator.c 2011-08-23 21:47:55.000000000 -0400
33149@@ -564,10 +564,12 @@ static int __devinit mc13892_regulator_p
33150 }
33151 mc13xxx_unlock(mc13892);
33152
33153- mc13892_regulators[MC13892_VCAM].desc.ops->set_mode
33154+ pax_open_kernel();
33155+ *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->set_mode
33156 = mc13892_vcam_set_mode;
33157- mc13892_regulators[MC13892_VCAM].desc.ops->get_mode
33158+ *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->get_mode
33159 = mc13892_vcam_get_mode;
33160+ pax_close_kernel();
33161 for (i = 0; i < pdata->num_regulators; i++) {
33162 init_data = &pdata->regulators[i];
33163 priv->regulators[i] = regulator_register(
33164diff -urNp linux-3.0.7/drivers/rtc/rtc-dev.c linux-3.0.7/drivers/rtc/rtc-dev.c
33165--- linux-3.0.7/drivers/rtc/rtc-dev.c 2011-07-21 22:17:23.000000000 -0400
33166+++ linux-3.0.7/drivers/rtc/rtc-dev.c 2011-08-23 21:48:14.000000000 -0400
33167@@ -14,6 +14,7 @@
33168 #include <linux/module.h>
33169 #include <linux/rtc.h>
33170 #include <linux/sched.h>
33171+#include <linux/grsecurity.h>
33172 #include "rtc-core.h"
33173
33174 static dev_t rtc_devt;
33175@@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
33176 if (copy_from_user(&tm, uarg, sizeof(tm)))
33177 return -EFAULT;
33178
33179+ gr_log_timechange();
33180+
33181 return rtc_set_time(rtc, &tm);
33182
33183 case RTC_PIE_ON:
33184diff -urNp linux-3.0.7/drivers/scsi/BusLogic.c linux-3.0.7/drivers/scsi/BusLogic.c
33185--- linux-3.0.7/drivers/scsi/BusLogic.c 2011-07-21 22:17:23.000000000 -0400
33186+++ linux-3.0.7/drivers/scsi/BusLogic.c 2011-08-23 21:48:14.000000000 -0400
33187@@ -962,6 +962,8 @@ static int __init BusLogic_InitializeFla
33188 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
33189 *PrototypeHostAdapter)
33190 {
33191+ pax_track_stack();
33192+
33193 /*
33194 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
33195 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
33196diff -urNp linux-3.0.7/drivers/scsi/aacraid/aacraid.h linux-3.0.7/drivers/scsi/aacraid/aacraid.h
33197--- linux-3.0.7/drivers/scsi/aacraid/aacraid.h 2011-07-21 22:17:23.000000000 -0400
33198+++ linux-3.0.7/drivers/scsi/aacraid/aacraid.h 2011-08-23 21:47:55.000000000 -0400
33199@@ -492,7 +492,7 @@ struct adapter_ops
33200 int (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd);
33201 /* Administrative operations */
33202 int (*adapter_comm)(struct aac_dev * dev, int comm);
33203-};
33204+} __no_const;
33205
33206 /*
33207 * Define which interrupt handler needs to be installed
33208diff -urNp linux-3.0.7/drivers/scsi/aacraid/commctrl.c linux-3.0.7/drivers/scsi/aacraid/commctrl.c
33209--- linux-3.0.7/drivers/scsi/aacraid/commctrl.c 2011-07-21 22:17:23.000000000 -0400
33210+++ linux-3.0.7/drivers/scsi/aacraid/commctrl.c 2011-08-23 21:48:14.000000000 -0400
33211@@ -482,6 +482,7 @@ static int aac_send_raw_srb(struct aac_d
33212 u32 actual_fibsize64, actual_fibsize = 0;
33213 int i;
33214
33215+ pax_track_stack();
33216
33217 if (dev->in_reset) {
33218 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
33219diff -urNp linux-3.0.7/drivers/scsi/aacraid/linit.c linux-3.0.7/drivers/scsi/aacraid/linit.c
33220--- linux-3.0.7/drivers/scsi/aacraid/linit.c 2011-07-21 22:17:23.000000000 -0400
33221+++ linux-3.0.7/drivers/scsi/aacraid/linit.c 2011-10-11 10:44:33.000000000 -0400
33222@@ -92,7 +92,7 @@ static DECLARE_PCI_DEVICE_TABLE(aac_pci_
33223 #elif defined(__devinitconst)
33224 static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
33225 #else
33226-static const struct pci_device_id aac_pci_tbl[] __devinitdata = {
33227+static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
33228 #endif
33229 { 0x1028, 0x0001, 0x1028, 0x0001, 0, 0, 0 }, /* PERC 2/Si (Iguana/PERC2Si) */
33230 { 0x1028, 0x0002, 0x1028, 0x0002, 0, 0, 1 }, /* PERC 3/Di (Opal/PERC3Di) */
33231diff -urNp linux-3.0.7/drivers/scsi/aic94xx/aic94xx_init.c linux-3.0.7/drivers/scsi/aic94xx/aic94xx_init.c
33232--- linux-3.0.7/drivers/scsi/aic94xx/aic94xx_init.c 2011-07-21 22:17:23.000000000 -0400
33233+++ linux-3.0.7/drivers/scsi/aic94xx/aic94xx_init.c 2011-10-11 10:44:33.000000000 -0400
33234@@ -1012,7 +1012,7 @@ static struct sas_domain_function_templa
33235 .lldd_control_phy = asd_control_phy,
33236 };
33237
33238-static const struct pci_device_id aic94xx_pci_table[] __devinitdata = {
33239+static const struct pci_device_id aic94xx_pci_table[] __devinitconst = {
33240 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x410),0, 0, 1},
33241 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x412),0, 0, 1},
33242 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x416),0, 0, 1},
33243diff -urNp linux-3.0.7/drivers/scsi/bfa/bfa.h linux-3.0.7/drivers/scsi/bfa/bfa.h
33244--- linux-3.0.7/drivers/scsi/bfa/bfa.h 2011-07-21 22:17:23.000000000 -0400
33245+++ linux-3.0.7/drivers/scsi/bfa/bfa.h 2011-08-23 21:47:55.000000000 -0400
33246@@ -238,7 +238,7 @@ struct bfa_hwif_s {
33247 u32 *nvecs, u32 *maxvec);
33248 void (*hw_msix_get_rme_range) (struct bfa_s *bfa, u32 *start,
33249 u32 *end);
33250-};
33251+} __no_const;
33252 typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
33253
33254 struct bfa_iocfc_s {
33255diff -urNp linux-3.0.7/drivers/scsi/bfa/bfa_fcs_lport.c linux-3.0.7/drivers/scsi/bfa/bfa_fcs_lport.c
33256--- linux-3.0.7/drivers/scsi/bfa/bfa_fcs_lport.c 2011-07-21 22:17:23.000000000 -0400
33257+++ linux-3.0.7/drivers/scsi/bfa/bfa_fcs_lport.c 2011-08-23 21:48:14.000000000 -0400
33258@@ -1559,6 +1559,8 @@ bfa_fcs_lport_fdmi_build_rhba_pyld(struc
33259 u16 len, count;
33260 u16 templen;
33261
33262+ pax_track_stack();
33263+
33264 /*
33265 * get hba attributes
33266 */
33267@@ -1836,6 +1838,8 @@ bfa_fcs_lport_fdmi_build_portattr_block(
33268 u8 count = 0;
33269 u16 templen;
33270
33271+ pax_track_stack();
33272+
33273 /*
33274 * get port attributes
33275 */
33276diff -urNp linux-3.0.7/drivers/scsi/bfa/bfa_fcs_rport.c linux-3.0.7/drivers/scsi/bfa/bfa_fcs_rport.c
33277--- linux-3.0.7/drivers/scsi/bfa/bfa_fcs_rport.c 2011-07-21 22:17:23.000000000 -0400
33278+++ linux-3.0.7/drivers/scsi/bfa/bfa_fcs_rport.c 2011-08-23 21:48:14.000000000 -0400
33279@@ -1844,6 +1844,8 @@ bfa_fcs_rport_process_rpsc(struct bfa_fc
33280 struct fc_rpsc_speed_info_s speeds;
33281 struct bfa_port_attr_s pport_attr;
33282
33283+ pax_track_stack();
33284+
33285 bfa_trc(port->fcs, rx_fchs->s_id);
33286 bfa_trc(port->fcs, rx_fchs->d_id);
33287
33288diff -urNp linux-3.0.7/drivers/scsi/bfa/bfa_ioc.h linux-3.0.7/drivers/scsi/bfa/bfa_ioc.h
33289--- linux-3.0.7/drivers/scsi/bfa/bfa_ioc.h 2011-07-21 22:17:23.000000000 -0400
33290+++ linux-3.0.7/drivers/scsi/bfa/bfa_ioc.h 2011-08-23 21:47:55.000000000 -0400
33291@@ -196,7 +196,7 @@ struct bfa_ioc_cbfn_s {
33292 bfa_ioc_disable_cbfn_t disable_cbfn;
33293 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
33294 bfa_ioc_reset_cbfn_t reset_cbfn;
33295-};
33296+} __no_const;
33297
33298 /*
33299 * Heartbeat failure notification queue element.
33300@@ -268,7 +268,7 @@ struct bfa_ioc_hwif_s {
33301 void (*ioc_sync_leave) (struct bfa_ioc_s *ioc);
33302 void (*ioc_sync_ack) (struct bfa_ioc_s *ioc);
33303 bfa_boolean_t (*ioc_sync_complete) (struct bfa_ioc_s *ioc);
33304-};
33305+} __no_const;
33306
33307 #define bfa_ioc_pcifn(__ioc) ((__ioc)->pcidev.pci_func)
33308 #define bfa_ioc_devid(__ioc) ((__ioc)->pcidev.device_id)
33309diff -urNp linux-3.0.7/drivers/scsi/bfa/bfad.c linux-3.0.7/drivers/scsi/bfa/bfad.c
33310--- linux-3.0.7/drivers/scsi/bfa/bfad.c 2011-07-21 22:17:23.000000000 -0400
33311+++ linux-3.0.7/drivers/scsi/bfa/bfad.c 2011-08-23 21:48:14.000000000 -0400
33312@@ -1032,6 +1032,8 @@ bfad_start_ops(struct bfad_s *bfad) {
33313 struct bfad_vport_s *vport, *vport_new;
33314 struct bfa_fcs_driver_info_s driver_info;
33315
33316+ pax_track_stack();
33317+
33318 /* Fill the driver_info info to fcs*/
33319 memset(&driver_info, 0, sizeof(driver_info));
33320 strncpy(driver_info.version, BFAD_DRIVER_VERSION,
33321diff -urNp linux-3.0.7/drivers/scsi/dpt_i2o.c linux-3.0.7/drivers/scsi/dpt_i2o.c
33322--- linux-3.0.7/drivers/scsi/dpt_i2o.c 2011-07-21 22:17:23.000000000 -0400
33323+++ linux-3.0.7/drivers/scsi/dpt_i2o.c 2011-08-23 21:48:14.000000000 -0400
33324@@ -1811,6 +1811,8 @@ static int adpt_i2o_passthru(adpt_hba* p
33325 dma_addr_t addr;
33326 ulong flags = 0;
33327
33328+ pax_track_stack();
33329+
33330 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
33331 // get user msg size in u32s
33332 if(get_user(size, &user_msg[0])){
33333@@ -2317,6 +2319,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
33334 s32 rcode;
33335 dma_addr_t addr;
33336
33337+ pax_track_stack();
33338+
33339 memset(msg, 0 , sizeof(msg));
33340 len = scsi_bufflen(cmd);
33341 direction = 0x00000000;
33342diff -urNp linux-3.0.7/drivers/scsi/eata.c linux-3.0.7/drivers/scsi/eata.c
33343--- linux-3.0.7/drivers/scsi/eata.c 2011-07-21 22:17:23.000000000 -0400
33344+++ linux-3.0.7/drivers/scsi/eata.c 2011-08-23 21:48:14.000000000 -0400
33345@@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
33346 struct hostdata *ha;
33347 char name[16];
33348
33349+ pax_track_stack();
33350+
33351 sprintf(name, "%s%d", driver_name, j);
33352
33353 if (!request_region(port_base, REGION_SIZE, driver_name)) {
33354diff -urNp linux-3.0.7/drivers/scsi/fcoe/fcoe_ctlr.c linux-3.0.7/drivers/scsi/fcoe/fcoe_ctlr.c
33355--- linux-3.0.7/drivers/scsi/fcoe/fcoe_ctlr.c 2011-07-21 22:17:23.000000000 -0400
33356+++ linux-3.0.7/drivers/scsi/fcoe/fcoe_ctlr.c 2011-08-23 21:48:14.000000000 -0400
33357@@ -2503,6 +2503,8 @@ static int fcoe_ctlr_vn_recv(struct fcoe
33358 } buf;
33359 int rc;
33360
33361+ pax_track_stack();
33362+
33363 fiph = (struct fip_header *)skb->data;
33364 sub = fiph->fip_subcode;
33365
33366diff -urNp linux-3.0.7/drivers/scsi/gdth.c linux-3.0.7/drivers/scsi/gdth.c
33367--- linux-3.0.7/drivers/scsi/gdth.c 2011-07-21 22:17:23.000000000 -0400
33368+++ linux-3.0.7/drivers/scsi/gdth.c 2011-08-23 21:48:14.000000000 -0400
33369@@ -4107,6 +4107,8 @@ static int ioc_lockdrv(void __user *arg)
33370 unsigned long flags;
33371 gdth_ha_str *ha;
33372
33373+ pax_track_stack();
33374+
33375 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
33376 return -EFAULT;
33377 ha = gdth_find_ha(ldrv.ionode);
33378@@ -4139,6 +4141,8 @@ static int ioc_resetdrv(void __user *arg
33379 gdth_ha_str *ha;
33380 int rval;
33381
33382+ pax_track_stack();
33383+
33384 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
33385 res.number >= MAX_HDRIVES)
33386 return -EFAULT;
33387@@ -4174,6 +4178,8 @@ static int ioc_general(void __user *arg,
33388 gdth_ha_str *ha;
33389 int rval;
33390
33391+ pax_track_stack();
33392+
33393 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
33394 return -EFAULT;
33395 ha = gdth_find_ha(gen.ionode);
33396@@ -4642,6 +4648,9 @@ static void gdth_flush(gdth_ha_str *ha)
33397 int i;
33398 gdth_cmd_str gdtcmd;
33399 char cmnd[MAX_COMMAND_SIZE];
33400+
33401+ pax_track_stack();
33402+
33403 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
33404
33405 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
33406diff -urNp linux-3.0.7/drivers/scsi/gdth_proc.c linux-3.0.7/drivers/scsi/gdth_proc.c
33407--- linux-3.0.7/drivers/scsi/gdth_proc.c 2011-07-21 22:17:23.000000000 -0400
33408+++ linux-3.0.7/drivers/scsi/gdth_proc.c 2011-08-23 21:48:14.000000000 -0400
33409@@ -47,6 +47,9 @@ static int gdth_set_asc_info(struct Scsi
33410 u64 paddr;
33411
33412 char cmnd[MAX_COMMAND_SIZE];
33413+
33414+ pax_track_stack();
33415+
33416 memset(cmnd, 0xff, 12);
33417 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
33418
33419@@ -175,6 +178,8 @@ static int gdth_get_info(char *buffer,ch
33420 gdth_hget_str *phg;
33421 char cmnd[MAX_COMMAND_SIZE];
33422
33423+ pax_track_stack();
33424+
33425 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
33426 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
33427 if (!gdtcmd || !estr)
33428diff -urNp linux-3.0.7/drivers/scsi/hosts.c linux-3.0.7/drivers/scsi/hosts.c
33429--- linux-3.0.7/drivers/scsi/hosts.c 2011-07-21 22:17:23.000000000 -0400
33430+++ linux-3.0.7/drivers/scsi/hosts.c 2011-08-23 21:47:55.000000000 -0400
33431@@ -42,7 +42,7 @@
33432 #include "scsi_logging.h"
33433
33434
33435-static atomic_t scsi_host_next_hn; /* host_no for next new host */
33436+static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
33437
33438
33439 static void scsi_host_cls_release(struct device *dev)
33440@@ -354,7 +354,7 @@ struct Scsi_Host *scsi_host_alloc(struct
33441 * subtract one because we increment first then return, but we need to
33442 * know what the next host number was before increment
33443 */
33444- shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
33445+ shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
33446 shost->dma_channel = 0xff;
33447
33448 /* These three are default values which can be overridden */
33449diff -urNp linux-3.0.7/drivers/scsi/hpsa.c linux-3.0.7/drivers/scsi/hpsa.c
33450--- linux-3.0.7/drivers/scsi/hpsa.c 2011-10-16 21:54:54.000000000 -0400
33451+++ linux-3.0.7/drivers/scsi/hpsa.c 2011-10-16 21:55:27.000000000 -0400
33452@@ -498,7 +498,7 @@ static inline u32 next_command(struct ct
33453 u32 a;
33454
33455 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
33456- return h->access.command_completed(h);
33457+ return h->access->command_completed(h);
33458
33459 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
33460 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
33461@@ -2955,7 +2955,7 @@ static void start_io(struct ctlr_info *h
33462 while (!list_empty(&h->reqQ)) {
33463 c = list_entry(h->reqQ.next, struct CommandList, list);
33464 /* can't do anything if fifo is full */
33465- if ((h->access.fifo_full(h))) {
33466+ if ((h->access->fifo_full(h))) {
33467 dev_warn(&h->pdev->dev, "fifo full\n");
33468 break;
33469 }
33470@@ -2965,7 +2965,7 @@ static void start_io(struct ctlr_info *h
33471 h->Qdepth--;
33472
33473 /* Tell the controller execute command */
33474- h->access.submit_command(h, c);
33475+ h->access->submit_command(h, c);
33476
33477 /* Put job onto the completed Q */
33478 addQ(&h->cmpQ, c);
33479@@ -2974,17 +2974,17 @@ static void start_io(struct ctlr_info *h
33480
33481 static inline unsigned long get_next_completion(struct ctlr_info *h)
33482 {
33483- return h->access.command_completed(h);
33484+ return h->access->command_completed(h);
33485 }
33486
33487 static inline bool interrupt_pending(struct ctlr_info *h)
33488 {
33489- return h->access.intr_pending(h);
33490+ return h->access->intr_pending(h);
33491 }
33492
33493 static inline long interrupt_not_for_us(struct ctlr_info *h)
33494 {
33495- return (h->access.intr_pending(h) == 0) ||
33496+ return (h->access->intr_pending(h) == 0) ||
33497 (h->interrupts_enabled == 0);
33498 }
33499
33500@@ -3874,7 +3874,7 @@ static int __devinit hpsa_pci_init(struc
33501 if (prod_index < 0)
33502 return -ENODEV;
33503 h->product_name = products[prod_index].product_name;
33504- h->access = *(products[prod_index].access);
33505+ h->access = products[prod_index].access;
33506
33507 if (hpsa_board_disabled(h->pdev)) {
33508 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
33509@@ -4151,7 +4151,7 @@ reinit_after_soft_reset:
33510 }
33511
33512 /* make sure the board interrupts are off */
33513- h->access.set_intr_mask(h, HPSA_INTR_OFF);
33514+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
33515
33516 if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx))
33517 goto clean2;
33518@@ -4185,7 +4185,7 @@ reinit_after_soft_reset:
33519 * fake ones to scoop up any residual completions.
33520 */
33521 spin_lock_irqsave(&h->lock, flags);
33522- h->access.set_intr_mask(h, HPSA_INTR_OFF);
33523+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
33524 spin_unlock_irqrestore(&h->lock, flags);
33525 free_irq(h->intr[h->intr_mode], h);
33526 rc = hpsa_request_irq(h, hpsa_msix_discard_completions,
33527@@ -4204,9 +4204,9 @@ reinit_after_soft_reset:
33528 dev_info(&h->pdev->dev, "Board READY.\n");
33529 dev_info(&h->pdev->dev,
33530 "Waiting for stale completions to drain.\n");
33531- h->access.set_intr_mask(h, HPSA_INTR_ON);
33532+ h->access->set_intr_mask(h, HPSA_INTR_ON);
33533 msleep(10000);
33534- h->access.set_intr_mask(h, HPSA_INTR_OFF);
33535+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
33536
33537 rc = controller_reset_failed(h->cfgtable);
33538 if (rc)
33539@@ -4227,7 +4227,7 @@ reinit_after_soft_reset:
33540 }
33541
33542 /* Turn the interrupts on so we can service requests */
33543- h->access.set_intr_mask(h, HPSA_INTR_ON);
33544+ h->access->set_intr_mask(h, HPSA_INTR_ON);
33545
33546 hpsa_hba_inquiry(h);
33547 hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */
33548@@ -4280,7 +4280,7 @@ static void hpsa_shutdown(struct pci_dev
33549 * To write all data in the battery backed cache to disks
33550 */
33551 hpsa_flush_cache(h);
33552- h->access.set_intr_mask(h, HPSA_INTR_OFF);
33553+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
33554 free_irq(h->intr[h->intr_mode], h);
33555 #ifdef CONFIG_PCI_MSI
33556 if (h->msix_vector)
33557@@ -4443,7 +4443,7 @@ static __devinit void hpsa_enter_perform
33558 return;
33559 }
33560 /* Change the access methods to the performant access methods */
33561- h->access = SA5_performant_access;
33562+ h->access = &SA5_performant_access;
33563 h->transMethod = CFGTBL_Trans_Performant;
33564 }
33565
33566diff -urNp linux-3.0.7/drivers/scsi/hpsa.h linux-3.0.7/drivers/scsi/hpsa.h
33567--- linux-3.0.7/drivers/scsi/hpsa.h 2011-09-02 18:11:21.000000000 -0400
33568+++ linux-3.0.7/drivers/scsi/hpsa.h 2011-08-23 21:47:55.000000000 -0400
33569@@ -73,7 +73,7 @@ struct ctlr_info {
33570 unsigned int msix_vector;
33571 unsigned int msi_vector;
33572 int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
33573- struct access_method access;
33574+ struct access_method *access;
33575
33576 /* queue and queue Info */
33577 struct list_head reqQ;
33578diff -urNp linux-3.0.7/drivers/scsi/ips.h linux-3.0.7/drivers/scsi/ips.h
33579--- linux-3.0.7/drivers/scsi/ips.h 2011-07-21 22:17:23.000000000 -0400
33580+++ linux-3.0.7/drivers/scsi/ips.h 2011-08-23 21:47:55.000000000 -0400
33581@@ -1027,7 +1027,7 @@ typedef struct {
33582 int (*intr)(struct ips_ha *);
33583 void (*enableint)(struct ips_ha *);
33584 uint32_t (*statupd)(struct ips_ha *);
33585-} ips_hw_func_t;
33586+} __no_const ips_hw_func_t;
33587
33588 typedef struct ips_ha {
33589 uint8_t ha_id[IPS_MAX_CHANNELS+1];
33590diff -urNp linux-3.0.7/drivers/scsi/libfc/fc_exch.c linux-3.0.7/drivers/scsi/libfc/fc_exch.c
33591--- linux-3.0.7/drivers/scsi/libfc/fc_exch.c 2011-07-21 22:17:23.000000000 -0400
33592+++ linux-3.0.7/drivers/scsi/libfc/fc_exch.c 2011-08-23 21:47:55.000000000 -0400
33593@@ -105,12 +105,12 @@ struct fc_exch_mgr {
33594 * all together if not used XXX
33595 */
33596 struct {
33597- atomic_t no_free_exch;
33598- atomic_t no_free_exch_xid;
33599- atomic_t xid_not_found;
33600- atomic_t xid_busy;
33601- atomic_t seq_not_found;
33602- atomic_t non_bls_resp;
33603+ atomic_unchecked_t no_free_exch;
33604+ atomic_unchecked_t no_free_exch_xid;
33605+ atomic_unchecked_t xid_not_found;
33606+ atomic_unchecked_t xid_busy;
33607+ atomic_unchecked_t seq_not_found;
33608+ atomic_unchecked_t non_bls_resp;
33609 } stats;
33610 };
33611
33612@@ -700,7 +700,7 @@ static struct fc_exch *fc_exch_em_alloc(
33613 /* allocate memory for exchange */
33614 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
33615 if (!ep) {
33616- atomic_inc(&mp->stats.no_free_exch);
33617+ atomic_inc_unchecked(&mp->stats.no_free_exch);
33618 goto out;
33619 }
33620 memset(ep, 0, sizeof(*ep));
33621@@ -761,7 +761,7 @@ out:
33622 return ep;
33623 err:
33624 spin_unlock_bh(&pool->lock);
33625- atomic_inc(&mp->stats.no_free_exch_xid);
33626+ atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
33627 mempool_free(ep, mp->ep_pool);
33628 return NULL;
33629 }
33630@@ -906,7 +906,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33631 xid = ntohs(fh->fh_ox_id); /* we originated exch */
33632 ep = fc_exch_find(mp, xid);
33633 if (!ep) {
33634- atomic_inc(&mp->stats.xid_not_found);
33635+ atomic_inc_unchecked(&mp->stats.xid_not_found);
33636 reject = FC_RJT_OX_ID;
33637 goto out;
33638 }
33639@@ -936,7 +936,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33640 ep = fc_exch_find(mp, xid);
33641 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
33642 if (ep) {
33643- atomic_inc(&mp->stats.xid_busy);
33644+ atomic_inc_unchecked(&mp->stats.xid_busy);
33645 reject = FC_RJT_RX_ID;
33646 goto rel;
33647 }
33648@@ -947,7 +947,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33649 }
33650 xid = ep->xid; /* get our XID */
33651 } else if (!ep) {
33652- atomic_inc(&mp->stats.xid_not_found);
33653+ atomic_inc_unchecked(&mp->stats.xid_not_found);
33654 reject = FC_RJT_RX_ID; /* XID not found */
33655 goto out;
33656 }
33657@@ -964,7 +964,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33658 } else {
33659 sp = &ep->seq;
33660 if (sp->id != fh->fh_seq_id) {
33661- atomic_inc(&mp->stats.seq_not_found);
33662+ atomic_inc_unchecked(&mp->stats.seq_not_found);
33663 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
33664 goto rel;
33665 }
33666@@ -1392,22 +1392,22 @@ static void fc_exch_recv_seq_resp(struct
33667
33668 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
33669 if (!ep) {
33670- atomic_inc(&mp->stats.xid_not_found);
33671+ atomic_inc_unchecked(&mp->stats.xid_not_found);
33672 goto out;
33673 }
33674 if (ep->esb_stat & ESB_ST_COMPLETE) {
33675- atomic_inc(&mp->stats.xid_not_found);
33676+ atomic_inc_unchecked(&mp->stats.xid_not_found);
33677 goto rel;
33678 }
33679 if (ep->rxid == FC_XID_UNKNOWN)
33680 ep->rxid = ntohs(fh->fh_rx_id);
33681 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
33682- atomic_inc(&mp->stats.xid_not_found);
33683+ atomic_inc_unchecked(&mp->stats.xid_not_found);
33684 goto rel;
33685 }
33686 if (ep->did != ntoh24(fh->fh_s_id) &&
33687 ep->did != FC_FID_FLOGI) {
33688- atomic_inc(&mp->stats.xid_not_found);
33689+ atomic_inc_unchecked(&mp->stats.xid_not_found);
33690 goto rel;
33691 }
33692 sof = fr_sof(fp);
33693@@ -1416,7 +1416,7 @@ static void fc_exch_recv_seq_resp(struct
33694 sp->ssb_stat |= SSB_ST_RESP;
33695 sp->id = fh->fh_seq_id;
33696 } else if (sp->id != fh->fh_seq_id) {
33697- atomic_inc(&mp->stats.seq_not_found);
33698+ atomic_inc_unchecked(&mp->stats.seq_not_found);
33699 goto rel;
33700 }
33701
33702@@ -1480,9 +1480,9 @@ static void fc_exch_recv_resp(struct fc_
33703 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
33704
33705 if (!sp)
33706- atomic_inc(&mp->stats.xid_not_found);
33707+ atomic_inc_unchecked(&mp->stats.xid_not_found);
33708 else
33709- atomic_inc(&mp->stats.non_bls_resp);
33710+ atomic_inc_unchecked(&mp->stats.non_bls_resp);
33711
33712 fc_frame_free(fp);
33713 }
33714diff -urNp linux-3.0.7/drivers/scsi/libsas/sas_ata.c linux-3.0.7/drivers/scsi/libsas/sas_ata.c
33715--- linux-3.0.7/drivers/scsi/libsas/sas_ata.c 2011-07-21 22:17:23.000000000 -0400
33716+++ linux-3.0.7/drivers/scsi/libsas/sas_ata.c 2011-08-23 21:47:55.000000000 -0400
33717@@ -368,7 +368,7 @@ static struct ata_port_operations sas_sa
33718 .postreset = ata_std_postreset,
33719 .error_handler = ata_std_error_handler,
33720 .post_internal_cmd = sas_ata_post_internal,
33721- .qc_defer = ata_std_qc_defer,
33722+ .qc_defer = ata_std_qc_defer,
33723 .qc_prep = ata_noop_qc_prep,
33724 .qc_issue = sas_ata_qc_issue,
33725 .qc_fill_rtf = sas_ata_qc_fill_rtf,
33726diff -urNp linux-3.0.7/drivers/scsi/lpfc/lpfc.h linux-3.0.7/drivers/scsi/lpfc/lpfc.h
33727--- linux-3.0.7/drivers/scsi/lpfc/lpfc.h 2011-10-16 21:54:54.000000000 -0400
33728+++ linux-3.0.7/drivers/scsi/lpfc/lpfc.h 2011-10-16 21:55:27.000000000 -0400
33729@@ -425,7 +425,7 @@ struct lpfc_vport {
33730 struct dentry *debug_nodelist;
33731 struct dentry *vport_debugfs_root;
33732 struct lpfc_debugfs_trc *disc_trc;
33733- atomic_t disc_trc_cnt;
33734+ atomic_unchecked_t disc_trc_cnt;
33735 #endif
33736 uint8_t stat_data_enabled;
33737 uint8_t stat_data_blocked;
33738@@ -832,8 +832,8 @@ struct lpfc_hba {
33739 struct timer_list fabric_block_timer;
33740 unsigned long bit_flags;
33741 #define FABRIC_COMANDS_BLOCKED 0
33742- atomic_t num_rsrc_err;
33743- atomic_t num_cmd_success;
33744+ atomic_unchecked_t num_rsrc_err;
33745+ atomic_unchecked_t num_cmd_success;
33746 unsigned long last_rsrc_error_time;
33747 unsigned long last_ramp_down_time;
33748 unsigned long last_ramp_up_time;
33749@@ -847,7 +847,7 @@ struct lpfc_hba {
33750 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
33751 struct dentry *debug_slow_ring_trc;
33752 struct lpfc_debugfs_trc *slow_ring_trc;
33753- atomic_t slow_ring_trc_cnt;
33754+ atomic_unchecked_t slow_ring_trc_cnt;
33755 /* iDiag debugfs sub-directory */
33756 struct dentry *idiag_root;
33757 struct dentry *idiag_pci_cfg;
33758diff -urNp linux-3.0.7/drivers/scsi/lpfc/lpfc_debugfs.c linux-3.0.7/drivers/scsi/lpfc/lpfc_debugfs.c
33759--- linux-3.0.7/drivers/scsi/lpfc/lpfc_debugfs.c 2011-07-21 22:17:23.000000000 -0400
33760+++ linux-3.0.7/drivers/scsi/lpfc/lpfc_debugfs.c 2011-08-23 21:48:14.000000000 -0400
33761@@ -104,7 +104,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_
33762
33763 #include <linux/debugfs.h>
33764
33765-static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
33766+static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
33767 static unsigned long lpfc_debugfs_start_time = 0L;
33768
33769 /* iDiag */
33770@@ -141,7 +141,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
33771 lpfc_debugfs_enable = 0;
33772
33773 len = 0;
33774- index = (atomic_read(&vport->disc_trc_cnt) + 1) &
33775+ index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
33776 (lpfc_debugfs_max_disc_trc - 1);
33777 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
33778 dtp = vport->disc_trc + i;
33779@@ -202,7 +202,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
33780 lpfc_debugfs_enable = 0;
33781
33782 len = 0;
33783- index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
33784+ index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
33785 (lpfc_debugfs_max_slow_ring_trc - 1);
33786 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
33787 dtp = phba->slow_ring_trc + i;
33788@@ -380,6 +380,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
33789 uint32_t *ptr;
33790 char buffer[1024];
33791
33792+ pax_track_stack();
33793+
33794 off = 0;
33795 spin_lock_irq(&phba->hbalock);
33796
33797@@ -617,14 +619,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
33798 !vport || !vport->disc_trc)
33799 return;
33800
33801- index = atomic_inc_return(&vport->disc_trc_cnt) &
33802+ index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
33803 (lpfc_debugfs_max_disc_trc - 1);
33804 dtp = vport->disc_trc + index;
33805 dtp->fmt = fmt;
33806 dtp->data1 = data1;
33807 dtp->data2 = data2;
33808 dtp->data3 = data3;
33809- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
33810+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
33811 dtp->jif = jiffies;
33812 #endif
33813 return;
33814@@ -655,14 +657,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
33815 !phba || !phba->slow_ring_trc)
33816 return;
33817
33818- index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
33819+ index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
33820 (lpfc_debugfs_max_slow_ring_trc - 1);
33821 dtp = phba->slow_ring_trc + index;
33822 dtp->fmt = fmt;
33823 dtp->data1 = data1;
33824 dtp->data2 = data2;
33825 dtp->data3 = data3;
33826- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
33827+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
33828 dtp->jif = jiffies;
33829 #endif
33830 return;
33831@@ -2606,7 +2608,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
33832 "slow_ring buffer\n");
33833 goto debug_failed;
33834 }
33835- atomic_set(&phba->slow_ring_trc_cnt, 0);
33836+ atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
33837 memset(phba->slow_ring_trc, 0,
33838 (sizeof(struct lpfc_debugfs_trc) *
33839 lpfc_debugfs_max_slow_ring_trc));
33840@@ -2652,7 +2654,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
33841 "buffer\n");
33842 goto debug_failed;
33843 }
33844- atomic_set(&vport->disc_trc_cnt, 0);
33845+ atomic_set_unchecked(&vport->disc_trc_cnt, 0);
33846
33847 snprintf(name, sizeof(name), "discovery_trace");
33848 vport->debug_disc_trc =
33849diff -urNp linux-3.0.7/drivers/scsi/lpfc/lpfc_init.c linux-3.0.7/drivers/scsi/lpfc/lpfc_init.c
33850--- linux-3.0.7/drivers/scsi/lpfc/lpfc_init.c 2011-10-16 21:54:54.000000000 -0400
33851+++ linux-3.0.7/drivers/scsi/lpfc/lpfc_init.c 2011-10-16 21:55:27.000000000 -0400
33852@@ -9971,8 +9971,10 @@ lpfc_init(void)
33853 printk(LPFC_COPYRIGHT "\n");
33854
33855 if (lpfc_enable_npiv) {
33856- lpfc_transport_functions.vport_create = lpfc_vport_create;
33857- lpfc_transport_functions.vport_delete = lpfc_vport_delete;
33858+ pax_open_kernel();
33859+ *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
33860+ *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
33861+ pax_close_kernel();
33862 }
33863 lpfc_transport_template =
33864 fc_attach_transport(&lpfc_transport_functions);
33865diff -urNp linux-3.0.7/drivers/scsi/lpfc/lpfc_scsi.c linux-3.0.7/drivers/scsi/lpfc/lpfc_scsi.c
33866--- linux-3.0.7/drivers/scsi/lpfc/lpfc_scsi.c 2011-10-16 21:54:54.000000000 -0400
33867+++ linux-3.0.7/drivers/scsi/lpfc/lpfc_scsi.c 2011-10-16 21:55:27.000000000 -0400
33868@@ -297,7 +297,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
33869 uint32_t evt_posted;
33870
33871 spin_lock_irqsave(&phba->hbalock, flags);
33872- atomic_inc(&phba->num_rsrc_err);
33873+ atomic_inc_unchecked(&phba->num_rsrc_err);
33874 phba->last_rsrc_error_time = jiffies;
33875
33876 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
33877@@ -338,7 +338,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
33878 unsigned long flags;
33879 struct lpfc_hba *phba = vport->phba;
33880 uint32_t evt_posted;
33881- atomic_inc(&phba->num_cmd_success);
33882+ atomic_inc_unchecked(&phba->num_cmd_success);
33883
33884 if (vport->cfg_lun_queue_depth <= queue_depth)
33885 return;
33886@@ -382,8 +382,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
33887 unsigned long num_rsrc_err, num_cmd_success;
33888 int i;
33889
33890- num_rsrc_err = atomic_read(&phba->num_rsrc_err);
33891- num_cmd_success = atomic_read(&phba->num_cmd_success);
33892+ num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
33893+ num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
33894
33895 vports = lpfc_create_vport_work_array(phba);
33896 if (vports != NULL)
33897@@ -403,8 +403,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
33898 }
33899 }
33900 lpfc_destroy_vport_work_array(phba, vports);
33901- atomic_set(&phba->num_rsrc_err, 0);
33902- atomic_set(&phba->num_cmd_success, 0);
33903+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
33904+ atomic_set_unchecked(&phba->num_cmd_success, 0);
33905 }
33906
33907 /**
33908@@ -438,8 +438,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
33909 }
33910 }
33911 lpfc_destroy_vport_work_array(phba, vports);
33912- atomic_set(&phba->num_rsrc_err, 0);
33913- atomic_set(&phba->num_cmd_success, 0);
33914+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
33915+ atomic_set_unchecked(&phba->num_cmd_success, 0);
33916 }
33917
33918 /**
33919diff -urNp linux-3.0.7/drivers/scsi/megaraid/megaraid_mbox.c linux-3.0.7/drivers/scsi/megaraid/megaraid_mbox.c
33920--- linux-3.0.7/drivers/scsi/megaraid/megaraid_mbox.c 2011-07-21 22:17:23.000000000 -0400
33921+++ linux-3.0.7/drivers/scsi/megaraid/megaraid_mbox.c 2011-08-23 21:48:14.000000000 -0400
33922@@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
33923 int rval;
33924 int i;
33925
33926+ pax_track_stack();
33927+
33928 // Allocate memory for the base list of scb for management module.
33929 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
33930
33931diff -urNp linux-3.0.7/drivers/scsi/osd/osd_initiator.c linux-3.0.7/drivers/scsi/osd/osd_initiator.c
33932--- linux-3.0.7/drivers/scsi/osd/osd_initiator.c 2011-07-21 22:17:23.000000000 -0400
33933+++ linux-3.0.7/drivers/scsi/osd/osd_initiator.c 2011-08-23 21:48:14.000000000 -0400
33934@@ -97,6 +97,8 @@ static int _osd_get_print_system_info(st
33935 int nelem = ARRAY_SIZE(get_attrs), a = 0;
33936 int ret;
33937
33938+ pax_track_stack();
33939+
33940 or = osd_start_request(od, GFP_KERNEL);
33941 if (!or)
33942 return -ENOMEM;
33943diff -urNp linux-3.0.7/drivers/scsi/pmcraid.c linux-3.0.7/drivers/scsi/pmcraid.c
33944--- linux-3.0.7/drivers/scsi/pmcraid.c 2011-09-02 18:11:21.000000000 -0400
33945+++ linux-3.0.7/drivers/scsi/pmcraid.c 2011-08-23 21:47:56.000000000 -0400
33946@@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
33947 res->scsi_dev = scsi_dev;
33948 scsi_dev->hostdata = res;
33949 res->change_detected = 0;
33950- atomic_set(&res->read_failures, 0);
33951- atomic_set(&res->write_failures, 0);
33952+ atomic_set_unchecked(&res->read_failures, 0);
33953+ atomic_set_unchecked(&res->write_failures, 0);
33954 rc = 0;
33955 }
33956 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
33957@@ -2677,9 +2677,9 @@ static int pmcraid_error_handler(struct
33958
33959 /* If this was a SCSI read/write command keep count of errors */
33960 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
33961- atomic_inc(&res->read_failures);
33962+ atomic_inc_unchecked(&res->read_failures);
33963 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
33964- atomic_inc(&res->write_failures);
33965+ atomic_inc_unchecked(&res->write_failures);
33966
33967 if (!RES_IS_GSCSI(res->cfg_entry) &&
33968 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
33969@@ -3535,7 +3535,7 @@ static int pmcraid_queuecommand_lck(
33970 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
33971 * hrrq_id assigned here in queuecommand
33972 */
33973- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
33974+ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
33975 pinstance->num_hrrq;
33976 cmd->cmd_done = pmcraid_io_done;
33977
33978@@ -3860,7 +3860,7 @@ static long pmcraid_ioctl_passthrough(
33979 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
33980 * hrrq_id assigned here in queuecommand
33981 */
33982- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
33983+ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
33984 pinstance->num_hrrq;
33985
33986 if (request_size) {
33987@@ -4498,7 +4498,7 @@ static void pmcraid_worker_function(stru
33988
33989 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
33990 /* add resources only after host is added into system */
33991- if (!atomic_read(&pinstance->expose_resources))
33992+ if (!atomic_read_unchecked(&pinstance->expose_resources))
33993 return;
33994
33995 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
33996@@ -5332,8 +5332,8 @@ static int __devinit pmcraid_init_instan
33997 init_waitqueue_head(&pinstance->reset_wait_q);
33998
33999 atomic_set(&pinstance->outstanding_cmds, 0);
34000- atomic_set(&pinstance->last_message_id, 0);
34001- atomic_set(&pinstance->expose_resources, 0);
34002+ atomic_set_unchecked(&pinstance->last_message_id, 0);
34003+ atomic_set_unchecked(&pinstance->expose_resources, 0);
34004
34005 INIT_LIST_HEAD(&pinstance->free_res_q);
34006 INIT_LIST_HEAD(&pinstance->used_res_q);
34007@@ -6048,7 +6048,7 @@ static int __devinit pmcraid_probe(
34008 /* Schedule worker thread to handle CCN and take care of adding and
34009 * removing devices to OS
34010 */
34011- atomic_set(&pinstance->expose_resources, 1);
34012+ atomic_set_unchecked(&pinstance->expose_resources, 1);
34013 schedule_work(&pinstance->worker_q);
34014 return rc;
34015
34016diff -urNp linux-3.0.7/drivers/scsi/pmcraid.h linux-3.0.7/drivers/scsi/pmcraid.h
34017--- linux-3.0.7/drivers/scsi/pmcraid.h 2011-07-21 22:17:23.000000000 -0400
34018+++ linux-3.0.7/drivers/scsi/pmcraid.h 2011-08-23 21:47:56.000000000 -0400
34019@@ -749,7 +749,7 @@ struct pmcraid_instance {
34020 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
34021
34022 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
34023- atomic_t last_message_id;
34024+ atomic_unchecked_t last_message_id;
34025
34026 /* configuration table */
34027 struct pmcraid_config_table *cfg_table;
34028@@ -778,7 +778,7 @@ struct pmcraid_instance {
34029 atomic_t outstanding_cmds;
34030
34031 /* should add/delete resources to mid-layer now ?*/
34032- atomic_t expose_resources;
34033+ atomic_unchecked_t expose_resources;
34034
34035
34036
34037@@ -814,8 +814,8 @@ struct pmcraid_resource_entry {
34038 struct pmcraid_config_table_entry_ext cfg_entry_ext;
34039 };
34040 struct scsi_device *scsi_dev; /* Link scsi_device structure */
34041- atomic_t read_failures; /* count of failed READ commands */
34042- atomic_t write_failures; /* count of failed WRITE commands */
34043+ atomic_unchecked_t read_failures; /* count of failed READ commands */
34044+ atomic_unchecked_t write_failures; /* count of failed WRITE commands */
34045
34046 /* To indicate add/delete/modify during CCN */
34047 u8 change_detected;
34048diff -urNp linux-3.0.7/drivers/scsi/qla2xxx/qla_def.h linux-3.0.7/drivers/scsi/qla2xxx/qla_def.h
34049--- linux-3.0.7/drivers/scsi/qla2xxx/qla_def.h 2011-07-21 22:17:23.000000000 -0400
34050+++ linux-3.0.7/drivers/scsi/qla2xxx/qla_def.h 2011-08-23 21:47:56.000000000 -0400
34051@@ -2244,7 +2244,7 @@ struct isp_operations {
34052 int (*get_flash_version) (struct scsi_qla_host *, void *);
34053 int (*start_scsi) (srb_t *);
34054 int (*abort_isp) (struct scsi_qla_host *);
34055-};
34056+} __no_const;
34057
34058 /* MSI-X Support *************************************************************/
34059
34060diff -urNp linux-3.0.7/drivers/scsi/qla4xxx/ql4_def.h linux-3.0.7/drivers/scsi/qla4xxx/ql4_def.h
34061--- linux-3.0.7/drivers/scsi/qla4xxx/ql4_def.h 2011-07-21 22:17:23.000000000 -0400
34062+++ linux-3.0.7/drivers/scsi/qla4xxx/ql4_def.h 2011-08-23 21:47:56.000000000 -0400
34063@@ -256,7 +256,7 @@ struct ddb_entry {
34064 atomic_t retry_relogin_timer; /* Min Time between relogins
34065 * (4000 only) */
34066 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
34067- atomic_t relogin_retry_count; /* Num of times relogin has been
34068+ atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
34069 * retried */
34070
34071 uint16_t port;
34072diff -urNp linux-3.0.7/drivers/scsi/qla4xxx/ql4_init.c linux-3.0.7/drivers/scsi/qla4xxx/ql4_init.c
34073--- linux-3.0.7/drivers/scsi/qla4xxx/ql4_init.c 2011-07-21 22:17:23.000000000 -0400
34074+++ linux-3.0.7/drivers/scsi/qla4xxx/ql4_init.c 2011-08-23 21:47:56.000000000 -0400
34075@@ -680,7 +680,7 @@ static struct ddb_entry * qla4xxx_alloc_
34076 ddb_entry->fw_ddb_index = fw_ddb_index;
34077 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
34078 atomic_set(&ddb_entry->relogin_timer, 0);
34079- atomic_set(&ddb_entry->relogin_retry_count, 0);
34080+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
34081 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
34082 list_add_tail(&ddb_entry->list, &ha->ddb_list);
34083 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
34084@@ -1433,7 +1433,7 @@ int qla4xxx_process_ddb_changed(struct s
34085 if ((ddb_entry->fw_ddb_device_state == DDB_DS_SESSION_ACTIVE) &&
34086 (atomic_read(&ddb_entry->state) != DDB_STATE_ONLINE)) {
34087 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
34088- atomic_set(&ddb_entry->relogin_retry_count, 0);
34089+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
34090 atomic_set(&ddb_entry->relogin_timer, 0);
34091 clear_bit(DF_RELOGIN, &ddb_entry->flags);
34092 iscsi_unblock_session(ddb_entry->sess);
34093diff -urNp linux-3.0.7/drivers/scsi/qla4xxx/ql4_os.c linux-3.0.7/drivers/scsi/qla4xxx/ql4_os.c
34094--- linux-3.0.7/drivers/scsi/qla4xxx/ql4_os.c 2011-07-21 22:17:23.000000000 -0400
34095+++ linux-3.0.7/drivers/scsi/qla4xxx/ql4_os.c 2011-08-23 21:47:56.000000000 -0400
34096@@ -811,13 +811,13 @@ static void qla4xxx_timer(struct scsi_ql
34097 ddb_entry->fw_ddb_device_state ==
34098 DDB_DS_SESSION_FAILED) {
34099 /* Reset retry relogin timer */
34100- atomic_inc(&ddb_entry->relogin_retry_count);
34101+ atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
34102 DEBUG2(printk("scsi%ld: ddb [%d] relogin"
34103 " timed out-retrying"
34104 " relogin (%d)\n",
34105 ha->host_no,
34106 ddb_entry->fw_ddb_index,
34107- atomic_read(&ddb_entry->
34108+ atomic_read_unchecked(&ddb_entry->
34109 relogin_retry_count))
34110 );
34111 start_dpc++;
34112diff -urNp linux-3.0.7/drivers/scsi/scsi.c linux-3.0.7/drivers/scsi/scsi.c
34113--- linux-3.0.7/drivers/scsi/scsi.c 2011-07-21 22:17:23.000000000 -0400
34114+++ linux-3.0.7/drivers/scsi/scsi.c 2011-08-23 21:47:56.000000000 -0400
34115@@ -655,7 +655,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
34116 unsigned long timeout;
34117 int rtn = 0;
34118
34119- atomic_inc(&cmd->device->iorequest_cnt);
34120+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
34121
34122 /* check if the device is still usable */
34123 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
34124diff -urNp linux-3.0.7/drivers/scsi/scsi_debug.c linux-3.0.7/drivers/scsi/scsi_debug.c
34125--- linux-3.0.7/drivers/scsi/scsi_debug.c 2011-07-21 22:17:23.000000000 -0400
34126+++ linux-3.0.7/drivers/scsi/scsi_debug.c 2011-08-23 21:48:14.000000000 -0400
34127@@ -1493,6 +1493,8 @@ static int resp_mode_select(struct scsi_
34128 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
34129 unsigned char *cmd = (unsigned char *)scp->cmnd;
34130
34131+ pax_track_stack();
34132+
34133 if ((errsts = check_readiness(scp, 1, devip)))
34134 return errsts;
34135 memset(arr, 0, sizeof(arr));
34136@@ -1590,6 +1592,8 @@ static int resp_log_sense(struct scsi_cm
34137 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
34138 unsigned char *cmd = (unsigned char *)scp->cmnd;
34139
34140+ pax_track_stack();
34141+
34142 if ((errsts = check_readiness(scp, 1, devip)))
34143 return errsts;
34144 memset(arr, 0, sizeof(arr));
34145diff -urNp linux-3.0.7/drivers/scsi/scsi_lib.c linux-3.0.7/drivers/scsi/scsi_lib.c
34146--- linux-3.0.7/drivers/scsi/scsi_lib.c 2011-09-02 18:11:21.000000000 -0400
34147+++ linux-3.0.7/drivers/scsi/scsi_lib.c 2011-08-23 21:47:56.000000000 -0400
34148@@ -1412,7 +1412,7 @@ static void scsi_kill_request(struct req
34149 shost = sdev->host;
34150 scsi_init_cmd_errh(cmd);
34151 cmd->result = DID_NO_CONNECT << 16;
34152- atomic_inc(&cmd->device->iorequest_cnt);
34153+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
34154
34155 /*
34156 * SCSI request completion path will do scsi_device_unbusy(),
34157@@ -1438,9 +1438,9 @@ static void scsi_softirq_done(struct req
34158
34159 INIT_LIST_HEAD(&cmd->eh_entry);
34160
34161- atomic_inc(&cmd->device->iodone_cnt);
34162+ atomic_inc_unchecked(&cmd->device->iodone_cnt);
34163 if (cmd->result)
34164- atomic_inc(&cmd->device->ioerr_cnt);
34165+ atomic_inc_unchecked(&cmd->device->ioerr_cnt);
34166
34167 disposition = scsi_decide_disposition(cmd);
34168 if (disposition != SUCCESS &&
34169diff -urNp linux-3.0.7/drivers/scsi/scsi_sysfs.c linux-3.0.7/drivers/scsi/scsi_sysfs.c
34170--- linux-3.0.7/drivers/scsi/scsi_sysfs.c 2011-07-21 22:17:23.000000000 -0400
34171+++ linux-3.0.7/drivers/scsi/scsi_sysfs.c 2011-08-23 21:47:56.000000000 -0400
34172@@ -622,7 +622,7 @@ show_iostat_##field(struct device *dev,
34173 char *buf) \
34174 { \
34175 struct scsi_device *sdev = to_scsi_device(dev); \
34176- unsigned long long count = atomic_read(&sdev->field); \
34177+ unsigned long long count = atomic_read_unchecked(&sdev->field); \
34178 return snprintf(buf, 20, "0x%llx\n", count); \
34179 } \
34180 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
34181diff -urNp linux-3.0.7/drivers/scsi/scsi_tgt_lib.c linux-3.0.7/drivers/scsi/scsi_tgt_lib.c
34182--- linux-3.0.7/drivers/scsi/scsi_tgt_lib.c 2011-07-21 22:17:23.000000000 -0400
34183+++ linux-3.0.7/drivers/scsi/scsi_tgt_lib.c 2011-10-06 04:17:55.000000000 -0400
34184@@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct sc
34185 int err;
34186
34187 dprintk("%lx %u\n", uaddr, len);
34188- err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
34189+ err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
34190 if (err) {
34191 /*
34192 * TODO: need to fixup sg_tablesize, max_segment_size,
34193diff -urNp linux-3.0.7/drivers/scsi/scsi_transport_fc.c linux-3.0.7/drivers/scsi/scsi_transport_fc.c
34194--- linux-3.0.7/drivers/scsi/scsi_transport_fc.c 2011-07-21 22:17:23.000000000 -0400
34195+++ linux-3.0.7/drivers/scsi/scsi_transport_fc.c 2011-08-23 21:47:56.000000000 -0400
34196@@ -484,7 +484,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_
34197 * Netlink Infrastructure
34198 */
34199
34200-static atomic_t fc_event_seq;
34201+static atomic_unchecked_t fc_event_seq;
34202
34203 /**
34204 * fc_get_event_number - Obtain the next sequential FC event number
34205@@ -497,7 +497,7 @@ static atomic_t fc_event_seq;
34206 u32
34207 fc_get_event_number(void)
34208 {
34209- return atomic_add_return(1, &fc_event_seq);
34210+ return atomic_add_return_unchecked(1, &fc_event_seq);
34211 }
34212 EXPORT_SYMBOL(fc_get_event_number);
34213
34214@@ -645,7 +645,7 @@ static __init int fc_transport_init(void
34215 {
34216 int error;
34217
34218- atomic_set(&fc_event_seq, 0);
34219+ atomic_set_unchecked(&fc_event_seq, 0);
34220
34221 error = transport_class_register(&fc_host_class);
34222 if (error)
34223@@ -835,7 +835,7 @@ static int fc_str_to_dev_loss(const char
34224 char *cp;
34225
34226 *val = simple_strtoul(buf, &cp, 0);
34227- if ((*cp && (*cp != '\n')) || (*val < 0))
34228+ if (*cp && (*cp != '\n'))
34229 return -EINVAL;
34230 /*
34231 * Check for overflow; dev_loss_tmo is u32
34232diff -urNp linux-3.0.7/drivers/scsi/scsi_transport_iscsi.c linux-3.0.7/drivers/scsi/scsi_transport_iscsi.c
34233--- linux-3.0.7/drivers/scsi/scsi_transport_iscsi.c 2011-07-21 22:17:23.000000000 -0400
34234+++ linux-3.0.7/drivers/scsi/scsi_transport_iscsi.c 2011-08-23 21:47:56.000000000 -0400
34235@@ -83,7 +83,7 @@ struct iscsi_internal {
34236 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
34237 };
34238
34239-static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
34240+static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
34241 static struct workqueue_struct *iscsi_eh_timer_workq;
34242
34243 /*
34244@@ -761,7 +761,7 @@ int iscsi_add_session(struct iscsi_cls_s
34245 int err;
34246
34247 ihost = shost->shost_data;
34248- session->sid = atomic_add_return(1, &iscsi_session_nr);
34249+ session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
34250
34251 if (id == ISCSI_MAX_TARGET) {
34252 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
34253@@ -2200,7 +2200,7 @@ static __init int iscsi_transport_init(v
34254 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
34255 ISCSI_TRANSPORT_VERSION);
34256
34257- atomic_set(&iscsi_session_nr, 0);
34258+ atomic_set_unchecked(&iscsi_session_nr, 0);
34259
34260 err = class_register(&iscsi_transport_class);
34261 if (err)
34262diff -urNp linux-3.0.7/drivers/scsi/scsi_transport_srp.c linux-3.0.7/drivers/scsi/scsi_transport_srp.c
34263--- linux-3.0.7/drivers/scsi/scsi_transport_srp.c 2011-07-21 22:17:23.000000000 -0400
34264+++ linux-3.0.7/drivers/scsi/scsi_transport_srp.c 2011-08-23 21:47:56.000000000 -0400
34265@@ -33,7 +33,7 @@
34266 #include "scsi_transport_srp_internal.h"
34267
34268 struct srp_host_attrs {
34269- atomic_t next_port_id;
34270+ atomic_unchecked_t next_port_id;
34271 };
34272 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
34273
34274@@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
34275 struct Scsi_Host *shost = dev_to_shost(dev);
34276 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
34277
34278- atomic_set(&srp_host->next_port_id, 0);
34279+ atomic_set_unchecked(&srp_host->next_port_id, 0);
34280 return 0;
34281 }
34282
34283@@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
34284 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
34285 rport->roles = ids->roles;
34286
34287- id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
34288+ id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
34289 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
34290
34291 transport_setup_device(&rport->dev);
34292diff -urNp linux-3.0.7/drivers/scsi/sg.c linux-3.0.7/drivers/scsi/sg.c
34293--- linux-3.0.7/drivers/scsi/sg.c 2011-07-21 22:17:23.000000000 -0400
34294+++ linux-3.0.7/drivers/scsi/sg.c 2011-10-06 04:17:55.000000000 -0400
34295@@ -1075,7 +1075,7 @@ sg_ioctl(struct file *filp, unsigned int
34296 sdp->disk->disk_name,
34297 MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
34298 NULL,
34299- (char *)arg);
34300+ (char __user *)arg);
34301 case BLKTRACESTART:
34302 return blk_trace_startstop(sdp->device->request_queue, 1);
34303 case BLKTRACESTOP:
34304@@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
34305 const struct file_operations * fops;
34306 };
34307
34308-static struct sg_proc_leaf sg_proc_leaf_arr[] = {
34309+static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
34310 {"allow_dio", &adio_fops},
34311 {"debug", &debug_fops},
34312 {"def_reserved_size", &dressz_fops},
34313@@ -2325,7 +2325,7 @@ sg_proc_init(void)
34314 {
34315 int k, mask;
34316 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
34317- struct sg_proc_leaf * leaf;
34318+ const struct sg_proc_leaf * leaf;
34319
34320 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
34321 if (!sg_proc_sgp)
34322diff -urNp linux-3.0.7/drivers/scsi/sym53c8xx_2/sym_glue.c linux-3.0.7/drivers/scsi/sym53c8xx_2/sym_glue.c
34323--- linux-3.0.7/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-07-21 22:17:23.000000000 -0400
34324+++ linux-3.0.7/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-08-23 21:48:14.000000000 -0400
34325@@ -1756,6 +1756,8 @@ static int __devinit sym2_probe(struct p
34326 int do_iounmap = 0;
34327 int do_disable_device = 1;
34328
34329+ pax_track_stack();
34330+
34331 memset(&sym_dev, 0, sizeof(sym_dev));
34332 memset(&nvram, 0, sizeof(nvram));
34333 sym_dev.pdev = pdev;
34334diff -urNp linux-3.0.7/drivers/scsi/vmw_pvscsi.c linux-3.0.7/drivers/scsi/vmw_pvscsi.c
34335--- linux-3.0.7/drivers/scsi/vmw_pvscsi.c 2011-07-21 22:17:23.000000000 -0400
34336+++ linux-3.0.7/drivers/scsi/vmw_pvscsi.c 2011-08-23 21:48:14.000000000 -0400
34337@@ -447,6 +447,8 @@ static void pvscsi_setup_all_rings(const
34338 dma_addr_t base;
34339 unsigned i;
34340
34341+ pax_track_stack();
34342+
34343 cmd.ringsStatePPN = adapter->ringStatePA >> PAGE_SHIFT;
34344 cmd.reqRingNumPages = adapter->req_pages;
34345 cmd.cmpRingNumPages = adapter->cmp_pages;
34346diff -urNp linux-3.0.7/drivers/spi/dw_spi_pci.c linux-3.0.7/drivers/spi/dw_spi_pci.c
34347--- linux-3.0.7/drivers/spi/dw_spi_pci.c 2011-07-21 22:17:23.000000000 -0400
34348+++ linux-3.0.7/drivers/spi/dw_spi_pci.c 2011-10-11 10:44:33.000000000 -0400
34349@@ -148,7 +148,7 @@ static int spi_resume(struct pci_dev *pd
34350 #define spi_resume NULL
34351 #endif
34352
34353-static const struct pci_device_id pci_ids[] __devinitdata = {
34354+static const struct pci_device_id pci_ids[] __devinitconst = {
34355 /* Intel MID platform SPI controller 0 */
34356 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0800) },
34357 {},
34358diff -urNp linux-3.0.7/drivers/spi/spi.c linux-3.0.7/drivers/spi/spi.c
34359--- linux-3.0.7/drivers/spi/spi.c 2011-07-21 22:17:23.000000000 -0400
34360+++ linux-3.0.7/drivers/spi/spi.c 2011-08-23 21:47:56.000000000 -0400
34361@@ -1023,7 +1023,7 @@ int spi_bus_unlock(struct spi_master *ma
34362 EXPORT_SYMBOL_GPL(spi_bus_unlock);
34363
34364 /* portable code must never pass more than 32 bytes */
34365-#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
34366+#define SPI_BUFSIZ max(32UL,SMP_CACHE_BYTES)
34367
34368 static u8 *buf;
34369
34370diff -urNp linux-3.0.7/drivers/staging/ath6kl/os/linux/ar6000_drv.c linux-3.0.7/drivers/staging/ath6kl/os/linux/ar6000_drv.c
34371--- linux-3.0.7/drivers/staging/ath6kl/os/linux/ar6000_drv.c 2011-09-02 18:11:21.000000000 -0400
34372+++ linux-3.0.7/drivers/staging/ath6kl/os/linux/ar6000_drv.c 2011-08-23 21:48:14.000000000 -0400
34373@@ -362,7 +362,7 @@ static struct ar_cookie s_ar_cookie_mem[
34374 (((ar)->arTargetType == TARGET_TYPE_AR6003) ? AR6003_HOST_INTEREST_ITEM_ADDRESS(item) : 0))
34375
34376
34377-static struct net_device_ops ar6000_netdev_ops = {
34378+static net_device_ops_no_const ar6000_netdev_ops = {
34379 .ndo_init = NULL,
34380 .ndo_open = ar6000_open,
34381 .ndo_stop = ar6000_close,
34382diff -urNp linux-3.0.7/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h linux-3.0.7/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h
34383--- linux-3.0.7/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h 2011-07-21 22:17:23.000000000 -0400
34384+++ linux-3.0.7/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h 2011-08-23 21:47:56.000000000 -0400
34385@@ -30,7 +30,7 @@ typedef bool (*ar6k_pal_recv_pkt_t)(void
34386 typedef struct ar6k_pal_config_s
34387 {
34388 ar6k_pal_recv_pkt_t fpar6k_pal_recv_pkt;
34389-}ar6k_pal_config_t;
34390+} __no_const ar6k_pal_config_t;
34391
34392 void register_pal_cb(ar6k_pal_config_t *palConfig_p);
34393 #endif /* _AR6K_PAL_H_ */
34394diff -urNp linux-3.0.7/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-3.0.7/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
34395--- linux-3.0.7/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-07-21 22:17:23.000000000 -0400
34396+++ linux-3.0.7/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-08-23 21:47:56.000000000 -0400
34397@@ -853,14 +853,14 @@ static void dhd_op_if(dhd_if_t *ifp)
34398 free_netdev(ifp->net);
34399 }
34400 /* Allocate etherdev, including space for private structure */
34401- ifp->net = alloc_etherdev(sizeof(dhd));
34402+ ifp->net = alloc_etherdev(sizeof(*dhd));
34403 if (!ifp->net) {
34404 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
34405 ret = -ENOMEM;
34406 }
34407 if (ret == 0) {
34408 strcpy(ifp->net->name, ifp->name);
34409- memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
34410+ memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
34411 err = dhd_net_attach(&dhd->pub, ifp->idx);
34412 if (err != 0) {
34413 DHD_ERROR(("%s: dhd_net_attach failed, "
34414@@ -1872,7 +1872,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
34415 strcpy(nv_path, nvram_path);
34416
34417 /* Allocate etherdev, including space for private structure */
34418- net = alloc_etherdev(sizeof(dhd));
34419+ net = alloc_etherdev(sizeof(*dhd));
34420 if (!net) {
34421 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
34422 goto fail;
34423@@ -1888,7 +1888,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
34424 /*
34425 * Save the dhd_info into the priv
34426 */
34427- memcpy(netdev_priv(net), &dhd, sizeof(dhd));
34428+ memcpy(netdev_priv(net), dhd, sizeof(*dhd));
34429
34430 /* Set network interface name if it was provided as module parameter */
34431 if (iface_name[0]) {
34432@@ -2004,7 +2004,7 @@ dhd_pub_t *dhd_attach(struct dhd_bus *bu
34433 /*
34434 * Save the dhd_info into the priv
34435 */
34436- memcpy(netdev_priv(net), &dhd, sizeof(dhd));
34437+ memcpy(netdev_priv(net), dhd, sizeof(*dhd));
34438
34439 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
34440 g_bus = bus;
34441diff -urNp linux-3.0.7/drivers/staging/brcm80211/brcmsmac/phy/wlc_phy_int.h linux-3.0.7/drivers/staging/brcm80211/brcmsmac/phy/wlc_phy_int.h
34442--- linux-3.0.7/drivers/staging/brcm80211/brcmsmac/phy/wlc_phy_int.h 2011-07-21 22:17:23.000000000 -0400
34443+++ linux-3.0.7/drivers/staging/brcm80211/brcmsmac/phy/wlc_phy_int.h 2011-08-23 21:47:56.000000000 -0400
34444@@ -593,7 +593,7 @@ struct phy_func_ptr {
34445 initfn_t carrsuppr;
34446 rxsigpwrfn_t rxsigpwr;
34447 detachfn_t detach;
34448-};
34449+} __no_const;
34450 typedef struct phy_func_ptr phy_func_ptr_t;
34451
34452 struct phy_info {
34453diff -urNp linux-3.0.7/drivers/staging/brcm80211/include/bcmsdh.h linux-3.0.7/drivers/staging/brcm80211/include/bcmsdh.h
34454--- linux-3.0.7/drivers/staging/brcm80211/include/bcmsdh.h 2011-07-21 22:17:23.000000000 -0400
34455+++ linux-3.0.7/drivers/staging/brcm80211/include/bcmsdh.h 2011-08-23 21:47:56.000000000 -0400
34456@@ -185,7 +185,7 @@ typedef struct {
34457 u16 func, uint bustype, void *regsva, void *param);
34458 /* detach from device */
34459 void (*detach) (void *ch);
34460-} bcmsdh_driver_t;
34461+} __no_const bcmsdh_driver_t;
34462
34463 /* platform specific/high level functions */
34464 extern int bcmsdh_register(bcmsdh_driver_t *driver);
34465diff -urNp linux-3.0.7/drivers/staging/et131x/et1310_tx.c linux-3.0.7/drivers/staging/et131x/et1310_tx.c
34466--- linux-3.0.7/drivers/staging/et131x/et1310_tx.c 2011-07-21 22:17:23.000000000 -0400
34467+++ linux-3.0.7/drivers/staging/et131x/et1310_tx.c 2011-08-23 21:47:56.000000000 -0400
34468@@ -635,11 +635,11 @@ inline void et131x_free_send_packet(stru
34469 struct net_device_stats *stats = &etdev->net_stats;
34470
34471 if (tcb->flags & fMP_DEST_BROAD)
34472- atomic_inc(&etdev->Stats.brdcstxmt);
34473+ atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
34474 else if (tcb->flags & fMP_DEST_MULTI)
34475- atomic_inc(&etdev->Stats.multixmt);
34476+ atomic_inc_unchecked(&etdev->Stats.multixmt);
34477 else
34478- atomic_inc(&etdev->Stats.unixmt);
34479+ atomic_inc_unchecked(&etdev->Stats.unixmt);
34480
34481 if (tcb->skb) {
34482 stats->tx_bytes += tcb->skb->len;
34483diff -urNp linux-3.0.7/drivers/staging/et131x/et131x_adapter.h linux-3.0.7/drivers/staging/et131x/et131x_adapter.h
34484--- linux-3.0.7/drivers/staging/et131x/et131x_adapter.h 2011-07-21 22:17:23.000000000 -0400
34485+++ linux-3.0.7/drivers/staging/et131x/et131x_adapter.h 2011-08-23 21:47:56.000000000 -0400
34486@@ -110,11 +110,11 @@ typedef struct _ce_stats_t {
34487 * operations
34488 */
34489 u32 unircv; /* # multicast packets received */
34490- atomic_t unixmt; /* # multicast packets for Tx */
34491+ atomic_unchecked_t unixmt; /* # multicast packets for Tx */
34492 u32 multircv; /* # multicast packets received */
34493- atomic_t multixmt; /* # multicast packets for Tx */
34494+ atomic_unchecked_t multixmt; /* # multicast packets for Tx */
34495 u32 brdcstrcv; /* # broadcast packets received */
34496- atomic_t brdcstxmt; /* # broadcast packets for Tx */
34497+ atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
34498 u32 norcvbuf; /* # Rx packets discarded */
34499 u32 noxmtbuf; /* # Tx packets discarded */
34500
34501diff -urNp linux-3.0.7/drivers/staging/hv/channel.c linux-3.0.7/drivers/staging/hv/channel.c
34502--- linux-3.0.7/drivers/staging/hv/channel.c 2011-09-02 18:11:21.000000000 -0400
34503+++ linux-3.0.7/drivers/staging/hv/channel.c 2011-08-23 21:47:56.000000000 -0400
34504@@ -433,8 +433,8 @@ int vmbus_establish_gpadl(struct vmbus_c
34505 int ret = 0;
34506 int t;
34507
34508- next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
34509- atomic_inc(&vmbus_connection.next_gpadl_handle);
34510+ next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle);
34511+ atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle);
34512
34513 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
34514 if (ret)
34515diff -urNp linux-3.0.7/drivers/staging/hv/hv.c linux-3.0.7/drivers/staging/hv/hv.c
34516--- linux-3.0.7/drivers/staging/hv/hv.c 2011-07-21 22:17:23.000000000 -0400
34517+++ linux-3.0.7/drivers/staging/hv/hv.c 2011-08-23 21:47:56.000000000 -0400
34518@@ -132,7 +132,7 @@ static u64 do_hypercall(u64 control, voi
34519 u64 output_address = (output) ? virt_to_phys(output) : 0;
34520 u32 output_address_hi = output_address >> 32;
34521 u32 output_address_lo = output_address & 0xFFFFFFFF;
34522- volatile void *hypercall_page = hv_context.hypercall_page;
34523+ volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
34524
34525 __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
34526 "=a"(hv_status_lo) : "d" (control_hi),
34527diff -urNp linux-3.0.7/drivers/staging/hv/hv_mouse.c linux-3.0.7/drivers/staging/hv/hv_mouse.c
34528--- linux-3.0.7/drivers/staging/hv/hv_mouse.c 2011-07-21 22:17:23.000000000 -0400
34529+++ linux-3.0.7/drivers/staging/hv/hv_mouse.c 2011-08-23 21:47:56.000000000 -0400
34530@@ -879,8 +879,10 @@ static void reportdesc_callback(struct h
34531 if (hid_dev) {
34532 DPRINT_INFO(INPUTVSC_DRV, "hid_device created");
34533
34534- hid_dev->ll_driver->open = mousevsc_hid_open;
34535- hid_dev->ll_driver->close = mousevsc_hid_close;
34536+ pax_open_kernel();
34537+ *(void **)&hid_dev->ll_driver->open = mousevsc_hid_open;
34538+ *(void **)&hid_dev->ll_driver->close = mousevsc_hid_close;
34539+ pax_close_kernel();
34540
34541 hid_dev->bus = BUS_VIRTUAL;
34542 hid_dev->vendor = input_device_ctx->device_info.vendor;
34543diff -urNp linux-3.0.7/drivers/staging/hv/hyperv_vmbus.h linux-3.0.7/drivers/staging/hv/hyperv_vmbus.h
34544--- linux-3.0.7/drivers/staging/hv/hyperv_vmbus.h 2011-07-21 22:17:23.000000000 -0400
34545+++ linux-3.0.7/drivers/staging/hv/hyperv_vmbus.h 2011-08-23 21:47:56.000000000 -0400
34546@@ -559,7 +559,7 @@ enum vmbus_connect_state {
34547 struct vmbus_connection {
34548 enum vmbus_connect_state conn_state;
34549
34550- atomic_t next_gpadl_handle;
34551+ atomic_unchecked_t next_gpadl_handle;
34552
34553 /*
34554 * Represents channel interrupts. Each bit position represents a
34555diff -urNp linux-3.0.7/drivers/staging/hv/rndis_filter.c linux-3.0.7/drivers/staging/hv/rndis_filter.c
34556--- linux-3.0.7/drivers/staging/hv/rndis_filter.c 2011-09-02 18:11:21.000000000 -0400
34557+++ linux-3.0.7/drivers/staging/hv/rndis_filter.c 2011-08-23 21:47:56.000000000 -0400
34558@@ -43,7 +43,7 @@ struct rndis_device {
34559
34560 enum rndis_device_state state;
34561 u32 link_stat;
34562- atomic_t new_req_id;
34563+ atomic_unchecked_t new_req_id;
34564
34565 spinlock_t request_lock;
34566 struct list_head req_list;
34567@@ -117,7 +117,7 @@ static struct rndis_request *get_rndis_r
34568 * template
34569 */
34570 set = &rndis_msg->msg.set_req;
34571- set->req_id = atomic_inc_return(&dev->new_req_id);
34572+ set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
34573
34574 /* Add to the request list */
34575 spin_lock_irqsave(&dev->request_lock, flags);
34576@@ -637,7 +637,7 @@ static void rndis_filter_halt_device(str
34577
34578 /* Setup the rndis set */
34579 halt = &request->request_msg.msg.halt_req;
34580- halt->req_id = atomic_inc_return(&dev->new_req_id);
34581+ halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
34582
34583 /* Ignore return since this msg is optional. */
34584 rndis_filter_send_request(dev, request);
34585diff -urNp linux-3.0.7/drivers/staging/hv/vmbus_drv.c linux-3.0.7/drivers/staging/hv/vmbus_drv.c
34586--- linux-3.0.7/drivers/staging/hv/vmbus_drv.c 2011-07-21 22:17:23.000000000 -0400
34587+++ linux-3.0.7/drivers/staging/hv/vmbus_drv.c 2011-08-23 21:47:56.000000000 -0400
34588@@ -668,11 +668,11 @@ int vmbus_child_device_register(struct h
34589 {
34590 int ret = 0;
34591
34592- static atomic_t device_num = ATOMIC_INIT(0);
34593+ static atomic_unchecked_t device_num = ATOMIC_INIT(0);
34594
34595 /* Set the device name. Otherwise, device_register() will fail. */
34596 dev_set_name(&child_device_obj->device, "vmbus_0_%d",
34597- atomic_inc_return(&device_num));
34598+ atomic_inc_return_unchecked(&device_num));
34599
34600 /* The new device belongs to this bus */
34601 child_device_obj->device.bus = &hv_bus; /* device->dev.bus; */
34602diff -urNp linux-3.0.7/drivers/staging/iio/ring_generic.h linux-3.0.7/drivers/staging/iio/ring_generic.h
34603--- linux-3.0.7/drivers/staging/iio/ring_generic.h 2011-07-21 22:17:23.000000000 -0400
34604+++ linux-3.0.7/drivers/staging/iio/ring_generic.h 2011-08-23 21:47:56.000000000 -0400
34605@@ -62,7 +62,7 @@ struct iio_ring_access_funcs {
34606
34607 int (*is_enabled)(struct iio_ring_buffer *ring);
34608 int (*enable)(struct iio_ring_buffer *ring);
34609-};
34610+} __no_const;
34611
34612 struct iio_ring_setup_ops {
34613 int (*preenable)(struct iio_dev *);
34614diff -urNp linux-3.0.7/drivers/staging/octeon/ethernet-rx.c linux-3.0.7/drivers/staging/octeon/ethernet-rx.c
34615--- linux-3.0.7/drivers/staging/octeon/ethernet-rx.c 2011-07-21 22:17:23.000000000 -0400
34616+++ linux-3.0.7/drivers/staging/octeon/ethernet-rx.c 2011-08-23 21:47:56.000000000 -0400
34617@@ -417,11 +417,11 @@ static int cvm_oct_napi_poll(struct napi
34618 /* Increment RX stats for virtual ports */
34619 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
34620 #ifdef CONFIG_64BIT
34621- atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
34622- atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
34623+ atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
34624+ atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
34625 #else
34626- atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
34627- atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
34628+ atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
34629+ atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
34630 #endif
34631 }
34632 netif_receive_skb(skb);
34633@@ -433,9 +433,9 @@ static int cvm_oct_napi_poll(struct napi
34634 dev->name);
34635 */
34636 #ifdef CONFIG_64BIT
34637- atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
34638+ atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
34639 #else
34640- atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
34641+ atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
34642 #endif
34643 dev_kfree_skb_irq(skb);
34644 }
34645diff -urNp linux-3.0.7/drivers/staging/octeon/ethernet.c linux-3.0.7/drivers/staging/octeon/ethernet.c
34646--- linux-3.0.7/drivers/staging/octeon/ethernet.c 2011-07-21 22:17:23.000000000 -0400
34647+++ linux-3.0.7/drivers/staging/octeon/ethernet.c 2011-08-23 21:47:56.000000000 -0400
34648@@ -258,11 +258,11 @@ static struct net_device_stats *cvm_oct_
34649 * since the RX tasklet also increments it.
34650 */
34651 #ifdef CONFIG_64BIT
34652- atomic64_add(rx_status.dropped_packets,
34653- (atomic64_t *)&priv->stats.rx_dropped);
34654+ atomic64_add_unchecked(rx_status.dropped_packets,
34655+ (atomic64_unchecked_t *)&priv->stats.rx_dropped);
34656 #else
34657- atomic_add(rx_status.dropped_packets,
34658- (atomic_t *)&priv->stats.rx_dropped);
34659+ atomic_add_unchecked(rx_status.dropped_packets,
34660+ (atomic_unchecked_t *)&priv->stats.rx_dropped);
34661 #endif
34662 }
34663
34664diff -urNp linux-3.0.7/drivers/staging/pohmelfs/inode.c linux-3.0.7/drivers/staging/pohmelfs/inode.c
34665--- linux-3.0.7/drivers/staging/pohmelfs/inode.c 2011-07-21 22:17:23.000000000 -0400
34666+++ linux-3.0.7/drivers/staging/pohmelfs/inode.c 2011-08-23 21:47:56.000000000 -0400
34667@@ -1856,7 +1856,7 @@ static int pohmelfs_fill_super(struct su
34668 mutex_init(&psb->mcache_lock);
34669 psb->mcache_root = RB_ROOT;
34670 psb->mcache_timeout = msecs_to_jiffies(5000);
34671- atomic_long_set(&psb->mcache_gen, 0);
34672+ atomic_long_set_unchecked(&psb->mcache_gen, 0);
34673
34674 psb->trans_max_pages = 100;
34675
34676@@ -1871,7 +1871,7 @@ static int pohmelfs_fill_super(struct su
34677 INIT_LIST_HEAD(&psb->crypto_ready_list);
34678 INIT_LIST_HEAD(&psb->crypto_active_list);
34679
34680- atomic_set(&psb->trans_gen, 1);
34681+ atomic_set_unchecked(&psb->trans_gen, 1);
34682 atomic_long_set(&psb->total_inodes, 0);
34683
34684 mutex_init(&psb->state_lock);
34685diff -urNp linux-3.0.7/drivers/staging/pohmelfs/mcache.c linux-3.0.7/drivers/staging/pohmelfs/mcache.c
34686--- linux-3.0.7/drivers/staging/pohmelfs/mcache.c 2011-07-21 22:17:23.000000000 -0400
34687+++ linux-3.0.7/drivers/staging/pohmelfs/mcache.c 2011-08-23 21:47:56.000000000 -0400
34688@@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
34689 m->data = data;
34690 m->start = start;
34691 m->size = size;
34692- m->gen = atomic_long_inc_return(&psb->mcache_gen);
34693+ m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
34694
34695 mutex_lock(&psb->mcache_lock);
34696 err = pohmelfs_mcache_insert(psb, m);
34697diff -urNp linux-3.0.7/drivers/staging/pohmelfs/netfs.h linux-3.0.7/drivers/staging/pohmelfs/netfs.h
34698--- linux-3.0.7/drivers/staging/pohmelfs/netfs.h 2011-07-21 22:17:23.000000000 -0400
34699+++ linux-3.0.7/drivers/staging/pohmelfs/netfs.h 2011-08-23 21:47:56.000000000 -0400
34700@@ -571,14 +571,14 @@ struct pohmelfs_config;
34701 struct pohmelfs_sb {
34702 struct rb_root mcache_root;
34703 struct mutex mcache_lock;
34704- atomic_long_t mcache_gen;
34705+ atomic_long_unchecked_t mcache_gen;
34706 unsigned long mcache_timeout;
34707
34708 unsigned int idx;
34709
34710 unsigned int trans_retries;
34711
34712- atomic_t trans_gen;
34713+ atomic_unchecked_t trans_gen;
34714
34715 unsigned int crypto_attached_size;
34716 unsigned int crypto_align_size;
34717diff -urNp linux-3.0.7/drivers/staging/pohmelfs/trans.c linux-3.0.7/drivers/staging/pohmelfs/trans.c
34718--- linux-3.0.7/drivers/staging/pohmelfs/trans.c 2011-07-21 22:17:23.000000000 -0400
34719+++ linux-3.0.7/drivers/staging/pohmelfs/trans.c 2011-08-23 21:47:56.000000000 -0400
34720@@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
34721 int err;
34722 struct netfs_cmd *cmd = t->iovec.iov_base;
34723
34724- t->gen = atomic_inc_return(&psb->trans_gen);
34725+ t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
34726
34727 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
34728 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
34729diff -urNp linux-3.0.7/drivers/staging/rtl8712/rtl871x_io.h linux-3.0.7/drivers/staging/rtl8712/rtl871x_io.h
34730--- linux-3.0.7/drivers/staging/rtl8712/rtl871x_io.h 2011-07-21 22:17:23.000000000 -0400
34731+++ linux-3.0.7/drivers/staging/rtl8712/rtl871x_io.h 2011-08-23 21:47:56.000000000 -0400
34732@@ -83,7 +83,7 @@ struct _io_ops {
34733 u8 *pmem);
34734 u32 (*_write_port)(struct intf_hdl *pintfhdl, u32 addr, u32 cnt,
34735 u8 *pmem);
34736-};
34737+} __no_const;
34738
34739 struct io_req {
34740 struct list_head list;
34741diff -urNp linux-3.0.7/drivers/staging/sbe-2t3e3/netdev.c linux-3.0.7/drivers/staging/sbe-2t3e3/netdev.c
34742--- linux-3.0.7/drivers/staging/sbe-2t3e3/netdev.c 2011-07-21 22:17:23.000000000 -0400
34743+++ linux-3.0.7/drivers/staging/sbe-2t3e3/netdev.c 2011-08-24 18:21:41.000000000 -0400
34744@@ -51,7 +51,7 @@ int t3e3_ioctl(struct net_device *dev, s
34745 t3e3_if_config(sc, cmd_2t3e3, (char *)&param, &resp, &rlen);
34746
34747 if (rlen)
34748- if (copy_to_user(data, &resp, rlen))
34749+ if (rlen > sizeof resp || copy_to_user(data, &resp, rlen))
34750 return -EFAULT;
34751
34752 return 0;
34753diff -urNp linux-3.0.7/drivers/staging/tty/stallion.c linux-3.0.7/drivers/staging/tty/stallion.c
34754--- linux-3.0.7/drivers/staging/tty/stallion.c 2011-07-21 22:17:23.000000000 -0400
34755+++ linux-3.0.7/drivers/staging/tty/stallion.c 2011-08-23 21:48:14.000000000 -0400
34756@@ -2406,6 +2406,8 @@ static int stl_getportstruct(struct stlp
34757 struct stlport stl_dummyport;
34758 struct stlport *portp;
34759
34760+ pax_track_stack();
34761+
34762 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
34763 return -EFAULT;
34764 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
34765diff -urNp linux-3.0.7/drivers/staging/usbip/usbip_common.h linux-3.0.7/drivers/staging/usbip/usbip_common.h
34766--- linux-3.0.7/drivers/staging/usbip/usbip_common.h 2011-07-21 22:17:23.000000000 -0400
34767+++ linux-3.0.7/drivers/staging/usbip/usbip_common.h 2011-08-23 21:47:56.000000000 -0400
34768@@ -315,7 +315,7 @@ struct usbip_device {
34769 void (*shutdown)(struct usbip_device *);
34770 void (*reset)(struct usbip_device *);
34771 void (*unusable)(struct usbip_device *);
34772- } eh_ops;
34773+ } __no_const eh_ops;
34774 };
34775
34776 void usbip_pack_pdu(struct usbip_header *pdu, struct urb *urb, int cmd,
34777diff -urNp linux-3.0.7/drivers/staging/usbip/vhci.h linux-3.0.7/drivers/staging/usbip/vhci.h
34778--- linux-3.0.7/drivers/staging/usbip/vhci.h 2011-07-21 22:17:23.000000000 -0400
34779+++ linux-3.0.7/drivers/staging/usbip/vhci.h 2011-08-23 21:47:56.000000000 -0400
34780@@ -94,7 +94,7 @@ struct vhci_hcd {
34781 unsigned resuming:1;
34782 unsigned long re_timeout;
34783
34784- atomic_t seqnum;
34785+ atomic_unchecked_t seqnum;
34786
34787 /*
34788 * NOTE:
34789diff -urNp linux-3.0.7/drivers/staging/usbip/vhci_hcd.c linux-3.0.7/drivers/staging/usbip/vhci_hcd.c
34790--- linux-3.0.7/drivers/staging/usbip/vhci_hcd.c 2011-09-02 18:11:21.000000000 -0400
34791+++ linux-3.0.7/drivers/staging/usbip/vhci_hcd.c 2011-08-23 21:47:56.000000000 -0400
34792@@ -511,7 +511,7 @@ static void vhci_tx_urb(struct urb *urb)
34793 return;
34794 }
34795
34796- priv->seqnum = atomic_inc_return(&the_controller->seqnum);
34797+ priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
34798 if (priv->seqnum == 0xffff)
34799 dev_info(&urb->dev->dev, "seqnum max\n");
34800
34801@@ -765,7 +765,7 @@ static int vhci_urb_dequeue(struct usb_h
34802 return -ENOMEM;
34803 }
34804
34805- unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
34806+ unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
34807 if (unlink->seqnum == 0xffff)
34808 pr_info("seqnum max\n");
34809
34810@@ -955,7 +955,7 @@ static int vhci_start(struct usb_hcd *hc
34811 vdev->rhport = rhport;
34812 }
34813
34814- atomic_set(&vhci->seqnum, 0);
34815+ atomic_set_unchecked(&vhci->seqnum, 0);
34816 spin_lock_init(&vhci->lock);
34817
34818 hcd->power_budget = 0; /* no limit */
34819diff -urNp linux-3.0.7/drivers/staging/usbip/vhci_rx.c linux-3.0.7/drivers/staging/usbip/vhci_rx.c
34820--- linux-3.0.7/drivers/staging/usbip/vhci_rx.c 2011-07-21 22:17:23.000000000 -0400
34821+++ linux-3.0.7/drivers/staging/usbip/vhci_rx.c 2011-08-23 21:47:56.000000000 -0400
34822@@ -76,7 +76,7 @@ static void vhci_recv_ret_submit(struct
34823 if (!urb) {
34824 pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
34825 pr_info("max seqnum %d\n",
34826- atomic_read(&the_controller->seqnum));
34827+ atomic_read_unchecked(&the_controller->seqnum));
34828 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
34829 return;
34830 }
34831diff -urNp linux-3.0.7/drivers/staging/vt6655/hostap.c linux-3.0.7/drivers/staging/vt6655/hostap.c
34832--- linux-3.0.7/drivers/staging/vt6655/hostap.c 2011-07-21 22:17:23.000000000 -0400
34833+++ linux-3.0.7/drivers/staging/vt6655/hostap.c 2011-08-23 21:47:56.000000000 -0400
34834@@ -79,14 +79,13 @@ static int msglevel
34835 *
34836 */
34837
34838+static net_device_ops_no_const apdev_netdev_ops;
34839+
34840 static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked)
34841 {
34842 PSDevice apdev_priv;
34843 struct net_device *dev = pDevice->dev;
34844 int ret;
34845- const struct net_device_ops apdev_netdev_ops = {
34846- .ndo_start_xmit = pDevice->tx_80211,
34847- };
34848
34849 DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name);
34850
34851@@ -98,6 +97,8 @@ static int hostap_enable_hostapd(PSDevic
34852 *apdev_priv = *pDevice;
34853 memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN);
34854
34855+ /* only half broken now */
34856+ apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;
34857 pDevice->apdev->netdev_ops = &apdev_netdev_ops;
34858
34859 pDevice->apdev->type = ARPHRD_IEEE80211;
34860diff -urNp linux-3.0.7/drivers/staging/vt6656/hostap.c linux-3.0.7/drivers/staging/vt6656/hostap.c
34861--- linux-3.0.7/drivers/staging/vt6656/hostap.c 2011-07-21 22:17:23.000000000 -0400
34862+++ linux-3.0.7/drivers/staging/vt6656/hostap.c 2011-08-23 21:47:56.000000000 -0400
34863@@ -80,14 +80,13 @@ static int msglevel
34864 *
34865 */
34866
34867+static net_device_ops_no_const apdev_netdev_ops;
34868+
34869 static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked)
34870 {
34871 PSDevice apdev_priv;
34872 struct net_device *dev = pDevice->dev;
34873 int ret;
34874- const struct net_device_ops apdev_netdev_ops = {
34875- .ndo_start_xmit = pDevice->tx_80211,
34876- };
34877
34878 DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name);
34879
34880@@ -99,6 +98,8 @@ static int hostap_enable_hostapd(PSDevic
34881 *apdev_priv = *pDevice;
34882 memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN);
34883
34884+ /* only half broken now */
34885+ apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;
34886 pDevice->apdev->netdev_ops = &apdev_netdev_ops;
34887
34888 pDevice->apdev->type = ARPHRD_IEEE80211;
34889diff -urNp linux-3.0.7/drivers/staging/wlan-ng/hfa384x_usb.c linux-3.0.7/drivers/staging/wlan-ng/hfa384x_usb.c
34890--- linux-3.0.7/drivers/staging/wlan-ng/hfa384x_usb.c 2011-07-21 22:17:23.000000000 -0400
34891+++ linux-3.0.7/drivers/staging/wlan-ng/hfa384x_usb.c 2011-08-23 21:47:56.000000000 -0400
34892@@ -204,7 +204,7 @@ static void unlocked_usbctlx_complete(hf
34893
34894 struct usbctlx_completor {
34895 int (*complete) (struct usbctlx_completor *);
34896-};
34897+} __no_const;
34898
34899 static int
34900 hfa384x_usbctlx_complete_sync(hfa384x_t *hw,
34901diff -urNp linux-3.0.7/drivers/staging/zcache/tmem.c linux-3.0.7/drivers/staging/zcache/tmem.c
34902--- linux-3.0.7/drivers/staging/zcache/tmem.c 2011-07-21 22:17:23.000000000 -0400
34903+++ linux-3.0.7/drivers/staging/zcache/tmem.c 2011-08-23 21:47:56.000000000 -0400
34904@@ -39,7 +39,7 @@
34905 * A tmem host implementation must use this function to register callbacks
34906 * for memory allocation.
34907 */
34908-static struct tmem_hostops tmem_hostops;
34909+static tmem_hostops_no_const tmem_hostops;
34910
34911 static void tmem_objnode_tree_init(void);
34912
34913@@ -53,7 +53,7 @@ void tmem_register_hostops(struct tmem_h
34914 * A tmem host implementation must use this function to register
34915 * callbacks for a page-accessible memory (PAM) implementation
34916 */
34917-static struct tmem_pamops tmem_pamops;
34918+static tmem_pamops_no_const tmem_pamops;
34919
34920 void tmem_register_pamops(struct tmem_pamops *m)
34921 {
34922diff -urNp linux-3.0.7/drivers/staging/zcache/tmem.h linux-3.0.7/drivers/staging/zcache/tmem.h
34923--- linux-3.0.7/drivers/staging/zcache/tmem.h 2011-07-21 22:17:23.000000000 -0400
34924+++ linux-3.0.7/drivers/staging/zcache/tmem.h 2011-08-23 21:47:56.000000000 -0400
34925@@ -171,6 +171,7 @@ struct tmem_pamops {
34926 int (*get_data)(struct page *, void *, struct tmem_pool *);
34927 void (*free)(void *, struct tmem_pool *);
34928 };
34929+typedef struct tmem_pamops __no_const tmem_pamops_no_const;
34930 extern void tmem_register_pamops(struct tmem_pamops *m);
34931
34932 /* memory allocation methods provided by the host implementation */
34933@@ -180,6 +181,7 @@ struct tmem_hostops {
34934 struct tmem_objnode *(*objnode_alloc)(struct tmem_pool *);
34935 void (*objnode_free)(struct tmem_objnode *, struct tmem_pool *);
34936 };
34937+typedef struct tmem_hostops __no_const tmem_hostops_no_const;
34938 extern void tmem_register_hostops(struct tmem_hostops *m);
34939
34940 /* core tmem accessor functions */
34941diff -urNp linux-3.0.7/drivers/target/target_core_alua.c linux-3.0.7/drivers/target/target_core_alua.c
34942--- linux-3.0.7/drivers/target/target_core_alua.c 2011-07-21 22:17:23.000000000 -0400
34943+++ linux-3.0.7/drivers/target/target_core_alua.c 2011-08-23 21:48:14.000000000 -0400
34944@@ -675,6 +675,8 @@ static int core_alua_update_tpg_primary_
34945 char path[ALUA_METADATA_PATH_LEN];
34946 int len;
34947
34948+ pax_track_stack();
34949+
34950 memset(path, 0, ALUA_METADATA_PATH_LEN);
34951
34952 len = snprintf(md_buf, tg_pt_gp->tg_pt_gp_md_buf_len,
34953@@ -938,6 +940,8 @@ static int core_alua_update_tpg_secondar
34954 char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN];
34955 int len;
34956
34957+ pax_track_stack();
34958+
34959 memset(path, 0, ALUA_METADATA_PATH_LEN);
34960 memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
34961
34962diff -urNp linux-3.0.7/drivers/target/target_core_cdb.c linux-3.0.7/drivers/target/target_core_cdb.c
34963--- linux-3.0.7/drivers/target/target_core_cdb.c 2011-07-21 22:17:23.000000000 -0400
34964+++ linux-3.0.7/drivers/target/target_core_cdb.c 2011-08-23 21:48:14.000000000 -0400
34965@@ -838,6 +838,8 @@ target_emulate_modesense(struct se_cmd *
34966 int length = 0;
34967 unsigned char buf[SE_MODE_PAGE_BUF];
34968
34969+ pax_track_stack();
34970+
34971 memset(buf, 0, SE_MODE_PAGE_BUF);
34972
34973 switch (cdb[2] & 0x3f) {
34974diff -urNp linux-3.0.7/drivers/target/target_core_configfs.c linux-3.0.7/drivers/target/target_core_configfs.c
34975--- linux-3.0.7/drivers/target/target_core_configfs.c 2011-07-21 22:17:23.000000000 -0400
34976+++ linux-3.0.7/drivers/target/target_core_configfs.c 2011-08-23 21:48:14.000000000 -0400
34977@@ -1276,6 +1276,8 @@ static ssize_t target_core_dev_pr_show_a
34978 ssize_t len = 0;
34979 int reg_count = 0, prf_isid;
34980
34981+ pax_track_stack();
34982+
34983 if (!(su_dev->se_dev_ptr))
34984 return -ENODEV;
34985
34986diff -urNp linux-3.0.7/drivers/target/target_core_pr.c linux-3.0.7/drivers/target/target_core_pr.c
34987--- linux-3.0.7/drivers/target/target_core_pr.c 2011-07-21 22:17:23.000000000 -0400
34988+++ linux-3.0.7/drivers/target/target_core_pr.c 2011-08-23 21:48:14.000000000 -0400
34989@@ -918,6 +918,8 @@ static int __core_scsi3_check_aptpl_regi
34990 unsigned char t_port[PR_APTPL_MAX_TPORT_LEN];
34991 u16 tpgt;
34992
34993+ pax_track_stack();
34994+
34995 memset(i_port, 0, PR_APTPL_MAX_IPORT_LEN);
34996 memset(t_port, 0, PR_APTPL_MAX_TPORT_LEN);
34997 /*
34998@@ -1861,6 +1863,8 @@ static int __core_scsi3_update_aptpl_buf
34999 ssize_t len = 0;
35000 int reg_count = 0;
35001
35002+ pax_track_stack();
35003+
35004 memset(buf, 0, pr_aptpl_buf_len);
35005 /*
35006 * Called to clear metadata once APTPL has been deactivated.
35007@@ -1983,6 +1987,8 @@ static int __core_scsi3_write_aptpl_to_f
35008 char path[512];
35009 int ret;
35010
35011+ pax_track_stack();
35012+
35013 memset(iov, 0, sizeof(struct iovec));
35014 memset(path, 0, 512);
35015
35016diff -urNp linux-3.0.7/drivers/target/target_core_tmr.c linux-3.0.7/drivers/target/target_core_tmr.c
35017--- linux-3.0.7/drivers/target/target_core_tmr.c 2011-07-21 22:17:23.000000000 -0400
35018+++ linux-3.0.7/drivers/target/target_core_tmr.c 2011-08-23 21:47:56.000000000 -0400
35019@@ -269,7 +269,7 @@ int core_tmr_lun_reset(
35020 CMD_TFO(cmd)->get_task_tag(cmd), cmd->pr_res_key,
35021 T_TASK(cmd)->t_task_cdbs,
35022 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
35023- atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
35024+ atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
35025 atomic_read(&T_TASK(cmd)->t_transport_active),
35026 atomic_read(&T_TASK(cmd)->t_transport_stop),
35027 atomic_read(&T_TASK(cmd)->t_transport_sent));
35028@@ -311,7 +311,7 @@ int core_tmr_lun_reset(
35029 DEBUG_LR("LUN_RESET: got t_transport_active = 1 for"
35030 " task: %p, t_fe_count: %d dev: %p\n", task,
35031 fe_count, dev);
35032- atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
35033+ atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
35034 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock,
35035 flags);
35036 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
35037@@ -321,7 +321,7 @@ int core_tmr_lun_reset(
35038 }
35039 DEBUG_LR("LUN_RESET: Got t_transport_active = 0 for task: %p,"
35040 " t_fe_count: %d dev: %p\n", task, fe_count, dev);
35041- atomic_set(&T_TASK(cmd)->t_transport_aborted, 1);
35042+ atomic_set_unchecked(&T_TASK(cmd)->t_transport_aborted, 1);
35043 spin_unlock_irqrestore(&T_TASK(cmd)->t_state_lock, flags);
35044 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
35045
35046diff -urNp linux-3.0.7/drivers/target/target_core_transport.c linux-3.0.7/drivers/target/target_core_transport.c
35047--- linux-3.0.7/drivers/target/target_core_transport.c 2011-07-21 22:17:23.000000000 -0400
35048+++ linux-3.0.7/drivers/target/target_core_transport.c 2011-08-23 21:47:56.000000000 -0400
35049@@ -1681,7 +1681,7 @@ struct se_device *transport_add_device_t
35050
35051 dev->queue_depth = dev_limits->queue_depth;
35052 atomic_set(&dev->depth_left, dev->queue_depth);
35053- atomic_set(&dev->dev_ordered_id, 0);
35054+ atomic_set_unchecked(&dev->dev_ordered_id, 0);
35055
35056 se_dev_set_default_attribs(dev, dev_limits);
35057
35058@@ -1882,7 +1882,7 @@ static int transport_check_alloc_task_at
35059 * Used to determine when ORDERED commands should go from
35060 * Dormant to Active status.
35061 */
35062- cmd->se_ordered_id = atomic_inc_return(&SE_DEV(cmd)->dev_ordered_id);
35063+ cmd->se_ordered_id = atomic_inc_return_unchecked(&SE_DEV(cmd)->dev_ordered_id);
35064 smp_mb__after_atomic_inc();
35065 DEBUG_STA("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
35066 cmd->se_ordered_id, cmd->sam_task_attr,
35067@@ -2169,7 +2169,7 @@ static void transport_generic_request_fa
35068 " t_transport_active: %d t_transport_stop: %d"
35069 " t_transport_sent: %d\n", T_TASK(cmd)->t_task_cdbs,
35070 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
35071- atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
35072+ atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
35073 atomic_read(&T_TASK(cmd)->t_task_cdbs_ex_left),
35074 atomic_read(&T_TASK(cmd)->t_transport_active),
35075 atomic_read(&T_TASK(cmd)->t_transport_stop),
35076@@ -2673,9 +2673,9 @@ check_depth:
35077 spin_lock_irqsave(&T_TASK(cmd)->t_state_lock, flags);
35078 atomic_set(&task->task_active, 1);
35079 atomic_set(&task->task_sent, 1);
35080- atomic_inc(&T_TASK(cmd)->t_task_cdbs_sent);
35081+ atomic_inc_unchecked(&T_TASK(cmd)->t_task_cdbs_sent);
35082
35083- if (atomic_read(&T_TASK(cmd)->t_task_cdbs_sent) ==
35084+ if (atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent) ==
35085 T_TASK(cmd)->t_task_cdbs)
35086 atomic_set(&cmd->transport_sent, 1);
35087
35088@@ -5568,7 +5568,7 @@ static void transport_generic_wait_for_t
35089 atomic_set(&T_TASK(cmd)->transport_lun_stop, 0);
35090 }
35091 if (!atomic_read(&T_TASK(cmd)->t_transport_active) ||
35092- atomic_read(&T_TASK(cmd)->t_transport_aborted))
35093+ atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted))
35094 goto remove;
35095
35096 atomic_set(&T_TASK(cmd)->t_transport_stop, 1);
35097@@ -5797,7 +5797,7 @@ int transport_check_aborted_status(struc
35098 {
35099 int ret = 0;
35100
35101- if (atomic_read(&T_TASK(cmd)->t_transport_aborted) != 0) {
35102+ if (atomic_read_unchecked(&T_TASK(cmd)->t_transport_aborted) != 0) {
35103 if (!(send_status) ||
35104 (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
35105 return 1;
35106@@ -5825,7 +5825,7 @@ void transport_send_task_abort(struct se
35107 */
35108 if (cmd->data_direction == DMA_TO_DEVICE) {
35109 if (CMD_TFO(cmd)->write_pending_status(cmd) != 0) {
35110- atomic_inc(&T_TASK(cmd)->t_transport_aborted);
35111+ atomic_inc_unchecked(&T_TASK(cmd)->t_transport_aborted);
35112 smp_mb__after_atomic_inc();
35113 cmd->scsi_status = SAM_STAT_TASK_ABORTED;
35114 transport_new_cmd_failure(cmd);
35115@@ -5949,7 +5949,7 @@ static void transport_processing_shutdow
35116 CMD_TFO(cmd)->get_task_tag(cmd),
35117 T_TASK(cmd)->t_task_cdbs,
35118 atomic_read(&T_TASK(cmd)->t_task_cdbs_left),
35119- atomic_read(&T_TASK(cmd)->t_task_cdbs_sent),
35120+ atomic_read_unchecked(&T_TASK(cmd)->t_task_cdbs_sent),
35121 atomic_read(&T_TASK(cmd)->t_transport_active),
35122 atomic_read(&T_TASK(cmd)->t_transport_stop),
35123 atomic_read(&T_TASK(cmd)->t_transport_sent));
35124diff -urNp linux-3.0.7/drivers/telephony/ixj.c linux-3.0.7/drivers/telephony/ixj.c
35125--- linux-3.0.7/drivers/telephony/ixj.c 2011-07-21 22:17:23.000000000 -0400
35126+++ linux-3.0.7/drivers/telephony/ixj.c 2011-08-23 21:48:14.000000000 -0400
35127@@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
35128 bool mContinue;
35129 char *pIn, *pOut;
35130
35131+ pax_track_stack();
35132+
35133 if (!SCI_Prepare(j))
35134 return 0;
35135
35136diff -urNp linux-3.0.7/drivers/tty/hvc/hvcs.c linux-3.0.7/drivers/tty/hvc/hvcs.c
35137--- linux-3.0.7/drivers/tty/hvc/hvcs.c 2011-07-21 22:17:23.000000000 -0400
35138+++ linux-3.0.7/drivers/tty/hvc/hvcs.c 2011-08-23 21:47:56.000000000 -0400
35139@@ -83,6 +83,7 @@
35140 #include <asm/hvcserver.h>
35141 #include <asm/uaccess.h>
35142 #include <asm/vio.h>
35143+#include <asm/local.h>
35144
35145 /*
35146 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
35147@@ -270,7 +271,7 @@ struct hvcs_struct {
35148 unsigned int index;
35149
35150 struct tty_struct *tty;
35151- int open_count;
35152+ local_t open_count;
35153
35154 /*
35155 * Used to tell the driver kernel_thread what operations need to take
35156@@ -422,7 +423,7 @@ static ssize_t hvcs_vterm_state_store(st
35157
35158 spin_lock_irqsave(&hvcsd->lock, flags);
35159
35160- if (hvcsd->open_count > 0) {
35161+ if (local_read(&hvcsd->open_count) > 0) {
35162 spin_unlock_irqrestore(&hvcsd->lock, flags);
35163 printk(KERN_INFO "HVCS: vterm state unchanged. "
35164 "The hvcs device node is still in use.\n");
35165@@ -1145,7 +1146,7 @@ static int hvcs_open(struct tty_struct *
35166 if ((retval = hvcs_partner_connect(hvcsd)))
35167 goto error_release;
35168
35169- hvcsd->open_count = 1;
35170+ local_set(&hvcsd->open_count, 1);
35171 hvcsd->tty = tty;
35172 tty->driver_data = hvcsd;
35173
35174@@ -1179,7 +1180,7 @@ fast_open:
35175
35176 spin_lock_irqsave(&hvcsd->lock, flags);
35177 kref_get(&hvcsd->kref);
35178- hvcsd->open_count++;
35179+ local_inc(&hvcsd->open_count);
35180 hvcsd->todo_mask |= HVCS_SCHED_READ;
35181 spin_unlock_irqrestore(&hvcsd->lock, flags);
35182
35183@@ -1223,7 +1224,7 @@ static void hvcs_close(struct tty_struct
35184 hvcsd = tty->driver_data;
35185
35186 spin_lock_irqsave(&hvcsd->lock, flags);
35187- if (--hvcsd->open_count == 0) {
35188+ if (local_dec_and_test(&hvcsd->open_count)) {
35189
35190 vio_disable_interrupts(hvcsd->vdev);
35191
35192@@ -1249,10 +1250,10 @@ static void hvcs_close(struct tty_struct
35193 free_irq(irq, hvcsd);
35194 kref_put(&hvcsd->kref, destroy_hvcs_struct);
35195 return;
35196- } else if (hvcsd->open_count < 0) {
35197+ } else if (local_read(&hvcsd->open_count) < 0) {
35198 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
35199 " is missmanaged.\n",
35200- hvcsd->vdev->unit_address, hvcsd->open_count);
35201+ hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
35202 }
35203
35204 spin_unlock_irqrestore(&hvcsd->lock, flags);
35205@@ -1268,7 +1269,7 @@ static void hvcs_hangup(struct tty_struc
35206
35207 spin_lock_irqsave(&hvcsd->lock, flags);
35208 /* Preserve this so that we know how many kref refs to put */
35209- temp_open_count = hvcsd->open_count;
35210+ temp_open_count = local_read(&hvcsd->open_count);
35211
35212 /*
35213 * Don't kref put inside the spinlock because the destruction
35214@@ -1283,7 +1284,7 @@ static void hvcs_hangup(struct tty_struc
35215 hvcsd->tty->driver_data = NULL;
35216 hvcsd->tty = NULL;
35217
35218- hvcsd->open_count = 0;
35219+ local_set(&hvcsd->open_count, 0);
35220
35221 /* This will drop any buffered data on the floor which is OK in a hangup
35222 * scenario. */
35223@@ -1354,7 +1355,7 @@ static int hvcs_write(struct tty_struct
35224 * the middle of a write operation? This is a crummy place to do this
35225 * but we want to keep it all in the spinlock.
35226 */
35227- if (hvcsd->open_count <= 0) {
35228+ if (local_read(&hvcsd->open_count) <= 0) {
35229 spin_unlock_irqrestore(&hvcsd->lock, flags);
35230 return -ENODEV;
35231 }
35232@@ -1428,7 +1429,7 @@ static int hvcs_write_room(struct tty_st
35233 {
35234 struct hvcs_struct *hvcsd = tty->driver_data;
35235
35236- if (!hvcsd || hvcsd->open_count <= 0)
35237+ if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
35238 return 0;
35239
35240 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
35241diff -urNp linux-3.0.7/drivers/tty/ipwireless/tty.c linux-3.0.7/drivers/tty/ipwireless/tty.c
35242--- linux-3.0.7/drivers/tty/ipwireless/tty.c 2011-07-21 22:17:23.000000000 -0400
35243+++ linux-3.0.7/drivers/tty/ipwireless/tty.c 2011-08-23 21:47:56.000000000 -0400
35244@@ -29,6 +29,7 @@
35245 #include <linux/tty_driver.h>
35246 #include <linux/tty_flip.h>
35247 #include <linux/uaccess.h>
35248+#include <asm/local.h>
35249
35250 #include "tty.h"
35251 #include "network.h"
35252@@ -51,7 +52,7 @@ struct ipw_tty {
35253 int tty_type;
35254 struct ipw_network *network;
35255 struct tty_struct *linux_tty;
35256- int open_count;
35257+ local_t open_count;
35258 unsigned int control_lines;
35259 struct mutex ipw_tty_mutex;
35260 int tx_bytes_queued;
35261@@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
35262 mutex_unlock(&tty->ipw_tty_mutex);
35263 return -ENODEV;
35264 }
35265- if (tty->open_count == 0)
35266+ if (local_read(&tty->open_count) == 0)
35267 tty->tx_bytes_queued = 0;
35268
35269- tty->open_count++;
35270+ local_inc(&tty->open_count);
35271
35272 tty->linux_tty = linux_tty;
35273 linux_tty->driver_data = tty;
35274@@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
35275
35276 static void do_ipw_close(struct ipw_tty *tty)
35277 {
35278- tty->open_count--;
35279-
35280- if (tty->open_count == 0) {
35281+ if (local_dec_return(&tty->open_count) == 0) {
35282 struct tty_struct *linux_tty = tty->linux_tty;
35283
35284 if (linux_tty != NULL) {
35285@@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
35286 return;
35287
35288 mutex_lock(&tty->ipw_tty_mutex);
35289- if (tty->open_count == 0) {
35290+ if (local_read(&tty->open_count) == 0) {
35291 mutex_unlock(&tty->ipw_tty_mutex);
35292 return;
35293 }
35294@@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
35295 return;
35296 }
35297
35298- if (!tty->open_count) {
35299+ if (!local_read(&tty->open_count)) {
35300 mutex_unlock(&tty->ipw_tty_mutex);
35301 return;
35302 }
35303@@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
35304 return -ENODEV;
35305
35306 mutex_lock(&tty->ipw_tty_mutex);
35307- if (!tty->open_count) {
35308+ if (!local_read(&tty->open_count)) {
35309 mutex_unlock(&tty->ipw_tty_mutex);
35310 return -EINVAL;
35311 }
35312@@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
35313 if (!tty)
35314 return -ENODEV;
35315
35316- if (!tty->open_count)
35317+ if (!local_read(&tty->open_count))
35318 return -EINVAL;
35319
35320 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
35321@@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
35322 if (!tty)
35323 return 0;
35324
35325- if (!tty->open_count)
35326+ if (!local_read(&tty->open_count))
35327 return 0;
35328
35329 return tty->tx_bytes_queued;
35330@@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
35331 if (!tty)
35332 return -ENODEV;
35333
35334- if (!tty->open_count)
35335+ if (!local_read(&tty->open_count))
35336 return -EINVAL;
35337
35338 return get_control_lines(tty);
35339@@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
35340 if (!tty)
35341 return -ENODEV;
35342
35343- if (!tty->open_count)
35344+ if (!local_read(&tty->open_count))
35345 return -EINVAL;
35346
35347 return set_control_lines(tty, set, clear);
35348@@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
35349 if (!tty)
35350 return -ENODEV;
35351
35352- if (!tty->open_count)
35353+ if (!local_read(&tty->open_count))
35354 return -EINVAL;
35355
35356 /* FIXME: Exactly how is the tty object locked here .. */
35357@@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
35358 against a parallel ioctl etc */
35359 mutex_lock(&ttyj->ipw_tty_mutex);
35360 }
35361- while (ttyj->open_count)
35362+ while (local_read(&ttyj->open_count))
35363 do_ipw_close(ttyj);
35364 ipwireless_disassociate_network_ttys(network,
35365 ttyj->channel_idx);
35366diff -urNp linux-3.0.7/drivers/tty/n_gsm.c linux-3.0.7/drivers/tty/n_gsm.c
35367--- linux-3.0.7/drivers/tty/n_gsm.c 2011-09-02 18:11:21.000000000 -0400
35368+++ linux-3.0.7/drivers/tty/n_gsm.c 2011-08-23 21:47:56.000000000 -0400
35369@@ -1589,7 +1589,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
35370 return NULL;
35371 spin_lock_init(&dlci->lock);
35372 dlci->fifo = &dlci->_fifo;
35373- if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
35374+ if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
35375 kfree(dlci);
35376 return NULL;
35377 }
35378diff -urNp linux-3.0.7/drivers/tty/n_tty.c linux-3.0.7/drivers/tty/n_tty.c
35379--- linux-3.0.7/drivers/tty/n_tty.c 2011-07-21 22:17:23.000000000 -0400
35380+++ linux-3.0.7/drivers/tty/n_tty.c 2011-08-23 21:47:56.000000000 -0400
35381@@ -2123,6 +2123,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
35382 {
35383 *ops = tty_ldisc_N_TTY;
35384 ops->owner = NULL;
35385- ops->refcount = ops->flags = 0;
35386+ atomic_set(&ops->refcount, 0);
35387+ ops->flags = 0;
35388 }
35389 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
35390diff -urNp linux-3.0.7/drivers/tty/pty.c linux-3.0.7/drivers/tty/pty.c
35391--- linux-3.0.7/drivers/tty/pty.c 2011-10-16 21:54:54.000000000 -0400
35392+++ linux-3.0.7/drivers/tty/pty.c 2011-10-16 21:55:28.000000000 -0400
35393@@ -767,8 +767,10 @@ static void __init unix98_pty_init(void)
35394 register_sysctl_table(pty_root_table);
35395
35396 /* Now create the /dev/ptmx special device */
35397+ pax_open_kernel();
35398 tty_default_fops(&ptmx_fops);
35399- ptmx_fops.open = ptmx_open;
35400+ *(void **)&ptmx_fops.open = ptmx_open;
35401+ pax_close_kernel();
35402
35403 cdev_init(&ptmx_cdev, &ptmx_fops);
35404 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
35405diff -urNp linux-3.0.7/drivers/tty/rocket.c linux-3.0.7/drivers/tty/rocket.c
35406--- linux-3.0.7/drivers/tty/rocket.c 2011-07-21 22:17:23.000000000 -0400
35407+++ linux-3.0.7/drivers/tty/rocket.c 2011-08-23 21:48:14.000000000 -0400
35408@@ -1277,6 +1277,8 @@ static int get_ports(struct r_port *info
35409 struct rocket_ports tmp;
35410 int board;
35411
35412+ pax_track_stack();
35413+
35414 if (!retports)
35415 return -EFAULT;
35416 memset(&tmp, 0, sizeof (tmp));
35417diff -urNp linux-3.0.7/drivers/tty/serial/kgdboc.c linux-3.0.7/drivers/tty/serial/kgdboc.c
35418--- linux-3.0.7/drivers/tty/serial/kgdboc.c 2011-07-21 22:17:23.000000000 -0400
35419+++ linux-3.0.7/drivers/tty/serial/kgdboc.c 2011-08-23 21:47:56.000000000 -0400
35420@@ -23,8 +23,9 @@
35421 #define MAX_CONFIG_LEN 40
35422
35423 static struct kgdb_io kgdboc_io_ops;
35424+static struct kgdb_io kgdboc_io_ops_console;
35425
35426-/* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
35427+/* -1 = init not run yet, 0 = unconfigured, 1/2 = configured. */
35428 static int configured = -1;
35429
35430 static char config[MAX_CONFIG_LEN];
35431@@ -147,6 +148,8 @@ static void cleanup_kgdboc(void)
35432 kgdboc_unregister_kbd();
35433 if (configured == 1)
35434 kgdb_unregister_io_module(&kgdboc_io_ops);
35435+ else if (configured == 2)
35436+ kgdb_unregister_io_module(&kgdboc_io_ops_console);
35437 }
35438
35439 static int configure_kgdboc(void)
35440@@ -156,13 +159,13 @@ static int configure_kgdboc(void)
35441 int err;
35442 char *cptr = config;
35443 struct console *cons;
35444+ int is_console = 0;
35445
35446 err = kgdboc_option_setup(config);
35447 if (err || !strlen(config) || isspace(config[0]))
35448 goto noconfig;
35449
35450 err = -ENODEV;
35451- kgdboc_io_ops.is_console = 0;
35452 kgdb_tty_driver = NULL;
35453
35454 kgdboc_use_kms = 0;
35455@@ -183,7 +186,7 @@ static int configure_kgdboc(void)
35456 int idx;
35457 if (cons->device && cons->device(cons, &idx) == p &&
35458 idx == tty_line) {
35459- kgdboc_io_ops.is_console = 1;
35460+ is_console = 1;
35461 break;
35462 }
35463 cons = cons->next;
35464@@ -193,12 +196,16 @@ static int configure_kgdboc(void)
35465 kgdb_tty_line = tty_line;
35466
35467 do_register:
35468- err = kgdb_register_io_module(&kgdboc_io_ops);
35469+ if (is_console) {
35470+ err = kgdb_register_io_module(&kgdboc_io_ops_console);
35471+ configured = 2;
35472+ } else {
35473+ err = kgdb_register_io_module(&kgdboc_io_ops);
35474+ configured = 1;
35475+ }
35476 if (err)
35477 goto noconfig;
35478
35479- configured = 1;
35480-
35481 return 0;
35482
35483 noconfig:
35484@@ -212,7 +219,7 @@ noconfig:
35485 static int __init init_kgdboc(void)
35486 {
35487 /* Already configured? */
35488- if (configured == 1)
35489+ if (configured >= 1)
35490 return 0;
35491
35492 return configure_kgdboc();
35493@@ -261,7 +268,7 @@ static int param_set_kgdboc_var(const ch
35494 if (config[len - 1] == '\n')
35495 config[len - 1] = '\0';
35496
35497- if (configured == 1)
35498+ if (configured >= 1)
35499 cleanup_kgdboc();
35500
35501 /* Go and configure with the new params. */
35502@@ -301,6 +308,15 @@ static struct kgdb_io kgdboc_io_ops = {
35503 .post_exception = kgdboc_post_exp_handler,
35504 };
35505
35506+static struct kgdb_io kgdboc_io_ops_console = {
35507+ .name = "kgdboc",
35508+ .read_char = kgdboc_get_char,
35509+ .write_char = kgdboc_put_char,
35510+ .pre_exception = kgdboc_pre_exp_handler,
35511+ .post_exception = kgdboc_post_exp_handler,
35512+ .is_console = 1
35513+};
35514+
35515 #ifdef CONFIG_KGDB_SERIAL_CONSOLE
35516 /* This is only available if kgdboc is a built in for early debugging */
35517 static int __init kgdboc_early_init(char *opt)
35518diff -urNp linux-3.0.7/drivers/tty/serial/mfd.c linux-3.0.7/drivers/tty/serial/mfd.c
35519--- linux-3.0.7/drivers/tty/serial/mfd.c 2011-07-21 22:17:23.000000000 -0400
35520+++ linux-3.0.7/drivers/tty/serial/mfd.c 2011-10-11 10:44:33.000000000 -0400
35521@@ -1423,7 +1423,7 @@ static void serial_hsu_remove(struct pci
35522 }
35523
35524 /* First 3 are UART ports, and the 4th is the DMA */
35525-static const struct pci_device_id pci_ids[] __devinitdata = {
35526+static const struct pci_device_id pci_ids[] __devinitconst = {
35527 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081B) },
35528 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081C) },
35529 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081D) },
35530diff -urNp linux-3.0.7/drivers/tty/serial/mrst_max3110.c linux-3.0.7/drivers/tty/serial/mrst_max3110.c
35531--- linux-3.0.7/drivers/tty/serial/mrst_max3110.c 2011-10-16 21:54:54.000000000 -0400
35532+++ linux-3.0.7/drivers/tty/serial/mrst_max3110.c 2011-10-16 21:55:28.000000000 -0400
35533@@ -393,6 +393,8 @@ static void max3110_con_receive(struct u
35534 int loop = 1, num, total = 0;
35535 u8 recv_buf[512], *pbuf;
35536
35537+ pax_track_stack();
35538+
35539 pbuf = recv_buf;
35540 do {
35541 num = max3110_read_multi(max, pbuf);
35542diff -urNp linux-3.0.7/drivers/tty/tty_io.c linux-3.0.7/drivers/tty/tty_io.c
35543--- linux-3.0.7/drivers/tty/tty_io.c 2011-10-16 21:54:54.000000000 -0400
35544+++ linux-3.0.7/drivers/tty/tty_io.c 2011-10-16 21:55:28.000000000 -0400
35545@@ -3214,7 +3214,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
35546
35547 void tty_default_fops(struct file_operations *fops)
35548 {
35549- *fops = tty_fops;
35550+ memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
35551 }
35552
35553 /*
35554diff -urNp linux-3.0.7/drivers/tty/tty_ldisc.c linux-3.0.7/drivers/tty/tty_ldisc.c
35555--- linux-3.0.7/drivers/tty/tty_ldisc.c 2011-07-21 22:17:23.000000000 -0400
35556+++ linux-3.0.7/drivers/tty/tty_ldisc.c 2011-08-23 21:47:56.000000000 -0400
35557@@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
35558 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
35559 struct tty_ldisc_ops *ldo = ld->ops;
35560
35561- ldo->refcount--;
35562+ atomic_dec(&ldo->refcount);
35563 module_put(ldo->owner);
35564 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35565
35566@@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
35567 spin_lock_irqsave(&tty_ldisc_lock, flags);
35568 tty_ldiscs[disc] = new_ldisc;
35569 new_ldisc->num = disc;
35570- new_ldisc->refcount = 0;
35571+ atomic_set(&new_ldisc->refcount, 0);
35572 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35573
35574 return ret;
35575@@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
35576 return -EINVAL;
35577
35578 spin_lock_irqsave(&tty_ldisc_lock, flags);
35579- if (tty_ldiscs[disc]->refcount)
35580+ if (atomic_read(&tty_ldiscs[disc]->refcount))
35581 ret = -EBUSY;
35582 else
35583 tty_ldiscs[disc] = NULL;
35584@@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
35585 if (ldops) {
35586 ret = ERR_PTR(-EAGAIN);
35587 if (try_module_get(ldops->owner)) {
35588- ldops->refcount++;
35589+ atomic_inc(&ldops->refcount);
35590 ret = ldops;
35591 }
35592 }
35593@@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
35594 unsigned long flags;
35595
35596 spin_lock_irqsave(&tty_ldisc_lock, flags);
35597- ldops->refcount--;
35598+ atomic_dec(&ldops->refcount);
35599 module_put(ldops->owner);
35600 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35601 }
35602diff -urNp linux-3.0.7/drivers/tty/vt/keyboard.c linux-3.0.7/drivers/tty/vt/keyboard.c
35603--- linux-3.0.7/drivers/tty/vt/keyboard.c 2011-07-21 22:17:23.000000000 -0400
35604+++ linux-3.0.7/drivers/tty/vt/keyboard.c 2011-08-23 21:48:14.000000000 -0400
35605@@ -656,6 +656,16 @@ static void k_spec(struct vc_data *vc, u
35606 kbd->kbdmode == VC_OFF) &&
35607 value != KVAL(K_SAK))
35608 return; /* SAK is allowed even in raw mode */
35609+
35610+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
35611+ {
35612+ void *func = fn_handler[value];
35613+ if (func == fn_show_state || func == fn_show_ptregs ||
35614+ func == fn_show_mem)
35615+ return;
35616+ }
35617+#endif
35618+
35619 fn_handler[value](vc);
35620 }
35621
35622diff -urNp linux-3.0.7/drivers/tty/vt/vt.c linux-3.0.7/drivers/tty/vt/vt.c
35623--- linux-3.0.7/drivers/tty/vt/vt.c 2011-07-21 22:17:23.000000000 -0400
35624+++ linux-3.0.7/drivers/tty/vt/vt.c 2011-08-23 21:47:56.000000000 -0400
35625@@ -259,7 +259,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
35626
35627 static void notify_write(struct vc_data *vc, unsigned int unicode)
35628 {
35629- struct vt_notifier_param param = { .vc = vc, unicode = unicode };
35630+ struct vt_notifier_param param = { .vc = vc, .c = unicode };
35631 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
35632 }
35633
35634diff -urNp linux-3.0.7/drivers/tty/vt/vt_ioctl.c linux-3.0.7/drivers/tty/vt/vt_ioctl.c
35635--- linux-3.0.7/drivers/tty/vt/vt_ioctl.c 2011-07-21 22:17:23.000000000 -0400
35636+++ linux-3.0.7/drivers/tty/vt/vt_ioctl.c 2011-08-23 21:48:14.000000000 -0400
35637@@ -207,9 +207,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
35638 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
35639 return -EFAULT;
35640
35641- if (!capable(CAP_SYS_TTY_CONFIG))
35642- perm = 0;
35643-
35644 switch (cmd) {
35645 case KDGKBENT:
35646 key_map = key_maps[s];
35647@@ -221,6 +218,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
35648 val = (i ? K_HOLE : K_NOSUCHMAP);
35649 return put_user(val, &user_kbe->kb_value);
35650 case KDSKBENT:
35651+ if (!capable(CAP_SYS_TTY_CONFIG))
35652+ perm = 0;
35653+
35654 if (!perm)
35655 return -EPERM;
35656 if (!i && v == K_NOSUCHMAP) {
35657@@ -322,9 +322,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
35658 int i, j, k;
35659 int ret;
35660
35661- if (!capable(CAP_SYS_TTY_CONFIG))
35662- perm = 0;
35663-
35664 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
35665 if (!kbs) {
35666 ret = -ENOMEM;
35667@@ -358,6 +355,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
35668 kfree(kbs);
35669 return ((p && *p) ? -EOVERFLOW : 0);
35670 case KDSKBSENT:
35671+ if (!capable(CAP_SYS_TTY_CONFIG))
35672+ perm = 0;
35673+
35674 if (!perm) {
35675 ret = -EPERM;
35676 goto reterr;
35677diff -urNp linux-3.0.7/drivers/uio/uio.c linux-3.0.7/drivers/uio/uio.c
35678--- linux-3.0.7/drivers/uio/uio.c 2011-07-21 22:17:23.000000000 -0400
35679+++ linux-3.0.7/drivers/uio/uio.c 2011-08-23 21:47:56.000000000 -0400
35680@@ -25,6 +25,7 @@
35681 #include <linux/kobject.h>
35682 #include <linux/cdev.h>
35683 #include <linux/uio_driver.h>
35684+#include <asm/local.h>
35685
35686 #define UIO_MAX_DEVICES (1U << MINORBITS)
35687
35688@@ -32,10 +33,10 @@ struct uio_device {
35689 struct module *owner;
35690 struct device *dev;
35691 int minor;
35692- atomic_t event;
35693+ atomic_unchecked_t event;
35694 struct fasync_struct *async_queue;
35695 wait_queue_head_t wait;
35696- int vma_count;
35697+ local_t vma_count;
35698 struct uio_info *info;
35699 struct kobject *map_dir;
35700 struct kobject *portio_dir;
35701@@ -242,7 +243,7 @@ static ssize_t show_event(struct device
35702 struct device_attribute *attr, char *buf)
35703 {
35704 struct uio_device *idev = dev_get_drvdata(dev);
35705- return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
35706+ return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
35707 }
35708
35709 static struct device_attribute uio_class_attributes[] = {
35710@@ -408,7 +409,7 @@ void uio_event_notify(struct uio_info *i
35711 {
35712 struct uio_device *idev = info->uio_dev;
35713
35714- atomic_inc(&idev->event);
35715+ atomic_inc_unchecked(&idev->event);
35716 wake_up_interruptible(&idev->wait);
35717 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
35718 }
35719@@ -461,7 +462,7 @@ static int uio_open(struct inode *inode,
35720 }
35721
35722 listener->dev = idev;
35723- listener->event_count = atomic_read(&idev->event);
35724+ listener->event_count = atomic_read_unchecked(&idev->event);
35725 filep->private_data = listener;
35726
35727 if (idev->info->open) {
35728@@ -512,7 +513,7 @@ static unsigned int uio_poll(struct file
35729 return -EIO;
35730
35731 poll_wait(filep, &idev->wait, wait);
35732- if (listener->event_count != atomic_read(&idev->event))
35733+ if (listener->event_count != atomic_read_unchecked(&idev->event))
35734 return POLLIN | POLLRDNORM;
35735 return 0;
35736 }
35737@@ -537,7 +538,7 @@ static ssize_t uio_read(struct file *fil
35738 do {
35739 set_current_state(TASK_INTERRUPTIBLE);
35740
35741- event_count = atomic_read(&idev->event);
35742+ event_count = atomic_read_unchecked(&idev->event);
35743 if (event_count != listener->event_count) {
35744 if (copy_to_user(buf, &event_count, count))
35745 retval = -EFAULT;
35746@@ -606,13 +607,13 @@ static int uio_find_mem_index(struct vm_
35747 static void uio_vma_open(struct vm_area_struct *vma)
35748 {
35749 struct uio_device *idev = vma->vm_private_data;
35750- idev->vma_count++;
35751+ local_inc(&idev->vma_count);
35752 }
35753
35754 static void uio_vma_close(struct vm_area_struct *vma)
35755 {
35756 struct uio_device *idev = vma->vm_private_data;
35757- idev->vma_count--;
35758+ local_dec(&idev->vma_count);
35759 }
35760
35761 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
35762@@ -823,7 +824,7 @@ int __uio_register_device(struct module
35763 idev->owner = owner;
35764 idev->info = info;
35765 init_waitqueue_head(&idev->wait);
35766- atomic_set(&idev->event, 0);
35767+ atomic_set_unchecked(&idev->event, 0);
35768
35769 ret = uio_get_minor(idev);
35770 if (ret)
35771diff -urNp linux-3.0.7/drivers/usb/atm/cxacru.c linux-3.0.7/drivers/usb/atm/cxacru.c
35772--- linux-3.0.7/drivers/usb/atm/cxacru.c 2011-07-21 22:17:23.000000000 -0400
35773+++ linux-3.0.7/drivers/usb/atm/cxacru.c 2011-08-23 21:47:56.000000000 -0400
35774@@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
35775 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
35776 if (ret < 2)
35777 return -EINVAL;
35778- if (index < 0 || index > 0x7f)
35779+ if (index > 0x7f)
35780 return -EINVAL;
35781 pos += tmp;
35782
35783diff -urNp linux-3.0.7/drivers/usb/atm/usbatm.c linux-3.0.7/drivers/usb/atm/usbatm.c
35784--- linux-3.0.7/drivers/usb/atm/usbatm.c 2011-07-21 22:17:23.000000000 -0400
35785+++ linux-3.0.7/drivers/usb/atm/usbatm.c 2011-08-23 21:47:56.000000000 -0400
35786@@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
35787 if (printk_ratelimit())
35788 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
35789 __func__, vpi, vci);
35790- atomic_inc(&vcc->stats->rx_err);
35791+ atomic_inc_unchecked(&vcc->stats->rx_err);
35792 return;
35793 }
35794
35795@@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
35796 if (length > ATM_MAX_AAL5_PDU) {
35797 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
35798 __func__, length, vcc);
35799- atomic_inc(&vcc->stats->rx_err);
35800+ atomic_inc_unchecked(&vcc->stats->rx_err);
35801 goto out;
35802 }
35803
35804@@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
35805 if (sarb->len < pdu_length) {
35806 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
35807 __func__, pdu_length, sarb->len, vcc);
35808- atomic_inc(&vcc->stats->rx_err);
35809+ atomic_inc_unchecked(&vcc->stats->rx_err);
35810 goto out;
35811 }
35812
35813 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
35814 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
35815 __func__, vcc);
35816- atomic_inc(&vcc->stats->rx_err);
35817+ atomic_inc_unchecked(&vcc->stats->rx_err);
35818 goto out;
35819 }
35820
35821@@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
35822 if (printk_ratelimit())
35823 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
35824 __func__, length);
35825- atomic_inc(&vcc->stats->rx_drop);
35826+ atomic_inc_unchecked(&vcc->stats->rx_drop);
35827 goto out;
35828 }
35829
35830@@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
35831
35832 vcc->push(vcc, skb);
35833
35834- atomic_inc(&vcc->stats->rx);
35835+ atomic_inc_unchecked(&vcc->stats->rx);
35836 out:
35837 skb_trim(sarb, 0);
35838 }
35839@@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
35840 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
35841
35842 usbatm_pop(vcc, skb);
35843- atomic_inc(&vcc->stats->tx);
35844+ atomic_inc_unchecked(&vcc->stats->tx);
35845
35846 skb = skb_dequeue(&instance->sndqueue);
35847 }
35848@@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
35849 if (!left--)
35850 return sprintf(page,
35851 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
35852- atomic_read(&atm_dev->stats.aal5.tx),
35853- atomic_read(&atm_dev->stats.aal5.tx_err),
35854- atomic_read(&atm_dev->stats.aal5.rx),
35855- atomic_read(&atm_dev->stats.aal5.rx_err),
35856- atomic_read(&atm_dev->stats.aal5.rx_drop));
35857+ atomic_read_unchecked(&atm_dev->stats.aal5.tx),
35858+ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
35859+ atomic_read_unchecked(&atm_dev->stats.aal5.rx),
35860+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
35861+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
35862
35863 if (!left--) {
35864 if (instance->disconnected)
35865diff -urNp linux-3.0.7/drivers/usb/core/devices.c linux-3.0.7/drivers/usb/core/devices.c
35866--- linux-3.0.7/drivers/usb/core/devices.c 2011-07-21 22:17:23.000000000 -0400
35867+++ linux-3.0.7/drivers/usb/core/devices.c 2011-08-23 21:47:56.000000000 -0400
35868@@ -126,7 +126,7 @@ static const char format_endpt[] =
35869 * time it gets called.
35870 */
35871 static struct device_connect_event {
35872- atomic_t count;
35873+ atomic_unchecked_t count;
35874 wait_queue_head_t wait;
35875 } device_event = {
35876 .count = ATOMIC_INIT(1),
35877@@ -164,7 +164,7 @@ static const struct class_info clas_info
35878
35879 void usbfs_conn_disc_event(void)
35880 {
35881- atomic_add(2, &device_event.count);
35882+ atomic_add_unchecked(2, &device_event.count);
35883 wake_up(&device_event.wait);
35884 }
35885
35886@@ -648,7 +648,7 @@ static unsigned int usb_device_poll(stru
35887
35888 poll_wait(file, &device_event.wait, wait);
35889
35890- event_count = atomic_read(&device_event.count);
35891+ event_count = atomic_read_unchecked(&device_event.count);
35892 if (file->f_version != event_count) {
35893 file->f_version = event_count;
35894 return POLLIN | POLLRDNORM;
35895diff -urNp linux-3.0.7/drivers/usb/core/message.c linux-3.0.7/drivers/usb/core/message.c
35896--- linux-3.0.7/drivers/usb/core/message.c 2011-07-21 22:17:23.000000000 -0400
35897+++ linux-3.0.7/drivers/usb/core/message.c 2011-08-23 21:47:56.000000000 -0400
35898@@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
35899 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
35900 if (buf) {
35901 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
35902- if (len > 0) {
35903- smallbuf = kmalloc(++len, GFP_NOIO);
35904+ if (len++ > 0) {
35905+ smallbuf = kmalloc(len, GFP_NOIO);
35906 if (!smallbuf)
35907 return buf;
35908 memcpy(smallbuf, buf, len);
35909diff -urNp linux-3.0.7/drivers/usb/early/ehci-dbgp.c linux-3.0.7/drivers/usb/early/ehci-dbgp.c
35910--- linux-3.0.7/drivers/usb/early/ehci-dbgp.c 2011-07-21 22:17:23.000000000 -0400
35911+++ linux-3.0.7/drivers/usb/early/ehci-dbgp.c 2011-08-23 21:47:56.000000000 -0400
35912@@ -97,7 +97,8 @@ static inline u32 dbgp_len_update(u32 x,
35913
35914 #ifdef CONFIG_KGDB
35915 static struct kgdb_io kgdbdbgp_io_ops;
35916-#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
35917+static struct kgdb_io kgdbdbgp_io_ops_console;
35918+#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops || dbg_io_ops == &kgdbdbgp_io_ops_console)
35919 #else
35920 #define dbgp_kgdb_mode (0)
35921 #endif
35922@@ -1035,6 +1036,13 @@ static struct kgdb_io kgdbdbgp_io_ops =
35923 .write_char = kgdbdbgp_write_char,
35924 };
35925
35926+static struct kgdb_io kgdbdbgp_io_ops_console = {
35927+ .name = "kgdbdbgp",
35928+ .read_char = kgdbdbgp_read_char,
35929+ .write_char = kgdbdbgp_write_char,
35930+ .is_console = 1
35931+};
35932+
35933 static int kgdbdbgp_wait_time;
35934
35935 static int __init kgdbdbgp_parse_config(char *str)
35936@@ -1050,8 +1058,10 @@ static int __init kgdbdbgp_parse_config(
35937 ptr++;
35938 kgdbdbgp_wait_time = simple_strtoul(ptr, &ptr, 10);
35939 }
35940- kgdb_register_io_module(&kgdbdbgp_io_ops);
35941- kgdbdbgp_io_ops.is_console = early_dbgp_console.index != -1;
35942+ if (early_dbgp_console.index != -1)
35943+ kgdb_register_io_module(&kgdbdbgp_io_ops_console);
35944+ else
35945+ kgdb_register_io_module(&kgdbdbgp_io_ops);
35946
35947 return 0;
35948 }
35949diff -urNp linux-3.0.7/drivers/usb/host/xhci-mem.c linux-3.0.7/drivers/usb/host/xhci-mem.c
35950--- linux-3.0.7/drivers/usb/host/xhci-mem.c 2011-07-21 22:17:23.000000000 -0400
35951+++ linux-3.0.7/drivers/usb/host/xhci-mem.c 2011-08-23 21:48:14.000000000 -0400
35952@@ -1685,6 +1685,8 @@ static int xhci_check_trb_in_td_math(str
35953 unsigned int num_tests;
35954 int i, ret;
35955
35956+ pax_track_stack();
35957+
35958 num_tests = ARRAY_SIZE(simple_test_vector);
35959 for (i = 0; i < num_tests; i++) {
35960 ret = xhci_test_trb_in_td(xhci,
35961diff -urNp linux-3.0.7/drivers/usb/wusbcore/wa-hc.h linux-3.0.7/drivers/usb/wusbcore/wa-hc.h
35962--- linux-3.0.7/drivers/usb/wusbcore/wa-hc.h 2011-07-21 22:17:23.000000000 -0400
35963+++ linux-3.0.7/drivers/usb/wusbcore/wa-hc.h 2011-08-23 21:47:56.000000000 -0400
35964@@ -192,7 +192,7 @@ struct wahc {
35965 struct list_head xfer_delayed_list;
35966 spinlock_t xfer_list_lock;
35967 struct work_struct xfer_work;
35968- atomic_t xfer_id_count;
35969+ atomic_unchecked_t xfer_id_count;
35970 };
35971
35972
35973@@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
35974 INIT_LIST_HEAD(&wa->xfer_delayed_list);
35975 spin_lock_init(&wa->xfer_list_lock);
35976 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
35977- atomic_set(&wa->xfer_id_count, 1);
35978+ atomic_set_unchecked(&wa->xfer_id_count, 1);
35979 }
35980
35981 /**
35982diff -urNp linux-3.0.7/drivers/usb/wusbcore/wa-xfer.c linux-3.0.7/drivers/usb/wusbcore/wa-xfer.c
35983--- linux-3.0.7/drivers/usb/wusbcore/wa-xfer.c 2011-07-21 22:17:23.000000000 -0400
35984+++ linux-3.0.7/drivers/usb/wusbcore/wa-xfer.c 2011-08-23 21:47:56.000000000 -0400
35985@@ -294,7 +294,7 @@ out:
35986 */
35987 static void wa_xfer_id_init(struct wa_xfer *xfer)
35988 {
35989- xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
35990+ xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
35991 }
35992
35993 /*
35994diff -urNp linux-3.0.7/drivers/vhost/vhost.c linux-3.0.7/drivers/vhost/vhost.c
35995--- linux-3.0.7/drivers/vhost/vhost.c 2011-07-21 22:17:23.000000000 -0400
35996+++ linux-3.0.7/drivers/vhost/vhost.c 2011-08-23 21:47:56.000000000 -0400
35997@@ -589,7 +589,7 @@ static int init_used(struct vhost_virtqu
35998 return get_user(vq->last_used_idx, &used->idx);
35999 }
36000
36001-static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
36002+static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
36003 {
36004 struct file *eventfp, *filep = NULL,
36005 *pollstart = NULL, *pollstop = NULL;
36006diff -urNp linux-3.0.7/drivers/video/aty/aty128fb.c linux-3.0.7/drivers/video/aty/aty128fb.c
36007--- linux-3.0.7/drivers/video/aty/aty128fb.c 2011-07-21 22:17:23.000000000 -0400
36008+++ linux-3.0.7/drivers/video/aty/aty128fb.c 2011-10-11 10:44:33.000000000 -0400
36009@@ -148,7 +148,7 @@ enum {
36010 };
36011
36012 /* Must match above enum */
36013-static const char *r128_family[] __devinitdata = {
36014+static const char *r128_family[] __devinitconst = {
36015 "AGP",
36016 "PCI",
36017 "PRO AGP",
36018diff -urNp linux-3.0.7/drivers/video/fbcmap.c linux-3.0.7/drivers/video/fbcmap.c
36019--- linux-3.0.7/drivers/video/fbcmap.c 2011-07-21 22:17:23.000000000 -0400
36020+++ linux-3.0.7/drivers/video/fbcmap.c 2011-08-23 21:47:56.000000000 -0400
36021@@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
36022 rc = -ENODEV;
36023 goto out;
36024 }
36025- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
36026- !info->fbops->fb_setcmap)) {
36027+ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
36028 rc = -EINVAL;
36029 goto out1;
36030 }
36031diff -urNp linux-3.0.7/drivers/video/fbmem.c linux-3.0.7/drivers/video/fbmem.c
36032--- linux-3.0.7/drivers/video/fbmem.c 2011-07-21 22:17:23.000000000 -0400
36033+++ linux-3.0.7/drivers/video/fbmem.c 2011-08-23 21:48:14.000000000 -0400
36034@@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_in
36035 image->dx += image->width + 8;
36036 }
36037 } else if (rotate == FB_ROTATE_UD) {
36038- for (x = 0; x < num && image->dx >= 0; x++) {
36039+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
36040 info->fbops->fb_imageblit(info, image);
36041 image->dx -= image->width + 8;
36042 }
36043@@ -440,7 +440,7 @@ static void fb_do_show_logo(struct fb_in
36044 image->dy += image->height + 8;
36045 }
36046 } else if (rotate == FB_ROTATE_CCW) {
36047- for (x = 0; x < num && image->dy >= 0; x++) {
36048+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
36049 info->fbops->fb_imageblit(info, image);
36050 image->dy -= image->height + 8;
36051 }
36052@@ -939,6 +939,8 @@ fb_set_var(struct fb_info *info, struct
36053 int flags = info->flags;
36054 int ret = 0;
36055
36056+ pax_track_stack();
36057+
36058 if (var->activate & FB_ACTIVATE_INV_MODE) {
36059 struct fb_videomode mode1, mode2;
36060
36061@@ -1064,6 +1066,8 @@ static long do_fb_ioctl(struct fb_info *
36062 void __user *argp = (void __user *)arg;
36063 long ret = 0;
36064
36065+ pax_track_stack();
36066+
36067 switch (cmd) {
36068 case FBIOGET_VSCREENINFO:
36069 if (!lock_fb_info(info))
36070@@ -1143,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *
36071 return -EFAULT;
36072 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
36073 return -EINVAL;
36074- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
36075+ if (con2fb.framebuffer >= FB_MAX)
36076 return -EINVAL;
36077 if (!registered_fb[con2fb.framebuffer])
36078 request_module("fb%d", con2fb.framebuffer);
36079diff -urNp linux-3.0.7/drivers/video/geode/gx1fb_core.c linux-3.0.7/drivers/video/geode/gx1fb_core.c
36080--- linux-3.0.7/drivers/video/geode/gx1fb_core.c 2011-07-21 22:17:23.000000000 -0400
36081+++ linux-3.0.7/drivers/video/geode/gx1fb_core.c 2011-10-11 10:44:33.000000000 -0400
36082@@ -29,7 +29,7 @@ static int crt_option = 1;
36083 static char panel_option[32] = "";
36084
36085 /* Modes relevant to the GX1 (taken from modedb.c) */
36086-static const struct fb_videomode __devinitdata gx1_modedb[] = {
36087+static const struct fb_videomode __devinitconst gx1_modedb[] = {
36088 /* 640x480-60 VESA */
36089 { NULL, 60, 640, 480, 39682, 48, 16, 33, 10, 96, 2,
36090 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_VESA },
36091diff -urNp linux-3.0.7/drivers/video/gxt4500.c linux-3.0.7/drivers/video/gxt4500.c
36092--- linux-3.0.7/drivers/video/gxt4500.c 2011-07-21 22:17:23.000000000 -0400
36093+++ linux-3.0.7/drivers/video/gxt4500.c 2011-10-11 10:44:33.000000000 -0400
36094@@ -156,7 +156,7 @@ struct gxt4500_par {
36095 static char *mode_option;
36096
36097 /* default mode: 1280x1024 @ 60 Hz, 8 bpp */
36098-static const struct fb_videomode defaultmode __devinitdata = {
36099+static const struct fb_videomode defaultmode __devinitconst = {
36100 .refresh = 60,
36101 .xres = 1280,
36102 .yres = 1024,
36103@@ -581,7 +581,7 @@ static int gxt4500_blank(int blank, stru
36104 return 0;
36105 }
36106
36107-static const struct fb_fix_screeninfo gxt4500_fix __devinitdata = {
36108+static const struct fb_fix_screeninfo gxt4500_fix __devinitconst = {
36109 .id = "IBM GXT4500P",
36110 .type = FB_TYPE_PACKED_PIXELS,
36111 .visual = FB_VISUAL_PSEUDOCOLOR,
36112diff -urNp linux-3.0.7/drivers/video/i810/i810_accel.c linux-3.0.7/drivers/video/i810/i810_accel.c
36113--- linux-3.0.7/drivers/video/i810/i810_accel.c 2011-07-21 22:17:23.000000000 -0400
36114+++ linux-3.0.7/drivers/video/i810/i810_accel.c 2011-08-23 21:47:56.000000000 -0400
36115@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
36116 }
36117 }
36118 printk("ringbuffer lockup!!!\n");
36119+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
36120 i810_report_error(mmio);
36121 par->dev_flags |= LOCKUP;
36122 info->pixmap.scan_align = 1;
36123diff -urNp linux-3.0.7/drivers/video/i810/i810_main.c linux-3.0.7/drivers/video/i810/i810_main.c
36124--- linux-3.0.7/drivers/video/i810/i810_main.c 2011-07-21 22:17:23.000000000 -0400
36125+++ linux-3.0.7/drivers/video/i810/i810_main.c 2011-10-11 10:44:33.000000000 -0400
36126@@ -97,7 +97,7 @@ static int i810fb_blank (int blank_
36127 static void i810fb_release_resource (struct fb_info *info, struct i810fb_par *par);
36128
36129 /* PCI */
36130-static const char *i810_pci_list[] __devinitdata = {
36131+static const char *i810_pci_list[] __devinitconst = {
36132 "Intel(R) 810 Framebuffer Device" ,
36133 "Intel(R) 810-DC100 Framebuffer Device" ,
36134 "Intel(R) 810E Framebuffer Device" ,
36135diff -urNp linux-3.0.7/drivers/video/jz4740_fb.c linux-3.0.7/drivers/video/jz4740_fb.c
36136--- linux-3.0.7/drivers/video/jz4740_fb.c 2011-07-21 22:17:23.000000000 -0400
36137+++ linux-3.0.7/drivers/video/jz4740_fb.c 2011-10-11 10:44:33.000000000 -0400
36138@@ -136,7 +136,7 @@ struct jzfb {
36139 uint32_t pseudo_palette[16];
36140 };
36141
36142-static const struct fb_fix_screeninfo jzfb_fix __devinitdata = {
36143+static const struct fb_fix_screeninfo jzfb_fix __devinitconst = {
36144 .id = "JZ4740 FB",
36145 .type = FB_TYPE_PACKED_PIXELS,
36146 .visual = FB_VISUAL_TRUECOLOR,
36147diff -urNp linux-3.0.7/drivers/video/logo/logo_linux_clut224.ppm linux-3.0.7/drivers/video/logo/logo_linux_clut224.ppm
36148--- linux-3.0.7/drivers/video/logo/logo_linux_clut224.ppm 2011-07-21 22:17:23.000000000 -0400
36149+++ linux-3.0.7/drivers/video/logo/logo_linux_clut224.ppm 2011-08-29 23:49:40.000000000 -0400
36150@@ -1,1604 +1,1123 @@
36151 P3
36152-# Standard 224-color Linux logo
36153 80 80
36154 255
36155- 0 0 0 0 0 0 0 0 0 0 0 0
36156- 0 0 0 0 0 0 0 0 0 0 0 0
36157- 0 0 0 0 0 0 0 0 0 0 0 0
36158- 0 0 0 0 0 0 0 0 0 0 0 0
36159- 0 0 0 0 0 0 0 0 0 0 0 0
36160- 0 0 0 0 0 0 0 0 0 0 0 0
36161- 0 0 0 0 0 0 0 0 0 0 0 0
36162- 0 0 0 0 0 0 0 0 0 0 0 0
36163- 0 0 0 0 0 0 0 0 0 0 0 0
36164- 6 6 6 6 6 6 10 10 10 10 10 10
36165- 10 10 10 6 6 6 6 6 6 6 6 6
36166- 0 0 0 0 0 0 0 0 0 0 0 0
36167- 0 0 0 0 0 0 0 0 0 0 0 0
36168- 0 0 0 0 0 0 0 0 0 0 0 0
36169- 0 0 0 0 0 0 0 0 0 0 0 0
36170- 0 0 0 0 0 0 0 0 0 0 0 0
36171- 0 0 0 0 0 0 0 0 0 0 0 0
36172- 0 0 0 0 0 0 0 0 0 0 0 0
36173- 0 0 0 0 0 0 0 0 0 0 0 0
36174- 0 0 0 0 0 0 0 0 0 0 0 0
36175- 0 0 0 0 0 0 0 0 0 0 0 0
36176- 0 0 0 0 0 0 0 0 0 0 0 0
36177- 0 0 0 0 0 0 0 0 0 0 0 0
36178- 0 0 0 0 0 0 0 0 0 0 0 0
36179- 0 0 0 0 0 0 0 0 0 0 0 0
36180- 0 0 0 0 0 0 0 0 0 0 0 0
36181- 0 0 0 0 0 0 0 0 0 0 0 0
36182- 0 0 0 0 0 0 0 0 0 0 0 0
36183- 0 0 0 6 6 6 10 10 10 14 14 14
36184- 22 22 22 26 26 26 30 30 30 34 34 34
36185- 30 30 30 30 30 30 26 26 26 18 18 18
36186- 14 14 14 10 10 10 6 6 6 0 0 0
36187- 0 0 0 0 0 0 0 0 0 0 0 0
36188- 0 0 0 0 0 0 0 0 0 0 0 0
36189- 0 0 0 0 0 0 0 0 0 0 0 0
36190- 0 0 0 0 0 0 0 0 0 0 0 0
36191- 0 0 0 0 0 0 0 0 0 0 0 0
36192- 0 0 0 0 0 0 0 0 0 0 0 0
36193- 0 0 0 0 0 0 0 0 0 0 0 0
36194- 0 0 0 0 0 0 0 0 0 0 0 0
36195- 0 0 0 0 0 0 0 0 0 0 0 0
36196- 0 0 0 0 0 1 0 0 1 0 0 0
36197- 0 0 0 0 0 0 0 0 0 0 0 0
36198- 0 0 0 0 0 0 0 0 0 0 0 0
36199- 0 0 0 0 0 0 0 0 0 0 0 0
36200- 0 0 0 0 0 0 0 0 0 0 0 0
36201- 0 0 0 0 0 0 0 0 0 0 0 0
36202- 0 0 0 0 0 0 0 0 0 0 0 0
36203- 6 6 6 14 14 14 26 26 26 42 42 42
36204- 54 54 54 66 66 66 78 78 78 78 78 78
36205- 78 78 78 74 74 74 66 66 66 54 54 54
36206- 42 42 42 26 26 26 18 18 18 10 10 10
36207- 6 6 6 0 0 0 0 0 0 0 0 0
36208- 0 0 0 0 0 0 0 0 0 0 0 0
36209- 0 0 0 0 0 0 0 0 0 0 0 0
36210- 0 0 0 0 0 0 0 0 0 0 0 0
36211- 0 0 0 0 0 0 0 0 0 0 0 0
36212- 0 0 0 0 0 0 0 0 0 0 0 0
36213- 0 0 0 0 0 0 0 0 0 0 0 0
36214- 0 0 0 0 0 0 0 0 0 0 0 0
36215- 0 0 0 0 0 0 0 0 0 0 0 0
36216- 0 0 1 0 0 0 0 0 0 0 0 0
36217- 0 0 0 0 0 0 0 0 0 0 0 0
36218- 0 0 0 0 0 0 0 0 0 0 0 0
36219- 0 0 0 0 0 0 0 0 0 0 0 0
36220- 0 0 0 0 0 0 0 0 0 0 0 0
36221- 0 0 0 0 0 0 0 0 0 0 0 0
36222- 0 0 0 0 0 0 0 0 0 10 10 10
36223- 22 22 22 42 42 42 66 66 66 86 86 86
36224- 66 66 66 38 38 38 38 38 38 22 22 22
36225- 26 26 26 34 34 34 54 54 54 66 66 66
36226- 86 86 86 70 70 70 46 46 46 26 26 26
36227- 14 14 14 6 6 6 0 0 0 0 0 0
36228- 0 0 0 0 0 0 0 0 0 0 0 0
36229- 0 0 0 0 0 0 0 0 0 0 0 0
36230- 0 0 0 0 0 0 0 0 0 0 0 0
36231- 0 0 0 0 0 0 0 0 0 0 0 0
36232- 0 0 0 0 0 0 0 0 0 0 0 0
36233- 0 0 0 0 0 0 0 0 0 0 0 0
36234- 0 0 0 0 0 0 0 0 0 0 0 0
36235- 0 0 0 0 0 0 0 0 0 0 0 0
36236- 0 0 1 0 0 1 0 0 1 0 0 0
36237- 0 0 0 0 0 0 0 0 0 0 0 0
36238- 0 0 0 0 0 0 0 0 0 0 0 0
36239- 0 0 0 0 0 0 0 0 0 0 0 0
36240- 0 0 0 0 0 0 0 0 0 0 0 0
36241- 0 0 0 0 0 0 0 0 0 0 0 0
36242- 0 0 0 0 0 0 10 10 10 26 26 26
36243- 50 50 50 82 82 82 58 58 58 6 6 6
36244- 2 2 6 2 2 6 2 2 6 2 2 6
36245- 2 2 6 2 2 6 2 2 6 2 2 6
36246- 6 6 6 54 54 54 86 86 86 66 66 66
36247- 38 38 38 18 18 18 6 6 6 0 0 0
36248- 0 0 0 0 0 0 0 0 0 0 0 0
36249- 0 0 0 0 0 0 0 0 0 0 0 0
36250- 0 0 0 0 0 0 0 0 0 0 0 0
36251- 0 0 0 0 0 0 0 0 0 0 0 0
36252- 0 0 0 0 0 0 0 0 0 0 0 0
36253- 0 0 0 0 0 0 0 0 0 0 0 0
36254- 0 0 0 0 0 0 0 0 0 0 0 0
36255- 0 0 0 0 0 0 0 0 0 0 0 0
36256- 0 0 0 0 0 0 0 0 0 0 0 0
36257- 0 0 0 0 0 0 0 0 0 0 0 0
36258- 0 0 0 0 0 0 0 0 0 0 0 0
36259- 0 0 0 0 0 0 0 0 0 0 0 0
36260- 0 0 0 0 0 0 0 0 0 0 0 0
36261- 0 0 0 0 0 0 0 0 0 0 0 0
36262- 0 0 0 6 6 6 22 22 22 50 50 50
36263- 78 78 78 34 34 34 2 2 6 2 2 6
36264- 2 2 6 2 2 6 2 2 6 2 2 6
36265- 2 2 6 2 2 6 2 2 6 2 2 6
36266- 2 2 6 2 2 6 6 6 6 70 70 70
36267- 78 78 78 46 46 46 22 22 22 6 6 6
36268- 0 0 0 0 0 0 0 0 0 0 0 0
36269- 0 0 0 0 0 0 0 0 0 0 0 0
36270- 0 0 0 0 0 0 0 0 0 0 0 0
36271- 0 0 0 0 0 0 0 0 0 0 0 0
36272- 0 0 0 0 0 0 0 0 0 0 0 0
36273- 0 0 0 0 0 0 0 0 0 0 0 0
36274- 0 0 0 0 0 0 0 0 0 0 0 0
36275- 0 0 0 0 0 0 0 0 0 0 0 0
36276- 0 0 1 0 0 1 0 0 1 0 0 0
36277- 0 0 0 0 0 0 0 0 0 0 0 0
36278- 0 0 0 0 0 0 0 0 0 0 0 0
36279- 0 0 0 0 0 0 0 0 0 0 0 0
36280- 0 0 0 0 0 0 0 0 0 0 0 0
36281- 0 0 0 0 0 0 0 0 0 0 0 0
36282- 6 6 6 18 18 18 42 42 42 82 82 82
36283- 26 26 26 2 2 6 2 2 6 2 2 6
36284- 2 2 6 2 2 6 2 2 6 2 2 6
36285- 2 2 6 2 2 6 2 2 6 14 14 14
36286- 46 46 46 34 34 34 6 6 6 2 2 6
36287- 42 42 42 78 78 78 42 42 42 18 18 18
36288- 6 6 6 0 0 0 0 0 0 0 0 0
36289- 0 0 0 0 0 0 0 0 0 0 0 0
36290- 0 0 0 0 0 0 0 0 0 0 0 0
36291- 0 0 0 0 0 0 0 0 0 0 0 0
36292- 0 0 0 0 0 0 0 0 0 0 0 0
36293- 0 0 0 0 0 0 0 0 0 0 0 0
36294- 0 0 0 0 0 0 0 0 0 0 0 0
36295- 0 0 0 0 0 0 0 0 0 0 0 0
36296- 0 0 1 0 0 0 0 0 1 0 0 0
36297- 0 0 0 0 0 0 0 0 0 0 0 0
36298- 0 0 0 0 0 0 0 0 0 0 0 0
36299- 0 0 0 0 0 0 0 0 0 0 0 0
36300- 0 0 0 0 0 0 0 0 0 0 0 0
36301- 0 0 0 0 0 0 0 0 0 0 0 0
36302- 10 10 10 30 30 30 66 66 66 58 58 58
36303- 2 2 6 2 2 6 2 2 6 2 2 6
36304- 2 2 6 2 2 6 2 2 6 2 2 6
36305- 2 2 6 2 2 6 2 2 6 26 26 26
36306- 86 86 86 101 101 101 46 46 46 10 10 10
36307- 2 2 6 58 58 58 70 70 70 34 34 34
36308- 10 10 10 0 0 0 0 0 0 0 0 0
36309- 0 0 0 0 0 0 0 0 0 0 0 0
36310- 0 0 0 0 0 0 0 0 0 0 0 0
36311- 0 0 0 0 0 0 0 0 0 0 0 0
36312- 0 0 0 0 0 0 0 0 0 0 0 0
36313- 0 0 0 0 0 0 0 0 0 0 0 0
36314- 0 0 0 0 0 0 0 0 0 0 0 0
36315- 0 0 0 0 0 0 0 0 0 0 0 0
36316- 0 0 1 0 0 1 0 0 1 0 0 0
36317- 0 0 0 0 0 0 0 0 0 0 0 0
36318- 0 0 0 0 0 0 0 0 0 0 0 0
36319- 0 0 0 0 0 0 0 0 0 0 0 0
36320- 0 0 0 0 0 0 0 0 0 0 0 0
36321- 0 0 0 0 0 0 0 0 0 0 0 0
36322- 14 14 14 42 42 42 86 86 86 10 10 10
36323- 2 2 6 2 2 6 2 2 6 2 2 6
36324- 2 2 6 2 2 6 2 2 6 2 2 6
36325- 2 2 6 2 2 6 2 2 6 30 30 30
36326- 94 94 94 94 94 94 58 58 58 26 26 26
36327- 2 2 6 6 6 6 78 78 78 54 54 54
36328- 22 22 22 6 6 6 0 0 0 0 0 0
36329- 0 0 0 0 0 0 0 0 0 0 0 0
36330- 0 0 0 0 0 0 0 0 0 0 0 0
36331- 0 0 0 0 0 0 0 0 0 0 0 0
36332- 0 0 0 0 0 0 0 0 0 0 0 0
36333- 0 0 0 0 0 0 0 0 0 0 0 0
36334- 0 0 0 0 0 0 0 0 0 0 0 0
36335- 0 0 0 0 0 0 0 0 0 0 0 0
36336- 0 0 0 0 0 0 0 0 0 0 0 0
36337- 0 0 0 0 0 0 0 0 0 0 0 0
36338- 0 0 0 0 0 0 0 0 0 0 0 0
36339- 0 0 0 0 0 0 0 0 0 0 0 0
36340- 0 0 0 0 0 0 0 0 0 0 0 0
36341- 0 0 0 0 0 0 0 0 0 6 6 6
36342- 22 22 22 62 62 62 62 62 62 2 2 6
36343- 2 2 6 2 2 6 2 2 6 2 2 6
36344- 2 2 6 2 2 6 2 2 6 2 2 6
36345- 2 2 6 2 2 6 2 2 6 26 26 26
36346- 54 54 54 38 38 38 18 18 18 10 10 10
36347- 2 2 6 2 2 6 34 34 34 82 82 82
36348- 38 38 38 14 14 14 0 0 0 0 0 0
36349- 0 0 0 0 0 0 0 0 0 0 0 0
36350- 0 0 0 0 0 0 0 0 0 0 0 0
36351- 0 0 0 0 0 0 0 0 0 0 0 0
36352- 0 0 0 0 0 0 0 0 0 0 0 0
36353- 0 0 0 0 0 0 0 0 0 0 0 0
36354- 0 0 0 0 0 0 0 0 0 0 0 0
36355- 0 0 0 0 0 0 0 0 0 0 0 0
36356- 0 0 0 0 0 1 0 0 1 0 0 0
36357- 0 0 0 0 0 0 0 0 0 0 0 0
36358- 0 0 0 0 0 0 0 0 0 0 0 0
36359- 0 0 0 0 0 0 0 0 0 0 0 0
36360- 0 0 0 0 0 0 0 0 0 0 0 0
36361- 0 0 0 0 0 0 0 0 0 6 6 6
36362- 30 30 30 78 78 78 30 30 30 2 2 6
36363- 2 2 6 2 2 6 2 2 6 2 2 6
36364- 2 2 6 2 2 6 2 2 6 2 2 6
36365- 2 2 6 2 2 6 2 2 6 10 10 10
36366- 10 10 10 2 2 6 2 2 6 2 2 6
36367- 2 2 6 2 2 6 2 2 6 78 78 78
36368- 50 50 50 18 18 18 6 6 6 0 0 0
36369- 0 0 0 0 0 0 0 0 0 0 0 0
36370- 0 0 0 0 0 0 0 0 0 0 0 0
36371- 0 0 0 0 0 0 0 0 0 0 0 0
36372- 0 0 0 0 0 0 0 0 0 0 0 0
36373- 0 0 0 0 0 0 0 0 0 0 0 0
36374- 0 0 0 0 0 0 0 0 0 0 0 0
36375- 0 0 0 0 0 0 0 0 0 0 0 0
36376- 0 0 1 0 0 0 0 0 0 0 0 0
36377- 0 0 0 0 0 0 0 0 0 0 0 0
36378- 0 0 0 0 0 0 0 0 0 0 0 0
36379- 0 0 0 0 0 0 0 0 0 0 0 0
36380- 0 0 0 0 0 0 0 0 0 0 0 0
36381- 0 0 0 0 0 0 0 0 0 10 10 10
36382- 38 38 38 86 86 86 14 14 14 2 2 6
36383- 2 2 6 2 2 6 2 2 6 2 2 6
36384- 2 2 6 2 2 6 2 2 6 2 2 6
36385- 2 2 6 2 2 6 2 2 6 2 2 6
36386- 2 2 6 2 2 6 2 2 6 2 2 6
36387- 2 2 6 2 2 6 2 2 6 54 54 54
36388- 66 66 66 26 26 26 6 6 6 0 0 0
36389- 0 0 0 0 0 0 0 0 0 0 0 0
36390- 0 0 0 0 0 0 0 0 0 0 0 0
36391- 0 0 0 0 0 0 0 0 0 0 0 0
36392- 0 0 0 0 0 0 0 0 0 0 0 0
36393- 0 0 0 0 0 0 0 0 0 0 0 0
36394- 0 0 0 0 0 0 0 0 0 0 0 0
36395- 0 0 0 0 0 0 0 0 0 0 0 0
36396- 0 0 0 0 0 1 0 0 1 0 0 0
36397- 0 0 0 0 0 0 0 0 0 0 0 0
36398- 0 0 0 0 0 0 0 0 0 0 0 0
36399- 0 0 0 0 0 0 0 0 0 0 0 0
36400- 0 0 0 0 0 0 0 0 0 0 0 0
36401- 0 0 0 0 0 0 0 0 0 14 14 14
36402- 42 42 42 82 82 82 2 2 6 2 2 6
36403- 2 2 6 6 6 6 10 10 10 2 2 6
36404- 2 2 6 2 2 6 2 2 6 2 2 6
36405- 2 2 6 2 2 6 2 2 6 6 6 6
36406- 14 14 14 10 10 10 2 2 6 2 2 6
36407- 2 2 6 2 2 6 2 2 6 18 18 18
36408- 82 82 82 34 34 34 10 10 10 0 0 0
36409- 0 0 0 0 0 0 0 0 0 0 0 0
36410- 0 0 0 0 0 0 0 0 0 0 0 0
36411- 0 0 0 0 0 0 0 0 0 0 0 0
36412- 0 0 0 0 0 0 0 0 0 0 0 0
36413- 0 0 0 0 0 0 0 0 0 0 0 0
36414- 0 0 0 0 0 0 0 0 0 0 0 0
36415- 0 0 0 0 0 0 0 0 0 0 0 0
36416- 0 0 1 0 0 0 0 0 0 0 0 0
36417- 0 0 0 0 0 0 0 0 0 0 0 0
36418- 0 0 0 0 0 0 0 0 0 0 0 0
36419- 0 0 0 0 0 0 0 0 0 0 0 0
36420- 0 0 0 0 0 0 0 0 0 0 0 0
36421- 0 0 0 0 0 0 0 0 0 14 14 14
36422- 46 46 46 86 86 86 2 2 6 2 2 6
36423- 6 6 6 6 6 6 22 22 22 34 34 34
36424- 6 6 6 2 2 6 2 2 6 2 2 6
36425- 2 2 6 2 2 6 18 18 18 34 34 34
36426- 10 10 10 50 50 50 22 22 22 2 2 6
36427- 2 2 6 2 2 6 2 2 6 10 10 10
36428- 86 86 86 42 42 42 14 14 14 0 0 0
36429- 0 0 0 0 0 0 0 0 0 0 0 0
36430- 0 0 0 0 0 0 0 0 0 0 0 0
36431- 0 0 0 0 0 0 0 0 0 0 0 0
36432- 0 0 0 0 0 0 0 0 0 0 0 0
36433- 0 0 0 0 0 0 0 0 0 0 0 0
36434- 0 0 0 0 0 0 0 0 0 0 0 0
36435- 0 0 0 0 0 0 0 0 0 0 0 0
36436- 0 0 1 0 0 1 0 0 1 0 0 0
36437- 0 0 0 0 0 0 0 0 0 0 0 0
36438- 0 0 0 0 0 0 0 0 0 0 0 0
36439- 0 0 0 0 0 0 0 0 0 0 0 0
36440- 0 0 0 0 0 0 0 0 0 0 0 0
36441- 0 0 0 0 0 0 0 0 0 14 14 14
36442- 46 46 46 86 86 86 2 2 6 2 2 6
36443- 38 38 38 116 116 116 94 94 94 22 22 22
36444- 22 22 22 2 2 6 2 2 6 2 2 6
36445- 14 14 14 86 86 86 138 138 138 162 162 162
36446-154 154 154 38 38 38 26 26 26 6 6 6
36447- 2 2 6 2 2 6 2 2 6 2 2 6
36448- 86 86 86 46 46 46 14 14 14 0 0 0
36449- 0 0 0 0 0 0 0 0 0 0 0 0
36450- 0 0 0 0 0 0 0 0 0 0 0 0
36451- 0 0 0 0 0 0 0 0 0 0 0 0
36452- 0 0 0 0 0 0 0 0 0 0 0 0
36453- 0 0 0 0 0 0 0 0 0 0 0 0
36454- 0 0 0 0 0 0 0 0 0 0 0 0
36455- 0 0 0 0 0 0 0 0 0 0 0 0
36456- 0 0 0 0 0 0 0 0 0 0 0 0
36457- 0 0 0 0 0 0 0 0 0 0 0 0
36458- 0 0 0 0 0 0 0 0 0 0 0 0
36459- 0 0 0 0 0 0 0 0 0 0 0 0
36460- 0 0 0 0 0 0 0 0 0 0 0 0
36461- 0 0 0 0 0 0 0 0 0 14 14 14
36462- 46 46 46 86 86 86 2 2 6 14 14 14
36463-134 134 134 198 198 198 195 195 195 116 116 116
36464- 10 10 10 2 2 6 2 2 6 6 6 6
36465-101 98 89 187 187 187 210 210 210 218 218 218
36466-214 214 214 134 134 134 14 14 14 6 6 6
36467- 2 2 6 2 2 6 2 2 6 2 2 6
36468- 86 86 86 50 50 50 18 18 18 6 6 6
36469- 0 0 0 0 0 0 0 0 0 0 0 0
36470- 0 0 0 0 0 0 0 0 0 0 0 0
36471- 0 0 0 0 0 0 0 0 0 0 0 0
36472- 0 0 0 0 0 0 0 0 0 0 0 0
36473- 0 0 0 0 0 0 0 0 0 0 0 0
36474- 0 0 0 0 0 0 0 0 0 0 0 0
36475- 0 0 0 0 0 0 0 0 1 0 0 0
36476- 0 0 1 0 0 1 0 0 1 0 0 0
36477- 0 0 0 0 0 0 0 0 0 0 0 0
36478- 0 0 0 0 0 0 0 0 0 0 0 0
36479- 0 0 0 0 0 0 0 0 0 0 0 0
36480- 0 0 0 0 0 0 0 0 0 0 0 0
36481- 0 0 0 0 0 0 0 0 0 14 14 14
36482- 46 46 46 86 86 86 2 2 6 54 54 54
36483-218 218 218 195 195 195 226 226 226 246 246 246
36484- 58 58 58 2 2 6 2 2 6 30 30 30
36485-210 210 210 253 253 253 174 174 174 123 123 123
36486-221 221 221 234 234 234 74 74 74 2 2 6
36487- 2 2 6 2 2 6 2 2 6 2 2 6
36488- 70 70 70 58 58 58 22 22 22 6 6 6
36489- 0 0 0 0 0 0 0 0 0 0 0 0
36490- 0 0 0 0 0 0 0 0 0 0 0 0
36491- 0 0 0 0 0 0 0 0 0 0 0 0
36492- 0 0 0 0 0 0 0 0 0 0 0 0
36493- 0 0 0 0 0 0 0 0 0 0 0 0
36494- 0 0 0 0 0 0 0 0 0 0 0 0
36495- 0 0 0 0 0 0 0 0 0 0 0 0
36496- 0 0 0 0 0 0 0 0 0 0 0 0
36497- 0 0 0 0 0 0 0 0 0 0 0 0
36498- 0 0 0 0 0 0 0 0 0 0 0 0
36499- 0 0 0 0 0 0 0 0 0 0 0 0
36500- 0 0 0 0 0 0 0 0 0 0 0 0
36501- 0 0 0 0 0 0 0 0 0 14 14 14
36502- 46 46 46 82 82 82 2 2 6 106 106 106
36503-170 170 170 26 26 26 86 86 86 226 226 226
36504-123 123 123 10 10 10 14 14 14 46 46 46
36505-231 231 231 190 190 190 6 6 6 70 70 70
36506- 90 90 90 238 238 238 158 158 158 2 2 6
36507- 2 2 6 2 2 6 2 2 6 2 2 6
36508- 70 70 70 58 58 58 22 22 22 6 6 6
36509- 0 0 0 0 0 0 0 0 0 0 0 0
36510- 0 0 0 0 0 0 0 0 0 0 0 0
36511- 0 0 0 0 0 0 0 0 0 0 0 0
36512- 0 0 0 0 0 0 0 0 0 0 0 0
36513- 0 0 0 0 0 0 0 0 0 0 0 0
36514- 0 0 0 0 0 0 0 0 0 0 0 0
36515- 0 0 0 0 0 0 0 0 1 0 0 0
36516- 0 0 1 0 0 1 0 0 1 0 0 0
36517- 0 0 0 0 0 0 0 0 0 0 0 0
36518- 0 0 0 0 0 0 0 0 0 0 0 0
36519- 0 0 0 0 0 0 0 0 0 0 0 0
36520- 0 0 0 0 0 0 0 0 0 0 0 0
36521- 0 0 0 0 0 0 0 0 0 14 14 14
36522- 42 42 42 86 86 86 6 6 6 116 116 116
36523-106 106 106 6 6 6 70 70 70 149 149 149
36524-128 128 128 18 18 18 38 38 38 54 54 54
36525-221 221 221 106 106 106 2 2 6 14 14 14
36526- 46 46 46 190 190 190 198 198 198 2 2 6
36527- 2 2 6 2 2 6 2 2 6 2 2 6
36528- 74 74 74 62 62 62 22 22 22 6 6 6
36529- 0 0 0 0 0 0 0 0 0 0 0 0
36530- 0 0 0 0 0 0 0 0 0 0 0 0
36531- 0 0 0 0 0 0 0 0 0 0 0 0
36532- 0 0 0 0 0 0 0 0 0 0 0 0
36533- 0 0 0 0 0 0 0 0 0 0 0 0
36534- 0 0 0 0 0 0 0 0 0 0 0 0
36535- 0 0 0 0 0 0 0 0 1 0 0 0
36536- 0 0 1 0 0 0 0 0 1 0 0 0
36537- 0 0 0 0 0 0 0 0 0 0 0 0
36538- 0 0 0 0 0 0 0 0 0 0 0 0
36539- 0 0 0 0 0 0 0 0 0 0 0 0
36540- 0 0 0 0 0 0 0 0 0 0 0 0
36541- 0 0 0 0 0 0 0 0 0 14 14 14
36542- 42 42 42 94 94 94 14 14 14 101 101 101
36543-128 128 128 2 2 6 18 18 18 116 116 116
36544-118 98 46 121 92 8 121 92 8 98 78 10
36545-162 162 162 106 106 106 2 2 6 2 2 6
36546- 2 2 6 195 195 195 195 195 195 6 6 6
36547- 2 2 6 2 2 6 2 2 6 2 2 6
36548- 74 74 74 62 62 62 22 22 22 6 6 6
36549- 0 0 0 0 0 0 0 0 0 0 0 0
36550- 0 0 0 0 0 0 0 0 0 0 0 0
36551- 0 0 0 0 0 0 0 0 0 0 0 0
36552- 0 0 0 0 0 0 0 0 0 0 0 0
36553- 0 0 0 0 0 0 0 0 0 0 0 0
36554- 0 0 0 0 0 0 0 0 0 0 0 0
36555- 0 0 0 0 0 0 0 0 1 0 0 1
36556- 0 0 1 0 0 0 0 0 1 0 0 0
36557- 0 0 0 0 0 0 0 0 0 0 0 0
36558- 0 0 0 0 0 0 0 0 0 0 0 0
36559- 0 0 0 0 0 0 0 0 0 0 0 0
36560- 0 0 0 0 0 0 0 0 0 0 0 0
36561- 0 0 0 0 0 0 0 0 0 10 10 10
36562- 38 38 38 90 90 90 14 14 14 58 58 58
36563-210 210 210 26 26 26 54 38 6 154 114 10
36564-226 170 11 236 186 11 225 175 15 184 144 12
36565-215 174 15 175 146 61 37 26 9 2 2 6
36566- 70 70 70 246 246 246 138 138 138 2 2 6
36567- 2 2 6 2 2 6 2 2 6 2 2 6
36568- 70 70 70 66 66 66 26 26 26 6 6 6
36569- 0 0 0 0 0 0 0 0 0 0 0 0
36570- 0 0 0 0 0 0 0 0 0 0 0 0
36571- 0 0 0 0 0 0 0 0 0 0 0 0
36572- 0 0 0 0 0 0 0 0 0 0 0 0
36573- 0 0 0 0 0 0 0 0 0 0 0 0
36574- 0 0 0 0 0 0 0 0 0 0 0 0
36575- 0 0 0 0 0 0 0 0 0 0 0 0
36576- 0 0 0 0 0 0 0 0 0 0 0 0
36577- 0 0 0 0 0 0 0 0 0 0 0 0
36578- 0 0 0 0 0 0 0 0 0 0 0 0
36579- 0 0 0 0 0 0 0 0 0 0 0 0
36580- 0 0 0 0 0 0 0 0 0 0 0 0
36581- 0 0 0 0 0 0 0 0 0 10 10 10
36582- 38 38 38 86 86 86 14 14 14 10 10 10
36583-195 195 195 188 164 115 192 133 9 225 175 15
36584-239 182 13 234 190 10 232 195 16 232 200 30
36585-245 207 45 241 208 19 232 195 16 184 144 12
36586-218 194 134 211 206 186 42 42 42 2 2 6
36587- 2 2 6 2 2 6 2 2 6 2 2 6
36588- 50 50 50 74 74 74 30 30 30 6 6 6
36589- 0 0 0 0 0 0 0 0 0 0 0 0
36590- 0 0 0 0 0 0 0 0 0 0 0 0
36591- 0 0 0 0 0 0 0 0 0 0 0 0
36592- 0 0 0 0 0 0 0 0 0 0 0 0
36593- 0 0 0 0 0 0 0 0 0 0 0 0
36594- 0 0 0 0 0 0 0 0 0 0 0 0
36595- 0 0 0 0 0 0 0 0 0 0 0 0
36596- 0 0 0 0 0 0 0 0 0 0 0 0
36597- 0 0 0 0 0 0 0 0 0 0 0 0
36598- 0 0 0 0 0 0 0 0 0 0 0 0
36599- 0 0 0 0 0 0 0 0 0 0 0 0
36600- 0 0 0 0 0 0 0 0 0 0 0 0
36601- 0 0 0 0 0 0 0 0 0 10 10 10
36602- 34 34 34 86 86 86 14 14 14 2 2 6
36603-121 87 25 192 133 9 219 162 10 239 182 13
36604-236 186 11 232 195 16 241 208 19 244 214 54
36605-246 218 60 246 218 38 246 215 20 241 208 19
36606-241 208 19 226 184 13 121 87 25 2 2 6
36607- 2 2 6 2 2 6 2 2 6 2 2 6
36608- 50 50 50 82 82 82 34 34 34 10 10 10
36609- 0 0 0 0 0 0 0 0 0 0 0 0
36610- 0 0 0 0 0 0 0 0 0 0 0 0
36611- 0 0 0 0 0 0 0 0 0 0 0 0
36612- 0 0 0 0 0 0 0 0 0 0 0 0
36613- 0 0 0 0 0 0 0 0 0 0 0 0
36614- 0 0 0 0 0 0 0 0 0 0 0 0
36615- 0 0 0 0 0 0 0 0 0 0 0 0
36616- 0 0 0 0 0 0 0 0 0 0 0 0
36617- 0 0 0 0 0 0 0 0 0 0 0 0
36618- 0 0 0 0 0 0 0 0 0 0 0 0
36619- 0 0 0 0 0 0 0 0 0 0 0 0
36620- 0 0 0 0 0 0 0 0 0 0 0 0
36621- 0 0 0 0 0 0 0 0 0 10 10 10
36622- 34 34 34 82 82 82 30 30 30 61 42 6
36623-180 123 7 206 145 10 230 174 11 239 182 13
36624-234 190 10 238 202 15 241 208 19 246 218 74
36625-246 218 38 246 215 20 246 215 20 246 215 20
36626-226 184 13 215 174 15 184 144 12 6 6 6
36627- 2 2 6 2 2 6 2 2 6 2 2 6
36628- 26 26 26 94 94 94 42 42 42 14 14 14
36629- 0 0 0 0 0 0 0 0 0 0 0 0
36630- 0 0 0 0 0 0 0 0 0 0 0 0
36631- 0 0 0 0 0 0 0 0 0 0 0 0
36632- 0 0 0 0 0 0 0 0 0 0 0 0
36633- 0 0 0 0 0 0 0 0 0 0 0 0
36634- 0 0 0 0 0 0 0 0 0 0 0 0
36635- 0 0 0 0 0 0 0 0 0 0 0 0
36636- 0 0 0 0 0 0 0 0 0 0 0 0
36637- 0 0 0 0 0 0 0 0 0 0 0 0
36638- 0 0 0 0 0 0 0 0 0 0 0 0
36639- 0 0 0 0 0 0 0 0 0 0 0 0
36640- 0 0 0 0 0 0 0 0 0 0 0 0
36641- 0 0 0 0 0 0 0 0 0 10 10 10
36642- 30 30 30 78 78 78 50 50 50 104 69 6
36643-192 133 9 216 158 10 236 178 12 236 186 11
36644-232 195 16 241 208 19 244 214 54 245 215 43
36645-246 215 20 246 215 20 241 208 19 198 155 10
36646-200 144 11 216 158 10 156 118 10 2 2 6
36647- 2 2 6 2 2 6 2 2 6 2 2 6
36648- 6 6 6 90 90 90 54 54 54 18 18 18
36649- 6 6 6 0 0 0 0 0 0 0 0 0
36650- 0 0 0 0 0 0 0 0 0 0 0 0
36651- 0 0 0 0 0 0 0 0 0 0 0 0
36652- 0 0 0 0 0 0 0 0 0 0 0 0
36653- 0 0 0 0 0 0 0 0 0 0 0 0
36654- 0 0 0 0 0 0 0 0 0 0 0 0
36655- 0 0 0 0 0 0 0 0 0 0 0 0
36656- 0 0 0 0 0 0 0 0 0 0 0 0
36657- 0 0 0 0 0 0 0 0 0 0 0 0
36658- 0 0 0 0 0 0 0 0 0 0 0 0
36659- 0 0 0 0 0 0 0 0 0 0 0 0
36660- 0 0 0 0 0 0 0 0 0 0 0 0
36661- 0 0 0 0 0 0 0 0 0 10 10 10
36662- 30 30 30 78 78 78 46 46 46 22 22 22
36663-137 92 6 210 162 10 239 182 13 238 190 10
36664-238 202 15 241 208 19 246 215 20 246 215 20
36665-241 208 19 203 166 17 185 133 11 210 150 10
36666-216 158 10 210 150 10 102 78 10 2 2 6
36667- 6 6 6 54 54 54 14 14 14 2 2 6
36668- 2 2 6 62 62 62 74 74 74 30 30 30
36669- 10 10 10 0 0 0 0 0 0 0 0 0
36670- 0 0 0 0 0 0 0 0 0 0 0 0
36671- 0 0 0 0 0 0 0 0 0 0 0 0
36672- 0 0 0 0 0 0 0 0 0 0 0 0
36673- 0 0 0 0 0 0 0 0 0 0 0 0
36674- 0 0 0 0 0 0 0 0 0 0 0 0
36675- 0 0 0 0 0 0 0 0 0 0 0 0
36676- 0 0 0 0 0 0 0 0 0 0 0 0
36677- 0 0 0 0 0 0 0 0 0 0 0 0
36678- 0 0 0 0 0 0 0 0 0 0 0 0
36679- 0 0 0 0 0 0 0 0 0 0 0 0
36680- 0 0 0 0 0 0 0 0 0 0 0 0
36681- 0 0 0 0 0 0 0 0 0 10 10 10
36682- 34 34 34 78 78 78 50 50 50 6 6 6
36683- 94 70 30 139 102 15 190 146 13 226 184 13
36684-232 200 30 232 195 16 215 174 15 190 146 13
36685-168 122 10 192 133 9 210 150 10 213 154 11
36686-202 150 34 182 157 106 101 98 89 2 2 6
36687- 2 2 6 78 78 78 116 116 116 58 58 58
36688- 2 2 6 22 22 22 90 90 90 46 46 46
36689- 18 18 18 6 6 6 0 0 0 0 0 0
36690- 0 0 0 0 0 0 0 0 0 0 0 0
36691- 0 0 0 0 0 0 0 0 0 0 0 0
36692- 0 0 0 0 0 0 0 0 0 0 0 0
36693- 0 0 0 0 0 0 0 0 0 0 0 0
36694- 0 0 0 0 0 0 0 0 0 0 0 0
36695- 0 0 0 0 0 0 0 0 0 0 0 0
36696- 0 0 0 0 0 0 0 0 0 0 0 0
36697- 0 0 0 0 0 0 0 0 0 0 0 0
36698- 0 0 0 0 0 0 0 0 0 0 0 0
36699- 0 0 0 0 0 0 0 0 0 0 0 0
36700- 0 0 0 0 0 0 0 0 0 0 0 0
36701- 0 0 0 0 0 0 0 0 0 10 10 10
36702- 38 38 38 86 86 86 50 50 50 6 6 6
36703-128 128 128 174 154 114 156 107 11 168 122 10
36704-198 155 10 184 144 12 197 138 11 200 144 11
36705-206 145 10 206 145 10 197 138 11 188 164 115
36706-195 195 195 198 198 198 174 174 174 14 14 14
36707- 2 2 6 22 22 22 116 116 116 116 116 116
36708- 22 22 22 2 2 6 74 74 74 70 70 70
36709- 30 30 30 10 10 10 0 0 0 0 0 0
36710- 0 0 0 0 0 0 0 0 0 0 0 0
36711- 0 0 0 0 0 0 0 0 0 0 0 0
36712- 0 0 0 0 0 0 0 0 0 0 0 0
36713- 0 0 0 0 0 0 0 0 0 0 0 0
36714- 0 0 0 0 0 0 0 0 0 0 0 0
36715- 0 0 0 0 0 0 0 0 0 0 0 0
36716- 0 0 0 0 0 0 0 0 0 0 0 0
36717- 0 0 0 0 0 0 0 0 0 0 0 0
36718- 0 0 0 0 0 0 0 0 0 0 0 0
36719- 0 0 0 0 0 0 0 0 0 0 0 0
36720- 0 0 0 0 0 0 0 0 0 0 0 0
36721- 0 0 0 0 0 0 6 6 6 18 18 18
36722- 50 50 50 101 101 101 26 26 26 10 10 10
36723-138 138 138 190 190 190 174 154 114 156 107 11
36724-197 138 11 200 144 11 197 138 11 192 133 9
36725-180 123 7 190 142 34 190 178 144 187 187 187
36726-202 202 202 221 221 221 214 214 214 66 66 66
36727- 2 2 6 2 2 6 50 50 50 62 62 62
36728- 6 6 6 2 2 6 10 10 10 90 90 90
36729- 50 50 50 18 18 18 6 6 6 0 0 0
36730- 0 0 0 0 0 0 0 0 0 0 0 0
36731- 0 0 0 0 0 0 0 0 0 0 0 0
36732- 0 0 0 0 0 0 0 0 0 0 0 0
36733- 0 0 0 0 0 0 0 0 0 0 0 0
36734- 0 0 0 0 0 0 0 0 0 0 0 0
36735- 0 0 0 0 0 0 0 0 0 0 0 0
36736- 0 0 0 0 0 0 0 0 0 0 0 0
36737- 0 0 0 0 0 0 0 0 0 0 0 0
36738- 0 0 0 0 0 0 0 0 0 0 0 0
36739- 0 0 0 0 0 0 0 0 0 0 0 0
36740- 0 0 0 0 0 0 0 0 0 0 0 0
36741- 0 0 0 0 0 0 10 10 10 34 34 34
36742- 74 74 74 74 74 74 2 2 6 6 6 6
36743-144 144 144 198 198 198 190 190 190 178 166 146
36744-154 121 60 156 107 11 156 107 11 168 124 44
36745-174 154 114 187 187 187 190 190 190 210 210 210
36746-246 246 246 253 253 253 253 253 253 182 182 182
36747- 6 6 6 2 2 6 2 2 6 2 2 6
36748- 2 2 6 2 2 6 2 2 6 62 62 62
36749- 74 74 74 34 34 34 14 14 14 0 0 0
36750- 0 0 0 0 0 0 0 0 0 0 0 0
36751- 0 0 0 0 0 0 0 0 0 0 0 0
36752- 0 0 0 0 0 0 0 0 0 0 0 0
36753- 0 0 0 0 0 0 0 0 0 0 0 0
36754- 0 0 0 0 0 0 0 0 0 0 0 0
36755- 0 0 0 0 0 0 0 0 0 0 0 0
36756- 0 0 0 0 0 0 0 0 0 0 0 0
36757- 0 0 0 0 0 0 0 0 0 0 0 0
36758- 0 0 0 0 0 0 0 0 0 0 0 0
36759- 0 0 0 0 0 0 0 0 0 0 0 0
36760- 0 0 0 0 0 0 0 0 0 0 0 0
36761- 0 0 0 10 10 10 22 22 22 54 54 54
36762- 94 94 94 18 18 18 2 2 6 46 46 46
36763-234 234 234 221 221 221 190 190 190 190 190 190
36764-190 190 190 187 187 187 187 187 187 190 190 190
36765-190 190 190 195 195 195 214 214 214 242 242 242
36766-253 253 253 253 253 253 253 253 253 253 253 253
36767- 82 82 82 2 2 6 2 2 6 2 2 6
36768- 2 2 6 2 2 6 2 2 6 14 14 14
36769- 86 86 86 54 54 54 22 22 22 6 6 6
36770- 0 0 0 0 0 0 0 0 0 0 0 0
36771- 0 0 0 0 0 0 0 0 0 0 0 0
36772- 0 0 0 0 0 0 0 0 0 0 0 0
36773- 0 0 0 0 0 0 0 0 0 0 0 0
36774- 0 0 0 0 0 0 0 0 0 0 0 0
36775- 0 0 0 0 0 0 0 0 0 0 0 0
36776- 0 0 0 0 0 0 0 0 0 0 0 0
36777- 0 0 0 0 0 0 0 0 0 0 0 0
36778- 0 0 0 0 0 0 0 0 0 0 0 0
36779- 0 0 0 0 0 0 0 0 0 0 0 0
36780- 0 0 0 0 0 0 0 0 0 0 0 0
36781- 6 6 6 18 18 18 46 46 46 90 90 90
36782- 46 46 46 18 18 18 6 6 6 182 182 182
36783-253 253 253 246 246 246 206 206 206 190 190 190
36784-190 190 190 190 190 190 190 190 190 190 190 190
36785-206 206 206 231 231 231 250 250 250 253 253 253
36786-253 253 253 253 253 253 253 253 253 253 253 253
36787-202 202 202 14 14 14 2 2 6 2 2 6
36788- 2 2 6 2 2 6 2 2 6 2 2 6
36789- 42 42 42 86 86 86 42 42 42 18 18 18
36790- 6 6 6 0 0 0 0 0 0 0 0 0
36791- 0 0 0 0 0 0 0 0 0 0 0 0
36792- 0 0 0 0 0 0 0 0 0 0 0 0
36793- 0 0 0 0 0 0 0 0 0 0 0 0
36794- 0 0 0 0 0 0 0 0 0 0 0 0
36795- 0 0 0 0 0 0 0 0 0 0 0 0
36796- 0 0 0 0 0 0 0 0 0 0 0 0
36797- 0 0 0 0 0 0 0 0 0 0 0 0
36798- 0 0 0 0 0 0 0 0 0 0 0 0
36799- 0 0 0 0 0 0 0 0 0 0 0 0
36800- 0 0 0 0 0 0 0 0 0 6 6 6
36801- 14 14 14 38 38 38 74 74 74 66 66 66
36802- 2 2 6 6 6 6 90 90 90 250 250 250
36803-253 253 253 253 253 253 238 238 238 198 198 198
36804-190 190 190 190 190 190 195 195 195 221 221 221
36805-246 246 246 253 253 253 253 253 253 253 253 253
36806-253 253 253 253 253 253 253 253 253 253 253 253
36807-253 253 253 82 82 82 2 2 6 2 2 6
36808- 2 2 6 2 2 6 2 2 6 2 2 6
36809- 2 2 6 78 78 78 70 70 70 34 34 34
36810- 14 14 14 6 6 6 0 0 0 0 0 0
36811- 0 0 0 0 0 0 0 0 0 0 0 0
36812- 0 0 0 0 0 0 0 0 0 0 0 0
36813- 0 0 0 0 0 0 0 0 0 0 0 0
36814- 0 0 0 0 0 0 0 0 0 0 0 0
36815- 0 0 0 0 0 0 0 0 0 0 0 0
36816- 0 0 0 0 0 0 0 0 0 0 0 0
36817- 0 0 0 0 0 0 0 0 0 0 0 0
36818- 0 0 0 0 0 0 0 0 0 0 0 0
36819- 0 0 0 0 0 0 0 0 0 0 0 0
36820- 0 0 0 0 0 0 0 0 0 14 14 14
36821- 34 34 34 66 66 66 78 78 78 6 6 6
36822- 2 2 6 18 18 18 218 218 218 253 253 253
36823-253 253 253 253 253 253 253 253 253 246 246 246
36824-226 226 226 231 231 231 246 246 246 253 253 253
36825-253 253 253 253 253 253 253 253 253 253 253 253
36826-253 253 253 253 253 253 253 253 253 253 253 253
36827-253 253 253 178 178 178 2 2 6 2 2 6
36828- 2 2 6 2 2 6 2 2 6 2 2 6
36829- 2 2 6 18 18 18 90 90 90 62 62 62
36830- 30 30 30 10 10 10 0 0 0 0 0 0
36831- 0 0 0 0 0 0 0 0 0 0 0 0
36832- 0 0 0 0 0 0 0 0 0 0 0 0
36833- 0 0 0 0 0 0 0 0 0 0 0 0
36834- 0 0 0 0 0 0 0 0 0 0 0 0
36835- 0 0 0 0 0 0 0 0 0 0 0 0
36836- 0 0 0 0 0 0 0 0 0 0 0 0
36837- 0 0 0 0 0 0 0 0 0 0 0 0
36838- 0 0 0 0 0 0 0 0 0 0 0 0
36839- 0 0 0 0 0 0 0 0 0 0 0 0
36840- 0 0 0 0 0 0 10 10 10 26 26 26
36841- 58 58 58 90 90 90 18 18 18 2 2 6
36842- 2 2 6 110 110 110 253 253 253 253 253 253
36843-253 253 253 253 253 253 253 253 253 253 253 253
36844-250 250 250 253 253 253 253 253 253 253 253 253
36845-253 253 253 253 253 253 253 253 253 253 253 253
36846-253 253 253 253 253 253 253 253 253 253 253 253
36847-253 253 253 231 231 231 18 18 18 2 2 6
36848- 2 2 6 2 2 6 2 2 6 2 2 6
36849- 2 2 6 2 2 6 18 18 18 94 94 94
36850- 54 54 54 26 26 26 10 10 10 0 0 0
36851- 0 0 0 0 0 0 0 0 0 0 0 0
36852- 0 0 0 0 0 0 0 0 0 0 0 0
36853- 0 0 0 0 0 0 0 0 0 0 0 0
36854- 0 0 0 0 0 0 0 0 0 0 0 0
36855- 0 0 0 0 0 0 0 0 0 0 0 0
36856- 0 0 0 0 0 0 0 0 0 0 0 0
36857- 0 0 0 0 0 0 0 0 0 0 0 0
36858- 0 0 0 0 0 0 0 0 0 0 0 0
36859- 0 0 0 0 0 0 0 0 0 0 0 0
36860- 0 0 0 6 6 6 22 22 22 50 50 50
36861- 90 90 90 26 26 26 2 2 6 2 2 6
36862- 14 14 14 195 195 195 250 250 250 253 253 253
36863-253 253 253 253 253 253 253 253 253 253 253 253
36864-253 253 253 253 253 253 253 253 253 253 253 253
36865-253 253 253 253 253 253 253 253 253 253 253 253
36866-253 253 253 253 253 253 253 253 253 253 253 253
36867-250 250 250 242 242 242 54 54 54 2 2 6
36868- 2 2 6 2 2 6 2 2 6 2 2 6
36869- 2 2 6 2 2 6 2 2 6 38 38 38
36870- 86 86 86 50 50 50 22 22 22 6 6 6
36871- 0 0 0 0 0 0 0 0 0 0 0 0
36872- 0 0 0 0 0 0 0 0 0 0 0 0
36873- 0 0 0 0 0 0 0 0 0 0 0 0
36874- 0 0 0 0 0 0 0 0 0 0 0 0
36875- 0 0 0 0 0 0 0 0 0 0 0 0
36876- 0 0 0 0 0 0 0 0 0 0 0 0
36877- 0 0 0 0 0 0 0 0 0 0 0 0
36878- 0 0 0 0 0 0 0 0 0 0 0 0
36879- 0 0 0 0 0 0 0 0 0 0 0 0
36880- 6 6 6 14 14 14 38 38 38 82 82 82
36881- 34 34 34 2 2 6 2 2 6 2 2 6
36882- 42 42 42 195 195 195 246 246 246 253 253 253
36883-253 253 253 253 253 253 253 253 253 250 250 250
36884-242 242 242 242 242 242 250 250 250 253 253 253
36885-253 253 253 253 253 253 253 253 253 253 253 253
36886-253 253 253 250 250 250 246 246 246 238 238 238
36887-226 226 226 231 231 231 101 101 101 6 6 6
36888- 2 2 6 2 2 6 2 2 6 2 2 6
36889- 2 2 6 2 2 6 2 2 6 2 2 6
36890- 38 38 38 82 82 82 42 42 42 14 14 14
36891- 6 6 6 0 0 0 0 0 0 0 0 0
36892- 0 0 0 0 0 0 0 0 0 0 0 0
36893- 0 0 0 0 0 0 0 0 0 0 0 0
36894- 0 0 0 0 0 0 0 0 0 0 0 0
36895- 0 0 0 0 0 0 0 0 0 0 0 0
36896- 0 0 0 0 0 0 0 0 0 0 0 0
36897- 0 0 0 0 0 0 0 0 0 0 0 0
36898- 0 0 0 0 0 0 0 0 0 0 0 0
36899- 0 0 0 0 0 0 0 0 0 0 0 0
36900- 10 10 10 26 26 26 62 62 62 66 66 66
36901- 2 2 6 2 2 6 2 2 6 6 6 6
36902- 70 70 70 170 170 170 206 206 206 234 234 234
36903-246 246 246 250 250 250 250 250 250 238 238 238
36904-226 226 226 231 231 231 238 238 238 250 250 250
36905-250 250 250 250 250 250 246 246 246 231 231 231
36906-214 214 214 206 206 206 202 202 202 202 202 202
36907-198 198 198 202 202 202 182 182 182 18 18 18
36908- 2 2 6 2 2 6 2 2 6 2 2 6
36909- 2 2 6 2 2 6 2 2 6 2 2 6
36910- 2 2 6 62 62 62 66 66 66 30 30 30
36911- 10 10 10 0 0 0 0 0 0 0 0 0
36912- 0 0 0 0 0 0 0 0 0 0 0 0
36913- 0 0 0 0 0 0 0 0 0 0 0 0
36914- 0 0 0 0 0 0 0 0 0 0 0 0
36915- 0 0 0 0 0 0 0 0 0 0 0 0
36916- 0 0 0 0 0 0 0 0 0 0 0 0
36917- 0 0 0 0 0 0 0 0 0 0 0 0
36918- 0 0 0 0 0 0 0 0 0 0 0 0
36919- 0 0 0 0 0 0 0 0 0 0 0 0
36920- 14 14 14 42 42 42 82 82 82 18 18 18
36921- 2 2 6 2 2 6 2 2 6 10 10 10
36922- 94 94 94 182 182 182 218 218 218 242 242 242
36923-250 250 250 253 253 253 253 253 253 250 250 250
36924-234 234 234 253 253 253 253 253 253 253 253 253
36925-253 253 253 253 253 253 253 253 253 246 246 246
36926-238 238 238 226 226 226 210 210 210 202 202 202
36927-195 195 195 195 195 195 210 210 210 158 158 158
36928- 6 6 6 14 14 14 50 50 50 14 14 14
36929- 2 2 6 2 2 6 2 2 6 2 2 6
36930- 2 2 6 6 6 6 86 86 86 46 46 46
36931- 18 18 18 6 6 6 0 0 0 0 0 0
36932- 0 0 0 0 0 0 0 0 0 0 0 0
36933- 0 0 0 0 0 0 0 0 0 0 0 0
36934- 0 0 0 0 0 0 0 0 0 0 0 0
36935- 0 0 0 0 0 0 0 0 0 0 0 0
36936- 0 0 0 0 0 0 0 0 0 0 0 0
36937- 0 0 0 0 0 0 0 0 0 0 0 0
36938- 0 0 0 0 0 0 0 0 0 0 0 0
36939- 0 0 0 0 0 0 0 0 0 6 6 6
36940- 22 22 22 54 54 54 70 70 70 2 2 6
36941- 2 2 6 10 10 10 2 2 6 22 22 22
36942-166 166 166 231 231 231 250 250 250 253 253 253
36943-253 253 253 253 253 253 253 253 253 250 250 250
36944-242 242 242 253 253 253 253 253 253 253 253 253
36945-253 253 253 253 253 253 253 253 253 253 253 253
36946-253 253 253 253 253 253 253 253 253 246 246 246
36947-231 231 231 206 206 206 198 198 198 226 226 226
36948- 94 94 94 2 2 6 6 6 6 38 38 38
36949- 30 30 30 2 2 6 2 2 6 2 2 6
36950- 2 2 6 2 2 6 62 62 62 66 66 66
36951- 26 26 26 10 10 10 0 0 0 0 0 0
36952- 0 0 0 0 0 0 0 0 0 0 0 0
36953- 0 0 0 0 0 0 0 0 0 0 0 0
36954- 0 0 0 0 0 0 0 0 0 0 0 0
36955- 0 0 0 0 0 0 0 0 0 0 0 0
36956- 0 0 0 0 0 0 0 0 0 0 0 0
36957- 0 0 0 0 0 0 0 0 0 0 0 0
36958- 0 0 0 0 0 0 0 0 0 0 0 0
36959- 0 0 0 0 0 0 0 0 0 10 10 10
36960- 30 30 30 74 74 74 50 50 50 2 2 6
36961- 26 26 26 26 26 26 2 2 6 106 106 106
36962-238 238 238 253 253 253 253 253 253 253 253 253
36963-253 253 253 253 253 253 253 253 253 253 253 253
36964-253 253 253 253 253 253 253 253 253 253 253 253
36965-253 253 253 253 253 253 253 253 253 253 253 253
36966-253 253 253 253 253 253 253 253 253 253 253 253
36967-253 253 253 246 246 246 218 218 218 202 202 202
36968-210 210 210 14 14 14 2 2 6 2 2 6
36969- 30 30 30 22 22 22 2 2 6 2 2 6
36970- 2 2 6 2 2 6 18 18 18 86 86 86
36971- 42 42 42 14 14 14 0 0 0 0 0 0
36972- 0 0 0 0 0 0 0 0 0 0 0 0
36973- 0 0 0 0 0 0 0 0 0 0 0 0
36974- 0 0 0 0 0 0 0 0 0 0 0 0
36975- 0 0 0 0 0 0 0 0 0 0 0 0
36976- 0 0 0 0 0 0 0 0 0 0 0 0
36977- 0 0 0 0 0 0 0 0 0 0 0 0
36978- 0 0 0 0 0 0 0 0 0 0 0 0
36979- 0 0 0 0 0 0 0 0 0 14 14 14
36980- 42 42 42 90 90 90 22 22 22 2 2 6
36981- 42 42 42 2 2 6 18 18 18 218 218 218
36982-253 253 253 253 253 253 253 253 253 253 253 253
36983-253 253 253 253 253 253 253 253 253 253 253 253
36984-253 253 253 253 253 253 253 253 253 253 253 253
36985-253 253 253 253 253 253 253 253 253 253 253 253
36986-253 253 253 253 253 253 253 253 253 253 253 253
36987-253 253 253 253 253 253 250 250 250 221 221 221
36988-218 218 218 101 101 101 2 2 6 14 14 14
36989- 18 18 18 38 38 38 10 10 10 2 2 6
36990- 2 2 6 2 2 6 2 2 6 78 78 78
36991- 58 58 58 22 22 22 6 6 6 0 0 0
36992- 0 0 0 0 0 0 0 0 0 0 0 0
36993- 0 0 0 0 0 0 0 0 0 0 0 0
36994- 0 0 0 0 0 0 0 0 0 0 0 0
36995- 0 0 0 0 0 0 0 0 0 0 0 0
36996- 0 0 0 0 0 0 0 0 0 0 0 0
36997- 0 0 0 0 0 0 0 0 0 0 0 0
36998- 0 0 0 0 0 0 0 0 0 0 0 0
36999- 0 0 0 0 0 0 6 6 6 18 18 18
37000- 54 54 54 82 82 82 2 2 6 26 26 26
37001- 22 22 22 2 2 6 123 123 123 253 253 253
37002-253 253 253 253 253 253 253 253 253 253 253 253
37003-253 253 253 253 253 253 253 253 253 253 253 253
37004-253 253 253 253 253 253 253 253 253 253 253 253
37005-253 253 253 253 253 253 253 253 253 253 253 253
37006-253 253 253 253 253 253 253 253 253 253 253 253
37007-253 253 253 253 253 253 253 253 253 250 250 250
37008-238 238 238 198 198 198 6 6 6 38 38 38
37009- 58 58 58 26 26 26 38 38 38 2 2 6
37010- 2 2 6 2 2 6 2 2 6 46 46 46
37011- 78 78 78 30 30 30 10 10 10 0 0 0
37012- 0 0 0 0 0 0 0 0 0 0 0 0
37013- 0 0 0 0 0 0 0 0 0 0 0 0
37014- 0 0 0 0 0 0 0 0 0 0 0 0
37015- 0 0 0 0 0 0 0 0 0 0 0 0
37016- 0 0 0 0 0 0 0 0 0 0 0 0
37017- 0 0 0 0 0 0 0 0 0 0 0 0
37018- 0 0 0 0 0 0 0 0 0 0 0 0
37019- 0 0 0 0 0 0 10 10 10 30 30 30
37020- 74 74 74 58 58 58 2 2 6 42 42 42
37021- 2 2 6 22 22 22 231 231 231 253 253 253
37022-253 253 253 253 253 253 253 253 253 253 253 253
37023-253 253 253 253 253 253 253 253 253 250 250 250
37024-253 253 253 253 253 253 253 253 253 253 253 253
37025-253 253 253 253 253 253 253 253 253 253 253 253
37026-253 253 253 253 253 253 253 253 253 253 253 253
37027-253 253 253 253 253 253 253 253 253 253 253 253
37028-253 253 253 246 246 246 46 46 46 38 38 38
37029- 42 42 42 14 14 14 38 38 38 14 14 14
37030- 2 2 6 2 2 6 2 2 6 6 6 6
37031- 86 86 86 46 46 46 14 14 14 0 0 0
37032- 0 0 0 0 0 0 0 0 0 0 0 0
37033- 0 0 0 0 0 0 0 0 0 0 0 0
37034- 0 0 0 0 0 0 0 0 0 0 0 0
37035- 0 0 0 0 0 0 0 0 0 0 0 0
37036- 0 0 0 0 0 0 0 0 0 0 0 0
37037- 0 0 0 0 0 0 0 0 0 0 0 0
37038- 0 0 0 0 0 0 0 0 0 0 0 0
37039- 0 0 0 6 6 6 14 14 14 42 42 42
37040- 90 90 90 18 18 18 18 18 18 26 26 26
37041- 2 2 6 116 116 116 253 253 253 253 253 253
37042-253 253 253 253 253 253 253 253 253 253 253 253
37043-253 253 253 253 253 253 250 250 250 238 238 238
37044-253 253 253 253 253 253 253 253 253 253 253 253
37045-253 253 253 253 253 253 253 253 253 253 253 253
37046-253 253 253 253 253 253 253 253 253 253 253 253
37047-253 253 253 253 253 253 253 253 253 253 253 253
37048-253 253 253 253 253 253 94 94 94 6 6 6
37049- 2 2 6 2 2 6 10 10 10 34 34 34
37050- 2 2 6 2 2 6 2 2 6 2 2 6
37051- 74 74 74 58 58 58 22 22 22 6 6 6
37052- 0 0 0 0 0 0 0 0 0 0 0 0
37053- 0 0 0 0 0 0 0 0 0 0 0 0
37054- 0 0 0 0 0 0 0 0 0 0 0 0
37055- 0 0 0 0 0 0 0 0 0 0 0 0
37056- 0 0 0 0 0 0 0 0 0 0 0 0
37057- 0 0 0 0 0 0 0 0 0 0 0 0
37058- 0 0 0 0 0 0 0 0 0 0 0 0
37059- 0 0 0 10 10 10 26 26 26 66 66 66
37060- 82 82 82 2 2 6 38 38 38 6 6 6
37061- 14 14 14 210 210 210 253 253 253 253 253 253
37062-253 253 253 253 253 253 253 253 253 253 253 253
37063-253 253 253 253 253 253 246 246 246 242 242 242
37064-253 253 253 253 253 253 253 253 253 253 253 253
37065-253 253 253 253 253 253 253 253 253 253 253 253
37066-253 253 253 253 253 253 253 253 253 253 253 253
37067-253 253 253 253 253 253 253 253 253 253 253 253
37068-253 253 253 253 253 253 144 144 144 2 2 6
37069- 2 2 6 2 2 6 2 2 6 46 46 46
37070- 2 2 6 2 2 6 2 2 6 2 2 6
37071- 42 42 42 74 74 74 30 30 30 10 10 10
37072- 0 0 0 0 0 0 0 0 0 0 0 0
37073- 0 0 0 0 0 0 0 0 0 0 0 0
37074- 0 0 0 0 0 0 0 0 0 0 0 0
37075- 0 0 0 0 0 0 0 0 0 0 0 0
37076- 0 0 0 0 0 0 0 0 0 0 0 0
37077- 0 0 0 0 0 0 0 0 0 0 0 0
37078- 0 0 0 0 0 0 0 0 0 0 0 0
37079- 6 6 6 14 14 14 42 42 42 90 90 90
37080- 26 26 26 6 6 6 42 42 42 2 2 6
37081- 74 74 74 250 250 250 253 253 253 253 253 253
37082-253 253 253 253 253 253 253 253 253 253 253 253
37083-253 253 253 253 253 253 242 242 242 242 242 242
37084-253 253 253 253 253 253 253 253 253 253 253 253
37085-253 253 253 253 253 253 253 253 253 253 253 253
37086-253 253 253 253 253 253 253 253 253 253 253 253
37087-253 253 253 253 253 253 253 253 253 253 253 253
37088-253 253 253 253 253 253 182 182 182 2 2 6
37089- 2 2 6 2 2 6 2 2 6 46 46 46
37090- 2 2 6 2 2 6 2 2 6 2 2 6
37091- 10 10 10 86 86 86 38 38 38 10 10 10
37092- 0 0 0 0 0 0 0 0 0 0 0 0
37093- 0 0 0 0 0 0 0 0 0 0 0 0
37094- 0 0 0 0 0 0 0 0 0 0 0 0
37095- 0 0 0 0 0 0 0 0 0 0 0 0
37096- 0 0 0 0 0 0 0 0 0 0 0 0
37097- 0 0 0 0 0 0 0 0 0 0 0 0
37098- 0 0 0 0 0 0 0 0 0 0 0 0
37099- 10 10 10 26 26 26 66 66 66 82 82 82
37100- 2 2 6 22 22 22 18 18 18 2 2 6
37101-149 149 149 253 253 253 253 253 253 253 253 253
37102-253 253 253 253 253 253 253 253 253 253 253 253
37103-253 253 253 253 253 253 234 234 234 242 242 242
37104-253 253 253 253 253 253 253 253 253 253 253 253
37105-253 253 253 253 253 253 253 253 253 253 253 253
37106-253 253 253 253 253 253 253 253 253 253 253 253
37107-253 253 253 253 253 253 253 253 253 253 253 253
37108-253 253 253 253 253 253 206 206 206 2 2 6
37109- 2 2 6 2 2 6 2 2 6 38 38 38
37110- 2 2 6 2 2 6 2 2 6 2 2 6
37111- 6 6 6 86 86 86 46 46 46 14 14 14
37112- 0 0 0 0 0 0 0 0 0 0 0 0
37113- 0 0 0 0 0 0 0 0 0 0 0 0
37114- 0 0 0 0 0 0 0 0 0 0 0 0
37115- 0 0 0 0 0 0 0 0 0 0 0 0
37116- 0 0 0 0 0 0 0 0 0 0 0 0
37117- 0 0 0 0 0 0 0 0 0 0 0 0
37118- 0 0 0 0 0 0 0 0 0 6 6 6
37119- 18 18 18 46 46 46 86 86 86 18 18 18
37120- 2 2 6 34 34 34 10 10 10 6 6 6
37121-210 210 210 253 253 253 253 253 253 253 253 253
37122-253 253 253 253 253 253 253 253 253 253 253 253
37123-253 253 253 253 253 253 234 234 234 242 242 242
37124-253 253 253 253 253 253 253 253 253 253 253 253
37125-253 253 253 253 253 253 253 253 253 253 253 253
37126-253 253 253 253 253 253 253 253 253 253 253 253
37127-253 253 253 253 253 253 253 253 253 253 253 253
37128-253 253 253 253 253 253 221 221 221 6 6 6
37129- 2 2 6 2 2 6 6 6 6 30 30 30
37130- 2 2 6 2 2 6 2 2 6 2 2 6
37131- 2 2 6 82 82 82 54 54 54 18 18 18
37132- 6 6 6 0 0 0 0 0 0 0 0 0
37133- 0 0 0 0 0 0 0 0 0 0 0 0
37134- 0 0 0 0 0 0 0 0 0 0 0 0
37135- 0 0 0 0 0 0 0 0 0 0 0 0
37136- 0 0 0 0 0 0 0 0 0 0 0 0
37137- 0 0 0 0 0 0 0 0 0 0 0 0
37138- 0 0 0 0 0 0 0 0 0 10 10 10
37139- 26 26 26 66 66 66 62 62 62 2 2 6
37140- 2 2 6 38 38 38 10 10 10 26 26 26
37141-238 238 238 253 253 253 253 253 253 253 253 253
37142-253 253 253 253 253 253 253 253 253 253 253 253
37143-253 253 253 253 253 253 231 231 231 238 238 238
37144-253 253 253 253 253 253 253 253 253 253 253 253
37145-253 253 253 253 253 253 253 253 253 253 253 253
37146-253 253 253 253 253 253 253 253 253 253 253 253
37147-253 253 253 253 253 253 253 253 253 253 253 253
37148-253 253 253 253 253 253 231 231 231 6 6 6
37149- 2 2 6 2 2 6 10 10 10 30 30 30
37150- 2 2 6 2 2 6 2 2 6 2 2 6
37151- 2 2 6 66 66 66 58 58 58 22 22 22
37152- 6 6 6 0 0 0 0 0 0 0 0 0
37153- 0 0 0 0 0 0 0 0 0 0 0 0
37154- 0 0 0 0 0 0 0 0 0 0 0 0
37155- 0 0 0 0 0 0 0 0 0 0 0 0
37156- 0 0 0 0 0 0 0 0 0 0 0 0
37157- 0 0 0 0 0 0 0 0 0 0 0 0
37158- 0 0 0 0 0 0 0 0 0 10 10 10
37159- 38 38 38 78 78 78 6 6 6 2 2 6
37160- 2 2 6 46 46 46 14 14 14 42 42 42
37161-246 246 246 253 253 253 253 253 253 253 253 253
37162-253 253 253 253 253 253 253 253 253 253 253 253
37163-253 253 253 253 253 253 231 231 231 242 242 242
37164-253 253 253 253 253 253 253 253 253 253 253 253
37165-253 253 253 253 253 253 253 253 253 253 253 253
37166-253 253 253 253 253 253 253 253 253 253 253 253
37167-253 253 253 253 253 253 253 253 253 253 253 253
37168-253 253 253 253 253 253 234 234 234 10 10 10
37169- 2 2 6 2 2 6 22 22 22 14 14 14
37170- 2 2 6 2 2 6 2 2 6 2 2 6
37171- 2 2 6 66 66 66 62 62 62 22 22 22
37172- 6 6 6 0 0 0 0 0 0 0 0 0
37173- 0 0 0 0 0 0 0 0 0 0 0 0
37174- 0 0 0 0 0 0 0 0 0 0 0 0
37175- 0 0 0 0 0 0 0 0 0 0 0 0
37176- 0 0 0 0 0 0 0 0 0 0 0 0
37177- 0 0 0 0 0 0 0 0 0 0 0 0
37178- 0 0 0 0 0 0 6 6 6 18 18 18
37179- 50 50 50 74 74 74 2 2 6 2 2 6
37180- 14 14 14 70 70 70 34 34 34 62 62 62
37181-250 250 250 253 253 253 253 253 253 253 253 253
37182-253 253 253 253 253 253 253 253 253 253 253 253
37183-253 253 253 253 253 253 231 231 231 246 246 246
37184-253 253 253 253 253 253 253 253 253 253 253 253
37185-253 253 253 253 253 253 253 253 253 253 253 253
37186-253 253 253 253 253 253 253 253 253 253 253 253
37187-253 253 253 253 253 253 253 253 253 253 253 253
37188-253 253 253 253 253 253 234 234 234 14 14 14
37189- 2 2 6 2 2 6 30 30 30 2 2 6
37190- 2 2 6 2 2 6 2 2 6 2 2 6
37191- 2 2 6 66 66 66 62 62 62 22 22 22
37192- 6 6 6 0 0 0 0 0 0 0 0 0
37193- 0 0 0 0 0 0 0 0 0 0 0 0
37194- 0 0 0 0 0 0 0 0 0 0 0 0
37195- 0 0 0 0 0 0 0 0 0 0 0 0
37196- 0 0 0 0 0 0 0 0 0 0 0 0
37197- 0 0 0 0 0 0 0 0 0 0 0 0
37198- 0 0 0 0 0 0 6 6 6 18 18 18
37199- 54 54 54 62 62 62 2 2 6 2 2 6
37200- 2 2 6 30 30 30 46 46 46 70 70 70
37201-250 250 250 253 253 253 253 253 253 253 253 253
37202-253 253 253 253 253 253 253 253 253 253 253 253
37203-253 253 253 253 253 253 231 231 231 246 246 246
37204-253 253 253 253 253 253 253 253 253 253 253 253
37205-253 253 253 253 253 253 253 253 253 253 253 253
37206-253 253 253 253 253 253 253 253 253 253 253 253
37207-253 253 253 253 253 253 253 253 253 253 253 253
37208-253 253 253 253 253 253 226 226 226 10 10 10
37209- 2 2 6 6 6 6 30 30 30 2 2 6
37210- 2 2 6 2 2 6 2 2 6 2 2 6
37211- 2 2 6 66 66 66 58 58 58 22 22 22
37212- 6 6 6 0 0 0 0 0 0 0 0 0
37213- 0 0 0 0 0 0 0 0 0 0 0 0
37214- 0 0 0 0 0 0 0 0 0 0 0 0
37215- 0 0 0 0 0 0 0 0 0 0 0 0
37216- 0 0 0 0 0 0 0 0 0 0 0 0
37217- 0 0 0 0 0 0 0 0 0 0 0 0
37218- 0 0 0 0 0 0 6 6 6 22 22 22
37219- 58 58 58 62 62 62 2 2 6 2 2 6
37220- 2 2 6 2 2 6 30 30 30 78 78 78
37221-250 250 250 253 253 253 253 253 253 253 253 253
37222-253 253 253 253 253 253 253 253 253 253 253 253
37223-253 253 253 253 253 253 231 231 231 246 246 246
37224-253 253 253 253 253 253 253 253 253 253 253 253
37225-253 253 253 253 253 253 253 253 253 253 253 253
37226-253 253 253 253 253 253 253 253 253 253 253 253
37227-253 253 253 253 253 253 253 253 253 253 253 253
37228-253 253 253 253 253 253 206 206 206 2 2 6
37229- 22 22 22 34 34 34 18 14 6 22 22 22
37230- 26 26 26 18 18 18 6 6 6 2 2 6
37231- 2 2 6 82 82 82 54 54 54 18 18 18
37232- 6 6 6 0 0 0 0 0 0 0 0 0
37233- 0 0 0 0 0 0 0 0 0 0 0 0
37234- 0 0 0 0 0 0 0 0 0 0 0 0
37235- 0 0 0 0 0 0 0 0 0 0 0 0
37236- 0 0 0 0 0 0 0 0 0 0 0 0
37237- 0 0 0 0 0 0 0 0 0 0 0 0
37238- 0 0 0 0 0 0 6 6 6 26 26 26
37239- 62 62 62 106 106 106 74 54 14 185 133 11
37240-210 162 10 121 92 8 6 6 6 62 62 62
37241-238 238 238 253 253 253 253 253 253 253 253 253
37242-253 253 253 253 253 253 253 253 253 253 253 253
37243-253 253 253 253 253 253 231 231 231 246 246 246
37244-253 253 253 253 253 253 253 253 253 253 253 253
37245-253 253 253 253 253 253 253 253 253 253 253 253
37246-253 253 253 253 253 253 253 253 253 253 253 253
37247-253 253 253 253 253 253 253 253 253 253 253 253
37248-253 253 253 253 253 253 158 158 158 18 18 18
37249- 14 14 14 2 2 6 2 2 6 2 2 6
37250- 6 6 6 18 18 18 66 66 66 38 38 38
37251- 6 6 6 94 94 94 50 50 50 18 18 18
37252- 6 6 6 0 0 0 0 0 0 0 0 0
37253- 0 0 0 0 0 0 0 0 0 0 0 0
37254- 0 0 0 0 0 0 0 0 0 0 0 0
37255- 0 0 0 0 0 0 0 0 0 0 0 0
37256- 0 0 0 0 0 0 0 0 0 0 0 0
37257- 0 0 0 0 0 0 0 0 0 6 6 6
37258- 10 10 10 10 10 10 18 18 18 38 38 38
37259- 78 78 78 142 134 106 216 158 10 242 186 14
37260-246 190 14 246 190 14 156 118 10 10 10 10
37261- 90 90 90 238 238 238 253 253 253 253 253 253
37262-253 253 253 253 253 253 253 253 253 253 253 253
37263-253 253 253 253 253 253 231 231 231 250 250 250
37264-253 253 253 253 253 253 253 253 253 253 253 253
37265-253 253 253 253 253 253 253 253 253 253 253 253
37266-253 253 253 253 253 253 253 253 253 253 253 253
37267-253 253 253 253 253 253 253 253 253 246 230 190
37268-238 204 91 238 204 91 181 142 44 37 26 9
37269- 2 2 6 2 2 6 2 2 6 2 2 6
37270- 2 2 6 2 2 6 38 38 38 46 46 46
37271- 26 26 26 106 106 106 54 54 54 18 18 18
37272- 6 6 6 0 0 0 0 0 0 0 0 0
37273- 0 0 0 0 0 0 0 0 0 0 0 0
37274- 0 0 0 0 0 0 0 0 0 0 0 0
37275- 0 0 0 0 0 0 0 0 0 0 0 0
37276- 0 0 0 0 0 0 0 0 0 0 0 0
37277- 0 0 0 6 6 6 14 14 14 22 22 22
37278- 30 30 30 38 38 38 50 50 50 70 70 70
37279-106 106 106 190 142 34 226 170 11 242 186 14
37280-246 190 14 246 190 14 246 190 14 154 114 10
37281- 6 6 6 74 74 74 226 226 226 253 253 253
37282-253 253 253 253 253 253 253 253 253 253 253 253
37283-253 253 253 253 253 253 231 231 231 250 250 250
37284-253 253 253 253 253 253 253 253 253 253 253 253
37285-253 253 253 253 253 253 253 253 253 253 253 253
37286-253 253 253 253 253 253 253 253 253 253 253 253
37287-253 253 253 253 253 253 253 253 253 228 184 62
37288-241 196 14 241 208 19 232 195 16 38 30 10
37289- 2 2 6 2 2 6 2 2 6 2 2 6
37290- 2 2 6 6 6 6 30 30 30 26 26 26
37291-203 166 17 154 142 90 66 66 66 26 26 26
37292- 6 6 6 0 0 0 0 0 0 0 0 0
37293- 0 0 0 0 0 0 0 0 0 0 0 0
37294- 0 0 0 0 0 0 0 0 0 0 0 0
37295- 0 0 0 0 0 0 0 0 0 0 0 0
37296- 0 0 0 0 0 0 0 0 0 0 0 0
37297- 6 6 6 18 18 18 38 38 38 58 58 58
37298- 78 78 78 86 86 86 101 101 101 123 123 123
37299-175 146 61 210 150 10 234 174 13 246 186 14
37300-246 190 14 246 190 14 246 190 14 238 190 10
37301-102 78 10 2 2 6 46 46 46 198 198 198
37302-253 253 253 253 253 253 253 253 253 253 253 253
37303-253 253 253 253 253 253 234 234 234 242 242 242
37304-253 253 253 253 253 253 253 253 253 253 253 253
37305-253 253 253 253 253 253 253 253 253 253 253 253
37306-253 253 253 253 253 253 253 253 253 253 253 253
37307-253 253 253 253 253 253 253 253 253 224 178 62
37308-242 186 14 241 196 14 210 166 10 22 18 6
37309- 2 2 6 2 2 6 2 2 6 2 2 6
37310- 2 2 6 2 2 6 6 6 6 121 92 8
37311-238 202 15 232 195 16 82 82 82 34 34 34
37312- 10 10 10 0 0 0 0 0 0 0 0 0
37313- 0 0 0 0 0 0 0 0 0 0 0 0
37314- 0 0 0 0 0 0 0 0 0 0 0 0
37315- 0 0 0 0 0 0 0 0 0 0 0 0
37316- 0 0 0 0 0 0 0 0 0 0 0 0
37317- 14 14 14 38 38 38 70 70 70 154 122 46
37318-190 142 34 200 144 11 197 138 11 197 138 11
37319-213 154 11 226 170 11 242 186 14 246 190 14
37320-246 190 14 246 190 14 246 190 14 246 190 14
37321-225 175 15 46 32 6 2 2 6 22 22 22
37322-158 158 158 250 250 250 253 253 253 253 253 253
37323-253 253 253 253 253 253 253 253 253 253 253 253
37324-253 253 253 253 253 253 253 253 253 253 253 253
37325-253 253 253 253 253 253 253 253 253 253 253 253
37326-253 253 253 253 253 253 253 253 253 253 253 253
37327-253 253 253 250 250 250 242 242 242 224 178 62
37328-239 182 13 236 186 11 213 154 11 46 32 6
37329- 2 2 6 2 2 6 2 2 6 2 2 6
37330- 2 2 6 2 2 6 61 42 6 225 175 15
37331-238 190 10 236 186 11 112 100 78 42 42 42
37332- 14 14 14 0 0 0 0 0 0 0 0 0
37333- 0 0 0 0 0 0 0 0 0 0 0 0
37334- 0 0 0 0 0 0 0 0 0 0 0 0
37335- 0 0 0 0 0 0 0 0 0 0 0 0
37336- 0 0 0 0 0 0 0 0 0 6 6 6
37337- 22 22 22 54 54 54 154 122 46 213 154 11
37338-226 170 11 230 174 11 226 170 11 226 170 11
37339-236 178 12 242 186 14 246 190 14 246 190 14
37340-246 190 14 246 190 14 246 190 14 246 190 14
37341-241 196 14 184 144 12 10 10 10 2 2 6
37342- 6 6 6 116 116 116 242 242 242 253 253 253
37343-253 253 253 253 253 253 253 253 253 253 253 253
37344-253 253 253 253 253 253 253 253 253 253 253 253
37345-253 253 253 253 253 253 253 253 253 253 253 253
37346-253 253 253 253 253 253 253 253 253 253 253 253
37347-253 253 253 231 231 231 198 198 198 214 170 54
37348-236 178 12 236 178 12 210 150 10 137 92 6
37349- 18 14 6 2 2 6 2 2 6 2 2 6
37350- 6 6 6 70 47 6 200 144 11 236 178 12
37351-239 182 13 239 182 13 124 112 88 58 58 58
37352- 22 22 22 6 6 6 0 0 0 0 0 0
37353- 0 0 0 0 0 0 0 0 0 0 0 0
37354- 0 0 0 0 0 0 0 0 0 0 0 0
37355- 0 0 0 0 0 0 0 0 0 0 0 0
37356- 0 0 0 0 0 0 0 0 0 10 10 10
37357- 30 30 30 70 70 70 180 133 36 226 170 11
37358-239 182 13 242 186 14 242 186 14 246 186 14
37359-246 190 14 246 190 14 246 190 14 246 190 14
37360-246 190 14 246 190 14 246 190 14 246 190 14
37361-246 190 14 232 195 16 98 70 6 2 2 6
37362- 2 2 6 2 2 6 66 66 66 221 221 221
37363-253 253 253 253 253 253 253 253 253 253 253 253
37364-253 253 253 253 253 253 253 253 253 253 253 253
37365-253 253 253 253 253 253 253 253 253 253 253 253
37366-253 253 253 253 253 253 253 253 253 253 253 253
37367-253 253 253 206 206 206 198 198 198 214 166 58
37368-230 174 11 230 174 11 216 158 10 192 133 9
37369-163 110 8 116 81 8 102 78 10 116 81 8
37370-167 114 7 197 138 11 226 170 11 239 182 13
37371-242 186 14 242 186 14 162 146 94 78 78 78
37372- 34 34 34 14 14 14 6 6 6 0 0 0
37373- 0 0 0 0 0 0 0 0 0 0 0 0
37374- 0 0 0 0 0 0 0 0 0 0 0 0
37375- 0 0 0 0 0 0 0 0 0 0 0 0
37376- 0 0 0 0 0 0 0 0 0 6 6 6
37377- 30 30 30 78 78 78 190 142 34 226 170 11
37378-239 182 13 246 190 14 246 190 14 246 190 14
37379-246 190 14 246 190 14 246 190 14 246 190 14
37380-246 190 14 246 190 14 246 190 14 246 190 14
37381-246 190 14 241 196 14 203 166 17 22 18 6
37382- 2 2 6 2 2 6 2 2 6 38 38 38
37383-218 218 218 253 253 253 253 253 253 253 253 253
37384-253 253 253 253 253 253 253 253 253 253 253 253
37385-253 253 253 253 253 253 253 253 253 253 253 253
37386-253 253 253 253 253 253 253 253 253 253 253 253
37387-250 250 250 206 206 206 198 198 198 202 162 69
37388-226 170 11 236 178 12 224 166 10 210 150 10
37389-200 144 11 197 138 11 192 133 9 197 138 11
37390-210 150 10 226 170 11 242 186 14 246 190 14
37391-246 190 14 246 186 14 225 175 15 124 112 88
37392- 62 62 62 30 30 30 14 14 14 6 6 6
37393- 0 0 0 0 0 0 0 0 0 0 0 0
37394- 0 0 0 0 0 0 0 0 0 0 0 0
37395- 0 0 0 0 0 0 0 0 0 0 0 0
37396- 0 0 0 0 0 0 0 0 0 10 10 10
37397- 30 30 30 78 78 78 174 135 50 224 166 10
37398-239 182 13 246 190 14 246 190 14 246 190 14
37399-246 190 14 246 190 14 246 190 14 246 190 14
37400-246 190 14 246 190 14 246 190 14 246 190 14
37401-246 190 14 246 190 14 241 196 14 139 102 15
37402- 2 2 6 2 2 6 2 2 6 2 2 6
37403- 78 78 78 250 250 250 253 253 253 253 253 253
37404-253 253 253 253 253 253 253 253 253 253 253 253
37405-253 253 253 253 253 253 253 253 253 253 253 253
37406-253 253 253 253 253 253 253 253 253 253 253 253
37407-250 250 250 214 214 214 198 198 198 190 150 46
37408-219 162 10 236 178 12 234 174 13 224 166 10
37409-216 158 10 213 154 11 213 154 11 216 158 10
37410-226 170 11 239 182 13 246 190 14 246 190 14
37411-246 190 14 246 190 14 242 186 14 206 162 42
37412-101 101 101 58 58 58 30 30 30 14 14 14
37413- 6 6 6 0 0 0 0 0 0 0 0 0
37414- 0 0 0 0 0 0 0 0 0 0 0 0
37415- 0 0 0 0 0 0 0 0 0 0 0 0
37416- 0 0 0 0 0 0 0 0 0 10 10 10
37417- 30 30 30 74 74 74 174 135 50 216 158 10
37418-236 178 12 246 190 14 246 190 14 246 190 14
37419-246 190 14 246 190 14 246 190 14 246 190 14
37420-246 190 14 246 190 14 246 190 14 246 190 14
37421-246 190 14 246 190 14 241 196 14 226 184 13
37422- 61 42 6 2 2 6 2 2 6 2 2 6
37423- 22 22 22 238 238 238 253 253 253 253 253 253
37424-253 253 253 253 253 253 253 253 253 253 253 253
37425-253 253 253 253 253 253 253 253 253 253 253 253
37426-253 253 253 253 253 253 253 253 253 253 253 253
37427-253 253 253 226 226 226 187 187 187 180 133 36
37428-216 158 10 236 178 12 239 182 13 236 178 12
37429-230 174 11 226 170 11 226 170 11 230 174 11
37430-236 178 12 242 186 14 246 190 14 246 190 14
37431-246 190 14 246 190 14 246 186 14 239 182 13
37432-206 162 42 106 106 106 66 66 66 34 34 34
37433- 14 14 14 6 6 6 0 0 0 0 0 0
37434- 0 0 0 0 0 0 0 0 0 0 0 0
37435- 0 0 0 0 0 0 0 0 0 0 0 0
37436- 0 0 0 0 0 0 0 0 0 6 6 6
37437- 26 26 26 70 70 70 163 133 67 213 154 11
37438-236 178 12 246 190 14 246 190 14 246 190 14
37439-246 190 14 246 190 14 246 190 14 246 190 14
37440-246 190 14 246 190 14 246 190 14 246 190 14
37441-246 190 14 246 190 14 246 190 14 241 196 14
37442-190 146 13 18 14 6 2 2 6 2 2 6
37443- 46 46 46 246 246 246 253 253 253 253 253 253
37444-253 253 253 253 253 253 253 253 253 253 253 253
37445-253 253 253 253 253 253 253 253 253 253 253 253
37446-253 253 253 253 253 253 253 253 253 253 253 253
37447-253 253 253 221 221 221 86 86 86 156 107 11
37448-216 158 10 236 178 12 242 186 14 246 186 14
37449-242 186 14 239 182 13 239 182 13 242 186 14
37450-242 186 14 246 186 14 246 190 14 246 190 14
37451-246 190 14 246 190 14 246 190 14 246 190 14
37452-242 186 14 225 175 15 142 122 72 66 66 66
37453- 30 30 30 10 10 10 0 0 0 0 0 0
37454- 0 0 0 0 0 0 0 0 0 0 0 0
37455- 0 0 0 0 0 0 0 0 0 0 0 0
37456- 0 0 0 0 0 0 0 0 0 6 6 6
37457- 26 26 26 70 70 70 163 133 67 210 150 10
37458-236 178 12 246 190 14 246 190 14 246 190 14
37459-246 190 14 246 190 14 246 190 14 246 190 14
37460-246 190 14 246 190 14 246 190 14 246 190 14
37461-246 190 14 246 190 14 246 190 14 246 190 14
37462-232 195 16 121 92 8 34 34 34 106 106 106
37463-221 221 221 253 253 253 253 253 253 253 253 253
37464-253 253 253 253 253 253 253 253 253 253 253 253
37465-253 253 253 253 253 253 253 253 253 253 253 253
37466-253 253 253 253 253 253 253 253 253 253 253 253
37467-242 242 242 82 82 82 18 14 6 163 110 8
37468-216 158 10 236 178 12 242 186 14 246 190 14
37469-246 190 14 246 190 14 246 190 14 246 190 14
37470-246 190 14 246 190 14 246 190 14 246 190 14
37471-246 190 14 246 190 14 246 190 14 246 190 14
37472-246 190 14 246 190 14 242 186 14 163 133 67
37473- 46 46 46 18 18 18 6 6 6 0 0 0
37474- 0 0 0 0 0 0 0 0 0 0 0 0
37475- 0 0 0 0 0 0 0 0 0 0 0 0
37476- 0 0 0 0 0 0 0 0 0 10 10 10
37477- 30 30 30 78 78 78 163 133 67 210 150 10
37478-236 178 12 246 186 14 246 190 14 246 190 14
37479-246 190 14 246 190 14 246 190 14 246 190 14
37480-246 190 14 246 190 14 246 190 14 246 190 14
37481-246 190 14 246 190 14 246 190 14 246 190 14
37482-241 196 14 215 174 15 190 178 144 253 253 253
37483-253 253 253 253 253 253 253 253 253 253 253 253
37484-253 253 253 253 253 253 253 253 253 253 253 253
37485-253 253 253 253 253 253 253 253 253 253 253 253
37486-253 253 253 253 253 253 253 253 253 218 218 218
37487- 58 58 58 2 2 6 22 18 6 167 114 7
37488-216 158 10 236 178 12 246 186 14 246 190 14
37489-246 190 14 246 190 14 246 190 14 246 190 14
37490-246 190 14 246 190 14 246 190 14 246 190 14
37491-246 190 14 246 190 14 246 190 14 246 190 14
37492-246 190 14 246 186 14 242 186 14 190 150 46
37493- 54 54 54 22 22 22 6 6 6 0 0 0
37494- 0 0 0 0 0 0 0 0 0 0 0 0
37495- 0 0 0 0 0 0 0 0 0 0 0 0
37496- 0 0 0 0 0 0 0 0 0 14 14 14
37497- 38 38 38 86 86 86 180 133 36 213 154 11
37498-236 178 12 246 186 14 246 190 14 246 190 14
37499-246 190 14 246 190 14 246 190 14 246 190 14
37500-246 190 14 246 190 14 246 190 14 246 190 14
37501-246 190 14 246 190 14 246 190 14 246 190 14
37502-246 190 14 232 195 16 190 146 13 214 214 214
37503-253 253 253 253 253 253 253 253 253 253 253 253
37504-253 253 253 253 253 253 253 253 253 253 253 253
37505-253 253 253 253 253 253 253 253 253 253 253 253
37506-253 253 253 250 250 250 170 170 170 26 26 26
37507- 2 2 6 2 2 6 37 26 9 163 110 8
37508-219 162 10 239 182 13 246 186 14 246 190 14
37509-246 190 14 246 190 14 246 190 14 246 190 14
37510-246 190 14 246 190 14 246 190 14 246 190 14
37511-246 190 14 246 190 14 246 190 14 246 190 14
37512-246 186 14 236 178 12 224 166 10 142 122 72
37513- 46 46 46 18 18 18 6 6 6 0 0 0
37514- 0 0 0 0 0 0 0 0 0 0 0 0
37515- 0 0 0 0 0 0 0 0 0 0 0 0
37516- 0 0 0 0 0 0 6 6 6 18 18 18
37517- 50 50 50 109 106 95 192 133 9 224 166 10
37518-242 186 14 246 190 14 246 190 14 246 190 14
37519-246 190 14 246 190 14 246 190 14 246 190 14
37520-246 190 14 246 190 14 246 190 14 246 190 14
37521-246 190 14 246 190 14 246 190 14 246 190 14
37522-242 186 14 226 184 13 210 162 10 142 110 46
37523-226 226 226 253 253 253 253 253 253 253 253 253
37524-253 253 253 253 253 253 253 253 253 253 253 253
37525-253 253 253 253 253 253 253 253 253 253 253 253
37526-198 198 198 66 66 66 2 2 6 2 2 6
37527- 2 2 6 2 2 6 50 34 6 156 107 11
37528-219 162 10 239 182 13 246 186 14 246 190 14
37529-246 190 14 246 190 14 246 190 14 246 190 14
37530-246 190 14 246 190 14 246 190 14 246 190 14
37531-246 190 14 246 190 14 246 190 14 242 186 14
37532-234 174 13 213 154 11 154 122 46 66 66 66
37533- 30 30 30 10 10 10 0 0 0 0 0 0
37534- 0 0 0 0 0 0 0 0 0 0 0 0
37535- 0 0 0 0 0 0 0 0 0 0 0 0
37536- 0 0 0 0 0 0 6 6 6 22 22 22
37537- 58 58 58 154 121 60 206 145 10 234 174 13
37538-242 186 14 246 186 14 246 190 14 246 190 14
37539-246 190 14 246 190 14 246 190 14 246 190 14
37540-246 190 14 246 190 14 246 190 14 246 190 14
37541-246 190 14 246 190 14 246 190 14 246 190 14
37542-246 186 14 236 178 12 210 162 10 163 110 8
37543- 61 42 6 138 138 138 218 218 218 250 250 250
37544-253 253 253 253 253 253 253 253 253 250 250 250
37545-242 242 242 210 210 210 144 144 144 66 66 66
37546- 6 6 6 2 2 6 2 2 6 2 2 6
37547- 2 2 6 2 2 6 61 42 6 163 110 8
37548-216 158 10 236 178 12 246 190 14 246 190 14
37549-246 190 14 246 190 14 246 190 14 246 190 14
37550-246 190 14 246 190 14 246 190 14 246 190 14
37551-246 190 14 239 182 13 230 174 11 216 158 10
37552-190 142 34 124 112 88 70 70 70 38 38 38
37553- 18 18 18 6 6 6 0 0 0 0 0 0
37554- 0 0 0 0 0 0 0 0 0 0 0 0
37555- 0 0 0 0 0 0 0 0 0 0 0 0
37556- 0 0 0 0 0 0 6 6 6 22 22 22
37557- 62 62 62 168 124 44 206 145 10 224 166 10
37558-236 178 12 239 182 13 242 186 14 242 186 14
37559-246 186 14 246 190 14 246 190 14 246 190 14
37560-246 190 14 246 190 14 246 190 14 246 190 14
37561-246 190 14 246 190 14 246 190 14 246 190 14
37562-246 190 14 236 178 12 216 158 10 175 118 6
37563- 80 54 7 2 2 6 6 6 6 30 30 30
37564- 54 54 54 62 62 62 50 50 50 38 38 38
37565- 14 14 14 2 2 6 2 2 6 2 2 6
37566- 2 2 6 2 2 6 2 2 6 2 2 6
37567- 2 2 6 6 6 6 80 54 7 167 114 7
37568-213 154 11 236 178 12 246 190 14 246 190 14
37569-246 190 14 246 190 14 246 190 14 246 190 14
37570-246 190 14 242 186 14 239 182 13 239 182 13
37571-230 174 11 210 150 10 174 135 50 124 112 88
37572- 82 82 82 54 54 54 34 34 34 18 18 18
37573- 6 6 6 0 0 0 0 0 0 0 0 0
37574- 0 0 0 0 0 0 0 0 0 0 0 0
37575- 0 0 0 0 0 0 0 0 0 0 0 0
37576- 0 0 0 0 0 0 6 6 6 18 18 18
37577- 50 50 50 158 118 36 192 133 9 200 144 11
37578-216 158 10 219 162 10 224 166 10 226 170 11
37579-230 174 11 236 178 12 239 182 13 239 182 13
37580-242 186 14 246 186 14 246 190 14 246 190 14
37581-246 190 14 246 190 14 246 190 14 246 190 14
37582-246 186 14 230 174 11 210 150 10 163 110 8
37583-104 69 6 10 10 10 2 2 6 2 2 6
37584- 2 2 6 2 2 6 2 2 6 2 2 6
37585- 2 2 6 2 2 6 2 2 6 2 2 6
37586- 2 2 6 2 2 6 2 2 6 2 2 6
37587- 2 2 6 6 6 6 91 60 6 167 114 7
37588-206 145 10 230 174 11 242 186 14 246 190 14
37589-246 190 14 246 190 14 246 186 14 242 186 14
37590-239 182 13 230 174 11 224 166 10 213 154 11
37591-180 133 36 124 112 88 86 86 86 58 58 58
37592- 38 38 38 22 22 22 10 10 10 6 6 6
37593- 0 0 0 0 0 0 0 0 0 0 0 0
37594- 0 0 0 0 0 0 0 0 0 0 0 0
37595- 0 0 0 0 0 0 0 0 0 0 0 0
37596- 0 0 0 0 0 0 0 0 0 14 14 14
37597- 34 34 34 70 70 70 138 110 50 158 118 36
37598-167 114 7 180 123 7 192 133 9 197 138 11
37599-200 144 11 206 145 10 213 154 11 219 162 10
37600-224 166 10 230 174 11 239 182 13 242 186 14
37601-246 186 14 246 186 14 246 186 14 246 186 14
37602-239 182 13 216 158 10 185 133 11 152 99 6
37603-104 69 6 18 14 6 2 2 6 2 2 6
37604- 2 2 6 2 2 6 2 2 6 2 2 6
37605- 2 2 6 2 2 6 2 2 6 2 2 6
37606- 2 2 6 2 2 6 2 2 6 2 2 6
37607- 2 2 6 6 6 6 80 54 7 152 99 6
37608-192 133 9 219 162 10 236 178 12 239 182 13
37609-246 186 14 242 186 14 239 182 13 236 178 12
37610-224 166 10 206 145 10 192 133 9 154 121 60
37611- 94 94 94 62 62 62 42 42 42 22 22 22
37612- 14 14 14 6 6 6 0 0 0 0 0 0
37613- 0 0 0 0 0 0 0 0 0 0 0 0
37614- 0 0 0 0 0 0 0 0 0 0 0 0
37615- 0 0 0 0 0 0 0 0 0 0 0 0
37616- 0 0 0 0 0 0 0 0 0 6 6 6
37617- 18 18 18 34 34 34 58 58 58 78 78 78
37618-101 98 89 124 112 88 142 110 46 156 107 11
37619-163 110 8 167 114 7 175 118 6 180 123 7
37620-185 133 11 197 138 11 210 150 10 219 162 10
37621-226 170 11 236 178 12 236 178 12 234 174 13
37622-219 162 10 197 138 11 163 110 8 130 83 6
37623- 91 60 6 10 10 10 2 2 6 2 2 6
37624- 18 18 18 38 38 38 38 38 38 38 38 38
37625- 38 38 38 38 38 38 38 38 38 38 38 38
37626- 38 38 38 38 38 38 26 26 26 2 2 6
37627- 2 2 6 6 6 6 70 47 6 137 92 6
37628-175 118 6 200 144 11 219 162 10 230 174 11
37629-234 174 13 230 174 11 219 162 10 210 150 10
37630-192 133 9 163 110 8 124 112 88 82 82 82
37631- 50 50 50 30 30 30 14 14 14 6 6 6
37632- 0 0 0 0 0 0 0 0 0 0 0 0
37633- 0 0 0 0 0 0 0 0 0 0 0 0
37634- 0 0 0 0 0 0 0 0 0 0 0 0
37635- 0 0 0 0 0 0 0 0 0 0 0 0
37636- 0 0 0 0 0 0 0 0 0 0 0 0
37637- 6 6 6 14 14 14 22 22 22 34 34 34
37638- 42 42 42 58 58 58 74 74 74 86 86 86
37639-101 98 89 122 102 70 130 98 46 121 87 25
37640-137 92 6 152 99 6 163 110 8 180 123 7
37641-185 133 11 197 138 11 206 145 10 200 144 11
37642-180 123 7 156 107 11 130 83 6 104 69 6
37643- 50 34 6 54 54 54 110 110 110 101 98 89
37644- 86 86 86 82 82 82 78 78 78 78 78 78
37645- 78 78 78 78 78 78 78 78 78 78 78 78
37646- 78 78 78 82 82 82 86 86 86 94 94 94
37647-106 106 106 101 101 101 86 66 34 124 80 6
37648-156 107 11 180 123 7 192 133 9 200 144 11
37649-206 145 10 200 144 11 192 133 9 175 118 6
37650-139 102 15 109 106 95 70 70 70 42 42 42
37651- 22 22 22 10 10 10 0 0 0 0 0 0
37652- 0 0 0 0 0 0 0 0 0 0 0 0
37653- 0 0 0 0 0 0 0 0 0 0 0 0
37654- 0 0 0 0 0 0 0 0 0 0 0 0
37655- 0 0 0 0 0 0 0 0 0 0 0 0
37656- 0 0 0 0 0 0 0 0 0 0 0 0
37657- 0 0 0 0 0 0 6 6 6 10 10 10
37658- 14 14 14 22 22 22 30 30 30 38 38 38
37659- 50 50 50 62 62 62 74 74 74 90 90 90
37660-101 98 89 112 100 78 121 87 25 124 80 6
37661-137 92 6 152 99 6 152 99 6 152 99 6
37662-138 86 6 124 80 6 98 70 6 86 66 30
37663-101 98 89 82 82 82 58 58 58 46 46 46
37664- 38 38 38 34 34 34 34 34 34 34 34 34
37665- 34 34 34 34 34 34 34 34 34 34 34 34
37666- 34 34 34 34 34 34 38 38 38 42 42 42
37667- 54 54 54 82 82 82 94 86 76 91 60 6
37668-134 86 6 156 107 11 167 114 7 175 118 6
37669-175 118 6 167 114 7 152 99 6 121 87 25
37670-101 98 89 62 62 62 34 34 34 18 18 18
37671- 6 6 6 0 0 0 0 0 0 0 0 0
37672- 0 0 0 0 0 0 0 0 0 0 0 0
37673- 0 0 0 0 0 0 0 0 0 0 0 0
37674- 0 0 0 0 0 0 0 0 0 0 0 0
37675- 0 0 0 0 0 0 0 0 0 0 0 0
37676- 0 0 0 0 0 0 0 0 0 0 0 0
37677- 0 0 0 0 0 0 0 0 0 0 0 0
37678- 0 0 0 6 6 6 6 6 6 10 10 10
37679- 18 18 18 22 22 22 30 30 30 42 42 42
37680- 50 50 50 66 66 66 86 86 86 101 98 89
37681-106 86 58 98 70 6 104 69 6 104 69 6
37682-104 69 6 91 60 6 82 62 34 90 90 90
37683- 62 62 62 38 38 38 22 22 22 14 14 14
37684- 10 10 10 10 10 10 10 10 10 10 10 10
37685- 10 10 10 10 10 10 6 6 6 10 10 10
37686- 10 10 10 10 10 10 10 10 10 14 14 14
37687- 22 22 22 42 42 42 70 70 70 89 81 66
37688- 80 54 7 104 69 6 124 80 6 137 92 6
37689-134 86 6 116 81 8 100 82 52 86 86 86
37690- 58 58 58 30 30 30 14 14 14 6 6 6
37691- 0 0 0 0 0 0 0 0 0 0 0 0
37692- 0 0 0 0 0 0 0 0 0 0 0 0
37693- 0 0 0 0 0 0 0 0 0 0 0 0
37694- 0 0 0 0 0 0 0 0 0 0 0 0
37695- 0 0 0 0 0 0 0 0 0 0 0 0
37696- 0 0 0 0 0 0 0 0 0 0 0 0
37697- 0 0 0 0 0 0 0 0 0 0 0 0
37698- 0 0 0 0 0 0 0 0 0 0 0 0
37699- 0 0 0 6 6 6 10 10 10 14 14 14
37700- 18 18 18 26 26 26 38 38 38 54 54 54
37701- 70 70 70 86 86 86 94 86 76 89 81 66
37702- 89 81 66 86 86 86 74 74 74 50 50 50
37703- 30 30 30 14 14 14 6 6 6 0 0 0
37704- 0 0 0 0 0 0 0 0 0 0 0 0
37705- 0 0 0 0 0 0 0 0 0 0 0 0
37706- 0 0 0 0 0 0 0 0 0 0 0 0
37707- 6 6 6 18 18 18 34 34 34 58 58 58
37708- 82 82 82 89 81 66 89 81 66 89 81 66
37709- 94 86 66 94 86 76 74 74 74 50 50 50
37710- 26 26 26 14 14 14 6 6 6 0 0 0
37711- 0 0 0 0 0 0 0 0 0 0 0 0
37712- 0 0 0 0 0 0 0 0 0 0 0 0
37713- 0 0 0 0 0 0 0 0 0 0 0 0
37714- 0 0 0 0 0 0 0 0 0 0 0 0
37715- 0 0 0 0 0 0 0 0 0 0 0 0
37716- 0 0 0 0 0 0 0 0 0 0 0 0
37717- 0 0 0 0 0 0 0 0 0 0 0 0
37718- 0 0 0 0 0 0 0 0 0 0 0 0
37719- 0 0 0 0 0 0 0 0 0 0 0 0
37720- 6 6 6 6 6 6 14 14 14 18 18 18
37721- 30 30 30 38 38 38 46 46 46 54 54 54
37722- 50 50 50 42 42 42 30 30 30 18 18 18
37723- 10 10 10 0 0 0 0 0 0 0 0 0
37724- 0 0 0 0 0 0 0 0 0 0 0 0
37725- 0 0 0 0 0 0 0 0 0 0 0 0
37726- 0 0 0 0 0 0 0 0 0 0 0 0
37727- 0 0 0 6 6 6 14 14 14 26 26 26
37728- 38 38 38 50 50 50 58 58 58 58 58 58
37729- 54 54 54 42 42 42 30 30 30 18 18 18
37730- 10 10 10 0 0 0 0 0 0 0 0 0
37731- 0 0 0 0 0 0 0 0 0 0 0 0
37732- 0 0 0 0 0 0 0 0 0 0 0 0
37733- 0 0 0 0 0 0 0 0 0 0 0 0
37734- 0 0 0 0 0 0 0 0 0 0 0 0
37735- 0 0 0 0 0 0 0 0 0 0 0 0
37736- 0 0 0 0 0 0 0 0 0 0 0 0
37737- 0 0 0 0 0 0 0 0 0 0 0 0
37738- 0 0 0 0 0 0 0 0 0 0 0 0
37739- 0 0 0 0 0 0 0 0 0 0 0 0
37740- 0 0 0 0 0 0 0 0 0 6 6 6
37741- 6 6 6 10 10 10 14 14 14 18 18 18
37742- 18 18 18 14 14 14 10 10 10 6 6 6
37743- 0 0 0 0 0 0 0 0 0 0 0 0
37744- 0 0 0 0 0 0 0 0 0 0 0 0
37745- 0 0 0 0 0 0 0 0 0 0 0 0
37746- 0 0 0 0 0 0 0 0 0 0 0 0
37747- 0 0 0 0 0 0 0 0 0 6 6 6
37748- 14 14 14 18 18 18 22 22 22 22 22 22
37749- 18 18 18 14 14 14 10 10 10 6 6 6
37750- 0 0 0 0 0 0 0 0 0 0 0 0
37751- 0 0 0 0 0 0 0 0 0 0 0 0
37752- 0 0 0 0 0 0 0 0 0 0 0 0
37753- 0 0 0 0 0 0 0 0 0 0 0 0
37754- 0 0 0 0 0 0 0 0 0 0 0 0
37755+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37756+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37757+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37758+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37759+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37760+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37761+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37762+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37763+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37764+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37765+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37766+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37767+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37768+4 4 4 4 4 4
37769+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37770+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37771+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37772+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37773+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37774+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37775+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37776+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37777+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37778+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37779+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37780+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37781+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37782+4 4 4 4 4 4
37783+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37784+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37785+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37786+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37787+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37788+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37789+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37790+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37791+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37792+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37793+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37794+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37795+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37796+4 4 4 4 4 4
37797+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37798+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37799+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37800+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37801+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37802+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37803+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37804+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37805+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37806+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37807+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37808+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37809+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37810+4 4 4 4 4 4
37811+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37812+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37813+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37814+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37815+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37816+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37817+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37818+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37819+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37820+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37821+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37822+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37823+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37824+4 4 4 4 4 4
37825+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37826+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37827+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37828+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37829+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37830+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37831+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37832+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37833+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37834+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37835+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37836+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37837+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37838+4 4 4 4 4 4
37839+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37840+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37841+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37842+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37843+4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
37844+0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
37845+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37846+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37847+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37848+4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
37849+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
37850+4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
37851+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37852+4 4 4 4 4 4
37853+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37854+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37855+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37856+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37857+4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
37858+37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
37859+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37860+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37861+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37862+4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
37863+2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
37864+4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
37865+1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37866+4 4 4 4 4 4
37867+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37868+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37869+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37870+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37871+2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
37872+153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
37873+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
37874+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37875+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37876+4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
37877+60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
37878+4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
37879+2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
37880+4 4 4 4 4 4
37881+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37882+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37883+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37884+4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
37885+4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
37886+165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
37887+1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
37888+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37889+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
37890+3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
37891+163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
37892+0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
37893+37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
37894+4 4 4 4 4 4
37895+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37896+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37897+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37898+4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
37899+37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
37900+156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
37901+125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
37902+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
37903+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
37904+0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
37905+174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
37906+0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
37907+64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
37908+4 4 4 4 4 4
37909+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37910+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37911+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
37912+5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
37913+156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
37914+156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
37915+174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
37916+1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
37917+4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
37918+13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
37919+174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
37920+22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
37921+90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
37922+4 4 4 4 4 4
37923+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37924+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37925+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
37926+0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
37927+174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
37928+156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
37929+163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
37930+4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
37931+5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
37932+131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
37933+190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
37934+90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
37935+31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
37936+4 4 4 4 4 4
37937+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37938+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37939+4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
37940+4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
37941+155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
37942+167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
37943+153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
37944+41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
37945+1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
37946+177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
37947+125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
37948+136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
37949+7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
37950+4 4 4 4 4 4
37951+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37952+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37953+4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
37954+125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
37955+156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
37956+137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
37957+156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
37958+167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
37959+0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
37960+166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
37961+6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
37962+90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
37963+1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
37964+4 4 4 4 4 4
37965+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37966+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37967+1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
37968+167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
37969+157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
37970+26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
37971+158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
37972+165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
37973+60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
37974+137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
37975+52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
37976+13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
37977+4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
37978+4 4 4 4 4 4
37979+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37980+4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
37981+0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
37982+158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
37983+167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
37984+4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
37985+174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
37986+155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
37987+137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
37988+16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
37989+136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
37990+2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
37991+4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
37992+4 4 4 4 4 4
37993+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
37994+4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
37995+37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
37996+157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
37997+153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
37998+4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
37999+125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
38000+156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
38001+174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
38002+4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
38003+136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
38004+1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
38005+2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
38006+0 0 0 4 4 4
38007+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
38008+4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
38009+158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
38010+153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
38011+37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
38012+4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
38013+4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
38014+154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
38015+174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
38016+32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
38017+28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
38018+50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
38019+0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
38020+2 0 0 0 0 0
38021+4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
38022+0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
38023+174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
38024+165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
38025+4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
38026+4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
38027+4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
38028+174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
38029+60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
38030+136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
38031+22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
38032+136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
38033+26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
38034+37 38 37 0 0 0
38035+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
38036+13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
38037+153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
38038+177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
38039+4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
38040+5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
38041+6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
38042+166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
38043+4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
38044+146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
38045+71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
38046+90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
38047+125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
38048+85 115 134 4 0 0
38049+4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
38050+125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
38051+155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
38052+125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
38053+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
38054+0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
38055+5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
38056+37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
38057+4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
38058+90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
38059+2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
38060+13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
38061+166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
38062+60 73 81 4 0 0
38063+4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
38064+174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
38065+156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
38066+4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
38067+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
38068+10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
38069+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
38070+4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
38071+80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
38072+28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
38073+50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
38074+1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
38075+167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
38076+16 19 21 4 0 0
38077+4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
38078+158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
38079+167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
38080+4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
38081+4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
38082+80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
38083+4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
38084+3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
38085+146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
38086+68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
38087+136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
38088+24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
38089+163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
38090+4 0 0 4 3 3
38091+3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
38092+156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
38093+155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
38094+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
38095+2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
38096+136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
38097+0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
38098+0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
38099+136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
38100+28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
38101+22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
38102+137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
38103+60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
38104+3 2 2 4 4 4
38105+3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
38106+157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
38107+37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
38108+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
38109+0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
38110+101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
38111+14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
38112+22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
38113+136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
38114+17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
38115+2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
38116+166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
38117+13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
38118+4 4 4 4 4 4
38119+1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
38120+163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
38121+4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
38122+4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
38123+40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
38124+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
38125+101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
38126+136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
38127+136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
38128+136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
38129+3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
38130+174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
38131+4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
38132+4 4 4 4 4 4
38133+4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
38134+155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
38135+4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
38136+4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
38137+101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
38138+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
38139+136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
38140+136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
38141+136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
38142+90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
38143+85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
38144+167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
38145+6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
38146+5 5 5 5 5 5
38147+1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
38148+131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
38149+6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
38150+0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
38151+101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
38152+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
38153+101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
38154+136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
38155+101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
38156+7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
38157+174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
38158+24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
38159+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
38160+5 5 5 4 4 4
38161+4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
38162+131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
38163+6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
38164+13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
38165+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
38166+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
38167+101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
38168+136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
38169+136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
38170+2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
38171+174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
38172+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
38173+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38174+4 4 4 4 4 4
38175+1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
38176+137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
38177+4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
38178+64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
38179+90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
38180+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
38181+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
38182+136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
38183+101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
38184+37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
38185+167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
38186+3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
38187+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38188+4 4 4 4 4 4
38189+4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
38190+153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
38191+4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
38192+90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
38193+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
38194+90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
38195+101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
38196+101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
38197+35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
38198+154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
38199+60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
38200+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38201+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38202+4 4 4 4 4 4
38203+1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
38204+153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
38205+4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
38206+64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
38207+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
38208+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
38209+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
38210+136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
38211+13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
38212+174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
38213+6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
38214+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38215+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38216+4 4 4 4 4 4
38217+4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
38218+156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
38219+4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
38220+90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
38221+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
38222+90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
38223+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
38224+101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
38225+2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
38226+174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
38227+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38228+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38229+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38230+4 4 4 4 4 4
38231+3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
38232+158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
38233+4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
38234+37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
38235+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
38236+90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
38237+101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
38238+90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
38239+5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
38240+167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
38241+6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
38242+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38243+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38244+4 4 4 4 4 4
38245+4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
38246+163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
38247+4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
38248+18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
38249+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
38250+90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
38251+101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
38252+13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
38253+3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
38254+174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
38255+4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
38256+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38257+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38258+4 4 4 4 4 4
38259+1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
38260+167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
38261+4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
38262+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
38263+26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
38264+90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
38265+101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
38266+7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
38267+4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
38268+174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
38269+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38270+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38271+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38272+4 4 4 4 4 4
38273+4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
38274+174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
38275+5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
38276+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
38277+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38278+90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
38279+101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
38280+2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
38281+3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
38282+153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
38283+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38284+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38285+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38286+4 4 4 4 4 4
38287+1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
38288+174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
38289+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
38290+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
38291+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38292+26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
38293+35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
38294+2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
38295+3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
38296+131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
38297+4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38298+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38299+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38300+4 4 4 4 4 4
38301+3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
38302+174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
38303+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
38304+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
38305+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38306+26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
38307+7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
38308+4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
38309+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
38310+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38311+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38312+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38313+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38314+4 4 4 4 4 4
38315+1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
38316+174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
38317+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
38318+18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
38319+18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
38320+26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
38321+28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
38322+3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
38323+4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
38324+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38325+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38326+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38327+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38328+4 4 4 4 4 4
38329+4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
38330+174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
38331+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
38332+10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
38333+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38334+18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
38335+90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
38336+3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
38337+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
38338+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38339+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38340+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38341+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38342+4 4 4 4 4 4
38343+1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
38344+177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
38345+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
38346+10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
38347+26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
38348+6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
38349+10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
38350+2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
38351+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
38352+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38353+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38354+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38355+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38356+4 4 4 4 4 4
38357+4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
38358+177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
38359+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
38360+10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
38361+26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
38362+7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
38363+3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
38364+21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
38365+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
38366+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38367+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38368+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38369+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38370+4 4 4 4 4 4
38371+3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
38372+190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
38373+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
38374+10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
38375+24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
38376+18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
38377+28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
38378+26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
38379+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
38380+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38381+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38382+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38383+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38384+4 4 4 4 4 4
38385+4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
38386+190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
38387+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
38388+10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
38389+0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
38390+26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
38391+37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
38392+90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
38393+4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
38394+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38395+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38396+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38397+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38398+4 4 4 4 4 4
38399+4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
38400+193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
38401+5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
38402+10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
38403+1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
38404+26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
38405+22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
38406+26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
38407+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
38408+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38409+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38410+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38411+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38412+4 4 4 4 4 4
38413+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
38414+190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
38415+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
38416+10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
38417+2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
38418+26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
38419+10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
38420+26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
38421+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
38422+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38423+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38424+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38425+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38426+4 4 4 4 4 4
38427+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
38428+193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
38429+5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
38430+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
38431+13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
38432+10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
38433+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38434+26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
38435+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
38436+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38437+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38438+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38439+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38440+4 4 4 4 4 4
38441+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
38442+190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
38443+5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
38444+28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
38445+10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
38446+28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
38447+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38448+26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
38449+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
38450+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38451+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38452+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38453+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38454+4 4 4 4 4 4
38455+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
38456+193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
38457+5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
38458+4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
38459+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
38460+10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
38461+18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
38462+22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
38463+4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
38464+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38465+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38466+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38467+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38468+4 4 4 4 4 4
38469+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
38470+190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
38471+6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
38472+1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
38473+18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
38474+10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
38475+26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
38476+1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
38477+5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
38478+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38479+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38480+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38481+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38482+4 4 4 4 4 4
38483+4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
38484+193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
38485+2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
38486+4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
38487+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
38488+10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
38489+26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
38490+2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
38491+3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
38492+131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38493+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38494+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38495+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38496+4 4 4 4 4 4
38497+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
38498+193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
38499+0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
38500+4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
38501+13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
38502+10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
38503+28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
38504+4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
38505+0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
38506+125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38507+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38508+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38509+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38510+4 4 4 4 4 4
38511+4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
38512+193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
38513+120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
38514+4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
38515+4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
38516+10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
38517+4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
38518+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
38519+24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
38520+125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
38521+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38522+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38523+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38524+4 4 4 4 4 4
38525+4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
38526+174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
38527+220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
38528+3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
38529+4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
38530+10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
38531+1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
38532+5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
38533+137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
38534+125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
38535+0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38536+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38537+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38538+4 4 4 4 4 4
38539+5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
38540+193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
38541+220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
38542+4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
38543+4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
38544+22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
38545+4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38546+1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
38547+166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
38548+125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
38549+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
38550+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38551+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38552+4 4 4 4 4 4
38553+4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
38554+220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
38555+205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
38556+24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
38557+4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
38558+4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
38559+4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
38560+2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
38561+156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
38562+137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
38563+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38564+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38565+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38566+4 4 4 4 4 4
38567+5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
38568+125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
38569+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
38570+193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
38571+5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
38572+1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
38573+5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
38574+60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
38575+153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
38576+125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
38577+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38578+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38579+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38580+4 4 4 4 4 4
38581+4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
38582+6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
38583+193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
38584+244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
38585+0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
38586+4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
38587+3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
38588+220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
38589+153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
38590+13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
38591+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38592+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38593+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38594+4 4 4 4 4 4
38595+5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
38596+6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
38597+244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
38598+220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
38599+3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
38600+4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
38601+0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
38602+177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
38603+158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
38604+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
38605+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38606+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38607+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38608+4 4 4 4 4 4
38609+5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
38610+6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
38611+177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
38612+220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
38613+125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
38614+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
38615+37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
38616+174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
38617+158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
38618+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
38619+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38620+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38621+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38622+4 4 4 4 4 4
38623+4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
38624+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
38625+26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
38626+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
38627+244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
38628+0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
38629+177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
38630+174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
38631+60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
38632+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38633+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38634+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38635+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38636+4 4 4 4 4 4
38637+5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
38638+6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
38639+6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
38640+220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
38641+220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
38642+0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
38643+220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
38644+174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
38645+4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
38646+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38647+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38648+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38649+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38650+4 4 4 4 4 4
38651+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
38652+6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
38653+4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
38654+220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
38655+205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
38656+60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
38657+177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
38658+190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
38659+4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38660+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38661+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38662+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38663+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38664+4 4 4 4 4 4
38665+4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
38666+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
38667+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
38668+125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
38669+205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
38670+193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
38671+190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
38672+153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
38673+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38674+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38675+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38676+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38677+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38678+4 4 4 4 4 4
38679+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
38680+6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
38681+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
38682+4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
38683+205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
38684+220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
38685+174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
38686+6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
38687+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38688+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38689+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38690+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38691+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38692+4 4 4 4 4 4
38693+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
38694+5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
38695+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
38696+4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
38697+220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
38698+190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
38699+193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
38700+4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
38701+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38702+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38703+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38704+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38705+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38706+4 4 4 4 4 4
38707+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38708+4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
38709+4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
38710+6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
38711+174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
38712+193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
38713+193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
38714+6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
38715+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38716+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38717+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38718+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38719+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38720+4 4 4 4 4 4
38721+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38722+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
38723+5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
38724+5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
38725+6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
38726+193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
38727+60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6
38728+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
38729+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38730+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38731+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38732+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38733+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38734+4 4 4 4 4 4
38735+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38736+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38737+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
38738+5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0
38739+4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203
38740+193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6
38741+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5
38742+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
38743+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38744+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38745+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38746+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38747+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38748+4 4 4 4 4 4
38749+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38750+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38751+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
38752+4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
38753+6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125
38754+153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6
38755+6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5
38756+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38757+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38758+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38759+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38760+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38761+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38762+4 4 4 4 4 4
38763+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38764+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38765+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38766+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
38767+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
38768+24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0
38769+6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3
38770+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38771+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38772+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38773+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38774+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38775+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38776+4 4 4 4 4 4
38777+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38778+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38779+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38780+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
38781+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
38782+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
38783+4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4
38784+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38785+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38786+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38787+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38788+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38789+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38790+4 4 4 4 4 4
38791+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38792+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38793+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38794+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5
38795+5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6
38796+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0
38797+6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4
38798+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38799+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38800+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38801+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38802+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38803+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38804+4 4 4 4 4 4
38805+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38806+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38807+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38808+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
38809+4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6
38810+4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
38811+6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38812+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38813+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38814+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38815+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38816+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38817+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38818+4 4 4 4 4 4
38819+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38820+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38821+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38822+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38823+4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6
38824+6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6
38825+4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
38826+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38827+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38828+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38829+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38830+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38831+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38832+4 4 4 4 4 4
38833+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38834+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38835+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38836+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38837+4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3
38838+4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3
38839+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38840+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38841+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38842+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38843+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38844+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38845+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38846+4 4 4 4 4 4
38847+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38848+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38849+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38850+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38851+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6
38852+5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5
38853+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38854+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38855+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38856+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38857+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38858+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38859+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38860+4 4 4 4 4 4
38861+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38862+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38863+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38864+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38865+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
38866+5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4
38867+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38868+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38869+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38870+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38871+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38872+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38873+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38874+4 4 4 4 4 4
38875diff -urNp linux-3.0.7/drivers/video/udlfb.c linux-3.0.7/drivers/video/udlfb.c
38876--- linux-3.0.7/drivers/video/udlfb.c 2011-07-21 22:17:23.000000000 -0400
38877+++ linux-3.0.7/drivers/video/udlfb.c 2011-08-23 21:47:56.000000000 -0400
38878@@ -586,11 +586,11 @@ int dlfb_handle_damage(struct dlfb_data
38879 dlfb_urb_completion(urb);
38880
38881 error:
38882- atomic_add(bytes_sent, &dev->bytes_sent);
38883- atomic_add(bytes_identical, &dev->bytes_identical);
38884- atomic_add(width*height*2, &dev->bytes_rendered);
38885+ atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
38886+ atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
38887+ atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
38888 end_cycles = get_cycles();
38889- atomic_add(((unsigned int) ((end_cycles - start_cycles)
38890+ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
38891 >> 10)), /* Kcycles */
38892 &dev->cpu_kcycles_used);
38893
38894@@ -711,11 +711,11 @@ static void dlfb_dpy_deferred_io(struct
38895 dlfb_urb_completion(urb);
38896
38897 error:
38898- atomic_add(bytes_sent, &dev->bytes_sent);
38899- atomic_add(bytes_identical, &dev->bytes_identical);
38900- atomic_add(bytes_rendered, &dev->bytes_rendered);
38901+ atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
38902+ atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
38903+ atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
38904 end_cycles = get_cycles();
38905- atomic_add(((unsigned int) ((end_cycles - start_cycles)
38906+ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
38907 >> 10)), /* Kcycles */
38908 &dev->cpu_kcycles_used);
38909 }
38910@@ -1307,7 +1307,7 @@ static ssize_t metrics_bytes_rendered_sh
38911 struct fb_info *fb_info = dev_get_drvdata(fbdev);
38912 struct dlfb_data *dev = fb_info->par;
38913 return snprintf(buf, PAGE_SIZE, "%u\n",
38914- atomic_read(&dev->bytes_rendered));
38915+ atomic_read_unchecked(&dev->bytes_rendered));
38916 }
38917
38918 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
38919@@ -1315,7 +1315,7 @@ static ssize_t metrics_bytes_identical_s
38920 struct fb_info *fb_info = dev_get_drvdata(fbdev);
38921 struct dlfb_data *dev = fb_info->par;
38922 return snprintf(buf, PAGE_SIZE, "%u\n",
38923- atomic_read(&dev->bytes_identical));
38924+ atomic_read_unchecked(&dev->bytes_identical));
38925 }
38926
38927 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
38928@@ -1323,7 +1323,7 @@ static ssize_t metrics_bytes_sent_show(s
38929 struct fb_info *fb_info = dev_get_drvdata(fbdev);
38930 struct dlfb_data *dev = fb_info->par;
38931 return snprintf(buf, PAGE_SIZE, "%u\n",
38932- atomic_read(&dev->bytes_sent));
38933+ atomic_read_unchecked(&dev->bytes_sent));
38934 }
38935
38936 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
38937@@ -1331,7 +1331,7 @@ static ssize_t metrics_cpu_kcycles_used_
38938 struct fb_info *fb_info = dev_get_drvdata(fbdev);
38939 struct dlfb_data *dev = fb_info->par;
38940 return snprintf(buf, PAGE_SIZE, "%u\n",
38941- atomic_read(&dev->cpu_kcycles_used));
38942+ atomic_read_unchecked(&dev->cpu_kcycles_used));
38943 }
38944
38945 static ssize_t edid_show(
38946@@ -1388,10 +1388,10 @@ static ssize_t metrics_reset_store(struc
38947 struct fb_info *fb_info = dev_get_drvdata(fbdev);
38948 struct dlfb_data *dev = fb_info->par;
38949
38950- atomic_set(&dev->bytes_rendered, 0);
38951- atomic_set(&dev->bytes_identical, 0);
38952- atomic_set(&dev->bytes_sent, 0);
38953- atomic_set(&dev->cpu_kcycles_used, 0);
38954+ atomic_set_unchecked(&dev->bytes_rendered, 0);
38955+ atomic_set_unchecked(&dev->bytes_identical, 0);
38956+ atomic_set_unchecked(&dev->bytes_sent, 0);
38957+ atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
38958
38959 return count;
38960 }
38961diff -urNp linux-3.0.7/drivers/video/uvesafb.c linux-3.0.7/drivers/video/uvesafb.c
38962--- linux-3.0.7/drivers/video/uvesafb.c 2011-07-21 22:17:23.000000000 -0400
38963+++ linux-3.0.7/drivers/video/uvesafb.c 2011-08-23 21:47:56.000000000 -0400
38964@@ -19,6 +19,7 @@
38965 #include <linux/io.h>
38966 #include <linux/mutex.h>
38967 #include <linux/slab.h>
38968+#include <linux/moduleloader.h>
38969 #include <video/edid.h>
38970 #include <video/uvesafb.h>
38971 #ifdef CONFIG_X86
38972@@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
38973 NULL,
38974 };
38975
38976- return call_usermodehelper(v86d_path, argv, envp, 1);
38977+ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
38978 }
38979
38980 /*
38981@@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
38982 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
38983 par->pmi_setpal = par->ypan = 0;
38984 } else {
38985+
38986+#ifdef CONFIG_PAX_KERNEXEC
38987+#ifdef CONFIG_MODULES
38988+ par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
38989+#endif
38990+ if (!par->pmi_code) {
38991+ par->pmi_setpal = par->ypan = 0;
38992+ return 0;
38993+ }
38994+#endif
38995+
38996 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
38997 + task->t.regs.edi);
38998+
38999+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39000+ pax_open_kernel();
39001+ memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
39002+ pax_close_kernel();
39003+
39004+ par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
39005+ par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
39006+#else
39007 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
39008 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
39009+#endif
39010+
39011 printk(KERN_INFO "uvesafb: protected mode interface info at "
39012 "%04x:%04x\n",
39013 (u16)task->t.regs.es, (u16)task->t.regs.edi);
39014@@ -1821,6 +1844,11 @@ out:
39015 if (par->vbe_modes)
39016 kfree(par->vbe_modes);
39017
39018+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39019+ if (par->pmi_code)
39020+ module_free_exec(NULL, par->pmi_code);
39021+#endif
39022+
39023 framebuffer_release(info);
39024 return err;
39025 }
39026@@ -1847,6 +1875,12 @@ static int uvesafb_remove(struct platfor
39027 kfree(par->vbe_state_orig);
39028 if (par->vbe_state_saved)
39029 kfree(par->vbe_state_saved);
39030+
39031+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39032+ if (par->pmi_code)
39033+ module_free_exec(NULL, par->pmi_code);
39034+#endif
39035+
39036 }
39037
39038 framebuffer_release(info);
39039diff -urNp linux-3.0.7/drivers/video/vesafb.c linux-3.0.7/drivers/video/vesafb.c
39040--- linux-3.0.7/drivers/video/vesafb.c 2011-07-21 22:17:23.000000000 -0400
39041+++ linux-3.0.7/drivers/video/vesafb.c 2011-08-23 21:47:56.000000000 -0400
39042@@ -9,6 +9,7 @@
39043 */
39044
39045 #include <linux/module.h>
39046+#include <linux/moduleloader.h>
39047 #include <linux/kernel.h>
39048 #include <linux/errno.h>
39049 #include <linux/string.h>
39050@@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
39051 static int vram_total __initdata; /* Set total amount of memory */
39052 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
39053 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
39054-static void (*pmi_start)(void) __read_mostly;
39055-static void (*pmi_pal) (void) __read_mostly;
39056+static void (*pmi_start)(void) __read_only;
39057+static void (*pmi_pal) (void) __read_only;
39058 static int depth __read_mostly;
39059 static int vga_compat __read_mostly;
39060 /* --------------------------------------------------------------------- */
39061@@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
39062 unsigned int size_vmode;
39063 unsigned int size_remap;
39064 unsigned int size_total;
39065+ void *pmi_code = NULL;
39066
39067 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
39068 return -ENODEV;
39069@@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
39070 size_remap = size_total;
39071 vesafb_fix.smem_len = size_remap;
39072
39073-#ifndef __i386__
39074- screen_info.vesapm_seg = 0;
39075-#endif
39076-
39077 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
39078 printk(KERN_WARNING
39079 "vesafb: cannot reserve video memory at 0x%lx\n",
39080@@ -307,9 +305,21 @@ static int __init vesafb_probe(struct pl
39081 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
39082 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
39083
39084+#ifdef __i386__
39085+
39086+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39087+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
39088+ if (!pmi_code)
39089+#elif !defined(CONFIG_PAX_KERNEXEC)
39090+ if (0)
39091+#endif
39092+
39093+#endif
39094+ screen_info.vesapm_seg = 0;
39095+
39096 if (screen_info.vesapm_seg) {
39097- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
39098- screen_info.vesapm_seg,screen_info.vesapm_off);
39099+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
39100+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
39101 }
39102
39103 if (screen_info.vesapm_seg < 0xc000)
39104@@ -317,9 +327,25 @@ static int __init vesafb_probe(struct pl
39105
39106 if (ypan || pmi_setpal) {
39107 unsigned short *pmi_base;
39108+
39109 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
39110- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
39111- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
39112+
39113+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39114+ pax_open_kernel();
39115+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
39116+#else
39117+ pmi_code = pmi_base;
39118+#endif
39119+
39120+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
39121+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
39122+
39123+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39124+ pmi_start = ktva_ktla(pmi_start);
39125+ pmi_pal = ktva_ktla(pmi_pal);
39126+ pax_close_kernel();
39127+#endif
39128+
39129 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
39130 if (pmi_base[3]) {
39131 printk(KERN_INFO "vesafb: pmi: ports = ");
39132@@ -488,6 +514,11 @@ static int __init vesafb_probe(struct pl
39133 info->node, info->fix.id);
39134 return 0;
39135 err:
39136+
39137+#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39138+ module_free_exec(NULL, pmi_code);
39139+#endif
39140+
39141 if (info->screen_base)
39142 iounmap(info->screen_base);
39143 framebuffer_release(info);
39144diff -urNp linux-3.0.7/drivers/video/via/via_clock.h linux-3.0.7/drivers/video/via/via_clock.h
39145--- linux-3.0.7/drivers/video/via/via_clock.h 2011-07-21 22:17:23.000000000 -0400
39146+++ linux-3.0.7/drivers/video/via/via_clock.h 2011-08-23 21:47:56.000000000 -0400
39147@@ -56,7 +56,7 @@ struct via_clock {
39148
39149 void (*set_engine_pll_state)(u8 state);
39150 void (*set_engine_pll)(struct via_pll_config config);
39151-};
39152+} __no_const;
39153
39154
39155 static inline u32 get_pll_internal_frequency(u32 ref_freq,
39156diff -urNp linux-3.0.7/drivers/virtio/virtio_balloon.c linux-3.0.7/drivers/virtio/virtio_balloon.c
39157--- linux-3.0.7/drivers/virtio/virtio_balloon.c 2011-07-21 22:17:23.000000000 -0400
39158+++ linux-3.0.7/drivers/virtio/virtio_balloon.c 2011-08-23 21:48:14.000000000 -0400
39159@@ -174,6 +174,8 @@ static void update_balloon_stats(struct
39160 struct sysinfo i;
39161 int idx = 0;
39162
39163+ pax_track_stack();
39164+
39165 all_vm_events(events);
39166 si_meminfo(&i);
39167
39168diff -urNp linux-3.0.7/fs/9p/vfs_inode.c linux-3.0.7/fs/9p/vfs_inode.c
39169--- linux-3.0.7/fs/9p/vfs_inode.c 2011-10-16 21:54:54.000000000 -0400
39170+++ linux-3.0.7/fs/9p/vfs_inode.c 2011-10-16 21:55:28.000000000 -0400
39171@@ -1264,7 +1264,7 @@ static void *v9fs_vfs_follow_link(struct
39172 void
39173 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
39174 {
39175- char *s = nd_get_link(nd);
39176+ const char *s = nd_get_link(nd);
39177
39178 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
39179 IS_ERR(s) ? "<error>" : s);
39180diff -urNp linux-3.0.7/fs/Kconfig.binfmt linux-3.0.7/fs/Kconfig.binfmt
39181--- linux-3.0.7/fs/Kconfig.binfmt 2011-07-21 22:17:23.000000000 -0400
39182+++ linux-3.0.7/fs/Kconfig.binfmt 2011-08-23 21:47:56.000000000 -0400
39183@@ -86,7 +86,7 @@ config HAVE_AOUT
39184
39185 config BINFMT_AOUT
39186 tristate "Kernel support for a.out and ECOFF binaries"
39187- depends on HAVE_AOUT
39188+ depends on HAVE_AOUT && BROKEN
39189 ---help---
39190 A.out (Assembler.OUTput) is a set of formats for libraries and
39191 executables used in the earliest versions of UNIX. Linux used
39192diff -urNp linux-3.0.7/fs/aio.c linux-3.0.7/fs/aio.c
39193--- linux-3.0.7/fs/aio.c 2011-07-21 22:17:23.000000000 -0400
39194+++ linux-3.0.7/fs/aio.c 2011-08-23 21:48:14.000000000 -0400
39195@@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx
39196 size += sizeof(struct io_event) * nr_events;
39197 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
39198
39199- if (nr_pages < 0)
39200+ if (nr_pages <= 0)
39201 return -EINVAL;
39202
39203 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
39204@@ -1088,6 +1088,8 @@ static int read_events(struct kioctx *ct
39205 struct aio_timeout to;
39206 int retry = 0;
39207
39208+ pax_track_stack();
39209+
39210 /* needed to zero any padding within an entry (there shouldn't be
39211 * any, but C is fun!
39212 */
39213@@ -1381,22 +1383,27 @@ static ssize_t aio_fsync(struct kiocb *i
39214 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
39215 {
39216 ssize_t ret;
39217+ struct iovec iovstack;
39218
39219 #ifdef CONFIG_COMPAT
39220 if (compat)
39221 ret = compat_rw_copy_check_uvector(type,
39222 (struct compat_iovec __user *)kiocb->ki_buf,
39223- kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
39224+ kiocb->ki_nbytes, 1, &iovstack,
39225 &kiocb->ki_iovec);
39226 else
39227 #endif
39228 ret = rw_copy_check_uvector(type,
39229 (struct iovec __user *)kiocb->ki_buf,
39230- kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
39231+ kiocb->ki_nbytes, 1, &iovstack,
39232 &kiocb->ki_iovec);
39233 if (ret < 0)
39234 goto out;
39235
39236+ if (kiocb->ki_iovec == &iovstack) {
39237+ kiocb->ki_inline_vec = iovstack;
39238+ kiocb->ki_iovec = &kiocb->ki_inline_vec;
39239+ }
39240 kiocb->ki_nr_segs = kiocb->ki_nbytes;
39241 kiocb->ki_cur_seg = 0;
39242 /* ki_nbytes/left now reflect bytes instead of segs */
39243diff -urNp linux-3.0.7/fs/attr.c linux-3.0.7/fs/attr.c
39244--- linux-3.0.7/fs/attr.c 2011-07-21 22:17:23.000000000 -0400
39245+++ linux-3.0.7/fs/attr.c 2011-08-23 21:48:14.000000000 -0400
39246@@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
39247 unsigned long limit;
39248
39249 limit = rlimit(RLIMIT_FSIZE);
39250+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
39251 if (limit != RLIM_INFINITY && offset > limit)
39252 goto out_sig;
39253 if (offset > inode->i_sb->s_maxbytes)
39254diff -urNp linux-3.0.7/fs/autofs4/waitq.c linux-3.0.7/fs/autofs4/waitq.c
39255--- linux-3.0.7/fs/autofs4/waitq.c 2011-07-21 22:17:23.000000000 -0400
39256+++ linux-3.0.7/fs/autofs4/waitq.c 2011-10-06 04:17:55.000000000 -0400
39257@@ -60,7 +60,7 @@ static int autofs4_write(struct file *fi
39258 {
39259 unsigned long sigpipe, flags;
39260 mm_segment_t fs;
39261- const char *data = (const char *)addr;
39262+ const char __user *data = (const char __force_user *)addr;
39263 ssize_t wr = 0;
39264
39265 /** WARNING: this is not safe for writing more than PIPE_BUF bytes! **/
39266diff -urNp linux-3.0.7/fs/befs/linuxvfs.c linux-3.0.7/fs/befs/linuxvfs.c
39267--- linux-3.0.7/fs/befs/linuxvfs.c 2011-09-02 18:11:26.000000000 -0400
39268+++ linux-3.0.7/fs/befs/linuxvfs.c 2011-08-29 23:26:27.000000000 -0400
39269@@ -503,7 +503,7 @@ static void befs_put_link(struct dentry
39270 {
39271 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
39272 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
39273- char *link = nd_get_link(nd);
39274+ const char *link = nd_get_link(nd);
39275 if (!IS_ERR(link))
39276 kfree(link);
39277 }
39278diff -urNp linux-3.0.7/fs/binfmt_aout.c linux-3.0.7/fs/binfmt_aout.c
39279--- linux-3.0.7/fs/binfmt_aout.c 2011-07-21 22:17:23.000000000 -0400
39280+++ linux-3.0.7/fs/binfmt_aout.c 2011-08-23 21:48:14.000000000 -0400
39281@@ -16,6 +16,7 @@
39282 #include <linux/string.h>
39283 #include <linux/fs.h>
39284 #include <linux/file.h>
39285+#include <linux/security.h>
39286 #include <linux/stat.h>
39287 #include <linux/fcntl.h>
39288 #include <linux/ptrace.h>
39289@@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
39290 #endif
39291 # define START_STACK(u) ((void __user *)u.start_stack)
39292
39293+ memset(&dump, 0, sizeof(dump));
39294+
39295 fs = get_fs();
39296 set_fs(KERNEL_DS);
39297 has_dumped = 1;
39298@@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
39299
39300 /* If the size of the dump file exceeds the rlimit, then see what would happen
39301 if we wrote the stack, but not the data area. */
39302+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
39303 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
39304 dump.u_dsize = 0;
39305
39306 /* Make sure we have enough room to write the stack and data areas. */
39307+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
39308 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
39309 dump.u_ssize = 0;
39310
39311@@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
39312 rlim = rlimit(RLIMIT_DATA);
39313 if (rlim >= RLIM_INFINITY)
39314 rlim = ~0;
39315+
39316+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
39317 if (ex.a_data + ex.a_bss > rlim)
39318 return -ENOMEM;
39319
39320@@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
39321 install_exec_creds(bprm);
39322 current->flags &= ~PF_FORKNOEXEC;
39323
39324+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
39325+ current->mm->pax_flags = 0UL;
39326+#endif
39327+
39328+#ifdef CONFIG_PAX_PAGEEXEC
39329+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
39330+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
39331+
39332+#ifdef CONFIG_PAX_EMUTRAMP
39333+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
39334+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
39335+#endif
39336+
39337+#ifdef CONFIG_PAX_MPROTECT
39338+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
39339+ current->mm->pax_flags |= MF_PAX_MPROTECT;
39340+#endif
39341+
39342+ }
39343+#endif
39344+
39345 if (N_MAGIC(ex) == OMAGIC) {
39346 unsigned long text_addr, map_size;
39347 loff_t pos;
39348@@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
39349
39350 down_write(&current->mm->mmap_sem);
39351 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
39352- PROT_READ | PROT_WRITE | PROT_EXEC,
39353+ PROT_READ | PROT_WRITE,
39354 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
39355 fd_offset + ex.a_text);
39356 up_write(&current->mm->mmap_sem);
39357diff -urNp linux-3.0.7/fs/binfmt_elf.c linux-3.0.7/fs/binfmt_elf.c
39358--- linux-3.0.7/fs/binfmt_elf.c 2011-07-21 22:17:23.000000000 -0400
39359+++ linux-3.0.7/fs/binfmt_elf.c 2011-08-23 21:48:14.000000000 -0400
39360@@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
39361 #define elf_core_dump NULL
39362 #endif
39363
39364+#ifdef CONFIG_PAX_MPROTECT
39365+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
39366+#endif
39367+
39368 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
39369 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
39370 #else
39371@@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
39372 .load_binary = load_elf_binary,
39373 .load_shlib = load_elf_library,
39374 .core_dump = elf_core_dump,
39375+
39376+#ifdef CONFIG_PAX_MPROTECT
39377+ .handle_mprotect= elf_handle_mprotect,
39378+#endif
39379+
39380 .min_coredump = ELF_EXEC_PAGESIZE,
39381 };
39382
39383@@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
39384
39385 static int set_brk(unsigned long start, unsigned long end)
39386 {
39387+ unsigned long e = end;
39388+
39389 start = ELF_PAGEALIGN(start);
39390 end = ELF_PAGEALIGN(end);
39391 if (end > start) {
39392@@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
39393 if (BAD_ADDR(addr))
39394 return addr;
39395 }
39396- current->mm->start_brk = current->mm->brk = end;
39397+ current->mm->start_brk = current->mm->brk = e;
39398 return 0;
39399 }
39400
39401@@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
39402 elf_addr_t __user *u_rand_bytes;
39403 const char *k_platform = ELF_PLATFORM;
39404 const char *k_base_platform = ELF_BASE_PLATFORM;
39405- unsigned char k_rand_bytes[16];
39406+ u32 k_rand_bytes[4];
39407 int items;
39408 elf_addr_t *elf_info;
39409 int ei_index = 0;
39410 const struct cred *cred = current_cred();
39411 struct vm_area_struct *vma;
39412+ unsigned long saved_auxv[AT_VECTOR_SIZE];
39413+
39414+ pax_track_stack();
39415
39416 /*
39417 * In some cases (e.g. Hyper-Threading), we want to avoid L1
39418@@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
39419 * Generate 16 random bytes for userspace PRNG seeding.
39420 */
39421 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
39422- u_rand_bytes = (elf_addr_t __user *)
39423- STACK_ALLOC(p, sizeof(k_rand_bytes));
39424+ srandom32(k_rand_bytes[0] ^ random32());
39425+ srandom32(k_rand_bytes[1] ^ random32());
39426+ srandom32(k_rand_bytes[2] ^ random32());
39427+ srandom32(k_rand_bytes[3] ^ random32());
39428+ p = STACK_ROUND(p, sizeof(k_rand_bytes));
39429+ u_rand_bytes = (elf_addr_t __user *) p;
39430 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
39431 return -EFAULT;
39432
39433@@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
39434 return -EFAULT;
39435 current->mm->env_end = p;
39436
39437+ memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
39438+
39439 /* Put the elf_info on the stack in the right place. */
39440 sp = (elf_addr_t __user *)envp + 1;
39441- if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
39442+ if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
39443 return -EFAULT;
39444 return 0;
39445 }
39446@@ -381,10 +401,10 @@ static unsigned long load_elf_interp(str
39447 {
39448 struct elf_phdr *elf_phdata;
39449 struct elf_phdr *eppnt;
39450- unsigned long load_addr = 0;
39451+ unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
39452 int load_addr_set = 0;
39453 unsigned long last_bss = 0, elf_bss = 0;
39454- unsigned long error = ~0UL;
39455+ unsigned long error = -EINVAL;
39456 unsigned long total_size;
39457 int retval, i, size;
39458
39459@@ -430,6 +450,11 @@ static unsigned long load_elf_interp(str
39460 goto out_close;
39461 }
39462
39463+#ifdef CONFIG_PAX_SEGMEXEC
39464+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
39465+ pax_task_size = SEGMEXEC_TASK_SIZE;
39466+#endif
39467+
39468 eppnt = elf_phdata;
39469 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
39470 if (eppnt->p_type == PT_LOAD) {
39471@@ -473,8 +498,8 @@ static unsigned long load_elf_interp(str
39472 k = load_addr + eppnt->p_vaddr;
39473 if (BAD_ADDR(k) ||
39474 eppnt->p_filesz > eppnt->p_memsz ||
39475- eppnt->p_memsz > TASK_SIZE ||
39476- TASK_SIZE - eppnt->p_memsz < k) {
39477+ eppnt->p_memsz > pax_task_size ||
39478+ pax_task_size - eppnt->p_memsz < k) {
39479 error = -ENOMEM;
39480 goto out_close;
39481 }
39482@@ -528,6 +553,193 @@ out:
39483 return error;
39484 }
39485
39486+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
39487+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
39488+{
39489+ unsigned long pax_flags = 0UL;
39490+
39491+#ifdef CONFIG_PAX_PAGEEXEC
39492+ if (elf_phdata->p_flags & PF_PAGEEXEC)
39493+ pax_flags |= MF_PAX_PAGEEXEC;
39494+#endif
39495+
39496+#ifdef CONFIG_PAX_SEGMEXEC
39497+ if (elf_phdata->p_flags & PF_SEGMEXEC)
39498+ pax_flags |= MF_PAX_SEGMEXEC;
39499+#endif
39500+
39501+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39502+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39503+ if ((__supported_pte_mask & _PAGE_NX))
39504+ pax_flags &= ~MF_PAX_SEGMEXEC;
39505+ else
39506+ pax_flags &= ~MF_PAX_PAGEEXEC;
39507+ }
39508+#endif
39509+
39510+#ifdef CONFIG_PAX_EMUTRAMP
39511+ if (elf_phdata->p_flags & PF_EMUTRAMP)
39512+ pax_flags |= MF_PAX_EMUTRAMP;
39513+#endif
39514+
39515+#ifdef CONFIG_PAX_MPROTECT
39516+ if (elf_phdata->p_flags & PF_MPROTECT)
39517+ pax_flags |= MF_PAX_MPROTECT;
39518+#endif
39519+
39520+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
39521+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
39522+ pax_flags |= MF_PAX_RANDMMAP;
39523+#endif
39524+
39525+ return pax_flags;
39526+}
39527+#endif
39528+
39529+#ifdef CONFIG_PAX_PT_PAX_FLAGS
39530+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
39531+{
39532+ unsigned long pax_flags = 0UL;
39533+
39534+#ifdef CONFIG_PAX_PAGEEXEC
39535+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
39536+ pax_flags |= MF_PAX_PAGEEXEC;
39537+#endif
39538+
39539+#ifdef CONFIG_PAX_SEGMEXEC
39540+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
39541+ pax_flags |= MF_PAX_SEGMEXEC;
39542+#endif
39543+
39544+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39545+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39546+ if ((__supported_pte_mask & _PAGE_NX))
39547+ pax_flags &= ~MF_PAX_SEGMEXEC;
39548+ else
39549+ pax_flags &= ~MF_PAX_PAGEEXEC;
39550+ }
39551+#endif
39552+
39553+#ifdef CONFIG_PAX_EMUTRAMP
39554+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
39555+ pax_flags |= MF_PAX_EMUTRAMP;
39556+#endif
39557+
39558+#ifdef CONFIG_PAX_MPROTECT
39559+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
39560+ pax_flags |= MF_PAX_MPROTECT;
39561+#endif
39562+
39563+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
39564+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
39565+ pax_flags |= MF_PAX_RANDMMAP;
39566+#endif
39567+
39568+ return pax_flags;
39569+}
39570+#endif
39571+
39572+#ifdef CONFIG_PAX_EI_PAX
39573+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
39574+{
39575+ unsigned long pax_flags = 0UL;
39576+
39577+#ifdef CONFIG_PAX_PAGEEXEC
39578+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
39579+ pax_flags |= MF_PAX_PAGEEXEC;
39580+#endif
39581+
39582+#ifdef CONFIG_PAX_SEGMEXEC
39583+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
39584+ pax_flags |= MF_PAX_SEGMEXEC;
39585+#endif
39586+
39587+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39588+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39589+ if ((__supported_pte_mask & _PAGE_NX))
39590+ pax_flags &= ~MF_PAX_SEGMEXEC;
39591+ else
39592+ pax_flags &= ~MF_PAX_PAGEEXEC;
39593+ }
39594+#endif
39595+
39596+#ifdef CONFIG_PAX_EMUTRAMP
39597+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
39598+ pax_flags |= MF_PAX_EMUTRAMP;
39599+#endif
39600+
39601+#ifdef CONFIG_PAX_MPROTECT
39602+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
39603+ pax_flags |= MF_PAX_MPROTECT;
39604+#endif
39605+
39606+#ifdef CONFIG_PAX_ASLR
39607+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
39608+ pax_flags |= MF_PAX_RANDMMAP;
39609+#endif
39610+
39611+ return pax_flags;
39612+}
39613+#endif
39614+
39615+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
39616+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
39617+{
39618+ unsigned long pax_flags = 0UL;
39619+
39620+#ifdef CONFIG_PAX_PT_PAX_FLAGS
39621+ unsigned long i;
39622+ int found_flags = 0;
39623+#endif
39624+
39625+#ifdef CONFIG_PAX_EI_PAX
39626+ pax_flags = pax_parse_ei_pax(elf_ex);
39627+#endif
39628+
39629+#ifdef CONFIG_PAX_PT_PAX_FLAGS
39630+ for (i = 0UL; i < elf_ex->e_phnum; i++)
39631+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
39632+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
39633+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
39634+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
39635+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
39636+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
39637+ return -EINVAL;
39638+
39639+#ifdef CONFIG_PAX_SOFTMODE
39640+ if (pax_softmode)
39641+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
39642+ else
39643+#endif
39644+
39645+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
39646+ found_flags = 1;
39647+ break;
39648+ }
39649+#endif
39650+
39651+#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
39652+ if (found_flags == 0) {
39653+ struct elf_phdr phdr;
39654+ memset(&phdr, 0, sizeof(phdr));
39655+ phdr.p_flags = PF_NOEMUTRAMP;
39656+#ifdef CONFIG_PAX_SOFTMODE
39657+ if (pax_softmode)
39658+ pax_flags = pax_parse_softmode(&phdr);
39659+ else
39660+#endif
39661+ pax_flags = pax_parse_hardmode(&phdr);
39662+ }
39663+#endif
39664+
39665+ if (0 > pax_check_flags(&pax_flags))
39666+ return -EINVAL;
39667+
39668+ current->mm->pax_flags = pax_flags;
39669+ return 0;
39670+}
39671+#endif
39672+
39673 /*
39674 * These are the functions used to load ELF style executables and shared
39675 * libraries. There is no binary dependent code anywhere else.
39676@@ -544,6 +756,11 @@ static unsigned long randomize_stack_top
39677 {
39678 unsigned int random_variable = 0;
39679
39680+#ifdef CONFIG_PAX_RANDUSTACK
39681+ if (randomize_va_space)
39682+ return stack_top - current->mm->delta_stack;
39683+#endif
39684+
39685 if ((current->flags & PF_RANDOMIZE) &&
39686 !(current->personality & ADDR_NO_RANDOMIZE)) {
39687 random_variable = get_random_int() & STACK_RND_MASK;
39688@@ -562,7 +779,7 @@ static int load_elf_binary(struct linux_
39689 unsigned long load_addr = 0, load_bias = 0;
39690 int load_addr_set = 0;
39691 char * elf_interpreter = NULL;
39692- unsigned long error;
39693+ unsigned long error = 0;
39694 struct elf_phdr *elf_ppnt, *elf_phdata;
39695 unsigned long elf_bss, elf_brk;
39696 int retval, i;
39697@@ -572,11 +789,11 @@ static int load_elf_binary(struct linux_
39698 unsigned long start_code, end_code, start_data, end_data;
39699 unsigned long reloc_func_desc __maybe_unused = 0;
39700 int executable_stack = EXSTACK_DEFAULT;
39701- unsigned long def_flags = 0;
39702 struct {
39703 struct elfhdr elf_ex;
39704 struct elfhdr interp_elf_ex;
39705 } *loc;
39706+ unsigned long pax_task_size = TASK_SIZE;
39707
39708 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
39709 if (!loc) {
39710@@ -714,11 +931,81 @@ static int load_elf_binary(struct linux_
39711
39712 /* OK, This is the point of no return */
39713 current->flags &= ~PF_FORKNOEXEC;
39714- current->mm->def_flags = def_flags;
39715+
39716+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
39717+ current->mm->pax_flags = 0UL;
39718+#endif
39719+
39720+#ifdef CONFIG_PAX_DLRESOLVE
39721+ current->mm->call_dl_resolve = 0UL;
39722+#endif
39723+
39724+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
39725+ current->mm->call_syscall = 0UL;
39726+#endif
39727+
39728+#ifdef CONFIG_PAX_ASLR
39729+ current->mm->delta_mmap = 0UL;
39730+ current->mm->delta_stack = 0UL;
39731+#endif
39732+
39733+ current->mm->def_flags = 0;
39734+
39735+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
39736+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
39737+ send_sig(SIGKILL, current, 0);
39738+ goto out_free_dentry;
39739+ }
39740+#endif
39741+
39742+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
39743+ pax_set_initial_flags(bprm);
39744+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
39745+ if (pax_set_initial_flags_func)
39746+ (pax_set_initial_flags_func)(bprm);
39747+#endif
39748+
39749+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
39750+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
39751+ current->mm->context.user_cs_limit = PAGE_SIZE;
39752+ current->mm->def_flags |= VM_PAGEEXEC;
39753+ }
39754+#endif
39755+
39756+#ifdef CONFIG_PAX_SEGMEXEC
39757+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
39758+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
39759+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
39760+ pax_task_size = SEGMEXEC_TASK_SIZE;
39761+ current->mm->def_flags |= VM_NOHUGEPAGE;
39762+ }
39763+#endif
39764+
39765+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
39766+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39767+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
39768+ put_cpu();
39769+ }
39770+#endif
39771
39772 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
39773 may depend on the personality. */
39774 SET_PERSONALITY(loc->elf_ex);
39775+
39776+#ifdef CONFIG_PAX_ASLR
39777+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
39778+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
39779+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
39780+ }
39781+#endif
39782+
39783+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
39784+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39785+ executable_stack = EXSTACK_DISABLE_X;
39786+ current->personality &= ~READ_IMPLIES_EXEC;
39787+ } else
39788+#endif
39789+
39790 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
39791 current->personality |= READ_IMPLIES_EXEC;
39792
39793@@ -800,6 +1087,20 @@ static int load_elf_binary(struct linux_
39794 #else
39795 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
39796 #endif
39797+
39798+#ifdef CONFIG_PAX_RANDMMAP
39799+ /* PaX: randomize base address at the default exe base if requested */
39800+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
39801+#ifdef CONFIG_SPARC64
39802+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
39803+#else
39804+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
39805+#endif
39806+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
39807+ elf_flags |= MAP_FIXED;
39808+ }
39809+#endif
39810+
39811 }
39812
39813 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
39814@@ -832,9 +1133,9 @@ static int load_elf_binary(struct linux_
39815 * allowed task size. Note that p_filesz must always be
39816 * <= p_memsz so it is only necessary to check p_memsz.
39817 */
39818- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
39819- elf_ppnt->p_memsz > TASK_SIZE ||
39820- TASK_SIZE - elf_ppnt->p_memsz < k) {
39821+ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
39822+ elf_ppnt->p_memsz > pax_task_size ||
39823+ pax_task_size - elf_ppnt->p_memsz < k) {
39824 /* set_brk can never work. Avoid overflows. */
39825 send_sig(SIGKILL, current, 0);
39826 retval = -EINVAL;
39827@@ -862,6 +1163,11 @@ static int load_elf_binary(struct linux_
39828 start_data += load_bias;
39829 end_data += load_bias;
39830
39831+#ifdef CONFIG_PAX_RANDMMAP
39832+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
39833+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
39834+#endif
39835+
39836 /* Calling set_brk effectively mmaps the pages that we need
39837 * for the bss and break sections. We must do this before
39838 * mapping in the interpreter, to make sure it doesn't wind
39839@@ -873,9 +1179,11 @@ static int load_elf_binary(struct linux_
39840 goto out_free_dentry;
39841 }
39842 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
39843- send_sig(SIGSEGV, current, 0);
39844- retval = -EFAULT; /* Nobody gets to see this, but.. */
39845- goto out_free_dentry;
39846+ /*
39847+ * This bss-zeroing can fail if the ELF
39848+ * file specifies odd protections. So
39849+ * we don't check the return value
39850+ */
39851 }
39852
39853 if (elf_interpreter) {
39854@@ -1090,7 +1398,7 @@ out:
39855 * Decide what to dump of a segment, part, all or none.
39856 */
39857 static unsigned long vma_dump_size(struct vm_area_struct *vma,
39858- unsigned long mm_flags)
39859+ unsigned long mm_flags, long signr)
39860 {
39861 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
39862
39863@@ -1124,7 +1432,7 @@ static unsigned long vma_dump_size(struc
39864 if (vma->vm_file == NULL)
39865 return 0;
39866
39867- if (FILTER(MAPPED_PRIVATE))
39868+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
39869 goto whole;
39870
39871 /*
39872@@ -1346,9 +1654,9 @@ static void fill_auxv_note(struct memelf
39873 {
39874 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
39875 int i = 0;
39876- do
39877+ do {
39878 i += 2;
39879- while (auxv[i - 2] != AT_NULL);
39880+ } while (auxv[i - 2] != AT_NULL);
39881 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
39882 }
39883
39884@@ -1854,14 +2162,14 @@ static void fill_extnum_info(struct elfh
39885 }
39886
39887 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
39888- unsigned long mm_flags)
39889+ struct coredump_params *cprm)
39890 {
39891 struct vm_area_struct *vma;
39892 size_t size = 0;
39893
39894 for (vma = first_vma(current, gate_vma); vma != NULL;
39895 vma = next_vma(vma, gate_vma))
39896- size += vma_dump_size(vma, mm_flags);
39897+ size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
39898 return size;
39899 }
39900
39901@@ -1955,7 +2263,7 @@ static int elf_core_dump(struct coredump
39902
39903 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
39904
39905- offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
39906+ offset += elf_core_vma_data_size(gate_vma, cprm);
39907 offset += elf_core_extra_data_size();
39908 e_shoff = offset;
39909
39910@@ -1969,10 +2277,12 @@ static int elf_core_dump(struct coredump
39911 offset = dataoff;
39912
39913 size += sizeof(*elf);
39914+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
39915 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
39916 goto end_coredump;
39917
39918 size += sizeof(*phdr4note);
39919+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
39920 if (size > cprm->limit
39921 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
39922 goto end_coredump;
39923@@ -1986,7 +2296,7 @@ static int elf_core_dump(struct coredump
39924 phdr.p_offset = offset;
39925 phdr.p_vaddr = vma->vm_start;
39926 phdr.p_paddr = 0;
39927- phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
39928+ phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
39929 phdr.p_memsz = vma->vm_end - vma->vm_start;
39930 offset += phdr.p_filesz;
39931 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
39932@@ -1997,6 +2307,7 @@ static int elf_core_dump(struct coredump
39933 phdr.p_align = ELF_EXEC_PAGESIZE;
39934
39935 size += sizeof(phdr);
39936+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
39937 if (size > cprm->limit
39938 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
39939 goto end_coredump;
39940@@ -2021,7 +2332,7 @@ static int elf_core_dump(struct coredump
39941 unsigned long addr;
39942 unsigned long end;
39943
39944- end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
39945+ end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
39946
39947 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
39948 struct page *page;
39949@@ -2030,6 +2341,7 @@ static int elf_core_dump(struct coredump
39950 page = get_dump_page(addr);
39951 if (page) {
39952 void *kaddr = kmap(page);
39953+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
39954 stop = ((size += PAGE_SIZE) > cprm->limit) ||
39955 !dump_write(cprm->file, kaddr,
39956 PAGE_SIZE);
39957@@ -2047,6 +2359,7 @@ static int elf_core_dump(struct coredump
39958
39959 if (e_phnum == PN_XNUM) {
39960 size += sizeof(*shdr4extnum);
39961+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
39962 if (size > cprm->limit
39963 || !dump_write(cprm->file, shdr4extnum,
39964 sizeof(*shdr4extnum)))
39965@@ -2067,6 +2380,97 @@ out:
39966
39967 #endif /* CONFIG_ELF_CORE */
39968
39969+#ifdef CONFIG_PAX_MPROTECT
39970+/* PaX: non-PIC ELF libraries need relocations on their executable segments
39971+ * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
39972+ * we'll remove VM_MAYWRITE for good on RELRO segments.
39973+ *
39974+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
39975+ * basis because we want to allow the common case and not the special ones.
39976+ */
39977+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
39978+{
39979+ struct elfhdr elf_h;
39980+ struct elf_phdr elf_p;
39981+ unsigned long i;
39982+ unsigned long oldflags;
39983+ bool is_textrel_rw, is_textrel_rx, is_relro;
39984+
39985+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
39986+ return;
39987+
39988+ oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
39989+ newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
39990+
39991+#ifdef CONFIG_PAX_ELFRELOCS
39992+ /* possible TEXTREL */
39993+ is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
39994+ is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
39995+#else
39996+ is_textrel_rw = false;
39997+ is_textrel_rx = false;
39998+#endif
39999+
40000+ /* possible RELRO */
40001+ is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
40002+
40003+ if (!is_textrel_rw && !is_textrel_rx && !is_relro)
40004+ return;
40005+
40006+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
40007+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
40008+
40009+#ifdef CONFIG_PAX_ETEXECRELOCS
40010+ ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
40011+#else
40012+ ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
40013+#endif
40014+
40015+ (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
40016+ !elf_check_arch(&elf_h) ||
40017+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
40018+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
40019+ return;
40020+
40021+ for (i = 0UL; i < elf_h.e_phnum; i++) {
40022+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
40023+ return;
40024+ switch (elf_p.p_type) {
40025+ case PT_DYNAMIC:
40026+ if (!is_textrel_rw && !is_textrel_rx)
40027+ continue;
40028+ i = 0UL;
40029+ while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
40030+ elf_dyn dyn;
40031+
40032+ if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
40033+ return;
40034+ if (dyn.d_tag == DT_NULL)
40035+ return;
40036+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
40037+ gr_log_textrel(vma);
40038+ if (is_textrel_rw)
40039+ vma->vm_flags |= VM_MAYWRITE;
40040+ else
40041+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
40042+ vma->vm_flags &= ~VM_MAYWRITE;
40043+ return;
40044+ }
40045+ i++;
40046+ }
40047+ return;
40048+
40049+ case PT_GNU_RELRO:
40050+ if (!is_relro)
40051+ continue;
40052+ if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
40053+ vma->vm_flags &= ~VM_MAYWRITE;
40054+ return;
40055+ }
40056+ }
40057+}
40058+#endif
40059+
40060 static int __init init_elf_binfmt(void)
40061 {
40062 return register_binfmt(&elf_format);
40063diff -urNp linux-3.0.7/fs/binfmt_flat.c linux-3.0.7/fs/binfmt_flat.c
40064--- linux-3.0.7/fs/binfmt_flat.c 2011-07-21 22:17:23.000000000 -0400
40065+++ linux-3.0.7/fs/binfmt_flat.c 2011-08-23 21:47:56.000000000 -0400
40066@@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
40067 realdatastart = (unsigned long) -ENOMEM;
40068 printk("Unable to allocate RAM for process data, errno %d\n",
40069 (int)-realdatastart);
40070+ down_write(&current->mm->mmap_sem);
40071 do_munmap(current->mm, textpos, text_len);
40072+ up_write(&current->mm->mmap_sem);
40073 ret = realdatastart;
40074 goto err;
40075 }
40076@@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
40077 }
40078 if (IS_ERR_VALUE(result)) {
40079 printk("Unable to read data+bss, errno %d\n", (int)-result);
40080+ down_write(&current->mm->mmap_sem);
40081 do_munmap(current->mm, textpos, text_len);
40082 do_munmap(current->mm, realdatastart, len);
40083+ up_write(&current->mm->mmap_sem);
40084 ret = result;
40085 goto err;
40086 }
40087@@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
40088 }
40089 if (IS_ERR_VALUE(result)) {
40090 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
40091+ down_write(&current->mm->mmap_sem);
40092 do_munmap(current->mm, textpos, text_len + data_len + extra +
40093 MAX_SHARED_LIBS * sizeof(unsigned long));
40094+ up_write(&current->mm->mmap_sem);
40095 ret = result;
40096 goto err;
40097 }
40098diff -urNp linux-3.0.7/fs/bio.c linux-3.0.7/fs/bio.c
40099--- linux-3.0.7/fs/bio.c 2011-07-21 22:17:23.000000000 -0400
40100+++ linux-3.0.7/fs/bio.c 2011-10-06 04:17:55.000000000 -0400
40101@@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
40102 const int read = bio_data_dir(bio) == READ;
40103 struct bio_map_data *bmd = bio->bi_private;
40104 int i;
40105- char *p = bmd->sgvecs[0].iov_base;
40106+ char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
40107
40108 __bio_for_each_segment(bvec, bio, i, 0) {
40109 char *addr = page_address(bvec->bv_page);
40110diff -urNp linux-3.0.7/fs/block_dev.c linux-3.0.7/fs/block_dev.c
40111--- linux-3.0.7/fs/block_dev.c 2011-10-16 21:54:54.000000000 -0400
40112+++ linux-3.0.7/fs/block_dev.c 2011-10-16 21:55:28.000000000 -0400
40113@@ -671,7 +671,7 @@ static bool bd_may_claim(struct block_de
40114 else if (bdev->bd_contains == bdev)
40115 return true; /* is a whole device which isn't held */
40116
40117- else if (whole->bd_holder == bd_may_claim)
40118+ else if (whole->bd_holder == (void *)bd_may_claim)
40119 return true; /* is a partition of a device that is being partitioned */
40120 else if (whole->bd_holder != NULL)
40121 return false; /* is a partition of a held device */
40122diff -urNp linux-3.0.7/fs/btrfs/ctree.c linux-3.0.7/fs/btrfs/ctree.c
40123--- linux-3.0.7/fs/btrfs/ctree.c 2011-07-21 22:17:23.000000000 -0400
40124+++ linux-3.0.7/fs/btrfs/ctree.c 2011-08-23 21:47:56.000000000 -0400
40125@@ -454,9 +454,12 @@ static noinline int __btrfs_cow_block(st
40126 free_extent_buffer(buf);
40127 add_root_to_dirty_list(root);
40128 } else {
40129- if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
40130- parent_start = parent->start;
40131- else
40132+ if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
40133+ if (parent)
40134+ parent_start = parent->start;
40135+ else
40136+ parent_start = 0;
40137+ } else
40138 parent_start = 0;
40139
40140 WARN_ON(trans->transid != btrfs_header_generation(parent));
40141diff -urNp linux-3.0.7/fs/btrfs/inode.c linux-3.0.7/fs/btrfs/inode.c
40142--- linux-3.0.7/fs/btrfs/inode.c 2011-10-16 21:54:54.000000000 -0400
40143+++ linux-3.0.7/fs/btrfs/inode.c 2011-10-16 21:55:28.000000000 -0400
40144@@ -6896,7 +6896,7 @@ fail:
40145 return -ENOMEM;
40146 }
40147
40148-static int btrfs_getattr(struct vfsmount *mnt,
40149+int btrfs_getattr(struct vfsmount *mnt,
40150 struct dentry *dentry, struct kstat *stat)
40151 {
40152 struct inode *inode = dentry->d_inode;
40153@@ -6908,6 +6908,14 @@ static int btrfs_getattr(struct vfsmount
40154 return 0;
40155 }
40156
40157+EXPORT_SYMBOL(btrfs_getattr);
40158+
40159+dev_t get_btrfs_dev_from_inode(struct inode *inode)
40160+{
40161+ return BTRFS_I(inode)->root->anon_super.s_dev;
40162+}
40163+EXPORT_SYMBOL(get_btrfs_dev_from_inode);
40164+
40165 /*
40166 * If a file is moved, it will inherit the cow and compression flags of the new
40167 * directory.
40168diff -urNp linux-3.0.7/fs/btrfs/ioctl.c linux-3.0.7/fs/btrfs/ioctl.c
40169--- linux-3.0.7/fs/btrfs/ioctl.c 2011-07-21 22:17:23.000000000 -0400
40170+++ linux-3.0.7/fs/btrfs/ioctl.c 2011-10-06 04:17:55.000000000 -0400
40171@@ -2676,9 +2676,12 @@ long btrfs_ioctl_space_info(struct btrfs
40172 for (i = 0; i < num_types; i++) {
40173 struct btrfs_space_info *tmp;
40174
40175+ /* Don't copy in more than we allocated */
40176 if (!slot_count)
40177 break;
40178
40179+ slot_count--;
40180+
40181 info = NULL;
40182 rcu_read_lock();
40183 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
40184@@ -2700,15 +2703,12 @@ long btrfs_ioctl_space_info(struct btrfs
40185 memcpy(dest, &space, sizeof(space));
40186 dest++;
40187 space_args.total_spaces++;
40188- slot_count--;
40189 }
40190- if (!slot_count)
40191- break;
40192 }
40193 up_read(&info->groups_sem);
40194 }
40195
40196- user_dest = (struct btrfs_ioctl_space_info *)
40197+ user_dest = (struct btrfs_ioctl_space_info __user *)
40198 (arg + sizeof(struct btrfs_ioctl_space_args));
40199
40200 if (copy_to_user(user_dest, dest_orig, alloc_size))
40201diff -urNp linux-3.0.7/fs/btrfs/relocation.c linux-3.0.7/fs/btrfs/relocation.c
40202--- linux-3.0.7/fs/btrfs/relocation.c 2011-07-21 22:17:23.000000000 -0400
40203+++ linux-3.0.7/fs/btrfs/relocation.c 2011-08-23 21:47:56.000000000 -0400
40204@@ -1242,7 +1242,7 @@ static int __update_reloc_root(struct bt
40205 }
40206 spin_unlock(&rc->reloc_root_tree.lock);
40207
40208- BUG_ON((struct btrfs_root *)node->data != root);
40209+ BUG_ON(!node || (struct btrfs_root *)node->data != root);
40210
40211 if (!del) {
40212 spin_lock(&rc->reloc_root_tree.lock);
40213diff -urNp linux-3.0.7/fs/cachefiles/bind.c linux-3.0.7/fs/cachefiles/bind.c
40214--- linux-3.0.7/fs/cachefiles/bind.c 2011-07-21 22:17:23.000000000 -0400
40215+++ linux-3.0.7/fs/cachefiles/bind.c 2011-08-23 21:47:56.000000000 -0400
40216@@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
40217 args);
40218
40219 /* start by checking things over */
40220- ASSERT(cache->fstop_percent >= 0 &&
40221- cache->fstop_percent < cache->fcull_percent &&
40222+ ASSERT(cache->fstop_percent < cache->fcull_percent &&
40223 cache->fcull_percent < cache->frun_percent &&
40224 cache->frun_percent < 100);
40225
40226- ASSERT(cache->bstop_percent >= 0 &&
40227- cache->bstop_percent < cache->bcull_percent &&
40228+ ASSERT(cache->bstop_percent < cache->bcull_percent &&
40229 cache->bcull_percent < cache->brun_percent &&
40230 cache->brun_percent < 100);
40231
40232diff -urNp linux-3.0.7/fs/cachefiles/daemon.c linux-3.0.7/fs/cachefiles/daemon.c
40233--- linux-3.0.7/fs/cachefiles/daemon.c 2011-07-21 22:17:23.000000000 -0400
40234+++ linux-3.0.7/fs/cachefiles/daemon.c 2011-08-23 21:47:56.000000000 -0400
40235@@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
40236 if (n > buflen)
40237 return -EMSGSIZE;
40238
40239- if (copy_to_user(_buffer, buffer, n) != 0)
40240+ if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
40241 return -EFAULT;
40242
40243 return n;
40244@@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
40245 if (test_bit(CACHEFILES_DEAD, &cache->flags))
40246 return -EIO;
40247
40248- if (datalen < 0 || datalen > PAGE_SIZE - 1)
40249+ if (datalen > PAGE_SIZE - 1)
40250 return -EOPNOTSUPP;
40251
40252 /* drag the command string into the kernel so we can parse it */
40253@@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
40254 if (args[0] != '%' || args[1] != '\0')
40255 return -EINVAL;
40256
40257- if (fstop < 0 || fstop >= cache->fcull_percent)
40258+ if (fstop >= cache->fcull_percent)
40259 return cachefiles_daemon_range_error(cache, args);
40260
40261 cache->fstop_percent = fstop;
40262@@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
40263 if (args[0] != '%' || args[1] != '\0')
40264 return -EINVAL;
40265
40266- if (bstop < 0 || bstop >= cache->bcull_percent)
40267+ if (bstop >= cache->bcull_percent)
40268 return cachefiles_daemon_range_error(cache, args);
40269
40270 cache->bstop_percent = bstop;
40271diff -urNp linux-3.0.7/fs/cachefiles/internal.h linux-3.0.7/fs/cachefiles/internal.h
40272--- linux-3.0.7/fs/cachefiles/internal.h 2011-07-21 22:17:23.000000000 -0400
40273+++ linux-3.0.7/fs/cachefiles/internal.h 2011-08-23 21:47:56.000000000 -0400
40274@@ -57,7 +57,7 @@ struct cachefiles_cache {
40275 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
40276 struct rb_root active_nodes; /* active nodes (can't be culled) */
40277 rwlock_t active_lock; /* lock for active_nodes */
40278- atomic_t gravecounter; /* graveyard uniquifier */
40279+ atomic_unchecked_t gravecounter; /* graveyard uniquifier */
40280 unsigned frun_percent; /* when to stop culling (% files) */
40281 unsigned fcull_percent; /* when to start culling (% files) */
40282 unsigned fstop_percent; /* when to stop allocating (% files) */
40283@@ -169,19 +169,19 @@ extern int cachefiles_check_in_use(struc
40284 * proc.c
40285 */
40286 #ifdef CONFIG_CACHEFILES_HISTOGRAM
40287-extern atomic_t cachefiles_lookup_histogram[HZ];
40288-extern atomic_t cachefiles_mkdir_histogram[HZ];
40289-extern atomic_t cachefiles_create_histogram[HZ];
40290+extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
40291+extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
40292+extern atomic_unchecked_t cachefiles_create_histogram[HZ];
40293
40294 extern int __init cachefiles_proc_init(void);
40295 extern void cachefiles_proc_cleanup(void);
40296 static inline
40297-void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
40298+void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
40299 {
40300 unsigned long jif = jiffies - start_jif;
40301 if (jif >= HZ)
40302 jif = HZ - 1;
40303- atomic_inc(&histogram[jif]);
40304+ atomic_inc_unchecked(&histogram[jif]);
40305 }
40306
40307 #else
40308diff -urNp linux-3.0.7/fs/cachefiles/namei.c linux-3.0.7/fs/cachefiles/namei.c
40309--- linux-3.0.7/fs/cachefiles/namei.c 2011-07-21 22:17:23.000000000 -0400
40310+++ linux-3.0.7/fs/cachefiles/namei.c 2011-08-23 21:47:56.000000000 -0400
40311@@ -318,7 +318,7 @@ try_again:
40312 /* first step is to make up a grave dentry in the graveyard */
40313 sprintf(nbuffer, "%08x%08x",
40314 (uint32_t) get_seconds(),
40315- (uint32_t) atomic_inc_return(&cache->gravecounter));
40316+ (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
40317
40318 /* do the multiway lock magic */
40319 trap = lock_rename(cache->graveyard, dir);
40320diff -urNp linux-3.0.7/fs/cachefiles/proc.c linux-3.0.7/fs/cachefiles/proc.c
40321--- linux-3.0.7/fs/cachefiles/proc.c 2011-07-21 22:17:23.000000000 -0400
40322+++ linux-3.0.7/fs/cachefiles/proc.c 2011-08-23 21:47:56.000000000 -0400
40323@@ -14,9 +14,9 @@
40324 #include <linux/seq_file.h>
40325 #include "internal.h"
40326
40327-atomic_t cachefiles_lookup_histogram[HZ];
40328-atomic_t cachefiles_mkdir_histogram[HZ];
40329-atomic_t cachefiles_create_histogram[HZ];
40330+atomic_unchecked_t cachefiles_lookup_histogram[HZ];
40331+atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
40332+atomic_unchecked_t cachefiles_create_histogram[HZ];
40333
40334 /*
40335 * display the latency histogram
40336@@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
40337 return 0;
40338 default:
40339 index = (unsigned long) v - 3;
40340- x = atomic_read(&cachefiles_lookup_histogram[index]);
40341- y = atomic_read(&cachefiles_mkdir_histogram[index]);
40342- z = atomic_read(&cachefiles_create_histogram[index]);
40343+ x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
40344+ y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
40345+ z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
40346 if (x == 0 && y == 0 && z == 0)
40347 return 0;
40348
40349diff -urNp linux-3.0.7/fs/cachefiles/rdwr.c linux-3.0.7/fs/cachefiles/rdwr.c
40350--- linux-3.0.7/fs/cachefiles/rdwr.c 2011-07-21 22:17:23.000000000 -0400
40351+++ linux-3.0.7/fs/cachefiles/rdwr.c 2011-10-06 04:17:55.000000000 -0400
40352@@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
40353 old_fs = get_fs();
40354 set_fs(KERNEL_DS);
40355 ret = file->f_op->write(
40356- file, (const void __user *) data, len, &pos);
40357+ file, (const void __force_user *) data, len, &pos);
40358 set_fs(old_fs);
40359 kunmap(page);
40360 if (ret != len)
40361diff -urNp linux-3.0.7/fs/ceph/dir.c linux-3.0.7/fs/ceph/dir.c
40362--- linux-3.0.7/fs/ceph/dir.c 2011-07-21 22:17:23.000000000 -0400
40363+++ linux-3.0.7/fs/ceph/dir.c 2011-08-23 21:47:56.000000000 -0400
40364@@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
40365 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
40366 struct ceph_mds_client *mdsc = fsc->mdsc;
40367 unsigned frag = fpos_frag(filp->f_pos);
40368- int off = fpos_off(filp->f_pos);
40369+ unsigned int off = fpos_off(filp->f_pos);
40370 int err;
40371 u32 ftype;
40372 struct ceph_mds_reply_info_parsed *rinfo;
40373diff -urNp linux-3.0.7/fs/cifs/cifs_debug.c linux-3.0.7/fs/cifs/cifs_debug.c
40374--- linux-3.0.7/fs/cifs/cifs_debug.c 2011-07-21 22:17:23.000000000 -0400
40375+++ linux-3.0.7/fs/cifs/cifs_debug.c 2011-08-25 17:18:05.000000000 -0400
40376@@ -265,8 +265,8 @@ static ssize_t cifs_stats_proc_write(str
40377
40378 if (c == '1' || c == 'y' || c == 'Y' || c == '0') {
40379 #ifdef CONFIG_CIFS_STATS2
40380- atomic_set(&totBufAllocCount, 0);
40381- atomic_set(&totSmBufAllocCount, 0);
40382+ atomic_set_unchecked(&totBufAllocCount, 0);
40383+ atomic_set_unchecked(&totSmBufAllocCount, 0);
40384 #endif /* CONFIG_CIFS_STATS2 */
40385 spin_lock(&cifs_tcp_ses_lock);
40386 list_for_each(tmp1, &cifs_tcp_ses_list) {
40387@@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
40388 tcon = list_entry(tmp3,
40389 struct cifs_tcon,
40390 tcon_list);
40391- atomic_set(&tcon->num_smbs_sent, 0);
40392- atomic_set(&tcon->num_writes, 0);
40393- atomic_set(&tcon->num_reads, 0);
40394- atomic_set(&tcon->num_oplock_brks, 0);
40395- atomic_set(&tcon->num_opens, 0);
40396- atomic_set(&tcon->num_posixopens, 0);
40397- atomic_set(&tcon->num_posixmkdirs, 0);
40398- atomic_set(&tcon->num_closes, 0);
40399- atomic_set(&tcon->num_deletes, 0);
40400- atomic_set(&tcon->num_mkdirs, 0);
40401- atomic_set(&tcon->num_rmdirs, 0);
40402- atomic_set(&tcon->num_renames, 0);
40403- atomic_set(&tcon->num_t2renames, 0);
40404- atomic_set(&tcon->num_ffirst, 0);
40405- atomic_set(&tcon->num_fnext, 0);
40406- atomic_set(&tcon->num_fclose, 0);
40407- atomic_set(&tcon->num_hardlinks, 0);
40408- atomic_set(&tcon->num_symlinks, 0);
40409- atomic_set(&tcon->num_locks, 0);
40410+ atomic_set_unchecked(&tcon->num_smbs_sent, 0);
40411+ atomic_set_unchecked(&tcon->num_writes, 0);
40412+ atomic_set_unchecked(&tcon->num_reads, 0);
40413+ atomic_set_unchecked(&tcon->num_oplock_brks, 0);
40414+ atomic_set_unchecked(&tcon->num_opens, 0);
40415+ atomic_set_unchecked(&tcon->num_posixopens, 0);
40416+ atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
40417+ atomic_set_unchecked(&tcon->num_closes, 0);
40418+ atomic_set_unchecked(&tcon->num_deletes, 0);
40419+ atomic_set_unchecked(&tcon->num_mkdirs, 0);
40420+ atomic_set_unchecked(&tcon->num_rmdirs, 0);
40421+ atomic_set_unchecked(&tcon->num_renames, 0);
40422+ atomic_set_unchecked(&tcon->num_t2renames, 0);
40423+ atomic_set_unchecked(&tcon->num_ffirst, 0);
40424+ atomic_set_unchecked(&tcon->num_fnext, 0);
40425+ atomic_set_unchecked(&tcon->num_fclose, 0);
40426+ atomic_set_unchecked(&tcon->num_hardlinks, 0);
40427+ atomic_set_unchecked(&tcon->num_symlinks, 0);
40428+ atomic_set_unchecked(&tcon->num_locks, 0);
40429 }
40430 }
40431 }
40432@@ -327,8 +327,8 @@ static int cifs_stats_proc_show(struct s
40433 smBufAllocCount.counter, cifs_min_small);
40434 #ifdef CONFIG_CIFS_STATS2
40435 seq_printf(m, "Total Large %d Small %d Allocations\n",
40436- atomic_read(&totBufAllocCount),
40437- atomic_read(&totSmBufAllocCount));
40438+ atomic_read_unchecked(&totBufAllocCount),
40439+ atomic_read_unchecked(&totSmBufAllocCount));
40440 #endif /* CONFIG_CIFS_STATS2 */
40441
40442 seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
40443@@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
40444 if (tcon->need_reconnect)
40445 seq_puts(m, "\tDISCONNECTED ");
40446 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
40447- atomic_read(&tcon->num_smbs_sent),
40448- atomic_read(&tcon->num_oplock_brks));
40449+ atomic_read_unchecked(&tcon->num_smbs_sent),
40450+ atomic_read_unchecked(&tcon->num_oplock_brks));
40451 seq_printf(m, "\nReads: %d Bytes: %lld",
40452- atomic_read(&tcon->num_reads),
40453+ atomic_read_unchecked(&tcon->num_reads),
40454 (long long)(tcon->bytes_read));
40455 seq_printf(m, "\nWrites: %d Bytes: %lld",
40456- atomic_read(&tcon->num_writes),
40457+ atomic_read_unchecked(&tcon->num_writes),
40458 (long long)(tcon->bytes_written));
40459 seq_printf(m, "\nFlushes: %d",
40460- atomic_read(&tcon->num_flushes));
40461+ atomic_read_unchecked(&tcon->num_flushes));
40462 seq_printf(m, "\nLocks: %d HardLinks: %d "
40463 "Symlinks: %d",
40464- atomic_read(&tcon->num_locks),
40465- atomic_read(&tcon->num_hardlinks),
40466- atomic_read(&tcon->num_symlinks));
40467+ atomic_read_unchecked(&tcon->num_locks),
40468+ atomic_read_unchecked(&tcon->num_hardlinks),
40469+ atomic_read_unchecked(&tcon->num_symlinks));
40470 seq_printf(m, "\nOpens: %d Closes: %d "
40471 "Deletes: %d",
40472- atomic_read(&tcon->num_opens),
40473- atomic_read(&tcon->num_closes),
40474- atomic_read(&tcon->num_deletes));
40475+ atomic_read_unchecked(&tcon->num_opens),
40476+ atomic_read_unchecked(&tcon->num_closes),
40477+ atomic_read_unchecked(&tcon->num_deletes));
40478 seq_printf(m, "\nPosix Opens: %d "
40479 "Posix Mkdirs: %d",
40480- atomic_read(&tcon->num_posixopens),
40481- atomic_read(&tcon->num_posixmkdirs));
40482+ atomic_read_unchecked(&tcon->num_posixopens),
40483+ atomic_read_unchecked(&tcon->num_posixmkdirs));
40484 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
40485- atomic_read(&tcon->num_mkdirs),
40486- atomic_read(&tcon->num_rmdirs));
40487+ atomic_read_unchecked(&tcon->num_mkdirs),
40488+ atomic_read_unchecked(&tcon->num_rmdirs));
40489 seq_printf(m, "\nRenames: %d T2 Renames %d",
40490- atomic_read(&tcon->num_renames),
40491- atomic_read(&tcon->num_t2renames));
40492+ atomic_read_unchecked(&tcon->num_renames),
40493+ atomic_read_unchecked(&tcon->num_t2renames));
40494 seq_printf(m, "\nFindFirst: %d FNext %d "
40495 "FClose %d",
40496- atomic_read(&tcon->num_ffirst),
40497- atomic_read(&tcon->num_fnext),
40498- atomic_read(&tcon->num_fclose));
40499+ atomic_read_unchecked(&tcon->num_ffirst),
40500+ atomic_read_unchecked(&tcon->num_fnext),
40501+ atomic_read_unchecked(&tcon->num_fclose));
40502 }
40503 }
40504 }
40505diff -urNp linux-3.0.7/fs/cifs/cifsfs.c linux-3.0.7/fs/cifs/cifsfs.c
40506--- linux-3.0.7/fs/cifs/cifsfs.c 2011-09-02 18:11:21.000000000 -0400
40507+++ linux-3.0.7/fs/cifs/cifsfs.c 2011-08-25 17:18:05.000000000 -0400
40508@@ -994,7 +994,7 @@ cifs_init_request_bufs(void)
40509 cifs_req_cachep = kmem_cache_create("cifs_request",
40510 CIFSMaxBufSize +
40511 MAX_CIFS_HDR_SIZE, 0,
40512- SLAB_HWCACHE_ALIGN, NULL);
40513+ SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
40514 if (cifs_req_cachep == NULL)
40515 return -ENOMEM;
40516
40517@@ -1021,7 +1021,7 @@ cifs_init_request_bufs(void)
40518 efficient to alloc 1 per page off the slab compared to 17K (5page)
40519 alloc of large cifs buffers even when page debugging is on */
40520 cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
40521- MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
40522+ MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
40523 NULL);
40524 if (cifs_sm_req_cachep == NULL) {
40525 mempool_destroy(cifs_req_poolp);
40526@@ -1106,8 +1106,8 @@ init_cifs(void)
40527 atomic_set(&bufAllocCount, 0);
40528 atomic_set(&smBufAllocCount, 0);
40529 #ifdef CONFIG_CIFS_STATS2
40530- atomic_set(&totBufAllocCount, 0);
40531- atomic_set(&totSmBufAllocCount, 0);
40532+ atomic_set_unchecked(&totBufAllocCount, 0);
40533+ atomic_set_unchecked(&totSmBufAllocCount, 0);
40534 #endif /* CONFIG_CIFS_STATS2 */
40535
40536 atomic_set(&midCount, 0);
40537diff -urNp linux-3.0.7/fs/cifs/cifsglob.h linux-3.0.7/fs/cifs/cifsglob.h
40538--- linux-3.0.7/fs/cifs/cifsglob.h 2011-07-21 22:17:23.000000000 -0400
40539+++ linux-3.0.7/fs/cifs/cifsglob.h 2011-08-25 17:18:05.000000000 -0400
40540@@ -381,28 +381,28 @@ struct cifs_tcon {
40541 __u16 Flags; /* optional support bits */
40542 enum statusEnum tidStatus;
40543 #ifdef CONFIG_CIFS_STATS
40544- atomic_t num_smbs_sent;
40545- atomic_t num_writes;
40546- atomic_t num_reads;
40547- atomic_t num_flushes;
40548- atomic_t num_oplock_brks;
40549- atomic_t num_opens;
40550- atomic_t num_closes;
40551- atomic_t num_deletes;
40552- atomic_t num_mkdirs;
40553- atomic_t num_posixopens;
40554- atomic_t num_posixmkdirs;
40555- atomic_t num_rmdirs;
40556- atomic_t num_renames;
40557- atomic_t num_t2renames;
40558- atomic_t num_ffirst;
40559- atomic_t num_fnext;
40560- atomic_t num_fclose;
40561- atomic_t num_hardlinks;
40562- atomic_t num_symlinks;
40563- atomic_t num_locks;
40564- atomic_t num_acl_get;
40565- atomic_t num_acl_set;
40566+ atomic_unchecked_t num_smbs_sent;
40567+ atomic_unchecked_t num_writes;
40568+ atomic_unchecked_t num_reads;
40569+ atomic_unchecked_t num_flushes;
40570+ atomic_unchecked_t num_oplock_brks;
40571+ atomic_unchecked_t num_opens;
40572+ atomic_unchecked_t num_closes;
40573+ atomic_unchecked_t num_deletes;
40574+ atomic_unchecked_t num_mkdirs;
40575+ atomic_unchecked_t num_posixopens;
40576+ atomic_unchecked_t num_posixmkdirs;
40577+ atomic_unchecked_t num_rmdirs;
40578+ atomic_unchecked_t num_renames;
40579+ atomic_unchecked_t num_t2renames;
40580+ atomic_unchecked_t num_ffirst;
40581+ atomic_unchecked_t num_fnext;
40582+ atomic_unchecked_t num_fclose;
40583+ atomic_unchecked_t num_hardlinks;
40584+ atomic_unchecked_t num_symlinks;
40585+ atomic_unchecked_t num_locks;
40586+ atomic_unchecked_t num_acl_get;
40587+ atomic_unchecked_t num_acl_set;
40588 #ifdef CONFIG_CIFS_STATS2
40589 unsigned long long time_writes;
40590 unsigned long long time_reads;
40591@@ -613,7 +613,7 @@ convert_delimiter(char *path, char delim
40592 }
40593
40594 #ifdef CONFIG_CIFS_STATS
40595-#define cifs_stats_inc atomic_inc
40596+#define cifs_stats_inc atomic_inc_unchecked
40597
40598 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
40599 unsigned int bytes)
40600@@ -911,8 +911,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
40601 /* Various Debug counters */
40602 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
40603 #ifdef CONFIG_CIFS_STATS2
40604-GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
40605-GLOBAL_EXTERN atomic_t totSmBufAllocCount;
40606+GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
40607+GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
40608 #endif
40609 GLOBAL_EXTERN atomic_t smBufAllocCount;
40610 GLOBAL_EXTERN atomic_t midCount;
40611diff -urNp linux-3.0.7/fs/cifs/link.c linux-3.0.7/fs/cifs/link.c
40612--- linux-3.0.7/fs/cifs/link.c 2011-07-21 22:17:23.000000000 -0400
40613+++ linux-3.0.7/fs/cifs/link.c 2011-08-23 21:47:56.000000000 -0400
40614@@ -587,7 +587,7 @@ symlink_exit:
40615
40616 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
40617 {
40618- char *p = nd_get_link(nd);
40619+ const char *p = nd_get_link(nd);
40620 if (!IS_ERR(p))
40621 kfree(p);
40622 }
40623diff -urNp linux-3.0.7/fs/cifs/misc.c linux-3.0.7/fs/cifs/misc.c
40624--- linux-3.0.7/fs/cifs/misc.c 2011-07-21 22:17:23.000000000 -0400
40625+++ linux-3.0.7/fs/cifs/misc.c 2011-08-25 17:18:05.000000000 -0400
40626@@ -156,7 +156,7 @@ cifs_buf_get(void)
40627 memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
40628 atomic_inc(&bufAllocCount);
40629 #ifdef CONFIG_CIFS_STATS2
40630- atomic_inc(&totBufAllocCount);
40631+ atomic_inc_unchecked(&totBufAllocCount);
40632 #endif /* CONFIG_CIFS_STATS2 */
40633 }
40634
40635@@ -191,7 +191,7 @@ cifs_small_buf_get(void)
40636 /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
40637 atomic_inc(&smBufAllocCount);
40638 #ifdef CONFIG_CIFS_STATS2
40639- atomic_inc(&totSmBufAllocCount);
40640+ atomic_inc_unchecked(&totSmBufAllocCount);
40641 #endif /* CONFIG_CIFS_STATS2 */
40642
40643 }
40644diff -urNp linux-3.0.7/fs/coda/cache.c linux-3.0.7/fs/coda/cache.c
40645--- linux-3.0.7/fs/coda/cache.c 2011-07-21 22:17:23.000000000 -0400
40646+++ linux-3.0.7/fs/coda/cache.c 2011-08-23 21:47:56.000000000 -0400
40647@@ -24,7 +24,7 @@
40648 #include "coda_linux.h"
40649 #include "coda_cache.h"
40650
40651-static atomic_t permission_epoch = ATOMIC_INIT(0);
40652+static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
40653
40654 /* replace or extend an acl cache hit */
40655 void coda_cache_enter(struct inode *inode, int mask)
40656@@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inod
40657 struct coda_inode_info *cii = ITOC(inode);
40658
40659 spin_lock(&cii->c_lock);
40660- cii->c_cached_epoch = atomic_read(&permission_epoch);
40661+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
40662 if (cii->c_uid != current_fsuid()) {
40663 cii->c_uid = current_fsuid();
40664 cii->c_cached_perm = mask;
40665@@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode
40666 {
40667 struct coda_inode_info *cii = ITOC(inode);
40668 spin_lock(&cii->c_lock);
40669- cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
40670+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
40671 spin_unlock(&cii->c_lock);
40672 }
40673
40674 /* remove all acl caches */
40675 void coda_cache_clear_all(struct super_block *sb)
40676 {
40677- atomic_inc(&permission_epoch);
40678+ atomic_inc_unchecked(&permission_epoch);
40679 }
40680
40681
40682@@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode
40683 spin_lock(&cii->c_lock);
40684 hit = (mask & cii->c_cached_perm) == mask &&
40685 cii->c_uid == current_fsuid() &&
40686- cii->c_cached_epoch == atomic_read(&permission_epoch);
40687+ cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
40688 spin_unlock(&cii->c_lock);
40689
40690 return hit;
40691diff -urNp linux-3.0.7/fs/compat.c linux-3.0.7/fs/compat.c
40692--- linux-3.0.7/fs/compat.c 2011-07-21 22:17:23.000000000 -0400
40693+++ linux-3.0.7/fs/compat.c 2011-10-06 04:17:55.000000000 -0400
40694@@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(const
40695 static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
40696 {
40697 compat_ino_t ino = stat->ino;
40698- typeof(ubuf->st_uid) uid = 0;
40699- typeof(ubuf->st_gid) gid = 0;
40700+ typeof(((struct compat_stat *)0)->st_uid) uid = 0;
40701+ typeof(((struct compat_stat *)0)->st_gid) gid = 0;
40702 int err;
40703
40704 SET_UID(uid, stat->uid);
40705@@ -508,7 +508,7 @@ compat_sys_io_setup(unsigned nr_reqs, u3
40706
40707 set_fs(KERNEL_DS);
40708 /* The __user pointer cast is valid because of the set_fs() */
40709- ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
40710+ ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
40711 set_fs(oldfs);
40712 /* truncating is ok because it's a user address */
40713 if (!ret)
40714@@ -566,7 +566,7 @@ ssize_t compat_rw_copy_check_uvector(int
40715 goto out;
40716
40717 ret = -EINVAL;
40718- if (nr_segs > UIO_MAXIOV || nr_segs < 0)
40719+ if (nr_segs > UIO_MAXIOV)
40720 goto out;
40721 if (nr_segs > fast_segs) {
40722 ret = -ENOMEM;
40723@@ -848,6 +848,7 @@ struct compat_old_linux_dirent {
40724
40725 struct compat_readdir_callback {
40726 struct compat_old_linux_dirent __user *dirent;
40727+ struct file * file;
40728 int result;
40729 };
40730
40731@@ -865,6 +866,10 @@ static int compat_fillonedir(void *__buf
40732 buf->result = -EOVERFLOW;
40733 return -EOVERFLOW;
40734 }
40735+
40736+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
40737+ return 0;
40738+
40739 buf->result++;
40740 dirent = buf->dirent;
40741 if (!access_ok(VERIFY_WRITE, dirent,
40742@@ -897,6 +902,7 @@ asmlinkage long compat_sys_old_readdir(u
40743
40744 buf.result = 0;
40745 buf.dirent = dirent;
40746+ buf.file = file;
40747
40748 error = vfs_readdir(file, compat_fillonedir, &buf);
40749 if (buf.result)
40750@@ -917,6 +923,7 @@ struct compat_linux_dirent {
40751 struct compat_getdents_callback {
40752 struct compat_linux_dirent __user *current_dir;
40753 struct compat_linux_dirent __user *previous;
40754+ struct file * file;
40755 int count;
40756 int error;
40757 };
40758@@ -938,6 +945,10 @@ static int compat_filldir(void *__buf, c
40759 buf->error = -EOVERFLOW;
40760 return -EOVERFLOW;
40761 }
40762+
40763+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
40764+ return 0;
40765+
40766 dirent = buf->previous;
40767 if (dirent) {
40768 if (__put_user(offset, &dirent->d_off))
40769@@ -985,6 +996,7 @@ asmlinkage long compat_sys_getdents(unsi
40770 buf.previous = NULL;
40771 buf.count = count;
40772 buf.error = 0;
40773+ buf.file = file;
40774
40775 error = vfs_readdir(file, compat_filldir, &buf);
40776 if (error >= 0)
40777@@ -1006,6 +1018,7 @@ out:
40778 struct compat_getdents_callback64 {
40779 struct linux_dirent64 __user *current_dir;
40780 struct linux_dirent64 __user *previous;
40781+ struct file * file;
40782 int count;
40783 int error;
40784 };
40785@@ -1022,6 +1035,10 @@ static int compat_filldir64(void * __buf
40786 buf->error = -EINVAL; /* only used if we fail.. */
40787 if (reclen > buf->count)
40788 return -EINVAL;
40789+
40790+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
40791+ return 0;
40792+
40793 dirent = buf->previous;
40794
40795 if (dirent) {
40796@@ -1073,13 +1090,14 @@ asmlinkage long compat_sys_getdents64(un
40797 buf.previous = NULL;
40798 buf.count = count;
40799 buf.error = 0;
40800+ buf.file = file;
40801
40802 error = vfs_readdir(file, compat_filldir64, &buf);
40803 if (error >= 0)
40804 error = buf.error;
40805 lastdirent = buf.previous;
40806 if (lastdirent) {
40807- typeof(lastdirent->d_off) d_off = file->f_pos;
40808+ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
40809 if (__put_user_unaligned(d_off, &lastdirent->d_off))
40810 error = -EFAULT;
40811 else
40812@@ -1446,6 +1464,8 @@ int compat_core_sys_select(int n, compat
40813 struct fdtable *fdt;
40814 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
40815
40816+ pax_track_stack();
40817+
40818 if (n < 0)
40819 goto out_nofds;
40820
40821@@ -1904,7 +1924,7 @@ asmlinkage long compat_sys_nfsservctl(in
40822 oldfs = get_fs();
40823 set_fs(KERNEL_DS);
40824 /* The __user pointer casts are valid because of the set_fs() */
40825- err = sys_nfsservctl(cmd, (void __user *) karg, (void __user *) kres);
40826+ err = sys_nfsservctl(cmd, (void __force_user *) karg, (void __force_user *) kres);
40827 set_fs(oldfs);
40828
40829 if (err)
40830diff -urNp linux-3.0.7/fs/compat_binfmt_elf.c linux-3.0.7/fs/compat_binfmt_elf.c
40831--- linux-3.0.7/fs/compat_binfmt_elf.c 2011-07-21 22:17:23.000000000 -0400
40832+++ linux-3.0.7/fs/compat_binfmt_elf.c 2011-08-23 21:47:56.000000000 -0400
40833@@ -30,11 +30,13 @@
40834 #undef elf_phdr
40835 #undef elf_shdr
40836 #undef elf_note
40837+#undef elf_dyn
40838 #undef elf_addr_t
40839 #define elfhdr elf32_hdr
40840 #define elf_phdr elf32_phdr
40841 #define elf_shdr elf32_shdr
40842 #define elf_note elf32_note
40843+#define elf_dyn Elf32_Dyn
40844 #define elf_addr_t Elf32_Addr
40845
40846 /*
40847diff -urNp linux-3.0.7/fs/compat_ioctl.c linux-3.0.7/fs/compat_ioctl.c
40848--- linux-3.0.7/fs/compat_ioctl.c 2011-07-21 22:17:23.000000000 -0400
40849+++ linux-3.0.7/fs/compat_ioctl.c 2011-10-06 04:17:55.000000000 -0400
40850@@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
40851
40852 err = get_user(palp, &up->palette);
40853 err |= get_user(length, &up->length);
40854+ if (err)
40855+ return -EFAULT;
40856
40857 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
40858 err = put_user(compat_ptr(palp), &up_native->palette);
40859@@ -619,7 +621,7 @@ static int serial_struct_ioctl(unsigned
40860 return -EFAULT;
40861 if (__get_user(udata, &ss32->iomem_base))
40862 return -EFAULT;
40863- ss.iomem_base = compat_ptr(udata);
40864+ ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
40865 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
40866 __get_user(ss.port_high, &ss32->port_high))
40867 return -EFAULT;
40868@@ -794,7 +796,7 @@ static int compat_ioctl_preallocate(stru
40869 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
40870 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
40871 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
40872- copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
40873+ copy_in_user(p->l_pad, &p32->l_pad, 4*sizeof(u32)))
40874 return -EFAULT;
40875
40876 return ioctl_preallocate(file, p);
40877@@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
40878 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
40879 {
40880 unsigned int a, b;
40881- a = *(unsigned int *)p;
40882- b = *(unsigned int *)q;
40883+ a = *(const unsigned int *)p;
40884+ b = *(const unsigned int *)q;
40885 if (a > b)
40886 return 1;
40887 if (a < b)
40888diff -urNp linux-3.0.7/fs/configfs/dir.c linux-3.0.7/fs/configfs/dir.c
40889--- linux-3.0.7/fs/configfs/dir.c 2011-07-21 22:17:23.000000000 -0400
40890+++ linux-3.0.7/fs/configfs/dir.c 2011-08-23 21:47:56.000000000 -0400
40891@@ -1575,7 +1575,8 @@ static int configfs_readdir(struct file
40892 }
40893 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
40894 struct configfs_dirent *next;
40895- const char * name;
40896+ const unsigned char * name;
40897+ char d_name[sizeof(next->s_dentry->d_iname)];
40898 int len;
40899 struct inode *inode = NULL;
40900
40901@@ -1585,7 +1586,12 @@ static int configfs_readdir(struct file
40902 continue;
40903
40904 name = configfs_get_name(next);
40905- len = strlen(name);
40906+ if (next->s_dentry && name == next->s_dentry->d_iname) {
40907+ len = next->s_dentry->d_name.len;
40908+ memcpy(d_name, name, len);
40909+ name = d_name;
40910+ } else
40911+ len = strlen(name);
40912
40913 /*
40914 * We'll have a dentry and an inode for
40915diff -urNp linux-3.0.7/fs/dcache.c linux-3.0.7/fs/dcache.c
40916--- linux-3.0.7/fs/dcache.c 2011-07-21 22:17:23.000000000 -0400
40917+++ linux-3.0.7/fs/dcache.c 2011-08-23 21:47:56.000000000 -0400
40918@@ -3089,7 +3089,7 @@ void __init vfs_caches_init(unsigned lon
40919 mempages -= reserve;
40920
40921 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
40922- SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
40923+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
40924
40925 dcache_init();
40926 inode_init();
40927diff -urNp linux-3.0.7/fs/ecryptfs/inode.c linux-3.0.7/fs/ecryptfs/inode.c
40928--- linux-3.0.7/fs/ecryptfs/inode.c 2011-09-02 18:11:21.000000000 -0400
40929+++ linux-3.0.7/fs/ecryptfs/inode.c 2011-10-06 04:17:55.000000000 -0400
40930@@ -704,7 +704,7 @@ static int ecryptfs_readlink_lower(struc
40931 old_fs = get_fs();
40932 set_fs(get_ds());
40933 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
40934- (char __user *)lower_buf,
40935+ (char __force_user *)lower_buf,
40936 lower_bufsiz);
40937 set_fs(old_fs);
40938 if (rc < 0)
40939@@ -750,7 +750,7 @@ static void *ecryptfs_follow_link(struct
40940 }
40941 old_fs = get_fs();
40942 set_fs(get_ds());
40943- rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
40944+ rc = dentry->d_inode->i_op->readlink(dentry, (char __force_user *)buf, len);
40945 set_fs(old_fs);
40946 if (rc < 0) {
40947 kfree(buf);
40948@@ -765,7 +765,7 @@ out:
40949 static void
40950 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
40951 {
40952- char *buf = nd_get_link(nd);
40953+ const char *buf = nd_get_link(nd);
40954 if (!IS_ERR(buf)) {
40955 /* Free the char* */
40956 kfree(buf);
40957diff -urNp linux-3.0.7/fs/ecryptfs/miscdev.c linux-3.0.7/fs/ecryptfs/miscdev.c
40958--- linux-3.0.7/fs/ecryptfs/miscdev.c 2011-07-21 22:17:23.000000000 -0400
40959+++ linux-3.0.7/fs/ecryptfs/miscdev.c 2011-08-23 21:47:56.000000000 -0400
40960@@ -328,7 +328,7 @@ check_list:
40961 goto out_unlock_msg_ctx;
40962 i = 5;
40963 if (msg_ctx->msg) {
40964- if (copy_to_user(&buf[i], packet_length, packet_length_size))
40965+ if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
40966 goto out_unlock_msg_ctx;
40967 i += packet_length_size;
40968 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
40969diff -urNp linux-3.0.7/fs/ecryptfs/read_write.c linux-3.0.7/fs/ecryptfs/read_write.c
40970--- linux-3.0.7/fs/ecryptfs/read_write.c 2011-09-02 18:11:21.000000000 -0400
40971+++ linux-3.0.7/fs/ecryptfs/read_write.c 2011-10-06 04:17:55.000000000 -0400
40972@@ -48,7 +48,7 @@ int ecryptfs_write_lower(struct inode *e
40973 return -EIO;
40974 fs_save = get_fs();
40975 set_fs(get_ds());
40976- rc = vfs_write(lower_file, data, size, &offset);
40977+ rc = vfs_write(lower_file, (const char __force_user *)data, size, &offset);
40978 set_fs(fs_save);
40979 mark_inode_dirty_sync(ecryptfs_inode);
40980 return rc;
40981@@ -235,7 +235,7 @@ int ecryptfs_read_lower(char *data, loff
40982 return -EIO;
40983 fs_save = get_fs();
40984 set_fs(get_ds());
40985- rc = vfs_read(lower_file, data, size, &offset);
40986+ rc = vfs_read(lower_file, (char __force_user *)data, size, &offset);
40987 set_fs(fs_save);
40988 return rc;
40989 }
40990diff -urNp linux-3.0.7/fs/exec.c linux-3.0.7/fs/exec.c
40991--- linux-3.0.7/fs/exec.c 2011-10-17 23:17:09.000000000 -0400
40992+++ linux-3.0.7/fs/exec.c 2011-10-17 23:17:19.000000000 -0400
40993@@ -55,12 +55,24 @@
40994 #include <linux/pipe_fs_i.h>
40995 #include <linux/oom.h>
40996 #include <linux/compat.h>
40997+#include <linux/random.h>
40998+#include <linux/seq_file.h>
40999+
41000+#ifdef CONFIG_PAX_REFCOUNT
41001+#include <linux/kallsyms.h>
41002+#include <linux/kdebug.h>
41003+#endif
41004
41005 #include <asm/uaccess.h>
41006 #include <asm/mmu_context.h>
41007 #include <asm/tlb.h>
41008 #include "internal.h"
41009
41010+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
41011+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
41012+EXPORT_SYMBOL(pax_set_initial_flags_func);
41013+#endif
41014+
41015 int core_uses_pid;
41016 char core_pattern[CORENAME_MAX_SIZE] = "core";
41017 unsigned int core_pipe_limit;
41018@@ -70,7 +82,7 @@ struct core_name {
41019 char *corename;
41020 int used, size;
41021 };
41022-static atomic_t call_count = ATOMIC_INIT(1);
41023+static atomic_unchecked_t call_count = ATOMIC_INIT(1);
41024
41025 /* The maximal length of core_pattern is also specified in sysctl.c */
41026
41027@@ -116,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __use
41028 char *tmp = getname(library);
41029 int error = PTR_ERR(tmp);
41030 static const struct open_flags uselib_flags = {
41031- .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
41032+ .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
41033 .acc_mode = MAY_READ | MAY_EXEC | MAY_OPEN,
41034 .intent = LOOKUP_OPEN
41035 };
41036@@ -195,18 +207,10 @@ static struct page *get_arg_page(struct
41037 int write)
41038 {
41039 struct page *page;
41040- int ret;
41041
41042-#ifdef CONFIG_STACK_GROWSUP
41043- if (write) {
41044- ret = expand_downwards(bprm->vma, pos);
41045- if (ret < 0)
41046- return NULL;
41047- }
41048-#endif
41049- ret = get_user_pages(current, bprm->mm, pos,
41050- 1, write, 1, &page, NULL);
41051- if (ret <= 0)
41052+ if (0 > expand_downwards(bprm->vma, pos))
41053+ return NULL;
41054+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
41055 return NULL;
41056
41057 if (write) {
41058@@ -281,6 +285,11 @@ static int __bprm_mm_init(struct linux_b
41059 vma->vm_end = STACK_TOP_MAX;
41060 vma->vm_start = vma->vm_end - PAGE_SIZE;
41061 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
41062+
41063+#ifdef CONFIG_PAX_SEGMEXEC
41064+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
41065+#endif
41066+
41067 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
41068 INIT_LIST_HEAD(&vma->anon_vma_chain);
41069
41070@@ -295,6 +304,12 @@ static int __bprm_mm_init(struct linux_b
41071 mm->stack_vm = mm->total_vm = 1;
41072 up_write(&mm->mmap_sem);
41073 bprm->p = vma->vm_end - sizeof(void *);
41074+
41075+#ifdef CONFIG_PAX_RANDUSTACK
41076+ if (randomize_va_space)
41077+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
41078+#endif
41079+
41080 return 0;
41081 err:
41082 up_write(&mm->mmap_sem);
41083@@ -403,19 +418,7 @@ err:
41084 return err;
41085 }
41086
41087-struct user_arg_ptr {
41088-#ifdef CONFIG_COMPAT
41089- bool is_compat;
41090-#endif
41091- union {
41092- const char __user *const __user *native;
41093-#ifdef CONFIG_COMPAT
41094- compat_uptr_t __user *compat;
41095-#endif
41096- } ptr;
41097-};
41098-
41099-static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
41100+const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
41101 {
41102 const char __user *native;
41103
41104@@ -424,14 +427,14 @@ static const char __user *get_user_arg_p
41105 compat_uptr_t compat;
41106
41107 if (get_user(compat, argv.ptr.compat + nr))
41108- return ERR_PTR(-EFAULT);
41109+ return (const char __force_user *)ERR_PTR(-EFAULT);
41110
41111 return compat_ptr(compat);
41112 }
41113 #endif
41114
41115 if (get_user(native, argv.ptr.native + nr))
41116- return ERR_PTR(-EFAULT);
41117+ return (const char __force_user *)ERR_PTR(-EFAULT);
41118
41119 return native;
41120 }
41121@@ -450,7 +453,7 @@ static int count(struct user_arg_ptr arg
41122 if (!p)
41123 break;
41124
41125- if (IS_ERR(p))
41126+ if (IS_ERR((const char __force_kernel *)p))
41127 return -EFAULT;
41128
41129 if (i++ >= max)
41130@@ -484,7 +487,7 @@ static int copy_strings(int argc, struct
41131
41132 ret = -EFAULT;
41133 str = get_user_arg_ptr(argv, argc);
41134- if (IS_ERR(str))
41135+ if (IS_ERR((const char __force_kernel *)str))
41136 goto out;
41137
41138 len = strnlen_user(str, MAX_ARG_STRLEN);
41139@@ -566,7 +569,7 @@ int copy_strings_kernel(int argc, const
41140 int r;
41141 mm_segment_t oldfs = get_fs();
41142 struct user_arg_ptr argv = {
41143- .ptr.native = (const char __user *const __user *)__argv,
41144+ .ptr.native = (const char __force_user *const __force_user *)__argv,
41145 };
41146
41147 set_fs(KERNEL_DS);
41148@@ -601,7 +604,8 @@ static int shift_arg_pages(struct vm_are
41149 unsigned long new_end = old_end - shift;
41150 struct mmu_gather tlb;
41151
41152- BUG_ON(new_start > new_end);
41153+ if (new_start >= new_end || new_start < mmap_min_addr)
41154+ return -ENOMEM;
41155
41156 /*
41157 * ensure there are no vmas between where we want to go
41158@@ -610,6 +614,10 @@ static int shift_arg_pages(struct vm_are
41159 if (vma != find_vma(mm, new_start))
41160 return -EFAULT;
41161
41162+#ifdef CONFIG_PAX_SEGMEXEC
41163+ BUG_ON(pax_find_mirror_vma(vma));
41164+#endif
41165+
41166 /*
41167 * cover the whole range: [new_start, old_end)
41168 */
41169@@ -690,10 +698,6 @@ int setup_arg_pages(struct linux_binprm
41170 stack_top = arch_align_stack(stack_top);
41171 stack_top = PAGE_ALIGN(stack_top);
41172
41173- if (unlikely(stack_top < mmap_min_addr) ||
41174- unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
41175- return -ENOMEM;
41176-
41177 stack_shift = vma->vm_end - stack_top;
41178
41179 bprm->p -= stack_shift;
41180@@ -705,8 +709,28 @@ int setup_arg_pages(struct linux_binprm
41181 bprm->exec -= stack_shift;
41182
41183 down_write(&mm->mmap_sem);
41184+
41185+ /* Move stack pages down in memory. */
41186+ if (stack_shift) {
41187+ ret = shift_arg_pages(vma, stack_shift);
41188+ if (ret)
41189+ goto out_unlock;
41190+ }
41191+
41192 vm_flags = VM_STACK_FLAGS;
41193
41194+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
41195+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
41196+ vm_flags &= ~VM_EXEC;
41197+
41198+#ifdef CONFIG_PAX_MPROTECT
41199+ if (mm->pax_flags & MF_PAX_MPROTECT)
41200+ vm_flags &= ~VM_MAYEXEC;
41201+#endif
41202+
41203+ }
41204+#endif
41205+
41206 /*
41207 * Adjust stack execute permissions; explicitly enable for
41208 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
41209@@ -725,13 +749,6 @@ int setup_arg_pages(struct linux_binprm
41210 goto out_unlock;
41211 BUG_ON(prev != vma);
41212
41213- /* Move stack pages down in memory. */
41214- if (stack_shift) {
41215- ret = shift_arg_pages(vma, stack_shift);
41216- if (ret)
41217- goto out_unlock;
41218- }
41219-
41220 /* mprotect_fixup is overkill to remove the temporary stack flags */
41221 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
41222
41223@@ -771,7 +788,7 @@ struct file *open_exec(const char *name)
41224 struct file *file;
41225 int err;
41226 static const struct open_flags open_exec_flags = {
41227- .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
41228+ .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC,
41229 .acc_mode = MAY_EXEC | MAY_OPEN,
41230 .intent = LOOKUP_OPEN
41231 };
41232@@ -812,7 +829,7 @@ int kernel_read(struct file *file, loff_
41233 old_fs = get_fs();
41234 set_fs(get_ds());
41235 /* The cast to a user pointer is valid due to the set_fs() */
41236- result = vfs_read(file, (void __user *)addr, count, &pos);
41237+ result = vfs_read(file, (void __force_user *)addr, count, &pos);
41238 set_fs(old_fs);
41239 return result;
41240 }
41241@@ -1236,7 +1253,7 @@ int check_unsafe_exec(struct linux_binpr
41242 }
41243 rcu_read_unlock();
41244
41245- if (p->fs->users > n_fs) {
41246+ if (atomic_read(&p->fs->users) > n_fs) {
41247 bprm->unsafe |= LSM_UNSAFE_SHARE;
41248 } else {
41249 res = -EAGAIN;
41250@@ -1430,11 +1447,35 @@ static int do_execve_common(const char *
41251 struct user_arg_ptr envp,
41252 struct pt_regs *regs)
41253 {
41254+#ifdef CONFIG_GRKERNSEC
41255+ struct file *old_exec_file;
41256+ struct acl_subject_label *old_acl;
41257+ struct rlimit old_rlim[RLIM_NLIMITS];
41258+#endif
41259 struct linux_binprm *bprm;
41260 struct file *file;
41261 struct files_struct *displaced;
41262 bool clear_in_exec;
41263 int retval;
41264+ const struct cred *cred = current_cred();
41265+
41266+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
41267+
41268+ /*
41269+ * We move the actual failure in case of RLIMIT_NPROC excess from
41270+ * set*uid() to execve() because too many poorly written programs
41271+ * don't check setuid() return code. Here we additionally recheck
41272+ * whether NPROC limit is still exceeded.
41273+ */
41274+ if ((current->flags & PF_NPROC_EXCEEDED) &&
41275+ atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) {
41276+ retval = -EAGAIN;
41277+ goto out_ret;
41278+ }
41279+
41280+ /* We're below the limit (still or again), so we don't want to make
41281+ * further execve() calls fail. */
41282+ current->flags &= ~PF_NPROC_EXCEEDED;
41283
41284 retval = unshare_files(&displaced);
41285 if (retval)
41286@@ -1466,6 +1507,16 @@ static int do_execve_common(const char *
41287 bprm->filename = filename;
41288 bprm->interp = filename;
41289
41290+ if (gr_process_user_ban()) {
41291+ retval = -EPERM;
41292+ goto out_file;
41293+ }
41294+
41295+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
41296+ retval = -EACCES;
41297+ goto out_file;
41298+ }
41299+
41300 retval = bprm_mm_init(bprm);
41301 if (retval)
41302 goto out_file;
41303@@ -1495,9 +1546,40 @@ static int do_execve_common(const char *
41304 if (retval < 0)
41305 goto out;
41306
41307+ if (!gr_tpe_allow(file)) {
41308+ retval = -EACCES;
41309+ goto out;
41310+ }
41311+
41312+ if (gr_check_crash_exec(file)) {
41313+ retval = -EACCES;
41314+ goto out;
41315+ }
41316+
41317+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
41318+
41319+ gr_handle_exec_args(bprm, argv);
41320+
41321+#ifdef CONFIG_GRKERNSEC
41322+ old_acl = current->acl;
41323+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
41324+ old_exec_file = current->exec_file;
41325+ get_file(file);
41326+ current->exec_file = file;
41327+#endif
41328+
41329+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
41330+ bprm->unsafe & LSM_UNSAFE_SHARE);
41331+ if (retval < 0)
41332+ goto out_fail;
41333+
41334 retval = search_binary_handler(bprm,regs);
41335 if (retval < 0)
41336- goto out;
41337+ goto out_fail;
41338+#ifdef CONFIG_GRKERNSEC
41339+ if (old_exec_file)
41340+ fput(old_exec_file);
41341+#endif
41342
41343 /* execve succeeded */
41344 current->fs->in_exec = 0;
41345@@ -1508,6 +1590,14 @@ static int do_execve_common(const char *
41346 put_files_struct(displaced);
41347 return retval;
41348
41349+out_fail:
41350+#ifdef CONFIG_GRKERNSEC
41351+ current->acl = old_acl;
41352+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
41353+ fput(current->exec_file);
41354+ current->exec_file = old_exec_file;
41355+#endif
41356+
41357 out:
41358 if (bprm->mm) {
41359 acct_arg_size(bprm, 0);
41360@@ -1581,7 +1671,7 @@ static int expand_corename(struct core_n
41361 {
41362 char *old_corename = cn->corename;
41363
41364- cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
41365+ cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
41366 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
41367
41368 if (!cn->corename) {
41369@@ -1669,7 +1759,7 @@ static int format_corename(struct core_n
41370 int pid_in_pattern = 0;
41371 int err = 0;
41372
41373- cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
41374+ cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
41375 cn->corename = kmalloc(cn->size, GFP_KERNEL);
41376 cn->used = 0;
41377
41378@@ -1760,6 +1850,219 @@ out:
41379 return ispipe;
41380 }
41381
41382+int pax_check_flags(unsigned long *flags)
41383+{
41384+ int retval = 0;
41385+
41386+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
41387+ if (*flags & MF_PAX_SEGMEXEC)
41388+ {
41389+ *flags &= ~MF_PAX_SEGMEXEC;
41390+ retval = -EINVAL;
41391+ }
41392+#endif
41393+
41394+ if ((*flags & MF_PAX_PAGEEXEC)
41395+
41396+#ifdef CONFIG_PAX_PAGEEXEC
41397+ && (*flags & MF_PAX_SEGMEXEC)
41398+#endif
41399+
41400+ )
41401+ {
41402+ *flags &= ~MF_PAX_PAGEEXEC;
41403+ retval = -EINVAL;
41404+ }
41405+
41406+ if ((*flags & MF_PAX_MPROTECT)
41407+
41408+#ifdef CONFIG_PAX_MPROTECT
41409+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
41410+#endif
41411+
41412+ )
41413+ {
41414+ *flags &= ~MF_PAX_MPROTECT;
41415+ retval = -EINVAL;
41416+ }
41417+
41418+ if ((*flags & MF_PAX_EMUTRAMP)
41419+
41420+#ifdef CONFIG_PAX_EMUTRAMP
41421+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
41422+#endif
41423+
41424+ )
41425+ {
41426+ *flags &= ~MF_PAX_EMUTRAMP;
41427+ retval = -EINVAL;
41428+ }
41429+
41430+ return retval;
41431+}
41432+
41433+EXPORT_SYMBOL(pax_check_flags);
41434+
41435+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
41436+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
41437+{
41438+ struct task_struct *tsk = current;
41439+ struct mm_struct *mm = current->mm;
41440+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
41441+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
41442+ char *path_exec = NULL;
41443+ char *path_fault = NULL;
41444+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
41445+
41446+ if (buffer_exec && buffer_fault) {
41447+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
41448+
41449+ down_read(&mm->mmap_sem);
41450+ vma = mm->mmap;
41451+ while (vma && (!vma_exec || !vma_fault)) {
41452+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
41453+ vma_exec = vma;
41454+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
41455+ vma_fault = vma;
41456+ vma = vma->vm_next;
41457+ }
41458+ if (vma_exec) {
41459+ path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
41460+ if (IS_ERR(path_exec))
41461+ path_exec = "<path too long>";
41462+ else {
41463+ path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
41464+ if (path_exec) {
41465+ *path_exec = 0;
41466+ path_exec = buffer_exec;
41467+ } else
41468+ path_exec = "<path too long>";
41469+ }
41470+ }
41471+ if (vma_fault) {
41472+ start = vma_fault->vm_start;
41473+ end = vma_fault->vm_end;
41474+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
41475+ if (vma_fault->vm_file) {
41476+ path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
41477+ if (IS_ERR(path_fault))
41478+ path_fault = "<path too long>";
41479+ else {
41480+ path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
41481+ if (path_fault) {
41482+ *path_fault = 0;
41483+ path_fault = buffer_fault;
41484+ } else
41485+ path_fault = "<path too long>";
41486+ }
41487+ } else
41488+ path_fault = "<anonymous mapping>";
41489+ }
41490+ up_read(&mm->mmap_sem);
41491+ }
41492+ if (tsk->signal->curr_ip)
41493+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
41494+ else
41495+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
41496+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
41497+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
41498+ task_uid(tsk), task_euid(tsk), pc, sp);
41499+ free_page((unsigned long)buffer_exec);
41500+ free_page((unsigned long)buffer_fault);
41501+ pax_report_insns(pc, sp);
41502+ do_coredump(SIGKILL, SIGKILL, regs);
41503+}
41504+#endif
41505+
41506+#ifdef CONFIG_PAX_REFCOUNT
41507+void pax_report_refcount_overflow(struct pt_regs *regs)
41508+{
41509+ if (current->signal->curr_ip)
41510+ printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
41511+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
41512+ else
41513+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
41514+ current->comm, task_pid_nr(current), current_uid(), current_euid());
41515+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
41516+ show_regs(regs);
41517+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
41518+}
41519+#endif
41520+
41521+#ifdef CONFIG_PAX_USERCOPY
41522+/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
41523+int object_is_on_stack(const void *obj, unsigned long len)
41524+{
41525+ const void * const stack = task_stack_page(current);
41526+ const void * const stackend = stack + THREAD_SIZE;
41527+
41528+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
41529+ const void *frame = NULL;
41530+ const void *oldframe;
41531+#endif
41532+
41533+ if (obj + len < obj)
41534+ return -1;
41535+
41536+ if (obj + len <= stack || stackend <= obj)
41537+ return 0;
41538+
41539+ if (obj < stack || stackend < obj + len)
41540+ return -1;
41541+
41542+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
41543+ oldframe = __builtin_frame_address(1);
41544+ if (oldframe)
41545+ frame = __builtin_frame_address(2);
41546+ /*
41547+ low ----------------------------------------------> high
41548+ [saved bp][saved ip][args][local vars][saved bp][saved ip]
41549+ ^----------------^
41550+ allow copies only within here
41551+ */
41552+ while (stack <= frame && frame < stackend) {
41553+ /* if obj + len extends past the last frame, this
41554+ check won't pass and the next frame will be 0,
41555+ causing us to bail out and correctly report
41556+ the copy as invalid
41557+ */
41558+ if (obj + len <= frame)
41559+ return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
41560+ oldframe = frame;
41561+ frame = *(const void * const *)frame;
41562+ }
41563+ return -1;
41564+#else
41565+ return 1;
41566+#endif
41567+}
41568+
41569+
41570+NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
41571+{
41572+ if (current->signal->curr_ip)
41573+ printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
41574+ &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
41575+ else
41576+ printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
41577+ to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
41578+ dump_stack();
41579+ gr_handle_kernel_exploit();
41580+ do_group_exit(SIGKILL);
41581+}
41582+#endif
41583+
41584+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
41585+void pax_track_stack(void)
41586+{
41587+ unsigned long sp = (unsigned long)&sp;
41588+ if (sp < current_thread_info()->lowest_stack &&
41589+ sp > (unsigned long)task_stack_page(current))
41590+ current_thread_info()->lowest_stack = sp;
41591+}
41592+EXPORT_SYMBOL(pax_track_stack);
41593+#endif
41594+
41595 static int zap_process(struct task_struct *start, int exit_code)
41596 {
41597 struct task_struct *t;
41598@@ -1971,17 +2274,17 @@ static void wait_for_dump_helpers(struct
41599 pipe = file->f_path.dentry->d_inode->i_pipe;
41600
41601 pipe_lock(pipe);
41602- pipe->readers++;
41603- pipe->writers--;
41604+ atomic_inc(&pipe->readers);
41605+ atomic_dec(&pipe->writers);
41606
41607- while ((pipe->readers > 1) && (!signal_pending(current))) {
41608+ while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
41609 wake_up_interruptible_sync(&pipe->wait);
41610 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
41611 pipe_wait(pipe);
41612 }
41613
41614- pipe->readers--;
41615- pipe->writers++;
41616+ atomic_dec(&pipe->readers);
41617+ atomic_inc(&pipe->writers);
41618 pipe_unlock(pipe);
41619
41620 }
41621@@ -2042,7 +2345,7 @@ void do_coredump(long signr, int exit_co
41622 int retval = 0;
41623 int flag = 0;
41624 int ispipe;
41625- static atomic_t core_dump_count = ATOMIC_INIT(0);
41626+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
41627 struct coredump_params cprm = {
41628 .signr = signr,
41629 .regs = regs,
41630@@ -2057,6 +2360,9 @@ void do_coredump(long signr, int exit_co
41631
41632 audit_core_dumps(signr);
41633
41634+ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
41635+ gr_handle_brute_attach(current, cprm.mm_flags);
41636+
41637 binfmt = mm->binfmt;
41638 if (!binfmt || !binfmt->core_dump)
41639 goto fail;
41640@@ -2097,6 +2403,8 @@ void do_coredump(long signr, int exit_co
41641 goto fail_corename;
41642 }
41643
41644+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
41645+
41646 if (ispipe) {
41647 int dump_count;
41648 char **helper_argv;
41649@@ -2124,7 +2432,7 @@ void do_coredump(long signr, int exit_co
41650 }
41651 cprm.limit = RLIM_INFINITY;
41652
41653- dump_count = atomic_inc_return(&core_dump_count);
41654+ dump_count = atomic_inc_return_unchecked(&core_dump_count);
41655 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
41656 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
41657 task_tgid_vnr(current), current->comm);
41658@@ -2194,7 +2502,7 @@ close_fail:
41659 filp_close(cprm.file, NULL);
41660 fail_dropcount:
41661 if (ispipe)
41662- atomic_dec(&core_dump_count);
41663+ atomic_dec_unchecked(&core_dump_count);
41664 fail_unlock:
41665 kfree(cn.corename);
41666 fail_corename:
41667@@ -2213,7 +2521,7 @@ fail:
41668 */
41669 int dump_write(struct file *file, const void *addr, int nr)
41670 {
41671- return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, addr, nr, &file->f_pos) == nr;
41672+ return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, (const char __force_user *)addr, nr, &file->f_pos) == nr;
41673 }
41674 EXPORT_SYMBOL(dump_write);
41675
41676diff -urNp linux-3.0.7/fs/ext2/balloc.c linux-3.0.7/fs/ext2/balloc.c
41677--- linux-3.0.7/fs/ext2/balloc.c 2011-07-21 22:17:23.000000000 -0400
41678+++ linux-3.0.7/fs/ext2/balloc.c 2011-08-23 21:48:14.000000000 -0400
41679@@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
41680
41681 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
41682 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
41683- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
41684+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
41685 sbi->s_resuid != current_fsuid() &&
41686 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
41687 return 0;
41688diff -urNp linux-3.0.7/fs/ext3/balloc.c linux-3.0.7/fs/ext3/balloc.c
41689--- linux-3.0.7/fs/ext3/balloc.c 2011-07-21 22:17:23.000000000 -0400
41690+++ linux-3.0.7/fs/ext3/balloc.c 2011-08-23 21:48:14.000000000 -0400
41691@@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
41692
41693 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
41694 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
41695- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
41696+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
41697 sbi->s_resuid != current_fsuid() &&
41698 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
41699 return 0;
41700diff -urNp linux-3.0.7/fs/ext3/ioctl.c linux-3.0.7/fs/ext3/ioctl.c
41701--- linux-3.0.7/fs/ext3/ioctl.c 2011-07-21 22:17:23.000000000 -0400
41702+++ linux-3.0.7/fs/ext3/ioctl.c 2011-10-06 04:17:55.000000000 -0400
41703@@ -285,7 +285,7 @@ group_add_out:
41704 if (!capable(CAP_SYS_ADMIN))
41705 return -EPERM;
41706
41707- if (copy_from_user(&range, (struct fstrim_range *)arg,
41708+ if (copy_from_user(&range, (struct fstrim_range __user *)arg,
41709 sizeof(range)))
41710 return -EFAULT;
41711
41712@@ -293,7 +293,7 @@ group_add_out:
41713 if (ret < 0)
41714 return ret;
41715
41716- if (copy_to_user((struct fstrim_range *)arg, &range,
41717+ if (copy_to_user((struct fstrim_range __user *)arg, &range,
41718 sizeof(range)))
41719 return -EFAULT;
41720
41721diff -urNp linux-3.0.7/fs/ext4/balloc.c linux-3.0.7/fs/ext4/balloc.c
41722--- linux-3.0.7/fs/ext4/balloc.c 2011-07-21 22:17:23.000000000 -0400
41723+++ linux-3.0.7/fs/ext4/balloc.c 2011-08-23 21:48:14.000000000 -0400
41724@@ -394,8 +394,8 @@ static int ext4_has_free_blocks(struct e
41725 /* Hm, nope. Are (enough) root reserved blocks available? */
41726 if (sbi->s_resuid == current_fsuid() ||
41727 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
41728- capable(CAP_SYS_RESOURCE) ||
41729- (flags & EXT4_MB_USE_ROOT_BLOCKS)) {
41730+ (flags & EXT4_MB_USE_ROOT_BLOCKS) ||
41731+ capable_nolog(CAP_SYS_RESOURCE)) {
41732
41733 if (free_blocks >= (nblocks + dirty_blocks))
41734 return 1;
41735diff -urNp linux-3.0.7/fs/ext4/ext4.h linux-3.0.7/fs/ext4/ext4.h
41736--- linux-3.0.7/fs/ext4/ext4.h 2011-09-02 18:11:21.000000000 -0400
41737+++ linux-3.0.7/fs/ext4/ext4.h 2011-08-23 21:47:56.000000000 -0400
41738@@ -1177,19 +1177,19 @@ struct ext4_sb_info {
41739 unsigned long s_mb_last_start;
41740
41741 /* stats for buddy allocator */
41742- atomic_t s_bal_reqs; /* number of reqs with len > 1 */
41743- atomic_t s_bal_success; /* we found long enough chunks */
41744- atomic_t s_bal_allocated; /* in blocks */
41745- atomic_t s_bal_ex_scanned; /* total extents scanned */
41746- atomic_t s_bal_goals; /* goal hits */
41747- atomic_t s_bal_breaks; /* too long searches */
41748- atomic_t s_bal_2orders; /* 2^order hits */
41749+ atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
41750+ atomic_unchecked_t s_bal_success; /* we found long enough chunks */
41751+ atomic_unchecked_t s_bal_allocated; /* in blocks */
41752+ atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
41753+ atomic_unchecked_t s_bal_goals; /* goal hits */
41754+ atomic_unchecked_t s_bal_breaks; /* too long searches */
41755+ atomic_unchecked_t s_bal_2orders; /* 2^order hits */
41756 spinlock_t s_bal_lock;
41757 unsigned long s_mb_buddies_generated;
41758 unsigned long long s_mb_generation_time;
41759- atomic_t s_mb_lost_chunks;
41760- atomic_t s_mb_preallocated;
41761- atomic_t s_mb_discarded;
41762+ atomic_unchecked_t s_mb_lost_chunks;
41763+ atomic_unchecked_t s_mb_preallocated;
41764+ atomic_unchecked_t s_mb_discarded;
41765 atomic_t s_lock_busy;
41766
41767 /* locality groups */
41768diff -urNp linux-3.0.7/fs/ext4/file.c linux-3.0.7/fs/ext4/file.c
41769--- linux-3.0.7/fs/ext4/file.c 2011-07-21 22:17:23.000000000 -0400
41770+++ linux-3.0.7/fs/ext4/file.c 2011-10-17 02:30:30.000000000 -0400
41771@@ -181,8 +181,8 @@ static int ext4_file_open(struct inode *
41772 path.dentry = mnt->mnt_root;
41773 cp = d_path(&path, buf, sizeof(buf));
41774 if (!IS_ERR(cp)) {
41775- memcpy(sbi->s_es->s_last_mounted, cp,
41776- sizeof(sbi->s_es->s_last_mounted));
41777+ strlcpy(sbi->s_es->s_last_mounted, cp,
41778+ sizeof(sbi->s_es->s_last_mounted));
41779 ext4_mark_super_dirty(sb);
41780 }
41781 }
41782diff -urNp linux-3.0.7/fs/ext4/ioctl.c linux-3.0.7/fs/ext4/ioctl.c
41783--- linux-3.0.7/fs/ext4/ioctl.c 2011-07-21 22:17:23.000000000 -0400
41784+++ linux-3.0.7/fs/ext4/ioctl.c 2011-10-06 04:17:55.000000000 -0400
41785@@ -344,7 +344,7 @@ mext_out:
41786 if (!blk_queue_discard(q))
41787 return -EOPNOTSUPP;
41788
41789- if (copy_from_user(&range, (struct fstrim_range *)arg,
41790+ if (copy_from_user(&range, (struct fstrim_range __user *)arg,
41791 sizeof(range)))
41792 return -EFAULT;
41793
41794@@ -354,7 +354,7 @@ mext_out:
41795 if (ret < 0)
41796 return ret;
41797
41798- if (copy_to_user((struct fstrim_range *)arg, &range,
41799+ if (copy_to_user((struct fstrim_range __user *)arg, &range,
41800 sizeof(range)))
41801 return -EFAULT;
41802
41803diff -urNp linux-3.0.7/fs/ext4/mballoc.c linux-3.0.7/fs/ext4/mballoc.c
41804--- linux-3.0.7/fs/ext4/mballoc.c 2011-09-02 18:11:21.000000000 -0400
41805+++ linux-3.0.7/fs/ext4/mballoc.c 2011-08-23 21:48:14.000000000 -0400
41806@@ -1793,7 +1793,7 @@ void ext4_mb_simple_scan_group(struct ex
41807 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
41808
41809 if (EXT4_SB(sb)->s_mb_stats)
41810- atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
41811+ atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
41812
41813 break;
41814 }
41815@@ -2087,7 +2087,7 @@ repeat:
41816 ac->ac_status = AC_STATUS_CONTINUE;
41817 ac->ac_flags |= EXT4_MB_HINT_FIRST;
41818 cr = 3;
41819- atomic_inc(&sbi->s_mb_lost_chunks);
41820+ atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
41821 goto repeat;
41822 }
41823 }
41824@@ -2130,6 +2130,8 @@ static int ext4_mb_seq_groups_show(struc
41825 ext4_grpblk_t counters[16];
41826 } sg;
41827
41828+ pax_track_stack();
41829+
41830 group--;
41831 if (group == 0)
41832 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
41833@@ -2553,25 +2555,25 @@ int ext4_mb_release(struct super_block *
41834 if (sbi->s_mb_stats) {
41835 printk(KERN_INFO
41836 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
41837- atomic_read(&sbi->s_bal_allocated),
41838- atomic_read(&sbi->s_bal_reqs),
41839- atomic_read(&sbi->s_bal_success));
41840+ atomic_read_unchecked(&sbi->s_bal_allocated),
41841+ atomic_read_unchecked(&sbi->s_bal_reqs),
41842+ atomic_read_unchecked(&sbi->s_bal_success));
41843 printk(KERN_INFO
41844 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
41845 "%u 2^N hits, %u breaks, %u lost\n",
41846- atomic_read(&sbi->s_bal_ex_scanned),
41847- atomic_read(&sbi->s_bal_goals),
41848- atomic_read(&sbi->s_bal_2orders),
41849- atomic_read(&sbi->s_bal_breaks),
41850- atomic_read(&sbi->s_mb_lost_chunks));
41851+ atomic_read_unchecked(&sbi->s_bal_ex_scanned),
41852+ atomic_read_unchecked(&sbi->s_bal_goals),
41853+ atomic_read_unchecked(&sbi->s_bal_2orders),
41854+ atomic_read_unchecked(&sbi->s_bal_breaks),
41855+ atomic_read_unchecked(&sbi->s_mb_lost_chunks));
41856 printk(KERN_INFO
41857 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
41858 sbi->s_mb_buddies_generated++,
41859 sbi->s_mb_generation_time);
41860 printk(KERN_INFO
41861 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
41862- atomic_read(&sbi->s_mb_preallocated),
41863- atomic_read(&sbi->s_mb_discarded));
41864+ atomic_read_unchecked(&sbi->s_mb_preallocated),
41865+ atomic_read_unchecked(&sbi->s_mb_discarded));
41866 }
41867
41868 free_percpu(sbi->s_locality_groups);
41869@@ -3041,16 +3043,16 @@ static void ext4_mb_collect_stats(struct
41870 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
41871
41872 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
41873- atomic_inc(&sbi->s_bal_reqs);
41874- atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
41875+ atomic_inc_unchecked(&sbi->s_bal_reqs);
41876+ atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
41877 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
41878- atomic_inc(&sbi->s_bal_success);
41879- atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
41880+ atomic_inc_unchecked(&sbi->s_bal_success);
41881+ atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
41882 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
41883 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
41884- atomic_inc(&sbi->s_bal_goals);
41885+ atomic_inc_unchecked(&sbi->s_bal_goals);
41886 if (ac->ac_found > sbi->s_mb_max_to_scan)
41887- atomic_inc(&sbi->s_bal_breaks);
41888+ atomic_inc_unchecked(&sbi->s_bal_breaks);
41889 }
41890
41891 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
41892@@ -3448,7 +3450,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
41893 trace_ext4_mb_new_inode_pa(ac, pa);
41894
41895 ext4_mb_use_inode_pa(ac, pa);
41896- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
41897+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
41898
41899 ei = EXT4_I(ac->ac_inode);
41900 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
41901@@ -3508,7 +3510,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
41902 trace_ext4_mb_new_group_pa(ac, pa);
41903
41904 ext4_mb_use_group_pa(ac, pa);
41905- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
41906+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
41907
41908 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
41909 lg = ac->ac_lg;
41910@@ -3595,7 +3597,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
41911 * from the bitmap and continue.
41912 */
41913 }
41914- atomic_add(free, &sbi->s_mb_discarded);
41915+ atomic_add_unchecked(free, &sbi->s_mb_discarded);
41916
41917 return err;
41918 }
41919@@ -3613,7 +3615,7 @@ ext4_mb_release_group_pa(struct ext4_bud
41920 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
41921 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
41922 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
41923- atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
41924+ atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
41925 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
41926
41927 return 0;
41928diff -urNp linux-3.0.7/fs/fcntl.c linux-3.0.7/fs/fcntl.c
41929--- linux-3.0.7/fs/fcntl.c 2011-07-21 22:17:23.000000000 -0400
41930+++ linux-3.0.7/fs/fcntl.c 2011-10-06 04:17:55.000000000 -0400
41931@@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
41932 if (err)
41933 return err;
41934
41935+ if (gr_handle_chroot_fowner(pid, type))
41936+ return -ENOENT;
41937+ if (gr_check_protected_task_fowner(pid, type))
41938+ return -EACCES;
41939+
41940 f_modown(filp, pid, type, force);
41941 return 0;
41942 }
41943@@ -266,7 +271,7 @@ pid_t f_getown(struct file *filp)
41944
41945 static int f_setown_ex(struct file *filp, unsigned long arg)
41946 {
41947- struct f_owner_ex * __user owner_p = (void * __user)arg;
41948+ struct f_owner_ex __user *owner_p = (void __user *)arg;
41949 struct f_owner_ex owner;
41950 struct pid *pid;
41951 int type;
41952@@ -306,7 +311,7 @@ static int f_setown_ex(struct file *filp
41953
41954 static int f_getown_ex(struct file *filp, unsigned long arg)
41955 {
41956- struct f_owner_ex * __user owner_p = (void * __user)arg;
41957+ struct f_owner_ex __user *owner_p = (void __user *)arg;
41958 struct f_owner_ex owner;
41959 int ret = 0;
41960
41961@@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
41962 switch (cmd) {
41963 case F_DUPFD:
41964 case F_DUPFD_CLOEXEC:
41965+ gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
41966 if (arg >= rlimit(RLIMIT_NOFILE))
41967 break;
41968 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
41969@@ -835,14 +841,14 @@ static int __init fcntl_init(void)
41970 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
41971 * is defined as O_NONBLOCK on some platforms and not on others.
41972 */
41973- BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
41974+ BUILD_BUG_ON(20 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
41975 O_RDONLY | O_WRONLY | O_RDWR |
41976 O_CREAT | O_EXCL | O_NOCTTY |
41977 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
41978 __O_SYNC | O_DSYNC | FASYNC |
41979 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
41980 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
41981- __FMODE_EXEC | O_PATH
41982+ __FMODE_EXEC | O_PATH | FMODE_GREXEC
41983 ));
41984
41985 fasync_cache = kmem_cache_create("fasync_cache",
41986diff -urNp linux-3.0.7/fs/fifo.c linux-3.0.7/fs/fifo.c
41987--- linux-3.0.7/fs/fifo.c 2011-07-21 22:17:23.000000000 -0400
41988+++ linux-3.0.7/fs/fifo.c 2011-08-23 21:47:56.000000000 -0400
41989@@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
41990 */
41991 filp->f_op = &read_pipefifo_fops;
41992 pipe->r_counter++;
41993- if (pipe->readers++ == 0)
41994+ if (atomic_inc_return(&pipe->readers) == 1)
41995 wake_up_partner(inode);
41996
41997- if (!pipe->writers) {
41998+ if (!atomic_read(&pipe->writers)) {
41999 if ((filp->f_flags & O_NONBLOCK)) {
42000 /* suppress POLLHUP until we have
42001 * seen a writer */
42002@@ -81,15 +81,15 @@ static int fifo_open(struct inode *inode
42003 * errno=ENXIO when there is no process reading the FIFO.
42004 */
42005 ret = -ENXIO;
42006- if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
42007+ if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
42008 goto err;
42009
42010 filp->f_op = &write_pipefifo_fops;
42011 pipe->w_counter++;
42012- if (!pipe->writers++)
42013+ if (atomic_inc_return(&pipe->writers) == 1)
42014 wake_up_partner(inode);
42015
42016- if (!pipe->readers) {
42017+ if (!atomic_read(&pipe->readers)) {
42018 wait_for_partner(inode, &pipe->r_counter);
42019 if (signal_pending(current))
42020 goto err_wr;
42021@@ -105,11 +105,11 @@ static int fifo_open(struct inode *inode
42022 */
42023 filp->f_op = &rdwr_pipefifo_fops;
42024
42025- pipe->readers++;
42026- pipe->writers++;
42027+ atomic_inc(&pipe->readers);
42028+ atomic_inc(&pipe->writers);
42029 pipe->r_counter++;
42030 pipe->w_counter++;
42031- if (pipe->readers == 1 || pipe->writers == 1)
42032+ if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
42033 wake_up_partner(inode);
42034 break;
42035
42036@@ -123,19 +123,19 @@ static int fifo_open(struct inode *inode
42037 return 0;
42038
42039 err_rd:
42040- if (!--pipe->readers)
42041+ if (atomic_dec_and_test(&pipe->readers))
42042 wake_up_interruptible(&pipe->wait);
42043 ret = -ERESTARTSYS;
42044 goto err;
42045
42046 err_wr:
42047- if (!--pipe->writers)
42048+ if (atomic_dec_and_test(&pipe->writers))
42049 wake_up_interruptible(&pipe->wait);
42050 ret = -ERESTARTSYS;
42051 goto err;
42052
42053 err:
42054- if (!pipe->readers && !pipe->writers)
42055+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
42056 free_pipe_info(inode);
42057
42058 err_nocleanup:
42059diff -urNp linux-3.0.7/fs/file.c linux-3.0.7/fs/file.c
42060--- linux-3.0.7/fs/file.c 2011-07-21 22:17:23.000000000 -0400
42061+++ linux-3.0.7/fs/file.c 2011-08-23 21:48:14.000000000 -0400
42062@@ -15,6 +15,7 @@
42063 #include <linux/slab.h>
42064 #include <linux/vmalloc.h>
42065 #include <linux/file.h>
42066+#include <linux/security.h>
42067 #include <linux/fdtable.h>
42068 #include <linux/bitops.h>
42069 #include <linux/interrupt.h>
42070@@ -254,6 +255,7 @@ int expand_files(struct files_struct *fi
42071 * N.B. For clone tasks sharing a files structure, this test
42072 * will limit the total number of files that can be opened.
42073 */
42074+ gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
42075 if (nr >= rlimit(RLIMIT_NOFILE))
42076 return -EMFILE;
42077
42078diff -urNp linux-3.0.7/fs/filesystems.c linux-3.0.7/fs/filesystems.c
42079--- linux-3.0.7/fs/filesystems.c 2011-07-21 22:17:23.000000000 -0400
42080+++ linux-3.0.7/fs/filesystems.c 2011-08-23 21:48:14.000000000 -0400
42081@@ -274,7 +274,12 @@ struct file_system_type *get_fs_type(con
42082 int len = dot ? dot - name : strlen(name);
42083
42084 fs = __get_fs_type(name, len);
42085+
42086+#ifdef CONFIG_GRKERNSEC_MODHARDEN
42087+ if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
42088+#else
42089 if (!fs && (request_module("%.*s", len, name) == 0))
42090+#endif
42091 fs = __get_fs_type(name, len);
42092
42093 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
42094diff -urNp linux-3.0.7/fs/fs_struct.c linux-3.0.7/fs/fs_struct.c
42095--- linux-3.0.7/fs/fs_struct.c 2011-07-21 22:17:23.000000000 -0400
42096+++ linux-3.0.7/fs/fs_struct.c 2011-08-23 21:48:14.000000000 -0400
42097@@ -4,6 +4,7 @@
42098 #include <linux/path.h>
42099 #include <linux/slab.h>
42100 #include <linux/fs_struct.h>
42101+#include <linux/grsecurity.h>
42102 #include "internal.h"
42103
42104 static inline void path_get_longterm(struct path *path)
42105@@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
42106 old_root = fs->root;
42107 fs->root = *path;
42108 path_get_longterm(path);
42109+ gr_set_chroot_entries(current, path);
42110 write_seqcount_end(&fs->seq);
42111 spin_unlock(&fs->lock);
42112 if (old_root.dentry)
42113@@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
42114 && fs->root.mnt == old_root->mnt) {
42115 path_get_longterm(new_root);
42116 fs->root = *new_root;
42117+ gr_set_chroot_entries(p, new_root);
42118 count++;
42119 }
42120 if (fs->pwd.dentry == old_root->dentry
42121@@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
42122 spin_lock(&fs->lock);
42123 write_seqcount_begin(&fs->seq);
42124 tsk->fs = NULL;
42125- kill = !--fs->users;
42126+ gr_clear_chroot_entries(tsk);
42127+ kill = !atomic_dec_return(&fs->users);
42128 write_seqcount_end(&fs->seq);
42129 spin_unlock(&fs->lock);
42130 task_unlock(tsk);
42131@@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
42132 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
42133 /* We don't need to lock fs - think why ;-) */
42134 if (fs) {
42135- fs->users = 1;
42136+ atomic_set(&fs->users, 1);
42137 fs->in_exec = 0;
42138 spin_lock_init(&fs->lock);
42139 seqcount_init(&fs->seq);
42140@@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
42141 spin_lock(&old->lock);
42142 fs->root = old->root;
42143 path_get_longterm(&fs->root);
42144+ /* instead of calling gr_set_chroot_entries here,
42145+ we call it from every caller of this function
42146+ */
42147 fs->pwd = old->pwd;
42148 path_get_longterm(&fs->pwd);
42149 spin_unlock(&old->lock);
42150@@ -150,8 +157,9 @@ int unshare_fs_struct(void)
42151
42152 task_lock(current);
42153 spin_lock(&fs->lock);
42154- kill = !--fs->users;
42155+ kill = !atomic_dec_return(&fs->users);
42156 current->fs = new_fs;
42157+ gr_set_chroot_entries(current, &new_fs->root);
42158 spin_unlock(&fs->lock);
42159 task_unlock(current);
42160
42161@@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
42162
42163 /* to be mentioned only in INIT_TASK */
42164 struct fs_struct init_fs = {
42165- .users = 1,
42166+ .users = ATOMIC_INIT(1),
42167 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
42168 .seq = SEQCNT_ZERO,
42169 .umask = 0022,
42170@@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
42171 task_lock(current);
42172
42173 spin_lock(&init_fs.lock);
42174- init_fs.users++;
42175+ atomic_inc(&init_fs.users);
42176 spin_unlock(&init_fs.lock);
42177
42178 spin_lock(&fs->lock);
42179 current->fs = &init_fs;
42180- kill = !--fs->users;
42181+ gr_set_chroot_entries(current, &current->fs->root);
42182+ kill = !atomic_dec_return(&fs->users);
42183 spin_unlock(&fs->lock);
42184
42185 task_unlock(current);
42186diff -urNp linux-3.0.7/fs/fscache/cookie.c linux-3.0.7/fs/fscache/cookie.c
42187--- linux-3.0.7/fs/fscache/cookie.c 2011-07-21 22:17:23.000000000 -0400
42188+++ linux-3.0.7/fs/fscache/cookie.c 2011-08-23 21:47:56.000000000 -0400
42189@@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
42190 parent ? (char *) parent->def->name : "<no-parent>",
42191 def->name, netfs_data);
42192
42193- fscache_stat(&fscache_n_acquires);
42194+ fscache_stat_unchecked(&fscache_n_acquires);
42195
42196 /* if there's no parent cookie, then we don't create one here either */
42197 if (!parent) {
42198- fscache_stat(&fscache_n_acquires_null);
42199+ fscache_stat_unchecked(&fscache_n_acquires_null);
42200 _leave(" [no parent]");
42201 return NULL;
42202 }
42203@@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
42204 /* allocate and initialise a cookie */
42205 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
42206 if (!cookie) {
42207- fscache_stat(&fscache_n_acquires_oom);
42208+ fscache_stat_unchecked(&fscache_n_acquires_oom);
42209 _leave(" [ENOMEM]");
42210 return NULL;
42211 }
42212@@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
42213
42214 switch (cookie->def->type) {
42215 case FSCACHE_COOKIE_TYPE_INDEX:
42216- fscache_stat(&fscache_n_cookie_index);
42217+ fscache_stat_unchecked(&fscache_n_cookie_index);
42218 break;
42219 case FSCACHE_COOKIE_TYPE_DATAFILE:
42220- fscache_stat(&fscache_n_cookie_data);
42221+ fscache_stat_unchecked(&fscache_n_cookie_data);
42222 break;
42223 default:
42224- fscache_stat(&fscache_n_cookie_special);
42225+ fscache_stat_unchecked(&fscache_n_cookie_special);
42226 break;
42227 }
42228
42229@@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
42230 if (fscache_acquire_non_index_cookie(cookie) < 0) {
42231 atomic_dec(&parent->n_children);
42232 __fscache_cookie_put(cookie);
42233- fscache_stat(&fscache_n_acquires_nobufs);
42234+ fscache_stat_unchecked(&fscache_n_acquires_nobufs);
42235 _leave(" = NULL");
42236 return NULL;
42237 }
42238 }
42239
42240- fscache_stat(&fscache_n_acquires_ok);
42241+ fscache_stat_unchecked(&fscache_n_acquires_ok);
42242 _leave(" = %p", cookie);
42243 return cookie;
42244 }
42245@@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
42246 cache = fscache_select_cache_for_object(cookie->parent);
42247 if (!cache) {
42248 up_read(&fscache_addremove_sem);
42249- fscache_stat(&fscache_n_acquires_no_cache);
42250+ fscache_stat_unchecked(&fscache_n_acquires_no_cache);
42251 _leave(" = -ENOMEDIUM [no cache]");
42252 return -ENOMEDIUM;
42253 }
42254@@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
42255 object = cache->ops->alloc_object(cache, cookie);
42256 fscache_stat_d(&fscache_n_cop_alloc_object);
42257 if (IS_ERR(object)) {
42258- fscache_stat(&fscache_n_object_no_alloc);
42259+ fscache_stat_unchecked(&fscache_n_object_no_alloc);
42260 ret = PTR_ERR(object);
42261 goto error;
42262 }
42263
42264- fscache_stat(&fscache_n_object_alloc);
42265+ fscache_stat_unchecked(&fscache_n_object_alloc);
42266
42267 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
42268
42269@@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
42270 struct fscache_object *object;
42271 struct hlist_node *_p;
42272
42273- fscache_stat(&fscache_n_updates);
42274+ fscache_stat_unchecked(&fscache_n_updates);
42275
42276 if (!cookie) {
42277- fscache_stat(&fscache_n_updates_null);
42278+ fscache_stat_unchecked(&fscache_n_updates_null);
42279 _leave(" [no cookie]");
42280 return;
42281 }
42282@@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
42283 struct fscache_object *object;
42284 unsigned long event;
42285
42286- fscache_stat(&fscache_n_relinquishes);
42287+ fscache_stat_unchecked(&fscache_n_relinquishes);
42288 if (retire)
42289- fscache_stat(&fscache_n_relinquishes_retire);
42290+ fscache_stat_unchecked(&fscache_n_relinquishes_retire);
42291
42292 if (!cookie) {
42293- fscache_stat(&fscache_n_relinquishes_null);
42294+ fscache_stat_unchecked(&fscache_n_relinquishes_null);
42295 _leave(" [no cookie]");
42296 return;
42297 }
42298@@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
42299
42300 /* wait for the cookie to finish being instantiated (or to fail) */
42301 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
42302- fscache_stat(&fscache_n_relinquishes_waitcrt);
42303+ fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
42304 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
42305 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
42306 }
42307diff -urNp linux-3.0.7/fs/fscache/internal.h linux-3.0.7/fs/fscache/internal.h
42308--- linux-3.0.7/fs/fscache/internal.h 2011-07-21 22:17:23.000000000 -0400
42309+++ linux-3.0.7/fs/fscache/internal.h 2011-08-23 21:47:56.000000000 -0400
42310@@ -144,94 +144,94 @@ extern void fscache_proc_cleanup(void);
42311 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
42312 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
42313
42314-extern atomic_t fscache_n_op_pend;
42315-extern atomic_t fscache_n_op_run;
42316-extern atomic_t fscache_n_op_enqueue;
42317-extern atomic_t fscache_n_op_deferred_release;
42318-extern atomic_t fscache_n_op_release;
42319-extern atomic_t fscache_n_op_gc;
42320-extern atomic_t fscache_n_op_cancelled;
42321-extern atomic_t fscache_n_op_rejected;
42322-
42323-extern atomic_t fscache_n_attr_changed;
42324-extern atomic_t fscache_n_attr_changed_ok;
42325-extern atomic_t fscache_n_attr_changed_nobufs;
42326-extern atomic_t fscache_n_attr_changed_nomem;
42327-extern atomic_t fscache_n_attr_changed_calls;
42328-
42329-extern atomic_t fscache_n_allocs;
42330-extern atomic_t fscache_n_allocs_ok;
42331-extern atomic_t fscache_n_allocs_wait;
42332-extern atomic_t fscache_n_allocs_nobufs;
42333-extern atomic_t fscache_n_allocs_intr;
42334-extern atomic_t fscache_n_allocs_object_dead;
42335-extern atomic_t fscache_n_alloc_ops;
42336-extern atomic_t fscache_n_alloc_op_waits;
42337-
42338-extern atomic_t fscache_n_retrievals;
42339-extern atomic_t fscache_n_retrievals_ok;
42340-extern atomic_t fscache_n_retrievals_wait;
42341-extern atomic_t fscache_n_retrievals_nodata;
42342-extern atomic_t fscache_n_retrievals_nobufs;
42343-extern atomic_t fscache_n_retrievals_intr;
42344-extern atomic_t fscache_n_retrievals_nomem;
42345-extern atomic_t fscache_n_retrievals_object_dead;
42346-extern atomic_t fscache_n_retrieval_ops;
42347-extern atomic_t fscache_n_retrieval_op_waits;
42348-
42349-extern atomic_t fscache_n_stores;
42350-extern atomic_t fscache_n_stores_ok;
42351-extern atomic_t fscache_n_stores_again;
42352-extern atomic_t fscache_n_stores_nobufs;
42353-extern atomic_t fscache_n_stores_oom;
42354-extern atomic_t fscache_n_store_ops;
42355-extern atomic_t fscache_n_store_calls;
42356-extern atomic_t fscache_n_store_pages;
42357-extern atomic_t fscache_n_store_radix_deletes;
42358-extern atomic_t fscache_n_store_pages_over_limit;
42359-
42360-extern atomic_t fscache_n_store_vmscan_not_storing;
42361-extern atomic_t fscache_n_store_vmscan_gone;
42362-extern atomic_t fscache_n_store_vmscan_busy;
42363-extern atomic_t fscache_n_store_vmscan_cancelled;
42364-
42365-extern atomic_t fscache_n_marks;
42366-extern atomic_t fscache_n_uncaches;
42367-
42368-extern atomic_t fscache_n_acquires;
42369-extern atomic_t fscache_n_acquires_null;
42370-extern atomic_t fscache_n_acquires_no_cache;
42371-extern atomic_t fscache_n_acquires_ok;
42372-extern atomic_t fscache_n_acquires_nobufs;
42373-extern atomic_t fscache_n_acquires_oom;
42374-
42375-extern atomic_t fscache_n_updates;
42376-extern atomic_t fscache_n_updates_null;
42377-extern atomic_t fscache_n_updates_run;
42378-
42379-extern atomic_t fscache_n_relinquishes;
42380-extern atomic_t fscache_n_relinquishes_null;
42381-extern atomic_t fscache_n_relinquishes_waitcrt;
42382-extern atomic_t fscache_n_relinquishes_retire;
42383-
42384-extern atomic_t fscache_n_cookie_index;
42385-extern atomic_t fscache_n_cookie_data;
42386-extern atomic_t fscache_n_cookie_special;
42387-
42388-extern atomic_t fscache_n_object_alloc;
42389-extern atomic_t fscache_n_object_no_alloc;
42390-extern atomic_t fscache_n_object_lookups;
42391-extern atomic_t fscache_n_object_lookups_negative;
42392-extern atomic_t fscache_n_object_lookups_positive;
42393-extern atomic_t fscache_n_object_lookups_timed_out;
42394-extern atomic_t fscache_n_object_created;
42395-extern atomic_t fscache_n_object_avail;
42396-extern atomic_t fscache_n_object_dead;
42397-
42398-extern atomic_t fscache_n_checkaux_none;
42399-extern atomic_t fscache_n_checkaux_okay;
42400-extern atomic_t fscache_n_checkaux_update;
42401-extern atomic_t fscache_n_checkaux_obsolete;
42402+extern atomic_unchecked_t fscache_n_op_pend;
42403+extern atomic_unchecked_t fscache_n_op_run;
42404+extern atomic_unchecked_t fscache_n_op_enqueue;
42405+extern atomic_unchecked_t fscache_n_op_deferred_release;
42406+extern atomic_unchecked_t fscache_n_op_release;
42407+extern atomic_unchecked_t fscache_n_op_gc;
42408+extern atomic_unchecked_t fscache_n_op_cancelled;
42409+extern atomic_unchecked_t fscache_n_op_rejected;
42410+
42411+extern atomic_unchecked_t fscache_n_attr_changed;
42412+extern atomic_unchecked_t fscache_n_attr_changed_ok;
42413+extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
42414+extern atomic_unchecked_t fscache_n_attr_changed_nomem;
42415+extern atomic_unchecked_t fscache_n_attr_changed_calls;
42416+
42417+extern atomic_unchecked_t fscache_n_allocs;
42418+extern atomic_unchecked_t fscache_n_allocs_ok;
42419+extern atomic_unchecked_t fscache_n_allocs_wait;
42420+extern atomic_unchecked_t fscache_n_allocs_nobufs;
42421+extern atomic_unchecked_t fscache_n_allocs_intr;
42422+extern atomic_unchecked_t fscache_n_allocs_object_dead;
42423+extern atomic_unchecked_t fscache_n_alloc_ops;
42424+extern atomic_unchecked_t fscache_n_alloc_op_waits;
42425+
42426+extern atomic_unchecked_t fscache_n_retrievals;
42427+extern atomic_unchecked_t fscache_n_retrievals_ok;
42428+extern atomic_unchecked_t fscache_n_retrievals_wait;
42429+extern atomic_unchecked_t fscache_n_retrievals_nodata;
42430+extern atomic_unchecked_t fscache_n_retrievals_nobufs;
42431+extern atomic_unchecked_t fscache_n_retrievals_intr;
42432+extern atomic_unchecked_t fscache_n_retrievals_nomem;
42433+extern atomic_unchecked_t fscache_n_retrievals_object_dead;
42434+extern atomic_unchecked_t fscache_n_retrieval_ops;
42435+extern atomic_unchecked_t fscache_n_retrieval_op_waits;
42436+
42437+extern atomic_unchecked_t fscache_n_stores;
42438+extern atomic_unchecked_t fscache_n_stores_ok;
42439+extern atomic_unchecked_t fscache_n_stores_again;
42440+extern atomic_unchecked_t fscache_n_stores_nobufs;
42441+extern atomic_unchecked_t fscache_n_stores_oom;
42442+extern atomic_unchecked_t fscache_n_store_ops;
42443+extern atomic_unchecked_t fscache_n_store_calls;
42444+extern atomic_unchecked_t fscache_n_store_pages;
42445+extern atomic_unchecked_t fscache_n_store_radix_deletes;
42446+extern atomic_unchecked_t fscache_n_store_pages_over_limit;
42447+
42448+extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
42449+extern atomic_unchecked_t fscache_n_store_vmscan_gone;
42450+extern atomic_unchecked_t fscache_n_store_vmscan_busy;
42451+extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
42452+
42453+extern atomic_unchecked_t fscache_n_marks;
42454+extern atomic_unchecked_t fscache_n_uncaches;
42455+
42456+extern atomic_unchecked_t fscache_n_acquires;
42457+extern atomic_unchecked_t fscache_n_acquires_null;
42458+extern atomic_unchecked_t fscache_n_acquires_no_cache;
42459+extern atomic_unchecked_t fscache_n_acquires_ok;
42460+extern atomic_unchecked_t fscache_n_acquires_nobufs;
42461+extern atomic_unchecked_t fscache_n_acquires_oom;
42462+
42463+extern atomic_unchecked_t fscache_n_updates;
42464+extern atomic_unchecked_t fscache_n_updates_null;
42465+extern atomic_unchecked_t fscache_n_updates_run;
42466+
42467+extern atomic_unchecked_t fscache_n_relinquishes;
42468+extern atomic_unchecked_t fscache_n_relinquishes_null;
42469+extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
42470+extern atomic_unchecked_t fscache_n_relinquishes_retire;
42471+
42472+extern atomic_unchecked_t fscache_n_cookie_index;
42473+extern atomic_unchecked_t fscache_n_cookie_data;
42474+extern atomic_unchecked_t fscache_n_cookie_special;
42475+
42476+extern atomic_unchecked_t fscache_n_object_alloc;
42477+extern atomic_unchecked_t fscache_n_object_no_alloc;
42478+extern atomic_unchecked_t fscache_n_object_lookups;
42479+extern atomic_unchecked_t fscache_n_object_lookups_negative;
42480+extern atomic_unchecked_t fscache_n_object_lookups_positive;
42481+extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
42482+extern atomic_unchecked_t fscache_n_object_created;
42483+extern atomic_unchecked_t fscache_n_object_avail;
42484+extern atomic_unchecked_t fscache_n_object_dead;
42485+
42486+extern atomic_unchecked_t fscache_n_checkaux_none;
42487+extern atomic_unchecked_t fscache_n_checkaux_okay;
42488+extern atomic_unchecked_t fscache_n_checkaux_update;
42489+extern atomic_unchecked_t fscache_n_checkaux_obsolete;
42490
42491 extern atomic_t fscache_n_cop_alloc_object;
42492 extern atomic_t fscache_n_cop_lookup_object;
42493@@ -255,6 +255,11 @@ static inline void fscache_stat(atomic_t
42494 atomic_inc(stat);
42495 }
42496
42497+static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
42498+{
42499+ atomic_inc_unchecked(stat);
42500+}
42501+
42502 static inline void fscache_stat_d(atomic_t *stat)
42503 {
42504 atomic_dec(stat);
42505@@ -267,6 +272,7 @@ extern const struct file_operations fsca
42506
42507 #define __fscache_stat(stat) (NULL)
42508 #define fscache_stat(stat) do {} while (0)
42509+#define fscache_stat_unchecked(stat) do {} while (0)
42510 #define fscache_stat_d(stat) do {} while (0)
42511 #endif
42512
42513diff -urNp linux-3.0.7/fs/fscache/object.c linux-3.0.7/fs/fscache/object.c
42514--- linux-3.0.7/fs/fscache/object.c 2011-07-21 22:17:23.000000000 -0400
42515+++ linux-3.0.7/fs/fscache/object.c 2011-08-23 21:47:56.000000000 -0400
42516@@ -128,7 +128,7 @@ static void fscache_object_state_machine
42517 /* update the object metadata on disk */
42518 case FSCACHE_OBJECT_UPDATING:
42519 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
42520- fscache_stat(&fscache_n_updates_run);
42521+ fscache_stat_unchecked(&fscache_n_updates_run);
42522 fscache_stat(&fscache_n_cop_update_object);
42523 object->cache->ops->update_object(object);
42524 fscache_stat_d(&fscache_n_cop_update_object);
42525@@ -217,7 +217,7 @@ static void fscache_object_state_machine
42526 spin_lock(&object->lock);
42527 object->state = FSCACHE_OBJECT_DEAD;
42528 spin_unlock(&object->lock);
42529- fscache_stat(&fscache_n_object_dead);
42530+ fscache_stat_unchecked(&fscache_n_object_dead);
42531 goto terminal_transit;
42532
42533 /* handle the parent cache of this object being withdrawn from
42534@@ -232,7 +232,7 @@ static void fscache_object_state_machine
42535 spin_lock(&object->lock);
42536 object->state = FSCACHE_OBJECT_DEAD;
42537 spin_unlock(&object->lock);
42538- fscache_stat(&fscache_n_object_dead);
42539+ fscache_stat_unchecked(&fscache_n_object_dead);
42540 goto terminal_transit;
42541
42542 /* complain about the object being woken up once it is
42543@@ -461,7 +461,7 @@ static void fscache_lookup_object(struct
42544 parent->cookie->def->name, cookie->def->name,
42545 object->cache->tag->name);
42546
42547- fscache_stat(&fscache_n_object_lookups);
42548+ fscache_stat_unchecked(&fscache_n_object_lookups);
42549 fscache_stat(&fscache_n_cop_lookup_object);
42550 ret = object->cache->ops->lookup_object(object);
42551 fscache_stat_d(&fscache_n_cop_lookup_object);
42552@@ -472,7 +472,7 @@ static void fscache_lookup_object(struct
42553 if (ret == -ETIMEDOUT) {
42554 /* probably stuck behind another object, so move this one to
42555 * the back of the queue */
42556- fscache_stat(&fscache_n_object_lookups_timed_out);
42557+ fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
42558 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
42559 }
42560
42561@@ -495,7 +495,7 @@ void fscache_object_lookup_negative(stru
42562
42563 spin_lock(&object->lock);
42564 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
42565- fscache_stat(&fscache_n_object_lookups_negative);
42566+ fscache_stat_unchecked(&fscache_n_object_lookups_negative);
42567
42568 /* transit here to allow write requests to begin stacking up
42569 * and read requests to begin returning ENODATA */
42570@@ -541,7 +541,7 @@ void fscache_obtained_object(struct fsca
42571 * result, in which case there may be data available */
42572 spin_lock(&object->lock);
42573 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
42574- fscache_stat(&fscache_n_object_lookups_positive);
42575+ fscache_stat_unchecked(&fscache_n_object_lookups_positive);
42576
42577 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
42578
42579@@ -555,7 +555,7 @@ void fscache_obtained_object(struct fsca
42580 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
42581 } else {
42582 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
42583- fscache_stat(&fscache_n_object_created);
42584+ fscache_stat_unchecked(&fscache_n_object_created);
42585
42586 object->state = FSCACHE_OBJECT_AVAILABLE;
42587 spin_unlock(&object->lock);
42588@@ -602,7 +602,7 @@ static void fscache_object_available(str
42589 fscache_enqueue_dependents(object);
42590
42591 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
42592- fscache_stat(&fscache_n_object_avail);
42593+ fscache_stat_unchecked(&fscache_n_object_avail);
42594
42595 _leave("");
42596 }
42597@@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
42598 enum fscache_checkaux result;
42599
42600 if (!object->cookie->def->check_aux) {
42601- fscache_stat(&fscache_n_checkaux_none);
42602+ fscache_stat_unchecked(&fscache_n_checkaux_none);
42603 return FSCACHE_CHECKAUX_OKAY;
42604 }
42605
42606@@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
42607 switch (result) {
42608 /* entry okay as is */
42609 case FSCACHE_CHECKAUX_OKAY:
42610- fscache_stat(&fscache_n_checkaux_okay);
42611+ fscache_stat_unchecked(&fscache_n_checkaux_okay);
42612 break;
42613
42614 /* entry requires update */
42615 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
42616- fscache_stat(&fscache_n_checkaux_update);
42617+ fscache_stat_unchecked(&fscache_n_checkaux_update);
42618 break;
42619
42620 /* entry requires deletion */
42621 case FSCACHE_CHECKAUX_OBSOLETE:
42622- fscache_stat(&fscache_n_checkaux_obsolete);
42623+ fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
42624 break;
42625
42626 default:
42627diff -urNp linux-3.0.7/fs/fscache/operation.c linux-3.0.7/fs/fscache/operation.c
42628--- linux-3.0.7/fs/fscache/operation.c 2011-07-21 22:17:23.000000000 -0400
42629+++ linux-3.0.7/fs/fscache/operation.c 2011-08-23 21:47:56.000000000 -0400
42630@@ -17,7 +17,7 @@
42631 #include <linux/slab.h>
42632 #include "internal.h"
42633
42634-atomic_t fscache_op_debug_id;
42635+atomic_unchecked_t fscache_op_debug_id;
42636 EXPORT_SYMBOL(fscache_op_debug_id);
42637
42638 /**
42639@@ -38,7 +38,7 @@ void fscache_enqueue_operation(struct fs
42640 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
42641 ASSERTCMP(atomic_read(&op->usage), >, 0);
42642
42643- fscache_stat(&fscache_n_op_enqueue);
42644+ fscache_stat_unchecked(&fscache_n_op_enqueue);
42645 switch (op->flags & FSCACHE_OP_TYPE) {
42646 case FSCACHE_OP_ASYNC:
42647 _debug("queue async");
42648@@ -69,7 +69,7 @@ static void fscache_run_op(struct fscach
42649 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
42650 if (op->processor)
42651 fscache_enqueue_operation(op);
42652- fscache_stat(&fscache_n_op_run);
42653+ fscache_stat_unchecked(&fscache_n_op_run);
42654 }
42655
42656 /*
42657@@ -98,11 +98,11 @@ int fscache_submit_exclusive_op(struct f
42658 if (object->n_ops > 1) {
42659 atomic_inc(&op->usage);
42660 list_add_tail(&op->pend_link, &object->pending_ops);
42661- fscache_stat(&fscache_n_op_pend);
42662+ fscache_stat_unchecked(&fscache_n_op_pend);
42663 } else if (!list_empty(&object->pending_ops)) {
42664 atomic_inc(&op->usage);
42665 list_add_tail(&op->pend_link, &object->pending_ops);
42666- fscache_stat(&fscache_n_op_pend);
42667+ fscache_stat_unchecked(&fscache_n_op_pend);
42668 fscache_start_operations(object);
42669 } else {
42670 ASSERTCMP(object->n_in_progress, ==, 0);
42671@@ -118,7 +118,7 @@ int fscache_submit_exclusive_op(struct f
42672 object->n_exclusive++; /* reads and writes must wait */
42673 atomic_inc(&op->usage);
42674 list_add_tail(&op->pend_link, &object->pending_ops);
42675- fscache_stat(&fscache_n_op_pend);
42676+ fscache_stat_unchecked(&fscache_n_op_pend);
42677 ret = 0;
42678 } else {
42679 /* not allowed to submit ops in any other state */
42680@@ -203,11 +203,11 @@ int fscache_submit_op(struct fscache_obj
42681 if (object->n_exclusive > 0) {
42682 atomic_inc(&op->usage);
42683 list_add_tail(&op->pend_link, &object->pending_ops);
42684- fscache_stat(&fscache_n_op_pend);
42685+ fscache_stat_unchecked(&fscache_n_op_pend);
42686 } else if (!list_empty(&object->pending_ops)) {
42687 atomic_inc(&op->usage);
42688 list_add_tail(&op->pend_link, &object->pending_ops);
42689- fscache_stat(&fscache_n_op_pend);
42690+ fscache_stat_unchecked(&fscache_n_op_pend);
42691 fscache_start_operations(object);
42692 } else {
42693 ASSERTCMP(object->n_exclusive, ==, 0);
42694@@ -219,12 +219,12 @@ int fscache_submit_op(struct fscache_obj
42695 object->n_ops++;
42696 atomic_inc(&op->usage);
42697 list_add_tail(&op->pend_link, &object->pending_ops);
42698- fscache_stat(&fscache_n_op_pend);
42699+ fscache_stat_unchecked(&fscache_n_op_pend);
42700 ret = 0;
42701 } else if (object->state == FSCACHE_OBJECT_DYING ||
42702 object->state == FSCACHE_OBJECT_LC_DYING ||
42703 object->state == FSCACHE_OBJECT_WITHDRAWING) {
42704- fscache_stat(&fscache_n_op_rejected);
42705+ fscache_stat_unchecked(&fscache_n_op_rejected);
42706 ret = -ENOBUFS;
42707 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
42708 fscache_report_unexpected_submission(object, op, ostate);
42709@@ -294,7 +294,7 @@ int fscache_cancel_op(struct fscache_ope
42710
42711 ret = -EBUSY;
42712 if (!list_empty(&op->pend_link)) {
42713- fscache_stat(&fscache_n_op_cancelled);
42714+ fscache_stat_unchecked(&fscache_n_op_cancelled);
42715 list_del_init(&op->pend_link);
42716 object->n_ops--;
42717 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
42718@@ -331,7 +331,7 @@ void fscache_put_operation(struct fscach
42719 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
42720 BUG();
42721
42722- fscache_stat(&fscache_n_op_release);
42723+ fscache_stat_unchecked(&fscache_n_op_release);
42724
42725 if (op->release) {
42726 op->release(op);
42727@@ -348,7 +348,7 @@ void fscache_put_operation(struct fscach
42728 * lock, and defer it otherwise */
42729 if (!spin_trylock(&object->lock)) {
42730 _debug("defer put");
42731- fscache_stat(&fscache_n_op_deferred_release);
42732+ fscache_stat_unchecked(&fscache_n_op_deferred_release);
42733
42734 cache = object->cache;
42735 spin_lock(&cache->op_gc_list_lock);
42736@@ -410,7 +410,7 @@ void fscache_operation_gc(struct work_st
42737
42738 _debug("GC DEFERRED REL OBJ%x OP%x",
42739 object->debug_id, op->debug_id);
42740- fscache_stat(&fscache_n_op_gc);
42741+ fscache_stat_unchecked(&fscache_n_op_gc);
42742
42743 ASSERTCMP(atomic_read(&op->usage), ==, 0);
42744
42745diff -urNp linux-3.0.7/fs/fscache/page.c linux-3.0.7/fs/fscache/page.c
42746--- linux-3.0.7/fs/fscache/page.c 2011-07-21 22:17:23.000000000 -0400
42747+++ linux-3.0.7/fs/fscache/page.c 2011-08-23 21:47:56.000000000 -0400
42748@@ -60,7 +60,7 @@ bool __fscache_maybe_release_page(struct
42749 val = radix_tree_lookup(&cookie->stores, page->index);
42750 if (!val) {
42751 rcu_read_unlock();
42752- fscache_stat(&fscache_n_store_vmscan_not_storing);
42753+ fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
42754 __fscache_uncache_page(cookie, page);
42755 return true;
42756 }
42757@@ -90,11 +90,11 @@ bool __fscache_maybe_release_page(struct
42758 spin_unlock(&cookie->stores_lock);
42759
42760 if (xpage) {
42761- fscache_stat(&fscache_n_store_vmscan_cancelled);
42762- fscache_stat(&fscache_n_store_radix_deletes);
42763+ fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
42764+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
42765 ASSERTCMP(xpage, ==, page);
42766 } else {
42767- fscache_stat(&fscache_n_store_vmscan_gone);
42768+ fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
42769 }
42770
42771 wake_up_bit(&cookie->flags, 0);
42772@@ -107,7 +107,7 @@ page_busy:
42773 /* we might want to wait here, but that could deadlock the allocator as
42774 * the work threads writing to the cache may all end up sleeping
42775 * on memory allocation */
42776- fscache_stat(&fscache_n_store_vmscan_busy);
42777+ fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
42778 return false;
42779 }
42780 EXPORT_SYMBOL(__fscache_maybe_release_page);
42781@@ -131,7 +131,7 @@ static void fscache_end_page_write(struc
42782 FSCACHE_COOKIE_STORING_TAG);
42783 if (!radix_tree_tag_get(&cookie->stores, page->index,
42784 FSCACHE_COOKIE_PENDING_TAG)) {
42785- fscache_stat(&fscache_n_store_radix_deletes);
42786+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
42787 xpage = radix_tree_delete(&cookie->stores, page->index);
42788 }
42789 spin_unlock(&cookie->stores_lock);
42790@@ -152,7 +152,7 @@ static void fscache_attr_changed_op(stru
42791
42792 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
42793
42794- fscache_stat(&fscache_n_attr_changed_calls);
42795+ fscache_stat_unchecked(&fscache_n_attr_changed_calls);
42796
42797 if (fscache_object_is_active(object)) {
42798 fscache_stat(&fscache_n_cop_attr_changed);
42799@@ -177,11 +177,11 @@ int __fscache_attr_changed(struct fscach
42800
42801 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
42802
42803- fscache_stat(&fscache_n_attr_changed);
42804+ fscache_stat_unchecked(&fscache_n_attr_changed);
42805
42806 op = kzalloc(sizeof(*op), GFP_KERNEL);
42807 if (!op) {
42808- fscache_stat(&fscache_n_attr_changed_nomem);
42809+ fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
42810 _leave(" = -ENOMEM");
42811 return -ENOMEM;
42812 }
42813@@ -199,7 +199,7 @@ int __fscache_attr_changed(struct fscach
42814 if (fscache_submit_exclusive_op(object, op) < 0)
42815 goto nobufs;
42816 spin_unlock(&cookie->lock);
42817- fscache_stat(&fscache_n_attr_changed_ok);
42818+ fscache_stat_unchecked(&fscache_n_attr_changed_ok);
42819 fscache_put_operation(op);
42820 _leave(" = 0");
42821 return 0;
42822@@ -207,7 +207,7 @@ int __fscache_attr_changed(struct fscach
42823 nobufs:
42824 spin_unlock(&cookie->lock);
42825 kfree(op);
42826- fscache_stat(&fscache_n_attr_changed_nobufs);
42827+ fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
42828 _leave(" = %d", -ENOBUFS);
42829 return -ENOBUFS;
42830 }
42831@@ -243,7 +243,7 @@ static struct fscache_retrieval *fscache
42832 /* allocate a retrieval operation and attempt to submit it */
42833 op = kzalloc(sizeof(*op), GFP_NOIO);
42834 if (!op) {
42835- fscache_stat(&fscache_n_retrievals_nomem);
42836+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
42837 return NULL;
42838 }
42839
42840@@ -271,13 +271,13 @@ static int fscache_wait_for_deferred_loo
42841 return 0;
42842 }
42843
42844- fscache_stat(&fscache_n_retrievals_wait);
42845+ fscache_stat_unchecked(&fscache_n_retrievals_wait);
42846
42847 jif = jiffies;
42848 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
42849 fscache_wait_bit_interruptible,
42850 TASK_INTERRUPTIBLE) != 0) {
42851- fscache_stat(&fscache_n_retrievals_intr);
42852+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
42853 _leave(" = -ERESTARTSYS");
42854 return -ERESTARTSYS;
42855 }
42856@@ -295,8 +295,8 @@ static int fscache_wait_for_deferred_loo
42857 */
42858 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
42859 struct fscache_retrieval *op,
42860- atomic_t *stat_op_waits,
42861- atomic_t *stat_object_dead)
42862+ atomic_unchecked_t *stat_op_waits,
42863+ atomic_unchecked_t *stat_object_dead)
42864 {
42865 int ret;
42866
42867@@ -304,7 +304,7 @@ static int fscache_wait_for_retrieval_ac
42868 goto check_if_dead;
42869
42870 _debug(">>> WT");
42871- fscache_stat(stat_op_waits);
42872+ fscache_stat_unchecked(stat_op_waits);
42873 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
42874 fscache_wait_bit_interruptible,
42875 TASK_INTERRUPTIBLE) < 0) {
42876@@ -321,7 +321,7 @@ static int fscache_wait_for_retrieval_ac
42877
42878 check_if_dead:
42879 if (unlikely(fscache_object_is_dead(object))) {
42880- fscache_stat(stat_object_dead);
42881+ fscache_stat_unchecked(stat_object_dead);
42882 return -ENOBUFS;
42883 }
42884 return 0;
42885@@ -348,7 +348,7 @@ int __fscache_read_or_alloc_page(struct
42886
42887 _enter("%p,%p,,,", cookie, page);
42888
42889- fscache_stat(&fscache_n_retrievals);
42890+ fscache_stat_unchecked(&fscache_n_retrievals);
42891
42892 if (hlist_empty(&cookie->backing_objects))
42893 goto nobufs;
42894@@ -381,7 +381,7 @@ int __fscache_read_or_alloc_page(struct
42895 goto nobufs_unlock;
42896 spin_unlock(&cookie->lock);
42897
42898- fscache_stat(&fscache_n_retrieval_ops);
42899+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
42900
42901 /* pin the netfs read context in case we need to do the actual netfs
42902 * read because we've encountered a cache read failure */
42903@@ -411,15 +411,15 @@ int __fscache_read_or_alloc_page(struct
42904
42905 error:
42906 if (ret == -ENOMEM)
42907- fscache_stat(&fscache_n_retrievals_nomem);
42908+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
42909 else if (ret == -ERESTARTSYS)
42910- fscache_stat(&fscache_n_retrievals_intr);
42911+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
42912 else if (ret == -ENODATA)
42913- fscache_stat(&fscache_n_retrievals_nodata);
42914+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
42915 else if (ret < 0)
42916- fscache_stat(&fscache_n_retrievals_nobufs);
42917+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
42918 else
42919- fscache_stat(&fscache_n_retrievals_ok);
42920+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
42921
42922 fscache_put_retrieval(op);
42923 _leave(" = %d", ret);
42924@@ -429,7 +429,7 @@ nobufs_unlock:
42925 spin_unlock(&cookie->lock);
42926 kfree(op);
42927 nobufs:
42928- fscache_stat(&fscache_n_retrievals_nobufs);
42929+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
42930 _leave(" = -ENOBUFS");
42931 return -ENOBUFS;
42932 }
42933@@ -467,7 +467,7 @@ int __fscache_read_or_alloc_pages(struct
42934
42935 _enter("%p,,%d,,,", cookie, *nr_pages);
42936
42937- fscache_stat(&fscache_n_retrievals);
42938+ fscache_stat_unchecked(&fscache_n_retrievals);
42939
42940 if (hlist_empty(&cookie->backing_objects))
42941 goto nobufs;
42942@@ -497,7 +497,7 @@ int __fscache_read_or_alloc_pages(struct
42943 goto nobufs_unlock;
42944 spin_unlock(&cookie->lock);
42945
42946- fscache_stat(&fscache_n_retrieval_ops);
42947+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
42948
42949 /* pin the netfs read context in case we need to do the actual netfs
42950 * read because we've encountered a cache read failure */
42951@@ -527,15 +527,15 @@ int __fscache_read_or_alloc_pages(struct
42952
42953 error:
42954 if (ret == -ENOMEM)
42955- fscache_stat(&fscache_n_retrievals_nomem);
42956+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
42957 else if (ret == -ERESTARTSYS)
42958- fscache_stat(&fscache_n_retrievals_intr);
42959+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
42960 else if (ret == -ENODATA)
42961- fscache_stat(&fscache_n_retrievals_nodata);
42962+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
42963 else if (ret < 0)
42964- fscache_stat(&fscache_n_retrievals_nobufs);
42965+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
42966 else
42967- fscache_stat(&fscache_n_retrievals_ok);
42968+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
42969
42970 fscache_put_retrieval(op);
42971 _leave(" = %d", ret);
42972@@ -545,7 +545,7 @@ nobufs_unlock:
42973 spin_unlock(&cookie->lock);
42974 kfree(op);
42975 nobufs:
42976- fscache_stat(&fscache_n_retrievals_nobufs);
42977+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
42978 _leave(" = -ENOBUFS");
42979 return -ENOBUFS;
42980 }
42981@@ -569,7 +569,7 @@ int __fscache_alloc_page(struct fscache_
42982
42983 _enter("%p,%p,,,", cookie, page);
42984
42985- fscache_stat(&fscache_n_allocs);
42986+ fscache_stat_unchecked(&fscache_n_allocs);
42987
42988 if (hlist_empty(&cookie->backing_objects))
42989 goto nobufs;
42990@@ -595,7 +595,7 @@ int __fscache_alloc_page(struct fscache_
42991 goto nobufs_unlock;
42992 spin_unlock(&cookie->lock);
42993
42994- fscache_stat(&fscache_n_alloc_ops);
42995+ fscache_stat_unchecked(&fscache_n_alloc_ops);
42996
42997 ret = fscache_wait_for_retrieval_activation(
42998 object, op,
42999@@ -611,11 +611,11 @@ int __fscache_alloc_page(struct fscache_
43000
43001 error:
43002 if (ret == -ERESTARTSYS)
43003- fscache_stat(&fscache_n_allocs_intr);
43004+ fscache_stat_unchecked(&fscache_n_allocs_intr);
43005 else if (ret < 0)
43006- fscache_stat(&fscache_n_allocs_nobufs);
43007+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
43008 else
43009- fscache_stat(&fscache_n_allocs_ok);
43010+ fscache_stat_unchecked(&fscache_n_allocs_ok);
43011
43012 fscache_put_retrieval(op);
43013 _leave(" = %d", ret);
43014@@ -625,7 +625,7 @@ nobufs_unlock:
43015 spin_unlock(&cookie->lock);
43016 kfree(op);
43017 nobufs:
43018- fscache_stat(&fscache_n_allocs_nobufs);
43019+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
43020 _leave(" = -ENOBUFS");
43021 return -ENOBUFS;
43022 }
43023@@ -666,7 +666,7 @@ static void fscache_write_op(struct fsca
43024
43025 spin_lock(&cookie->stores_lock);
43026
43027- fscache_stat(&fscache_n_store_calls);
43028+ fscache_stat_unchecked(&fscache_n_store_calls);
43029
43030 /* find a page to store */
43031 page = NULL;
43032@@ -677,7 +677,7 @@ static void fscache_write_op(struct fsca
43033 page = results[0];
43034 _debug("gang %d [%lx]", n, page->index);
43035 if (page->index > op->store_limit) {
43036- fscache_stat(&fscache_n_store_pages_over_limit);
43037+ fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
43038 goto superseded;
43039 }
43040
43041@@ -689,7 +689,7 @@ static void fscache_write_op(struct fsca
43042 spin_unlock(&cookie->stores_lock);
43043 spin_unlock(&object->lock);
43044
43045- fscache_stat(&fscache_n_store_pages);
43046+ fscache_stat_unchecked(&fscache_n_store_pages);
43047 fscache_stat(&fscache_n_cop_write_page);
43048 ret = object->cache->ops->write_page(op, page);
43049 fscache_stat_d(&fscache_n_cop_write_page);
43050@@ -757,7 +757,7 @@ int __fscache_write_page(struct fscache_
43051 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
43052 ASSERT(PageFsCache(page));
43053
43054- fscache_stat(&fscache_n_stores);
43055+ fscache_stat_unchecked(&fscache_n_stores);
43056
43057 op = kzalloc(sizeof(*op), GFP_NOIO);
43058 if (!op)
43059@@ -808,7 +808,7 @@ int __fscache_write_page(struct fscache_
43060 spin_unlock(&cookie->stores_lock);
43061 spin_unlock(&object->lock);
43062
43063- op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
43064+ op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
43065 op->store_limit = object->store_limit;
43066
43067 if (fscache_submit_op(object, &op->op) < 0)
43068@@ -816,8 +816,8 @@ int __fscache_write_page(struct fscache_
43069
43070 spin_unlock(&cookie->lock);
43071 radix_tree_preload_end();
43072- fscache_stat(&fscache_n_store_ops);
43073- fscache_stat(&fscache_n_stores_ok);
43074+ fscache_stat_unchecked(&fscache_n_store_ops);
43075+ fscache_stat_unchecked(&fscache_n_stores_ok);
43076
43077 /* the work queue now carries its own ref on the object */
43078 fscache_put_operation(&op->op);
43079@@ -825,14 +825,14 @@ int __fscache_write_page(struct fscache_
43080 return 0;
43081
43082 already_queued:
43083- fscache_stat(&fscache_n_stores_again);
43084+ fscache_stat_unchecked(&fscache_n_stores_again);
43085 already_pending:
43086 spin_unlock(&cookie->stores_lock);
43087 spin_unlock(&object->lock);
43088 spin_unlock(&cookie->lock);
43089 radix_tree_preload_end();
43090 kfree(op);
43091- fscache_stat(&fscache_n_stores_ok);
43092+ fscache_stat_unchecked(&fscache_n_stores_ok);
43093 _leave(" = 0");
43094 return 0;
43095
43096@@ -851,14 +851,14 @@ nobufs:
43097 spin_unlock(&cookie->lock);
43098 radix_tree_preload_end();
43099 kfree(op);
43100- fscache_stat(&fscache_n_stores_nobufs);
43101+ fscache_stat_unchecked(&fscache_n_stores_nobufs);
43102 _leave(" = -ENOBUFS");
43103 return -ENOBUFS;
43104
43105 nomem_free:
43106 kfree(op);
43107 nomem:
43108- fscache_stat(&fscache_n_stores_oom);
43109+ fscache_stat_unchecked(&fscache_n_stores_oom);
43110 _leave(" = -ENOMEM");
43111 return -ENOMEM;
43112 }
43113@@ -876,7 +876,7 @@ void __fscache_uncache_page(struct fscac
43114 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
43115 ASSERTCMP(page, !=, NULL);
43116
43117- fscache_stat(&fscache_n_uncaches);
43118+ fscache_stat_unchecked(&fscache_n_uncaches);
43119
43120 /* cache withdrawal may beat us to it */
43121 if (!PageFsCache(page))
43122@@ -929,7 +929,7 @@ void fscache_mark_pages_cached(struct fs
43123 unsigned long loop;
43124
43125 #ifdef CONFIG_FSCACHE_STATS
43126- atomic_add(pagevec->nr, &fscache_n_marks);
43127+ atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
43128 #endif
43129
43130 for (loop = 0; loop < pagevec->nr; loop++) {
43131diff -urNp linux-3.0.7/fs/fscache/stats.c linux-3.0.7/fs/fscache/stats.c
43132--- linux-3.0.7/fs/fscache/stats.c 2011-07-21 22:17:23.000000000 -0400
43133+++ linux-3.0.7/fs/fscache/stats.c 2011-08-23 21:47:56.000000000 -0400
43134@@ -18,95 +18,95 @@
43135 /*
43136 * operation counters
43137 */
43138-atomic_t fscache_n_op_pend;
43139-atomic_t fscache_n_op_run;
43140-atomic_t fscache_n_op_enqueue;
43141-atomic_t fscache_n_op_requeue;
43142-atomic_t fscache_n_op_deferred_release;
43143-atomic_t fscache_n_op_release;
43144-atomic_t fscache_n_op_gc;
43145-atomic_t fscache_n_op_cancelled;
43146-atomic_t fscache_n_op_rejected;
43147-
43148-atomic_t fscache_n_attr_changed;
43149-atomic_t fscache_n_attr_changed_ok;
43150-atomic_t fscache_n_attr_changed_nobufs;
43151-atomic_t fscache_n_attr_changed_nomem;
43152-atomic_t fscache_n_attr_changed_calls;
43153-
43154-atomic_t fscache_n_allocs;
43155-atomic_t fscache_n_allocs_ok;
43156-atomic_t fscache_n_allocs_wait;
43157-atomic_t fscache_n_allocs_nobufs;
43158-atomic_t fscache_n_allocs_intr;
43159-atomic_t fscache_n_allocs_object_dead;
43160-atomic_t fscache_n_alloc_ops;
43161-atomic_t fscache_n_alloc_op_waits;
43162-
43163-atomic_t fscache_n_retrievals;
43164-atomic_t fscache_n_retrievals_ok;
43165-atomic_t fscache_n_retrievals_wait;
43166-atomic_t fscache_n_retrievals_nodata;
43167-atomic_t fscache_n_retrievals_nobufs;
43168-atomic_t fscache_n_retrievals_intr;
43169-atomic_t fscache_n_retrievals_nomem;
43170-atomic_t fscache_n_retrievals_object_dead;
43171-atomic_t fscache_n_retrieval_ops;
43172-atomic_t fscache_n_retrieval_op_waits;
43173-
43174-atomic_t fscache_n_stores;
43175-atomic_t fscache_n_stores_ok;
43176-atomic_t fscache_n_stores_again;
43177-atomic_t fscache_n_stores_nobufs;
43178-atomic_t fscache_n_stores_oom;
43179-atomic_t fscache_n_store_ops;
43180-atomic_t fscache_n_store_calls;
43181-atomic_t fscache_n_store_pages;
43182-atomic_t fscache_n_store_radix_deletes;
43183-atomic_t fscache_n_store_pages_over_limit;
43184-
43185-atomic_t fscache_n_store_vmscan_not_storing;
43186-atomic_t fscache_n_store_vmscan_gone;
43187-atomic_t fscache_n_store_vmscan_busy;
43188-atomic_t fscache_n_store_vmscan_cancelled;
43189-
43190-atomic_t fscache_n_marks;
43191-atomic_t fscache_n_uncaches;
43192-
43193-atomic_t fscache_n_acquires;
43194-atomic_t fscache_n_acquires_null;
43195-atomic_t fscache_n_acquires_no_cache;
43196-atomic_t fscache_n_acquires_ok;
43197-atomic_t fscache_n_acquires_nobufs;
43198-atomic_t fscache_n_acquires_oom;
43199-
43200-atomic_t fscache_n_updates;
43201-atomic_t fscache_n_updates_null;
43202-atomic_t fscache_n_updates_run;
43203-
43204-atomic_t fscache_n_relinquishes;
43205-atomic_t fscache_n_relinquishes_null;
43206-atomic_t fscache_n_relinquishes_waitcrt;
43207-atomic_t fscache_n_relinquishes_retire;
43208-
43209-atomic_t fscache_n_cookie_index;
43210-atomic_t fscache_n_cookie_data;
43211-atomic_t fscache_n_cookie_special;
43212-
43213-atomic_t fscache_n_object_alloc;
43214-atomic_t fscache_n_object_no_alloc;
43215-atomic_t fscache_n_object_lookups;
43216-atomic_t fscache_n_object_lookups_negative;
43217-atomic_t fscache_n_object_lookups_positive;
43218-atomic_t fscache_n_object_lookups_timed_out;
43219-atomic_t fscache_n_object_created;
43220-atomic_t fscache_n_object_avail;
43221-atomic_t fscache_n_object_dead;
43222-
43223-atomic_t fscache_n_checkaux_none;
43224-atomic_t fscache_n_checkaux_okay;
43225-atomic_t fscache_n_checkaux_update;
43226-atomic_t fscache_n_checkaux_obsolete;
43227+atomic_unchecked_t fscache_n_op_pend;
43228+atomic_unchecked_t fscache_n_op_run;
43229+atomic_unchecked_t fscache_n_op_enqueue;
43230+atomic_unchecked_t fscache_n_op_requeue;
43231+atomic_unchecked_t fscache_n_op_deferred_release;
43232+atomic_unchecked_t fscache_n_op_release;
43233+atomic_unchecked_t fscache_n_op_gc;
43234+atomic_unchecked_t fscache_n_op_cancelled;
43235+atomic_unchecked_t fscache_n_op_rejected;
43236+
43237+atomic_unchecked_t fscache_n_attr_changed;
43238+atomic_unchecked_t fscache_n_attr_changed_ok;
43239+atomic_unchecked_t fscache_n_attr_changed_nobufs;
43240+atomic_unchecked_t fscache_n_attr_changed_nomem;
43241+atomic_unchecked_t fscache_n_attr_changed_calls;
43242+
43243+atomic_unchecked_t fscache_n_allocs;
43244+atomic_unchecked_t fscache_n_allocs_ok;
43245+atomic_unchecked_t fscache_n_allocs_wait;
43246+atomic_unchecked_t fscache_n_allocs_nobufs;
43247+atomic_unchecked_t fscache_n_allocs_intr;
43248+atomic_unchecked_t fscache_n_allocs_object_dead;
43249+atomic_unchecked_t fscache_n_alloc_ops;
43250+atomic_unchecked_t fscache_n_alloc_op_waits;
43251+
43252+atomic_unchecked_t fscache_n_retrievals;
43253+atomic_unchecked_t fscache_n_retrievals_ok;
43254+atomic_unchecked_t fscache_n_retrievals_wait;
43255+atomic_unchecked_t fscache_n_retrievals_nodata;
43256+atomic_unchecked_t fscache_n_retrievals_nobufs;
43257+atomic_unchecked_t fscache_n_retrievals_intr;
43258+atomic_unchecked_t fscache_n_retrievals_nomem;
43259+atomic_unchecked_t fscache_n_retrievals_object_dead;
43260+atomic_unchecked_t fscache_n_retrieval_ops;
43261+atomic_unchecked_t fscache_n_retrieval_op_waits;
43262+
43263+atomic_unchecked_t fscache_n_stores;
43264+atomic_unchecked_t fscache_n_stores_ok;
43265+atomic_unchecked_t fscache_n_stores_again;
43266+atomic_unchecked_t fscache_n_stores_nobufs;
43267+atomic_unchecked_t fscache_n_stores_oom;
43268+atomic_unchecked_t fscache_n_store_ops;
43269+atomic_unchecked_t fscache_n_store_calls;
43270+atomic_unchecked_t fscache_n_store_pages;
43271+atomic_unchecked_t fscache_n_store_radix_deletes;
43272+atomic_unchecked_t fscache_n_store_pages_over_limit;
43273+
43274+atomic_unchecked_t fscache_n_store_vmscan_not_storing;
43275+atomic_unchecked_t fscache_n_store_vmscan_gone;
43276+atomic_unchecked_t fscache_n_store_vmscan_busy;
43277+atomic_unchecked_t fscache_n_store_vmscan_cancelled;
43278+
43279+atomic_unchecked_t fscache_n_marks;
43280+atomic_unchecked_t fscache_n_uncaches;
43281+
43282+atomic_unchecked_t fscache_n_acquires;
43283+atomic_unchecked_t fscache_n_acquires_null;
43284+atomic_unchecked_t fscache_n_acquires_no_cache;
43285+atomic_unchecked_t fscache_n_acquires_ok;
43286+atomic_unchecked_t fscache_n_acquires_nobufs;
43287+atomic_unchecked_t fscache_n_acquires_oom;
43288+
43289+atomic_unchecked_t fscache_n_updates;
43290+atomic_unchecked_t fscache_n_updates_null;
43291+atomic_unchecked_t fscache_n_updates_run;
43292+
43293+atomic_unchecked_t fscache_n_relinquishes;
43294+atomic_unchecked_t fscache_n_relinquishes_null;
43295+atomic_unchecked_t fscache_n_relinquishes_waitcrt;
43296+atomic_unchecked_t fscache_n_relinquishes_retire;
43297+
43298+atomic_unchecked_t fscache_n_cookie_index;
43299+atomic_unchecked_t fscache_n_cookie_data;
43300+atomic_unchecked_t fscache_n_cookie_special;
43301+
43302+atomic_unchecked_t fscache_n_object_alloc;
43303+atomic_unchecked_t fscache_n_object_no_alloc;
43304+atomic_unchecked_t fscache_n_object_lookups;
43305+atomic_unchecked_t fscache_n_object_lookups_negative;
43306+atomic_unchecked_t fscache_n_object_lookups_positive;
43307+atomic_unchecked_t fscache_n_object_lookups_timed_out;
43308+atomic_unchecked_t fscache_n_object_created;
43309+atomic_unchecked_t fscache_n_object_avail;
43310+atomic_unchecked_t fscache_n_object_dead;
43311+
43312+atomic_unchecked_t fscache_n_checkaux_none;
43313+atomic_unchecked_t fscache_n_checkaux_okay;
43314+atomic_unchecked_t fscache_n_checkaux_update;
43315+atomic_unchecked_t fscache_n_checkaux_obsolete;
43316
43317 atomic_t fscache_n_cop_alloc_object;
43318 atomic_t fscache_n_cop_lookup_object;
43319@@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
43320 seq_puts(m, "FS-Cache statistics\n");
43321
43322 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
43323- atomic_read(&fscache_n_cookie_index),
43324- atomic_read(&fscache_n_cookie_data),
43325- atomic_read(&fscache_n_cookie_special));
43326+ atomic_read_unchecked(&fscache_n_cookie_index),
43327+ atomic_read_unchecked(&fscache_n_cookie_data),
43328+ atomic_read_unchecked(&fscache_n_cookie_special));
43329
43330 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
43331- atomic_read(&fscache_n_object_alloc),
43332- atomic_read(&fscache_n_object_no_alloc),
43333- atomic_read(&fscache_n_object_avail),
43334- atomic_read(&fscache_n_object_dead));
43335+ atomic_read_unchecked(&fscache_n_object_alloc),
43336+ atomic_read_unchecked(&fscache_n_object_no_alloc),
43337+ atomic_read_unchecked(&fscache_n_object_avail),
43338+ atomic_read_unchecked(&fscache_n_object_dead));
43339 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
43340- atomic_read(&fscache_n_checkaux_none),
43341- atomic_read(&fscache_n_checkaux_okay),
43342- atomic_read(&fscache_n_checkaux_update),
43343- atomic_read(&fscache_n_checkaux_obsolete));
43344+ atomic_read_unchecked(&fscache_n_checkaux_none),
43345+ atomic_read_unchecked(&fscache_n_checkaux_okay),
43346+ atomic_read_unchecked(&fscache_n_checkaux_update),
43347+ atomic_read_unchecked(&fscache_n_checkaux_obsolete));
43348
43349 seq_printf(m, "Pages : mrk=%u unc=%u\n",
43350- atomic_read(&fscache_n_marks),
43351- atomic_read(&fscache_n_uncaches));
43352+ atomic_read_unchecked(&fscache_n_marks),
43353+ atomic_read_unchecked(&fscache_n_uncaches));
43354
43355 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
43356 " oom=%u\n",
43357- atomic_read(&fscache_n_acquires),
43358- atomic_read(&fscache_n_acquires_null),
43359- atomic_read(&fscache_n_acquires_no_cache),
43360- atomic_read(&fscache_n_acquires_ok),
43361- atomic_read(&fscache_n_acquires_nobufs),
43362- atomic_read(&fscache_n_acquires_oom));
43363+ atomic_read_unchecked(&fscache_n_acquires),
43364+ atomic_read_unchecked(&fscache_n_acquires_null),
43365+ atomic_read_unchecked(&fscache_n_acquires_no_cache),
43366+ atomic_read_unchecked(&fscache_n_acquires_ok),
43367+ atomic_read_unchecked(&fscache_n_acquires_nobufs),
43368+ atomic_read_unchecked(&fscache_n_acquires_oom));
43369
43370 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
43371- atomic_read(&fscache_n_object_lookups),
43372- atomic_read(&fscache_n_object_lookups_negative),
43373- atomic_read(&fscache_n_object_lookups_positive),
43374- atomic_read(&fscache_n_object_created),
43375- atomic_read(&fscache_n_object_lookups_timed_out));
43376+ atomic_read_unchecked(&fscache_n_object_lookups),
43377+ atomic_read_unchecked(&fscache_n_object_lookups_negative),
43378+ atomic_read_unchecked(&fscache_n_object_lookups_positive),
43379+ atomic_read_unchecked(&fscache_n_object_created),
43380+ atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
43381
43382 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
43383- atomic_read(&fscache_n_updates),
43384- atomic_read(&fscache_n_updates_null),
43385- atomic_read(&fscache_n_updates_run));
43386+ atomic_read_unchecked(&fscache_n_updates),
43387+ atomic_read_unchecked(&fscache_n_updates_null),
43388+ atomic_read_unchecked(&fscache_n_updates_run));
43389
43390 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
43391- atomic_read(&fscache_n_relinquishes),
43392- atomic_read(&fscache_n_relinquishes_null),
43393- atomic_read(&fscache_n_relinquishes_waitcrt),
43394- atomic_read(&fscache_n_relinquishes_retire));
43395+ atomic_read_unchecked(&fscache_n_relinquishes),
43396+ atomic_read_unchecked(&fscache_n_relinquishes_null),
43397+ atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
43398+ atomic_read_unchecked(&fscache_n_relinquishes_retire));
43399
43400 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
43401- atomic_read(&fscache_n_attr_changed),
43402- atomic_read(&fscache_n_attr_changed_ok),
43403- atomic_read(&fscache_n_attr_changed_nobufs),
43404- atomic_read(&fscache_n_attr_changed_nomem),
43405- atomic_read(&fscache_n_attr_changed_calls));
43406+ atomic_read_unchecked(&fscache_n_attr_changed),
43407+ atomic_read_unchecked(&fscache_n_attr_changed_ok),
43408+ atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
43409+ atomic_read_unchecked(&fscache_n_attr_changed_nomem),
43410+ atomic_read_unchecked(&fscache_n_attr_changed_calls));
43411
43412 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
43413- atomic_read(&fscache_n_allocs),
43414- atomic_read(&fscache_n_allocs_ok),
43415- atomic_read(&fscache_n_allocs_wait),
43416- atomic_read(&fscache_n_allocs_nobufs),
43417- atomic_read(&fscache_n_allocs_intr));
43418+ atomic_read_unchecked(&fscache_n_allocs),
43419+ atomic_read_unchecked(&fscache_n_allocs_ok),
43420+ atomic_read_unchecked(&fscache_n_allocs_wait),
43421+ atomic_read_unchecked(&fscache_n_allocs_nobufs),
43422+ atomic_read_unchecked(&fscache_n_allocs_intr));
43423 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
43424- atomic_read(&fscache_n_alloc_ops),
43425- atomic_read(&fscache_n_alloc_op_waits),
43426- atomic_read(&fscache_n_allocs_object_dead));
43427+ atomic_read_unchecked(&fscache_n_alloc_ops),
43428+ atomic_read_unchecked(&fscache_n_alloc_op_waits),
43429+ atomic_read_unchecked(&fscache_n_allocs_object_dead));
43430
43431 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
43432 " int=%u oom=%u\n",
43433- atomic_read(&fscache_n_retrievals),
43434- atomic_read(&fscache_n_retrievals_ok),
43435- atomic_read(&fscache_n_retrievals_wait),
43436- atomic_read(&fscache_n_retrievals_nodata),
43437- atomic_read(&fscache_n_retrievals_nobufs),
43438- atomic_read(&fscache_n_retrievals_intr),
43439- atomic_read(&fscache_n_retrievals_nomem));
43440+ atomic_read_unchecked(&fscache_n_retrievals),
43441+ atomic_read_unchecked(&fscache_n_retrievals_ok),
43442+ atomic_read_unchecked(&fscache_n_retrievals_wait),
43443+ atomic_read_unchecked(&fscache_n_retrievals_nodata),
43444+ atomic_read_unchecked(&fscache_n_retrievals_nobufs),
43445+ atomic_read_unchecked(&fscache_n_retrievals_intr),
43446+ atomic_read_unchecked(&fscache_n_retrievals_nomem));
43447 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
43448- atomic_read(&fscache_n_retrieval_ops),
43449- atomic_read(&fscache_n_retrieval_op_waits),
43450- atomic_read(&fscache_n_retrievals_object_dead));
43451+ atomic_read_unchecked(&fscache_n_retrieval_ops),
43452+ atomic_read_unchecked(&fscache_n_retrieval_op_waits),
43453+ atomic_read_unchecked(&fscache_n_retrievals_object_dead));
43454
43455 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
43456- atomic_read(&fscache_n_stores),
43457- atomic_read(&fscache_n_stores_ok),
43458- atomic_read(&fscache_n_stores_again),
43459- atomic_read(&fscache_n_stores_nobufs),
43460- atomic_read(&fscache_n_stores_oom));
43461+ atomic_read_unchecked(&fscache_n_stores),
43462+ atomic_read_unchecked(&fscache_n_stores_ok),
43463+ atomic_read_unchecked(&fscache_n_stores_again),
43464+ atomic_read_unchecked(&fscache_n_stores_nobufs),
43465+ atomic_read_unchecked(&fscache_n_stores_oom));
43466 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
43467- atomic_read(&fscache_n_store_ops),
43468- atomic_read(&fscache_n_store_calls),
43469- atomic_read(&fscache_n_store_pages),
43470- atomic_read(&fscache_n_store_radix_deletes),
43471- atomic_read(&fscache_n_store_pages_over_limit));
43472+ atomic_read_unchecked(&fscache_n_store_ops),
43473+ atomic_read_unchecked(&fscache_n_store_calls),
43474+ atomic_read_unchecked(&fscache_n_store_pages),
43475+ atomic_read_unchecked(&fscache_n_store_radix_deletes),
43476+ atomic_read_unchecked(&fscache_n_store_pages_over_limit));
43477
43478 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
43479- atomic_read(&fscache_n_store_vmscan_not_storing),
43480- atomic_read(&fscache_n_store_vmscan_gone),
43481- atomic_read(&fscache_n_store_vmscan_busy),
43482- atomic_read(&fscache_n_store_vmscan_cancelled));
43483+ atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
43484+ atomic_read_unchecked(&fscache_n_store_vmscan_gone),
43485+ atomic_read_unchecked(&fscache_n_store_vmscan_busy),
43486+ atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
43487
43488 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
43489- atomic_read(&fscache_n_op_pend),
43490- atomic_read(&fscache_n_op_run),
43491- atomic_read(&fscache_n_op_enqueue),
43492- atomic_read(&fscache_n_op_cancelled),
43493- atomic_read(&fscache_n_op_rejected));
43494+ atomic_read_unchecked(&fscache_n_op_pend),
43495+ atomic_read_unchecked(&fscache_n_op_run),
43496+ atomic_read_unchecked(&fscache_n_op_enqueue),
43497+ atomic_read_unchecked(&fscache_n_op_cancelled),
43498+ atomic_read_unchecked(&fscache_n_op_rejected));
43499 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
43500- atomic_read(&fscache_n_op_deferred_release),
43501- atomic_read(&fscache_n_op_release),
43502- atomic_read(&fscache_n_op_gc));
43503+ atomic_read_unchecked(&fscache_n_op_deferred_release),
43504+ atomic_read_unchecked(&fscache_n_op_release),
43505+ atomic_read_unchecked(&fscache_n_op_gc));
43506
43507 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
43508 atomic_read(&fscache_n_cop_alloc_object),
43509diff -urNp linux-3.0.7/fs/fuse/cuse.c linux-3.0.7/fs/fuse/cuse.c
43510--- linux-3.0.7/fs/fuse/cuse.c 2011-07-21 22:17:23.000000000 -0400
43511+++ linux-3.0.7/fs/fuse/cuse.c 2011-08-23 21:47:56.000000000 -0400
43512@@ -586,10 +586,12 @@ static int __init cuse_init(void)
43513 INIT_LIST_HEAD(&cuse_conntbl[i]);
43514
43515 /* inherit and extend fuse_dev_operations */
43516- cuse_channel_fops = fuse_dev_operations;
43517- cuse_channel_fops.owner = THIS_MODULE;
43518- cuse_channel_fops.open = cuse_channel_open;
43519- cuse_channel_fops.release = cuse_channel_release;
43520+ pax_open_kernel();
43521+ memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
43522+ *(void **)&cuse_channel_fops.owner = THIS_MODULE;
43523+ *(void **)&cuse_channel_fops.open = cuse_channel_open;
43524+ *(void **)&cuse_channel_fops.release = cuse_channel_release;
43525+ pax_close_kernel();
43526
43527 cuse_class = class_create(THIS_MODULE, "cuse");
43528 if (IS_ERR(cuse_class))
43529diff -urNp linux-3.0.7/fs/fuse/dev.c linux-3.0.7/fs/fuse/dev.c
43530--- linux-3.0.7/fs/fuse/dev.c 2011-09-02 18:11:26.000000000 -0400
43531+++ linux-3.0.7/fs/fuse/dev.c 2011-08-29 23:26:27.000000000 -0400
43532@@ -1238,7 +1238,7 @@ static ssize_t fuse_dev_splice_read(stru
43533 ret = 0;
43534 pipe_lock(pipe);
43535
43536- if (!pipe->readers) {
43537+ if (!atomic_read(&pipe->readers)) {
43538 send_sig(SIGPIPE, current, 0);
43539 if (!ret)
43540 ret = -EPIPE;
43541diff -urNp linux-3.0.7/fs/fuse/dir.c linux-3.0.7/fs/fuse/dir.c
43542--- linux-3.0.7/fs/fuse/dir.c 2011-07-21 22:17:23.000000000 -0400
43543+++ linux-3.0.7/fs/fuse/dir.c 2011-08-23 21:47:56.000000000 -0400
43544@@ -1148,7 +1148,7 @@ static char *read_link(struct dentry *de
43545 return link;
43546 }
43547
43548-static void free_link(char *link)
43549+static void free_link(const char *link)
43550 {
43551 if (!IS_ERR(link))
43552 free_page((unsigned long) link);
43553diff -urNp linux-3.0.7/fs/gfs2/inode.c linux-3.0.7/fs/gfs2/inode.c
43554--- linux-3.0.7/fs/gfs2/inode.c 2011-07-21 22:17:23.000000000 -0400
43555+++ linux-3.0.7/fs/gfs2/inode.c 2011-08-23 21:47:56.000000000 -0400
43556@@ -1525,7 +1525,7 @@ out:
43557
43558 static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43559 {
43560- char *s = nd_get_link(nd);
43561+ const char *s = nd_get_link(nd);
43562 if (!IS_ERR(s))
43563 kfree(s);
43564 }
43565diff -urNp linux-3.0.7/fs/hfsplus/catalog.c linux-3.0.7/fs/hfsplus/catalog.c
43566--- linux-3.0.7/fs/hfsplus/catalog.c 2011-07-21 22:17:23.000000000 -0400
43567+++ linux-3.0.7/fs/hfsplus/catalog.c 2011-08-23 21:48:14.000000000 -0400
43568@@ -179,6 +179,8 @@ int hfsplus_find_cat(struct super_block
43569 int err;
43570 u16 type;
43571
43572+ pax_track_stack();
43573+
43574 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
43575 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
43576 if (err)
43577@@ -210,6 +212,8 @@ int hfsplus_create_cat(u32 cnid, struct
43578 int entry_size;
43579 int err;
43580
43581+ pax_track_stack();
43582+
43583 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n",
43584 str->name, cnid, inode->i_nlink);
43585 hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
43586@@ -349,6 +353,8 @@ int hfsplus_rename_cat(u32 cnid,
43587 int entry_size, type;
43588 int err = 0;
43589
43590+ pax_track_stack();
43591+
43592 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n",
43593 cnid, src_dir->i_ino, src_name->name,
43594 dst_dir->i_ino, dst_name->name);
43595diff -urNp linux-3.0.7/fs/hfsplus/dir.c linux-3.0.7/fs/hfsplus/dir.c
43596--- linux-3.0.7/fs/hfsplus/dir.c 2011-07-21 22:17:23.000000000 -0400
43597+++ linux-3.0.7/fs/hfsplus/dir.c 2011-08-23 21:48:14.000000000 -0400
43598@@ -129,6 +129,8 @@ static int hfsplus_readdir(struct file *
43599 struct hfsplus_readdir_data *rd;
43600 u16 type;
43601
43602+ pax_track_stack();
43603+
43604 if (filp->f_pos >= inode->i_size)
43605 return 0;
43606
43607diff -urNp linux-3.0.7/fs/hfsplus/inode.c linux-3.0.7/fs/hfsplus/inode.c
43608--- linux-3.0.7/fs/hfsplus/inode.c 2011-07-21 22:17:23.000000000 -0400
43609+++ linux-3.0.7/fs/hfsplus/inode.c 2011-08-23 21:48:14.000000000 -0400
43610@@ -489,6 +489,8 @@ int hfsplus_cat_read_inode(struct inode
43611 int res = 0;
43612 u16 type;
43613
43614+ pax_track_stack();
43615+
43616 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
43617
43618 HFSPLUS_I(inode)->linkid = 0;
43619@@ -552,6 +554,8 @@ int hfsplus_cat_write_inode(struct inode
43620 struct hfs_find_data fd;
43621 hfsplus_cat_entry entry;
43622
43623+ pax_track_stack();
43624+
43625 if (HFSPLUS_IS_RSRC(inode))
43626 main_inode = HFSPLUS_I(inode)->rsrc_inode;
43627
43628diff -urNp linux-3.0.7/fs/hfsplus/ioctl.c linux-3.0.7/fs/hfsplus/ioctl.c
43629--- linux-3.0.7/fs/hfsplus/ioctl.c 2011-07-21 22:17:23.000000000 -0400
43630+++ linux-3.0.7/fs/hfsplus/ioctl.c 2011-08-23 21:48:14.000000000 -0400
43631@@ -122,6 +122,8 @@ int hfsplus_setxattr(struct dentry *dent
43632 struct hfsplus_cat_file *file;
43633 int res;
43634
43635+ pax_track_stack();
43636+
43637 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
43638 return -EOPNOTSUPP;
43639
43640@@ -166,6 +168,8 @@ ssize_t hfsplus_getxattr(struct dentry *
43641 struct hfsplus_cat_file *file;
43642 ssize_t res = 0;
43643
43644+ pax_track_stack();
43645+
43646 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
43647 return -EOPNOTSUPP;
43648
43649diff -urNp linux-3.0.7/fs/hfsplus/super.c linux-3.0.7/fs/hfsplus/super.c
43650--- linux-3.0.7/fs/hfsplus/super.c 2011-07-21 22:17:23.000000000 -0400
43651+++ linux-3.0.7/fs/hfsplus/super.c 2011-08-23 21:48:14.000000000 -0400
43652@@ -340,6 +340,8 @@ static int hfsplus_fill_super(struct sup
43653 struct nls_table *nls = NULL;
43654 int err;
43655
43656+ pax_track_stack();
43657+
43658 err = -EINVAL;
43659 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
43660 if (!sbi)
43661diff -urNp linux-3.0.7/fs/hugetlbfs/inode.c linux-3.0.7/fs/hugetlbfs/inode.c
43662--- linux-3.0.7/fs/hugetlbfs/inode.c 2011-07-21 22:17:23.000000000 -0400
43663+++ linux-3.0.7/fs/hugetlbfs/inode.c 2011-08-23 21:48:14.000000000 -0400
43664@@ -914,7 +914,7 @@ static struct file_system_type hugetlbfs
43665 .kill_sb = kill_litter_super,
43666 };
43667
43668-static struct vfsmount *hugetlbfs_vfsmount;
43669+struct vfsmount *hugetlbfs_vfsmount;
43670
43671 static int can_do_hugetlb_shm(void)
43672 {
43673diff -urNp linux-3.0.7/fs/inode.c linux-3.0.7/fs/inode.c
43674--- linux-3.0.7/fs/inode.c 2011-07-21 22:17:23.000000000 -0400
43675+++ linux-3.0.7/fs/inode.c 2011-08-23 21:47:56.000000000 -0400
43676@@ -829,8 +829,8 @@ unsigned int get_next_ino(void)
43677
43678 #ifdef CONFIG_SMP
43679 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
43680- static atomic_t shared_last_ino;
43681- int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
43682+ static atomic_unchecked_t shared_last_ino;
43683+ int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
43684
43685 res = next - LAST_INO_BATCH;
43686 }
43687diff -urNp linux-3.0.7/fs/jbd/checkpoint.c linux-3.0.7/fs/jbd/checkpoint.c
43688--- linux-3.0.7/fs/jbd/checkpoint.c 2011-07-21 22:17:23.000000000 -0400
43689+++ linux-3.0.7/fs/jbd/checkpoint.c 2011-08-23 21:48:14.000000000 -0400
43690@@ -350,6 +350,8 @@ int log_do_checkpoint(journal_t *journal
43691 tid_t this_tid;
43692 int result;
43693
43694+ pax_track_stack();
43695+
43696 jbd_debug(1, "Start checkpoint\n");
43697
43698 /*
43699diff -urNp linux-3.0.7/fs/jffs2/compr_rtime.c linux-3.0.7/fs/jffs2/compr_rtime.c
43700--- linux-3.0.7/fs/jffs2/compr_rtime.c 2011-07-21 22:17:23.000000000 -0400
43701+++ linux-3.0.7/fs/jffs2/compr_rtime.c 2011-08-23 21:48:14.000000000 -0400
43702@@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
43703 int outpos = 0;
43704 int pos=0;
43705
43706+ pax_track_stack();
43707+
43708 memset(positions,0,sizeof(positions));
43709
43710 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
43711@@ -78,6 +80,8 @@ static int jffs2_rtime_decompress(unsign
43712 int outpos = 0;
43713 int pos=0;
43714
43715+ pax_track_stack();
43716+
43717 memset(positions,0,sizeof(positions));
43718
43719 while (outpos<destlen) {
43720diff -urNp linux-3.0.7/fs/jffs2/compr_rubin.c linux-3.0.7/fs/jffs2/compr_rubin.c
43721--- linux-3.0.7/fs/jffs2/compr_rubin.c 2011-07-21 22:17:23.000000000 -0400
43722+++ linux-3.0.7/fs/jffs2/compr_rubin.c 2011-08-23 21:48:14.000000000 -0400
43723@@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
43724 int ret;
43725 uint32_t mysrclen, mydstlen;
43726
43727+ pax_track_stack();
43728+
43729 mysrclen = *sourcelen;
43730 mydstlen = *dstlen - 8;
43731
43732diff -urNp linux-3.0.7/fs/jffs2/erase.c linux-3.0.7/fs/jffs2/erase.c
43733--- linux-3.0.7/fs/jffs2/erase.c 2011-07-21 22:17:23.000000000 -0400
43734+++ linux-3.0.7/fs/jffs2/erase.c 2011-08-23 21:47:56.000000000 -0400
43735@@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
43736 struct jffs2_unknown_node marker = {
43737 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
43738 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
43739- .totlen = cpu_to_je32(c->cleanmarker_size)
43740+ .totlen = cpu_to_je32(c->cleanmarker_size),
43741+ .hdr_crc = cpu_to_je32(0)
43742 };
43743
43744 jffs2_prealloc_raw_node_refs(c, jeb, 1);
43745diff -urNp linux-3.0.7/fs/jffs2/wbuf.c linux-3.0.7/fs/jffs2/wbuf.c
43746--- linux-3.0.7/fs/jffs2/wbuf.c 2011-07-21 22:17:23.000000000 -0400
43747+++ linux-3.0.7/fs/jffs2/wbuf.c 2011-08-23 21:47:56.000000000 -0400
43748@@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
43749 {
43750 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
43751 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
43752- .totlen = constant_cpu_to_je32(8)
43753+ .totlen = constant_cpu_to_je32(8),
43754+ .hdr_crc = constant_cpu_to_je32(0)
43755 };
43756
43757 /*
43758diff -urNp linux-3.0.7/fs/jffs2/xattr.c linux-3.0.7/fs/jffs2/xattr.c
43759--- linux-3.0.7/fs/jffs2/xattr.c 2011-07-21 22:17:23.000000000 -0400
43760+++ linux-3.0.7/fs/jffs2/xattr.c 2011-08-23 21:48:14.000000000 -0400
43761@@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
43762
43763 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
43764
43765+ pax_track_stack();
43766+
43767 /* Phase.1 : Merge same xref */
43768 for (i=0; i < XREF_TMPHASH_SIZE; i++)
43769 xref_tmphash[i] = NULL;
43770diff -urNp linux-3.0.7/fs/jfs/super.c linux-3.0.7/fs/jfs/super.c
43771--- linux-3.0.7/fs/jfs/super.c 2011-07-21 22:17:23.000000000 -0400
43772+++ linux-3.0.7/fs/jfs/super.c 2011-08-23 21:47:56.000000000 -0400
43773@@ -803,7 +803,7 @@ static int __init init_jfs_fs(void)
43774
43775 jfs_inode_cachep =
43776 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
43777- SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
43778+ SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
43779 init_once);
43780 if (jfs_inode_cachep == NULL)
43781 return -ENOMEM;
43782diff -urNp linux-3.0.7/fs/libfs.c linux-3.0.7/fs/libfs.c
43783--- linux-3.0.7/fs/libfs.c 2011-07-21 22:17:23.000000000 -0400
43784+++ linux-3.0.7/fs/libfs.c 2011-08-23 21:47:56.000000000 -0400
43785@@ -163,6 +163,9 @@ int dcache_readdir(struct file * filp, v
43786
43787 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
43788 struct dentry *next;
43789+ char d_name[sizeof(next->d_iname)];
43790+ const unsigned char *name;
43791+
43792 next = list_entry(p, struct dentry, d_u.d_child);
43793 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
43794 if (!simple_positive(next)) {
43795@@ -172,7 +175,12 @@ int dcache_readdir(struct file * filp, v
43796
43797 spin_unlock(&next->d_lock);
43798 spin_unlock(&dentry->d_lock);
43799- if (filldir(dirent, next->d_name.name,
43800+ name = next->d_name.name;
43801+ if (name == next->d_iname) {
43802+ memcpy(d_name, name, next->d_name.len);
43803+ name = d_name;
43804+ }
43805+ if (filldir(dirent, name,
43806 next->d_name.len, filp->f_pos,
43807 next->d_inode->i_ino,
43808 dt_type(next->d_inode)) < 0)
43809diff -urNp linux-3.0.7/fs/lockd/clntproc.c linux-3.0.7/fs/lockd/clntproc.c
43810--- linux-3.0.7/fs/lockd/clntproc.c 2011-07-21 22:17:23.000000000 -0400
43811+++ linux-3.0.7/fs/lockd/clntproc.c 2011-08-23 21:48:14.000000000 -0400
43812@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
43813 /*
43814 * Cookie counter for NLM requests
43815 */
43816-static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
43817+static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
43818
43819 void nlmclnt_next_cookie(struct nlm_cookie *c)
43820 {
43821- u32 cookie = atomic_inc_return(&nlm_cookie);
43822+ u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
43823
43824 memcpy(c->data, &cookie, 4);
43825 c->len=4;
43826@@ -620,6 +620,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
43827 struct nlm_rqst reqst, *req;
43828 int status;
43829
43830+ pax_track_stack();
43831+
43832 req = &reqst;
43833 memset(req, 0, sizeof(*req));
43834 locks_init_lock(&req->a_args.lock.fl);
43835diff -urNp linux-3.0.7/fs/locks.c linux-3.0.7/fs/locks.c
43836--- linux-3.0.7/fs/locks.c 2011-07-21 22:17:23.000000000 -0400
43837+++ linux-3.0.7/fs/locks.c 2011-08-23 21:47:56.000000000 -0400
43838@@ -2043,16 +2043,16 @@ void locks_remove_flock(struct file *fil
43839 return;
43840
43841 if (filp->f_op && filp->f_op->flock) {
43842- struct file_lock fl = {
43843+ struct file_lock flock = {
43844 .fl_pid = current->tgid,
43845 .fl_file = filp,
43846 .fl_flags = FL_FLOCK,
43847 .fl_type = F_UNLCK,
43848 .fl_end = OFFSET_MAX,
43849 };
43850- filp->f_op->flock(filp, F_SETLKW, &fl);
43851- if (fl.fl_ops && fl.fl_ops->fl_release_private)
43852- fl.fl_ops->fl_release_private(&fl);
43853+ filp->f_op->flock(filp, F_SETLKW, &flock);
43854+ if (flock.fl_ops && flock.fl_ops->fl_release_private)
43855+ flock.fl_ops->fl_release_private(&flock);
43856 }
43857
43858 lock_flocks();
43859diff -urNp linux-3.0.7/fs/logfs/super.c linux-3.0.7/fs/logfs/super.c
43860--- linux-3.0.7/fs/logfs/super.c 2011-07-21 22:17:23.000000000 -0400
43861+++ linux-3.0.7/fs/logfs/super.c 2011-08-23 21:48:14.000000000 -0400
43862@@ -266,6 +266,8 @@ static int logfs_recover_sb(struct super
43863 struct logfs_disk_super _ds1, *ds1 = &_ds1;
43864 int err, valid0, valid1;
43865
43866+ pax_track_stack();
43867+
43868 /* read first superblock */
43869 err = wbuf_read(sb, super->s_sb_ofs[0], sizeof(*ds0), ds0);
43870 if (err)
43871diff -urNp linux-3.0.7/fs/namei.c linux-3.0.7/fs/namei.c
43872--- linux-3.0.7/fs/namei.c 2011-10-16 21:54:54.000000000 -0400
43873+++ linux-3.0.7/fs/namei.c 2011-10-19 10:09:26.000000000 -0400
43874@@ -237,21 +237,23 @@ int generic_permission(struct inode *ino
43875 return ret;
43876
43877 /*
43878- * Read/write DACs are always overridable.
43879- * Executable DACs are overridable for all directories and
43880- * for non-directories that have least one exec bit set.
43881+ * Searching includes executable on directories, else just read.
43882 */
43883- if (!(mask & MAY_EXEC) || execute_ok(inode))
43884- if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
43885+ mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
43886+ if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) {
43887+ if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
43888 return 0;
43889+ }
43890
43891 /*
43892- * Searching includes executable on directories, else just read.
43893+ * Read/write DACs are always overridable.
43894+ * Executable DACs are overridable for all directories and
43895+ * for non-directories that have least one exec bit set.
43896 */
43897- mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
43898- if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
43899- if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
43900+ if (!(mask & MAY_EXEC) || execute_ok(inode)) {
43901+ if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
43902 return 0;
43903+ }
43904
43905 return -EACCES;
43906 }
43907@@ -593,9 +595,12 @@ static inline int exec_permission(struct
43908 if (ret == -ECHILD)
43909 return ret;
43910
43911- if (ns_capable(ns, CAP_DAC_OVERRIDE) ||
43912- ns_capable(ns, CAP_DAC_READ_SEARCH))
43913+ if (ns_capable_nolog(ns, CAP_DAC_OVERRIDE))
43914 goto ok;
43915+ else {
43916+ if (ns_capable(ns, CAP_DAC_READ_SEARCH) || ns_capable(ns, CAP_DAC_OVERRIDE))
43917+ goto ok;
43918+ }
43919
43920 return ret;
43921 ok:
43922@@ -703,11 +708,19 @@ follow_link(struct path *link, struct na
43923 return error;
43924 }
43925
43926+ if (gr_handle_follow_link(dentry->d_parent->d_inode,
43927+ dentry->d_inode, dentry, nd->path.mnt)) {
43928+ error = -EACCES;
43929+ *p = ERR_PTR(error); /* no ->put_link(), please */
43930+ path_put(&nd->path);
43931+ return error;
43932+ }
43933+
43934 nd->last_type = LAST_BIND;
43935 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
43936 error = PTR_ERR(*p);
43937 if (!IS_ERR(*p)) {
43938- char *s = nd_get_link(nd);
43939+ const char *s = nd_get_link(nd);
43940 error = 0;
43941 if (s)
43942 error = __vfs_follow_link(nd, s);
43943@@ -1598,6 +1611,12 @@ static int path_lookupat(int dfd, const
43944 if (!err)
43945 err = complete_walk(nd);
43946
43947+ if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
43948+ if (!err)
43949+ path_put(&nd->path);
43950+ err = -ENOENT;
43951+ }
43952+
43953 if (!err && nd->flags & LOOKUP_DIRECTORY) {
43954 if (!nd->inode->i_op->lookup) {
43955 path_put(&nd->path);
43956@@ -1625,6 +1644,9 @@ static int do_path_lookup(int dfd, const
43957 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
43958
43959 if (likely(!retval)) {
43960+ if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
43961+ return -ENOENT;
43962+
43963 if (unlikely(!audit_dummy_context())) {
43964 if (nd->path.dentry && nd->inode)
43965 audit_inode(name, nd->path.dentry);
43966@@ -1935,6 +1957,30 @@ int vfs_create(struct inode *dir, struct
43967 return error;
43968 }
43969
43970+/*
43971+ * Note that while the flag value (low two bits) for sys_open means:
43972+ * 00 - read-only
43973+ * 01 - write-only
43974+ * 10 - read-write
43975+ * 11 - special
43976+ * it is changed into
43977+ * 00 - no permissions needed
43978+ * 01 - read-permission
43979+ * 10 - write-permission
43980+ * 11 - read-write
43981+ * for the internal routines (ie open_namei()/follow_link() etc)
43982+ * This is more logical, and also allows the 00 "no perm needed"
43983+ * to be used for symlinks (where the permissions are checked
43984+ * later).
43985+ *
43986+*/
43987+static inline int open_to_namei_flags(int flag)
43988+{
43989+ if ((flag+1) & O_ACCMODE)
43990+ flag++;
43991+ return flag;
43992+}
43993+
43994 static int may_open(struct path *path, int acc_mode, int flag)
43995 {
43996 struct dentry *dentry = path->dentry;
43997@@ -1987,7 +2033,27 @@ static int may_open(struct path *path, i
43998 /*
43999 * Ensure there are no outstanding leases on the file.
44000 */
44001- return break_lease(inode, flag);
44002+ error = break_lease(inode, flag);
44003+
44004+ if (error)
44005+ return error;
44006+
44007+ if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
44008+ error = -EPERM;
44009+ goto exit;
44010+ }
44011+
44012+ if (gr_handle_rawio(inode)) {
44013+ error = -EPERM;
44014+ goto exit;
44015+ }
44016+
44017+ if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
44018+ error = -EACCES;
44019+ goto exit;
44020+ }
44021+exit:
44022+ return error;
44023 }
44024
44025 static int handle_truncate(struct file *filp)
44026@@ -2013,30 +2079,6 @@ static int handle_truncate(struct file *
44027 }
44028
44029 /*
44030- * Note that while the flag value (low two bits) for sys_open means:
44031- * 00 - read-only
44032- * 01 - write-only
44033- * 10 - read-write
44034- * 11 - special
44035- * it is changed into
44036- * 00 - no permissions needed
44037- * 01 - read-permission
44038- * 10 - write-permission
44039- * 11 - read-write
44040- * for the internal routines (ie open_namei()/follow_link() etc)
44041- * This is more logical, and also allows the 00 "no perm needed"
44042- * to be used for symlinks (where the permissions are checked
44043- * later).
44044- *
44045-*/
44046-static inline int open_to_namei_flags(int flag)
44047-{
44048- if ((flag+1) & O_ACCMODE)
44049- flag++;
44050- return flag;
44051-}
44052-
44053-/*
44054 * Handle the last step of open()
44055 */
44056 static struct file *do_last(struct nameidata *nd, struct path *path,
44057@@ -2045,6 +2087,7 @@ static struct file *do_last(struct namei
44058 struct dentry *dir = nd->path.dentry;
44059 struct dentry *dentry;
44060 int open_flag = op->open_flag;
44061+ int flag = open_to_namei_flags(open_flag);
44062 int will_truncate = open_flag & O_TRUNC;
44063 int want_write = 0;
44064 int acc_mode = op->acc_mode;
44065@@ -2065,6 +2108,10 @@ static struct file *do_last(struct namei
44066 error = complete_walk(nd);
44067 if (error)
44068 return ERR_PTR(error);
44069+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44070+ error = -ENOENT;
44071+ goto exit;
44072+ }
44073 audit_inode(pathname, nd->path.dentry);
44074 if (open_flag & O_CREAT) {
44075 error = -EISDIR;
44076@@ -2075,6 +2122,10 @@ static struct file *do_last(struct namei
44077 error = complete_walk(nd);
44078 if (error)
44079 return ERR_PTR(error);
44080+ if (!gr_acl_handle_hidden_file(dir, nd->path.mnt)) {
44081+ error = -ENOENT;
44082+ goto exit;
44083+ }
44084 audit_inode(pathname, dir);
44085 goto ok;
44086 }
44087@@ -2097,6 +2148,11 @@ static struct file *do_last(struct namei
44088 if (error)
44089 return ERR_PTR(-ECHILD);
44090
44091+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44092+ error = -ENOENT;
44093+ goto exit;
44094+ }
44095+
44096 error = -ENOTDIR;
44097 if (nd->flags & LOOKUP_DIRECTORY) {
44098 if (!nd->inode->i_op->lookup)
44099@@ -2132,6 +2188,12 @@ static struct file *do_last(struct namei
44100 /* Negative dentry, just create the file */
44101 if (!dentry->d_inode) {
44102 int mode = op->mode;
44103+
44104+ if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, flag, mode)) {
44105+ error = -EACCES;
44106+ goto exit_mutex_unlock;
44107+ }
44108+
44109 if (!IS_POSIXACL(dir->d_inode))
44110 mode &= ~current_umask();
44111 /*
44112@@ -2155,6 +2217,8 @@ static struct file *do_last(struct namei
44113 error = vfs_create(dir->d_inode, dentry, mode, nd);
44114 if (error)
44115 goto exit_mutex_unlock;
44116+ else
44117+ gr_handle_create(path->dentry, path->mnt);
44118 mutex_unlock(&dir->d_inode->i_mutex);
44119 dput(nd->path.dentry);
44120 nd->path.dentry = dentry;
44121@@ -2164,6 +2228,19 @@ static struct file *do_last(struct namei
44122 /*
44123 * It already exists.
44124 */
44125+
44126+ if (!gr_acl_handle_hidden_file(dentry, nd->path.mnt)) {
44127+ error = -ENOENT;
44128+ goto exit_mutex_unlock;
44129+ }
44130+
44131+ /* only check if O_CREAT is specified, all other checks need to go
44132+ into may_open */
44133+ if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
44134+ error = -EACCES;
44135+ goto exit_mutex_unlock;
44136+ }
44137+
44138 mutex_unlock(&dir->d_inode->i_mutex);
44139 audit_inode(pathname, path->dentry);
44140
44141@@ -2373,6 +2450,10 @@ struct dentry *lookup_create(struct name
44142 }
44143 return dentry;
44144 eexist:
44145+ if (!gr_acl_handle_hidden_file(dentry, nd->path.mnt)) {
44146+ dput(dentry);
44147+ return ERR_PTR(-ENOENT);
44148+ }
44149 dput(dentry);
44150 dentry = ERR_PTR(-EEXIST);
44151 fail:
44152@@ -2450,6 +2531,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
44153 error = may_mknod(mode);
44154 if (error)
44155 goto out_dput;
44156+
44157+ if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
44158+ error = -EPERM;
44159+ goto out_dput;
44160+ }
44161+
44162+ if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
44163+ error = -EACCES;
44164+ goto out_dput;
44165+ }
44166+
44167 error = mnt_want_write(nd.path.mnt);
44168 if (error)
44169 goto out_dput;
44170@@ -2470,6 +2562,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
44171 }
44172 out_drop_write:
44173 mnt_drop_write(nd.path.mnt);
44174+
44175+ if (!error)
44176+ gr_handle_create(dentry, nd.path.mnt);
44177 out_dput:
44178 dput(dentry);
44179 out_unlock:
44180@@ -2522,6 +2617,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
44181 if (IS_ERR(dentry))
44182 goto out_unlock;
44183
44184+ if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
44185+ error = -EACCES;
44186+ goto out_dput;
44187+ }
44188+
44189 if (!IS_POSIXACL(nd.path.dentry->d_inode))
44190 mode &= ~current_umask();
44191 error = mnt_want_write(nd.path.mnt);
44192@@ -2533,6 +2633,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
44193 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
44194 out_drop_write:
44195 mnt_drop_write(nd.path.mnt);
44196+
44197+ if (!error)
44198+ gr_handle_create(dentry, nd.path.mnt);
44199+
44200 out_dput:
44201 dput(dentry);
44202 out_unlock:
44203@@ -2615,6 +2719,8 @@ static long do_rmdir(int dfd, const char
44204 char * name;
44205 struct dentry *dentry;
44206 struct nameidata nd;
44207+ ino_t saved_ino = 0;
44208+ dev_t saved_dev = 0;
44209
44210 error = user_path_parent(dfd, pathname, &nd, &name);
44211 if (error)
44212@@ -2643,6 +2749,17 @@ static long do_rmdir(int dfd, const char
44213 error = -ENOENT;
44214 goto exit3;
44215 }
44216+
44217+ if (dentry->d_inode->i_nlink <= 1) {
44218+ saved_ino = dentry->d_inode->i_ino;
44219+ saved_dev = gr_get_dev_from_dentry(dentry);
44220+ }
44221+
44222+ if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
44223+ error = -EACCES;
44224+ goto exit3;
44225+ }
44226+
44227 error = mnt_want_write(nd.path.mnt);
44228 if (error)
44229 goto exit3;
44230@@ -2650,6 +2767,8 @@ static long do_rmdir(int dfd, const char
44231 if (error)
44232 goto exit4;
44233 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
44234+ if (!error && (saved_dev || saved_ino))
44235+ gr_handle_delete(saved_ino, saved_dev);
44236 exit4:
44237 mnt_drop_write(nd.path.mnt);
44238 exit3:
44239@@ -2712,6 +2831,8 @@ static long do_unlinkat(int dfd, const c
44240 struct dentry *dentry;
44241 struct nameidata nd;
44242 struct inode *inode = NULL;
44243+ ino_t saved_ino = 0;
44244+ dev_t saved_dev = 0;
44245
44246 error = user_path_parent(dfd, pathname, &nd, &name);
44247 if (error)
44248@@ -2734,6 +2855,16 @@ static long do_unlinkat(int dfd, const c
44249 if (!inode)
44250 goto slashes;
44251 ihold(inode);
44252+
44253+ if (inode->i_nlink <= 1) {
44254+ saved_ino = inode->i_ino;
44255+ saved_dev = gr_get_dev_from_dentry(dentry);
44256+ }
44257+ if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
44258+ error = -EACCES;
44259+ goto exit2;
44260+ }
44261+
44262 error = mnt_want_write(nd.path.mnt);
44263 if (error)
44264 goto exit2;
44265@@ -2741,6 +2872,8 @@ static long do_unlinkat(int dfd, const c
44266 if (error)
44267 goto exit3;
44268 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
44269+ if (!error && (saved_ino || saved_dev))
44270+ gr_handle_delete(saved_ino, saved_dev);
44271 exit3:
44272 mnt_drop_write(nd.path.mnt);
44273 exit2:
44274@@ -2818,6 +2951,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
44275 if (IS_ERR(dentry))
44276 goto out_unlock;
44277
44278+ if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
44279+ error = -EACCES;
44280+ goto out_dput;
44281+ }
44282+
44283 error = mnt_want_write(nd.path.mnt);
44284 if (error)
44285 goto out_dput;
44286@@ -2825,6 +2963,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
44287 if (error)
44288 goto out_drop_write;
44289 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
44290+ if (!error)
44291+ gr_handle_create(dentry, nd.path.mnt);
44292 out_drop_write:
44293 mnt_drop_write(nd.path.mnt);
44294 out_dput:
44295@@ -2933,6 +3073,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44296 error = PTR_ERR(new_dentry);
44297 if (IS_ERR(new_dentry))
44298 goto out_unlock;
44299+
44300+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
44301+ old_path.dentry->d_inode,
44302+ old_path.dentry->d_inode->i_mode, to)) {
44303+ error = -EACCES;
44304+ goto out_dput;
44305+ }
44306+
44307+ if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
44308+ old_path.dentry, old_path.mnt, to)) {
44309+ error = -EACCES;
44310+ goto out_dput;
44311+ }
44312+
44313 error = mnt_want_write(nd.path.mnt);
44314 if (error)
44315 goto out_dput;
44316@@ -2940,6 +3094,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44317 if (error)
44318 goto out_drop_write;
44319 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
44320+ if (!error)
44321+ gr_handle_create(new_dentry, nd.path.mnt);
44322 out_drop_write:
44323 mnt_drop_write(nd.path.mnt);
44324 out_dput:
44325@@ -3117,6 +3273,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44326 char *to;
44327 int error;
44328
44329+ pax_track_stack();
44330+
44331 error = user_path_parent(olddfd, oldname, &oldnd, &from);
44332 if (error)
44333 goto exit;
44334@@ -3173,6 +3331,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44335 if (new_dentry == trap)
44336 goto exit5;
44337
44338+ error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
44339+ old_dentry, old_dir->d_inode, oldnd.path.mnt,
44340+ to);
44341+ if (error)
44342+ goto exit5;
44343+
44344 error = mnt_want_write(oldnd.path.mnt);
44345 if (error)
44346 goto exit5;
44347@@ -3182,6 +3346,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44348 goto exit6;
44349 error = vfs_rename(old_dir->d_inode, old_dentry,
44350 new_dir->d_inode, new_dentry);
44351+ if (!error)
44352+ gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
44353+ new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
44354 exit6:
44355 mnt_drop_write(oldnd.path.mnt);
44356 exit5:
44357@@ -3207,6 +3374,8 @@ SYSCALL_DEFINE2(rename, const char __use
44358
44359 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
44360 {
44361+ char tmpbuf[64];
44362+ const char *newlink;
44363 int len;
44364
44365 len = PTR_ERR(link);
44366@@ -3216,7 +3385,14 @@ int vfs_readlink(struct dentry *dentry,
44367 len = strlen(link);
44368 if (len > (unsigned) buflen)
44369 len = buflen;
44370- if (copy_to_user(buffer, link, len))
44371+
44372+ if (len < sizeof(tmpbuf)) {
44373+ memcpy(tmpbuf, link, len);
44374+ newlink = tmpbuf;
44375+ } else
44376+ newlink = link;
44377+
44378+ if (copy_to_user(buffer, newlink, len))
44379 len = -EFAULT;
44380 out:
44381 return len;
44382diff -urNp linux-3.0.7/fs/namespace.c linux-3.0.7/fs/namespace.c
44383--- linux-3.0.7/fs/namespace.c 2011-07-21 22:17:23.000000000 -0400
44384+++ linux-3.0.7/fs/namespace.c 2011-08-23 21:48:14.000000000 -0400
44385@@ -1328,6 +1328,9 @@ static int do_umount(struct vfsmount *mn
44386 if (!(sb->s_flags & MS_RDONLY))
44387 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
44388 up_write(&sb->s_umount);
44389+
44390+ gr_log_remount(mnt->mnt_devname, retval);
44391+
44392 return retval;
44393 }
44394
44395@@ -1347,6 +1350,9 @@ static int do_umount(struct vfsmount *mn
44396 br_write_unlock(vfsmount_lock);
44397 up_write(&namespace_sem);
44398 release_mounts(&umount_list);
44399+
44400+ gr_log_unmount(mnt->mnt_devname, retval);
44401+
44402 return retval;
44403 }
44404
44405@@ -2338,6 +2344,16 @@ long do_mount(char *dev_name, char *dir_
44406 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
44407 MS_STRICTATIME);
44408
44409+ if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
44410+ retval = -EPERM;
44411+ goto dput_out;
44412+ }
44413+
44414+ if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
44415+ retval = -EPERM;
44416+ goto dput_out;
44417+ }
44418+
44419 if (flags & MS_REMOUNT)
44420 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
44421 data_page);
44422@@ -2352,6 +2368,9 @@ long do_mount(char *dev_name, char *dir_
44423 dev_name, data_page);
44424 dput_out:
44425 path_put(&path);
44426+
44427+ gr_log_mount(dev_name, dir_name, retval);
44428+
44429 return retval;
44430 }
44431
44432@@ -2575,6 +2594,11 @@ SYSCALL_DEFINE2(pivot_root, const char _
44433 if (error)
44434 goto out2;
44435
44436+ if (gr_handle_chroot_pivot()) {
44437+ error = -EPERM;
44438+ goto out2;
44439+ }
44440+
44441 get_fs_root(current->fs, &root);
44442 error = lock_mount(&old);
44443 if (error)
44444diff -urNp linux-3.0.7/fs/ncpfs/dir.c linux-3.0.7/fs/ncpfs/dir.c
44445--- linux-3.0.7/fs/ncpfs/dir.c 2011-07-21 22:17:23.000000000 -0400
44446+++ linux-3.0.7/fs/ncpfs/dir.c 2011-08-23 21:48:14.000000000 -0400
44447@@ -299,6 +299,8 @@ ncp_lookup_validate(struct dentry *dentr
44448 int res, val = 0, len;
44449 __u8 __name[NCP_MAXPATHLEN + 1];
44450
44451+ pax_track_stack();
44452+
44453 if (dentry == dentry->d_sb->s_root)
44454 return 1;
44455
44456@@ -844,6 +846,8 @@ static struct dentry *ncp_lookup(struct
44457 int error, res, len;
44458 __u8 __name[NCP_MAXPATHLEN + 1];
44459
44460+ pax_track_stack();
44461+
44462 error = -EIO;
44463 if (!ncp_conn_valid(server))
44464 goto finished;
44465@@ -931,6 +935,8 @@ int ncp_create_new(struct inode *dir, st
44466 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
44467 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
44468
44469+ pax_track_stack();
44470+
44471 ncp_age_dentry(server, dentry);
44472 len = sizeof(__name);
44473 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
44474@@ -992,6 +998,8 @@ static int ncp_mkdir(struct inode *dir,
44475 int error, len;
44476 __u8 __name[NCP_MAXPATHLEN + 1];
44477
44478+ pax_track_stack();
44479+
44480 DPRINTK("ncp_mkdir: making %s/%s\n",
44481 dentry->d_parent->d_name.name, dentry->d_name.name);
44482
44483@@ -1140,6 +1148,8 @@ static int ncp_rename(struct inode *old_
44484 int old_len, new_len;
44485 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
44486
44487+ pax_track_stack();
44488+
44489 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
44490 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
44491 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
44492diff -urNp linux-3.0.7/fs/ncpfs/inode.c linux-3.0.7/fs/ncpfs/inode.c
44493--- linux-3.0.7/fs/ncpfs/inode.c 2011-07-21 22:17:23.000000000 -0400
44494+++ linux-3.0.7/fs/ncpfs/inode.c 2011-08-23 21:48:14.000000000 -0400
44495@@ -461,6 +461,8 @@ static int ncp_fill_super(struct super_b
44496 #endif
44497 struct ncp_entry_info finfo;
44498
44499+ pax_track_stack();
44500+
44501 memset(&data, 0, sizeof(data));
44502 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
44503 if (!server)
44504diff -urNp linux-3.0.7/fs/nfs/inode.c linux-3.0.7/fs/nfs/inode.c
44505--- linux-3.0.7/fs/nfs/inode.c 2011-07-21 22:17:23.000000000 -0400
44506+++ linux-3.0.7/fs/nfs/inode.c 2011-08-23 21:47:56.000000000 -0400
44507@@ -150,7 +150,7 @@ static void nfs_zap_caches_locked(struct
44508 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
44509 nfsi->attrtimeo_timestamp = jiffies;
44510
44511- memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
44512+ memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
44513 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
44514 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
44515 else
44516@@ -1000,16 +1000,16 @@ static int nfs_size_need_update(const st
44517 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
44518 }
44519
44520-static atomic_long_t nfs_attr_generation_counter;
44521+static atomic_long_unchecked_t nfs_attr_generation_counter;
44522
44523 static unsigned long nfs_read_attr_generation_counter(void)
44524 {
44525- return atomic_long_read(&nfs_attr_generation_counter);
44526+ return atomic_long_read_unchecked(&nfs_attr_generation_counter);
44527 }
44528
44529 unsigned long nfs_inc_attr_generation_counter(void)
44530 {
44531- return atomic_long_inc_return(&nfs_attr_generation_counter);
44532+ return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
44533 }
44534
44535 void nfs_fattr_init(struct nfs_fattr *fattr)
44536diff -urNp linux-3.0.7/fs/nfsd/nfs4state.c linux-3.0.7/fs/nfsd/nfs4state.c
44537--- linux-3.0.7/fs/nfsd/nfs4state.c 2011-09-02 18:11:21.000000000 -0400
44538+++ linux-3.0.7/fs/nfsd/nfs4state.c 2011-08-23 21:48:14.000000000 -0400
44539@@ -3794,6 +3794,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
44540 unsigned int strhashval;
44541 int err;
44542
44543+ pax_track_stack();
44544+
44545 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
44546 (long long) lock->lk_offset,
44547 (long long) lock->lk_length);
44548diff -urNp linux-3.0.7/fs/nfsd/nfs4xdr.c linux-3.0.7/fs/nfsd/nfs4xdr.c
44549--- linux-3.0.7/fs/nfsd/nfs4xdr.c 2011-07-21 22:17:23.000000000 -0400
44550+++ linux-3.0.7/fs/nfsd/nfs4xdr.c 2011-08-23 21:48:14.000000000 -0400
44551@@ -1788,6 +1788,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
44552 .dentry = dentry,
44553 };
44554
44555+ pax_track_stack();
44556+
44557 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
44558 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
44559 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
44560diff -urNp linux-3.0.7/fs/nfsd/vfs.c linux-3.0.7/fs/nfsd/vfs.c
44561--- linux-3.0.7/fs/nfsd/vfs.c 2011-07-21 22:17:23.000000000 -0400
44562+++ linux-3.0.7/fs/nfsd/vfs.c 2011-10-06 04:17:55.000000000 -0400
44563@@ -896,7 +896,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
44564 } else {
44565 oldfs = get_fs();
44566 set_fs(KERNEL_DS);
44567- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
44568+ host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
44569 set_fs(oldfs);
44570 }
44571
44572@@ -1000,7 +1000,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
44573
44574 /* Write the data. */
44575 oldfs = get_fs(); set_fs(KERNEL_DS);
44576- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
44577+ host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &offset);
44578 set_fs(oldfs);
44579 if (host_err < 0)
44580 goto out_nfserr;
44581@@ -1535,7 +1535,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
44582 */
44583
44584 oldfs = get_fs(); set_fs(KERNEL_DS);
44585- host_err = inode->i_op->readlink(dentry, buf, *lenp);
44586+ host_err = inode->i_op->readlink(dentry, (char __force_user *)buf, *lenp);
44587 set_fs(oldfs);
44588
44589 if (host_err < 0)
44590diff -urNp linux-3.0.7/fs/notify/fanotify/fanotify_user.c linux-3.0.7/fs/notify/fanotify/fanotify_user.c
44591--- linux-3.0.7/fs/notify/fanotify/fanotify_user.c 2011-07-21 22:17:23.000000000 -0400
44592+++ linux-3.0.7/fs/notify/fanotify/fanotify_user.c 2011-08-23 21:48:14.000000000 -0400
44593@@ -276,7 +276,8 @@ static ssize_t copy_event_to_user(struct
44594 goto out_close_fd;
44595
44596 ret = -EFAULT;
44597- if (copy_to_user(buf, &fanotify_event_metadata,
44598+ if (fanotify_event_metadata.event_len > sizeof fanotify_event_metadata ||
44599+ copy_to_user(buf, &fanotify_event_metadata,
44600 fanotify_event_metadata.event_len))
44601 goto out_kill_access_response;
44602
44603diff -urNp linux-3.0.7/fs/notify/notification.c linux-3.0.7/fs/notify/notification.c
44604--- linux-3.0.7/fs/notify/notification.c 2011-07-21 22:17:23.000000000 -0400
44605+++ linux-3.0.7/fs/notify/notification.c 2011-08-23 21:47:56.000000000 -0400
44606@@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
44607 * get set to 0 so it will never get 'freed'
44608 */
44609 static struct fsnotify_event *q_overflow_event;
44610-static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
44611+static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
44612
44613 /**
44614 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
44615@@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
44616 */
44617 u32 fsnotify_get_cookie(void)
44618 {
44619- return atomic_inc_return(&fsnotify_sync_cookie);
44620+ return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
44621 }
44622 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
44623
44624diff -urNp linux-3.0.7/fs/ntfs/dir.c linux-3.0.7/fs/ntfs/dir.c
44625--- linux-3.0.7/fs/ntfs/dir.c 2011-07-21 22:17:23.000000000 -0400
44626+++ linux-3.0.7/fs/ntfs/dir.c 2011-08-23 21:47:56.000000000 -0400
44627@@ -1329,7 +1329,7 @@ find_next_index_buffer:
44628 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
44629 ~(s64)(ndir->itype.index.block_size - 1)));
44630 /* Bounds checks. */
44631- if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
44632+ if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
44633 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
44634 "inode 0x%lx or driver bug.", vdir->i_ino);
44635 goto err_out;
44636diff -urNp linux-3.0.7/fs/ntfs/file.c linux-3.0.7/fs/ntfs/file.c
44637--- linux-3.0.7/fs/ntfs/file.c 2011-07-21 22:17:23.000000000 -0400
44638+++ linux-3.0.7/fs/ntfs/file.c 2011-08-23 21:47:56.000000000 -0400
44639@@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
44640 #endif /* NTFS_RW */
44641 };
44642
44643-const struct file_operations ntfs_empty_file_ops = {};
44644+const struct file_operations ntfs_empty_file_ops __read_only;
44645
44646-const struct inode_operations ntfs_empty_inode_ops = {};
44647+const struct inode_operations ntfs_empty_inode_ops __read_only;
44648diff -urNp linux-3.0.7/fs/ocfs2/localalloc.c linux-3.0.7/fs/ocfs2/localalloc.c
44649--- linux-3.0.7/fs/ocfs2/localalloc.c 2011-07-21 22:17:23.000000000 -0400
44650+++ linux-3.0.7/fs/ocfs2/localalloc.c 2011-08-23 21:47:56.000000000 -0400
44651@@ -1283,7 +1283,7 @@ static int ocfs2_local_alloc_slide_windo
44652 goto bail;
44653 }
44654
44655- atomic_inc(&osb->alloc_stats.moves);
44656+ atomic_inc_unchecked(&osb->alloc_stats.moves);
44657
44658 bail:
44659 if (handle)
44660diff -urNp linux-3.0.7/fs/ocfs2/namei.c linux-3.0.7/fs/ocfs2/namei.c
44661--- linux-3.0.7/fs/ocfs2/namei.c 2011-07-21 22:17:23.000000000 -0400
44662+++ linux-3.0.7/fs/ocfs2/namei.c 2011-08-23 21:48:14.000000000 -0400
44663@@ -1063,6 +1063,8 @@ static int ocfs2_rename(struct inode *ol
44664 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
44665 struct ocfs2_dir_lookup_result target_insert = { NULL, };
44666
44667+ pax_track_stack();
44668+
44669 /* At some point it might be nice to break this function up a
44670 * bit. */
44671
44672diff -urNp linux-3.0.7/fs/ocfs2/ocfs2.h linux-3.0.7/fs/ocfs2/ocfs2.h
44673--- linux-3.0.7/fs/ocfs2/ocfs2.h 2011-07-21 22:17:23.000000000 -0400
44674+++ linux-3.0.7/fs/ocfs2/ocfs2.h 2011-08-23 21:47:56.000000000 -0400
44675@@ -235,11 +235,11 @@ enum ocfs2_vol_state
44676
44677 struct ocfs2_alloc_stats
44678 {
44679- atomic_t moves;
44680- atomic_t local_data;
44681- atomic_t bitmap_data;
44682- atomic_t bg_allocs;
44683- atomic_t bg_extends;
44684+ atomic_unchecked_t moves;
44685+ atomic_unchecked_t local_data;
44686+ atomic_unchecked_t bitmap_data;
44687+ atomic_unchecked_t bg_allocs;
44688+ atomic_unchecked_t bg_extends;
44689 };
44690
44691 enum ocfs2_local_alloc_state
44692diff -urNp linux-3.0.7/fs/ocfs2/suballoc.c linux-3.0.7/fs/ocfs2/suballoc.c
44693--- linux-3.0.7/fs/ocfs2/suballoc.c 2011-07-21 22:17:23.000000000 -0400
44694+++ linux-3.0.7/fs/ocfs2/suballoc.c 2011-08-23 21:47:56.000000000 -0400
44695@@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(s
44696 mlog_errno(status);
44697 goto bail;
44698 }
44699- atomic_inc(&osb->alloc_stats.bg_extends);
44700+ atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
44701
44702 /* You should never ask for this much metadata */
44703 BUG_ON(bits_wanted >
44704@@ -2008,7 +2008,7 @@ int ocfs2_claim_metadata(handle_t *handl
44705 mlog_errno(status);
44706 goto bail;
44707 }
44708- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44709+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44710
44711 *suballoc_loc = res.sr_bg_blkno;
44712 *suballoc_bit_start = res.sr_bit_offset;
44713@@ -2172,7 +2172,7 @@ int ocfs2_claim_new_inode_at_loc(handle_
44714 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
44715 res->sr_bits);
44716
44717- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44718+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44719
44720 BUG_ON(res->sr_bits != 1);
44721
44722@@ -2214,7 +2214,7 @@ int ocfs2_claim_new_inode(handle_t *hand
44723 mlog_errno(status);
44724 goto bail;
44725 }
44726- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44727+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
44728
44729 BUG_ON(res.sr_bits != 1);
44730
44731@@ -2318,7 +2318,7 @@ int __ocfs2_claim_clusters(handle_t *han
44732 cluster_start,
44733 num_clusters);
44734 if (!status)
44735- atomic_inc(&osb->alloc_stats.local_data);
44736+ atomic_inc_unchecked(&osb->alloc_stats.local_data);
44737 } else {
44738 if (min_clusters > (osb->bitmap_cpg - 1)) {
44739 /* The only paths asking for contiguousness
44740@@ -2344,7 +2344,7 @@ int __ocfs2_claim_clusters(handle_t *han
44741 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
44742 res.sr_bg_blkno,
44743 res.sr_bit_offset);
44744- atomic_inc(&osb->alloc_stats.bitmap_data);
44745+ atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
44746 *num_clusters = res.sr_bits;
44747 }
44748 }
44749diff -urNp linux-3.0.7/fs/ocfs2/super.c linux-3.0.7/fs/ocfs2/super.c
44750--- linux-3.0.7/fs/ocfs2/super.c 2011-07-21 22:17:23.000000000 -0400
44751+++ linux-3.0.7/fs/ocfs2/super.c 2011-08-23 21:47:56.000000000 -0400
44752@@ -300,11 +300,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
44753 "%10s => GlobalAllocs: %d LocalAllocs: %d "
44754 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
44755 "Stats",
44756- atomic_read(&osb->alloc_stats.bitmap_data),
44757- atomic_read(&osb->alloc_stats.local_data),
44758- atomic_read(&osb->alloc_stats.bg_allocs),
44759- atomic_read(&osb->alloc_stats.moves),
44760- atomic_read(&osb->alloc_stats.bg_extends));
44761+ atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
44762+ atomic_read_unchecked(&osb->alloc_stats.local_data),
44763+ atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
44764+ atomic_read_unchecked(&osb->alloc_stats.moves),
44765+ atomic_read_unchecked(&osb->alloc_stats.bg_extends));
44766
44767 out += snprintf(buf + out, len - out,
44768 "%10s => State: %u Descriptor: %llu Size: %u bits "
44769@@ -2112,11 +2112,11 @@ static int ocfs2_initialize_super(struct
44770 spin_lock_init(&osb->osb_xattr_lock);
44771 ocfs2_init_steal_slots(osb);
44772
44773- atomic_set(&osb->alloc_stats.moves, 0);
44774- atomic_set(&osb->alloc_stats.local_data, 0);
44775- atomic_set(&osb->alloc_stats.bitmap_data, 0);
44776- atomic_set(&osb->alloc_stats.bg_allocs, 0);
44777- atomic_set(&osb->alloc_stats.bg_extends, 0);
44778+ atomic_set_unchecked(&osb->alloc_stats.moves, 0);
44779+ atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
44780+ atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
44781+ atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
44782+ atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
44783
44784 /* Copy the blockcheck stats from the superblock probe */
44785 osb->osb_ecc_stats = *stats;
44786diff -urNp linux-3.0.7/fs/ocfs2/symlink.c linux-3.0.7/fs/ocfs2/symlink.c
44787--- linux-3.0.7/fs/ocfs2/symlink.c 2011-07-21 22:17:23.000000000 -0400
44788+++ linux-3.0.7/fs/ocfs2/symlink.c 2011-08-23 21:47:56.000000000 -0400
44789@@ -142,7 +142,7 @@ bail:
44790
44791 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
44792 {
44793- char *link = nd_get_link(nd);
44794+ const char *link = nd_get_link(nd);
44795 if (!IS_ERR(link))
44796 kfree(link);
44797 }
44798diff -urNp linux-3.0.7/fs/open.c linux-3.0.7/fs/open.c
44799--- linux-3.0.7/fs/open.c 2011-07-21 22:17:23.000000000 -0400
44800+++ linux-3.0.7/fs/open.c 2011-09-14 09:16:46.000000000 -0400
44801@@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
44802 error = locks_verify_truncate(inode, NULL, length);
44803 if (!error)
44804 error = security_path_truncate(&path);
44805+
44806+ if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
44807+ error = -EACCES;
44808+
44809 if (!error)
44810 error = do_truncate(path.dentry, length, 0, NULL);
44811
44812@@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
44813 if (__mnt_is_readonly(path.mnt))
44814 res = -EROFS;
44815
44816+ if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
44817+ res = -EACCES;
44818+
44819 out_path_release:
44820 path_put(&path);
44821 out:
44822@@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
44823 if (error)
44824 goto dput_and_out;
44825
44826+ gr_log_chdir(path.dentry, path.mnt);
44827+
44828 set_fs_pwd(current->fs, &path);
44829
44830 dput_and_out:
44831@@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
44832 goto out_putf;
44833
44834 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
44835+
44836+ if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
44837+ error = -EPERM;
44838+
44839+ if (!error)
44840+ gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
44841+
44842 if (!error)
44843 set_fs_pwd(current->fs, &file->f_path);
44844 out_putf:
44845@@ -438,7 +454,13 @@ SYSCALL_DEFINE1(chroot, const char __use
44846 if (error)
44847 goto dput_and_out;
44848
44849+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
44850+ goto dput_and_out;
44851+
44852 set_fs_root(current->fs, &path);
44853+
44854+ gr_handle_chroot_chdir(&path);
44855+
44856 error = 0;
44857 dput_and_out:
44858 path_put(&path);
44859@@ -466,12 +488,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
44860 err = mnt_want_write_file(file);
44861 if (err)
44862 goto out_putf;
44863+
44864 mutex_lock(&inode->i_mutex);
44865+
44866+ if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
44867+ err = -EACCES;
44868+ goto out_unlock;
44869+ }
44870+
44871 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
44872 if (err)
44873 goto out_unlock;
44874 if (mode == (mode_t) -1)
44875 mode = inode->i_mode;
44876+
44877+ if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
44878+ err = -EACCES;
44879+ goto out_unlock;
44880+ }
44881+
44882 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
44883 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
44884 err = notify_change(dentry, &newattrs);
44885@@ -499,12 +534,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
44886 error = mnt_want_write(path.mnt);
44887 if (error)
44888 goto dput_and_out;
44889+
44890 mutex_lock(&inode->i_mutex);
44891+
44892+ if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
44893+ error = -EACCES;
44894+ goto out_unlock;
44895+ }
44896+
44897 error = security_path_chmod(path.dentry, path.mnt, mode);
44898 if (error)
44899 goto out_unlock;
44900 if (mode == (mode_t) -1)
44901 mode = inode->i_mode;
44902+
44903+ if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
44904+ error = -EACCES;
44905+ goto out_unlock;
44906+ }
44907+
44908 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
44909 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
44910 error = notify_change(path.dentry, &newattrs);
44911@@ -528,6 +576,9 @@ static int chown_common(struct path *pat
44912 int error;
44913 struct iattr newattrs;
44914
44915+ if (!gr_acl_handle_chown(path->dentry, path->mnt))
44916+ return -EACCES;
44917+
44918 newattrs.ia_valid = ATTR_CTIME;
44919 if (user != (uid_t) -1) {
44920 newattrs.ia_valid |= ATTR_UID;
44921@@ -998,7 +1049,10 @@ long do_sys_open(int dfd, const char __u
44922 if (!IS_ERR(tmp)) {
44923 fd = get_unused_fd_flags(flags);
44924 if (fd >= 0) {
44925- struct file *f = do_filp_open(dfd, tmp, &op, lookup);
44926+ struct file *f;
44927+ /* don't allow to be set by userland */
44928+ flags &= ~FMODE_GREXEC;
44929+ f = do_filp_open(dfd, tmp, &op, lookup);
44930 if (IS_ERR(f)) {
44931 put_unused_fd(fd);
44932 fd = PTR_ERR(f);
44933diff -urNp linux-3.0.7/fs/partitions/ldm.c linux-3.0.7/fs/partitions/ldm.c
44934--- linux-3.0.7/fs/partitions/ldm.c 2011-07-21 22:17:23.000000000 -0400
44935+++ linux-3.0.7/fs/partitions/ldm.c 2011-08-23 21:48:14.000000000 -0400
44936@@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
44937 ldm_error ("A VBLK claims to have %d parts.", num);
44938 return false;
44939 }
44940+
44941 if (rec >= num) {
44942 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
44943 return false;
44944@@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
44945 goto found;
44946 }
44947
44948- f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
44949+ f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
44950 if (!f) {
44951 ldm_crit ("Out of memory.");
44952 return false;
44953diff -urNp linux-3.0.7/fs/pipe.c linux-3.0.7/fs/pipe.c
44954--- linux-3.0.7/fs/pipe.c 2011-07-21 22:17:23.000000000 -0400
44955+++ linux-3.0.7/fs/pipe.c 2011-08-23 21:48:14.000000000 -0400
44956@@ -420,9 +420,9 @@ redo:
44957 }
44958 if (bufs) /* More to do? */
44959 continue;
44960- if (!pipe->writers)
44961+ if (!atomic_read(&pipe->writers))
44962 break;
44963- if (!pipe->waiting_writers) {
44964+ if (!atomic_read(&pipe->waiting_writers)) {
44965 /* syscall merging: Usually we must not sleep
44966 * if O_NONBLOCK is set, or if we got some data.
44967 * But if a writer sleeps in kernel space, then
44968@@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
44969 mutex_lock(&inode->i_mutex);
44970 pipe = inode->i_pipe;
44971
44972- if (!pipe->readers) {
44973+ if (!atomic_read(&pipe->readers)) {
44974 send_sig(SIGPIPE, current, 0);
44975 ret = -EPIPE;
44976 goto out;
44977@@ -530,7 +530,7 @@ redo1:
44978 for (;;) {
44979 int bufs;
44980
44981- if (!pipe->readers) {
44982+ if (!atomic_read(&pipe->readers)) {
44983 send_sig(SIGPIPE, current, 0);
44984 if (!ret)
44985 ret = -EPIPE;
44986@@ -616,9 +616,9 @@ redo2:
44987 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
44988 do_wakeup = 0;
44989 }
44990- pipe->waiting_writers++;
44991+ atomic_inc(&pipe->waiting_writers);
44992 pipe_wait(pipe);
44993- pipe->waiting_writers--;
44994+ atomic_dec(&pipe->waiting_writers);
44995 }
44996 out:
44997 mutex_unlock(&inode->i_mutex);
44998@@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
44999 mask = 0;
45000 if (filp->f_mode & FMODE_READ) {
45001 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
45002- if (!pipe->writers && filp->f_version != pipe->w_counter)
45003+ if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
45004 mask |= POLLHUP;
45005 }
45006
45007@@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
45008 * Most Unices do not set POLLERR for FIFOs but on Linux they
45009 * behave exactly like pipes for poll().
45010 */
45011- if (!pipe->readers)
45012+ if (!atomic_read(&pipe->readers))
45013 mask |= POLLERR;
45014 }
45015
45016@@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
45017
45018 mutex_lock(&inode->i_mutex);
45019 pipe = inode->i_pipe;
45020- pipe->readers -= decr;
45021- pipe->writers -= decw;
45022+ atomic_sub(decr, &pipe->readers);
45023+ atomic_sub(decw, &pipe->writers);
45024
45025- if (!pipe->readers && !pipe->writers) {
45026+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
45027 free_pipe_info(inode);
45028 } else {
45029 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
45030@@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
45031
45032 if (inode->i_pipe) {
45033 ret = 0;
45034- inode->i_pipe->readers++;
45035+ atomic_inc(&inode->i_pipe->readers);
45036 }
45037
45038 mutex_unlock(&inode->i_mutex);
45039@@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
45040
45041 if (inode->i_pipe) {
45042 ret = 0;
45043- inode->i_pipe->writers++;
45044+ atomic_inc(&inode->i_pipe->writers);
45045 }
45046
45047 mutex_unlock(&inode->i_mutex);
45048@@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
45049 if (inode->i_pipe) {
45050 ret = 0;
45051 if (filp->f_mode & FMODE_READ)
45052- inode->i_pipe->readers++;
45053+ atomic_inc(&inode->i_pipe->readers);
45054 if (filp->f_mode & FMODE_WRITE)
45055- inode->i_pipe->writers++;
45056+ atomic_inc(&inode->i_pipe->writers);
45057 }
45058
45059 mutex_unlock(&inode->i_mutex);
45060@@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
45061 inode->i_pipe = NULL;
45062 }
45063
45064-static struct vfsmount *pipe_mnt __read_mostly;
45065+struct vfsmount *pipe_mnt __read_mostly;
45066
45067 /*
45068 * pipefs_dname() is called from d_path().
45069@@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
45070 goto fail_iput;
45071 inode->i_pipe = pipe;
45072
45073- pipe->readers = pipe->writers = 1;
45074+ atomic_set(&pipe->readers, 1);
45075+ atomic_set(&pipe->writers, 1);
45076 inode->i_fop = &rdwr_pipefifo_fops;
45077
45078 /*
45079diff -urNp linux-3.0.7/fs/proc/Kconfig linux-3.0.7/fs/proc/Kconfig
45080--- linux-3.0.7/fs/proc/Kconfig 2011-07-21 22:17:23.000000000 -0400
45081+++ linux-3.0.7/fs/proc/Kconfig 2011-08-23 21:48:14.000000000 -0400
45082@@ -30,12 +30,12 @@ config PROC_FS
45083
45084 config PROC_KCORE
45085 bool "/proc/kcore support" if !ARM
45086- depends on PROC_FS && MMU
45087+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
45088
45089 config PROC_VMCORE
45090 bool "/proc/vmcore support"
45091- depends on PROC_FS && CRASH_DUMP
45092- default y
45093+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
45094+ default n
45095 help
45096 Exports the dump image of crashed kernel in ELF format.
45097
45098@@ -59,8 +59,8 @@ config PROC_SYSCTL
45099 limited in memory.
45100
45101 config PROC_PAGE_MONITOR
45102- default y
45103- depends on PROC_FS && MMU
45104+ default n
45105+ depends on PROC_FS && MMU && !GRKERNSEC
45106 bool "Enable /proc page monitoring" if EXPERT
45107 help
45108 Various /proc files exist to monitor process memory utilization:
45109diff -urNp linux-3.0.7/fs/proc/array.c linux-3.0.7/fs/proc/array.c
45110--- linux-3.0.7/fs/proc/array.c 2011-07-21 22:17:23.000000000 -0400
45111+++ linux-3.0.7/fs/proc/array.c 2011-08-23 21:48:14.000000000 -0400
45112@@ -60,6 +60,7 @@
45113 #include <linux/tty.h>
45114 #include <linux/string.h>
45115 #include <linux/mman.h>
45116+#include <linux/grsecurity.h>
45117 #include <linux/proc_fs.h>
45118 #include <linux/ioport.h>
45119 #include <linux/uaccess.h>
45120@@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
45121 seq_putc(m, '\n');
45122 }
45123
45124+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45125+static inline void task_pax(struct seq_file *m, struct task_struct *p)
45126+{
45127+ if (p->mm)
45128+ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
45129+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
45130+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
45131+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
45132+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
45133+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
45134+ else
45135+ seq_printf(m, "PaX:\t-----\n");
45136+}
45137+#endif
45138+
45139 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
45140 struct pid *pid, struct task_struct *task)
45141 {
45142@@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
45143 task_cpus_allowed(m, task);
45144 cpuset_task_status_allowed(m, task);
45145 task_context_switch_counts(m, task);
45146+
45147+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45148+ task_pax(m, task);
45149+#endif
45150+
45151+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
45152+ task_grsec_rbac(m, task);
45153+#endif
45154+
45155 return 0;
45156 }
45157
45158+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45159+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
45160+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
45161+ _mm->pax_flags & MF_PAX_SEGMEXEC))
45162+#endif
45163+
45164 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
45165 struct pid *pid, struct task_struct *task, int whole)
45166 {
45167@@ -375,9 +406,11 @@ static int do_task_stat(struct seq_file
45168 cputime_t cutime, cstime, utime, stime;
45169 cputime_t cgtime, gtime;
45170 unsigned long rsslim = 0;
45171- char tcomm[sizeof(task->comm)];
45172+ char tcomm[sizeof(task->comm)] = { 0 };
45173 unsigned long flags;
45174
45175+ pax_track_stack();
45176+
45177 state = *get_task_state(task);
45178 vsize = eip = esp = 0;
45179 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
45180@@ -449,6 +482,19 @@ static int do_task_stat(struct seq_file
45181 gtime = task->gtime;
45182 }
45183
45184+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45185+ if (PAX_RAND_FLAGS(mm)) {
45186+ eip = 0;
45187+ esp = 0;
45188+ wchan = 0;
45189+ }
45190+#endif
45191+#ifdef CONFIG_GRKERNSEC_HIDESYM
45192+ wchan = 0;
45193+ eip =0;
45194+ esp =0;
45195+#endif
45196+
45197 /* scale priority and nice values from timeslices to -20..20 */
45198 /* to make it look like a "normal" Unix priority/nice value */
45199 priority = task_prio(task);
45200@@ -489,9 +535,15 @@ static int do_task_stat(struct seq_file
45201 vsize,
45202 mm ? get_mm_rss(mm) : 0,
45203 rsslim,
45204+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45205+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
45206+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
45207+ PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
45208+#else
45209 mm ? (permitted ? mm->start_code : 1) : 0,
45210 mm ? (permitted ? mm->end_code : 1) : 0,
45211 (permitted && mm) ? mm->start_stack : 0,
45212+#endif
45213 esp,
45214 eip,
45215 /* The signal information here is obsolete.
45216@@ -544,3 +596,18 @@ int proc_pid_statm(struct seq_file *m, s
45217
45218 return 0;
45219 }
45220+
45221+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45222+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
45223+{
45224+ u32 curr_ip = 0;
45225+ unsigned long flags;
45226+
45227+ if (lock_task_sighand(task, &flags)) {
45228+ curr_ip = task->signal->curr_ip;
45229+ unlock_task_sighand(task, &flags);
45230+ }
45231+
45232+ return sprintf(buffer, "%pI4\n", &curr_ip);
45233+}
45234+#endif
45235diff -urNp linux-3.0.7/fs/proc/base.c linux-3.0.7/fs/proc/base.c
45236--- linux-3.0.7/fs/proc/base.c 2011-09-02 18:11:21.000000000 -0400
45237+++ linux-3.0.7/fs/proc/base.c 2011-10-19 03:59:32.000000000 -0400
45238@@ -107,6 +107,22 @@ struct pid_entry {
45239 union proc_op op;
45240 };
45241
45242+struct getdents_callback {
45243+ struct linux_dirent __user * current_dir;
45244+ struct linux_dirent __user * previous;
45245+ struct file * file;
45246+ int count;
45247+ int error;
45248+};
45249+
45250+static int gr_fake_filldir(void * __buf, const char *name, int namlen,
45251+ loff_t offset, u64 ino, unsigned int d_type)
45252+{
45253+ struct getdents_callback * buf = (struct getdents_callback *) __buf;
45254+ buf->error = -EINVAL;
45255+ return 0;
45256+}
45257+
45258 #define NOD(NAME, MODE, IOP, FOP, OP) { \
45259 .name = (NAME), \
45260 .len = sizeof(NAME) - 1, \
45261@@ -209,6 +225,9 @@ static struct mm_struct *__check_mem_per
45262 if (task == current)
45263 return mm;
45264
45265+ if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
45266+ return ERR_PTR(-EPERM);
45267+
45268 /*
45269 * If current is actively ptrace'ing, and would also be
45270 * permitted to freshly attach with ptrace now, permit it.
45271@@ -282,6 +301,9 @@ static int proc_pid_cmdline(struct task_
45272 if (!mm->arg_end)
45273 goto out_mm; /* Shh! No looking before we're done */
45274
45275+ if (gr_acl_handle_procpidmem(task))
45276+ goto out_mm;
45277+
45278 len = mm->arg_end - mm->arg_start;
45279
45280 if (len > PAGE_SIZE)
45281@@ -309,12 +331,28 @@ out:
45282 return res;
45283 }
45284
45285+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45286+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
45287+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
45288+ _mm->pax_flags & MF_PAX_SEGMEXEC))
45289+#endif
45290+
45291 static int proc_pid_auxv(struct task_struct *task, char *buffer)
45292 {
45293 struct mm_struct *mm = mm_for_maps(task);
45294 int res = PTR_ERR(mm);
45295 if (mm && !IS_ERR(mm)) {
45296 unsigned int nwords = 0;
45297+
45298+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45299+ /* allow if we're currently ptracing this task */
45300+ if (PAX_RAND_FLAGS(mm) &&
45301+ (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
45302+ mmput(mm);
45303+ return 0;
45304+ }
45305+#endif
45306+
45307 do {
45308 nwords += 2;
45309 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
45310@@ -328,7 +366,7 @@ static int proc_pid_auxv(struct task_str
45311 }
45312
45313
45314-#ifdef CONFIG_KALLSYMS
45315+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45316 /*
45317 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
45318 * Returns the resolved symbol. If that fails, simply return the address.
45319@@ -367,7 +405,7 @@ static void unlock_trace(struct task_str
45320 mutex_unlock(&task->signal->cred_guard_mutex);
45321 }
45322
45323-#ifdef CONFIG_STACKTRACE
45324+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45325
45326 #define MAX_STACK_TRACE_DEPTH 64
45327
45328@@ -558,7 +596,7 @@ static int proc_pid_limits(struct task_s
45329 return count;
45330 }
45331
45332-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45333+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45334 static int proc_pid_syscall(struct task_struct *task, char *buffer)
45335 {
45336 long nr;
45337@@ -587,7 +625,7 @@ static int proc_pid_syscall(struct task_
45338 /************************************************************************/
45339
45340 /* permission checks */
45341-static int proc_fd_access_allowed(struct inode *inode)
45342+static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
45343 {
45344 struct task_struct *task;
45345 int allowed = 0;
45346@@ -597,7 +635,10 @@ static int proc_fd_access_allowed(struct
45347 */
45348 task = get_proc_task(inode);
45349 if (task) {
45350- allowed = ptrace_may_access(task, PTRACE_MODE_READ);
45351+ if (log)
45352+ allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
45353+ else
45354+ allowed = ptrace_may_access(task, PTRACE_MODE_READ);
45355 put_task_struct(task);
45356 }
45357 return allowed;
45358@@ -978,6 +1019,9 @@ static ssize_t environ_read(struct file
45359 if (!task)
45360 goto out_no_task;
45361
45362+ if (gr_acl_handle_procpidmem(task))
45363+ goto out;
45364+
45365 ret = -ENOMEM;
45366 page = (char *)__get_free_page(GFP_TEMPORARY);
45367 if (!page)
45368@@ -1614,7 +1658,7 @@ static void *proc_pid_follow_link(struct
45369 path_put(&nd->path);
45370
45371 /* Are we allowed to snoop on the tasks file descriptors? */
45372- if (!proc_fd_access_allowed(inode))
45373+ if (!proc_fd_access_allowed(inode,0))
45374 goto out;
45375
45376 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
45377@@ -1653,8 +1697,18 @@ static int proc_pid_readlink(struct dent
45378 struct path path;
45379
45380 /* Are we allowed to snoop on the tasks file descriptors? */
45381- if (!proc_fd_access_allowed(inode))
45382- goto out;
45383+ /* logging this is needed for learning on chromium to work properly,
45384+ but we don't want to flood the logs from 'ps' which does a readlink
45385+ on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
45386+ CAP_SYS_PTRACE as it's not necessary for its basic functionality
45387+ */
45388+ if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
45389+ if (!proc_fd_access_allowed(inode,0))
45390+ goto out;
45391+ } else {
45392+ if (!proc_fd_access_allowed(inode,1))
45393+ goto out;
45394+ }
45395
45396 error = PROC_I(inode)->op.proc_get_link(inode, &path);
45397 if (error)
45398@@ -1719,7 +1773,11 @@ struct inode *proc_pid_make_inode(struct
45399 rcu_read_lock();
45400 cred = __task_cred(task);
45401 inode->i_uid = cred->euid;
45402+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45403+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45404+#else
45405 inode->i_gid = cred->egid;
45406+#endif
45407 rcu_read_unlock();
45408 }
45409 security_task_to_inode(task, inode);
45410@@ -1737,6 +1795,9 @@ int pid_getattr(struct vfsmount *mnt, st
45411 struct inode *inode = dentry->d_inode;
45412 struct task_struct *task;
45413 const struct cred *cred;
45414+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45415+ const struct cred *tmpcred = current_cred();
45416+#endif
45417
45418 generic_fillattr(inode, stat);
45419
45420@@ -1744,13 +1805,41 @@ int pid_getattr(struct vfsmount *mnt, st
45421 stat->uid = 0;
45422 stat->gid = 0;
45423 task = pid_task(proc_pid(inode), PIDTYPE_PID);
45424+
45425+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
45426+ rcu_read_unlock();
45427+ return -ENOENT;
45428+ }
45429+
45430 if (task) {
45431+ cred = __task_cred(task);
45432+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45433+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
45434+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45435+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
45436+#endif
45437+ ) {
45438+#endif
45439 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
45440+#ifdef CONFIG_GRKERNSEC_PROC_USER
45441+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
45442+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45443+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
45444+#endif
45445 task_dumpable(task)) {
45446- cred = __task_cred(task);
45447 stat->uid = cred->euid;
45448+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45449+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
45450+#else
45451 stat->gid = cred->egid;
45452+#endif
45453+ }
45454+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45455+ } else {
45456+ rcu_read_unlock();
45457+ return -ENOENT;
45458 }
45459+#endif
45460 }
45461 rcu_read_unlock();
45462 return 0;
45463@@ -1787,11 +1876,20 @@ int pid_revalidate(struct dentry *dentry
45464
45465 if (task) {
45466 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
45467+#ifdef CONFIG_GRKERNSEC_PROC_USER
45468+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
45469+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45470+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
45471+#endif
45472 task_dumpable(task)) {
45473 rcu_read_lock();
45474 cred = __task_cred(task);
45475 inode->i_uid = cred->euid;
45476+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45477+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45478+#else
45479 inode->i_gid = cred->egid;
45480+#endif
45481 rcu_read_unlock();
45482 } else {
45483 inode->i_uid = 0;
45484@@ -1909,7 +2007,8 @@ static int proc_fd_info(struct inode *in
45485 int fd = proc_fd(inode);
45486
45487 if (task) {
45488- files = get_files_struct(task);
45489+ if (!gr_acl_handle_procpidmem(task))
45490+ files = get_files_struct(task);
45491 put_task_struct(task);
45492 }
45493 if (files) {
45494@@ -2169,11 +2268,21 @@ static const struct file_operations proc
45495 */
45496 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
45497 {
45498+ struct task_struct *task;
45499 int rv = generic_permission(inode, mask, flags, NULL);
45500- if (rv == 0)
45501- return 0;
45502+
45503 if (task_pid(current) == proc_pid(inode))
45504 rv = 0;
45505+
45506+ task = get_proc_task(inode);
45507+ if (task == NULL)
45508+ return rv;
45509+
45510+ if (gr_acl_handle_procpidmem(task))
45511+ rv = -EACCES;
45512+
45513+ put_task_struct(task);
45514+
45515 return rv;
45516 }
45517
45518@@ -2283,6 +2392,9 @@ static struct dentry *proc_pident_lookup
45519 if (!task)
45520 goto out_no_task;
45521
45522+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45523+ goto out;
45524+
45525 /*
45526 * Yes, it does not scale. And it should not. Don't add
45527 * new entries into /proc/<tgid>/ without very good reasons.
45528@@ -2327,6 +2439,9 @@ static int proc_pident_readdir(struct fi
45529 if (!task)
45530 goto out_no_task;
45531
45532+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45533+ goto out;
45534+
45535 ret = 0;
45536 i = filp->f_pos;
45537 switch (i) {
45538@@ -2597,7 +2712,7 @@ static void *proc_self_follow_link(struc
45539 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
45540 void *cookie)
45541 {
45542- char *s = nd_get_link(nd);
45543+ const char *s = nd_get_link(nd);
45544 if (!IS_ERR(s))
45545 __putname(s);
45546 }
45547@@ -2656,6 +2771,7 @@ static struct dentry *proc_base_instanti
45548 if (p->fop)
45549 inode->i_fop = p->fop;
45550 ei->op = p->op;
45551+
45552 d_add(dentry, inode);
45553 error = NULL;
45554 out:
45555@@ -2795,7 +2911,7 @@ static const struct pid_entry tgid_base_
45556 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
45557 #endif
45558 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
45559-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45560+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45561 INF("syscall", S_IRUGO, proc_pid_syscall),
45562 #endif
45563 INF("cmdline", S_IRUGO, proc_pid_cmdline),
45564@@ -2820,10 +2936,10 @@ static const struct pid_entry tgid_base_
45565 #ifdef CONFIG_SECURITY
45566 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
45567 #endif
45568-#ifdef CONFIG_KALLSYMS
45569+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45570 INF("wchan", S_IRUGO, proc_pid_wchan),
45571 #endif
45572-#ifdef CONFIG_STACKTRACE
45573+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45574 ONE("stack", S_IRUGO, proc_pid_stack),
45575 #endif
45576 #ifdef CONFIG_SCHEDSTATS
45577@@ -2857,6 +2973,9 @@ static const struct pid_entry tgid_base_
45578 #ifdef CONFIG_HARDWALL
45579 INF("hardwall", S_IRUGO, proc_pid_hardwall),
45580 #endif
45581+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45582+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
45583+#endif
45584 };
45585
45586 static int proc_tgid_base_readdir(struct file * filp,
45587@@ -2982,7 +3101,14 @@ static struct dentry *proc_pid_instantia
45588 if (!inode)
45589 goto out;
45590
45591+#ifdef CONFIG_GRKERNSEC_PROC_USER
45592+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
45593+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45594+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45595+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
45596+#else
45597 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
45598+#endif
45599 inode->i_op = &proc_tgid_base_inode_operations;
45600 inode->i_fop = &proc_tgid_base_operations;
45601 inode->i_flags|=S_IMMUTABLE;
45602@@ -3024,7 +3150,14 @@ struct dentry *proc_pid_lookup(struct in
45603 if (!task)
45604 goto out;
45605
45606+ if (!has_group_leader_pid(task))
45607+ goto out_put_task;
45608+
45609+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45610+ goto out_put_task;
45611+
45612 result = proc_pid_instantiate(dir, dentry, task, NULL);
45613+out_put_task:
45614 put_task_struct(task);
45615 out:
45616 return result;
45617@@ -3089,6 +3222,11 @@ int proc_pid_readdir(struct file * filp,
45618 {
45619 unsigned int nr;
45620 struct task_struct *reaper;
45621+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45622+ const struct cred *tmpcred = current_cred();
45623+ const struct cred *itercred;
45624+#endif
45625+ filldir_t __filldir = filldir;
45626 struct tgid_iter iter;
45627 struct pid_namespace *ns;
45628
45629@@ -3112,8 +3250,27 @@ int proc_pid_readdir(struct file * filp,
45630 for (iter = next_tgid(ns, iter);
45631 iter.task;
45632 iter.tgid += 1, iter = next_tgid(ns, iter)) {
45633+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45634+ rcu_read_lock();
45635+ itercred = __task_cred(iter.task);
45636+#endif
45637+ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
45638+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45639+ || (tmpcred->uid && (itercred->uid != tmpcred->uid)
45640+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45641+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
45642+#endif
45643+ )
45644+#endif
45645+ )
45646+ __filldir = &gr_fake_filldir;
45647+ else
45648+ __filldir = filldir;
45649+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45650+ rcu_read_unlock();
45651+#endif
45652 filp->f_pos = iter.tgid + TGID_OFFSET;
45653- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
45654+ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
45655 put_task_struct(iter.task);
45656 goto out;
45657 }
45658@@ -3141,7 +3298,7 @@ static const struct pid_entry tid_base_s
45659 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
45660 #endif
45661 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
45662-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45663+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45664 INF("syscall", S_IRUGO, proc_pid_syscall),
45665 #endif
45666 INF("cmdline", S_IRUGO, proc_pid_cmdline),
45667@@ -3165,10 +3322,10 @@ static const struct pid_entry tid_base_s
45668 #ifdef CONFIG_SECURITY
45669 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
45670 #endif
45671-#ifdef CONFIG_KALLSYMS
45672+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45673 INF("wchan", S_IRUGO, proc_pid_wchan),
45674 #endif
45675-#ifdef CONFIG_STACKTRACE
45676+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45677 ONE("stack", S_IRUGO, proc_pid_stack),
45678 #endif
45679 #ifdef CONFIG_SCHEDSTATS
45680diff -urNp linux-3.0.7/fs/proc/cmdline.c linux-3.0.7/fs/proc/cmdline.c
45681--- linux-3.0.7/fs/proc/cmdline.c 2011-07-21 22:17:23.000000000 -0400
45682+++ linux-3.0.7/fs/proc/cmdline.c 2011-08-23 21:48:14.000000000 -0400
45683@@ -23,7 +23,11 @@ static const struct file_operations cmdl
45684
45685 static int __init proc_cmdline_init(void)
45686 {
45687+#ifdef CONFIG_GRKERNSEC_PROC_ADD
45688+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
45689+#else
45690 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
45691+#endif
45692 return 0;
45693 }
45694 module_init(proc_cmdline_init);
45695diff -urNp linux-3.0.7/fs/proc/devices.c linux-3.0.7/fs/proc/devices.c
45696--- linux-3.0.7/fs/proc/devices.c 2011-07-21 22:17:23.000000000 -0400
45697+++ linux-3.0.7/fs/proc/devices.c 2011-08-23 21:48:14.000000000 -0400
45698@@ -64,7 +64,11 @@ static const struct file_operations proc
45699
45700 static int __init proc_devices_init(void)
45701 {
45702+#ifdef CONFIG_GRKERNSEC_PROC_ADD
45703+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
45704+#else
45705 proc_create("devices", 0, NULL, &proc_devinfo_operations);
45706+#endif
45707 return 0;
45708 }
45709 module_init(proc_devices_init);
45710diff -urNp linux-3.0.7/fs/proc/inode.c linux-3.0.7/fs/proc/inode.c
45711--- linux-3.0.7/fs/proc/inode.c 2011-07-21 22:17:23.000000000 -0400
45712+++ linux-3.0.7/fs/proc/inode.c 2011-10-19 03:59:32.000000000 -0400
45713@@ -18,12 +18,18 @@
45714 #include <linux/module.h>
45715 #include <linux/sysctl.h>
45716 #include <linux/slab.h>
45717+#include <linux/grsecurity.h>
45718
45719 #include <asm/system.h>
45720 #include <asm/uaccess.h>
45721
45722 #include "internal.h"
45723
45724+#ifdef CONFIG_PROC_SYSCTL
45725+extern const struct inode_operations proc_sys_inode_operations;
45726+extern const struct inode_operations proc_sys_dir_operations;
45727+#endif
45728+
45729 static void proc_evict_inode(struct inode *inode)
45730 {
45731 struct proc_dir_entry *de;
45732@@ -49,6 +55,13 @@ static void proc_evict_inode(struct inod
45733 ns_ops = PROC_I(inode)->ns_ops;
45734 if (ns_ops && ns_ops->put)
45735 ns_ops->put(PROC_I(inode)->ns);
45736+
45737+#ifdef CONFIG_PROC_SYSCTL
45738+ if (inode->i_op == &proc_sys_inode_operations ||
45739+ inode->i_op == &proc_sys_dir_operations)
45740+ gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
45741+#endif
45742+
45743 }
45744
45745 static struct kmem_cache * proc_inode_cachep;
45746@@ -440,7 +453,11 @@ struct inode *proc_get_inode(struct supe
45747 if (de->mode) {
45748 inode->i_mode = de->mode;
45749 inode->i_uid = de->uid;
45750+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45751+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45752+#else
45753 inode->i_gid = de->gid;
45754+#endif
45755 }
45756 if (de->size)
45757 inode->i_size = de->size;
45758diff -urNp linux-3.0.7/fs/proc/internal.h linux-3.0.7/fs/proc/internal.h
45759--- linux-3.0.7/fs/proc/internal.h 2011-07-21 22:17:23.000000000 -0400
45760+++ linux-3.0.7/fs/proc/internal.h 2011-08-23 21:48:14.000000000 -0400
45761@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
45762 struct pid *pid, struct task_struct *task);
45763 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
45764 struct pid *pid, struct task_struct *task);
45765+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45766+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
45767+#endif
45768 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
45769
45770 extern const struct file_operations proc_maps_operations;
45771diff -urNp linux-3.0.7/fs/proc/kcore.c linux-3.0.7/fs/proc/kcore.c
45772--- linux-3.0.7/fs/proc/kcore.c 2011-07-21 22:17:23.000000000 -0400
45773+++ linux-3.0.7/fs/proc/kcore.c 2011-08-23 21:48:14.000000000 -0400
45774@@ -321,6 +321,8 @@ static void elf_kcore_store_hdr(char *bu
45775 off_t offset = 0;
45776 struct kcore_list *m;
45777
45778+ pax_track_stack();
45779+
45780 /* setup ELF header */
45781 elf = (struct elfhdr *) bufp;
45782 bufp += sizeof(struct elfhdr);
45783@@ -478,9 +480,10 @@ read_kcore(struct file *file, char __use
45784 * the addresses in the elf_phdr on our list.
45785 */
45786 start = kc_offset_to_vaddr(*fpos - elf_buflen);
45787- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
45788+ tsz = PAGE_SIZE - (start & ~PAGE_MASK);
45789+ if (tsz > buflen)
45790 tsz = buflen;
45791-
45792+
45793 while (buflen) {
45794 struct kcore_list *m;
45795
45796@@ -509,20 +512,23 @@ read_kcore(struct file *file, char __use
45797 kfree(elf_buf);
45798 } else {
45799 if (kern_addr_valid(start)) {
45800- unsigned long n;
45801+ char *elf_buf;
45802+ mm_segment_t oldfs;
45803
45804- n = copy_to_user(buffer, (char *)start, tsz);
45805- /*
45806- * We cannot distingush between fault on source
45807- * and fault on destination. When this happens
45808- * we clear too and hope it will trigger the
45809- * EFAULT again.
45810- */
45811- if (n) {
45812- if (clear_user(buffer + tsz - n,
45813- n))
45814+ elf_buf = kmalloc(tsz, GFP_KERNEL);
45815+ if (!elf_buf)
45816+ return -ENOMEM;
45817+ oldfs = get_fs();
45818+ set_fs(KERNEL_DS);
45819+ if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
45820+ set_fs(oldfs);
45821+ if (copy_to_user(buffer, elf_buf, tsz)) {
45822+ kfree(elf_buf);
45823 return -EFAULT;
45824+ }
45825 }
45826+ set_fs(oldfs);
45827+ kfree(elf_buf);
45828 } else {
45829 if (clear_user(buffer, tsz))
45830 return -EFAULT;
45831@@ -542,6 +548,9 @@ read_kcore(struct file *file, char __use
45832
45833 static int open_kcore(struct inode *inode, struct file *filp)
45834 {
45835+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
45836+ return -EPERM;
45837+#endif
45838 if (!capable(CAP_SYS_RAWIO))
45839 return -EPERM;
45840 if (kcore_need_update)
45841diff -urNp linux-3.0.7/fs/proc/meminfo.c linux-3.0.7/fs/proc/meminfo.c
45842--- linux-3.0.7/fs/proc/meminfo.c 2011-07-21 22:17:23.000000000 -0400
45843+++ linux-3.0.7/fs/proc/meminfo.c 2011-08-23 21:48:14.000000000 -0400
45844@@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
45845 unsigned long pages[NR_LRU_LISTS];
45846 int lru;
45847
45848+ pax_track_stack();
45849+
45850 /*
45851 * display in kilobytes.
45852 */
45853@@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_
45854 vmi.used >> 10,
45855 vmi.largest_chunk >> 10
45856 #ifdef CONFIG_MEMORY_FAILURE
45857- ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
45858+ ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
45859 #endif
45860 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
45861 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
45862diff -urNp linux-3.0.7/fs/proc/nommu.c linux-3.0.7/fs/proc/nommu.c
45863--- linux-3.0.7/fs/proc/nommu.c 2011-07-21 22:17:23.000000000 -0400
45864+++ linux-3.0.7/fs/proc/nommu.c 2011-08-23 21:47:56.000000000 -0400
45865@@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
45866 if (len < 1)
45867 len = 1;
45868 seq_printf(m, "%*c", len, ' ');
45869- seq_path(m, &file->f_path, "");
45870+ seq_path(m, &file->f_path, "\n\\");
45871 }
45872
45873 seq_putc(m, '\n');
45874diff -urNp linux-3.0.7/fs/proc/proc_net.c linux-3.0.7/fs/proc/proc_net.c
45875--- linux-3.0.7/fs/proc/proc_net.c 2011-07-21 22:17:23.000000000 -0400
45876+++ linux-3.0.7/fs/proc/proc_net.c 2011-08-23 21:48:14.000000000 -0400
45877@@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
45878 struct task_struct *task;
45879 struct nsproxy *ns;
45880 struct net *net = NULL;
45881+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45882+ const struct cred *cred = current_cred();
45883+#endif
45884+
45885+#ifdef CONFIG_GRKERNSEC_PROC_USER
45886+ if (cred->fsuid)
45887+ return net;
45888+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45889+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
45890+ return net;
45891+#endif
45892
45893 rcu_read_lock();
45894 task = pid_task(proc_pid(dir), PIDTYPE_PID);
45895diff -urNp linux-3.0.7/fs/proc/proc_sysctl.c linux-3.0.7/fs/proc/proc_sysctl.c
45896--- linux-3.0.7/fs/proc/proc_sysctl.c 2011-07-21 22:17:23.000000000 -0400
45897+++ linux-3.0.7/fs/proc/proc_sysctl.c 2011-10-19 03:59:32.000000000 -0400
45898@@ -8,11 +8,13 @@
45899 #include <linux/namei.h>
45900 #include "internal.h"
45901
45902+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
45903+
45904 static const struct dentry_operations proc_sys_dentry_operations;
45905 static const struct file_operations proc_sys_file_operations;
45906-static const struct inode_operations proc_sys_inode_operations;
45907+const struct inode_operations proc_sys_inode_operations;
45908 static const struct file_operations proc_sys_dir_file_operations;
45909-static const struct inode_operations proc_sys_dir_operations;
45910+const struct inode_operations proc_sys_dir_operations;
45911
45912 static struct inode *proc_sys_make_inode(struct super_block *sb,
45913 struct ctl_table_header *head, struct ctl_table *table)
45914@@ -121,8 +123,14 @@ static struct dentry *proc_sys_lookup(st
45915
45916 err = NULL;
45917 d_set_d_op(dentry, &proc_sys_dentry_operations);
45918+
45919+ gr_handle_proc_create(dentry, inode);
45920+
45921 d_add(dentry, inode);
45922
45923+ if (gr_handle_sysctl(p, MAY_EXEC))
45924+ err = ERR_PTR(-ENOENT);
45925+
45926 out:
45927 sysctl_head_finish(head);
45928 return err;
45929@@ -202,6 +210,9 @@ static int proc_sys_fill_cache(struct fi
45930 return -ENOMEM;
45931 } else {
45932 d_set_d_op(child, &proc_sys_dentry_operations);
45933+
45934+ gr_handle_proc_create(child, inode);
45935+
45936 d_add(child, inode);
45937 }
45938 } else {
45939@@ -230,6 +241,9 @@ static int scan(struct ctl_table_header
45940 if (*pos < file->f_pos)
45941 continue;
45942
45943+ if (gr_handle_sysctl(table, 0))
45944+ continue;
45945+
45946 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
45947 if (res)
45948 return res;
45949@@ -355,6 +369,9 @@ static int proc_sys_getattr(struct vfsmo
45950 if (IS_ERR(head))
45951 return PTR_ERR(head);
45952
45953+ if (table && gr_handle_sysctl(table, MAY_EXEC))
45954+ return -ENOENT;
45955+
45956 generic_fillattr(inode, stat);
45957 if (table)
45958 stat->mode = (stat->mode & S_IFMT) | table->mode;
45959@@ -374,13 +391,13 @@ static const struct file_operations proc
45960 .llseek = generic_file_llseek,
45961 };
45962
45963-static const struct inode_operations proc_sys_inode_operations = {
45964+const struct inode_operations proc_sys_inode_operations = {
45965 .permission = proc_sys_permission,
45966 .setattr = proc_sys_setattr,
45967 .getattr = proc_sys_getattr,
45968 };
45969
45970-static const struct inode_operations proc_sys_dir_operations = {
45971+const struct inode_operations proc_sys_dir_operations = {
45972 .lookup = proc_sys_lookup,
45973 .permission = proc_sys_permission,
45974 .setattr = proc_sys_setattr,
45975diff -urNp linux-3.0.7/fs/proc/root.c linux-3.0.7/fs/proc/root.c
45976--- linux-3.0.7/fs/proc/root.c 2011-07-21 22:17:23.000000000 -0400
45977+++ linux-3.0.7/fs/proc/root.c 2011-08-23 21:48:14.000000000 -0400
45978@@ -123,7 +123,15 @@ void __init proc_root_init(void)
45979 #ifdef CONFIG_PROC_DEVICETREE
45980 proc_device_tree_init();
45981 #endif
45982+#ifdef CONFIG_GRKERNSEC_PROC_ADD
45983+#ifdef CONFIG_GRKERNSEC_PROC_USER
45984+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
45985+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45986+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
45987+#endif
45988+#else
45989 proc_mkdir("bus", NULL);
45990+#endif
45991 proc_sys_init();
45992 }
45993
45994diff -urNp linux-3.0.7/fs/proc/task_mmu.c linux-3.0.7/fs/proc/task_mmu.c
45995--- linux-3.0.7/fs/proc/task_mmu.c 2011-10-16 21:54:54.000000000 -0400
45996+++ linux-3.0.7/fs/proc/task_mmu.c 2011-10-16 21:55:28.000000000 -0400
45997@@ -51,8 +51,13 @@ void task_mem(struct seq_file *m, struct
45998 "VmExe:\t%8lu kB\n"
45999 "VmLib:\t%8lu kB\n"
46000 "VmPTE:\t%8lu kB\n"
46001- "VmSwap:\t%8lu kB\n",
46002- hiwater_vm << (PAGE_SHIFT-10),
46003+ "VmSwap:\t%8lu kB\n"
46004+
46005+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46006+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
46007+#endif
46008+
46009+ ,hiwater_vm << (PAGE_SHIFT-10),
46010 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
46011 mm->locked_vm << (PAGE_SHIFT-10),
46012 hiwater_rss << (PAGE_SHIFT-10),
46013@@ -60,7 +65,13 @@ void task_mem(struct seq_file *m, struct
46014 data << (PAGE_SHIFT-10),
46015 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
46016 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
46017- swap << (PAGE_SHIFT-10));
46018+ swap << (PAGE_SHIFT-10)
46019+
46020+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46021+ , mm->context.user_cs_base, mm->context.user_cs_limit
46022+#endif
46023+
46024+ );
46025 }
46026
46027 unsigned long task_vsize(struct mm_struct *mm)
46028@@ -207,6 +218,12 @@ static int do_maps_open(struct inode *in
46029 return ret;
46030 }
46031
46032+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46033+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
46034+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
46035+ _mm->pax_flags & MF_PAX_SEGMEXEC))
46036+#endif
46037+
46038 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
46039 {
46040 struct mm_struct *mm = vma->vm_mm;
46041@@ -225,13 +242,13 @@ static void show_map_vma(struct seq_file
46042 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
46043 }
46044
46045- /* We don't show the stack guard page in /proc/maps */
46046+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46047+ start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
46048+ end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
46049+#else
46050 start = vma->vm_start;
46051- if (stack_guard_page_start(vma, start))
46052- start += PAGE_SIZE;
46053 end = vma->vm_end;
46054- if (stack_guard_page_end(vma, end))
46055- end -= PAGE_SIZE;
46056+#endif
46057
46058 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
46059 start,
46060@@ -240,7 +257,11 @@ static void show_map_vma(struct seq_file
46061 flags & VM_WRITE ? 'w' : '-',
46062 flags & VM_EXEC ? 'x' : '-',
46063 flags & VM_MAYSHARE ? 's' : 'p',
46064+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46065+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
46066+#else
46067 pgoff,
46068+#endif
46069 MAJOR(dev), MINOR(dev), ino, &len);
46070
46071 /*
46072@@ -249,7 +270,7 @@ static void show_map_vma(struct seq_file
46073 */
46074 if (file) {
46075 pad_len_spaces(m, len);
46076- seq_path(m, &file->f_path, "\n");
46077+ seq_path(m, &file->f_path, "\n\\");
46078 } else {
46079 const char *name = arch_vma_name(vma);
46080 if (!name) {
46081@@ -257,8 +278,9 @@ static void show_map_vma(struct seq_file
46082 if (vma->vm_start <= mm->brk &&
46083 vma->vm_end >= mm->start_brk) {
46084 name = "[heap]";
46085- } else if (vma->vm_start <= mm->start_stack &&
46086- vma->vm_end >= mm->start_stack) {
46087+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
46088+ (vma->vm_start <= mm->start_stack &&
46089+ vma->vm_end >= mm->start_stack)) {
46090 name = "[stack]";
46091 }
46092 } else {
46093@@ -433,11 +455,16 @@ static int show_smap(struct seq_file *m,
46094 };
46095
46096 memset(&mss, 0, sizeof mss);
46097- mss.vma = vma;
46098- /* mmap_sem is held in m_start */
46099- if (vma->vm_mm && !is_vm_hugetlb_page(vma))
46100- walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
46101-
46102+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46103+ if (!PAX_RAND_FLAGS(vma->vm_mm)) {
46104+#endif
46105+ mss.vma = vma;
46106+ /* mmap_sem is held in m_start */
46107+ if (vma->vm_mm && !is_vm_hugetlb_page(vma))
46108+ walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
46109+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46110+ }
46111+#endif
46112 show_map_vma(m, vma);
46113
46114 seq_printf(m,
46115@@ -455,7 +482,11 @@ static int show_smap(struct seq_file *m,
46116 "KernelPageSize: %8lu kB\n"
46117 "MMUPageSize: %8lu kB\n"
46118 "Locked: %8lu kB\n",
46119+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46120+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
46121+#else
46122 (vma->vm_end - vma->vm_start) >> 10,
46123+#endif
46124 mss.resident >> 10,
46125 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
46126 mss.shared_clean >> 10,
46127@@ -1031,7 +1062,7 @@ static int show_numa_map(struct seq_file
46128
46129 if (file) {
46130 seq_printf(m, " file=");
46131- seq_path(m, &file->f_path, "\n\t= ");
46132+ seq_path(m, &file->f_path, "\n\t\\= ");
46133 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
46134 seq_printf(m, " heap");
46135 } else if (vma->vm_start <= mm->start_stack &&
46136diff -urNp linux-3.0.7/fs/proc/task_nommu.c linux-3.0.7/fs/proc/task_nommu.c
46137--- linux-3.0.7/fs/proc/task_nommu.c 2011-07-21 22:17:23.000000000 -0400
46138+++ linux-3.0.7/fs/proc/task_nommu.c 2011-08-23 21:47:56.000000000 -0400
46139@@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
46140 else
46141 bytes += kobjsize(mm);
46142
46143- if (current->fs && current->fs->users > 1)
46144+ if (current->fs && atomic_read(&current->fs->users) > 1)
46145 sbytes += kobjsize(current->fs);
46146 else
46147 bytes += kobjsize(current->fs);
46148@@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
46149
46150 if (file) {
46151 pad_len_spaces(m, len);
46152- seq_path(m, &file->f_path, "");
46153+ seq_path(m, &file->f_path, "\n\\");
46154 } else if (mm) {
46155 if (vma->vm_start <= mm->start_stack &&
46156 vma->vm_end >= mm->start_stack) {
46157diff -urNp linux-3.0.7/fs/quota/netlink.c linux-3.0.7/fs/quota/netlink.c
46158--- linux-3.0.7/fs/quota/netlink.c 2011-07-21 22:17:23.000000000 -0400
46159+++ linux-3.0.7/fs/quota/netlink.c 2011-08-23 21:47:56.000000000 -0400
46160@@ -33,7 +33,7 @@ static struct genl_family quota_genl_fam
46161 void quota_send_warning(short type, unsigned int id, dev_t dev,
46162 const char warntype)
46163 {
46164- static atomic_t seq;
46165+ static atomic_unchecked_t seq;
46166 struct sk_buff *skb;
46167 void *msg_head;
46168 int ret;
46169@@ -49,7 +49,7 @@ void quota_send_warning(short type, unsi
46170 "VFS: Not enough memory to send quota warning.\n");
46171 return;
46172 }
46173- msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
46174+ msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
46175 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
46176 if (!msg_head) {
46177 printk(KERN_ERR
46178diff -urNp linux-3.0.7/fs/readdir.c linux-3.0.7/fs/readdir.c
46179--- linux-3.0.7/fs/readdir.c 2011-07-21 22:17:23.000000000 -0400
46180+++ linux-3.0.7/fs/readdir.c 2011-10-06 04:17:55.000000000 -0400
46181@@ -17,6 +17,7 @@
46182 #include <linux/security.h>
46183 #include <linux/syscalls.h>
46184 #include <linux/unistd.h>
46185+#include <linux/namei.h>
46186
46187 #include <asm/uaccess.h>
46188
46189@@ -67,6 +68,7 @@ struct old_linux_dirent {
46190
46191 struct readdir_callback {
46192 struct old_linux_dirent __user * dirent;
46193+ struct file * file;
46194 int result;
46195 };
46196
46197@@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
46198 buf->result = -EOVERFLOW;
46199 return -EOVERFLOW;
46200 }
46201+
46202+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46203+ return 0;
46204+
46205 buf->result++;
46206 dirent = buf->dirent;
46207 if (!access_ok(VERIFY_WRITE, dirent,
46208@@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
46209
46210 buf.result = 0;
46211 buf.dirent = dirent;
46212+ buf.file = file;
46213
46214 error = vfs_readdir(file, fillonedir, &buf);
46215 if (buf.result)
46216@@ -142,6 +149,7 @@ struct linux_dirent {
46217 struct getdents_callback {
46218 struct linux_dirent __user * current_dir;
46219 struct linux_dirent __user * previous;
46220+ struct file * file;
46221 int count;
46222 int error;
46223 };
46224@@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
46225 buf->error = -EOVERFLOW;
46226 return -EOVERFLOW;
46227 }
46228+
46229+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46230+ return 0;
46231+
46232 dirent = buf->previous;
46233 if (dirent) {
46234 if (__put_user(offset, &dirent->d_off))
46235@@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
46236 buf.previous = NULL;
46237 buf.count = count;
46238 buf.error = 0;
46239+ buf.file = file;
46240
46241 error = vfs_readdir(file, filldir, &buf);
46242 if (error >= 0)
46243@@ -229,6 +242,7 @@ out:
46244 struct getdents_callback64 {
46245 struct linux_dirent64 __user * current_dir;
46246 struct linux_dirent64 __user * previous;
46247+ struct file *file;
46248 int count;
46249 int error;
46250 };
46251@@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
46252 buf->error = -EINVAL; /* only used if we fail.. */
46253 if (reclen > buf->count)
46254 return -EINVAL;
46255+
46256+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46257+ return 0;
46258+
46259 dirent = buf->previous;
46260 if (dirent) {
46261 if (__put_user(offset, &dirent->d_off))
46262@@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
46263
46264 buf.current_dir = dirent;
46265 buf.previous = NULL;
46266+ buf.file = file;
46267 buf.count = count;
46268 buf.error = 0;
46269
46270@@ -299,7 +318,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
46271 error = buf.error;
46272 lastdirent = buf.previous;
46273 if (lastdirent) {
46274- typeof(lastdirent->d_off) d_off = file->f_pos;
46275+ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
46276 if (__put_user(d_off, &lastdirent->d_off))
46277 error = -EFAULT;
46278 else
46279diff -urNp linux-3.0.7/fs/reiserfs/dir.c linux-3.0.7/fs/reiserfs/dir.c
46280--- linux-3.0.7/fs/reiserfs/dir.c 2011-07-21 22:17:23.000000000 -0400
46281+++ linux-3.0.7/fs/reiserfs/dir.c 2011-08-23 21:48:14.000000000 -0400
46282@@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
46283 struct reiserfs_dir_entry de;
46284 int ret = 0;
46285
46286+ pax_track_stack();
46287+
46288 reiserfs_write_lock(inode->i_sb);
46289
46290 reiserfs_check_lock_depth(inode->i_sb, "readdir");
46291diff -urNp linux-3.0.7/fs/reiserfs/do_balan.c linux-3.0.7/fs/reiserfs/do_balan.c
46292--- linux-3.0.7/fs/reiserfs/do_balan.c 2011-07-21 22:17:23.000000000 -0400
46293+++ linux-3.0.7/fs/reiserfs/do_balan.c 2011-08-23 21:47:56.000000000 -0400
46294@@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
46295 return;
46296 }
46297
46298- atomic_inc(&(fs_generation(tb->tb_sb)));
46299+ atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
46300 do_balance_starts(tb);
46301
46302 /* balance leaf returns 0 except if combining L R and S into
46303diff -urNp linux-3.0.7/fs/reiserfs/journal.c linux-3.0.7/fs/reiserfs/journal.c
46304--- linux-3.0.7/fs/reiserfs/journal.c 2011-07-21 22:17:23.000000000 -0400
46305+++ linux-3.0.7/fs/reiserfs/journal.c 2011-08-23 21:48:14.000000000 -0400
46306@@ -2299,6 +2299,8 @@ static struct buffer_head *reiserfs_brea
46307 struct buffer_head *bh;
46308 int i, j;
46309
46310+ pax_track_stack();
46311+
46312 bh = __getblk(dev, block, bufsize);
46313 if (buffer_uptodate(bh))
46314 return (bh);
46315diff -urNp linux-3.0.7/fs/reiserfs/namei.c linux-3.0.7/fs/reiserfs/namei.c
46316--- linux-3.0.7/fs/reiserfs/namei.c 2011-07-21 22:17:23.000000000 -0400
46317+++ linux-3.0.7/fs/reiserfs/namei.c 2011-08-23 21:48:14.000000000 -0400
46318@@ -1225,6 +1225,8 @@ static int reiserfs_rename(struct inode
46319 unsigned long savelink = 1;
46320 struct timespec ctime;
46321
46322+ pax_track_stack();
46323+
46324 /* three balancings: (1) old name removal, (2) new name insertion
46325 and (3) maybe "save" link insertion
46326 stat data updates: (1) old directory,
46327diff -urNp linux-3.0.7/fs/reiserfs/procfs.c linux-3.0.7/fs/reiserfs/procfs.c
46328--- linux-3.0.7/fs/reiserfs/procfs.c 2011-07-21 22:17:23.000000000 -0400
46329+++ linux-3.0.7/fs/reiserfs/procfs.c 2011-08-23 21:48:14.000000000 -0400
46330@@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
46331 "SMALL_TAILS " : "NO_TAILS ",
46332 replay_only(sb) ? "REPLAY_ONLY " : "",
46333 convert_reiserfs(sb) ? "CONV " : "",
46334- atomic_read(&r->s_generation_counter),
46335+ atomic_read_unchecked(&r->s_generation_counter),
46336 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
46337 SF(s_do_balance), SF(s_unneeded_left_neighbor),
46338 SF(s_good_search_by_key_reada), SF(s_bmaps),
46339@@ -299,6 +299,8 @@ static int show_journal(struct seq_file
46340 struct journal_params *jp = &rs->s_v1.s_journal;
46341 char b[BDEVNAME_SIZE];
46342
46343+ pax_track_stack();
46344+
46345 seq_printf(m, /* on-disk fields */
46346 "jp_journal_1st_block: \t%i\n"
46347 "jp_journal_dev: \t%s[%x]\n"
46348diff -urNp linux-3.0.7/fs/reiserfs/stree.c linux-3.0.7/fs/reiserfs/stree.c
46349--- linux-3.0.7/fs/reiserfs/stree.c 2011-07-21 22:17:23.000000000 -0400
46350+++ linux-3.0.7/fs/reiserfs/stree.c 2011-08-23 21:48:14.000000000 -0400
46351@@ -1196,6 +1196,8 @@ int reiserfs_delete_item(struct reiserfs
46352 int iter = 0;
46353 #endif
46354
46355+ pax_track_stack();
46356+
46357 BUG_ON(!th->t_trans_id);
46358
46359 init_tb_struct(th, &s_del_balance, sb, path,
46360@@ -1333,6 +1335,8 @@ void reiserfs_delete_solid_item(struct r
46361 int retval;
46362 int quota_cut_bytes = 0;
46363
46364+ pax_track_stack();
46365+
46366 BUG_ON(!th->t_trans_id);
46367
46368 le_key2cpu_key(&cpu_key, key);
46369@@ -1562,6 +1566,8 @@ int reiserfs_cut_from_item(struct reiser
46370 int quota_cut_bytes;
46371 loff_t tail_pos = 0;
46372
46373+ pax_track_stack();
46374+
46375 BUG_ON(!th->t_trans_id);
46376
46377 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
46378@@ -1957,6 +1963,8 @@ int reiserfs_paste_into_item(struct reis
46379 int retval;
46380 int fs_gen;
46381
46382+ pax_track_stack();
46383+
46384 BUG_ON(!th->t_trans_id);
46385
46386 fs_gen = get_generation(inode->i_sb);
46387@@ -2045,6 +2053,8 @@ int reiserfs_insert_item(struct reiserfs
46388 int fs_gen = 0;
46389 int quota_bytes = 0;
46390
46391+ pax_track_stack();
46392+
46393 BUG_ON(!th->t_trans_id);
46394
46395 if (inode) { /* Do we count quotas for item? */
46396diff -urNp linux-3.0.7/fs/reiserfs/super.c linux-3.0.7/fs/reiserfs/super.c
46397--- linux-3.0.7/fs/reiserfs/super.c 2011-07-21 22:17:23.000000000 -0400
46398+++ linux-3.0.7/fs/reiserfs/super.c 2011-08-23 21:48:14.000000000 -0400
46399@@ -927,6 +927,8 @@ static int reiserfs_parse_options(struct
46400 {.option_name = NULL}
46401 };
46402
46403+ pax_track_stack();
46404+
46405 *blocks = 0;
46406 if (!options || !*options)
46407 /* use default configuration: create tails, journaling on, no
46408diff -urNp linux-3.0.7/fs/select.c linux-3.0.7/fs/select.c
46409--- linux-3.0.7/fs/select.c 2011-07-21 22:17:23.000000000 -0400
46410+++ linux-3.0.7/fs/select.c 2011-08-23 21:48:14.000000000 -0400
46411@@ -20,6 +20,7 @@
46412 #include <linux/module.h>
46413 #include <linux/slab.h>
46414 #include <linux/poll.h>
46415+#include <linux/security.h>
46416 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
46417 #include <linux/file.h>
46418 #include <linux/fdtable.h>
46419@@ -403,6 +404,8 @@ int do_select(int n, fd_set_bits *fds, s
46420 int retval, i, timed_out = 0;
46421 unsigned long slack = 0;
46422
46423+ pax_track_stack();
46424+
46425 rcu_read_lock();
46426 retval = max_select_fd(n, fds);
46427 rcu_read_unlock();
46428@@ -528,6 +531,8 @@ int core_sys_select(int n, fd_set __user
46429 /* Allocate small arguments on the stack to save memory and be faster */
46430 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
46431
46432+ pax_track_stack();
46433+
46434 ret = -EINVAL;
46435 if (n < 0)
46436 goto out_nofds;
46437@@ -837,6 +842,9 @@ int do_sys_poll(struct pollfd __user *uf
46438 struct poll_list *walk = head;
46439 unsigned long todo = nfds;
46440
46441+ pax_track_stack();
46442+
46443+ gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
46444 if (nfds > rlimit(RLIMIT_NOFILE))
46445 return -EINVAL;
46446
46447diff -urNp linux-3.0.7/fs/seq_file.c linux-3.0.7/fs/seq_file.c
46448--- linux-3.0.7/fs/seq_file.c 2011-07-21 22:17:23.000000000 -0400
46449+++ linux-3.0.7/fs/seq_file.c 2011-08-23 21:47:56.000000000 -0400
46450@@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
46451 return 0;
46452 }
46453 if (!m->buf) {
46454- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
46455+ m->size = PAGE_SIZE;
46456+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
46457 if (!m->buf)
46458 return -ENOMEM;
46459 }
46460@@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
46461 Eoverflow:
46462 m->op->stop(m, p);
46463 kfree(m->buf);
46464- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
46465+ m->size <<= 1;
46466+ m->buf = kmalloc(m->size, GFP_KERNEL);
46467 return !m->buf ? -ENOMEM : -EAGAIN;
46468 }
46469
46470@@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
46471 m->version = file->f_version;
46472 /* grab buffer if we didn't have one */
46473 if (!m->buf) {
46474- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
46475+ m->size = PAGE_SIZE;
46476+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
46477 if (!m->buf)
46478 goto Enomem;
46479 }
46480@@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
46481 goto Fill;
46482 m->op->stop(m, p);
46483 kfree(m->buf);
46484- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
46485+ m->size <<= 1;
46486+ m->buf = kmalloc(m->size, GFP_KERNEL);
46487 if (!m->buf)
46488 goto Enomem;
46489 m->count = 0;
46490@@ -549,7 +553,7 @@ static void single_stop(struct seq_file
46491 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
46492 void *data)
46493 {
46494- struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
46495+ seq_operations_no_const *op = kmalloc(sizeof(*op), GFP_KERNEL);
46496 int res = -ENOMEM;
46497
46498 if (op) {
46499diff -urNp linux-3.0.7/fs/splice.c linux-3.0.7/fs/splice.c
46500--- linux-3.0.7/fs/splice.c 2011-07-21 22:17:23.000000000 -0400
46501+++ linux-3.0.7/fs/splice.c 2011-10-06 04:17:55.000000000 -0400
46502@@ -194,7 +194,7 @@ ssize_t splice_to_pipe(struct pipe_inode
46503 pipe_lock(pipe);
46504
46505 for (;;) {
46506- if (!pipe->readers) {
46507+ if (!atomic_read(&pipe->readers)) {
46508 send_sig(SIGPIPE, current, 0);
46509 if (!ret)
46510 ret = -EPIPE;
46511@@ -248,9 +248,9 @@ ssize_t splice_to_pipe(struct pipe_inode
46512 do_wakeup = 0;
46513 }
46514
46515- pipe->waiting_writers++;
46516+ atomic_inc(&pipe->waiting_writers);
46517 pipe_wait(pipe);
46518- pipe->waiting_writers--;
46519+ atomic_dec(&pipe->waiting_writers);
46520 }
46521
46522 pipe_unlock(pipe);
46523@@ -320,6 +320,8 @@ __generic_file_splice_read(struct file *
46524 .spd_release = spd_release_page,
46525 };
46526
46527+ pax_track_stack();
46528+
46529 if (splice_grow_spd(pipe, &spd))
46530 return -ENOMEM;
46531
46532@@ -560,7 +562,7 @@ static ssize_t kernel_readv(struct file
46533 old_fs = get_fs();
46534 set_fs(get_ds());
46535 /* The cast to a user pointer is valid due to the set_fs() */
46536- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
46537+ res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
46538 set_fs(old_fs);
46539
46540 return res;
46541@@ -575,7 +577,7 @@ static ssize_t kernel_write(struct file
46542 old_fs = get_fs();
46543 set_fs(get_ds());
46544 /* The cast to a user pointer is valid due to the set_fs() */
46545- res = vfs_write(file, (const char __user *)buf, count, &pos);
46546+ res = vfs_write(file, (const char __force_user *)buf, count, &pos);
46547 set_fs(old_fs);
46548
46549 return res;
46550@@ -603,6 +605,8 @@ ssize_t default_file_splice_read(struct
46551 .spd_release = spd_release_page,
46552 };
46553
46554+ pax_track_stack();
46555+
46556 if (splice_grow_spd(pipe, &spd))
46557 return -ENOMEM;
46558
46559@@ -626,7 +630,7 @@ ssize_t default_file_splice_read(struct
46560 goto err;
46561
46562 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
46563- vec[i].iov_base = (void __user *) page_address(page);
46564+ vec[i].iov_base = (void __force_user *) page_address(page);
46565 vec[i].iov_len = this_len;
46566 spd.pages[i] = page;
46567 spd.nr_pages++;
46568@@ -846,10 +850,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
46569 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
46570 {
46571 while (!pipe->nrbufs) {
46572- if (!pipe->writers)
46573+ if (!atomic_read(&pipe->writers))
46574 return 0;
46575
46576- if (!pipe->waiting_writers && sd->num_spliced)
46577+ if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
46578 return 0;
46579
46580 if (sd->flags & SPLICE_F_NONBLOCK)
46581@@ -1182,7 +1186,7 @@ ssize_t splice_direct_to_actor(struct fi
46582 * out of the pipe right after the splice_to_pipe(). So set
46583 * PIPE_READERS appropriately.
46584 */
46585- pipe->readers = 1;
46586+ atomic_set(&pipe->readers, 1);
46587
46588 current->splice_pipe = pipe;
46589 }
46590@@ -1619,6 +1623,8 @@ static long vmsplice_to_pipe(struct file
46591 };
46592 long ret;
46593
46594+ pax_track_stack();
46595+
46596 pipe = get_pipe_info(file);
46597 if (!pipe)
46598 return -EBADF;
46599@@ -1734,9 +1740,9 @@ static int ipipe_prep(struct pipe_inode_
46600 ret = -ERESTARTSYS;
46601 break;
46602 }
46603- if (!pipe->writers)
46604+ if (!atomic_read(&pipe->writers))
46605 break;
46606- if (!pipe->waiting_writers) {
46607+ if (!atomic_read(&pipe->waiting_writers)) {
46608 if (flags & SPLICE_F_NONBLOCK) {
46609 ret = -EAGAIN;
46610 break;
46611@@ -1768,7 +1774,7 @@ static int opipe_prep(struct pipe_inode_
46612 pipe_lock(pipe);
46613
46614 while (pipe->nrbufs >= pipe->buffers) {
46615- if (!pipe->readers) {
46616+ if (!atomic_read(&pipe->readers)) {
46617 send_sig(SIGPIPE, current, 0);
46618 ret = -EPIPE;
46619 break;
46620@@ -1781,9 +1787,9 @@ static int opipe_prep(struct pipe_inode_
46621 ret = -ERESTARTSYS;
46622 break;
46623 }
46624- pipe->waiting_writers++;
46625+ atomic_inc(&pipe->waiting_writers);
46626 pipe_wait(pipe);
46627- pipe->waiting_writers--;
46628+ atomic_dec(&pipe->waiting_writers);
46629 }
46630
46631 pipe_unlock(pipe);
46632@@ -1819,14 +1825,14 @@ retry:
46633 pipe_double_lock(ipipe, opipe);
46634
46635 do {
46636- if (!opipe->readers) {
46637+ if (!atomic_read(&opipe->readers)) {
46638 send_sig(SIGPIPE, current, 0);
46639 if (!ret)
46640 ret = -EPIPE;
46641 break;
46642 }
46643
46644- if (!ipipe->nrbufs && !ipipe->writers)
46645+ if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
46646 break;
46647
46648 /*
46649@@ -1923,7 +1929,7 @@ static int link_pipe(struct pipe_inode_i
46650 pipe_double_lock(ipipe, opipe);
46651
46652 do {
46653- if (!opipe->readers) {
46654+ if (!atomic_read(&opipe->readers)) {
46655 send_sig(SIGPIPE, current, 0);
46656 if (!ret)
46657 ret = -EPIPE;
46658@@ -1968,7 +1974,7 @@ static int link_pipe(struct pipe_inode_i
46659 * return EAGAIN if we have the potential of some data in the
46660 * future, otherwise just return 0
46661 */
46662- if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
46663+ if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
46664 ret = -EAGAIN;
46665
46666 pipe_unlock(ipipe);
46667diff -urNp linux-3.0.7/fs/sysfs/file.c linux-3.0.7/fs/sysfs/file.c
46668--- linux-3.0.7/fs/sysfs/file.c 2011-07-21 22:17:23.000000000 -0400
46669+++ linux-3.0.7/fs/sysfs/file.c 2011-08-23 21:47:56.000000000 -0400
46670@@ -37,7 +37,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
46671
46672 struct sysfs_open_dirent {
46673 atomic_t refcnt;
46674- atomic_t event;
46675+ atomic_unchecked_t event;
46676 wait_queue_head_t poll;
46677 struct list_head buffers; /* goes through sysfs_buffer.list */
46678 };
46679@@ -81,7 +81,7 @@ static int fill_read_buffer(struct dentr
46680 if (!sysfs_get_active(attr_sd))
46681 return -ENODEV;
46682
46683- buffer->event = atomic_read(&attr_sd->s_attr.open->event);
46684+ buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
46685 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
46686
46687 sysfs_put_active(attr_sd);
46688@@ -287,7 +287,7 @@ static int sysfs_get_open_dirent(struct
46689 return -ENOMEM;
46690
46691 atomic_set(&new_od->refcnt, 0);
46692- atomic_set(&new_od->event, 1);
46693+ atomic_set_unchecked(&new_od->event, 1);
46694 init_waitqueue_head(&new_od->poll);
46695 INIT_LIST_HEAD(&new_od->buffers);
46696 goto retry;
46697@@ -432,7 +432,7 @@ static unsigned int sysfs_poll(struct fi
46698
46699 sysfs_put_active(attr_sd);
46700
46701- if (buffer->event != atomic_read(&od->event))
46702+ if (buffer->event != atomic_read_unchecked(&od->event))
46703 goto trigger;
46704
46705 return DEFAULT_POLLMASK;
46706@@ -451,7 +451,7 @@ void sysfs_notify_dirent(struct sysfs_di
46707
46708 od = sd->s_attr.open;
46709 if (od) {
46710- atomic_inc(&od->event);
46711+ atomic_inc_unchecked(&od->event);
46712 wake_up_interruptible(&od->poll);
46713 }
46714
46715diff -urNp linux-3.0.7/fs/sysfs/mount.c linux-3.0.7/fs/sysfs/mount.c
46716--- linux-3.0.7/fs/sysfs/mount.c 2011-07-21 22:17:23.000000000 -0400
46717+++ linux-3.0.7/fs/sysfs/mount.c 2011-08-23 21:48:14.000000000 -0400
46718@@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
46719 .s_name = "",
46720 .s_count = ATOMIC_INIT(1),
46721 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
46722+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
46723+ .s_mode = S_IFDIR | S_IRWXU,
46724+#else
46725 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
46726+#endif
46727 .s_ino = 1,
46728 };
46729
46730diff -urNp linux-3.0.7/fs/sysfs/symlink.c linux-3.0.7/fs/sysfs/symlink.c
46731--- linux-3.0.7/fs/sysfs/symlink.c 2011-07-21 22:17:23.000000000 -0400
46732+++ linux-3.0.7/fs/sysfs/symlink.c 2011-08-23 21:47:56.000000000 -0400
46733@@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
46734
46735 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
46736 {
46737- char *page = nd_get_link(nd);
46738+ const char *page = nd_get_link(nd);
46739 if (!IS_ERR(page))
46740 free_page((unsigned long)page);
46741 }
46742diff -urNp linux-3.0.7/fs/udf/inode.c linux-3.0.7/fs/udf/inode.c
46743--- linux-3.0.7/fs/udf/inode.c 2011-07-21 22:17:23.000000000 -0400
46744+++ linux-3.0.7/fs/udf/inode.c 2011-08-23 21:48:14.000000000 -0400
46745@@ -560,6 +560,8 @@ static struct buffer_head *inode_getblk(
46746 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
46747 int lastblock = 0;
46748
46749+ pax_track_stack();
46750+
46751 prev_epos.offset = udf_file_entry_alloc_offset(inode);
46752 prev_epos.block = iinfo->i_location;
46753 prev_epos.bh = NULL;
46754diff -urNp linux-3.0.7/fs/udf/misc.c linux-3.0.7/fs/udf/misc.c
46755--- linux-3.0.7/fs/udf/misc.c 2011-07-21 22:17:23.000000000 -0400
46756+++ linux-3.0.7/fs/udf/misc.c 2011-08-23 21:47:56.000000000 -0400
46757@@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
46758
46759 u8 udf_tag_checksum(const struct tag *t)
46760 {
46761- u8 *data = (u8 *)t;
46762+ const u8 *data = (const u8 *)t;
46763 u8 checksum = 0;
46764 int i;
46765 for (i = 0; i < sizeof(struct tag); ++i)
46766diff -urNp linux-3.0.7/fs/utimes.c linux-3.0.7/fs/utimes.c
46767--- linux-3.0.7/fs/utimes.c 2011-07-21 22:17:23.000000000 -0400
46768+++ linux-3.0.7/fs/utimes.c 2011-08-23 21:48:14.000000000 -0400
46769@@ -1,6 +1,7 @@
46770 #include <linux/compiler.h>
46771 #include <linux/file.h>
46772 #include <linux/fs.h>
46773+#include <linux/security.h>
46774 #include <linux/linkage.h>
46775 #include <linux/mount.h>
46776 #include <linux/namei.h>
46777@@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
46778 goto mnt_drop_write_and_out;
46779 }
46780 }
46781+
46782+ if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
46783+ error = -EACCES;
46784+ goto mnt_drop_write_and_out;
46785+ }
46786+
46787 mutex_lock(&inode->i_mutex);
46788 error = notify_change(path->dentry, &newattrs);
46789 mutex_unlock(&inode->i_mutex);
46790diff -urNp linux-3.0.7/fs/xattr.c linux-3.0.7/fs/xattr.c
46791--- linux-3.0.7/fs/xattr.c 2011-07-21 22:17:23.000000000 -0400
46792+++ linux-3.0.7/fs/xattr.c 2011-08-23 21:48:14.000000000 -0400
46793@@ -254,7 +254,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
46794 * Extended attribute SET operations
46795 */
46796 static long
46797-setxattr(struct dentry *d, const char __user *name, const void __user *value,
46798+setxattr(struct path *path, const char __user *name, const void __user *value,
46799 size_t size, int flags)
46800 {
46801 int error;
46802@@ -278,7 +278,13 @@ setxattr(struct dentry *d, const char __
46803 return PTR_ERR(kvalue);
46804 }
46805
46806- error = vfs_setxattr(d, kname, kvalue, size, flags);
46807+ if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
46808+ error = -EACCES;
46809+ goto out;
46810+ }
46811+
46812+ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
46813+out:
46814 kfree(kvalue);
46815 return error;
46816 }
46817@@ -295,7 +301,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
46818 return error;
46819 error = mnt_want_write(path.mnt);
46820 if (!error) {
46821- error = setxattr(path.dentry, name, value, size, flags);
46822+ error = setxattr(&path, name, value, size, flags);
46823 mnt_drop_write(path.mnt);
46824 }
46825 path_put(&path);
46826@@ -314,7 +320,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
46827 return error;
46828 error = mnt_want_write(path.mnt);
46829 if (!error) {
46830- error = setxattr(path.dentry, name, value, size, flags);
46831+ error = setxattr(&path, name, value, size, flags);
46832 mnt_drop_write(path.mnt);
46833 }
46834 path_put(&path);
46835@@ -325,17 +331,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
46836 const void __user *,value, size_t, size, int, flags)
46837 {
46838 struct file *f;
46839- struct dentry *dentry;
46840 int error = -EBADF;
46841
46842 f = fget(fd);
46843 if (!f)
46844 return error;
46845- dentry = f->f_path.dentry;
46846- audit_inode(NULL, dentry);
46847+ audit_inode(NULL, f->f_path.dentry);
46848 error = mnt_want_write_file(f);
46849 if (!error) {
46850- error = setxattr(dentry, name, value, size, flags);
46851+ error = setxattr(&f->f_path, name, value, size, flags);
46852 mnt_drop_write(f->f_path.mnt);
46853 }
46854 fput(f);
46855diff -urNp linux-3.0.7/fs/xattr_acl.c linux-3.0.7/fs/xattr_acl.c
46856--- linux-3.0.7/fs/xattr_acl.c 2011-07-21 22:17:23.000000000 -0400
46857+++ linux-3.0.7/fs/xattr_acl.c 2011-08-23 21:47:56.000000000 -0400
46858@@ -17,8 +17,8 @@
46859 struct posix_acl *
46860 posix_acl_from_xattr(const void *value, size_t size)
46861 {
46862- posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
46863- posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
46864+ const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
46865+ const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
46866 int count;
46867 struct posix_acl *acl;
46868 struct posix_acl_entry *acl_e;
46869diff -urNp linux-3.0.7/fs/xfs/linux-2.6/xfs_ioctl.c linux-3.0.7/fs/xfs/linux-2.6/xfs_ioctl.c
46870--- linux-3.0.7/fs/xfs/linux-2.6/xfs_ioctl.c 2011-07-21 22:17:23.000000000 -0400
46871+++ linux-3.0.7/fs/xfs/linux-2.6/xfs_ioctl.c 2011-08-23 21:47:56.000000000 -0400
46872@@ -128,7 +128,7 @@ xfs_find_handle(
46873 }
46874
46875 error = -EFAULT;
46876- if (copy_to_user(hreq->ohandle, &handle, hsize) ||
46877+ if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
46878 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
46879 goto out_put;
46880
46881diff -urNp linux-3.0.7/fs/xfs/linux-2.6/xfs_ioctl32.c linux-3.0.7/fs/xfs/linux-2.6/xfs_ioctl32.c
46882--- linux-3.0.7/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-07-21 22:17:23.000000000 -0400
46883+++ linux-3.0.7/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-08-23 21:48:14.000000000 -0400
46884@@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
46885 xfs_fsop_geom_t fsgeo;
46886 int error;
46887
46888+ memset(&fsgeo, 0, sizeof(fsgeo));
46889 error = xfs_fs_geometry(mp, &fsgeo, 3);
46890 if (error)
46891 return -error;
46892diff -urNp linux-3.0.7/fs/xfs/linux-2.6/xfs_iops.c linux-3.0.7/fs/xfs/linux-2.6/xfs_iops.c
46893--- linux-3.0.7/fs/xfs/linux-2.6/xfs_iops.c 2011-07-21 22:17:23.000000000 -0400
46894+++ linux-3.0.7/fs/xfs/linux-2.6/xfs_iops.c 2011-08-23 21:47:56.000000000 -0400
46895@@ -437,7 +437,7 @@ xfs_vn_put_link(
46896 struct nameidata *nd,
46897 void *p)
46898 {
46899- char *s = nd_get_link(nd);
46900+ const char *s = nd_get_link(nd);
46901
46902 if (!IS_ERR(s))
46903 kfree(s);
46904diff -urNp linux-3.0.7/fs/xfs/xfs_bmap.c linux-3.0.7/fs/xfs/xfs_bmap.c
46905--- linux-3.0.7/fs/xfs/xfs_bmap.c 2011-07-21 22:17:23.000000000 -0400
46906+++ linux-3.0.7/fs/xfs/xfs_bmap.c 2011-08-23 21:47:56.000000000 -0400
46907@@ -253,7 +253,7 @@ xfs_bmap_validate_ret(
46908 int nmap,
46909 int ret_nmap);
46910 #else
46911-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
46912+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
46913 #endif /* DEBUG */
46914
46915 STATIC int
46916diff -urNp linux-3.0.7/fs/xfs/xfs_dir2_sf.c linux-3.0.7/fs/xfs/xfs_dir2_sf.c
46917--- linux-3.0.7/fs/xfs/xfs_dir2_sf.c 2011-07-21 22:17:23.000000000 -0400
46918+++ linux-3.0.7/fs/xfs/xfs_dir2_sf.c 2011-08-23 21:47:56.000000000 -0400
46919@@ -780,7 +780,15 @@ xfs_dir2_sf_getdents(
46920 }
46921
46922 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
46923- if (filldir(dirent, (char *)sfep->name, sfep->namelen,
46924+ if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
46925+ char name[sfep->namelen];
46926+ memcpy(name, sfep->name, sfep->namelen);
46927+ if (filldir(dirent, name, sfep->namelen,
46928+ off & 0x7fffffff, ino, DT_UNKNOWN)) {
46929+ *offset = off & 0x7fffffff;
46930+ return 0;
46931+ }
46932+ } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
46933 off & 0x7fffffff, ino, DT_UNKNOWN)) {
46934 *offset = off & 0x7fffffff;
46935 return 0;
46936diff -urNp linux-3.0.7/grsecurity/Kconfig linux-3.0.7/grsecurity/Kconfig
46937--- linux-3.0.7/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
46938+++ linux-3.0.7/grsecurity/Kconfig 2011-09-15 00:00:57.000000000 -0400
46939@@ -0,0 +1,1038 @@
46940+#
46941+# grecurity configuration
46942+#
46943+
46944+menu "Grsecurity"
46945+
46946+config GRKERNSEC
46947+ bool "Grsecurity"
46948+ select CRYPTO
46949+ select CRYPTO_SHA256
46950+ help
46951+ If you say Y here, you will be able to configure many features
46952+ that will enhance the security of your system. It is highly
46953+ recommended that you say Y here and read through the help
46954+ for each option so that you fully understand the features and
46955+ can evaluate their usefulness for your machine.
46956+
46957+choice
46958+ prompt "Security Level"
46959+ depends on GRKERNSEC
46960+ default GRKERNSEC_CUSTOM
46961+
46962+config GRKERNSEC_LOW
46963+ bool "Low"
46964+ select GRKERNSEC_LINK
46965+ select GRKERNSEC_FIFO
46966+ select GRKERNSEC_RANDNET
46967+ select GRKERNSEC_DMESG
46968+ select GRKERNSEC_CHROOT
46969+ select GRKERNSEC_CHROOT_CHDIR
46970+
46971+ help
46972+ If you choose this option, several of the grsecurity options will
46973+ be enabled that will give you greater protection against a number
46974+ of attacks, while assuring that none of your software will have any
46975+ conflicts with the additional security measures. If you run a lot
46976+ of unusual software, or you are having problems with the higher
46977+ security levels, you should say Y here. With this option, the
46978+ following features are enabled:
46979+
46980+ - Linking restrictions
46981+ - FIFO restrictions
46982+ - Restricted dmesg
46983+ - Enforced chdir("/") on chroot
46984+ - Runtime module disabling
46985+
46986+config GRKERNSEC_MEDIUM
46987+ bool "Medium"
46988+ select PAX
46989+ select PAX_EI_PAX
46990+ select PAX_PT_PAX_FLAGS
46991+ select PAX_HAVE_ACL_FLAGS
46992+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
46993+ select GRKERNSEC_CHROOT
46994+ select GRKERNSEC_CHROOT_SYSCTL
46995+ select GRKERNSEC_LINK
46996+ select GRKERNSEC_FIFO
46997+ select GRKERNSEC_DMESG
46998+ select GRKERNSEC_RANDNET
46999+ select GRKERNSEC_FORKFAIL
47000+ select GRKERNSEC_TIME
47001+ select GRKERNSEC_SIGNAL
47002+ select GRKERNSEC_CHROOT
47003+ select GRKERNSEC_CHROOT_UNIX
47004+ select GRKERNSEC_CHROOT_MOUNT
47005+ select GRKERNSEC_CHROOT_PIVOT
47006+ select GRKERNSEC_CHROOT_DOUBLE
47007+ select GRKERNSEC_CHROOT_CHDIR
47008+ select GRKERNSEC_CHROOT_MKNOD
47009+ select GRKERNSEC_PROC
47010+ select GRKERNSEC_PROC_USERGROUP
47011+ select PAX_RANDUSTACK
47012+ select PAX_ASLR
47013+ select PAX_RANDMMAP
47014+ select PAX_REFCOUNT if (X86 || SPARC64)
47015+ select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
47016+
47017+ help
47018+ If you say Y here, several features in addition to those included
47019+ in the low additional security level will be enabled. These
47020+ features provide even more security to your system, though in rare
47021+ cases they may be incompatible with very old or poorly written
47022+ software. If you enable this option, make sure that your auth
47023+ service (identd) is running as gid 1001. With this option,
47024+ the following features (in addition to those provided in the
47025+ low additional security level) will be enabled:
47026+
47027+ - Failed fork logging
47028+ - Time change logging
47029+ - Signal logging
47030+ - Deny mounts in chroot
47031+ - Deny double chrooting
47032+ - Deny sysctl writes in chroot
47033+ - Deny mknod in chroot
47034+ - Deny access to abstract AF_UNIX sockets out of chroot
47035+ - Deny pivot_root in chroot
47036+ - Denied writes of /dev/kmem, /dev/mem, and /dev/port
47037+ - /proc restrictions with special GID set to 10 (usually wheel)
47038+ - Address Space Layout Randomization (ASLR)
47039+ - Prevent exploitation of most refcount overflows
47040+ - Bounds checking of copying between the kernel and userland
47041+
47042+config GRKERNSEC_HIGH
47043+ bool "High"
47044+ select GRKERNSEC_LINK
47045+ select GRKERNSEC_FIFO
47046+ select GRKERNSEC_DMESG
47047+ select GRKERNSEC_FORKFAIL
47048+ select GRKERNSEC_TIME
47049+ select GRKERNSEC_SIGNAL
47050+ select GRKERNSEC_CHROOT
47051+ select GRKERNSEC_CHROOT_SHMAT
47052+ select GRKERNSEC_CHROOT_UNIX
47053+ select GRKERNSEC_CHROOT_MOUNT
47054+ select GRKERNSEC_CHROOT_FCHDIR
47055+ select GRKERNSEC_CHROOT_PIVOT
47056+ select GRKERNSEC_CHROOT_DOUBLE
47057+ select GRKERNSEC_CHROOT_CHDIR
47058+ select GRKERNSEC_CHROOT_MKNOD
47059+ select GRKERNSEC_CHROOT_CAPS
47060+ select GRKERNSEC_CHROOT_SYSCTL
47061+ select GRKERNSEC_CHROOT_FINDTASK
47062+ select GRKERNSEC_SYSFS_RESTRICT
47063+ select GRKERNSEC_PROC
47064+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
47065+ select GRKERNSEC_HIDESYM
47066+ select GRKERNSEC_BRUTE
47067+ select GRKERNSEC_PROC_USERGROUP
47068+ select GRKERNSEC_KMEM
47069+ select GRKERNSEC_RESLOG
47070+ select GRKERNSEC_RANDNET
47071+ select GRKERNSEC_PROC_ADD
47072+ select GRKERNSEC_CHROOT_CHMOD
47073+ select GRKERNSEC_CHROOT_NICE
47074+ select GRKERNSEC_AUDIT_MOUNT
47075+ select GRKERNSEC_MODHARDEN if (MODULES)
47076+ select GRKERNSEC_HARDEN_PTRACE
47077+ select GRKERNSEC_VM86 if (X86_32)
47078+ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
47079+ select PAX
47080+ select PAX_RANDUSTACK
47081+ select PAX_ASLR
47082+ select PAX_RANDMMAP
47083+ select PAX_NOEXEC
47084+ select PAX_MPROTECT
47085+ select PAX_EI_PAX
47086+ select PAX_PT_PAX_FLAGS
47087+ select PAX_HAVE_ACL_FLAGS
47088+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
47089+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
47090+ select PAX_RANDKSTACK if (X86_TSC && X86)
47091+ select PAX_SEGMEXEC if (X86_32)
47092+ select PAX_PAGEEXEC
47093+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
47094+ select PAX_EMUTRAMP if (PARISC)
47095+ select PAX_EMUSIGRT if (PARISC)
47096+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
47097+ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
47098+ select PAX_REFCOUNT if (X86 || SPARC64)
47099+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
47100+ help
47101+ If you say Y here, many of the features of grsecurity will be
47102+ enabled, which will protect you against many kinds of attacks
47103+ against your system. The heightened security comes at a cost
47104+ of an increased chance of incompatibilities with rare software
47105+ on your machine. Since this security level enables PaX, you should
47106+ view <http://pax.grsecurity.net> and read about the PaX
47107+ project. While you are there, download chpax and run it on
47108+ binaries that cause problems with PaX. Also remember that
47109+ since the /proc restrictions are enabled, you must run your
47110+ identd as gid 1001. This security level enables the following
47111+ features in addition to those listed in the low and medium
47112+ security levels:
47113+
47114+ - Additional /proc restrictions
47115+ - Chmod restrictions in chroot
47116+ - No signals, ptrace, or viewing of processes outside of chroot
47117+ - Capability restrictions in chroot
47118+ - Deny fchdir out of chroot
47119+ - Priority restrictions in chroot
47120+ - Segmentation-based implementation of PaX
47121+ - Mprotect restrictions
47122+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
47123+ - Kernel stack randomization
47124+ - Mount/unmount/remount logging
47125+ - Kernel symbol hiding
47126+ - Prevention of memory exhaustion-based exploits
47127+ - Hardening of module auto-loading
47128+ - Ptrace restrictions
47129+ - Restricted vm86 mode
47130+ - Restricted sysfs/debugfs
47131+ - Active kernel exploit response
47132+
47133+config GRKERNSEC_CUSTOM
47134+ bool "Custom"
47135+ help
47136+ If you say Y here, you will be able to configure every grsecurity
47137+ option, which allows you to enable many more features that aren't
47138+ covered in the basic security levels. These additional features
47139+ include TPE, socket restrictions, and the sysctl system for
47140+ grsecurity. It is advised that you read through the help for
47141+ each option to determine its usefulness in your situation.
47142+
47143+endchoice
47144+
47145+menu "Address Space Protection"
47146+depends on GRKERNSEC
47147+
47148+config GRKERNSEC_KMEM
47149+ bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
47150+ select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
47151+ help
47152+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
47153+ be written to via mmap or otherwise to modify the running kernel.
47154+ /dev/port will also not be allowed to be opened. If you have module
47155+ support disabled, enabling this will close up four ways that are
47156+ currently used to insert malicious code into the running kernel.
47157+ Even with all these features enabled, we still highly recommend that
47158+ you use the RBAC system, as it is still possible for an attacker to
47159+ modify the running kernel through privileged I/O granted by ioperm/iopl.
47160+ If you are not using XFree86, you may be able to stop this additional
47161+ case by enabling the 'Disable privileged I/O' option. Though nothing
47162+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
47163+ but only to video memory, which is the only writing we allow in this
47164+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
47165+ not be allowed to mprotect it with PROT_WRITE later.
47166+ It is highly recommended that you say Y here if you meet all the
47167+ conditions above.
47168+
47169+config GRKERNSEC_VM86
47170+ bool "Restrict VM86 mode"
47171+ depends on X86_32
47172+
47173+ help
47174+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
47175+ make use of a special execution mode on 32bit x86 processors called
47176+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
47177+ video cards and will still work with this option enabled. The purpose
47178+ of the option is to prevent exploitation of emulation errors in
47179+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
47180+ Nearly all users should be able to enable this option.
47181+
47182+config GRKERNSEC_IO
47183+ bool "Disable privileged I/O"
47184+ depends on X86
47185+ select RTC_CLASS
47186+ select RTC_INTF_DEV
47187+ select RTC_DRV_CMOS
47188+
47189+ help
47190+ If you say Y here, all ioperm and iopl calls will return an error.
47191+ Ioperm and iopl can be used to modify the running kernel.
47192+ Unfortunately, some programs need this access to operate properly,
47193+ the most notable of which are XFree86 and hwclock. hwclock can be
47194+ remedied by having RTC support in the kernel, so real-time
47195+ clock support is enabled if this option is enabled, to ensure
47196+ that hwclock operates correctly. XFree86 still will not
47197+ operate correctly with this option enabled, so DO NOT CHOOSE Y
47198+ IF YOU USE XFree86. If you use XFree86 and you still want to
47199+ protect your kernel against modification, use the RBAC system.
47200+
47201+config GRKERNSEC_PROC_MEMMAP
47202+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
47203+ default y if (PAX_NOEXEC || PAX_ASLR)
47204+ depends on PAX_NOEXEC || PAX_ASLR
47205+ help
47206+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
47207+ give no information about the addresses of its mappings if
47208+ PaX features that rely on random addresses are enabled on the task.
47209+ If you use PaX it is greatly recommended that you say Y here as it
47210+ closes up a hole that makes the full ASLR useless for suid
47211+ binaries.
47212+
47213+config GRKERNSEC_BRUTE
47214+ bool "Deter exploit bruteforcing"
47215+ help
47216+ If you say Y here, attempts to bruteforce exploits against forking
47217+ daemons such as apache or sshd, as well as against suid/sgid binaries
47218+ will be deterred. When a child of a forking daemon is killed by PaX
47219+ or crashes due to an illegal instruction or other suspicious signal,
47220+ the parent process will be delayed 30 seconds upon every subsequent
47221+ fork until the administrator is able to assess the situation and
47222+ restart the daemon.
47223+ In the suid/sgid case, the attempt is logged, the user has all their
47224+ processes terminated, and they are prevented from executing any further
47225+ processes for 15 minutes.
47226+ It is recommended that you also enable signal logging in the auditing
47227+ section so that logs are generated when a process triggers a suspicious
47228+ signal.
47229+ If the sysctl option is enabled, a sysctl option with name
47230+ "deter_bruteforce" is created.
47231+
47232+
47233+config GRKERNSEC_MODHARDEN
47234+ bool "Harden module auto-loading"
47235+ depends on MODULES
47236+ help
47237+ If you say Y here, module auto-loading in response to use of some
47238+ feature implemented by an unloaded module will be restricted to
47239+ root users. Enabling this option helps defend against attacks
47240+ by unprivileged users who abuse the auto-loading behavior to
47241+ cause a vulnerable module to load that is then exploited.
47242+
47243+ If this option prevents a legitimate use of auto-loading for a
47244+ non-root user, the administrator can execute modprobe manually
47245+ with the exact name of the module mentioned in the alert log.
47246+ Alternatively, the administrator can add the module to the list
47247+ of modules loaded at boot by modifying init scripts.
47248+
47249+ Modification of init scripts will most likely be needed on
47250+ Ubuntu servers with encrypted home directory support enabled,
47251+ as the first non-root user logging in will cause the ecb(aes),
47252+ ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
47253+
47254+config GRKERNSEC_HIDESYM
47255+ bool "Hide kernel symbols"
47256+ help
47257+ If you say Y here, getting information on loaded modules, and
47258+ displaying all kernel symbols through a syscall will be restricted
47259+ to users with CAP_SYS_MODULE. For software compatibility reasons,
47260+ /proc/kallsyms will be restricted to the root user. The RBAC
47261+ system can hide that entry even from root.
47262+
47263+ This option also prevents leaking of kernel addresses through
47264+ several /proc entries.
47265+
47266+ Note that this option is only effective provided the following
47267+ conditions are met:
47268+ 1) The kernel using grsecurity is not precompiled by some distribution
47269+ 2) You have also enabled GRKERNSEC_DMESG
47270+ 3) You are using the RBAC system and hiding other files such as your
47271+ kernel image and System.map. Alternatively, enabling this option
47272+ causes the permissions on /boot, /lib/modules, and the kernel
47273+ source directory to change at compile time to prevent
47274+ reading by non-root users.
47275+ If the above conditions are met, this option will aid in providing a
47276+ useful protection against local kernel exploitation of overflows
47277+ and arbitrary read/write vulnerabilities.
47278+
47279+config GRKERNSEC_KERN_LOCKOUT
47280+ bool "Active kernel exploit response"
47281+ depends on X86 || ARM || PPC || SPARC
47282+ help
47283+ If you say Y here, when a PaX alert is triggered due to suspicious
47284+ activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
47285+ or an OOPs occurs due to bad memory accesses, instead of just
47286+ terminating the offending process (and potentially allowing
47287+ a subsequent exploit from the same user), we will take one of two
47288+ actions:
47289+ If the user was root, we will panic the system
47290+ If the user was non-root, we will log the attempt, terminate
47291+ all processes owned by the user, then prevent them from creating
47292+ any new processes until the system is restarted
47293+ This deters repeated kernel exploitation/bruteforcing attempts
47294+ and is useful for later forensics.
47295+
47296+endmenu
47297+menu "Role Based Access Control Options"
47298+depends on GRKERNSEC
47299+
47300+config GRKERNSEC_RBAC_DEBUG
47301+ bool
47302+
47303+config GRKERNSEC_NO_RBAC
47304+ bool "Disable RBAC system"
47305+ help
47306+ If you say Y here, the /dev/grsec device will be removed from the kernel,
47307+ preventing the RBAC system from being enabled. You should only say Y
47308+ here if you have no intention of using the RBAC system, so as to prevent
47309+ an attacker with root access from misusing the RBAC system to hide files
47310+ and processes when loadable module support and /dev/[k]mem have been
47311+ locked down.
47312+
47313+config GRKERNSEC_ACL_HIDEKERN
47314+ bool "Hide kernel processes"
47315+ help
47316+ If you say Y here, all kernel threads will be hidden to all
47317+ processes but those whose subject has the "view hidden processes"
47318+ flag.
47319+
47320+config GRKERNSEC_ACL_MAXTRIES
47321+ int "Maximum tries before password lockout"
47322+ default 3
47323+ help
47324+ This option enforces the maximum number of times a user can attempt
47325+ to authorize themselves with the grsecurity RBAC system before being
47326+ denied the ability to attempt authorization again for a specified time.
47327+ The lower the number, the harder it will be to brute-force a password.
47328+
47329+config GRKERNSEC_ACL_TIMEOUT
47330+ int "Time to wait after max password tries, in seconds"
47331+ default 30
47332+ help
47333+ This option specifies the time the user must wait after attempting to
47334+ authorize to the RBAC system with the maximum number of invalid
47335+ passwords. The higher the number, the harder it will be to brute-force
47336+ a password.
47337+
47338+endmenu
47339+menu "Filesystem Protections"
47340+depends on GRKERNSEC
47341+
47342+config GRKERNSEC_PROC
47343+ bool "Proc restrictions"
47344+ help
47345+ If you say Y here, the permissions of the /proc filesystem
47346+ will be altered to enhance system security and privacy. You MUST
47347+ choose either a user only restriction or a user and group restriction.
47348+ Depending upon the option you choose, you can either restrict users to
47349+ see only the processes they themselves run, or choose a group that can
47350+ view all processes and files normally restricted to root if you choose
47351+ the "restrict to user only" option. NOTE: If you're running identd as
47352+ a non-root user, you will have to run it as the group you specify here.
47353+
47354+config GRKERNSEC_PROC_USER
47355+ bool "Restrict /proc to user only"
47356+ depends on GRKERNSEC_PROC
47357+ help
47358+ If you say Y here, non-root users will only be able to view their own
47359+ processes, and restricts them from viewing network-related information,
47360+ and viewing kernel symbol and module information.
47361+
47362+config GRKERNSEC_PROC_USERGROUP
47363+ bool "Allow special group"
47364+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
47365+ help
47366+ If you say Y here, you will be able to select a group that will be
47367+ able to view all processes and network-related information. If you've
47368+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
47369+ remain hidden. This option is useful if you want to run identd as
47370+ a non-root user.
47371+
47372+config GRKERNSEC_PROC_GID
47373+ int "GID for special group"
47374+ depends on GRKERNSEC_PROC_USERGROUP
47375+ default 1001
47376+
47377+config GRKERNSEC_PROC_ADD
47378+ bool "Additional restrictions"
47379+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
47380+ help
47381+ If you say Y here, additional restrictions will be placed on
47382+ /proc that keep normal users from viewing device information and
47383+ slabinfo information that could be useful for exploits.
47384+
47385+config GRKERNSEC_LINK
47386+ bool "Linking restrictions"
47387+ help
47388+ If you say Y here, /tmp race exploits will be prevented, since users
47389+ will no longer be able to follow symlinks owned by other users in
47390+ world-writable +t directories (e.g. /tmp), unless the owner of the
47391+ symlink is the owner of the directory. users will also not be
47392+ able to hardlink to files they do not own. If the sysctl option is
47393+ enabled, a sysctl option with name "linking_restrictions" is created.
47394+
47395+config GRKERNSEC_FIFO
47396+ bool "FIFO restrictions"
47397+ help
47398+ If you say Y here, users will not be able to write to FIFOs they don't
47399+ own in world-writable +t directories (e.g. /tmp), unless the owner of
47400+ the FIFO is the same owner of the directory it's held in. If the sysctl
47401+ option is enabled, a sysctl option with name "fifo_restrictions" is
47402+ created.
47403+
47404+config GRKERNSEC_SYSFS_RESTRICT
47405+ bool "Sysfs/debugfs restriction"
47406+ depends on SYSFS
47407+ help
47408+ If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
47409+ any filesystem normally mounted under it (e.g. debugfs) will only
47410+ be accessible by root. These filesystems generally provide access
47411+ to hardware and debug information that isn't appropriate for unprivileged
47412+ users of the system. Sysfs and debugfs have also become a large source
47413+ of new vulnerabilities, ranging from infoleaks to local compromise.
47414+ There has been very little oversight with an eye toward security involved
47415+ in adding new exporters of information to these filesystems, so their
47416+ use is discouraged.
47417+ This option is equivalent to a chmod 0700 of the mount paths.
47418+
47419+config GRKERNSEC_ROFS
47420+ bool "Runtime read-only mount protection"
47421+ help
47422+ If you say Y here, a sysctl option with name "romount_protect" will
47423+ be created. By setting this option to 1 at runtime, filesystems
47424+ will be protected in the following ways:
47425+ * No new writable mounts will be allowed
47426+ * Existing read-only mounts won't be able to be remounted read/write
47427+ * Write operations will be denied on all block devices
47428+ This option acts independently of grsec_lock: once it is set to 1,
47429+ it cannot be turned off. Therefore, please be mindful of the resulting
47430+ behavior if this option is enabled in an init script on a read-only
47431+ filesystem. This feature is mainly intended for secure embedded systems.
47432+
47433+config GRKERNSEC_CHROOT
47434+ bool "Chroot jail restrictions"
47435+ help
47436+ If you say Y here, you will be able to choose several options that will
47437+ make breaking out of a chrooted jail much more difficult. If you
47438+ encounter no software incompatibilities with the following options, it
47439+ is recommended that you enable each one.
47440+
47441+config GRKERNSEC_CHROOT_MOUNT
47442+ bool "Deny mounts"
47443+ depends on GRKERNSEC_CHROOT
47444+ help
47445+ If you say Y here, processes inside a chroot will not be able to
47446+ mount or remount filesystems. If the sysctl option is enabled, a
47447+ sysctl option with name "chroot_deny_mount" is created.
47448+
47449+config GRKERNSEC_CHROOT_DOUBLE
47450+ bool "Deny double-chroots"
47451+ depends on GRKERNSEC_CHROOT
47452+ help
47453+ If you say Y here, processes inside a chroot will not be able to chroot
47454+ again outside the chroot. This is a widely used method of breaking
47455+ out of a chroot jail and should not be allowed. If the sysctl
47456+ option is enabled, a sysctl option with name
47457+ "chroot_deny_chroot" is created.
47458+
47459+config GRKERNSEC_CHROOT_PIVOT
47460+ bool "Deny pivot_root in chroot"
47461+ depends on GRKERNSEC_CHROOT
47462+ help
47463+ If you say Y here, processes inside a chroot will not be able to use
47464+ a function called pivot_root() that was introduced in Linux 2.3.41. It
47465+ works similar to chroot in that it changes the root filesystem. This
47466+ function could be misused in a chrooted process to attempt to break out
47467+ of the chroot, and therefore should not be allowed. If the sysctl
47468+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
47469+ created.
47470+
47471+config GRKERNSEC_CHROOT_CHDIR
47472+ bool "Enforce chdir(\"/\") on all chroots"
47473+ depends on GRKERNSEC_CHROOT
47474+ help
47475+ If you say Y here, the current working directory of all newly-chrooted
47476+ applications will be set to the the root directory of the chroot.
47477+ The man page on chroot(2) states:
47478+ Note that this call does not change the current working
47479+ directory, so that `.' can be outside the tree rooted at
47480+ `/'. In particular, the super-user can escape from a
47481+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
47482+
47483+ It is recommended that you say Y here, since it's not known to break
47484+ any software. If the sysctl option is enabled, a sysctl option with
47485+ name "chroot_enforce_chdir" is created.
47486+
47487+config GRKERNSEC_CHROOT_CHMOD
47488+ bool "Deny (f)chmod +s"
47489+ depends on GRKERNSEC_CHROOT
47490+ help
47491+ If you say Y here, processes inside a chroot will not be able to chmod
47492+ or fchmod files to make them have suid or sgid bits. This protects
47493+ against another published method of breaking a chroot. If the sysctl
47494+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
47495+ created.
47496+
47497+config GRKERNSEC_CHROOT_FCHDIR
47498+ bool "Deny fchdir out of chroot"
47499+ depends on GRKERNSEC_CHROOT
47500+ help
47501+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
47502+ to a file descriptor of the chrooting process that points to a directory
47503+ outside the filesystem will be stopped. If the sysctl option
47504+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
47505+
47506+config GRKERNSEC_CHROOT_MKNOD
47507+ bool "Deny mknod"
47508+ depends on GRKERNSEC_CHROOT
47509+ help
47510+ If you say Y here, processes inside a chroot will not be allowed to
47511+ mknod. The problem with using mknod inside a chroot is that it
47512+ would allow an attacker to create a device entry that is the same
47513+ as one on the physical root of your system, which could range from
47514+ anything from the console device to a device for your harddrive (which
47515+ they could then use to wipe the drive or steal data). It is recommended
47516+ that you say Y here, unless you run into software incompatibilities.
47517+ If the sysctl option is enabled, a sysctl option with name
47518+ "chroot_deny_mknod" is created.
47519+
47520+config GRKERNSEC_CHROOT_SHMAT
47521+ bool "Deny shmat() out of chroot"
47522+ depends on GRKERNSEC_CHROOT
47523+ help
47524+ If you say Y here, processes inside a chroot will not be able to attach
47525+ to shared memory segments that were created outside of the chroot jail.
47526+ It is recommended that you say Y here. If the sysctl option is enabled,
47527+ a sysctl option with name "chroot_deny_shmat" is created.
47528+
47529+config GRKERNSEC_CHROOT_UNIX
47530+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
47531+ depends on GRKERNSEC_CHROOT
47532+ help
47533+ If you say Y here, processes inside a chroot will not be able to
47534+ connect to abstract (meaning not belonging to a filesystem) Unix
47535+ domain sockets that were bound outside of a chroot. It is recommended
47536+ that you say Y here. If the sysctl option is enabled, a sysctl option
47537+ with name "chroot_deny_unix" is created.
47538+
47539+config GRKERNSEC_CHROOT_FINDTASK
47540+ bool "Protect outside processes"
47541+ depends on GRKERNSEC_CHROOT
47542+ help
47543+ If you say Y here, processes inside a chroot will not be able to
47544+ kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
47545+ getsid, or view any process outside of the chroot. If the sysctl
47546+ option is enabled, a sysctl option with name "chroot_findtask" is
47547+ created.
47548+
47549+config GRKERNSEC_CHROOT_NICE
47550+ bool "Restrict priority changes"
47551+ depends on GRKERNSEC_CHROOT
47552+ help
47553+ If you say Y here, processes inside a chroot will not be able to raise
47554+ the priority of processes in the chroot, or alter the priority of
47555+ processes outside the chroot. This provides more security than simply
47556+ removing CAP_SYS_NICE from the process' capability set. If the
47557+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
47558+ is created.
47559+
47560+config GRKERNSEC_CHROOT_SYSCTL
47561+ bool "Deny sysctl writes"
47562+ depends on GRKERNSEC_CHROOT
47563+ help
47564+ If you say Y here, an attacker in a chroot will not be able to
47565+ write to sysctl entries, either by sysctl(2) or through a /proc
47566+ interface. It is strongly recommended that you say Y here. If the
47567+ sysctl option is enabled, a sysctl option with name
47568+ "chroot_deny_sysctl" is created.
47569+
47570+config GRKERNSEC_CHROOT_CAPS
47571+ bool "Capability restrictions"
47572+ depends on GRKERNSEC_CHROOT
47573+ help
47574+ If you say Y here, the capabilities on all processes within a
47575+ chroot jail will be lowered to stop module insertion, raw i/o,
47576+ system and net admin tasks, rebooting the system, modifying immutable
47577+ files, modifying IPC owned by another, and changing the system time.
47578+ This is left an option because it can break some apps. Disable this
47579+ if your chrooted apps are having problems performing those kinds of
47580+ tasks. If the sysctl option is enabled, a sysctl option with
47581+ name "chroot_caps" is created.
47582+
47583+endmenu
47584+menu "Kernel Auditing"
47585+depends on GRKERNSEC
47586+
47587+config GRKERNSEC_AUDIT_GROUP
47588+ bool "Single group for auditing"
47589+ help
47590+ If you say Y here, the exec, chdir, and (un)mount logging features
47591+ will only operate on a group you specify. This option is recommended
47592+ if you only want to watch certain users instead of having a large
47593+ amount of logs from the entire system. If the sysctl option is enabled,
47594+ a sysctl option with name "audit_group" is created.
47595+
47596+config GRKERNSEC_AUDIT_GID
47597+ int "GID for auditing"
47598+ depends on GRKERNSEC_AUDIT_GROUP
47599+ default 1007
47600+
47601+config GRKERNSEC_EXECLOG
47602+ bool "Exec logging"
47603+ help
47604+ If you say Y here, all execve() calls will be logged (since the
47605+ other exec*() calls are frontends to execve(), all execution
47606+ will be logged). Useful for shell-servers that like to keep track
47607+ of their users. If the sysctl option is enabled, a sysctl option with
47608+ name "exec_logging" is created.
47609+ WARNING: This option when enabled will produce a LOT of logs, especially
47610+ on an active system.
47611+
47612+config GRKERNSEC_RESLOG
47613+ bool "Resource logging"
47614+ help
47615+ If you say Y here, all attempts to overstep resource limits will
47616+ be logged with the resource name, the requested size, and the current
47617+ limit. It is highly recommended that you say Y here. If the sysctl
47618+ option is enabled, a sysctl option with name "resource_logging" is
47619+ created. If the RBAC system is enabled, the sysctl value is ignored.
47620+
47621+config GRKERNSEC_CHROOT_EXECLOG
47622+ bool "Log execs within chroot"
47623+ help
47624+ If you say Y here, all executions inside a chroot jail will be logged
47625+ to syslog. This can cause a large amount of logs if certain
47626+ applications (eg. djb's daemontools) are installed on the system, and
47627+ is therefore left as an option. If the sysctl option is enabled, a
47628+ sysctl option with name "chroot_execlog" is created.
47629+
47630+config GRKERNSEC_AUDIT_PTRACE
47631+ bool "Ptrace logging"
47632+ help
47633+ If you say Y here, all attempts to attach to a process via ptrace
47634+ will be logged. If the sysctl option is enabled, a sysctl option
47635+ with name "audit_ptrace" is created.
47636+
47637+config GRKERNSEC_AUDIT_CHDIR
47638+ bool "Chdir logging"
47639+ help
47640+ If you say Y here, all chdir() calls will be logged. If the sysctl
47641+ option is enabled, a sysctl option with name "audit_chdir" is created.
47642+
47643+config GRKERNSEC_AUDIT_MOUNT
47644+ bool "(Un)Mount logging"
47645+ help
47646+ If you say Y here, all mounts and unmounts will be logged. If the
47647+ sysctl option is enabled, a sysctl option with name "audit_mount" is
47648+ created.
47649+
47650+config GRKERNSEC_SIGNAL
47651+ bool "Signal logging"
47652+ help
47653+ If you say Y here, certain important signals will be logged, such as
47654+ SIGSEGV, which will as a result inform you of when a error in a program
47655+ occurred, which in some cases could mean a possible exploit attempt.
47656+ If the sysctl option is enabled, a sysctl option with name
47657+ "signal_logging" is created.
47658+
47659+config GRKERNSEC_FORKFAIL
47660+ bool "Fork failure logging"
47661+ help
47662+ If you say Y here, all failed fork() attempts will be logged.
47663+ This could suggest a fork bomb, or someone attempting to overstep
47664+ their process limit. If the sysctl option is enabled, a sysctl option
47665+ with name "forkfail_logging" is created.
47666+
47667+config GRKERNSEC_TIME
47668+ bool "Time change logging"
47669+ help
47670+ If you say Y here, any changes of the system clock will be logged.
47671+ If the sysctl option is enabled, a sysctl option with name
47672+ "timechange_logging" is created.
47673+
47674+config GRKERNSEC_PROC_IPADDR
47675+ bool "/proc/<pid>/ipaddr support"
47676+ help
47677+ If you say Y here, a new entry will be added to each /proc/<pid>
47678+ directory that contains the IP address of the person using the task.
47679+ The IP is carried across local TCP and AF_UNIX stream sockets.
47680+ This information can be useful for IDS/IPSes to perform remote response
47681+ to a local attack. The entry is readable by only the owner of the
47682+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
47683+ the RBAC system), and thus does not create privacy concerns.
47684+
47685+config GRKERNSEC_RWXMAP_LOG
47686+ bool 'Denied RWX mmap/mprotect logging'
47687+ depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
47688+ help
47689+ If you say Y here, calls to mmap() and mprotect() with explicit
47690+ usage of PROT_WRITE and PROT_EXEC together will be logged when
47691+ denied by the PAX_MPROTECT feature. If the sysctl option is
47692+ enabled, a sysctl option with name "rwxmap_logging" is created.
47693+
47694+config GRKERNSEC_AUDIT_TEXTREL
47695+ bool 'ELF text relocations logging (READ HELP)'
47696+ depends on PAX_MPROTECT
47697+ help
47698+ If you say Y here, text relocations will be logged with the filename
47699+ of the offending library or binary. The purpose of the feature is
47700+ to help Linux distribution developers get rid of libraries and
47701+ binaries that need text relocations which hinder the future progress
47702+ of PaX. Only Linux distribution developers should say Y here, and
47703+ never on a production machine, as this option creates an information
47704+ leak that could aid an attacker in defeating the randomization of
47705+ a single memory region. If the sysctl option is enabled, a sysctl
47706+ option with name "audit_textrel" is created.
47707+
47708+endmenu
47709+
47710+menu "Executable Protections"
47711+depends on GRKERNSEC
47712+
47713+config GRKERNSEC_DMESG
47714+ bool "Dmesg(8) restriction"
47715+ help
47716+ If you say Y here, non-root users will not be able to use dmesg(8)
47717+ to view up to the last 4kb of messages in the kernel's log buffer.
47718+ The kernel's log buffer often contains kernel addresses and other
47719+ identifying information useful to an attacker in fingerprinting a
47720+ system for a targeted exploit.
47721+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
47722+ created.
47723+
47724+config GRKERNSEC_HARDEN_PTRACE
47725+ bool "Deter ptrace-based process snooping"
47726+ help
47727+ If you say Y here, TTY sniffers and other malicious monitoring
47728+ programs implemented through ptrace will be defeated. If you
47729+ have been using the RBAC system, this option has already been
47730+ enabled for several years for all users, with the ability to make
47731+ fine-grained exceptions.
47732+
47733+ This option only affects the ability of non-root users to ptrace
47734+ processes that are not a descendent of the ptracing process.
47735+ This means that strace ./binary and gdb ./binary will still work,
47736+ but attaching to arbitrary processes will not. If the sysctl
47737+ option is enabled, a sysctl option with name "harden_ptrace" is
47738+ created.
47739+
47740+config GRKERNSEC_TPE
47741+ bool "Trusted Path Execution (TPE)"
47742+ help
47743+ If you say Y here, you will be able to choose a gid to add to the
47744+ supplementary groups of users you want to mark as "untrusted."
47745+ These users will not be able to execute any files that are not in
47746+ root-owned directories writable only by root. If the sysctl option
47747+ is enabled, a sysctl option with name "tpe" is created.
47748+
47749+config GRKERNSEC_TPE_ALL
47750+ bool "Partially restrict all non-root users"
47751+ depends on GRKERNSEC_TPE
47752+ help
47753+ If you say Y here, all non-root users will be covered under
47754+ a weaker TPE restriction. This is separate from, and in addition to,
47755+ the main TPE options that you have selected elsewhere. Thus, if a
47756+ "trusted" GID is chosen, this restriction applies to even that GID.
47757+ Under this restriction, all non-root users will only be allowed to
47758+ execute files in directories they own that are not group or
47759+ world-writable, or in directories owned by root and writable only by
47760+ root. If the sysctl option is enabled, a sysctl option with name
47761+ "tpe_restrict_all" is created.
47762+
47763+config GRKERNSEC_TPE_INVERT
47764+ bool "Invert GID option"
47765+ depends on GRKERNSEC_TPE
47766+ help
47767+ If you say Y here, the group you specify in the TPE configuration will
47768+ decide what group TPE restrictions will be *disabled* for. This
47769+ option is useful if you want TPE restrictions to be applied to most
47770+ users on the system. If the sysctl option is enabled, a sysctl option
47771+ with name "tpe_invert" is created. Unlike other sysctl options, this
47772+ entry will default to on for backward-compatibility.
47773+
47774+config GRKERNSEC_TPE_GID
47775+ int "GID for untrusted users"
47776+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
47777+ default 1005
47778+ help
47779+ Setting this GID determines what group TPE restrictions will be
47780+ *enabled* for. If the sysctl option is enabled, a sysctl option
47781+ with name "tpe_gid" is created.
47782+
47783+config GRKERNSEC_TPE_GID
47784+ int "GID for trusted users"
47785+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
47786+ default 1005
47787+ help
47788+ Setting this GID determines what group TPE restrictions will be
47789+ *disabled* for. If the sysctl option is enabled, a sysctl option
47790+ with name "tpe_gid" is created.
47791+
47792+endmenu
47793+menu "Network Protections"
47794+depends on GRKERNSEC
47795+
47796+config GRKERNSEC_RANDNET
47797+ bool "Larger entropy pools"
47798+ help
47799+ If you say Y here, the entropy pools used for many features of Linux
47800+ and grsecurity will be doubled in size. Since several grsecurity
47801+ features use additional randomness, it is recommended that you say Y
47802+ here. Saying Y here has a similar effect as modifying
47803+ /proc/sys/kernel/random/poolsize.
47804+
47805+config GRKERNSEC_BLACKHOLE
47806+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
47807+ depends on NET
47808+ help
47809+ If you say Y here, neither TCP resets nor ICMP
47810+ destination-unreachable packets will be sent in response to packets
47811+ sent to ports for which no associated listening process exists.
47812+ This feature supports both IPV4 and IPV6 and exempts the
47813+ loopback interface from blackholing. Enabling this feature
47814+ makes a host more resilient to DoS attacks and reduces network
47815+ visibility against scanners.
47816+
47817+ The blackhole feature as-implemented is equivalent to the FreeBSD
47818+ blackhole feature, as it prevents RST responses to all packets, not
47819+ just SYNs. Under most application behavior this causes no
47820+ problems, but applications (like haproxy) may not close certain
47821+ connections in a way that cleanly terminates them on the remote
47822+ end, leaving the remote host in LAST_ACK state. Because of this
47823+ side-effect and to prevent intentional LAST_ACK DoSes, this
47824+ feature also adds automatic mitigation against such attacks.
47825+ The mitigation drastically reduces the amount of time a socket
47826+ can spend in LAST_ACK state. If you're using haproxy and not
47827+ all servers it connects to have this option enabled, consider
47828+ disabling this feature on the haproxy host.
47829+
47830+ If the sysctl option is enabled, two sysctl options with names
47831+ "ip_blackhole" and "lastack_retries" will be created.
47832+ While "ip_blackhole" takes the standard zero/non-zero on/off
47833+ toggle, "lastack_retries" uses the same kinds of values as
47834+ "tcp_retries1" and "tcp_retries2". The default value of 4
47835+ prevents a socket from lasting more than 45 seconds in LAST_ACK
47836+ state.
47837+
47838+config GRKERNSEC_SOCKET
47839+ bool "Socket restrictions"
47840+ depends on NET
47841+ help
47842+ If you say Y here, you will be able to choose from several options.
47843+ If you assign a GID on your system and add it to the supplementary
47844+ groups of users you want to restrict socket access to, this patch
47845+ will perform up to three things, based on the option(s) you choose.
47846+
47847+config GRKERNSEC_SOCKET_ALL
47848+ bool "Deny any sockets to group"
47849+ depends on GRKERNSEC_SOCKET
47850+ help
47851+ If you say Y here, you will be able to choose a GID of whose users will
47852+ be unable to connect to other hosts from your machine or run server
47853+ applications from your machine. If the sysctl option is enabled, a
47854+ sysctl option with name "socket_all" is created.
47855+
47856+config GRKERNSEC_SOCKET_ALL_GID
47857+ int "GID to deny all sockets for"
47858+ depends on GRKERNSEC_SOCKET_ALL
47859+ default 1004
47860+ help
47861+ Here you can choose the GID to disable socket access for. Remember to
47862+ add the users you want socket access disabled for to the GID
47863+ specified here. If the sysctl option is enabled, a sysctl option
47864+ with name "socket_all_gid" is created.
47865+
47866+config GRKERNSEC_SOCKET_CLIENT
47867+ bool "Deny client sockets to group"
47868+ depends on GRKERNSEC_SOCKET
47869+ help
47870+ If you say Y here, you will be able to choose a GID of whose users will
47871+ be unable to connect to other hosts from your machine, but will be
47872+ able to run servers. If this option is enabled, all users in the group
47873+ you specify will have to use passive mode when initiating ftp transfers
47874+ from the shell on your machine. If the sysctl option is enabled, a
47875+ sysctl option with name "socket_client" is created.
47876+
47877+config GRKERNSEC_SOCKET_CLIENT_GID
47878+ int "GID to deny client sockets for"
47879+ depends on GRKERNSEC_SOCKET_CLIENT
47880+ default 1003
47881+ help
47882+ Here you can choose the GID to disable client socket access for.
47883+ Remember to add the users you want client socket access disabled for to
47884+ the GID specified here. If the sysctl option is enabled, a sysctl
47885+ option with name "socket_client_gid" is created.
47886+
47887+config GRKERNSEC_SOCKET_SERVER
47888+ bool "Deny server sockets to group"
47889+ depends on GRKERNSEC_SOCKET
47890+ help
47891+ If you say Y here, you will be able to choose a GID of whose users will
47892+ be unable to run server applications from your machine. If the sysctl
47893+ option is enabled, a sysctl option with name "socket_server" is created.
47894+
47895+config GRKERNSEC_SOCKET_SERVER_GID
47896+ int "GID to deny server sockets for"
47897+ depends on GRKERNSEC_SOCKET_SERVER
47898+ default 1002
47899+ help
47900+ Here you can choose the GID to disable server socket access for.
47901+ Remember to add the users you want server socket access disabled for to
47902+ the GID specified here. If the sysctl option is enabled, a sysctl
47903+ option with name "socket_server_gid" is created.
47904+
47905+endmenu
47906+menu "Sysctl support"
47907+depends on GRKERNSEC && SYSCTL
47908+
47909+config GRKERNSEC_SYSCTL
47910+ bool "Sysctl support"
47911+ help
47912+ If you say Y here, you will be able to change the options that
47913+ grsecurity runs with at bootup, without having to recompile your
47914+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
47915+ to enable (1) or disable (0) various features. All the sysctl entries
47916+ are mutable until the "grsec_lock" entry is set to a non-zero value.
47917+ All features enabled in the kernel configuration are disabled at boot
47918+ if you do not say Y to the "Turn on features by default" option.
47919+ All options should be set at startup, and the grsec_lock entry should
47920+ be set to a non-zero value after all the options are set.
47921+ *THIS IS EXTREMELY IMPORTANT*
47922+
47923+config GRKERNSEC_SYSCTL_DISTRO
47924+ bool "Extra sysctl support for distro makers (READ HELP)"
47925+ depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
47926+ help
47927+ If you say Y here, additional sysctl options will be created
47928+ for features that affect processes running as root. Therefore,
47929+ it is critical when using this option that the grsec_lock entry be
47930+ enabled after boot. Only distros with prebuilt kernel packages
47931+ with this option enabled that can ensure grsec_lock is enabled
47932+ after boot should use this option.
47933+ *Failure to set grsec_lock after boot makes all grsec features
47934+ this option covers useless*
47935+
47936+ Currently this option creates the following sysctl entries:
47937+ "Disable Privileged I/O": "disable_priv_io"
47938+
47939+config GRKERNSEC_SYSCTL_ON
47940+ bool "Turn on features by default"
47941+ depends on GRKERNSEC_SYSCTL
47942+ help
47943+ If you say Y here, instead of having all features enabled in the
47944+ kernel configuration disabled at boot time, the features will be
47945+ enabled at boot time. It is recommended you say Y here unless
47946+ there is some reason you would want all sysctl-tunable features to
47947+ be disabled by default. As mentioned elsewhere, it is important
47948+ to enable the grsec_lock entry once you have finished modifying
47949+ the sysctl entries.
47950+
47951+endmenu
47952+menu "Logging Options"
47953+depends on GRKERNSEC
47954+
47955+config GRKERNSEC_FLOODTIME
47956+ int "Seconds in between log messages (minimum)"
47957+ default 10
47958+ help
47959+ This option allows you to enforce the number of seconds between
47960+ grsecurity log messages. The default should be suitable for most
47961+ people, however, if you choose to change it, choose a value small enough
47962+ to allow informative logs to be produced, but large enough to
47963+ prevent flooding.
47964+
47965+config GRKERNSEC_FLOODBURST
47966+ int "Number of messages in a burst (maximum)"
47967+ default 6
47968+ help
47969+ This option allows you to choose the maximum number of messages allowed
47970+ within the flood time interval you chose in a separate option. The
47971+ default should be suitable for most people, however if you find that
47972+ many of your logs are being interpreted as flooding, you may want to
47973+ raise this value.
47974+
47975+endmenu
47976+
47977+endmenu
47978diff -urNp linux-3.0.7/grsecurity/Makefile linux-3.0.7/grsecurity/Makefile
47979--- linux-3.0.7/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
47980+++ linux-3.0.7/grsecurity/Makefile 2011-10-17 06:45:43.000000000 -0400
47981@@ -0,0 +1,36 @@
47982+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
47983+# during 2001-2009 it has been completely redesigned by Brad Spengler
47984+# into an RBAC system
47985+#
47986+# All code in this directory and various hooks inserted throughout the kernel
47987+# are copyright Brad Spengler - Open Source Security, Inc., and released
47988+# under the GPL v2 or higher
47989+
47990+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
47991+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
47992+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
47993+
47994+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
47995+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
47996+ gracl_learn.o grsec_log.o
47997+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
47998+
47999+ifdef CONFIG_NET
48000+obj-y += grsec_sock.o
48001+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
48002+endif
48003+
48004+ifndef CONFIG_GRKERNSEC
48005+obj-y += grsec_disabled.o
48006+endif
48007+
48008+ifdef CONFIG_GRKERNSEC_HIDESYM
48009+extra-y := grsec_hidesym.o
48010+$(obj)/grsec_hidesym.o:
48011+ @-chmod -f 500 /boot
48012+ @-chmod -f 500 /lib/modules
48013+ @-chmod -f 500 /lib64/modules
48014+ @-chmod -f 500 /lib32/modules
48015+ @-chmod -f 700 .
48016+ @echo ' grsec: protected kernel image paths'
48017+endif
48018diff -urNp linux-3.0.7/grsecurity/gracl.c linux-3.0.7/grsecurity/gracl.c
48019--- linux-3.0.7/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
48020+++ linux-3.0.7/grsecurity/gracl.c 2011-10-17 06:42:59.000000000 -0400
48021@@ -0,0 +1,4154 @@
48022+#include <linux/kernel.h>
48023+#include <linux/module.h>
48024+#include <linux/sched.h>
48025+#include <linux/mm.h>
48026+#include <linux/file.h>
48027+#include <linux/fs.h>
48028+#include <linux/namei.h>
48029+#include <linux/mount.h>
48030+#include <linux/tty.h>
48031+#include <linux/proc_fs.h>
48032+#include <linux/lglock.h>
48033+#include <linux/slab.h>
48034+#include <linux/vmalloc.h>
48035+#include <linux/types.h>
48036+#include <linux/sysctl.h>
48037+#include <linux/netdevice.h>
48038+#include <linux/ptrace.h>
48039+#include <linux/gracl.h>
48040+#include <linux/gralloc.h>
48041+#include <linux/grsecurity.h>
48042+#include <linux/grinternal.h>
48043+#include <linux/pid_namespace.h>
48044+#include <linux/fdtable.h>
48045+#include <linux/percpu.h>
48046+
48047+#include <asm/uaccess.h>
48048+#include <asm/errno.h>
48049+#include <asm/mman.h>
48050+
48051+static struct acl_role_db acl_role_set;
48052+static struct name_db name_set;
48053+static struct inodev_db inodev_set;
48054+
48055+/* for keeping track of userspace pointers used for subjects, so we
48056+ can share references in the kernel as well
48057+*/
48058+
48059+static struct path real_root;
48060+
48061+static struct acl_subj_map_db subj_map_set;
48062+
48063+static struct acl_role_label *default_role;
48064+
48065+static struct acl_role_label *role_list;
48066+
48067+static u16 acl_sp_role_value;
48068+
48069+extern char *gr_shared_page[4];
48070+static DEFINE_MUTEX(gr_dev_mutex);
48071+DEFINE_RWLOCK(gr_inode_lock);
48072+
48073+struct gr_arg *gr_usermode;
48074+
48075+static unsigned int gr_status __read_only = GR_STATUS_INIT;
48076+
48077+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
48078+extern void gr_clear_learn_entries(void);
48079+
48080+#ifdef CONFIG_GRKERNSEC_RESLOG
48081+extern void gr_log_resource(const struct task_struct *task,
48082+ const int res, const unsigned long wanted, const int gt);
48083+#endif
48084+
48085+unsigned char *gr_system_salt;
48086+unsigned char *gr_system_sum;
48087+
48088+static struct sprole_pw **acl_special_roles = NULL;
48089+static __u16 num_sprole_pws = 0;
48090+
48091+static struct acl_role_label *kernel_role = NULL;
48092+
48093+static unsigned int gr_auth_attempts = 0;
48094+static unsigned long gr_auth_expires = 0UL;
48095+
48096+#ifdef CONFIG_NET
48097+extern struct vfsmount *sock_mnt;
48098+#endif
48099+
48100+extern struct vfsmount *pipe_mnt;
48101+extern struct vfsmount *shm_mnt;
48102+#ifdef CONFIG_HUGETLBFS
48103+extern struct vfsmount *hugetlbfs_vfsmount;
48104+#endif
48105+
48106+static struct acl_object_label *fakefs_obj_rw;
48107+static struct acl_object_label *fakefs_obj_rwx;
48108+
48109+extern int gr_init_uidset(void);
48110+extern void gr_free_uidset(void);
48111+extern void gr_remove_uid(uid_t uid);
48112+extern int gr_find_uid(uid_t uid);
48113+
48114+DECLARE_BRLOCK(vfsmount_lock);
48115+
48116+__inline__ int
48117+gr_acl_is_enabled(void)
48118+{
48119+ return (gr_status & GR_READY);
48120+}
48121+
48122+#ifdef CONFIG_BTRFS_FS
48123+extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
48124+extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
48125+#endif
48126+
48127+static inline dev_t __get_dev(const struct dentry *dentry)
48128+{
48129+#ifdef CONFIG_BTRFS_FS
48130+ if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
48131+ return get_btrfs_dev_from_inode(dentry->d_inode);
48132+ else
48133+#endif
48134+ return dentry->d_inode->i_sb->s_dev;
48135+}
48136+
48137+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
48138+{
48139+ return __get_dev(dentry);
48140+}
48141+
48142+static char gr_task_roletype_to_char(struct task_struct *task)
48143+{
48144+ switch (task->role->roletype &
48145+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
48146+ GR_ROLE_SPECIAL)) {
48147+ case GR_ROLE_DEFAULT:
48148+ return 'D';
48149+ case GR_ROLE_USER:
48150+ return 'U';
48151+ case GR_ROLE_GROUP:
48152+ return 'G';
48153+ case GR_ROLE_SPECIAL:
48154+ return 'S';
48155+ }
48156+
48157+ return 'X';
48158+}
48159+
48160+char gr_roletype_to_char(void)
48161+{
48162+ return gr_task_roletype_to_char(current);
48163+}
48164+
48165+__inline__ int
48166+gr_acl_tpe_check(void)
48167+{
48168+ if (unlikely(!(gr_status & GR_READY)))
48169+ return 0;
48170+ if (current->role->roletype & GR_ROLE_TPE)
48171+ return 1;
48172+ else
48173+ return 0;
48174+}
48175+
48176+int
48177+gr_handle_rawio(const struct inode *inode)
48178+{
48179+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
48180+ if (inode && S_ISBLK(inode->i_mode) &&
48181+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
48182+ !capable(CAP_SYS_RAWIO))
48183+ return 1;
48184+#endif
48185+ return 0;
48186+}
48187+
48188+static int
48189+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
48190+{
48191+ if (likely(lena != lenb))
48192+ return 0;
48193+
48194+ return !memcmp(a, b, lena);
48195+}
48196+
48197+static int prepend(char **buffer, int *buflen, const char *str, int namelen)
48198+{
48199+ *buflen -= namelen;
48200+ if (*buflen < 0)
48201+ return -ENAMETOOLONG;
48202+ *buffer -= namelen;
48203+ memcpy(*buffer, str, namelen);
48204+ return 0;
48205+}
48206+
48207+static int prepend_name(char **buffer, int *buflen, struct qstr *name)
48208+{
48209+ return prepend(buffer, buflen, name->name, name->len);
48210+}
48211+
48212+static int prepend_path(const struct path *path, struct path *root,
48213+ char **buffer, int *buflen)
48214+{
48215+ struct dentry *dentry = path->dentry;
48216+ struct vfsmount *vfsmnt = path->mnt;
48217+ bool slash = false;
48218+ int error = 0;
48219+
48220+ while (dentry != root->dentry || vfsmnt != root->mnt) {
48221+ struct dentry * parent;
48222+
48223+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
48224+ /* Global root? */
48225+ if (vfsmnt->mnt_parent == vfsmnt) {
48226+ goto out;
48227+ }
48228+ dentry = vfsmnt->mnt_mountpoint;
48229+ vfsmnt = vfsmnt->mnt_parent;
48230+ continue;
48231+ }
48232+ parent = dentry->d_parent;
48233+ prefetch(parent);
48234+ spin_lock(&dentry->d_lock);
48235+ error = prepend_name(buffer, buflen, &dentry->d_name);
48236+ spin_unlock(&dentry->d_lock);
48237+ if (!error)
48238+ error = prepend(buffer, buflen, "/", 1);
48239+ if (error)
48240+ break;
48241+
48242+ slash = true;
48243+ dentry = parent;
48244+ }
48245+
48246+out:
48247+ if (!error && !slash)
48248+ error = prepend(buffer, buflen, "/", 1);
48249+
48250+ return error;
48251+}
48252+
48253+/* this must be called with vfsmount_lock and rename_lock held */
48254+
48255+static char *__our_d_path(const struct path *path, struct path *root,
48256+ char *buf, int buflen)
48257+{
48258+ char *res = buf + buflen;
48259+ int error;
48260+
48261+ prepend(&res, &buflen, "\0", 1);
48262+ error = prepend_path(path, root, &res, &buflen);
48263+ if (error)
48264+ return ERR_PTR(error);
48265+
48266+ return res;
48267+}
48268+
48269+static char *
48270+gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
48271+{
48272+ char *retval;
48273+
48274+ retval = __our_d_path(path, root, buf, buflen);
48275+ if (unlikely(IS_ERR(retval)))
48276+ retval = strcpy(buf, "<path too long>");
48277+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
48278+ retval[1] = '\0';
48279+
48280+ return retval;
48281+}
48282+
48283+static char *
48284+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
48285+ char *buf, int buflen)
48286+{
48287+ struct path path;
48288+ char *res;
48289+
48290+ path.dentry = (struct dentry *)dentry;
48291+ path.mnt = (struct vfsmount *)vfsmnt;
48292+
48293+ /* we can use real_root.dentry, real_root.mnt, because this is only called
48294+ by the RBAC system */
48295+ res = gen_full_path(&path, &real_root, buf, buflen);
48296+
48297+ return res;
48298+}
48299+
48300+static char *
48301+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
48302+ char *buf, int buflen)
48303+{
48304+ char *res;
48305+ struct path path;
48306+ struct path root;
48307+ struct task_struct *reaper = &init_task;
48308+
48309+ path.dentry = (struct dentry *)dentry;
48310+ path.mnt = (struct vfsmount *)vfsmnt;
48311+
48312+ /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
48313+ get_fs_root(reaper->fs, &root);
48314+
48315+ write_seqlock(&rename_lock);
48316+ br_read_lock(vfsmount_lock);
48317+ res = gen_full_path(&path, &root, buf, buflen);
48318+ br_read_unlock(vfsmount_lock);
48319+ write_sequnlock(&rename_lock);
48320+
48321+ path_put(&root);
48322+ return res;
48323+}
48324+
48325+static char *
48326+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
48327+{
48328+ char *ret;
48329+ write_seqlock(&rename_lock);
48330+ br_read_lock(vfsmount_lock);
48331+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
48332+ PAGE_SIZE);
48333+ br_read_unlock(vfsmount_lock);
48334+ write_sequnlock(&rename_lock);
48335+ return ret;
48336+}
48337+
48338+static char *
48339+gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
48340+{
48341+ char *ret;
48342+ char *buf;
48343+ int buflen;
48344+
48345+ write_seqlock(&rename_lock);
48346+ br_read_lock(vfsmount_lock);
48347+ buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
48348+ ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
48349+ buflen = (int)(ret - buf);
48350+ if (buflen >= 5)
48351+ prepend(&ret, &buflen, "/proc", 5);
48352+ else
48353+ ret = strcpy(buf, "<path too long>");
48354+ br_read_unlock(vfsmount_lock);
48355+ write_sequnlock(&rename_lock);
48356+ return ret;
48357+}
48358+
48359+char *
48360+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
48361+{
48362+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
48363+ PAGE_SIZE);
48364+}
48365+
48366+char *
48367+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
48368+{
48369+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
48370+ PAGE_SIZE);
48371+}
48372+
48373+char *
48374+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
48375+{
48376+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
48377+ PAGE_SIZE);
48378+}
48379+
48380+char *
48381+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
48382+{
48383+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
48384+ PAGE_SIZE);
48385+}
48386+
48387+char *
48388+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
48389+{
48390+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
48391+ PAGE_SIZE);
48392+}
48393+
48394+__inline__ __u32
48395+to_gr_audit(const __u32 reqmode)
48396+{
48397+ /* masks off auditable permission flags, then shifts them to create
48398+ auditing flags, and adds the special case of append auditing if
48399+ we're requesting write */
48400+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
48401+}
48402+
48403+struct acl_subject_label *
48404+lookup_subject_map(const struct acl_subject_label *userp)
48405+{
48406+ unsigned int index = shash(userp, subj_map_set.s_size);
48407+ struct subject_map *match;
48408+
48409+ match = subj_map_set.s_hash[index];
48410+
48411+ while (match && match->user != userp)
48412+ match = match->next;
48413+
48414+ if (match != NULL)
48415+ return match->kernel;
48416+ else
48417+ return NULL;
48418+}
48419+
48420+static void
48421+insert_subj_map_entry(struct subject_map *subjmap)
48422+{
48423+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
48424+ struct subject_map **curr;
48425+
48426+ subjmap->prev = NULL;
48427+
48428+ curr = &subj_map_set.s_hash[index];
48429+ if (*curr != NULL)
48430+ (*curr)->prev = subjmap;
48431+
48432+ subjmap->next = *curr;
48433+ *curr = subjmap;
48434+
48435+ return;
48436+}
48437+
48438+static struct acl_role_label *
48439+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
48440+ const gid_t gid)
48441+{
48442+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
48443+ struct acl_role_label *match;
48444+ struct role_allowed_ip *ipp;
48445+ unsigned int x;
48446+ u32 curr_ip = task->signal->curr_ip;
48447+
48448+ task->signal->saved_ip = curr_ip;
48449+
48450+ match = acl_role_set.r_hash[index];
48451+
48452+ while (match) {
48453+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
48454+ for (x = 0; x < match->domain_child_num; x++) {
48455+ if (match->domain_children[x] == uid)
48456+ goto found;
48457+ }
48458+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
48459+ break;
48460+ match = match->next;
48461+ }
48462+found:
48463+ if (match == NULL) {
48464+ try_group:
48465+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
48466+ match = acl_role_set.r_hash[index];
48467+
48468+ while (match) {
48469+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
48470+ for (x = 0; x < match->domain_child_num; x++) {
48471+ if (match->domain_children[x] == gid)
48472+ goto found2;
48473+ }
48474+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
48475+ break;
48476+ match = match->next;
48477+ }
48478+found2:
48479+ if (match == NULL)
48480+ match = default_role;
48481+ if (match->allowed_ips == NULL)
48482+ return match;
48483+ else {
48484+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
48485+ if (likely
48486+ ((ntohl(curr_ip) & ipp->netmask) ==
48487+ (ntohl(ipp->addr) & ipp->netmask)))
48488+ return match;
48489+ }
48490+ match = default_role;
48491+ }
48492+ } else if (match->allowed_ips == NULL) {
48493+ return match;
48494+ } else {
48495+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
48496+ if (likely
48497+ ((ntohl(curr_ip) & ipp->netmask) ==
48498+ (ntohl(ipp->addr) & ipp->netmask)))
48499+ return match;
48500+ }
48501+ goto try_group;
48502+ }
48503+
48504+ return match;
48505+}
48506+
48507+struct acl_subject_label *
48508+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
48509+ const struct acl_role_label *role)
48510+{
48511+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
48512+ struct acl_subject_label *match;
48513+
48514+ match = role->subj_hash[index];
48515+
48516+ while (match && (match->inode != ino || match->device != dev ||
48517+ (match->mode & GR_DELETED))) {
48518+ match = match->next;
48519+ }
48520+
48521+ if (match && !(match->mode & GR_DELETED))
48522+ return match;
48523+ else
48524+ return NULL;
48525+}
48526+
48527+struct acl_subject_label *
48528+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
48529+ const struct acl_role_label *role)
48530+{
48531+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
48532+ struct acl_subject_label *match;
48533+
48534+ match = role->subj_hash[index];
48535+
48536+ while (match && (match->inode != ino || match->device != dev ||
48537+ !(match->mode & GR_DELETED))) {
48538+ match = match->next;
48539+ }
48540+
48541+ if (match && (match->mode & GR_DELETED))
48542+ return match;
48543+ else
48544+ return NULL;
48545+}
48546+
48547+static struct acl_object_label *
48548+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
48549+ const struct acl_subject_label *subj)
48550+{
48551+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
48552+ struct acl_object_label *match;
48553+
48554+ match = subj->obj_hash[index];
48555+
48556+ while (match && (match->inode != ino || match->device != dev ||
48557+ (match->mode & GR_DELETED))) {
48558+ match = match->next;
48559+ }
48560+
48561+ if (match && !(match->mode & GR_DELETED))
48562+ return match;
48563+ else
48564+ return NULL;
48565+}
48566+
48567+static struct acl_object_label *
48568+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
48569+ const struct acl_subject_label *subj)
48570+{
48571+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
48572+ struct acl_object_label *match;
48573+
48574+ match = subj->obj_hash[index];
48575+
48576+ while (match && (match->inode != ino || match->device != dev ||
48577+ !(match->mode & GR_DELETED))) {
48578+ match = match->next;
48579+ }
48580+
48581+ if (match && (match->mode & GR_DELETED))
48582+ return match;
48583+
48584+ match = subj->obj_hash[index];
48585+
48586+ while (match && (match->inode != ino || match->device != dev ||
48587+ (match->mode & GR_DELETED))) {
48588+ match = match->next;
48589+ }
48590+
48591+ if (match && !(match->mode & GR_DELETED))
48592+ return match;
48593+ else
48594+ return NULL;
48595+}
48596+
48597+static struct name_entry *
48598+lookup_name_entry(const char *name)
48599+{
48600+ unsigned int len = strlen(name);
48601+ unsigned int key = full_name_hash(name, len);
48602+ unsigned int index = key % name_set.n_size;
48603+ struct name_entry *match;
48604+
48605+ match = name_set.n_hash[index];
48606+
48607+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
48608+ match = match->next;
48609+
48610+ return match;
48611+}
48612+
48613+static struct name_entry *
48614+lookup_name_entry_create(const char *name)
48615+{
48616+ unsigned int len = strlen(name);
48617+ unsigned int key = full_name_hash(name, len);
48618+ unsigned int index = key % name_set.n_size;
48619+ struct name_entry *match;
48620+
48621+ match = name_set.n_hash[index];
48622+
48623+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
48624+ !match->deleted))
48625+ match = match->next;
48626+
48627+ if (match && match->deleted)
48628+ return match;
48629+
48630+ match = name_set.n_hash[index];
48631+
48632+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
48633+ match->deleted))
48634+ match = match->next;
48635+
48636+ if (match && !match->deleted)
48637+ return match;
48638+ else
48639+ return NULL;
48640+}
48641+
48642+static struct inodev_entry *
48643+lookup_inodev_entry(const ino_t ino, const dev_t dev)
48644+{
48645+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
48646+ struct inodev_entry *match;
48647+
48648+ match = inodev_set.i_hash[index];
48649+
48650+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
48651+ match = match->next;
48652+
48653+ return match;
48654+}
48655+
48656+static void
48657+insert_inodev_entry(struct inodev_entry *entry)
48658+{
48659+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
48660+ inodev_set.i_size);
48661+ struct inodev_entry **curr;
48662+
48663+ entry->prev = NULL;
48664+
48665+ curr = &inodev_set.i_hash[index];
48666+ if (*curr != NULL)
48667+ (*curr)->prev = entry;
48668+
48669+ entry->next = *curr;
48670+ *curr = entry;
48671+
48672+ return;
48673+}
48674+
48675+static void
48676+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
48677+{
48678+ unsigned int index =
48679+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
48680+ struct acl_role_label **curr;
48681+ struct acl_role_label *tmp;
48682+
48683+ curr = &acl_role_set.r_hash[index];
48684+
48685+ /* if role was already inserted due to domains and already has
48686+ a role in the same bucket as it attached, then we need to
48687+ combine these two buckets
48688+ */
48689+ if (role->next) {
48690+ tmp = role->next;
48691+ while (tmp->next)
48692+ tmp = tmp->next;
48693+ tmp->next = *curr;
48694+ } else
48695+ role->next = *curr;
48696+ *curr = role;
48697+
48698+ return;
48699+}
48700+
48701+static void
48702+insert_acl_role_label(struct acl_role_label *role)
48703+{
48704+ int i;
48705+
48706+ if (role_list == NULL) {
48707+ role_list = role;
48708+ role->prev = NULL;
48709+ } else {
48710+ role->prev = role_list;
48711+ role_list = role;
48712+ }
48713+
48714+ /* used for hash chains */
48715+ role->next = NULL;
48716+
48717+ if (role->roletype & GR_ROLE_DOMAIN) {
48718+ for (i = 0; i < role->domain_child_num; i++)
48719+ __insert_acl_role_label(role, role->domain_children[i]);
48720+ } else
48721+ __insert_acl_role_label(role, role->uidgid);
48722+}
48723+
48724+static int
48725+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
48726+{
48727+ struct name_entry **curr, *nentry;
48728+ struct inodev_entry *ientry;
48729+ unsigned int len = strlen(name);
48730+ unsigned int key = full_name_hash(name, len);
48731+ unsigned int index = key % name_set.n_size;
48732+
48733+ curr = &name_set.n_hash[index];
48734+
48735+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
48736+ curr = &((*curr)->next);
48737+
48738+ if (*curr != NULL)
48739+ return 1;
48740+
48741+ nentry = acl_alloc(sizeof (struct name_entry));
48742+ if (nentry == NULL)
48743+ return 0;
48744+ ientry = acl_alloc(sizeof (struct inodev_entry));
48745+ if (ientry == NULL)
48746+ return 0;
48747+ ientry->nentry = nentry;
48748+
48749+ nentry->key = key;
48750+ nentry->name = name;
48751+ nentry->inode = inode;
48752+ nentry->device = device;
48753+ nentry->len = len;
48754+ nentry->deleted = deleted;
48755+
48756+ nentry->prev = NULL;
48757+ curr = &name_set.n_hash[index];
48758+ if (*curr != NULL)
48759+ (*curr)->prev = nentry;
48760+ nentry->next = *curr;
48761+ *curr = nentry;
48762+
48763+ /* insert us into the table searchable by inode/dev */
48764+ insert_inodev_entry(ientry);
48765+
48766+ return 1;
48767+}
48768+
48769+static void
48770+insert_acl_obj_label(struct acl_object_label *obj,
48771+ struct acl_subject_label *subj)
48772+{
48773+ unsigned int index =
48774+ fhash(obj->inode, obj->device, subj->obj_hash_size);
48775+ struct acl_object_label **curr;
48776+
48777+
48778+ obj->prev = NULL;
48779+
48780+ curr = &subj->obj_hash[index];
48781+ if (*curr != NULL)
48782+ (*curr)->prev = obj;
48783+
48784+ obj->next = *curr;
48785+ *curr = obj;
48786+
48787+ return;
48788+}
48789+
48790+static void
48791+insert_acl_subj_label(struct acl_subject_label *obj,
48792+ struct acl_role_label *role)
48793+{
48794+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
48795+ struct acl_subject_label **curr;
48796+
48797+ obj->prev = NULL;
48798+
48799+ curr = &role->subj_hash[index];
48800+ if (*curr != NULL)
48801+ (*curr)->prev = obj;
48802+
48803+ obj->next = *curr;
48804+ *curr = obj;
48805+
48806+ return;
48807+}
48808+
48809+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
48810+
48811+static void *
48812+create_table(__u32 * len, int elementsize)
48813+{
48814+ unsigned int table_sizes[] = {
48815+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
48816+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
48817+ 4194301, 8388593, 16777213, 33554393, 67108859
48818+ };
48819+ void *newtable = NULL;
48820+ unsigned int pwr = 0;
48821+
48822+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
48823+ table_sizes[pwr] <= *len)
48824+ pwr++;
48825+
48826+ if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
48827+ return newtable;
48828+
48829+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
48830+ newtable =
48831+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
48832+ else
48833+ newtable = vmalloc(table_sizes[pwr] * elementsize);
48834+
48835+ *len = table_sizes[pwr];
48836+
48837+ return newtable;
48838+}
48839+
48840+static int
48841+init_variables(const struct gr_arg *arg)
48842+{
48843+ struct task_struct *reaper = &init_task;
48844+ unsigned int stacksize;
48845+
48846+ subj_map_set.s_size = arg->role_db.num_subjects;
48847+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
48848+ name_set.n_size = arg->role_db.num_objects;
48849+ inodev_set.i_size = arg->role_db.num_objects;
48850+
48851+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
48852+ !name_set.n_size || !inodev_set.i_size)
48853+ return 1;
48854+
48855+ if (!gr_init_uidset())
48856+ return 1;
48857+
48858+ /* set up the stack that holds allocation info */
48859+
48860+ stacksize = arg->role_db.num_pointers + 5;
48861+
48862+ if (!acl_alloc_stack_init(stacksize))
48863+ return 1;
48864+
48865+ /* grab reference for the real root dentry and vfsmount */
48866+ get_fs_root(reaper->fs, &real_root);
48867+
48868+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
48869+ printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
48870+#endif
48871+
48872+ fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
48873+ if (fakefs_obj_rw == NULL)
48874+ return 1;
48875+ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
48876+
48877+ fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
48878+ if (fakefs_obj_rwx == NULL)
48879+ return 1;
48880+ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
48881+
48882+ subj_map_set.s_hash =
48883+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
48884+ acl_role_set.r_hash =
48885+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
48886+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
48887+ inodev_set.i_hash =
48888+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
48889+
48890+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
48891+ !name_set.n_hash || !inodev_set.i_hash)
48892+ return 1;
48893+
48894+ memset(subj_map_set.s_hash, 0,
48895+ sizeof(struct subject_map *) * subj_map_set.s_size);
48896+ memset(acl_role_set.r_hash, 0,
48897+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
48898+ memset(name_set.n_hash, 0,
48899+ sizeof (struct name_entry *) * name_set.n_size);
48900+ memset(inodev_set.i_hash, 0,
48901+ sizeof (struct inodev_entry *) * inodev_set.i_size);
48902+
48903+ return 0;
48904+}
48905+
48906+/* free information not needed after startup
48907+ currently contains user->kernel pointer mappings for subjects
48908+*/
48909+
48910+static void
48911+free_init_variables(void)
48912+{
48913+ __u32 i;
48914+
48915+ if (subj_map_set.s_hash) {
48916+ for (i = 0; i < subj_map_set.s_size; i++) {
48917+ if (subj_map_set.s_hash[i]) {
48918+ kfree(subj_map_set.s_hash[i]);
48919+ subj_map_set.s_hash[i] = NULL;
48920+ }
48921+ }
48922+
48923+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
48924+ PAGE_SIZE)
48925+ kfree(subj_map_set.s_hash);
48926+ else
48927+ vfree(subj_map_set.s_hash);
48928+ }
48929+
48930+ return;
48931+}
48932+
48933+static void
48934+free_variables(void)
48935+{
48936+ struct acl_subject_label *s;
48937+ struct acl_role_label *r;
48938+ struct task_struct *task, *task2;
48939+ unsigned int x;
48940+
48941+ gr_clear_learn_entries();
48942+
48943+ read_lock(&tasklist_lock);
48944+ do_each_thread(task2, task) {
48945+ task->acl_sp_role = 0;
48946+ task->acl_role_id = 0;
48947+ task->acl = NULL;
48948+ task->role = NULL;
48949+ } while_each_thread(task2, task);
48950+ read_unlock(&tasklist_lock);
48951+
48952+ /* release the reference to the real root dentry and vfsmount */
48953+ path_put(&real_root);
48954+
48955+ /* free all object hash tables */
48956+
48957+ FOR_EACH_ROLE_START(r)
48958+ if (r->subj_hash == NULL)
48959+ goto next_role;
48960+ FOR_EACH_SUBJECT_START(r, s, x)
48961+ if (s->obj_hash == NULL)
48962+ break;
48963+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
48964+ kfree(s->obj_hash);
48965+ else
48966+ vfree(s->obj_hash);
48967+ FOR_EACH_SUBJECT_END(s, x)
48968+ FOR_EACH_NESTED_SUBJECT_START(r, s)
48969+ if (s->obj_hash == NULL)
48970+ break;
48971+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
48972+ kfree(s->obj_hash);
48973+ else
48974+ vfree(s->obj_hash);
48975+ FOR_EACH_NESTED_SUBJECT_END(s)
48976+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
48977+ kfree(r->subj_hash);
48978+ else
48979+ vfree(r->subj_hash);
48980+ r->subj_hash = NULL;
48981+next_role:
48982+ FOR_EACH_ROLE_END(r)
48983+
48984+ acl_free_all();
48985+
48986+ if (acl_role_set.r_hash) {
48987+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
48988+ PAGE_SIZE)
48989+ kfree(acl_role_set.r_hash);
48990+ else
48991+ vfree(acl_role_set.r_hash);
48992+ }
48993+ if (name_set.n_hash) {
48994+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
48995+ PAGE_SIZE)
48996+ kfree(name_set.n_hash);
48997+ else
48998+ vfree(name_set.n_hash);
48999+ }
49000+
49001+ if (inodev_set.i_hash) {
49002+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
49003+ PAGE_SIZE)
49004+ kfree(inodev_set.i_hash);
49005+ else
49006+ vfree(inodev_set.i_hash);
49007+ }
49008+
49009+ gr_free_uidset();
49010+
49011+ memset(&name_set, 0, sizeof (struct name_db));
49012+ memset(&inodev_set, 0, sizeof (struct inodev_db));
49013+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
49014+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
49015+
49016+ default_role = NULL;
49017+ role_list = NULL;
49018+
49019+ return;
49020+}
49021+
49022+static __u32
49023+count_user_objs(struct acl_object_label *userp)
49024+{
49025+ struct acl_object_label o_tmp;
49026+ __u32 num = 0;
49027+
49028+ while (userp) {
49029+ if (copy_from_user(&o_tmp, userp,
49030+ sizeof (struct acl_object_label)))
49031+ break;
49032+
49033+ userp = o_tmp.prev;
49034+ num++;
49035+ }
49036+
49037+ return num;
49038+}
49039+
49040+static struct acl_subject_label *
49041+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
49042+
49043+static int
49044+copy_user_glob(struct acl_object_label *obj)
49045+{
49046+ struct acl_object_label *g_tmp, **guser;
49047+ unsigned int len;
49048+ char *tmp;
49049+
49050+ if (obj->globbed == NULL)
49051+ return 0;
49052+
49053+ guser = &obj->globbed;
49054+ while (*guser) {
49055+ g_tmp = (struct acl_object_label *)
49056+ acl_alloc(sizeof (struct acl_object_label));
49057+ if (g_tmp == NULL)
49058+ return -ENOMEM;
49059+
49060+ if (copy_from_user(g_tmp, *guser,
49061+ sizeof (struct acl_object_label)))
49062+ return -EFAULT;
49063+
49064+ len = strnlen_user(g_tmp->filename, PATH_MAX);
49065+
49066+ if (!len || len >= PATH_MAX)
49067+ return -EINVAL;
49068+
49069+ if ((tmp = (char *) acl_alloc(len)) == NULL)
49070+ return -ENOMEM;
49071+
49072+ if (copy_from_user(tmp, g_tmp->filename, len))
49073+ return -EFAULT;
49074+ tmp[len-1] = '\0';
49075+ g_tmp->filename = tmp;
49076+
49077+ *guser = g_tmp;
49078+ guser = &(g_tmp->next);
49079+ }
49080+
49081+ return 0;
49082+}
49083+
49084+static int
49085+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
49086+ struct acl_role_label *role)
49087+{
49088+ struct acl_object_label *o_tmp;
49089+ unsigned int len;
49090+ int ret;
49091+ char *tmp;
49092+
49093+ while (userp) {
49094+ if ((o_tmp = (struct acl_object_label *)
49095+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
49096+ return -ENOMEM;
49097+
49098+ if (copy_from_user(o_tmp, userp,
49099+ sizeof (struct acl_object_label)))
49100+ return -EFAULT;
49101+
49102+ userp = o_tmp->prev;
49103+
49104+ len = strnlen_user(o_tmp->filename, PATH_MAX);
49105+
49106+ if (!len || len >= PATH_MAX)
49107+ return -EINVAL;
49108+
49109+ if ((tmp = (char *) acl_alloc(len)) == NULL)
49110+ return -ENOMEM;
49111+
49112+ if (copy_from_user(tmp, o_tmp->filename, len))
49113+ return -EFAULT;
49114+ tmp[len-1] = '\0';
49115+ o_tmp->filename = tmp;
49116+
49117+ insert_acl_obj_label(o_tmp, subj);
49118+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
49119+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
49120+ return -ENOMEM;
49121+
49122+ ret = copy_user_glob(o_tmp);
49123+ if (ret)
49124+ return ret;
49125+
49126+ if (o_tmp->nested) {
49127+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
49128+ if (IS_ERR(o_tmp->nested))
49129+ return PTR_ERR(o_tmp->nested);
49130+
49131+ /* insert into nested subject list */
49132+ o_tmp->nested->next = role->hash->first;
49133+ role->hash->first = o_tmp->nested;
49134+ }
49135+ }
49136+
49137+ return 0;
49138+}
49139+
49140+static __u32
49141+count_user_subjs(struct acl_subject_label *userp)
49142+{
49143+ struct acl_subject_label s_tmp;
49144+ __u32 num = 0;
49145+
49146+ while (userp) {
49147+ if (copy_from_user(&s_tmp, userp,
49148+ sizeof (struct acl_subject_label)))
49149+ break;
49150+
49151+ userp = s_tmp.prev;
49152+ /* do not count nested subjects against this count, since
49153+ they are not included in the hash table, but are
49154+ attached to objects. We have already counted
49155+ the subjects in userspace for the allocation
49156+ stack
49157+ */
49158+ if (!(s_tmp.mode & GR_NESTED))
49159+ num++;
49160+ }
49161+
49162+ return num;
49163+}
49164+
49165+static int
49166+copy_user_allowedips(struct acl_role_label *rolep)
49167+{
49168+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
49169+
49170+ ruserip = rolep->allowed_ips;
49171+
49172+ while (ruserip) {
49173+ rlast = rtmp;
49174+
49175+ if ((rtmp = (struct role_allowed_ip *)
49176+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
49177+ return -ENOMEM;
49178+
49179+ if (copy_from_user(rtmp, ruserip,
49180+ sizeof (struct role_allowed_ip)))
49181+ return -EFAULT;
49182+
49183+ ruserip = rtmp->prev;
49184+
49185+ if (!rlast) {
49186+ rtmp->prev = NULL;
49187+ rolep->allowed_ips = rtmp;
49188+ } else {
49189+ rlast->next = rtmp;
49190+ rtmp->prev = rlast;
49191+ }
49192+
49193+ if (!ruserip)
49194+ rtmp->next = NULL;
49195+ }
49196+
49197+ return 0;
49198+}
49199+
49200+static int
49201+copy_user_transitions(struct acl_role_label *rolep)
49202+{
49203+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
49204+
49205+ unsigned int len;
49206+ char *tmp;
49207+
49208+ rusertp = rolep->transitions;
49209+
49210+ while (rusertp) {
49211+ rlast = rtmp;
49212+
49213+ if ((rtmp = (struct role_transition *)
49214+ acl_alloc(sizeof (struct role_transition))) == NULL)
49215+ return -ENOMEM;
49216+
49217+ if (copy_from_user(rtmp, rusertp,
49218+ sizeof (struct role_transition)))
49219+ return -EFAULT;
49220+
49221+ rusertp = rtmp->prev;
49222+
49223+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
49224+
49225+ if (!len || len >= GR_SPROLE_LEN)
49226+ return -EINVAL;
49227+
49228+ if ((tmp = (char *) acl_alloc(len)) == NULL)
49229+ return -ENOMEM;
49230+
49231+ if (copy_from_user(tmp, rtmp->rolename, len))
49232+ return -EFAULT;
49233+ tmp[len-1] = '\0';
49234+ rtmp->rolename = tmp;
49235+
49236+ if (!rlast) {
49237+ rtmp->prev = NULL;
49238+ rolep->transitions = rtmp;
49239+ } else {
49240+ rlast->next = rtmp;
49241+ rtmp->prev = rlast;
49242+ }
49243+
49244+ if (!rusertp)
49245+ rtmp->next = NULL;
49246+ }
49247+
49248+ return 0;
49249+}
49250+
49251+static struct acl_subject_label *
49252+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
49253+{
49254+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
49255+ unsigned int len;
49256+ char *tmp;
49257+ __u32 num_objs;
49258+ struct acl_ip_label **i_tmp, *i_utmp2;
49259+ struct gr_hash_struct ghash;
49260+ struct subject_map *subjmap;
49261+ unsigned int i_num;
49262+ int err;
49263+
49264+ s_tmp = lookup_subject_map(userp);
49265+
49266+ /* we've already copied this subject into the kernel, just return
49267+ the reference to it, and don't copy it over again
49268+ */
49269+ if (s_tmp)
49270+ return(s_tmp);
49271+
49272+ if ((s_tmp = (struct acl_subject_label *)
49273+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
49274+ return ERR_PTR(-ENOMEM);
49275+
49276+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
49277+ if (subjmap == NULL)
49278+ return ERR_PTR(-ENOMEM);
49279+
49280+ subjmap->user = userp;
49281+ subjmap->kernel = s_tmp;
49282+ insert_subj_map_entry(subjmap);
49283+
49284+ if (copy_from_user(s_tmp, userp,
49285+ sizeof (struct acl_subject_label)))
49286+ return ERR_PTR(-EFAULT);
49287+
49288+ len = strnlen_user(s_tmp->filename, PATH_MAX);
49289+
49290+ if (!len || len >= PATH_MAX)
49291+ return ERR_PTR(-EINVAL);
49292+
49293+ if ((tmp = (char *) acl_alloc(len)) == NULL)
49294+ return ERR_PTR(-ENOMEM);
49295+
49296+ if (copy_from_user(tmp, s_tmp->filename, len))
49297+ return ERR_PTR(-EFAULT);
49298+ tmp[len-1] = '\0';
49299+ s_tmp->filename = tmp;
49300+
49301+ if (!strcmp(s_tmp->filename, "/"))
49302+ role->root_label = s_tmp;
49303+
49304+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
49305+ return ERR_PTR(-EFAULT);
49306+
49307+ /* copy user and group transition tables */
49308+
49309+ if (s_tmp->user_trans_num) {
49310+ uid_t *uidlist;
49311+
49312+ uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
49313+ if (uidlist == NULL)
49314+ return ERR_PTR(-ENOMEM);
49315+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
49316+ return ERR_PTR(-EFAULT);
49317+
49318+ s_tmp->user_transitions = uidlist;
49319+ }
49320+
49321+ if (s_tmp->group_trans_num) {
49322+ gid_t *gidlist;
49323+
49324+ gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
49325+ if (gidlist == NULL)
49326+ return ERR_PTR(-ENOMEM);
49327+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
49328+ return ERR_PTR(-EFAULT);
49329+
49330+ s_tmp->group_transitions = gidlist;
49331+ }
49332+
49333+ /* set up object hash table */
49334+ num_objs = count_user_objs(ghash.first);
49335+
49336+ s_tmp->obj_hash_size = num_objs;
49337+ s_tmp->obj_hash =
49338+ (struct acl_object_label **)
49339+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
49340+
49341+ if (!s_tmp->obj_hash)
49342+ return ERR_PTR(-ENOMEM);
49343+
49344+ memset(s_tmp->obj_hash, 0,
49345+ s_tmp->obj_hash_size *
49346+ sizeof (struct acl_object_label *));
49347+
49348+ /* add in objects */
49349+ err = copy_user_objs(ghash.first, s_tmp, role);
49350+
49351+ if (err)
49352+ return ERR_PTR(err);
49353+
49354+ /* set pointer for parent subject */
49355+ if (s_tmp->parent_subject) {
49356+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
49357+
49358+ if (IS_ERR(s_tmp2))
49359+ return s_tmp2;
49360+
49361+ s_tmp->parent_subject = s_tmp2;
49362+ }
49363+
49364+ /* add in ip acls */
49365+
49366+ if (!s_tmp->ip_num) {
49367+ s_tmp->ips = NULL;
49368+ goto insert;
49369+ }
49370+
49371+ i_tmp =
49372+ (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
49373+ sizeof (struct acl_ip_label *));
49374+
49375+ if (!i_tmp)
49376+ return ERR_PTR(-ENOMEM);
49377+
49378+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
49379+ *(i_tmp + i_num) =
49380+ (struct acl_ip_label *)
49381+ acl_alloc(sizeof (struct acl_ip_label));
49382+ if (!*(i_tmp + i_num))
49383+ return ERR_PTR(-ENOMEM);
49384+
49385+ if (copy_from_user
49386+ (&i_utmp2, s_tmp->ips + i_num,
49387+ sizeof (struct acl_ip_label *)))
49388+ return ERR_PTR(-EFAULT);
49389+
49390+ if (copy_from_user
49391+ (*(i_tmp + i_num), i_utmp2,
49392+ sizeof (struct acl_ip_label)))
49393+ return ERR_PTR(-EFAULT);
49394+
49395+ if ((*(i_tmp + i_num))->iface == NULL)
49396+ continue;
49397+
49398+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
49399+ if (!len || len >= IFNAMSIZ)
49400+ return ERR_PTR(-EINVAL);
49401+ tmp = acl_alloc(len);
49402+ if (tmp == NULL)
49403+ return ERR_PTR(-ENOMEM);
49404+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
49405+ return ERR_PTR(-EFAULT);
49406+ (*(i_tmp + i_num))->iface = tmp;
49407+ }
49408+
49409+ s_tmp->ips = i_tmp;
49410+
49411+insert:
49412+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
49413+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
49414+ return ERR_PTR(-ENOMEM);
49415+
49416+ return s_tmp;
49417+}
49418+
49419+static int
49420+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
49421+{
49422+ struct acl_subject_label s_pre;
49423+ struct acl_subject_label * ret;
49424+ int err;
49425+
49426+ while (userp) {
49427+ if (copy_from_user(&s_pre, userp,
49428+ sizeof (struct acl_subject_label)))
49429+ return -EFAULT;
49430+
49431+ /* do not add nested subjects here, add
49432+ while parsing objects
49433+ */
49434+
49435+ if (s_pre.mode & GR_NESTED) {
49436+ userp = s_pre.prev;
49437+ continue;
49438+ }
49439+
49440+ ret = do_copy_user_subj(userp, role);
49441+
49442+ err = PTR_ERR(ret);
49443+ if (IS_ERR(ret))
49444+ return err;
49445+
49446+ insert_acl_subj_label(ret, role);
49447+
49448+ userp = s_pre.prev;
49449+ }
49450+
49451+ return 0;
49452+}
49453+
49454+static int
49455+copy_user_acl(struct gr_arg *arg)
49456+{
49457+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
49458+ struct sprole_pw *sptmp;
49459+ struct gr_hash_struct *ghash;
49460+ uid_t *domainlist;
49461+ unsigned int r_num;
49462+ unsigned int len;
49463+ char *tmp;
49464+ int err = 0;
49465+ __u16 i;
49466+ __u32 num_subjs;
49467+
49468+ /* we need a default and kernel role */
49469+ if (arg->role_db.num_roles < 2)
49470+ return -EINVAL;
49471+
49472+ /* copy special role authentication info from userspace */
49473+
49474+ num_sprole_pws = arg->num_sprole_pws;
49475+ acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
49476+
49477+ if (!acl_special_roles) {
49478+ err = -ENOMEM;
49479+ goto cleanup;
49480+ }
49481+
49482+ for (i = 0; i < num_sprole_pws; i++) {
49483+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
49484+ if (!sptmp) {
49485+ err = -ENOMEM;
49486+ goto cleanup;
49487+ }
49488+ if (copy_from_user(sptmp, arg->sprole_pws + i,
49489+ sizeof (struct sprole_pw))) {
49490+ err = -EFAULT;
49491+ goto cleanup;
49492+ }
49493+
49494+ len =
49495+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
49496+
49497+ if (!len || len >= GR_SPROLE_LEN) {
49498+ err = -EINVAL;
49499+ goto cleanup;
49500+ }
49501+
49502+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
49503+ err = -ENOMEM;
49504+ goto cleanup;
49505+ }
49506+
49507+ if (copy_from_user(tmp, sptmp->rolename, len)) {
49508+ err = -EFAULT;
49509+ goto cleanup;
49510+ }
49511+ tmp[len-1] = '\0';
49512+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
49513+ printk(KERN_ALERT "Copying special role %s\n", tmp);
49514+#endif
49515+ sptmp->rolename = tmp;
49516+ acl_special_roles[i] = sptmp;
49517+ }
49518+
49519+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
49520+
49521+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
49522+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
49523+
49524+ if (!r_tmp) {
49525+ err = -ENOMEM;
49526+ goto cleanup;
49527+ }
49528+
49529+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
49530+ sizeof (struct acl_role_label *))) {
49531+ err = -EFAULT;
49532+ goto cleanup;
49533+ }
49534+
49535+ if (copy_from_user(r_tmp, r_utmp2,
49536+ sizeof (struct acl_role_label))) {
49537+ err = -EFAULT;
49538+ goto cleanup;
49539+ }
49540+
49541+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
49542+
49543+ if (!len || len >= PATH_MAX) {
49544+ err = -EINVAL;
49545+ goto cleanup;
49546+ }
49547+
49548+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
49549+ err = -ENOMEM;
49550+ goto cleanup;
49551+ }
49552+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
49553+ err = -EFAULT;
49554+ goto cleanup;
49555+ }
49556+ tmp[len-1] = '\0';
49557+ r_tmp->rolename = tmp;
49558+
49559+ if (!strcmp(r_tmp->rolename, "default")
49560+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
49561+ default_role = r_tmp;
49562+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
49563+ kernel_role = r_tmp;
49564+ }
49565+
49566+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
49567+ err = -ENOMEM;
49568+ goto cleanup;
49569+ }
49570+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
49571+ err = -EFAULT;
49572+ goto cleanup;
49573+ }
49574+
49575+ r_tmp->hash = ghash;
49576+
49577+ num_subjs = count_user_subjs(r_tmp->hash->first);
49578+
49579+ r_tmp->subj_hash_size = num_subjs;
49580+ r_tmp->subj_hash =
49581+ (struct acl_subject_label **)
49582+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
49583+
49584+ if (!r_tmp->subj_hash) {
49585+ err = -ENOMEM;
49586+ goto cleanup;
49587+ }
49588+
49589+ err = copy_user_allowedips(r_tmp);
49590+ if (err)
49591+ goto cleanup;
49592+
49593+ /* copy domain info */
49594+ if (r_tmp->domain_children != NULL) {
49595+ domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
49596+ if (domainlist == NULL) {
49597+ err = -ENOMEM;
49598+ goto cleanup;
49599+ }
49600+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
49601+ err = -EFAULT;
49602+ goto cleanup;
49603+ }
49604+ r_tmp->domain_children = domainlist;
49605+ }
49606+
49607+ err = copy_user_transitions(r_tmp);
49608+ if (err)
49609+ goto cleanup;
49610+
49611+ memset(r_tmp->subj_hash, 0,
49612+ r_tmp->subj_hash_size *
49613+ sizeof (struct acl_subject_label *));
49614+
49615+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
49616+
49617+ if (err)
49618+ goto cleanup;
49619+
49620+ /* set nested subject list to null */
49621+ r_tmp->hash->first = NULL;
49622+
49623+ insert_acl_role_label(r_tmp);
49624+ }
49625+
49626+ goto return_err;
49627+ cleanup:
49628+ free_variables();
49629+ return_err:
49630+ return err;
49631+
49632+}
49633+
49634+static int
49635+gracl_init(struct gr_arg *args)
49636+{
49637+ int error = 0;
49638+
49639+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
49640+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
49641+
49642+ if (init_variables(args)) {
49643+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
49644+ error = -ENOMEM;
49645+ free_variables();
49646+ goto out;
49647+ }
49648+
49649+ error = copy_user_acl(args);
49650+ free_init_variables();
49651+ if (error) {
49652+ free_variables();
49653+ goto out;
49654+ }
49655+
49656+ if ((error = gr_set_acls(0))) {
49657+ free_variables();
49658+ goto out;
49659+ }
49660+
49661+ pax_open_kernel();
49662+ gr_status |= GR_READY;
49663+ pax_close_kernel();
49664+
49665+ out:
49666+ return error;
49667+}
49668+
49669+/* derived from glibc fnmatch() 0: match, 1: no match*/
49670+
49671+static int
49672+glob_match(const char *p, const char *n)
49673+{
49674+ char c;
49675+
49676+ while ((c = *p++) != '\0') {
49677+ switch (c) {
49678+ case '?':
49679+ if (*n == '\0')
49680+ return 1;
49681+ else if (*n == '/')
49682+ return 1;
49683+ break;
49684+ case '\\':
49685+ if (*n != c)
49686+ return 1;
49687+ break;
49688+ case '*':
49689+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
49690+ if (*n == '/')
49691+ return 1;
49692+ else if (c == '?') {
49693+ if (*n == '\0')
49694+ return 1;
49695+ else
49696+ ++n;
49697+ }
49698+ }
49699+ if (c == '\0') {
49700+ return 0;
49701+ } else {
49702+ const char *endp;
49703+
49704+ if ((endp = strchr(n, '/')) == NULL)
49705+ endp = n + strlen(n);
49706+
49707+ if (c == '[') {
49708+ for (--p; n < endp; ++n)
49709+ if (!glob_match(p, n))
49710+ return 0;
49711+ } else if (c == '/') {
49712+ while (*n != '\0' && *n != '/')
49713+ ++n;
49714+ if (*n == '/' && !glob_match(p, n + 1))
49715+ return 0;
49716+ } else {
49717+ for (--p; n < endp; ++n)
49718+ if (*n == c && !glob_match(p, n))
49719+ return 0;
49720+ }
49721+
49722+ return 1;
49723+ }
49724+ case '[':
49725+ {
49726+ int not;
49727+ char cold;
49728+
49729+ if (*n == '\0' || *n == '/')
49730+ return 1;
49731+
49732+ not = (*p == '!' || *p == '^');
49733+ if (not)
49734+ ++p;
49735+
49736+ c = *p++;
49737+ for (;;) {
49738+ unsigned char fn = (unsigned char)*n;
49739+
49740+ if (c == '\0')
49741+ return 1;
49742+ else {
49743+ if (c == fn)
49744+ goto matched;
49745+ cold = c;
49746+ c = *p++;
49747+
49748+ if (c == '-' && *p != ']') {
49749+ unsigned char cend = *p++;
49750+
49751+ if (cend == '\0')
49752+ return 1;
49753+
49754+ if (cold <= fn && fn <= cend)
49755+ goto matched;
49756+
49757+ c = *p++;
49758+ }
49759+ }
49760+
49761+ if (c == ']')
49762+ break;
49763+ }
49764+ if (!not)
49765+ return 1;
49766+ break;
49767+ matched:
49768+ while (c != ']') {
49769+ if (c == '\0')
49770+ return 1;
49771+
49772+ c = *p++;
49773+ }
49774+ if (not)
49775+ return 1;
49776+ }
49777+ break;
49778+ default:
49779+ if (c != *n)
49780+ return 1;
49781+ }
49782+
49783+ ++n;
49784+ }
49785+
49786+ if (*n == '\0')
49787+ return 0;
49788+
49789+ if (*n == '/')
49790+ return 0;
49791+
49792+ return 1;
49793+}
49794+
49795+static struct acl_object_label *
49796+chk_glob_label(struct acl_object_label *globbed,
49797+ struct dentry *dentry, struct vfsmount *mnt, char **path)
49798+{
49799+ struct acl_object_label *tmp;
49800+
49801+ if (*path == NULL)
49802+ *path = gr_to_filename_nolock(dentry, mnt);
49803+
49804+ tmp = globbed;
49805+
49806+ while (tmp) {
49807+ if (!glob_match(tmp->filename, *path))
49808+ return tmp;
49809+ tmp = tmp->next;
49810+ }
49811+
49812+ return NULL;
49813+}
49814+
49815+static struct acl_object_label *
49816+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
49817+ const ino_t curr_ino, const dev_t curr_dev,
49818+ const struct acl_subject_label *subj, char **path, const int checkglob)
49819+{
49820+ struct acl_subject_label *tmpsubj;
49821+ struct acl_object_label *retval;
49822+ struct acl_object_label *retval2;
49823+
49824+ tmpsubj = (struct acl_subject_label *) subj;
49825+ read_lock(&gr_inode_lock);
49826+ do {
49827+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
49828+ if (retval) {
49829+ if (checkglob && retval->globbed) {
49830+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
49831+ (struct vfsmount *)orig_mnt, path);
49832+ if (retval2)
49833+ retval = retval2;
49834+ }
49835+ break;
49836+ }
49837+ } while ((tmpsubj = tmpsubj->parent_subject));
49838+ read_unlock(&gr_inode_lock);
49839+
49840+ return retval;
49841+}
49842+
49843+static __inline__ struct acl_object_label *
49844+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
49845+ struct dentry *curr_dentry,
49846+ const struct acl_subject_label *subj, char **path, const int checkglob)
49847+{
49848+ int newglob = checkglob;
49849+ ino_t inode;
49850+ dev_t device;
49851+
49852+ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
49853+ as we don't want a / * rule to match instead of the / object
49854+ don't do this for create lookups that call this function though, since they're looking up
49855+ on the parent and thus need globbing checks on all paths
49856+ */
49857+ if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
49858+ newglob = GR_NO_GLOB;
49859+
49860+ spin_lock(&curr_dentry->d_lock);
49861+ inode = curr_dentry->d_inode->i_ino;
49862+ device = __get_dev(curr_dentry);
49863+ spin_unlock(&curr_dentry->d_lock);
49864+
49865+ return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
49866+}
49867+
49868+static struct acl_object_label *
49869+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49870+ const struct acl_subject_label *subj, char *path, const int checkglob)
49871+{
49872+ struct dentry *dentry = (struct dentry *) l_dentry;
49873+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
49874+ struct acl_object_label *retval;
49875+ struct dentry *parent;
49876+
49877+ write_seqlock(&rename_lock);
49878+ br_read_lock(vfsmount_lock);
49879+
49880+ if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
49881+#ifdef CONFIG_NET
49882+ mnt == sock_mnt ||
49883+#endif
49884+#ifdef CONFIG_HUGETLBFS
49885+ (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
49886+#endif
49887+ /* ignore Eric Biederman */
49888+ IS_PRIVATE(l_dentry->d_inode))) {
49889+ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
49890+ goto out;
49891+ }
49892+
49893+ for (;;) {
49894+ if (dentry == real_root.dentry && mnt == real_root.mnt)
49895+ break;
49896+
49897+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
49898+ if (mnt->mnt_parent == mnt)
49899+ break;
49900+
49901+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49902+ if (retval != NULL)
49903+ goto out;
49904+
49905+ dentry = mnt->mnt_mountpoint;
49906+ mnt = mnt->mnt_parent;
49907+ continue;
49908+ }
49909+
49910+ parent = dentry->d_parent;
49911+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49912+ if (retval != NULL)
49913+ goto out;
49914+
49915+ dentry = parent;
49916+ }
49917+
49918+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49919+
49920+ /* real_root is pinned so we don't have to hold a reference */
49921+ if (retval == NULL)
49922+ retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
49923+out:
49924+ br_read_unlock(vfsmount_lock);
49925+ write_sequnlock(&rename_lock);
49926+
49927+ BUG_ON(retval == NULL);
49928+
49929+ return retval;
49930+}
49931+
49932+static __inline__ struct acl_object_label *
49933+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49934+ const struct acl_subject_label *subj)
49935+{
49936+ char *path = NULL;
49937+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
49938+}
49939+
49940+static __inline__ struct acl_object_label *
49941+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49942+ const struct acl_subject_label *subj)
49943+{
49944+ char *path = NULL;
49945+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
49946+}
49947+
49948+static __inline__ struct acl_object_label *
49949+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49950+ const struct acl_subject_label *subj, char *path)
49951+{
49952+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
49953+}
49954+
49955+static struct acl_subject_label *
49956+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49957+ const struct acl_role_label *role)
49958+{
49959+ struct dentry *dentry = (struct dentry *) l_dentry;
49960+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
49961+ struct acl_subject_label *retval;
49962+ struct dentry *parent;
49963+
49964+ write_seqlock(&rename_lock);
49965+ br_read_lock(vfsmount_lock);
49966+
49967+ for (;;) {
49968+ if (dentry == real_root.dentry && mnt == real_root.mnt)
49969+ break;
49970+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
49971+ if (mnt->mnt_parent == mnt)
49972+ break;
49973+
49974+ spin_lock(&dentry->d_lock);
49975+ read_lock(&gr_inode_lock);
49976+ retval =
49977+ lookup_acl_subj_label(dentry->d_inode->i_ino,
49978+ __get_dev(dentry), role);
49979+ read_unlock(&gr_inode_lock);
49980+ spin_unlock(&dentry->d_lock);
49981+ if (retval != NULL)
49982+ goto out;
49983+
49984+ dentry = mnt->mnt_mountpoint;
49985+ mnt = mnt->mnt_parent;
49986+ continue;
49987+ }
49988+
49989+ spin_lock(&dentry->d_lock);
49990+ read_lock(&gr_inode_lock);
49991+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
49992+ __get_dev(dentry), role);
49993+ read_unlock(&gr_inode_lock);
49994+ parent = dentry->d_parent;
49995+ spin_unlock(&dentry->d_lock);
49996+
49997+ if (retval != NULL)
49998+ goto out;
49999+
50000+ dentry = parent;
50001+ }
50002+
50003+ spin_lock(&dentry->d_lock);
50004+ read_lock(&gr_inode_lock);
50005+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
50006+ __get_dev(dentry), role);
50007+ read_unlock(&gr_inode_lock);
50008+ spin_unlock(&dentry->d_lock);
50009+
50010+ if (unlikely(retval == NULL)) {
50011+ /* real_root is pinned, we don't need to hold a reference */
50012+ read_lock(&gr_inode_lock);
50013+ retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
50014+ __get_dev(real_root.dentry), role);
50015+ read_unlock(&gr_inode_lock);
50016+ }
50017+out:
50018+ br_read_unlock(vfsmount_lock);
50019+ write_sequnlock(&rename_lock);
50020+
50021+ BUG_ON(retval == NULL);
50022+
50023+ return retval;
50024+}
50025+
50026+static void
50027+gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
50028+{
50029+ struct task_struct *task = current;
50030+ const struct cred *cred = current_cred();
50031+
50032+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
50033+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
50034+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
50035+ 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
50036+
50037+ return;
50038+}
50039+
50040+static void
50041+gr_log_learn_sysctl(const char *path, const __u32 mode)
50042+{
50043+ struct task_struct *task = current;
50044+ const struct cred *cred = current_cred();
50045+
50046+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
50047+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
50048+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
50049+ 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
50050+
50051+ return;
50052+}
50053+
50054+static void
50055+gr_log_learn_id_change(const char type, const unsigned int real,
50056+ const unsigned int effective, const unsigned int fs)
50057+{
50058+ struct task_struct *task = current;
50059+ const struct cred *cred = current_cred();
50060+
50061+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
50062+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
50063+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
50064+ type, real, effective, fs, &task->signal->saved_ip);
50065+
50066+ return;
50067+}
50068+
50069+__u32
50070+gr_search_file(const struct dentry * dentry, const __u32 mode,
50071+ const struct vfsmount * mnt)
50072+{
50073+ __u32 retval = mode;
50074+ struct acl_subject_label *curracl;
50075+ struct acl_object_label *currobj;
50076+
50077+ if (unlikely(!(gr_status & GR_READY)))
50078+ return (mode & ~GR_AUDITS);
50079+
50080+ curracl = current->acl;
50081+
50082+ currobj = chk_obj_label(dentry, mnt, curracl);
50083+ retval = currobj->mode & mode;
50084+
50085+ /* if we're opening a specified transfer file for writing
50086+ (e.g. /dev/initctl), then transfer our role to init
50087+ */
50088+ if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
50089+ current->role->roletype & GR_ROLE_PERSIST)) {
50090+ struct task_struct *task = init_pid_ns.child_reaper;
50091+
50092+ if (task->role != current->role) {
50093+ task->acl_sp_role = 0;
50094+ task->acl_role_id = current->acl_role_id;
50095+ task->role = current->role;
50096+ rcu_read_lock();
50097+ read_lock(&grsec_exec_file_lock);
50098+ gr_apply_subject_to_task(task);
50099+ read_unlock(&grsec_exec_file_lock);
50100+ rcu_read_unlock();
50101+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
50102+ }
50103+ }
50104+
50105+ if (unlikely
50106+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
50107+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
50108+ __u32 new_mode = mode;
50109+
50110+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
50111+
50112+ retval = new_mode;
50113+
50114+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
50115+ new_mode |= GR_INHERIT;
50116+
50117+ if (!(mode & GR_NOLEARN))
50118+ gr_log_learn(dentry, mnt, new_mode);
50119+ }
50120+
50121+ return retval;
50122+}
50123+
50124+struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
50125+ const struct dentry *parent,
50126+ const struct vfsmount *mnt)
50127+{
50128+ struct name_entry *match;
50129+ struct acl_object_label *matchpo;
50130+ struct acl_subject_label *curracl;
50131+ char *path;
50132+
50133+ if (unlikely(!(gr_status & GR_READY)))
50134+ return NULL;
50135+
50136+ preempt_disable();
50137+ path = gr_to_filename_rbac(new_dentry, mnt);
50138+ match = lookup_name_entry_create(path);
50139+
50140+ curracl = current->acl;
50141+
50142+ if (match) {
50143+ read_lock(&gr_inode_lock);
50144+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
50145+ read_unlock(&gr_inode_lock);
50146+
50147+ if (matchpo) {
50148+ preempt_enable();
50149+ return matchpo;
50150+ }
50151+ }
50152+
50153+ // lookup parent
50154+
50155+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
50156+
50157+ preempt_enable();
50158+ return matchpo;
50159+}
50160+
50161+__u32
50162+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
50163+ const struct vfsmount * mnt, const __u32 mode)
50164+{
50165+ struct acl_object_label *matchpo;
50166+ __u32 retval;
50167+
50168+ if (unlikely(!(gr_status & GR_READY)))
50169+ return (mode & ~GR_AUDITS);
50170+
50171+ matchpo = gr_get_create_object(new_dentry, parent, mnt);
50172+
50173+ retval = matchpo->mode & mode;
50174+
50175+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
50176+ && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
50177+ __u32 new_mode = mode;
50178+
50179+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
50180+
50181+ gr_log_learn(new_dentry, mnt, new_mode);
50182+ return new_mode;
50183+ }
50184+
50185+ return retval;
50186+}
50187+
50188+__u32
50189+gr_check_link(const struct dentry * new_dentry,
50190+ const struct dentry * parent_dentry,
50191+ const struct vfsmount * parent_mnt,
50192+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
50193+{
50194+ struct acl_object_label *obj;
50195+ __u32 oldmode, newmode;
50196+ __u32 needmode;
50197+ __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
50198+ GR_DELETE | GR_INHERIT;
50199+
50200+ if (unlikely(!(gr_status & GR_READY)))
50201+ return (GR_CREATE | GR_LINK);
50202+
50203+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
50204+ oldmode = obj->mode;
50205+
50206+ obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
50207+ newmode = obj->mode;
50208+
50209+ needmode = newmode & checkmodes;
50210+
50211+ // old name for hardlink must have at least the permissions of the new name
50212+ if ((oldmode & needmode) != needmode)
50213+ goto bad;
50214+
50215+ // if old name had restrictions/auditing, make sure the new name does as well
50216+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
50217+
50218+ // don't allow hardlinking of suid/sgid files without permission
50219+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
50220+ needmode |= GR_SETID;
50221+
50222+ if ((newmode & needmode) != needmode)
50223+ goto bad;
50224+
50225+ // enforce minimum permissions
50226+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
50227+ return newmode;
50228+bad:
50229+ needmode = oldmode;
50230+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
50231+ needmode |= GR_SETID;
50232+
50233+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
50234+ gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
50235+ return (GR_CREATE | GR_LINK);
50236+ } else if (newmode & GR_SUPPRESS)
50237+ return GR_SUPPRESS;
50238+ else
50239+ return 0;
50240+}
50241+
50242+int
50243+gr_check_hidden_task(const struct task_struct *task)
50244+{
50245+ if (unlikely(!(gr_status & GR_READY)))
50246+ return 0;
50247+
50248+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
50249+ return 1;
50250+
50251+ return 0;
50252+}
50253+
50254+int
50255+gr_check_protected_task(const struct task_struct *task)
50256+{
50257+ if (unlikely(!(gr_status & GR_READY) || !task))
50258+ return 0;
50259+
50260+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
50261+ task->acl != current->acl)
50262+ return 1;
50263+
50264+ return 0;
50265+}
50266+
50267+int
50268+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
50269+{
50270+ struct task_struct *p;
50271+ int ret = 0;
50272+
50273+ if (unlikely(!(gr_status & GR_READY) || !pid))
50274+ return ret;
50275+
50276+ read_lock(&tasklist_lock);
50277+ do_each_pid_task(pid, type, p) {
50278+ if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
50279+ p->acl != current->acl) {
50280+ ret = 1;
50281+ goto out;
50282+ }
50283+ } while_each_pid_task(pid, type, p);
50284+out:
50285+ read_unlock(&tasklist_lock);
50286+
50287+ return ret;
50288+}
50289+
50290+void
50291+gr_copy_label(struct task_struct *tsk)
50292+{
50293+ tsk->signal->used_accept = 0;
50294+ tsk->acl_sp_role = 0;
50295+ tsk->acl_role_id = current->acl_role_id;
50296+ tsk->acl = current->acl;
50297+ tsk->role = current->role;
50298+ tsk->signal->curr_ip = current->signal->curr_ip;
50299+ tsk->signal->saved_ip = current->signal->saved_ip;
50300+ if (current->exec_file)
50301+ get_file(current->exec_file);
50302+ tsk->exec_file = current->exec_file;
50303+ tsk->is_writable = current->is_writable;
50304+ if (unlikely(current->signal->used_accept)) {
50305+ current->signal->curr_ip = 0;
50306+ current->signal->saved_ip = 0;
50307+ }
50308+
50309+ return;
50310+}
50311+
50312+static void
50313+gr_set_proc_res(struct task_struct *task)
50314+{
50315+ struct acl_subject_label *proc;
50316+ unsigned short i;
50317+
50318+ proc = task->acl;
50319+
50320+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
50321+ return;
50322+
50323+ for (i = 0; i < RLIM_NLIMITS; i++) {
50324+ if (!(proc->resmask & (1 << i)))
50325+ continue;
50326+
50327+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
50328+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
50329+ }
50330+
50331+ return;
50332+}
50333+
50334+extern int __gr_process_user_ban(struct user_struct *user);
50335+
50336+int
50337+gr_check_user_change(int real, int effective, int fs)
50338+{
50339+ unsigned int i;
50340+ __u16 num;
50341+ uid_t *uidlist;
50342+ int curuid;
50343+ int realok = 0;
50344+ int effectiveok = 0;
50345+ int fsok = 0;
50346+
50347+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
50348+ struct user_struct *user;
50349+
50350+ if (real == -1)
50351+ goto skipit;
50352+
50353+ user = find_user(real);
50354+ if (user == NULL)
50355+ goto skipit;
50356+
50357+ if (__gr_process_user_ban(user)) {
50358+ /* for find_user */
50359+ free_uid(user);
50360+ return 1;
50361+ }
50362+
50363+ /* for find_user */
50364+ free_uid(user);
50365+
50366+skipit:
50367+#endif
50368+
50369+ if (unlikely(!(gr_status & GR_READY)))
50370+ return 0;
50371+
50372+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
50373+ gr_log_learn_id_change('u', real, effective, fs);
50374+
50375+ num = current->acl->user_trans_num;
50376+ uidlist = current->acl->user_transitions;
50377+
50378+ if (uidlist == NULL)
50379+ return 0;
50380+
50381+ if (real == -1)
50382+ realok = 1;
50383+ if (effective == -1)
50384+ effectiveok = 1;
50385+ if (fs == -1)
50386+ fsok = 1;
50387+
50388+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
50389+ for (i = 0; i < num; i++) {
50390+ curuid = (int)uidlist[i];
50391+ if (real == curuid)
50392+ realok = 1;
50393+ if (effective == curuid)
50394+ effectiveok = 1;
50395+ if (fs == curuid)
50396+ fsok = 1;
50397+ }
50398+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
50399+ for (i = 0; i < num; i++) {
50400+ curuid = (int)uidlist[i];
50401+ if (real == curuid)
50402+ break;
50403+ if (effective == curuid)
50404+ break;
50405+ if (fs == curuid)
50406+ break;
50407+ }
50408+ /* not in deny list */
50409+ if (i == num) {
50410+ realok = 1;
50411+ effectiveok = 1;
50412+ fsok = 1;
50413+ }
50414+ }
50415+
50416+ if (realok && effectiveok && fsok)
50417+ return 0;
50418+ else {
50419+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
50420+ return 1;
50421+ }
50422+}
50423+
50424+int
50425+gr_check_group_change(int real, int effective, int fs)
50426+{
50427+ unsigned int i;
50428+ __u16 num;
50429+ gid_t *gidlist;
50430+ int curgid;
50431+ int realok = 0;
50432+ int effectiveok = 0;
50433+ int fsok = 0;
50434+
50435+ if (unlikely(!(gr_status & GR_READY)))
50436+ return 0;
50437+
50438+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
50439+ gr_log_learn_id_change('g', real, effective, fs);
50440+
50441+ num = current->acl->group_trans_num;
50442+ gidlist = current->acl->group_transitions;
50443+
50444+ if (gidlist == NULL)
50445+ return 0;
50446+
50447+ if (real == -1)
50448+ realok = 1;
50449+ if (effective == -1)
50450+ effectiveok = 1;
50451+ if (fs == -1)
50452+ fsok = 1;
50453+
50454+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
50455+ for (i = 0; i < num; i++) {
50456+ curgid = (int)gidlist[i];
50457+ if (real == curgid)
50458+ realok = 1;
50459+ if (effective == curgid)
50460+ effectiveok = 1;
50461+ if (fs == curgid)
50462+ fsok = 1;
50463+ }
50464+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
50465+ for (i = 0; i < num; i++) {
50466+ curgid = (int)gidlist[i];
50467+ if (real == curgid)
50468+ break;
50469+ if (effective == curgid)
50470+ break;
50471+ if (fs == curgid)
50472+ break;
50473+ }
50474+ /* not in deny list */
50475+ if (i == num) {
50476+ realok = 1;
50477+ effectiveok = 1;
50478+ fsok = 1;
50479+ }
50480+ }
50481+
50482+ if (realok && effectiveok && fsok)
50483+ return 0;
50484+ else {
50485+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
50486+ return 1;
50487+ }
50488+}
50489+
50490+void
50491+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
50492+{
50493+ struct acl_role_label *role = task->role;
50494+ struct acl_subject_label *subj = NULL;
50495+ struct acl_object_label *obj;
50496+ struct file *filp;
50497+
50498+ if (unlikely(!(gr_status & GR_READY)))
50499+ return;
50500+
50501+ filp = task->exec_file;
50502+
50503+ /* kernel process, we'll give them the kernel role */
50504+ if (unlikely(!filp)) {
50505+ task->role = kernel_role;
50506+ task->acl = kernel_role->root_label;
50507+ return;
50508+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
50509+ role = lookup_acl_role_label(task, uid, gid);
50510+
50511+ /* perform subject lookup in possibly new role
50512+ we can use this result below in the case where role == task->role
50513+ */
50514+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
50515+
50516+ /* if we changed uid/gid, but result in the same role
50517+ and are using inheritance, don't lose the inherited subject
50518+ if current subject is other than what normal lookup
50519+ would result in, we arrived via inheritance, don't
50520+ lose subject
50521+ */
50522+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
50523+ (subj == task->acl)))
50524+ task->acl = subj;
50525+
50526+ task->role = role;
50527+
50528+ task->is_writable = 0;
50529+
50530+ /* ignore additional mmap checks for processes that are writable
50531+ by the default ACL */
50532+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
50533+ if (unlikely(obj->mode & GR_WRITE))
50534+ task->is_writable = 1;
50535+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
50536+ if (unlikely(obj->mode & GR_WRITE))
50537+ task->is_writable = 1;
50538+
50539+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50540+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
50541+#endif
50542+
50543+ gr_set_proc_res(task);
50544+
50545+ return;
50546+}
50547+
50548+int
50549+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
50550+ const int unsafe_share)
50551+{
50552+ struct task_struct *task = current;
50553+ struct acl_subject_label *newacl;
50554+ struct acl_object_label *obj;
50555+ __u32 retmode;
50556+
50557+ if (unlikely(!(gr_status & GR_READY)))
50558+ return 0;
50559+
50560+ newacl = chk_subj_label(dentry, mnt, task->role);
50561+
50562+ task_lock(task);
50563+ if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
50564+ !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
50565+ !(task->role->roletype & GR_ROLE_GOD) &&
50566+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
50567+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
50568+ task_unlock(task);
50569+ if (unsafe_share)
50570+ gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
50571+ else
50572+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
50573+ return -EACCES;
50574+ }
50575+ task_unlock(task);
50576+
50577+ obj = chk_obj_label(dentry, mnt, task->acl);
50578+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
50579+
50580+ if (!(task->acl->mode & GR_INHERITLEARN) &&
50581+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
50582+ if (obj->nested)
50583+ task->acl = obj->nested;
50584+ else
50585+ task->acl = newacl;
50586+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
50587+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
50588+
50589+ task->is_writable = 0;
50590+
50591+ /* ignore additional mmap checks for processes that are writable
50592+ by the default ACL */
50593+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
50594+ if (unlikely(obj->mode & GR_WRITE))
50595+ task->is_writable = 1;
50596+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
50597+ if (unlikely(obj->mode & GR_WRITE))
50598+ task->is_writable = 1;
50599+
50600+ gr_set_proc_res(task);
50601+
50602+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50603+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
50604+#endif
50605+ return 0;
50606+}
50607+
50608+/* always called with valid inodev ptr */
50609+static void
50610+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
50611+{
50612+ struct acl_object_label *matchpo;
50613+ struct acl_subject_label *matchps;
50614+ struct acl_subject_label *subj;
50615+ struct acl_role_label *role;
50616+ unsigned int x;
50617+
50618+ FOR_EACH_ROLE_START(role)
50619+ FOR_EACH_SUBJECT_START(role, subj, x)
50620+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
50621+ matchpo->mode |= GR_DELETED;
50622+ FOR_EACH_SUBJECT_END(subj,x)
50623+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
50624+ if (subj->inode == ino && subj->device == dev)
50625+ subj->mode |= GR_DELETED;
50626+ FOR_EACH_NESTED_SUBJECT_END(subj)
50627+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
50628+ matchps->mode |= GR_DELETED;
50629+ FOR_EACH_ROLE_END(role)
50630+
50631+ inodev->nentry->deleted = 1;
50632+
50633+ return;
50634+}
50635+
50636+void
50637+gr_handle_delete(const ino_t ino, const dev_t dev)
50638+{
50639+ struct inodev_entry *inodev;
50640+
50641+ if (unlikely(!(gr_status & GR_READY)))
50642+ return;
50643+
50644+ write_lock(&gr_inode_lock);
50645+ inodev = lookup_inodev_entry(ino, dev);
50646+ if (inodev != NULL)
50647+ do_handle_delete(inodev, ino, dev);
50648+ write_unlock(&gr_inode_lock);
50649+
50650+ return;
50651+}
50652+
50653+static void
50654+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
50655+ const ino_t newinode, const dev_t newdevice,
50656+ struct acl_subject_label *subj)
50657+{
50658+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
50659+ struct acl_object_label *match;
50660+
50661+ match = subj->obj_hash[index];
50662+
50663+ while (match && (match->inode != oldinode ||
50664+ match->device != olddevice ||
50665+ !(match->mode & GR_DELETED)))
50666+ match = match->next;
50667+
50668+ if (match && (match->inode == oldinode)
50669+ && (match->device == olddevice)
50670+ && (match->mode & GR_DELETED)) {
50671+ if (match->prev == NULL) {
50672+ subj->obj_hash[index] = match->next;
50673+ if (match->next != NULL)
50674+ match->next->prev = NULL;
50675+ } else {
50676+ match->prev->next = match->next;
50677+ if (match->next != NULL)
50678+ match->next->prev = match->prev;
50679+ }
50680+ match->prev = NULL;
50681+ match->next = NULL;
50682+ match->inode = newinode;
50683+ match->device = newdevice;
50684+ match->mode &= ~GR_DELETED;
50685+
50686+ insert_acl_obj_label(match, subj);
50687+ }
50688+
50689+ return;
50690+}
50691+
50692+static void
50693+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
50694+ const ino_t newinode, const dev_t newdevice,
50695+ struct acl_role_label *role)
50696+{
50697+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
50698+ struct acl_subject_label *match;
50699+
50700+ match = role->subj_hash[index];
50701+
50702+ while (match && (match->inode != oldinode ||
50703+ match->device != olddevice ||
50704+ !(match->mode & GR_DELETED)))
50705+ match = match->next;
50706+
50707+ if (match && (match->inode == oldinode)
50708+ && (match->device == olddevice)
50709+ && (match->mode & GR_DELETED)) {
50710+ if (match->prev == NULL) {
50711+ role->subj_hash[index] = match->next;
50712+ if (match->next != NULL)
50713+ match->next->prev = NULL;
50714+ } else {
50715+ match->prev->next = match->next;
50716+ if (match->next != NULL)
50717+ match->next->prev = match->prev;
50718+ }
50719+ match->prev = NULL;
50720+ match->next = NULL;
50721+ match->inode = newinode;
50722+ match->device = newdevice;
50723+ match->mode &= ~GR_DELETED;
50724+
50725+ insert_acl_subj_label(match, role);
50726+ }
50727+
50728+ return;
50729+}
50730+
50731+static void
50732+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
50733+ const ino_t newinode, const dev_t newdevice)
50734+{
50735+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
50736+ struct inodev_entry *match;
50737+
50738+ match = inodev_set.i_hash[index];
50739+
50740+ while (match && (match->nentry->inode != oldinode ||
50741+ match->nentry->device != olddevice || !match->nentry->deleted))
50742+ match = match->next;
50743+
50744+ if (match && (match->nentry->inode == oldinode)
50745+ && (match->nentry->device == olddevice) &&
50746+ match->nentry->deleted) {
50747+ if (match->prev == NULL) {
50748+ inodev_set.i_hash[index] = match->next;
50749+ if (match->next != NULL)
50750+ match->next->prev = NULL;
50751+ } else {
50752+ match->prev->next = match->next;
50753+ if (match->next != NULL)
50754+ match->next->prev = match->prev;
50755+ }
50756+ match->prev = NULL;
50757+ match->next = NULL;
50758+ match->nentry->inode = newinode;
50759+ match->nentry->device = newdevice;
50760+ match->nentry->deleted = 0;
50761+
50762+ insert_inodev_entry(match);
50763+ }
50764+
50765+ return;
50766+}
50767+
50768+static void
50769+__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev)
50770+{
50771+ struct acl_subject_label *subj;
50772+ struct acl_role_label *role;
50773+ unsigned int x;
50774+
50775+ FOR_EACH_ROLE_START(role)
50776+ update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
50777+
50778+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
50779+ if ((subj->inode == ino) && (subj->device == dev)) {
50780+ subj->inode = ino;
50781+ subj->device = dev;
50782+ }
50783+ FOR_EACH_NESTED_SUBJECT_END(subj)
50784+ FOR_EACH_SUBJECT_START(role, subj, x)
50785+ update_acl_obj_label(matchn->inode, matchn->device,
50786+ ino, dev, subj);
50787+ FOR_EACH_SUBJECT_END(subj,x)
50788+ FOR_EACH_ROLE_END(role)
50789+
50790+ update_inodev_entry(matchn->inode, matchn->device, ino, dev);
50791+
50792+ return;
50793+}
50794+
50795+static void
50796+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
50797+ const struct vfsmount *mnt)
50798+{
50799+ ino_t ino = dentry->d_inode->i_ino;
50800+ dev_t dev = __get_dev(dentry);
50801+
50802+ __do_handle_create(matchn, ino, dev);
50803+
50804+ return;
50805+}
50806+
50807+void
50808+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
50809+{
50810+ struct name_entry *matchn;
50811+
50812+ if (unlikely(!(gr_status & GR_READY)))
50813+ return;
50814+
50815+ preempt_disable();
50816+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
50817+
50818+ if (unlikely((unsigned long)matchn)) {
50819+ write_lock(&gr_inode_lock);
50820+ do_handle_create(matchn, dentry, mnt);
50821+ write_unlock(&gr_inode_lock);
50822+ }
50823+ preempt_enable();
50824+
50825+ return;
50826+}
50827+
50828+void
50829+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
50830+{
50831+ struct name_entry *matchn;
50832+
50833+ if (unlikely(!(gr_status & GR_READY)))
50834+ return;
50835+
50836+ preempt_disable();
50837+ matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
50838+
50839+ if (unlikely((unsigned long)matchn)) {
50840+ write_lock(&gr_inode_lock);
50841+ __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
50842+ write_unlock(&gr_inode_lock);
50843+ }
50844+ preempt_enable();
50845+
50846+ return;
50847+}
50848+
50849+void
50850+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
50851+ struct dentry *old_dentry,
50852+ struct dentry *new_dentry,
50853+ struct vfsmount *mnt, const __u8 replace)
50854+{
50855+ struct name_entry *matchn;
50856+ struct inodev_entry *inodev;
50857+ ino_t old_ino = old_dentry->d_inode->i_ino;
50858+ dev_t old_dev = __get_dev(old_dentry);
50859+
50860+ /* vfs_rename swaps the name and parent link for old_dentry and
50861+ new_dentry
50862+ at this point, old_dentry has the new name, parent link, and inode
50863+ for the renamed file
50864+ if a file is being replaced by a rename, new_dentry has the inode
50865+ and name for the replaced file
50866+ */
50867+
50868+ if (unlikely(!(gr_status & GR_READY)))
50869+ return;
50870+
50871+ preempt_disable();
50872+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
50873+
50874+ /* we wouldn't have to check d_inode if it weren't for
50875+ NFS silly-renaming
50876+ */
50877+
50878+ write_lock(&gr_inode_lock);
50879+ if (unlikely(replace && new_dentry->d_inode)) {
50880+ ino_t new_ino = new_dentry->d_inode->i_ino;
50881+ dev_t new_dev = __get_dev(new_dentry);
50882+
50883+ inodev = lookup_inodev_entry(new_ino, new_dev);
50884+ if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
50885+ do_handle_delete(inodev, new_ino, new_dev);
50886+ }
50887+
50888+ inodev = lookup_inodev_entry(old_ino, old_dev);
50889+ if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
50890+ do_handle_delete(inodev, old_ino, old_dev);
50891+
50892+ if (unlikely((unsigned long)matchn))
50893+ do_handle_create(matchn, old_dentry, mnt);
50894+
50895+ write_unlock(&gr_inode_lock);
50896+ preempt_enable();
50897+
50898+ return;
50899+}
50900+
50901+static int
50902+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
50903+ unsigned char **sum)
50904+{
50905+ struct acl_role_label *r;
50906+ struct role_allowed_ip *ipp;
50907+ struct role_transition *trans;
50908+ unsigned int i;
50909+ int found = 0;
50910+ u32 curr_ip = current->signal->curr_ip;
50911+
50912+ current->signal->saved_ip = curr_ip;
50913+
50914+ /* check transition table */
50915+
50916+ for (trans = current->role->transitions; trans; trans = trans->next) {
50917+ if (!strcmp(rolename, trans->rolename)) {
50918+ found = 1;
50919+ break;
50920+ }
50921+ }
50922+
50923+ if (!found)
50924+ return 0;
50925+
50926+ /* handle special roles that do not require authentication
50927+ and check ip */
50928+
50929+ FOR_EACH_ROLE_START(r)
50930+ if (!strcmp(rolename, r->rolename) &&
50931+ (r->roletype & GR_ROLE_SPECIAL)) {
50932+ found = 0;
50933+ if (r->allowed_ips != NULL) {
50934+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
50935+ if ((ntohl(curr_ip) & ipp->netmask) ==
50936+ (ntohl(ipp->addr) & ipp->netmask))
50937+ found = 1;
50938+ }
50939+ } else
50940+ found = 2;
50941+ if (!found)
50942+ return 0;
50943+
50944+ if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
50945+ ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
50946+ *salt = NULL;
50947+ *sum = NULL;
50948+ return 1;
50949+ }
50950+ }
50951+ FOR_EACH_ROLE_END(r)
50952+
50953+ for (i = 0; i < num_sprole_pws; i++) {
50954+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
50955+ *salt = acl_special_roles[i]->salt;
50956+ *sum = acl_special_roles[i]->sum;
50957+ return 1;
50958+ }
50959+ }
50960+
50961+ return 0;
50962+}
50963+
50964+static void
50965+assign_special_role(char *rolename)
50966+{
50967+ struct acl_object_label *obj;
50968+ struct acl_role_label *r;
50969+ struct acl_role_label *assigned = NULL;
50970+ struct task_struct *tsk;
50971+ struct file *filp;
50972+
50973+ FOR_EACH_ROLE_START(r)
50974+ if (!strcmp(rolename, r->rolename) &&
50975+ (r->roletype & GR_ROLE_SPECIAL)) {
50976+ assigned = r;
50977+ break;
50978+ }
50979+ FOR_EACH_ROLE_END(r)
50980+
50981+ if (!assigned)
50982+ return;
50983+
50984+ read_lock(&tasklist_lock);
50985+ read_lock(&grsec_exec_file_lock);
50986+
50987+ tsk = current->real_parent;
50988+ if (tsk == NULL)
50989+ goto out_unlock;
50990+
50991+ filp = tsk->exec_file;
50992+ if (filp == NULL)
50993+ goto out_unlock;
50994+
50995+ tsk->is_writable = 0;
50996+
50997+ tsk->acl_sp_role = 1;
50998+ tsk->acl_role_id = ++acl_sp_role_value;
50999+ tsk->role = assigned;
51000+ tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
51001+
51002+ /* ignore additional mmap checks for processes that are writable
51003+ by the default ACL */
51004+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
51005+ if (unlikely(obj->mode & GR_WRITE))
51006+ tsk->is_writable = 1;
51007+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
51008+ if (unlikely(obj->mode & GR_WRITE))
51009+ tsk->is_writable = 1;
51010+
51011+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
51012+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
51013+#endif
51014+
51015+out_unlock:
51016+ read_unlock(&grsec_exec_file_lock);
51017+ read_unlock(&tasklist_lock);
51018+ return;
51019+}
51020+
51021+int gr_check_secure_terminal(struct task_struct *task)
51022+{
51023+ struct task_struct *p, *p2, *p3;
51024+ struct files_struct *files;
51025+ struct fdtable *fdt;
51026+ struct file *our_file = NULL, *file;
51027+ int i;
51028+
51029+ if (task->signal->tty == NULL)
51030+ return 1;
51031+
51032+ files = get_files_struct(task);
51033+ if (files != NULL) {
51034+ rcu_read_lock();
51035+ fdt = files_fdtable(files);
51036+ for (i=0; i < fdt->max_fds; i++) {
51037+ file = fcheck_files(files, i);
51038+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
51039+ get_file(file);
51040+ our_file = file;
51041+ }
51042+ }
51043+ rcu_read_unlock();
51044+ put_files_struct(files);
51045+ }
51046+
51047+ if (our_file == NULL)
51048+ return 1;
51049+
51050+ read_lock(&tasklist_lock);
51051+ do_each_thread(p2, p) {
51052+ files = get_files_struct(p);
51053+ if (files == NULL ||
51054+ (p->signal && p->signal->tty == task->signal->tty)) {
51055+ if (files != NULL)
51056+ put_files_struct(files);
51057+ continue;
51058+ }
51059+ rcu_read_lock();
51060+ fdt = files_fdtable(files);
51061+ for (i=0; i < fdt->max_fds; i++) {
51062+ file = fcheck_files(files, i);
51063+ if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
51064+ file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
51065+ p3 = task;
51066+ while (p3->pid > 0) {
51067+ if (p3 == p)
51068+ break;
51069+ p3 = p3->real_parent;
51070+ }
51071+ if (p3 == p)
51072+ break;
51073+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
51074+ gr_handle_alertkill(p);
51075+ rcu_read_unlock();
51076+ put_files_struct(files);
51077+ read_unlock(&tasklist_lock);
51078+ fput(our_file);
51079+ return 0;
51080+ }
51081+ }
51082+ rcu_read_unlock();
51083+ put_files_struct(files);
51084+ } while_each_thread(p2, p);
51085+ read_unlock(&tasklist_lock);
51086+
51087+ fput(our_file);
51088+ return 1;
51089+}
51090+
51091+ssize_t
51092+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
51093+{
51094+ struct gr_arg_wrapper uwrap;
51095+ unsigned char *sprole_salt = NULL;
51096+ unsigned char *sprole_sum = NULL;
51097+ int error = sizeof (struct gr_arg_wrapper);
51098+ int error2 = 0;
51099+
51100+ mutex_lock(&gr_dev_mutex);
51101+
51102+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
51103+ error = -EPERM;
51104+ goto out;
51105+ }
51106+
51107+ if (count != sizeof (struct gr_arg_wrapper)) {
51108+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
51109+ error = -EINVAL;
51110+ goto out;
51111+ }
51112+
51113+
51114+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
51115+ gr_auth_expires = 0;
51116+ gr_auth_attempts = 0;
51117+ }
51118+
51119+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
51120+ error = -EFAULT;
51121+ goto out;
51122+ }
51123+
51124+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
51125+ error = -EINVAL;
51126+ goto out;
51127+ }
51128+
51129+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
51130+ error = -EFAULT;
51131+ goto out;
51132+ }
51133+
51134+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
51135+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
51136+ time_after(gr_auth_expires, get_seconds())) {
51137+ error = -EBUSY;
51138+ goto out;
51139+ }
51140+
51141+ /* if non-root trying to do anything other than use a special role,
51142+ do not attempt authentication, do not count towards authentication
51143+ locking
51144+ */
51145+
51146+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
51147+ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
51148+ current_uid()) {
51149+ error = -EPERM;
51150+ goto out;
51151+ }
51152+
51153+ /* ensure pw and special role name are null terminated */
51154+
51155+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
51156+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
51157+
51158+ /* Okay.
51159+ * We have our enough of the argument structure..(we have yet
51160+ * to copy_from_user the tables themselves) . Copy the tables
51161+ * only if we need them, i.e. for loading operations. */
51162+
51163+ switch (gr_usermode->mode) {
51164+ case GR_STATUS:
51165+ if (gr_status & GR_READY) {
51166+ error = 1;
51167+ if (!gr_check_secure_terminal(current))
51168+ error = 3;
51169+ } else
51170+ error = 2;
51171+ goto out;
51172+ case GR_SHUTDOWN:
51173+ if ((gr_status & GR_READY)
51174+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
51175+ pax_open_kernel();
51176+ gr_status &= ~GR_READY;
51177+ pax_close_kernel();
51178+
51179+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
51180+ free_variables();
51181+ memset(gr_usermode, 0, sizeof (struct gr_arg));
51182+ memset(gr_system_salt, 0, GR_SALT_LEN);
51183+ memset(gr_system_sum, 0, GR_SHA_LEN);
51184+ } else if (gr_status & GR_READY) {
51185+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
51186+ error = -EPERM;
51187+ } else {
51188+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
51189+ error = -EAGAIN;
51190+ }
51191+ break;
51192+ case GR_ENABLE:
51193+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
51194+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
51195+ else {
51196+ if (gr_status & GR_READY)
51197+ error = -EAGAIN;
51198+ else
51199+ error = error2;
51200+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
51201+ }
51202+ break;
51203+ case GR_RELOAD:
51204+ if (!(gr_status & GR_READY)) {
51205+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
51206+ error = -EAGAIN;
51207+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
51208+ preempt_disable();
51209+
51210+ pax_open_kernel();
51211+ gr_status &= ~GR_READY;
51212+ pax_close_kernel();
51213+
51214+ free_variables();
51215+ if (!(error2 = gracl_init(gr_usermode))) {
51216+ preempt_enable();
51217+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
51218+ } else {
51219+ preempt_enable();
51220+ error = error2;
51221+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
51222+ }
51223+ } else {
51224+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
51225+ error = -EPERM;
51226+ }
51227+ break;
51228+ case GR_SEGVMOD:
51229+ if (unlikely(!(gr_status & GR_READY))) {
51230+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
51231+ error = -EAGAIN;
51232+ break;
51233+ }
51234+
51235+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
51236+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
51237+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
51238+ struct acl_subject_label *segvacl;
51239+ segvacl =
51240+ lookup_acl_subj_label(gr_usermode->segv_inode,
51241+ gr_usermode->segv_device,
51242+ current->role);
51243+ if (segvacl) {
51244+ segvacl->crashes = 0;
51245+ segvacl->expires = 0;
51246+ }
51247+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
51248+ gr_remove_uid(gr_usermode->segv_uid);
51249+ }
51250+ } else {
51251+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
51252+ error = -EPERM;
51253+ }
51254+ break;
51255+ case GR_SPROLE:
51256+ case GR_SPROLEPAM:
51257+ if (unlikely(!(gr_status & GR_READY))) {
51258+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
51259+ error = -EAGAIN;
51260+ break;
51261+ }
51262+
51263+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
51264+ current->role->expires = 0;
51265+ current->role->auth_attempts = 0;
51266+ }
51267+
51268+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
51269+ time_after(current->role->expires, get_seconds())) {
51270+ error = -EBUSY;
51271+ goto out;
51272+ }
51273+
51274+ if (lookup_special_role_auth
51275+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
51276+ && ((!sprole_salt && !sprole_sum)
51277+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
51278+ char *p = "";
51279+ assign_special_role(gr_usermode->sp_role);
51280+ read_lock(&tasklist_lock);
51281+ if (current->real_parent)
51282+ p = current->real_parent->role->rolename;
51283+ read_unlock(&tasklist_lock);
51284+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
51285+ p, acl_sp_role_value);
51286+ } else {
51287+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
51288+ error = -EPERM;
51289+ if(!(current->role->auth_attempts++))
51290+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
51291+
51292+ goto out;
51293+ }
51294+ break;
51295+ case GR_UNSPROLE:
51296+ if (unlikely(!(gr_status & GR_READY))) {
51297+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
51298+ error = -EAGAIN;
51299+ break;
51300+ }
51301+
51302+ if (current->role->roletype & GR_ROLE_SPECIAL) {
51303+ char *p = "";
51304+ int i = 0;
51305+
51306+ read_lock(&tasklist_lock);
51307+ if (current->real_parent) {
51308+ p = current->real_parent->role->rolename;
51309+ i = current->real_parent->acl_role_id;
51310+ }
51311+ read_unlock(&tasklist_lock);
51312+
51313+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
51314+ gr_set_acls(1);
51315+ } else {
51316+ error = -EPERM;
51317+ goto out;
51318+ }
51319+ break;
51320+ default:
51321+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
51322+ error = -EINVAL;
51323+ break;
51324+ }
51325+
51326+ if (error != -EPERM)
51327+ goto out;
51328+
51329+ if(!(gr_auth_attempts++))
51330+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
51331+
51332+ out:
51333+ mutex_unlock(&gr_dev_mutex);
51334+ return error;
51335+}
51336+
51337+/* must be called with
51338+ rcu_read_lock();
51339+ read_lock(&tasklist_lock);
51340+ read_lock(&grsec_exec_file_lock);
51341+*/
51342+int gr_apply_subject_to_task(struct task_struct *task)
51343+{
51344+ struct acl_object_label *obj;
51345+ char *tmpname;
51346+ struct acl_subject_label *tmpsubj;
51347+ struct file *filp;
51348+ struct name_entry *nmatch;
51349+
51350+ filp = task->exec_file;
51351+ if (filp == NULL)
51352+ return 0;
51353+
51354+ /* the following is to apply the correct subject
51355+ on binaries running when the RBAC system
51356+ is enabled, when the binaries have been
51357+ replaced or deleted since their execution
51358+ -----
51359+ when the RBAC system starts, the inode/dev
51360+ from exec_file will be one the RBAC system
51361+ is unaware of. It only knows the inode/dev
51362+ of the present file on disk, or the absence
51363+ of it.
51364+ */
51365+ preempt_disable();
51366+ tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
51367+
51368+ nmatch = lookup_name_entry(tmpname);
51369+ preempt_enable();
51370+ tmpsubj = NULL;
51371+ if (nmatch) {
51372+ if (nmatch->deleted)
51373+ tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
51374+ else
51375+ tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
51376+ if (tmpsubj != NULL)
51377+ task->acl = tmpsubj;
51378+ }
51379+ if (tmpsubj == NULL)
51380+ task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
51381+ task->role);
51382+ if (task->acl) {
51383+ task->is_writable = 0;
51384+ /* ignore additional mmap checks for processes that are writable
51385+ by the default ACL */
51386+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
51387+ if (unlikely(obj->mode & GR_WRITE))
51388+ task->is_writable = 1;
51389+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
51390+ if (unlikely(obj->mode & GR_WRITE))
51391+ task->is_writable = 1;
51392+
51393+ gr_set_proc_res(task);
51394+
51395+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
51396+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
51397+#endif
51398+ } else {
51399+ return 1;
51400+ }
51401+
51402+ return 0;
51403+}
51404+
51405+int
51406+gr_set_acls(const int type)
51407+{
51408+ struct task_struct *task, *task2;
51409+ struct acl_role_label *role = current->role;
51410+ __u16 acl_role_id = current->acl_role_id;
51411+ const struct cred *cred;
51412+ int ret;
51413+
51414+ rcu_read_lock();
51415+ read_lock(&tasklist_lock);
51416+ read_lock(&grsec_exec_file_lock);
51417+ do_each_thread(task2, task) {
51418+ /* check to see if we're called from the exit handler,
51419+ if so, only replace ACLs that have inherited the admin
51420+ ACL */
51421+
51422+ if (type && (task->role != role ||
51423+ task->acl_role_id != acl_role_id))
51424+ continue;
51425+
51426+ task->acl_role_id = 0;
51427+ task->acl_sp_role = 0;
51428+
51429+ if (task->exec_file) {
51430+ cred = __task_cred(task);
51431+ task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
51432+ ret = gr_apply_subject_to_task(task);
51433+ if (ret) {
51434+ read_unlock(&grsec_exec_file_lock);
51435+ read_unlock(&tasklist_lock);
51436+ rcu_read_unlock();
51437+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
51438+ return ret;
51439+ }
51440+ } else {
51441+ // it's a kernel process
51442+ task->role = kernel_role;
51443+ task->acl = kernel_role->root_label;
51444+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
51445+ task->acl->mode &= ~GR_PROCFIND;
51446+#endif
51447+ }
51448+ } while_each_thread(task2, task);
51449+ read_unlock(&grsec_exec_file_lock);
51450+ read_unlock(&tasklist_lock);
51451+ rcu_read_unlock();
51452+
51453+ return 0;
51454+}
51455+
51456+void
51457+gr_learn_resource(const struct task_struct *task,
51458+ const int res, const unsigned long wanted, const int gt)
51459+{
51460+ struct acl_subject_label *acl;
51461+ const struct cred *cred;
51462+
51463+ if (unlikely((gr_status & GR_READY) &&
51464+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
51465+ goto skip_reslog;
51466+
51467+#ifdef CONFIG_GRKERNSEC_RESLOG
51468+ gr_log_resource(task, res, wanted, gt);
51469+#endif
51470+ skip_reslog:
51471+
51472+ if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
51473+ return;
51474+
51475+ acl = task->acl;
51476+
51477+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
51478+ !(acl->resmask & (1 << (unsigned short) res))))
51479+ return;
51480+
51481+ if (wanted >= acl->res[res].rlim_cur) {
51482+ unsigned long res_add;
51483+
51484+ res_add = wanted;
51485+ switch (res) {
51486+ case RLIMIT_CPU:
51487+ res_add += GR_RLIM_CPU_BUMP;
51488+ break;
51489+ case RLIMIT_FSIZE:
51490+ res_add += GR_RLIM_FSIZE_BUMP;
51491+ break;
51492+ case RLIMIT_DATA:
51493+ res_add += GR_RLIM_DATA_BUMP;
51494+ break;
51495+ case RLIMIT_STACK:
51496+ res_add += GR_RLIM_STACK_BUMP;
51497+ break;
51498+ case RLIMIT_CORE:
51499+ res_add += GR_RLIM_CORE_BUMP;
51500+ break;
51501+ case RLIMIT_RSS:
51502+ res_add += GR_RLIM_RSS_BUMP;
51503+ break;
51504+ case RLIMIT_NPROC:
51505+ res_add += GR_RLIM_NPROC_BUMP;
51506+ break;
51507+ case RLIMIT_NOFILE:
51508+ res_add += GR_RLIM_NOFILE_BUMP;
51509+ break;
51510+ case RLIMIT_MEMLOCK:
51511+ res_add += GR_RLIM_MEMLOCK_BUMP;
51512+ break;
51513+ case RLIMIT_AS:
51514+ res_add += GR_RLIM_AS_BUMP;
51515+ break;
51516+ case RLIMIT_LOCKS:
51517+ res_add += GR_RLIM_LOCKS_BUMP;
51518+ break;
51519+ case RLIMIT_SIGPENDING:
51520+ res_add += GR_RLIM_SIGPENDING_BUMP;
51521+ break;
51522+ case RLIMIT_MSGQUEUE:
51523+ res_add += GR_RLIM_MSGQUEUE_BUMP;
51524+ break;
51525+ case RLIMIT_NICE:
51526+ res_add += GR_RLIM_NICE_BUMP;
51527+ break;
51528+ case RLIMIT_RTPRIO:
51529+ res_add += GR_RLIM_RTPRIO_BUMP;
51530+ break;
51531+ case RLIMIT_RTTIME:
51532+ res_add += GR_RLIM_RTTIME_BUMP;
51533+ break;
51534+ }
51535+
51536+ acl->res[res].rlim_cur = res_add;
51537+
51538+ if (wanted > acl->res[res].rlim_max)
51539+ acl->res[res].rlim_max = res_add;
51540+
51541+ /* only log the subject filename, since resource logging is supported for
51542+ single-subject learning only */
51543+ rcu_read_lock();
51544+ cred = __task_cred(task);
51545+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
51546+ task->role->roletype, cred->uid, cred->gid, acl->filename,
51547+ acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
51548+ "", (unsigned long) res, &task->signal->saved_ip);
51549+ rcu_read_unlock();
51550+ }
51551+
51552+ return;
51553+}
51554+
51555+#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
51556+void
51557+pax_set_initial_flags(struct linux_binprm *bprm)
51558+{
51559+ struct task_struct *task = current;
51560+ struct acl_subject_label *proc;
51561+ unsigned long flags;
51562+
51563+ if (unlikely(!(gr_status & GR_READY)))
51564+ return;
51565+
51566+ flags = pax_get_flags(task);
51567+
51568+ proc = task->acl;
51569+
51570+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
51571+ flags &= ~MF_PAX_PAGEEXEC;
51572+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
51573+ flags &= ~MF_PAX_SEGMEXEC;
51574+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
51575+ flags &= ~MF_PAX_RANDMMAP;
51576+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
51577+ flags &= ~MF_PAX_EMUTRAMP;
51578+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
51579+ flags &= ~MF_PAX_MPROTECT;
51580+
51581+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
51582+ flags |= MF_PAX_PAGEEXEC;
51583+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
51584+ flags |= MF_PAX_SEGMEXEC;
51585+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
51586+ flags |= MF_PAX_RANDMMAP;
51587+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
51588+ flags |= MF_PAX_EMUTRAMP;
51589+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
51590+ flags |= MF_PAX_MPROTECT;
51591+
51592+ pax_set_flags(task, flags);
51593+
51594+ return;
51595+}
51596+#endif
51597+
51598+#ifdef CONFIG_SYSCTL
51599+/* Eric Biederman likes breaking userland ABI and every inode-based security
51600+ system to save 35kb of memory */
51601+
51602+/* we modify the passed in filename, but adjust it back before returning */
51603+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
51604+{
51605+ struct name_entry *nmatch;
51606+ char *p, *lastp = NULL;
51607+ struct acl_object_label *obj = NULL, *tmp;
51608+ struct acl_subject_label *tmpsubj;
51609+ char c = '\0';
51610+
51611+ read_lock(&gr_inode_lock);
51612+
51613+ p = name + len - 1;
51614+ do {
51615+ nmatch = lookup_name_entry(name);
51616+ if (lastp != NULL)
51617+ *lastp = c;
51618+
51619+ if (nmatch == NULL)
51620+ goto next_component;
51621+ tmpsubj = current->acl;
51622+ do {
51623+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
51624+ if (obj != NULL) {
51625+ tmp = obj->globbed;
51626+ while (tmp) {
51627+ if (!glob_match(tmp->filename, name)) {
51628+ obj = tmp;
51629+ goto found_obj;
51630+ }
51631+ tmp = tmp->next;
51632+ }
51633+ goto found_obj;
51634+ }
51635+ } while ((tmpsubj = tmpsubj->parent_subject));
51636+next_component:
51637+ /* end case */
51638+ if (p == name)
51639+ break;
51640+
51641+ while (*p != '/')
51642+ p--;
51643+ if (p == name)
51644+ lastp = p + 1;
51645+ else {
51646+ lastp = p;
51647+ p--;
51648+ }
51649+ c = *lastp;
51650+ *lastp = '\0';
51651+ } while (1);
51652+found_obj:
51653+ read_unlock(&gr_inode_lock);
51654+ /* obj returned will always be non-null */
51655+ return obj;
51656+}
51657+
51658+/* returns 0 when allowing, non-zero on error
51659+ op of 0 is used for readdir, so we don't log the names of hidden files
51660+*/
51661+__u32
51662+gr_handle_sysctl(const struct ctl_table *table, const int op)
51663+{
51664+ struct ctl_table *tmp;
51665+ const char *proc_sys = "/proc/sys";
51666+ char *path;
51667+ struct acl_object_label *obj;
51668+ unsigned short len = 0, pos = 0, depth = 0, i;
51669+ __u32 err = 0;
51670+ __u32 mode = 0;
51671+
51672+ if (unlikely(!(gr_status & GR_READY)))
51673+ return 0;
51674+
51675+ /* for now, ignore operations on non-sysctl entries if it's not a
51676+ readdir*/
51677+ if (table->child != NULL && op != 0)
51678+ return 0;
51679+
51680+ mode |= GR_FIND;
51681+ /* it's only a read if it's an entry, read on dirs is for readdir */
51682+ if (op & MAY_READ)
51683+ mode |= GR_READ;
51684+ if (op & MAY_WRITE)
51685+ mode |= GR_WRITE;
51686+
51687+ preempt_disable();
51688+
51689+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
51690+
51691+ /* it's only a read/write if it's an actual entry, not a dir
51692+ (which are opened for readdir)
51693+ */
51694+
51695+ /* convert the requested sysctl entry into a pathname */
51696+
51697+ for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
51698+ len += strlen(tmp->procname);
51699+ len++;
51700+ depth++;
51701+ }
51702+
51703+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
51704+ /* deny */
51705+ goto out;
51706+ }
51707+
51708+ memset(path, 0, PAGE_SIZE);
51709+
51710+ memcpy(path, proc_sys, strlen(proc_sys));
51711+
51712+ pos += strlen(proc_sys);
51713+
51714+ for (; depth > 0; depth--) {
51715+ path[pos] = '/';
51716+ pos++;
51717+ for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
51718+ if (depth == i) {
51719+ memcpy(path + pos, tmp->procname,
51720+ strlen(tmp->procname));
51721+ pos += strlen(tmp->procname);
51722+ }
51723+ i++;
51724+ }
51725+ }
51726+
51727+ obj = gr_lookup_by_name(path, pos);
51728+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
51729+
51730+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
51731+ ((err & mode) != mode))) {
51732+ __u32 new_mode = mode;
51733+
51734+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
51735+
51736+ err = 0;
51737+ gr_log_learn_sysctl(path, new_mode);
51738+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
51739+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
51740+ err = -ENOENT;
51741+ } else if (!(err & GR_FIND)) {
51742+ err = -ENOENT;
51743+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
51744+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
51745+ path, (mode & GR_READ) ? " reading" : "",
51746+ (mode & GR_WRITE) ? " writing" : "");
51747+ err = -EACCES;
51748+ } else if ((err & mode) != mode) {
51749+ err = -EACCES;
51750+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
51751+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
51752+ path, (mode & GR_READ) ? " reading" : "",
51753+ (mode & GR_WRITE) ? " writing" : "");
51754+ err = 0;
51755+ } else
51756+ err = 0;
51757+
51758+ out:
51759+ preempt_enable();
51760+
51761+ return err;
51762+}
51763+#endif
51764+
51765+int
51766+gr_handle_proc_ptrace(struct task_struct *task)
51767+{
51768+ struct file *filp;
51769+ struct task_struct *tmp = task;
51770+ struct task_struct *curtemp = current;
51771+ __u32 retmode;
51772+
51773+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
51774+ if (unlikely(!(gr_status & GR_READY)))
51775+ return 0;
51776+#endif
51777+
51778+ read_lock(&tasklist_lock);
51779+ read_lock(&grsec_exec_file_lock);
51780+ filp = task->exec_file;
51781+
51782+ while (tmp->pid > 0) {
51783+ if (tmp == curtemp)
51784+ break;
51785+ tmp = tmp->real_parent;
51786+ }
51787+
51788+ if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
51789+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
51790+ read_unlock(&grsec_exec_file_lock);
51791+ read_unlock(&tasklist_lock);
51792+ return 1;
51793+ }
51794+
51795+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
51796+ if (!(gr_status & GR_READY)) {
51797+ read_unlock(&grsec_exec_file_lock);
51798+ read_unlock(&tasklist_lock);
51799+ return 0;
51800+ }
51801+#endif
51802+
51803+ retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
51804+ read_unlock(&grsec_exec_file_lock);
51805+ read_unlock(&tasklist_lock);
51806+
51807+ if (retmode & GR_NOPTRACE)
51808+ return 1;
51809+
51810+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
51811+ && (current->acl != task->acl || (current->acl != current->role->root_label
51812+ && current->pid != task->pid)))
51813+ return 1;
51814+
51815+ return 0;
51816+}
51817+
51818+void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
51819+{
51820+ if (unlikely(!(gr_status & GR_READY)))
51821+ return;
51822+
51823+ if (!(current->role->roletype & GR_ROLE_GOD))
51824+ return;
51825+
51826+ seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
51827+ p->role->rolename, gr_task_roletype_to_char(p),
51828+ p->acl->filename);
51829+}
51830+
51831+int
51832+gr_handle_ptrace(struct task_struct *task, const long request)
51833+{
51834+ struct task_struct *tmp = task;
51835+ struct task_struct *curtemp = current;
51836+ __u32 retmode;
51837+
51838+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
51839+ if (unlikely(!(gr_status & GR_READY)))
51840+ return 0;
51841+#endif
51842+
51843+ read_lock(&tasklist_lock);
51844+ while (tmp->pid > 0) {
51845+ if (tmp == curtemp)
51846+ break;
51847+ tmp = tmp->real_parent;
51848+ }
51849+
51850+ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
51851+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
51852+ read_unlock(&tasklist_lock);
51853+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51854+ return 1;
51855+ }
51856+ read_unlock(&tasklist_lock);
51857+
51858+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
51859+ if (!(gr_status & GR_READY))
51860+ return 0;
51861+#endif
51862+
51863+ read_lock(&grsec_exec_file_lock);
51864+ if (unlikely(!task->exec_file)) {
51865+ read_unlock(&grsec_exec_file_lock);
51866+ return 0;
51867+ }
51868+
51869+ retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
51870+ read_unlock(&grsec_exec_file_lock);
51871+
51872+ if (retmode & GR_NOPTRACE) {
51873+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51874+ return 1;
51875+ }
51876+
51877+ if (retmode & GR_PTRACERD) {
51878+ switch (request) {
51879+ case PTRACE_POKETEXT:
51880+ case PTRACE_POKEDATA:
51881+ case PTRACE_POKEUSR:
51882+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
51883+ case PTRACE_SETREGS:
51884+ case PTRACE_SETFPREGS:
51885+#endif
51886+#ifdef CONFIG_X86
51887+ case PTRACE_SETFPXREGS:
51888+#endif
51889+#ifdef CONFIG_ALTIVEC
51890+ case PTRACE_SETVRREGS:
51891+#endif
51892+ return 1;
51893+ default:
51894+ return 0;
51895+ }
51896+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
51897+ !(current->role->roletype & GR_ROLE_GOD) &&
51898+ (current->acl != task->acl)) {
51899+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51900+ return 1;
51901+ }
51902+
51903+ return 0;
51904+}
51905+
51906+static int is_writable_mmap(const struct file *filp)
51907+{
51908+ struct task_struct *task = current;
51909+ struct acl_object_label *obj, *obj2;
51910+
51911+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
51912+ !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
51913+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
51914+ obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
51915+ task->role->root_label);
51916+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
51917+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
51918+ return 1;
51919+ }
51920+ }
51921+ return 0;
51922+}
51923+
51924+int
51925+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
51926+{
51927+ __u32 mode;
51928+
51929+ if (unlikely(!file || !(prot & PROT_EXEC)))
51930+ return 1;
51931+
51932+ if (is_writable_mmap(file))
51933+ return 0;
51934+
51935+ mode =
51936+ gr_search_file(file->f_path.dentry,
51937+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
51938+ file->f_path.mnt);
51939+
51940+ if (!gr_tpe_allow(file))
51941+ return 0;
51942+
51943+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
51944+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51945+ return 0;
51946+ } else if (unlikely(!(mode & GR_EXEC))) {
51947+ return 0;
51948+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
51949+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51950+ return 1;
51951+ }
51952+
51953+ return 1;
51954+}
51955+
51956+int
51957+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
51958+{
51959+ __u32 mode;
51960+
51961+ if (unlikely(!file || !(prot & PROT_EXEC)))
51962+ return 1;
51963+
51964+ if (is_writable_mmap(file))
51965+ return 0;
51966+
51967+ mode =
51968+ gr_search_file(file->f_path.dentry,
51969+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
51970+ file->f_path.mnt);
51971+
51972+ if (!gr_tpe_allow(file))
51973+ return 0;
51974+
51975+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
51976+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51977+ return 0;
51978+ } else if (unlikely(!(mode & GR_EXEC))) {
51979+ return 0;
51980+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
51981+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51982+ return 1;
51983+ }
51984+
51985+ return 1;
51986+}
51987+
51988+void
51989+gr_acl_handle_psacct(struct task_struct *task, const long code)
51990+{
51991+ unsigned long runtime;
51992+ unsigned long cputime;
51993+ unsigned int wday, cday;
51994+ __u8 whr, chr;
51995+ __u8 wmin, cmin;
51996+ __u8 wsec, csec;
51997+ struct timespec timeval;
51998+
51999+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
52000+ !(task->acl->mode & GR_PROCACCT)))
52001+ return;
52002+
52003+ do_posix_clock_monotonic_gettime(&timeval);
52004+ runtime = timeval.tv_sec - task->start_time.tv_sec;
52005+ wday = runtime / (3600 * 24);
52006+ runtime -= wday * (3600 * 24);
52007+ whr = runtime / 3600;
52008+ runtime -= whr * 3600;
52009+ wmin = runtime / 60;
52010+ runtime -= wmin * 60;
52011+ wsec = runtime;
52012+
52013+ cputime = (task->utime + task->stime) / HZ;
52014+ cday = cputime / (3600 * 24);
52015+ cputime -= cday * (3600 * 24);
52016+ chr = cputime / 3600;
52017+ cputime -= chr * 3600;
52018+ cmin = cputime / 60;
52019+ cputime -= cmin * 60;
52020+ csec = cputime;
52021+
52022+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
52023+
52024+ return;
52025+}
52026+
52027+void gr_set_kernel_label(struct task_struct *task)
52028+{
52029+ if (gr_status & GR_READY) {
52030+ task->role = kernel_role;
52031+ task->acl = kernel_role->root_label;
52032+ }
52033+ return;
52034+}
52035+
52036+#ifdef CONFIG_TASKSTATS
52037+int gr_is_taskstats_denied(int pid)
52038+{
52039+ struct task_struct *task;
52040+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52041+ const struct cred *cred;
52042+#endif
52043+ int ret = 0;
52044+
52045+ /* restrict taskstats viewing to un-chrooted root users
52046+ who have the 'view' subject flag if the RBAC system is enabled
52047+ */
52048+
52049+ rcu_read_lock();
52050+ read_lock(&tasklist_lock);
52051+ task = find_task_by_vpid(pid);
52052+ if (task) {
52053+#ifdef CONFIG_GRKERNSEC_CHROOT
52054+ if (proc_is_chrooted(task))
52055+ ret = -EACCES;
52056+#endif
52057+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52058+ cred = __task_cred(task);
52059+#ifdef CONFIG_GRKERNSEC_PROC_USER
52060+ if (cred->uid != 0)
52061+ ret = -EACCES;
52062+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
52063+ if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
52064+ ret = -EACCES;
52065+#endif
52066+#endif
52067+ if (gr_status & GR_READY) {
52068+ if (!(task->acl->mode & GR_VIEW))
52069+ ret = -EACCES;
52070+ }
52071+ } else
52072+ ret = -ENOENT;
52073+
52074+ read_unlock(&tasklist_lock);
52075+ rcu_read_unlock();
52076+
52077+ return ret;
52078+}
52079+#endif
52080+
52081+/* AUXV entries are filled via a descendant of search_binary_handler
52082+ after we've already applied the subject for the target
52083+*/
52084+int gr_acl_enable_at_secure(void)
52085+{
52086+ if (unlikely(!(gr_status & GR_READY)))
52087+ return 0;
52088+
52089+ if (current->acl->mode & GR_ATSECURE)
52090+ return 1;
52091+
52092+ return 0;
52093+}
52094+
52095+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
52096+{
52097+ struct task_struct *task = current;
52098+ struct dentry *dentry = file->f_path.dentry;
52099+ struct vfsmount *mnt = file->f_path.mnt;
52100+ struct acl_object_label *obj, *tmp;
52101+ struct acl_subject_label *subj;
52102+ unsigned int bufsize;
52103+ int is_not_root;
52104+ char *path;
52105+ dev_t dev = __get_dev(dentry);
52106+
52107+ if (unlikely(!(gr_status & GR_READY)))
52108+ return 1;
52109+
52110+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
52111+ return 1;
52112+
52113+ /* ignore Eric Biederman */
52114+ if (IS_PRIVATE(dentry->d_inode))
52115+ return 1;
52116+
52117+ subj = task->acl;
52118+ do {
52119+ obj = lookup_acl_obj_label(ino, dev, subj);
52120+ if (obj != NULL)
52121+ return (obj->mode & GR_FIND) ? 1 : 0;
52122+ } while ((subj = subj->parent_subject));
52123+
52124+ /* this is purely an optimization since we're looking for an object
52125+ for the directory we're doing a readdir on
52126+ if it's possible for any globbed object to match the entry we're
52127+ filling into the directory, then the object we find here will be
52128+ an anchor point with attached globbed objects
52129+ */
52130+ obj = chk_obj_label_noglob(dentry, mnt, task->acl);
52131+ if (obj->globbed == NULL)
52132+ return (obj->mode & GR_FIND) ? 1 : 0;
52133+
52134+ is_not_root = ((obj->filename[0] == '/') &&
52135+ (obj->filename[1] == '\0')) ? 0 : 1;
52136+ bufsize = PAGE_SIZE - namelen - is_not_root;
52137+
52138+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
52139+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
52140+ return 1;
52141+
52142+ preempt_disable();
52143+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
52144+ bufsize);
52145+
52146+ bufsize = strlen(path);
52147+
52148+ /* if base is "/", don't append an additional slash */
52149+ if (is_not_root)
52150+ *(path + bufsize) = '/';
52151+ memcpy(path + bufsize + is_not_root, name, namelen);
52152+ *(path + bufsize + namelen + is_not_root) = '\0';
52153+
52154+ tmp = obj->globbed;
52155+ while (tmp) {
52156+ if (!glob_match(tmp->filename, path)) {
52157+ preempt_enable();
52158+ return (tmp->mode & GR_FIND) ? 1 : 0;
52159+ }
52160+ tmp = tmp->next;
52161+ }
52162+ preempt_enable();
52163+ return (obj->mode & GR_FIND) ? 1 : 0;
52164+}
52165+
52166+#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
52167+EXPORT_SYMBOL(gr_acl_is_enabled);
52168+#endif
52169+EXPORT_SYMBOL(gr_learn_resource);
52170+EXPORT_SYMBOL(gr_set_kernel_label);
52171+#ifdef CONFIG_SECURITY
52172+EXPORT_SYMBOL(gr_check_user_change);
52173+EXPORT_SYMBOL(gr_check_group_change);
52174+#endif
52175+
52176diff -urNp linux-3.0.7/grsecurity/gracl_alloc.c linux-3.0.7/grsecurity/gracl_alloc.c
52177--- linux-3.0.7/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
52178+++ linux-3.0.7/grsecurity/gracl_alloc.c 2011-08-23 21:48:14.000000000 -0400
52179@@ -0,0 +1,105 @@
52180+#include <linux/kernel.h>
52181+#include <linux/mm.h>
52182+#include <linux/slab.h>
52183+#include <linux/vmalloc.h>
52184+#include <linux/gracl.h>
52185+#include <linux/grsecurity.h>
52186+
52187+static unsigned long alloc_stack_next = 1;
52188+static unsigned long alloc_stack_size = 1;
52189+static void **alloc_stack;
52190+
52191+static __inline__ int
52192+alloc_pop(void)
52193+{
52194+ if (alloc_stack_next == 1)
52195+ return 0;
52196+
52197+ kfree(alloc_stack[alloc_stack_next - 2]);
52198+
52199+ alloc_stack_next--;
52200+
52201+ return 1;
52202+}
52203+
52204+static __inline__ int
52205+alloc_push(void *buf)
52206+{
52207+ if (alloc_stack_next >= alloc_stack_size)
52208+ return 1;
52209+
52210+ alloc_stack[alloc_stack_next - 1] = buf;
52211+
52212+ alloc_stack_next++;
52213+
52214+ return 0;
52215+}
52216+
52217+void *
52218+acl_alloc(unsigned long len)
52219+{
52220+ void *ret = NULL;
52221+
52222+ if (!len || len > PAGE_SIZE)
52223+ goto out;
52224+
52225+ ret = kmalloc(len, GFP_KERNEL);
52226+
52227+ if (ret) {
52228+ if (alloc_push(ret)) {
52229+ kfree(ret);
52230+ ret = NULL;
52231+ }
52232+ }
52233+
52234+out:
52235+ return ret;
52236+}
52237+
52238+void *
52239+acl_alloc_num(unsigned long num, unsigned long len)
52240+{
52241+ if (!len || (num > (PAGE_SIZE / len)))
52242+ return NULL;
52243+
52244+ return acl_alloc(num * len);
52245+}
52246+
52247+void
52248+acl_free_all(void)
52249+{
52250+ if (gr_acl_is_enabled() || !alloc_stack)
52251+ return;
52252+
52253+ while (alloc_pop()) ;
52254+
52255+ if (alloc_stack) {
52256+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
52257+ kfree(alloc_stack);
52258+ else
52259+ vfree(alloc_stack);
52260+ }
52261+
52262+ alloc_stack = NULL;
52263+ alloc_stack_size = 1;
52264+ alloc_stack_next = 1;
52265+
52266+ return;
52267+}
52268+
52269+int
52270+acl_alloc_stack_init(unsigned long size)
52271+{
52272+ if ((size * sizeof (void *)) <= PAGE_SIZE)
52273+ alloc_stack =
52274+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
52275+ else
52276+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
52277+
52278+ alloc_stack_size = size;
52279+
52280+ if (!alloc_stack)
52281+ return 0;
52282+ else
52283+ return 1;
52284+}
52285diff -urNp linux-3.0.7/grsecurity/gracl_cap.c linux-3.0.7/grsecurity/gracl_cap.c
52286--- linux-3.0.7/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
52287+++ linux-3.0.7/grsecurity/gracl_cap.c 2011-09-14 09:21:24.000000000 -0400
52288@@ -0,0 +1,101 @@
52289+#include <linux/kernel.h>
52290+#include <linux/module.h>
52291+#include <linux/sched.h>
52292+#include <linux/gracl.h>
52293+#include <linux/grsecurity.h>
52294+#include <linux/grinternal.h>
52295+
52296+extern const char *captab_log[];
52297+extern int captab_log_entries;
52298+
52299+int
52300+gr_acl_is_capable(const int cap)
52301+{
52302+ struct task_struct *task = current;
52303+ const struct cred *cred = current_cred();
52304+ struct acl_subject_label *curracl;
52305+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
52306+ kernel_cap_t cap_audit = __cap_empty_set;
52307+
52308+ if (!gr_acl_is_enabled())
52309+ return 1;
52310+
52311+ curracl = task->acl;
52312+
52313+ cap_drop = curracl->cap_lower;
52314+ cap_mask = curracl->cap_mask;
52315+ cap_audit = curracl->cap_invert_audit;
52316+
52317+ while ((curracl = curracl->parent_subject)) {
52318+ /* if the cap isn't specified in the current computed mask but is specified in the
52319+ current level subject, and is lowered in the current level subject, then add
52320+ it to the set of dropped capabilities
52321+ otherwise, add the current level subject's mask to the current computed mask
52322+ */
52323+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
52324+ cap_raise(cap_mask, cap);
52325+ if (cap_raised(curracl->cap_lower, cap))
52326+ cap_raise(cap_drop, cap);
52327+ if (cap_raised(curracl->cap_invert_audit, cap))
52328+ cap_raise(cap_audit, cap);
52329+ }
52330+ }
52331+
52332+ if (!cap_raised(cap_drop, cap)) {
52333+ if (cap_raised(cap_audit, cap))
52334+ gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
52335+ return 1;
52336+ }
52337+
52338+ curracl = task->acl;
52339+
52340+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
52341+ && cap_raised(cred->cap_effective, cap)) {
52342+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
52343+ task->role->roletype, cred->uid,
52344+ cred->gid, task->exec_file ?
52345+ gr_to_filename(task->exec_file->f_path.dentry,
52346+ task->exec_file->f_path.mnt) : curracl->filename,
52347+ curracl->filename, 0UL,
52348+ 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
52349+ return 1;
52350+ }
52351+
52352+ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
52353+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
52354+ return 0;
52355+}
52356+
52357+int
52358+gr_acl_is_capable_nolog(const int cap)
52359+{
52360+ struct acl_subject_label *curracl;
52361+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
52362+
52363+ if (!gr_acl_is_enabled())
52364+ return 1;
52365+
52366+ curracl = current->acl;
52367+
52368+ cap_drop = curracl->cap_lower;
52369+ cap_mask = curracl->cap_mask;
52370+
52371+ while ((curracl = curracl->parent_subject)) {
52372+ /* if the cap isn't specified in the current computed mask but is specified in the
52373+ current level subject, and is lowered in the current level subject, then add
52374+ it to the set of dropped capabilities
52375+ otherwise, add the current level subject's mask to the current computed mask
52376+ */
52377+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
52378+ cap_raise(cap_mask, cap);
52379+ if (cap_raised(curracl->cap_lower, cap))
52380+ cap_raise(cap_drop, cap);
52381+ }
52382+ }
52383+
52384+ if (!cap_raised(cap_drop, cap))
52385+ return 1;
52386+
52387+ return 0;
52388+}
52389+
52390diff -urNp linux-3.0.7/grsecurity/gracl_fs.c linux-3.0.7/grsecurity/gracl_fs.c
52391--- linux-3.0.7/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
52392+++ linux-3.0.7/grsecurity/gracl_fs.c 2011-10-17 01:22:26.000000000 -0400
52393@@ -0,0 +1,431 @@
52394+#include <linux/kernel.h>
52395+#include <linux/sched.h>
52396+#include <linux/types.h>
52397+#include <linux/fs.h>
52398+#include <linux/file.h>
52399+#include <linux/stat.h>
52400+#include <linux/grsecurity.h>
52401+#include <linux/grinternal.h>
52402+#include <linux/gracl.h>
52403+
52404+__u32
52405+gr_acl_handle_hidden_file(const struct dentry * dentry,
52406+ const struct vfsmount * mnt)
52407+{
52408+ __u32 mode;
52409+
52410+ if (unlikely(!dentry->d_inode))
52411+ return GR_FIND;
52412+
52413+ mode =
52414+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
52415+
52416+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
52417+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
52418+ return mode;
52419+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
52420+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
52421+ return 0;
52422+ } else if (unlikely(!(mode & GR_FIND)))
52423+ return 0;
52424+
52425+ return GR_FIND;
52426+}
52427+
52428+__u32
52429+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
52430+ const int fmode)
52431+{
52432+ __u32 reqmode = GR_FIND;
52433+ __u32 mode;
52434+
52435+ if (unlikely(!dentry->d_inode))
52436+ return reqmode;
52437+
52438+ if (unlikely(fmode & O_APPEND))
52439+ reqmode |= GR_APPEND;
52440+ else if (unlikely(fmode & FMODE_WRITE))
52441+ reqmode |= GR_WRITE;
52442+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
52443+ reqmode |= GR_READ;
52444+ if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
52445+ reqmode &= ~GR_READ;
52446+ mode =
52447+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
52448+ mnt);
52449+
52450+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
52451+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
52452+ reqmode & GR_READ ? " reading" : "",
52453+ reqmode & GR_WRITE ? " writing" : reqmode &
52454+ GR_APPEND ? " appending" : "");
52455+ return reqmode;
52456+ } else
52457+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
52458+ {
52459+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
52460+ reqmode & GR_READ ? " reading" : "",
52461+ reqmode & GR_WRITE ? " writing" : reqmode &
52462+ GR_APPEND ? " appending" : "");
52463+ return 0;
52464+ } else if (unlikely((mode & reqmode) != reqmode))
52465+ return 0;
52466+
52467+ return reqmode;
52468+}
52469+
52470+__u32
52471+gr_acl_handle_creat(const struct dentry * dentry,
52472+ const struct dentry * p_dentry,
52473+ const struct vfsmount * p_mnt, const int fmode,
52474+ const int imode)
52475+{
52476+ __u32 reqmode = GR_WRITE | GR_CREATE;
52477+ __u32 mode;
52478+
52479+ if (unlikely(fmode & O_APPEND))
52480+ reqmode |= GR_APPEND;
52481+ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
52482+ reqmode |= GR_READ;
52483+ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
52484+ reqmode |= GR_SETID;
52485+
52486+ mode =
52487+ gr_check_create(dentry, p_dentry, p_mnt,
52488+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
52489+
52490+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
52491+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
52492+ reqmode & GR_READ ? " reading" : "",
52493+ reqmode & GR_WRITE ? " writing" : reqmode &
52494+ GR_APPEND ? " appending" : "");
52495+ return reqmode;
52496+ } else
52497+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
52498+ {
52499+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
52500+ reqmode & GR_READ ? " reading" : "",
52501+ reqmode & GR_WRITE ? " writing" : reqmode &
52502+ GR_APPEND ? " appending" : "");
52503+ return 0;
52504+ } else if (unlikely((mode & reqmode) != reqmode))
52505+ return 0;
52506+
52507+ return reqmode;
52508+}
52509+
52510+__u32
52511+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
52512+ const int fmode)
52513+{
52514+ __u32 mode, reqmode = GR_FIND;
52515+
52516+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
52517+ reqmode |= GR_EXEC;
52518+ if (fmode & S_IWOTH)
52519+ reqmode |= GR_WRITE;
52520+ if (fmode & S_IROTH)
52521+ reqmode |= GR_READ;
52522+
52523+ mode =
52524+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
52525+ mnt);
52526+
52527+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
52528+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
52529+ reqmode & GR_READ ? " reading" : "",
52530+ reqmode & GR_WRITE ? " writing" : "",
52531+ reqmode & GR_EXEC ? " executing" : "");
52532+ return reqmode;
52533+ } else
52534+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
52535+ {
52536+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
52537+ reqmode & GR_READ ? " reading" : "",
52538+ reqmode & GR_WRITE ? " writing" : "",
52539+ reqmode & GR_EXEC ? " executing" : "");
52540+ return 0;
52541+ } else if (unlikely((mode & reqmode) != reqmode))
52542+ return 0;
52543+
52544+ return reqmode;
52545+}
52546+
52547+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
52548+{
52549+ __u32 mode;
52550+
52551+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
52552+
52553+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
52554+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
52555+ return mode;
52556+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
52557+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
52558+ return 0;
52559+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
52560+ return 0;
52561+
52562+ return (reqmode);
52563+}
52564+
52565+__u32
52566+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
52567+{
52568+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
52569+}
52570+
52571+__u32
52572+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
52573+{
52574+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
52575+}
52576+
52577+__u32
52578+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
52579+{
52580+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
52581+}
52582+
52583+__u32
52584+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
52585+{
52586+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
52587+}
52588+
52589+__u32
52590+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
52591+ mode_t mode)
52592+{
52593+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
52594+ return 1;
52595+
52596+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
52597+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
52598+ GR_FCHMOD_ACL_MSG);
52599+ } else {
52600+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
52601+ }
52602+}
52603+
52604+__u32
52605+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
52606+ mode_t mode)
52607+{
52608+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
52609+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
52610+ GR_CHMOD_ACL_MSG);
52611+ } else {
52612+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
52613+ }
52614+}
52615+
52616+__u32
52617+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
52618+{
52619+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
52620+}
52621+
52622+__u32
52623+gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
52624+{
52625+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
52626+}
52627+
52628+__u32
52629+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
52630+{
52631+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
52632+}
52633+
52634+__u32
52635+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
52636+{
52637+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
52638+ GR_UNIXCONNECT_ACL_MSG);
52639+}
52640+
52641+/* hardlinks require at minimum create and link permission,
52642+ any additional privilege required is based on the
52643+ privilege of the file being linked to
52644+*/
52645+__u32
52646+gr_acl_handle_link(const struct dentry * new_dentry,
52647+ const struct dentry * parent_dentry,
52648+ const struct vfsmount * parent_mnt,
52649+ const struct dentry * old_dentry,
52650+ const struct vfsmount * old_mnt, const char *to)
52651+{
52652+ __u32 mode;
52653+ __u32 needmode = GR_CREATE | GR_LINK;
52654+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
52655+
52656+ mode =
52657+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
52658+ old_mnt);
52659+
52660+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
52661+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
52662+ return mode;
52663+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
52664+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
52665+ return 0;
52666+ } else if (unlikely((mode & needmode) != needmode))
52667+ return 0;
52668+
52669+ return 1;
52670+}
52671+
52672+__u32
52673+gr_acl_handle_symlink(const struct dentry * new_dentry,
52674+ const struct dentry * parent_dentry,
52675+ const struct vfsmount * parent_mnt, const char *from)
52676+{
52677+ __u32 needmode = GR_WRITE | GR_CREATE;
52678+ __u32 mode;
52679+
52680+ mode =
52681+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
52682+ GR_CREATE | GR_AUDIT_CREATE |
52683+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
52684+
52685+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
52686+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
52687+ return mode;
52688+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
52689+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
52690+ return 0;
52691+ } else if (unlikely((mode & needmode) != needmode))
52692+ return 0;
52693+
52694+ return (GR_WRITE | GR_CREATE);
52695+}
52696+
52697+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
52698+{
52699+ __u32 mode;
52700+
52701+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
52702+
52703+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
52704+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
52705+ return mode;
52706+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
52707+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
52708+ return 0;
52709+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
52710+ return 0;
52711+
52712+ return (reqmode);
52713+}
52714+
52715+__u32
52716+gr_acl_handle_mknod(const struct dentry * new_dentry,
52717+ const struct dentry * parent_dentry,
52718+ const struct vfsmount * parent_mnt,
52719+ const int mode)
52720+{
52721+ __u32 reqmode = GR_WRITE | GR_CREATE;
52722+ if (unlikely(mode & (S_ISUID | S_ISGID)))
52723+ reqmode |= GR_SETID;
52724+
52725+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
52726+ reqmode, GR_MKNOD_ACL_MSG);
52727+}
52728+
52729+__u32
52730+gr_acl_handle_mkdir(const struct dentry *new_dentry,
52731+ const struct dentry *parent_dentry,
52732+ const struct vfsmount *parent_mnt)
52733+{
52734+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
52735+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
52736+}
52737+
52738+#define RENAME_CHECK_SUCCESS(old, new) \
52739+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
52740+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
52741+
52742+int
52743+gr_acl_handle_rename(struct dentry *new_dentry,
52744+ struct dentry *parent_dentry,
52745+ const struct vfsmount *parent_mnt,
52746+ struct dentry *old_dentry,
52747+ struct inode *old_parent_inode,
52748+ struct vfsmount *old_mnt, const char *newname)
52749+{
52750+ __u32 comp1, comp2;
52751+ int error = 0;
52752+
52753+ if (unlikely(!gr_acl_is_enabled()))
52754+ return 0;
52755+
52756+ if (!new_dentry->d_inode) {
52757+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
52758+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
52759+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
52760+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
52761+ GR_DELETE | GR_AUDIT_DELETE |
52762+ GR_AUDIT_READ | GR_AUDIT_WRITE |
52763+ GR_SUPPRESS, old_mnt);
52764+ } else {
52765+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
52766+ GR_CREATE | GR_DELETE |
52767+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
52768+ GR_AUDIT_READ | GR_AUDIT_WRITE |
52769+ GR_SUPPRESS, parent_mnt);
52770+ comp2 =
52771+ gr_search_file(old_dentry,
52772+ GR_READ | GR_WRITE | GR_AUDIT_READ |
52773+ GR_DELETE | GR_AUDIT_DELETE |
52774+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
52775+ }
52776+
52777+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
52778+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
52779+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
52780+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
52781+ && !(comp2 & GR_SUPPRESS)) {
52782+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
52783+ error = -EACCES;
52784+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
52785+ error = -EACCES;
52786+
52787+ return error;
52788+}
52789+
52790+void
52791+gr_acl_handle_exit(void)
52792+{
52793+ u16 id;
52794+ char *rolename;
52795+ struct file *exec_file;
52796+
52797+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
52798+ !(current->role->roletype & GR_ROLE_PERSIST))) {
52799+ id = current->acl_role_id;
52800+ rolename = current->role->rolename;
52801+ gr_set_acls(1);
52802+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
52803+ }
52804+
52805+ write_lock(&grsec_exec_file_lock);
52806+ exec_file = current->exec_file;
52807+ current->exec_file = NULL;
52808+ write_unlock(&grsec_exec_file_lock);
52809+
52810+ if (exec_file)
52811+ fput(exec_file);
52812+}
52813+
52814+int
52815+gr_acl_handle_procpidmem(const struct task_struct *task)
52816+{
52817+ if (unlikely(!gr_acl_is_enabled()))
52818+ return 0;
52819+
52820+ if (task != current && task->acl->mode & GR_PROTPROCFD)
52821+ return -EACCES;
52822+
52823+ return 0;
52824+}
52825diff -urNp linux-3.0.7/grsecurity/gracl_ip.c linux-3.0.7/grsecurity/gracl_ip.c
52826--- linux-3.0.7/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
52827+++ linux-3.0.7/grsecurity/gracl_ip.c 2011-08-23 21:48:14.000000000 -0400
52828@@ -0,0 +1,381 @@
52829+#include <linux/kernel.h>
52830+#include <asm/uaccess.h>
52831+#include <asm/errno.h>
52832+#include <net/sock.h>
52833+#include <linux/file.h>
52834+#include <linux/fs.h>
52835+#include <linux/net.h>
52836+#include <linux/in.h>
52837+#include <linux/skbuff.h>
52838+#include <linux/ip.h>
52839+#include <linux/udp.h>
52840+#include <linux/types.h>
52841+#include <linux/sched.h>
52842+#include <linux/netdevice.h>
52843+#include <linux/inetdevice.h>
52844+#include <linux/gracl.h>
52845+#include <linux/grsecurity.h>
52846+#include <linux/grinternal.h>
52847+
52848+#define GR_BIND 0x01
52849+#define GR_CONNECT 0x02
52850+#define GR_INVERT 0x04
52851+#define GR_BINDOVERRIDE 0x08
52852+#define GR_CONNECTOVERRIDE 0x10
52853+#define GR_SOCK_FAMILY 0x20
52854+
52855+static const char * gr_protocols[IPPROTO_MAX] = {
52856+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
52857+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
52858+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
52859+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
52860+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
52861+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
52862+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
52863+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
52864+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
52865+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
52866+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
52867+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
52868+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
52869+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
52870+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
52871+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
52872+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
52873+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
52874+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
52875+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
52876+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
52877+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
52878+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
52879+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
52880+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
52881+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
52882+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
52883+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
52884+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
52885+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
52886+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
52887+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
52888+ };
52889+
52890+static const char * gr_socktypes[SOCK_MAX] = {
52891+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
52892+ "unknown:7", "unknown:8", "unknown:9", "packet"
52893+ };
52894+
52895+static const char * gr_sockfamilies[AF_MAX+1] = {
52896+ "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
52897+ "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
52898+ "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
52899+ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
52900+ };
52901+
52902+const char *
52903+gr_proto_to_name(unsigned char proto)
52904+{
52905+ return gr_protocols[proto];
52906+}
52907+
52908+const char *
52909+gr_socktype_to_name(unsigned char type)
52910+{
52911+ return gr_socktypes[type];
52912+}
52913+
52914+const char *
52915+gr_sockfamily_to_name(unsigned char family)
52916+{
52917+ return gr_sockfamilies[family];
52918+}
52919+
52920+int
52921+gr_search_socket(const int domain, const int type, const int protocol)
52922+{
52923+ struct acl_subject_label *curr;
52924+ const struct cred *cred = current_cred();
52925+
52926+ if (unlikely(!gr_acl_is_enabled()))
52927+ goto exit;
52928+
52929+ if ((domain < 0) || (type < 0) || (protocol < 0) ||
52930+ (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
52931+ goto exit; // let the kernel handle it
52932+
52933+ curr = current->acl;
52934+
52935+ if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
52936+ /* the family is allowed, if this is PF_INET allow it only if
52937+ the extra sock type/protocol checks pass */
52938+ if (domain == PF_INET)
52939+ goto inet_check;
52940+ goto exit;
52941+ } else {
52942+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52943+ __u32 fakeip = 0;
52944+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52945+ current->role->roletype, cred->uid,
52946+ cred->gid, current->exec_file ?
52947+ gr_to_filename(current->exec_file->f_path.dentry,
52948+ current->exec_file->f_path.mnt) :
52949+ curr->filename, curr->filename,
52950+ &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
52951+ &current->signal->saved_ip);
52952+ goto exit;
52953+ }
52954+ goto exit_fail;
52955+ }
52956+
52957+inet_check:
52958+ /* the rest of this checking is for IPv4 only */
52959+ if (!curr->ips)
52960+ goto exit;
52961+
52962+ if ((curr->ip_type & (1 << type)) &&
52963+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
52964+ goto exit;
52965+
52966+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52967+ /* we don't place acls on raw sockets , and sometimes
52968+ dgram/ip sockets are opened for ioctl and not
52969+ bind/connect, so we'll fake a bind learn log */
52970+ if (type == SOCK_RAW || type == SOCK_PACKET) {
52971+ __u32 fakeip = 0;
52972+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52973+ current->role->roletype, cred->uid,
52974+ cred->gid, current->exec_file ?
52975+ gr_to_filename(current->exec_file->f_path.dentry,
52976+ current->exec_file->f_path.mnt) :
52977+ curr->filename, curr->filename,
52978+ &fakeip, 0, type,
52979+ protocol, GR_CONNECT, &current->signal->saved_ip);
52980+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
52981+ __u32 fakeip = 0;
52982+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52983+ current->role->roletype, cred->uid,
52984+ cred->gid, current->exec_file ?
52985+ gr_to_filename(current->exec_file->f_path.dentry,
52986+ current->exec_file->f_path.mnt) :
52987+ curr->filename, curr->filename,
52988+ &fakeip, 0, type,
52989+ protocol, GR_BIND, &current->signal->saved_ip);
52990+ }
52991+ /* we'll log when they use connect or bind */
52992+ goto exit;
52993+ }
52994+
52995+exit_fail:
52996+ if (domain == PF_INET)
52997+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
52998+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
52999+ else
53000+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
53001+ gr_socktype_to_name(type), protocol);
53002+
53003+ return 0;
53004+exit:
53005+ return 1;
53006+}
53007+
53008+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
53009+{
53010+ if ((ip->mode & mode) &&
53011+ (ip_port >= ip->low) &&
53012+ (ip_port <= ip->high) &&
53013+ ((ntohl(ip_addr) & our_netmask) ==
53014+ (ntohl(our_addr) & our_netmask))
53015+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
53016+ && (ip->type & (1 << type))) {
53017+ if (ip->mode & GR_INVERT)
53018+ return 2; // specifically denied
53019+ else
53020+ return 1; // allowed
53021+ }
53022+
53023+ return 0; // not specifically allowed, may continue parsing
53024+}
53025+
53026+static int
53027+gr_search_connectbind(const int full_mode, struct sock *sk,
53028+ struct sockaddr_in *addr, const int type)
53029+{
53030+ char iface[IFNAMSIZ] = {0};
53031+ struct acl_subject_label *curr;
53032+ struct acl_ip_label *ip;
53033+ struct inet_sock *isk;
53034+ struct net_device *dev;
53035+ struct in_device *idev;
53036+ unsigned long i;
53037+ int ret;
53038+ int mode = full_mode & (GR_BIND | GR_CONNECT);
53039+ __u32 ip_addr = 0;
53040+ __u32 our_addr;
53041+ __u32 our_netmask;
53042+ char *p;
53043+ __u16 ip_port = 0;
53044+ const struct cred *cred = current_cred();
53045+
53046+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
53047+ return 0;
53048+
53049+ curr = current->acl;
53050+ isk = inet_sk(sk);
53051+
53052+ /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
53053+ if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
53054+ addr->sin_addr.s_addr = curr->inaddr_any_override;
53055+ if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
53056+ struct sockaddr_in saddr;
53057+ int err;
53058+
53059+ saddr.sin_family = AF_INET;
53060+ saddr.sin_addr.s_addr = curr->inaddr_any_override;
53061+ saddr.sin_port = isk->inet_sport;
53062+
53063+ err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
53064+ if (err)
53065+ return err;
53066+
53067+ err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
53068+ if (err)
53069+ return err;
53070+ }
53071+
53072+ if (!curr->ips)
53073+ return 0;
53074+
53075+ ip_addr = addr->sin_addr.s_addr;
53076+ ip_port = ntohs(addr->sin_port);
53077+
53078+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
53079+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
53080+ current->role->roletype, cred->uid,
53081+ cred->gid, current->exec_file ?
53082+ gr_to_filename(current->exec_file->f_path.dentry,
53083+ current->exec_file->f_path.mnt) :
53084+ curr->filename, curr->filename,
53085+ &ip_addr, ip_port, type,
53086+ sk->sk_protocol, mode, &current->signal->saved_ip);
53087+ return 0;
53088+ }
53089+
53090+ for (i = 0; i < curr->ip_num; i++) {
53091+ ip = *(curr->ips + i);
53092+ if (ip->iface != NULL) {
53093+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
53094+ p = strchr(iface, ':');
53095+ if (p != NULL)
53096+ *p = '\0';
53097+ dev = dev_get_by_name(sock_net(sk), iface);
53098+ if (dev == NULL)
53099+ continue;
53100+ idev = in_dev_get(dev);
53101+ if (idev == NULL) {
53102+ dev_put(dev);
53103+ continue;
53104+ }
53105+ rcu_read_lock();
53106+ for_ifa(idev) {
53107+ if (!strcmp(ip->iface, ifa->ifa_label)) {
53108+ our_addr = ifa->ifa_address;
53109+ our_netmask = 0xffffffff;
53110+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
53111+ if (ret == 1) {
53112+ rcu_read_unlock();
53113+ in_dev_put(idev);
53114+ dev_put(dev);
53115+ return 0;
53116+ } else if (ret == 2) {
53117+ rcu_read_unlock();
53118+ in_dev_put(idev);
53119+ dev_put(dev);
53120+ goto denied;
53121+ }
53122+ }
53123+ } endfor_ifa(idev);
53124+ rcu_read_unlock();
53125+ in_dev_put(idev);
53126+ dev_put(dev);
53127+ } else {
53128+ our_addr = ip->addr;
53129+ our_netmask = ip->netmask;
53130+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
53131+ if (ret == 1)
53132+ return 0;
53133+ else if (ret == 2)
53134+ goto denied;
53135+ }
53136+ }
53137+
53138+denied:
53139+ if (mode == GR_BIND)
53140+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
53141+ else if (mode == GR_CONNECT)
53142+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
53143+
53144+ return -EACCES;
53145+}
53146+
53147+int
53148+gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
53149+{
53150+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
53151+}
53152+
53153+int
53154+gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
53155+{
53156+ return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
53157+}
53158+
53159+int gr_search_listen(struct socket *sock)
53160+{
53161+ struct sock *sk = sock->sk;
53162+ struct sockaddr_in addr;
53163+
53164+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
53165+ addr.sin_port = inet_sk(sk)->inet_sport;
53166+
53167+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
53168+}
53169+
53170+int gr_search_accept(struct socket *sock)
53171+{
53172+ struct sock *sk = sock->sk;
53173+ struct sockaddr_in addr;
53174+
53175+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
53176+ addr.sin_port = inet_sk(sk)->inet_sport;
53177+
53178+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
53179+}
53180+
53181+int
53182+gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
53183+{
53184+ if (addr)
53185+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
53186+ else {
53187+ struct sockaddr_in sin;
53188+ const struct inet_sock *inet = inet_sk(sk);
53189+
53190+ sin.sin_addr.s_addr = inet->inet_daddr;
53191+ sin.sin_port = inet->inet_dport;
53192+
53193+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
53194+ }
53195+}
53196+
53197+int
53198+gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
53199+{
53200+ struct sockaddr_in sin;
53201+
53202+ if (unlikely(skb->len < sizeof (struct udphdr)))
53203+ return 0; // skip this packet
53204+
53205+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
53206+ sin.sin_port = udp_hdr(skb)->source;
53207+
53208+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
53209+}
53210diff -urNp linux-3.0.7/grsecurity/gracl_learn.c linux-3.0.7/grsecurity/gracl_learn.c
53211--- linux-3.0.7/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
53212+++ linux-3.0.7/grsecurity/gracl_learn.c 2011-08-23 21:48:14.000000000 -0400
53213@@ -0,0 +1,207 @@
53214+#include <linux/kernel.h>
53215+#include <linux/mm.h>
53216+#include <linux/sched.h>
53217+#include <linux/poll.h>
53218+#include <linux/string.h>
53219+#include <linux/file.h>
53220+#include <linux/types.h>
53221+#include <linux/vmalloc.h>
53222+#include <linux/grinternal.h>
53223+
53224+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
53225+ size_t count, loff_t *ppos);
53226+extern int gr_acl_is_enabled(void);
53227+
53228+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
53229+static int gr_learn_attached;
53230+
53231+/* use a 512k buffer */
53232+#define LEARN_BUFFER_SIZE (512 * 1024)
53233+
53234+static DEFINE_SPINLOCK(gr_learn_lock);
53235+static DEFINE_MUTEX(gr_learn_user_mutex);
53236+
53237+/* we need to maintain two buffers, so that the kernel context of grlearn
53238+ uses a semaphore around the userspace copying, and the other kernel contexts
53239+ use a spinlock when copying into the buffer, since they cannot sleep
53240+*/
53241+static char *learn_buffer;
53242+static char *learn_buffer_user;
53243+static int learn_buffer_len;
53244+static int learn_buffer_user_len;
53245+
53246+static ssize_t
53247+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
53248+{
53249+ DECLARE_WAITQUEUE(wait, current);
53250+ ssize_t retval = 0;
53251+
53252+ add_wait_queue(&learn_wait, &wait);
53253+ set_current_state(TASK_INTERRUPTIBLE);
53254+ do {
53255+ mutex_lock(&gr_learn_user_mutex);
53256+ spin_lock(&gr_learn_lock);
53257+ if (learn_buffer_len)
53258+ break;
53259+ spin_unlock(&gr_learn_lock);
53260+ mutex_unlock(&gr_learn_user_mutex);
53261+ if (file->f_flags & O_NONBLOCK) {
53262+ retval = -EAGAIN;
53263+ goto out;
53264+ }
53265+ if (signal_pending(current)) {
53266+ retval = -ERESTARTSYS;
53267+ goto out;
53268+ }
53269+
53270+ schedule();
53271+ } while (1);
53272+
53273+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
53274+ learn_buffer_user_len = learn_buffer_len;
53275+ retval = learn_buffer_len;
53276+ learn_buffer_len = 0;
53277+
53278+ spin_unlock(&gr_learn_lock);
53279+
53280+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
53281+ retval = -EFAULT;
53282+
53283+ mutex_unlock(&gr_learn_user_mutex);
53284+out:
53285+ set_current_state(TASK_RUNNING);
53286+ remove_wait_queue(&learn_wait, &wait);
53287+ return retval;
53288+}
53289+
53290+static unsigned int
53291+poll_learn(struct file * file, poll_table * wait)
53292+{
53293+ poll_wait(file, &learn_wait, wait);
53294+
53295+ if (learn_buffer_len)
53296+ return (POLLIN | POLLRDNORM);
53297+
53298+ return 0;
53299+}
53300+
53301+void
53302+gr_clear_learn_entries(void)
53303+{
53304+ char *tmp;
53305+
53306+ mutex_lock(&gr_learn_user_mutex);
53307+ spin_lock(&gr_learn_lock);
53308+ tmp = learn_buffer;
53309+ learn_buffer = NULL;
53310+ spin_unlock(&gr_learn_lock);
53311+ if (tmp)
53312+ vfree(tmp);
53313+ if (learn_buffer_user != NULL) {
53314+ vfree(learn_buffer_user);
53315+ learn_buffer_user = NULL;
53316+ }
53317+ learn_buffer_len = 0;
53318+ mutex_unlock(&gr_learn_user_mutex);
53319+
53320+ return;
53321+}
53322+
53323+void
53324+gr_add_learn_entry(const char *fmt, ...)
53325+{
53326+ va_list args;
53327+ unsigned int len;
53328+
53329+ if (!gr_learn_attached)
53330+ return;
53331+
53332+ spin_lock(&gr_learn_lock);
53333+
53334+ /* leave a gap at the end so we know when it's "full" but don't have to
53335+ compute the exact length of the string we're trying to append
53336+ */
53337+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
53338+ spin_unlock(&gr_learn_lock);
53339+ wake_up_interruptible(&learn_wait);
53340+ return;
53341+ }
53342+ if (learn_buffer == NULL) {
53343+ spin_unlock(&gr_learn_lock);
53344+ return;
53345+ }
53346+
53347+ va_start(args, fmt);
53348+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
53349+ va_end(args);
53350+
53351+ learn_buffer_len += len + 1;
53352+
53353+ spin_unlock(&gr_learn_lock);
53354+ wake_up_interruptible(&learn_wait);
53355+
53356+ return;
53357+}
53358+
53359+static int
53360+open_learn(struct inode *inode, struct file *file)
53361+{
53362+ if (file->f_mode & FMODE_READ && gr_learn_attached)
53363+ return -EBUSY;
53364+ if (file->f_mode & FMODE_READ) {
53365+ int retval = 0;
53366+ mutex_lock(&gr_learn_user_mutex);
53367+ if (learn_buffer == NULL)
53368+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
53369+ if (learn_buffer_user == NULL)
53370+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
53371+ if (learn_buffer == NULL) {
53372+ retval = -ENOMEM;
53373+ goto out_error;
53374+ }
53375+ if (learn_buffer_user == NULL) {
53376+ retval = -ENOMEM;
53377+ goto out_error;
53378+ }
53379+ learn_buffer_len = 0;
53380+ learn_buffer_user_len = 0;
53381+ gr_learn_attached = 1;
53382+out_error:
53383+ mutex_unlock(&gr_learn_user_mutex);
53384+ return retval;
53385+ }
53386+ return 0;
53387+}
53388+
53389+static int
53390+close_learn(struct inode *inode, struct file *file)
53391+{
53392+ if (file->f_mode & FMODE_READ) {
53393+ char *tmp = NULL;
53394+ mutex_lock(&gr_learn_user_mutex);
53395+ spin_lock(&gr_learn_lock);
53396+ tmp = learn_buffer;
53397+ learn_buffer = NULL;
53398+ spin_unlock(&gr_learn_lock);
53399+ if (tmp)
53400+ vfree(tmp);
53401+ if (learn_buffer_user != NULL) {
53402+ vfree(learn_buffer_user);
53403+ learn_buffer_user = NULL;
53404+ }
53405+ learn_buffer_len = 0;
53406+ learn_buffer_user_len = 0;
53407+ gr_learn_attached = 0;
53408+ mutex_unlock(&gr_learn_user_mutex);
53409+ }
53410+
53411+ return 0;
53412+}
53413+
53414+const struct file_operations grsec_fops = {
53415+ .read = read_learn,
53416+ .write = write_grsec_handler,
53417+ .open = open_learn,
53418+ .release = close_learn,
53419+ .poll = poll_learn,
53420+};
53421diff -urNp linux-3.0.7/grsecurity/gracl_res.c linux-3.0.7/grsecurity/gracl_res.c
53422--- linux-3.0.7/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
53423+++ linux-3.0.7/grsecurity/gracl_res.c 2011-08-23 21:48:14.000000000 -0400
53424@@ -0,0 +1,68 @@
53425+#include <linux/kernel.h>
53426+#include <linux/sched.h>
53427+#include <linux/gracl.h>
53428+#include <linux/grinternal.h>
53429+
53430+static const char *restab_log[] = {
53431+ [RLIMIT_CPU] = "RLIMIT_CPU",
53432+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
53433+ [RLIMIT_DATA] = "RLIMIT_DATA",
53434+ [RLIMIT_STACK] = "RLIMIT_STACK",
53435+ [RLIMIT_CORE] = "RLIMIT_CORE",
53436+ [RLIMIT_RSS] = "RLIMIT_RSS",
53437+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
53438+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
53439+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
53440+ [RLIMIT_AS] = "RLIMIT_AS",
53441+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
53442+ [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
53443+ [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
53444+ [RLIMIT_NICE] = "RLIMIT_NICE",
53445+ [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
53446+ [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
53447+ [GR_CRASH_RES] = "RLIMIT_CRASH"
53448+};
53449+
53450+void
53451+gr_log_resource(const struct task_struct *task,
53452+ const int res, const unsigned long wanted, const int gt)
53453+{
53454+ const struct cred *cred;
53455+ unsigned long rlim;
53456+
53457+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
53458+ return;
53459+
53460+ // not yet supported resource
53461+ if (unlikely(!restab_log[res]))
53462+ return;
53463+
53464+ if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
53465+ rlim = task_rlimit_max(task, res);
53466+ else
53467+ rlim = task_rlimit(task, res);
53468+
53469+ if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
53470+ return;
53471+
53472+ rcu_read_lock();
53473+ cred = __task_cred(task);
53474+
53475+ if (res == RLIMIT_NPROC &&
53476+ (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
53477+ cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
53478+ goto out_rcu_unlock;
53479+ else if (res == RLIMIT_MEMLOCK &&
53480+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
53481+ goto out_rcu_unlock;
53482+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
53483+ goto out_rcu_unlock;
53484+ rcu_read_unlock();
53485+
53486+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
53487+
53488+ return;
53489+out_rcu_unlock:
53490+ rcu_read_unlock();
53491+ return;
53492+}
53493diff -urNp linux-3.0.7/grsecurity/gracl_segv.c linux-3.0.7/grsecurity/gracl_segv.c
53494--- linux-3.0.7/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
53495+++ linux-3.0.7/grsecurity/gracl_segv.c 2011-08-23 21:48:14.000000000 -0400
53496@@ -0,0 +1,299 @@
53497+#include <linux/kernel.h>
53498+#include <linux/mm.h>
53499+#include <asm/uaccess.h>
53500+#include <asm/errno.h>
53501+#include <asm/mman.h>
53502+#include <net/sock.h>
53503+#include <linux/file.h>
53504+#include <linux/fs.h>
53505+#include <linux/net.h>
53506+#include <linux/in.h>
53507+#include <linux/slab.h>
53508+#include <linux/types.h>
53509+#include <linux/sched.h>
53510+#include <linux/timer.h>
53511+#include <linux/gracl.h>
53512+#include <linux/grsecurity.h>
53513+#include <linux/grinternal.h>
53514+
53515+static struct crash_uid *uid_set;
53516+static unsigned short uid_used;
53517+static DEFINE_SPINLOCK(gr_uid_lock);
53518+extern rwlock_t gr_inode_lock;
53519+extern struct acl_subject_label *
53520+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
53521+ struct acl_role_label *role);
53522+
53523+#ifdef CONFIG_BTRFS_FS
53524+extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
53525+extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
53526+#endif
53527+
53528+static inline dev_t __get_dev(const struct dentry *dentry)
53529+{
53530+#ifdef CONFIG_BTRFS_FS
53531+ if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
53532+ return get_btrfs_dev_from_inode(dentry->d_inode);
53533+ else
53534+#endif
53535+ return dentry->d_inode->i_sb->s_dev;
53536+}
53537+
53538+int
53539+gr_init_uidset(void)
53540+{
53541+ uid_set =
53542+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
53543+ uid_used = 0;
53544+
53545+ return uid_set ? 1 : 0;
53546+}
53547+
53548+void
53549+gr_free_uidset(void)
53550+{
53551+ if (uid_set)
53552+ kfree(uid_set);
53553+
53554+ return;
53555+}
53556+
53557+int
53558+gr_find_uid(const uid_t uid)
53559+{
53560+ struct crash_uid *tmp = uid_set;
53561+ uid_t buid;
53562+ int low = 0, high = uid_used - 1, mid;
53563+
53564+ while (high >= low) {
53565+ mid = (low + high) >> 1;
53566+ buid = tmp[mid].uid;
53567+ if (buid == uid)
53568+ return mid;
53569+ if (buid > uid)
53570+ high = mid - 1;
53571+ if (buid < uid)
53572+ low = mid + 1;
53573+ }
53574+
53575+ return -1;
53576+}
53577+
53578+static __inline__ void
53579+gr_insertsort(void)
53580+{
53581+ unsigned short i, j;
53582+ struct crash_uid index;
53583+
53584+ for (i = 1; i < uid_used; i++) {
53585+ index = uid_set[i];
53586+ j = i;
53587+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
53588+ uid_set[j] = uid_set[j - 1];
53589+ j--;
53590+ }
53591+ uid_set[j] = index;
53592+ }
53593+
53594+ return;
53595+}
53596+
53597+static __inline__ void
53598+gr_insert_uid(const uid_t uid, const unsigned long expires)
53599+{
53600+ int loc;
53601+
53602+ if (uid_used == GR_UIDTABLE_MAX)
53603+ return;
53604+
53605+ loc = gr_find_uid(uid);
53606+
53607+ if (loc >= 0) {
53608+ uid_set[loc].expires = expires;
53609+ return;
53610+ }
53611+
53612+ uid_set[uid_used].uid = uid;
53613+ uid_set[uid_used].expires = expires;
53614+ uid_used++;
53615+
53616+ gr_insertsort();
53617+
53618+ return;
53619+}
53620+
53621+void
53622+gr_remove_uid(const unsigned short loc)
53623+{
53624+ unsigned short i;
53625+
53626+ for (i = loc + 1; i < uid_used; i++)
53627+ uid_set[i - 1] = uid_set[i];
53628+
53629+ uid_used--;
53630+
53631+ return;
53632+}
53633+
53634+int
53635+gr_check_crash_uid(const uid_t uid)
53636+{
53637+ int loc;
53638+ int ret = 0;
53639+
53640+ if (unlikely(!gr_acl_is_enabled()))
53641+ return 0;
53642+
53643+ spin_lock(&gr_uid_lock);
53644+ loc = gr_find_uid(uid);
53645+
53646+ if (loc < 0)
53647+ goto out_unlock;
53648+
53649+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
53650+ gr_remove_uid(loc);
53651+ else
53652+ ret = 1;
53653+
53654+out_unlock:
53655+ spin_unlock(&gr_uid_lock);
53656+ return ret;
53657+}
53658+
53659+static __inline__ int
53660+proc_is_setxid(const struct cred *cred)
53661+{
53662+ if (cred->uid != cred->euid || cred->uid != cred->suid ||
53663+ cred->uid != cred->fsuid)
53664+ return 1;
53665+ if (cred->gid != cred->egid || cred->gid != cred->sgid ||
53666+ cred->gid != cred->fsgid)
53667+ return 1;
53668+
53669+ return 0;
53670+}
53671+
53672+extern int gr_fake_force_sig(int sig, struct task_struct *t);
53673+
53674+void
53675+gr_handle_crash(struct task_struct *task, const int sig)
53676+{
53677+ struct acl_subject_label *curr;
53678+ struct acl_subject_label *curr2;
53679+ struct task_struct *tsk, *tsk2;
53680+ const struct cred *cred;
53681+ const struct cred *cred2;
53682+
53683+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
53684+ return;
53685+
53686+ if (unlikely(!gr_acl_is_enabled()))
53687+ return;
53688+
53689+ curr = task->acl;
53690+
53691+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
53692+ return;
53693+
53694+ if (time_before_eq(curr->expires, get_seconds())) {
53695+ curr->expires = 0;
53696+ curr->crashes = 0;
53697+ }
53698+
53699+ curr->crashes++;
53700+
53701+ if (!curr->expires)
53702+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
53703+
53704+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
53705+ time_after(curr->expires, get_seconds())) {
53706+ rcu_read_lock();
53707+ cred = __task_cred(task);
53708+ if (cred->uid && proc_is_setxid(cred)) {
53709+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
53710+ spin_lock(&gr_uid_lock);
53711+ gr_insert_uid(cred->uid, curr->expires);
53712+ spin_unlock(&gr_uid_lock);
53713+ curr->expires = 0;
53714+ curr->crashes = 0;
53715+ read_lock(&tasklist_lock);
53716+ do_each_thread(tsk2, tsk) {
53717+ cred2 = __task_cred(tsk);
53718+ if (tsk != task && cred2->uid == cred->uid)
53719+ gr_fake_force_sig(SIGKILL, tsk);
53720+ } while_each_thread(tsk2, tsk);
53721+ read_unlock(&tasklist_lock);
53722+ } else {
53723+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
53724+ read_lock(&tasklist_lock);
53725+ do_each_thread(tsk2, tsk) {
53726+ if (likely(tsk != task)) {
53727+ curr2 = tsk->acl;
53728+
53729+ if (curr2->device == curr->device &&
53730+ curr2->inode == curr->inode)
53731+ gr_fake_force_sig(SIGKILL, tsk);
53732+ }
53733+ } while_each_thread(tsk2, tsk);
53734+ read_unlock(&tasklist_lock);
53735+ }
53736+ rcu_read_unlock();
53737+ }
53738+
53739+ return;
53740+}
53741+
53742+int
53743+gr_check_crash_exec(const struct file *filp)
53744+{
53745+ struct acl_subject_label *curr;
53746+
53747+ if (unlikely(!gr_acl_is_enabled()))
53748+ return 0;
53749+
53750+ read_lock(&gr_inode_lock);
53751+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
53752+ __get_dev(filp->f_path.dentry),
53753+ current->role);
53754+ read_unlock(&gr_inode_lock);
53755+
53756+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
53757+ (!curr->crashes && !curr->expires))
53758+ return 0;
53759+
53760+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
53761+ time_after(curr->expires, get_seconds()))
53762+ return 1;
53763+ else if (time_before_eq(curr->expires, get_seconds())) {
53764+ curr->crashes = 0;
53765+ curr->expires = 0;
53766+ }
53767+
53768+ return 0;
53769+}
53770+
53771+void
53772+gr_handle_alertkill(struct task_struct *task)
53773+{
53774+ struct acl_subject_label *curracl;
53775+ __u32 curr_ip;
53776+ struct task_struct *p, *p2;
53777+
53778+ if (unlikely(!gr_acl_is_enabled()))
53779+ return;
53780+
53781+ curracl = task->acl;
53782+ curr_ip = task->signal->curr_ip;
53783+
53784+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
53785+ read_lock(&tasklist_lock);
53786+ do_each_thread(p2, p) {
53787+ if (p->signal->curr_ip == curr_ip)
53788+ gr_fake_force_sig(SIGKILL, p);
53789+ } while_each_thread(p2, p);
53790+ read_unlock(&tasklist_lock);
53791+ } else if (curracl->mode & GR_KILLPROC)
53792+ gr_fake_force_sig(SIGKILL, task);
53793+
53794+ return;
53795+}
53796diff -urNp linux-3.0.7/grsecurity/gracl_shm.c linux-3.0.7/grsecurity/gracl_shm.c
53797--- linux-3.0.7/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
53798+++ linux-3.0.7/grsecurity/gracl_shm.c 2011-08-23 21:48:14.000000000 -0400
53799@@ -0,0 +1,40 @@
53800+#include <linux/kernel.h>
53801+#include <linux/mm.h>
53802+#include <linux/sched.h>
53803+#include <linux/file.h>
53804+#include <linux/ipc.h>
53805+#include <linux/gracl.h>
53806+#include <linux/grsecurity.h>
53807+#include <linux/grinternal.h>
53808+
53809+int
53810+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
53811+ const time_t shm_createtime, const uid_t cuid, const int shmid)
53812+{
53813+ struct task_struct *task;
53814+
53815+ if (!gr_acl_is_enabled())
53816+ return 1;
53817+
53818+ rcu_read_lock();
53819+ read_lock(&tasklist_lock);
53820+
53821+ task = find_task_by_vpid(shm_cprid);
53822+
53823+ if (unlikely(!task))
53824+ task = find_task_by_vpid(shm_lapid);
53825+
53826+ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
53827+ (task->pid == shm_lapid)) &&
53828+ (task->acl->mode & GR_PROTSHM) &&
53829+ (task->acl != current->acl))) {
53830+ read_unlock(&tasklist_lock);
53831+ rcu_read_unlock();
53832+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
53833+ return 0;
53834+ }
53835+ read_unlock(&tasklist_lock);
53836+ rcu_read_unlock();
53837+
53838+ return 1;
53839+}
53840diff -urNp linux-3.0.7/grsecurity/grsec_chdir.c linux-3.0.7/grsecurity/grsec_chdir.c
53841--- linux-3.0.7/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
53842+++ linux-3.0.7/grsecurity/grsec_chdir.c 2011-08-23 21:48:14.000000000 -0400
53843@@ -0,0 +1,19 @@
53844+#include <linux/kernel.h>
53845+#include <linux/sched.h>
53846+#include <linux/fs.h>
53847+#include <linux/file.h>
53848+#include <linux/grsecurity.h>
53849+#include <linux/grinternal.h>
53850+
53851+void
53852+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
53853+{
53854+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
53855+ if ((grsec_enable_chdir && grsec_enable_group &&
53856+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
53857+ !grsec_enable_group)) {
53858+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
53859+ }
53860+#endif
53861+ return;
53862+}
53863diff -urNp linux-3.0.7/grsecurity/grsec_chroot.c linux-3.0.7/grsecurity/grsec_chroot.c
53864--- linux-3.0.7/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
53865+++ linux-3.0.7/grsecurity/grsec_chroot.c 2011-09-15 06:47:48.000000000 -0400
53866@@ -0,0 +1,351 @@
53867+#include <linux/kernel.h>
53868+#include <linux/module.h>
53869+#include <linux/sched.h>
53870+#include <linux/file.h>
53871+#include <linux/fs.h>
53872+#include <linux/mount.h>
53873+#include <linux/types.h>
53874+#include <linux/pid_namespace.h>
53875+#include <linux/grsecurity.h>
53876+#include <linux/grinternal.h>
53877+
53878+void gr_set_chroot_entries(struct task_struct *task, struct path *path)
53879+{
53880+#ifdef CONFIG_GRKERNSEC
53881+ if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
53882+ path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
53883+ task->gr_is_chrooted = 1;
53884+ else
53885+ task->gr_is_chrooted = 0;
53886+
53887+ task->gr_chroot_dentry = path->dentry;
53888+#endif
53889+ return;
53890+}
53891+
53892+void gr_clear_chroot_entries(struct task_struct *task)
53893+{
53894+#ifdef CONFIG_GRKERNSEC
53895+ task->gr_is_chrooted = 0;
53896+ task->gr_chroot_dentry = NULL;
53897+#endif
53898+ return;
53899+}
53900+
53901+int
53902+gr_handle_chroot_unix(const pid_t pid)
53903+{
53904+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
53905+ struct task_struct *p;
53906+
53907+ if (unlikely(!grsec_enable_chroot_unix))
53908+ return 1;
53909+
53910+ if (likely(!proc_is_chrooted(current)))
53911+ return 1;
53912+
53913+ rcu_read_lock();
53914+ read_lock(&tasklist_lock);
53915+ p = find_task_by_vpid_unrestricted(pid);
53916+ if (unlikely(p && !have_same_root(current, p))) {
53917+ read_unlock(&tasklist_lock);
53918+ rcu_read_unlock();
53919+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
53920+ return 0;
53921+ }
53922+ read_unlock(&tasklist_lock);
53923+ rcu_read_unlock();
53924+#endif
53925+ return 1;
53926+}
53927+
53928+int
53929+gr_handle_chroot_nice(void)
53930+{
53931+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
53932+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
53933+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
53934+ return -EPERM;
53935+ }
53936+#endif
53937+ return 0;
53938+}
53939+
53940+int
53941+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
53942+{
53943+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
53944+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
53945+ && proc_is_chrooted(current)) {
53946+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
53947+ return -EACCES;
53948+ }
53949+#endif
53950+ return 0;
53951+}
53952+
53953+int
53954+gr_handle_chroot_rawio(const struct inode *inode)
53955+{
53956+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53957+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
53958+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
53959+ return 1;
53960+#endif
53961+ return 0;
53962+}
53963+
53964+int
53965+gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
53966+{
53967+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
53968+ struct task_struct *p;
53969+ int ret = 0;
53970+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
53971+ return ret;
53972+
53973+ read_lock(&tasklist_lock);
53974+ do_each_pid_task(pid, type, p) {
53975+ if (!have_same_root(current, p)) {
53976+ ret = 1;
53977+ goto out;
53978+ }
53979+ } while_each_pid_task(pid, type, p);
53980+out:
53981+ read_unlock(&tasklist_lock);
53982+ return ret;
53983+#endif
53984+ return 0;
53985+}
53986+
53987+int
53988+gr_pid_is_chrooted(struct task_struct *p)
53989+{
53990+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
53991+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
53992+ return 0;
53993+
53994+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
53995+ !have_same_root(current, p)) {
53996+ return 1;
53997+ }
53998+#endif
53999+ return 0;
54000+}
54001+
54002+EXPORT_SYMBOL(gr_pid_is_chrooted);
54003+
54004+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
54005+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
54006+{
54007+ struct path path, currentroot;
54008+ int ret = 0;
54009+
54010+ path.dentry = (struct dentry *)u_dentry;
54011+ path.mnt = (struct vfsmount *)u_mnt;
54012+ get_fs_root(current->fs, &currentroot);
54013+ if (path_is_under(&path, &currentroot))
54014+ ret = 1;
54015+ path_put(&currentroot);
54016+
54017+ return ret;
54018+}
54019+#endif
54020+
54021+int
54022+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
54023+{
54024+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
54025+ if (!grsec_enable_chroot_fchdir)
54026+ return 1;
54027+
54028+ if (!proc_is_chrooted(current))
54029+ return 1;
54030+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
54031+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
54032+ return 0;
54033+ }
54034+#endif
54035+ return 1;
54036+}
54037+
54038+int
54039+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
54040+ const time_t shm_createtime)
54041+{
54042+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
54043+ struct task_struct *p;
54044+ time_t starttime;
54045+
54046+ if (unlikely(!grsec_enable_chroot_shmat))
54047+ return 1;
54048+
54049+ if (likely(!proc_is_chrooted(current)))
54050+ return 1;
54051+
54052+ rcu_read_lock();
54053+ read_lock(&tasklist_lock);
54054+
54055+ if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
54056+ starttime = p->start_time.tv_sec;
54057+ if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
54058+ if (have_same_root(current, p)) {
54059+ goto allow;
54060+ } else {
54061+ read_unlock(&tasklist_lock);
54062+ rcu_read_unlock();
54063+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
54064+ return 0;
54065+ }
54066+ }
54067+ /* creator exited, pid reuse, fall through to next check */
54068+ }
54069+ if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
54070+ if (unlikely(!have_same_root(current, p))) {
54071+ read_unlock(&tasklist_lock);
54072+ rcu_read_unlock();
54073+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
54074+ return 0;
54075+ }
54076+ }
54077+
54078+allow:
54079+ read_unlock(&tasklist_lock);
54080+ rcu_read_unlock();
54081+#endif
54082+ return 1;
54083+}
54084+
54085+void
54086+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
54087+{
54088+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
54089+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
54090+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
54091+#endif
54092+ return;
54093+}
54094+
54095+int
54096+gr_handle_chroot_mknod(const struct dentry *dentry,
54097+ const struct vfsmount *mnt, const int mode)
54098+{
54099+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
54100+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
54101+ proc_is_chrooted(current)) {
54102+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
54103+ return -EPERM;
54104+ }
54105+#endif
54106+ return 0;
54107+}
54108+
54109+int
54110+gr_handle_chroot_mount(const struct dentry *dentry,
54111+ const struct vfsmount *mnt, const char *dev_name)
54112+{
54113+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
54114+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
54115+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
54116+ return -EPERM;
54117+ }
54118+#endif
54119+ return 0;
54120+}
54121+
54122+int
54123+gr_handle_chroot_pivot(void)
54124+{
54125+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
54126+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
54127+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
54128+ return -EPERM;
54129+ }
54130+#endif
54131+ return 0;
54132+}
54133+
54134+int
54135+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
54136+{
54137+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
54138+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
54139+ !gr_is_outside_chroot(dentry, mnt)) {
54140+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
54141+ return -EPERM;
54142+ }
54143+#endif
54144+ return 0;
54145+}
54146+
54147+extern const char *captab_log[];
54148+extern int captab_log_entries;
54149+
54150+int
54151+gr_chroot_is_capable(const int cap)
54152+{
54153+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
54154+ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
54155+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
54156+ if (cap_raised(chroot_caps, cap)) {
54157+ const struct cred *creds = current_cred();
54158+ if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) {
54159+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]);
54160+ }
54161+ return 0;
54162+ }
54163+ }
54164+#endif
54165+ return 1;
54166+}
54167+
54168+int
54169+gr_chroot_is_capable_nolog(const int cap)
54170+{
54171+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
54172+ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
54173+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
54174+ if (cap_raised(chroot_caps, cap)) {
54175+ return 0;
54176+ }
54177+ }
54178+#endif
54179+ return 1;
54180+}
54181+
54182+int
54183+gr_handle_chroot_sysctl(const int op)
54184+{
54185+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
54186+ if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
54187+ proc_is_chrooted(current))
54188+ return -EACCES;
54189+#endif
54190+ return 0;
54191+}
54192+
54193+void
54194+gr_handle_chroot_chdir(struct path *path)
54195+{
54196+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
54197+ if (grsec_enable_chroot_chdir)
54198+ set_fs_pwd(current->fs, path);
54199+#endif
54200+ return;
54201+}
54202+
54203+int
54204+gr_handle_chroot_chmod(const struct dentry *dentry,
54205+ const struct vfsmount *mnt, const int mode)
54206+{
54207+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
54208+ /* allow chmod +s on directories, but not files */
54209+ if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
54210+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
54211+ proc_is_chrooted(current)) {
54212+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
54213+ return -EPERM;
54214+ }
54215+#endif
54216+ return 0;
54217+}
54218diff -urNp linux-3.0.7/grsecurity/grsec_disabled.c linux-3.0.7/grsecurity/grsec_disabled.c
54219--- linux-3.0.7/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
54220+++ linux-3.0.7/grsecurity/grsec_disabled.c 2011-09-24 08:13:01.000000000 -0400
54221@@ -0,0 +1,433 @@
54222+#include <linux/kernel.h>
54223+#include <linux/module.h>
54224+#include <linux/sched.h>
54225+#include <linux/file.h>
54226+#include <linux/fs.h>
54227+#include <linux/kdev_t.h>
54228+#include <linux/net.h>
54229+#include <linux/in.h>
54230+#include <linux/ip.h>
54231+#include <linux/skbuff.h>
54232+#include <linux/sysctl.h>
54233+
54234+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
54235+void
54236+pax_set_initial_flags(struct linux_binprm *bprm)
54237+{
54238+ return;
54239+}
54240+#endif
54241+
54242+#ifdef CONFIG_SYSCTL
54243+__u32
54244+gr_handle_sysctl(const struct ctl_table * table, const int op)
54245+{
54246+ return 0;
54247+}
54248+#endif
54249+
54250+#ifdef CONFIG_TASKSTATS
54251+int gr_is_taskstats_denied(int pid)
54252+{
54253+ return 0;
54254+}
54255+#endif
54256+
54257+int
54258+gr_acl_is_enabled(void)
54259+{
54260+ return 0;
54261+}
54262+
54263+int
54264+gr_handle_rawio(const struct inode *inode)
54265+{
54266+ return 0;
54267+}
54268+
54269+void
54270+gr_acl_handle_psacct(struct task_struct *task, const long code)
54271+{
54272+ return;
54273+}
54274+
54275+int
54276+gr_handle_ptrace(struct task_struct *task, const long request)
54277+{
54278+ return 0;
54279+}
54280+
54281+int
54282+gr_handle_proc_ptrace(struct task_struct *task)
54283+{
54284+ return 0;
54285+}
54286+
54287+void
54288+gr_learn_resource(const struct task_struct *task,
54289+ const int res, const unsigned long wanted, const int gt)
54290+{
54291+ return;
54292+}
54293+
54294+int
54295+gr_set_acls(const int type)
54296+{
54297+ return 0;
54298+}
54299+
54300+int
54301+gr_check_hidden_task(const struct task_struct *tsk)
54302+{
54303+ return 0;
54304+}
54305+
54306+int
54307+gr_check_protected_task(const struct task_struct *task)
54308+{
54309+ return 0;
54310+}
54311+
54312+int
54313+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
54314+{
54315+ return 0;
54316+}
54317+
54318+void
54319+gr_copy_label(struct task_struct *tsk)
54320+{
54321+ return;
54322+}
54323+
54324+void
54325+gr_set_pax_flags(struct task_struct *task)
54326+{
54327+ return;
54328+}
54329+
54330+int
54331+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
54332+ const int unsafe_share)
54333+{
54334+ return 0;
54335+}
54336+
54337+void
54338+gr_handle_delete(const ino_t ino, const dev_t dev)
54339+{
54340+ return;
54341+}
54342+
54343+void
54344+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
54345+{
54346+ return;
54347+}
54348+
54349+void
54350+gr_handle_crash(struct task_struct *task, const int sig)
54351+{
54352+ return;
54353+}
54354+
54355+int
54356+gr_check_crash_exec(const struct file *filp)
54357+{
54358+ return 0;
54359+}
54360+
54361+int
54362+gr_check_crash_uid(const uid_t uid)
54363+{
54364+ return 0;
54365+}
54366+
54367+void
54368+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
54369+ struct dentry *old_dentry,
54370+ struct dentry *new_dentry,
54371+ struct vfsmount *mnt, const __u8 replace)
54372+{
54373+ return;
54374+}
54375+
54376+int
54377+gr_search_socket(const int family, const int type, const int protocol)
54378+{
54379+ return 1;
54380+}
54381+
54382+int
54383+gr_search_connectbind(const int mode, const struct socket *sock,
54384+ const struct sockaddr_in *addr)
54385+{
54386+ return 0;
54387+}
54388+
54389+void
54390+gr_handle_alertkill(struct task_struct *task)
54391+{
54392+ return;
54393+}
54394+
54395+__u32
54396+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
54397+{
54398+ return 1;
54399+}
54400+
54401+__u32
54402+gr_acl_handle_hidden_file(const struct dentry * dentry,
54403+ const struct vfsmount * mnt)
54404+{
54405+ return 1;
54406+}
54407+
54408+__u32
54409+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
54410+ const int fmode)
54411+{
54412+ return 1;
54413+}
54414+
54415+__u32
54416+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
54417+{
54418+ return 1;
54419+}
54420+
54421+__u32
54422+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
54423+{
54424+ return 1;
54425+}
54426+
54427+int
54428+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
54429+ unsigned int *vm_flags)
54430+{
54431+ return 1;
54432+}
54433+
54434+__u32
54435+gr_acl_handle_truncate(const struct dentry * dentry,
54436+ const struct vfsmount * mnt)
54437+{
54438+ return 1;
54439+}
54440+
54441+__u32
54442+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
54443+{
54444+ return 1;
54445+}
54446+
54447+__u32
54448+gr_acl_handle_access(const struct dentry * dentry,
54449+ const struct vfsmount * mnt, const int fmode)
54450+{
54451+ return 1;
54452+}
54453+
54454+__u32
54455+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
54456+ mode_t mode)
54457+{
54458+ return 1;
54459+}
54460+
54461+__u32
54462+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
54463+ mode_t mode)
54464+{
54465+ return 1;
54466+}
54467+
54468+__u32
54469+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
54470+{
54471+ return 1;
54472+}
54473+
54474+__u32
54475+gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
54476+{
54477+ return 1;
54478+}
54479+
54480+void
54481+grsecurity_init(void)
54482+{
54483+ return;
54484+}
54485+
54486+__u32
54487+gr_acl_handle_mknod(const struct dentry * new_dentry,
54488+ const struct dentry * parent_dentry,
54489+ const struct vfsmount * parent_mnt,
54490+ const int mode)
54491+{
54492+ return 1;
54493+}
54494+
54495+__u32
54496+gr_acl_handle_mkdir(const struct dentry * new_dentry,
54497+ const struct dentry * parent_dentry,
54498+ const struct vfsmount * parent_mnt)
54499+{
54500+ return 1;
54501+}
54502+
54503+__u32
54504+gr_acl_handle_symlink(const struct dentry * new_dentry,
54505+ const struct dentry * parent_dentry,
54506+ const struct vfsmount * parent_mnt, const char *from)
54507+{
54508+ return 1;
54509+}
54510+
54511+__u32
54512+gr_acl_handle_link(const struct dentry * new_dentry,
54513+ const struct dentry * parent_dentry,
54514+ const struct vfsmount * parent_mnt,
54515+ const struct dentry * old_dentry,
54516+ const struct vfsmount * old_mnt, const char *to)
54517+{
54518+ return 1;
54519+}
54520+
54521+int
54522+gr_acl_handle_rename(const struct dentry *new_dentry,
54523+ const struct dentry *parent_dentry,
54524+ const struct vfsmount *parent_mnt,
54525+ const struct dentry *old_dentry,
54526+ const struct inode *old_parent_inode,
54527+ const struct vfsmount *old_mnt, const char *newname)
54528+{
54529+ return 0;
54530+}
54531+
54532+int
54533+gr_acl_handle_filldir(const struct file *file, const char *name,
54534+ const int namelen, const ino_t ino)
54535+{
54536+ return 1;
54537+}
54538+
54539+int
54540+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
54541+ const time_t shm_createtime, const uid_t cuid, const int shmid)
54542+{
54543+ return 1;
54544+}
54545+
54546+int
54547+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
54548+{
54549+ return 0;
54550+}
54551+
54552+int
54553+gr_search_accept(const struct socket *sock)
54554+{
54555+ return 0;
54556+}
54557+
54558+int
54559+gr_search_listen(const struct socket *sock)
54560+{
54561+ return 0;
54562+}
54563+
54564+int
54565+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
54566+{
54567+ return 0;
54568+}
54569+
54570+__u32
54571+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
54572+{
54573+ return 1;
54574+}
54575+
54576+__u32
54577+gr_acl_handle_creat(const struct dentry * dentry,
54578+ const struct dentry * p_dentry,
54579+ const struct vfsmount * p_mnt, const int fmode,
54580+ const int imode)
54581+{
54582+ return 1;
54583+}
54584+
54585+void
54586+gr_acl_handle_exit(void)
54587+{
54588+ return;
54589+}
54590+
54591+int
54592+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
54593+{
54594+ return 1;
54595+}
54596+
54597+void
54598+gr_set_role_label(const uid_t uid, const gid_t gid)
54599+{
54600+ return;
54601+}
54602+
54603+int
54604+gr_acl_handle_procpidmem(const struct task_struct *task)
54605+{
54606+ return 0;
54607+}
54608+
54609+int
54610+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
54611+{
54612+ return 0;
54613+}
54614+
54615+int
54616+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
54617+{
54618+ return 0;
54619+}
54620+
54621+void
54622+gr_set_kernel_label(struct task_struct *task)
54623+{
54624+ return;
54625+}
54626+
54627+int
54628+gr_check_user_change(int real, int effective, int fs)
54629+{
54630+ return 0;
54631+}
54632+
54633+int
54634+gr_check_group_change(int real, int effective, int fs)
54635+{
54636+ return 0;
54637+}
54638+
54639+int gr_acl_enable_at_secure(void)
54640+{
54641+ return 0;
54642+}
54643+
54644+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
54645+{
54646+ return dentry->d_inode->i_sb->s_dev;
54647+}
54648+
54649+EXPORT_SYMBOL(gr_learn_resource);
54650+EXPORT_SYMBOL(gr_set_kernel_label);
54651+#ifdef CONFIG_SECURITY
54652+EXPORT_SYMBOL(gr_check_user_change);
54653+EXPORT_SYMBOL(gr_check_group_change);
54654+#endif
54655diff -urNp linux-3.0.7/grsecurity/grsec_exec.c linux-3.0.7/grsecurity/grsec_exec.c
54656--- linux-3.0.7/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
54657+++ linux-3.0.7/grsecurity/grsec_exec.c 2011-09-14 09:20:28.000000000 -0400
54658@@ -0,0 +1,145 @@
54659+#include <linux/kernel.h>
54660+#include <linux/sched.h>
54661+#include <linux/file.h>
54662+#include <linux/binfmts.h>
54663+#include <linux/fs.h>
54664+#include <linux/types.h>
54665+#include <linux/grdefs.h>
54666+#include <linux/grsecurity.h>
54667+#include <linux/grinternal.h>
54668+#include <linux/capability.h>
54669+#include <linux/module.h>
54670+
54671+#include <asm/uaccess.h>
54672+
54673+#ifdef CONFIG_GRKERNSEC_EXECLOG
54674+static char gr_exec_arg_buf[132];
54675+static DEFINE_MUTEX(gr_exec_arg_mutex);
54676+#endif
54677+
54678+extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
54679+
54680+void
54681+gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv)
54682+{
54683+#ifdef CONFIG_GRKERNSEC_EXECLOG
54684+ char *grarg = gr_exec_arg_buf;
54685+ unsigned int i, x, execlen = 0;
54686+ char c;
54687+
54688+ if (!((grsec_enable_execlog && grsec_enable_group &&
54689+ in_group_p(grsec_audit_gid))
54690+ || (grsec_enable_execlog && !grsec_enable_group)))
54691+ return;
54692+
54693+ mutex_lock(&gr_exec_arg_mutex);
54694+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
54695+
54696+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
54697+ const char __user *p;
54698+ unsigned int len;
54699+
54700+ p = get_user_arg_ptr(argv, i);
54701+ if (IS_ERR(p))
54702+ goto log;
54703+
54704+ len = strnlen_user(p, 128 - execlen);
54705+ if (len > 128 - execlen)
54706+ len = 128 - execlen;
54707+ else if (len > 0)
54708+ len--;
54709+ if (copy_from_user(grarg + execlen, p, len))
54710+ goto log;
54711+
54712+ /* rewrite unprintable characters */
54713+ for (x = 0; x < len; x++) {
54714+ c = *(grarg + execlen + x);
54715+ if (c < 32 || c > 126)
54716+ *(grarg + execlen + x) = ' ';
54717+ }
54718+
54719+ execlen += len;
54720+ *(grarg + execlen) = ' ';
54721+ *(grarg + execlen + 1) = '\0';
54722+ execlen++;
54723+ }
54724+
54725+ log:
54726+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
54727+ bprm->file->f_path.mnt, grarg);
54728+ mutex_unlock(&gr_exec_arg_mutex);
54729+#endif
54730+ return;
54731+}
54732+
54733+#ifdef CONFIG_GRKERNSEC
54734+extern int gr_acl_is_capable(const int cap);
54735+extern int gr_acl_is_capable_nolog(const int cap);
54736+extern int gr_chroot_is_capable(const int cap);
54737+extern int gr_chroot_is_capable_nolog(const int cap);
54738+#endif
54739+
54740+const char *captab_log[] = {
54741+ "CAP_CHOWN",
54742+ "CAP_DAC_OVERRIDE",
54743+ "CAP_DAC_READ_SEARCH",
54744+ "CAP_FOWNER",
54745+ "CAP_FSETID",
54746+ "CAP_KILL",
54747+ "CAP_SETGID",
54748+ "CAP_SETUID",
54749+ "CAP_SETPCAP",
54750+ "CAP_LINUX_IMMUTABLE",
54751+ "CAP_NET_BIND_SERVICE",
54752+ "CAP_NET_BROADCAST",
54753+ "CAP_NET_ADMIN",
54754+ "CAP_NET_RAW",
54755+ "CAP_IPC_LOCK",
54756+ "CAP_IPC_OWNER",
54757+ "CAP_SYS_MODULE",
54758+ "CAP_SYS_RAWIO",
54759+ "CAP_SYS_CHROOT",
54760+ "CAP_SYS_PTRACE",
54761+ "CAP_SYS_PACCT",
54762+ "CAP_SYS_ADMIN",
54763+ "CAP_SYS_BOOT",
54764+ "CAP_SYS_NICE",
54765+ "CAP_SYS_RESOURCE",
54766+ "CAP_SYS_TIME",
54767+ "CAP_SYS_TTY_CONFIG",
54768+ "CAP_MKNOD",
54769+ "CAP_LEASE",
54770+ "CAP_AUDIT_WRITE",
54771+ "CAP_AUDIT_CONTROL",
54772+ "CAP_SETFCAP",
54773+ "CAP_MAC_OVERRIDE",
54774+ "CAP_MAC_ADMIN",
54775+ "CAP_SYSLOG"
54776+};
54777+
54778+int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
54779+
54780+int gr_is_capable(const int cap)
54781+{
54782+#ifdef CONFIG_GRKERNSEC
54783+ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
54784+ return 1;
54785+ return 0;
54786+#else
54787+ return 1;
54788+#endif
54789+}
54790+
54791+int gr_is_capable_nolog(const int cap)
54792+{
54793+#ifdef CONFIG_GRKERNSEC
54794+ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
54795+ return 1;
54796+ return 0;
54797+#else
54798+ return 1;
54799+#endif
54800+}
54801+
54802+EXPORT_SYMBOL(gr_is_capable);
54803+EXPORT_SYMBOL(gr_is_capable_nolog);
54804diff -urNp linux-3.0.7/grsecurity/grsec_fifo.c linux-3.0.7/grsecurity/grsec_fifo.c
54805--- linux-3.0.7/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
54806+++ linux-3.0.7/grsecurity/grsec_fifo.c 2011-08-23 21:48:14.000000000 -0400
54807@@ -0,0 +1,24 @@
54808+#include <linux/kernel.h>
54809+#include <linux/sched.h>
54810+#include <linux/fs.h>
54811+#include <linux/file.h>
54812+#include <linux/grinternal.h>
54813+
54814+int
54815+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
54816+ const struct dentry *dir, const int flag, const int acc_mode)
54817+{
54818+#ifdef CONFIG_GRKERNSEC_FIFO
54819+ const struct cred *cred = current_cred();
54820+
54821+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
54822+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
54823+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
54824+ (cred->fsuid != dentry->d_inode->i_uid)) {
54825+ if (!inode_permission(dentry->d_inode, acc_mode))
54826+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
54827+ return -EACCES;
54828+ }
54829+#endif
54830+ return 0;
54831+}
54832diff -urNp linux-3.0.7/grsecurity/grsec_fork.c linux-3.0.7/grsecurity/grsec_fork.c
54833--- linux-3.0.7/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
54834+++ linux-3.0.7/grsecurity/grsec_fork.c 2011-08-23 21:48:14.000000000 -0400
54835@@ -0,0 +1,23 @@
54836+#include <linux/kernel.h>
54837+#include <linux/sched.h>
54838+#include <linux/grsecurity.h>
54839+#include <linux/grinternal.h>
54840+#include <linux/errno.h>
54841+
54842+void
54843+gr_log_forkfail(const int retval)
54844+{
54845+#ifdef CONFIG_GRKERNSEC_FORKFAIL
54846+ if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
54847+ switch (retval) {
54848+ case -EAGAIN:
54849+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
54850+ break;
54851+ case -ENOMEM:
54852+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
54853+ break;
54854+ }
54855+ }
54856+#endif
54857+ return;
54858+}
54859diff -urNp linux-3.0.7/grsecurity/grsec_init.c linux-3.0.7/grsecurity/grsec_init.c
54860--- linux-3.0.7/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
54861+++ linux-3.0.7/grsecurity/grsec_init.c 2011-08-25 17:25:12.000000000 -0400
54862@@ -0,0 +1,269 @@
54863+#include <linux/kernel.h>
54864+#include <linux/sched.h>
54865+#include <linux/mm.h>
54866+#include <linux/gracl.h>
54867+#include <linux/slab.h>
54868+#include <linux/vmalloc.h>
54869+#include <linux/percpu.h>
54870+#include <linux/module.h>
54871+
54872+int grsec_enable_brute;
54873+int grsec_enable_link;
54874+int grsec_enable_dmesg;
54875+int grsec_enable_harden_ptrace;
54876+int grsec_enable_fifo;
54877+int grsec_enable_execlog;
54878+int grsec_enable_signal;
54879+int grsec_enable_forkfail;
54880+int grsec_enable_audit_ptrace;
54881+int grsec_enable_time;
54882+int grsec_enable_audit_textrel;
54883+int grsec_enable_group;
54884+int grsec_audit_gid;
54885+int grsec_enable_chdir;
54886+int grsec_enable_mount;
54887+int grsec_enable_rofs;
54888+int grsec_enable_chroot_findtask;
54889+int grsec_enable_chroot_mount;
54890+int grsec_enable_chroot_shmat;
54891+int grsec_enable_chroot_fchdir;
54892+int grsec_enable_chroot_double;
54893+int grsec_enable_chroot_pivot;
54894+int grsec_enable_chroot_chdir;
54895+int grsec_enable_chroot_chmod;
54896+int grsec_enable_chroot_mknod;
54897+int grsec_enable_chroot_nice;
54898+int grsec_enable_chroot_execlog;
54899+int grsec_enable_chroot_caps;
54900+int grsec_enable_chroot_sysctl;
54901+int grsec_enable_chroot_unix;
54902+int grsec_enable_tpe;
54903+int grsec_tpe_gid;
54904+int grsec_enable_blackhole;
54905+#ifdef CONFIG_IPV6_MODULE
54906+EXPORT_SYMBOL(grsec_enable_blackhole);
54907+#endif
54908+int grsec_lastack_retries;
54909+int grsec_enable_tpe_all;
54910+int grsec_enable_tpe_invert;
54911+int grsec_enable_socket_all;
54912+int grsec_socket_all_gid;
54913+int grsec_enable_socket_client;
54914+int grsec_socket_client_gid;
54915+int grsec_enable_socket_server;
54916+int grsec_socket_server_gid;
54917+int grsec_resource_logging;
54918+int grsec_disable_privio;
54919+int grsec_enable_log_rwxmaps;
54920+int grsec_lock;
54921+
54922+DEFINE_SPINLOCK(grsec_alert_lock);
54923+unsigned long grsec_alert_wtime = 0;
54924+unsigned long grsec_alert_fyet = 0;
54925+
54926+DEFINE_SPINLOCK(grsec_audit_lock);
54927+
54928+DEFINE_RWLOCK(grsec_exec_file_lock);
54929+
54930+char *gr_shared_page[4];
54931+
54932+char *gr_alert_log_fmt;
54933+char *gr_audit_log_fmt;
54934+char *gr_alert_log_buf;
54935+char *gr_audit_log_buf;
54936+
54937+extern struct gr_arg *gr_usermode;
54938+extern unsigned char *gr_system_salt;
54939+extern unsigned char *gr_system_sum;
54940+
54941+void __init
54942+grsecurity_init(void)
54943+{
54944+ int j;
54945+ /* create the per-cpu shared pages */
54946+
54947+#ifdef CONFIG_X86
54948+ memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
54949+#endif
54950+
54951+ for (j = 0; j < 4; j++) {
54952+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
54953+ if (gr_shared_page[j] == NULL) {
54954+ panic("Unable to allocate grsecurity shared page");
54955+ return;
54956+ }
54957+ }
54958+
54959+ /* allocate log buffers */
54960+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
54961+ if (!gr_alert_log_fmt) {
54962+ panic("Unable to allocate grsecurity alert log format buffer");
54963+ return;
54964+ }
54965+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
54966+ if (!gr_audit_log_fmt) {
54967+ panic("Unable to allocate grsecurity audit log format buffer");
54968+ return;
54969+ }
54970+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
54971+ if (!gr_alert_log_buf) {
54972+ panic("Unable to allocate grsecurity alert log buffer");
54973+ return;
54974+ }
54975+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
54976+ if (!gr_audit_log_buf) {
54977+ panic("Unable to allocate grsecurity audit log buffer");
54978+ return;
54979+ }
54980+
54981+ /* allocate memory for authentication structure */
54982+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
54983+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
54984+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
54985+
54986+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
54987+ panic("Unable to allocate grsecurity authentication structure");
54988+ return;
54989+ }
54990+
54991+
54992+#ifdef CONFIG_GRKERNSEC_IO
54993+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
54994+ grsec_disable_privio = 1;
54995+#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
54996+ grsec_disable_privio = 1;
54997+#else
54998+ grsec_disable_privio = 0;
54999+#endif
55000+#endif
55001+
55002+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
55003+ /* for backward compatibility, tpe_invert always defaults to on if
55004+ enabled in the kernel
55005+ */
55006+ grsec_enable_tpe_invert = 1;
55007+#endif
55008+
55009+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
55010+#ifndef CONFIG_GRKERNSEC_SYSCTL
55011+ grsec_lock = 1;
55012+#endif
55013+
55014+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
55015+ grsec_enable_audit_textrel = 1;
55016+#endif
55017+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
55018+ grsec_enable_log_rwxmaps = 1;
55019+#endif
55020+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
55021+ grsec_enable_group = 1;
55022+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
55023+#endif
55024+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
55025+ grsec_enable_chdir = 1;
55026+#endif
55027+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55028+ grsec_enable_harden_ptrace = 1;
55029+#endif
55030+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
55031+ grsec_enable_mount = 1;
55032+#endif
55033+#ifdef CONFIG_GRKERNSEC_LINK
55034+ grsec_enable_link = 1;
55035+#endif
55036+#ifdef CONFIG_GRKERNSEC_BRUTE
55037+ grsec_enable_brute = 1;
55038+#endif
55039+#ifdef CONFIG_GRKERNSEC_DMESG
55040+ grsec_enable_dmesg = 1;
55041+#endif
55042+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55043+ grsec_enable_blackhole = 1;
55044+ grsec_lastack_retries = 4;
55045+#endif
55046+#ifdef CONFIG_GRKERNSEC_FIFO
55047+ grsec_enable_fifo = 1;
55048+#endif
55049+#ifdef CONFIG_GRKERNSEC_EXECLOG
55050+ grsec_enable_execlog = 1;
55051+#endif
55052+#ifdef CONFIG_GRKERNSEC_SIGNAL
55053+ grsec_enable_signal = 1;
55054+#endif
55055+#ifdef CONFIG_GRKERNSEC_FORKFAIL
55056+ grsec_enable_forkfail = 1;
55057+#endif
55058+#ifdef CONFIG_GRKERNSEC_TIME
55059+ grsec_enable_time = 1;
55060+#endif
55061+#ifdef CONFIG_GRKERNSEC_RESLOG
55062+ grsec_resource_logging = 1;
55063+#endif
55064+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
55065+ grsec_enable_chroot_findtask = 1;
55066+#endif
55067+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
55068+ grsec_enable_chroot_unix = 1;
55069+#endif
55070+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
55071+ grsec_enable_chroot_mount = 1;
55072+#endif
55073+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
55074+ grsec_enable_chroot_fchdir = 1;
55075+#endif
55076+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
55077+ grsec_enable_chroot_shmat = 1;
55078+#endif
55079+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
55080+ grsec_enable_audit_ptrace = 1;
55081+#endif
55082+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
55083+ grsec_enable_chroot_double = 1;
55084+#endif
55085+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
55086+ grsec_enable_chroot_pivot = 1;
55087+#endif
55088+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
55089+ grsec_enable_chroot_chdir = 1;
55090+#endif
55091+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
55092+ grsec_enable_chroot_chmod = 1;
55093+#endif
55094+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
55095+ grsec_enable_chroot_mknod = 1;
55096+#endif
55097+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
55098+ grsec_enable_chroot_nice = 1;
55099+#endif
55100+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
55101+ grsec_enable_chroot_execlog = 1;
55102+#endif
55103+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
55104+ grsec_enable_chroot_caps = 1;
55105+#endif
55106+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
55107+ grsec_enable_chroot_sysctl = 1;
55108+#endif
55109+#ifdef CONFIG_GRKERNSEC_TPE
55110+ grsec_enable_tpe = 1;
55111+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
55112+#ifdef CONFIG_GRKERNSEC_TPE_ALL
55113+ grsec_enable_tpe_all = 1;
55114+#endif
55115+#endif
55116+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
55117+ grsec_enable_socket_all = 1;
55118+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
55119+#endif
55120+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
55121+ grsec_enable_socket_client = 1;
55122+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
55123+#endif
55124+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55125+ grsec_enable_socket_server = 1;
55126+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
55127+#endif
55128+#endif
55129+
55130+ return;
55131+}
55132diff -urNp linux-3.0.7/grsecurity/grsec_link.c linux-3.0.7/grsecurity/grsec_link.c
55133--- linux-3.0.7/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
55134+++ linux-3.0.7/grsecurity/grsec_link.c 2011-08-23 21:48:14.000000000 -0400
55135@@ -0,0 +1,43 @@
55136+#include <linux/kernel.h>
55137+#include <linux/sched.h>
55138+#include <linux/fs.h>
55139+#include <linux/file.h>
55140+#include <linux/grinternal.h>
55141+
55142+int
55143+gr_handle_follow_link(const struct inode *parent,
55144+ const struct inode *inode,
55145+ const struct dentry *dentry, const struct vfsmount *mnt)
55146+{
55147+#ifdef CONFIG_GRKERNSEC_LINK
55148+ const struct cred *cred = current_cred();
55149+
55150+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
55151+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
55152+ (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
55153+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
55154+ return -EACCES;
55155+ }
55156+#endif
55157+ return 0;
55158+}
55159+
55160+int
55161+gr_handle_hardlink(const struct dentry *dentry,
55162+ const struct vfsmount *mnt,
55163+ struct inode *inode, const int mode, const char *to)
55164+{
55165+#ifdef CONFIG_GRKERNSEC_LINK
55166+ const struct cred *cred = current_cred();
55167+
55168+ if (grsec_enable_link && cred->fsuid != inode->i_uid &&
55169+ (!S_ISREG(mode) || (mode & S_ISUID) ||
55170+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
55171+ (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
55172+ !capable(CAP_FOWNER) && cred->uid) {
55173+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
55174+ return -EPERM;
55175+ }
55176+#endif
55177+ return 0;
55178+}
55179diff -urNp linux-3.0.7/grsecurity/grsec_log.c linux-3.0.7/grsecurity/grsec_log.c
55180--- linux-3.0.7/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
55181+++ linux-3.0.7/grsecurity/grsec_log.c 2011-09-26 10:46:21.000000000 -0400
55182@@ -0,0 +1,315 @@
55183+#include <linux/kernel.h>
55184+#include <linux/sched.h>
55185+#include <linux/file.h>
55186+#include <linux/tty.h>
55187+#include <linux/fs.h>
55188+#include <linux/grinternal.h>
55189+
55190+#ifdef CONFIG_TREE_PREEMPT_RCU
55191+#define DISABLE_PREEMPT() preempt_disable()
55192+#define ENABLE_PREEMPT() preempt_enable()
55193+#else
55194+#define DISABLE_PREEMPT()
55195+#define ENABLE_PREEMPT()
55196+#endif
55197+
55198+#define BEGIN_LOCKS(x) \
55199+ DISABLE_PREEMPT(); \
55200+ rcu_read_lock(); \
55201+ read_lock(&tasklist_lock); \
55202+ read_lock(&grsec_exec_file_lock); \
55203+ if (x != GR_DO_AUDIT) \
55204+ spin_lock(&grsec_alert_lock); \
55205+ else \
55206+ spin_lock(&grsec_audit_lock)
55207+
55208+#define END_LOCKS(x) \
55209+ if (x != GR_DO_AUDIT) \
55210+ spin_unlock(&grsec_alert_lock); \
55211+ else \
55212+ spin_unlock(&grsec_audit_lock); \
55213+ read_unlock(&grsec_exec_file_lock); \
55214+ read_unlock(&tasklist_lock); \
55215+ rcu_read_unlock(); \
55216+ ENABLE_PREEMPT(); \
55217+ if (x == GR_DONT_AUDIT) \
55218+ gr_handle_alertkill(current)
55219+
55220+enum {
55221+ FLOODING,
55222+ NO_FLOODING
55223+};
55224+
55225+extern char *gr_alert_log_fmt;
55226+extern char *gr_audit_log_fmt;
55227+extern char *gr_alert_log_buf;
55228+extern char *gr_audit_log_buf;
55229+
55230+static int gr_log_start(int audit)
55231+{
55232+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
55233+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
55234+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
55235+#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
55236+ unsigned long curr_secs = get_seconds();
55237+
55238+ if (audit == GR_DO_AUDIT)
55239+ goto set_fmt;
55240+
55241+ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
55242+ grsec_alert_wtime = curr_secs;
55243+ grsec_alert_fyet = 0;
55244+ } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
55245+ && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
55246+ grsec_alert_fyet++;
55247+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
55248+ grsec_alert_wtime = curr_secs;
55249+ grsec_alert_fyet++;
55250+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
55251+ return FLOODING;
55252+ }
55253+ else return FLOODING;
55254+
55255+set_fmt:
55256+#endif
55257+ memset(buf, 0, PAGE_SIZE);
55258+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
55259+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
55260+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
55261+ } else if (current->signal->curr_ip) {
55262+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
55263+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
55264+ } else if (gr_acl_is_enabled()) {
55265+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
55266+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
55267+ } else {
55268+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
55269+ strcpy(buf, fmt);
55270+ }
55271+
55272+ return NO_FLOODING;
55273+}
55274+
55275+static void gr_log_middle(int audit, const char *msg, va_list ap)
55276+ __attribute__ ((format (printf, 2, 0)));
55277+
55278+static void gr_log_middle(int audit, const char *msg, va_list ap)
55279+{
55280+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
55281+ unsigned int len = strlen(buf);
55282+
55283+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
55284+
55285+ return;
55286+}
55287+
55288+static void gr_log_middle_varargs(int audit, const char *msg, ...)
55289+ __attribute__ ((format (printf, 2, 3)));
55290+
55291+static void gr_log_middle_varargs(int audit, const char *msg, ...)
55292+{
55293+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
55294+ unsigned int len = strlen(buf);
55295+ va_list ap;
55296+
55297+ va_start(ap, msg);
55298+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
55299+ va_end(ap);
55300+
55301+ return;
55302+}
55303+
55304+static void gr_log_end(int audit)
55305+{
55306+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
55307+ unsigned int len = strlen(buf);
55308+
55309+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
55310+ printk("%s\n", buf);
55311+
55312+ return;
55313+}
55314+
55315+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
55316+{
55317+ int logtype;
55318+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
55319+ char *str1 = NULL, *str2 = NULL, *str3 = NULL;
55320+ void *voidptr = NULL;
55321+ int num1 = 0, num2 = 0;
55322+ unsigned long ulong1 = 0, ulong2 = 0;
55323+ struct dentry *dentry = NULL;
55324+ struct vfsmount *mnt = NULL;
55325+ struct file *file = NULL;
55326+ struct task_struct *task = NULL;
55327+ const struct cred *cred, *pcred;
55328+ va_list ap;
55329+
55330+ BEGIN_LOCKS(audit);
55331+ logtype = gr_log_start(audit);
55332+ if (logtype == FLOODING) {
55333+ END_LOCKS(audit);
55334+ return;
55335+ }
55336+ va_start(ap, argtypes);
55337+ switch (argtypes) {
55338+ case GR_TTYSNIFF:
55339+ task = va_arg(ap, struct task_struct *);
55340+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
55341+ break;
55342+ case GR_SYSCTL_HIDDEN:
55343+ str1 = va_arg(ap, char *);
55344+ gr_log_middle_varargs(audit, msg, result, str1);
55345+ break;
55346+ case GR_RBAC:
55347+ dentry = va_arg(ap, struct dentry *);
55348+ mnt = va_arg(ap, struct vfsmount *);
55349+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
55350+ break;
55351+ case GR_RBAC_STR:
55352+ dentry = va_arg(ap, struct dentry *);
55353+ mnt = va_arg(ap, struct vfsmount *);
55354+ str1 = va_arg(ap, char *);
55355+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
55356+ break;
55357+ case GR_STR_RBAC:
55358+ str1 = va_arg(ap, char *);
55359+ dentry = va_arg(ap, struct dentry *);
55360+ mnt = va_arg(ap, struct vfsmount *);
55361+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
55362+ break;
55363+ case GR_RBAC_MODE2:
55364+ dentry = va_arg(ap, struct dentry *);
55365+ mnt = va_arg(ap, struct vfsmount *);
55366+ str1 = va_arg(ap, char *);
55367+ str2 = va_arg(ap, char *);
55368+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
55369+ break;
55370+ case GR_RBAC_MODE3:
55371+ dentry = va_arg(ap, struct dentry *);
55372+ mnt = va_arg(ap, struct vfsmount *);
55373+ str1 = va_arg(ap, char *);
55374+ str2 = va_arg(ap, char *);
55375+ str3 = va_arg(ap, char *);
55376+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
55377+ break;
55378+ case GR_FILENAME:
55379+ dentry = va_arg(ap, struct dentry *);
55380+ mnt = va_arg(ap, struct vfsmount *);
55381+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
55382+ break;
55383+ case GR_STR_FILENAME:
55384+ str1 = va_arg(ap, char *);
55385+ dentry = va_arg(ap, struct dentry *);
55386+ mnt = va_arg(ap, struct vfsmount *);
55387+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
55388+ break;
55389+ case GR_FILENAME_STR:
55390+ dentry = va_arg(ap, struct dentry *);
55391+ mnt = va_arg(ap, struct vfsmount *);
55392+ str1 = va_arg(ap, char *);
55393+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
55394+ break;
55395+ case GR_FILENAME_TWO_INT:
55396+ dentry = va_arg(ap, struct dentry *);
55397+ mnt = va_arg(ap, struct vfsmount *);
55398+ num1 = va_arg(ap, int);
55399+ num2 = va_arg(ap, int);
55400+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
55401+ break;
55402+ case GR_FILENAME_TWO_INT_STR:
55403+ dentry = va_arg(ap, struct dentry *);
55404+ mnt = va_arg(ap, struct vfsmount *);
55405+ num1 = va_arg(ap, int);
55406+ num2 = va_arg(ap, int);
55407+ str1 = va_arg(ap, char *);
55408+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
55409+ break;
55410+ case GR_TEXTREL:
55411+ file = va_arg(ap, struct file *);
55412+ ulong1 = va_arg(ap, unsigned long);
55413+ ulong2 = va_arg(ap, unsigned long);
55414+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
55415+ break;
55416+ case GR_PTRACE:
55417+ task = va_arg(ap, struct task_struct *);
55418+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
55419+ break;
55420+ case GR_RESOURCE:
55421+ task = va_arg(ap, struct task_struct *);
55422+ cred = __task_cred(task);
55423+ pcred = __task_cred(task->real_parent);
55424+ ulong1 = va_arg(ap, unsigned long);
55425+ str1 = va_arg(ap, char *);
55426+ ulong2 = va_arg(ap, unsigned long);
55427+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
55428+ break;
55429+ case GR_CAP:
55430+ task = va_arg(ap, struct task_struct *);
55431+ cred = __task_cred(task);
55432+ pcred = __task_cred(task->real_parent);
55433+ str1 = va_arg(ap, char *);
55434+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
55435+ break;
55436+ case GR_SIG:
55437+ str1 = va_arg(ap, char *);
55438+ voidptr = va_arg(ap, void *);
55439+ gr_log_middle_varargs(audit, msg, str1, voidptr);
55440+ break;
55441+ case GR_SIG2:
55442+ task = va_arg(ap, struct task_struct *);
55443+ cred = __task_cred(task);
55444+ pcred = __task_cred(task->real_parent);
55445+ num1 = va_arg(ap, int);
55446+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
55447+ break;
55448+ case GR_CRASH1:
55449+ task = va_arg(ap, struct task_struct *);
55450+ cred = __task_cred(task);
55451+ pcred = __task_cred(task->real_parent);
55452+ ulong1 = va_arg(ap, unsigned long);
55453+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
55454+ break;
55455+ case GR_CRASH2:
55456+ task = va_arg(ap, struct task_struct *);
55457+ cred = __task_cred(task);
55458+ pcred = __task_cred(task->real_parent);
55459+ ulong1 = va_arg(ap, unsigned long);
55460+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
55461+ break;
55462+ case GR_RWXMAP:
55463+ file = va_arg(ap, struct file *);
55464+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
55465+ break;
55466+ case GR_PSACCT:
55467+ {
55468+ unsigned int wday, cday;
55469+ __u8 whr, chr;
55470+ __u8 wmin, cmin;
55471+ __u8 wsec, csec;
55472+ char cur_tty[64] = { 0 };
55473+ char parent_tty[64] = { 0 };
55474+
55475+ task = va_arg(ap, struct task_struct *);
55476+ wday = va_arg(ap, unsigned int);
55477+ cday = va_arg(ap, unsigned int);
55478+ whr = va_arg(ap, int);
55479+ chr = va_arg(ap, int);
55480+ wmin = va_arg(ap, int);
55481+ cmin = va_arg(ap, int);
55482+ wsec = va_arg(ap, int);
55483+ csec = va_arg(ap, int);
55484+ ulong1 = va_arg(ap, unsigned long);
55485+ cred = __task_cred(task);
55486+ pcred = __task_cred(task->real_parent);
55487+
55488+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
55489+ }
55490+ break;
55491+ default:
55492+ gr_log_middle(audit, msg, ap);
55493+ }
55494+ va_end(ap);
55495+ gr_log_end(audit);
55496+ END_LOCKS(audit);
55497+}
55498diff -urNp linux-3.0.7/grsecurity/grsec_mem.c linux-3.0.7/grsecurity/grsec_mem.c
55499--- linux-3.0.7/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
55500+++ linux-3.0.7/grsecurity/grsec_mem.c 2011-08-23 21:48:14.000000000 -0400
55501@@ -0,0 +1,33 @@
55502+#include <linux/kernel.h>
55503+#include <linux/sched.h>
55504+#include <linux/mm.h>
55505+#include <linux/mman.h>
55506+#include <linux/grinternal.h>
55507+
55508+void
55509+gr_handle_ioperm(void)
55510+{
55511+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
55512+ return;
55513+}
55514+
55515+void
55516+gr_handle_iopl(void)
55517+{
55518+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
55519+ return;
55520+}
55521+
55522+void
55523+gr_handle_mem_readwrite(u64 from, u64 to)
55524+{
55525+ gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
55526+ return;
55527+}
55528+
55529+void
55530+gr_handle_vm86(void)
55531+{
55532+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
55533+ return;
55534+}
55535diff -urNp linux-3.0.7/grsecurity/grsec_mount.c linux-3.0.7/grsecurity/grsec_mount.c
55536--- linux-3.0.7/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
55537+++ linux-3.0.7/grsecurity/grsec_mount.c 2011-08-23 21:48:14.000000000 -0400
55538@@ -0,0 +1,62 @@
55539+#include <linux/kernel.h>
55540+#include <linux/sched.h>
55541+#include <linux/mount.h>
55542+#include <linux/grsecurity.h>
55543+#include <linux/grinternal.h>
55544+
55545+void
55546+gr_log_remount(const char *devname, const int retval)
55547+{
55548+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
55549+ if (grsec_enable_mount && (retval >= 0))
55550+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
55551+#endif
55552+ return;
55553+}
55554+
55555+void
55556+gr_log_unmount(const char *devname, const int retval)
55557+{
55558+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
55559+ if (grsec_enable_mount && (retval >= 0))
55560+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
55561+#endif
55562+ return;
55563+}
55564+
55565+void
55566+gr_log_mount(const char *from, const char *to, const int retval)
55567+{
55568+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
55569+ if (grsec_enable_mount && (retval >= 0))
55570+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
55571+#endif
55572+ return;
55573+}
55574+
55575+int
55576+gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
55577+{
55578+#ifdef CONFIG_GRKERNSEC_ROFS
55579+ if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
55580+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
55581+ return -EPERM;
55582+ } else
55583+ return 0;
55584+#endif
55585+ return 0;
55586+}
55587+
55588+int
55589+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
55590+{
55591+#ifdef CONFIG_GRKERNSEC_ROFS
55592+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
55593+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
55594+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
55595+ return -EPERM;
55596+ } else
55597+ return 0;
55598+#endif
55599+ return 0;
55600+}
55601diff -urNp linux-3.0.7/grsecurity/grsec_pax.c linux-3.0.7/grsecurity/grsec_pax.c
55602--- linux-3.0.7/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
55603+++ linux-3.0.7/grsecurity/grsec_pax.c 2011-08-23 21:48:14.000000000 -0400
55604@@ -0,0 +1,36 @@
55605+#include <linux/kernel.h>
55606+#include <linux/sched.h>
55607+#include <linux/mm.h>
55608+#include <linux/file.h>
55609+#include <linux/grinternal.h>
55610+#include <linux/grsecurity.h>
55611+
55612+void
55613+gr_log_textrel(struct vm_area_struct * vma)
55614+{
55615+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
55616+ if (grsec_enable_audit_textrel)
55617+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
55618+#endif
55619+ return;
55620+}
55621+
55622+void
55623+gr_log_rwxmmap(struct file *file)
55624+{
55625+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
55626+ if (grsec_enable_log_rwxmaps)
55627+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
55628+#endif
55629+ return;
55630+}
55631+
55632+void
55633+gr_log_rwxmprotect(struct file *file)
55634+{
55635+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
55636+ if (grsec_enable_log_rwxmaps)
55637+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
55638+#endif
55639+ return;
55640+}
55641diff -urNp linux-3.0.7/grsecurity/grsec_ptrace.c linux-3.0.7/grsecurity/grsec_ptrace.c
55642--- linux-3.0.7/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
55643+++ linux-3.0.7/grsecurity/grsec_ptrace.c 2011-08-23 21:48:14.000000000 -0400
55644@@ -0,0 +1,14 @@
55645+#include <linux/kernel.h>
55646+#include <linux/sched.h>
55647+#include <linux/grinternal.h>
55648+#include <linux/grsecurity.h>
55649+
55650+void
55651+gr_audit_ptrace(struct task_struct *task)
55652+{
55653+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
55654+ if (grsec_enable_audit_ptrace)
55655+ gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
55656+#endif
55657+ return;
55658+}
55659diff -urNp linux-3.0.7/grsecurity/grsec_sig.c linux-3.0.7/grsecurity/grsec_sig.c
55660--- linux-3.0.7/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
55661+++ linux-3.0.7/grsecurity/grsec_sig.c 2011-08-23 21:48:14.000000000 -0400
55662@@ -0,0 +1,206 @@
55663+#include <linux/kernel.h>
55664+#include <linux/sched.h>
55665+#include <linux/delay.h>
55666+#include <linux/grsecurity.h>
55667+#include <linux/grinternal.h>
55668+#include <linux/hardirq.h>
55669+
55670+char *signames[] = {
55671+ [SIGSEGV] = "Segmentation fault",
55672+ [SIGILL] = "Illegal instruction",
55673+ [SIGABRT] = "Abort",
55674+ [SIGBUS] = "Invalid alignment/Bus error"
55675+};
55676+
55677+void
55678+gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
55679+{
55680+#ifdef CONFIG_GRKERNSEC_SIGNAL
55681+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
55682+ (sig == SIGABRT) || (sig == SIGBUS))) {
55683+ if (t->pid == current->pid) {
55684+ gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
55685+ } else {
55686+ gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
55687+ }
55688+ }
55689+#endif
55690+ return;
55691+}
55692+
55693+int
55694+gr_handle_signal(const struct task_struct *p, const int sig)
55695+{
55696+#ifdef CONFIG_GRKERNSEC
55697+ if (current->pid > 1 && gr_check_protected_task(p)) {
55698+ gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
55699+ return -EPERM;
55700+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
55701+ return -EPERM;
55702+ }
55703+#endif
55704+ return 0;
55705+}
55706+
55707+#ifdef CONFIG_GRKERNSEC
55708+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
55709+
55710+int gr_fake_force_sig(int sig, struct task_struct *t)
55711+{
55712+ unsigned long int flags;
55713+ int ret, blocked, ignored;
55714+ struct k_sigaction *action;
55715+
55716+ spin_lock_irqsave(&t->sighand->siglock, flags);
55717+ action = &t->sighand->action[sig-1];
55718+ ignored = action->sa.sa_handler == SIG_IGN;
55719+ blocked = sigismember(&t->blocked, sig);
55720+ if (blocked || ignored) {
55721+ action->sa.sa_handler = SIG_DFL;
55722+ if (blocked) {
55723+ sigdelset(&t->blocked, sig);
55724+ recalc_sigpending_and_wake(t);
55725+ }
55726+ }
55727+ if (action->sa.sa_handler == SIG_DFL)
55728+ t->signal->flags &= ~SIGNAL_UNKILLABLE;
55729+ ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
55730+
55731+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
55732+
55733+ return ret;
55734+}
55735+#endif
55736+
55737+#ifdef CONFIG_GRKERNSEC_BRUTE
55738+#define GR_USER_BAN_TIME (15 * 60)
55739+
55740+static int __get_dumpable(unsigned long mm_flags)
55741+{
55742+ int ret;
55743+
55744+ ret = mm_flags & MMF_DUMPABLE_MASK;
55745+ return (ret >= 2) ? 2 : ret;
55746+}
55747+#endif
55748+
55749+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
55750+{
55751+#ifdef CONFIG_GRKERNSEC_BRUTE
55752+ uid_t uid = 0;
55753+
55754+ if (!grsec_enable_brute)
55755+ return;
55756+
55757+ rcu_read_lock();
55758+ read_lock(&tasklist_lock);
55759+ read_lock(&grsec_exec_file_lock);
55760+ if (p->real_parent && p->real_parent->exec_file == p->exec_file)
55761+ p->real_parent->brute = 1;
55762+ else {
55763+ const struct cred *cred = __task_cred(p), *cred2;
55764+ struct task_struct *tsk, *tsk2;
55765+
55766+ if (!__get_dumpable(mm_flags) && cred->uid) {
55767+ struct user_struct *user;
55768+
55769+ uid = cred->uid;
55770+
55771+ /* this is put upon execution past expiration */
55772+ user = find_user(uid);
55773+ if (user == NULL)
55774+ goto unlock;
55775+ user->banned = 1;
55776+ user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
55777+ if (user->ban_expires == ~0UL)
55778+ user->ban_expires--;
55779+
55780+ do_each_thread(tsk2, tsk) {
55781+ cred2 = __task_cred(tsk);
55782+ if (tsk != p && cred2->uid == uid)
55783+ gr_fake_force_sig(SIGKILL, tsk);
55784+ } while_each_thread(tsk2, tsk);
55785+ }
55786+ }
55787+unlock:
55788+ read_unlock(&grsec_exec_file_lock);
55789+ read_unlock(&tasklist_lock);
55790+ rcu_read_unlock();
55791+
55792+ if (uid)
55793+ printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
55794+
55795+#endif
55796+ return;
55797+}
55798+
55799+void gr_handle_brute_check(void)
55800+{
55801+#ifdef CONFIG_GRKERNSEC_BRUTE
55802+ if (current->brute)
55803+ msleep(30 * 1000);
55804+#endif
55805+ return;
55806+}
55807+
55808+void gr_handle_kernel_exploit(void)
55809+{
55810+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
55811+ const struct cred *cred;
55812+ struct task_struct *tsk, *tsk2;
55813+ struct user_struct *user;
55814+ uid_t uid;
55815+
55816+ if (in_irq() || in_serving_softirq() || in_nmi())
55817+ panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
55818+
55819+ uid = current_uid();
55820+
55821+ if (uid == 0)
55822+ panic("grsec: halting the system due to suspicious kernel crash caused by root");
55823+ else {
55824+ /* kill all the processes of this user, hold a reference
55825+ to their creds struct, and prevent them from creating
55826+ another process until system reset
55827+ */
55828+ printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
55829+ /* we intentionally leak this ref */
55830+ user = get_uid(current->cred->user);
55831+ if (user) {
55832+ user->banned = 1;
55833+ user->ban_expires = ~0UL;
55834+ }
55835+
55836+ read_lock(&tasklist_lock);
55837+ do_each_thread(tsk2, tsk) {
55838+ cred = __task_cred(tsk);
55839+ if (cred->uid == uid)
55840+ gr_fake_force_sig(SIGKILL, tsk);
55841+ } while_each_thread(tsk2, tsk);
55842+ read_unlock(&tasklist_lock);
55843+ }
55844+#endif
55845+}
55846+
55847+int __gr_process_user_ban(struct user_struct *user)
55848+{
55849+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
55850+ if (unlikely(user->banned)) {
55851+ if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
55852+ user->banned = 0;
55853+ user->ban_expires = 0;
55854+ free_uid(user);
55855+ } else
55856+ return -EPERM;
55857+ }
55858+#endif
55859+ return 0;
55860+}
55861+
55862+int gr_process_user_ban(void)
55863+{
55864+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
55865+ return __gr_process_user_ban(current->cred->user);
55866+#endif
55867+ return 0;
55868+}
55869diff -urNp linux-3.0.7/grsecurity/grsec_sock.c linux-3.0.7/grsecurity/grsec_sock.c
55870--- linux-3.0.7/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
55871+++ linux-3.0.7/grsecurity/grsec_sock.c 2011-08-23 21:48:14.000000000 -0400
55872@@ -0,0 +1,244 @@
55873+#include <linux/kernel.h>
55874+#include <linux/module.h>
55875+#include <linux/sched.h>
55876+#include <linux/file.h>
55877+#include <linux/net.h>
55878+#include <linux/in.h>
55879+#include <linux/ip.h>
55880+#include <net/sock.h>
55881+#include <net/inet_sock.h>
55882+#include <linux/grsecurity.h>
55883+#include <linux/grinternal.h>
55884+#include <linux/gracl.h>
55885+
55886+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
55887+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
55888+
55889+EXPORT_SYMBOL(gr_search_udp_recvmsg);
55890+EXPORT_SYMBOL(gr_search_udp_sendmsg);
55891+
55892+#ifdef CONFIG_UNIX_MODULE
55893+EXPORT_SYMBOL(gr_acl_handle_unix);
55894+EXPORT_SYMBOL(gr_acl_handle_mknod);
55895+EXPORT_SYMBOL(gr_handle_chroot_unix);
55896+EXPORT_SYMBOL(gr_handle_create);
55897+#endif
55898+
55899+#ifdef CONFIG_GRKERNSEC
55900+#define gr_conn_table_size 32749
55901+struct conn_table_entry {
55902+ struct conn_table_entry *next;
55903+ struct signal_struct *sig;
55904+};
55905+
55906+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
55907+DEFINE_SPINLOCK(gr_conn_table_lock);
55908+
55909+extern const char * gr_socktype_to_name(unsigned char type);
55910+extern const char * gr_proto_to_name(unsigned char proto);
55911+extern const char * gr_sockfamily_to_name(unsigned char family);
55912+
55913+static __inline__ int
55914+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
55915+{
55916+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
55917+}
55918+
55919+static __inline__ int
55920+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
55921+ __u16 sport, __u16 dport)
55922+{
55923+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
55924+ sig->gr_sport == sport && sig->gr_dport == dport))
55925+ return 1;
55926+ else
55927+ return 0;
55928+}
55929+
55930+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
55931+{
55932+ struct conn_table_entry **match;
55933+ unsigned int index;
55934+
55935+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
55936+ sig->gr_sport, sig->gr_dport,
55937+ gr_conn_table_size);
55938+
55939+ newent->sig = sig;
55940+
55941+ match = &gr_conn_table[index];
55942+ newent->next = *match;
55943+ *match = newent;
55944+
55945+ return;
55946+}
55947+
55948+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
55949+{
55950+ struct conn_table_entry *match, *last = NULL;
55951+ unsigned int index;
55952+
55953+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
55954+ sig->gr_sport, sig->gr_dport,
55955+ gr_conn_table_size);
55956+
55957+ match = gr_conn_table[index];
55958+ while (match && !conn_match(match->sig,
55959+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
55960+ sig->gr_dport)) {
55961+ last = match;
55962+ match = match->next;
55963+ }
55964+
55965+ if (match) {
55966+ if (last)
55967+ last->next = match->next;
55968+ else
55969+ gr_conn_table[index] = NULL;
55970+ kfree(match);
55971+ }
55972+
55973+ return;
55974+}
55975+
55976+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
55977+ __u16 sport, __u16 dport)
55978+{
55979+ struct conn_table_entry *match;
55980+ unsigned int index;
55981+
55982+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
55983+
55984+ match = gr_conn_table[index];
55985+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
55986+ match = match->next;
55987+
55988+ if (match)
55989+ return match->sig;
55990+ else
55991+ return NULL;
55992+}
55993+
55994+#endif
55995+
55996+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
55997+{
55998+#ifdef CONFIG_GRKERNSEC
55999+ struct signal_struct *sig = task->signal;
56000+ struct conn_table_entry *newent;
56001+
56002+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
56003+ if (newent == NULL)
56004+ return;
56005+ /* no bh lock needed since we are called with bh disabled */
56006+ spin_lock(&gr_conn_table_lock);
56007+ gr_del_task_from_ip_table_nolock(sig);
56008+ sig->gr_saddr = inet->inet_rcv_saddr;
56009+ sig->gr_daddr = inet->inet_daddr;
56010+ sig->gr_sport = inet->inet_sport;
56011+ sig->gr_dport = inet->inet_dport;
56012+ gr_add_to_task_ip_table_nolock(sig, newent);
56013+ spin_unlock(&gr_conn_table_lock);
56014+#endif
56015+ return;
56016+}
56017+
56018+void gr_del_task_from_ip_table(struct task_struct *task)
56019+{
56020+#ifdef CONFIG_GRKERNSEC
56021+ spin_lock_bh(&gr_conn_table_lock);
56022+ gr_del_task_from_ip_table_nolock(task->signal);
56023+ spin_unlock_bh(&gr_conn_table_lock);
56024+#endif
56025+ return;
56026+}
56027+
56028+void
56029+gr_attach_curr_ip(const struct sock *sk)
56030+{
56031+#ifdef CONFIG_GRKERNSEC
56032+ struct signal_struct *p, *set;
56033+ const struct inet_sock *inet = inet_sk(sk);
56034+
56035+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
56036+ return;
56037+
56038+ set = current->signal;
56039+
56040+ spin_lock_bh(&gr_conn_table_lock);
56041+ p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
56042+ inet->inet_dport, inet->inet_sport);
56043+ if (unlikely(p != NULL)) {
56044+ set->curr_ip = p->curr_ip;
56045+ set->used_accept = 1;
56046+ gr_del_task_from_ip_table_nolock(p);
56047+ spin_unlock_bh(&gr_conn_table_lock);
56048+ return;
56049+ }
56050+ spin_unlock_bh(&gr_conn_table_lock);
56051+
56052+ set->curr_ip = inet->inet_daddr;
56053+ set->used_accept = 1;
56054+#endif
56055+ return;
56056+}
56057+
56058+int
56059+gr_handle_sock_all(const int family, const int type, const int protocol)
56060+{
56061+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
56062+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
56063+ (family != AF_UNIX)) {
56064+ if (family == AF_INET)
56065+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
56066+ else
56067+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
56068+ return -EACCES;
56069+ }
56070+#endif
56071+ return 0;
56072+}
56073+
56074+int
56075+gr_handle_sock_server(const struct sockaddr *sck)
56076+{
56077+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
56078+ if (grsec_enable_socket_server &&
56079+ in_group_p(grsec_socket_server_gid) &&
56080+ sck && (sck->sa_family != AF_UNIX) &&
56081+ (sck->sa_family != AF_LOCAL)) {
56082+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
56083+ return -EACCES;
56084+ }
56085+#endif
56086+ return 0;
56087+}
56088+
56089+int
56090+gr_handle_sock_server_other(const struct sock *sck)
56091+{
56092+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
56093+ if (grsec_enable_socket_server &&
56094+ in_group_p(grsec_socket_server_gid) &&
56095+ sck && (sck->sk_family != AF_UNIX) &&
56096+ (sck->sk_family != AF_LOCAL)) {
56097+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
56098+ return -EACCES;
56099+ }
56100+#endif
56101+ return 0;
56102+}
56103+
56104+int
56105+gr_handle_sock_client(const struct sockaddr *sck)
56106+{
56107+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
56108+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
56109+ sck && (sck->sa_family != AF_UNIX) &&
56110+ (sck->sa_family != AF_LOCAL)) {
56111+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
56112+ return -EACCES;
56113+ }
56114+#endif
56115+ return 0;
56116+}
56117diff -urNp linux-3.0.7/grsecurity/grsec_sysctl.c linux-3.0.7/grsecurity/grsec_sysctl.c
56118--- linux-3.0.7/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
56119+++ linux-3.0.7/grsecurity/grsec_sysctl.c 2011-08-25 17:26:15.000000000 -0400
56120@@ -0,0 +1,433 @@
56121+#include <linux/kernel.h>
56122+#include <linux/sched.h>
56123+#include <linux/sysctl.h>
56124+#include <linux/grsecurity.h>
56125+#include <linux/grinternal.h>
56126+
56127+int
56128+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
56129+{
56130+#ifdef CONFIG_GRKERNSEC_SYSCTL
56131+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
56132+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
56133+ return -EACCES;
56134+ }
56135+#endif
56136+ return 0;
56137+}
56138+
56139+#ifdef CONFIG_GRKERNSEC_ROFS
56140+static int __maybe_unused one = 1;
56141+#endif
56142+
56143+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
56144+struct ctl_table grsecurity_table[] = {
56145+#ifdef CONFIG_GRKERNSEC_SYSCTL
56146+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
56147+#ifdef CONFIG_GRKERNSEC_IO
56148+ {
56149+ .procname = "disable_priv_io",
56150+ .data = &grsec_disable_privio,
56151+ .maxlen = sizeof(int),
56152+ .mode = 0600,
56153+ .proc_handler = &proc_dointvec,
56154+ },
56155+#endif
56156+#endif
56157+#ifdef CONFIG_GRKERNSEC_LINK
56158+ {
56159+ .procname = "linking_restrictions",
56160+ .data = &grsec_enable_link,
56161+ .maxlen = sizeof(int),
56162+ .mode = 0600,
56163+ .proc_handler = &proc_dointvec,
56164+ },
56165+#endif
56166+#ifdef CONFIG_GRKERNSEC_BRUTE
56167+ {
56168+ .procname = "deter_bruteforce",
56169+ .data = &grsec_enable_brute,
56170+ .maxlen = sizeof(int),
56171+ .mode = 0600,
56172+ .proc_handler = &proc_dointvec,
56173+ },
56174+#endif
56175+#ifdef CONFIG_GRKERNSEC_FIFO
56176+ {
56177+ .procname = "fifo_restrictions",
56178+ .data = &grsec_enable_fifo,
56179+ .maxlen = sizeof(int),
56180+ .mode = 0600,
56181+ .proc_handler = &proc_dointvec,
56182+ },
56183+#endif
56184+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56185+ {
56186+ .procname = "ip_blackhole",
56187+ .data = &grsec_enable_blackhole,
56188+ .maxlen = sizeof(int),
56189+ .mode = 0600,
56190+ .proc_handler = &proc_dointvec,
56191+ },
56192+ {
56193+ .procname = "lastack_retries",
56194+ .data = &grsec_lastack_retries,
56195+ .maxlen = sizeof(int),
56196+ .mode = 0600,
56197+ .proc_handler = &proc_dointvec,
56198+ },
56199+#endif
56200+#ifdef CONFIG_GRKERNSEC_EXECLOG
56201+ {
56202+ .procname = "exec_logging",
56203+ .data = &grsec_enable_execlog,
56204+ .maxlen = sizeof(int),
56205+ .mode = 0600,
56206+ .proc_handler = &proc_dointvec,
56207+ },
56208+#endif
56209+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
56210+ {
56211+ .procname = "rwxmap_logging",
56212+ .data = &grsec_enable_log_rwxmaps,
56213+ .maxlen = sizeof(int),
56214+ .mode = 0600,
56215+ .proc_handler = &proc_dointvec,
56216+ },
56217+#endif
56218+#ifdef CONFIG_GRKERNSEC_SIGNAL
56219+ {
56220+ .procname = "signal_logging",
56221+ .data = &grsec_enable_signal,
56222+ .maxlen = sizeof(int),
56223+ .mode = 0600,
56224+ .proc_handler = &proc_dointvec,
56225+ },
56226+#endif
56227+#ifdef CONFIG_GRKERNSEC_FORKFAIL
56228+ {
56229+ .procname = "forkfail_logging",
56230+ .data = &grsec_enable_forkfail,
56231+ .maxlen = sizeof(int),
56232+ .mode = 0600,
56233+ .proc_handler = &proc_dointvec,
56234+ },
56235+#endif
56236+#ifdef CONFIG_GRKERNSEC_TIME
56237+ {
56238+ .procname = "timechange_logging",
56239+ .data = &grsec_enable_time,
56240+ .maxlen = sizeof(int),
56241+ .mode = 0600,
56242+ .proc_handler = &proc_dointvec,
56243+ },
56244+#endif
56245+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
56246+ {
56247+ .procname = "chroot_deny_shmat",
56248+ .data = &grsec_enable_chroot_shmat,
56249+ .maxlen = sizeof(int),
56250+ .mode = 0600,
56251+ .proc_handler = &proc_dointvec,
56252+ },
56253+#endif
56254+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
56255+ {
56256+ .procname = "chroot_deny_unix",
56257+ .data = &grsec_enable_chroot_unix,
56258+ .maxlen = sizeof(int),
56259+ .mode = 0600,
56260+ .proc_handler = &proc_dointvec,
56261+ },
56262+#endif
56263+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
56264+ {
56265+ .procname = "chroot_deny_mount",
56266+ .data = &grsec_enable_chroot_mount,
56267+ .maxlen = sizeof(int),
56268+ .mode = 0600,
56269+ .proc_handler = &proc_dointvec,
56270+ },
56271+#endif
56272+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
56273+ {
56274+ .procname = "chroot_deny_fchdir",
56275+ .data = &grsec_enable_chroot_fchdir,
56276+ .maxlen = sizeof(int),
56277+ .mode = 0600,
56278+ .proc_handler = &proc_dointvec,
56279+ },
56280+#endif
56281+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
56282+ {
56283+ .procname = "chroot_deny_chroot",
56284+ .data = &grsec_enable_chroot_double,
56285+ .maxlen = sizeof(int),
56286+ .mode = 0600,
56287+ .proc_handler = &proc_dointvec,
56288+ },
56289+#endif
56290+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
56291+ {
56292+ .procname = "chroot_deny_pivot",
56293+ .data = &grsec_enable_chroot_pivot,
56294+ .maxlen = sizeof(int),
56295+ .mode = 0600,
56296+ .proc_handler = &proc_dointvec,
56297+ },
56298+#endif
56299+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
56300+ {
56301+ .procname = "chroot_enforce_chdir",
56302+ .data = &grsec_enable_chroot_chdir,
56303+ .maxlen = sizeof(int),
56304+ .mode = 0600,
56305+ .proc_handler = &proc_dointvec,
56306+ },
56307+#endif
56308+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
56309+ {
56310+ .procname = "chroot_deny_chmod",
56311+ .data = &grsec_enable_chroot_chmod,
56312+ .maxlen = sizeof(int),
56313+ .mode = 0600,
56314+ .proc_handler = &proc_dointvec,
56315+ },
56316+#endif
56317+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
56318+ {
56319+ .procname = "chroot_deny_mknod",
56320+ .data = &grsec_enable_chroot_mknod,
56321+ .maxlen = sizeof(int),
56322+ .mode = 0600,
56323+ .proc_handler = &proc_dointvec,
56324+ },
56325+#endif
56326+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
56327+ {
56328+ .procname = "chroot_restrict_nice",
56329+ .data = &grsec_enable_chroot_nice,
56330+ .maxlen = sizeof(int),
56331+ .mode = 0600,
56332+ .proc_handler = &proc_dointvec,
56333+ },
56334+#endif
56335+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
56336+ {
56337+ .procname = "chroot_execlog",
56338+ .data = &grsec_enable_chroot_execlog,
56339+ .maxlen = sizeof(int),
56340+ .mode = 0600,
56341+ .proc_handler = &proc_dointvec,
56342+ },
56343+#endif
56344+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
56345+ {
56346+ .procname = "chroot_caps",
56347+ .data = &grsec_enable_chroot_caps,
56348+ .maxlen = sizeof(int),
56349+ .mode = 0600,
56350+ .proc_handler = &proc_dointvec,
56351+ },
56352+#endif
56353+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
56354+ {
56355+ .procname = "chroot_deny_sysctl",
56356+ .data = &grsec_enable_chroot_sysctl,
56357+ .maxlen = sizeof(int),
56358+ .mode = 0600,
56359+ .proc_handler = &proc_dointvec,
56360+ },
56361+#endif
56362+#ifdef CONFIG_GRKERNSEC_TPE
56363+ {
56364+ .procname = "tpe",
56365+ .data = &grsec_enable_tpe,
56366+ .maxlen = sizeof(int),
56367+ .mode = 0600,
56368+ .proc_handler = &proc_dointvec,
56369+ },
56370+ {
56371+ .procname = "tpe_gid",
56372+ .data = &grsec_tpe_gid,
56373+ .maxlen = sizeof(int),
56374+ .mode = 0600,
56375+ .proc_handler = &proc_dointvec,
56376+ },
56377+#endif
56378+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
56379+ {
56380+ .procname = "tpe_invert",
56381+ .data = &grsec_enable_tpe_invert,
56382+ .maxlen = sizeof(int),
56383+ .mode = 0600,
56384+ .proc_handler = &proc_dointvec,
56385+ },
56386+#endif
56387+#ifdef CONFIG_GRKERNSEC_TPE_ALL
56388+ {
56389+ .procname = "tpe_restrict_all",
56390+ .data = &grsec_enable_tpe_all,
56391+ .maxlen = sizeof(int),
56392+ .mode = 0600,
56393+ .proc_handler = &proc_dointvec,
56394+ },
56395+#endif
56396+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
56397+ {
56398+ .procname = "socket_all",
56399+ .data = &grsec_enable_socket_all,
56400+ .maxlen = sizeof(int),
56401+ .mode = 0600,
56402+ .proc_handler = &proc_dointvec,
56403+ },
56404+ {
56405+ .procname = "socket_all_gid",
56406+ .data = &grsec_socket_all_gid,
56407+ .maxlen = sizeof(int),
56408+ .mode = 0600,
56409+ .proc_handler = &proc_dointvec,
56410+ },
56411+#endif
56412+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
56413+ {
56414+ .procname = "socket_client",
56415+ .data = &grsec_enable_socket_client,
56416+ .maxlen = sizeof(int),
56417+ .mode = 0600,
56418+ .proc_handler = &proc_dointvec,
56419+ },
56420+ {
56421+ .procname = "socket_client_gid",
56422+ .data = &grsec_socket_client_gid,
56423+ .maxlen = sizeof(int),
56424+ .mode = 0600,
56425+ .proc_handler = &proc_dointvec,
56426+ },
56427+#endif
56428+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
56429+ {
56430+ .procname = "socket_server",
56431+ .data = &grsec_enable_socket_server,
56432+ .maxlen = sizeof(int),
56433+ .mode = 0600,
56434+ .proc_handler = &proc_dointvec,
56435+ },
56436+ {
56437+ .procname = "socket_server_gid",
56438+ .data = &grsec_socket_server_gid,
56439+ .maxlen = sizeof(int),
56440+ .mode = 0600,
56441+ .proc_handler = &proc_dointvec,
56442+ },
56443+#endif
56444+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
56445+ {
56446+ .procname = "audit_group",
56447+ .data = &grsec_enable_group,
56448+ .maxlen = sizeof(int),
56449+ .mode = 0600,
56450+ .proc_handler = &proc_dointvec,
56451+ },
56452+ {
56453+ .procname = "audit_gid",
56454+ .data = &grsec_audit_gid,
56455+ .maxlen = sizeof(int),
56456+ .mode = 0600,
56457+ .proc_handler = &proc_dointvec,
56458+ },
56459+#endif
56460+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
56461+ {
56462+ .procname = "audit_chdir",
56463+ .data = &grsec_enable_chdir,
56464+ .maxlen = sizeof(int),
56465+ .mode = 0600,
56466+ .proc_handler = &proc_dointvec,
56467+ },
56468+#endif
56469+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
56470+ {
56471+ .procname = "audit_mount",
56472+ .data = &grsec_enable_mount,
56473+ .maxlen = sizeof(int),
56474+ .mode = 0600,
56475+ .proc_handler = &proc_dointvec,
56476+ },
56477+#endif
56478+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
56479+ {
56480+ .procname = "audit_textrel",
56481+ .data = &grsec_enable_audit_textrel,
56482+ .maxlen = sizeof(int),
56483+ .mode = 0600,
56484+ .proc_handler = &proc_dointvec,
56485+ },
56486+#endif
56487+#ifdef CONFIG_GRKERNSEC_DMESG
56488+ {
56489+ .procname = "dmesg",
56490+ .data = &grsec_enable_dmesg,
56491+ .maxlen = sizeof(int),
56492+ .mode = 0600,
56493+ .proc_handler = &proc_dointvec,
56494+ },
56495+#endif
56496+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
56497+ {
56498+ .procname = "chroot_findtask",
56499+ .data = &grsec_enable_chroot_findtask,
56500+ .maxlen = sizeof(int),
56501+ .mode = 0600,
56502+ .proc_handler = &proc_dointvec,
56503+ },
56504+#endif
56505+#ifdef CONFIG_GRKERNSEC_RESLOG
56506+ {
56507+ .procname = "resource_logging",
56508+ .data = &grsec_resource_logging,
56509+ .maxlen = sizeof(int),
56510+ .mode = 0600,
56511+ .proc_handler = &proc_dointvec,
56512+ },
56513+#endif
56514+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
56515+ {
56516+ .procname = "audit_ptrace",
56517+ .data = &grsec_enable_audit_ptrace,
56518+ .maxlen = sizeof(int),
56519+ .mode = 0600,
56520+ .proc_handler = &proc_dointvec,
56521+ },
56522+#endif
56523+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
56524+ {
56525+ .procname = "harden_ptrace",
56526+ .data = &grsec_enable_harden_ptrace,
56527+ .maxlen = sizeof(int),
56528+ .mode = 0600,
56529+ .proc_handler = &proc_dointvec,
56530+ },
56531+#endif
56532+ {
56533+ .procname = "grsec_lock",
56534+ .data = &grsec_lock,
56535+ .maxlen = sizeof(int),
56536+ .mode = 0600,
56537+ .proc_handler = &proc_dointvec,
56538+ },
56539+#endif
56540+#ifdef CONFIG_GRKERNSEC_ROFS
56541+ {
56542+ .procname = "romount_protect",
56543+ .data = &grsec_enable_rofs,
56544+ .maxlen = sizeof(int),
56545+ .mode = 0600,
56546+ .proc_handler = &proc_dointvec_minmax,
56547+ .extra1 = &one,
56548+ .extra2 = &one,
56549+ },
56550+#endif
56551+ { }
56552+};
56553+#endif
56554diff -urNp linux-3.0.7/grsecurity/grsec_time.c linux-3.0.7/grsecurity/grsec_time.c
56555--- linux-3.0.7/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
56556+++ linux-3.0.7/grsecurity/grsec_time.c 2011-08-23 21:48:14.000000000 -0400
56557@@ -0,0 +1,16 @@
56558+#include <linux/kernel.h>
56559+#include <linux/sched.h>
56560+#include <linux/grinternal.h>
56561+#include <linux/module.h>
56562+
56563+void
56564+gr_log_timechange(void)
56565+{
56566+#ifdef CONFIG_GRKERNSEC_TIME
56567+ if (grsec_enable_time)
56568+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
56569+#endif
56570+ return;
56571+}
56572+
56573+EXPORT_SYMBOL(gr_log_timechange);
56574diff -urNp linux-3.0.7/grsecurity/grsec_tpe.c linux-3.0.7/grsecurity/grsec_tpe.c
56575--- linux-3.0.7/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
56576+++ linux-3.0.7/grsecurity/grsec_tpe.c 2011-08-23 21:48:14.000000000 -0400
56577@@ -0,0 +1,39 @@
56578+#include <linux/kernel.h>
56579+#include <linux/sched.h>
56580+#include <linux/file.h>
56581+#include <linux/fs.h>
56582+#include <linux/grinternal.h>
56583+
56584+extern int gr_acl_tpe_check(void);
56585+
56586+int
56587+gr_tpe_allow(const struct file *file)
56588+{
56589+#ifdef CONFIG_GRKERNSEC
56590+ struct inode *inode = file->f_path.dentry->d_parent->d_inode;
56591+ const struct cred *cred = current_cred();
56592+
56593+ if (cred->uid && ((grsec_enable_tpe &&
56594+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
56595+ ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
56596+ (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
56597+#else
56598+ in_group_p(grsec_tpe_gid)
56599+#endif
56600+ ) || gr_acl_tpe_check()) &&
56601+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
56602+ (inode->i_mode & S_IWOTH))))) {
56603+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
56604+ return 0;
56605+ }
56606+#ifdef CONFIG_GRKERNSEC_TPE_ALL
56607+ if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
56608+ ((inode->i_uid && (inode->i_uid != cred->uid)) ||
56609+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
56610+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
56611+ return 0;
56612+ }
56613+#endif
56614+#endif
56615+ return 1;
56616+}
56617diff -urNp linux-3.0.7/grsecurity/grsum.c linux-3.0.7/grsecurity/grsum.c
56618--- linux-3.0.7/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
56619+++ linux-3.0.7/grsecurity/grsum.c 2011-08-23 21:48:14.000000000 -0400
56620@@ -0,0 +1,61 @@
56621+#include <linux/err.h>
56622+#include <linux/kernel.h>
56623+#include <linux/sched.h>
56624+#include <linux/mm.h>
56625+#include <linux/scatterlist.h>
56626+#include <linux/crypto.h>
56627+#include <linux/gracl.h>
56628+
56629+
56630+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
56631+#error "crypto and sha256 must be built into the kernel"
56632+#endif
56633+
56634+int
56635+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
56636+{
56637+ char *p;
56638+ struct crypto_hash *tfm;
56639+ struct hash_desc desc;
56640+ struct scatterlist sg;
56641+ unsigned char temp_sum[GR_SHA_LEN];
56642+ volatile int retval = 0;
56643+ volatile int dummy = 0;
56644+ unsigned int i;
56645+
56646+ sg_init_table(&sg, 1);
56647+
56648+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
56649+ if (IS_ERR(tfm)) {
56650+ /* should never happen, since sha256 should be built in */
56651+ return 1;
56652+ }
56653+
56654+ desc.tfm = tfm;
56655+ desc.flags = 0;
56656+
56657+ crypto_hash_init(&desc);
56658+
56659+ p = salt;
56660+ sg_set_buf(&sg, p, GR_SALT_LEN);
56661+ crypto_hash_update(&desc, &sg, sg.length);
56662+
56663+ p = entry->pw;
56664+ sg_set_buf(&sg, p, strlen(p));
56665+
56666+ crypto_hash_update(&desc, &sg, sg.length);
56667+
56668+ crypto_hash_final(&desc, temp_sum);
56669+
56670+ memset(entry->pw, 0, GR_PW_LEN);
56671+
56672+ for (i = 0; i < GR_SHA_LEN; i++)
56673+ if (sum[i] != temp_sum[i])
56674+ retval = 1;
56675+ else
56676+ dummy = 1; // waste a cycle
56677+
56678+ crypto_free_hash(tfm);
56679+
56680+ return retval;
56681+}
56682diff -urNp linux-3.0.7/include/acpi/acpi_bus.h linux-3.0.7/include/acpi/acpi_bus.h
56683--- linux-3.0.7/include/acpi/acpi_bus.h 2011-07-21 22:17:23.000000000 -0400
56684+++ linux-3.0.7/include/acpi/acpi_bus.h 2011-08-23 21:47:56.000000000 -0400
56685@@ -107,7 +107,7 @@ struct acpi_device_ops {
56686 acpi_op_bind bind;
56687 acpi_op_unbind unbind;
56688 acpi_op_notify notify;
56689-};
56690+} __no_const;
56691
56692 #define ACPI_DRIVER_ALL_NOTIFY_EVENTS 0x1 /* system AND device events */
56693
56694diff -urNp linux-3.0.7/include/asm-generic/atomic-long.h linux-3.0.7/include/asm-generic/atomic-long.h
56695--- linux-3.0.7/include/asm-generic/atomic-long.h 2011-07-21 22:17:23.000000000 -0400
56696+++ linux-3.0.7/include/asm-generic/atomic-long.h 2011-08-23 21:47:56.000000000 -0400
56697@@ -22,6 +22,12 @@
56698
56699 typedef atomic64_t atomic_long_t;
56700
56701+#ifdef CONFIG_PAX_REFCOUNT
56702+typedef atomic64_unchecked_t atomic_long_unchecked_t;
56703+#else
56704+typedef atomic64_t atomic_long_unchecked_t;
56705+#endif
56706+
56707 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
56708
56709 static inline long atomic_long_read(atomic_long_t *l)
56710@@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
56711 return (long)atomic64_read(v);
56712 }
56713
56714+#ifdef CONFIG_PAX_REFCOUNT
56715+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
56716+{
56717+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56718+
56719+ return (long)atomic64_read_unchecked(v);
56720+}
56721+#endif
56722+
56723 static inline void atomic_long_set(atomic_long_t *l, long i)
56724 {
56725 atomic64_t *v = (atomic64_t *)l;
56726@@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
56727 atomic64_set(v, i);
56728 }
56729
56730+#ifdef CONFIG_PAX_REFCOUNT
56731+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
56732+{
56733+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56734+
56735+ atomic64_set_unchecked(v, i);
56736+}
56737+#endif
56738+
56739 static inline void atomic_long_inc(atomic_long_t *l)
56740 {
56741 atomic64_t *v = (atomic64_t *)l;
56742@@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
56743 atomic64_inc(v);
56744 }
56745
56746+#ifdef CONFIG_PAX_REFCOUNT
56747+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
56748+{
56749+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56750+
56751+ atomic64_inc_unchecked(v);
56752+}
56753+#endif
56754+
56755 static inline void atomic_long_dec(atomic_long_t *l)
56756 {
56757 atomic64_t *v = (atomic64_t *)l;
56758@@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
56759 atomic64_dec(v);
56760 }
56761
56762+#ifdef CONFIG_PAX_REFCOUNT
56763+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
56764+{
56765+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56766+
56767+ atomic64_dec_unchecked(v);
56768+}
56769+#endif
56770+
56771 static inline void atomic_long_add(long i, atomic_long_t *l)
56772 {
56773 atomic64_t *v = (atomic64_t *)l;
56774@@ -59,6 +101,15 @@ static inline void atomic_long_add(long
56775 atomic64_add(i, v);
56776 }
56777
56778+#ifdef CONFIG_PAX_REFCOUNT
56779+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
56780+{
56781+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56782+
56783+ atomic64_add_unchecked(i, v);
56784+}
56785+#endif
56786+
56787 static inline void atomic_long_sub(long i, atomic_long_t *l)
56788 {
56789 atomic64_t *v = (atomic64_t *)l;
56790@@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
56791 atomic64_sub(i, v);
56792 }
56793
56794+#ifdef CONFIG_PAX_REFCOUNT
56795+static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
56796+{
56797+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56798+
56799+ atomic64_sub_unchecked(i, v);
56800+}
56801+#endif
56802+
56803 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
56804 {
56805 atomic64_t *v = (atomic64_t *)l;
56806@@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
56807 return (long)atomic64_inc_return(v);
56808 }
56809
56810+#ifdef CONFIG_PAX_REFCOUNT
56811+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
56812+{
56813+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56814+
56815+ return (long)atomic64_inc_return_unchecked(v);
56816+}
56817+#endif
56818+
56819 static inline long atomic_long_dec_return(atomic_long_t *l)
56820 {
56821 atomic64_t *v = (atomic64_t *)l;
56822@@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
56823
56824 typedef atomic_t atomic_long_t;
56825
56826+#ifdef CONFIG_PAX_REFCOUNT
56827+typedef atomic_unchecked_t atomic_long_unchecked_t;
56828+#else
56829+typedef atomic_t atomic_long_unchecked_t;
56830+#endif
56831+
56832 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
56833 static inline long atomic_long_read(atomic_long_t *l)
56834 {
56835@@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
56836 return (long)atomic_read(v);
56837 }
56838
56839+#ifdef CONFIG_PAX_REFCOUNT
56840+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
56841+{
56842+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56843+
56844+ return (long)atomic_read_unchecked(v);
56845+}
56846+#endif
56847+
56848 static inline void atomic_long_set(atomic_long_t *l, long i)
56849 {
56850 atomic_t *v = (atomic_t *)l;
56851@@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
56852 atomic_set(v, i);
56853 }
56854
56855+#ifdef CONFIG_PAX_REFCOUNT
56856+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
56857+{
56858+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56859+
56860+ atomic_set_unchecked(v, i);
56861+}
56862+#endif
56863+
56864 static inline void atomic_long_inc(atomic_long_t *l)
56865 {
56866 atomic_t *v = (atomic_t *)l;
56867@@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
56868 atomic_inc(v);
56869 }
56870
56871+#ifdef CONFIG_PAX_REFCOUNT
56872+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
56873+{
56874+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56875+
56876+ atomic_inc_unchecked(v);
56877+}
56878+#endif
56879+
56880 static inline void atomic_long_dec(atomic_long_t *l)
56881 {
56882 atomic_t *v = (atomic_t *)l;
56883@@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
56884 atomic_dec(v);
56885 }
56886
56887+#ifdef CONFIG_PAX_REFCOUNT
56888+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
56889+{
56890+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56891+
56892+ atomic_dec_unchecked(v);
56893+}
56894+#endif
56895+
56896 static inline void atomic_long_add(long i, atomic_long_t *l)
56897 {
56898 atomic_t *v = (atomic_t *)l;
56899@@ -176,6 +287,15 @@ static inline void atomic_long_add(long
56900 atomic_add(i, v);
56901 }
56902
56903+#ifdef CONFIG_PAX_REFCOUNT
56904+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
56905+{
56906+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56907+
56908+ atomic_add_unchecked(i, v);
56909+}
56910+#endif
56911+
56912 static inline void atomic_long_sub(long i, atomic_long_t *l)
56913 {
56914 atomic_t *v = (atomic_t *)l;
56915@@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
56916 atomic_sub(i, v);
56917 }
56918
56919+#ifdef CONFIG_PAX_REFCOUNT
56920+static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
56921+{
56922+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56923+
56924+ atomic_sub_unchecked(i, v);
56925+}
56926+#endif
56927+
56928 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
56929 {
56930 atomic_t *v = (atomic_t *)l;
56931@@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
56932 return (long)atomic_inc_return(v);
56933 }
56934
56935+#ifdef CONFIG_PAX_REFCOUNT
56936+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
56937+{
56938+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56939+
56940+ return (long)atomic_inc_return_unchecked(v);
56941+}
56942+#endif
56943+
56944 static inline long atomic_long_dec_return(atomic_long_t *l)
56945 {
56946 atomic_t *v = (atomic_t *)l;
56947@@ -255,4 +393,49 @@ static inline long atomic_long_add_unles
56948
56949 #endif /* BITS_PER_LONG == 64 */
56950
56951+#ifdef CONFIG_PAX_REFCOUNT
56952+static inline void pax_refcount_needs_these_functions(void)
56953+{
56954+ atomic_read_unchecked((atomic_unchecked_t *)NULL);
56955+ atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
56956+ atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
56957+ atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
56958+ atomic_inc_unchecked((atomic_unchecked_t *)NULL);
56959+ (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
56960+ atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
56961+ atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
56962+ atomic_dec_unchecked((atomic_unchecked_t *)NULL);
56963+ atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
56964+ (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
56965+
56966+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
56967+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
56968+ atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
56969+ atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
56970+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
56971+ atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
56972+ atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
56973+}
56974+#else
56975+#define atomic_read_unchecked(v) atomic_read(v)
56976+#define atomic_set_unchecked(v, i) atomic_set((v), (i))
56977+#define atomic_add_unchecked(i, v) atomic_add((i), (v))
56978+#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
56979+#define atomic_inc_unchecked(v) atomic_inc(v)
56980+#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
56981+#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
56982+#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
56983+#define atomic_dec_unchecked(v) atomic_dec(v)
56984+#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
56985+#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
56986+
56987+#define atomic_long_read_unchecked(v) atomic_long_read(v)
56988+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
56989+#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
56990+#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
56991+#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
56992+#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
56993+#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
56994+#endif
56995+
56996 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
56997diff -urNp linux-3.0.7/include/asm-generic/cache.h linux-3.0.7/include/asm-generic/cache.h
56998--- linux-3.0.7/include/asm-generic/cache.h 2011-07-21 22:17:23.000000000 -0400
56999+++ linux-3.0.7/include/asm-generic/cache.h 2011-08-23 21:47:56.000000000 -0400
57000@@ -6,7 +6,7 @@
57001 * cache lines need to provide their own cache.h.
57002 */
57003
57004-#define L1_CACHE_SHIFT 5
57005-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
57006+#define L1_CACHE_SHIFT 5UL
57007+#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
57008
57009 #endif /* __ASM_GENERIC_CACHE_H */
57010diff -urNp linux-3.0.7/include/asm-generic/int-l64.h linux-3.0.7/include/asm-generic/int-l64.h
57011--- linux-3.0.7/include/asm-generic/int-l64.h 2011-07-21 22:17:23.000000000 -0400
57012+++ linux-3.0.7/include/asm-generic/int-l64.h 2011-08-23 21:47:56.000000000 -0400
57013@@ -46,6 +46,8 @@ typedef unsigned int u32;
57014 typedef signed long s64;
57015 typedef unsigned long u64;
57016
57017+typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
57018+
57019 #define S8_C(x) x
57020 #define U8_C(x) x ## U
57021 #define S16_C(x) x
57022diff -urNp linux-3.0.7/include/asm-generic/int-ll64.h linux-3.0.7/include/asm-generic/int-ll64.h
57023--- linux-3.0.7/include/asm-generic/int-ll64.h 2011-07-21 22:17:23.000000000 -0400
57024+++ linux-3.0.7/include/asm-generic/int-ll64.h 2011-08-23 21:47:56.000000000 -0400
57025@@ -51,6 +51,8 @@ typedef unsigned int u32;
57026 typedef signed long long s64;
57027 typedef unsigned long long u64;
57028
57029+typedef unsigned long long intoverflow_t;
57030+
57031 #define S8_C(x) x
57032 #define U8_C(x) x ## U
57033 #define S16_C(x) x
57034diff -urNp linux-3.0.7/include/asm-generic/kmap_types.h linux-3.0.7/include/asm-generic/kmap_types.h
57035--- linux-3.0.7/include/asm-generic/kmap_types.h 2011-07-21 22:17:23.000000000 -0400
57036+++ linux-3.0.7/include/asm-generic/kmap_types.h 2011-08-23 21:47:56.000000000 -0400
57037@@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
57038 KMAP_D(17) KM_NMI,
57039 KMAP_D(18) KM_NMI_PTE,
57040 KMAP_D(19) KM_KDB,
57041+KMAP_D(20) KM_CLEARPAGE,
57042 /*
57043 * Remember to update debug_kmap_atomic() when adding new kmap types!
57044 */
57045-KMAP_D(20) KM_TYPE_NR
57046+KMAP_D(21) KM_TYPE_NR
57047 };
57048
57049 #undef KMAP_D
57050diff -urNp linux-3.0.7/include/asm-generic/pgtable-nopmd.h linux-3.0.7/include/asm-generic/pgtable-nopmd.h
57051--- linux-3.0.7/include/asm-generic/pgtable-nopmd.h 2011-07-21 22:17:23.000000000 -0400
57052+++ linux-3.0.7/include/asm-generic/pgtable-nopmd.h 2011-08-23 21:47:56.000000000 -0400
57053@@ -1,14 +1,19 @@
57054 #ifndef _PGTABLE_NOPMD_H
57055 #define _PGTABLE_NOPMD_H
57056
57057-#ifndef __ASSEMBLY__
57058-
57059 #include <asm-generic/pgtable-nopud.h>
57060
57061-struct mm_struct;
57062-
57063 #define __PAGETABLE_PMD_FOLDED
57064
57065+#define PMD_SHIFT PUD_SHIFT
57066+#define PTRS_PER_PMD 1
57067+#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
57068+#define PMD_MASK (~(PMD_SIZE-1))
57069+
57070+#ifndef __ASSEMBLY__
57071+
57072+struct mm_struct;
57073+
57074 /*
57075 * Having the pmd type consist of a pud gets the size right, and allows
57076 * us to conceptually access the pud entry that this pmd is folded into
57077@@ -16,11 +21,6 @@ struct mm_struct;
57078 */
57079 typedef struct { pud_t pud; } pmd_t;
57080
57081-#define PMD_SHIFT PUD_SHIFT
57082-#define PTRS_PER_PMD 1
57083-#define PMD_SIZE (1UL << PMD_SHIFT)
57084-#define PMD_MASK (~(PMD_SIZE-1))
57085-
57086 /*
57087 * The "pud_xxx()" functions here are trivial for a folded two-level
57088 * setup: the pmd is never bad, and a pmd always exists (as it's folded
57089diff -urNp linux-3.0.7/include/asm-generic/pgtable-nopud.h linux-3.0.7/include/asm-generic/pgtable-nopud.h
57090--- linux-3.0.7/include/asm-generic/pgtable-nopud.h 2011-07-21 22:17:23.000000000 -0400
57091+++ linux-3.0.7/include/asm-generic/pgtable-nopud.h 2011-08-23 21:47:56.000000000 -0400
57092@@ -1,10 +1,15 @@
57093 #ifndef _PGTABLE_NOPUD_H
57094 #define _PGTABLE_NOPUD_H
57095
57096-#ifndef __ASSEMBLY__
57097-
57098 #define __PAGETABLE_PUD_FOLDED
57099
57100+#define PUD_SHIFT PGDIR_SHIFT
57101+#define PTRS_PER_PUD 1
57102+#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
57103+#define PUD_MASK (~(PUD_SIZE-1))
57104+
57105+#ifndef __ASSEMBLY__
57106+
57107 /*
57108 * Having the pud type consist of a pgd gets the size right, and allows
57109 * us to conceptually access the pgd entry that this pud is folded into
57110@@ -12,11 +17,6 @@
57111 */
57112 typedef struct { pgd_t pgd; } pud_t;
57113
57114-#define PUD_SHIFT PGDIR_SHIFT
57115-#define PTRS_PER_PUD 1
57116-#define PUD_SIZE (1UL << PUD_SHIFT)
57117-#define PUD_MASK (~(PUD_SIZE-1))
57118-
57119 /*
57120 * The "pgd_xxx()" functions here are trivial for a folded two-level
57121 * setup: the pud is never bad, and a pud always exists (as it's folded
57122diff -urNp linux-3.0.7/include/asm-generic/pgtable.h linux-3.0.7/include/asm-generic/pgtable.h
57123--- linux-3.0.7/include/asm-generic/pgtable.h 2011-07-21 22:17:23.000000000 -0400
57124+++ linux-3.0.7/include/asm-generic/pgtable.h 2011-08-23 21:47:56.000000000 -0400
57125@@ -443,6 +443,14 @@ static inline int pmd_write(pmd_t pmd)
57126 #endif /* __HAVE_ARCH_PMD_WRITE */
57127 #endif
57128
57129+#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
57130+static inline unsigned long pax_open_kernel(void) { return 0; }
57131+#endif
57132+
57133+#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
57134+static inline unsigned long pax_close_kernel(void) { return 0; }
57135+#endif
57136+
57137 #endif /* !__ASSEMBLY__ */
57138
57139 #endif /* _ASM_GENERIC_PGTABLE_H */
57140diff -urNp linux-3.0.7/include/asm-generic/vmlinux.lds.h linux-3.0.7/include/asm-generic/vmlinux.lds.h
57141--- linux-3.0.7/include/asm-generic/vmlinux.lds.h 2011-07-21 22:17:23.000000000 -0400
57142+++ linux-3.0.7/include/asm-generic/vmlinux.lds.h 2011-08-23 21:47:56.000000000 -0400
57143@@ -217,6 +217,7 @@
57144 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
57145 VMLINUX_SYMBOL(__start_rodata) = .; \
57146 *(.rodata) *(.rodata.*) \
57147+ *(.data..read_only) \
57148 *(__vermagic) /* Kernel version magic */ \
57149 . = ALIGN(8); \
57150 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
57151@@ -723,17 +724,18 @@
57152 * section in the linker script will go there too. @phdr should have
57153 * a leading colon.
57154 *
57155- * Note that this macros defines __per_cpu_load as an absolute symbol.
57156+ * Note that this macros defines per_cpu_load as an absolute symbol.
57157 * If there is no need to put the percpu section at a predetermined
57158 * address, use PERCPU_SECTION.
57159 */
57160 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
57161- VMLINUX_SYMBOL(__per_cpu_load) = .; \
57162- .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
57163+ per_cpu_load = .; \
57164+ .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
57165 - LOAD_OFFSET) { \
57166+ VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
57167 PERCPU_INPUT(cacheline) \
57168 } phdr \
57169- . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
57170+ . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
57171
57172 /**
57173 * PERCPU_SECTION - define output section for percpu area, simple version
57174diff -urNp linux-3.0.7/include/drm/drmP.h linux-3.0.7/include/drm/drmP.h
57175--- linux-3.0.7/include/drm/drmP.h 2011-07-21 22:17:23.000000000 -0400
57176+++ linux-3.0.7/include/drm/drmP.h 2011-08-23 21:47:56.000000000 -0400
57177@@ -73,6 +73,7 @@
57178 #include <linux/workqueue.h>
57179 #include <linux/poll.h>
57180 #include <asm/pgalloc.h>
57181+#include <asm/local.h>
57182 #include "drm.h"
57183
57184 #include <linux/idr.h>
57185@@ -1033,7 +1034,7 @@ struct drm_device {
57186
57187 /** \name Usage Counters */
57188 /*@{ */
57189- int open_count; /**< Outstanding files open */
57190+ local_t open_count; /**< Outstanding files open */
57191 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
57192 atomic_t vma_count; /**< Outstanding vma areas open */
57193 int buf_use; /**< Buffers in use -- cannot alloc */
57194@@ -1044,7 +1045,7 @@ struct drm_device {
57195 /*@{ */
57196 unsigned long counters;
57197 enum drm_stat_type types[15];
57198- atomic_t counts[15];
57199+ atomic_unchecked_t counts[15];
57200 /*@} */
57201
57202 struct list_head filelist;
57203diff -urNp linux-3.0.7/include/drm/drm_crtc_helper.h linux-3.0.7/include/drm/drm_crtc_helper.h
57204--- linux-3.0.7/include/drm/drm_crtc_helper.h 2011-07-21 22:17:23.000000000 -0400
57205+++ linux-3.0.7/include/drm/drm_crtc_helper.h 2011-08-23 21:47:56.000000000 -0400
57206@@ -74,7 +74,7 @@ struct drm_crtc_helper_funcs {
57207
57208 /* disable crtc when not in use - more explicit than dpms off */
57209 void (*disable)(struct drm_crtc *crtc);
57210-};
57211+} __no_const;
57212
57213 struct drm_encoder_helper_funcs {
57214 void (*dpms)(struct drm_encoder *encoder, int mode);
57215@@ -95,7 +95,7 @@ struct drm_encoder_helper_funcs {
57216 struct drm_connector *connector);
57217 /* disable encoder when not in use - more explicit than dpms off */
57218 void (*disable)(struct drm_encoder *encoder);
57219-};
57220+} __no_const;
57221
57222 struct drm_connector_helper_funcs {
57223 int (*get_modes)(struct drm_connector *connector);
57224diff -urNp linux-3.0.7/include/drm/ttm/ttm_memory.h linux-3.0.7/include/drm/ttm/ttm_memory.h
57225--- linux-3.0.7/include/drm/ttm/ttm_memory.h 2011-07-21 22:17:23.000000000 -0400
57226+++ linux-3.0.7/include/drm/ttm/ttm_memory.h 2011-08-23 21:47:56.000000000 -0400
57227@@ -47,7 +47,7 @@
57228
57229 struct ttm_mem_shrink {
57230 int (*do_shrink) (struct ttm_mem_shrink *);
57231-};
57232+} __no_const;
57233
57234 /**
57235 * struct ttm_mem_global - Global memory accounting structure.
57236diff -urNp linux-3.0.7/include/linux/a.out.h linux-3.0.7/include/linux/a.out.h
57237--- linux-3.0.7/include/linux/a.out.h 2011-07-21 22:17:23.000000000 -0400
57238+++ linux-3.0.7/include/linux/a.out.h 2011-08-23 21:47:56.000000000 -0400
57239@@ -39,6 +39,14 @@ enum machine_type {
57240 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
57241 };
57242
57243+/* Constants for the N_FLAGS field */
57244+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
57245+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
57246+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
57247+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
57248+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
57249+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
57250+
57251 #if !defined (N_MAGIC)
57252 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
57253 #endif
57254diff -urNp linux-3.0.7/include/linux/atmdev.h linux-3.0.7/include/linux/atmdev.h
57255--- linux-3.0.7/include/linux/atmdev.h 2011-07-21 22:17:23.000000000 -0400
57256+++ linux-3.0.7/include/linux/atmdev.h 2011-08-23 21:47:56.000000000 -0400
57257@@ -237,7 +237,7 @@ struct compat_atm_iobuf {
57258 #endif
57259
57260 struct k_atm_aal_stats {
57261-#define __HANDLE_ITEM(i) atomic_t i
57262+#define __HANDLE_ITEM(i) atomic_unchecked_t i
57263 __AAL_STAT_ITEMS
57264 #undef __HANDLE_ITEM
57265 };
57266diff -urNp linux-3.0.7/include/linux/binfmts.h linux-3.0.7/include/linux/binfmts.h
57267--- linux-3.0.7/include/linux/binfmts.h 2011-07-21 22:17:23.000000000 -0400
57268+++ linux-3.0.7/include/linux/binfmts.h 2011-08-23 21:47:56.000000000 -0400
57269@@ -88,6 +88,7 @@ struct linux_binfmt {
57270 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
57271 int (*load_shlib)(struct file *);
57272 int (*core_dump)(struct coredump_params *cprm);
57273+ void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
57274 unsigned long min_coredump; /* minimal dump size */
57275 };
57276
57277diff -urNp linux-3.0.7/include/linux/blkdev.h linux-3.0.7/include/linux/blkdev.h
57278--- linux-3.0.7/include/linux/blkdev.h 2011-07-21 22:17:23.000000000 -0400
57279+++ linux-3.0.7/include/linux/blkdev.h 2011-08-26 19:49:56.000000000 -0400
57280@@ -1308,7 +1308,7 @@ struct block_device_operations {
57281 /* this callback is with swap_lock and sometimes page table lock held */
57282 void (*swap_slot_free_notify) (struct block_device *, unsigned long);
57283 struct module *owner;
57284-};
57285+} __do_const;
57286
57287 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
57288 unsigned long);
57289diff -urNp linux-3.0.7/include/linux/blktrace_api.h linux-3.0.7/include/linux/blktrace_api.h
57290--- linux-3.0.7/include/linux/blktrace_api.h 2011-07-21 22:17:23.000000000 -0400
57291+++ linux-3.0.7/include/linux/blktrace_api.h 2011-08-23 21:47:56.000000000 -0400
57292@@ -161,7 +161,7 @@ struct blk_trace {
57293 struct dentry *dir;
57294 struct dentry *dropped_file;
57295 struct dentry *msg_file;
57296- atomic_t dropped;
57297+ atomic_unchecked_t dropped;
57298 };
57299
57300 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
57301diff -urNp linux-3.0.7/include/linux/byteorder/little_endian.h linux-3.0.7/include/linux/byteorder/little_endian.h
57302--- linux-3.0.7/include/linux/byteorder/little_endian.h 2011-07-21 22:17:23.000000000 -0400
57303+++ linux-3.0.7/include/linux/byteorder/little_endian.h 2011-08-23 21:47:56.000000000 -0400
57304@@ -42,51 +42,51 @@
57305
57306 static inline __le64 __cpu_to_le64p(const __u64 *p)
57307 {
57308- return (__force __le64)*p;
57309+ return (__force const __le64)*p;
57310 }
57311 static inline __u64 __le64_to_cpup(const __le64 *p)
57312 {
57313- return (__force __u64)*p;
57314+ return (__force const __u64)*p;
57315 }
57316 static inline __le32 __cpu_to_le32p(const __u32 *p)
57317 {
57318- return (__force __le32)*p;
57319+ return (__force const __le32)*p;
57320 }
57321 static inline __u32 __le32_to_cpup(const __le32 *p)
57322 {
57323- return (__force __u32)*p;
57324+ return (__force const __u32)*p;
57325 }
57326 static inline __le16 __cpu_to_le16p(const __u16 *p)
57327 {
57328- return (__force __le16)*p;
57329+ return (__force const __le16)*p;
57330 }
57331 static inline __u16 __le16_to_cpup(const __le16 *p)
57332 {
57333- return (__force __u16)*p;
57334+ return (__force const __u16)*p;
57335 }
57336 static inline __be64 __cpu_to_be64p(const __u64 *p)
57337 {
57338- return (__force __be64)__swab64p(p);
57339+ return (__force const __be64)__swab64p(p);
57340 }
57341 static inline __u64 __be64_to_cpup(const __be64 *p)
57342 {
57343- return __swab64p((__u64 *)p);
57344+ return __swab64p((const __u64 *)p);
57345 }
57346 static inline __be32 __cpu_to_be32p(const __u32 *p)
57347 {
57348- return (__force __be32)__swab32p(p);
57349+ return (__force const __be32)__swab32p(p);
57350 }
57351 static inline __u32 __be32_to_cpup(const __be32 *p)
57352 {
57353- return __swab32p((__u32 *)p);
57354+ return __swab32p((const __u32 *)p);
57355 }
57356 static inline __be16 __cpu_to_be16p(const __u16 *p)
57357 {
57358- return (__force __be16)__swab16p(p);
57359+ return (__force const __be16)__swab16p(p);
57360 }
57361 static inline __u16 __be16_to_cpup(const __be16 *p)
57362 {
57363- return __swab16p((__u16 *)p);
57364+ return __swab16p((const __u16 *)p);
57365 }
57366 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
57367 #define __le64_to_cpus(x) do { (void)(x); } while (0)
57368diff -urNp linux-3.0.7/include/linux/cache.h linux-3.0.7/include/linux/cache.h
57369--- linux-3.0.7/include/linux/cache.h 2011-07-21 22:17:23.000000000 -0400
57370+++ linux-3.0.7/include/linux/cache.h 2011-08-23 21:47:56.000000000 -0400
57371@@ -16,6 +16,10 @@
57372 #define __read_mostly
57373 #endif
57374
57375+#ifndef __read_only
57376+#define __read_only __read_mostly
57377+#endif
57378+
57379 #ifndef ____cacheline_aligned
57380 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
57381 #endif
57382diff -urNp linux-3.0.7/include/linux/capability.h linux-3.0.7/include/linux/capability.h
57383--- linux-3.0.7/include/linux/capability.h 2011-07-21 22:17:23.000000000 -0400
57384+++ linux-3.0.7/include/linux/capability.h 2011-08-23 21:48:14.000000000 -0400
57385@@ -547,6 +547,9 @@ extern bool capable(int cap);
57386 extern bool ns_capable(struct user_namespace *ns, int cap);
57387 extern bool task_ns_capable(struct task_struct *t, int cap);
57388 extern bool nsown_capable(int cap);
57389+extern bool task_ns_capable_nolog(struct task_struct *t, int cap);
57390+extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
57391+extern bool capable_nolog(int cap);
57392
57393 /* audit system wants to get cap info from files as well */
57394 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
57395diff -urNp linux-3.0.7/include/linux/cleancache.h linux-3.0.7/include/linux/cleancache.h
57396--- linux-3.0.7/include/linux/cleancache.h 2011-07-21 22:17:23.000000000 -0400
57397+++ linux-3.0.7/include/linux/cleancache.h 2011-08-23 21:47:56.000000000 -0400
57398@@ -31,7 +31,7 @@ struct cleancache_ops {
57399 void (*flush_page)(int, struct cleancache_filekey, pgoff_t);
57400 void (*flush_inode)(int, struct cleancache_filekey);
57401 void (*flush_fs)(int);
57402-};
57403+} __no_const;
57404
57405 extern struct cleancache_ops
57406 cleancache_register_ops(struct cleancache_ops *ops);
57407diff -urNp linux-3.0.7/include/linux/compiler-gcc4.h linux-3.0.7/include/linux/compiler-gcc4.h
57408--- linux-3.0.7/include/linux/compiler-gcc4.h 2011-07-21 22:17:23.000000000 -0400
57409+++ linux-3.0.7/include/linux/compiler-gcc4.h 2011-08-26 19:49:56.000000000 -0400
57410@@ -31,6 +31,12 @@
57411
57412
57413 #if __GNUC_MINOR__ >= 5
57414+
57415+#ifdef CONSTIFY_PLUGIN
57416+#define __no_const __attribute__((no_const))
57417+#define __do_const __attribute__((do_const))
57418+#endif
57419+
57420 /*
57421 * Mark a position in code as unreachable. This can be used to
57422 * suppress control flow warnings after asm blocks that transfer
57423@@ -46,6 +52,11 @@
57424 #define __noclone __attribute__((__noclone__))
57425
57426 #endif
57427+
57428+#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
57429+#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
57430+#define __bos0(ptr) __bos((ptr), 0)
57431+#define __bos1(ptr) __bos((ptr), 1)
57432 #endif
57433
57434 #if __GNUC_MINOR__ > 0
57435diff -urNp linux-3.0.7/include/linux/compiler.h linux-3.0.7/include/linux/compiler.h
57436--- linux-3.0.7/include/linux/compiler.h 2011-07-21 22:17:23.000000000 -0400
57437+++ linux-3.0.7/include/linux/compiler.h 2011-10-06 04:17:55.000000000 -0400
57438@@ -5,31 +5,62 @@
57439
57440 #ifdef __CHECKER__
57441 # define __user __attribute__((noderef, address_space(1)))
57442+# define __force_user __force __user
57443 # define __kernel __attribute__((address_space(0)))
57444+# define __force_kernel __force __kernel
57445 # define __safe __attribute__((safe))
57446 # define __force __attribute__((force))
57447 # define __nocast __attribute__((nocast))
57448 # define __iomem __attribute__((noderef, address_space(2)))
57449+# define __force_iomem __force __iomem
57450 # define __acquires(x) __attribute__((context(x,0,1)))
57451 # define __releases(x) __attribute__((context(x,1,0)))
57452 # define __acquire(x) __context__(x,1)
57453 # define __release(x) __context__(x,-1)
57454 # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
57455 # define __percpu __attribute__((noderef, address_space(3)))
57456+# define __force_percpu __force __percpu
57457 #ifdef CONFIG_SPARSE_RCU_POINTER
57458 # define __rcu __attribute__((noderef, address_space(4)))
57459+# define __force_rcu __force __rcu
57460 #else
57461 # define __rcu
57462+# define __force_rcu
57463 #endif
57464 extern void __chk_user_ptr(const volatile void __user *);
57465 extern void __chk_io_ptr(const volatile void __iomem *);
57466+#elif defined(CHECKER_PLUGIN)
57467+//# define __user
57468+//# define __force_user
57469+//# define __kernel
57470+//# define __force_kernel
57471+# define __safe
57472+# define __force
57473+# define __nocast
57474+# define __iomem
57475+# define __force_iomem
57476+# define __chk_user_ptr(x) (void)0
57477+# define __chk_io_ptr(x) (void)0
57478+# define __builtin_warning(x, y...) (1)
57479+# define __acquires(x)
57480+# define __releases(x)
57481+# define __acquire(x) (void)0
57482+# define __release(x) (void)0
57483+# define __cond_lock(x,c) (c)
57484+# define __percpu
57485+# define __force_percpu
57486+# define __rcu
57487+# define __force_rcu
57488 #else
57489 # define __user
57490+# define __force_user
57491 # define __kernel
57492+# define __force_kernel
57493 # define __safe
57494 # define __force
57495 # define __nocast
57496 # define __iomem
57497+# define __force_iomem
57498 # define __chk_user_ptr(x) (void)0
57499 # define __chk_io_ptr(x) (void)0
57500 # define __builtin_warning(x, y...) (1)
57501@@ -39,7 +70,9 @@ extern void __chk_io_ptr(const volatile
57502 # define __release(x) (void)0
57503 # define __cond_lock(x,c) (c)
57504 # define __percpu
57505+# define __force_percpu
57506 # define __rcu
57507+# define __force_rcu
57508 #endif
57509
57510 #ifdef __KERNEL__
57511@@ -264,6 +297,14 @@ void ftrace_likely_update(struct ftrace_
57512 # define __attribute_const__ /* unimplemented */
57513 #endif
57514
57515+#ifndef __no_const
57516+# define __no_const
57517+#endif
57518+
57519+#ifndef __do_const
57520+# define __do_const
57521+#endif
57522+
57523 /*
57524 * Tell gcc if a function is cold. The compiler will assume any path
57525 * directly leading to the call is unlikely.
57526@@ -273,6 +314,22 @@ void ftrace_likely_update(struct ftrace_
57527 #define __cold
57528 #endif
57529
57530+#ifndef __alloc_size
57531+#define __alloc_size(...)
57532+#endif
57533+
57534+#ifndef __bos
57535+#define __bos(ptr, arg)
57536+#endif
57537+
57538+#ifndef __bos0
57539+#define __bos0(ptr)
57540+#endif
57541+
57542+#ifndef __bos1
57543+#define __bos1(ptr)
57544+#endif
57545+
57546 /* Simple shorthand for a section definition */
57547 #ifndef __section
57548 # define __section(S) __attribute__ ((__section__(#S)))
57549@@ -306,6 +363,7 @@ void ftrace_likely_update(struct ftrace_
57550 * use is to mediate communication between process-level code and irq/NMI
57551 * handlers, all running on the same CPU.
57552 */
57553-#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
57554+#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
57555+#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
57556
57557 #endif /* __LINUX_COMPILER_H */
57558diff -urNp linux-3.0.7/include/linux/cpuset.h linux-3.0.7/include/linux/cpuset.h
57559--- linux-3.0.7/include/linux/cpuset.h 2011-07-21 22:17:23.000000000 -0400
57560+++ linux-3.0.7/include/linux/cpuset.h 2011-08-23 21:47:56.000000000 -0400
57561@@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
57562 * nodemask.
57563 */
57564 smp_mb();
57565- --ACCESS_ONCE(current->mems_allowed_change_disable);
57566+ --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
57567 }
57568
57569 static inline void set_mems_allowed(nodemask_t nodemask)
57570diff -urNp linux-3.0.7/include/linux/crypto.h linux-3.0.7/include/linux/crypto.h
57571--- linux-3.0.7/include/linux/crypto.h 2011-07-21 22:17:23.000000000 -0400
57572+++ linux-3.0.7/include/linux/crypto.h 2011-08-23 21:47:56.000000000 -0400
57573@@ -361,7 +361,7 @@ struct cipher_tfm {
57574 const u8 *key, unsigned int keylen);
57575 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
57576 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
57577-};
57578+} __no_const;
57579
57580 struct hash_tfm {
57581 int (*init)(struct hash_desc *desc);
57582@@ -382,13 +382,13 @@ struct compress_tfm {
57583 int (*cot_decompress)(struct crypto_tfm *tfm,
57584 const u8 *src, unsigned int slen,
57585 u8 *dst, unsigned int *dlen);
57586-};
57587+} __no_const;
57588
57589 struct rng_tfm {
57590 int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
57591 unsigned int dlen);
57592 int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
57593-};
57594+} __no_const;
57595
57596 #define crt_ablkcipher crt_u.ablkcipher
57597 #define crt_aead crt_u.aead
57598diff -urNp linux-3.0.7/include/linux/decompress/mm.h linux-3.0.7/include/linux/decompress/mm.h
57599--- linux-3.0.7/include/linux/decompress/mm.h 2011-07-21 22:17:23.000000000 -0400
57600+++ linux-3.0.7/include/linux/decompress/mm.h 2011-08-23 21:47:56.000000000 -0400
57601@@ -77,7 +77,7 @@ static void free(void *where)
57602 * warnings when not needed (indeed large_malloc / large_free are not
57603 * needed by inflate */
57604
57605-#define malloc(a) kmalloc(a, GFP_KERNEL)
57606+#define malloc(a) kmalloc((a), GFP_KERNEL)
57607 #define free(a) kfree(a)
57608
57609 #define large_malloc(a) vmalloc(a)
57610diff -urNp linux-3.0.7/include/linux/dma-mapping.h linux-3.0.7/include/linux/dma-mapping.h
57611--- linux-3.0.7/include/linux/dma-mapping.h 2011-07-21 22:17:23.000000000 -0400
57612+++ linux-3.0.7/include/linux/dma-mapping.h 2011-08-26 19:49:56.000000000 -0400
57613@@ -50,7 +50,7 @@ struct dma_map_ops {
57614 int (*dma_supported)(struct device *dev, u64 mask);
57615 int (*set_dma_mask)(struct device *dev, u64 mask);
57616 int is_phys;
57617-};
57618+} __do_const;
57619
57620 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
57621
57622diff -urNp linux-3.0.7/include/linux/efi.h linux-3.0.7/include/linux/efi.h
57623--- linux-3.0.7/include/linux/efi.h 2011-07-21 22:17:23.000000000 -0400
57624+++ linux-3.0.7/include/linux/efi.h 2011-08-23 21:47:56.000000000 -0400
57625@@ -410,7 +410,7 @@ struct efivar_operations {
57626 efi_get_variable_t *get_variable;
57627 efi_get_next_variable_t *get_next_variable;
57628 efi_set_variable_t *set_variable;
57629-};
57630+} __no_const;
57631
57632 struct efivars {
57633 /*
57634diff -urNp linux-3.0.7/include/linux/elf.h linux-3.0.7/include/linux/elf.h
57635--- linux-3.0.7/include/linux/elf.h 2011-07-21 22:17:23.000000000 -0400
57636+++ linux-3.0.7/include/linux/elf.h 2011-08-23 21:47:56.000000000 -0400
57637@@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
57638 #define PT_GNU_EH_FRAME 0x6474e550
57639
57640 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
57641+#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
57642+
57643+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
57644+
57645+/* Constants for the e_flags field */
57646+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
57647+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
57648+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
57649+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
57650+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
57651+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
57652
57653 /*
57654 * Extended Numbering
57655@@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
57656 #define DT_DEBUG 21
57657 #define DT_TEXTREL 22
57658 #define DT_JMPREL 23
57659+#define DT_FLAGS 30
57660+ #define DF_TEXTREL 0x00000004
57661 #define DT_ENCODING 32
57662 #define OLD_DT_LOOS 0x60000000
57663 #define DT_LOOS 0x6000000d
57664@@ -252,6 +265,19 @@ typedef struct elf64_hdr {
57665 #define PF_W 0x2
57666 #define PF_X 0x1
57667
57668+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
57669+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
57670+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
57671+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
57672+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
57673+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
57674+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
57675+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
57676+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
57677+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
57678+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
57679+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
57680+
57681 typedef struct elf32_phdr{
57682 Elf32_Word p_type;
57683 Elf32_Off p_offset;
57684@@ -344,6 +370,8 @@ typedef struct elf64_shdr {
57685 #define EI_OSABI 7
57686 #define EI_PAD 8
57687
57688+#define EI_PAX 14
57689+
57690 #define ELFMAG0 0x7f /* EI_MAG */
57691 #define ELFMAG1 'E'
57692 #define ELFMAG2 'L'
57693@@ -422,6 +450,7 @@ extern Elf32_Dyn _DYNAMIC [];
57694 #define elf_note elf32_note
57695 #define elf_addr_t Elf32_Off
57696 #define Elf_Half Elf32_Half
57697+#define elf_dyn Elf32_Dyn
57698
57699 #else
57700
57701@@ -432,6 +461,7 @@ extern Elf64_Dyn _DYNAMIC [];
57702 #define elf_note elf64_note
57703 #define elf_addr_t Elf64_Off
57704 #define Elf_Half Elf64_Half
57705+#define elf_dyn Elf64_Dyn
57706
57707 #endif
57708
57709diff -urNp linux-3.0.7/include/linux/firewire.h linux-3.0.7/include/linux/firewire.h
57710--- linux-3.0.7/include/linux/firewire.h 2011-07-21 22:17:23.000000000 -0400
57711+++ linux-3.0.7/include/linux/firewire.h 2011-08-23 21:47:56.000000000 -0400
57712@@ -428,7 +428,7 @@ struct fw_iso_context {
57713 union {
57714 fw_iso_callback_t sc;
57715 fw_iso_mc_callback_t mc;
57716- } callback;
57717+ } __no_const callback;
57718 void *callback_data;
57719 };
57720
57721diff -urNp linux-3.0.7/include/linux/fs.h linux-3.0.7/include/linux/fs.h
57722--- linux-3.0.7/include/linux/fs.h 2011-07-21 22:17:23.000000000 -0400
57723+++ linux-3.0.7/include/linux/fs.h 2011-08-26 19:49:56.000000000 -0400
57724@@ -109,6 +109,11 @@ struct inodes_stat_t {
57725 /* File was opened by fanotify and shouldn't generate fanotify events */
57726 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
57727
57728+/* Hack for grsec so as not to require read permission simply to execute
57729+ * a binary
57730+ */
57731+#define FMODE_GREXEC ((__force fmode_t)0x2000000)
57732+
57733 /*
57734 * The below are the various read and write types that we support. Some of
57735 * them include behavioral modifiers that send information down to the
57736@@ -1571,7 +1576,8 @@ struct file_operations {
57737 int (*setlease)(struct file *, long, struct file_lock **);
57738 long (*fallocate)(struct file *file, int mode, loff_t offset,
57739 loff_t len);
57740-};
57741+} __do_const;
57742+typedef struct file_operations __no_const file_operations_no_const;
57743
57744 #define IPERM_FLAG_RCU 0x0001
57745
57746diff -urNp linux-3.0.7/include/linux/fs_struct.h linux-3.0.7/include/linux/fs_struct.h
57747--- linux-3.0.7/include/linux/fs_struct.h 2011-07-21 22:17:23.000000000 -0400
57748+++ linux-3.0.7/include/linux/fs_struct.h 2011-08-23 21:47:56.000000000 -0400
57749@@ -6,7 +6,7 @@
57750 #include <linux/seqlock.h>
57751
57752 struct fs_struct {
57753- int users;
57754+ atomic_t users;
57755 spinlock_t lock;
57756 seqcount_t seq;
57757 int umask;
57758diff -urNp linux-3.0.7/include/linux/fscache-cache.h linux-3.0.7/include/linux/fscache-cache.h
57759--- linux-3.0.7/include/linux/fscache-cache.h 2011-07-21 22:17:23.000000000 -0400
57760+++ linux-3.0.7/include/linux/fscache-cache.h 2011-08-23 21:47:56.000000000 -0400
57761@@ -102,7 +102,7 @@ struct fscache_operation {
57762 fscache_operation_release_t release;
57763 };
57764
57765-extern atomic_t fscache_op_debug_id;
57766+extern atomic_unchecked_t fscache_op_debug_id;
57767 extern void fscache_op_work_func(struct work_struct *work);
57768
57769 extern void fscache_enqueue_operation(struct fscache_operation *);
57770@@ -122,7 +122,7 @@ static inline void fscache_operation_ini
57771 {
57772 INIT_WORK(&op->work, fscache_op_work_func);
57773 atomic_set(&op->usage, 1);
57774- op->debug_id = atomic_inc_return(&fscache_op_debug_id);
57775+ op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
57776 op->processor = processor;
57777 op->release = release;
57778 INIT_LIST_HEAD(&op->pend_link);
57779diff -urNp linux-3.0.7/include/linux/fsnotify.h linux-3.0.7/include/linux/fsnotify.h
57780--- linux-3.0.7/include/linux/fsnotify.h 2011-07-21 22:17:23.000000000 -0400
57781+++ linux-3.0.7/include/linux/fsnotify.h 2011-08-24 18:10:29.000000000 -0400
57782@@ -314,7 +314,7 @@ static inline void fsnotify_change(struc
57783 */
57784 static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
57785 {
57786- return kstrdup(name, GFP_KERNEL);
57787+ return (const unsigned char *)kstrdup((const char *)name, GFP_KERNEL);
57788 }
57789
57790 /*
57791diff -urNp linux-3.0.7/include/linux/ftrace_event.h linux-3.0.7/include/linux/ftrace_event.h
57792--- linux-3.0.7/include/linux/ftrace_event.h 2011-07-21 22:17:23.000000000 -0400
57793+++ linux-3.0.7/include/linux/ftrace_event.h 2011-08-23 21:47:56.000000000 -0400
57794@@ -96,7 +96,7 @@ struct trace_event_functions {
57795 trace_print_func raw;
57796 trace_print_func hex;
57797 trace_print_func binary;
57798-};
57799+} __no_const;
57800
57801 struct trace_event {
57802 struct hlist_node node;
57803@@ -247,7 +247,7 @@ extern int trace_define_field(struct ftr
57804 extern int trace_add_event_call(struct ftrace_event_call *call);
57805 extern void trace_remove_event_call(struct ftrace_event_call *call);
57806
57807-#define is_signed_type(type) (((type)(-1)) < 0)
57808+#define is_signed_type(type) (((type)(-1)) < (type)1)
57809
57810 int trace_set_clr_event(const char *system, const char *event, int set);
57811
57812diff -urNp linux-3.0.7/include/linux/genhd.h linux-3.0.7/include/linux/genhd.h
57813--- linux-3.0.7/include/linux/genhd.h 2011-07-21 22:17:23.000000000 -0400
57814+++ linux-3.0.7/include/linux/genhd.h 2011-08-23 21:47:56.000000000 -0400
57815@@ -184,7 +184,7 @@ struct gendisk {
57816 struct kobject *slave_dir;
57817
57818 struct timer_rand_state *random;
57819- atomic_t sync_io; /* RAID */
57820+ atomic_unchecked_t sync_io; /* RAID */
57821 struct disk_events *ev;
57822 #ifdef CONFIG_BLK_DEV_INTEGRITY
57823 struct blk_integrity *integrity;
57824diff -urNp linux-3.0.7/include/linux/gracl.h linux-3.0.7/include/linux/gracl.h
57825--- linux-3.0.7/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
57826+++ linux-3.0.7/include/linux/gracl.h 2011-08-23 21:48:14.000000000 -0400
57827@@ -0,0 +1,317 @@
57828+#ifndef GR_ACL_H
57829+#define GR_ACL_H
57830+
57831+#include <linux/grdefs.h>
57832+#include <linux/resource.h>
57833+#include <linux/capability.h>
57834+#include <linux/dcache.h>
57835+#include <asm/resource.h>
57836+
57837+/* Major status information */
57838+
57839+#define GR_VERSION "grsecurity 2.2.2"
57840+#define GRSECURITY_VERSION 0x2202
57841+
57842+enum {
57843+ GR_SHUTDOWN = 0,
57844+ GR_ENABLE = 1,
57845+ GR_SPROLE = 2,
57846+ GR_RELOAD = 3,
57847+ GR_SEGVMOD = 4,
57848+ GR_STATUS = 5,
57849+ GR_UNSPROLE = 6,
57850+ GR_PASSSET = 7,
57851+ GR_SPROLEPAM = 8,
57852+};
57853+
57854+/* Password setup definitions
57855+ * kernel/grhash.c */
57856+enum {
57857+ GR_PW_LEN = 128,
57858+ GR_SALT_LEN = 16,
57859+ GR_SHA_LEN = 32,
57860+};
57861+
57862+enum {
57863+ GR_SPROLE_LEN = 64,
57864+};
57865+
57866+enum {
57867+ GR_NO_GLOB = 0,
57868+ GR_REG_GLOB,
57869+ GR_CREATE_GLOB
57870+};
57871+
57872+#define GR_NLIMITS 32
57873+
57874+/* Begin Data Structures */
57875+
57876+struct sprole_pw {
57877+ unsigned char *rolename;
57878+ unsigned char salt[GR_SALT_LEN];
57879+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
57880+};
57881+
57882+struct name_entry {
57883+ __u32 key;
57884+ ino_t inode;
57885+ dev_t device;
57886+ char *name;
57887+ __u16 len;
57888+ __u8 deleted;
57889+ struct name_entry *prev;
57890+ struct name_entry *next;
57891+};
57892+
57893+struct inodev_entry {
57894+ struct name_entry *nentry;
57895+ struct inodev_entry *prev;
57896+ struct inodev_entry *next;
57897+};
57898+
57899+struct acl_role_db {
57900+ struct acl_role_label **r_hash;
57901+ __u32 r_size;
57902+};
57903+
57904+struct inodev_db {
57905+ struct inodev_entry **i_hash;
57906+ __u32 i_size;
57907+};
57908+
57909+struct name_db {
57910+ struct name_entry **n_hash;
57911+ __u32 n_size;
57912+};
57913+
57914+struct crash_uid {
57915+ uid_t uid;
57916+ unsigned long expires;
57917+};
57918+
57919+struct gr_hash_struct {
57920+ void **table;
57921+ void **nametable;
57922+ void *first;
57923+ __u32 table_size;
57924+ __u32 used_size;
57925+ int type;
57926+};
57927+
57928+/* Userspace Grsecurity ACL data structures */
57929+
57930+struct acl_subject_label {
57931+ char *filename;
57932+ ino_t inode;
57933+ dev_t device;
57934+ __u32 mode;
57935+ kernel_cap_t cap_mask;
57936+ kernel_cap_t cap_lower;
57937+ kernel_cap_t cap_invert_audit;
57938+
57939+ struct rlimit res[GR_NLIMITS];
57940+ __u32 resmask;
57941+
57942+ __u8 user_trans_type;
57943+ __u8 group_trans_type;
57944+ uid_t *user_transitions;
57945+ gid_t *group_transitions;
57946+ __u16 user_trans_num;
57947+ __u16 group_trans_num;
57948+
57949+ __u32 sock_families[2];
57950+ __u32 ip_proto[8];
57951+ __u32 ip_type;
57952+ struct acl_ip_label **ips;
57953+ __u32 ip_num;
57954+ __u32 inaddr_any_override;
57955+
57956+ __u32 crashes;
57957+ unsigned long expires;
57958+
57959+ struct acl_subject_label *parent_subject;
57960+ struct gr_hash_struct *hash;
57961+ struct acl_subject_label *prev;
57962+ struct acl_subject_label *next;
57963+
57964+ struct acl_object_label **obj_hash;
57965+ __u32 obj_hash_size;
57966+ __u16 pax_flags;
57967+};
57968+
57969+struct role_allowed_ip {
57970+ __u32 addr;
57971+ __u32 netmask;
57972+
57973+ struct role_allowed_ip *prev;
57974+ struct role_allowed_ip *next;
57975+};
57976+
57977+struct role_transition {
57978+ char *rolename;
57979+
57980+ struct role_transition *prev;
57981+ struct role_transition *next;
57982+};
57983+
57984+struct acl_role_label {
57985+ char *rolename;
57986+ uid_t uidgid;
57987+ __u16 roletype;
57988+
57989+ __u16 auth_attempts;
57990+ unsigned long expires;
57991+
57992+ struct acl_subject_label *root_label;
57993+ struct gr_hash_struct *hash;
57994+
57995+ struct acl_role_label *prev;
57996+ struct acl_role_label *next;
57997+
57998+ struct role_transition *transitions;
57999+ struct role_allowed_ip *allowed_ips;
58000+ uid_t *domain_children;
58001+ __u16 domain_child_num;
58002+
58003+ struct acl_subject_label **subj_hash;
58004+ __u32 subj_hash_size;
58005+};
58006+
58007+struct user_acl_role_db {
58008+ struct acl_role_label **r_table;
58009+ __u32 num_pointers; /* Number of allocations to track */
58010+ __u32 num_roles; /* Number of roles */
58011+ __u32 num_domain_children; /* Number of domain children */
58012+ __u32 num_subjects; /* Number of subjects */
58013+ __u32 num_objects; /* Number of objects */
58014+};
58015+
58016+struct acl_object_label {
58017+ char *filename;
58018+ ino_t inode;
58019+ dev_t device;
58020+ __u32 mode;
58021+
58022+ struct acl_subject_label *nested;
58023+ struct acl_object_label *globbed;
58024+
58025+ /* next two structures not used */
58026+
58027+ struct acl_object_label *prev;
58028+ struct acl_object_label *next;
58029+};
58030+
58031+struct acl_ip_label {
58032+ char *iface;
58033+ __u32 addr;
58034+ __u32 netmask;
58035+ __u16 low, high;
58036+ __u8 mode;
58037+ __u32 type;
58038+ __u32 proto[8];
58039+
58040+ /* next two structures not used */
58041+
58042+ struct acl_ip_label *prev;
58043+ struct acl_ip_label *next;
58044+};
58045+
58046+struct gr_arg {
58047+ struct user_acl_role_db role_db;
58048+ unsigned char pw[GR_PW_LEN];
58049+ unsigned char salt[GR_SALT_LEN];
58050+ unsigned char sum[GR_SHA_LEN];
58051+ unsigned char sp_role[GR_SPROLE_LEN];
58052+ struct sprole_pw *sprole_pws;
58053+ dev_t segv_device;
58054+ ino_t segv_inode;
58055+ uid_t segv_uid;
58056+ __u16 num_sprole_pws;
58057+ __u16 mode;
58058+};
58059+
58060+struct gr_arg_wrapper {
58061+ struct gr_arg *arg;
58062+ __u32 version;
58063+ __u32 size;
58064+};
58065+
58066+struct subject_map {
58067+ struct acl_subject_label *user;
58068+ struct acl_subject_label *kernel;
58069+ struct subject_map *prev;
58070+ struct subject_map *next;
58071+};
58072+
58073+struct acl_subj_map_db {
58074+ struct subject_map **s_hash;
58075+ __u32 s_size;
58076+};
58077+
58078+/* End Data Structures Section */
58079+
58080+/* Hash functions generated by empirical testing by Brad Spengler
58081+ Makes good use of the low bits of the inode. Generally 0-1 times
58082+ in loop for successful match. 0-3 for unsuccessful match.
58083+ Shift/add algorithm with modulus of table size and an XOR*/
58084+
58085+static __inline__ unsigned int
58086+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
58087+{
58088+ return ((((uid + type) << (16 + type)) ^ uid) % sz);
58089+}
58090+
58091+ static __inline__ unsigned int
58092+shash(const struct acl_subject_label *userp, const unsigned int sz)
58093+{
58094+ return ((const unsigned long)userp % sz);
58095+}
58096+
58097+static __inline__ unsigned int
58098+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
58099+{
58100+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
58101+}
58102+
58103+static __inline__ unsigned int
58104+nhash(const char *name, const __u16 len, const unsigned int sz)
58105+{
58106+ return full_name_hash((const unsigned char *)name, len) % sz;
58107+}
58108+
58109+#define FOR_EACH_ROLE_START(role) \
58110+ role = role_list; \
58111+ while (role) {
58112+
58113+#define FOR_EACH_ROLE_END(role) \
58114+ role = role->prev; \
58115+ }
58116+
58117+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
58118+ subj = NULL; \
58119+ iter = 0; \
58120+ while (iter < role->subj_hash_size) { \
58121+ if (subj == NULL) \
58122+ subj = role->subj_hash[iter]; \
58123+ if (subj == NULL) { \
58124+ iter++; \
58125+ continue; \
58126+ }
58127+
58128+#define FOR_EACH_SUBJECT_END(subj,iter) \
58129+ subj = subj->next; \
58130+ if (subj == NULL) \
58131+ iter++; \
58132+ }
58133+
58134+
58135+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
58136+ subj = role->hash->first; \
58137+ while (subj != NULL) {
58138+
58139+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
58140+ subj = subj->next; \
58141+ }
58142+
58143+#endif
58144+
58145diff -urNp linux-3.0.7/include/linux/gralloc.h linux-3.0.7/include/linux/gralloc.h
58146--- linux-3.0.7/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
58147+++ linux-3.0.7/include/linux/gralloc.h 2011-08-23 21:48:14.000000000 -0400
58148@@ -0,0 +1,9 @@
58149+#ifndef __GRALLOC_H
58150+#define __GRALLOC_H
58151+
58152+void acl_free_all(void);
58153+int acl_alloc_stack_init(unsigned long size);
58154+void *acl_alloc(unsigned long len);
58155+void *acl_alloc_num(unsigned long num, unsigned long len);
58156+
58157+#endif
58158diff -urNp linux-3.0.7/include/linux/grdefs.h linux-3.0.7/include/linux/grdefs.h
58159--- linux-3.0.7/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
58160+++ linux-3.0.7/include/linux/grdefs.h 2011-08-23 21:48:14.000000000 -0400
58161@@ -0,0 +1,140 @@
58162+#ifndef GRDEFS_H
58163+#define GRDEFS_H
58164+
58165+/* Begin grsecurity status declarations */
58166+
58167+enum {
58168+ GR_READY = 0x01,
58169+ GR_STATUS_INIT = 0x00 // disabled state
58170+};
58171+
58172+/* Begin ACL declarations */
58173+
58174+/* Role flags */
58175+
58176+enum {
58177+ GR_ROLE_USER = 0x0001,
58178+ GR_ROLE_GROUP = 0x0002,
58179+ GR_ROLE_DEFAULT = 0x0004,
58180+ GR_ROLE_SPECIAL = 0x0008,
58181+ GR_ROLE_AUTH = 0x0010,
58182+ GR_ROLE_NOPW = 0x0020,
58183+ GR_ROLE_GOD = 0x0040,
58184+ GR_ROLE_LEARN = 0x0080,
58185+ GR_ROLE_TPE = 0x0100,
58186+ GR_ROLE_DOMAIN = 0x0200,
58187+ GR_ROLE_PAM = 0x0400,
58188+ GR_ROLE_PERSIST = 0x0800
58189+};
58190+
58191+/* ACL Subject and Object mode flags */
58192+enum {
58193+ GR_DELETED = 0x80000000
58194+};
58195+
58196+/* ACL Object-only mode flags */
58197+enum {
58198+ GR_READ = 0x00000001,
58199+ GR_APPEND = 0x00000002,
58200+ GR_WRITE = 0x00000004,
58201+ GR_EXEC = 0x00000008,
58202+ GR_FIND = 0x00000010,
58203+ GR_INHERIT = 0x00000020,
58204+ GR_SETID = 0x00000040,
58205+ GR_CREATE = 0x00000080,
58206+ GR_DELETE = 0x00000100,
58207+ GR_LINK = 0x00000200,
58208+ GR_AUDIT_READ = 0x00000400,
58209+ GR_AUDIT_APPEND = 0x00000800,
58210+ GR_AUDIT_WRITE = 0x00001000,
58211+ GR_AUDIT_EXEC = 0x00002000,
58212+ GR_AUDIT_FIND = 0x00004000,
58213+ GR_AUDIT_INHERIT= 0x00008000,
58214+ GR_AUDIT_SETID = 0x00010000,
58215+ GR_AUDIT_CREATE = 0x00020000,
58216+ GR_AUDIT_DELETE = 0x00040000,
58217+ GR_AUDIT_LINK = 0x00080000,
58218+ GR_PTRACERD = 0x00100000,
58219+ GR_NOPTRACE = 0x00200000,
58220+ GR_SUPPRESS = 0x00400000,
58221+ GR_NOLEARN = 0x00800000,
58222+ GR_INIT_TRANSFER= 0x01000000
58223+};
58224+
58225+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
58226+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
58227+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
58228+
58229+/* ACL subject-only mode flags */
58230+enum {
58231+ GR_KILL = 0x00000001,
58232+ GR_VIEW = 0x00000002,
58233+ GR_PROTECTED = 0x00000004,
58234+ GR_LEARN = 0x00000008,
58235+ GR_OVERRIDE = 0x00000010,
58236+ /* just a placeholder, this mode is only used in userspace */
58237+ GR_DUMMY = 0x00000020,
58238+ GR_PROTSHM = 0x00000040,
58239+ GR_KILLPROC = 0x00000080,
58240+ GR_KILLIPPROC = 0x00000100,
58241+ /* just a placeholder, this mode is only used in userspace */
58242+ GR_NOTROJAN = 0x00000200,
58243+ GR_PROTPROCFD = 0x00000400,
58244+ GR_PROCACCT = 0x00000800,
58245+ GR_RELAXPTRACE = 0x00001000,
58246+ GR_NESTED = 0x00002000,
58247+ GR_INHERITLEARN = 0x00004000,
58248+ GR_PROCFIND = 0x00008000,
58249+ GR_POVERRIDE = 0x00010000,
58250+ GR_KERNELAUTH = 0x00020000,
58251+ GR_ATSECURE = 0x00040000,
58252+ GR_SHMEXEC = 0x00080000
58253+};
58254+
58255+enum {
58256+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
58257+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
58258+ GR_PAX_ENABLE_MPROTECT = 0x0004,
58259+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
58260+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
58261+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
58262+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
58263+ GR_PAX_DISABLE_MPROTECT = 0x0400,
58264+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
58265+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
58266+};
58267+
58268+enum {
58269+ GR_ID_USER = 0x01,
58270+ GR_ID_GROUP = 0x02,
58271+};
58272+
58273+enum {
58274+ GR_ID_ALLOW = 0x01,
58275+ GR_ID_DENY = 0x02,
58276+};
58277+
58278+#define GR_CRASH_RES 31
58279+#define GR_UIDTABLE_MAX 500
58280+
58281+/* begin resource learning section */
58282+enum {
58283+ GR_RLIM_CPU_BUMP = 60,
58284+ GR_RLIM_FSIZE_BUMP = 50000,
58285+ GR_RLIM_DATA_BUMP = 10000,
58286+ GR_RLIM_STACK_BUMP = 1000,
58287+ GR_RLIM_CORE_BUMP = 10000,
58288+ GR_RLIM_RSS_BUMP = 500000,
58289+ GR_RLIM_NPROC_BUMP = 1,
58290+ GR_RLIM_NOFILE_BUMP = 5,
58291+ GR_RLIM_MEMLOCK_BUMP = 50000,
58292+ GR_RLIM_AS_BUMP = 500000,
58293+ GR_RLIM_LOCKS_BUMP = 2,
58294+ GR_RLIM_SIGPENDING_BUMP = 5,
58295+ GR_RLIM_MSGQUEUE_BUMP = 10000,
58296+ GR_RLIM_NICE_BUMP = 1,
58297+ GR_RLIM_RTPRIO_BUMP = 1,
58298+ GR_RLIM_RTTIME_BUMP = 1000000
58299+};
58300+
58301+#endif
58302diff -urNp linux-3.0.7/include/linux/grinternal.h linux-3.0.7/include/linux/grinternal.h
58303--- linux-3.0.7/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
58304+++ linux-3.0.7/include/linux/grinternal.h 2011-10-17 00:25:19.000000000 -0400
58305@@ -0,0 +1,219 @@
58306+#ifndef __GRINTERNAL_H
58307+#define __GRINTERNAL_H
58308+
58309+#ifdef CONFIG_GRKERNSEC
58310+
58311+#include <linux/fs.h>
58312+#include <linux/mnt_namespace.h>
58313+#include <linux/nsproxy.h>
58314+#include <linux/gracl.h>
58315+#include <linux/grdefs.h>
58316+#include <linux/grmsg.h>
58317+
58318+void gr_add_learn_entry(const char *fmt, ...)
58319+ __attribute__ ((format (printf, 1, 2)));
58320+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
58321+ const struct vfsmount *mnt);
58322+__u32 gr_check_create(const struct dentry *new_dentry,
58323+ const struct dentry *parent,
58324+ const struct vfsmount *mnt, const __u32 mode);
58325+int gr_check_protected_task(const struct task_struct *task);
58326+__u32 to_gr_audit(const __u32 reqmode);
58327+int gr_set_acls(const int type);
58328+int gr_apply_subject_to_task(struct task_struct *task);
58329+int gr_acl_is_enabled(void);
58330+char gr_roletype_to_char(void);
58331+
58332+void gr_handle_alertkill(struct task_struct *task);
58333+char *gr_to_filename(const struct dentry *dentry,
58334+ const struct vfsmount *mnt);
58335+char *gr_to_filename1(const struct dentry *dentry,
58336+ const struct vfsmount *mnt);
58337+char *gr_to_filename2(const struct dentry *dentry,
58338+ const struct vfsmount *mnt);
58339+char *gr_to_filename3(const struct dentry *dentry,
58340+ const struct vfsmount *mnt);
58341+
58342+extern int grsec_enable_harden_ptrace;
58343+extern int grsec_enable_link;
58344+extern int grsec_enable_fifo;
58345+extern int grsec_enable_execve;
58346+extern int grsec_enable_shm;
58347+extern int grsec_enable_execlog;
58348+extern int grsec_enable_signal;
58349+extern int grsec_enable_audit_ptrace;
58350+extern int grsec_enable_forkfail;
58351+extern int grsec_enable_time;
58352+extern int grsec_enable_rofs;
58353+extern int grsec_enable_chroot_shmat;
58354+extern int grsec_enable_chroot_mount;
58355+extern int grsec_enable_chroot_double;
58356+extern int grsec_enable_chroot_pivot;
58357+extern int grsec_enable_chroot_chdir;
58358+extern int grsec_enable_chroot_chmod;
58359+extern int grsec_enable_chroot_mknod;
58360+extern int grsec_enable_chroot_fchdir;
58361+extern int grsec_enable_chroot_nice;
58362+extern int grsec_enable_chroot_execlog;
58363+extern int grsec_enable_chroot_caps;
58364+extern int grsec_enable_chroot_sysctl;
58365+extern int grsec_enable_chroot_unix;
58366+extern int grsec_enable_tpe;
58367+extern int grsec_tpe_gid;
58368+extern int grsec_enable_tpe_all;
58369+extern int grsec_enable_tpe_invert;
58370+extern int grsec_enable_socket_all;
58371+extern int grsec_socket_all_gid;
58372+extern int grsec_enable_socket_client;
58373+extern int grsec_socket_client_gid;
58374+extern int grsec_enable_socket_server;
58375+extern int grsec_socket_server_gid;
58376+extern int grsec_audit_gid;
58377+extern int grsec_enable_group;
58378+extern int grsec_enable_audit_textrel;
58379+extern int grsec_enable_log_rwxmaps;
58380+extern int grsec_enable_mount;
58381+extern int grsec_enable_chdir;
58382+extern int grsec_resource_logging;
58383+extern int grsec_enable_blackhole;
58384+extern int grsec_lastack_retries;
58385+extern int grsec_enable_brute;
58386+extern int grsec_lock;
58387+
58388+extern spinlock_t grsec_alert_lock;
58389+extern unsigned long grsec_alert_wtime;
58390+extern unsigned long grsec_alert_fyet;
58391+
58392+extern spinlock_t grsec_audit_lock;
58393+
58394+extern rwlock_t grsec_exec_file_lock;
58395+
58396+#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
58397+ gr_to_filename2((tsk)->exec_file->f_path.dentry, \
58398+ (tsk)->exec_file->f_vfsmnt) : "/")
58399+
58400+#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
58401+ gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
58402+ (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
58403+
58404+#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
58405+ gr_to_filename((tsk)->exec_file->f_path.dentry, \
58406+ (tsk)->exec_file->f_vfsmnt) : "/")
58407+
58408+#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
58409+ gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
58410+ (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
58411+
58412+#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
58413+
58414+#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
58415+
58416+#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
58417+ (task)->pid, (cred)->uid, \
58418+ (cred)->euid, (cred)->gid, (cred)->egid, \
58419+ gr_parent_task_fullpath(task), \
58420+ (task)->real_parent->comm, (task)->real_parent->pid, \
58421+ (pcred)->uid, (pcred)->euid, \
58422+ (pcred)->gid, (pcred)->egid
58423+
58424+#define GR_CHROOT_CAPS {{ \
58425+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
58426+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
58427+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
58428+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
58429+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
58430+ CAP_TO_MASK(CAP_IPC_OWNER) , CAP_TO_MASK(CAP_SYSLOG) }}
58431+
58432+#define security_learn(normal_msg,args...) \
58433+({ \
58434+ read_lock(&grsec_exec_file_lock); \
58435+ gr_add_learn_entry(normal_msg "\n", ## args); \
58436+ read_unlock(&grsec_exec_file_lock); \
58437+})
58438+
58439+enum {
58440+ GR_DO_AUDIT,
58441+ GR_DONT_AUDIT,
58442+ /* used for non-audit messages that we shouldn't kill the task on */
58443+ GR_DONT_AUDIT_GOOD
58444+};
58445+
58446+enum {
58447+ GR_TTYSNIFF,
58448+ GR_RBAC,
58449+ GR_RBAC_STR,
58450+ GR_STR_RBAC,
58451+ GR_RBAC_MODE2,
58452+ GR_RBAC_MODE3,
58453+ GR_FILENAME,
58454+ GR_SYSCTL_HIDDEN,
58455+ GR_NOARGS,
58456+ GR_ONE_INT,
58457+ GR_ONE_INT_TWO_STR,
58458+ GR_ONE_STR,
58459+ GR_STR_INT,
58460+ GR_TWO_STR_INT,
58461+ GR_TWO_INT,
58462+ GR_TWO_U64,
58463+ GR_THREE_INT,
58464+ GR_FIVE_INT_TWO_STR,
58465+ GR_TWO_STR,
58466+ GR_THREE_STR,
58467+ GR_FOUR_STR,
58468+ GR_STR_FILENAME,
58469+ GR_FILENAME_STR,
58470+ GR_FILENAME_TWO_INT,
58471+ GR_FILENAME_TWO_INT_STR,
58472+ GR_TEXTREL,
58473+ GR_PTRACE,
58474+ GR_RESOURCE,
58475+ GR_CAP,
58476+ GR_SIG,
58477+ GR_SIG2,
58478+ GR_CRASH1,
58479+ GR_CRASH2,
58480+ GR_PSACCT,
58481+ GR_RWXMAP
58482+};
58483+
58484+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
58485+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
58486+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
58487+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
58488+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
58489+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
58490+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
58491+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
58492+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
58493+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
58494+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
58495+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
58496+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
58497+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
58498+#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
58499+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
58500+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
58501+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
58502+#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
58503+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
58504+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
58505+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
58506+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
58507+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
58508+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
58509+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
58510+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
58511+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
58512+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
58513+#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
58514+#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
58515+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
58516+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
58517+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
58518+#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
58519+
58520+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
58521+
58522+#endif
58523+
58524+#endif
58525diff -urNp linux-3.0.7/include/linux/grmsg.h linux-3.0.7/include/linux/grmsg.h
58526--- linux-3.0.7/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
58527+++ linux-3.0.7/include/linux/grmsg.h 2011-09-14 09:16:54.000000000 -0400
58528@@ -0,0 +1,108 @@
58529+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
58530+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
58531+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
58532+#define GR_STOPMOD_MSG "denied modification of module state by "
58533+#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
58534+#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
58535+#define GR_IOPERM_MSG "denied use of ioperm() by "
58536+#define GR_IOPL_MSG "denied use of iopl() by "
58537+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
58538+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
58539+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
58540+#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
58541+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
58542+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
58543+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
58544+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
58545+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
58546+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
58547+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
58548+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
58549+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
58550+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
58551+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
58552+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
58553+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
58554+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
58555+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
58556+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
58557+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
58558+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
58559+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
58560+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
58561+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
58562+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
58563+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
58564+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
58565+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
58566+#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
58567+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
58568+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
58569+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
58570+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
58571+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
58572+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
58573+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
58574+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
58575+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
58576+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
58577+#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
58578+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
58579+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
58580+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
58581+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
58582+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
58583+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
58584+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
58585+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
58586+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
58587+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
58588+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
58589+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
58590+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
58591+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
58592+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
58593+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
58594+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
58595+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
58596+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
58597+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
58598+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
58599+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
58600+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
58601+#define GR_FAILFORK_MSG "failed fork with errno %s by "
58602+#define GR_NICE_CHROOT_MSG "denied priority change by "
58603+#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
58604+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
58605+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
58606+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
58607+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
58608+#define GR_TIME_MSG "time set by "
58609+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
58610+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
58611+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
58612+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
58613+#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
58614+#define GR_BIND_MSG "denied bind() by "
58615+#define GR_CONNECT_MSG "denied connect() by "
58616+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
58617+#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
58618+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
58619+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
58620+#define GR_CAP_ACL_MSG "use of %s denied for "
58621+#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
58622+#define GR_CAP_ACL_MSG2 "use of %s permitted for "
58623+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
58624+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
58625+#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
58626+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
58627+#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
58628+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
58629+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
58630+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
58631+#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
58632+#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
58633+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
58634+#define GR_VM86_MSG "denied use of vm86 by "
58635+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
58636+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
58637diff -urNp linux-3.0.7/include/linux/grsecurity.h linux-3.0.7/include/linux/grsecurity.h
58638--- linux-3.0.7/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
58639+++ linux-3.0.7/include/linux/grsecurity.h 2011-10-17 06:35:30.000000000 -0400
58640@@ -0,0 +1,228 @@
58641+#ifndef GR_SECURITY_H
58642+#define GR_SECURITY_H
58643+#include <linux/fs.h>
58644+#include <linux/fs_struct.h>
58645+#include <linux/binfmts.h>
58646+#include <linux/gracl.h>
58647+
58648+/* notify of brain-dead configs */
58649+#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
58650+#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
58651+#endif
58652+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
58653+#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
58654+#endif
58655+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
58656+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
58657+#endif
58658+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
58659+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
58660+#endif
58661+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
58662+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
58663+#endif
58664+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
58665+#error "CONFIG_PAX enabled, but no PaX options are enabled."
58666+#endif
58667+
58668+#include <linux/compat.h>
58669+
58670+struct user_arg_ptr {
58671+#ifdef CONFIG_COMPAT
58672+ bool is_compat;
58673+#endif
58674+ union {
58675+ const char __user *const __user *native;
58676+#ifdef CONFIG_COMPAT
58677+ compat_uptr_t __user *compat;
58678+#endif
58679+ } ptr;
58680+};
58681+
58682+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
58683+void gr_handle_brute_check(void);
58684+void gr_handle_kernel_exploit(void);
58685+int gr_process_user_ban(void);
58686+
58687+char gr_roletype_to_char(void);
58688+
58689+int gr_acl_enable_at_secure(void);
58690+
58691+int gr_check_user_change(int real, int effective, int fs);
58692+int gr_check_group_change(int real, int effective, int fs);
58693+
58694+void gr_del_task_from_ip_table(struct task_struct *p);
58695+
58696+int gr_pid_is_chrooted(struct task_struct *p);
58697+int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
58698+int gr_handle_chroot_nice(void);
58699+int gr_handle_chroot_sysctl(const int op);
58700+int gr_handle_chroot_setpriority(struct task_struct *p,
58701+ const int niceval);
58702+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
58703+int gr_handle_chroot_chroot(const struct dentry *dentry,
58704+ const struct vfsmount *mnt);
58705+void gr_handle_chroot_chdir(struct path *path);
58706+int gr_handle_chroot_chmod(const struct dentry *dentry,
58707+ const struct vfsmount *mnt, const int mode);
58708+int gr_handle_chroot_mknod(const struct dentry *dentry,
58709+ const struct vfsmount *mnt, const int mode);
58710+int gr_handle_chroot_mount(const struct dentry *dentry,
58711+ const struct vfsmount *mnt,
58712+ const char *dev_name);
58713+int gr_handle_chroot_pivot(void);
58714+int gr_handle_chroot_unix(const pid_t pid);
58715+
58716+int gr_handle_rawio(const struct inode *inode);
58717+
58718+void gr_handle_ioperm(void);
58719+void gr_handle_iopl(void);
58720+
58721+int gr_tpe_allow(const struct file *file);
58722+
58723+void gr_set_chroot_entries(struct task_struct *task, struct path *path);
58724+void gr_clear_chroot_entries(struct task_struct *task);
58725+
58726+void gr_log_forkfail(const int retval);
58727+void gr_log_timechange(void);
58728+void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
58729+void gr_log_chdir(const struct dentry *dentry,
58730+ const struct vfsmount *mnt);
58731+void gr_log_chroot_exec(const struct dentry *dentry,
58732+ const struct vfsmount *mnt);
58733+void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv);
58734+void gr_log_remount(const char *devname, const int retval);
58735+void gr_log_unmount(const char *devname, const int retval);
58736+void gr_log_mount(const char *from, const char *to, const int retval);
58737+void gr_log_textrel(struct vm_area_struct *vma);
58738+void gr_log_rwxmmap(struct file *file);
58739+void gr_log_rwxmprotect(struct file *file);
58740+
58741+int gr_handle_follow_link(const struct inode *parent,
58742+ const struct inode *inode,
58743+ const struct dentry *dentry,
58744+ const struct vfsmount *mnt);
58745+int gr_handle_fifo(const struct dentry *dentry,
58746+ const struct vfsmount *mnt,
58747+ const struct dentry *dir, const int flag,
58748+ const int acc_mode);
58749+int gr_handle_hardlink(const struct dentry *dentry,
58750+ const struct vfsmount *mnt,
58751+ struct inode *inode,
58752+ const int mode, const char *to);
58753+
58754+int gr_is_capable(const int cap);
58755+int gr_is_capable_nolog(const int cap);
58756+void gr_learn_resource(const struct task_struct *task, const int limit,
58757+ const unsigned long wanted, const int gt);
58758+void gr_copy_label(struct task_struct *tsk);
58759+void gr_handle_crash(struct task_struct *task, const int sig);
58760+int gr_handle_signal(const struct task_struct *p, const int sig);
58761+int gr_check_crash_uid(const uid_t uid);
58762+int gr_check_protected_task(const struct task_struct *task);
58763+int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
58764+int gr_acl_handle_mmap(const struct file *file,
58765+ const unsigned long prot);
58766+int gr_acl_handle_mprotect(const struct file *file,
58767+ const unsigned long prot);
58768+int gr_check_hidden_task(const struct task_struct *tsk);
58769+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
58770+ const struct vfsmount *mnt);
58771+__u32 gr_acl_handle_utime(const struct dentry *dentry,
58772+ const struct vfsmount *mnt);
58773+__u32 gr_acl_handle_access(const struct dentry *dentry,
58774+ const struct vfsmount *mnt, const int fmode);
58775+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
58776+ const struct vfsmount *mnt, mode_t mode);
58777+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
58778+ const struct vfsmount *mnt, mode_t mode);
58779+__u32 gr_acl_handle_chown(const struct dentry *dentry,
58780+ const struct vfsmount *mnt);
58781+__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
58782+ const struct vfsmount *mnt);
58783+int gr_handle_ptrace(struct task_struct *task, const long request);
58784+int gr_handle_proc_ptrace(struct task_struct *task);
58785+__u32 gr_acl_handle_execve(const struct dentry *dentry,
58786+ const struct vfsmount *mnt);
58787+int gr_check_crash_exec(const struct file *filp);
58788+int gr_acl_is_enabled(void);
58789+void gr_set_kernel_label(struct task_struct *task);
58790+void gr_set_role_label(struct task_struct *task, const uid_t uid,
58791+ const gid_t gid);
58792+int gr_set_proc_label(const struct dentry *dentry,
58793+ const struct vfsmount *mnt,
58794+ const int unsafe_share);
58795+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
58796+ const struct vfsmount *mnt);
58797+__u32 gr_acl_handle_open(const struct dentry *dentry,
58798+ const struct vfsmount *mnt, const int fmode);
58799+__u32 gr_acl_handle_creat(const struct dentry *dentry,
58800+ const struct dentry *p_dentry,
58801+ const struct vfsmount *p_mnt, const int fmode,
58802+ const int imode);
58803+void gr_handle_create(const struct dentry *dentry,
58804+ const struct vfsmount *mnt);
58805+void gr_handle_proc_create(const struct dentry *dentry,
58806+ const struct inode *inode);
58807+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
58808+ const struct dentry *parent_dentry,
58809+ const struct vfsmount *parent_mnt,
58810+ const int mode);
58811+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
58812+ const struct dentry *parent_dentry,
58813+ const struct vfsmount *parent_mnt);
58814+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
58815+ const struct vfsmount *mnt);
58816+void gr_handle_delete(const ino_t ino, const dev_t dev);
58817+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
58818+ const struct vfsmount *mnt);
58819+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
58820+ const struct dentry *parent_dentry,
58821+ const struct vfsmount *parent_mnt,
58822+ const char *from);
58823+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
58824+ const struct dentry *parent_dentry,
58825+ const struct vfsmount *parent_mnt,
58826+ const struct dentry *old_dentry,
58827+ const struct vfsmount *old_mnt, const char *to);
58828+int gr_acl_handle_rename(struct dentry *new_dentry,
58829+ struct dentry *parent_dentry,
58830+ const struct vfsmount *parent_mnt,
58831+ struct dentry *old_dentry,
58832+ struct inode *old_parent_inode,
58833+ struct vfsmount *old_mnt, const char *newname);
58834+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
58835+ struct dentry *old_dentry,
58836+ struct dentry *new_dentry,
58837+ struct vfsmount *mnt, const __u8 replace);
58838+__u32 gr_check_link(const struct dentry *new_dentry,
58839+ const struct dentry *parent_dentry,
58840+ const struct vfsmount *parent_mnt,
58841+ const struct dentry *old_dentry,
58842+ const struct vfsmount *old_mnt);
58843+int gr_acl_handle_filldir(const struct file *file, const char *name,
58844+ const unsigned int namelen, const ino_t ino);
58845+
58846+__u32 gr_acl_handle_unix(const struct dentry *dentry,
58847+ const struct vfsmount *mnt);
58848+void gr_acl_handle_exit(void);
58849+void gr_acl_handle_psacct(struct task_struct *task, const long code);
58850+int gr_acl_handle_procpidmem(const struct task_struct *task);
58851+int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
58852+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
58853+void gr_audit_ptrace(struct task_struct *task);
58854+dev_t gr_get_dev_from_dentry(struct dentry *dentry);
58855+
58856+#ifdef CONFIG_GRKERNSEC
58857+void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
58858+void gr_handle_vm86(void);
58859+void gr_handle_mem_readwrite(u64 from, u64 to);
58860+
58861+extern int grsec_enable_dmesg;
58862+extern int grsec_disable_privio;
58863+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58864+extern int grsec_enable_chroot_findtask;
58865+#endif
58866+#endif
58867+
58868+#endif
58869diff -urNp linux-3.0.7/include/linux/grsock.h linux-3.0.7/include/linux/grsock.h
58870--- linux-3.0.7/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
58871+++ linux-3.0.7/include/linux/grsock.h 2011-08-23 21:48:14.000000000 -0400
58872@@ -0,0 +1,19 @@
58873+#ifndef __GRSOCK_H
58874+#define __GRSOCK_H
58875+
58876+extern void gr_attach_curr_ip(const struct sock *sk);
58877+extern int gr_handle_sock_all(const int family, const int type,
58878+ const int protocol);
58879+extern int gr_handle_sock_server(const struct sockaddr *sck);
58880+extern int gr_handle_sock_server_other(const struct sock *sck);
58881+extern int gr_handle_sock_client(const struct sockaddr *sck);
58882+extern int gr_search_connect(struct socket * sock,
58883+ struct sockaddr_in * addr);
58884+extern int gr_search_bind(struct socket * sock,
58885+ struct sockaddr_in * addr);
58886+extern int gr_search_listen(struct socket * sock);
58887+extern int gr_search_accept(struct socket * sock);
58888+extern int gr_search_socket(const int domain, const int type,
58889+ const int protocol);
58890+
58891+#endif
58892diff -urNp linux-3.0.7/include/linux/hid.h linux-3.0.7/include/linux/hid.h
58893--- linux-3.0.7/include/linux/hid.h 2011-07-21 22:17:23.000000000 -0400
58894+++ linux-3.0.7/include/linux/hid.h 2011-08-23 21:47:56.000000000 -0400
58895@@ -675,7 +675,7 @@ struct hid_ll_driver {
58896 unsigned int code, int value);
58897
58898 int (*parse)(struct hid_device *hdev);
58899-};
58900+} __no_const;
58901
58902 #define PM_HINT_FULLON 1<<5
58903 #define PM_HINT_NORMAL 1<<1
58904diff -urNp linux-3.0.7/include/linux/highmem.h linux-3.0.7/include/linux/highmem.h
58905--- linux-3.0.7/include/linux/highmem.h 2011-07-21 22:17:23.000000000 -0400
58906+++ linux-3.0.7/include/linux/highmem.h 2011-08-23 21:47:56.000000000 -0400
58907@@ -185,6 +185,18 @@ static inline void clear_highpage(struct
58908 kunmap_atomic(kaddr, KM_USER0);
58909 }
58910
58911+static inline void sanitize_highpage(struct page *page)
58912+{
58913+ void *kaddr;
58914+ unsigned long flags;
58915+
58916+ local_irq_save(flags);
58917+ kaddr = kmap_atomic(page, KM_CLEARPAGE);
58918+ clear_page(kaddr);
58919+ kunmap_atomic(kaddr, KM_CLEARPAGE);
58920+ local_irq_restore(flags);
58921+}
58922+
58923 static inline void zero_user_segments(struct page *page,
58924 unsigned start1, unsigned end1,
58925 unsigned start2, unsigned end2)
58926diff -urNp linux-3.0.7/include/linux/i2c.h linux-3.0.7/include/linux/i2c.h
58927--- linux-3.0.7/include/linux/i2c.h 2011-07-21 22:17:23.000000000 -0400
58928+++ linux-3.0.7/include/linux/i2c.h 2011-08-23 21:47:56.000000000 -0400
58929@@ -346,6 +346,7 @@ struct i2c_algorithm {
58930 /* To determine what the adapter supports */
58931 u32 (*functionality) (struct i2c_adapter *);
58932 };
58933+typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
58934
58935 /*
58936 * i2c_adapter is the structure used to identify a physical i2c bus along
58937diff -urNp linux-3.0.7/include/linux/i2o.h linux-3.0.7/include/linux/i2o.h
58938--- linux-3.0.7/include/linux/i2o.h 2011-07-21 22:17:23.000000000 -0400
58939+++ linux-3.0.7/include/linux/i2o.h 2011-08-23 21:47:56.000000000 -0400
58940@@ -564,7 +564,7 @@ struct i2o_controller {
58941 struct i2o_device *exec; /* Executive */
58942 #if BITS_PER_LONG == 64
58943 spinlock_t context_list_lock; /* lock for context_list */
58944- atomic_t context_list_counter; /* needed for unique contexts */
58945+ atomic_unchecked_t context_list_counter; /* needed for unique contexts */
58946 struct list_head context_list; /* list of context id's
58947 and pointers */
58948 #endif
58949diff -urNp linux-3.0.7/include/linux/init.h linux-3.0.7/include/linux/init.h
58950--- linux-3.0.7/include/linux/init.h 2011-07-21 22:17:23.000000000 -0400
58951+++ linux-3.0.7/include/linux/init.h 2011-08-23 21:47:56.000000000 -0400
58952@@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
58953
58954 /* Each module must use one module_init(). */
58955 #define module_init(initfn) \
58956- static inline initcall_t __inittest(void) \
58957+ static inline __used initcall_t __inittest(void) \
58958 { return initfn; } \
58959 int init_module(void) __attribute__((alias(#initfn)));
58960
58961 /* This is only required if you want to be unloadable. */
58962 #define module_exit(exitfn) \
58963- static inline exitcall_t __exittest(void) \
58964+ static inline __used exitcall_t __exittest(void) \
58965 { return exitfn; } \
58966 void cleanup_module(void) __attribute__((alias(#exitfn)));
58967
58968diff -urNp linux-3.0.7/include/linux/init_task.h linux-3.0.7/include/linux/init_task.h
58969--- linux-3.0.7/include/linux/init_task.h 2011-07-21 22:17:23.000000000 -0400
58970+++ linux-3.0.7/include/linux/init_task.h 2011-08-23 21:47:56.000000000 -0400
58971@@ -126,6 +126,12 @@ extern struct cred init_cred;
58972 # define INIT_PERF_EVENTS(tsk)
58973 #endif
58974
58975+#ifdef CONFIG_X86
58976+#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
58977+#else
58978+#define INIT_TASK_THREAD_INFO
58979+#endif
58980+
58981 /*
58982 * INIT_TASK is used to set up the first task table, touch at
58983 * your own risk!. Base=0, limit=0x1fffff (=2MB)
58984@@ -164,6 +170,7 @@ extern struct cred init_cred;
58985 RCU_INIT_POINTER(.cred, &init_cred), \
58986 .comm = "swapper", \
58987 .thread = INIT_THREAD, \
58988+ INIT_TASK_THREAD_INFO \
58989 .fs = &init_fs, \
58990 .files = &init_files, \
58991 .signal = &init_signals, \
58992diff -urNp linux-3.0.7/include/linux/intel-iommu.h linux-3.0.7/include/linux/intel-iommu.h
58993--- linux-3.0.7/include/linux/intel-iommu.h 2011-07-21 22:17:23.000000000 -0400
58994+++ linux-3.0.7/include/linux/intel-iommu.h 2011-08-23 21:47:56.000000000 -0400
58995@@ -296,7 +296,7 @@ struct iommu_flush {
58996 u8 fm, u64 type);
58997 void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr,
58998 unsigned int size_order, u64 type);
58999-};
59000+} __no_const;
59001
59002 enum {
59003 SR_DMAR_FECTL_REG,
59004diff -urNp linux-3.0.7/include/linux/interrupt.h linux-3.0.7/include/linux/interrupt.h
59005--- linux-3.0.7/include/linux/interrupt.h 2011-07-21 22:17:23.000000000 -0400
59006+++ linux-3.0.7/include/linux/interrupt.h 2011-08-23 21:47:56.000000000 -0400
59007@@ -422,7 +422,7 @@ enum
59008 /* map softirq index to softirq name. update 'softirq_to_name' in
59009 * kernel/softirq.c when adding a new softirq.
59010 */
59011-extern char *softirq_to_name[NR_SOFTIRQS];
59012+extern const char * const softirq_to_name[NR_SOFTIRQS];
59013
59014 /* softirq mask and active fields moved to irq_cpustat_t in
59015 * asm/hardirq.h to get better cache usage. KAO
59016@@ -430,12 +430,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
59017
59018 struct softirq_action
59019 {
59020- void (*action)(struct softirq_action *);
59021+ void (*action)(void);
59022 };
59023
59024 asmlinkage void do_softirq(void);
59025 asmlinkage void __do_softirq(void);
59026-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
59027+extern void open_softirq(int nr, void (*action)(void));
59028 extern void softirq_init(void);
59029 static inline void __raise_softirq_irqoff(unsigned int nr)
59030 {
59031diff -urNp linux-3.0.7/include/linux/kallsyms.h linux-3.0.7/include/linux/kallsyms.h
59032--- linux-3.0.7/include/linux/kallsyms.h 2011-07-21 22:17:23.000000000 -0400
59033+++ linux-3.0.7/include/linux/kallsyms.h 2011-08-23 21:48:14.000000000 -0400
59034@@ -15,7 +15,8 @@
59035
59036 struct module;
59037
59038-#ifdef CONFIG_KALLSYMS
59039+#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
59040+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
59041 /* Lookup the address for a symbol. Returns 0 if not found. */
59042 unsigned long kallsyms_lookup_name(const char *name);
59043
59044@@ -99,6 +100,16 @@ static inline int lookup_symbol_attrs(un
59045 /* Stupid that this does nothing, but I didn't create this mess. */
59046 #define __print_symbol(fmt, addr)
59047 #endif /*CONFIG_KALLSYMS*/
59048+#else /* when included by kallsyms.c, vsnprintf.c, or
59049+ arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
59050+extern void __print_symbol(const char *fmt, unsigned long address);
59051+extern int sprint_backtrace(char *buffer, unsigned long address);
59052+extern int sprint_symbol(char *buffer, unsigned long address);
59053+const char *kallsyms_lookup(unsigned long addr,
59054+ unsigned long *symbolsize,
59055+ unsigned long *offset,
59056+ char **modname, char *namebuf);
59057+#endif
59058
59059 /* This macro allows us to keep printk typechecking */
59060 static void __check_printsym_format(const char *fmt, ...)
59061diff -urNp linux-3.0.7/include/linux/kgdb.h linux-3.0.7/include/linux/kgdb.h
59062--- linux-3.0.7/include/linux/kgdb.h 2011-07-21 22:17:23.000000000 -0400
59063+++ linux-3.0.7/include/linux/kgdb.h 2011-08-26 19:49:56.000000000 -0400
59064@@ -53,7 +53,7 @@ extern int kgdb_connected;
59065 extern int kgdb_io_module_registered;
59066
59067 extern atomic_t kgdb_setting_breakpoint;
59068-extern atomic_t kgdb_cpu_doing_single_step;
59069+extern atomic_unchecked_t kgdb_cpu_doing_single_step;
59070
59071 extern struct task_struct *kgdb_usethread;
59072 extern struct task_struct *kgdb_contthread;
59073@@ -251,7 +251,7 @@ struct kgdb_arch {
59074 void (*disable_hw_break)(struct pt_regs *regs);
59075 void (*remove_all_hw_break)(void);
59076 void (*correct_hw_break)(void);
59077-};
59078+} __do_const;
59079
59080 /**
59081 * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
59082@@ -276,7 +276,7 @@ struct kgdb_io {
59083 void (*pre_exception) (void);
59084 void (*post_exception) (void);
59085 int is_console;
59086-};
59087+} __do_const;
59088
59089 extern struct kgdb_arch arch_kgdb_ops;
59090
59091diff -urNp linux-3.0.7/include/linux/kmod.h linux-3.0.7/include/linux/kmod.h
59092--- linux-3.0.7/include/linux/kmod.h 2011-07-21 22:17:23.000000000 -0400
59093+++ linux-3.0.7/include/linux/kmod.h 2011-08-23 21:48:14.000000000 -0400
59094@@ -34,6 +34,8 @@ extern char modprobe_path[]; /* for sysc
59095 * usually useless though. */
59096 extern int __request_module(bool wait, const char *name, ...) \
59097 __attribute__((format(printf, 2, 3)));
59098+extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
59099+ __attribute__((format(printf, 3, 4)));
59100 #define request_module(mod...) __request_module(true, mod)
59101 #define request_module_nowait(mod...) __request_module(false, mod)
59102 #define try_then_request_module(x, mod...) \
59103diff -urNp linux-3.0.7/include/linux/kvm_host.h linux-3.0.7/include/linux/kvm_host.h
59104--- linux-3.0.7/include/linux/kvm_host.h 2011-07-21 22:17:23.000000000 -0400
59105+++ linux-3.0.7/include/linux/kvm_host.h 2011-08-23 21:47:56.000000000 -0400
59106@@ -307,7 +307,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
59107 void vcpu_load(struct kvm_vcpu *vcpu);
59108 void vcpu_put(struct kvm_vcpu *vcpu);
59109
59110-int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59111+int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59112 struct module *module);
59113 void kvm_exit(void);
59114
59115@@ -446,7 +446,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
59116 struct kvm_guest_debug *dbg);
59117 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
59118
59119-int kvm_arch_init(void *opaque);
59120+int kvm_arch_init(const void *opaque);
59121 void kvm_arch_exit(void);
59122
59123 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
59124diff -urNp linux-3.0.7/include/linux/libata.h linux-3.0.7/include/linux/libata.h
59125--- linux-3.0.7/include/linux/libata.h 2011-07-21 22:17:23.000000000 -0400
59126+++ linux-3.0.7/include/linux/libata.h 2011-08-26 19:49:56.000000000 -0400
59127@@ -899,7 +899,7 @@ struct ata_port_operations {
59128 * fields must be pointers.
59129 */
59130 const struct ata_port_operations *inherits;
59131-};
59132+} __do_const;
59133
59134 struct ata_port_info {
59135 unsigned long flags;
59136diff -urNp linux-3.0.7/include/linux/linkage.h linux-3.0.7/include/linux/linkage.h
59137--- linux-3.0.7/include/linux/linkage.h 2011-07-21 22:17:23.000000000 -0400
59138+++ linux-3.0.7/include/linux/linkage.h 2011-10-11 10:44:33.000000000 -0400
59139@@ -82,6 +82,7 @@
59140 */
59141 #ifndef ENDPROC
59142 #define ENDPROC(name) \
59143+ .size name, .-name; \
59144 .type name, @function; \
59145 END(name)
59146 #endif
59147diff -urNp linux-3.0.7/include/linux/mca.h linux-3.0.7/include/linux/mca.h
59148--- linux-3.0.7/include/linux/mca.h 2011-07-21 22:17:23.000000000 -0400
59149+++ linux-3.0.7/include/linux/mca.h 2011-08-23 21:47:56.000000000 -0400
59150@@ -80,7 +80,7 @@ struct mca_bus_accessor_functions {
59151 int region);
59152 void * (*mca_transform_memory)(struct mca_device *,
59153 void *memory);
59154-};
59155+} __no_const;
59156
59157 struct mca_bus {
59158 u64 default_dma_mask;
59159diff -urNp linux-3.0.7/include/linux/memory.h linux-3.0.7/include/linux/memory.h
59160--- linux-3.0.7/include/linux/memory.h 2011-07-21 22:17:23.000000000 -0400
59161+++ linux-3.0.7/include/linux/memory.h 2011-08-23 21:47:56.000000000 -0400
59162@@ -144,7 +144,7 @@ struct memory_accessor {
59163 size_t count);
59164 ssize_t (*write)(struct memory_accessor *, const char *buf,
59165 off_t offset, size_t count);
59166-};
59167+} __no_const;
59168
59169 /*
59170 * Kernel text modification mutex, used for code patching. Users of this lock
59171diff -urNp linux-3.0.7/include/linux/mfd/abx500.h linux-3.0.7/include/linux/mfd/abx500.h
59172--- linux-3.0.7/include/linux/mfd/abx500.h 2011-07-21 22:17:23.000000000 -0400
59173+++ linux-3.0.7/include/linux/mfd/abx500.h 2011-08-23 21:47:56.000000000 -0400
59174@@ -234,6 +234,7 @@ struct abx500_ops {
59175 int (*event_registers_startup_state_get) (struct device *, u8 *);
59176 int (*startup_irq_enabled) (struct device *, unsigned int);
59177 };
59178+typedef struct abx500_ops __no_const abx500_ops_no_const;
59179
59180 int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops);
59181 void abx500_remove_ops(struct device *dev);
59182diff -urNp linux-3.0.7/include/linux/mm.h linux-3.0.7/include/linux/mm.h
59183--- linux-3.0.7/include/linux/mm.h 2011-09-02 18:11:21.000000000 -0400
59184+++ linux-3.0.7/include/linux/mm.h 2011-08-23 21:47:56.000000000 -0400
59185@@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
59186
59187 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
59188 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
59189+
59190+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
59191+#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
59192+#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
59193+#else
59194 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
59195+#endif
59196+
59197 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
59198 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
59199
59200@@ -1009,34 +1016,6 @@ int set_page_dirty(struct page *page);
59201 int set_page_dirty_lock(struct page *page);
59202 int clear_page_dirty_for_io(struct page *page);
59203
59204-/* Is the vma a continuation of the stack vma above it? */
59205-static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
59206-{
59207- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
59208-}
59209-
59210-static inline int stack_guard_page_start(struct vm_area_struct *vma,
59211- unsigned long addr)
59212-{
59213- return (vma->vm_flags & VM_GROWSDOWN) &&
59214- (vma->vm_start == addr) &&
59215- !vma_growsdown(vma->vm_prev, addr);
59216-}
59217-
59218-/* Is the vma a continuation of the stack vma below it? */
59219-static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
59220-{
59221- return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
59222-}
59223-
59224-static inline int stack_guard_page_end(struct vm_area_struct *vma,
59225- unsigned long addr)
59226-{
59227- return (vma->vm_flags & VM_GROWSUP) &&
59228- (vma->vm_end == addr) &&
59229- !vma_growsup(vma->vm_next, addr);
59230-}
59231-
59232 extern unsigned long move_page_tables(struct vm_area_struct *vma,
59233 unsigned long old_addr, struct vm_area_struct *new_vma,
59234 unsigned long new_addr, unsigned long len);
59235@@ -1169,6 +1148,15 @@ struct shrinker {
59236 extern void register_shrinker(struct shrinker *);
59237 extern void unregister_shrinker(struct shrinker *);
59238
59239+#ifdef CONFIG_MMU
59240+pgprot_t vm_get_page_prot(vm_flags_t vm_flags);
59241+#else
59242+static inline pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
59243+{
59244+ return __pgprot(0);
59245+}
59246+#endif
59247+
59248 int vma_wants_writenotify(struct vm_area_struct *vma);
59249
59250 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
59251@@ -1452,6 +1440,7 @@ out:
59252 }
59253
59254 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
59255+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
59256
59257 extern unsigned long do_brk(unsigned long, unsigned long);
59258
59259@@ -1510,6 +1499,10 @@ extern struct vm_area_struct * find_vma(
59260 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
59261 struct vm_area_struct **pprev);
59262
59263+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
59264+extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
59265+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
59266+
59267 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
59268 NULL if none. Assume start_addr < end_addr. */
59269 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
59270@@ -1526,15 +1519,6 @@ static inline unsigned long vma_pages(st
59271 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
59272 }
59273
59274-#ifdef CONFIG_MMU
59275-pgprot_t vm_get_page_prot(unsigned long vm_flags);
59276-#else
59277-static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
59278-{
59279- return __pgprot(0);
59280-}
59281-#endif
59282-
59283 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
59284 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
59285 unsigned long pfn, unsigned long size, pgprot_t);
59286@@ -1647,7 +1631,7 @@ extern int unpoison_memory(unsigned long
59287 extern int sysctl_memory_failure_early_kill;
59288 extern int sysctl_memory_failure_recovery;
59289 extern void shake_page(struct page *p, int access);
59290-extern atomic_long_t mce_bad_pages;
59291+extern atomic_long_unchecked_t mce_bad_pages;
59292 extern int soft_offline_page(struct page *page, int flags);
59293
59294 extern void dump_page(struct page *page);
59295@@ -1661,5 +1645,11 @@ extern void copy_user_huge_page(struct p
59296 unsigned int pages_per_huge_page);
59297 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
59298
59299+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
59300+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
59301+#else
59302+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
59303+#endif
59304+
59305 #endif /* __KERNEL__ */
59306 #endif /* _LINUX_MM_H */
59307diff -urNp linux-3.0.7/include/linux/mm_types.h linux-3.0.7/include/linux/mm_types.h
59308--- linux-3.0.7/include/linux/mm_types.h 2011-07-21 22:17:23.000000000 -0400
59309+++ linux-3.0.7/include/linux/mm_types.h 2011-08-23 21:47:56.000000000 -0400
59310@@ -184,6 +184,8 @@ struct vm_area_struct {
59311 #ifdef CONFIG_NUMA
59312 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
59313 #endif
59314+
59315+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
59316 };
59317
59318 struct core_thread {
59319@@ -316,6 +318,24 @@ struct mm_struct {
59320 #ifdef CONFIG_CPUMASK_OFFSTACK
59321 struct cpumask cpumask_allocation;
59322 #endif
59323+
59324+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
59325+ unsigned long pax_flags;
59326+#endif
59327+
59328+#ifdef CONFIG_PAX_DLRESOLVE
59329+ unsigned long call_dl_resolve;
59330+#endif
59331+
59332+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
59333+ unsigned long call_syscall;
59334+#endif
59335+
59336+#ifdef CONFIG_PAX_ASLR
59337+ unsigned long delta_mmap; /* randomized offset */
59338+ unsigned long delta_stack; /* randomized offset */
59339+#endif
59340+
59341 };
59342
59343 static inline void mm_init_cpumask(struct mm_struct *mm)
59344diff -urNp linux-3.0.7/include/linux/mmu_notifier.h linux-3.0.7/include/linux/mmu_notifier.h
59345--- linux-3.0.7/include/linux/mmu_notifier.h 2011-07-21 22:17:23.000000000 -0400
59346+++ linux-3.0.7/include/linux/mmu_notifier.h 2011-08-23 21:47:56.000000000 -0400
59347@@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
59348 */
59349 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
59350 ({ \
59351- pte_t __pte; \
59352+ pte_t ___pte; \
59353 struct vm_area_struct *___vma = __vma; \
59354 unsigned long ___address = __address; \
59355- __pte = ptep_clear_flush(___vma, ___address, __ptep); \
59356+ ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
59357 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
59358- __pte; \
59359+ ___pte; \
59360 })
59361
59362 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
59363diff -urNp linux-3.0.7/include/linux/mmzone.h linux-3.0.7/include/linux/mmzone.h
59364--- linux-3.0.7/include/linux/mmzone.h 2011-07-21 22:17:23.000000000 -0400
59365+++ linux-3.0.7/include/linux/mmzone.h 2011-08-23 21:47:56.000000000 -0400
59366@@ -350,7 +350,7 @@ struct zone {
59367 unsigned long flags; /* zone flags, see below */
59368
59369 /* Zone statistics */
59370- atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
59371+ atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
59372
59373 /*
59374 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
59375diff -urNp linux-3.0.7/include/linux/mod_devicetable.h linux-3.0.7/include/linux/mod_devicetable.h
59376--- linux-3.0.7/include/linux/mod_devicetable.h 2011-07-21 22:17:23.000000000 -0400
59377+++ linux-3.0.7/include/linux/mod_devicetable.h 2011-08-23 21:47:56.000000000 -0400
59378@@ -12,7 +12,7 @@
59379 typedef unsigned long kernel_ulong_t;
59380 #endif
59381
59382-#define PCI_ANY_ID (~0)
59383+#define PCI_ANY_ID ((__u16)~0)
59384
59385 struct pci_device_id {
59386 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
59387@@ -131,7 +131,7 @@ struct usb_device_id {
59388 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
59389 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
59390
59391-#define HID_ANY_ID (~0)
59392+#define HID_ANY_ID (~0U)
59393
59394 struct hid_device_id {
59395 __u16 bus;
59396diff -urNp linux-3.0.7/include/linux/module.h linux-3.0.7/include/linux/module.h
59397--- linux-3.0.7/include/linux/module.h 2011-07-21 22:17:23.000000000 -0400
59398+++ linux-3.0.7/include/linux/module.h 2011-08-23 21:47:56.000000000 -0400
59399@@ -16,6 +16,7 @@
59400 #include <linux/kobject.h>
59401 #include <linux/moduleparam.h>
59402 #include <linux/tracepoint.h>
59403+#include <linux/fs.h>
59404
59405 #include <linux/percpu.h>
59406 #include <asm/module.h>
59407@@ -325,19 +326,16 @@ struct module
59408 int (*init)(void);
59409
59410 /* If this is non-NULL, vfree after init() returns */
59411- void *module_init;
59412+ void *module_init_rx, *module_init_rw;
59413
59414 /* Here is the actual code + data, vfree'd on unload. */
59415- void *module_core;
59416+ void *module_core_rx, *module_core_rw;
59417
59418 /* Here are the sizes of the init and core sections */
59419- unsigned int init_size, core_size;
59420+ unsigned int init_size_rw, core_size_rw;
59421
59422 /* The size of the executable code in each section. */
59423- unsigned int init_text_size, core_text_size;
59424-
59425- /* Size of RO sections of the module (text+rodata) */
59426- unsigned int init_ro_size, core_ro_size;
59427+ unsigned int init_size_rx, core_size_rx;
59428
59429 /* Arch-specific module values */
59430 struct mod_arch_specific arch;
59431@@ -393,6 +391,10 @@ struct module
59432 #ifdef CONFIG_EVENT_TRACING
59433 struct ftrace_event_call **trace_events;
59434 unsigned int num_trace_events;
59435+ struct file_operations trace_id;
59436+ struct file_operations trace_enable;
59437+ struct file_operations trace_format;
59438+ struct file_operations trace_filter;
59439 #endif
59440 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
59441 unsigned int num_ftrace_callsites;
59442@@ -443,16 +445,46 @@ bool is_module_address(unsigned long add
59443 bool is_module_percpu_address(unsigned long addr);
59444 bool is_module_text_address(unsigned long addr);
59445
59446+static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
59447+{
59448+
59449+#ifdef CONFIG_PAX_KERNEXEC
59450+ if (ktla_ktva(addr) >= (unsigned long)start &&
59451+ ktla_ktva(addr) < (unsigned long)start + size)
59452+ return 1;
59453+#endif
59454+
59455+ return ((void *)addr >= start && (void *)addr < start + size);
59456+}
59457+
59458+static inline int within_module_core_rx(unsigned long addr, struct module *mod)
59459+{
59460+ return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
59461+}
59462+
59463+static inline int within_module_core_rw(unsigned long addr, struct module *mod)
59464+{
59465+ return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
59466+}
59467+
59468+static inline int within_module_init_rx(unsigned long addr, struct module *mod)
59469+{
59470+ return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
59471+}
59472+
59473+static inline int within_module_init_rw(unsigned long addr, struct module *mod)
59474+{
59475+ return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
59476+}
59477+
59478 static inline int within_module_core(unsigned long addr, struct module *mod)
59479 {
59480- return (unsigned long)mod->module_core <= addr &&
59481- addr < (unsigned long)mod->module_core + mod->core_size;
59482+ return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
59483 }
59484
59485 static inline int within_module_init(unsigned long addr, struct module *mod)
59486 {
59487- return (unsigned long)mod->module_init <= addr &&
59488- addr < (unsigned long)mod->module_init + mod->init_size;
59489+ return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
59490 }
59491
59492 /* Search for module by name: must hold module_mutex. */
59493diff -urNp linux-3.0.7/include/linux/moduleloader.h linux-3.0.7/include/linux/moduleloader.h
59494--- linux-3.0.7/include/linux/moduleloader.h 2011-07-21 22:17:23.000000000 -0400
59495+++ linux-3.0.7/include/linux/moduleloader.h 2011-08-23 21:47:56.000000000 -0400
59496@@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
59497 sections. Returns NULL on failure. */
59498 void *module_alloc(unsigned long size);
59499
59500+#ifdef CONFIG_PAX_KERNEXEC
59501+void *module_alloc_exec(unsigned long size);
59502+#else
59503+#define module_alloc_exec(x) module_alloc(x)
59504+#endif
59505+
59506 /* Free memory returned from module_alloc. */
59507 void module_free(struct module *mod, void *module_region);
59508
59509+#ifdef CONFIG_PAX_KERNEXEC
59510+void module_free_exec(struct module *mod, void *module_region);
59511+#else
59512+#define module_free_exec(x, y) module_free((x), (y))
59513+#endif
59514+
59515 /* Apply the given relocation to the (simplified) ELF. Return -error
59516 or 0. */
59517 int apply_relocate(Elf_Shdr *sechdrs,
59518diff -urNp linux-3.0.7/include/linux/moduleparam.h linux-3.0.7/include/linux/moduleparam.h
59519--- linux-3.0.7/include/linux/moduleparam.h 2011-07-21 22:17:23.000000000 -0400
59520+++ linux-3.0.7/include/linux/moduleparam.h 2011-08-23 21:47:56.000000000 -0400
59521@@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
59522 * @len is usually just sizeof(string).
59523 */
59524 #define module_param_string(name, string, len, perm) \
59525- static const struct kparam_string __param_string_##name \
59526+ static const struct kparam_string __param_string_##name __used \
59527 = { len, string }; \
59528 __module_param_call(MODULE_PARAM_PREFIX, name, \
59529 &param_ops_string, \
59530@@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
59531 * module_param_named() for why this might be necessary.
59532 */
59533 #define module_param_array_named(name, array, type, nump, perm) \
59534- static const struct kparam_array __param_arr_##name \
59535+ static const struct kparam_array __param_arr_##name __used \
59536 = { .max = ARRAY_SIZE(array), .num = nump, \
59537 .ops = &param_ops_##type, \
59538 .elemsize = sizeof(array[0]), .elem = array }; \
59539diff -urNp linux-3.0.7/include/linux/namei.h linux-3.0.7/include/linux/namei.h
59540--- linux-3.0.7/include/linux/namei.h 2011-07-21 22:17:23.000000000 -0400
59541+++ linux-3.0.7/include/linux/namei.h 2011-08-23 21:47:56.000000000 -0400
59542@@ -24,7 +24,7 @@ struct nameidata {
59543 unsigned seq;
59544 int last_type;
59545 unsigned depth;
59546- char *saved_names[MAX_NESTED_LINKS + 1];
59547+ const char *saved_names[MAX_NESTED_LINKS + 1];
59548
59549 /* Intent data */
59550 union {
59551@@ -91,12 +91,12 @@ extern int follow_up(struct path *);
59552 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
59553 extern void unlock_rename(struct dentry *, struct dentry *);
59554
59555-static inline void nd_set_link(struct nameidata *nd, char *path)
59556+static inline void nd_set_link(struct nameidata *nd, const char *path)
59557 {
59558 nd->saved_names[nd->depth] = path;
59559 }
59560
59561-static inline char *nd_get_link(struct nameidata *nd)
59562+static inline const char *nd_get_link(const struct nameidata *nd)
59563 {
59564 return nd->saved_names[nd->depth];
59565 }
59566diff -urNp linux-3.0.7/include/linux/netdevice.h linux-3.0.7/include/linux/netdevice.h
59567--- linux-3.0.7/include/linux/netdevice.h 2011-09-02 18:11:21.000000000 -0400
59568+++ linux-3.0.7/include/linux/netdevice.h 2011-08-23 21:47:56.000000000 -0400
59569@@ -979,6 +979,7 @@ struct net_device_ops {
59570 int (*ndo_set_features)(struct net_device *dev,
59571 u32 features);
59572 };
59573+typedef struct net_device_ops __no_const net_device_ops_no_const;
59574
59575 /*
59576 * The DEVICE structure.
59577diff -urNp linux-3.0.7/include/linux/netfilter/xt_gradm.h linux-3.0.7/include/linux/netfilter/xt_gradm.h
59578--- linux-3.0.7/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
59579+++ linux-3.0.7/include/linux/netfilter/xt_gradm.h 2011-08-23 21:48:14.000000000 -0400
59580@@ -0,0 +1,9 @@
59581+#ifndef _LINUX_NETFILTER_XT_GRADM_H
59582+#define _LINUX_NETFILTER_XT_GRADM_H 1
59583+
59584+struct xt_gradm_mtinfo {
59585+ __u16 flags;
59586+ __u16 invflags;
59587+};
59588+
59589+#endif
59590diff -urNp linux-3.0.7/include/linux/of_pdt.h linux-3.0.7/include/linux/of_pdt.h
59591--- linux-3.0.7/include/linux/of_pdt.h 2011-07-21 22:17:23.000000000 -0400
59592+++ linux-3.0.7/include/linux/of_pdt.h 2011-08-30 06:20:11.000000000 -0400
59593@@ -32,7 +32,7 @@ struct of_pdt_ops {
59594
59595 /* return 0 on success; fill in 'len' with number of bytes in path */
59596 int (*pkg2path)(phandle node, char *buf, const int buflen, int *len);
59597-};
59598+} __no_const;
59599
59600 extern void *prom_early_alloc(unsigned long size);
59601
59602diff -urNp linux-3.0.7/include/linux/oprofile.h linux-3.0.7/include/linux/oprofile.h
59603--- linux-3.0.7/include/linux/oprofile.h 2011-07-21 22:17:23.000000000 -0400
59604+++ linux-3.0.7/include/linux/oprofile.h 2011-08-23 21:47:56.000000000 -0400
59605@@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super
59606 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
59607 char const * name, ulong * val);
59608
59609-/** Create a file for read-only access to an atomic_t. */
59610+/** Create a file for read-only access to an atomic_unchecked_t. */
59611 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
59612- char const * name, atomic_t * val);
59613+ char const * name, atomic_unchecked_t * val);
59614
59615 /** create a directory */
59616 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
59617diff -urNp linux-3.0.7/include/linux/padata.h linux-3.0.7/include/linux/padata.h
59618--- linux-3.0.7/include/linux/padata.h 2011-07-21 22:17:23.000000000 -0400
59619+++ linux-3.0.7/include/linux/padata.h 2011-08-23 21:47:56.000000000 -0400
59620@@ -129,7 +129,7 @@ struct parallel_data {
59621 struct padata_instance *pinst;
59622 struct padata_parallel_queue __percpu *pqueue;
59623 struct padata_serial_queue __percpu *squeue;
59624- atomic_t seq_nr;
59625+ atomic_unchecked_t seq_nr;
59626 atomic_t reorder_objects;
59627 atomic_t refcnt;
59628 unsigned int max_seq_nr;
59629diff -urNp linux-3.0.7/include/linux/perf_event.h linux-3.0.7/include/linux/perf_event.h
59630--- linux-3.0.7/include/linux/perf_event.h 2011-07-21 22:17:23.000000000 -0400
59631+++ linux-3.0.7/include/linux/perf_event.h 2011-08-23 21:47:56.000000000 -0400
59632@@ -761,8 +761,8 @@ struct perf_event {
59633
59634 enum perf_event_active_state state;
59635 unsigned int attach_state;
59636- local64_t count;
59637- atomic64_t child_count;
59638+ local64_t count; /* PaX: fix it one day */
59639+ atomic64_unchecked_t child_count;
59640
59641 /*
59642 * These are the total time in nanoseconds that the event
59643@@ -813,8 +813,8 @@ struct perf_event {
59644 * These accumulate total time (in nanoseconds) that children
59645 * events have been enabled and running, respectively.
59646 */
59647- atomic64_t child_total_time_enabled;
59648- atomic64_t child_total_time_running;
59649+ atomic64_unchecked_t child_total_time_enabled;
59650+ atomic64_unchecked_t child_total_time_running;
59651
59652 /*
59653 * Protect attach/detach and child_list:
59654diff -urNp linux-3.0.7/include/linux/pipe_fs_i.h linux-3.0.7/include/linux/pipe_fs_i.h
59655--- linux-3.0.7/include/linux/pipe_fs_i.h 2011-07-21 22:17:23.000000000 -0400
59656+++ linux-3.0.7/include/linux/pipe_fs_i.h 2011-08-23 21:47:56.000000000 -0400
59657@@ -46,9 +46,9 @@ struct pipe_buffer {
59658 struct pipe_inode_info {
59659 wait_queue_head_t wait;
59660 unsigned int nrbufs, curbuf, buffers;
59661- unsigned int readers;
59662- unsigned int writers;
59663- unsigned int waiting_writers;
59664+ atomic_t readers;
59665+ atomic_t writers;
59666+ atomic_t waiting_writers;
59667 unsigned int r_counter;
59668 unsigned int w_counter;
59669 struct page *tmp_page;
59670diff -urNp linux-3.0.7/include/linux/pm_runtime.h linux-3.0.7/include/linux/pm_runtime.h
59671--- linux-3.0.7/include/linux/pm_runtime.h 2011-07-21 22:17:23.000000000 -0400
59672+++ linux-3.0.7/include/linux/pm_runtime.h 2011-08-23 21:47:56.000000000 -0400
59673@@ -94,7 +94,7 @@ static inline bool pm_runtime_callbacks_
59674
59675 static inline void pm_runtime_mark_last_busy(struct device *dev)
59676 {
59677- ACCESS_ONCE(dev->power.last_busy) = jiffies;
59678+ ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
59679 }
59680
59681 #else /* !CONFIG_PM_RUNTIME */
59682diff -urNp linux-3.0.7/include/linux/poison.h linux-3.0.7/include/linux/poison.h
59683--- linux-3.0.7/include/linux/poison.h 2011-07-21 22:17:23.000000000 -0400
59684+++ linux-3.0.7/include/linux/poison.h 2011-08-23 21:47:56.000000000 -0400
59685@@ -19,8 +19,8 @@
59686 * under normal circumstances, used to verify that nobody uses
59687 * non-initialized list entries.
59688 */
59689-#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
59690-#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
59691+#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
59692+#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
59693
59694 /********** include/linux/timer.h **********/
59695 /*
59696diff -urNp linux-3.0.7/include/linux/preempt.h linux-3.0.7/include/linux/preempt.h
59697--- linux-3.0.7/include/linux/preempt.h 2011-07-21 22:17:23.000000000 -0400
59698+++ linux-3.0.7/include/linux/preempt.h 2011-08-23 21:47:56.000000000 -0400
59699@@ -115,7 +115,7 @@ struct preempt_ops {
59700 void (*sched_in)(struct preempt_notifier *notifier, int cpu);
59701 void (*sched_out)(struct preempt_notifier *notifier,
59702 struct task_struct *next);
59703-};
59704+} __no_const;
59705
59706 /**
59707 * preempt_notifier - key for installing preemption notifiers
59708diff -urNp linux-3.0.7/include/linux/proc_fs.h linux-3.0.7/include/linux/proc_fs.h
59709--- linux-3.0.7/include/linux/proc_fs.h 2011-07-21 22:17:23.000000000 -0400
59710+++ linux-3.0.7/include/linux/proc_fs.h 2011-08-23 21:48:14.000000000 -0400
59711@@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
59712 return proc_create_data(name, mode, parent, proc_fops, NULL);
59713 }
59714
59715+static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
59716+ struct proc_dir_entry *parent, const struct file_operations *proc_fops)
59717+{
59718+#ifdef CONFIG_GRKERNSEC_PROC_USER
59719+ return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
59720+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
59721+ return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
59722+#else
59723+ return proc_create_data(name, mode, parent, proc_fops, NULL);
59724+#endif
59725+}
59726+
59727+
59728 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
59729 mode_t mode, struct proc_dir_entry *base,
59730 read_proc_t *read_proc, void * data)
59731@@ -258,7 +271,7 @@ union proc_op {
59732 int (*proc_show)(struct seq_file *m,
59733 struct pid_namespace *ns, struct pid *pid,
59734 struct task_struct *task);
59735-};
59736+} __no_const;
59737
59738 struct ctl_table_header;
59739 struct ctl_table;
59740diff -urNp linux-3.0.7/include/linux/ptrace.h linux-3.0.7/include/linux/ptrace.h
59741--- linux-3.0.7/include/linux/ptrace.h 2011-07-21 22:17:23.000000000 -0400
59742+++ linux-3.0.7/include/linux/ptrace.h 2011-08-23 21:48:14.000000000 -0400
59743@@ -115,10 +115,10 @@ extern void __ptrace_unlink(struct task_
59744 extern void exit_ptrace(struct task_struct *tracer);
59745 #define PTRACE_MODE_READ 1
59746 #define PTRACE_MODE_ATTACH 2
59747-/* Returns 0 on success, -errno on denial. */
59748-extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
59749 /* Returns true on success, false on denial. */
59750 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
59751+/* Returns true on success, false on denial. */
59752+extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
59753
59754 static inline int ptrace_reparented(struct task_struct *child)
59755 {
59756diff -urNp linux-3.0.7/include/linux/random.h linux-3.0.7/include/linux/random.h
59757--- linux-3.0.7/include/linux/random.h 2011-09-02 18:11:21.000000000 -0400
59758+++ linux-3.0.7/include/linux/random.h 2011-08-23 21:47:56.000000000 -0400
59759@@ -69,12 +69,17 @@ void srandom32(u32 seed);
59760
59761 u32 prandom32(struct rnd_state *);
59762
59763+static inline unsigned long pax_get_random_long(void)
59764+{
59765+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
59766+}
59767+
59768 /*
59769 * Handle minimum values for seeds
59770 */
59771 static inline u32 __seed(u32 x, u32 m)
59772 {
59773- return (x < m) ? x + m : x;
59774+ return (x <= m) ? x + m + 1 : x;
59775 }
59776
59777 /**
59778diff -urNp linux-3.0.7/include/linux/reboot.h linux-3.0.7/include/linux/reboot.h
59779--- linux-3.0.7/include/linux/reboot.h 2011-07-21 22:17:23.000000000 -0400
59780+++ linux-3.0.7/include/linux/reboot.h 2011-08-23 21:47:56.000000000 -0400
59781@@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
59782 * Architecture-specific implementations of sys_reboot commands.
59783 */
59784
59785-extern void machine_restart(char *cmd);
59786-extern void machine_halt(void);
59787-extern void machine_power_off(void);
59788+extern void machine_restart(char *cmd) __noreturn;
59789+extern void machine_halt(void) __noreturn;
59790+extern void machine_power_off(void) __noreturn;
59791
59792 extern void machine_shutdown(void);
59793 struct pt_regs;
59794@@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
59795 */
59796
59797 extern void kernel_restart_prepare(char *cmd);
59798-extern void kernel_restart(char *cmd);
59799-extern void kernel_halt(void);
59800-extern void kernel_power_off(void);
59801+extern void kernel_restart(char *cmd) __noreturn;
59802+extern void kernel_halt(void) __noreturn;
59803+extern void kernel_power_off(void) __noreturn;
59804
59805 extern int C_A_D; /* for sysctl */
59806 void ctrl_alt_del(void);
59807@@ -76,7 +76,7 @@ extern int orderly_poweroff(bool force);
59808 * Emergency restart, callable from an interrupt handler.
59809 */
59810
59811-extern void emergency_restart(void);
59812+extern void emergency_restart(void) __noreturn;
59813 #include <asm/emergency-restart.h>
59814
59815 #endif
59816diff -urNp linux-3.0.7/include/linux/reiserfs_fs.h linux-3.0.7/include/linux/reiserfs_fs.h
59817--- linux-3.0.7/include/linux/reiserfs_fs.h 2011-07-21 22:17:23.000000000 -0400
59818+++ linux-3.0.7/include/linux/reiserfs_fs.h 2011-08-23 21:47:56.000000000 -0400
59819@@ -1406,7 +1406,7 @@ static inline loff_t max_reiserfs_offset
59820 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
59821
59822 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
59823-#define get_generation(s) atomic_read (&fs_generation(s))
59824+#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
59825 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
59826 #define __fs_changed(gen,s) (gen != get_generation (s))
59827 #define fs_changed(gen,s) \
59828diff -urNp linux-3.0.7/include/linux/reiserfs_fs_sb.h linux-3.0.7/include/linux/reiserfs_fs_sb.h
59829--- linux-3.0.7/include/linux/reiserfs_fs_sb.h 2011-07-21 22:17:23.000000000 -0400
59830+++ linux-3.0.7/include/linux/reiserfs_fs_sb.h 2011-08-23 21:47:56.000000000 -0400
59831@@ -386,7 +386,7 @@ struct reiserfs_sb_info {
59832 /* Comment? -Hans */
59833 wait_queue_head_t s_wait;
59834 /* To be obsoleted soon by per buffer seals.. -Hans */
59835- atomic_t s_generation_counter; // increased by one every time the
59836+ atomic_unchecked_t s_generation_counter; // increased by one every time the
59837 // tree gets re-balanced
59838 unsigned long s_properties; /* File system properties. Currently holds
59839 on-disk FS format */
59840diff -urNp linux-3.0.7/include/linux/relay.h linux-3.0.7/include/linux/relay.h
59841--- linux-3.0.7/include/linux/relay.h 2011-07-21 22:17:23.000000000 -0400
59842+++ linux-3.0.7/include/linux/relay.h 2011-08-23 21:47:56.000000000 -0400
59843@@ -159,7 +159,7 @@ struct rchan_callbacks
59844 * The callback should return 0 if successful, negative if not.
59845 */
59846 int (*remove_buf_file)(struct dentry *dentry);
59847-};
59848+} __no_const;
59849
59850 /*
59851 * CONFIG_RELAY kernel API, kernel/relay.c
59852diff -urNp linux-3.0.7/include/linux/rfkill.h linux-3.0.7/include/linux/rfkill.h
59853--- linux-3.0.7/include/linux/rfkill.h 2011-07-21 22:17:23.000000000 -0400
59854+++ linux-3.0.7/include/linux/rfkill.h 2011-08-23 21:47:56.000000000 -0400
59855@@ -147,6 +147,7 @@ struct rfkill_ops {
59856 void (*query)(struct rfkill *rfkill, void *data);
59857 int (*set_block)(void *data, bool blocked);
59858 };
59859+typedef struct rfkill_ops __no_const rfkill_ops_no_const;
59860
59861 #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
59862 /**
59863diff -urNp linux-3.0.7/include/linux/rmap.h linux-3.0.7/include/linux/rmap.h
59864--- linux-3.0.7/include/linux/rmap.h 2011-07-21 22:17:23.000000000 -0400
59865+++ linux-3.0.7/include/linux/rmap.h 2011-08-23 21:47:56.000000000 -0400
59866@@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
59867 void anon_vma_init(void); /* create anon_vma_cachep */
59868 int anon_vma_prepare(struct vm_area_struct *);
59869 void unlink_anon_vmas(struct vm_area_struct *);
59870-int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
59871-int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
59872+int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
59873+int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
59874 void __anon_vma_link(struct vm_area_struct *);
59875
59876 static inline void anon_vma_merge(struct vm_area_struct *vma,
59877diff -urNp linux-3.0.7/include/linux/sched.h linux-3.0.7/include/linux/sched.h
59878--- linux-3.0.7/include/linux/sched.h 2011-10-17 23:17:09.000000000 -0400
59879+++ linux-3.0.7/include/linux/sched.h 2011-10-17 23:17:19.000000000 -0400
59880@@ -100,6 +100,7 @@ struct bio_list;
59881 struct fs_struct;
59882 struct perf_event_context;
59883 struct blk_plug;
59884+struct linux_binprm;
59885
59886 /*
59887 * List of flags we want to share for kernel threads,
59888@@ -380,10 +381,13 @@ struct user_namespace;
59889 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
59890
59891 extern int sysctl_max_map_count;
59892+extern unsigned long sysctl_heap_stack_gap;
59893
59894 #include <linux/aio.h>
59895
59896 #ifdef CONFIG_MMU
59897+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
59898+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
59899 extern void arch_pick_mmap_layout(struct mm_struct *mm);
59900 extern unsigned long
59901 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
59902@@ -629,6 +633,17 @@ struct signal_struct {
59903 #ifdef CONFIG_TASKSTATS
59904 struct taskstats *stats;
59905 #endif
59906+
59907+#ifdef CONFIG_GRKERNSEC
59908+ u32 curr_ip;
59909+ u32 saved_ip;
59910+ u32 gr_saddr;
59911+ u32 gr_daddr;
59912+ u16 gr_sport;
59913+ u16 gr_dport;
59914+ u8 used_accept:1;
59915+#endif
59916+
59917 #ifdef CONFIG_AUDIT
59918 unsigned audit_tty;
59919 struct tty_audit_buf *tty_audit_buf;
59920@@ -710,6 +725,11 @@ struct user_struct {
59921 struct key *session_keyring; /* UID's default session keyring */
59922 #endif
59923
59924+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
59925+ unsigned int banned;
59926+ unsigned long ban_expires;
59927+#endif
59928+
59929 /* Hash table maintenance information */
59930 struct hlist_node uidhash_node;
59931 uid_t uid;
59932@@ -1340,8 +1360,8 @@ struct task_struct {
59933 struct list_head thread_group;
59934
59935 struct completion *vfork_done; /* for vfork() */
59936- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
59937- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
59938+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
59939+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
59940
59941 cputime_t utime, stime, utimescaled, stimescaled;
59942 cputime_t gtime;
59943@@ -1357,13 +1377,6 @@ struct task_struct {
59944 struct task_cputime cputime_expires;
59945 struct list_head cpu_timers[3];
59946
59947-/* process credentials */
59948- const struct cred __rcu *real_cred; /* objective and real subjective task
59949- * credentials (COW) */
59950- const struct cred __rcu *cred; /* effective (overridable) subjective task
59951- * credentials (COW) */
59952- struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
59953-
59954 char comm[TASK_COMM_LEN]; /* executable name excluding path
59955 - access with [gs]et_task_comm (which lock
59956 it with task_lock())
59957@@ -1380,8 +1393,16 @@ struct task_struct {
59958 #endif
59959 /* CPU-specific state of this task */
59960 struct thread_struct thread;
59961+/* thread_info moved to task_struct */
59962+#ifdef CONFIG_X86
59963+ struct thread_info tinfo;
59964+#endif
59965 /* filesystem information */
59966 struct fs_struct *fs;
59967+
59968+ const struct cred __rcu *cred; /* effective (overridable) subjective task
59969+ * credentials (COW) */
59970+
59971 /* open file information */
59972 struct files_struct *files;
59973 /* namespaces */
59974@@ -1428,6 +1449,11 @@ struct task_struct {
59975 struct rt_mutex_waiter *pi_blocked_on;
59976 #endif
59977
59978+/* process credentials */
59979+ const struct cred __rcu *real_cred; /* objective and real subjective task
59980+ * credentials (COW) */
59981+ struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
59982+
59983 #ifdef CONFIG_DEBUG_MUTEXES
59984 /* mutex deadlock detection */
59985 struct mutex_waiter *blocked_on;
59986@@ -1538,6 +1564,21 @@ struct task_struct {
59987 unsigned long default_timer_slack_ns;
59988
59989 struct list_head *scm_work_list;
59990+
59991+#ifdef CONFIG_GRKERNSEC
59992+ /* grsecurity */
59993+ struct dentry *gr_chroot_dentry;
59994+ struct acl_subject_label *acl;
59995+ struct acl_role_label *role;
59996+ struct file *exec_file;
59997+ u16 acl_role_id;
59998+ /* is this the task that authenticated to the special role */
59999+ u8 acl_sp_role;
60000+ u8 is_writable;
60001+ u8 brute;
60002+ u8 gr_is_chrooted;
60003+#endif
60004+
60005 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
60006 /* Index of current stored address in ret_stack */
60007 int curr_ret_stack;
60008@@ -1572,6 +1613,57 @@ struct task_struct {
60009 #endif
60010 };
60011
60012+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
60013+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
60014+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
60015+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
60016+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
60017+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
60018+
60019+#ifdef CONFIG_PAX_SOFTMODE
60020+extern int pax_softmode;
60021+#endif
60022+
60023+extern int pax_check_flags(unsigned long *);
60024+
60025+/* if tsk != current then task_lock must be held on it */
60026+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
60027+static inline unsigned long pax_get_flags(struct task_struct *tsk)
60028+{
60029+ if (likely(tsk->mm))
60030+ return tsk->mm->pax_flags;
60031+ else
60032+ return 0UL;
60033+}
60034+
60035+/* if tsk != current then task_lock must be held on it */
60036+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
60037+{
60038+ if (likely(tsk->mm)) {
60039+ tsk->mm->pax_flags = flags;
60040+ return 0;
60041+ }
60042+ return -EINVAL;
60043+}
60044+#endif
60045+
60046+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
60047+extern void pax_set_initial_flags(struct linux_binprm *bprm);
60048+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
60049+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
60050+#endif
60051+
60052+extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
60053+extern void pax_report_insns(void *pc, void *sp);
60054+extern void pax_report_refcount_overflow(struct pt_regs *regs);
60055+extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
60056+
60057+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
60058+extern void pax_track_stack(void);
60059+#else
60060+static inline void pax_track_stack(void) {}
60061+#endif
60062+
60063 /* Future-safe accessor for struct task_struct's cpus_allowed. */
60064 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
60065
60066@@ -1768,6 +1860,7 @@ extern void thread_group_times(struct ta
60067 #define PF_DUMPCORE 0x00000200 /* dumped core */
60068 #define PF_SIGNALED 0x00000400 /* killed by a signal */
60069 #define PF_MEMALLOC 0x00000800 /* Allocating memory */
60070+#define PF_NPROC_EXCEEDED 0x00001000 /* set_user noticed that RLIMIT_NPROC was exceeded */
60071 #define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */
60072 #define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */
60073 #define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */
60074@@ -2055,7 +2148,9 @@ void yield(void);
60075 extern struct exec_domain default_exec_domain;
60076
60077 union thread_union {
60078+#ifndef CONFIG_X86
60079 struct thread_info thread_info;
60080+#endif
60081 unsigned long stack[THREAD_SIZE/sizeof(long)];
60082 };
60083
60084@@ -2088,6 +2183,7 @@ extern struct pid_namespace init_pid_ns;
60085 */
60086
60087 extern struct task_struct *find_task_by_vpid(pid_t nr);
60088+extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
60089 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
60090 struct pid_namespace *ns);
60091
60092@@ -2224,7 +2320,7 @@ extern void __cleanup_sighand(struct sig
60093 extern void exit_itimers(struct signal_struct *);
60094 extern void flush_itimer_signals(void);
60095
60096-extern NORET_TYPE void do_group_exit(int);
60097+extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
60098
60099 extern void daemonize(const char *, ...);
60100 extern int allow_signal(int);
60101@@ -2392,13 +2488,17 @@ static inline unsigned long *end_of_stac
60102
60103 #endif
60104
60105-static inline int object_is_on_stack(void *obj)
60106+static inline int object_starts_on_stack(void *obj)
60107 {
60108- void *stack = task_stack_page(current);
60109+ const void *stack = task_stack_page(current);
60110
60111 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
60112 }
60113
60114+#ifdef CONFIG_PAX_USERCOPY
60115+extern int object_is_on_stack(const void *obj, unsigned long len);
60116+#endif
60117+
60118 extern void thread_info_cache_init(void);
60119
60120 #ifdef CONFIG_DEBUG_STACK_USAGE
60121diff -urNp linux-3.0.7/include/linux/screen_info.h linux-3.0.7/include/linux/screen_info.h
60122--- linux-3.0.7/include/linux/screen_info.h 2011-07-21 22:17:23.000000000 -0400
60123+++ linux-3.0.7/include/linux/screen_info.h 2011-08-23 21:47:56.000000000 -0400
60124@@ -43,7 +43,8 @@ struct screen_info {
60125 __u16 pages; /* 0x32 */
60126 __u16 vesa_attributes; /* 0x34 */
60127 __u32 capabilities; /* 0x36 */
60128- __u8 _reserved[6]; /* 0x3a */
60129+ __u16 vesapm_size; /* 0x3a */
60130+ __u8 _reserved[4]; /* 0x3c */
60131 } __attribute__((packed));
60132
60133 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
60134diff -urNp linux-3.0.7/include/linux/security.h linux-3.0.7/include/linux/security.h
60135--- linux-3.0.7/include/linux/security.h 2011-07-21 22:17:23.000000000 -0400
60136+++ linux-3.0.7/include/linux/security.h 2011-08-23 21:48:14.000000000 -0400
60137@@ -36,6 +36,7 @@
60138 #include <linux/key.h>
60139 #include <linux/xfrm.h>
60140 #include <linux/slab.h>
60141+#include <linux/grsecurity.h>
60142 #include <net/flow.h>
60143
60144 /* Maximum number of letters for an LSM name string */
60145diff -urNp linux-3.0.7/include/linux/seq_file.h linux-3.0.7/include/linux/seq_file.h
60146--- linux-3.0.7/include/linux/seq_file.h 2011-07-21 22:17:23.000000000 -0400
60147+++ linux-3.0.7/include/linux/seq_file.h 2011-08-23 21:47:56.000000000 -0400
60148@@ -32,6 +32,7 @@ struct seq_operations {
60149 void * (*next) (struct seq_file *m, void *v, loff_t *pos);
60150 int (*show) (struct seq_file *m, void *v);
60151 };
60152+typedef struct seq_operations __no_const seq_operations_no_const;
60153
60154 #define SEQ_SKIP 1
60155
60156diff -urNp linux-3.0.7/include/linux/shm.h linux-3.0.7/include/linux/shm.h
60157--- linux-3.0.7/include/linux/shm.h 2011-07-21 22:17:23.000000000 -0400
60158+++ linux-3.0.7/include/linux/shm.h 2011-08-23 21:48:14.000000000 -0400
60159@@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
60160 pid_t shm_cprid;
60161 pid_t shm_lprid;
60162 struct user_struct *mlock_user;
60163+#ifdef CONFIG_GRKERNSEC
60164+ time_t shm_createtime;
60165+ pid_t shm_lapid;
60166+#endif
60167 };
60168
60169 /* shm_mode upper byte flags */
60170diff -urNp linux-3.0.7/include/linux/shmem_fs.h linux-3.0.7/include/linux/shmem_fs.h
60171--- linux-3.0.7/include/linux/shmem_fs.h 2011-07-21 22:17:23.000000000 -0400
60172+++ linux-3.0.7/include/linux/shmem_fs.h 2011-08-23 21:47:56.000000000 -0400
60173@@ -10,7 +10,7 @@
60174
60175 #define SHMEM_NR_DIRECT 16
60176
60177-#define SHMEM_SYMLINK_INLINE_LEN (SHMEM_NR_DIRECT * sizeof(swp_entry_t))
60178+#define SHMEM_SYMLINK_INLINE_LEN 64
60179
60180 struct shmem_inode_info {
60181 spinlock_t lock;
60182diff -urNp linux-3.0.7/include/linux/skbuff.h linux-3.0.7/include/linux/skbuff.h
60183--- linux-3.0.7/include/linux/skbuff.h 2011-07-21 22:17:23.000000000 -0400
60184+++ linux-3.0.7/include/linux/skbuff.h 2011-08-23 21:47:56.000000000 -0400
60185@@ -592,7 +592,7 @@ static inline struct skb_shared_hwtstamp
60186 */
60187 static inline int skb_queue_empty(const struct sk_buff_head *list)
60188 {
60189- return list->next == (struct sk_buff *)list;
60190+ return list->next == (const struct sk_buff *)list;
60191 }
60192
60193 /**
60194@@ -605,7 +605,7 @@ static inline int skb_queue_empty(const
60195 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
60196 const struct sk_buff *skb)
60197 {
60198- return skb->next == (struct sk_buff *)list;
60199+ return skb->next == (const struct sk_buff *)list;
60200 }
60201
60202 /**
60203@@ -618,7 +618,7 @@ static inline bool skb_queue_is_last(con
60204 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
60205 const struct sk_buff *skb)
60206 {
60207- return skb->prev == (struct sk_buff *)list;
60208+ return skb->prev == (const struct sk_buff *)list;
60209 }
60210
60211 /**
60212@@ -1440,7 +1440,7 @@ static inline int pskb_network_may_pull(
60213 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
60214 */
60215 #ifndef NET_SKB_PAD
60216-#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
60217+#define NET_SKB_PAD max(_AC(32,UL), L1_CACHE_BYTES)
60218 #endif
60219
60220 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
60221diff -urNp linux-3.0.7/include/linux/slab.h linux-3.0.7/include/linux/slab.h
60222--- linux-3.0.7/include/linux/slab.h 2011-07-21 22:17:23.000000000 -0400
60223+++ linux-3.0.7/include/linux/slab.h 2011-08-23 21:47:56.000000000 -0400
60224@@ -11,12 +11,20 @@
60225
60226 #include <linux/gfp.h>
60227 #include <linux/types.h>
60228+#include <linux/err.h>
60229
60230 /*
60231 * Flags to pass to kmem_cache_create().
60232 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
60233 */
60234 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
60235+
60236+#ifdef CONFIG_PAX_USERCOPY
60237+#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
60238+#else
60239+#define SLAB_USERCOPY 0x00000000UL
60240+#endif
60241+
60242 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
60243 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
60244 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
60245@@ -87,10 +95,13 @@
60246 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
60247 * Both make kfree a no-op.
60248 */
60249-#define ZERO_SIZE_PTR ((void *)16)
60250+#define ZERO_SIZE_PTR \
60251+({ \
60252+ BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
60253+ (void *)(-MAX_ERRNO-1L); \
60254+})
60255
60256-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
60257- (unsigned long)ZERO_SIZE_PTR)
60258+#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
60259
60260 /*
60261 * struct kmem_cache related prototypes
60262@@ -141,6 +152,7 @@ void * __must_check krealloc(const void
60263 void kfree(const void *);
60264 void kzfree(const void *);
60265 size_t ksize(const void *);
60266+void check_object_size(const void *ptr, unsigned long n, bool to);
60267
60268 /*
60269 * Allocator specific definitions. These are mainly used to establish optimized
60270@@ -333,4 +345,59 @@ static inline void *kzalloc_node(size_t
60271
60272 void __init kmem_cache_init_late(void);
60273
60274+#define kmalloc(x, y) \
60275+({ \
60276+ void *___retval; \
60277+ intoverflow_t ___x = (intoverflow_t)x; \
60278+ if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n")) \
60279+ ___retval = NULL; \
60280+ else \
60281+ ___retval = kmalloc((size_t)___x, (y)); \
60282+ ___retval; \
60283+})
60284+
60285+#define kmalloc_node(x, y, z) \
60286+({ \
60287+ void *___retval; \
60288+ intoverflow_t ___x = (intoverflow_t)x; \
60289+ if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
60290+ ___retval = NULL; \
60291+ else \
60292+ ___retval = kmalloc_node((size_t)___x, (y), (z));\
60293+ ___retval; \
60294+})
60295+
60296+#define kzalloc(x, y) \
60297+({ \
60298+ void *___retval; \
60299+ intoverflow_t ___x = (intoverflow_t)x; \
60300+ if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n")) \
60301+ ___retval = NULL; \
60302+ else \
60303+ ___retval = kzalloc((size_t)___x, (y)); \
60304+ ___retval; \
60305+})
60306+
60307+#define __krealloc(x, y, z) \
60308+({ \
60309+ void *___retval; \
60310+ intoverflow_t ___y = (intoverflow_t)y; \
60311+ if (WARN(___y > ULONG_MAX, "__krealloc size overflow\n"))\
60312+ ___retval = NULL; \
60313+ else \
60314+ ___retval = __krealloc((x), (size_t)___y, (z)); \
60315+ ___retval; \
60316+})
60317+
60318+#define krealloc(x, y, z) \
60319+({ \
60320+ void *___retval; \
60321+ intoverflow_t ___y = (intoverflow_t)y; \
60322+ if (WARN(___y > ULONG_MAX, "krealloc size overflow\n")) \
60323+ ___retval = NULL; \
60324+ else \
60325+ ___retval = krealloc((x), (size_t)___y, (z)); \
60326+ ___retval; \
60327+})
60328+
60329 #endif /* _LINUX_SLAB_H */
60330diff -urNp linux-3.0.7/include/linux/slab_def.h linux-3.0.7/include/linux/slab_def.h
60331--- linux-3.0.7/include/linux/slab_def.h 2011-07-21 22:17:23.000000000 -0400
60332+++ linux-3.0.7/include/linux/slab_def.h 2011-08-23 21:47:56.000000000 -0400
60333@@ -96,10 +96,10 @@ struct kmem_cache {
60334 unsigned long node_allocs;
60335 unsigned long node_frees;
60336 unsigned long node_overflow;
60337- atomic_t allochit;
60338- atomic_t allocmiss;
60339- atomic_t freehit;
60340- atomic_t freemiss;
60341+ atomic_unchecked_t allochit;
60342+ atomic_unchecked_t allocmiss;
60343+ atomic_unchecked_t freehit;
60344+ atomic_unchecked_t freemiss;
60345
60346 /*
60347 * If debugging is enabled, then the allocator can add additional
60348diff -urNp linux-3.0.7/include/linux/slub_def.h linux-3.0.7/include/linux/slub_def.h
60349--- linux-3.0.7/include/linux/slub_def.h 2011-07-21 22:17:23.000000000 -0400
60350+++ linux-3.0.7/include/linux/slub_def.h 2011-08-23 21:47:56.000000000 -0400
60351@@ -82,7 +82,7 @@ struct kmem_cache {
60352 struct kmem_cache_order_objects max;
60353 struct kmem_cache_order_objects min;
60354 gfp_t allocflags; /* gfp flags to use on each alloc */
60355- int refcount; /* Refcount for slab cache destroy */
60356+ atomic_t refcount; /* Refcount for slab cache destroy */
60357 void (*ctor)(void *);
60358 int inuse; /* Offset to metadata */
60359 int align; /* Alignment */
60360@@ -218,7 +218,7 @@ static __always_inline struct kmem_cache
60361 }
60362
60363 void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
60364-void *__kmalloc(size_t size, gfp_t flags);
60365+void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
60366
60367 static __always_inline void *
60368 kmalloc_order(size_t size, gfp_t flags, unsigned int order)
60369diff -urNp linux-3.0.7/include/linux/sonet.h linux-3.0.7/include/linux/sonet.h
60370--- linux-3.0.7/include/linux/sonet.h 2011-07-21 22:17:23.000000000 -0400
60371+++ linux-3.0.7/include/linux/sonet.h 2011-08-23 21:47:56.000000000 -0400
60372@@ -61,7 +61,7 @@ struct sonet_stats {
60373 #include <asm/atomic.h>
60374
60375 struct k_sonet_stats {
60376-#define __HANDLE_ITEM(i) atomic_t i
60377+#define __HANDLE_ITEM(i) atomic_unchecked_t i
60378 __SONET_ITEMS
60379 #undef __HANDLE_ITEM
60380 };
60381diff -urNp linux-3.0.7/include/linux/sunrpc/clnt.h linux-3.0.7/include/linux/sunrpc/clnt.h
60382--- linux-3.0.7/include/linux/sunrpc/clnt.h 2011-07-21 22:17:23.000000000 -0400
60383+++ linux-3.0.7/include/linux/sunrpc/clnt.h 2011-08-23 21:47:56.000000000 -0400
60384@@ -169,9 +169,9 @@ static inline unsigned short rpc_get_por
60385 {
60386 switch (sap->sa_family) {
60387 case AF_INET:
60388- return ntohs(((struct sockaddr_in *)sap)->sin_port);
60389+ return ntohs(((const struct sockaddr_in *)sap)->sin_port);
60390 case AF_INET6:
60391- return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
60392+ return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
60393 }
60394 return 0;
60395 }
60396@@ -204,7 +204,7 @@ static inline bool __rpc_cmp_addr4(const
60397 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
60398 const struct sockaddr *src)
60399 {
60400- const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
60401+ const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
60402 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
60403
60404 dsin->sin_family = ssin->sin_family;
60405@@ -301,7 +301,7 @@ static inline u32 rpc_get_scope_id(const
60406 if (sa->sa_family != AF_INET6)
60407 return 0;
60408
60409- return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
60410+ return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
60411 }
60412
60413 #endif /* __KERNEL__ */
60414diff -urNp linux-3.0.7/include/linux/sunrpc/svc_rdma.h linux-3.0.7/include/linux/sunrpc/svc_rdma.h
60415--- linux-3.0.7/include/linux/sunrpc/svc_rdma.h 2011-07-21 22:17:23.000000000 -0400
60416+++ linux-3.0.7/include/linux/sunrpc/svc_rdma.h 2011-08-23 21:47:56.000000000 -0400
60417@@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
60418 extern unsigned int svcrdma_max_requests;
60419 extern unsigned int svcrdma_max_req_size;
60420
60421-extern atomic_t rdma_stat_recv;
60422-extern atomic_t rdma_stat_read;
60423-extern atomic_t rdma_stat_write;
60424-extern atomic_t rdma_stat_sq_starve;
60425-extern atomic_t rdma_stat_rq_starve;
60426-extern atomic_t rdma_stat_rq_poll;
60427-extern atomic_t rdma_stat_rq_prod;
60428-extern atomic_t rdma_stat_sq_poll;
60429-extern atomic_t rdma_stat_sq_prod;
60430+extern atomic_unchecked_t rdma_stat_recv;
60431+extern atomic_unchecked_t rdma_stat_read;
60432+extern atomic_unchecked_t rdma_stat_write;
60433+extern atomic_unchecked_t rdma_stat_sq_starve;
60434+extern atomic_unchecked_t rdma_stat_rq_starve;
60435+extern atomic_unchecked_t rdma_stat_rq_poll;
60436+extern atomic_unchecked_t rdma_stat_rq_prod;
60437+extern atomic_unchecked_t rdma_stat_sq_poll;
60438+extern atomic_unchecked_t rdma_stat_sq_prod;
60439
60440 #define RPCRDMA_VERSION 1
60441
60442diff -urNp linux-3.0.7/include/linux/sysctl.h linux-3.0.7/include/linux/sysctl.h
60443--- linux-3.0.7/include/linux/sysctl.h 2011-07-21 22:17:23.000000000 -0400
60444+++ linux-3.0.7/include/linux/sysctl.h 2011-08-23 21:48:14.000000000 -0400
60445@@ -155,7 +155,11 @@ enum
60446 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
60447 };
60448
60449-
60450+#ifdef CONFIG_PAX_SOFTMODE
60451+enum {
60452+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
60453+};
60454+#endif
60455
60456 /* CTL_VM names: */
60457 enum
60458@@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
60459
60460 extern int proc_dostring(struct ctl_table *, int,
60461 void __user *, size_t *, loff_t *);
60462+extern int proc_dostring_modpriv(struct ctl_table *, int,
60463+ void __user *, size_t *, loff_t *);
60464 extern int proc_dointvec(struct ctl_table *, int,
60465 void __user *, size_t *, loff_t *);
60466 extern int proc_dointvec_minmax(struct ctl_table *, int,
60467diff -urNp linux-3.0.7/include/linux/tty_ldisc.h linux-3.0.7/include/linux/tty_ldisc.h
60468--- linux-3.0.7/include/linux/tty_ldisc.h 2011-07-21 22:17:23.000000000 -0400
60469+++ linux-3.0.7/include/linux/tty_ldisc.h 2011-08-23 21:47:56.000000000 -0400
60470@@ -148,7 +148,7 @@ struct tty_ldisc_ops {
60471
60472 struct module *owner;
60473
60474- int refcount;
60475+ atomic_t refcount;
60476 };
60477
60478 struct tty_ldisc {
60479diff -urNp linux-3.0.7/include/linux/types.h linux-3.0.7/include/linux/types.h
60480--- linux-3.0.7/include/linux/types.h 2011-07-21 22:17:23.000000000 -0400
60481+++ linux-3.0.7/include/linux/types.h 2011-08-23 21:47:56.000000000 -0400
60482@@ -213,10 +213,26 @@ typedef struct {
60483 int counter;
60484 } atomic_t;
60485
60486+#ifdef CONFIG_PAX_REFCOUNT
60487+typedef struct {
60488+ int counter;
60489+} atomic_unchecked_t;
60490+#else
60491+typedef atomic_t atomic_unchecked_t;
60492+#endif
60493+
60494 #ifdef CONFIG_64BIT
60495 typedef struct {
60496 long counter;
60497 } atomic64_t;
60498+
60499+#ifdef CONFIG_PAX_REFCOUNT
60500+typedef struct {
60501+ long counter;
60502+} atomic64_unchecked_t;
60503+#else
60504+typedef atomic64_t atomic64_unchecked_t;
60505+#endif
60506 #endif
60507
60508 struct list_head {
60509diff -urNp linux-3.0.7/include/linux/uaccess.h linux-3.0.7/include/linux/uaccess.h
60510--- linux-3.0.7/include/linux/uaccess.h 2011-07-21 22:17:23.000000000 -0400
60511+++ linux-3.0.7/include/linux/uaccess.h 2011-10-06 04:17:55.000000000 -0400
60512@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
60513 long ret; \
60514 mm_segment_t old_fs = get_fs(); \
60515 \
60516- set_fs(KERNEL_DS); \
60517 pagefault_disable(); \
60518- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
60519- pagefault_enable(); \
60520+ set_fs(KERNEL_DS); \
60521+ ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
60522 set_fs(old_fs); \
60523+ pagefault_enable(); \
60524 ret; \
60525 })
60526
60527diff -urNp linux-3.0.7/include/linux/unaligned/access_ok.h linux-3.0.7/include/linux/unaligned/access_ok.h
60528--- linux-3.0.7/include/linux/unaligned/access_ok.h 2011-07-21 22:17:23.000000000 -0400
60529+++ linux-3.0.7/include/linux/unaligned/access_ok.h 2011-08-23 21:47:56.000000000 -0400
60530@@ -6,32 +6,32 @@
60531
60532 static inline u16 get_unaligned_le16(const void *p)
60533 {
60534- return le16_to_cpup((__le16 *)p);
60535+ return le16_to_cpup((const __le16 *)p);
60536 }
60537
60538 static inline u32 get_unaligned_le32(const void *p)
60539 {
60540- return le32_to_cpup((__le32 *)p);
60541+ return le32_to_cpup((const __le32 *)p);
60542 }
60543
60544 static inline u64 get_unaligned_le64(const void *p)
60545 {
60546- return le64_to_cpup((__le64 *)p);
60547+ return le64_to_cpup((const __le64 *)p);
60548 }
60549
60550 static inline u16 get_unaligned_be16(const void *p)
60551 {
60552- return be16_to_cpup((__be16 *)p);
60553+ return be16_to_cpup((const __be16 *)p);
60554 }
60555
60556 static inline u32 get_unaligned_be32(const void *p)
60557 {
60558- return be32_to_cpup((__be32 *)p);
60559+ return be32_to_cpup((const __be32 *)p);
60560 }
60561
60562 static inline u64 get_unaligned_be64(const void *p)
60563 {
60564- return be64_to_cpup((__be64 *)p);
60565+ return be64_to_cpup((const __be64 *)p);
60566 }
60567
60568 static inline void put_unaligned_le16(u16 val, void *p)
60569diff -urNp linux-3.0.7/include/linux/vermagic.h linux-3.0.7/include/linux/vermagic.h
60570--- linux-3.0.7/include/linux/vermagic.h 2011-07-21 22:17:23.000000000 -0400
60571+++ linux-3.0.7/include/linux/vermagic.h 2011-10-07 19:25:35.000000000 -0400
60572@@ -26,9 +26,28 @@
60573 #define MODULE_ARCH_VERMAGIC ""
60574 #endif
60575
60576+#ifdef CONFIG_PAX_REFCOUNT
60577+#define MODULE_PAX_REFCOUNT "REFCOUNT "
60578+#else
60579+#define MODULE_PAX_REFCOUNT ""
60580+#endif
60581+
60582+#ifdef CONSTIFY_PLUGIN
60583+#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
60584+#else
60585+#define MODULE_CONSTIFY_PLUGIN ""
60586+#endif
60587+
60588+#ifdef CONFIG_GRKERNSEC
60589+#define MODULE_GRSEC "GRSEC "
60590+#else
60591+#define MODULE_GRSEC ""
60592+#endif
60593+
60594 #define VERMAGIC_STRING \
60595 UTS_RELEASE " " \
60596 MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
60597 MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
60598- MODULE_ARCH_VERMAGIC
60599+ MODULE_ARCH_VERMAGIC \
60600+ MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_GRSEC
60601
60602diff -urNp linux-3.0.7/include/linux/vmalloc.h linux-3.0.7/include/linux/vmalloc.h
60603--- linux-3.0.7/include/linux/vmalloc.h 2011-07-21 22:17:23.000000000 -0400
60604+++ linux-3.0.7/include/linux/vmalloc.h 2011-08-23 21:47:56.000000000 -0400
60605@@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
60606 #define VM_MAP 0x00000004 /* vmap()ed pages */
60607 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
60608 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
60609+
60610+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
60611+#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
60612+#endif
60613+
60614 /* bits [20..32] reserved for arch specific ioremap internals */
60615
60616 /*
60617@@ -155,4 +160,103 @@ pcpu_free_vm_areas(struct vm_struct **vm
60618 # endif
60619 #endif
60620
60621+#define vmalloc(x) \
60622+({ \
60623+ void *___retval; \
60624+ intoverflow_t ___x = (intoverflow_t)x; \
60625+ if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
60626+ ___retval = NULL; \
60627+ else \
60628+ ___retval = vmalloc((unsigned long)___x); \
60629+ ___retval; \
60630+})
60631+
60632+#define vzalloc(x) \
60633+({ \
60634+ void *___retval; \
60635+ intoverflow_t ___x = (intoverflow_t)x; \
60636+ if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
60637+ ___retval = NULL; \
60638+ else \
60639+ ___retval = vzalloc((unsigned long)___x); \
60640+ ___retval; \
60641+})
60642+
60643+#define __vmalloc(x, y, z) \
60644+({ \
60645+ void *___retval; \
60646+ intoverflow_t ___x = (intoverflow_t)x; \
60647+ if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
60648+ ___retval = NULL; \
60649+ else \
60650+ ___retval = __vmalloc((unsigned long)___x, (y), (z));\
60651+ ___retval; \
60652+})
60653+
60654+#define vmalloc_user(x) \
60655+({ \
60656+ void *___retval; \
60657+ intoverflow_t ___x = (intoverflow_t)x; \
60658+ if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
60659+ ___retval = NULL; \
60660+ else \
60661+ ___retval = vmalloc_user((unsigned long)___x); \
60662+ ___retval; \
60663+})
60664+
60665+#define vmalloc_exec(x) \
60666+({ \
60667+ void *___retval; \
60668+ intoverflow_t ___x = (intoverflow_t)x; \
60669+ if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
60670+ ___retval = NULL; \
60671+ else \
60672+ ___retval = vmalloc_exec((unsigned long)___x); \
60673+ ___retval; \
60674+})
60675+
60676+#define vmalloc_node(x, y) \
60677+({ \
60678+ void *___retval; \
60679+ intoverflow_t ___x = (intoverflow_t)x; \
60680+ if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
60681+ ___retval = NULL; \
60682+ else \
60683+ ___retval = vmalloc_node((unsigned long)___x, (y));\
60684+ ___retval; \
60685+})
60686+
60687+#define vzalloc_node(x, y) \
60688+({ \
60689+ void *___retval; \
60690+ intoverflow_t ___x = (intoverflow_t)x; \
60691+ if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
60692+ ___retval = NULL; \
60693+ else \
60694+ ___retval = vzalloc_node((unsigned long)___x, (y));\
60695+ ___retval; \
60696+})
60697+
60698+#define vmalloc_32(x) \
60699+({ \
60700+ void *___retval; \
60701+ intoverflow_t ___x = (intoverflow_t)x; \
60702+ if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
60703+ ___retval = NULL; \
60704+ else \
60705+ ___retval = vmalloc_32((unsigned long)___x); \
60706+ ___retval; \
60707+})
60708+
60709+#define vmalloc_32_user(x) \
60710+({ \
60711+void *___retval; \
60712+ intoverflow_t ___x = (intoverflow_t)x; \
60713+ if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
60714+ ___retval = NULL; \
60715+ else \
60716+ ___retval = vmalloc_32_user((unsigned long)___x);\
60717+ ___retval; \
60718+})
60719+
60720 #endif /* _LINUX_VMALLOC_H */
60721diff -urNp linux-3.0.7/include/linux/vmstat.h linux-3.0.7/include/linux/vmstat.h
60722--- linux-3.0.7/include/linux/vmstat.h 2011-07-21 22:17:23.000000000 -0400
60723+++ linux-3.0.7/include/linux/vmstat.h 2011-08-23 21:47:56.000000000 -0400
60724@@ -87,18 +87,18 @@ static inline void vm_events_fold_cpu(in
60725 /*
60726 * Zone based page accounting with per cpu differentials.
60727 */
60728-extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
60729+extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
60730
60731 static inline void zone_page_state_add(long x, struct zone *zone,
60732 enum zone_stat_item item)
60733 {
60734- atomic_long_add(x, &zone->vm_stat[item]);
60735- atomic_long_add(x, &vm_stat[item]);
60736+ atomic_long_add_unchecked(x, &zone->vm_stat[item]);
60737+ atomic_long_add_unchecked(x, &vm_stat[item]);
60738 }
60739
60740 static inline unsigned long global_page_state(enum zone_stat_item item)
60741 {
60742- long x = atomic_long_read(&vm_stat[item]);
60743+ long x = atomic_long_read_unchecked(&vm_stat[item]);
60744 #ifdef CONFIG_SMP
60745 if (x < 0)
60746 x = 0;
60747@@ -109,7 +109,7 @@ static inline unsigned long global_page_
60748 static inline unsigned long zone_page_state(struct zone *zone,
60749 enum zone_stat_item item)
60750 {
60751- long x = atomic_long_read(&zone->vm_stat[item]);
60752+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
60753 #ifdef CONFIG_SMP
60754 if (x < 0)
60755 x = 0;
60756@@ -126,7 +126,7 @@ static inline unsigned long zone_page_st
60757 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
60758 enum zone_stat_item item)
60759 {
60760- long x = atomic_long_read(&zone->vm_stat[item]);
60761+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
60762
60763 #ifdef CONFIG_SMP
60764 int cpu;
60765@@ -221,8 +221,8 @@ static inline void __mod_zone_page_state
60766
60767 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
60768 {
60769- atomic_long_inc(&zone->vm_stat[item]);
60770- atomic_long_inc(&vm_stat[item]);
60771+ atomic_long_inc_unchecked(&zone->vm_stat[item]);
60772+ atomic_long_inc_unchecked(&vm_stat[item]);
60773 }
60774
60775 static inline void __inc_zone_page_state(struct page *page,
60776@@ -233,8 +233,8 @@ static inline void __inc_zone_page_state
60777
60778 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
60779 {
60780- atomic_long_dec(&zone->vm_stat[item]);
60781- atomic_long_dec(&vm_stat[item]);
60782+ atomic_long_dec_unchecked(&zone->vm_stat[item]);
60783+ atomic_long_dec_unchecked(&vm_stat[item]);
60784 }
60785
60786 static inline void __dec_zone_page_state(struct page *page,
60787diff -urNp linux-3.0.7/include/media/saa7146_vv.h linux-3.0.7/include/media/saa7146_vv.h
60788--- linux-3.0.7/include/media/saa7146_vv.h 2011-07-21 22:17:23.000000000 -0400
60789+++ linux-3.0.7/include/media/saa7146_vv.h 2011-10-07 19:07:40.000000000 -0400
60790@@ -163,7 +163,7 @@ struct saa7146_ext_vv
60791 int (*std_callback)(struct saa7146_dev*, struct saa7146_standard *);
60792
60793 /* the extension can override this */
60794- struct v4l2_ioctl_ops ops;
60795+ v4l2_ioctl_ops_no_const ops;
60796 /* pointer to the saa7146 core ops */
60797 const struct v4l2_ioctl_ops *core_ops;
60798
60799diff -urNp linux-3.0.7/include/media/v4l2-dev.h linux-3.0.7/include/media/v4l2-dev.h
60800--- linux-3.0.7/include/media/v4l2-dev.h 2011-07-21 22:17:23.000000000 -0400
60801+++ linux-3.0.7/include/media/v4l2-dev.h 2011-10-07 19:07:40.000000000 -0400
60802@@ -56,7 +56,7 @@ int v4l2_prio_check(struct v4l2_prio_sta
60803
60804
60805 struct v4l2_file_operations {
60806- struct module *owner;
60807+ struct module * const owner;
60808 ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
60809 ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
60810 unsigned int (*poll) (struct file *, struct poll_table_struct *);
60811@@ -68,6 +68,7 @@ struct v4l2_file_operations {
60812 int (*open) (struct file *);
60813 int (*release) (struct file *);
60814 };
60815+typedef struct v4l2_file_operations __no_const v4l2_file_operations_no_const;
60816
60817 /*
60818 * Newer version of video_device, handled by videodev2.c
60819diff -urNp linux-3.0.7/include/media/v4l2-ioctl.h linux-3.0.7/include/media/v4l2-ioctl.h
60820--- linux-3.0.7/include/media/v4l2-ioctl.h 2011-07-21 22:17:23.000000000 -0400
60821+++ linux-3.0.7/include/media/v4l2-ioctl.h 2011-08-24 18:25:45.000000000 -0400
60822@@ -272,6 +272,7 @@ struct v4l2_ioctl_ops {
60823 long (*vidioc_default) (struct file *file, void *fh,
60824 bool valid_prio, int cmd, void *arg);
60825 };
60826+typedef struct v4l2_ioctl_ops __no_const v4l2_ioctl_ops_no_const;
60827
60828
60829 /* v4l debugging and diagnostics */
60830diff -urNp linux-3.0.7/include/net/caif/cfctrl.h linux-3.0.7/include/net/caif/cfctrl.h
60831--- linux-3.0.7/include/net/caif/cfctrl.h 2011-07-21 22:17:23.000000000 -0400
60832+++ linux-3.0.7/include/net/caif/cfctrl.h 2011-08-23 21:47:56.000000000 -0400
60833@@ -52,7 +52,7 @@ struct cfctrl_rsp {
60834 void (*radioset_rsp)(void);
60835 void (*reject_rsp)(struct cflayer *layer, u8 linkid,
60836 struct cflayer *client_layer);
60837-};
60838+} __no_const;
60839
60840 /* Link Setup Parameters for CAIF-Links. */
60841 struct cfctrl_link_param {
60842@@ -101,8 +101,8 @@ struct cfctrl_request_info {
60843 struct cfctrl {
60844 struct cfsrvl serv;
60845 struct cfctrl_rsp res;
60846- atomic_t req_seq_no;
60847- atomic_t rsp_seq_no;
60848+ atomic_unchecked_t req_seq_no;
60849+ atomic_unchecked_t rsp_seq_no;
60850 struct list_head list;
60851 /* Protects from simultaneous access to first_req list */
60852 spinlock_t info_list_lock;
60853diff -urNp linux-3.0.7/include/net/flow.h linux-3.0.7/include/net/flow.h
60854--- linux-3.0.7/include/net/flow.h 2011-07-21 22:17:23.000000000 -0400
60855+++ linux-3.0.7/include/net/flow.h 2011-08-23 21:47:56.000000000 -0400
60856@@ -188,6 +188,6 @@ extern struct flow_cache_object *flow_ca
60857 u8 dir, flow_resolve_t resolver, void *ctx);
60858
60859 extern void flow_cache_flush(void);
60860-extern atomic_t flow_cache_genid;
60861+extern atomic_unchecked_t flow_cache_genid;
60862
60863 #endif
60864diff -urNp linux-3.0.7/include/net/inetpeer.h linux-3.0.7/include/net/inetpeer.h
60865--- linux-3.0.7/include/net/inetpeer.h 2011-07-21 22:17:23.000000000 -0400
60866+++ linux-3.0.7/include/net/inetpeer.h 2011-08-23 21:47:56.000000000 -0400
60867@@ -43,8 +43,8 @@ struct inet_peer {
60868 */
60869 union {
60870 struct {
60871- atomic_t rid; /* Frag reception counter */
60872- atomic_t ip_id_count; /* IP ID for the next packet */
60873+ atomic_unchecked_t rid; /* Frag reception counter */
60874+ atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
60875 __u32 tcp_ts;
60876 __u32 tcp_ts_stamp;
60877 u32 metrics[RTAX_MAX];
60878@@ -108,7 +108,7 @@ static inline __u16 inet_getid(struct in
60879 {
60880 more++;
60881 inet_peer_refcheck(p);
60882- return atomic_add_return(more, &p->ip_id_count) - more;
60883+ return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
60884 }
60885
60886 #endif /* _NET_INETPEER_H */
60887diff -urNp linux-3.0.7/include/net/ip_fib.h linux-3.0.7/include/net/ip_fib.h
60888--- linux-3.0.7/include/net/ip_fib.h 2011-07-21 22:17:23.000000000 -0400
60889+++ linux-3.0.7/include/net/ip_fib.h 2011-08-23 21:47:56.000000000 -0400
60890@@ -146,7 +146,7 @@ extern __be32 fib_info_update_nh_saddr(s
60891
60892 #define FIB_RES_SADDR(net, res) \
60893 ((FIB_RES_NH(res).nh_saddr_genid == \
60894- atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
60895+ atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
60896 FIB_RES_NH(res).nh_saddr : \
60897 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
60898 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
60899diff -urNp linux-3.0.7/include/net/ip_vs.h linux-3.0.7/include/net/ip_vs.h
60900--- linux-3.0.7/include/net/ip_vs.h 2011-07-21 22:17:23.000000000 -0400
60901+++ linux-3.0.7/include/net/ip_vs.h 2011-08-23 21:47:56.000000000 -0400
60902@@ -509,7 +509,7 @@ struct ip_vs_conn {
60903 struct ip_vs_conn *control; /* Master control connection */
60904 atomic_t n_control; /* Number of controlled ones */
60905 struct ip_vs_dest *dest; /* real server */
60906- atomic_t in_pkts; /* incoming packet counter */
60907+ atomic_unchecked_t in_pkts; /* incoming packet counter */
60908
60909 /* packet transmitter for different forwarding methods. If it
60910 mangles the packet, it must return NF_DROP or better NF_STOLEN,
60911@@ -647,7 +647,7 @@ struct ip_vs_dest {
60912 __be16 port; /* port number of the server */
60913 union nf_inet_addr addr; /* IP address of the server */
60914 volatile unsigned flags; /* dest status flags */
60915- atomic_t conn_flags; /* flags to copy to conn */
60916+ atomic_unchecked_t conn_flags; /* flags to copy to conn */
60917 atomic_t weight; /* server weight */
60918
60919 atomic_t refcnt; /* reference counter */
60920diff -urNp linux-3.0.7/include/net/irda/ircomm_core.h linux-3.0.7/include/net/irda/ircomm_core.h
60921--- linux-3.0.7/include/net/irda/ircomm_core.h 2011-07-21 22:17:23.000000000 -0400
60922+++ linux-3.0.7/include/net/irda/ircomm_core.h 2011-08-23 21:47:56.000000000 -0400
60923@@ -51,7 +51,7 @@ typedef struct {
60924 int (*connect_response)(struct ircomm_cb *, struct sk_buff *);
60925 int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *,
60926 struct ircomm_info *);
60927-} call_t;
60928+} __no_const call_t;
60929
60930 struct ircomm_cb {
60931 irda_queue_t queue;
60932diff -urNp linux-3.0.7/include/net/irda/ircomm_tty.h linux-3.0.7/include/net/irda/ircomm_tty.h
60933--- linux-3.0.7/include/net/irda/ircomm_tty.h 2011-07-21 22:17:23.000000000 -0400
60934+++ linux-3.0.7/include/net/irda/ircomm_tty.h 2011-08-23 21:47:56.000000000 -0400
60935@@ -35,6 +35,7 @@
60936 #include <linux/termios.h>
60937 #include <linux/timer.h>
60938 #include <linux/tty.h> /* struct tty_struct */
60939+#include <asm/local.h>
60940
60941 #include <net/irda/irias_object.h>
60942 #include <net/irda/ircomm_core.h>
60943@@ -105,8 +106,8 @@ struct ircomm_tty_cb {
60944 unsigned short close_delay;
60945 unsigned short closing_wait; /* time to wait before closing */
60946
60947- int open_count;
60948- int blocked_open; /* # of blocked opens */
60949+ local_t open_count;
60950+ local_t blocked_open; /* # of blocked opens */
60951
60952 /* Protect concurent access to :
60953 * o self->open_count
60954diff -urNp linux-3.0.7/include/net/iucv/af_iucv.h linux-3.0.7/include/net/iucv/af_iucv.h
60955--- linux-3.0.7/include/net/iucv/af_iucv.h 2011-07-21 22:17:23.000000000 -0400
60956+++ linux-3.0.7/include/net/iucv/af_iucv.h 2011-08-23 21:47:56.000000000 -0400
60957@@ -87,7 +87,7 @@ struct iucv_sock {
60958 struct iucv_sock_list {
60959 struct hlist_head head;
60960 rwlock_t lock;
60961- atomic_t autobind_name;
60962+ atomic_unchecked_t autobind_name;
60963 };
60964
60965 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
60966diff -urNp linux-3.0.7/include/net/lapb.h linux-3.0.7/include/net/lapb.h
60967--- linux-3.0.7/include/net/lapb.h 2011-07-21 22:17:23.000000000 -0400
60968+++ linux-3.0.7/include/net/lapb.h 2011-08-23 21:47:56.000000000 -0400
60969@@ -95,7 +95,7 @@ struct lapb_cb {
60970 struct sk_buff_head write_queue;
60971 struct sk_buff_head ack_queue;
60972 unsigned char window;
60973- struct lapb_register_struct callbacks;
60974+ struct lapb_register_struct *callbacks;
60975
60976 /* FRMR control information */
60977 struct lapb_frame frmr_data;
60978diff -urNp linux-3.0.7/include/net/neighbour.h linux-3.0.7/include/net/neighbour.h
60979--- linux-3.0.7/include/net/neighbour.h 2011-07-21 22:17:23.000000000 -0400
60980+++ linux-3.0.7/include/net/neighbour.h 2011-08-31 18:39:25.000000000 -0400
60981@@ -124,7 +124,7 @@ struct neigh_ops {
60982 int (*connected_output)(struct sk_buff*);
60983 int (*hh_output)(struct sk_buff*);
60984 int (*queue_xmit)(struct sk_buff*);
60985-};
60986+} __do_const;
60987
60988 struct pneigh_entry {
60989 struct pneigh_entry *next;
60990diff -urNp linux-3.0.7/include/net/netlink.h linux-3.0.7/include/net/netlink.h
60991--- linux-3.0.7/include/net/netlink.h 2011-07-21 22:17:23.000000000 -0400
60992+++ linux-3.0.7/include/net/netlink.h 2011-08-23 21:47:56.000000000 -0400
60993@@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
60994 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
60995 {
60996 if (mark)
60997- skb_trim(skb, (unsigned char *) mark - skb->data);
60998+ skb_trim(skb, (const unsigned char *) mark - skb->data);
60999 }
61000
61001 /**
61002diff -urNp linux-3.0.7/include/net/netns/ipv4.h linux-3.0.7/include/net/netns/ipv4.h
61003--- linux-3.0.7/include/net/netns/ipv4.h 2011-07-21 22:17:23.000000000 -0400
61004+++ linux-3.0.7/include/net/netns/ipv4.h 2011-08-23 21:47:56.000000000 -0400
61005@@ -56,8 +56,8 @@ struct netns_ipv4 {
61006
61007 unsigned int sysctl_ping_group_range[2];
61008
61009- atomic_t rt_genid;
61010- atomic_t dev_addr_genid;
61011+ atomic_unchecked_t rt_genid;
61012+ atomic_unchecked_t dev_addr_genid;
61013
61014 #ifdef CONFIG_IP_MROUTE
61015 #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
61016diff -urNp linux-3.0.7/include/net/sctp/sctp.h linux-3.0.7/include/net/sctp/sctp.h
61017--- linux-3.0.7/include/net/sctp/sctp.h 2011-07-21 22:17:23.000000000 -0400
61018+++ linux-3.0.7/include/net/sctp/sctp.h 2011-08-23 21:47:56.000000000 -0400
61019@@ -315,9 +315,9 @@ do { \
61020
61021 #else /* SCTP_DEBUG */
61022
61023-#define SCTP_DEBUG_PRINTK(whatever...)
61024-#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
61025-#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
61026+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
61027+#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
61028+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
61029 #define SCTP_ENABLE_DEBUG
61030 #define SCTP_DISABLE_DEBUG
61031 #define SCTP_ASSERT(expr, str, func)
61032diff -urNp linux-3.0.7/include/net/sock.h linux-3.0.7/include/net/sock.h
61033--- linux-3.0.7/include/net/sock.h 2011-07-21 22:17:23.000000000 -0400
61034+++ linux-3.0.7/include/net/sock.h 2011-08-23 21:47:56.000000000 -0400
61035@@ -277,7 +277,7 @@ struct sock {
61036 #ifdef CONFIG_RPS
61037 __u32 sk_rxhash;
61038 #endif
61039- atomic_t sk_drops;
61040+ atomic_unchecked_t sk_drops;
61041 int sk_rcvbuf;
61042
61043 struct sk_filter __rcu *sk_filter;
61044@@ -1390,7 +1390,7 @@ static inline void sk_nocaps_add(struct
61045 }
61046
61047 static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb,
61048- char __user *from, char *to,
61049+ char __user *from, unsigned char *to,
61050 int copy, int offset)
61051 {
61052 if (skb->ip_summed == CHECKSUM_NONE) {
61053diff -urNp linux-3.0.7/include/net/tcp.h linux-3.0.7/include/net/tcp.h
61054--- linux-3.0.7/include/net/tcp.h 2011-07-21 22:17:23.000000000 -0400
61055+++ linux-3.0.7/include/net/tcp.h 2011-08-23 21:47:56.000000000 -0400
61056@@ -1374,8 +1374,8 @@ enum tcp_seq_states {
61057 struct tcp_seq_afinfo {
61058 char *name;
61059 sa_family_t family;
61060- struct file_operations seq_fops;
61061- struct seq_operations seq_ops;
61062+ file_operations_no_const seq_fops;
61063+ seq_operations_no_const seq_ops;
61064 };
61065
61066 struct tcp_iter_state {
61067diff -urNp linux-3.0.7/include/net/udp.h linux-3.0.7/include/net/udp.h
61068--- linux-3.0.7/include/net/udp.h 2011-07-21 22:17:23.000000000 -0400
61069+++ linux-3.0.7/include/net/udp.h 2011-08-23 21:47:56.000000000 -0400
61070@@ -234,8 +234,8 @@ struct udp_seq_afinfo {
61071 char *name;
61072 sa_family_t family;
61073 struct udp_table *udp_table;
61074- struct file_operations seq_fops;
61075- struct seq_operations seq_ops;
61076+ file_operations_no_const seq_fops;
61077+ seq_operations_no_const seq_ops;
61078 };
61079
61080 struct udp_iter_state {
61081diff -urNp linux-3.0.7/include/net/xfrm.h linux-3.0.7/include/net/xfrm.h
61082--- linux-3.0.7/include/net/xfrm.h 2011-07-21 22:17:23.000000000 -0400
61083+++ linux-3.0.7/include/net/xfrm.h 2011-08-23 21:47:56.000000000 -0400
61084@@ -505,7 +505,7 @@ struct xfrm_policy {
61085 struct timer_list timer;
61086
61087 struct flow_cache_object flo;
61088- atomic_t genid;
61089+ atomic_unchecked_t genid;
61090 u32 priority;
61091 u32 index;
61092 struct xfrm_mark mark;
61093diff -urNp linux-3.0.7/include/rdma/iw_cm.h linux-3.0.7/include/rdma/iw_cm.h
61094--- linux-3.0.7/include/rdma/iw_cm.h 2011-07-21 22:17:23.000000000 -0400
61095+++ linux-3.0.7/include/rdma/iw_cm.h 2011-08-23 21:47:56.000000000 -0400
61096@@ -120,7 +120,7 @@ struct iw_cm_verbs {
61097 int backlog);
61098
61099 int (*destroy_listen)(struct iw_cm_id *cm_id);
61100-};
61101+} __no_const;
61102
61103 /**
61104 * iw_create_cm_id - Create an IW CM identifier.
61105diff -urNp linux-3.0.7/include/scsi/libfc.h linux-3.0.7/include/scsi/libfc.h
61106--- linux-3.0.7/include/scsi/libfc.h 2011-07-21 22:17:23.000000000 -0400
61107+++ linux-3.0.7/include/scsi/libfc.h 2011-08-23 21:47:56.000000000 -0400
61108@@ -750,6 +750,7 @@ struct libfc_function_template {
61109 */
61110 void (*disc_stop_final) (struct fc_lport *);
61111 };
61112+typedef struct libfc_function_template __no_const libfc_function_template_no_const;
61113
61114 /**
61115 * struct fc_disc - Discovery context
61116@@ -853,7 +854,7 @@ struct fc_lport {
61117 struct fc_vport *vport;
61118
61119 /* Operational Information */
61120- struct libfc_function_template tt;
61121+ libfc_function_template_no_const tt;
61122 u8 link_up;
61123 u8 qfull;
61124 enum fc_lport_state state;
61125diff -urNp linux-3.0.7/include/scsi/scsi_device.h linux-3.0.7/include/scsi/scsi_device.h
61126--- linux-3.0.7/include/scsi/scsi_device.h 2011-07-21 22:17:23.000000000 -0400
61127+++ linux-3.0.7/include/scsi/scsi_device.h 2011-08-23 21:47:56.000000000 -0400
61128@@ -161,9 +161,9 @@ struct scsi_device {
61129 unsigned int max_device_blocked; /* what device_blocked counts down from */
61130 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
61131
61132- atomic_t iorequest_cnt;
61133- atomic_t iodone_cnt;
61134- atomic_t ioerr_cnt;
61135+ atomic_unchecked_t iorequest_cnt;
61136+ atomic_unchecked_t iodone_cnt;
61137+ atomic_unchecked_t ioerr_cnt;
61138
61139 struct device sdev_gendev,
61140 sdev_dev;
61141diff -urNp linux-3.0.7/include/scsi/scsi_transport_fc.h linux-3.0.7/include/scsi/scsi_transport_fc.h
61142--- linux-3.0.7/include/scsi/scsi_transport_fc.h 2011-07-21 22:17:23.000000000 -0400
61143+++ linux-3.0.7/include/scsi/scsi_transport_fc.h 2011-08-26 19:49:56.000000000 -0400
61144@@ -711,7 +711,7 @@ struct fc_function_template {
61145 unsigned long show_host_system_hostname:1;
61146
61147 unsigned long disable_target_scan:1;
61148-};
61149+} __do_const;
61150
61151
61152 /**
61153diff -urNp linux-3.0.7/include/sound/ak4xxx-adda.h linux-3.0.7/include/sound/ak4xxx-adda.h
61154--- linux-3.0.7/include/sound/ak4xxx-adda.h 2011-07-21 22:17:23.000000000 -0400
61155+++ linux-3.0.7/include/sound/ak4xxx-adda.h 2011-08-23 21:47:56.000000000 -0400
61156@@ -35,7 +35,7 @@ struct snd_ak4xxx_ops {
61157 void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg,
61158 unsigned char val);
61159 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
61160-};
61161+} __no_const;
61162
61163 #define AK4XXX_IMAGE_SIZE (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */
61164
61165diff -urNp linux-3.0.7/include/sound/hwdep.h linux-3.0.7/include/sound/hwdep.h
61166--- linux-3.0.7/include/sound/hwdep.h 2011-07-21 22:17:23.000000000 -0400
61167+++ linux-3.0.7/include/sound/hwdep.h 2011-08-23 21:47:56.000000000 -0400
61168@@ -49,7 +49,7 @@ struct snd_hwdep_ops {
61169 struct snd_hwdep_dsp_status *status);
61170 int (*dsp_load)(struct snd_hwdep *hw,
61171 struct snd_hwdep_dsp_image *image);
61172-};
61173+} __no_const;
61174
61175 struct snd_hwdep {
61176 struct snd_card *card;
61177diff -urNp linux-3.0.7/include/sound/info.h linux-3.0.7/include/sound/info.h
61178--- linux-3.0.7/include/sound/info.h 2011-07-21 22:17:23.000000000 -0400
61179+++ linux-3.0.7/include/sound/info.h 2011-08-23 21:47:56.000000000 -0400
61180@@ -44,7 +44,7 @@ struct snd_info_entry_text {
61181 struct snd_info_buffer *buffer);
61182 void (*write)(struct snd_info_entry *entry,
61183 struct snd_info_buffer *buffer);
61184-};
61185+} __no_const;
61186
61187 struct snd_info_entry_ops {
61188 int (*open)(struct snd_info_entry *entry,
61189diff -urNp linux-3.0.7/include/sound/pcm.h linux-3.0.7/include/sound/pcm.h
61190--- linux-3.0.7/include/sound/pcm.h 2011-07-21 22:17:23.000000000 -0400
61191+++ linux-3.0.7/include/sound/pcm.h 2011-08-23 21:47:56.000000000 -0400
61192@@ -81,6 +81,7 @@ struct snd_pcm_ops {
61193 int (*mmap)(struct snd_pcm_substream *substream, struct vm_area_struct *vma);
61194 int (*ack)(struct snd_pcm_substream *substream);
61195 };
61196+typedef struct snd_pcm_ops __no_const snd_pcm_ops_no_const;
61197
61198 /*
61199 *
61200diff -urNp linux-3.0.7/include/sound/sb16_csp.h linux-3.0.7/include/sound/sb16_csp.h
61201--- linux-3.0.7/include/sound/sb16_csp.h 2011-07-21 22:17:23.000000000 -0400
61202+++ linux-3.0.7/include/sound/sb16_csp.h 2011-08-23 21:47:56.000000000 -0400
61203@@ -146,7 +146,7 @@ struct snd_sb_csp_ops {
61204 int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels);
61205 int (*csp_stop) (struct snd_sb_csp * p);
61206 int (*csp_qsound_transfer) (struct snd_sb_csp * p);
61207-};
61208+} __no_const;
61209
61210 /*
61211 * CSP private data
61212diff -urNp linux-3.0.7/include/sound/soc.h linux-3.0.7/include/sound/soc.h
61213--- linux-3.0.7/include/sound/soc.h 2011-07-21 22:17:23.000000000 -0400
61214+++ linux-3.0.7/include/sound/soc.h 2011-08-26 19:49:56.000000000 -0400
61215@@ -636,7 +636,7 @@ struct snd_soc_platform_driver {
61216
61217 /* platform stream ops */
61218 struct snd_pcm_ops *ops;
61219-};
61220+} __do_const;
61221
61222 struct snd_soc_platform {
61223 const char *name;
61224diff -urNp linux-3.0.7/include/sound/ymfpci.h linux-3.0.7/include/sound/ymfpci.h
61225--- linux-3.0.7/include/sound/ymfpci.h 2011-07-21 22:17:23.000000000 -0400
61226+++ linux-3.0.7/include/sound/ymfpci.h 2011-08-23 21:47:56.000000000 -0400
61227@@ -358,7 +358,7 @@ struct snd_ymfpci {
61228 spinlock_t reg_lock;
61229 spinlock_t voice_lock;
61230 wait_queue_head_t interrupt_sleep;
61231- atomic_t interrupt_sleep_count;
61232+ atomic_unchecked_t interrupt_sleep_count;
61233 struct snd_info_entry *proc_entry;
61234 const struct firmware *dsp_microcode;
61235 const struct firmware *controller_microcode;
61236diff -urNp linux-3.0.7/include/target/target_core_base.h linux-3.0.7/include/target/target_core_base.h
61237--- linux-3.0.7/include/target/target_core_base.h 2011-07-21 22:17:23.000000000 -0400
61238+++ linux-3.0.7/include/target/target_core_base.h 2011-08-23 21:47:56.000000000 -0400
61239@@ -364,7 +364,7 @@ struct t10_reservation_ops {
61240 int (*t10_seq_non_holder)(struct se_cmd *, unsigned char *, u32);
61241 int (*t10_pr_register)(struct se_cmd *);
61242 int (*t10_pr_clear)(struct se_cmd *);
61243-};
61244+} __no_const;
61245
61246 struct t10_reservation_template {
61247 /* Reservation effects all target ports */
61248@@ -432,8 +432,8 @@ struct se_transport_task {
61249 atomic_t t_task_cdbs_left;
61250 atomic_t t_task_cdbs_ex_left;
61251 atomic_t t_task_cdbs_timeout_left;
61252- atomic_t t_task_cdbs_sent;
61253- atomic_t t_transport_aborted;
61254+ atomic_unchecked_t t_task_cdbs_sent;
61255+ atomic_unchecked_t t_transport_aborted;
61256 atomic_t t_transport_active;
61257 atomic_t t_transport_complete;
61258 atomic_t t_transport_queue_active;
61259@@ -774,7 +774,7 @@ struct se_device {
61260 atomic_t active_cmds;
61261 atomic_t simple_cmds;
61262 atomic_t depth_left;
61263- atomic_t dev_ordered_id;
61264+ atomic_unchecked_t dev_ordered_id;
61265 atomic_t dev_tur_active;
61266 atomic_t execute_tasks;
61267 atomic_t dev_status_thr_count;
61268diff -urNp linux-3.0.7/include/trace/events/irq.h linux-3.0.7/include/trace/events/irq.h
61269--- linux-3.0.7/include/trace/events/irq.h 2011-07-21 22:17:23.000000000 -0400
61270+++ linux-3.0.7/include/trace/events/irq.h 2011-08-23 21:47:56.000000000 -0400
61271@@ -36,7 +36,7 @@ struct softirq_action;
61272 */
61273 TRACE_EVENT(irq_handler_entry,
61274
61275- TP_PROTO(int irq, struct irqaction *action),
61276+ TP_PROTO(int irq, const struct irqaction *action),
61277
61278 TP_ARGS(irq, action),
61279
61280@@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
61281 */
61282 TRACE_EVENT(irq_handler_exit,
61283
61284- TP_PROTO(int irq, struct irqaction *action, int ret),
61285+ TP_PROTO(int irq, const struct irqaction *action, int ret),
61286
61287 TP_ARGS(irq, action, ret),
61288
61289diff -urNp linux-3.0.7/include/video/udlfb.h linux-3.0.7/include/video/udlfb.h
61290--- linux-3.0.7/include/video/udlfb.h 2011-07-21 22:17:23.000000000 -0400
61291+++ linux-3.0.7/include/video/udlfb.h 2011-08-23 21:47:56.000000000 -0400
61292@@ -51,10 +51,10 @@ struct dlfb_data {
61293 int base8;
61294 u32 pseudo_palette[256];
61295 /* blit-only rendering path metrics, exposed through sysfs */
61296- atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
61297- atomic_t bytes_identical; /* saved effort with backbuffer comparison */
61298- atomic_t bytes_sent; /* to usb, after compression including overhead */
61299- atomic_t cpu_kcycles_used; /* transpired during pixel processing */
61300+ atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
61301+ atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
61302+ atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
61303+ atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
61304 };
61305
61306 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
61307diff -urNp linux-3.0.7/include/video/uvesafb.h linux-3.0.7/include/video/uvesafb.h
61308--- linux-3.0.7/include/video/uvesafb.h 2011-07-21 22:17:23.000000000 -0400
61309+++ linux-3.0.7/include/video/uvesafb.h 2011-08-23 21:47:56.000000000 -0400
61310@@ -177,6 +177,7 @@ struct uvesafb_par {
61311 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
61312 u8 pmi_setpal; /* PMI for palette changes */
61313 u16 *pmi_base; /* protected mode interface location */
61314+ u8 *pmi_code; /* protected mode code location */
61315 void *pmi_start;
61316 void *pmi_pal;
61317 u8 *vbe_state_orig; /*
61318diff -urNp linux-3.0.7/init/Kconfig linux-3.0.7/init/Kconfig
61319--- linux-3.0.7/init/Kconfig 2011-07-21 22:17:23.000000000 -0400
61320+++ linux-3.0.7/init/Kconfig 2011-08-23 21:47:56.000000000 -0400
61321@@ -1195,7 +1195,7 @@ config SLUB_DEBUG
61322
61323 config COMPAT_BRK
61324 bool "Disable heap randomization"
61325- default y
61326+ default n
61327 help
61328 Randomizing heap placement makes heap exploits harder, but it
61329 also breaks ancient binaries (including anything libc5 based).
61330diff -urNp linux-3.0.7/init/do_mounts.c linux-3.0.7/init/do_mounts.c
61331--- linux-3.0.7/init/do_mounts.c 2011-07-21 22:17:23.000000000 -0400
61332+++ linux-3.0.7/init/do_mounts.c 2011-10-06 04:17:55.000000000 -0400
61333@@ -287,11 +287,11 @@ static void __init get_fs_names(char *pa
61334
61335 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
61336 {
61337- int err = sys_mount(name, "/root", fs, flags, data);
61338+ int err = sys_mount((char __force_user *)name, (char __force_user *)"/root", (char __force_user *)fs, flags, (void __force_user *)data);
61339 if (err)
61340 return err;
61341
61342- sys_chdir((const char __user __force *)"/root");
61343+ sys_chdir((const char __force_user*)"/root");
61344 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
61345 printk(KERN_INFO
61346 "VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
61347@@ -383,18 +383,18 @@ void __init change_floppy(char *fmt, ...
61348 va_start(args, fmt);
61349 vsprintf(buf, fmt, args);
61350 va_end(args);
61351- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
61352+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
61353 if (fd >= 0) {
61354 sys_ioctl(fd, FDEJECT, 0);
61355 sys_close(fd);
61356 }
61357 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
61358- fd = sys_open("/dev/console", O_RDWR, 0);
61359+ fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
61360 if (fd >= 0) {
61361 sys_ioctl(fd, TCGETS, (long)&termios);
61362 termios.c_lflag &= ~ICANON;
61363 sys_ioctl(fd, TCSETSF, (long)&termios);
61364- sys_read(fd, &c, 1);
61365+ sys_read(fd, (char __user *)&c, 1);
61366 termios.c_lflag |= ICANON;
61367 sys_ioctl(fd, TCSETSF, (long)&termios);
61368 sys_close(fd);
61369@@ -488,6 +488,6 @@ void __init prepare_namespace(void)
61370 mount_root();
61371 out:
61372 devtmpfs_mount("dev");
61373- sys_mount(".", "/", NULL, MS_MOVE, NULL);
61374- sys_chroot((const char __user __force *)".");
61375+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
61376+ sys_chroot((const char __force_user *)".");
61377 }
61378diff -urNp linux-3.0.7/init/do_mounts.h linux-3.0.7/init/do_mounts.h
61379--- linux-3.0.7/init/do_mounts.h 2011-07-21 22:17:23.000000000 -0400
61380+++ linux-3.0.7/init/do_mounts.h 2011-10-06 04:17:55.000000000 -0400
61381@@ -15,15 +15,15 @@ extern int root_mountflags;
61382
61383 static inline int create_dev(char *name, dev_t dev)
61384 {
61385- sys_unlink(name);
61386- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
61387+ sys_unlink((char __force_user *)name);
61388+ return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
61389 }
61390
61391 #if BITS_PER_LONG == 32
61392 static inline u32 bstat(char *name)
61393 {
61394 struct stat64 stat;
61395- if (sys_stat64(name, &stat) != 0)
61396+ if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
61397 return 0;
61398 if (!S_ISBLK(stat.st_mode))
61399 return 0;
61400@@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
61401 static inline u32 bstat(char *name)
61402 {
61403 struct stat stat;
61404- if (sys_newstat(name, &stat) != 0)
61405+ if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
61406 return 0;
61407 if (!S_ISBLK(stat.st_mode))
61408 return 0;
61409diff -urNp linux-3.0.7/init/do_mounts_initrd.c linux-3.0.7/init/do_mounts_initrd.c
61410--- linux-3.0.7/init/do_mounts_initrd.c 2011-07-21 22:17:23.000000000 -0400
61411+++ linux-3.0.7/init/do_mounts_initrd.c 2011-10-06 04:17:55.000000000 -0400
61412@@ -44,13 +44,13 @@ static void __init handle_initrd(void)
61413 create_dev("/dev/root.old", Root_RAM0);
61414 /* mount initrd on rootfs' /root */
61415 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
61416- sys_mkdir("/old", 0700);
61417- root_fd = sys_open("/", 0, 0);
61418- old_fd = sys_open("/old", 0, 0);
61419+ sys_mkdir((const char __force_user *)"/old", 0700);
61420+ root_fd = sys_open((const char __force_user *)"/", 0, 0);
61421+ old_fd = sys_open((const char __force_user *)"/old", 0, 0);
61422 /* move initrd over / and chdir/chroot in initrd root */
61423- sys_chdir("/root");
61424- sys_mount(".", "/", NULL, MS_MOVE, NULL);
61425- sys_chroot(".");
61426+ sys_chdir((const char __force_user *)"/root");
61427+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
61428+ sys_chroot((const char __force_user *)".");
61429
61430 /*
61431 * In case that a resume from disk is carried out by linuxrc or one of
61432@@ -67,15 +67,15 @@ static void __init handle_initrd(void)
61433
61434 /* move initrd to rootfs' /old */
61435 sys_fchdir(old_fd);
61436- sys_mount("/", ".", NULL, MS_MOVE, NULL);
61437+ sys_mount((char __force_user *)"/", (char __force_user *)".", NULL, MS_MOVE, NULL);
61438 /* switch root and cwd back to / of rootfs */
61439 sys_fchdir(root_fd);
61440- sys_chroot(".");
61441+ sys_chroot((const char __force_user *)".");
61442 sys_close(old_fd);
61443 sys_close(root_fd);
61444
61445 if (new_decode_dev(real_root_dev) == Root_RAM0) {
61446- sys_chdir("/old");
61447+ sys_chdir((const char __force_user *)"/old");
61448 return;
61449 }
61450
61451@@ -83,17 +83,17 @@ static void __init handle_initrd(void)
61452 mount_root();
61453
61454 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
61455- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
61456+ error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
61457 if (!error)
61458 printk("okay\n");
61459 else {
61460- int fd = sys_open("/dev/root.old", O_RDWR, 0);
61461+ int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
61462 if (error == -ENOENT)
61463 printk("/initrd does not exist. Ignored.\n");
61464 else
61465 printk("failed\n");
61466 printk(KERN_NOTICE "Unmounting old root\n");
61467- sys_umount("/old", MNT_DETACH);
61468+ sys_umount((char __force_user *)"/old", MNT_DETACH);
61469 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
61470 if (fd < 0) {
61471 error = fd;
61472@@ -116,11 +116,11 @@ int __init initrd_load(void)
61473 * mounted in the normal path.
61474 */
61475 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
61476- sys_unlink("/initrd.image");
61477+ sys_unlink((const char __force_user *)"/initrd.image");
61478 handle_initrd();
61479 return 1;
61480 }
61481 }
61482- sys_unlink("/initrd.image");
61483+ sys_unlink((const char __force_user *)"/initrd.image");
61484 return 0;
61485 }
61486diff -urNp linux-3.0.7/init/do_mounts_md.c linux-3.0.7/init/do_mounts_md.c
61487--- linux-3.0.7/init/do_mounts_md.c 2011-07-21 22:17:23.000000000 -0400
61488+++ linux-3.0.7/init/do_mounts_md.c 2011-10-06 04:17:55.000000000 -0400
61489@@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
61490 partitioned ? "_d" : "", minor,
61491 md_setup_args[ent].device_names);
61492
61493- fd = sys_open(name, 0, 0);
61494+ fd = sys_open((char __force_user *)name, 0, 0);
61495 if (fd < 0) {
61496 printk(KERN_ERR "md: open failed - cannot start "
61497 "array %s\n", name);
61498@@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
61499 * array without it
61500 */
61501 sys_close(fd);
61502- fd = sys_open(name, 0, 0);
61503+ fd = sys_open((char __force_user *)name, 0, 0);
61504 sys_ioctl(fd, BLKRRPART, 0);
61505 }
61506 sys_close(fd);
61507@@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
61508
61509 wait_for_device_probe();
61510
61511- fd = sys_open((const char __user __force *) "/dev/md0", 0, 0);
61512+ fd = sys_open((const char __force_user *) "/dev/md0", 0, 0);
61513 if (fd >= 0) {
61514 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
61515 sys_close(fd);
61516diff -urNp linux-3.0.7/init/initramfs.c linux-3.0.7/init/initramfs.c
61517--- linux-3.0.7/init/initramfs.c 2011-07-21 22:17:23.000000000 -0400
61518+++ linux-3.0.7/init/initramfs.c 2011-10-06 04:17:55.000000000 -0400
61519@@ -74,7 +74,7 @@ static void __init free_hash(void)
61520 }
61521 }
61522
61523-static long __init do_utime(char __user *filename, time_t mtime)
61524+static long __init do_utime(__force char __user *filename, time_t mtime)
61525 {
61526 struct timespec t[2];
61527
61528@@ -109,7 +109,7 @@ static void __init dir_utime(void)
61529 struct dir_entry *de, *tmp;
61530 list_for_each_entry_safe(de, tmp, &dir_list, list) {
61531 list_del(&de->list);
61532- do_utime(de->name, de->mtime);
61533+ do_utime((char __force_user *)de->name, de->mtime);
61534 kfree(de->name);
61535 kfree(de);
61536 }
61537@@ -271,7 +271,7 @@ static int __init maybe_link(void)
61538 if (nlink >= 2) {
61539 char *old = find_link(major, minor, ino, mode, collected);
61540 if (old)
61541- return (sys_link(old, collected) < 0) ? -1 : 1;
61542+ return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
61543 }
61544 return 0;
61545 }
61546@@ -280,11 +280,11 @@ static void __init clean_path(char *path
61547 {
61548 struct stat st;
61549
61550- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
61551+ if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
61552 if (S_ISDIR(st.st_mode))
61553- sys_rmdir(path);
61554+ sys_rmdir((char __force_user *)path);
61555 else
61556- sys_unlink(path);
61557+ sys_unlink((char __force_user *)path);
61558 }
61559 }
61560
61561@@ -305,7 +305,7 @@ static int __init do_name(void)
61562 int openflags = O_WRONLY|O_CREAT;
61563 if (ml != 1)
61564 openflags |= O_TRUNC;
61565- wfd = sys_open(collected, openflags, mode);
61566+ wfd = sys_open((char __force_user *)collected, openflags, mode);
61567
61568 if (wfd >= 0) {
61569 sys_fchown(wfd, uid, gid);
61570@@ -317,17 +317,17 @@ static int __init do_name(void)
61571 }
61572 }
61573 } else if (S_ISDIR(mode)) {
61574- sys_mkdir(collected, mode);
61575- sys_chown(collected, uid, gid);
61576- sys_chmod(collected, mode);
61577+ sys_mkdir((char __force_user *)collected, mode);
61578+ sys_chown((char __force_user *)collected, uid, gid);
61579+ sys_chmod((char __force_user *)collected, mode);
61580 dir_add(collected, mtime);
61581 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
61582 S_ISFIFO(mode) || S_ISSOCK(mode)) {
61583 if (maybe_link() == 0) {
61584- sys_mknod(collected, mode, rdev);
61585- sys_chown(collected, uid, gid);
61586- sys_chmod(collected, mode);
61587- do_utime(collected, mtime);
61588+ sys_mknod((char __force_user *)collected, mode, rdev);
61589+ sys_chown((char __force_user *)collected, uid, gid);
61590+ sys_chmod((char __force_user *)collected, mode);
61591+ do_utime((char __force_user *)collected, mtime);
61592 }
61593 }
61594 return 0;
61595@@ -336,15 +336,15 @@ static int __init do_name(void)
61596 static int __init do_copy(void)
61597 {
61598 if (count >= body_len) {
61599- sys_write(wfd, victim, body_len);
61600+ sys_write(wfd, (char __force_user *)victim, body_len);
61601 sys_close(wfd);
61602- do_utime(vcollected, mtime);
61603+ do_utime((char __force_user *)vcollected, mtime);
61604 kfree(vcollected);
61605 eat(body_len);
61606 state = SkipIt;
61607 return 0;
61608 } else {
61609- sys_write(wfd, victim, count);
61610+ sys_write(wfd, (char __force_user *)victim, count);
61611 body_len -= count;
61612 eat(count);
61613 return 1;
61614@@ -355,9 +355,9 @@ static int __init do_symlink(void)
61615 {
61616 collected[N_ALIGN(name_len) + body_len] = '\0';
61617 clean_path(collected, 0);
61618- sys_symlink(collected + N_ALIGN(name_len), collected);
61619- sys_lchown(collected, uid, gid);
61620- do_utime(collected, mtime);
61621+ sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
61622+ sys_lchown((char __force_user *)collected, uid, gid);
61623+ do_utime((char __force_user *)collected, mtime);
61624 state = SkipIt;
61625 next_state = Reset;
61626 return 0;
61627diff -urNp linux-3.0.7/init/main.c linux-3.0.7/init/main.c
61628--- linux-3.0.7/init/main.c 2011-07-21 22:17:23.000000000 -0400
61629+++ linux-3.0.7/init/main.c 2011-10-06 04:17:55.000000000 -0400
61630@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
61631 extern void tc_init(void);
61632 #endif
61633
61634+extern void grsecurity_init(void);
61635+
61636 /*
61637 * Debug helper: via this flag we know that we are in 'early bootup code'
61638 * where only the boot processor is running with IRQ disabled. This means
61639@@ -149,6 +151,49 @@ static int __init set_reset_devices(char
61640
61641 __setup("reset_devices", set_reset_devices);
61642
61643+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
61644+extern char pax_enter_kernel_user[];
61645+extern char pax_exit_kernel_user[];
61646+extern pgdval_t clone_pgd_mask;
61647+#endif
61648+
61649+#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
61650+static int __init setup_pax_nouderef(char *str)
61651+{
61652+#ifdef CONFIG_X86_32
61653+ unsigned int cpu;
61654+ struct desc_struct *gdt;
61655+
61656+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
61657+ gdt = get_cpu_gdt_table(cpu);
61658+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
61659+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
61660+ gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
61661+ gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
61662+ }
61663+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
61664+#else
61665+ memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
61666+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
61667+ clone_pgd_mask = ~(pgdval_t)0UL;
61668+#endif
61669+
61670+ return 0;
61671+}
61672+early_param("pax_nouderef", setup_pax_nouderef);
61673+#endif
61674+
61675+#ifdef CONFIG_PAX_SOFTMODE
61676+int pax_softmode;
61677+
61678+static int __init setup_pax_softmode(char *str)
61679+{
61680+ get_option(&str, &pax_softmode);
61681+ return 1;
61682+}
61683+__setup("pax_softmode=", setup_pax_softmode);
61684+#endif
61685+
61686 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
61687 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
61688 static const char *panic_later, *panic_param;
61689@@ -667,6 +712,7 @@ int __init_or_module do_one_initcall(ini
61690 {
61691 int count = preempt_count();
61692 int ret;
61693+ const char *msg1 = "", *msg2 = "";
61694
61695 if (initcall_debug)
61696 ret = do_one_initcall_debug(fn);
61697@@ -679,15 +725,15 @@ int __init_or_module do_one_initcall(ini
61698 sprintf(msgbuf, "error code %d ", ret);
61699
61700 if (preempt_count() != count) {
61701- strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
61702+ msg1 = " preemption imbalance";
61703 preempt_count() = count;
61704 }
61705 if (irqs_disabled()) {
61706- strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
61707+ msg2 = " disabled interrupts";
61708 local_irq_enable();
61709 }
61710- if (msgbuf[0]) {
61711- printk("initcall %pF returned with %s\n", fn, msgbuf);
61712+ if (msgbuf[0] || *msg1 || *msg2) {
61713+ printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
61714 }
61715
61716 return ret;
61717@@ -805,7 +851,7 @@ static int __init kernel_init(void * unu
61718 do_basic_setup();
61719
61720 /* Open the /dev/console on the rootfs, this should never fail */
61721- if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
61722+ if (sys_open((const char __force_user *) "/dev/console", O_RDWR, 0) < 0)
61723 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
61724
61725 (void) sys_dup(0);
61726@@ -818,11 +864,13 @@ static int __init kernel_init(void * unu
61727 if (!ramdisk_execute_command)
61728 ramdisk_execute_command = "/init";
61729
61730- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
61731+ if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
61732 ramdisk_execute_command = NULL;
61733 prepare_namespace();
61734 }
61735
61736+ grsecurity_init();
61737+
61738 /*
61739 * Ok, we have completed the initial bootup, and
61740 * we're essentially up and running. Get rid of the
61741diff -urNp linux-3.0.7/ipc/mqueue.c linux-3.0.7/ipc/mqueue.c
61742--- linux-3.0.7/ipc/mqueue.c 2011-10-16 21:54:54.000000000 -0400
61743+++ linux-3.0.7/ipc/mqueue.c 2011-10-16 21:59:31.000000000 -0400
61744@@ -156,6 +156,7 @@ static struct inode *mqueue_get_inode(st
61745 mq_bytes = (mq_msg_tblsz +
61746 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
61747
61748+ gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
61749 spin_lock(&mq_lock);
61750 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
61751 u->mq_bytes + mq_bytes > task_rlimit(p, RLIMIT_MSGQUEUE)) {
61752diff -urNp linux-3.0.7/ipc/msg.c linux-3.0.7/ipc/msg.c
61753--- linux-3.0.7/ipc/msg.c 2011-07-21 22:17:23.000000000 -0400
61754+++ linux-3.0.7/ipc/msg.c 2011-08-23 21:47:56.000000000 -0400
61755@@ -309,18 +309,19 @@ static inline int msg_security(struct ke
61756 return security_msg_queue_associate(msq, msgflg);
61757 }
61758
61759+static struct ipc_ops msg_ops = {
61760+ .getnew = newque,
61761+ .associate = msg_security,
61762+ .more_checks = NULL
61763+};
61764+
61765 SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
61766 {
61767 struct ipc_namespace *ns;
61768- struct ipc_ops msg_ops;
61769 struct ipc_params msg_params;
61770
61771 ns = current->nsproxy->ipc_ns;
61772
61773- msg_ops.getnew = newque;
61774- msg_ops.associate = msg_security;
61775- msg_ops.more_checks = NULL;
61776-
61777 msg_params.key = key;
61778 msg_params.flg = msgflg;
61779
61780diff -urNp linux-3.0.7/ipc/sem.c linux-3.0.7/ipc/sem.c
61781--- linux-3.0.7/ipc/sem.c 2011-09-02 18:11:21.000000000 -0400
61782+++ linux-3.0.7/ipc/sem.c 2011-08-23 21:48:14.000000000 -0400
61783@@ -318,10 +318,15 @@ static inline int sem_more_checks(struct
61784 return 0;
61785 }
61786
61787+static struct ipc_ops sem_ops = {
61788+ .getnew = newary,
61789+ .associate = sem_security,
61790+ .more_checks = sem_more_checks
61791+};
61792+
61793 SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
61794 {
61795 struct ipc_namespace *ns;
61796- struct ipc_ops sem_ops;
61797 struct ipc_params sem_params;
61798
61799 ns = current->nsproxy->ipc_ns;
61800@@ -329,10 +334,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
61801 if (nsems < 0 || nsems > ns->sc_semmsl)
61802 return -EINVAL;
61803
61804- sem_ops.getnew = newary;
61805- sem_ops.associate = sem_security;
61806- sem_ops.more_checks = sem_more_checks;
61807-
61808 sem_params.key = key;
61809 sem_params.flg = semflg;
61810 sem_params.u.nsems = nsems;
61811@@ -854,6 +855,8 @@ static int semctl_main(struct ipc_namesp
61812 int nsems;
61813 struct list_head tasks;
61814
61815+ pax_track_stack();
61816+
61817 sma = sem_lock_check(ns, semid);
61818 if (IS_ERR(sma))
61819 return PTR_ERR(sma);
61820@@ -1301,6 +1304,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
61821 struct ipc_namespace *ns;
61822 struct list_head tasks;
61823
61824+ pax_track_stack();
61825+
61826 ns = current->nsproxy->ipc_ns;
61827
61828 if (nsops < 1 || semid < 0)
61829diff -urNp linux-3.0.7/ipc/shm.c linux-3.0.7/ipc/shm.c
61830--- linux-3.0.7/ipc/shm.c 2011-07-21 22:17:23.000000000 -0400
61831+++ linux-3.0.7/ipc/shm.c 2011-08-23 21:48:14.000000000 -0400
61832@@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
61833 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
61834 #endif
61835
61836+#ifdef CONFIG_GRKERNSEC
61837+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
61838+ const time_t shm_createtime, const uid_t cuid,
61839+ const int shmid);
61840+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
61841+ const time_t shm_createtime);
61842+#endif
61843+
61844 void shm_init_ns(struct ipc_namespace *ns)
61845 {
61846 ns->shm_ctlmax = SHMMAX;
61847@@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
61848 shp->shm_lprid = 0;
61849 shp->shm_atim = shp->shm_dtim = 0;
61850 shp->shm_ctim = get_seconds();
61851+#ifdef CONFIG_GRKERNSEC
61852+ {
61853+ struct timespec timeval;
61854+ do_posix_clock_monotonic_gettime(&timeval);
61855+
61856+ shp->shm_createtime = timeval.tv_sec;
61857+ }
61858+#endif
61859 shp->shm_segsz = size;
61860 shp->shm_nattch = 0;
61861 shp->shm_file = file;
61862@@ -451,18 +467,19 @@ static inline int shm_more_checks(struct
61863 return 0;
61864 }
61865
61866+static struct ipc_ops shm_ops = {
61867+ .getnew = newseg,
61868+ .associate = shm_security,
61869+ .more_checks = shm_more_checks
61870+};
61871+
61872 SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
61873 {
61874 struct ipc_namespace *ns;
61875- struct ipc_ops shm_ops;
61876 struct ipc_params shm_params;
61877
61878 ns = current->nsproxy->ipc_ns;
61879
61880- shm_ops.getnew = newseg;
61881- shm_ops.associate = shm_security;
61882- shm_ops.more_checks = shm_more_checks;
61883-
61884 shm_params.key = key;
61885 shm_params.flg = shmflg;
61886 shm_params.u.size = size;
61887@@ -762,8 +779,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
61888 case SHM_LOCK:
61889 case SHM_UNLOCK:
61890 {
61891- struct file *uninitialized_var(shm_file);
61892-
61893 lru_add_drain_all(); /* drain pagevecs to lru lists */
61894
61895 shp = shm_lock_check(ns, shmid);
61896@@ -896,9 +911,21 @@ long do_shmat(int shmid, char __user *sh
61897 if (err)
61898 goto out_unlock;
61899
61900+#ifdef CONFIG_GRKERNSEC
61901+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
61902+ shp->shm_perm.cuid, shmid) ||
61903+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
61904+ err = -EACCES;
61905+ goto out_unlock;
61906+ }
61907+#endif
61908+
61909 path = shp->shm_file->f_path;
61910 path_get(&path);
61911 shp->shm_nattch++;
61912+#ifdef CONFIG_GRKERNSEC
61913+ shp->shm_lapid = current->pid;
61914+#endif
61915 size = i_size_read(path.dentry->d_inode);
61916 shm_unlock(shp);
61917
61918diff -urNp linux-3.0.7/kernel/acct.c linux-3.0.7/kernel/acct.c
61919--- linux-3.0.7/kernel/acct.c 2011-07-21 22:17:23.000000000 -0400
61920+++ linux-3.0.7/kernel/acct.c 2011-10-06 04:17:55.000000000 -0400
61921@@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
61922 */
61923 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
61924 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
61925- file->f_op->write(file, (char *)&ac,
61926+ file->f_op->write(file, (char __force_user *)&ac,
61927 sizeof(acct_t), &file->f_pos);
61928 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
61929 set_fs(fs);
61930diff -urNp linux-3.0.7/kernel/audit.c linux-3.0.7/kernel/audit.c
61931--- linux-3.0.7/kernel/audit.c 2011-07-21 22:17:23.000000000 -0400
61932+++ linux-3.0.7/kernel/audit.c 2011-08-23 21:47:56.000000000 -0400
61933@@ -112,7 +112,7 @@ u32 audit_sig_sid = 0;
61934 3) suppressed due to audit_rate_limit
61935 4) suppressed due to audit_backlog_limit
61936 */
61937-static atomic_t audit_lost = ATOMIC_INIT(0);
61938+static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
61939
61940 /* The netlink socket. */
61941 static struct sock *audit_sock;
61942@@ -234,7 +234,7 @@ void audit_log_lost(const char *message)
61943 unsigned long now;
61944 int print;
61945
61946- atomic_inc(&audit_lost);
61947+ atomic_inc_unchecked(&audit_lost);
61948
61949 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
61950
61951@@ -253,7 +253,7 @@ void audit_log_lost(const char *message)
61952 printk(KERN_WARNING
61953 "audit: audit_lost=%d audit_rate_limit=%d "
61954 "audit_backlog_limit=%d\n",
61955- atomic_read(&audit_lost),
61956+ atomic_read_unchecked(&audit_lost),
61957 audit_rate_limit,
61958 audit_backlog_limit);
61959 audit_panic(message);
61960@@ -686,7 +686,7 @@ static int audit_receive_msg(struct sk_b
61961 status_set.pid = audit_pid;
61962 status_set.rate_limit = audit_rate_limit;
61963 status_set.backlog_limit = audit_backlog_limit;
61964- status_set.lost = atomic_read(&audit_lost);
61965+ status_set.lost = atomic_read_unchecked(&audit_lost);
61966 status_set.backlog = skb_queue_len(&audit_skb_queue);
61967 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
61968 &status_set, sizeof(status_set));
61969diff -urNp linux-3.0.7/kernel/auditsc.c linux-3.0.7/kernel/auditsc.c
61970--- linux-3.0.7/kernel/auditsc.c 2011-07-21 22:17:23.000000000 -0400
61971+++ linux-3.0.7/kernel/auditsc.c 2011-08-23 21:47:56.000000000 -0400
61972@@ -2118,7 +2118,7 @@ int auditsc_get_stamp(struct audit_conte
61973 }
61974
61975 /* global counter which is incremented every time something logs in */
61976-static atomic_t session_id = ATOMIC_INIT(0);
61977+static atomic_unchecked_t session_id = ATOMIC_INIT(0);
61978
61979 /**
61980 * audit_set_loginuid - set a task's audit_context loginuid
61981@@ -2131,7 +2131,7 @@ static atomic_t session_id = ATOMIC_INIT
61982 */
61983 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
61984 {
61985- unsigned int sessionid = atomic_inc_return(&session_id);
61986+ unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
61987 struct audit_context *context = task->audit_context;
61988
61989 if (context && context->in_syscall) {
61990diff -urNp linux-3.0.7/kernel/capability.c linux-3.0.7/kernel/capability.c
61991--- linux-3.0.7/kernel/capability.c 2011-07-21 22:17:23.000000000 -0400
61992+++ linux-3.0.7/kernel/capability.c 2011-08-23 21:48:14.000000000 -0400
61993@@ -202,6 +202,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
61994 * before modification is attempted and the application
61995 * fails.
61996 */
61997+ if (tocopy > ARRAY_SIZE(kdata))
61998+ return -EFAULT;
61999+
62000 if (copy_to_user(dataptr, kdata, tocopy
62001 * sizeof(struct __user_cap_data_struct))) {
62002 return -EFAULT;
62003@@ -374,7 +377,7 @@ bool ns_capable(struct user_namespace *n
62004 BUG();
62005 }
62006
62007- if (security_capable(ns, current_cred(), cap) == 0) {
62008+ if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable(cap)) {
62009 current->flags |= PF_SUPERPRIV;
62010 return true;
62011 }
62012@@ -382,6 +385,27 @@ bool ns_capable(struct user_namespace *n
62013 }
62014 EXPORT_SYMBOL(ns_capable);
62015
62016+bool ns_capable_nolog(struct user_namespace *ns, int cap)
62017+{
62018+ if (unlikely(!cap_valid(cap))) {
62019+ printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
62020+ BUG();
62021+ }
62022+
62023+ if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
62024+ current->flags |= PF_SUPERPRIV;
62025+ return true;
62026+ }
62027+ return false;
62028+}
62029+EXPORT_SYMBOL(ns_capable_nolog);
62030+
62031+bool capable_nolog(int cap)
62032+{
62033+ return ns_capable_nolog(&init_user_ns, cap);
62034+}
62035+EXPORT_SYMBOL(capable_nolog);
62036+
62037 /**
62038 * task_ns_capable - Determine whether current task has a superior
62039 * capability targeted at a specific task's user namespace.
62040@@ -396,6 +420,12 @@ bool task_ns_capable(struct task_struct
62041 }
62042 EXPORT_SYMBOL(task_ns_capable);
62043
62044+bool task_ns_capable_nolog(struct task_struct *t, int cap)
62045+{
62046+ return ns_capable_nolog(task_cred_xxx(t, user)->user_ns, cap);
62047+}
62048+EXPORT_SYMBOL(task_ns_capable_nolog);
62049+
62050 /**
62051 * nsown_capable - Check superior capability to one's own user_ns
62052 * @cap: The capability in question
62053diff -urNp linux-3.0.7/kernel/cgroup.c linux-3.0.7/kernel/cgroup.c
62054--- linux-3.0.7/kernel/cgroup.c 2011-07-21 22:17:23.000000000 -0400
62055+++ linux-3.0.7/kernel/cgroup.c 2011-08-23 21:48:14.000000000 -0400
62056@@ -593,6 +593,8 @@ static struct css_set *find_css_set(
62057 struct hlist_head *hhead;
62058 struct cg_cgroup_link *link;
62059
62060+ pax_track_stack();
62061+
62062 /* First see if we already have a cgroup group that matches
62063 * the desired set */
62064 read_lock(&css_set_lock);
62065diff -urNp linux-3.0.7/kernel/compat.c linux-3.0.7/kernel/compat.c
62066--- linux-3.0.7/kernel/compat.c 2011-07-21 22:17:23.000000000 -0400
62067+++ linux-3.0.7/kernel/compat.c 2011-10-06 04:17:55.000000000 -0400
62068@@ -13,6 +13,7 @@
62069
62070 #include <linux/linkage.h>
62071 #include <linux/compat.h>
62072+#include <linux/module.h>
62073 #include <linux/errno.h>
62074 #include <linux/time.h>
62075 #include <linux/signal.h>
62076@@ -166,7 +167,7 @@ static long compat_nanosleep_restart(str
62077 mm_segment_t oldfs;
62078 long ret;
62079
62080- restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
62081+ restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
62082 oldfs = get_fs();
62083 set_fs(KERNEL_DS);
62084 ret = hrtimer_nanosleep_restart(restart);
62085@@ -198,7 +199,7 @@ asmlinkage long compat_sys_nanosleep(str
62086 oldfs = get_fs();
62087 set_fs(KERNEL_DS);
62088 ret = hrtimer_nanosleep(&tu,
62089- rmtp ? (struct timespec __user *)&rmt : NULL,
62090+ rmtp ? (struct timespec __force_user *)&rmt : NULL,
62091 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
62092 set_fs(oldfs);
62093
62094@@ -307,7 +308,7 @@ asmlinkage long compat_sys_sigpending(co
62095 mm_segment_t old_fs = get_fs();
62096
62097 set_fs(KERNEL_DS);
62098- ret = sys_sigpending((old_sigset_t __user *) &s);
62099+ ret = sys_sigpending((old_sigset_t __force_user *) &s);
62100 set_fs(old_fs);
62101 if (ret == 0)
62102 ret = put_user(s, set);
62103@@ -330,8 +331,8 @@ asmlinkage long compat_sys_sigprocmask(i
62104 old_fs = get_fs();
62105 set_fs(KERNEL_DS);
62106 ret = sys_sigprocmask(how,
62107- set ? (old_sigset_t __user *) &s : NULL,
62108- oset ? (old_sigset_t __user *) &s : NULL);
62109+ set ? (old_sigset_t __force_user *) &s : NULL,
62110+ oset ? (old_sigset_t __force_user *) &s : NULL);
62111 set_fs(old_fs);
62112 if (ret == 0)
62113 if (oset)
62114@@ -368,7 +369,7 @@ asmlinkage long compat_sys_old_getrlimit
62115 mm_segment_t old_fs = get_fs();
62116
62117 set_fs(KERNEL_DS);
62118- ret = sys_old_getrlimit(resource, &r);
62119+ ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
62120 set_fs(old_fs);
62121
62122 if (!ret) {
62123@@ -440,7 +441,7 @@ asmlinkage long compat_sys_getrusage(int
62124 mm_segment_t old_fs = get_fs();
62125
62126 set_fs(KERNEL_DS);
62127- ret = sys_getrusage(who, (struct rusage __user *) &r);
62128+ ret = sys_getrusage(who, (struct rusage __force_user *) &r);
62129 set_fs(old_fs);
62130
62131 if (ret)
62132@@ -467,8 +468,8 @@ compat_sys_wait4(compat_pid_t pid, compa
62133 set_fs (KERNEL_DS);
62134 ret = sys_wait4(pid,
62135 (stat_addr ?
62136- (unsigned int __user *) &status : NULL),
62137- options, (struct rusage __user *) &r);
62138+ (unsigned int __force_user *) &status : NULL),
62139+ options, (struct rusage __force_user *) &r);
62140 set_fs (old_fs);
62141
62142 if (ret > 0) {
62143@@ -493,8 +494,8 @@ asmlinkage long compat_sys_waitid(int wh
62144 memset(&info, 0, sizeof(info));
62145
62146 set_fs(KERNEL_DS);
62147- ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
62148- uru ? (struct rusage __user *)&ru : NULL);
62149+ ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
62150+ uru ? (struct rusage __force_user *)&ru : NULL);
62151 set_fs(old_fs);
62152
62153 if ((ret < 0) || (info.si_signo == 0))
62154@@ -624,8 +625,8 @@ long compat_sys_timer_settime(timer_t ti
62155 oldfs = get_fs();
62156 set_fs(KERNEL_DS);
62157 err = sys_timer_settime(timer_id, flags,
62158- (struct itimerspec __user *) &newts,
62159- (struct itimerspec __user *) &oldts);
62160+ (struct itimerspec __force_user *) &newts,
62161+ (struct itimerspec __force_user *) &oldts);
62162 set_fs(oldfs);
62163 if (!err && old && put_compat_itimerspec(old, &oldts))
62164 return -EFAULT;
62165@@ -642,7 +643,7 @@ long compat_sys_timer_gettime(timer_t ti
62166 oldfs = get_fs();
62167 set_fs(KERNEL_DS);
62168 err = sys_timer_gettime(timer_id,
62169- (struct itimerspec __user *) &ts);
62170+ (struct itimerspec __force_user *) &ts);
62171 set_fs(oldfs);
62172 if (!err && put_compat_itimerspec(setting, &ts))
62173 return -EFAULT;
62174@@ -661,7 +662,7 @@ long compat_sys_clock_settime(clockid_t
62175 oldfs = get_fs();
62176 set_fs(KERNEL_DS);
62177 err = sys_clock_settime(which_clock,
62178- (struct timespec __user *) &ts);
62179+ (struct timespec __force_user *) &ts);
62180 set_fs(oldfs);
62181 return err;
62182 }
62183@@ -676,7 +677,7 @@ long compat_sys_clock_gettime(clockid_t
62184 oldfs = get_fs();
62185 set_fs(KERNEL_DS);
62186 err = sys_clock_gettime(which_clock,
62187- (struct timespec __user *) &ts);
62188+ (struct timespec __force_user *) &ts);
62189 set_fs(oldfs);
62190 if (!err && put_compat_timespec(&ts, tp))
62191 return -EFAULT;
62192@@ -696,7 +697,7 @@ long compat_sys_clock_adjtime(clockid_t
62193
62194 oldfs = get_fs();
62195 set_fs(KERNEL_DS);
62196- ret = sys_clock_adjtime(which_clock, (struct timex __user *) &txc);
62197+ ret = sys_clock_adjtime(which_clock, (struct timex __force_user *) &txc);
62198 set_fs(oldfs);
62199
62200 err = compat_put_timex(utp, &txc);
62201@@ -716,7 +717,7 @@ long compat_sys_clock_getres(clockid_t w
62202 oldfs = get_fs();
62203 set_fs(KERNEL_DS);
62204 err = sys_clock_getres(which_clock,
62205- (struct timespec __user *) &ts);
62206+ (struct timespec __force_user *) &ts);
62207 set_fs(oldfs);
62208 if (!err && tp && put_compat_timespec(&ts, tp))
62209 return -EFAULT;
62210@@ -728,9 +729,9 @@ static long compat_clock_nanosleep_resta
62211 long err;
62212 mm_segment_t oldfs;
62213 struct timespec tu;
62214- struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
62215+ struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
62216
62217- restart->nanosleep.rmtp = (struct timespec __user *) &tu;
62218+ restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
62219 oldfs = get_fs();
62220 set_fs(KERNEL_DS);
62221 err = clock_nanosleep_restart(restart);
62222@@ -762,8 +763,8 @@ long compat_sys_clock_nanosleep(clockid_
62223 oldfs = get_fs();
62224 set_fs(KERNEL_DS);
62225 err = sys_clock_nanosleep(which_clock, flags,
62226- (struct timespec __user *) &in,
62227- (struct timespec __user *) &out);
62228+ (struct timespec __force_user *) &in,
62229+ (struct timespec __force_user *) &out);
62230 set_fs(oldfs);
62231
62232 if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
62233diff -urNp linux-3.0.7/kernel/configs.c linux-3.0.7/kernel/configs.c
62234--- linux-3.0.7/kernel/configs.c 2011-07-21 22:17:23.000000000 -0400
62235+++ linux-3.0.7/kernel/configs.c 2011-08-23 21:48:14.000000000 -0400
62236@@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
62237 struct proc_dir_entry *entry;
62238
62239 /* create the current config file */
62240+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
62241+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
62242+ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
62243+ &ikconfig_file_ops);
62244+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
62245+ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
62246+ &ikconfig_file_ops);
62247+#endif
62248+#else
62249 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
62250 &ikconfig_file_ops);
62251+#endif
62252+
62253 if (!entry)
62254 return -ENOMEM;
62255
62256diff -urNp linux-3.0.7/kernel/cred.c linux-3.0.7/kernel/cred.c
62257--- linux-3.0.7/kernel/cred.c 2011-07-21 22:17:23.000000000 -0400
62258+++ linux-3.0.7/kernel/cred.c 2011-08-25 17:23:03.000000000 -0400
62259@@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
62260 */
62261 void __put_cred(struct cred *cred)
62262 {
62263+ pax_track_stack();
62264+
62265 kdebug("__put_cred(%p{%d,%d})", cred,
62266 atomic_read(&cred->usage),
62267 read_cred_subscribers(cred));
62268@@ -182,6 +184,8 @@ void exit_creds(struct task_struct *tsk)
62269 {
62270 struct cred *cred;
62271
62272+ pax_track_stack();
62273+
62274 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
62275 atomic_read(&tsk->cred->usage),
62276 read_cred_subscribers(tsk->cred));
62277@@ -220,6 +224,8 @@ const struct cred *get_task_cred(struct
62278 {
62279 const struct cred *cred;
62280
62281+ pax_track_stack();
62282+
62283 rcu_read_lock();
62284
62285 do {
62286@@ -239,6 +245,8 @@ struct cred *cred_alloc_blank(void)
62287 {
62288 struct cred *new;
62289
62290+ pax_track_stack();
62291+
62292 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
62293 if (!new)
62294 return NULL;
62295@@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
62296 const struct cred *old;
62297 struct cred *new;
62298
62299+ pax_track_stack();
62300+
62301 validate_process_creds();
62302
62303 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
62304@@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
62305 struct thread_group_cred *tgcred = NULL;
62306 struct cred *new;
62307
62308+ pax_track_stack();
62309+
62310 #ifdef CONFIG_KEYS
62311 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
62312 if (!tgcred)
62313@@ -385,6 +397,8 @@ int copy_creds(struct task_struct *p, un
62314 struct cred *new;
62315 int ret;
62316
62317+ pax_track_stack();
62318+
62319 if (
62320 #ifdef CONFIG_KEYS
62321 !p->cred->thread_keyring &&
62322@@ -475,6 +489,8 @@ int commit_creds(struct cred *new)
62323 struct task_struct *task = current;
62324 const struct cred *old = task->real_cred;
62325
62326+ pax_track_stack();
62327+
62328 kdebug("commit_creds(%p{%d,%d})", new,
62329 atomic_read(&new->usage),
62330 read_cred_subscribers(new));
62331@@ -489,6 +505,8 @@ int commit_creds(struct cred *new)
62332
62333 get_cred(new); /* we will require a ref for the subj creds too */
62334
62335+ gr_set_role_label(task, new->uid, new->gid);
62336+
62337 /* dumpability changes */
62338 if (old->euid != new->euid ||
62339 old->egid != new->egid ||
62340@@ -508,10 +526,8 @@ int commit_creds(struct cred *new)
62341 key_fsgid_changed(task);
62342
62343 /* do it
62344- * - What if a process setreuid()'s and this brings the
62345- * new uid over his NPROC rlimit? We can check this now
62346- * cheaply with the new uid cache, so if it matters
62347- * we should be checking for it. -DaveM
62348+ * RLIMIT_NPROC limits on user->processes have already been checked
62349+ * in set_user().
62350 */
62351 alter_cred_subscribers(new, 2);
62352 if (new->user != old->user)
62353@@ -551,6 +567,8 @@ EXPORT_SYMBOL(commit_creds);
62354 */
62355 void abort_creds(struct cred *new)
62356 {
62357+ pax_track_stack();
62358+
62359 kdebug("abort_creds(%p{%d,%d})", new,
62360 atomic_read(&new->usage),
62361 read_cred_subscribers(new));
62362@@ -574,6 +592,8 @@ const struct cred *override_creds(const
62363 {
62364 const struct cred *old = current->cred;
62365
62366+ pax_track_stack();
62367+
62368 kdebug("override_creds(%p{%d,%d})", new,
62369 atomic_read(&new->usage),
62370 read_cred_subscribers(new));
62371@@ -603,6 +623,8 @@ void revert_creds(const struct cred *old
62372 {
62373 const struct cred *override = current->cred;
62374
62375+ pax_track_stack();
62376+
62377 kdebug("revert_creds(%p{%d,%d})", old,
62378 atomic_read(&old->usage),
62379 read_cred_subscribers(old));
62380@@ -649,6 +671,8 @@ struct cred *prepare_kernel_cred(struct
62381 const struct cred *old;
62382 struct cred *new;
62383
62384+ pax_track_stack();
62385+
62386 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
62387 if (!new)
62388 return NULL;
62389@@ -703,6 +727,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
62390 */
62391 int set_security_override(struct cred *new, u32 secid)
62392 {
62393+ pax_track_stack();
62394+
62395 return security_kernel_act_as(new, secid);
62396 }
62397 EXPORT_SYMBOL(set_security_override);
62398@@ -722,6 +748,8 @@ int set_security_override_from_ctx(struc
62399 u32 secid;
62400 int ret;
62401
62402+ pax_track_stack();
62403+
62404 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
62405 if (ret < 0)
62406 return ret;
62407diff -urNp linux-3.0.7/kernel/debug/debug_core.c linux-3.0.7/kernel/debug/debug_core.c
62408--- linux-3.0.7/kernel/debug/debug_core.c 2011-07-21 22:17:23.000000000 -0400
62409+++ linux-3.0.7/kernel/debug/debug_core.c 2011-08-23 21:47:56.000000000 -0400
62410@@ -119,7 +119,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_loc
62411 */
62412 static atomic_t masters_in_kgdb;
62413 static atomic_t slaves_in_kgdb;
62414-static atomic_t kgdb_break_tasklet_var;
62415+static atomic_unchecked_t kgdb_break_tasklet_var;
62416 atomic_t kgdb_setting_breakpoint;
62417
62418 struct task_struct *kgdb_usethread;
62419@@ -129,7 +129,7 @@ int kgdb_single_step;
62420 static pid_t kgdb_sstep_pid;
62421
62422 /* to keep track of the CPU which is doing the single stepping*/
62423-atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
62424+atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
62425
62426 /*
62427 * If you are debugging a problem where roundup (the collection of
62428@@ -542,7 +542,7 @@ return_normal:
62429 * kernel will only try for the value of sstep_tries before
62430 * giving up and continuing on.
62431 */
62432- if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
62433+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
62434 (kgdb_info[cpu].task &&
62435 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
62436 atomic_set(&kgdb_active, -1);
62437@@ -636,8 +636,8 @@ cpu_master_loop:
62438 }
62439
62440 kgdb_restore:
62441- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
62442- int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
62443+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
62444+ int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
62445 if (kgdb_info[sstep_cpu].task)
62446 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
62447 else
62448@@ -834,18 +834,18 @@ static void kgdb_unregister_callbacks(vo
62449 static void kgdb_tasklet_bpt(unsigned long ing)
62450 {
62451 kgdb_breakpoint();
62452- atomic_set(&kgdb_break_tasklet_var, 0);
62453+ atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
62454 }
62455
62456 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
62457
62458 void kgdb_schedule_breakpoint(void)
62459 {
62460- if (atomic_read(&kgdb_break_tasklet_var) ||
62461+ if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
62462 atomic_read(&kgdb_active) != -1 ||
62463 atomic_read(&kgdb_setting_breakpoint))
62464 return;
62465- atomic_inc(&kgdb_break_tasklet_var);
62466+ atomic_inc_unchecked(&kgdb_break_tasklet_var);
62467 tasklet_schedule(&kgdb_tasklet_breakpoint);
62468 }
62469 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
62470diff -urNp linux-3.0.7/kernel/debug/kdb/kdb_main.c linux-3.0.7/kernel/debug/kdb/kdb_main.c
62471--- linux-3.0.7/kernel/debug/kdb/kdb_main.c 2011-07-21 22:17:23.000000000 -0400
62472+++ linux-3.0.7/kernel/debug/kdb/kdb_main.c 2011-08-23 21:47:56.000000000 -0400
62473@@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
62474 list_for_each_entry(mod, kdb_modules, list) {
62475
62476 kdb_printf("%-20s%8u 0x%p ", mod->name,
62477- mod->core_size, (void *)mod);
62478+ mod->core_size_rx + mod->core_size_rw, (void *)mod);
62479 #ifdef CONFIG_MODULE_UNLOAD
62480 kdb_printf("%4d ", module_refcount(mod));
62481 #endif
62482@@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
62483 kdb_printf(" (Loading)");
62484 else
62485 kdb_printf(" (Live)");
62486- kdb_printf(" 0x%p", mod->module_core);
62487+ kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
62488
62489 #ifdef CONFIG_MODULE_UNLOAD
62490 {
62491diff -urNp linux-3.0.7/kernel/events/core.c linux-3.0.7/kernel/events/core.c
62492--- linux-3.0.7/kernel/events/core.c 2011-09-02 18:11:21.000000000 -0400
62493+++ linux-3.0.7/kernel/events/core.c 2011-09-14 09:08:05.000000000 -0400
62494@@ -170,7 +170,7 @@ int perf_proc_update_handler(struct ctl_
62495 return 0;
62496 }
62497
62498-static atomic64_t perf_event_id;
62499+static atomic64_unchecked_t perf_event_id;
62500
62501 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
62502 enum event_type_t event_type);
62503@@ -2488,7 +2488,7 @@ static void __perf_event_read(void *info
62504
62505 static inline u64 perf_event_count(struct perf_event *event)
62506 {
62507- return local64_read(&event->count) + atomic64_read(&event->child_count);
62508+ return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
62509 }
62510
62511 static u64 perf_event_read(struct perf_event *event)
62512@@ -3023,9 +3023,9 @@ u64 perf_event_read_value(struct perf_ev
62513 mutex_lock(&event->child_mutex);
62514 total += perf_event_read(event);
62515 *enabled += event->total_time_enabled +
62516- atomic64_read(&event->child_total_time_enabled);
62517+ atomic64_read_unchecked(&event->child_total_time_enabled);
62518 *running += event->total_time_running +
62519- atomic64_read(&event->child_total_time_running);
62520+ atomic64_read_unchecked(&event->child_total_time_running);
62521
62522 list_for_each_entry(child, &event->child_list, child_list) {
62523 total += perf_event_read(child);
62524@@ -3388,10 +3388,10 @@ void perf_event_update_userpage(struct p
62525 userpg->offset -= local64_read(&event->hw.prev_count);
62526
62527 userpg->time_enabled = event->total_time_enabled +
62528- atomic64_read(&event->child_total_time_enabled);
62529+ atomic64_read_unchecked(&event->child_total_time_enabled);
62530
62531 userpg->time_running = event->total_time_running +
62532- atomic64_read(&event->child_total_time_running);
62533+ atomic64_read_unchecked(&event->child_total_time_running);
62534
62535 barrier();
62536 ++userpg->lock;
62537@@ -4188,11 +4188,11 @@ static void perf_output_read_one(struct
62538 values[n++] = perf_event_count(event);
62539 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
62540 values[n++] = enabled +
62541- atomic64_read(&event->child_total_time_enabled);
62542+ atomic64_read_unchecked(&event->child_total_time_enabled);
62543 }
62544 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
62545 values[n++] = running +
62546- atomic64_read(&event->child_total_time_running);
62547+ atomic64_read_unchecked(&event->child_total_time_running);
62548 }
62549 if (read_format & PERF_FORMAT_ID)
62550 values[n++] = primary_event_id(event);
62551@@ -4833,12 +4833,12 @@ static void perf_event_mmap_event(struct
62552 * need to add enough zero bytes after the string to handle
62553 * the 64bit alignment we do later.
62554 */
62555- buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
62556+ buf = kzalloc(PATH_MAX, GFP_KERNEL);
62557 if (!buf) {
62558 name = strncpy(tmp, "//enomem", sizeof(tmp));
62559 goto got_name;
62560 }
62561- name = d_path(&file->f_path, buf, PATH_MAX);
62562+ name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
62563 if (IS_ERR(name)) {
62564 name = strncpy(tmp, "//toolong", sizeof(tmp));
62565 goto got_name;
62566@@ -6190,7 +6190,7 @@ perf_event_alloc(struct perf_event_attr
62567 event->parent = parent_event;
62568
62569 event->ns = get_pid_ns(current->nsproxy->pid_ns);
62570- event->id = atomic64_inc_return(&perf_event_id);
62571+ event->id = atomic64_inc_return_unchecked(&perf_event_id);
62572
62573 event->state = PERF_EVENT_STATE_INACTIVE;
62574
62575@@ -6713,10 +6713,10 @@ static void sync_child_event(struct perf
62576 /*
62577 * Add back the child's count to the parent's count:
62578 */
62579- atomic64_add(child_val, &parent_event->child_count);
62580- atomic64_add(child_event->total_time_enabled,
62581+ atomic64_add_unchecked(child_val, &parent_event->child_count);
62582+ atomic64_add_unchecked(child_event->total_time_enabled,
62583 &parent_event->child_total_time_enabled);
62584- atomic64_add(child_event->total_time_running,
62585+ atomic64_add_unchecked(child_event->total_time_running,
62586 &parent_event->child_total_time_running);
62587
62588 /*
62589diff -urNp linux-3.0.7/kernel/exit.c linux-3.0.7/kernel/exit.c
62590--- linux-3.0.7/kernel/exit.c 2011-07-21 22:17:23.000000000 -0400
62591+++ linux-3.0.7/kernel/exit.c 2011-08-23 21:48:14.000000000 -0400
62592@@ -57,6 +57,10 @@
62593 #include <asm/pgtable.h>
62594 #include <asm/mmu_context.h>
62595
62596+#ifdef CONFIG_GRKERNSEC
62597+extern rwlock_t grsec_exec_file_lock;
62598+#endif
62599+
62600 static void exit_mm(struct task_struct * tsk);
62601
62602 static void __unhash_process(struct task_struct *p, bool group_dead)
62603@@ -169,6 +173,10 @@ void release_task(struct task_struct * p
62604 struct task_struct *leader;
62605 int zap_leader;
62606 repeat:
62607+#ifdef CONFIG_NET
62608+ gr_del_task_from_ip_table(p);
62609+#endif
62610+
62611 tracehook_prepare_release_task(p);
62612 /* don't need to get the RCU readlock here - the process is dead and
62613 * can't be modifying its own credentials. But shut RCU-lockdep up */
62614@@ -338,11 +346,22 @@ static void reparent_to_kthreadd(void)
62615 {
62616 write_lock_irq(&tasklist_lock);
62617
62618+#ifdef CONFIG_GRKERNSEC
62619+ write_lock(&grsec_exec_file_lock);
62620+ if (current->exec_file) {
62621+ fput(current->exec_file);
62622+ current->exec_file = NULL;
62623+ }
62624+ write_unlock(&grsec_exec_file_lock);
62625+#endif
62626+
62627 ptrace_unlink(current);
62628 /* Reparent to init */
62629 current->real_parent = current->parent = kthreadd_task;
62630 list_move_tail(&current->sibling, &current->real_parent->children);
62631
62632+ gr_set_kernel_label(current);
62633+
62634 /* Set the exit signal to SIGCHLD so we signal init on exit */
62635 current->exit_signal = SIGCHLD;
62636
62637@@ -394,7 +413,7 @@ int allow_signal(int sig)
62638 * know it'll be handled, so that they don't get converted to
62639 * SIGKILL or just silently dropped.
62640 */
62641- current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
62642+ current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
62643 recalc_sigpending();
62644 spin_unlock_irq(&current->sighand->siglock);
62645 return 0;
62646@@ -430,6 +449,17 @@ void daemonize(const char *name, ...)
62647 vsnprintf(current->comm, sizeof(current->comm), name, args);
62648 va_end(args);
62649
62650+#ifdef CONFIG_GRKERNSEC
62651+ write_lock(&grsec_exec_file_lock);
62652+ if (current->exec_file) {
62653+ fput(current->exec_file);
62654+ current->exec_file = NULL;
62655+ }
62656+ write_unlock(&grsec_exec_file_lock);
62657+#endif
62658+
62659+ gr_set_kernel_label(current);
62660+
62661 /*
62662 * If we were started as result of loading a module, close all of the
62663 * user space pages. We don't need them, and if we didn't close them
62664@@ -904,15 +934,8 @@ NORET_TYPE void do_exit(long code)
62665 struct task_struct *tsk = current;
62666 int group_dead;
62667
62668- profile_task_exit(tsk);
62669-
62670- WARN_ON(atomic_read(&tsk->fs_excl));
62671- WARN_ON(blk_needs_flush_plug(tsk));
62672-
62673 if (unlikely(in_interrupt()))
62674 panic("Aiee, killing interrupt handler!");
62675- if (unlikely(!tsk->pid))
62676- panic("Attempted to kill the idle task!");
62677
62678 /*
62679 * If do_exit is called because this processes oopsed, it's possible
62680@@ -923,6 +946,14 @@ NORET_TYPE void do_exit(long code)
62681 */
62682 set_fs(USER_DS);
62683
62684+ profile_task_exit(tsk);
62685+
62686+ WARN_ON(atomic_read(&tsk->fs_excl));
62687+ WARN_ON(blk_needs_flush_plug(tsk));
62688+
62689+ if (unlikely(!tsk->pid))
62690+ panic("Attempted to kill the idle task!");
62691+
62692 tracehook_report_exit(&code);
62693
62694 validate_creds_for_do_exit(tsk);
62695@@ -983,6 +1014,9 @@ NORET_TYPE void do_exit(long code)
62696 tsk->exit_code = code;
62697 taskstats_exit(tsk, group_dead);
62698
62699+ gr_acl_handle_psacct(tsk, code);
62700+ gr_acl_handle_exit();
62701+
62702 exit_mm(tsk);
62703
62704 if (group_dead)
62705diff -urNp linux-3.0.7/kernel/fork.c linux-3.0.7/kernel/fork.c
62706--- linux-3.0.7/kernel/fork.c 2011-07-21 22:17:23.000000000 -0400
62707+++ linux-3.0.7/kernel/fork.c 2011-08-25 17:23:36.000000000 -0400
62708@@ -286,7 +286,7 @@ static struct task_struct *dup_task_stru
62709 *stackend = STACK_END_MAGIC; /* for overflow detection */
62710
62711 #ifdef CONFIG_CC_STACKPROTECTOR
62712- tsk->stack_canary = get_random_int();
62713+ tsk->stack_canary = pax_get_random_long();
62714 #endif
62715
62716 /* One for us, one for whoever does the "release_task()" (usually parent) */
62717@@ -308,13 +308,77 @@ out:
62718 }
62719
62720 #ifdef CONFIG_MMU
62721+static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
62722+{
62723+ struct vm_area_struct *tmp;
62724+ unsigned long charge;
62725+ struct mempolicy *pol;
62726+ struct file *file;
62727+
62728+ charge = 0;
62729+ if (mpnt->vm_flags & VM_ACCOUNT) {
62730+ unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
62731+ if (security_vm_enough_memory(len))
62732+ goto fail_nomem;
62733+ charge = len;
62734+ }
62735+ tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
62736+ if (!tmp)
62737+ goto fail_nomem;
62738+ *tmp = *mpnt;
62739+ tmp->vm_mm = mm;
62740+ INIT_LIST_HEAD(&tmp->anon_vma_chain);
62741+ pol = mpol_dup(vma_policy(mpnt));
62742+ if (IS_ERR(pol))
62743+ goto fail_nomem_policy;
62744+ vma_set_policy(tmp, pol);
62745+ if (anon_vma_fork(tmp, mpnt))
62746+ goto fail_nomem_anon_vma_fork;
62747+ tmp->vm_flags &= ~VM_LOCKED;
62748+ tmp->vm_next = tmp->vm_prev = NULL;
62749+ tmp->vm_mirror = NULL;
62750+ file = tmp->vm_file;
62751+ if (file) {
62752+ struct inode *inode = file->f_path.dentry->d_inode;
62753+ struct address_space *mapping = file->f_mapping;
62754+
62755+ get_file(file);
62756+ if (tmp->vm_flags & VM_DENYWRITE)
62757+ atomic_dec(&inode->i_writecount);
62758+ mutex_lock(&mapping->i_mmap_mutex);
62759+ if (tmp->vm_flags & VM_SHARED)
62760+ mapping->i_mmap_writable++;
62761+ flush_dcache_mmap_lock(mapping);
62762+ /* insert tmp into the share list, just after mpnt */
62763+ vma_prio_tree_add(tmp, mpnt);
62764+ flush_dcache_mmap_unlock(mapping);
62765+ mutex_unlock(&mapping->i_mmap_mutex);
62766+ }
62767+
62768+ /*
62769+ * Clear hugetlb-related page reserves for children. This only
62770+ * affects MAP_PRIVATE mappings. Faults generated by the child
62771+ * are not guaranteed to succeed, even if read-only
62772+ */
62773+ if (is_vm_hugetlb_page(tmp))
62774+ reset_vma_resv_huge_pages(tmp);
62775+
62776+ return tmp;
62777+
62778+fail_nomem_anon_vma_fork:
62779+ mpol_put(pol);
62780+fail_nomem_policy:
62781+ kmem_cache_free(vm_area_cachep, tmp);
62782+fail_nomem:
62783+ vm_unacct_memory(charge);
62784+ return NULL;
62785+}
62786+
62787 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
62788 {
62789 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
62790 struct rb_node **rb_link, *rb_parent;
62791 int retval;
62792- unsigned long charge;
62793- struct mempolicy *pol;
62794
62795 down_write(&oldmm->mmap_sem);
62796 flush_cache_dup_mm(oldmm);
62797@@ -326,8 +390,8 @@ static int dup_mmap(struct mm_struct *mm
62798 mm->locked_vm = 0;
62799 mm->mmap = NULL;
62800 mm->mmap_cache = NULL;
62801- mm->free_area_cache = oldmm->mmap_base;
62802- mm->cached_hole_size = ~0UL;
62803+ mm->free_area_cache = oldmm->free_area_cache;
62804+ mm->cached_hole_size = oldmm->cached_hole_size;
62805 mm->map_count = 0;
62806 cpumask_clear(mm_cpumask(mm));
62807 mm->mm_rb = RB_ROOT;
62808@@ -343,8 +407,6 @@ static int dup_mmap(struct mm_struct *mm
62809
62810 prev = NULL;
62811 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
62812- struct file *file;
62813-
62814 if (mpnt->vm_flags & VM_DONTCOPY) {
62815 long pages = vma_pages(mpnt);
62816 mm->total_vm -= pages;
62817@@ -352,55 +414,13 @@ static int dup_mmap(struct mm_struct *mm
62818 -pages);
62819 continue;
62820 }
62821- charge = 0;
62822- if (mpnt->vm_flags & VM_ACCOUNT) {
62823- unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
62824- if (security_vm_enough_memory(len))
62825- goto fail_nomem;
62826- charge = len;
62827- }
62828- tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
62829- if (!tmp)
62830- goto fail_nomem;
62831- *tmp = *mpnt;
62832- INIT_LIST_HEAD(&tmp->anon_vma_chain);
62833- pol = mpol_dup(vma_policy(mpnt));
62834- retval = PTR_ERR(pol);
62835- if (IS_ERR(pol))
62836- goto fail_nomem_policy;
62837- vma_set_policy(tmp, pol);
62838- tmp->vm_mm = mm;
62839- if (anon_vma_fork(tmp, mpnt))
62840- goto fail_nomem_anon_vma_fork;
62841- tmp->vm_flags &= ~VM_LOCKED;
62842- tmp->vm_next = tmp->vm_prev = NULL;
62843- file = tmp->vm_file;
62844- if (file) {
62845- struct inode *inode = file->f_path.dentry->d_inode;
62846- struct address_space *mapping = file->f_mapping;
62847-
62848- get_file(file);
62849- if (tmp->vm_flags & VM_DENYWRITE)
62850- atomic_dec(&inode->i_writecount);
62851- mutex_lock(&mapping->i_mmap_mutex);
62852- if (tmp->vm_flags & VM_SHARED)
62853- mapping->i_mmap_writable++;
62854- flush_dcache_mmap_lock(mapping);
62855- /* insert tmp into the share list, just after mpnt */
62856- vma_prio_tree_add(tmp, mpnt);
62857- flush_dcache_mmap_unlock(mapping);
62858- mutex_unlock(&mapping->i_mmap_mutex);
62859+ tmp = dup_vma(mm, mpnt);
62860+ if (!tmp) {
62861+ retval = -ENOMEM;
62862+ goto out;
62863 }
62864
62865 /*
62866- * Clear hugetlb-related page reserves for children. This only
62867- * affects MAP_PRIVATE mappings. Faults generated by the child
62868- * are not guaranteed to succeed, even if read-only
62869- */
62870- if (is_vm_hugetlb_page(tmp))
62871- reset_vma_resv_huge_pages(tmp);
62872-
62873- /*
62874 * Link in the new vma and copy the page table entries.
62875 */
62876 *pprev = tmp;
62877@@ -421,6 +441,31 @@ static int dup_mmap(struct mm_struct *mm
62878 if (retval)
62879 goto out;
62880 }
62881+
62882+#ifdef CONFIG_PAX_SEGMEXEC
62883+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
62884+ struct vm_area_struct *mpnt_m;
62885+
62886+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
62887+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
62888+
62889+ if (!mpnt->vm_mirror)
62890+ continue;
62891+
62892+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
62893+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
62894+ mpnt->vm_mirror = mpnt_m;
62895+ } else {
62896+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
62897+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
62898+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
62899+ mpnt->vm_mirror->vm_mirror = mpnt;
62900+ }
62901+ }
62902+ BUG_ON(mpnt_m);
62903+ }
62904+#endif
62905+
62906 /* a new mm has just been created */
62907 arch_dup_mmap(oldmm, mm);
62908 retval = 0;
62909@@ -429,14 +474,6 @@ out:
62910 flush_tlb_mm(oldmm);
62911 up_write(&oldmm->mmap_sem);
62912 return retval;
62913-fail_nomem_anon_vma_fork:
62914- mpol_put(pol);
62915-fail_nomem_policy:
62916- kmem_cache_free(vm_area_cachep, tmp);
62917-fail_nomem:
62918- retval = -ENOMEM;
62919- vm_unacct_memory(charge);
62920- goto out;
62921 }
62922
62923 static inline int mm_alloc_pgd(struct mm_struct * mm)
62924@@ -836,13 +873,14 @@ static int copy_fs(unsigned long clone_f
62925 spin_unlock(&fs->lock);
62926 return -EAGAIN;
62927 }
62928- fs->users++;
62929+ atomic_inc(&fs->users);
62930 spin_unlock(&fs->lock);
62931 return 0;
62932 }
62933 tsk->fs = copy_fs_struct(fs);
62934 if (!tsk->fs)
62935 return -ENOMEM;
62936+ gr_set_chroot_entries(tsk, &tsk->fs->root);
62937 return 0;
62938 }
62939
62940@@ -1104,12 +1142,16 @@ static struct task_struct *copy_process(
62941 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
62942 #endif
62943 retval = -EAGAIN;
62944+
62945+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
62946+
62947 if (atomic_read(&p->real_cred->user->processes) >=
62948 task_rlimit(p, RLIMIT_NPROC)) {
62949- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
62950- p->real_cred->user != INIT_USER)
62951+ if (p->real_cred->user != INIT_USER &&
62952+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
62953 goto bad_fork_free;
62954 }
62955+ current->flags &= ~PF_NPROC_EXCEEDED;
62956
62957 retval = copy_creds(p, clone_flags);
62958 if (retval < 0)
62959@@ -1250,6 +1292,8 @@ static struct task_struct *copy_process(
62960 if (clone_flags & CLONE_THREAD)
62961 p->tgid = current->tgid;
62962
62963+ gr_copy_label(p);
62964+
62965 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
62966 /*
62967 * Clear TID on mm_release()?
62968@@ -1414,6 +1458,8 @@ bad_fork_cleanup_count:
62969 bad_fork_free:
62970 free_task(p);
62971 fork_out:
62972+ gr_log_forkfail(retval);
62973+
62974 return ERR_PTR(retval);
62975 }
62976
62977@@ -1502,6 +1548,8 @@ long do_fork(unsigned long clone_flags,
62978 if (clone_flags & CLONE_PARENT_SETTID)
62979 put_user(nr, parent_tidptr);
62980
62981+ gr_handle_brute_check();
62982+
62983 if (clone_flags & CLONE_VFORK) {
62984 p->vfork_done = &vfork;
62985 init_completion(&vfork);
62986@@ -1610,7 +1658,7 @@ static int unshare_fs(unsigned long unsh
62987 return 0;
62988
62989 /* don't need lock here; in the worst case we'll do useless copy */
62990- if (fs->users == 1)
62991+ if (atomic_read(&fs->users) == 1)
62992 return 0;
62993
62994 *new_fsp = copy_fs_struct(fs);
62995@@ -1697,7 +1745,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
62996 fs = current->fs;
62997 spin_lock(&fs->lock);
62998 current->fs = new_fs;
62999- if (--fs->users)
63000+ gr_set_chroot_entries(current, &current->fs->root);
63001+ if (atomic_dec_return(&fs->users))
63002 new_fs = NULL;
63003 else
63004 new_fs = fs;
63005diff -urNp linux-3.0.7/kernel/futex.c linux-3.0.7/kernel/futex.c
63006--- linux-3.0.7/kernel/futex.c 2011-09-02 18:11:21.000000000 -0400
63007+++ linux-3.0.7/kernel/futex.c 2011-08-23 21:48:14.000000000 -0400
63008@@ -54,6 +54,7 @@
63009 #include <linux/mount.h>
63010 #include <linux/pagemap.h>
63011 #include <linux/syscalls.h>
63012+#include <linux/ptrace.h>
63013 #include <linux/signal.h>
63014 #include <linux/module.h>
63015 #include <linux/magic.h>
63016@@ -238,6 +239,11 @@ get_futex_key(u32 __user *uaddr, int fsh
63017 struct page *page, *page_head;
63018 int err, ro = 0;
63019
63020+#ifdef CONFIG_PAX_SEGMEXEC
63021+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
63022+ return -EFAULT;
63023+#endif
63024+
63025 /*
63026 * The futex address must be "naturally" aligned.
63027 */
63028@@ -1863,6 +1869,8 @@ static int futex_wait(u32 __user *uaddr,
63029 struct futex_q q = futex_q_init;
63030 int ret;
63031
63032+ pax_track_stack();
63033+
63034 if (!bitset)
63035 return -EINVAL;
63036 q.bitset = bitset;
63037@@ -2259,6 +2267,8 @@ static int futex_wait_requeue_pi(u32 __u
63038 struct futex_q q = futex_q_init;
63039 int res, ret;
63040
63041+ pax_track_stack();
63042+
63043 if (!bitset)
63044 return -EINVAL;
63045
63046@@ -2431,7 +2441,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
63047 {
63048 struct robust_list_head __user *head;
63049 unsigned long ret;
63050+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
63051 const struct cred *cred = current_cred(), *pcred;
63052+#endif
63053
63054 if (!futex_cmpxchg_enabled)
63055 return -ENOSYS;
63056@@ -2447,6 +2459,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
63057 if (!p)
63058 goto err_unlock;
63059 ret = -EPERM;
63060+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
63061+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
63062+ goto err_unlock;
63063+#else
63064 pcred = __task_cred(p);
63065 /* If victim is in different user_ns, then uids are not
63066 comparable, so we must have CAP_SYS_PTRACE */
63067@@ -2461,6 +2477,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
63068 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
63069 goto err_unlock;
63070 ok:
63071+#endif
63072 head = p->robust_list;
63073 rcu_read_unlock();
63074 }
63075@@ -2712,6 +2729,7 @@ static int __init futex_init(void)
63076 {
63077 u32 curval;
63078 int i;
63079+ mm_segment_t oldfs;
63080
63081 /*
63082 * This will fail and we want it. Some arch implementations do
63083@@ -2723,8 +2741,11 @@ static int __init futex_init(void)
63084 * implementation, the non-functional ones will return
63085 * -ENOSYS.
63086 */
63087+ oldfs = get_fs();
63088+ set_fs(USER_DS);
63089 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
63090 futex_cmpxchg_enabled = 1;
63091+ set_fs(oldfs);
63092
63093 for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
63094 plist_head_init(&futex_queues[i].chain, &futex_queues[i].lock);
63095diff -urNp linux-3.0.7/kernel/futex_compat.c linux-3.0.7/kernel/futex_compat.c
63096--- linux-3.0.7/kernel/futex_compat.c 2011-07-21 22:17:23.000000000 -0400
63097+++ linux-3.0.7/kernel/futex_compat.c 2011-08-23 21:48:14.000000000 -0400
63098@@ -10,6 +10,7 @@
63099 #include <linux/compat.h>
63100 #include <linux/nsproxy.h>
63101 #include <linux/futex.h>
63102+#include <linux/ptrace.h>
63103
63104 #include <asm/uaccess.h>
63105
63106@@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
63107 {
63108 struct compat_robust_list_head __user *head;
63109 unsigned long ret;
63110- const struct cred *cred = current_cred(), *pcred;
63111+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
63112+ const struct cred *cred = current_cred();
63113+ const struct cred *pcred;
63114+#endif
63115
63116 if (!futex_cmpxchg_enabled)
63117 return -ENOSYS;
63118@@ -152,6 +156,10 @@ compat_sys_get_robust_list(int pid, comp
63119 if (!p)
63120 goto err_unlock;
63121 ret = -EPERM;
63122+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
63123+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
63124+ goto err_unlock;
63125+#else
63126 pcred = __task_cred(p);
63127 /* If victim is in different user_ns, then uids are not
63128 comparable, so we must have CAP_SYS_PTRACE */
63129@@ -166,6 +174,7 @@ compat_sys_get_robust_list(int pid, comp
63130 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
63131 goto err_unlock;
63132 ok:
63133+#endif
63134 head = p->compat_robust_list;
63135 rcu_read_unlock();
63136 }
63137diff -urNp linux-3.0.7/kernel/gcov/base.c linux-3.0.7/kernel/gcov/base.c
63138--- linux-3.0.7/kernel/gcov/base.c 2011-07-21 22:17:23.000000000 -0400
63139+++ linux-3.0.7/kernel/gcov/base.c 2011-08-23 21:47:56.000000000 -0400
63140@@ -102,11 +102,6 @@ void gcov_enable_events(void)
63141 }
63142
63143 #ifdef CONFIG_MODULES
63144-static inline int within(void *addr, void *start, unsigned long size)
63145-{
63146- return ((addr >= start) && (addr < start + size));
63147-}
63148-
63149 /* Update list and generate events when modules are unloaded. */
63150 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
63151 void *data)
63152@@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
63153 prev = NULL;
63154 /* Remove entries located in module from linked list. */
63155 for (info = gcov_info_head; info; info = info->next) {
63156- if (within(info, mod->module_core, mod->core_size)) {
63157+ if (within_module_core_rw((unsigned long)info, mod)) {
63158 if (prev)
63159 prev->next = info->next;
63160 else
63161diff -urNp linux-3.0.7/kernel/hrtimer.c linux-3.0.7/kernel/hrtimer.c
63162--- linux-3.0.7/kernel/hrtimer.c 2011-07-21 22:17:23.000000000 -0400
63163+++ linux-3.0.7/kernel/hrtimer.c 2011-08-23 21:47:56.000000000 -0400
63164@@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
63165 local_irq_restore(flags);
63166 }
63167
63168-static void run_hrtimer_softirq(struct softirq_action *h)
63169+static void run_hrtimer_softirq(void)
63170 {
63171 hrtimer_peek_ahead_timers();
63172 }
63173diff -urNp linux-3.0.7/kernel/jump_label.c linux-3.0.7/kernel/jump_label.c
63174--- linux-3.0.7/kernel/jump_label.c 2011-07-21 22:17:23.000000000 -0400
63175+++ linux-3.0.7/kernel/jump_label.c 2011-08-23 21:47:56.000000000 -0400
63176@@ -55,7 +55,9 @@ jump_label_sort_entries(struct jump_entr
63177
63178 size = (((unsigned long)stop - (unsigned long)start)
63179 / sizeof(struct jump_entry));
63180+ pax_open_kernel();
63181 sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
63182+ pax_close_kernel();
63183 }
63184
63185 static void jump_label_update(struct jump_label_key *key, int enable);
63186@@ -297,10 +299,12 @@ static void jump_label_invalidate_module
63187 struct jump_entry *iter_stop = iter_start + mod->num_jump_entries;
63188 struct jump_entry *iter;
63189
63190+ pax_open_kernel();
63191 for (iter = iter_start; iter < iter_stop; iter++) {
63192 if (within_module_init(iter->code, mod))
63193 iter->code = 0;
63194 }
63195+ pax_close_kernel();
63196 }
63197
63198 static int
63199diff -urNp linux-3.0.7/kernel/kallsyms.c linux-3.0.7/kernel/kallsyms.c
63200--- linux-3.0.7/kernel/kallsyms.c 2011-07-21 22:17:23.000000000 -0400
63201+++ linux-3.0.7/kernel/kallsyms.c 2011-08-23 21:48:14.000000000 -0400
63202@@ -11,6 +11,9 @@
63203 * Changed the compression method from stem compression to "table lookup"
63204 * compression (see scripts/kallsyms.c for a more complete description)
63205 */
63206+#ifdef CONFIG_GRKERNSEC_HIDESYM
63207+#define __INCLUDED_BY_HIDESYM 1
63208+#endif
63209 #include <linux/kallsyms.h>
63210 #include <linux/module.h>
63211 #include <linux/init.h>
63212@@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
63213
63214 static inline int is_kernel_inittext(unsigned long addr)
63215 {
63216+ if (system_state != SYSTEM_BOOTING)
63217+ return 0;
63218+
63219 if (addr >= (unsigned long)_sinittext
63220 && addr <= (unsigned long)_einittext)
63221 return 1;
63222 return 0;
63223 }
63224
63225+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63226+#ifdef CONFIG_MODULES
63227+static inline int is_module_text(unsigned long addr)
63228+{
63229+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
63230+ return 1;
63231+
63232+ addr = ktla_ktva(addr);
63233+ return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
63234+}
63235+#else
63236+static inline int is_module_text(unsigned long addr)
63237+{
63238+ return 0;
63239+}
63240+#endif
63241+#endif
63242+
63243 static inline int is_kernel_text(unsigned long addr)
63244 {
63245 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
63246@@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
63247
63248 static inline int is_kernel(unsigned long addr)
63249 {
63250+
63251+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63252+ if (is_kernel_text(addr) || is_kernel_inittext(addr))
63253+ return 1;
63254+
63255+ if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
63256+#else
63257 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
63258+#endif
63259+
63260 return 1;
63261 return in_gate_area_no_mm(addr);
63262 }
63263
63264 static int is_ksym_addr(unsigned long addr)
63265 {
63266+
63267+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63268+ if (is_module_text(addr))
63269+ return 0;
63270+#endif
63271+
63272 if (all_var)
63273 return is_kernel(addr);
63274
63275@@ -454,7 +493,6 @@ static unsigned long get_ksymbol_core(st
63276
63277 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
63278 {
63279- iter->name[0] = '\0';
63280 iter->nameoff = get_symbol_offset(new_pos);
63281 iter->pos = new_pos;
63282 }
63283@@ -502,6 +540,11 @@ static int s_show(struct seq_file *m, vo
63284 {
63285 struct kallsym_iter *iter = m->private;
63286
63287+#ifdef CONFIG_GRKERNSEC_HIDESYM
63288+ if (current_uid())
63289+ return 0;
63290+#endif
63291+
63292 /* Some debugging symbols have no name. Ignore them. */
63293 if (!iter->name[0])
63294 return 0;
63295@@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *i
63296 struct kallsym_iter *iter;
63297 int ret;
63298
63299- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
63300+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
63301 if (!iter)
63302 return -ENOMEM;
63303 reset_iter(iter, 0);
63304diff -urNp linux-3.0.7/kernel/kexec.c linux-3.0.7/kernel/kexec.c
63305--- linux-3.0.7/kernel/kexec.c 2011-07-21 22:17:23.000000000 -0400
63306+++ linux-3.0.7/kernel/kexec.c 2011-10-06 04:17:55.000000000 -0400
63307@@ -1033,7 +1033,8 @@ asmlinkage long compat_sys_kexec_load(un
63308 unsigned long flags)
63309 {
63310 struct compat_kexec_segment in;
63311- struct kexec_segment out, __user *ksegments;
63312+ struct kexec_segment out;
63313+ struct kexec_segment __user *ksegments;
63314 unsigned long i, result;
63315
63316 /* Don't allow clients that don't understand the native
63317diff -urNp linux-3.0.7/kernel/kmod.c linux-3.0.7/kernel/kmod.c
63318--- linux-3.0.7/kernel/kmod.c 2011-07-21 22:17:23.000000000 -0400
63319+++ linux-3.0.7/kernel/kmod.c 2011-10-06 04:17:55.000000000 -0400
63320@@ -73,13 +73,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
63321 * If module auto-loading support is disabled then this function
63322 * becomes a no-operation.
63323 */
63324-int __request_module(bool wait, const char *fmt, ...)
63325+static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
63326 {
63327- va_list args;
63328 char module_name[MODULE_NAME_LEN];
63329 unsigned int max_modprobes;
63330 int ret;
63331- char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
63332+ char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
63333 static char *envp[] = { "HOME=/",
63334 "TERM=linux",
63335 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
63336@@ -88,9 +87,7 @@ int __request_module(bool wait, const ch
63337 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
63338 static int kmod_loop_msg;
63339
63340- va_start(args, fmt);
63341- ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
63342- va_end(args);
63343+ ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
63344 if (ret >= MODULE_NAME_LEN)
63345 return -ENAMETOOLONG;
63346
63347@@ -98,6 +95,20 @@ int __request_module(bool wait, const ch
63348 if (ret)
63349 return ret;
63350
63351+#ifdef CONFIG_GRKERNSEC_MODHARDEN
63352+ if (!current_uid()) {
63353+ /* hack to workaround consolekit/udisks stupidity */
63354+ read_lock(&tasklist_lock);
63355+ if (!strcmp(current->comm, "mount") &&
63356+ current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
63357+ read_unlock(&tasklist_lock);
63358+ printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
63359+ return -EPERM;
63360+ }
63361+ read_unlock(&tasklist_lock);
63362+ }
63363+#endif
63364+
63365 /* If modprobe needs a service that is in a module, we get a recursive
63366 * loop. Limit the number of running kmod threads to max_threads/2 or
63367 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
63368@@ -131,6 +142,47 @@ int __request_module(bool wait, const ch
63369 atomic_dec(&kmod_concurrent);
63370 return ret;
63371 }
63372+
63373+int ___request_module(bool wait, char *module_param, const char *fmt, ...)
63374+{
63375+ va_list args;
63376+ int ret;
63377+
63378+ va_start(args, fmt);
63379+ ret = ____request_module(wait, module_param, fmt, args);
63380+ va_end(args);
63381+
63382+ return ret;
63383+}
63384+
63385+int __request_module(bool wait, const char *fmt, ...)
63386+{
63387+ va_list args;
63388+ int ret;
63389+
63390+#ifdef CONFIG_GRKERNSEC_MODHARDEN
63391+ if (current_uid()) {
63392+ char module_param[MODULE_NAME_LEN];
63393+
63394+ memset(module_param, 0, sizeof(module_param));
63395+
63396+ snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
63397+
63398+ va_start(args, fmt);
63399+ ret = ____request_module(wait, module_param, fmt, args);
63400+ va_end(args);
63401+
63402+ return ret;
63403+ }
63404+#endif
63405+
63406+ va_start(args, fmt);
63407+ ret = ____request_module(wait, NULL, fmt, args);
63408+ va_end(args);
63409+
63410+ return ret;
63411+}
63412+
63413 EXPORT_SYMBOL(__request_module);
63414 #endif /* CONFIG_MODULES */
63415
63416@@ -220,7 +272,7 @@ static int wait_for_helper(void *data)
63417 *
63418 * Thus the __user pointer cast is valid here.
63419 */
63420- sys_wait4(pid, (int __user *)&ret, 0, NULL);
63421+ sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
63422
63423 /*
63424 * If ret is 0, either ____call_usermodehelper failed and the
63425diff -urNp linux-3.0.7/kernel/kprobes.c linux-3.0.7/kernel/kprobes.c
63426--- linux-3.0.7/kernel/kprobes.c 2011-07-21 22:17:23.000000000 -0400
63427+++ linux-3.0.7/kernel/kprobes.c 2011-08-23 21:47:56.000000000 -0400
63428@@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
63429 * kernel image and loaded module images reside. This is required
63430 * so x86_64 can correctly handle the %rip-relative fixups.
63431 */
63432- kip->insns = module_alloc(PAGE_SIZE);
63433+ kip->insns = module_alloc_exec(PAGE_SIZE);
63434 if (!kip->insns) {
63435 kfree(kip);
63436 return NULL;
63437@@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
63438 */
63439 if (!list_is_singular(&kip->list)) {
63440 list_del(&kip->list);
63441- module_free(NULL, kip->insns);
63442+ module_free_exec(NULL, kip->insns);
63443 kfree(kip);
63444 }
63445 return 1;
63446@@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
63447 {
63448 int i, err = 0;
63449 unsigned long offset = 0, size = 0;
63450- char *modname, namebuf[128];
63451+ char *modname, namebuf[KSYM_NAME_LEN];
63452 const char *symbol_name;
63453 void *addr;
63454 struct kprobe_blackpoint *kb;
63455@@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
63456 const char *sym = NULL;
63457 unsigned int i = *(loff_t *) v;
63458 unsigned long offset = 0;
63459- char *modname, namebuf[128];
63460+ char *modname, namebuf[KSYM_NAME_LEN];
63461
63462 head = &kprobe_table[i];
63463 preempt_disable();
63464diff -urNp linux-3.0.7/kernel/lockdep.c linux-3.0.7/kernel/lockdep.c
63465--- linux-3.0.7/kernel/lockdep.c 2011-07-21 22:17:23.000000000 -0400
63466+++ linux-3.0.7/kernel/lockdep.c 2011-08-23 21:47:56.000000000 -0400
63467@@ -583,6 +583,10 @@ static int static_obj(void *obj)
63468 end = (unsigned long) &_end,
63469 addr = (unsigned long) obj;
63470
63471+#ifdef CONFIG_PAX_KERNEXEC
63472+ start = ktla_ktva(start);
63473+#endif
63474+
63475 /*
63476 * static variable?
63477 */
63478@@ -718,6 +722,7 @@ register_lock_class(struct lockdep_map *
63479 if (!static_obj(lock->key)) {
63480 debug_locks_off();
63481 printk("INFO: trying to register non-static key.\n");
63482+ printk("lock:%pS key:%pS.\n", lock, lock->key);
63483 printk("the code is fine but needs lockdep annotation.\n");
63484 printk("turning off the locking correctness validator.\n");
63485 dump_stack();
63486@@ -2936,7 +2941,7 @@ static int __lock_acquire(struct lockdep
63487 if (!class)
63488 return 0;
63489 }
63490- atomic_inc((atomic_t *)&class->ops);
63491+ atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
63492 if (very_verbose(class)) {
63493 printk("\nacquire class [%p] %s", class->key, class->name);
63494 if (class->name_version > 1)
63495diff -urNp linux-3.0.7/kernel/lockdep_proc.c linux-3.0.7/kernel/lockdep_proc.c
63496--- linux-3.0.7/kernel/lockdep_proc.c 2011-07-21 22:17:23.000000000 -0400
63497+++ linux-3.0.7/kernel/lockdep_proc.c 2011-08-23 21:47:56.000000000 -0400
63498@@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
63499
63500 static void print_name(struct seq_file *m, struct lock_class *class)
63501 {
63502- char str[128];
63503+ char str[KSYM_NAME_LEN];
63504 const char *name = class->name;
63505
63506 if (!name) {
63507diff -urNp linux-3.0.7/kernel/module.c linux-3.0.7/kernel/module.c
63508--- linux-3.0.7/kernel/module.c 2011-07-21 22:17:23.000000000 -0400
63509+++ linux-3.0.7/kernel/module.c 2011-08-23 21:48:14.000000000 -0400
63510@@ -58,6 +58,7 @@
63511 #include <linux/jump_label.h>
63512 #include <linux/pfn.h>
63513 #include <linux/bsearch.h>
63514+#include <linux/grsecurity.h>
63515
63516 #define CREATE_TRACE_POINTS
63517 #include <trace/events/module.h>
63518@@ -119,7 +120,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
63519
63520 /* Bounds of module allocation, for speeding __module_address.
63521 * Protected by module_mutex. */
63522-static unsigned long module_addr_min = -1UL, module_addr_max = 0;
63523+static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
63524+static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
63525
63526 int register_module_notifier(struct notifier_block * nb)
63527 {
63528@@ -284,7 +286,7 @@ bool each_symbol_section(bool (*fn)(cons
63529 return true;
63530
63531 list_for_each_entry_rcu(mod, &modules, list) {
63532- struct symsearch arr[] = {
63533+ struct symsearch modarr[] = {
63534 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
63535 NOT_GPL_ONLY, false },
63536 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
63537@@ -306,7 +308,7 @@ bool each_symbol_section(bool (*fn)(cons
63538 #endif
63539 };
63540
63541- if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
63542+ if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
63543 return true;
63544 }
63545 return false;
63546@@ -438,7 +440,7 @@ static inline void __percpu *mod_percpu(
63547 static int percpu_modalloc(struct module *mod,
63548 unsigned long size, unsigned long align)
63549 {
63550- if (align > PAGE_SIZE) {
63551+ if (align-1 >= PAGE_SIZE) {
63552 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
63553 mod->name, align, PAGE_SIZE);
63554 align = PAGE_SIZE;
63555@@ -1166,7 +1168,7 @@ resolve_symbol_wait(struct module *mod,
63556 */
63557 #ifdef CONFIG_SYSFS
63558
63559-#ifdef CONFIG_KALLSYMS
63560+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63561 static inline bool sect_empty(const Elf_Shdr *sect)
63562 {
63563 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
63564@@ -1632,21 +1634,21 @@ static void set_section_ro_nx(void *base
63565
63566 static void unset_module_core_ro_nx(struct module *mod)
63567 {
63568- set_page_attributes(mod->module_core + mod->core_text_size,
63569- mod->module_core + mod->core_size,
63570+ set_page_attributes(mod->module_core_rw,
63571+ mod->module_core_rw + mod->core_size_rw,
63572 set_memory_x);
63573- set_page_attributes(mod->module_core,
63574- mod->module_core + mod->core_ro_size,
63575+ set_page_attributes(mod->module_core_rx,
63576+ mod->module_core_rx + mod->core_size_rx,
63577 set_memory_rw);
63578 }
63579
63580 static void unset_module_init_ro_nx(struct module *mod)
63581 {
63582- set_page_attributes(mod->module_init + mod->init_text_size,
63583- mod->module_init + mod->init_size,
63584+ set_page_attributes(mod->module_init_rw,
63585+ mod->module_init_rw + mod->init_size_rw,
63586 set_memory_x);
63587- set_page_attributes(mod->module_init,
63588- mod->module_init + mod->init_ro_size,
63589+ set_page_attributes(mod->module_init_rx,
63590+ mod->module_init_rx + mod->init_size_rx,
63591 set_memory_rw);
63592 }
63593
63594@@ -1657,14 +1659,14 @@ void set_all_modules_text_rw(void)
63595
63596 mutex_lock(&module_mutex);
63597 list_for_each_entry_rcu(mod, &modules, list) {
63598- if ((mod->module_core) && (mod->core_text_size)) {
63599- set_page_attributes(mod->module_core,
63600- mod->module_core + mod->core_text_size,
63601+ if ((mod->module_core_rx) && (mod->core_size_rx)) {
63602+ set_page_attributes(mod->module_core_rx,
63603+ mod->module_core_rx + mod->core_size_rx,
63604 set_memory_rw);
63605 }
63606- if ((mod->module_init) && (mod->init_text_size)) {
63607- set_page_attributes(mod->module_init,
63608- mod->module_init + mod->init_text_size,
63609+ if ((mod->module_init_rx) && (mod->init_size_rx)) {
63610+ set_page_attributes(mod->module_init_rx,
63611+ mod->module_init_rx + mod->init_size_rx,
63612 set_memory_rw);
63613 }
63614 }
63615@@ -1678,14 +1680,14 @@ void set_all_modules_text_ro(void)
63616
63617 mutex_lock(&module_mutex);
63618 list_for_each_entry_rcu(mod, &modules, list) {
63619- if ((mod->module_core) && (mod->core_text_size)) {
63620- set_page_attributes(mod->module_core,
63621- mod->module_core + mod->core_text_size,
63622+ if ((mod->module_core_rx) && (mod->core_size_rx)) {
63623+ set_page_attributes(mod->module_core_rx,
63624+ mod->module_core_rx + mod->core_size_rx,
63625 set_memory_ro);
63626 }
63627- if ((mod->module_init) && (mod->init_text_size)) {
63628- set_page_attributes(mod->module_init,
63629- mod->module_init + mod->init_text_size,
63630+ if ((mod->module_init_rx) && (mod->init_size_rx)) {
63631+ set_page_attributes(mod->module_init_rx,
63632+ mod->module_init_rx + mod->init_size_rx,
63633 set_memory_ro);
63634 }
63635 }
63636@@ -1722,16 +1724,19 @@ static void free_module(struct module *m
63637
63638 /* This may be NULL, but that's OK */
63639 unset_module_init_ro_nx(mod);
63640- module_free(mod, mod->module_init);
63641+ module_free(mod, mod->module_init_rw);
63642+ module_free_exec(mod, mod->module_init_rx);
63643 kfree(mod->args);
63644 percpu_modfree(mod);
63645
63646 /* Free lock-classes: */
63647- lockdep_free_key_range(mod->module_core, mod->core_size);
63648+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
63649+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
63650
63651 /* Finally, free the core (containing the module structure) */
63652 unset_module_core_ro_nx(mod);
63653- module_free(mod, mod->module_core);
63654+ module_free_exec(mod, mod->module_core_rx);
63655+ module_free(mod, mod->module_core_rw);
63656
63657 #ifdef CONFIG_MPU
63658 update_protections(current->mm);
63659@@ -1800,10 +1805,31 @@ static int simplify_symbols(struct modul
63660 unsigned int i;
63661 int ret = 0;
63662 const struct kernel_symbol *ksym;
63663+#ifdef CONFIG_GRKERNSEC_MODHARDEN
63664+ int is_fs_load = 0;
63665+ int register_filesystem_found = 0;
63666+ char *p;
63667+
63668+ p = strstr(mod->args, "grsec_modharden_fs");
63669+ if (p) {
63670+ char *endptr = p + strlen("grsec_modharden_fs");
63671+ /* copy \0 as well */
63672+ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
63673+ is_fs_load = 1;
63674+ }
63675+#endif
63676
63677 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
63678 const char *name = info->strtab + sym[i].st_name;
63679
63680+#ifdef CONFIG_GRKERNSEC_MODHARDEN
63681+ /* it's a real shame this will never get ripped and copied
63682+ upstream! ;(
63683+ */
63684+ if (is_fs_load && !strcmp(name, "register_filesystem"))
63685+ register_filesystem_found = 1;
63686+#endif
63687+
63688 switch (sym[i].st_shndx) {
63689 case SHN_COMMON:
63690 /* We compiled with -fno-common. These are not
63691@@ -1824,7 +1850,9 @@ static int simplify_symbols(struct modul
63692 ksym = resolve_symbol_wait(mod, info, name);
63693 /* Ok if resolved. */
63694 if (ksym && !IS_ERR(ksym)) {
63695+ pax_open_kernel();
63696 sym[i].st_value = ksym->value;
63697+ pax_close_kernel();
63698 break;
63699 }
63700
63701@@ -1843,11 +1871,20 @@ static int simplify_symbols(struct modul
63702 secbase = (unsigned long)mod_percpu(mod);
63703 else
63704 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
63705+ pax_open_kernel();
63706 sym[i].st_value += secbase;
63707+ pax_close_kernel();
63708 break;
63709 }
63710 }
63711
63712+#ifdef CONFIG_GRKERNSEC_MODHARDEN
63713+ if (is_fs_load && !register_filesystem_found) {
63714+ printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
63715+ ret = -EPERM;
63716+ }
63717+#endif
63718+
63719 return ret;
63720 }
63721
63722@@ -1931,22 +1968,12 @@ static void layout_sections(struct modul
63723 || s->sh_entsize != ~0UL
63724 || strstarts(sname, ".init"))
63725 continue;
63726- s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
63727+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
63728+ s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
63729+ else
63730+ s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
63731 DEBUGP("\t%s\n", name);
63732 }
63733- switch (m) {
63734- case 0: /* executable */
63735- mod->core_size = debug_align(mod->core_size);
63736- mod->core_text_size = mod->core_size;
63737- break;
63738- case 1: /* RO: text and ro-data */
63739- mod->core_size = debug_align(mod->core_size);
63740- mod->core_ro_size = mod->core_size;
63741- break;
63742- case 3: /* whole core */
63743- mod->core_size = debug_align(mod->core_size);
63744- break;
63745- }
63746 }
63747
63748 DEBUGP("Init section allocation order:\n");
63749@@ -1960,23 +1987,13 @@ static void layout_sections(struct modul
63750 || s->sh_entsize != ~0UL
63751 || !strstarts(sname, ".init"))
63752 continue;
63753- s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
63754- | INIT_OFFSET_MASK);
63755+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
63756+ s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
63757+ else
63758+ s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
63759+ s->sh_entsize |= INIT_OFFSET_MASK;
63760 DEBUGP("\t%s\n", sname);
63761 }
63762- switch (m) {
63763- case 0: /* executable */
63764- mod->init_size = debug_align(mod->init_size);
63765- mod->init_text_size = mod->init_size;
63766- break;
63767- case 1: /* RO: text and ro-data */
63768- mod->init_size = debug_align(mod->init_size);
63769- mod->init_ro_size = mod->init_size;
63770- break;
63771- case 3: /* whole init */
63772- mod->init_size = debug_align(mod->init_size);
63773- break;
63774- }
63775 }
63776 }
63777
63778@@ -2141,7 +2158,7 @@ static void layout_symtab(struct module
63779
63780 /* Put symbol section at end of init part of module. */
63781 symsect->sh_flags |= SHF_ALLOC;
63782- symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
63783+ symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
63784 info->index.sym) | INIT_OFFSET_MASK;
63785 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
63786
63787@@ -2158,19 +2175,19 @@ static void layout_symtab(struct module
63788 }
63789
63790 /* Append room for core symbols at end of core part. */
63791- info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
63792- mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
63793+ info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
63794+ mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
63795
63796 /* Put string table section at end of init part of module. */
63797 strsect->sh_flags |= SHF_ALLOC;
63798- strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
63799+ strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
63800 info->index.str) | INIT_OFFSET_MASK;
63801 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
63802
63803 /* Append room for core symbols' strings at end of core part. */
63804- info->stroffs = mod->core_size;
63805+ info->stroffs = mod->core_size_rx;
63806 __set_bit(0, info->strmap);
63807- mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
63808+ mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
63809 }
63810
63811 static void add_kallsyms(struct module *mod, const struct load_info *info)
63812@@ -2186,11 +2203,13 @@ static void add_kallsyms(struct module *
63813 /* Make sure we get permanent strtab: don't use info->strtab. */
63814 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
63815
63816+ pax_open_kernel();
63817+
63818 /* Set types up while we still have access to sections. */
63819 for (i = 0; i < mod->num_symtab; i++)
63820 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
63821
63822- mod->core_symtab = dst = mod->module_core + info->symoffs;
63823+ mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
63824 src = mod->symtab;
63825 *dst = *src;
63826 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
63827@@ -2203,10 +2222,12 @@ static void add_kallsyms(struct module *
63828 }
63829 mod->core_num_syms = ndst;
63830
63831- mod->core_strtab = s = mod->module_core + info->stroffs;
63832+ mod->core_strtab = s = mod->module_core_rx + info->stroffs;
63833 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
63834 if (test_bit(i, info->strmap))
63835 *++s = mod->strtab[i];
63836+
63837+ pax_close_kernel();
63838 }
63839 #else
63840 static inline void layout_symtab(struct module *mod, struct load_info *info)
63841@@ -2235,17 +2256,33 @@ static void dynamic_debug_remove(struct
63842 ddebug_remove_module(debug->modname);
63843 }
63844
63845-static void *module_alloc_update_bounds(unsigned long size)
63846+static void *module_alloc_update_bounds_rw(unsigned long size)
63847 {
63848 void *ret = module_alloc(size);
63849
63850 if (ret) {
63851 mutex_lock(&module_mutex);
63852 /* Update module bounds. */
63853- if ((unsigned long)ret < module_addr_min)
63854- module_addr_min = (unsigned long)ret;
63855- if ((unsigned long)ret + size > module_addr_max)
63856- module_addr_max = (unsigned long)ret + size;
63857+ if ((unsigned long)ret < module_addr_min_rw)
63858+ module_addr_min_rw = (unsigned long)ret;
63859+ if ((unsigned long)ret + size > module_addr_max_rw)
63860+ module_addr_max_rw = (unsigned long)ret + size;
63861+ mutex_unlock(&module_mutex);
63862+ }
63863+ return ret;
63864+}
63865+
63866+static void *module_alloc_update_bounds_rx(unsigned long size)
63867+{
63868+ void *ret = module_alloc_exec(size);
63869+
63870+ if (ret) {
63871+ mutex_lock(&module_mutex);
63872+ /* Update module bounds. */
63873+ if ((unsigned long)ret < module_addr_min_rx)
63874+ module_addr_min_rx = (unsigned long)ret;
63875+ if ((unsigned long)ret + size > module_addr_max_rx)
63876+ module_addr_max_rx = (unsigned long)ret + size;
63877 mutex_unlock(&module_mutex);
63878 }
63879 return ret;
63880@@ -2538,7 +2575,7 @@ static int move_module(struct module *mo
63881 void *ptr;
63882
63883 /* Do the allocs. */
63884- ptr = module_alloc_update_bounds(mod->core_size);
63885+ ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
63886 /*
63887 * The pointer to this block is stored in the module structure
63888 * which is inside the block. Just mark it as not being a
63889@@ -2548,23 +2585,50 @@ static int move_module(struct module *mo
63890 if (!ptr)
63891 return -ENOMEM;
63892
63893- memset(ptr, 0, mod->core_size);
63894- mod->module_core = ptr;
63895+ memset(ptr, 0, mod->core_size_rw);
63896+ mod->module_core_rw = ptr;
63897
63898- ptr = module_alloc_update_bounds(mod->init_size);
63899+ ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
63900 /*
63901 * The pointer to this block is stored in the module structure
63902 * which is inside the block. This block doesn't need to be
63903 * scanned as it contains data and code that will be freed
63904 * after the module is initialized.
63905 */
63906- kmemleak_ignore(ptr);
63907- if (!ptr && mod->init_size) {
63908- module_free(mod, mod->module_core);
63909+ kmemleak_not_leak(ptr);
63910+ if (!ptr && mod->init_size_rw) {
63911+ module_free(mod, mod->module_core_rw);
63912 return -ENOMEM;
63913 }
63914- memset(ptr, 0, mod->init_size);
63915- mod->module_init = ptr;
63916+ memset(ptr, 0, mod->init_size_rw);
63917+ mod->module_init_rw = ptr;
63918+
63919+ ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
63920+ kmemleak_not_leak(ptr);
63921+ if (!ptr) {
63922+ module_free(mod, mod->module_init_rw);
63923+ module_free(mod, mod->module_core_rw);
63924+ return -ENOMEM;
63925+ }
63926+
63927+ pax_open_kernel();
63928+ memset(ptr, 0, mod->core_size_rx);
63929+ pax_close_kernel();
63930+ mod->module_core_rx = ptr;
63931+
63932+ ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
63933+ kmemleak_not_leak(ptr);
63934+ if (!ptr && mod->init_size_rx) {
63935+ module_free_exec(mod, mod->module_core_rx);
63936+ module_free(mod, mod->module_init_rw);
63937+ module_free(mod, mod->module_core_rw);
63938+ return -ENOMEM;
63939+ }
63940+
63941+ pax_open_kernel();
63942+ memset(ptr, 0, mod->init_size_rx);
63943+ pax_close_kernel();
63944+ mod->module_init_rx = ptr;
63945
63946 /* Transfer each section which specifies SHF_ALLOC */
63947 DEBUGP("final section addresses:\n");
63948@@ -2575,16 +2639,45 @@ static int move_module(struct module *mo
63949 if (!(shdr->sh_flags & SHF_ALLOC))
63950 continue;
63951
63952- if (shdr->sh_entsize & INIT_OFFSET_MASK)
63953- dest = mod->module_init
63954- + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
63955- else
63956- dest = mod->module_core + shdr->sh_entsize;
63957+ if (shdr->sh_entsize & INIT_OFFSET_MASK) {
63958+ if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
63959+ dest = mod->module_init_rw
63960+ + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
63961+ else
63962+ dest = mod->module_init_rx
63963+ + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
63964+ } else {
63965+ if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
63966+ dest = mod->module_core_rw + shdr->sh_entsize;
63967+ else
63968+ dest = mod->module_core_rx + shdr->sh_entsize;
63969+ }
63970+
63971+ if (shdr->sh_type != SHT_NOBITS) {
63972+
63973+#ifdef CONFIG_PAX_KERNEXEC
63974+#ifdef CONFIG_X86_64
63975+ if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
63976+ set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
63977+#endif
63978+ if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
63979+ pax_open_kernel();
63980+ memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
63981+ pax_close_kernel();
63982+ } else
63983+#endif
63984
63985- if (shdr->sh_type != SHT_NOBITS)
63986 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
63987+ }
63988 /* Update sh_addr to point to copy in image. */
63989- shdr->sh_addr = (unsigned long)dest;
63990+
63991+#ifdef CONFIG_PAX_KERNEXEC
63992+ if (shdr->sh_flags & SHF_EXECINSTR)
63993+ shdr->sh_addr = ktva_ktla((unsigned long)dest);
63994+ else
63995+#endif
63996+
63997+ shdr->sh_addr = (unsigned long)dest;
63998 DEBUGP("\t0x%lx %s\n",
63999 shdr->sh_addr, info->secstrings + shdr->sh_name);
64000 }
64001@@ -2635,12 +2728,12 @@ static void flush_module_icache(const st
64002 * Do it before processing of module parameters, so the module
64003 * can provide parameter accessor functions of its own.
64004 */
64005- if (mod->module_init)
64006- flush_icache_range((unsigned long)mod->module_init,
64007- (unsigned long)mod->module_init
64008- + mod->init_size);
64009- flush_icache_range((unsigned long)mod->module_core,
64010- (unsigned long)mod->module_core + mod->core_size);
64011+ if (mod->module_init_rx)
64012+ flush_icache_range((unsigned long)mod->module_init_rx,
64013+ (unsigned long)mod->module_init_rx
64014+ + mod->init_size_rx);
64015+ flush_icache_range((unsigned long)mod->module_core_rx,
64016+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
64017
64018 set_fs(old_fs);
64019 }
64020@@ -2712,8 +2805,10 @@ static void module_deallocate(struct mod
64021 {
64022 kfree(info->strmap);
64023 percpu_modfree(mod);
64024- module_free(mod, mod->module_init);
64025- module_free(mod, mod->module_core);
64026+ module_free_exec(mod, mod->module_init_rx);
64027+ module_free_exec(mod, mod->module_core_rx);
64028+ module_free(mod, mod->module_init_rw);
64029+ module_free(mod, mod->module_core_rw);
64030 }
64031
64032 static int post_relocation(struct module *mod, const struct load_info *info)
64033@@ -2770,9 +2865,38 @@ static struct module *load_module(void _
64034 if (err)
64035 goto free_unload;
64036
64037+ /* Now copy in args */
64038+ mod->args = strndup_user(uargs, ~0UL >> 1);
64039+ if (IS_ERR(mod->args)) {
64040+ err = PTR_ERR(mod->args);
64041+ goto free_unload;
64042+ }
64043+
64044 /* Set up MODINFO_ATTR fields */
64045 setup_modinfo(mod, &info);
64046
64047+#ifdef CONFIG_GRKERNSEC_MODHARDEN
64048+ {
64049+ char *p, *p2;
64050+
64051+ if (strstr(mod->args, "grsec_modharden_netdev")) {
64052+ printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
64053+ err = -EPERM;
64054+ goto free_modinfo;
64055+ } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
64056+ p += strlen("grsec_modharden_normal");
64057+ p2 = strstr(p, "_");
64058+ if (p2) {
64059+ *p2 = '\0';
64060+ printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
64061+ *p2 = '_';
64062+ }
64063+ err = -EPERM;
64064+ goto free_modinfo;
64065+ }
64066+ }
64067+#endif
64068+
64069 /* Fix up syms, so that st_value is a pointer to location. */
64070 err = simplify_symbols(mod, &info);
64071 if (err < 0)
64072@@ -2788,13 +2912,6 @@ static struct module *load_module(void _
64073
64074 flush_module_icache(mod);
64075
64076- /* Now copy in args */
64077- mod->args = strndup_user(uargs, ~0UL >> 1);
64078- if (IS_ERR(mod->args)) {
64079- err = PTR_ERR(mod->args);
64080- goto free_arch_cleanup;
64081- }
64082-
64083 /* Mark state as coming so strong_try_module_get() ignores us. */
64084 mod->state = MODULE_STATE_COMING;
64085
64086@@ -2854,11 +2971,10 @@ static struct module *load_module(void _
64087 unlock:
64088 mutex_unlock(&module_mutex);
64089 synchronize_sched();
64090- kfree(mod->args);
64091- free_arch_cleanup:
64092 module_arch_cleanup(mod);
64093 free_modinfo:
64094 free_modinfo(mod);
64095+ kfree(mod->args);
64096 free_unload:
64097 module_unload_free(mod);
64098 free_module:
64099@@ -2899,16 +3015,16 @@ SYSCALL_DEFINE3(init_module, void __user
64100 MODULE_STATE_COMING, mod);
64101
64102 /* Set RO and NX regions for core */
64103- set_section_ro_nx(mod->module_core,
64104- mod->core_text_size,
64105- mod->core_ro_size,
64106- mod->core_size);
64107+ set_section_ro_nx(mod->module_core_rx,
64108+ mod->core_size_rx,
64109+ mod->core_size_rx,
64110+ mod->core_size_rx);
64111
64112 /* Set RO and NX regions for init */
64113- set_section_ro_nx(mod->module_init,
64114- mod->init_text_size,
64115- mod->init_ro_size,
64116- mod->init_size);
64117+ set_section_ro_nx(mod->module_init_rx,
64118+ mod->init_size_rx,
64119+ mod->init_size_rx,
64120+ mod->init_size_rx);
64121
64122 do_mod_ctors(mod);
64123 /* Start the module */
64124@@ -2954,11 +3070,12 @@ SYSCALL_DEFINE3(init_module, void __user
64125 mod->strtab = mod->core_strtab;
64126 #endif
64127 unset_module_init_ro_nx(mod);
64128- module_free(mod, mod->module_init);
64129- mod->module_init = NULL;
64130- mod->init_size = 0;
64131- mod->init_ro_size = 0;
64132- mod->init_text_size = 0;
64133+ module_free(mod, mod->module_init_rw);
64134+ module_free_exec(mod, mod->module_init_rx);
64135+ mod->module_init_rw = NULL;
64136+ mod->module_init_rx = NULL;
64137+ mod->init_size_rw = 0;
64138+ mod->init_size_rx = 0;
64139 mutex_unlock(&module_mutex);
64140
64141 return 0;
64142@@ -2989,10 +3106,16 @@ static const char *get_ksymbol(struct mo
64143 unsigned long nextval;
64144
64145 /* At worse, next value is at end of module */
64146- if (within_module_init(addr, mod))
64147- nextval = (unsigned long)mod->module_init+mod->init_text_size;
64148+ if (within_module_init_rx(addr, mod))
64149+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
64150+ else if (within_module_init_rw(addr, mod))
64151+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
64152+ else if (within_module_core_rx(addr, mod))
64153+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
64154+ else if (within_module_core_rw(addr, mod))
64155+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
64156 else
64157- nextval = (unsigned long)mod->module_core+mod->core_text_size;
64158+ return NULL;
64159
64160 /* Scan for closest preceding symbol, and next symbol. (ELF
64161 starts real symbols at 1). */
64162@@ -3238,7 +3361,7 @@ static int m_show(struct seq_file *m, vo
64163 char buf[8];
64164
64165 seq_printf(m, "%s %u",
64166- mod->name, mod->init_size + mod->core_size);
64167+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
64168 print_unload_info(m, mod);
64169
64170 /* Informative for users. */
64171@@ -3247,7 +3370,7 @@ static int m_show(struct seq_file *m, vo
64172 mod->state == MODULE_STATE_COMING ? "Loading":
64173 "Live");
64174 /* Used by oprofile and other similar tools. */
64175- seq_printf(m, " 0x%pK", mod->module_core);
64176+ seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
64177
64178 /* Taints info */
64179 if (mod->taints)
64180@@ -3283,7 +3406,17 @@ static const struct file_operations proc
64181
64182 static int __init proc_modules_init(void)
64183 {
64184+#ifndef CONFIG_GRKERNSEC_HIDESYM
64185+#ifdef CONFIG_GRKERNSEC_PROC_USER
64186+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
64187+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64188+ proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
64189+#else
64190 proc_create("modules", 0, NULL, &proc_modules_operations);
64191+#endif
64192+#else
64193+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
64194+#endif
64195 return 0;
64196 }
64197 module_init(proc_modules_init);
64198@@ -3342,12 +3475,12 @@ struct module *__module_address(unsigned
64199 {
64200 struct module *mod;
64201
64202- if (addr < module_addr_min || addr > module_addr_max)
64203+ if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
64204+ (addr < module_addr_min_rw || addr > module_addr_max_rw))
64205 return NULL;
64206
64207 list_for_each_entry_rcu(mod, &modules, list)
64208- if (within_module_core(addr, mod)
64209- || within_module_init(addr, mod))
64210+ if (within_module_init(addr, mod) || within_module_core(addr, mod))
64211 return mod;
64212 return NULL;
64213 }
64214@@ -3381,11 +3514,20 @@ bool is_module_text_address(unsigned lon
64215 */
64216 struct module *__module_text_address(unsigned long addr)
64217 {
64218- struct module *mod = __module_address(addr);
64219+ struct module *mod;
64220+
64221+#ifdef CONFIG_X86_32
64222+ addr = ktla_ktva(addr);
64223+#endif
64224+
64225+ if (addr < module_addr_min_rx || addr > module_addr_max_rx)
64226+ return NULL;
64227+
64228+ mod = __module_address(addr);
64229+
64230 if (mod) {
64231 /* Make sure it's within the text section. */
64232- if (!within(addr, mod->module_init, mod->init_text_size)
64233- && !within(addr, mod->module_core, mod->core_text_size))
64234+ if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
64235 mod = NULL;
64236 }
64237 return mod;
64238diff -urNp linux-3.0.7/kernel/mutex-debug.c linux-3.0.7/kernel/mutex-debug.c
64239--- linux-3.0.7/kernel/mutex-debug.c 2011-07-21 22:17:23.000000000 -0400
64240+++ linux-3.0.7/kernel/mutex-debug.c 2011-08-23 21:47:56.000000000 -0400
64241@@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
64242 }
64243
64244 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64245- struct thread_info *ti)
64246+ struct task_struct *task)
64247 {
64248 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
64249
64250 /* Mark the current thread as blocked on the lock: */
64251- ti->task->blocked_on = waiter;
64252+ task->blocked_on = waiter;
64253 }
64254
64255 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64256- struct thread_info *ti)
64257+ struct task_struct *task)
64258 {
64259 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
64260- DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
64261- DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
64262- ti->task->blocked_on = NULL;
64263+ DEBUG_LOCKS_WARN_ON(waiter->task != task);
64264+ DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
64265+ task->blocked_on = NULL;
64266
64267 list_del_init(&waiter->list);
64268 waiter->task = NULL;
64269diff -urNp linux-3.0.7/kernel/mutex-debug.h linux-3.0.7/kernel/mutex-debug.h
64270--- linux-3.0.7/kernel/mutex-debug.h 2011-07-21 22:17:23.000000000 -0400
64271+++ linux-3.0.7/kernel/mutex-debug.h 2011-08-23 21:47:56.000000000 -0400
64272@@ -20,9 +20,9 @@ extern void debug_mutex_wake_waiter(stru
64273 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
64274 extern void debug_mutex_add_waiter(struct mutex *lock,
64275 struct mutex_waiter *waiter,
64276- struct thread_info *ti);
64277+ struct task_struct *task);
64278 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64279- struct thread_info *ti);
64280+ struct task_struct *task);
64281 extern void debug_mutex_unlock(struct mutex *lock);
64282 extern void debug_mutex_init(struct mutex *lock, const char *name,
64283 struct lock_class_key *key);
64284diff -urNp linux-3.0.7/kernel/mutex.c linux-3.0.7/kernel/mutex.c
64285--- linux-3.0.7/kernel/mutex.c 2011-07-21 22:17:23.000000000 -0400
64286+++ linux-3.0.7/kernel/mutex.c 2011-08-23 21:47:56.000000000 -0400
64287@@ -198,7 +198,7 @@ __mutex_lock_common(struct mutex *lock,
64288 spin_lock_mutex(&lock->wait_lock, flags);
64289
64290 debug_mutex_lock_common(lock, &waiter);
64291- debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
64292+ debug_mutex_add_waiter(lock, &waiter, task);
64293
64294 /* add waiting tasks to the end of the waitqueue (FIFO): */
64295 list_add_tail(&waiter.list, &lock->wait_list);
64296@@ -227,8 +227,7 @@ __mutex_lock_common(struct mutex *lock,
64297 * TASK_UNINTERRUPTIBLE case.)
64298 */
64299 if (unlikely(signal_pending_state(state, task))) {
64300- mutex_remove_waiter(lock, &waiter,
64301- task_thread_info(task));
64302+ mutex_remove_waiter(lock, &waiter, task);
64303 mutex_release(&lock->dep_map, 1, ip);
64304 spin_unlock_mutex(&lock->wait_lock, flags);
64305
64306@@ -249,7 +248,7 @@ __mutex_lock_common(struct mutex *lock,
64307 done:
64308 lock_acquired(&lock->dep_map, ip);
64309 /* got the lock - rejoice! */
64310- mutex_remove_waiter(lock, &waiter, current_thread_info());
64311+ mutex_remove_waiter(lock, &waiter, task);
64312 mutex_set_owner(lock);
64313
64314 /* set it to 0 if there are no waiters left: */
64315diff -urNp linux-3.0.7/kernel/padata.c linux-3.0.7/kernel/padata.c
64316--- linux-3.0.7/kernel/padata.c 2011-07-21 22:17:23.000000000 -0400
64317+++ linux-3.0.7/kernel/padata.c 2011-08-23 21:47:56.000000000 -0400
64318@@ -132,10 +132,10 @@ int padata_do_parallel(struct padata_ins
64319 padata->pd = pd;
64320 padata->cb_cpu = cb_cpu;
64321
64322- if (unlikely(atomic_read(&pd->seq_nr) == pd->max_seq_nr))
64323- atomic_set(&pd->seq_nr, -1);
64324+ if (unlikely(atomic_read_unchecked(&pd->seq_nr) == pd->max_seq_nr))
64325+ atomic_set_unchecked(&pd->seq_nr, -1);
64326
64327- padata->seq_nr = atomic_inc_return(&pd->seq_nr);
64328+ padata->seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
64329
64330 target_cpu = padata_cpu_hash(padata);
64331 queue = per_cpu_ptr(pd->pqueue, target_cpu);
64332@@ -444,7 +444,7 @@ static struct parallel_data *padata_allo
64333 padata_init_pqueues(pd);
64334 padata_init_squeues(pd);
64335 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
64336- atomic_set(&pd->seq_nr, -1);
64337+ atomic_set_unchecked(&pd->seq_nr, -1);
64338 atomic_set(&pd->reorder_objects, 0);
64339 atomic_set(&pd->refcnt, 0);
64340 pd->pinst = pinst;
64341diff -urNp linux-3.0.7/kernel/panic.c linux-3.0.7/kernel/panic.c
64342--- linux-3.0.7/kernel/panic.c 2011-07-21 22:17:23.000000000 -0400
64343+++ linux-3.0.7/kernel/panic.c 2011-08-23 21:48:14.000000000 -0400
64344@@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
64345 const char *board;
64346
64347 printk(KERN_WARNING "------------[ cut here ]------------\n");
64348- printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
64349+ printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
64350 board = dmi_get_system_info(DMI_PRODUCT_NAME);
64351 if (board)
64352 printk(KERN_WARNING "Hardware name: %s\n", board);
64353@@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
64354 */
64355 void __stack_chk_fail(void)
64356 {
64357- panic("stack-protector: Kernel stack is corrupted in: %p\n",
64358+ dump_stack();
64359+ panic("stack-protector: Kernel stack is corrupted in: %pA\n",
64360 __builtin_return_address(0));
64361 }
64362 EXPORT_SYMBOL(__stack_chk_fail);
64363diff -urNp linux-3.0.7/kernel/pid.c linux-3.0.7/kernel/pid.c
64364--- linux-3.0.7/kernel/pid.c 2011-07-21 22:17:23.000000000 -0400
64365+++ linux-3.0.7/kernel/pid.c 2011-08-23 21:48:14.000000000 -0400
64366@@ -33,6 +33,7 @@
64367 #include <linux/rculist.h>
64368 #include <linux/bootmem.h>
64369 #include <linux/hash.h>
64370+#include <linux/security.h>
64371 #include <linux/pid_namespace.h>
64372 #include <linux/init_task.h>
64373 #include <linux/syscalls.h>
64374@@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
64375
64376 int pid_max = PID_MAX_DEFAULT;
64377
64378-#define RESERVED_PIDS 300
64379+#define RESERVED_PIDS 500
64380
64381 int pid_max_min = RESERVED_PIDS + 1;
64382 int pid_max_max = PID_MAX_LIMIT;
64383@@ -419,8 +420,15 @@ EXPORT_SYMBOL(pid_task);
64384 */
64385 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
64386 {
64387+ struct task_struct *task;
64388+
64389 rcu_lockdep_assert(rcu_read_lock_held());
64390- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
64391+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
64392+
64393+ if (gr_pid_is_chrooted(task))
64394+ return NULL;
64395+
64396+ return task;
64397 }
64398
64399 struct task_struct *find_task_by_vpid(pid_t vnr)
64400@@ -428,6 +436,12 @@ struct task_struct *find_task_by_vpid(pi
64401 return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
64402 }
64403
64404+struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
64405+{
64406+ rcu_lockdep_assert(rcu_read_lock_held());
64407+ return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
64408+}
64409+
64410 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
64411 {
64412 struct pid *pid;
64413diff -urNp linux-3.0.7/kernel/posix-cpu-timers.c linux-3.0.7/kernel/posix-cpu-timers.c
64414--- linux-3.0.7/kernel/posix-cpu-timers.c 2011-10-17 23:17:09.000000000 -0400
64415+++ linux-3.0.7/kernel/posix-cpu-timers.c 2011-10-17 23:17:19.000000000 -0400
64416@@ -6,6 +6,7 @@
64417 #include <linux/posix-timers.h>
64418 #include <linux/errno.h>
64419 #include <linux/math64.h>
64420+#include <linux/security.h>
64421 #include <asm/uaccess.h>
64422 #include <linux/kernel_stat.h>
64423 #include <trace/events/timer.h>
64424@@ -1605,14 +1606,14 @@ struct k_clock clock_posix_cpu = {
64425
64426 static __init int init_posix_cpu_timers(void)
64427 {
64428- struct k_clock process = {
64429+ static struct k_clock process = {
64430 .clock_getres = process_cpu_clock_getres,
64431 .clock_get = process_cpu_clock_get,
64432 .timer_create = process_cpu_timer_create,
64433 .nsleep = process_cpu_nsleep,
64434 .nsleep_restart = process_cpu_nsleep_restart,
64435 };
64436- struct k_clock thread = {
64437+ static struct k_clock thread = {
64438 .clock_getres = thread_cpu_clock_getres,
64439 .clock_get = thread_cpu_clock_get,
64440 .timer_create = thread_cpu_timer_create,
64441diff -urNp linux-3.0.7/kernel/posix-timers.c linux-3.0.7/kernel/posix-timers.c
64442--- linux-3.0.7/kernel/posix-timers.c 2011-07-21 22:17:23.000000000 -0400
64443+++ linux-3.0.7/kernel/posix-timers.c 2011-08-23 21:48:14.000000000 -0400
64444@@ -43,6 +43,7 @@
64445 #include <linux/idr.h>
64446 #include <linux/posix-clock.h>
64447 #include <linux/posix-timers.h>
64448+#include <linux/grsecurity.h>
64449 #include <linux/syscalls.h>
64450 #include <linux/wait.h>
64451 #include <linux/workqueue.h>
64452@@ -129,7 +130,7 @@ static DEFINE_SPINLOCK(idr_lock);
64453 * which we beg off on and pass to do_sys_settimeofday().
64454 */
64455
64456-static struct k_clock posix_clocks[MAX_CLOCKS];
64457+static struct k_clock *posix_clocks[MAX_CLOCKS];
64458
64459 /*
64460 * These ones are defined below.
64461@@ -227,7 +228,7 @@ static int posix_get_boottime(const cloc
64462 */
64463 static __init int init_posix_timers(void)
64464 {
64465- struct k_clock clock_realtime = {
64466+ static struct k_clock clock_realtime = {
64467 .clock_getres = hrtimer_get_res,
64468 .clock_get = posix_clock_realtime_get,
64469 .clock_set = posix_clock_realtime_set,
64470@@ -239,7 +240,7 @@ static __init int init_posix_timers(void
64471 .timer_get = common_timer_get,
64472 .timer_del = common_timer_del,
64473 };
64474- struct k_clock clock_monotonic = {
64475+ static struct k_clock clock_monotonic = {
64476 .clock_getres = hrtimer_get_res,
64477 .clock_get = posix_ktime_get_ts,
64478 .nsleep = common_nsleep,
64479@@ -249,19 +250,19 @@ static __init int init_posix_timers(void
64480 .timer_get = common_timer_get,
64481 .timer_del = common_timer_del,
64482 };
64483- struct k_clock clock_monotonic_raw = {
64484+ static struct k_clock clock_monotonic_raw = {
64485 .clock_getres = hrtimer_get_res,
64486 .clock_get = posix_get_monotonic_raw,
64487 };
64488- struct k_clock clock_realtime_coarse = {
64489+ static struct k_clock clock_realtime_coarse = {
64490 .clock_getres = posix_get_coarse_res,
64491 .clock_get = posix_get_realtime_coarse,
64492 };
64493- struct k_clock clock_monotonic_coarse = {
64494+ static struct k_clock clock_monotonic_coarse = {
64495 .clock_getres = posix_get_coarse_res,
64496 .clock_get = posix_get_monotonic_coarse,
64497 };
64498- struct k_clock clock_boottime = {
64499+ static struct k_clock clock_boottime = {
64500 .clock_getres = hrtimer_get_res,
64501 .clock_get = posix_get_boottime,
64502 .nsleep = common_nsleep,
64503@@ -272,6 +273,8 @@ static __init int init_posix_timers(void
64504 .timer_del = common_timer_del,
64505 };
64506
64507+ pax_track_stack();
64508+
64509 posix_timers_register_clock(CLOCK_REALTIME, &clock_realtime);
64510 posix_timers_register_clock(CLOCK_MONOTONIC, &clock_monotonic);
64511 posix_timers_register_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
64512@@ -473,7 +476,7 @@ void posix_timers_register_clock(const c
64513 return;
64514 }
64515
64516- posix_clocks[clock_id] = *new_clock;
64517+ posix_clocks[clock_id] = new_clock;
64518 }
64519 EXPORT_SYMBOL_GPL(posix_timers_register_clock);
64520
64521@@ -519,9 +522,9 @@ static struct k_clock *clockid_to_kclock
64522 return (id & CLOCKFD_MASK) == CLOCKFD ?
64523 &clock_posix_dynamic : &clock_posix_cpu;
64524
64525- if (id >= MAX_CLOCKS || !posix_clocks[id].clock_getres)
64526+ if (id >= MAX_CLOCKS || !posix_clocks[id] || !posix_clocks[id]->clock_getres)
64527 return NULL;
64528- return &posix_clocks[id];
64529+ return posix_clocks[id];
64530 }
64531
64532 static int common_timer_create(struct k_itimer *new_timer)
64533@@ -959,6 +962,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
64534 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
64535 return -EFAULT;
64536
64537+ /* only the CLOCK_REALTIME clock can be set, all other clocks
64538+ have their clock_set fptr set to a nosettime dummy function
64539+ CLOCK_REALTIME has a NULL clock_set fptr which causes it to
64540+ call common_clock_set, which calls do_sys_settimeofday, which
64541+ we hook
64542+ */
64543+
64544 return kc->clock_set(which_clock, &new_tp);
64545 }
64546
64547diff -urNp linux-3.0.7/kernel/power/poweroff.c linux-3.0.7/kernel/power/poweroff.c
64548--- linux-3.0.7/kernel/power/poweroff.c 2011-07-21 22:17:23.000000000 -0400
64549+++ linux-3.0.7/kernel/power/poweroff.c 2011-08-23 21:47:56.000000000 -0400
64550@@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
64551 .enable_mask = SYSRQ_ENABLE_BOOT,
64552 };
64553
64554-static int pm_sysrq_init(void)
64555+static int __init pm_sysrq_init(void)
64556 {
64557 register_sysrq_key('o', &sysrq_poweroff_op);
64558 return 0;
64559diff -urNp linux-3.0.7/kernel/power/process.c linux-3.0.7/kernel/power/process.c
64560--- linux-3.0.7/kernel/power/process.c 2011-07-21 22:17:23.000000000 -0400
64561+++ linux-3.0.7/kernel/power/process.c 2011-08-23 21:47:56.000000000 -0400
64562@@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
64563 u64 elapsed_csecs64;
64564 unsigned int elapsed_csecs;
64565 bool wakeup = false;
64566+ bool timedout = false;
64567
64568 do_gettimeofday(&start);
64569
64570@@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
64571
64572 while (true) {
64573 todo = 0;
64574+ if (time_after(jiffies, end_time))
64575+ timedout = true;
64576 read_lock(&tasklist_lock);
64577 do_each_thread(g, p) {
64578 if (frozen(p) || !freezable(p))
64579@@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
64580 * try_to_stop() after schedule() in ptrace/signal
64581 * stop sees TIF_FREEZE.
64582 */
64583- if (!task_is_stopped_or_traced(p) &&
64584- !freezer_should_skip(p))
64585+ if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
64586 todo++;
64587+ if (timedout) {
64588+ printk(KERN_ERR "Task refusing to freeze:\n");
64589+ sched_show_task(p);
64590+ }
64591+ }
64592 } while_each_thread(g, p);
64593 read_unlock(&tasklist_lock);
64594
64595@@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
64596 todo += wq_busy;
64597 }
64598
64599- if (!todo || time_after(jiffies, end_time))
64600+ if (!todo || timedout)
64601 break;
64602
64603 if (pm_wakeup_pending()) {
64604diff -urNp linux-3.0.7/kernel/printk.c linux-3.0.7/kernel/printk.c
64605--- linux-3.0.7/kernel/printk.c 2011-10-16 21:54:54.000000000 -0400
64606+++ linux-3.0.7/kernel/printk.c 2011-10-16 21:55:28.000000000 -0400
64607@@ -313,12 +313,17 @@ static int check_syslog_permissions(int
64608 if (from_file && type != SYSLOG_ACTION_OPEN)
64609 return 0;
64610
64611+#ifdef CONFIG_GRKERNSEC_DMESG
64612+ if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
64613+ return -EPERM;
64614+#endif
64615+
64616 if (syslog_action_restricted(type)) {
64617 if (capable(CAP_SYSLOG))
64618 return 0;
64619 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
64620 if (capable(CAP_SYS_ADMIN)) {
64621- WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
64622+ printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
64623 "but no CAP_SYSLOG (deprecated).\n");
64624 return 0;
64625 }
64626diff -urNp linux-3.0.7/kernel/profile.c linux-3.0.7/kernel/profile.c
64627--- linux-3.0.7/kernel/profile.c 2011-07-21 22:17:23.000000000 -0400
64628+++ linux-3.0.7/kernel/profile.c 2011-08-23 21:47:56.000000000 -0400
64629@@ -39,7 +39,7 @@ struct profile_hit {
64630 /* Oprofile timer tick hook */
64631 static int (*timer_hook)(struct pt_regs *) __read_mostly;
64632
64633-static atomic_t *prof_buffer;
64634+static atomic_unchecked_t *prof_buffer;
64635 static unsigned long prof_len, prof_shift;
64636
64637 int prof_on __read_mostly;
64638@@ -281,7 +281,7 @@ static void profile_flip_buffers(void)
64639 hits[i].pc = 0;
64640 continue;
64641 }
64642- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
64643+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
64644 hits[i].hits = hits[i].pc = 0;
64645 }
64646 }
64647@@ -342,9 +342,9 @@ static void do_profile_hits(int type, vo
64648 * Add the current hit(s) and flush the write-queue out
64649 * to the global buffer:
64650 */
64651- atomic_add(nr_hits, &prof_buffer[pc]);
64652+ atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
64653 for (i = 0; i < NR_PROFILE_HIT; ++i) {
64654- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
64655+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
64656 hits[i].pc = hits[i].hits = 0;
64657 }
64658 out:
64659@@ -419,7 +419,7 @@ static void do_profile_hits(int type, vo
64660 {
64661 unsigned long pc;
64662 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
64663- atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
64664+ atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
64665 }
64666 #endif /* !CONFIG_SMP */
64667
64668@@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
64669 return -EFAULT;
64670 buf++; p++; count--; read++;
64671 }
64672- pnt = (char *)prof_buffer + p - sizeof(atomic_t);
64673+ pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
64674 if (copy_to_user(buf, (void *)pnt, count))
64675 return -EFAULT;
64676 read += count;
64677@@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
64678 }
64679 #endif
64680 profile_discard_flip_buffers();
64681- memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
64682+ memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
64683 return count;
64684 }
64685
64686diff -urNp linux-3.0.7/kernel/ptrace.c linux-3.0.7/kernel/ptrace.c
64687--- linux-3.0.7/kernel/ptrace.c 2011-07-21 22:17:23.000000000 -0400
64688+++ linux-3.0.7/kernel/ptrace.c 2011-08-23 21:48:14.000000000 -0400
64689@@ -132,7 +132,8 @@ int ptrace_check_attach(struct task_stru
64690 return ret;
64691 }
64692
64693-int __ptrace_may_access(struct task_struct *task, unsigned int mode)
64694+static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
64695+ unsigned int log)
64696 {
64697 const struct cred *cred = current_cred(), *tcred;
64698
64699@@ -158,7 +159,8 @@ int __ptrace_may_access(struct task_stru
64700 cred->gid == tcred->sgid &&
64701 cred->gid == tcred->gid))
64702 goto ok;
64703- if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
64704+ if ((!log && ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE)) ||
64705+ (log && ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)))
64706 goto ok;
64707 rcu_read_unlock();
64708 return -EPERM;
64709@@ -167,7 +169,9 @@ ok:
64710 smp_rmb();
64711 if (task->mm)
64712 dumpable = get_dumpable(task->mm);
64713- if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
64714+ if (!dumpable &&
64715+ ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
64716+ (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
64717 return -EPERM;
64718
64719 return security_ptrace_access_check(task, mode);
64720@@ -177,7 +181,16 @@ bool ptrace_may_access(struct task_struc
64721 {
64722 int err;
64723 task_lock(task);
64724- err = __ptrace_may_access(task, mode);
64725+ err = __ptrace_may_access(task, mode, 0);
64726+ task_unlock(task);
64727+ return !err;
64728+}
64729+
64730+bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
64731+{
64732+ int err;
64733+ task_lock(task);
64734+ err = __ptrace_may_access(task, mode, 1);
64735 task_unlock(task);
64736 return !err;
64737 }
64738@@ -205,7 +218,7 @@ static int ptrace_attach(struct task_str
64739 goto out;
64740
64741 task_lock(task);
64742- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
64743+ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
64744 task_unlock(task);
64745 if (retval)
64746 goto unlock_creds;
64747@@ -218,7 +231,7 @@ static int ptrace_attach(struct task_str
64748 goto unlock_tasklist;
64749
64750 task->ptrace = PT_PTRACED;
64751- if (task_ns_capable(task, CAP_SYS_PTRACE))
64752+ if (task_ns_capable_nolog(task, CAP_SYS_PTRACE))
64753 task->ptrace |= PT_PTRACE_CAP;
64754
64755 __ptrace_link(task, current);
64756@@ -406,6 +419,8 @@ int ptrace_readdata(struct task_struct *
64757 {
64758 int copied = 0;
64759
64760+ pax_track_stack();
64761+
64762 while (len > 0) {
64763 char buf[128];
64764 int this_len, retval;
64765@@ -417,7 +432,7 @@ int ptrace_readdata(struct task_struct *
64766 break;
64767 return -EIO;
64768 }
64769- if (copy_to_user(dst, buf, retval))
64770+ if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
64771 return -EFAULT;
64772 copied += retval;
64773 src += retval;
64774@@ -431,6 +446,8 @@ int ptrace_writedata(struct task_struct
64775 {
64776 int copied = 0;
64777
64778+ pax_track_stack();
64779+
64780 while (len > 0) {
64781 char buf[128];
64782 int this_len, retval;
64783@@ -613,9 +630,11 @@ int ptrace_request(struct task_struct *c
64784 {
64785 int ret = -EIO;
64786 siginfo_t siginfo;
64787- void __user *datavp = (void __user *) data;
64788+ void __user *datavp = (__force void __user *) data;
64789 unsigned long __user *datalp = datavp;
64790
64791+ pax_track_stack();
64792+
64793 switch (request) {
64794 case PTRACE_PEEKTEXT:
64795 case PTRACE_PEEKDATA:
64796@@ -761,14 +780,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
64797 goto out;
64798 }
64799
64800+ if (gr_handle_ptrace(child, request)) {
64801+ ret = -EPERM;
64802+ goto out_put_task_struct;
64803+ }
64804+
64805 if (request == PTRACE_ATTACH) {
64806 ret = ptrace_attach(child);
64807 /*
64808 * Some architectures need to do book-keeping after
64809 * a ptrace attach.
64810 */
64811- if (!ret)
64812+ if (!ret) {
64813 arch_ptrace_attach(child);
64814+ gr_audit_ptrace(child);
64815+ }
64816 goto out_put_task_struct;
64817 }
64818
64819@@ -793,7 +819,7 @@ int generic_ptrace_peekdata(struct task_
64820 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
64821 if (copied != sizeof(tmp))
64822 return -EIO;
64823- return put_user(tmp, (unsigned long __user *)data);
64824+ return put_user(tmp, (__force unsigned long __user *)data);
64825 }
64826
64827 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
64828@@ -816,6 +842,8 @@ int compat_ptrace_request(struct task_st
64829 siginfo_t siginfo;
64830 int ret;
64831
64832+ pax_track_stack();
64833+
64834 switch (request) {
64835 case PTRACE_PEEKTEXT:
64836 case PTRACE_PEEKDATA:
64837@@ -903,14 +931,21 @@ asmlinkage long compat_sys_ptrace(compat
64838 goto out;
64839 }
64840
64841+ if (gr_handle_ptrace(child, request)) {
64842+ ret = -EPERM;
64843+ goto out_put_task_struct;
64844+ }
64845+
64846 if (request == PTRACE_ATTACH) {
64847 ret = ptrace_attach(child);
64848 /*
64849 * Some architectures need to do book-keeping after
64850 * a ptrace attach.
64851 */
64852- if (!ret)
64853+ if (!ret) {
64854 arch_ptrace_attach(child);
64855+ gr_audit_ptrace(child);
64856+ }
64857 goto out_put_task_struct;
64858 }
64859
64860diff -urNp linux-3.0.7/kernel/rcutorture.c linux-3.0.7/kernel/rcutorture.c
64861--- linux-3.0.7/kernel/rcutorture.c 2011-07-21 22:17:23.000000000 -0400
64862+++ linux-3.0.7/kernel/rcutorture.c 2011-08-23 21:47:56.000000000 -0400
64863@@ -138,12 +138,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
64864 { 0 };
64865 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
64866 { 0 };
64867-static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
64868-static atomic_t n_rcu_torture_alloc;
64869-static atomic_t n_rcu_torture_alloc_fail;
64870-static atomic_t n_rcu_torture_free;
64871-static atomic_t n_rcu_torture_mberror;
64872-static atomic_t n_rcu_torture_error;
64873+static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
64874+static atomic_unchecked_t n_rcu_torture_alloc;
64875+static atomic_unchecked_t n_rcu_torture_alloc_fail;
64876+static atomic_unchecked_t n_rcu_torture_free;
64877+static atomic_unchecked_t n_rcu_torture_mberror;
64878+static atomic_unchecked_t n_rcu_torture_error;
64879 static long n_rcu_torture_boost_ktrerror;
64880 static long n_rcu_torture_boost_rterror;
64881 static long n_rcu_torture_boost_failure;
64882@@ -223,11 +223,11 @@ rcu_torture_alloc(void)
64883
64884 spin_lock_bh(&rcu_torture_lock);
64885 if (list_empty(&rcu_torture_freelist)) {
64886- atomic_inc(&n_rcu_torture_alloc_fail);
64887+ atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
64888 spin_unlock_bh(&rcu_torture_lock);
64889 return NULL;
64890 }
64891- atomic_inc(&n_rcu_torture_alloc);
64892+ atomic_inc_unchecked(&n_rcu_torture_alloc);
64893 p = rcu_torture_freelist.next;
64894 list_del_init(p);
64895 spin_unlock_bh(&rcu_torture_lock);
64896@@ -240,7 +240,7 @@ rcu_torture_alloc(void)
64897 static void
64898 rcu_torture_free(struct rcu_torture *p)
64899 {
64900- atomic_inc(&n_rcu_torture_free);
64901+ atomic_inc_unchecked(&n_rcu_torture_free);
64902 spin_lock_bh(&rcu_torture_lock);
64903 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
64904 spin_unlock_bh(&rcu_torture_lock);
64905@@ -360,7 +360,7 @@ rcu_torture_cb(struct rcu_head *p)
64906 i = rp->rtort_pipe_count;
64907 if (i > RCU_TORTURE_PIPE_LEN)
64908 i = RCU_TORTURE_PIPE_LEN;
64909- atomic_inc(&rcu_torture_wcount[i]);
64910+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
64911 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
64912 rp->rtort_mbtest = 0;
64913 rcu_torture_free(rp);
64914@@ -407,7 +407,7 @@ static void rcu_sync_torture_deferred_fr
64915 i = rp->rtort_pipe_count;
64916 if (i > RCU_TORTURE_PIPE_LEN)
64917 i = RCU_TORTURE_PIPE_LEN;
64918- atomic_inc(&rcu_torture_wcount[i]);
64919+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
64920 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
64921 rp->rtort_mbtest = 0;
64922 list_del(&rp->rtort_free);
64923@@ -882,7 +882,7 @@ rcu_torture_writer(void *arg)
64924 i = old_rp->rtort_pipe_count;
64925 if (i > RCU_TORTURE_PIPE_LEN)
64926 i = RCU_TORTURE_PIPE_LEN;
64927- atomic_inc(&rcu_torture_wcount[i]);
64928+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
64929 old_rp->rtort_pipe_count++;
64930 cur_ops->deferred_free(old_rp);
64931 }
64932@@ -951,7 +951,7 @@ static void rcu_torture_timer(unsigned l
64933 return;
64934 }
64935 if (p->rtort_mbtest == 0)
64936- atomic_inc(&n_rcu_torture_mberror);
64937+ atomic_inc_unchecked(&n_rcu_torture_mberror);
64938 spin_lock(&rand_lock);
64939 cur_ops->read_delay(&rand);
64940 n_rcu_torture_timers++;
64941@@ -1013,7 +1013,7 @@ rcu_torture_reader(void *arg)
64942 continue;
64943 }
64944 if (p->rtort_mbtest == 0)
64945- atomic_inc(&n_rcu_torture_mberror);
64946+ atomic_inc_unchecked(&n_rcu_torture_mberror);
64947 cur_ops->read_delay(&rand);
64948 preempt_disable();
64949 pipe_count = p->rtort_pipe_count;
64950@@ -1072,16 +1072,16 @@ rcu_torture_printk(char *page)
64951 rcu_torture_current,
64952 rcu_torture_current_version,
64953 list_empty(&rcu_torture_freelist),
64954- atomic_read(&n_rcu_torture_alloc),
64955- atomic_read(&n_rcu_torture_alloc_fail),
64956- atomic_read(&n_rcu_torture_free),
64957- atomic_read(&n_rcu_torture_mberror),
64958+ atomic_read_unchecked(&n_rcu_torture_alloc),
64959+ atomic_read_unchecked(&n_rcu_torture_alloc_fail),
64960+ atomic_read_unchecked(&n_rcu_torture_free),
64961+ atomic_read_unchecked(&n_rcu_torture_mberror),
64962 n_rcu_torture_boost_ktrerror,
64963 n_rcu_torture_boost_rterror,
64964 n_rcu_torture_boost_failure,
64965 n_rcu_torture_boosts,
64966 n_rcu_torture_timers);
64967- if (atomic_read(&n_rcu_torture_mberror) != 0 ||
64968+ if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
64969 n_rcu_torture_boost_ktrerror != 0 ||
64970 n_rcu_torture_boost_rterror != 0 ||
64971 n_rcu_torture_boost_failure != 0)
64972@@ -1089,7 +1089,7 @@ rcu_torture_printk(char *page)
64973 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
64974 if (i > 1) {
64975 cnt += sprintf(&page[cnt], "!!! ");
64976- atomic_inc(&n_rcu_torture_error);
64977+ atomic_inc_unchecked(&n_rcu_torture_error);
64978 WARN_ON_ONCE(1);
64979 }
64980 cnt += sprintf(&page[cnt], "Reader Pipe: ");
64981@@ -1103,7 +1103,7 @@ rcu_torture_printk(char *page)
64982 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
64983 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
64984 cnt += sprintf(&page[cnt], " %d",
64985- atomic_read(&rcu_torture_wcount[i]));
64986+ atomic_read_unchecked(&rcu_torture_wcount[i]));
64987 }
64988 cnt += sprintf(&page[cnt], "\n");
64989 if (cur_ops->stats)
64990@@ -1412,7 +1412,7 @@ rcu_torture_cleanup(void)
64991
64992 if (cur_ops->cleanup)
64993 cur_ops->cleanup();
64994- if (atomic_read(&n_rcu_torture_error))
64995+ if (atomic_read_unchecked(&n_rcu_torture_error))
64996 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
64997 else
64998 rcu_torture_print_module_parms(cur_ops, "End of test: SUCCESS");
64999@@ -1476,17 +1476,17 @@ rcu_torture_init(void)
65000
65001 rcu_torture_current = NULL;
65002 rcu_torture_current_version = 0;
65003- atomic_set(&n_rcu_torture_alloc, 0);
65004- atomic_set(&n_rcu_torture_alloc_fail, 0);
65005- atomic_set(&n_rcu_torture_free, 0);
65006- atomic_set(&n_rcu_torture_mberror, 0);
65007- atomic_set(&n_rcu_torture_error, 0);
65008+ atomic_set_unchecked(&n_rcu_torture_alloc, 0);
65009+ atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
65010+ atomic_set_unchecked(&n_rcu_torture_free, 0);
65011+ atomic_set_unchecked(&n_rcu_torture_mberror, 0);
65012+ atomic_set_unchecked(&n_rcu_torture_error, 0);
65013 n_rcu_torture_boost_ktrerror = 0;
65014 n_rcu_torture_boost_rterror = 0;
65015 n_rcu_torture_boost_failure = 0;
65016 n_rcu_torture_boosts = 0;
65017 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
65018- atomic_set(&rcu_torture_wcount[i], 0);
65019+ atomic_set_unchecked(&rcu_torture_wcount[i], 0);
65020 for_each_possible_cpu(cpu) {
65021 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
65022 per_cpu(rcu_torture_count, cpu)[i] = 0;
65023diff -urNp linux-3.0.7/kernel/rcutree.c linux-3.0.7/kernel/rcutree.c
65024--- linux-3.0.7/kernel/rcutree.c 2011-07-21 22:17:23.000000000 -0400
65025+++ linux-3.0.7/kernel/rcutree.c 2011-09-14 09:08:05.000000000 -0400
65026@@ -356,9 +356,9 @@ void rcu_enter_nohz(void)
65027 }
65028 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
65029 smp_mb__before_atomic_inc(); /* See above. */
65030- atomic_inc(&rdtp->dynticks);
65031+ atomic_inc_unchecked(&rdtp->dynticks);
65032 smp_mb__after_atomic_inc(); /* Force ordering with next sojourn. */
65033- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
65034+ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
65035 local_irq_restore(flags);
65036
65037 /* If the interrupt queued a callback, get out of dyntick mode. */
65038@@ -387,10 +387,10 @@ void rcu_exit_nohz(void)
65039 return;
65040 }
65041 smp_mb__before_atomic_inc(); /* Force ordering w/previous sojourn. */
65042- atomic_inc(&rdtp->dynticks);
65043+ atomic_inc_unchecked(&rdtp->dynticks);
65044 /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
65045 smp_mb__after_atomic_inc(); /* See above. */
65046- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
65047+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
65048 local_irq_restore(flags);
65049 }
65050
65051@@ -406,14 +406,14 @@ void rcu_nmi_enter(void)
65052 struct rcu_dynticks *rdtp = &__get_cpu_var(rcu_dynticks);
65053
65054 if (rdtp->dynticks_nmi_nesting == 0 &&
65055- (atomic_read(&rdtp->dynticks) & 0x1))
65056+ (atomic_read_unchecked(&rdtp->dynticks) & 0x1))
65057 return;
65058 rdtp->dynticks_nmi_nesting++;
65059 smp_mb__before_atomic_inc(); /* Force delay from prior write. */
65060- atomic_inc(&rdtp->dynticks);
65061+ atomic_inc_unchecked(&rdtp->dynticks);
65062 /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
65063 smp_mb__after_atomic_inc(); /* See above. */
65064- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
65065+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
65066 }
65067
65068 /**
65069@@ -432,9 +432,9 @@ void rcu_nmi_exit(void)
65070 return;
65071 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
65072 smp_mb__before_atomic_inc(); /* See above. */
65073- atomic_inc(&rdtp->dynticks);
65074+ atomic_inc_unchecked(&rdtp->dynticks);
65075 smp_mb__after_atomic_inc(); /* Force delay to next write. */
65076- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
65077+ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
65078 }
65079
65080 /**
65081@@ -469,7 +469,7 @@ void rcu_irq_exit(void)
65082 */
65083 static int dyntick_save_progress_counter(struct rcu_data *rdp)
65084 {
65085- rdp->dynticks_snap = atomic_add_return(0, &rdp->dynticks->dynticks);
65086+ rdp->dynticks_snap = atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
65087 return 0;
65088 }
65089
65090@@ -484,7 +484,7 @@ static int rcu_implicit_dynticks_qs(stru
65091 unsigned long curr;
65092 unsigned long snap;
65093
65094- curr = (unsigned long)atomic_add_return(0, &rdp->dynticks->dynticks);
65095+ curr = (unsigned long)atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
65096 snap = (unsigned long)rdp->dynticks_snap;
65097
65098 /*
65099@@ -1470,7 +1470,7 @@ __rcu_process_callbacks(struct rcu_state
65100 /*
65101 * Do softirq processing for the current CPU.
65102 */
65103-static void rcu_process_callbacks(struct softirq_action *unused)
65104+static void rcu_process_callbacks(void)
65105 {
65106 __rcu_process_callbacks(&rcu_sched_state,
65107 &__get_cpu_var(rcu_sched_data));
65108diff -urNp linux-3.0.7/kernel/rcutree.h linux-3.0.7/kernel/rcutree.h
65109--- linux-3.0.7/kernel/rcutree.h 2011-07-21 22:17:23.000000000 -0400
65110+++ linux-3.0.7/kernel/rcutree.h 2011-09-14 09:08:05.000000000 -0400
65111@@ -86,7 +86,7 @@
65112 struct rcu_dynticks {
65113 int dynticks_nesting; /* Track irq/process nesting level. */
65114 int dynticks_nmi_nesting; /* Track NMI nesting level. */
65115- atomic_t dynticks; /* Even value for dynticks-idle, else odd. */
65116+ atomic_unchecked_t dynticks; /* Even value for dynticks-idle, else odd. */
65117 };
65118
65119 /* RCU's kthread states for tracing. */
65120diff -urNp linux-3.0.7/kernel/rcutree_plugin.h linux-3.0.7/kernel/rcutree_plugin.h
65121--- linux-3.0.7/kernel/rcutree_plugin.h 2011-07-21 22:17:23.000000000 -0400
65122+++ linux-3.0.7/kernel/rcutree_plugin.h 2011-08-23 21:47:56.000000000 -0400
65123@@ -822,7 +822,7 @@ void synchronize_rcu_expedited(void)
65124
65125 /* Clean up and exit. */
65126 smp_mb(); /* ensure expedited GP seen before counter increment. */
65127- ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
65128+ ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
65129 unlock_mb_ret:
65130 mutex_unlock(&sync_rcu_preempt_exp_mutex);
65131 mb_ret:
65132@@ -1774,8 +1774,8 @@ EXPORT_SYMBOL_GPL(synchronize_sched_expe
65133
65134 #else /* #ifndef CONFIG_SMP */
65135
65136-static atomic_t sync_sched_expedited_started = ATOMIC_INIT(0);
65137-static atomic_t sync_sched_expedited_done = ATOMIC_INIT(0);
65138+static atomic_unchecked_t sync_sched_expedited_started = ATOMIC_INIT(0);
65139+static atomic_unchecked_t sync_sched_expedited_done = ATOMIC_INIT(0);
65140
65141 static int synchronize_sched_expedited_cpu_stop(void *data)
65142 {
65143@@ -1830,7 +1830,7 @@ void synchronize_sched_expedited(void)
65144 int firstsnap, s, snap, trycount = 0;
65145
65146 /* Note that atomic_inc_return() implies full memory barrier. */
65147- firstsnap = snap = atomic_inc_return(&sync_sched_expedited_started);
65148+ firstsnap = snap = atomic_inc_return_unchecked(&sync_sched_expedited_started);
65149 get_online_cpus();
65150
65151 /*
65152@@ -1851,7 +1851,7 @@ void synchronize_sched_expedited(void)
65153 }
65154
65155 /* Check to see if someone else did our work for us. */
65156- s = atomic_read(&sync_sched_expedited_done);
65157+ s = atomic_read_unchecked(&sync_sched_expedited_done);
65158 if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) {
65159 smp_mb(); /* ensure test happens before caller kfree */
65160 return;
65161@@ -1866,7 +1866,7 @@ void synchronize_sched_expedited(void)
65162 * grace period works for us.
65163 */
65164 get_online_cpus();
65165- snap = atomic_read(&sync_sched_expedited_started) - 1;
65166+ snap = atomic_read_unchecked(&sync_sched_expedited_started) - 1;
65167 smp_mb(); /* ensure read is before try_stop_cpus(). */
65168 }
65169
65170@@ -1877,12 +1877,12 @@ void synchronize_sched_expedited(void)
65171 * than we did beat us to the punch.
65172 */
65173 do {
65174- s = atomic_read(&sync_sched_expedited_done);
65175+ s = atomic_read_unchecked(&sync_sched_expedited_done);
65176 if (UINT_CMP_GE((unsigned)s, (unsigned)snap)) {
65177 smp_mb(); /* ensure test happens before caller kfree */
65178 break;
65179 }
65180- } while (atomic_cmpxchg(&sync_sched_expedited_done, s, snap) != s);
65181+ } while (atomic_cmpxchg_unchecked(&sync_sched_expedited_done, s, snap) != s);
65182
65183 put_online_cpus();
65184 }
65185diff -urNp linux-3.0.7/kernel/relay.c linux-3.0.7/kernel/relay.c
65186--- linux-3.0.7/kernel/relay.c 2011-07-21 22:17:23.000000000 -0400
65187+++ linux-3.0.7/kernel/relay.c 2011-08-23 21:48:14.000000000 -0400
65188@@ -1236,6 +1236,8 @@ static ssize_t subbuf_splice_actor(struc
65189 };
65190 ssize_t ret;
65191
65192+ pax_track_stack();
65193+
65194 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
65195 return 0;
65196 if (splice_grow_spd(pipe, &spd))
65197diff -urNp linux-3.0.7/kernel/resource.c linux-3.0.7/kernel/resource.c
65198--- linux-3.0.7/kernel/resource.c 2011-07-21 22:17:23.000000000 -0400
65199+++ linux-3.0.7/kernel/resource.c 2011-08-23 21:48:14.000000000 -0400
65200@@ -141,8 +141,18 @@ static const struct file_operations proc
65201
65202 static int __init ioresources_init(void)
65203 {
65204+#ifdef CONFIG_GRKERNSEC_PROC_ADD
65205+#ifdef CONFIG_GRKERNSEC_PROC_USER
65206+ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
65207+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
65208+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
65209+ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
65210+ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
65211+#endif
65212+#else
65213 proc_create("ioports", 0, NULL, &proc_ioports_operations);
65214 proc_create("iomem", 0, NULL, &proc_iomem_operations);
65215+#endif
65216 return 0;
65217 }
65218 __initcall(ioresources_init);
65219diff -urNp linux-3.0.7/kernel/rtmutex-tester.c linux-3.0.7/kernel/rtmutex-tester.c
65220--- linux-3.0.7/kernel/rtmutex-tester.c 2011-07-21 22:17:23.000000000 -0400
65221+++ linux-3.0.7/kernel/rtmutex-tester.c 2011-08-23 21:47:56.000000000 -0400
65222@@ -20,7 +20,7 @@
65223 #define MAX_RT_TEST_MUTEXES 8
65224
65225 static spinlock_t rttest_lock;
65226-static atomic_t rttest_event;
65227+static atomic_unchecked_t rttest_event;
65228
65229 struct test_thread_data {
65230 int opcode;
65231@@ -61,7 +61,7 @@ static int handle_op(struct test_thread_
65232
65233 case RTTEST_LOCKCONT:
65234 td->mutexes[td->opdata] = 1;
65235- td->event = atomic_add_return(1, &rttest_event);
65236+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65237 return 0;
65238
65239 case RTTEST_RESET:
65240@@ -74,7 +74,7 @@ static int handle_op(struct test_thread_
65241 return 0;
65242
65243 case RTTEST_RESETEVENT:
65244- atomic_set(&rttest_event, 0);
65245+ atomic_set_unchecked(&rttest_event, 0);
65246 return 0;
65247
65248 default:
65249@@ -91,9 +91,9 @@ static int handle_op(struct test_thread_
65250 return ret;
65251
65252 td->mutexes[id] = 1;
65253- td->event = atomic_add_return(1, &rttest_event);
65254+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65255 rt_mutex_lock(&mutexes[id]);
65256- td->event = atomic_add_return(1, &rttest_event);
65257+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65258 td->mutexes[id] = 4;
65259 return 0;
65260
65261@@ -104,9 +104,9 @@ static int handle_op(struct test_thread_
65262 return ret;
65263
65264 td->mutexes[id] = 1;
65265- td->event = atomic_add_return(1, &rttest_event);
65266+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65267 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
65268- td->event = atomic_add_return(1, &rttest_event);
65269+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65270 td->mutexes[id] = ret ? 0 : 4;
65271 return ret ? -EINTR : 0;
65272
65273@@ -115,9 +115,9 @@ static int handle_op(struct test_thread_
65274 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
65275 return ret;
65276
65277- td->event = atomic_add_return(1, &rttest_event);
65278+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65279 rt_mutex_unlock(&mutexes[id]);
65280- td->event = atomic_add_return(1, &rttest_event);
65281+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65282 td->mutexes[id] = 0;
65283 return 0;
65284
65285@@ -164,7 +164,7 @@ void schedule_rt_mutex_test(struct rt_mu
65286 break;
65287
65288 td->mutexes[dat] = 2;
65289- td->event = atomic_add_return(1, &rttest_event);
65290+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65291 break;
65292
65293 default:
65294@@ -184,7 +184,7 @@ void schedule_rt_mutex_test(struct rt_mu
65295 return;
65296
65297 td->mutexes[dat] = 3;
65298- td->event = atomic_add_return(1, &rttest_event);
65299+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65300 break;
65301
65302 case RTTEST_LOCKNOWAIT:
65303@@ -196,7 +196,7 @@ void schedule_rt_mutex_test(struct rt_mu
65304 return;
65305
65306 td->mutexes[dat] = 1;
65307- td->event = atomic_add_return(1, &rttest_event);
65308+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65309 return;
65310
65311 default:
65312diff -urNp linux-3.0.7/kernel/sched.c linux-3.0.7/kernel/sched.c
65313--- linux-3.0.7/kernel/sched.c 2011-10-17 23:17:09.000000000 -0400
65314+++ linux-3.0.7/kernel/sched.c 2011-10-17 23:17:19.000000000 -0400
65315@@ -4227,6 +4227,8 @@ static void __sched __schedule(void)
65316 struct rq *rq;
65317 int cpu;
65318
65319+ pax_track_stack();
65320+
65321 need_resched:
65322 preempt_disable();
65323 cpu = smp_processor_id();
65324@@ -4920,6 +4922,8 @@ int can_nice(const struct task_struct *p
65325 /* convert nice value [19,-20] to rlimit style value [1,40] */
65326 int nice_rlim = 20 - nice;
65327
65328+ gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
65329+
65330 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
65331 capable(CAP_SYS_NICE));
65332 }
65333@@ -4953,7 +4957,8 @@ SYSCALL_DEFINE1(nice, int, increment)
65334 if (nice > 19)
65335 nice = 19;
65336
65337- if (increment < 0 && !can_nice(current, nice))
65338+ if (increment < 0 && (!can_nice(current, nice) ||
65339+ gr_handle_chroot_nice()))
65340 return -EPERM;
65341
65342 retval = security_task_setnice(current, nice);
65343@@ -5097,6 +5102,7 @@ recheck:
65344 unsigned long rlim_rtprio =
65345 task_rlimit(p, RLIMIT_RTPRIO);
65346
65347+ gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
65348 /* can't set/change the rt policy */
65349 if (policy != p->policy && !rlim_rtprio)
65350 return -EPERM;
65351diff -urNp linux-3.0.7/kernel/sched_autogroup.c linux-3.0.7/kernel/sched_autogroup.c
65352--- linux-3.0.7/kernel/sched_autogroup.c 2011-07-21 22:17:23.000000000 -0400
65353+++ linux-3.0.7/kernel/sched_autogroup.c 2011-08-23 21:47:56.000000000 -0400
65354@@ -7,7 +7,7 @@
65355
65356 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
65357 static struct autogroup autogroup_default;
65358-static atomic_t autogroup_seq_nr;
65359+static atomic_unchecked_t autogroup_seq_nr;
65360
65361 static void __init autogroup_init(struct task_struct *init_task)
65362 {
65363@@ -78,7 +78,7 @@ static inline struct autogroup *autogrou
65364
65365 kref_init(&ag->kref);
65366 init_rwsem(&ag->lock);
65367- ag->id = atomic_inc_return(&autogroup_seq_nr);
65368+ ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
65369 ag->tg = tg;
65370 #ifdef CONFIG_RT_GROUP_SCHED
65371 /*
65372diff -urNp linux-3.0.7/kernel/sched_fair.c linux-3.0.7/kernel/sched_fair.c
65373--- linux-3.0.7/kernel/sched_fair.c 2011-07-21 22:17:23.000000000 -0400
65374+++ linux-3.0.7/kernel/sched_fair.c 2011-08-23 21:47:56.000000000 -0400
65375@@ -4050,7 +4050,7 @@ static void nohz_idle_balance(int this_c
65376 * run_rebalance_domains is triggered when needed from the scheduler tick.
65377 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
65378 */
65379-static void run_rebalance_domains(struct softirq_action *h)
65380+static void run_rebalance_domains(void)
65381 {
65382 int this_cpu = smp_processor_id();
65383 struct rq *this_rq = cpu_rq(this_cpu);
65384diff -urNp linux-3.0.7/kernel/signal.c linux-3.0.7/kernel/signal.c
65385--- linux-3.0.7/kernel/signal.c 2011-07-21 22:17:23.000000000 -0400
65386+++ linux-3.0.7/kernel/signal.c 2011-08-23 21:48:14.000000000 -0400
65387@@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
65388
65389 int print_fatal_signals __read_mostly;
65390
65391-static void __user *sig_handler(struct task_struct *t, int sig)
65392+static __sighandler_t sig_handler(struct task_struct *t, int sig)
65393 {
65394 return t->sighand->action[sig - 1].sa.sa_handler;
65395 }
65396
65397-static int sig_handler_ignored(void __user *handler, int sig)
65398+static int sig_handler_ignored(__sighandler_t handler, int sig)
65399 {
65400 /* Is it explicitly or implicitly ignored? */
65401 return handler == SIG_IGN ||
65402@@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
65403 static int sig_task_ignored(struct task_struct *t, int sig,
65404 int from_ancestor_ns)
65405 {
65406- void __user *handler;
65407+ __sighandler_t handler;
65408
65409 handler = sig_handler(t, sig);
65410
65411@@ -320,6 +320,9 @@ __sigqueue_alloc(int sig, struct task_st
65412 atomic_inc(&user->sigpending);
65413 rcu_read_unlock();
65414
65415+ if (!override_rlimit)
65416+ gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
65417+
65418 if (override_rlimit ||
65419 atomic_read(&user->sigpending) <=
65420 task_rlimit(t, RLIMIT_SIGPENDING)) {
65421@@ -444,7 +447,7 @@ flush_signal_handlers(struct task_struct
65422
65423 int unhandled_signal(struct task_struct *tsk, int sig)
65424 {
65425- void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
65426+ __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
65427 if (is_global_init(tsk))
65428 return 1;
65429 if (handler != SIG_IGN && handler != SIG_DFL)
65430@@ -770,6 +773,13 @@ static int check_kill_permission(int sig
65431 }
65432 }
65433
65434+ /* allow glibc communication via tgkill to other threads in our
65435+ thread group */
65436+ if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
65437+ sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
65438+ && gr_handle_signal(t, sig))
65439+ return -EPERM;
65440+
65441 return security_task_kill(t, info, sig, 0);
65442 }
65443
65444@@ -1092,7 +1102,7 @@ __group_send_sig_info(int sig, struct si
65445 return send_signal(sig, info, p, 1);
65446 }
65447
65448-static int
65449+int
65450 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
65451 {
65452 return send_signal(sig, info, t, 0);
65453@@ -1129,6 +1139,7 @@ force_sig_info(int sig, struct siginfo *
65454 unsigned long int flags;
65455 int ret, blocked, ignored;
65456 struct k_sigaction *action;
65457+ int is_unhandled = 0;
65458
65459 spin_lock_irqsave(&t->sighand->siglock, flags);
65460 action = &t->sighand->action[sig-1];
65461@@ -1143,9 +1154,18 @@ force_sig_info(int sig, struct siginfo *
65462 }
65463 if (action->sa.sa_handler == SIG_DFL)
65464 t->signal->flags &= ~SIGNAL_UNKILLABLE;
65465+ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
65466+ is_unhandled = 1;
65467 ret = specific_send_sig_info(sig, info, t);
65468 spin_unlock_irqrestore(&t->sighand->siglock, flags);
65469
65470+ /* only deal with unhandled signals, java etc trigger SIGSEGV during
65471+ normal operation */
65472+ if (is_unhandled) {
65473+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
65474+ gr_handle_crash(t, sig);
65475+ }
65476+
65477 return ret;
65478 }
65479
65480@@ -1212,8 +1232,11 @@ int group_send_sig_info(int sig, struct
65481 ret = check_kill_permission(sig, info, p);
65482 rcu_read_unlock();
65483
65484- if (!ret && sig)
65485+ if (!ret && sig) {
65486 ret = do_send_sig_info(sig, info, p, true);
65487+ if (!ret)
65488+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
65489+ }
65490
65491 return ret;
65492 }
65493@@ -1839,6 +1862,8 @@ void ptrace_notify(int exit_code)
65494 {
65495 siginfo_t info;
65496
65497+ pax_track_stack();
65498+
65499 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
65500
65501 memset(&info, 0, sizeof info);
65502@@ -2639,7 +2664,15 @@ do_send_specific(pid_t tgid, pid_t pid,
65503 int error = -ESRCH;
65504
65505 rcu_read_lock();
65506- p = find_task_by_vpid(pid);
65507+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
65508+ /* allow glibc communication via tgkill to other threads in our
65509+ thread group */
65510+ if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
65511+ sig == (SIGRTMIN+1) && tgid == info->si_pid)
65512+ p = find_task_by_vpid_unrestricted(pid);
65513+ else
65514+#endif
65515+ p = find_task_by_vpid(pid);
65516 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
65517 error = check_kill_permission(sig, info, p);
65518 /*
65519diff -urNp linux-3.0.7/kernel/smp.c linux-3.0.7/kernel/smp.c
65520--- linux-3.0.7/kernel/smp.c 2011-07-21 22:17:23.000000000 -0400
65521+++ linux-3.0.7/kernel/smp.c 2011-08-23 21:47:56.000000000 -0400
65522@@ -580,22 +580,22 @@ int smp_call_function(smp_call_func_t fu
65523 }
65524 EXPORT_SYMBOL(smp_call_function);
65525
65526-void ipi_call_lock(void)
65527+void ipi_call_lock(void) __acquires(call_function.lock)
65528 {
65529 raw_spin_lock(&call_function.lock);
65530 }
65531
65532-void ipi_call_unlock(void)
65533+void ipi_call_unlock(void) __releases(call_function.lock)
65534 {
65535 raw_spin_unlock(&call_function.lock);
65536 }
65537
65538-void ipi_call_lock_irq(void)
65539+void ipi_call_lock_irq(void) __acquires(call_function.lock)
65540 {
65541 raw_spin_lock_irq(&call_function.lock);
65542 }
65543
65544-void ipi_call_unlock_irq(void)
65545+void ipi_call_unlock_irq(void) __releases(call_function.lock)
65546 {
65547 raw_spin_unlock_irq(&call_function.lock);
65548 }
65549diff -urNp linux-3.0.7/kernel/softirq.c linux-3.0.7/kernel/softirq.c
65550--- linux-3.0.7/kernel/softirq.c 2011-07-21 22:17:23.000000000 -0400
65551+++ linux-3.0.7/kernel/softirq.c 2011-08-23 21:47:56.000000000 -0400
65552@@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
65553
65554 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
65555
65556-char *softirq_to_name[NR_SOFTIRQS] = {
65557+const char * const softirq_to_name[NR_SOFTIRQS] = {
65558 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
65559 "TASKLET", "SCHED", "HRTIMER", "RCU"
65560 };
65561@@ -235,7 +235,7 @@ restart:
65562 kstat_incr_softirqs_this_cpu(vec_nr);
65563
65564 trace_softirq_entry(vec_nr);
65565- h->action(h);
65566+ h->action();
65567 trace_softirq_exit(vec_nr);
65568 if (unlikely(prev_count != preempt_count())) {
65569 printk(KERN_ERR "huh, entered softirq %u %s %p"
65570@@ -385,9 +385,11 @@ void raise_softirq(unsigned int nr)
65571 local_irq_restore(flags);
65572 }
65573
65574-void open_softirq(int nr, void (*action)(struct softirq_action *))
65575+void open_softirq(int nr, void (*action)(void))
65576 {
65577- softirq_vec[nr].action = action;
65578+ pax_open_kernel();
65579+ *(void **)&softirq_vec[nr].action = action;
65580+ pax_close_kernel();
65581 }
65582
65583 /*
65584@@ -441,7 +443,7 @@ void __tasklet_hi_schedule_first(struct
65585
65586 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
65587
65588-static void tasklet_action(struct softirq_action *a)
65589+static void tasklet_action(void)
65590 {
65591 struct tasklet_struct *list;
65592
65593@@ -476,7 +478,7 @@ static void tasklet_action(struct softir
65594 }
65595 }
65596
65597-static void tasklet_hi_action(struct softirq_action *a)
65598+static void tasklet_hi_action(void)
65599 {
65600 struct tasklet_struct *list;
65601
65602diff -urNp linux-3.0.7/kernel/sys.c linux-3.0.7/kernel/sys.c
65603--- linux-3.0.7/kernel/sys.c 2011-09-02 18:11:26.000000000 -0400
65604+++ linux-3.0.7/kernel/sys.c 2011-10-06 04:17:55.000000000 -0400
65605@@ -158,6 +158,12 @@ static int set_one_prio(struct task_stru
65606 error = -EACCES;
65607 goto out;
65608 }
65609+
65610+ if (gr_handle_chroot_setpriority(p, niceval)) {
65611+ error = -EACCES;
65612+ goto out;
65613+ }
65614+
65615 no_nice = security_task_setnice(p, niceval);
65616 if (no_nice) {
65617 error = no_nice;
65618@@ -541,6 +547,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
65619 goto error;
65620 }
65621
65622+ if (gr_check_group_change(new->gid, new->egid, -1))
65623+ goto error;
65624+
65625 if (rgid != (gid_t) -1 ||
65626 (egid != (gid_t) -1 && egid != old->gid))
65627 new->sgid = new->egid;
65628@@ -570,6 +579,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
65629 old = current_cred();
65630
65631 retval = -EPERM;
65632+
65633+ if (gr_check_group_change(gid, gid, gid))
65634+ goto error;
65635+
65636 if (nsown_capable(CAP_SETGID))
65637 new->gid = new->egid = new->sgid = new->fsgid = gid;
65638 else if (gid == old->gid || gid == old->sgid)
65639@@ -595,11 +608,18 @@ static int set_user(struct cred *new)
65640 if (!new_user)
65641 return -EAGAIN;
65642
65643+ /*
65644+ * We don't fail in case of NPROC limit excess here because too many
65645+ * poorly written programs don't check set*uid() return code, assuming
65646+ * it never fails if called by root. We may still enforce NPROC limit
65647+ * for programs doing set*uid()+execve() by harmlessly deferring the
65648+ * failure to the execve() stage.
65649+ */
65650 if (atomic_read(&new_user->processes) >= rlimit(RLIMIT_NPROC) &&
65651- new_user != INIT_USER) {
65652- free_uid(new_user);
65653- return -EAGAIN;
65654- }
65655+ new_user != INIT_USER)
65656+ current->flags |= PF_NPROC_EXCEEDED;
65657+ else
65658+ current->flags &= ~PF_NPROC_EXCEEDED;
65659
65660 free_uid(new->user);
65661 new->user = new_user;
65662@@ -650,6 +670,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
65663 goto error;
65664 }
65665
65666+ if (gr_check_user_change(new->uid, new->euid, -1))
65667+ goto error;
65668+
65669 if (new->uid != old->uid) {
65670 retval = set_user(new);
65671 if (retval < 0)
65672@@ -694,6 +717,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
65673 old = current_cred();
65674
65675 retval = -EPERM;
65676+
65677+ if (gr_check_crash_uid(uid))
65678+ goto error;
65679+ if (gr_check_user_change(uid, uid, uid))
65680+ goto error;
65681+
65682 if (nsown_capable(CAP_SETUID)) {
65683 new->suid = new->uid = uid;
65684 if (uid != old->uid) {
65685@@ -748,6 +777,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
65686 goto error;
65687 }
65688
65689+ if (gr_check_user_change(ruid, euid, -1))
65690+ goto error;
65691+
65692 if (ruid != (uid_t) -1) {
65693 new->uid = ruid;
65694 if (ruid != old->uid) {
65695@@ -812,6 +844,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
65696 goto error;
65697 }
65698
65699+ if (gr_check_group_change(rgid, egid, -1))
65700+ goto error;
65701+
65702 if (rgid != (gid_t) -1)
65703 new->gid = rgid;
65704 if (egid != (gid_t) -1)
65705@@ -858,6 +893,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
65706 old = current_cred();
65707 old_fsuid = old->fsuid;
65708
65709+ if (gr_check_user_change(-1, -1, uid))
65710+ goto error;
65711+
65712 if (uid == old->uid || uid == old->euid ||
65713 uid == old->suid || uid == old->fsuid ||
65714 nsown_capable(CAP_SETUID)) {
65715@@ -868,6 +906,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
65716 }
65717 }
65718
65719+error:
65720 abort_creds(new);
65721 return old_fsuid;
65722
65723@@ -894,12 +933,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
65724 if (gid == old->gid || gid == old->egid ||
65725 gid == old->sgid || gid == old->fsgid ||
65726 nsown_capable(CAP_SETGID)) {
65727+ if (gr_check_group_change(-1, -1, gid))
65728+ goto error;
65729+
65730 if (gid != old_fsgid) {
65731 new->fsgid = gid;
65732 goto change_okay;
65733 }
65734 }
65735
65736+error:
65737 abort_creds(new);
65738 return old_fsgid;
65739
65740@@ -1205,19 +1248,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_
65741 return -EFAULT;
65742
65743 down_read(&uts_sem);
65744- error = __copy_to_user(&name->sysname, &utsname()->sysname,
65745+ error = __copy_to_user(name->sysname, &utsname()->sysname,
65746 __OLD_UTS_LEN);
65747 error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
65748- error |= __copy_to_user(&name->nodename, &utsname()->nodename,
65749+ error |= __copy_to_user(name->nodename, &utsname()->nodename,
65750 __OLD_UTS_LEN);
65751 error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
65752- error |= __copy_to_user(&name->release, &utsname()->release,
65753+ error |= __copy_to_user(name->release, &utsname()->release,
65754 __OLD_UTS_LEN);
65755 error |= __put_user(0, name->release + __OLD_UTS_LEN);
65756- error |= __copy_to_user(&name->version, &utsname()->version,
65757+ error |= __copy_to_user(name->version, &utsname()->version,
65758 __OLD_UTS_LEN);
65759 error |= __put_user(0, name->version + __OLD_UTS_LEN);
65760- error |= __copy_to_user(&name->machine, &utsname()->machine,
65761+ error |= __copy_to_user(name->machine, &utsname()->machine,
65762 __OLD_UTS_LEN);
65763 error |= __put_user(0, name->machine + __OLD_UTS_LEN);
65764 up_read(&uts_sem);
65765@@ -1680,7 +1723,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
65766 error = get_dumpable(me->mm);
65767 break;
65768 case PR_SET_DUMPABLE:
65769- if (arg2 < 0 || arg2 > 1) {
65770+ if (arg2 > 1) {
65771 error = -EINVAL;
65772 break;
65773 }
65774diff -urNp linux-3.0.7/kernel/sysctl.c linux-3.0.7/kernel/sysctl.c
65775--- linux-3.0.7/kernel/sysctl.c 2011-07-21 22:17:23.000000000 -0400
65776+++ linux-3.0.7/kernel/sysctl.c 2011-08-23 21:48:14.000000000 -0400
65777@@ -85,6 +85,13 @@
65778
65779
65780 #if defined(CONFIG_SYSCTL)
65781+#include <linux/grsecurity.h>
65782+#include <linux/grinternal.h>
65783+
65784+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
65785+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
65786+ const int op);
65787+extern int gr_handle_chroot_sysctl(const int op);
65788
65789 /* External variables not in a header file. */
65790 extern int sysctl_overcommit_memory;
65791@@ -197,6 +204,7 @@ static int sysrq_sysctl_handler(ctl_tabl
65792 }
65793
65794 #endif
65795+extern struct ctl_table grsecurity_table[];
65796
65797 static struct ctl_table root_table[];
65798 static struct ctl_table_root sysctl_table_root;
65799@@ -226,6 +234,20 @@ extern struct ctl_table epoll_table[];
65800 int sysctl_legacy_va_layout;
65801 #endif
65802
65803+#ifdef CONFIG_PAX_SOFTMODE
65804+static ctl_table pax_table[] = {
65805+ {
65806+ .procname = "softmode",
65807+ .data = &pax_softmode,
65808+ .maxlen = sizeof(unsigned int),
65809+ .mode = 0600,
65810+ .proc_handler = &proc_dointvec,
65811+ },
65812+
65813+ { }
65814+};
65815+#endif
65816+
65817 /* The default sysctl tables: */
65818
65819 static struct ctl_table root_table[] = {
65820@@ -272,6 +294,22 @@ static int max_extfrag_threshold = 1000;
65821 #endif
65822
65823 static struct ctl_table kern_table[] = {
65824+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
65825+ {
65826+ .procname = "grsecurity",
65827+ .mode = 0500,
65828+ .child = grsecurity_table,
65829+ },
65830+#endif
65831+
65832+#ifdef CONFIG_PAX_SOFTMODE
65833+ {
65834+ .procname = "pax",
65835+ .mode = 0500,
65836+ .child = pax_table,
65837+ },
65838+#endif
65839+
65840 {
65841 .procname = "sched_child_runs_first",
65842 .data = &sysctl_sched_child_runs_first,
65843@@ -546,7 +584,7 @@ static struct ctl_table kern_table[] = {
65844 .data = &modprobe_path,
65845 .maxlen = KMOD_PATH_LEN,
65846 .mode = 0644,
65847- .proc_handler = proc_dostring,
65848+ .proc_handler = proc_dostring_modpriv,
65849 },
65850 {
65851 .procname = "modules_disabled",
65852@@ -713,16 +751,20 @@ static struct ctl_table kern_table[] = {
65853 .extra1 = &zero,
65854 .extra2 = &one,
65855 },
65856+#endif
65857 {
65858 .procname = "kptr_restrict",
65859 .data = &kptr_restrict,
65860 .maxlen = sizeof(int),
65861 .mode = 0644,
65862 .proc_handler = proc_dmesg_restrict,
65863+#ifdef CONFIG_GRKERNSEC_HIDESYM
65864+ .extra1 = &two,
65865+#else
65866 .extra1 = &zero,
65867+#endif
65868 .extra2 = &two,
65869 },
65870-#endif
65871 {
65872 .procname = "ngroups_max",
65873 .data = &ngroups_max,
65874@@ -1205,6 +1247,13 @@ static struct ctl_table vm_table[] = {
65875 .proc_handler = proc_dointvec_minmax,
65876 .extra1 = &zero,
65877 },
65878+ {
65879+ .procname = "heap_stack_gap",
65880+ .data = &sysctl_heap_stack_gap,
65881+ .maxlen = sizeof(sysctl_heap_stack_gap),
65882+ .mode = 0644,
65883+ .proc_handler = proc_doulongvec_minmax,
65884+ },
65885 #else
65886 {
65887 .procname = "nr_trim_pages",
65888@@ -1714,6 +1763,17 @@ static int test_perm(int mode, int op)
65889 int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
65890 {
65891 int mode;
65892+ int error;
65893+
65894+ if (table->parent != NULL && table->parent->procname != NULL &&
65895+ table->procname != NULL &&
65896+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
65897+ return -EACCES;
65898+ if (gr_handle_chroot_sysctl(op))
65899+ return -EACCES;
65900+ error = gr_handle_sysctl(table, op);
65901+ if (error)
65902+ return error;
65903
65904 if (root->permissions)
65905 mode = root->permissions(root, current->nsproxy, table);
65906@@ -2118,6 +2178,16 @@ int proc_dostring(struct ctl_table *tabl
65907 buffer, lenp, ppos);
65908 }
65909
65910+int proc_dostring_modpriv(struct ctl_table *table, int write,
65911+ void __user *buffer, size_t *lenp, loff_t *ppos)
65912+{
65913+ if (write && !capable(CAP_SYS_MODULE))
65914+ return -EPERM;
65915+
65916+ return _proc_do_string(table->data, table->maxlen, write,
65917+ buffer, lenp, ppos);
65918+}
65919+
65920 static size_t proc_skip_spaces(char **buf)
65921 {
65922 size_t ret;
65923@@ -2223,6 +2293,8 @@ static int proc_put_long(void __user **b
65924 len = strlen(tmp);
65925 if (len > *size)
65926 len = *size;
65927+ if (len > sizeof(tmp))
65928+ len = sizeof(tmp);
65929 if (copy_to_user(*buf, tmp, len))
65930 return -EFAULT;
65931 *size -= len;
65932@@ -2539,8 +2611,11 @@ static int __do_proc_doulongvec_minmax(v
65933 *i = val;
65934 } else {
65935 val = convdiv * (*i) / convmul;
65936- if (!first)
65937+ if (!first) {
65938 err = proc_put_char(&buffer, &left, '\t');
65939+ if (err)
65940+ break;
65941+ }
65942 err = proc_put_long(&buffer, &left, val, false);
65943 if (err)
65944 break;
65945@@ -2935,6 +3010,12 @@ int proc_dostring(struct ctl_table *tabl
65946 return -ENOSYS;
65947 }
65948
65949+int proc_dostring_modpriv(struct ctl_table *table, int write,
65950+ void __user *buffer, size_t *lenp, loff_t *ppos)
65951+{
65952+ return -ENOSYS;
65953+}
65954+
65955 int proc_dointvec(struct ctl_table *table, int write,
65956 void __user *buffer, size_t *lenp, loff_t *ppos)
65957 {
65958@@ -2991,6 +3072,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
65959 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
65960 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
65961 EXPORT_SYMBOL(proc_dostring);
65962+EXPORT_SYMBOL(proc_dostring_modpriv);
65963 EXPORT_SYMBOL(proc_doulongvec_minmax);
65964 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
65965 EXPORT_SYMBOL(register_sysctl_table);
65966diff -urNp linux-3.0.7/kernel/sysctl_binary.c linux-3.0.7/kernel/sysctl_binary.c
65967--- linux-3.0.7/kernel/sysctl_binary.c 2011-07-21 22:17:23.000000000 -0400
65968+++ linux-3.0.7/kernel/sysctl_binary.c 2011-10-06 04:17:55.000000000 -0400
65969@@ -989,7 +989,7 @@ static ssize_t bin_intvec(struct file *f
65970 int i;
65971
65972 set_fs(KERNEL_DS);
65973- result = vfs_read(file, buffer, BUFSZ - 1, &pos);
65974+ result = vfs_read(file, (char __force_user *)buffer, BUFSZ - 1, &pos);
65975 set_fs(old_fs);
65976 if (result < 0)
65977 goto out_kfree;
65978@@ -1034,7 +1034,7 @@ static ssize_t bin_intvec(struct file *f
65979 }
65980
65981 set_fs(KERNEL_DS);
65982- result = vfs_write(file, buffer, str - buffer, &pos);
65983+ result = vfs_write(file, (const char __force_user *)buffer, str - buffer, &pos);
65984 set_fs(old_fs);
65985 if (result < 0)
65986 goto out_kfree;
65987@@ -1067,7 +1067,7 @@ static ssize_t bin_ulongvec(struct file
65988 int i;
65989
65990 set_fs(KERNEL_DS);
65991- result = vfs_read(file, buffer, BUFSZ - 1, &pos);
65992+ result = vfs_read(file, (char __force_user *)buffer, BUFSZ - 1, &pos);
65993 set_fs(old_fs);
65994 if (result < 0)
65995 goto out_kfree;
65996@@ -1112,7 +1112,7 @@ static ssize_t bin_ulongvec(struct file
65997 }
65998
65999 set_fs(KERNEL_DS);
66000- result = vfs_write(file, buffer, str - buffer, &pos);
66001+ result = vfs_write(file, (const char __force_user *)buffer, str - buffer, &pos);
66002 set_fs(old_fs);
66003 if (result < 0)
66004 goto out_kfree;
66005@@ -1138,7 +1138,7 @@ static ssize_t bin_uuid(struct file *fil
66006 int i;
66007
66008 set_fs(KERNEL_DS);
66009- result = vfs_read(file, buf, sizeof(buf) - 1, &pos);
66010+ result = vfs_read(file, (char __force_user *)buf, sizeof(buf) - 1, &pos);
66011 set_fs(old_fs);
66012 if (result < 0)
66013 goto out;
66014@@ -1185,7 +1185,7 @@ static ssize_t bin_dn_node_address(struc
66015 __le16 dnaddr;
66016
66017 set_fs(KERNEL_DS);
66018- result = vfs_read(file, buf, sizeof(buf) - 1, &pos);
66019+ result = vfs_read(file, (char __force_user *)buf, sizeof(buf) - 1, &pos);
66020 set_fs(old_fs);
66021 if (result < 0)
66022 goto out;
66023@@ -1233,7 +1233,7 @@ static ssize_t bin_dn_node_address(struc
66024 le16_to_cpu(dnaddr) & 0x3ff);
66025
66026 set_fs(KERNEL_DS);
66027- result = vfs_write(file, buf, len, &pos);
66028+ result = vfs_write(file, (const char __force_user *)buf, len, &pos);
66029 set_fs(old_fs);
66030 if (result < 0)
66031 goto out;
66032diff -urNp linux-3.0.7/kernel/sysctl_check.c linux-3.0.7/kernel/sysctl_check.c
66033--- linux-3.0.7/kernel/sysctl_check.c 2011-07-21 22:17:23.000000000 -0400
66034+++ linux-3.0.7/kernel/sysctl_check.c 2011-08-23 21:48:14.000000000 -0400
66035@@ -129,6 +129,7 @@ int sysctl_check_table(struct nsproxy *n
66036 set_fail(&fail, table, "Directory with extra2");
66037 } else {
66038 if ((table->proc_handler == proc_dostring) ||
66039+ (table->proc_handler == proc_dostring_modpriv) ||
66040 (table->proc_handler == proc_dointvec) ||
66041 (table->proc_handler == proc_dointvec_minmax) ||
66042 (table->proc_handler == proc_dointvec_jiffies) ||
66043diff -urNp linux-3.0.7/kernel/taskstats.c linux-3.0.7/kernel/taskstats.c
66044--- linux-3.0.7/kernel/taskstats.c 2011-07-21 22:17:23.000000000 -0400
66045+++ linux-3.0.7/kernel/taskstats.c 2011-08-23 21:48:14.000000000 -0400
66046@@ -27,9 +27,12 @@
66047 #include <linux/cgroup.h>
66048 #include <linux/fs.h>
66049 #include <linux/file.h>
66050+#include <linux/grsecurity.h>
66051 #include <net/genetlink.h>
66052 #include <asm/atomic.h>
66053
66054+extern int gr_is_taskstats_denied(int pid);
66055+
66056 /*
66057 * Maximum length of a cpumask that can be specified in
66058 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
66059@@ -558,6 +561,9 @@ err:
66060
66061 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
66062 {
66063+ if (gr_is_taskstats_denied(current->pid))
66064+ return -EACCES;
66065+
66066 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
66067 return cmd_attr_register_cpumask(info);
66068 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
66069diff -urNp linux-3.0.7/kernel/time/alarmtimer.c linux-3.0.7/kernel/time/alarmtimer.c
66070--- linux-3.0.7/kernel/time/alarmtimer.c 2011-10-16 21:54:54.000000000 -0400
66071+++ linux-3.0.7/kernel/time/alarmtimer.c 2011-10-16 21:55:28.000000000 -0400
66072@@ -693,7 +693,7 @@ static int __init alarmtimer_init(void)
66073 {
66074 int error = 0;
66075 int i;
66076- struct k_clock alarm_clock = {
66077+ static struct k_clock alarm_clock = {
66078 .clock_getres = alarm_clock_getres,
66079 .clock_get = alarm_clock_get,
66080 .timer_create = alarm_timer_create,
66081diff -urNp linux-3.0.7/kernel/time/tick-broadcast.c linux-3.0.7/kernel/time/tick-broadcast.c
66082--- linux-3.0.7/kernel/time/tick-broadcast.c 2011-07-21 22:17:23.000000000 -0400
66083+++ linux-3.0.7/kernel/time/tick-broadcast.c 2011-08-23 21:47:56.000000000 -0400
66084@@ -115,7 +115,7 @@ int tick_device_uses_broadcast(struct cl
66085 * then clear the broadcast bit.
66086 */
66087 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
66088- int cpu = smp_processor_id();
66089+ cpu = smp_processor_id();
66090
66091 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
66092 tick_broadcast_clear_oneshot(cpu);
66093diff -urNp linux-3.0.7/kernel/time/timekeeping.c linux-3.0.7/kernel/time/timekeeping.c
66094--- linux-3.0.7/kernel/time/timekeeping.c 2011-07-21 22:17:23.000000000 -0400
66095+++ linux-3.0.7/kernel/time/timekeeping.c 2011-08-23 21:48:14.000000000 -0400
66096@@ -14,6 +14,7 @@
66097 #include <linux/init.h>
66098 #include <linux/mm.h>
66099 #include <linux/sched.h>
66100+#include <linux/grsecurity.h>
66101 #include <linux/syscore_ops.h>
66102 #include <linux/clocksource.h>
66103 #include <linux/jiffies.h>
66104@@ -361,6 +362,8 @@ int do_settimeofday(const struct timespe
66105 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
66106 return -EINVAL;
66107
66108+ gr_log_timechange();
66109+
66110 write_seqlock_irqsave(&xtime_lock, flags);
66111
66112 timekeeping_forward_now();
66113diff -urNp linux-3.0.7/kernel/time/timer_list.c linux-3.0.7/kernel/time/timer_list.c
66114--- linux-3.0.7/kernel/time/timer_list.c 2011-07-21 22:17:23.000000000 -0400
66115+++ linux-3.0.7/kernel/time/timer_list.c 2011-08-23 21:48:14.000000000 -0400
66116@@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
66117
66118 static void print_name_offset(struct seq_file *m, void *sym)
66119 {
66120+#ifdef CONFIG_GRKERNSEC_HIDESYM
66121+ SEQ_printf(m, "<%p>", NULL);
66122+#else
66123 char symname[KSYM_NAME_LEN];
66124
66125 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
66126 SEQ_printf(m, "<%pK>", sym);
66127 else
66128 SEQ_printf(m, "%s", symname);
66129+#endif
66130 }
66131
66132 static void
66133@@ -112,7 +116,11 @@ next_one:
66134 static void
66135 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
66136 {
66137+#ifdef CONFIG_GRKERNSEC_HIDESYM
66138+ SEQ_printf(m, " .base: %p\n", NULL);
66139+#else
66140 SEQ_printf(m, " .base: %pK\n", base);
66141+#endif
66142 SEQ_printf(m, " .index: %d\n",
66143 base->index);
66144 SEQ_printf(m, " .resolution: %Lu nsecs\n",
66145@@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
66146 {
66147 struct proc_dir_entry *pe;
66148
66149+#ifdef CONFIG_GRKERNSEC_PROC_ADD
66150+ pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
66151+#else
66152 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
66153+#endif
66154 if (!pe)
66155 return -ENOMEM;
66156 return 0;
66157diff -urNp linux-3.0.7/kernel/time/timer_stats.c linux-3.0.7/kernel/time/timer_stats.c
66158--- linux-3.0.7/kernel/time/timer_stats.c 2011-07-21 22:17:23.000000000 -0400
66159+++ linux-3.0.7/kernel/time/timer_stats.c 2011-08-23 21:48:14.000000000 -0400
66160@@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
66161 static unsigned long nr_entries;
66162 static struct entry entries[MAX_ENTRIES];
66163
66164-static atomic_t overflow_count;
66165+static atomic_unchecked_t overflow_count;
66166
66167 /*
66168 * The entries are in a hash-table, for fast lookup:
66169@@ -140,7 +140,7 @@ static void reset_entries(void)
66170 nr_entries = 0;
66171 memset(entries, 0, sizeof(entries));
66172 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
66173- atomic_set(&overflow_count, 0);
66174+ atomic_set_unchecked(&overflow_count, 0);
66175 }
66176
66177 static struct entry *alloc_entry(void)
66178@@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
66179 if (likely(entry))
66180 entry->count++;
66181 else
66182- atomic_inc(&overflow_count);
66183+ atomic_inc_unchecked(&overflow_count);
66184
66185 out_unlock:
66186 raw_spin_unlock_irqrestore(lock, flags);
66187@@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
66188
66189 static void print_name_offset(struct seq_file *m, unsigned long addr)
66190 {
66191+#ifdef CONFIG_GRKERNSEC_HIDESYM
66192+ seq_printf(m, "<%p>", NULL);
66193+#else
66194 char symname[KSYM_NAME_LEN];
66195
66196 if (lookup_symbol_name(addr, symname) < 0)
66197 seq_printf(m, "<%p>", (void *)addr);
66198 else
66199 seq_printf(m, "%s", symname);
66200+#endif
66201 }
66202
66203 static int tstats_show(struct seq_file *m, void *v)
66204@@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
66205
66206 seq_puts(m, "Timer Stats Version: v0.2\n");
66207 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
66208- if (atomic_read(&overflow_count))
66209+ if (atomic_read_unchecked(&overflow_count))
66210 seq_printf(m, "Overflow: %d entries\n",
66211- atomic_read(&overflow_count));
66212+ atomic_read_unchecked(&overflow_count));
66213
66214 for (i = 0; i < nr_entries; i++) {
66215 entry = entries + i;
66216@@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
66217 {
66218 struct proc_dir_entry *pe;
66219
66220+#ifdef CONFIG_GRKERNSEC_PROC_ADD
66221+ pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
66222+#else
66223 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
66224+#endif
66225 if (!pe)
66226 return -ENOMEM;
66227 return 0;
66228diff -urNp linux-3.0.7/kernel/time.c linux-3.0.7/kernel/time.c
66229--- linux-3.0.7/kernel/time.c 2011-07-21 22:17:23.000000000 -0400
66230+++ linux-3.0.7/kernel/time.c 2011-08-23 21:48:14.000000000 -0400
66231@@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct tim
66232 return error;
66233
66234 if (tz) {
66235+ /* we log in do_settimeofday called below, so don't log twice
66236+ */
66237+ if (!tv)
66238+ gr_log_timechange();
66239+
66240 /* SMP safe, global irq locking makes it work. */
66241 sys_tz = *tz;
66242 update_vsyscall_tz();
66243diff -urNp linux-3.0.7/kernel/timer.c linux-3.0.7/kernel/timer.c
66244--- linux-3.0.7/kernel/timer.c 2011-07-21 22:17:23.000000000 -0400
66245+++ linux-3.0.7/kernel/timer.c 2011-08-23 21:47:56.000000000 -0400
66246@@ -1304,7 +1304,7 @@ void update_process_times(int user_tick)
66247 /*
66248 * This function runs timers and the timer-tq in bottom half context.
66249 */
66250-static void run_timer_softirq(struct softirq_action *h)
66251+static void run_timer_softirq(void)
66252 {
66253 struct tvec_base *base = __this_cpu_read(tvec_bases);
66254
66255diff -urNp linux-3.0.7/kernel/trace/blktrace.c linux-3.0.7/kernel/trace/blktrace.c
66256--- linux-3.0.7/kernel/trace/blktrace.c 2011-07-21 22:17:23.000000000 -0400
66257+++ linux-3.0.7/kernel/trace/blktrace.c 2011-08-23 21:47:56.000000000 -0400
66258@@ -321,7 +321,7 @@ static ssize_t blk_dropped_read(struct f
66259 struct blk_trace *bt = filp->private_data;
66260 char buf[16];
66261
66262- snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
66263+ snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
66264
66265 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
66266 }
66267@@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(str
66268 return 1;
66269
66270 bt = buf->chan->private_data;
66271- atomic_inc(&bt->dropped);
66272+ atomic_inc_unchecked(&bt->dropped);
66273 return 0;
66274 }
66275
66276@@ -487,7 +487,7 @@ int do_blk_trace_setup(struct request_qu
66277
66278 bt->dir = dir;
66279 bt->dev = dev;
66280- atomic_set(&bt->dropped, 0);
66281+ atomic_set_unchecked(&bt->dropped, 0);
66282
66283 ret = -EIO;
66284 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
66285diff -urNp linux-3.0.7/kernel/trace/ftrace.c linux-3.0.7/kernel/trace/ftrace.c
66286--- linux-3.0.7/kernel/trace/ftrace.c 2011-10-17 23:17:09.000000000 -0400
66287+++ linux-3.0.7/kernel/trace/ftrace.c 2011-10-17 23:17:19.000000000 -0400
66288@@ -1566,12 +1566,17 @@ ftrace_code_disable(struct module *mod,
66289 if (unlikely(ftrace_disabled))
66290 return 0;
66291
66292+ ret = ftrace_arch_code_modify_prepare();
66293+ FTRACE_WARN_ON(ret);
66294+ if (ret)
66295+ return 0;
66296+
66297 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
66298+ FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
66299 if (ret) {
66300 ftrace_bug(ret, ip);
66301- return 0;
66302 }
66303- return 1;
66304+ return ret ? 0 : 1;
66305 }
66306
66307 /*
66308@@ -2570,7 +2575,7 @@ static void ftrace_free_entry_rcu(struct
66309
66310 int
66311 register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
66312- void *data)
66313+ void *data)
66314 {
66315 struct ftrace_func_probe *entry;
66316 struct ftrace_page *pg;
66317diff -urNp linux-3.0.7/kernel/trace/trace.c linux-3.0.7/kernel/trace/trace.c
66318--- linux-3.0.7/kernel/trace/trace.c 2011-07-21 22:17:23.000000000 -0400
66319+++ linux-3.0.7/kernel/trace/trace.c 2011-08-23 21:48:14.000000000 -0400
66320@@ -3339,6 +3339,8 @@ static ssize_t tracing_splice_read_pipe(
66321 size_t rem;
66322 unsigned int i;
66323
66324+ pax_track_stack();
66325+
66326 if (splice_grow_spd(pipe, &spd))
66327 return -ENOMEM;
66328
66329@@ -3822,6 +3824,8 @@ tracing_buffers_splice_read(struct file
66330 int entries, size, i;
66331 size_t ret;
66332
66333+ pax_track_stack();
66334+
66335 if (splice_grow_spd(pipe, &spd))
66336 return -ENOMEM;
66337
66338@@ -3990,10 +3994,9 @@ static const struct file_operations trac
66339 };
66340 #endif
66341
66342-static struct dentry *d_tracer;
66343-
66344 struct dentry *tracing_init_dentry(void)
66345 {
66346+ static struct dentry *d_tracer;
66347 static int once;
66348
66349 if (d_tracer)
66350@@ -4013,10 +4016,9 @@ struct dentry *tracing_init_dentry(void)
66351 return d_tracer;
66352 }
66353
66354-static struct dentry *d_percpu;
66355-
66356 struct dentry *tracing_dentry_percpu(void)
66357 {
66358+ static struct dentry *d_percpu;
66359 static int once;
66360 struct dentry *d_tracer;
66361
66362diff -urNp linux-3.0.7/kernel/trace/trace_events.c linux-3.0.7/kernel/trace/trace_events.c
66363--- linux-3.0.7/kernel/trace/trace_events.c 2011-09-02 18:11:21.000000000 -0400
66364+++ linux-3.0.7/kernel/trace/trace_events.c 2011-08-23 21:47:56.000000000 -0400
66365@@ -1318,10 +1318,6 @@ static LIST_HEAD(ftrace_module_file_list
66366 struct ftrace_module_file_ops {
66367 struct list_head list;
66368 struct module *mod;
66369- struct file_operations id;
66370- struct file_operations enable;
66371- struct file_operations format;
66372- struct file_operations filter;
66373 };
66374
66375 static struct ftrace_module_file_ops *
66376@@ -1342,17 +1338,12 @@ trace_create_file_ops(struct module *mod
66377
66378 file_ops->mod = mod;
66379
66380- file_ops->id = ftrace_event_id_fops;
66381- file_ops->id.owner = mod;
66382-
66383- file_ops->enable = ftrace_enable_fops;
66384- file_ops->enable.owner = mod;
66385-
66386- file_ops->filter = ftrace_event_filter_fops;
66387- file_ops->filter.owner = mod;
66388-
66389- file_ops->format = ftrace_event_format_fops;
66390- file_ops->format.owner = mod;
66391+ pax_open_kernel();
66392+ *(void **)&mod->trace_id.owner = mod;
66393+ *(void **)&mod->trace_enable.owner = mod;
66394+ *(void **)&mod->trace_filter.owner = mod;
66395+ *(void **)&mod->trace_format.owner = mod;
66396+ pax_close_kernel();
66397
66398 list_add(&file_ops->list, &ftrace_module_file_list);
66399
66400@@ -1376,8 +1367,8 @@ static void trace_module_add_events(stru
66401
66402 for_each_event(call, start, end) {
66403 __trace_add_event_call(*call, mod,
66404- &file_ops->id, &file_ops->enable,
66405- &file_ops->filter, &file_ops->format);
66406+ &mod->trace_id, &mod->trace_enable,
66407+ &mod->trace_filter, &mod->trace_format);
66408 }
66409 }
66410
66411diff -urNp linux-3.0.7/kernel/trace/trace_kprobe.c linux-3.0.7/kernel/trace/trace_kprobe.c
66412--- linux-3.0.7/kernel/trace/trace_kprobe.c 2011-07-21 22:17:23.000000000 -0400
66413+++ linux-3.0.7/kernel/trace/trace_kprobe.c 2011-10-06 04:17:55.000000000 -0400
66414@@ -217,7 +217,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66415 long ret;
66416 int maxlen = get_rloc_len(*(u32 *)dest);
66417 u8 *dst = get_rloc_data(dest);
66418- u8 *src = addr;
66419+ const u8 __user *src = (const u8 __force_user *)addr;
66420 mm_segment_t old_fs = get_fs();
66421 if (!maxlen)
66422 return;
66423@@ -229,7 +229,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66424 pagefault_disable();
66425 do
66426 ret = __copy_from_user_inatomic(dst++, src++, 1);
66427- while (dst[-1] && ret == 0 && src - (u8 *)addr < maxlen);
66428+ while (dst[-1] && ret == 0 && src - (const u8 __force_user *)addr < maxlen);
66429 dst[-1] = '\0';
66430 pagefault_enable();
66431 set_fs(old_fs);
66432@@ -238,7 +238,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66433 ((u8 *)get_rloc_data(dest))[0] = '\0';
66434 *(u32 *)dest = make_data_rloc(0, get_rloc_offs(*(u32 *)dest));
66435 } else
66436- *(u32 *)dest = make_data_rloc(src - (u8 *)addr,
66437+ *(u32 *)dest = make_data_rloc(src - (const u8 __force_user *)addr,
66438 get_rloc_offs(*(u32 *)dest));
66439 }
66440 /* Return the length of string -- including null terminal byte */
66441@@ -252,7 +252,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66442 set_fs(KERNEL_DS);
66443 pagefault_disable();
66444 do {
66445- ret = __copy_from_user_inatomic(&c, (u8 *)addr + len, 1);
66446+ ret = __copy_from_user_inatomic(&c, (const u8 __force_user *)addr + len, 1);
66447 len++;
66448 } while (c && ret == 0 && len < MAX_STRING_SIZE);
66449 pagefault_enable();
66450diff -urNp linux-3.0.7/kernel/trace/trace_mmiotrace.c linux-3.0.7/kernel/trace/trace_mmiotrace.c
66451--- linux-3.0.7/kernel/trace/trace_mmiotrace.c 2011-07-21 22:17:23.000000000 -0400
66452+++ linux-3.0.7/kernel/trace/trace_mmiotrace.c 2011-08-23 21:47:56.000000000 -0400
66453@@ -24,7 +24,7 @@ struct header_iter {
66454 static struct trace_array *mmio_trace_array;
66455 static bool overrun_detected;
66456 static unsigned long prev_overruns;
66457-static atomic_t dropped_count;
66458+static atomic_unchecked_t dropped_count;
66459
66460 static void mmio_reset_data(struct trace_array *tr)
66461 {
66462@@ -127,7 +127,7 @@ static void mmio_close(struct trace_iter
66463
66464 static unsigned long count_overruns(struct trace_iterator *iter)
66465 {
66466- unsigned long cnt = atomic_xchg(&dropped_count, 0);
66467+ unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
66468 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
66469
66470 if (over > prev_overruns)
66471@@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct
66472 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
66473 sizeof(*entry), 0, pc);
66474 if (!event) {
66475- atomic_inc(&dropped_count);
66476+ atomic_inc_unchecked(&dropped_count);
66477 return;
66478 }
66479 entry = ring_buffer_event_data(event);
66480@@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct
66481 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
66482 sizeof(*entry), 0, pc);
66483 if (!event) {
66484- atomic_inc(&dropped_count);
66485+ atomic_inc_unchecked(&dropped_count);
66486 return;
66487 }
66488 entry = ring_buffer_event_data(event);
66489diff -urNp linux-3.0.7/kernel/trace/trace_output.c linux-3.0.7/kernel/trace/trace_output.c
66490--- linux-3.0.7/kernel/trace/trace_output.c 2011-07-21 22:17:23.000000000 -0400
66491+++ linux-3.0.7/kernel/trace/trace_output.c 2011-08-23 21:47:56.000000000 -0400
66492@@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
66493
66494 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
66495 if (!IS_ERR(p)) {
66496- p = mangle_path(s->buffer + s->len, p, "\n");
66497+ p = mangle_path(s->buffer + s->len, p, "\n\\");
66498 if (p) {
66499 s->len = p - s->buffer;
66500 return 1;
66501diff -urNp linux-3.0.7/kernel/trace/trace_stack.c linux-3.0.7/kernel/trace/trace_stack.c
66502--- linux-3.0.7/kernel/trace/trace_stack.c 2011-07-21 22:17:23.000000000 -0400
66503+++ linux-3.0.7/kernel/trace/trace_stack.c 2011-08-23 21:47:56.000000000 -0400
66504@@ -50,7 +50,7 @@ static inline void check_stack(void)
66505 return;
66506
66507 /* we do not handle interrupt stacks yet */
66508- if (!object_is_on_stack(&this_size))
66509+ if (!object_starts_on_stack(&this_size))
66510 return;
66511
66512 local_irq_save(flags);
66513diff -urNp linux-3.0.7/kernel/trace/trace_workqueue.c linux-3.0.7/kernel/trace/trace_workqueue.c
66514--- linux-3.0.7/kernel/trace/trace_workqueue.c 2011-07-21 22:17:23.000000000 -0400
66515+++ linux-3.0.7/kernel/trace/trace_workqueue.c 2011-08-23 21:47:56.000000000 -0400
66516@@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
66517 int cpu;
66518 pid_t pid;
66519 /* Can be inserted from interrupt or user context, need to be atomic */
66520- atomic_t inserted;
66521+ atomic_unchecked_t inserted;
66522 /*
66523 * Don't need to be atomic, works are serialized in a single workqueue thread
66524 * on a single CPU.
66525@@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
66526 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
66527 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
66528 if (node->pid == wq_thread->pid) {
66529- atomic_inc(&node->inserted);
66530+ atomic_inc_unchecked(&node->inserted);
66531 goto found;
66532 }
66533 }
66534@@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
66535 tsk = get_pid_task(pid, PIDTYPE_PID);
66536 if (tsk) {
66537 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
66538- atomic_read(&cws->inserted), cws->executed,
66539+ atomic_read_unchecked(&cws->inserted), cws->executed,
66540 tsk->comm);
66541 put_task_struct(tsk);
66542 }
66543diff -urNp linux-3.0.7/lib/Kconfig.debug linux-3.0.7/lib/Kconfig.debug
66544--- linux-3.0.7/lib/Kconfig.debug 2011-07-21 22:17:23.000000000 -0400
66545+++ linux-3.0.7/lib/Kconfig.debug 2011-08-23 21:48:14.000000000 -0400
66546@@ -1088,6 +1088,7 @@ config LATENCYTOP
66547 depends on DEBUG_KERNEL
66548 depends on STACKTRACE_SUPPORT
66549 depends on PROC_FS
66550+ depends on !GRKERNSEC_HIDESYM
66551 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
66552 select KALLSYMS
66553 select KALLSYMS_ALL
66554diff -urNp linux-3.0.7/lib/bitmap.c linux-3.0.7/lib/bitmap.c
66555--- linux-3.0.7/lib/bitmap.c 2011-07-21 22:17:23.000000000 -0400
66556+++ linux-3.0.7/lib/bitmap.c 2011-10-06 04:17:55.000000000 -0400
66557@@ -421,7 +421,7 @@ int __bitmap_parse(const char *buf, unsi
66558 {
66559 int c, old_c, totaldigits, ndigits, nchunks, nbits;
66560 u32 chunk;
66561- const char __user *ubuf = buf;
66562+ const char __user *ubuf = (const char __force_user *)buf;
66563
66564 bitmap_zero(maskp, nmaskbits);
66565
66566@@ -506,7 +506,7 @@ int bitmap_parse_user(const char __user
66567 {
66568 if (!access_ok(VERIFY_READ, ubuf, ulen))
66569 return -EFAULT;
66570- return __bitmap_parse((const char *)ubuf, ulen, 1, maskp, nmaskbits);
66571+ return __bitmap_parse((const char __force_kernel *)ubuf, ulen, 1, maskp, nmaskbits);
66572 }
66573 EXPORT_SYMBOL(bitmap_parse_user);
66574
66575@@ -596,7 +596,7 @@ static int __bitmap_parselist(const char
66576 {
66577 unsigned a, b;
66578 int c, old_c, totaldigits;
66579- const char __user *ubuf = buf;
66580+ const char __user *ubuf = (const char __force_user *)buf;
66581 int exp_digit, in_range;
66582
66583 totaldigits = c = 0;
66584@@ -696,7 +696,7 @@ int bitmap_parselist_user(const char __u
66585 {
66586 if (!access_ok(VERIFY_READ, ubuf, ulen))
66587 return -EFAULT;
66588- return __bitmap_parselist((const char *)ubuf,
66589+ return __bitmap_parselist((const char __force_kernel *)ubuf,
66590 ulen, 1, maskp, nmaskbits);
66591 }
66592 EXPORT_SYMBOL(bitmap_parselist_user);
66593diff -urNp linux-3.0.7/lib/bug.c linux-3.0.7/lib/bug.c
66594--- linux-3.0.7/lib/bug.c 2011-07-21 22:17:23.000000000 -0400
66595+++ linux-3.0.7/lib/bug.c 2011-08-23 21:47:56.000000000 -0400
66596@@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
66597 return BUG_TRAP_TYPE_NONE;
66598
66599 bug = find_bug(bugaddr);
66600+ if (!bug)
66601+ return BUG_TRAP_TYPE_NONE;
66602
66603 file = NULL;
66604 line = 0;
66605diff -urNp linux-3.0.7/lib/debugobjects.c linux-3.0.7/lib/debugobjects.c
66606--- linux-3.0.7/lib/debugobjects.c 2011-07-21 22:17:23.000000000 -0400
66607+++ linux-3.0.7/lib/debugobjects.c 2011-08-23 21:47:56.000000000 -0400
66608@@ -284,7 +284,7 @@ static void debug_object_is_on_stack(voi
66609 if (limit > 4)
66610 return;
66611
66612- is_on_stack = object_is_on_stack(addr);
66613+ is_on_stack = object_starts_on_stack(addr);
66614 if (is_on_stack == onstack)
66615 return;
66616
66617diff -urNp linux-3.0.7/lib/devres.c linux-3.0.7/lib/devres.c
66618--- linux-3.0.7/lib/devres.c 2011-07-21 22:17:23.000000000 -0400
66619+++ linux-3.0.7/lib/devres.c 2011-10-06 04:17:55.000000000 -0400
66620@@ -81,7 +81,7 @@ void devm_iounmap(struct device *dev, vo
66621 {
66622 iounmap(addr);
66623 WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
66624- (void *)addr));
66625+ (void __force *)addr));
66626 }
66627 EXPORT_SYMBOL(devm_iounmap);
66628
66629@@ -141,7 +141,7 @@ void devm_ioport_unmap(struct device *de
66630 {
66631 ioport_unmap(addr);
66632 WARN_ON(devres_destroy(dev, devm_ioport_map_release,
66633- devm_ioport_map_match, (void *)addr));
66634+ devm_ioport_map_match, (void __force *)addr));
66635 }
66636 EXPORT_SYMBOL(devm_ioport_unmap);
66637
66638diff -urNp linux-3.0.7/lib/dma-debug.c linux-3.0.7/lib/dma-debug.c
66639--- linux-3.0.7/lib/dma-debug.c 2011-07-21 22:17:23.000000000 -0400
66640+++ linux-3.0.7/lib/dma-debug.c 2011-08-23 21:47:56.000000000 -0400
66641@@ -870,7 +870,7 @@ out:
66642
66643 static void check_for_stack(struct device *dev, void *addr)
66644 {
66645- if (object_is_on_stack(addr))
66646+ if (object_starts_on_stack(addr))
66647 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
66648 "stack [addr=%p]\n", addr);
66649 }
66650diff -urNp linux-3.0.7/lib/extable.c linux-3.0.7/lib/extable.c
66651--- linux-3.0.7/lib/extable.c 2011-07-21 22:17:23.000000000 -0400
66652+++ linux-3.0.7/lib/extable.c 2011-08-23 21:47:56.000000000 -0400
66653@@ -13,6 +13,7 @@
66654 #include <linux/init.h>
66655 #include <linux/sort.h>
66656 #include <asm/uaccess.h>
66657+#include <asm/pgtable.h>
66658
66659 #ifndef ARCH_HAS_SORT_EXTABLE
66660 /*
66661@@ -36,8 +37,10 @@ static int cmp_ex(const void *a, const v
66662 void sort_extable(struct exception_table_entry *start,
66663 struct exception_table_entry *finish)
66664 {
66665+ pax_open_kernel();
66666 sort(start, finish - start, sizeof(struct exception_table_entry),
66667 cmp_ex, NULL);
66668+ pax_close_kernel();
66669 }
66670
66671 #ifdef CONFIG_MODULES
66672diff -urNp linux-3.0.7/lib/inflate.c linux-3.0.7/lib/inflate.c
66673--- linux-3.0.7/lib/inflate.c 2011-07-21 22:17:23.000000000 -0400
66674+++ linux-3.0.7/lib/inflate.c 2011-08-23 21:47:56.000000000 -0400
66675@@ -269,7 +269,7 @@ static void free(void *where)
66676 malloc_ptr = free_mem_ptr;
66677 }
66678 #else
66679-#define malloc(a) kmalloc(a, GFP_KERNEL)
66680+#define malloc(a) kmalloc((a), GFP_KERNEL)
66681 #define free(a) kfree(a)
66682 #endif
66683
66684diff -urNp linux-3.0.7/lib/kref.c linux-3.0.7/lib/kref.c
66685--- linux-3.0.7/lib/kref.c 2011-07-21 22:17:23.000000000 -0400
66686+++ linux-3.0.7/lib/kref.c 2011-08-23 21:47:56.000000000 -0400
66687@@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
66688 */
66689 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
66690 {
66691- WARN_ON(release == NULL);
66692+ BUG_ON(release == NULL);
66693 WARN_ON(release == (void (*)(struct kref *))kfree);
66694
66695 if (atomic_dec_and_test(&kref->refcount)) {
66696diff -urNp linux-3.0.7/lib/radix-tree.c linux-3.0.7/lib/radix-tree.c
66697--- linux-3.0.7/lib/radix-tree.c 2011-07-21 22:17:23.000000000 -0400
66698+++ linux-3.0.7/lib/radix-tree.c 2011-08-23 21:47:56.000000000 -0400
66699@@ -80,7 +80,7 @@ struct radix_tree_preload {
66700 int nr;
66701 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
66702 };
66703-static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
66704+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
66705
66706 static inline void *ptr_to_indirect(void *ptr)
66707 {
66708diff -urNp linux-3.0.7/lib/vsprintf.c linux-3.0.7/lib/vsprintf.c
66709--- linux-3.0.7/lib/vsprintf.c 2011-07-21 22:17:23.000000000 -0400
66710+++ linux-3.0.7/lib/vsprintf.c 2011-08-23 21:48:14.000000000 -0400
66711@@ -16,6 +16,9 @@
66712 * - scnprintf and vscnprintf
66713 */
66714
66715+#ifdef CONFIG_GRKERNSEC_HIDESYM
66716+#define __INCLUDED_BY_HIDESYM 1
66717+#endif
66718 #include <stdarg.h>
66719 #include <linux/module.h>
66720 #include <linux/types.h>
66721@@ -435,7 +438,7 @@ char *symbol_string(char *buf, char *end
66722 char sym[KSYM_SYMBOL_LEN];
66723 if (ext == 'B')
66724 sprint_backtrace(sym, value);
66725- else if (ext != 'f' && ext != 's')
66726+ else if (ext != 'f' && ext != 's' && ext != 'a')
66727 sprint_symbol(sym, value);
66728 else
66729 kallsyms_lookup(value, NULL, NULL, NULL, sym);
66730@@ -799,7 +802,11 @@ char *uuid_string(char *buf, char *end,
66731 return string(buf, end, uuid, spec);
66732 }
66733
66734+#ifdef CONFIG_GRKERNSEC_HIDESYM
66735+int kptr_restrict __read_mostly = 2;
66736+#else
66737 int kptr_restrict __read_mostly;
66738+#endif
66739
66740 /*
66741 * Show a '%p' thing. A kernel extension is that the '%p' is followed
66742@@ -813,6 +820,8 @@ int kptr_restrict __read_mostly;
66743 * - 'S' For symbolic direct pointers with offset
66744 * - 's' For symbolic direct pointers without offset
66745 * - 'B' For backtraced symbolic direct pointers with offset
66746+ * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
66747+ * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
66748 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
66749 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
66750 * - 'M' For a 6-byte MAC address, it prints the address in the
66751@@ -857,12 +866,12 @@ char *pointer(const char *fmt, char *buf
66752 {
66753 if (!ptr && *fmt != 'K') {
66754 /*
66755- * Print (null) with the same width as a pointer so it makes
66756+ * Print (nil) with the same width as a pointer so it makes
66757 * tabular output look nice.
66758 */
66759 if (spec.field_width == -1)
66760 spec.field_width = 2 * sizeof(void *);
66761- return string(buf, end, "(null)", spec);
66762+ return string(buf, end, "(nil)", spec);
66763 }
66764
66765 switch (*fmt) {
66766@@ -872,6 +881,13 @@ char *pointer(const char *fmt, char *buf
66767 /* Fallthrough */
66768 case 'S':
66769 case 's':
66770+#ifdef CONFIG_GRKERNSEC_HIDESYM
66771+ break;
66772+#else
66773+ return symbol_string(buf, end, ptr, spec, *fmt);
66774+#endif
66775+ case 'A':
66776+ case 'a':
66777 case 'B':
66778 return symbol_string(buf, end, ptr, spec, *fmt);
66779 case 'R':
66780@@ -1631,11 +1647,11 @@ int bstr_printf(char *buf, size_t size,
66781 typeof(type) value; \
66782 if (sizeof(type) == 8) { \
66783 args = PTR_ALIGN(args, sizeof(u32)); \
66784- *(u32 *)&value = *(u32 *)args; \
66785- *((u32 *)&value + 1) = *(u32 *)(args + 4); \
66786+ *(u32 *)&value = *(const u32 *)args; \
66787+ *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
66788 } else { \
66789 args = PTR_ALIGN(args, sizeof(type)); \
66790- value = *(typeof(type) *)args; \
66791+ value = *(const typeof(type) *)args; \
66792 } \
66793 args += sizeof(type); \
66794 value; \
66795@@ -1698,7 +1714,7 @@ int bstr_printf(char *buf, size_t size,
66796 case FORMAT_TYPE_STR: {
66797 const char *str_arg = args;
66798 args += strlen(str_arg) + 1;
66799- str = string(str, end, (char *)str_arg, spec);
66800+ str = string(str, end, str_arg, spec);
66801 break;
66802 }
66803
66804diff -urNp linux-3.0.7/localversion-grsec linux-3.0.7/localversion-grsec
66805--- linux-3.0.7/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
66806+++ linux-3.0.7/localversion-grsec 2011-08-23 21:48:14.000000000 -0400
66807@@ -0,0 +1 @@
66808+-grsec
66809diff -urNp linux-3.0.7/mm/Kconfig linux-3.0.7/mm/Kconfig
66810--- linux-3.0.7/mm/Kconfig 2011-07-21 22:17:23.000000000 -0400
66811+++ linux-3.0.7/mm/Kconfig 2011-08-23 21:48:14.000000000 -0400
66812@@ -240,7 +240,7 @@ config KSM
66813 config DEFAULT_MMAP_MIN_ADDR
66814 int "Low address space to protect from user allocation"
66815 depends on MMU
66816- default 4096
66817+ default 65536
66818 help
66819 This is the portion of low virtual memory which should be protected
66820 from userspace allocation. Keeping a user from writing to low pages
66821diff -urNp linux-3.0.7/mm/filemap.c linux-3.0.7/mm/filemap.c
66822--- linux-3.0.7/mm/filemap.c 2011-07-21 22:17:23.000000000 -0400
66823+++ linux-3.0.7/mm/filemap.c 2011-08-23 21:48:14.000000000 -0400
66824@@ -1763,7 +1763,7 @@ int generic_file_mmap(struct file * file
66825 struct address_space *mapping = file->f_mapping;
66826
66827 if (!mapping->a_ops->readpage)
66828- return -ENOEXEC;
66829+ return -ENODEV;
66830 file_accessed(file);
66831 vma->vm_ops = &generic_file_vm_ops;
66832 vma->vm_flags |= VM_CAN_NONLINEAR;
66833@@ -2169,6 +2169,7 @@ inline int generic_write_checks(struct f
66834 *pos = i_size_read(inode);
66835
66836 if (limit != RLIM_INFINITY) {
66837+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
66838 if (*pos >= limit) {
66839 send_sig(SIGXFSZ, current, 0);
66840 return -EFBIG;
66841diff -urNp linux-3.0.7/mm/fremap.c linux-3.0.7/mm/fremap.c
66842--- linux-3.0.7/mm/fremap.c 2011-07-21 22:17:23.000000000 -0400
66843+++ linux-3.0.7/mm/fremap.c 2011-08-23 21:47:56.000000000 -0400
66844@@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
66845 retry:
66846 vma = find_vma(mm, start);
66847
66848+#ifdef CONFIG_PAX_SEGMEXEC
66849+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
66850+ goto out;
66851+#endif
66852+
66853 /*
66854 * Make sure the vma is shared, that it supports prefaulting,
66855 * and that the remapped range is valid and fully within
66856diff -urNp linux-3.0.7/mm/highmem.c linux-3.0.7/mm/highmem.c
66857--- linux-3.0.7/mm/highmem.c 2011-07-21 22:17:23.000000000 -0400
66858+++ linux-3.0.7/mm/highmem.c 2011-08-23 21:47:56.000000000 -0400
66859@@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
66860 * So no dangers, even with speculative execution.
66861 */
66862 page = pte_page(pkmap_page_table[i]);
66863+ pax_open_kernel();
66864 pte_clear(&init_mm, (unsigned long)page_address(page),
66865 &pkmap_page_table[i]);
66866-
66867+ pax_close_kernel();
66868 set_page_address(page, NULL);
66869 need_flush = 1;
66870 }
66871@@ -186,9 +187,11 @@ start:
66872 }
66873 }
66874 vaddr = PKMAP_ADDR(last_pkmap_nr);
66875+
66876+ pax_open_kernel();
66877 set_pte_at(&init_mm, vaddr,
66878 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
66879-
66880+ pax_close_kernel();
66881 pkmap_count[last_pkmap_nr] = 1;
66882 set_page_address(page, (void *)vaddr);
66883
66884diff -urNp linux-3.0.7/mm/huge_memory.c linux-3.0.7/mm/huge_memory.c
66885--- linux-3.0.7/mm/huge_memory.c 2011-07-21 22:17:23.000000000 -0400
66886+++ linux-3.0.7/mm/huge_memory.c 2011-08-23 21:47:56.000000000 -0400
66887@@ -702,7 +702,7 @@ out:
66888 * run pte_offset_map on the pmd, if an huge pmd could
66889 * materialize from under us from a different thread.
66890 */
66891- if (unlikely(__pte_alloc(mm, vma, pmd, address)))
66892+ if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
66893 return VM_FAULT_OOM;
66894 /* if an huge pmd materialized from under us just retry later */
66895 if (unlikely(pmd_trans_huge(*pmd)))
66896diff -urNp linux-3.0.7/mm/hugetlb.c linux-3.0.7/mm/hugetlb.c
66897--- linux-3.0.7/mm/hugetlb.c 2011-07-21 22:17:23.000000000 -0400
66898+++ linux-3.0.7/mm/hugetlb.c 2011-08-23 21:47:56.000000000 -0400
66899@@ -2339,6 +2339,27 @@ static int unmap_ref_private(struct mm_s
66900 return 1;
66901 }
66902
66903+#ifdef CONFIG_PAX_SEGMEXEC
66904+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
66905+{
66906+ struct mm_struct *mm = vma->vm_mm;
66907+ struct vm_area_struct *vma_m;
66908+ unsigned long address_m;
66909+ pte_t *ptep_m;
66910+
66911+ vma_m = pax_find_mirror_vma(vma);
66912+ if (!vma_m)
66913+ return;
66914+
66915+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
66916+ address_m = address + SEGMEXEC_TASK_SIZE;
66917+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
66918+ get_page(page_m);
66919+ hugepage_add_anon_rmap(page_m, vma_m, address_m);
66920+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
66921+}
66922+#endif
66923+
66924 /*
66925 * Hugetlb_cow() should be called with page lock of the original hugepage held.
66926 */
66927@@ -2440,6 +2461,11 @@ retry_avoidcopy:
66928 make_huge_pte(vma, new_page, 1));
66929 page_remove_rmap(old_page);
66930 hugepage_add_new_anon_rmap(new_page, vma, address);
66931+
66932+#ifdef CONFIG_PAX_SEGMEXEC
66933+ pax_mirror_huge_pte(vma, address, new_page);
66934+#endif
66935+
66936 /* Make the old page be freed below */
66937 new_page = old_page;
66938 mmu_notifier_invalidate_range_end(mm,
66939@@ -2591,6 +2617,10 @@ retry:
66940 && (vma->vm_flags & VM_SHARED)));
66941 set_huge_pte_at(mm, address, ptep, new_pte);
66942
66943+#ifdef CONFIG_PAX_SEGMEXEC
66944+ pax_mirror_huge_pte(vma, address, page);
66945+#endif
66946+
66947 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
66948 /* Optimization, do the COW without a second fault */
66949 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
66950@@ -2620,6 +2650,10 @@ int hugetlb_fault(struct mm_struct *mm,
66951 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
66952 struct hstate *h = hstate_vma(vma);
66953
66954+#ifdef CONFIG_PAX_SEGMEXEC
66955+ struct vm_area_struct *vma_m;
66956+#endif
66957+
66958 ptep = huge_pte_offset(mm, address);
66959 if (ptep) {
66960 entry = huge_ptep_get(ptep);
66961@@ -2631,6 +2665,26 @@ int hugetlb_fault(struct mm_struct *mm,
66962 VM_FAULT_SET_HINDEX(h - hstates);
66963 }
66964
66965+#ifdef CONFIG_PAX_SEGMEXEC
66966+ vma_m = pax_find_mirror_vma(vma);
66967+ if (vma_m) {
66968+ unsigned long address_m;
66969+
66970+ if (vma->vm_start > vma_m->vm_start) {
66971+ address_m = address;
66972+ address -= SEGMEXEC_TASK_SIZE;
66973+ vma = vma_m;
66974+ h = hstate_vma(vma);
66975+ } else
66976+ address_m = address + SEGMEXEC_TASK_SIZE;
66977+
66978+ if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
66979+ return VM_FAULT_OOM;
66980+ address_m &= HPAGE_MASK;
66981+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
66982+ }
66983+#endif
66984+
66985 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
66986 if (!ptep)
66987 return VM_FAULT_OOM;
66988diff -urNp linux-3.0.7/mm/internal.h linux-3.0.7/mm/internal.h
66989--- linux-3.0.7/mm/internal.h 2011-07-21 22:17:23.000000000 -0400
66990+++ linux-3.0.7/mm/internal.h 2011-08-23 21:47:56.000000000 -0400
66991@@ -49,6 +49,7 @@ extern void putback_lru_page(struct page
66992 * in mm/page_alloc.c
66993 */
66994 extern void __free_pages_bootmem(struct page *page, unsigned int order);
66995+extern void free_compound_page(struct page *page);
66996 extern void prep_compound_page(struct page *page, unsigned long order);
66997 #ifdef CONFIG_MEMORY_FAILURE
66998 extern bool is_free_buddy_page(struct page *page);
66999diff -urNp linux-3.0.7/mm/kmemleak.c linux-3.0.7/mm/kmemleak.c
67000--- linux-3.0.7/mm/kmemleak.c 2011-07-21 22:17:23.000000000 -0400
67001+++ linux-3.0.7/mm/kmemleak.c 2011-08-23 21:48:14.000000000 -0400
67002@@ -357,7 +357,7 @@ static void print_unreferenced(struct se
67003
67004 for (i = 0; i < object->trace_len; i++) {
67005 void *ptr = (void *)object->trace[i];
67006- seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
67007+ seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
67008 }
67009 }
67010
67011diff -urNp linux-3.0.7/mm/maccess.c linux-3.0.7/mm/maccess.c
67012--- linux-3.0.7/mm/maccess.c 2011-07-21 22:17:23.000000000 -0400
67013+++ linux-3.0.7/mm/maccess.c 2011-10-06 04:17:55.000000000 -0400
67014@@ -26,7 +26,7 @@ long __probe_kernel_read(void *dst, cons
67015 set_fs(KERNEL_DS);
67016 pagefault_disable();
67017 ret = __copy_from_user_inatomic(dst,
67018- (__force const void __user *)src, size);
67019+ (const void __force_user *)src, size);
67020 pagefault_enable();
67021 set_fs(old_fs);
67022
67023@@ -53,7 +53,7 @@ long __probe_kernel_write(void *dst, con
67024
67025 set_fs(KERNEL_DS);
67026 pagefault_disable();
67027- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
67028+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
67029 pagefault_enable();
67030 set_fs(old_fs);
67031
67032diff -urNp linux-3.0.7/mm/madvise.c linux-3.0.7/mm/madvise.c
67033--- linux-3.0.7/mm/madvise.c 2011-07-21 22:17:23.000000000 -0400
67034+++ linux-3.0.7/mm/madvise.c 2011-08-23 21:47:56.000000000 -0400
67035@@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
67036 pgoff_t pgoff;
67037 unsigned long new_flags = vma->vm_flags;
67038
67039+#ifdef CONFIG_PAX_SEGMEXEC
67040+ struct vm_area_struct *vma_m;
67041+#endif
67042+
67043 switch (behavior) {
67044 case MADV_NORMAL:
67045 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
67046@@ -110,6 +114,13 @@ success:
67047 /*
67048 * vm_flags is protected by the mmap_sem held in write mode.
67049 */
67050+
67051+#ifdef CONFIG_PAX_SEGMEXEC
67052+ vma_m = pax_find_mirror_vma(vma);
67053+ if (vma_m)
67054+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
67055+#endif
67056+
67057 vma->vm_flags = new_flags;
67058
67059 out:
67060@@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
67061 struct vm_area_struct ** prev,
67062 unsigned long start, unsigned long end)
67063 {
67064+
67065+#ifdef CONFIG_PAX_SEGMEXEC
67066+ struct vm_area_struct *vma_m;
67067+#endif
67068+
67069 *prev = vma;
67070 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
67071 return -EINVAL;
67072@@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
67073 zap_page_range(vma, start, end - start, &details);
67074 } else
67075 zap_page_range(vma, start, end - start, NULL);
67076+
67077+#ifdef CONFIG_PAX_SEGMEXEC
67078+ vma_m = pax_find_mirror_vma(vma);
67079+ if (vma_m) {
67080+ if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
67081+ struct zap_details details = {
67082+ .nonlinear_vma = vma_m,
67083+ .last_index = ULONG_MAX,
67084+ };
67085+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
67086+ } else
67087+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
67088+ }
67089+#endif
67090+
67091 return 0;
67092 }
67093
67094@@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
67095 if (end < start)
67096 goto out;
67097
67098+#ifdef CONFIG_PAX_SEGMEXEC
67099+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
67100+ if (end > SEGMEXEC_TASK_SIZE)
67101+ goto out;
67102+ } else
67103+#endif
67104+
67105+ if (end > TASK_SIZE)
67106+ goto out;
67107+
67108 error = 0;
67109 if (end == start)
67110 goto out;
67111diff -urNp linux-3.0.7/mm/memory-failure.c linux-3.0.7/mm/memory-failure.c
67112--- linux-3.0.7/mm/memory-failure.c 2011-07-21 22:17:23.000000000 -0400
67113+++ linux-3.0.7/mm/memory-failure.c 2011-10-06 04:17:55.000000000 -0400
67114@@ -59,7 +59,7 @@ int sysctl_memory_failure_early_kill __r
67115
67116 int sysctl_memory_failure_recovery __read_mostly = 1;
67117
67118-atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
67119+atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
67120
67121 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
67122
67123@@ -200,7 +200,7 @@ static int kill_proc_ao(struct task_stru
67124 si.si_signo = SIGBUS;
67125 si.si_errno = 0;
67126 si.si_code = BUS_MCEERR_AO;
67127- si.si_addr = (void *)addr;
67128+ si.si_addr = (void __user *)addr;
67129 #ifdef __ARCH_SI_TRAPNO
67130 si.si_trapno = trapno;
67131 #endif
67132@@ -1008,7 +1008,7 @@ int __memory_failure(unsigned long pfn,
67133 }
67134
67135 nr_pages = 1 << compound_trans_order(hpage);
67136- atomic_long_add(nr_pages, &mce_bad_pages);
67137+ atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
67138
67139 /*
67140 * We need/can do nothing about count=0 pages.
67141@@ -1038,7 +1038,7 @@ int __memory_failure(unsigned long pfn,
67142 if (!PageHWPoison(hpage)
67143 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
67144 || (p != hpage && TestSetPageHWPoison(hpage))) {
67145- atomic_long_sub(nr_pages, &mce_bad_pages);
67146+ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
67147 return 0;
67148 }
67149 set_page_hwpoison_huge_page(hpage);
67150@@ -1096,7 +1096,7 @@ int __memory_failure(unsigned long pfn,
67151 }
67152 if (hwpoison_filter(p)) {
67153 if (TestClearPageHWPoison(p))
67154- atomic_long_sub(nr_pages, &mce_bad_pages);
67155+ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
67156 unlock_page(hpage);
67157 put_page(hpage);
67158 return 0;
67159@@ -1222,7 +1222,7 @@ int unpoison_memory(unsigned long pfn)
67160 return 0;
67161 }
67162 if (TestClearPageHWPoison(p))
67163- atomic_long_sub(nr_pages, &mce_bad_pages);
67164+ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
67165 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
67166 return 0;
67167 }
67168@@ -1236,7 +1236,7 @@ int unpoison_memory(unsigned long pfn)
67169 */
67170 if (TestClearPageHWPoison(page)) {
67171 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
67172- atomic_long_sub(nr_pages, &mce_bad_pages);
67173+ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
67174 freeit = 1;
67175 if (PageHuge(page))
67176 clear_page_hwpoison_huge_page(page);
67177@@ -1349,7 +1349,7 @@ static int soft_offline_huge_page(struct
67178 }
67179 done:
67180 if (!PageHWPoison(hpage))
67181- atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
67182+ atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
67183 set_page_hwpoison_huge_page(hpage);
67184 dequeue_hwpoisoned_huge_page(hpage);
67185 /* keep elevated page count for bad page */
67186@@ -1480,7 +1480,7 @@ int soft_offline_page(struct page *page,
67187 return ret;
67188
67189 done:
67190- atomic_long_add(1, &mce_bad_pages);
67191+ atomic_long_add_unchecked(1, &mce_bad_pages);
67192 SetPageHWPoison(page);
67193 /* keep elevated page count for bad page */
67194 return ret;
67195diff -urNp linux-3.0.7/mm/memory.c linux-3.0.7/mm/memory.c
67196--- linux-3.0.7/mm/memory.c 2011-09-02 18:11:21.000000000 -0400
67197+++ linux-3.0.7/mm/memory.c 2011-08-23 21:47:56.000000000 -0400
67198@@ -457,8 +457,12 @@ static inline void free_pmd_range(struct
67199 return;
67200
67201 pmd = pmd_offset(pud, start);
67202+
67203+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
67204 pud_clear(pud);
67205 pmd_free_tlb(tlb, pmd, start);
67206+#endif
67207+
67208 }
67209
67210 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
67211@@ -489,9 +493,12 @@ static inline void free_pud_range(struct
67212 if (end - 1 > ceiling - 1)
67213 return;
67214
67215+#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
67216 pud = pud_offset(pgd, start);
67217 pgd_clear(pgd);
67218 pud_free_tlb(tlb, pud, start);
67219+#endif
67220+
67221 }
67222
67223 /*
67224@@ -1577,12 +1584,6 @@ no_page_table:
67225 return page;
67226 }
67227
67228-static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
67229-{
67230- return stack_guard_page_start(vma, addr) ||
67231- stack_guard_page_end(vma, addr+PAGE_SIZE);
67232-}
67233-
67234 /**
67235 * __get_user_pages() - pin user pages in memory
67236 * @tsk: task_struct of target task
67237@@ -1655,10 +1656,10 @@ int __get_user_pages(struct task_struct
67238 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
67239 i = 0;
67240
67241- do {
67242+ while (nr_pages) {
67243 struct vm_area_struct *vma;
67244
67245- vma = find_extend_vma(mm, start);
67246+ vma = find_vma(mm, start);
67247 if (!vma && in_gate_area(mm, start)) {
67248 unsigned long pg = start & PAGE_MASK;
67249 pgd_t *pgd;
67250@@ -1706,7 +1707,7 @@ int __get_user_pages(struct task_struct
67251 goto next_page;
67252 }
67253
67254- if (!vma ||
67255+ if (!vma || start < vma->vm_start ||
67256 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
67257 !(vm_flags & vma->vm_flags))
67258 return i ? : -EFAULT;
67259@@ -1733,11 +1734,6 @@ int __get_user_pages(struct task_struct
67260 int ret;
67261 unsigned int fault_flags = 0;
67262
67263- /* For mlock, just skip the stack guard page. */
67264- if (foll_flags & FOLL_MLOCK) {
67265- if (stack_guard_page(vma, start))
67266- goto next_page;
67267- }
67268 if (foll_flags & FOLL_WRITE)
67269 fault_flags |= FAULT_FLAG_WRITE;
67270 if (nonblocking)
67271@@ -1811,7 +1807,7 @@ next_page:
67272 start += PAGE_SIZE;
67273 nr_pages--;
67274 } while (nr_pages && start < vma->vm_end);
67275- } while (nr_pages);
67276+ }
67277 return i;
67278 }
67279 EXPORT_SYMBOL(__get_user_pages);
67280@@ -2018,6 +2014,10 @@ static int insert_page(struct vm_area_st
67281 page_add_file_rmap(page);
67282 set_pte_at(mm, addr, pte, mk_pte(page, prot));
67283
67284+#ifdef CONFIG_PAX_SEGMEXEC
67285+ pax_mirror_file_pte(vma, addr, page, ptl);
67286+#endif
67287+
67288 retval = 0;
67289 pte_unmap_unlock(pte, ptl);
67290 return retval;
67291@@ -2052,10 +2052,22 @@ out:
67292 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
67293 struct page *page)
67294 {
67295+
67296+#ifdef CONFIG_PAX_SEGMEXEC
67297+ struct vm_area_struct *vma_m;
67298+#endif
67299+
67300 if (addr < vma->vm_start || addr >= vma->vm_end)
67301 return -EFAULT;
67302 if (!page_count(page))
67303 return -EINVAL;
67304+
67305+#ifdef CONFIG_PAX_SEGMEXEC
67306+ vma_m = pax_find_mirror_vma(vma);
67307+ if (vma_m)
67308+ vma_m->vm_flags |= VM_INSERTPAGE;
67309+#endif
67310+
67311 vma->vm_flags |= VM_INSERTPAGE;
67312 return insert_page(vma, addr, page, vma->vm_page_prot);
67313 }
67314@@ -2141,6 +2153,7 @@ int vm_insert_mixed(struct vm_area_struc
67315 unsigned long pfn)
67316 {
67317 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
67318+ BUG_ON(vma->vm_mirror);
67319
67320 if (addr < vma->vm_start || addr >= vma->vm_end)
67321 return -EFAULT;
67322@@ -2456,6 +2469,186 @@ static inline void cow_user_page(struct
67323 copy_user_highpage(dst, src, va, vma);
67324 }
67325
67326+#ifdef CONFIG_PAX_SEGMEXEC
67327+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
67328+{
67329+ struct mm_struct *mm = vma->vm_mm;
67330+ spinlock_t *ptl;
67331+ pte_t *pte, entry;
67332+
67333+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
67334+ entry = *pte;
67335+ if (!pte_present(entry)) {
67336+ if (!pte_none(entry)) {
67337+ BUG_ON(pte_file(entry));
67338+ free_swap_and_cache(pte_to_swp_entry(entry));
67339+ pte_clear_not_present_full(mm, address, pte, 0);
67340+ }
67341+ } else {
67342+ struct page *page;
67343+
67344+ flush_cache_page(vma, address, pte_pfn(entry));
67345+ entry = ptep_clear_flush(vma, address, pte);
67346+ BUG_ON(pte_dirty(entry));
67347+ page = vm_normal_page(vma, address, entry);
67348+ if (page) {
67349+ update_hiwater_rss(mm);
67350+ if (PageAnon(page))
67351+ dec_mm_counter_fast(mm, MM_ANONPAGES);
67352+ else
67353+ dec_mm_counter_fast(mm, MM_FILEPAGES);
67354+ page_remove_rmap(page);
67355+ page_cache_release(page);
67356+ }
67357+ }
67358+ pte_unmap_unlock(pte, ptl);
67359+}
67360+
67361+/* PaX: if vma is mirrored, synchronize the mirror's PTE
67362+ *
67363+ * the ptl of the lower mapped page is held on entry and is not released on exit
67364+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
67365+ */
67366+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67367+{
67368+ struct mm_struct *mm = vma->vm_mm;
67369+ unsigned long address_m;
67370+ spinlock_t *ptl_m;
67371+ struct vm_area_struct *vma_m;
67372+ pmd_t *pmd_m;
67373+ pte_t *pte_m, entry_m;
67374+
67375+ BUG_ON(!page_m || !PageAnon(page_m));
67376+
67377+ vma_m = pax_find_mirror_vma(vma);
67378+ if (!vma_m)
67379+ return;
67380+
67381+ BUG_ON(!PageLocked(page_m));
67382+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67383+ address_m = address + SEGMEXEC_TASK_SIZE;
67384+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67385+ pte_m = pte_offset_map(pmd_m, address_m);
67386+ ptl_m = pte_lockptr(mm, pmd_m);
67387+ if (ptl != ptl_m) {
67388+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67389+ if (!pte_none(*pte_m))
67390+ goto out;
67391+ }
67392+
67393+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
67394+ page_cache_get(page_m);
67395+ page_add_anon_rmap(page_m, vma_m, address_m);
67396+ inc_mm_counter_fast(mm, MM_ANONPAGES);
67397+ set_pte_at(mm, address_m, pte_m, entry_m);
67398+ update_mmu_cache(vma_m, address_m, entry_m);
67399+out:
67400+ if (ptl != ptl_m)
67401+ spin_unlock(ptl_m);
67402+ pte_unmap(pte_m);
67403+ unlock_page(page_m);
67404+}
67405+
67406+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67407+{
67408+ struct mm_struct *mm = vma->vm_mm;
67409+ unsigned long address_m;
67410+ spinlock_t *ptl_m;
67411+ struct vm_area_struct *vma_m;
67412+ pmd_t *pmd_m;
67413+ pte_t *pte_m, entry_m;
67414+
67415+ BUG_ON(!page_m || PageAnon(page_m));
67416+
67417+ vma_m = pax_find_mirror_vma(vma);
67418+ if (!vma_m)
67419+ return;
67420+
67421+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67422+ address_m = address + SEGMEXEC_TASK_SIZE;
67423+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67424+ pte_m = pte_offset_map(pmd_m, address_m);
67425+ ptl_m = pte_lockptr(mm, pmd_m);
67426+ if (ptl != ptl_m) {
67427+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67428+ if (!pte_none(*pte_m))
67429+ goto out;
67430+ }
67431+
67432+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
67433+ page_cache_get(page_m);
67434+ page_add_file_rmap(page_m);
67435+ inc_mm_counter_fast(mm, MM_FILEPAGES);
67436+ set_pte_at(mm, address_m, pte_m, entry_m);
67437+ update_mmu_cache(vma_m, address_m, entry_m);
67438+out:
67439+ if (ptl != ptl_m)
67440+ spin_unlock(ptl_m);
67441+ pte_unmap(pte_m);
67442+}
67443+
67444+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
67445+{
67446+ struct mm_struct *mm = vma->vm_mm;
67447+ unsigned long address_m;
67448+ spinlock_t *ptl_m;
67449+ struct vm_area_struct *vma_m;
67450+ pmd_t *pmd_m;
67451+ pte_t *pte_m, entry_m;
67452+
67453+ vma_m = pax_find_mirror_vma(vma);
67454+ if (!vma_m)
67455+ return;
67456+
67457+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67458+ address_m = address + SEGMEXEC_TASK_SIZE;
67459+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67460+ pte_m = pte_offset_map(pmd_m, address_m);
67461+ ptl_m = pte_lockptr(mm, pmd_m);
67462+ if (ptl != ptl_m) {
67463+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67464+ if (!pte_none(*pte_m))
67465+ goto out;
67466+ }
67467+
67468+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
67469+ set_pte_at(mm, address_m, pte_m, entry_m);
67470+out:
67471+ if (ptl != ptl_m)
67472+ spin_unlock(ptl_m);
67473+ pte_unmap(pte_m);
67474+}
67475+
67476+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
67477+{
67478+ struct page *page_m;
67479+ pte_t entry;
67480+
67481+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
67482+ goto out;
67483+
67484+ entry = *pte;
67485+ page_m = vm_normal_page(vma, address, entry);
67486+ if (!page_m)
67487+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
67488+ else if (PageAnon(page_m)) {
67489+ if (pax_find_mirror_vma(vma)) {
67490+ pte_unmap_unlock(pte, ptl);
67491+ lock_page(page_m);
67492+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
67493+ if (pte_same(entry, *pte))
67494+ pax_mirror_anon_pte(vma, address, page_m, ptl);
67495+ else
67496+ unlock_page(page_m);
67497+ }
67498+ } else
67499+ pax_mirror_file_pte(vma, address, page_m, ptl);
67500+
67501+out:
67502+ pte_unmap_unlock(pte, ptl);
67503+}
67504+#endif
67505+
67506 /*
67507 * This routine handles present pages, when users try to write
67508 * to a shared page. It is done by copying the page to a new address
67509@@ -2667,6 +2860,12 @@ gotten:
67510 */
67511 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
67512 if (likely(pte_same(*page_table, orig_pte))) {
67513+
67514+#ifdef CONFIG_PAX_SEGMEXEC
67515+ if (pax_find_mirror_vma(vma))
67516+ BUG_ON(!trylock_page(new_page));
67517+#endif
67518+
67519 if (old_page) {
67520 if (!PageAnon(old_page)) {
67521 dec_mm_counter_fast(mm, MM_FILEPAGES);
67522@@ -2718,6 +2917,10 @@ gotten:
67523 page_remove_rmap(old_page);
67524 }
67525
67526+#ifdef CONFIG_PAX_SEGMEXEC
67527+ pax_mirror_anon_pte(vma, address, new_page, ptl);
67528+#endif
67529+
67530 /* Free the old page.. */
67531 new_page = old_page;
67532 ret |= VM_FAULT_WRITE;
67533@@ -2997,6 +3200,11 @@ static int do_swap_page(struct mm_struct
67534 swap_free(entry);
67535 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
67536 try_to_free_swap(page);
67537+
67538+#ifdef CONFIG_PAX_SEGMEXEC
67539+ if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
67540+#endif
67541+
67542 unlock_page(page);
67543 if (swapcache) {
67544 /*
67545@@ -3020,6 +3228,11 @@ static int do_swap_page(struct mm_struct
67546
67547 /* No need to invalidate - it was non-present before */
67548 update_mmu_cache(vma, address, page_table);
67549+
67550+#ifdef CONFIG_PAX_SEGMEXEC
67551+ pax_mirror_anon_pte(vma, address, page, ptl);
67552+#endif
67553+
67554 unlock:
67555 pte_unmap_unlock(page_table, ptl);
67556 out:
67557@@ -3039,40 +3252,6 @@ out_release:
67558 }
67559
67560 /*
67561- * This is like a special single-page "expand_{down|up}wards()",
67562- * except we must first make sure that 'address{-|+}PAGE_SIZE'
67563- * doesn't hit another vma.
67564- */
67565-static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
67566-{
67567- address &= PAGE_MASK;
67568- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
67569- struct vm_area_struct *prev = vma->vm_prev;
67570-
67571- /*
67572- * Is there a mapping abutting this one below?
67573- *
67574- * That's only ok if it's the same stack mapping
67575- * that has gotten split..
67576- */
67577- if (prev && prev->vm_end == address)
67578- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
67579-
67580- expand_downwards(vma, address - PAGE_SIZE);
67581- }
67582- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
67583- struct vm_area_struct *next = vma->vm_next;
67584-
67585- /* As VM_GROWSDOWN but s/below/above/ */
67586- if (next && next->vm_start == address + PAGE_SIZE)
67587- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
67588-
67589- expand_upwards(vma, address + PAGE_SIZE);
67590- }
67591- return 0;
67592-}
67593-
67594-/*
67595 * We enter with non-exclusive mmap_sem (to exclude vma changes,
67596 * but allow concurrent faults), and pte mapped but not yet locked.
67597 * We return with mmap_sem still held, but pte unmapped and unlocked.
67598@@ -3081,27 +3260,23 @@ static int do_anonymous_page(struct mm_s
67599 unsigned long address, pte_t *page_table, pmd_t *pmd,
67600 unsigned int flags)
67601 {
67602- struct page *page;
67603+ struct page *page = NULL;
67604 spinlock_t *ptl;
67605 pte_t entry;
67606
67607- pte_unmap(page_table);
67608-
67609- /* Check if we need to add a guard page to the stack */
67610- if (check_stack_guard_page(vma, address) < 0)
67611- return VM_FAULT_SIGBUS;
67612-
67613- /* Use the zero-page for reads */
67614 if (!(flags & FAULT_FLAG_WRITE)) {
67615 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
67616 vma->vm_page_prot));
67617- page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
67618+ ptl = pte_lockptr(mm, pmd);
67619+ spin_lock(ptl);
67620 if (!pte_none(*page_table))
67621 goto unlock;
67622 goto setpte;
67623 }
67624
67625 /* Allocate our own private page. */
67626+ pte_unmap(page_table);
67627+
67628 if (unlikely(anon_vma_prepare(vma)))
67629 goto oom;
67630 page = alloc_zeroed_user_highpage_movable(vma, address);
67631@@ -3120,6 +3295,11 @@ static int do_anonymous_page(struct mm_s
67632 if (!pte_none(*page_table))
67633 goto release;
67634
67635+#ifdef CONFIG_PAX_SEGMEXEC
67636+ if (pax_find_mirror_vma(vma))
67637+ BUG_ON(!trylock_page(page));
67638+#endif
67639+
67640 inc_mm_counter_fast(mm, MM_ANONPAGES);
67641 page_add_new_anon_rmap(page, vma, address);
67642 setpte:
67643@@ -3127,6 +3307,12 @@ setpte:
67644
67645 /* No need to invalidate - it was non-present before */
67646 update_mmu_cache(vma, address, page_table);
67647+
67648+#ifdef CONFIG_PAX_SEGMEXEC
67649+ if (page)
67650+ pax_mirror_anon_pte(vma, address, page, ptl);
67651+#endif
67652+
67653 unlock:
67654 pte_unmap_unlock(page_table, ptl);
67655 return 0;
67656@@ -3264,6 +3450,12 @@ static int __do_fault(struct mm_struct *
67657 */
67658 /* Only go through if we didn't race with anybody else... */
67659 if (likely(pte_same(*page_table, orig_pte))) {
67660+
67661+#ifdef CONFIG_PAX_SEGMEXEC
67662+ if (anon && pax_find_mirror_vma(vma))
67663+ BUG_ON(!trylock_page(page));
67664+#endif
67665+
67666 flush_icache_page(vma, page);
67667 entry = mk_pte(page, vma->vm_page_prot);
67668 if (flags & FAULT_FLAG_WRITE)
67669@@ -3283,6 +3475,14 @@ static int __do_fault(struct mm_struct *
67670
67671 /* no need to invalidate: a not-present page won't be cached */
67672 update_mmu_cache(vma, address, page_table);
67673+
67674+#ifdef CONFIG_PAX_SEGMEXEC
67675+ if (anon)
67676+ pax_mirror_anon_pte(vma, address, page, ptl);
67677+ else
67678+ pax_mirror_file_pte(vma, address, page, ptl);
67679+#endif
67680+
67681 } else {
67682 if (charged)
67683 mem_cgroup_uncharge_page(page);
67684@@ -3430,6 +3630,12 @@ int handle_pte_fault(struct mm_struct *m
67685 if (flags & FAULT_FLAG_WRITE)
67686 flush_tlb_fix_spurious_fault(vma, address);
67687 }
67688+
67689+#ifdef CONFIG_PAX_SEGMEXEC
67690+ pax_mirror_pte(vma, address, pte, pmd, ptl);
67691+ return 0;
67692+#endif
67693+
67694 unlock:
67695 pte_unmap_unlock(pte, ptl);
67696 return 0;
67697@@ -3446,6 +3652,10 @@ int handle_mm_fault(struct mm_struct *mm
67698 pmd_t *pmd;
67699 pte_t *pte;
67700
67701+#ifdef CONFIG_PAX_SEGMEXEC
67702+ struct vm_area_struct *vma_m;
67703+#endif
67704+
67705 __set_current_state(TASK_RUNNING);
67706
67707 count_vm_event(PGFAULT);
67708@@ -3457,6 +3667,34 @@ int handle_mm_fault(struct mm_struct *mm
67709 if (unlikely(is_vm_hugetlb_page(vma)))
67710 return hugetlb_fault(mm, vma, address, flags);
67711
67712+#ifdef CONFIG_PAX_SEGMEXEC
67713+ vma_m = pax_find_mirror_vma(vma);
67714+ if (vma_m) {
67715+ unsigned long address_m;
67716+ pgd_t *pgd_m;
67717+ pud_t *pud_m;
67718+ pmd_t *pmd_m;
67719+
67720+ if (vma->vm_start > vma_m->vm_start) {
67721+ address_m = address;
67722+ address -= SEGMEXEC_TASK_SIZE;
67723+ vma = vma_m;
67724+ } else
67725+ address_m = address + SEGMEXEC_TASK_SIZE;
67726+
67727+ pgd_m = pgd_offset(mm, address_m);
67728+ pud_m = pud_alloc(mm, pgd_m, address_m);
67729+ if (!pud_m)
67730+ return VM_FAULT_OOM;
67731+ pmd_m = pmd_alloc(mm, pud_m, address_m);
67732+ if (!pmd_m)
67733+ return VM_FAULT_OOM;
67734+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
67735+ return VM_FAULT_OOM;
67736+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
67737+ }
67738+#endif
67739+
67740 pgd = pgd_offset(mm, address);
67741 pud = pud_alloc(mm, pgd, address);
67742 if (!pud)
67743@@ -3486,7 +3724,7 @@ int handle_mm_fault(struct mm_struct *mm
67744 * run pte_offset_map on the pmd, if an huge pmd could
67745 * materialize from under us from a different thread.
67746 */
67747- if (unlikely(pmd_none(*pmd)) && __pte_alloc(mm, vma, pmd, address))
67748+ if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
67749 return VM_FAULT_OOM;
67750 /* if an huge pmd materialized from under us just retry later */
67751 if (unlikely(pmd_trans_huge(*pmd)))
67752@@ -3590,7 +3828,7 @@ static int __init gate_vma_init(void)
67753 gate_vma.vm_start = FIXADDR_USER_START;
67754 gate_vma.vm_end = FIXADDR_USER_END;
67755 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
67756- gate_vma.vm_page_prot = __P101;
67757+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
67758 /*
67759 * Make sure the vDSO gets into every core dump.
67760 * Dumping its contents makes post-mortem fully interpretable later
67761diff -urNp linux-3.0.7/mm/mempolicy.c linux-3.0.7/mm/mempolicy.c
67762--- linux-3.0.7/mm/mempolicy.c 2011-07-21 22:17:23.000000000 -0400
67763+++ linux-3.0.7/mm/mempolicy.c 2011-08-23 21:48:14.000000000 -0400
67764@@ -639,6 +639,10 @@ static int mbind_range(struct mm_struct
67765 unsigned long vmstart;
67766 unsigned long vmend;
67767
67768+#ifdef CONFIG_PAX_SEGMEXEC
67769+ struct vm_area_struct *vma_m;
67770+#endif
67771+
67772 vma = find_vma_prev(mm, start, &prev);
67773 if (!vma || vma->vm_start > start)
67774 return -EFAULT;
67775@@ -669,6 +673,16 @@ static int mbind_range(struct mm_struct
67776 err = policy_vma(vma, new_pol);
67777 if (err)
67778 goto out;
67779+
67780+#ifdef CONFIG_PAX_SEGMEXEC
67781+ vma_m = pax_find_mirror_vma(vma);
67782+ if (vma_m) {
67783+ err = policy_vma(vma_m, new_pol);
67784+ if (err)
67785+ goto out;
67786+ }
67787+#endif
67788+
67789 }
67790
67791 out:
67792@@ -1102,6 +1116,17 @@ static long do_mbind(unsigned long start
67793
67794 if (end < start)
67795 return -EINVAL;
67796+
67797+#ifdef CONFIG_PAX_SEGMEXEC
67798+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
67799+ if (end > SEGMEXEC_TASK_SIZE)
67800+ return -EINVAL;
67801+ } else
67802+#endif
67803+
67804+ if (end > TASK_SIZE)
67805+ return -EINVAL;
67806+
67807 if (end == start)
67808 return 0;
67809
67810@@ -1320,6 +1345,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
67811 if (!mm)
67812 goto out;
67813
67814+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
67815+ if (mm != current->mm &&
67816+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
67817+ err = -EPERM;
67818+ goto out;
67819+ }
67820+#endif
67821+
67822 /*
67823 * Check if this process has the right to modify the specified
67824 * process. The right exists if the process has administrative
67825@@ -1329,8 +1362,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
67826 rcu_read_lock();
67827 tcred = __task_cred(task);
67828 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
67829- cred->uid != tcred->suid && cred->uid != tcred->uid &&
67830- !capable(CAP_SYS_NICE)) {
67831+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
67832 rcu_read_unlock();
67833 err = -EPERM;
67834 goto out;
67835diff -urNp linux-3.0.7/mm/migrate.c linux-3.0.7/mm/migrate.c
67836--- linux-3.0.7/mm/migrate.c 2011-07-21 22:17:23.000000000 -0400
67837+++ linux-3.0.7/mm/migrate.c 2011-08-23 21:48:14.000000000 -0400
67838@@ -1124,6 +1124,8 @@ static int do_pages_move(struct mm_struc
67839 unsigned long chunk_start;
67840 int err;
67841
67842+ pax_track_stack();
67843+
67844 task_nodes = cpuset_mems_allowed(task);
67845
67846 err = -ENOMEM;
67847@@ -1308,6 +1310,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
67848 if (!mm)
67849 return -EINVAL;
67850
67851+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
67852+ if (mm != current->mm &&
67853+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
67854+ err = -EPERM;
67855+ goto out;
67856+ }
67857+#endif
67858+
67859 /*
67860 * Check if this process has the right to modify the specified
67861 * process. The right exists if the process has administrative
67862@@ -1317,8 +1327,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
67863 rcu_read_lock();
67864 tcred = __task_cred(task);
67865 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
67866- cred->uid != tcred->suid && cred->uid != tcred->uid &&
67867- !capable(CAP_SYS_NICE)) {
67868+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
67869 rcu_read_unlock();
67870 err = -EPERM;
67871 goto out;
67872diff -urNp linux-3.0.7/mm/mlock.c linux-3.0.7/mm/mlock.c
67873--- linux-3.0.7/mm/mlock.c 2011-07-21 22:17:23.000000000 -0400
67874+++ linux-3.0.7/mm/mlock.c 2011-08-23 21:48:14.000000000 -0400
67875@@ -13,6 +13,7 @@
67876 #include <linux/pagemap.h>
67877 #include <linux/mempolicy.h>
67878 #include <linux/syscalls.h>
67879+#include <linux/security.h>
67880 #include <linux/sched.h>
67881 #include <linux/module.h>
67882 #include <linux/rmap.h>
67883@@ -377,6 +378,9 @@ static int do_mlock(unsigned long start,
67884 return -EINVAL;
67885 if (end == start)
67886 return 0;
67887+ if (end > TASK_SIZE)
67888+ return -EINVAL;
67889+
67890 vma = find_vma_prev(current->mm, start, &prev);
67891 if (!vma || vma->vm_start > start)
67892 return -ENOMEM;
67893@@ -387,6 +391,11 @@ static int do_mlock(unsigned long start,
67894 for (nstart = start ; ; ) {
67895 vm_flags_t newflags;
67896
67897+#ifdef CONFIG_PAX_SEGMEXEC
67898+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
67899+ break;
67900+#endif
67901+
67902 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
67903
67904 newflags = vma->vm_flags | VM_LOCKED;
67905@@ -492,6 +501,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
67906 lock_limit >>= PAGE_SHIFT;
67907
67908 /* check against resource limits */
67909+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
67910 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
67911 error = do_mlock(start, len, 1);
67912 up_write(&current->mm->mmap_sem);
67913@@ -515,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
67914 static int do_mlockall(int flags)
67915 {
67916 struct vm_area_struct * vma, * prev = NULL;
67917- unsigned int def_flags = 0;
67918
67919 if (flags & MCL_FUTURE)
67920- def_flags = VM_LOCKED;
67921- current->mm->def_flags = def_flags;
67922+ current->mm->def_flags |= VM_LOCKED;
67923+ else
67924+ current->mm->def_flags &= ~VM_LOCKED;
67925 if (flags == MCL_FUTURE)
67926 goto out;
67927
67928 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
67929 vm_flags_t newflags;
67930
67931+#ifdef CONFIG_PAX_SEGMEXEC
67932+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
67933+ break;
67934+#endif
67935+
67936+ BUG_ON(vma->vm_end > TASK_SIZE);
67937 newflags = vma->vm_flags | VM_LOCKED;
67938 if (!(flags & MCL_CURRENT))
67939 newflags &= ~VM_LOCKED;
67940@@ -557,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
67941 lock_limit >>= PAGE_SHIFT;
67942
67943 ret = -ENOMEM;
67944+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
67945 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
67946 capable(CAP_IPC_LOCK))
67947 ret = do_mlockall(flags);
67948diff -urNp linux-3.0.7/mm/mmap.c linux-3.0.7/mm/mmap.c
67949--- linux-3.0.7/mm/mmap.c 2011-07-21 22:17:23.000000000 -0400
67950+++ linux-3.0.7/mm/mmap.c 2011-08-23 21:48:14.000000000 -0400
67951@@ -46,6 +46,16 @@
67952 #define arch_rebalance_pgtables(addr, len) (addr)
67953 #endif
67954
67955+static inline void verify_mm_writelocked(struct mm_struct *mm)
67956+{
67957+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
67958+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
67959+ up_read(&mm->mmap_sem);
67960+ BUG();
67961+ }
67962+#endif
67963+}
67964+
67965 static void unmap_region(struct mm_struct *mm,
67966 struct vm_area_struct *vma, struct vm_area_struct *prev,
67967 unsigned long start, unsigned long end);
67968@@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
67969 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
67970 *
67971 */
67972-pgprot_t protection_map[16] = {
67973+pgprot_t protection_map[16] __read_only = {
67974 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
67975 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
67976 };
67977
67978-pgprot_t vm_get_page_prot(unsigned long vm_flags)
67979+pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
67980 {
67981- return __pgprot(pgprot_val(protection_map[vm_flags &
67982+ pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
67983 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
67984 pgprot_val(arch_vm_get_page_prot(vm_flags)));
67985+
67986+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
67987+ if (!(__supported_pte_mask & _PAGE_NX) &&
67988+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
67989+ (vm_flags & (VM_READ | VM_WRITE)))
67990+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
67991+#endif
67992+
67993+ return prot;
67994 }
67995 EXPORT_SYMBOL(vm_get_page_prot);
67996
67997 int sysctl_overcommit_memory __read_mostly = OVERCOMMIT_GUESS; /* heuristic overcommit */
67998 int sysctl_overcommit_ratio __read_mostly = 50; /* default is 50% */
67999 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
68000+unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
68001 /*
68002 * Make sure vm_committed_as in one cacheline and not cacheline shared with
68003 * other variables. It can be updated by several CPUs frequently.
68004@@ -236,6 +256,7 @@ static struct vm_area_struct *remove_vma
68005 struct vm_area_struct *next = vma->vm_next;
68006
68007 might_sleep();
68008+ BUG_ON(vma->vm_mirror);
68009 if (vma->vm_ops && vma->vm_ops->close)
68010 vma->vm_ops->close(vma);
68011 if (vma->vm_file) {
68012@@ -280,6 +301,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
68013 * not page aligned -Ram Gupta
68014 */
68015 rlim = rlimit(RLIMIT_DATA);
68016+ gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
68017 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
68018 (mm->end_data - mm->start_data) > rlim)
68019 goto out;
68020@@ -697,6 +719,12 @@ static int
68021 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
68022 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68023 {
68024+
68025+#ifdef CONFIG_PAX_SEGMEXEC
68026+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
68027+ return 0;
68028+#endif
68029+
68030 if (is_mergeable_vma(vma, file, vm_flags) &&
68031 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
68032 if (vma->vm_pgoff == vm_pgoff)
68033@@ -716,6 +744,12 @@ static int
68034 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
68035 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68036 {
68037+
68038+#ifdef CONFIG_PAX_SEGMEXEC
68039+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
68040+ return 0;
68041+#endif
68042+
68043 if (is_mergeable_vma(vma, file, vm_flags) &&
68044 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
68045 pgoff_t vm_pglen;
68046@@ -758,13 +792,20 @@ can_vma_merge_after(struct vm_area_struc
68047 struct vm_area_struct *vma_merge(struct mm_struct *mm,
68048 struct vm_area_struct *prev, unsigned long addr,
68049 unsigned long end, unsigned long vm_flags,
68050- struct anon_vma *anon_vma, struct file *file,
68051+ struct anon_vma *anon_vma, struct file *file,
68052 pgoff_t pgoff, struct mempolicy *policy)
68053 {
68054 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
68055 struct vm_area_struct *area, *next;
68056 int err;
68057
68058+#ifdef CONFIG_PAX_SEGMEXEC
68059+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
68060+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
68061+
68062+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
68063+#endif
68064+
68065 /*
68066 * We later require that vma->vm_flags == vm_flags,
68067 * so this tests vma->vm_flags & VM_SPECIAL, too.
68068@@ -780,6 +821,15 @@ struct vm_area_struct *vma_merge(struct
68069 if (next && next->vm_end == end) /* cases 6, 7, 8 */
68070 next = next->vm_next;
68071
68072+#ifdef CONFIG_PAX_SEGMEXEC
68073+ if (prev)
68074+ prev_m = pax_find_mirror_vma(prev);
68075+ if (area)
68076+ area_m = pax_find_mirror_vma(area);
68077+ if (next)
68078+ next_m = pax_find_mirror_vma(next);
68079+#endif
68080+
68081 /*
68082 * Can it merge with the predecessor?
68083 */
68084@@ -799,9 +849,24 @@ struct vm_area_struct *vma_merge(struct
68085 /* cases 1, 6 */
68086 err = vma_adjust(prev, prev->vm_start,
68087 next->vm_end, prev->vm_pgoff, NULL);
68088- } else /* cases 2, 5, 7 */
68089+
68090+#ifdef CONFIG_PAX_SEGMEXEC
68091+ if (!err && prev_m)
68092+ err = vma_adjust(prev_m, prev_m->vm_start,
68093+ next_m->vm_end, prev_m->vm_pgoff, NULL);
68094+#endif
68095+
68096+ } else { /* cases 2, 5, 7 */
68097 err = vma_adjust(prev, prev->vm_start,
68098 end, prev->vm_pgoff, NULL);
68099+
68100+#ifdef CONFIG_PAX_SEGMEXEC
68101+ if (!err && prev_m)
68102+ err = vma_adjust(prev_m, prev_m->vm_start,
68103+ end_m, prev_m->vm_pgoff, NULL);
68104+#endif
68105+
68106+ }
68107 if (err)
68108 return NULL;
68109 khugepaged_enter_vma_merge(prev);
68110@@ -815,12 +880,27 @@ struct vm_area_struct *vma_merge(struct
68111 mpol_equal(policy, vma_policy(next)) &&
68112 can_vma_merge_before(next, vm_flags,
68113 anon_vma, file, pgoff+pglen)) {
68114- if (prev && addr < prev->vm_end) /* case 4 */
68115+ if (prev && addr < prev->vm_end) { /* case 4 */
68116 err = vma_adjust(prev, prev->vm_start,
68117 addr, prev->vm_pgoff, NULL);
68118- else /* cases 3, 8 */
68119+
68120+#ifdef CONFIG_PAX_SEGMEXEC
68121+ if (!err && prev_m)
68122+ err = vma_adjust(prev_m, prev_m->vm_start,
68123+ addr_m, prev_m->vm_pgoff, NULL);
68124+#endif
68125+
68126+ } else { /* cases 3, 8 */
68127 err = vma_adjust(area, addr, next->vm_end,
68128 next->vm_pgoff - pglen, NULL);
68129+
68130+#ifdef CONFIG_PAX_SEGMEXEC
68131+ if (!err && area_m)
68132+ err = vma_adjust(area_m, addr_m, next_m->vm_end,
68133+ next_m->vm_pgoff - pglen, NULL);
68134+#endif
68135+
68136+ }
68137 if (err)
68138 return NULL;
68139 khugepaged_enter_vma_merge(area);
68140@@ -929,14 +1009,11 @@ none:
68141 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
68142 struct file *file, long pages)
68143 {
68144- const unsigned long stack_flags
68145- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
68146-
68147 if (file) {
68148 mm->shared_vm += pages;
68149 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
68150 mm->exec_vm += pages;
68151- } else if (flags & stack_flags)
68152+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
68153 mm->stack_vm += pages;
68154 if (flags & (VM_RESERVED|VM_IO))
68155 mm->reserved_vm += pages;
68156@@ -963,7 +1040,7 @@ unsigned long do_mmap_pgoff(struct file
68157 * (the exception is when the underlying filesystem is noexec
68158 * mounted, in which case we dont add PROT_EXEC.)
68159 */
68160- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
68161+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
68162 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
68163 prot |= PROT_EXEC;
68164
68165@@ -989,7 +1066,7 @@ unsigned long do_mmap_pgoff(struct file
68166 /* Obtain the address to map to. we verify (or select) it and ensure
68167 * that it represents a valid section of the address space.
68168 */
68169- addr = get_unmapped_area(file, addr, len, pgoff, flags);
68170+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
68171 if (addr & ~PAGE_MASK)
68172 return addr;
68173
68174@@ -1000,6 +1077,36 @@ unsigned long do_mmap_pgoff(struct file
68175 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
68176 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
68177
68178+#ifdef CONFIG_PAX_MPROTECT
68179+ if (mm->pax_flags & MF_PAX_MPROTECT) {
68180+#ifndef CONFIG_PAX_MPROTECT_COMPAT
68181+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
68182+ gr_log_rwxmmap(file);
68183+
68184+#ifdef CONFIG_PAX_EMUPLT
68185+ vm_flags &= ~VM_EXEC;
68186+#else
68187+ return -EPERM;
68188+#endif
68189+
68190+ }
68191+
68192+ if (!(vm_flags & VM_EXEC))
68193+ vm_flags &= ~VM_MAYEXEC;
68194+#else
68195+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
68196+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
68197+#endif
68198+ else
68199+ vm_flags &= ~VM_MAYWRITE;
68200+ }
68201+#endif
68202+
68203+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68204+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
68205+ vm_flags &= ~VM_PAGEEXEC;
68206+#endif
68207+
68208 if (flags & MAP_LOCKED)
68209 if (!can_do_mlock())
68210 return -EPERM;
68211@@ -1011,6 +1118,7 @@ unsigned long do_mmap_pgoff(struct file
68212 locked += mm->locked_vm;
68213 lock_limit = rlimit(RLIMIT_MEMLOCK);
68214 lock_limit >>= PAGE_SHIFT;
68215+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
68216 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
68217 return -EAGAIN;
68218 }
68219@@ -1081,6 +1189,9 @@ unsigned long do_mmap_pgoff(struct file
68220 if (error)
68221 return error;
68222
68223+ if (!gr_acl_handle_mmap(file, prot))
68224+ return -EACCES;
68225+
68226 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
68227 }
68228 EXPORT_SYMBOL(do_mmap_pgoff);
68229@@ -1161,7 +1272,7 @@ int vma_wants_writenotify(struct vm_area
68230 vm_flags_t vm_flags = vma->vm_flags;
68231
68232 /* If it was private or non-writable, the write bit is already clear */
68233- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
68234+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
68235 return 0;
68236
68237 /* The backer wishes to know when pages are first written to? */
68238@@ -1210,14 +1321,24 @@ unsigned long mmap_region(struct file *f
68239 unsigned long charged = 0;
68240 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
68241
68242+#ifdef CONFIG_PAX_SEGMEXEC
68243+ struct vm_area_struct *vma_m = NULL;
68244+#endif
68245+
68246+ /*
68247+ * mm->mmap_sem is required to protect against another thread
68248+ * changing the mappings in case we sleep.
68249+ */
68250+ verify_mm_writelocked(mm);
68251+
68252 /* Clear old maps */
68253 error = -ENOMEM;
68254-munmap_back:
68255 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68256 if (vma && vma->vm_start < addr + len) {
68257 if (do_munmap(mm, addr, len))
68258 return -ENOMEM;
68259- goto munmap_back;
68260+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68261+ BUG_ON(vma && vma->vm_start < addr + len);
68262 }
68263
68264 /* Check against address space limit. */
68265@@ -1266,6 +1387,16 @@ munmap_back:
68266 goto unacct_error;
68267 }
68268
68269+#ifdef CONFIG_PAX_SEGMEXEC
68270+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
68271+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
68272+ if (!vma_m) {
68273+ error = -ENOMEM;
68274+ goto free_vma;
68275+ }
68276+ }
68277+#endif
68278+
68279 vma->vm_mm = mm;
68280 vma->vm_start = addr;
68281 vma->vm_end = addr + len;
68282@@ -1289,6 +1420,19 @@ munmap_back:
68283 error = file->f_op->mmap(file, vma);
68284 if (error)
68285 goto unmap_and_free_vma;
68286+
68287+#ifdef CONFIG_PAX_SEGMEXEC
68288+ if (vma_m && (vm_flags & VM_EXECUTABLE))
68289+ added_exe_file_vma(mm);
68290+#endif
68291+
68292+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68293+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
68294+ vma->vm_flags |= VM_PAGEEXEC;
68295+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
68296+ }
68297+#endif
68298+
68299 if (vm_flags & VM_EXECUTABLE)
68300 added_exe_file_vma(mm);
68301
68302@@ -1324,6 +1468,11 @@ munmap_back:
68303 vma_link(mm, vma, prev, rb_link, rb_parent);
68304 file = vma->vm_file;
68305
68306+#ifdef CONFIG_PAX_SEGMEXEC
68307+ if (vma_m)
68308+ BUG_ON(pax_mirror_vma(vma_m, vma));
68309+#endif
68310+
68311 /* Once vma denies write, undo our temporary denial count */
68312 if (correct_wcount)
68313 atomic_inc(&inode->i_writecount);
68314@@ -1332,6 +1481,7 @@ out:
68315
68316 mm->total_vm += len >> PAGE_SHIFT;
68317 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
68318+ track_exec_limit(mm, addr, addr + len, vm_flags);
68319 if (vm_flags & VM_LOCKED) {
68320 if (!mlock_vma_pages_range(vma, addr, addr + len))
68321 mm->locked_vm += (len >> PAGE_SHIFT);
68322@@ -1349,6 +1499,12 @@ unmap_and_free_vma:
68323 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
68324 charged = 0;
68325 free_vma:
68326+
68327+#ifdef CONFIG_PAX_SEGMEXEC
68328+ if (vma_m)
68329+ kmem_cache_free(vm_area_cachep, vma_m);
68330+#endif
68331+
68332 kmem_cache_free(vm_area_cachep, vma);
68333 unacct_error:
68334 if (charged)
68335@@ -1356,6 +1512,44 @@ unacct_error:
68336 return error;
68337 }
68338
68339+bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
68340+{
68341+ if (!vma) {
68342+#ifdef CONFIG_STACK_GROWSUP
68343+ if (addr > sysctl_heap_stack_gap)
68344+ vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
68345+ else
68346+ vma = find_vma(current->mm, 0);
68347+ if (vma && (vma->vm_flags & VM_GROWSUP))
68348+ return false;
68349+#endif
68350+ return true;
68351+ }
68352+
68353+ if (addr + len > vma->vm_start)
68354+ return false;
68355+
68356+ if (vma->vm_flags & VM_GROWSDOWN)
68357+ return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
68358+#ifdef CONFIG_STACK_GROWSUP
68359+ else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
68360+ return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
68361+#endif
68362+
68363+ return true;
68364+}
68365+
68366+unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
68367+{
68368+ if (vma->vm_start < len)
68369+ return -ENOMEM;
68370+ if (!(vma->vm_flags & VM_GROWSDOWN))
68371+ return vma->vm_start - len;
68372+ if (sysctl_heap_stack_gap <= vma->vm_start - len)
68373+ return vma->vm_start - len - sysctl_heap_stack_gap;
68374+ return -ENOMEM;
68375+}
68376+
68377 /* Get an address range which is currently unmapped.
68378 * For shmat() with addr=0.
68379 *
68380@@ -1382,18 +1576,23 @@ arch_get_unmapped_area(struct file *filp
68381 if (flags & MAP_FIXED)
68382 return addr;
68383
68384+#ifdef CONFIG_PAX_RANDMMAP
68385+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68386+#endif
68387+
68388 if (addr) {
68389 addr = PAGE_ALIGN(addr);
68390- vma = find_vma(mm, addr);
68391- if (TASK_SIZE - len >= addr &&
68392- (!vma || addr + len <= vma->vm_start))
68393- return addr;
68394+ if (TASK_SIZE - len >= addr) {
68395+ vma = find_vma(mm, addr);
68396+ if (check_heap_stack_gap(vma, addr, len))
68397+ return addr;
68398+ }
68399 }
68400 if (len > mm->cached_hole_size) {
68401- start_addr = addr = mm->free_area_cache;
68402+ start_addr = addr = mm->free_area_cache;
68403 } else {
68404- start_addr = addr = TASK_UNMAPPED_BASE;
68405- mm->cached_hole_size = 0;
68406+ start_addr = addr = mm->mmap_base;
68407+ mm->cached_hole_size = 0;
68408 }
68409
68410 full_search:
68411@@ -1404,34 +1603,40 @@ full_search:
68412 * Start a new search - just in case we missed
68413 * some holes.
68414 */
68415- if (start_addr != TASK_UNMAPPED_BASE) {
68416- addr = TASK_UNMAPPED_BASE;
68417- start_addr = addr;
68418+ if (start_addr != mm->mmap_base) {
68419+ start_addr = addr = mm->mmap_base;
68420 mm->cached_hole_size = 0;
68421 goto full_search;
68422 }
68423 return -ENOMEM;
68424 }
68425- if (!vma || addr + len <= vma->vm_start) {
68426- /*
68427- * Remember the place where we stopped the search:
68428- */
68429- mm->free_area_cache = addr + len;
68430- return addr;
68431- }
68432+ if (check_heap_stack_gap(vma, addr, len))
68433+ break;
68434 if (addr + mm->cached_hole_size < vma->vm_start)
68435 mm->cached_hole_size = vma->vm_start - addr;
68436 addr = vma->vm_end;
68437 }
68438+
68439+ /*
68440+ * Remember the place where we stopped the search:
68441+ */
68442+ mm->free_area_cache = addr + len;
68443+ return addr;
68444 }
68445 #endif
68446
68447 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
68448 {
68449+
68450+#ifdef CONFIG_PAX_SEGMEXEC
68451+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68452+ return;
68453+#endif
68454+
68455 /*
68456 * Is this a new hole at the lowest possible address?
68457 */
68458- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
68459+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
68460 mm->free_area_cache = addr;
68461 mm->cached_hole_size = ~0UL;
68462 }
68463@@ -1449,7 +1654,7 @@ arch_get_unmapped_area_topdown(struct fi
68464 {
68465 struct vm_area_struct *vma;
68466 struct mm_struct *mm = current->mm;
68467- unsigned long addr = addr0;
68468+ unsigned long base = mm->mmap_base, addr = addr0;
68469
68470 /* requested length too big for entire address space */
68471 if (len > TASK_SIZE)
68472@@ -1458,13 +1663,18 @@ arch_get_unmapped_area_topdown(struct fi
68473 if (flags & MAP_FIXED)
68474 return addr;
68475
68476+#ifdef CONFIG_PAX_RANDMMAP
68477+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68478+#endif
68479+
68480 /* requesting a specific address */
68481 if (addr) {
68482 addr = PAGE_ALIGN(addr);
68483- vma = find_vma(mm, addr);
68484- if (TASK_SIZE - len >= addr &&
68485- (!vma || addr + len <= vma->vm_start))
68486- return addr;
68487+ if (TASK_SIZE - len >= addr) {
68488+ vma = find_vma(mm, addr);
68489+ if (check_heap_stack_gap(vma, addr, len))
68490+ return addr;
68491+ }
68492 }
68493
68494 /* check if free_area_cache is useful for us */
68495@@ -1479,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
68496 /* make sure it can fit in the remaining address space */
68497 if (addr > len) {
68498 vma = find_vma(mm, addr-len);
68499- if (!vma || addr <= vma->vm_start)
68500+ if (check_heap_stack_gap(vma, addr - len, len))
68501 /* remember the address as a hint for next time */
68502 return (mm->free_area_cache = addr-len);
68503 }
68504@@ -1496,7 +1706,7 @@ arch_get_unmapped_area_topdown(struct fi
68505 * return with success:
68506 */
68507 vma = find_vma(mm, addr);
68508- if (!vma || addr+len <= vma->vm_start)
68509+ if (check_heap_stack_gap(vma, addr, len))
68510 /* remember the address as a hint for next time */
68511 return (mm->free_area_cache = addr);
68512
68513@@ -1505,8 +1715,8 @@ arch_get_unmapped_area_topdown(struct fi
68514 mm->cached_hole_size = vma->vm_start - addr;
68515
68516 /* try just below the current vma->vm_start */
68517- addr = vma->vm_start-len;
68518- } while (len < vma->vm_start);
68519+ addr = skip_heap_stack_gap(vma, len);
68520+ } while (!IS_ERR_VALUE(addr));
68521
68522 bottomup:
68523 /*
68524@@ -1515,13 +1725,21 @@ bottomup:
68525 * can happen with large stack limits and large mmap()
68526 * allocations.
68527 */
68528+ mm->mmap_base = TASK_UNMAPPED_BASE;
68529+
68530+#ifdef CONFIG_PAX_RANDMMAP
68531+ if (mm->pax_flags & MF_PAX_RANDMMAP)
68532+ mm->mmap_base += mm->delta_mmap;
68533+#endif
68534+
68535+ mm->free_area_cache = mm->mmap_base;
68536 mm->cached_hole_size = ~0UL;
68537- mm->free_area_cache = TASK_UNMAPPED_BASE;
68538 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
68539 /*
68540 * Restore the topdown base:
68541 */
68542- mm->free_area_cache = mm->mmap_base;
68543+ mm->mmap_base = base;
68544+ mm->free_area_cache = base;
68545 mm->cached_hole_size = ~0UL;
68546
68547 return addr;
68548@@ -1530,6 +1748,12 @@ bottomup:
68549
68550 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
68551 {
68552+
68553+#ifdef CONFIG_PAX_SEGMEXEC
68554+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68555+ return;
68556+#endif
68557+
68558 /*
68559 * Is this a new hole at the highest possible address?
68560 */
68561@@ -1537,8 +1761,10 @@ void arch_unmap_area_topdown(struct mm_s
68562 mm->free_area_cache = addr;
68563
68564 /* dont allow allocations above current base */
68565- if (mm->free_area_cache > mm->mmap_base)
68566+ if (mm->free_area_cache > mm->mmap_base) {
68567 mm->free_area_cache = mm->mmap_base;
68568+ mm->cached_hole_size = ~0UL;
68569+ }
68570 }
68571
68572 unsigned long
68573@@ -1646,6 +1872,28 @@ out:
68574 return prev ? prev->vm_next : vma;
68575 }
68576
68577+#ifdef CONFIG_PAX_SEGMEXEC
68578+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
68579+{
68580+ struct vm_area_struct *vma_m;
68581+
68582+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
68583+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
68584+ BUG_ON(vma->vm_mirror);
68585+ return NULL;
68586+ }
68587+ BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
68588+ vma_m = vma->vm_mirror;
68589+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
68590+ BUG_ON(vma->vm_file != vma_m->vm_file);
68591+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
68592+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
68593+ BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
68594+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
68595+ return vma_m;
68596+}
68597+#endif
68598+
68599 /*
68600 * Verify that the stack growth is acceptable and
68601 * update accounting. This is shared with both the
68602@@ -1662,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
68603 return -ENOMEM;
68604
68605 /* Stack limit test */
68606+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
68607 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
68608 return -ENOMEM;
68609
68610@@ -1672,6 +1921,7 @@ static int acct_stack_growth(struct vm_a
68611 locked = mm->locked_vm + grow;
68612 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
68613 limit >>= PAGE_SHIFT;
68614+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
68615 if (locked > limit && !capable(CAP_IPC_LOCK))
68616 return -ENOMEM;
68617 }
68618@@ -1702,37 +1952,48 @@ static int acct_stack_growth(struct vm_a
68619 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
68620 * vma is the last one with address > vma->vm_end. Have to extend vma.
68621 */
68622+#ifndef CONFIG_IA64
68623+static
68624+#endif
68625 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
68626 {
68627 int error;
68628+ bool locknext;
68629
68630 if (!(vma->vm_flags & VM_GROWSUP))
68631 return -EFAULT;
68632
68633+ /* Also guard against wrapping around to address 0. */
68634+ if (address < PAGE_ALIGN(address+1))
68635+ address = PAGE_ALIGN(address+1);
68636+ else
68637+ return -ENOMEM;
68638+
68639 /*
68640 * We must make sure the anon_vma is allocated
68641 * so that the anon_vma locking is not a noop.
68642 */
68643 if (unlikely(anon_vma_prepare(vma)))
68644 return -ENOMEM;
68645+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
68646+ if (locknext && anon_vma_prepare(vma->vm_next))
68647+ return -ENOMEM;
68648 vma_lock_anon_vma(vma);
68649+ if (locknext)
68650+ vma_lock_anon_vma(vma->vm_next);
68651
68652 /*
68653 * vma->vm_start/vm_end cannot change under us because the caller
68654 * is required to hold the mmap_sem in read mode. We need the
68655- * anon_vma lock to serialize against concurrent expand_stacks.
68656- * Also guard against wrapping around to address 0.
68657+ * anon_vma locks to serialize against concurrent expand_stacks
68658+ * and expand_upwards.
68659 */
68660- if (address < PAGE_ALIGN(address+4))
68661- address = PAGE_ALIGN(address+4);
68662- else {
68663- vma_unlock_anon_vma(vma);
68664- return -ENOMEM;
68665- }
68666 error = 0;
68667
68668 /* Somebody else might have raced and expanded it already */
68669- if (address > vma->vm_end) {
68670+ if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
68671+ error = -ENOMEM;
68672+ else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
68673 unsigned long size, grow;
68674
68675 size = address - vma->vm_start;
68676@@ -1747,6 +2008,8 @@ int expand_upwards(struct vm_area_struct
68677 }
68678 }
68679 }
68680+ if (locknext)
68681+ vma_unlock_anon_vma(vma->vm_next);
68682 vma_unlock_anon_vma(vma);
68683 khugepaged_enter_vma_merge(vma);
68684 return error;
68685@@ -1760,6 +2023,8 @@ int expand_downwards(struct vm_area_stru
68686 unsigned long address)
68687 {
68688 int error;
68689+ bool lockprev = false;
68690+ struct vm_area_struct *prev;
68691
68692 /*
68693 * We must make sure the anon_vma is allocated
68694@@ -1773,6 +2038,15 @@ int expand_downwards(struct vm_area_stru
68695 if (error)
68696 return error;
68697
68698+ prev = vma->vm_prev;
68699+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
68700+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
68701+#endif
68702+ if (lockprev && anon_vma_prepare(prev))
68703+ return -ENOMEM;
68704+ if (lockprev)
68705+ vma_lock_anon_vma(prev);
68706+
68707 vma_lock_anon_vma(vma);
68708
68709 /*
68710@@ -1782,9 +2056,17 @@ int expand_downwards(struct vm_area_stru
68711 */
68712
68713 /* Somebody else might have raced and expanded it already */
68714- if (address < vma->vm_start) {
68715+ if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
68716+ error = -ENOMEM;
68717+ else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
68718 unsigned long size, grow;
68719
68720+#ifdef CONFIG_PAX_SEGMEXEC
68721+ struct vm_area_struct *vma_m;
68722+
68723+ vma_m = pax_find_mirror_vma(vma);
68724+#endif
68725+
68726 size = vma->vm_end - address;
68727 grow = (vma->vm_start - address) >> PAGE_SHIFT;
68728
68729@@ -1794,11 +2076,22 @@ int expand_downwards(struct vm_area_stru
68730 if (!error) {
68731 vma->vm_start = address;
68732 vma->vm_pgoff -= grow;
68733+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
68734+
68735+#ifdef CONFIG_PAX_SEGMEXEC
68736+ if (vma_m) {
68737+ vma_m->vm_start -= grow << PAGE_SHIFT;
68738+ vma_m->vm_pgoff -= grow;
68739+ }
68740+#endif
68741+
68742 perf_event_mmap(vma);
68743 }
68744 }
68745 }
68746 vma_unlock_anon_vma(vma);
68747+ if (lockprev)
68748+ vma_unlock_anon_vma(prev);
68749 khugepaged_enter_vma_merge(vma);
68750 return error;
68751 }
68752@@ -1868,6 +2161,13 @@ static void remove_vma_list(struct mm_st
68753 do {
68754 long nrpages = vma_pages(vma);
68755
68756+#ifdef CONFIG_PAX_SEGMEXEC
68757+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
68758+ vma = remove_vma(vma);
68759+ continue;
68760+ }
68761+#endif
68762+
68763 mm->total_vm -= nrpages;
68764 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
68765 vma = remove_vma(vma);
68766@@ -1913,6 +2213,16 @@ detach_vmas_to_be_unmapped(struct mm_str
68767 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
68768 vma->vm_prev = NULL;
68769 do {
68770+
68771+#ifdef CONFIG_PAX_SEGMEXEC
68772+ if (vma->vm_mirror) {
68773+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
68774+ vma->vm_mirror->vm_mirror = NULL;
68775+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
68776+ vma->vm_mirror = NULL;
68777+ }
68778+#endif
68779+
68780 rb_erase(&vma->vm_rb, &mm->mm_rb);
68781 mm->map_count--;
68782 tail_vma = vma;
68783@@ -1941,14 +2251,33 @@ static int __split_vma(struct mm_struct
68784 struct vm_area_struct *new;
68785 int err = -ENOMEM;
68786
68787+#ifdef CONFIG_PAX_SEGMEXEC
68788+ struct vm_area_struct *vma_m, *new_m = NULL;
68789+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
68790+#endif
68791+
68792 if (is_vm_hugetlb_page(vma) && (addr &
68793 ~(huge_page_mask(hstate_vma(vma)))))
68794 return -EINVAL;
68795
68796+#ifdef CONFIG_PAX_SEGMEXEC
68797+ vma_m = pax_find_mirror_vma(vma);
68798+#endif
68799+
68800 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
68801 if (!new)
68802 goto out_err;
68803
68804+#ifdef CONFIG_PAX_SEGMEXEC
68805+ if (vma_m) {
68806+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
68807+ if (!new_m) {
68808+ kmem_cache_free(vm_area_cachep, new);
68809+ goto out_err;
68810+ }
68811+ }
68812+#endif
68813+
68814 /* most fields are the same, copy all, and then fixup */
68815 *new = *vma;
68816
68817@@ -1961,6 +2290,22 @@ static int __split_vma(struct mm_struct
68818 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
68819 }
68820
68821+#ifdef CONFIG_PAX_SEGMEXEC
68822+ if (vma_m) {
68823+ *new_m = *vma_m;
68824+ INIT_LIST_HEAD(&new_m->anon_vma_chain);
68825+ new_m->vm_mirror = new;
68826+ new->vm_mirror = new_m;
68827+
68828+ if (new_below)
68829+ new_m->vm_end = addr_m;
68830+ else {
68831+ new_m->vm_start = addr_m;
68832+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
68833+ }
68834+ }
68835+#endif
68836+
68837 pol = mpol_dup(vma_policy(vma));
68838 if (IS_ERR(pol)) {
68839 err = PTR_ERR(pol);
68840@@ -1986,6 +2331,42 @@ static int __split_vma(struct mm_struct
68841 else
68842 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
68843
68844+#ifdef CONFIG_PAX_SEGMEXEC
68845+ if (!err && vma_m) {
68846+ if (anon_vma_clone(new_m, vma_m))
68847+ goto out_free_mpol;
68848+
68849+ mpol_get(pol);
68850+ vma_set_policy(new_m, pol);
68851+
68852+ if (new_m->vm_file) {
68853+ get_file(new_m->vm_file);
68854+ if (vma_m->vm_flags & VM_EXECUTABLE)
68855+ added_exe_file_vma(mm);
68856+ }
68857+
68858+ if (new_m->vm_ops && new_m->vm_ops->open)
68859+ new_m->vm_ops->open(new_m);
68860+
68861+ if (new_below)
68862+ err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
68863+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
68864+ else
68865+ err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
68866+
68867+ if (err) {
68868+ if (new_m->vm_ops && new_m->vm_ops->close)
68869+ new_m->vm_ops->close(new_m);
68870+ if (new_m->vm_file) {
68871+ if (vma_m->vm_flags & VM_EXECUTABLE)
68872+ removed_exe_file_vma(mm);
68873+ fput(new_m->vm_file);
68874+ }
68875+ mpol_put(pol);
68876+ }
68877+ }
68878+#endif
68879+
68880 /* Success. */
68881 if (!err)
68882 return 0;
68883@@ -1998,10 +2379,18 @@ static int __split_vma(struct mm_struct
68884 removed_exe_file_vma(mm);
68885 fput(new->vm_file);
68886 }
68887- unlink_anon_vmas(new);
68888 out_free_mpol:
68889 mpol_put(pol);
68890 out_free_vma:
68891+
68892+#ifdef CONFIG_PAX_SEGMEXEC
68893+ if (new_m) {
68894+ unlink_anon_vmas(new_m);
68895+ kmem_cache_free(vm_area_cachep, new_m);
68896+ }
68897+#endif
68898+
68899+ unlink_anon_vmas(new);
68900 kmem_cache_free(vm_area_cachep, new);
68901 out_err:
68902 return err;
68903@@ -2014,6 +2403,15 @@ static int __split_vma(struct mm_struct
68904 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
68905 unsigned long addr, int new_below)
68906 {
68907+
68908+#ifdef CONFIG_PAX_SEGMEXEC
68909+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
68910+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
68911+ if (mm->map_count >= sysctl_max_map_count-1)
68912+ return -ENOMEM;
68913+ } else
68914+#endif
68915+
68916 if (mm->map_count >= sysctl_max_map_count)
68917 return -ENOMEM;
68918
68919@@ -2025,11 +2423,30 @@ int split_vma(struct mm_struct *mm, stru
68920 * work. This now handles partial unmappings.
68921 * Jeremy Fitzhardinge <jeremy@goop.org>
68922 */
68923+#ifdef CONFIG_PAX_SEGMEXEC
68924 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
68925 {
68926+ int ret = __do_munmap(mm, start, len);
68927+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
68928+ return ret;
68929+
68930+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
68931+}
68932+
68933+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
68934+#else
68935+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
68936+#endif
68937+{
68938 unsigned long end;
68939 struct vm_area_struct *vma, *prev, *last;
68940
68941+ /*
68942+ * mm->mmap_sem is required to protect against another thread
68943+ * changing the mappings in case we sleep.
68944+ */
68945+ verify_mm_writelocked(mm);
68946+
68947 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
68948 return -EINVAL;
68949
68950@@ -2104,6 +2521,8 @@ int do_munmap(struct mm_struct *mm, unsi
68951 /* Fix up all other VM information */
68952 remove_vma_list(mm, vma);
68953
68954+ track_exec_limit(mm, start, end, 0UL);
68955+
68956 return 0;
68957 }
68958
68959@@ -2116,22 +2535,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
68960
68961 profile_munmap(addr);
68962
68963+#ifdef CONFIG_PAX_SEGMEXEC
68964+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
68965+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
68966+ return -EINVAL;
68967+#endif
68968+
68969 down_write(&mm->mmap_sem);
68970 ret = do_munmap(mm, addr, len);
68971 up_write(&mm->mmap_sem);
68972 return ret;
68973 }
68974
68975-static inline void verify_mm_writelocked(struct mm_struct *mm)
68976-{
68977-#ifdef CONFIG_DEBUG_VM
68978- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
68979- WARN_ON(1);
68980- up_read(&mm->mmap_sem);
68981- }
68982-#endif
68983-}
68984-
68985 /*
68986 * this is really a simplified "do_mmap". it only handles
68987 * anonymous maps. eventually we may be able to do some
68988@@ -2145,6 +2560,7 @@ unsigned long do_brk(unsigned long addr,
68989 struct rb_node ** rb_link, * rb_parent;
68990 pgoff_t pgoff = addr >> PAGE_SHIFT;
68991 int error;
68992+ unsigned long charged;
68993
68994 len = PAGE_ALIGN(len);
68995 if (!len)
68996@@ -2156,16 +2572,30 @@ unsigned long do_brk(unsigned long addr,
68997
68998 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
68999
69000+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
69001+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
69002+ flags &= ~VM_EXEC;
69003+
69004+#ifdef CONFIG_PAX_MPROTECT
69005+ if (mm->pax_flags & MF_PAX_MPROTECT)
69006+ flags &= ~VM_MAYEXEC;
69007+#endif
69008+
69009+ }
69010+#endif
69011+
69012 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
69013 if (error & ~PAGE_MASK)
69014 return error;
69015
69016+ charged = len >> PAGE_SHIFT;
69017+
69018 /*
69019 * mlock MCL_FUTURE?
69020 */
69021 if (mm->def_flags & VM_LOCKED) {
69022 unsigned long locked, lock_limit;
69023- locked = len >> PAGE_SHIFT;
69024+ locked = charged;
69025 locked += mm->locked_vm;
69026 lock_limit = rlimit(RLIMIT_MEMLOCK);
69027 lock_limit >>= PAGE_SHIFT;
69028@@ -2182,22 +2612,22 @@ unsigned long do_brk(unsigned long addr,
69029 /*
69030 * Clear old maps. this also does some error checking for us
69031 */
69032- munmap_back:
69033 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69034 if (vma && vma->vm_start < addr + len) {
69035 if (do_munmap(mm, addr, len))
69036 return -ENOMEM;
69037- goto munmap_back;
69038+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69039+ BUG_ON(vma && vma->vm_start < addr + len);
69040 }
69041
69042 /* Check against address space limits *after* clearing old maps... */
69043- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
69044+ if (!may_expand_vm(mm, charged))
69045 return -ENOMEM;
69046
69047 if (mm->map_count > sysctl_max_map_count)
69048 return -ENOMEM;
69049
69050- if (security_vm_enough_memory(len >> PAGE_SHIFT))
69051+ if (security_vm_enough_memory(charged))
69052 return -ENOMEM;
69053
69054 /* Can we just expand an old private anonymous mapping? */
69055@@ -2211,7 +2641,7 @@ unsigned long do_brk(unsigned long addr,
69056 */
69057 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69058 if (!vma) {
69059- vm_unacct_memory(len >> PAGE_SHIFT);
69060+ vm_unacct_memory(charged);
69061 return -ENOMEM;
69062 }
69063
69064@@ -2225,11 +2655,12 @@ unsigned long do_brk(unsigned long addr,
69065 vma_link(mm, vma, prev, rb_link, rb_parent);
69066 out:
69067 perf_event_mmap(vma);
69068- mm->total_vm += len >> PAGE_SHIFT;
69069+ mm->total_vm += charged;
69070 if (flags & VM_LOCKED) {
69071 if (!mlock_vma_pages_range(vma, addr, addr + len))
69072- mm->locked_vm += (len >> PAGE_SHIFT);
69073+ mm->locked_vm += charged;
69074 }
69075+ track_exec_limit(mm, addr, addr + len, flags);
69076 return addr;
69077 }
69078
69079@@ -2276,8 +2707,10 @@ void exit_mmap(struct mm_struct *mm)
69080 * Walk the list again, actually closing and freeing it,
69081 * with preemption enabled, without holding any MM locks.
69082 */
69083- while (vma)
69084+ while (vma) {
69085+ vma->vm_mirror = NULL;
69086 vma = remove_vma(vma);
69087+ }
69088
69089 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
69090 }
69091@@ -2291,6 +2724,13 @@ int insert_vm_struct(struct mm_struct *
69092 struct vm_area_struct * __vma, * prev;
69093 struct rb_node ** rb_link, * rb_parent;
69094
69095+#ifdef CONFIG_PAX_SEGMEXEC
69096+ struct vm_area_struct *vma_m = NULL;
69097+#endif
69098+
69099+ if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
69100+ return -EPERM;
69101+
69102 /*
69103 * The vm_pgoff of a purely anonymous vma should be irrelevant
69104 * until its first write fault, when page's anon_vma and index
69105@@ -2313,7 +2753,22 @@ int insert_vm_struct(struct mm_struct *
69106 if ((vma->vm_flags & VM_ACCOUNT) &&
69107 security_vm_enough_memory_mm(mm, vma_pages(vma)))
69108 return -ENOMEM;
69109+
69110+#ifdef CONFIG_PAX_SEGMEXEC
69111+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
69112+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69113+ if (!vma_m)
69114+ return -ENOMEM;
69115+ }
69116+#endif
69117+
69118 vma_link(mm, vma, prev, rb_link, rb_parent);
69119+
69120+#ifdef CONFIG_PAX_SEGMEXEC
69121+ if (vma_m)
69122+ BUG_ON(pax_mirror_vma(vma_m, vma));
69123+#endif
69124+
69125 return 0;
69126 }
69127
69128@@ -2331,6 +2786,8 @@ struct vm_area_struct *copy_vma(struct v
69129 struct rb_node **rb_link, *rb_parent;
69130 struct mempolicy *pol;
69131
69132+ BUG_ON(vma->vm_mirror);
69133+
69134 /*
69135 * If anonymous vma has not yet been faulted, update new pgoff
69136 * to match new location, to increase its chance of merging.
69137@@ -2381,6 +2838,39 @@ struct vm_area_struct *copy_vma(struct v
69138 return NULL;
69139 }
69140
69141+#ifdef CONFIG_PAX_SEGMEXEC
69142+long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
69143+{
69144+ struct vm_area_struct *prev_m;
69145+ struct rb_node **rb_link_m, *rb_parent_m;
69146+ struct mempolicy *pol_m;
69147+
69148+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
69149+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
69150+ BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
69151+ *vma_m = *vma;
69152+ INIT_LIST_HEAD(&vma_m->anon_vma_chain);
69153+ if (anon_vma_clone(vma_m, vma))
69154+ return -ENOMEM;
69155+ pol_m = vma_policy(vma_m);
69156+ mpol_get(pol_m);
69157+ vma_set_policy(vma_m, pol_m);
69158+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
69159+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
69160+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
69161+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
69162+ if (vma_m->vm_file)
69163+ get_file(vma_m->vm_file);
69164+ if (vma_m->vm_ops && vma_m->vm_ops->open)
69165+ vma_m->vm_ops->open(vma_m);
69166+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
69167+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
69168+ vma_m->vm_mirror = vma;
69169+ vma->vm_mirror = vma_m;
69170+ return 0;
69171+}
69172+#endif
69173+
69174 /*
69175 * Return true if the calling process may expand its vm space by the passed
69176 * number of pages
69177@@ -2391,7 +2881,7 @@ int may_expand_vm(struct mm_struct *mm,
69178 unsigned long lim;
69179
69180 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
69181-
69182+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
69183 if (cur + npages > lim)
69184 return 0;
69185 return 1;
69186@@ -2462,6 +2952,22 @@ int install_special_mapping(struct mm_st
69187 vma->vm_start = addr;
69188 vma->vm_end = addr + len;
69189
69190+#ifdef CONFIG_PAX_MPROTECT
69191+ if (mm->pax_flags & MF_PAX_MPROTECT) {
69192+#ifndef CONFIG_PAX_MPROTECT_COMPAT
69193+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
69194+ return -EPERM;
69195+ if (!(vm_flags & VM_EXEC))
69196+ vm_flags &= ~VM_MAYEXEC;
69197+#else
69198+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
69199+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
69200+#endif
69201+ else
69202+ vm_flags &= ~VM_MAYWRITE;
69203+ }
69204+#endif
69205+
69206 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
69207 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
69208
69209diff -urNp linux-3.0.7/mm/mprotect.c linux-3.0.7/mm/mprotect.c
69210--- linux-3.0.7/mm/mprotect.c 2011-07-21 22:17:23.000000000 -0400
69211+++ linux-3.0.7/mm/mprotect.c 2011-08-23 21:48:14.000000000 -0400
69212@@ -23,10 +23,16 @@
69213 #include <linux/mmu_notifier.h>
69214 #include <linux/migrate.h>
69215 #include <linux/perf_event.h>
69216+
69217+#ifdef CONFIG_PAX_MPROTECT
69218+#include <linux/elf.h>
69219+#endif
69220+
69221 #include <asm/uaccess.h>
69222 #include <asm/pgtable.h>
69223 #include <asm/cacheflush.h>
69224 #include <asm/tlbflush.h>
69225+#include <asm/mmu_context.h>
69226
69227 #ifndef pgprot_modify
69228 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
69229@@ -141,6 +147,48 @@ static void change_protection(struct vm_
69230 flush_tlb_range(vma, start, end);
69231 }
69232
69233+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69234+/* called while holding the mmap semaphor for writing except stack expansion */
69235+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
69236+{
69237+ unsigned long oldlimit, newlimit = 0UL;
69238+
69239+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
69240+ return;
69241+
69242+ spin_lock(&mm->page_table_lock);
69243+ oldlimit = mm->context.user_cs_limit;
69244+ if ((prot & VM_EXEC) && oldlimit < end)
69245+ /* USER_CS limit moved up */
69246+ newlimit = end;
69247+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
69248+ /* USER_CS limit moved down */
69249+ newlimit = start;
69250+
69251+ if (newlimit) {
69252+ mm->context.user_cs_limit = newlimit;
69253+
69254+#ifdef CONFIG_SMP
69255+ wmb();
69256+ cpus_clear(mm->context.cpu_user_cs_mask);
69257+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
69258+#endif
69259+
69260+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
69261+ }
69262+ spin_unlock(&mm->page_table_lock);
69263+ if (newlimit == end) {
69264+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
69265+
69266+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
69267+ if (is_vm_hugetlb_page(vma))
69268+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
69269+ else
69270+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
69271+ }
69272+}
69273+#endif
69274+
69275 int
69276 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
69277 unsigned long start, unsigned long end, unsigned long newflags)
69278@@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
69279 int error;
69280 int dirty_accountable = 0;
69281
69282+#ifdef CONFIG_PAX_SEGMEXEC
69283+ struct vm_area_struct *vma_m = NULL;
69284+ unsigned long start_m, end_m;
69285+
69286+ start_m = start + SEGMEXEC_TASK_SIZE;
69287+ end_m = end + SEGMEXEC_TASK_SIZE;
69288+#endif
69289+
69290 if (newflags == oldflags) {
69291 *pprev = vma;
69292 return 0;
69293 }
69294
69295+ if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
69296+ struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
69297+
69298+ if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
69299+ return -ENOMEM;
69300+
69301+ if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
69302+ return -ENOMEM;
69303+ }
69304+
69305 /*
69306 * If we make a private mapping writable we increase our commit;
69307 * but (without finer accounting) cannot reduce our commit if we
69308@@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
69309 }
69310 }
69311
69312+#ifdef CONFIG_PAX_SEGMEXEC
69313+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
69314+ if (start != vma->vm_start) {
69315+ error = split_vma(mm, vma, start, 1);
69316+ if (error)
69317+ goto fail;
69318+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
69319+ *pprev = (*pprev)->vm_next;
69320+ }
69321+
69322+ if (end != vma->vm_end) {
69323+ error = split_vma(mm, vma, end, 0);
69324+ if (error)
69325+ goto fail;
69326+ }
69327+
69328+ if (pax_find_mirror_vma(vma)) {
69329+ error = __do_munmap(mm, start_m, end_m - start_m);
69330+ if (error)
69331+ goto fail;
69332+ } else {
69333+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69334+ if (!vma_m) {
69335+ error = -ENOMEM;
69336+ goto fail;
69337+ }
69338+ vma->vm_flags = newflags;
69339+ error = pax_mirror_vma(vma_m, vma);
69340+ if (error) {
69341+ vma->vm_flags = oldflags;
69342+ goto fail;
69343+ }
69344+ }
69345+ }
69346+#endif
69347+
69348 /*
69349 * First try to merge with previous and/or next vma.
69350 */
69351@@ -204,9 +306,21 @@ success:
69352 * vm_flags and vm_page_prot are protected by the mmap_sem
69353 * held in write mode.
69354 */
69355+
69356+#ifdef CONFIG_PAX_SEGMEXEC
69357+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
69358+ pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
69359+#endif
69360+
69361 vma->vm_flags = newflags;
69362+
69363+#ifdef CONFIG_PAX_MPROTECT
69364+ if (mm->binfmt && mm->binfmt->handle_mprotect)
69365+ mm->binfmt->handle_mprotect(vma, newflags);
69366+#endif
69367+
69368 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
69369- vm_get_page_prot(newflags));
69370+ vm_get_page_prot(vma->vm_flags));
69371
69372 if (vma_wants_writenotify(vma)) {
69373 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
69374@@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69375 end = start + len;
69376 if (end <= start)
69377 return -ENOMEM;
69378+
69379+#ifdef CONFIG_PAX_SEGMEXEC
69380+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
69381+ if (end > SEGMEXEC_TASK_SIZE)
69382+ return -EINVAL;
69383+ } else
69384+#endif
69385+
69386+ if (end > TASK_SIZE)
69387+ return -EINVAL;
69388+
69389 if (!arch_validate_prot(prot))
69390 return -EINVAL;
69391
69392@@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69393 /*
69394 * Does the application expect PROT_READ to imply PROT_EXEC:
69395 */
69396- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
69397+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
69398 prot |= PROT_EXEC;
69399
69400 vm_flags = calc_vm_prot_bits(prot);
69401@@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69402 if (start > vma->vm_start)
69403 prev = vma;
69404
69405+#ifdef CONFIG_PAX_MPROTECT
69406+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
69407+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
69408+#endif
69409+
69410 for (nstart = start ; ; ) {
69411 unsigned long newflags;
69412
69413@@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69414
69415 /* newflags >> 4 shift VM_MAY% in place of VM_% */
69416 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
69417+ if (prot & (PROT_WRITE | PROT_EXEC))
69418+ gr_log_rwxmprotect(vma->vm_file);
69419+
69420+ error = -EACCES;
69421+ goto out;
69422+ }
69423+
69424+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
69425 error = -EACCES;
69426 goto out;
69427 }
69428@@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69429 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
69430 if (error)
69431 goto out;
69432+
69433+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
69434+
69435 nstart = tmp;
69436
69437 if (nstart < prev->vm_end)
69438diff -urNp linux-3.0.7/mm/mremap.c linux-3.0.7/mm/mremap.c
69439--- linux-3.0.7/mm/mremap.c 2011-07-21 22:17:23.000000000 -0400
69440+++ linux-3.0.7/mm/mremap.c 2011-08-23 21:47:56.000000000 -0400
69441@@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
69442 continue;
69443 pte = ptep_clear_flush(vma, old_addr, old_pte);
69444 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
69445+
69446+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69447+ if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
69448+ pte = pte_exprotect(pte);
69449+#endif
69450+
69451 set_pte_at(mm, new_addr, new_pte, pte);
69452 }
69453
69454@@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
69455 if (is_vm_hugetlb_page(vma))
69456 goto Einval;
69457
69458+#ifdef CONFIG_PAX_SEGMEXEC
69459+ if (pax_find_mirror_vma(vma))
69460+ goto Einval;
69461+#endif
69462+
69463 /* We can't remap across vm area boundaries */
69464 if (old_len > vma->vm_end - addr)
69465 goto Efault;
69466@@ -328,20 +339,25 @@ static unsigned long mremap_to(unsigned
69467 unsigned long ret = -EINVAL;
69468 unsigned long charged = 0;
69469 unsigned long map_flags;
69470+ unsigned long pax_task_size = TASK_SIZE;
69471
69472 if (new_addr & ~PAGE_MASK)
69473 goto out;
69474
69475- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
69476+#ifdef CONFIG_PAX_SEGMEXEC
69477+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
69478+ pax_task_size = SEGMEXEC_TASK_SIZE;
69479+#endif
69480+
69481+ pax_task_size -= PAGE_SIZE;
69482+
69483+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
69484 goto out;
69485
69486 /* Check if the location we're moving into overlaps the
69487 * old location at all, and fail if it does.
69488 */
69489- if ((new_addr <= addr) && (new_addr+new_len) > addr)
69490- goto out;
69491-
69492- if ((addr <= new_addr) && (addr+old_len) > new_addr)
69493+ if (addr + old_len > new_addr && new_addr + new_len > addr)
69494 goto out;
69495
69496 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
69497@@ -413,6 +429,7 @@ unsigned long do_mremap(unsigned long ad
69498 struct vm_area_struct *vma;
69499 unsigned long ret = -EINVAL;
69500 unsigned long charged = 0;
69501+ unsigned long pax_task_size = TASK_SIZE;
69502
69503 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
69504 goto out;
69505@@ -431,6 +448,17 @@ unsigned long do_mremap(unsigned long ad
69506 if (!new_len)
69507 goto out;
69508
69509+#ifdef CONFIG_PAX_SEGMEXEC
69510+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
69511+ pax_task_size = SEGMEXEC_TASK_SIZE;
69512+#endif
69513+
69514+ pax_task_size -= PAGE_SIZE;
69515+
69516+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
69517+ old_len > pax_task_size || addr > pax_task_size-old_len)
69518+ goto out;
69519+
69520 if (flags & MREMAP_FIXED) {
69521 if (flags & MREMAP_MAYMOVE)
69522 ret = mremap_to(addr, old_len, new_addr, new_len);
69523@@ -480,6 +508,7 @@ unsigned long do_mremap(unsigned long ad
69524 addr + new_len);
69525 }
69526 ret = addr;
69527+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
69528 goto out;
69529 }
69530 }
69531@@ -506,7 +535,13 @@ unsigned long do_mremap(unsigned long ad
69532 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
69533 if (ret)
69534 goto out;
69535+
69536+ map_flags = vma->vm_flags;
69537 ret = move_vma(vma, addr, old_len, new_len, new_addr);
69538+ if (!(ret & ~PAGE_MASK)) {
69539+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
69540+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
69541+ }
69542 }
69543 out:
69544 if (ret & ~PAGE_MASK)
69545diff -urNp linux-3.0.7/mm/nobootmem.c linux-3.0.7/mm/nobootmem.c
69546--- linux-3.0.7/mm/nobootmem.c 2011-07-21 22:17:23.000000000 -0400
69547+++ linux-3.0.7/mm/nobootmem.c 2011-08-23 21:47:56.000000000 -0400
69548@@ -110,19 +110,30 @@ static void __init __free_pages_memory(u
69549 unsigned long __init free_all_memory_core_early(int nodeid)
69550 {
69551 int i;
69552- u64 start, end;
69553+ u64 start, end, startrange, endrange;
69554 unsigned long count = 0;
69555- struct range *range = NULL;
69556+ struct range *range = NULL, rangerange = { 0, 0 };
69557 int nr_range;
69558
69559 nr_range = get_free_all_memory_range(&range, nodeid);
69560+ startrange = __pa(range) >> PAGE_SHIFT;
69561+ endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
69562
69563 for (i = 0; i < nr_range; i++) {
69564 start = range[i].start;
69565 end = range[i].end;
69566+ if (start <= endrange && startrange < end) {
69567+ BUG_ON(rangerange.start | rangerange.end);
69568+ rangerange = range[i];
69569+ continue;
69570+ }
69571 count += end - start;
69572 __free_pages_memory(start, end);
69573 }
69574+ start = rangerange.start;
69575+ end = rangerange.end;
69576+ count += end - start;
69577+ __free_pages_memory(start, end);
69578
69579 return count;
69580 }
69581diff -urNp linux-3.0.7/mm/nommu.c linux-3.0.7/mm/nommu.c
69582--- linux-3.0.7/mm/nommu.c 2011-07-21 22:17:23.000000000 -0400
69583+++ linux-3.0.7/mm/nommu.c 2011-08-23 21:47:56.000000000 -0400
69584@@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
69585 int sysctl_overcommit_ratio = 50; /* default is 50% */
69586 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
69587 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
69588-int heap_stack_gap = 0;
69589
69590 atomic_long_t mmap_pages_allocated;
69591
69592@@ -826,15 +825,6 @@ struct vm_area_struct *find_vma(struct m
69593 EXPORT_SYMBOL(find_vma);
69594
69595 /*
69596- * find a VMA
69597- * - we don't extend stack VMAs under NOMMU conditions
69598- */
69599-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
69600-{
69601- return find_vma(mm, addr);
69602-}
69603-
69604-/*
69605 * expand a stack to a given address
69606 * - not supported under NOMMU conditions
69607 */
69608@@ -1554,6 +1544,7 @@ int split_vma(struct mm_struct *mm, stru
69609
69610 /* most fields are the same, copy all, and then fixup */
69611 *new = *vma;
69612+ INIT_LIST_HEAD(&new->anon_vma_chain);
69613 *region = *vma->vm_region;
69614 new->vm_region = region;
69615
69616diff -urNp linux-3.0.7/mm/page_alloc.c linux-3.0.7/mm/page_alloc.c
69617--- linux-3.0.7/mm/page_alloc.c 2011-10-16 21:54:54.000000000 -0400
69618+++ linux-3.0.7/mm/page_alloc.c 2011-10-16 21:55:28.000000000 -0400
69619@@ -340,7 +340,7 @@ out:
69620 * This usage means that zero-order pages may not be compound.
69621 */
69622
69623-static void free_compound_page(struct page *page)
69624+void free_compound_page(struct page *page)
69625 {
69626 __free_pages_ok(page, compound_order(page));
69627 }
69628@@ -653,6 +653,10 @@ static bool free_pages_prepare(struct pa
69629 int i;
69630 int bad = 0;
69631
69632+#ifdef CONFIG_PAX_MEMORY_SANITIZE
69633+ unsigned long index = 1UL << order;
69634+#endif
69635+
69636 trace_mm_page_free_direct(page, order);
69637 kmemcheck_free_shadow(page, order);
69638
69639@@ -668,6 +672,12 @@ static bool free_pages_prepare(struct pa
69640 debug_check_no_obj_freed(page_address(page),
69641 PAGE_SIZE << order);
69642 }
69643+
69644+#ifdef CONFIG_PAX_MEMORY_SANITIZE
69645+ for (; index; --index)
69646+ sanitize_highpage(page + index - 1);
69647+#endif
69648+
69649 arch_free_page(page, order);
69650 kernel_map_pages(page, 1 << order, 0);
69651
69652@@ -783,8 +793,10 @@ static int prep_new_page(struct page *pa
69653 arch_alloc_page(page, order);
69654 kernel_map_pages(page, 1 << order, 1);
69655
69656+#ifndef CONFIG_PAX_MEMORY_SANITIZE
69657 if (gfp_flags & __GFP_ZERO)
69658 prep_zero_page(page, order, gfp_flags);
69659+#endif
69660
69661 if (order && (gfp_flags & __GFP_COMP))
69662 prep_compound_page(page, order);
69663@@ -2557,6 +2569,8 @@ void show_free_areas(unsigned int filter
69664 int cpu;
69665 struct zone *zone;
69666
69667+ pax_track_stack();
69668+
69669 for_each_populated_zone(zone) {
69670 if (skip_free_areas_node(filter, zone_to_nid(zone)))
69671 continue;
69672diff -urNp linux-3.0.7/mm/percpu.c linux-3.0.7/mm/percpu.c
69673--- linux-3.0.7/mm/percpu.c 2011-07-21 22:17:23.000000000 -0400
69674+++ linux-3.0.7/mm/percpu.c 2011-08-23 21:47:56.000000000 -0400
69675@@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
69676 static unsigned int pcpu_last_unit_cpu __read_mostly;
69677
69678 /* the address of the first chunk which starts with the kernel static area */
69679-void *pcpu_base_addr __read_mostly;
69680+void *pcpu_base_addr __read_only;
69681 EXPORT_SYMBOL_GPL(pcpu_base_addr);
69682
69683 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
69684diff -urNp linux-3.0.7/mm/rmap.c linux-3.0.7/mm/rmap.c
69685--- linux-3.0.7/mm/rmap.c 2011-07-21 22:17:23.000000000 -0400
69686+++ linux-3.0.7/mm/rmap.c 2011-08-23 21:47:56.000000000 -0400
69687@@ -153,6 +153,10 @@ int anon_vma_prepare(struct vm_area_stru
69688 struct anon_vma *anon_vma = vma->anon_vma;
69689 struct anon_vma_chain *avc;
69690
69691+#ifdef CONFIG_PAX_SEGMEXEC
69692+ struct anon_vma_chain *avc_m = NULL;
69693+#endif
69694+
69695 might_sleep();
69696 if (unlikely(!anon_vma)) {
69697 struct mm_struct *mm = vma->vm_mm;
69698@@ -162,6 +166,12 @@ int anon_vma_prepare(struct vm_area_stru
69699 if (!avc)
69700 goto out_enomem;
69701
69702+#ifdef CONFIG_PAX_SEGMEXEC
69703+ avc_m = anon_vma_chain_alloc(GFP_KERNEL);
69704+ if (!avc_m)
69705+ goto out_enomem_free_avc;
69706+#endif
69707+
69708 anon_vma = find_mergeable_anon_vma(vma);
69709 allocated = NULL;
69710 if (!anon_vma) {
69711@@ -175,6 +185,21 @@ int anon_vma_prepare(struct vm_area_stru
69712 /* page_table_lock to protect against threads */
69713 spin_lock(&mm->page_table_lock);
69714 if (likely(!vma->anon_vma)) {
69715+
69716+#ifdef CONFIG_PAX_SEGMEXEC
69717+ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
69718+
69719+ if (vma_m) {
69720+ BUG_ON(vma_m->anon_vma);
69721+ vma_m->anon_vma = anon_vma;
69722+ avc_m->anon_vma = anon_vma;
69723+ avc_m->vma = vma;
69724+ list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
69725+ list_add(&avc_m->same_anon_vma, &anon_vma->head);
69726+ avc_m = NULL;
69727+ }
69728+#endif
69729+
69730 vma->anon_vma = anon_vma;
69731 avc->anon_vma = anon_vma;
69732 avc->vma = vma;
69733@@ -188,12 +213,24 @@ int anon_vma_prepare(struct vm_area_stru
69734
69735 if (unlikely(allocated))
69736 put_anon_vma(allocated);
69737+
69738+#ifdef CONFIG_PAX_SEGMEXEC
69739+ if (unlikely(avc_m))
69740+ anon_vma_chain_free(avc_m);
69741+#endif
69742+
69743 if (unlikely(avc))
69744 anon_vma_chain_free(avc);
69745 }
69746 return 0;
69747
69748 out_enomem_free_avc:
69749+
69750+#ifdef CONFIG_PAX_SEGMEXEC
69751+ if (avc_m)
69752+ anon_vma_chain_free(avc_m);
69753+#endif
69754+
69755 anon_vma_chain_free(avc);
69756 out_enomem:
69757 return -ENOMEM;
69758@@ -244,7 +281,7 @@ static void anon_vma_chain_link(struct v
69759 * Attach the anon_vmas from src to dst.
69760 * Returns 0 on success, -ENOMEM on failure.
69761 */
69762-int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
69763+int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
69764 {
69765 struct anon_vma_chain *avc, *pavc;
69766 struct anon_vma *root = NULL;
69767@@ -277,7 +314,7 @@ int anon_vma_clone(struct vm_area_struct
69768 * the corresponding VMA in the parent process is attached to.
69769 * Returns 0 on success, non-zero on failure.
69770 */
69771-int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
69772+int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
69773 {
69774 struct anon_vma_chain *avc;
69775 struct anon_vma *anon_vma;
69776diff -urNp linux-3.0.7/mm/shmem.c linux-3.0.7/mm/shmem.c
69777--- linux-3.0.7/mm/shmem.c 2011-07-21 22:17:23.000000000 -0400
69778+++ linux-3.0.7/mm/shmem.c 2011-08-23 21:48:14.000000000 -0400
69779@@ -31,7 +31,7 @@
69780 #include <linux/percpu_counter.h>
69781 #include <linux/swap.h>
69782
69783-static struct vfsmount *shm_mnt;
69784+struct vfsmount *shm_mnt;
69785
69786 #ifdef CONFIG_SHMEM
69787 /*
69788@@ -1101,6 +1101,8 @@ static int shmem_writepage(struct page *
69789 goto unlock;
69790 }
69791 entry = shmem_swp_entry(info, index, NULL);
69792+ if (!entry)
69793+ goto unlock;
69794 if (entry->val) {
69795 /*
69796 * The more uptodate page coming down from a stacked
69797@@ -1172,6 +1174,8 @@ static struct page *shmem_swapin(swp_ent
69798 struct vm_area_struct pvma;
69799 struct page *page;
69800
69801+ pax_track_stack();
69802+
69803 spol = mpol_cond_copy(&mpol,
69804 mpol_shared_policy_lookup(&info->policy, idx));
69805
69806@@ -2568,8 +2572,7 @@ int shmem_fill_super(struct super_block
69807 int err = -ENOMEM;
69808
69809 /* Round up to L1_CACHE_BYTES to resist false sharing */
69810- sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
69811- L1_CACHE_BYTES), GFP_KERNEL);
69812+ sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
69813 if (!sbinfo)
69814 return -ENOMEM;
69815
69816diff -urNp linux-3.0.7/mm/slab.c linux-3.0.7/mm/slab.c
69817--- linux-3.0.7/mm/slab.c 2011-07-21 22:17:23.000000000 -0400
69818+++ linux-3.0.7/mm/slab.c 2011-08-23 21:48:14.000000000 -0400
69819@@ -151,7 +151,7 @@
69820
69821 /* Legal flag mask for kmem_cache_create(). */
69822 #if DEBUG
69823-# define CREATE_MASK (SLAB_RED_ZONE | \
69824+# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
69825 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
69826 SLAB_CACHE_DMA | \
69827 SLAB_STORE_USER | \
69828@@ -159,7 +159,7 @@
69829 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
69830 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
69831 #else
69832-# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
69833+# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
69834 SLAB_CACHE_DMA | \
69835 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
69836 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
69837@@ -288,7 +288,7 @@ struct kmem_list3 {
69838 * Need this for bootstrapping a per node allocator.
69839 */
69840 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
69841-static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
69842+static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
69843 #define CACHE_CACHE 0
69844 #define SIZE_AC MAX_NUMNODES
69845 #define SIZE_L3 (2 * MAX_NUMNODES)
69846@@ -389,10 +389,10 @@ static void kmem_list3_init(struct kmem_
69847 if ((x)->max_freeable < i) \
69848 (x)->max_freeable = i; \
69849 } while (0)
69850-#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
69851-#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
69852-#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
69853-#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
69854+#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
69855+#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
69856+#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
69857+#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
69858 #else
69859 #define STATS_INC_ACTIVE(x) do { } while (0)
69860 #define STATS_DEC_ACTIVE(x) do { } while (0)
69861@@ -538,7 +538,7 @@ static inline void *index_to_obj(struct
69862 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
69863 */
69864 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
69865- const struct slab *slab, void *obj)
69866+ const struct slab *slab, const void *obj)
69867 {
69868 u32 offset = (obj - slab->s_mem);
69869 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
69870@@ -564,7 +564,7 @@ struct cache_names {
69871 static struct cache_names __initdata cache_names[] = {
69872 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
69873 #include <linux/kmalloc_sizes.h>
69874- {NULL,}
69875+ {NULL}
69876 #undef CACHE
69877 };
69878
69879@@ -1530,7 +1530,7 @@ void __init kmem_cache_init(void)
69880 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
69881 sizes[INDEX_AC].cs_size,
69882 ARCH_KMALLOC_MINALIGN,
69883- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
69884+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
69885 NULL);
69886
69887 if (INDEX_AC != INDEX_L3) {
69888@@ -1538,7 +1538,7 @@ void __init kmem_cache_init(void)
69889 kmem_cache_create(names[INDEX_L3].name,
69890 sizes[INDEX_L3].cs_size,
69891 ARCH_KMALLOC_MINALIGN,
69892- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
69893+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
69894 NULL);
69895 }
69896
69897@@ -1556,7 +1556,7 @@ void __init kmem_cache_init(void)
69898 sizes->cs_cachep = kmem_cache_create(names->name,
69899 sizes->cs_size,
69900 ARCH_KMALLOC_MINALIGN,
69901- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
69902+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
69903 NULL);
69904 }
69905 #ifdef CONFIG_ZONE_DMA
69906@@ -4272,10 +4272,10 @@ static int s_show(struct seq_file *m, vo
69907 }
69908 /* cpu stats */
69909 {
69910- unsigned long allochit = atomic_read(&cachep->allochit);
69911- unsigned long allocmiss = atomic_read(&cachep->allocmiss);
69912- unsigned long freehit = atomic_read(&cachep->freehit);
69913- unsigned long freemiss = atomic_read(&cachep->freemiss);
69914+ unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
69915+ unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
69916+ unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
69917+ unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
69918
69919 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
69920 allochit, allocmiss, freehit, freemiss);
69921@@ -4532,15 +4532,66 @@ static const struct file_operations proc
69922
69923 static int __init slab_proc_init(void)
69924 {
69925- proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
69926+ mode_t gr_mode = S_IRUGO;
69927+
69928+#ifdef CONFIG_GRKERNSEC_PROC_ADD
69929+ gr_mode = S_IRUSR;
69930+#endif
69931+
69932+ proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
69933 #ifdef CONFIG_DEBUG_SLAB_LEAK
69934- proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
69935+ proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
69936 #endif
69937 return 0;
69938 }
69939 module_init(slab_proc_init);
69940 #endif
69941
69942+void check_object_size(const void *ptr, unsigned long n, bool to)
69943+{
69944+
69945+#ifdef CONFIG_PAX_USERCOPY
69946+ struct page *page;
69947+ struct kmem_cache *cachep = NULL;
69948+ struct slab *slabp;
69949+ unsigned int objnr;
69950+ unsigned long offset;
69951+
69952+ if (!n)
69953+ return;
69954+
69955+ if (ZERO_OR_NULL_PTR(ptr))
69956+ goto report;
69957+
69958+ if (!virt_addr_valid(ptr))
69959+ return;
69960+
69961+ page = virt_to_head_page(ptr);
69962+
69963+ if (!PageSlab(page)) {
69964+ if (object_is_on_stack(ptr, n) == -1)
69965+ goto report;
69966+ return;
69967+ }
69968+
69969+ cachep = page_get_cache(page);
69970+ if (!(cachep->flags & SLAB_USERCOPY))
69971+ goto report;
69972+
69973+ slabp = page_get_slab(page);
69974+ objnr = obj_to_index(cachep, slabp, ptr);
69975+ BUG_ON(objnr >= cachep->num);
69976+ offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
69977+ if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
69978+ return;
69979+
69980+report:
69981+ pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
69982+#endif
69983+
69984+}
69985+EXPORT_SYMBOL(check_object_size);
69986+
69987 /**
69988 * ksize - get the actual amount of memory allocated for a given object
69989 * @objp: Pointer to the object
69990diff -urNp linux-3.0.7/mm/slob.c linux-3.0.7/mm/slob.c
69991--- linux-3.0.7/mm/slob.c 2011-07-21 22:17:23.000000000 -0400
69992+++ linux-3.0.7/mm/slob.c 2011-08-23 21:47:56.000000000 -0400
69993@@ -29,7 +29,7 @@
69994 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
69995 * alloc_pages() directly, allocating compound pages so the page order
69996 * does not have to be separately tracked, and also stores the exact
69997- * allocation size in page->private so that it can be used to accurately
69998+ * allocation size in slob_page->size so that it can be used to accurately
69999 * provide ksize(). These objects are detected in kfree() because slob_page()
70000 * is false for them.
70001 *
70002@@ -58,6 +58,7 @@
70003 */
70004
70005 #include <linux/kernel.h>
70006+#include <linux/sched.h>
70007 #include <linux/slab.h>
70008 #include <linux/mm.h>
70009 #include <linux/swap.h> /* struct reclaim_state */
70010@@ -102,7 +103,8 @@ struct slob_page {
70011 unsigned long flags; /* mandatory */
70012 atomic_t _count; /* mandatory */
70013 slobidx_t units; /* free units left in page */
70014- unsigned long pad[2];
70015+ unsigned long pad[1];
70016+ unsigned long size; /* size when >=PAGE_SIZE */
70017 slob_t *free; /* first free slob_t in page */
70018 struct list_head list; /* linked list of free pages */
70019 };
70020@@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
70021 */
70022 static inline int is_slob_page(struct slob_page *sp)
70023 {
70024- return PageSlab((struct page *)sp);
70025+ return PageSlab((struct page *)sp) && !sp->size;
70026 }
70027
70028 static inline void set_slob_page(struct slob_page *sp)
70029@@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
70030
70031 static inline struct slob_page *slob_page(const void *addr)
70032 {
70033- return (struct slob_page *)virt_to_page(addr);
70034+ return (struct slob_page *)virt_to_head_page(addr);
70035 }
70036
70037 /*
70038@@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
70039 /*
70040 * Return the size of a slob block.
70041 */
70042-static slobidx_t slob_units(slob_t *s)
70043+static slobidx_t slob_units(const slob_t *s)
70044 {
70045 if (s->units > 0)
70046 return s->units;
70047@@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
70048 /*
70049 * Return the next free slob block pointer after this one.
70050 */
70051-static slob_t *slob_next(slob_t *s)
70052+static slob_t *slob_next(const slob_t *s)
70053 {
70054 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
70055 slobidx_t next;
70056@@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
70057 /*
70058 * Returns true if s is the last free block in its page.
70059 */
70060-static int slob_last(slob_t *s)
70061+static int slob_last(const slob_t *s)
70062 {
70063 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
70064 }
70065@@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
70066 if (!page)
70067 return NULL;
70068
70069+ set_slob_page(page);
70070 return page_address(page);
70071 }
70072
70073@@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
70074 if (!b)
70075 return NULL;
70076 sp = slob_page(b);
70077- set_slob_page(sp);
70078
70079 spin_lock_irqsave(&slob_lock, flags);
70080 sp->units = SLOB_UNITS(PAGE_SIZE);
70081 sp->free = b;
70082+ sp->size = 0;
70083 INIT_LIST_HEAD(&sp->list);
70084 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
70085 set_slob_page_free(sp, slob_list);
70086@@ -476,10 +479,9 @@ out:
70087 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
70088 */
70089
70090-void *__kmalloc_node(size_t size, gfp_t gfp, int node)
70091+static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
70092 {
70093- unsigned int *m;
70094- int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70095+ slob_t *m;
70096 void *ret;
70097
70098 lockdep_trace_alloc(gfp);
70099@@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
70100
70101 if (!m)
70102 return NULL;
70103- *m = size;
70104+ BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
70105+ BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
70106+ m[0].units = size;
70107+ m[1].units = align;
70108 ret = (void *)m + align;
70109
70110 trace_kmalloc_node(_RET_IP_, ret,
70111@@ -504,16 +509,25 @@ void *__kmalloc_node(size_t size, gfp_t
70112 gfp |= __GFP_COMP;
70113 ret = slob_new_pages(gfp, order, node);
70114 if (ret) {
70115- struct page *page;
70116- page = virt_to_page(ret);
70117- page->private = size;
70118+ struct slob_page *sp;
70119+ sp = slob_page(ret);
70120+ sp->size = size;
70121 }
70122
70123 trace_kmalloc_node(_RET_IP_, ret,
70124 size, PAGE_SIZE << order, gfp, node);
70125 }
70126
70127- kmemleak_alloc(ret, size, 1, gfp);
70128+ return ret;
70129+}
70130+
70131+void *__kmalloc_node(size_t size, gfp_t gfp, int node)
70132+{
70133+ int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70134+ void *ret = __kmalloc_node_align(size, gfp, node, align);
70135+
70136+ if (!ZERO_OR_NULL_PTR(ret))
70137+ kmemleak_alloc(ret, size, 1, gfp);
70138 return ret;
70139 }
70140 EXPORT_SYMBOL(__kmalloc_node);
70141@@ -531,13 +545,88 @@ void kfree(const void *block)
70142 sp = slob_page(block);
70143 if (is_slob_page(sp)) {
70144 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70145- unsigned int *m = (unsigned int *)(block - align);
70146- slob_free(m, *m + align);
70147- } else
70148+ slob_t *m = (slob_t *)(block - align);
70149+ slob_free(m, m[0].units + align);
70150+ } else {
70151+ clear_slob_page(sp);
70152+ free_slob_page(sp);
70153+ sp->size = 0;
70154 put_page(&sp->page);
70155+ }
70156 }
70157 EXPORT_SYMBOL(kfree);
70158
70159+void check_object_size(const void *ptr, unsigned long n, bool to)
70160+{
70161+
70162+#ifdef CONFIG_PAX_USERCOPY
70163+ struct slob_page *sp;
70164+ const slob_t *free;
70165+ const void *base;
70166+ unsigned long flags;
70167+
70168+ if (!n)
70169+ return;
70170+
70171+ if (ZERO_OR_NULL_PTR(ptr))
70172+ goto report;
70173+
70174+ if (!virt_addr_valid(ptr))
70175+ return;
70176+
70177+ sp = slob_page(ptr);
70178+ if (!PageSlab((struct page*)sp)) {
70179+ if (object_is_on_stack(ptr, n) == -1)
70180+ goto report;
70181+ return;
70182+ }
70183+
70184+ if (sp->size) {
70185+ base = page_address(&sp->page);
70186+ if (base <= ptr && n <= sp->size - (ptr - base))
70187+ return;
70188+ goto report;
70189+ }
70190+
70191+ /* some tricky double walking to find the chunk */
70192+ spin_lock_irqsave(&slob_lock, flags);
70193+ base = (void *)((unsigned long)ptr & PAGE_MASK);
70194+ free = sp->free;
70195+
70196+ while (!slob_last(free) && (void *)free <= ptr) {
70197+ base = free + slob_units(free);
70198+ free = slob_next(free);
70199+ }
70200+
70201+ while (base < (void *)free) {
70202+ slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
70203+ int size = SLOB_UNIT * SLOB_UNITS(m + align);
70204+ int offset;
70205+
70206+ if (ptr < base + align)
70207+ break;
70208+
70209+ offset = ptr - base - align;
70210+ if (offset >= m) {
70211+ base += size;
70212+ continue;
70213+ }
70214+
70215+ if (n > m - offset)
70216+ break;
70217+
70218+ spin_unlock_irqrestore(&slob_lock, flags);
70219+ return;
70220+ }
70221+
70222+ spin_unlock_irqrestore(&slob_lock, flags);
70223+report:
70224+ pax_report_usercopy(ptr, n, to, NULL);
70225+#endif
70226+
70227+}
70228+EXPORT_SYMBOL(check_object_size);
70229+
70230 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
70231 size_t ksize(const void *block)
70232 {
70233@@ -550,10 +639,10 @@ size_t ksize(const void *block)
70234 sp = slob_page(block);
70235 if (is_slob_page(sp)) {
70236 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70237- unsigned int *m = (unsigned int *)(block - align);
70238- return SLOB_UNITS(*m) * SLOB_UNIT;
70239+ slob_t *m = (slob_t *)(block - align);
70240+ return SLOB_UNITS(m[0].units) * SLOB_UNIT;
70241 } else
70242- return sp->page.private;
70243+ return sp->size;
70244 }
70245 EXPORT_SYMBOL(ksize);
70246
70247@@ -569,8 +658,13 @@ struct kmem_cache *kmem_cache_create(con
70248 {
70249 struct kmem_cache *c;
70250
70251+#ifdef CONFIG_PAX_USERCOPY
70252+ c = __kmalloc_node_align(sizeof(struct kmem_cache),
70253+ GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
70254+#else
70255 c = slob_alloc(sizeof(struct kmem_cache),
70256 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
70257+#endif
70258
70259 if (c) {
70260 c->name = name;
70261@@ -608,17 +702,25 @@ void *kmem_cache_alloc_node(struct kmem_
70262 {
70263 void *b;
70264
70265+#ifdef CONFIG_PAX_USERCOPY
70266+ b = __kmalloc_node_align(c->size, flags, node, c->align);
70267+#else
70268 if (c->size < PAGE_SIZE) {
70269 b = slob_alloc(c->size, flags, c->align, node);
70270 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
70271 SLOB_UNITS(c->size) * SLOB_UNIT,
70272 flags, node);
70273 } else {
70274+ struct slob_page *sp;
70275+
70276 b = slob_new_pages(flags, get_order(c->size), node);
70277+ sp = slob_page(b);
70278+ sp->size = c->size;
70279 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
70280 PAGE_SIZE << get_order(c->size),
70281 flags, node);
70282 }
70283+#endif
70284
70285 if (c->ctor)
70286 c->ctor(b);
70287@@ -630,10 +732,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
70288
70289 static void __kmem_cache_free(void *b, int size)
70290 {
70291- if (size < PAGE_SIZE)
70292+ struct slob_page *sp = slob_page(b);
70293+
70294+ if (is_slob_page(sp))
70295 slob_free(b, size);
70296- else
70297+ else {
70298+ clear_slob_page(sp);
70299+ free_slob_page(sp);
70300+ sp->size = 0;
70301 slob_free_pages(b, get_order(size));
70302+ }
70303 }
70304
70305 static void kmem_rcu_free(struct rcu_head *head)
70306@@ -646,17 +754,31 @@ static void kmem_rcu_free(struct rcu_hea
70307
70308 void kmem_cache_free(struct kmem_cache *c, void *b)
70309 {
70310+ int size = c->size;
70311+
70312+#ifdef CONFIG_PAX_USERCOPY
70313+ if (size + c->align < PAGE_SIZE) {
70314+ size += c->align;
70315+ b -= c->align;
70316+ }
70317+#endif
70318+
70319 kmemleak_free_recursive(b, c->flags);
70320 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
70321 struct slob_rcu *slob_rcu;
70322- slob_rcu = b + (c->size - sizeof(struct slob_rcu));
70323- slob_rcu->size = c->size;
70324+ slob_rcu = b + (size - sizeof(struct slob_rcu));
70325+ slob_rcu->size = size;
70326 call_rcu(&slob_rcu->head, kmem_rcu_free);
70327 } else {
70328- __kmem_cache_free(b, c->size);
70329+ __kmem_cache_free(b, size);
70330 }
70331
70332+#ifdef CONFIG_PAX_USERCOPY
70333+ trace_kfree(_RET_IP_, b);
70334+#else
70335 trace_kmem_cache_free(_RET_IP_, b);
70336+#endif
70337+
70338 }
70339 EXPORT_SYMBOL(kmem_cache_free);
70340
70341diff -urNp linux-3.0.7/mm/slub.c linux-3.0.7/mm/slub.c
70342--- linux-3.0.7/mm/slub.c 2011-07-21 22:17:23.000000000 -0400
70343+++ linux-3.0.7/mm/slub.c 2011-09-25 22:15:40.000000000 -0400
70344@@ -200,7 +200,7 @@ struct track {
70345
70346 enum track_item { TRACK_ALLOC, TRACK_FREE };
70347
70348-#ifdef CONFIG_SYSFS
70349+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70350 static int sysfs_slab_add(struct kmem_cache *);
70351 static int sysfs_slab_alias(struct kmem_cache *, const char *);
70352 static void sysfs_slab_remove(struct kmem_cache *);
70353@@ -442,7 +442,7 @@ static void print_track(const char *s, s
70354 if (!t->addr)
70355 return;
70356
70357- printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
70358+ printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
70359 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
70360 }
70361
70362@@ -2137,6 +2137,8 @@ void kmem_cache_free(struct kmem_cache *
70363
70364 page = virt_to_head_page(x);
70365
70366+ BUG_ON(!PageSlab(page));
70367+
70368 slab_free(s, page, x, _RET_IP_);
70369
70370 trace_kmem_cache_free(_RET_IP_, x);
70371@@ -2170,7 +2172,7 @@ static int slub_min_objects;
70372 * Merge control. If this is set then no merging of slab caches will occur.
70373 * (Could be removed. This was introduced to pacify the merge skeptics.)
70374 */
70375-static int slub_nomerge;
70376+static int slub_nomerge = 1;
70377
70378 /*
70379 * Calculate the order of allocation given an slab object size.
70380@@ -2594,7 +2596,7 @@ static int kmem_cache_open(struct kmem_c
70381 * list to avoid pounding the page allocator excessively.
70382 */
70383 set_min_partial(s, ilog2(s->size));
70384- s->refcount = 1;
70385+ atomic_set(&s->refcount, 1);
70386 #ifdef CONFIG_NUMA
70387 s->remote_node_defrag_ratio = 1000;
70388 #endif
70389@@ -2699,8 +2701,7 @@ static inline int kmem_cache_close(struc
70390 void kmem_cache_destroy(struct kmem_cache *s)
70391 {
70392 down_write(&slub_lock);
70393- s->refcount--;
70394- if (!s->refcount) {
70395+ if (atomic_dec_and_test(&s->refcount)) {
70396 list_del(&s->list);
70397 if (kmem_cache_close(s)) {
70398 printk(KERN_ERR "SLUB %s: %s called for cache that "
70399@@ -2910,6 +2911,46 @@ void *__kmalloc_node(size_t size, gfp_t
70400 EXPORT_SYMBOL(__kmalloc_node);
70401 #endif
70402
70403+void check_object_size(const void *ptr, unsigned long n, bool to)
70404+{
70405+
70406+#ifdef CONFIG_PAX_USERCOPY
70407+ struct page *page;
70408+ struct kmem_cache *s = NULL;
70409+ unsigned long offset;
70410+
70411+ if (!n)
70412+ return;
70413+
70414+ if (ZERO_OR_NULL_PTR(ptr))
70415+ goto report;
70416+
70417+ if (!virt_addr_valid(ptr))
70418+ return;
70419+
70420+ page = virt_to_head_page(ptr);
70421+
70422+ if (!PageSlab(page)) {
70423+ if (object_is_on_stack(ptr, n) == -1)
70424+ goto report;
70425+ return;
70426+ }
70427+
70428+ s = page->slab;
70429+ if (!(s->flags & SLAB_USERCOPY))
70430+ goto report;
70431+
70432+ offset = (ptr - page_address(page)) % s->size;
70433+ if (offset <= s->objsize && n <= s->objsize - offset)
70434+ return;
70435+
70436+report:
70437+ pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
70438+#endif
70439+
70440+}
70441+EXPORT_SYMBOL(check_object_size);
70442+
70443 size_t ksize(const void *object)
70444 {
70445 struct page *page;
70446@@ -3154,7 +3195,7 @@ static void __init kmem_cache_bootstrap_
70447 int node;
70448
70449 list_add(&s->list, &slab_caches);
70450- s->refcount = -1;
70451+ atomic_set(&s->refcount, -1);
70452
70453 for_each_node_state(node, N_NORMAL_MEMORY) {
70454 struct kmem_cache_node *n = get_node(s, node);
70455@@ -3271,17 +3312,17 @@ void __init kmem_cache_init(void)
70456
70457 /* Caches that are not of the two-to-the-power-of size */
70458 if (KMALLOC_MIN_SIZE <= 32) {
70459- kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
70460+ kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
70461 caches++;
70462 }
70463
70464 if (KMALLOC_MIN_SIZE <= 64) {
70465- kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
70466+ kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
70467 caches++;
70468 }
70469
70470 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
70471- kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
70472+ kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
70473 caches++;
70474 }
70475
70476@@ -3349,7 +3390,7 @@ static int slab_unmergeable(struct kmem_
70477 /*
70478 * We may have set a slab to be unmergeable during bootstrap.
70479 */
70480- if (s->refcount < 0)
70481+ if (atomic_read(&s->refcount) < 0)
70482 return 1;
70483
70484 return 0;
70485@@ -3408,7 +3449,7 @@ struct kmem_cache *kmem_cache_create(con
70486 down_write(&slub_lock);
70487 s = find_mergeable(size, align, flags, name, ctor);
70488 if (s) {
70489- s->refcount++;
70490+ atomic_inc(&s->refcount);
70491 /*
70492 * Adjust the object sizes so that we clear
70493 * the complete object on kzalloc.
70494@@ -3417,7 +3458,7 @@ struct kmem_cache *kmem_cache_create(con
70495 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
70496
70497 if (sysfs_slab_alias(s, name)) {
70498- s->refcount--;
70499+ atomic_dec(&s->refcount);
70500 goto err;
70501 }
70502 up_write(&slub_lock);
70503@@ -3545,7 +3586,7 @@ void *__kmalloc_node_track_caller(size_t
70504 }
70505 #endif
70506
70507-#ifdef CONFIG_SYSFS
70508+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70509 static int count_inuse(struct page *page)
70510 {
70511 return page->inuse;
70512@@ -3935,12 +3976,12 @@ static void resiliency_test(void)
70513 validate_slab_cache(kmalloc_caches[9]);
70514 }
70515 #else
70516-#ifdef CONFIG_SYSFS
70517+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70518 static void resiliency_test(void) {};
70519 #endif
70520 #endif
70521
70522-#ifdef CONFIG_SYSFS
70523+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70524 enum slab_stat_type {
70525 SL_ALL, /* All slabs */
70526 SL_PARTIAL, /* Only partially allocated slabs */
70527@@ -4150,7 +4191,7 @@ SLAB_ATTR_RO(ctor);
70528
70529 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
70530 {
70531- return sprintf(buf, "%d\n", s->refcount - 1);
70532+ return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
70533 }
70534 SLAB_ATTR_RO(aliases);
70535
70536@@ -4662,6 +4703,7 @@ static char *create_unique_id(struct kme
70537 return name;
70538 }
70539
70540+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70541 static int sysfs_slab_add(struct kmem_cache *s)
70542 {
70543 int err;
70544@@ -4724,6 +4766,7 @@ static void sysfs_slab_remove(struct kme
70545 kobject_del(&s->kobj);
70546 kobject_put(&s->kobj);
70547 }
70548+#endif
70549
70550 /*
70551 * Need to buffer aliases during bootup until sysfs becomes
70552@@ -4737,6 +4780,7 @@ struct saved_alias {
70553
70554 static struct saved_alias *alias_list;
70555
70556+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70557 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
70558 {
70559 struct saved_alias *al;
70560@@ -4759,6 +4803,7 @@ static int sysfs_slab_alias(struct kmem_
70561 alias_list = al;
70562 return 0;
70563 }
70564+#endif
70565
70566 static int __init slab_sysfs_init(void)
70567 {
70568@@ -4894,7 +4939,13 @@ static const struct file_operations proc
70569
70570 static int __init slab_proc_init(void)
70571 {
70572- proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
70573+ mode_t gr_mode = S_IRUGO;
70574+
70575+#ifdef CONFIG_GRKERNSEC_PROC_ADD
70576+ gr_mode = S_IRUSR;
70577+#endif
70578+
70579+ proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
70580 return 0;
70581 }
70582 module_init(slab_proc_init);
70583diff -urNp linux-3.0.7/mm/swap.c linux-3.0.7/mm/swap.c
70584--- linux-3.0.7/mm/swap.c 2011-07-21 22:17:23.000000000 -0400
70585+++ linux-3.0.7/mm/swap.c 2011-08-23 21:47:56.000000000 -0400
70586@@ -31,6 +31,7 @@
70587 #include <linux/backing-dev.h>
70588 #include <linux/memcontrol.h>
70589 #include <linux/gfp.h>
70590+#include <linux/hugetlb.h>
70591
70592 #include "internal.h"
70593
70594@@ -71,6 +72,8 @@ static void __put_compound_page(struct p
70595
70596 __page_cache_release(page);
70597 dtor = get_compound_page_dtor(page);
70598+ if (!PageHuge(page))
70599+ BUG_ON(dtor != free_compound_page);
70600 (*dtor)(page);
70601 }
70602
70603diff -urNp linux-3.0.7/mm/swapfile.c linux-3.0.7/mm/swapfile.c
70604--- linux-3.0.7/mm/swapfile.c 2011-07-21 22:17:23.000000000 -0400
70605+++ linux-3.0.7/mm/swapfile.c 2011-08-23 21:47:56.000000000 -0400
70606@@ -62,7 +62,7 @@ static DEFINE_MUTEX(swapon_mutex);
70607
70608 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
70609 /* Activity counter to indicate that a swapon or swapoff has occurred */
70610-static atomic_t proc_poll_event = ATOMIC_INIT(0);
70611+static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
70612
70613 static inline unsigned char swap_count(unsigned char ent)
70614 {
70615@@ -1671,7 +1671,7 @@ SYSCALL_DEFINE1(swapoff, const char __us
70616 }
70617 filp_close(swap_file, NULL);
70618 err = 0;
70619- atomic_inc(&proc_poll_event);
70620+ atomic_inc_unchecked(&proc_poll_event);
70621 wake_up_interruptible(&proc_poll_wait);
70622
70623 out_dput:
70624@@ -1692,8 +1692,8 @@ static unsigned swaps_poll(struct file *
70625
70626 poll_wait(file, &proc_poll_wait, wait);
70627
70628- if (s->event != atomic_read(&proc_poll_event)) {
70629- s->event = atomic_read(&proc_poll_event);
70630+ if (s->event != atomic_read_unchecked(&proc_poll_event)) {
70631+ s->event = atomic_read_unchecked(&proc_poll_event);
70632 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
70633 }
70634
70635@@ -1799,7 +1799,7 @@ static int swaps_open(struct inode *inod
70636 }
70637
70638 s->seq.private = s;
70639- s->event = atomic_read(&proc_poll_event);
70640+ s->event = atomic_read_unchecked(&proc_poll_event);
70641 return ret;
70642 }
70643
70644@@ -2133,7 +2133,7 @@ SYSCALL_DEFINE2(swapon, const char __use
70645 (p->flags & SWP_DISCARDABLE) ? "D" : "");
70646
70647 mutex_unlock(&swapon_mutex);
70648- atomic_inc(&proc_poll_event);
70649+ atomic_inc_unchecked(&proc_poll_event);
70650 wake_up_interruptible(&proc_poll_wait);
70651
70652 if (S_ISREG(inode->i_mode))
70653diff -urNp linux-3.0.7/mm/util.c linux-3.0.7/mm/util.c
70654--- linux-3.0.7/mm/util.c 2011-07-21 22:17:23.000000000 -0400
70655+++ linux-3.0.7/mm/util.c 2011-08-23 21:47:56.000000000 -0400
70656@@ -114,6 +114,7 @@ EXPORT_SYMBOL(memdup_user);
70657 * allocated buffer. Use this if you don't want to free the buffer immediately
70658 * like, for example, with RCU.
70659 */
70660+#undef __krealloc
70661 void *__krealloc(const void *p, size_t new_size, gfp_t flags)
70662 {
70663 void *ret;
70664@@ -147,6 +148,7 @@ EXPORT_SYMBOL(__krealloc);
70665 * behaves exactly like kmalloc(). If @size is 0 and @p is not a
70666 * %NULL pointer, the object pointed to is freed.
70667 */
70668+#undef krealloc
70669 void *krealloc(const void *p, size_t new_size, gfp_t flags)
70670 {
70671 void *ret;
70672@@ -243,6 +245,12 @@ void __vma_link_list(struct mm_struct *m
70673 void arch_pick_mmap_layout(struct mm_struct *mm)
70674 {
70675 mm->mmap_base = TASK_UNMAPPED_BASE;
70676+
70677+#ifdef CONFIG_PAX_RANDMMAP
70678+ if (mm->pax_flags & MF_PAX_RANDMMAP)
70679+ mm->mmap_base += mm->delta_mmap;
70680+#endif
70681+
70682 mm->get_unmapped_area = arch_get_unmapped_area;
70683 mm->unmap_area = arch_unmap_area;
70684 }
70685diff -urNp linux-3.0.7/mm/vmalloc.c linux-3.0.7/mm/vmalloc.c
70686--- linux-3.0.7/mm/vmalloc.c 2011-10-16 21:54:54.000000000 -0400
70687+++ linux-3.0.7/mm/vmalloc.c 2011-10-16 21:55:28.000000000 -0400
70688@@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
70689
70690 pte = pte_offset_kernel(pmd, addr);
70691 do {
70692- pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
70693- WARN_ON(!pte_none(ptent) && !pte_present(ptent));
70694+
70695+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
70696+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
70697+ BUG_ON(!pte_exec(*pte));
70698+ set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
70699+ continue;
70700+ }
70701+#endif
70702+
70703+ {
70704+ pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
70705+ WARN_ON(!pte_none(ptent) && !pte_present(ptent));
70706+ }
70707 } while (pte++, addr += PAGE_SIZE, addr != end);
70708 }
70709
70710@@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
70711 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
70712 {
70713 pte_t *pte;
70714+ int ret = -ENOMEM;
70715
70716 /*
70717 * nr is a running index into the array which helps higher level
70718@@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
70719 pte = pte_alloc_kernel(pmd, addr);
70720 if (!pte)
70721 return -ENOMEM;
70722+
70723+ pax_open_kernel();
70724 do {
70725 struct page *page = pages[*nr];
70726
70727- if (WARN_ON(!pte_none(*pte)))
70728- return -EBUSY;
70729- if (WARN_ON(!page))
70730- return -ENOMEM;
70731+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
70732+ if (pgprot_val(prot) & _PAGE_NX)
70733+#endif
70734+
70735+ if (WARN_ON(!pte_none(*pte))) {
70736+ ret = -EBUSY;
70737+ goto out;
70738+ }
70739+ if (WARN_ON(!page)) {
70740+ ret = -ENOMEM;
70741+ goto out;
70742+ }
70743 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
70744 (*nr)++;
70745 } while (pte++, addr += PAGE_SIZE, addr != end);
70746- return 0;
70747+ ret = 0;
70748+out:
70749+ pax_close_kernel();
70750+ return ret;
70751 }
70752
70753 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
70754@@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
70755 * and fall back on vmalloc() if that fails. Others
70756 * just put it in the vmalloc space.
70757 */
70758-#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
70759+#ifdef CONFIG_MODULES
70760+#ifdef MODULES_VADDR
70761 unsigned long addr = (unsigned long)x;
70762 if (addr >= MODULES_VADDR && addr < MODULES_END)
70763 return 1;
70764 #endif
70765+
70766+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
70767+ if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
70768+ return 1;
70769+#endif
70770+
70771+#endif
70772+
70773 return is_vmalloc_addr(x);
70774 }
70775
70776@@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
70777
70778 if (!pgd_none(*pgd)) {
70779 pud_t *pud = pud_offset(pgd, addr);
70780+#ifdef CONFIG_X86
70781+ if (!pud_large(*pud))
70782+#endif
70783 if (!pud_none(*pud)) {
70784 pmd_t *pmd = pmd_offset(pud, addr);
70785+#ifdef CONFIG_X86
70786+ if (!pmd_large(*pmd))
70787+#endif
70788 if (!pmd_none(*pmd)) {
70789 pte_t *ptep, pte;
70790
70791@@ -1297,6 +1337,16 @@ static struct vm_struct *__get_vm_area_n
70792 struct vm_struct *area;
70793
70794 BUG_ON(in_interrupt());
70795+
70796+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
70797+ if (flags & VM_KERNEXEC) {
70798+ if (start != VMALLOC_START || end != VMALLOC_END)
70799+ return NULL;
70800+ start = (unsigned long)MODULES_EXEC_VADDR;
70801+ end = (unsigned long)MODULES_EXEC_END;
70802+ }
70803+#endif
70804+
70805 if (flags & VM_IOREMAP) {
70806 int bit = fls(size);
70807
70808@@ -1515,6 +1565,11 @@ void *vmap(struct page **pages, unsigned
70809 if (count > totalram_pages)
70810 return NULL;
70811
70812+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
70813+ if (!(pgprot_val(prot) & _PAGE_NX))
70814+ flags |= VM_KERNEXEC;
70815+#endif
70816+
70817 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
70818 __builtin_return_address(0));
70819 if (!area)
70820@@ -1616,6 +1671,13 @@ void *__vmalloc_node_range(unsigned long
70821 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
70822 return NULL;
70823
70824+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
70825+ if (!(pgprot_val(prot) & _PAGE_NX))
70826+ area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
70827+ node, gfp_mask, caller);
70828+ else
70829+#endif
70830+
70831 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
70832 gfp_mask, caller);
70833
70834@@ -1655,6 +1717,7 @@ static void *__vmalloc_node(unsigned lon
70835 gfp_mask, prot, node, caller);
70836 }
70837
70838+#undef __vmalloc
70839 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
70840 {
70841 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
70842@@ -1678,6 +1741,7 @@ static inline void *__vmalloc_node_flags
70843 * For tight control over page level allocator and protection flags
70844 * use __vmalloc() instead.
70845 */
70846+#undef vmalloc
70847 void *vmalloc(unsigned long size)
70848 {
70849 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
70850@@ -1694,6 +1758,7 @@ EXPORT_SYMBOL(vmalloc);
70851 * For tight control over page level allocator and protection flags
70852 * use __vmalloc() instead.
70853 */
70854+#undef vzalloc
70855 void *vzalloc(unsigned long size)
70856 {
70857 return __vmalloc_node_flags(size, -1,
70858@@ -1708,6 +1773,7 @@ EXPORT_SYMBOL(vzalloc);
70859 * The resulting memory area is zeroed so it can be mapped to userspace
70860 * without leaking data.
70861 */
70862+#undef vmalloc_user
70863 void *vmalloc_user(unsigned long size)
70864 {
70865 struct vm_struct *area;
70866@@ -1735,6 +1801,7 @@ EXPORT_SYMBOL(vmalloc_user);
70867 * For tight control over page level allocator and protection flags
70868 * use __vmalloc() instead.
70869 */
70870+#undef vmalloc_node
70871 void *vmalloc_node(unsigned long size, int node)
70872 {
70873 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
70874@@ -1754,6 +1821,7 @@ EXPORT_SYMBOL(vmalloc_node);
70875 * For tight control over page level allocator and protection flags
70876 * use __vmalloc_node() instead.
70877 */
70878+#undef vzalloc_node
70879 void *vzalloc_node(unsigned long size, int node)
70880 {
70881 return __vmalloc_node_flags(size, node,
70882@@ -1776,10 +1844,10 @@ EXPORT_SYMBOL(vzalloc_node);
70883 * For tight control over page level allocator and protection flags
70884 * use __vmalloc() instead.
70885 */
70886-
70887+#undef vmalloc_exec
70888 void *vmalloc_exec(unsigned long size)
70889 {
70890- return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
70891+ return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
70892 -1, __builtin_return_address(0));
70893 }
70894
70895@@ -1798,6 +1866,7 @@ void *vmalloc_exec(unsigned long size)
70896 * Allocate enough 32bit PA addressable pages to cover @size from the
70897 * page level allocator and map them into contiguous kernel virtual space.
70898 */
70899+#undef vmalloc_32
70900 void *vmalloc_32(unsigned long size)
70901 {
70902 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
70903@@ -1812,6 +1881,7 @@ EXPORT_SYMBOL(vmalloc_32);
70904 * The resulting memory area is 32bit addressable and zeroed so it can be
70905 * mapped to userspace without leaking data.
70906 */
70907+#undef vmalloc_32_user
70908 void *vmalloc_32_user(unsigned long size)
70909 {
70910 struct vm_struct *area;
70911@@ -2074,6 +2144,8 @@ int remap_vmalloc_range(struct vm_area_s
70912 unsigned long uaddr = vma->vm_start;
70913 unsigned long usize = vma->vm_end - vma->vm_start;
70914
70915+ BUG_ON(vma->vm_mirror);
70916+
70917 if ((PAGE_SIZE-1) & (unsigned long)addr)
70918 return -EINVAL;
70919
70920diff -urNp linux-3.0.7/mm/vmstat.c linux-3.0.7/mm/vmstat.c
70921--- linux-3.0.7/mm/vmstat.c 2011-07-21 22:17:23.000000000 -0400
70922+++ linux-3.0.7/mm/vmstat.c 2011-08-23 21:48:14.000000000 -0400
70923@@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
70924 *
70925 * vm_stat contains the global counters
70926 */
70927-atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
70928+atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
70929 EXPORT_SYMBOL(vm_stat);
70930
70931 #ifdef CONFIG_SMP
70932@@ -454,7 +454,7 @@ void refresh_cpu_vm_stats(int cpu)
70933 v = p->vm_stat_diff[i];
70934 p->vm_stat_diff[i] = 0;
70935 local_irq_restore(flags);
70936- atomic_long_add(v, &zone->vm_stat[i]);
70937+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
70938 global_diff[i] += v;
70939 #ifdef CONFIG_NUMA
70940 /* 3 seconds idle till flush */
70941@@ -492,7 +492,7 @@ void refresh_cpu_vm_stats(int cpu)
70942
70943 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
70944 if (global_diff[i])
70945- atomic_long_add(global_diff[i], &vm_stat[i]);
70946+ atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
70947 }
70948
70949 #endif
70950@@ -1207,10 +1207,20 @@ static int __init setup_vmstat(void)
70951 start_cpu_timer(cpu);
70952 #endif
70953 #ifdef CONFIG_PROC_FS
70954- proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
70955- proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
70956- proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
70957- proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
70958+ {
70959+ mode_t gr_mode = S_IRUGO;
70960+#ifdef CONFIG_GRKERNSEC_PROC_ADD
70961+ gr_mode = S_IRUSR;
70962+#endif
70963+ proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
70964+ proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
70965+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
70966+ proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
70967+#else
70968+ proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
70969+#endif
70970+ proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
70971+ }
70972 #endif
70973 return 0;
70974 }
70975diff -urNp linux-3.0.7/net/8021q/vlan.c linux-3.0.7/net/8021q/vlan.c
70976--- linux-3.0.7/net/8021q/vlan.c 2011-07-21 22:17:23.000000000 -0400
70977+++ linux-3.0.7/net/8021q/vlan.c 2011-08-23 21:47:56.000000000 -0400
70978@@ -591,8 +591,7 @@ static int vlan_ioctl_handler(struct net
70979 err = -EPERM;
70980 if (!capable(CAP_NET_ADMIN))
70981 break;
70982- if ((args.u.name_type >= 0) &&
70983- (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
70984+ if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
70985 struct vlan_net *vn;
70986
70987 vn = net_generic(net, vlan_net_id);
70988diff -urNp linux-3.0.7/net/9p/trans_fd.c linux-3.0.7/net/9p/trans_fd.c
70989--- linux-3.0.7/net/9p/trans_fd.c 2011-07-21 22:17:23.000000000 -0400
70990+++ linux-3.0.7/net/9p/trans_fd.c 2011-10-06 04:17:55.000000000 -0400
70991@@ -423,7 +423,7 @@ static int p9_fd_write(struct p9_client
70992 oldfs = get_fs();
70993 set_fs(get_ds());
70994 /* The cast to a user pointer is valid due to the set_fs() */
70995- ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
70996+ ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
70997 set_fs(oldfs);
70998
70999 if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
71000diff -urNp linux-3.0.7/net/9p/trans_virtio.c linux-3.0.7/net/9p/trans_virtio.c
71001--- linux-3.0.7/net/9p/trans_virtio.c 2011-10-16 21:54:54.000000000 -0400
71002+++ linux-3.0.7/net/9p/trans_virtio.c 2011-10-16 21:55:28.000000000 -0400
71003@@ -327,7 +327,7 @@ req_retry_pinned:
71004 } else {
71005 char *pbuf;
71006 if (req->tc->pubuf)
71007- pbuf = (__force char *) req->tc->pubuf;
71008+ pbuf = (char __force_kernel *) req->tc->pubuf;
71009 else
71010 pbuf = req->tc->pkbuf;
71011 outp = pack_sg_list(chan->sg, out, VIRTQUEUE_NUM, pbuf,
71012@@ -357,7 +357,7 @@ req_retry_pinned:
71013 } else {
71014 char *pbuf;
71015 if (req->tc->pubuf)
71016- pbuf = (__force char *) req->tc->pubuf;
71017+ pbuf = (char __force_kernel *) req->tc->pubuf;
71018 else
71019 pbuf = req->tc->pkbuf;
71020
71021diff -urNp linux-3.0.7/net/atm/atm_misc.c linux-3.0.7/net/atm/atm_misc.c
71022--- linux-3.0.7/net/atm/atm_misc.c 2011-07-21 22:17:23.000000000 -0400
71023+++ linux-3.0.7/net/atm/atm_misc.c 2011-08-23 21:47:56.000000000 -0400
71024@@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
71025 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
71026 return 1;
71027 atm_return(vcc, truesize);
71028- atomic_inc(&vcc->stats->rx_drop);
71029+ atomic_inc_unchecked(&vcc->stats->rx_drop);
71030 return 0;
71031 }
71032 EXPORT_SYMBOL(atm_charge);
71033@@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
71034 }
71035 }
71036 atm_return(vcc, guess);
71037- atomic_inc(&vcc->stats->rx_drop);
71038+ atomic_inc_unchecked(&vcc->stats->rx_drop);
71039 return NULL;
71040 }
71041 EXPORT_SYMBOL(atm_alloc_charge);
71042@@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
71043
71044 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
71045 {
71046-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
71047+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
71048 __SONET_ITEMS
71049 #undef __HANDLE_ITEM
71050 }
71051@@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
71052
71053 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
71054 {
71055-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
71056+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
71057 __SONET_ITEMS
71058 #undef __HANDLE_ITEM
71059 }
71060diff -urNp linux-3.0.7/net/atm/lec.h linux-3.0.7/net/atm/lec.h
71061--- linux-3.0.7/net/atm/lec.h 2011-07-21 22:17:23.000000000 -0400
71062+++ linux-3.0.7/net/atm/lec.h 2011-08-23 21:47:56.000000000 -0400
71063@@ -48,7 +48,7 @@ struct lane2_ops {
71064 const u8 *tlvs, u32 sizeoftlvs);
71065 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
71066 const u8 *tlvs, u32 sizeoftlvs);
71067-};
71068+} __no_const;
71069
71070 /*
71071 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
71072diff -urNp linux-3.0.7/net/atm/mpc.h linux-3.0.7/net/atm/mpc.h
71073--- linux-3.0.7/net/atm/mpc.h 2011-07-21 22:17:23.000000000 -0400
71074+++ linux-3.0.7/net/atm/mpc.h 2011-08-23 21:47:56.000000000 -0400
71075@@ -33,7 +33,7 @@ struct mpoa_client {
71076 struct mpc_parameters parameters; /* parameters for this client */
71077
71078 const struct net_device_ops *old_ops;
71079- struct net_device_ops new_ops;
71080+ net_device_ops_no_const new_ops;
71081 };
71082
71083
71084diff -urNp linux-3.0.7/net/atm/mpoa_caches.c linux-3.0.7/net/atm/mpoa_caches.c
71085--- linux-3.0.7/net/atm/mpoa_caches.c 2011-07-21 22:17:23.000000000 -0400
71086+++ linux-3.0.7/net/atm/mpoa_caches.c 2011-08-23 21:48:14.000000000 -0400
71087@@ -255,6 +255,8 @@ static void check_resolving_entries(stru
71088 struct timeval now;
71089 struct k_message msg;
71090
71091+ pax_track_stack();
71092+
71093 do_gettimeofday(&now);
71094
71095 read_lock_bh(&client->ingress_lock);
71096diff -urNp linux-3.0.7/net/atm/proc.c linux-3.0.7/net/atm/proc.c
71097--- linux-3.0.7/net/atm/proc.c 2011-07-21 22:17:23.000000000 -0400
71098+++ linux-3.0.7/net/atm/proc.c 2011-08-23 21:47:56.000000000 -0400
71099@@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
71100 const struct k_atm_aal_stats *stats)
71101 {
71102 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
71103- atomic_read(&stats->tx), atomic_read(&stats->tx_err),
71104- atomic_read(&stats->rx), atomic_read(&stats->rx_err),
71105- atomic_read(&stats->rx_drop));
71106+ atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
71107+ atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
71108+ atomic_read_unchecked(&stats->rx_drop));
71109 }
71110
71111 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
71112diff -urNp linux-3.0.7/net/atm/resources.c linux-3.0.7/net/atm/resources.c
71113--- linux-3.0.7/net/atm/resources.c 2011-07-21 22:17:23.000000000 -0400
71114+++ linux-3.0.7/net/atm/resources.c 2011-08-23 21:47:56.000000000 -0400
71115@@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
71116 static void copy_aal_stats(struct k_atm_aal_stats *from,
71117 struct atm_aal_stats *to)
71118 {
71119-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
71120+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
71121 __AAL_STAT_ITEMS
71122 #undef __HANDLE_ITEM
71123 }
71124@@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
71125 static void subtract_aal_stats(struct k_atm_aal_stats *from,
71126 struct atm_aal_stats *to)
71127 {
71128-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
71129+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
71130 __AAL_STAT_ITEMS
71131 #undef __HANDLE_ITEM
71132 }
71133diff -urNp linux-3.0.7/net/batman-adv/hard-interface.c linux-3.0.7/net/batman-adv/hard-interface.c
71134--- linux-3.0.7/net/batman-adv/hard-interface.c 2011-07-21 22:17:23.000000000 -0400
71135+++ linux-3.0.7/net/batman-adv/hard-interface.c 2011-08-23 21:47:56.000000000 -0400
71136@@ -351,8 +351,8 @@ int hardif_enable_interface(struct hard_
71137 hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
71138 dev_add_pack(&hard_iface->batman_adv_ptype);
71139
71140- atomic_set(&hard_iface->seqno, 1);
71141- atomic_set(&hard_iface->frag_seqno, 1);
71142+ atomic_set_unchecked(&hard_iface->seqno, 1);
71143+ atomic_set_unchecked(&hard_iface->frag_seqno, 1);
71144 bat_info(hard_iface->soft_iface, "Adding interface: %s\n",
71145 hard_iface->net_dev->name);
71146
71147diff -urNp linux-3.0.7/net/batman-adv/routing.c linux-3.0.7/net/batman-adv/routing.c
71148--- linux-3.0.7/net/batman-adv/routing.c 2011-07-21 22:17:23.000000000 -0400
71149+++ linux-3.0.7/net/batman-adv/routing.c 2011-08-23 21:47:56.000000000 -0400
71150@@ -627,7 +627,7 @@ void receive_bat_packet(struct ethhdr *e
71151 return;
71152
71153 /* could be changed by schedule_own_packet() */
71154- if_incoming_seqno = atomic_read(&if_incoming->seqno);
71155+ if_incoming_seqno = atomic_read_unchecked(&if_incoming->seqno);
71156
71157 has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
71158
71159diff -urNp linux-3.0.7/net/batman-adv/send.c linux-3.0.7/net/batman-adv/send.c
71160--- linux-3.0.7/net/batman-adv/send.c 2011-07-21 22:17:23.000000000 -0400
71161+++ linux-3.0.7/net/batman-adv/send.c 2011-08-23 21:47:56.000000000 -0400
71162@@ -279,7 +279,7 @@ void schedule_own_packet(struct hard_ifa
71163
71164 /* change sequence number to network order */
71165 batman_packet->seqno =
71166- htonl((uint32_t)atomic_read(&hard_iface->seqno));
71167+ htonl((uint32_t)atomic_read_unchecked(&hard_iface->seqno));
71168
71169 if (vis_server == VIS_TYPE_SERVER_SYNC)
71170 batman_packet->flags |= VIS_SERVER;
71171@@ -293,7 +293,7 @@ void schedule_own_packet(struct hard_ifa
71172 else
71173 batman_packet->gw_flags = 0;
71174
71175- atomic_inc(&hard_iface->seqno);
71176+ atomic_inc_unchecked(&hard_iface->seqno);
71177
71178 slide_own_bcast_window(hard_iface);
71179 send_time = own_send_time(bat_priv);
71180diff -urNp linux-3.0.7/net/batman-adv/soft-interface.c linux-3.0.7/net/batman-adv/soft-interface.c
71181--- linux-3.0.7/net/batman-adv/soft-interface.c 2011-07-21 22:17:23.000000000 -0400
71182+++ linux-3.0.7/net/batman-adv/soft-interface.c 2011-08-23 21:47:56.000000000 -0400
71183@@ -628,7 +628,7 @@ int interface_tx(struct sk_buff *skb, st
71184
71185 /* set broadcast sequence number */
71186 bcast_packet->seqno =
71187- htonl(atomic_inc_return(&bat_priv->bcast_seqno));
71188+ htonl(atomic_inc_return_unchecked(&bat_priv->bcast_seqno));
71189
71190 add_bcast_packet_to_list(bat_priv, skb);
71191
71192@@ -830,7 +830,7 @@ struct net_device *softif_create(char *n
71193 atomic_set(&bat_priv->batman_queue_left, BATMAN_QUEUE_LEN);
71194
71195 atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
71196- atomic_set(&bat_priv->bcast_seqno, 1);
71197+ atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
71198 atomic_set(&bat_priv->tt_local_changed, 0);
71199
71200 bat_priv->primary_if = NULL;
71201diff -urNp linux-3.0.7/net/batman-adv/types.h linux-3.0.7/net/batman-adv/types.h
71202--- linux-3.0.7/net/batman-adv/types.h 2011-07-21 22:17:23.000000000 -0400
71203+++ linux-3.0.7/net/batman-adv/types.h 2011-08-23 21:47:56.000000000 -0400
71204@@ -38,8 +38,8 @@ struct hard_iface {
71205 int16_t if_num;
71206 char if_status;
71207 struct net_device *net_dev;
71208- atomic_t seqno;
71209- atomic_t frag_seqno;
71210+ atomic_unchecked_t seqno;
71211+ atomic_unchecked_t frag_seqno;
71212 unsigned char *packet_buff;
71213 int packet_len;
71214 struct kobject *hardif_obj;
71215@@ -142,7 +142,7 @@ struct bat_priv {
71216 atomic_t orig_interval; /* uint */
71217 atomic_t hop_penalty; /* uint */
71218 atomic_t log_level; /* uint */
71219- atomic_t bcast_seqno;
71220+ atomic_unchecked_t bcast_seqno;
71221 atomic_t bcast_queue_left;
71222 atomic_t batman_queue_left;
71223 char num_ifaces;
71224diff -urNp linux-3.0.7/net/batman-adv/unicast.c linux-3.0.7/net/batman-adv/unicast.c
71225--- linux-3.0.7/net/batman-adv/unicast.c 2011-07-21 22:17:23.000000000 -0400
71226+++ linux-3.0.7/net/batman-adv/unicast.c 2011-08-23 21:47:56.000000000 -0400
71227@@ -265,7 +265,7 @@ int frag_send_skb(struct sk_buff *skb, s
71228 frag1->flags = UNI_FRAG_HEAD | large_tail;
71229 frag2->flags = large_tail;
71230
71231- seqno = atomic_add_return(2, &hard_iface->frag_seqno);
71232+ seqno = atomic_add_return_unchecked(2, &hard_iface->frag_seqno);
71233 frag1->seqno = htons(seqno - 1);
71234 frag2->seqno = htons(seqno);
71235
71236diff -urNp linux-3.0.7/net/bridge/br_multicast.c linux-3.0.7/net/bridge/br_multicast.c
71237--- linux-3.0.7/net/bridge/br_multicast.c 2011-10-16 21:54:54.000000000 -0400
71238+++ linux-3.0.7/net/bridge/br_multicast.c 2011-10-16 21:55:28.000000000 -0400
71239@@ -1485,7 +1485,7 @@ static int br_multicast_ipv6_rcv(struct
71240 nexthdr = ip6h->nexthdr;
71241 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
71242
71243- if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
71244+ if (nexthdr != IPPROTO_ICMPV6)
71245 return 0;
71246
71247 /* Okay, we found ICMPv6 header */
71248diff -urNp linux-3.0.7/net/bridge/netfilter/ebtables.c linux-3.0.7/net/bridge/netfilter/ebtables.c
71249--- linux-3.0.7/net/bridge/netfilter/ebtables.c 2011-07-21 22:17:23.000000000 -0400
71250+++ linux-3.0.7/net/bridge/netfilter/ebtables.c 2011-08-23 21:48:14.000000000 -0400
71251@@ -1512,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
71252 tmp.valid_hooks = t->table->valid_hooks;
71253 }
71254 mutex_unlock(&ebt_mutex);
71255- if (copy_to_user(user, &tmp, *len) != 0){
71256+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
71257 BUGPRINT("c2u Didn't work\n");
71258 ret = -EFAULT;
71259 break;
71260@@ -1780,6 +1780,8 @@ static int compat_copy_everything_to_use
71261 int ret;
71262 void __user *pos;
71263
71264+ pax_track_stack();
71265+
71266 memset(&tinfo, 0, sizeof(tinfo));
71267
71268 if (cmd == EBT_SO_GET_ENTRIES) {
71269diff -urNp linux-3.0.7/net/caif/caif_socket.c linux-3.0.7/net/caif/caif_socket.c
71270--- linux-3.0.7/net/caif/caif_socket.c 2011-07-21 22:17:23.000000000 -0400
71271+++ linux-3.0.7/net/caif/caif_socket.c 2011-08-23 21:47:56.000000000 -0400
71272@@ -48,19 +48,20 @@ static struct dentry *debugfsdir;
71273 #ifdef CONFIG_DEBUG_FS
71274 struct debug_fs_counter {
71275 atomic_t caif_nr_socks;
71276- atomic_t caif_sock_create;
71277- atomic_t num_connect_req;
71278- atomic_t num_connect_resp;
71279- atomic_t num_connect_fail_resp;
71280- atomic_t num_disconnect;
71281- atomic_t num_remote_shutdown_ind;
71282- atomic_t num_tx_flow_off_ind;
71283- atomic_t num_tx_flow_on_ind;
71284- atomic_t num_rx_flow_off;
71285- atomic_t num_rx_flow_on;
71286+ atomic_unchecked_t caif_sock_create;
71287+ atomic_unchecked_t num_connect_req;
71288+ atomic_unchecked_t num_connect_resp;
71289+ atomic_unchecked_t num_connect_fail_resp;
71290+ atomic_unchecked_t num_disconnect;
71291+ atomic_unchecked_t num_remote_shutdown_ind;
71292+ atomic_unchecked_t num_tx_flow_off_ind;
71293+ atomic_unchecked_t num_tx_flow_on_ind;
71294+ atomic_unchecked_t num_rx_flow_off;
71295+ atomic_unchecked_t num_rx_flow_on;
71296 };
71297 static struct debug_fs_counter cnt;
71298 #define dbfs_atomic_inc(v) atomic_inc_return(v)
71299+#define dbfs_atomic_inc_unchecked(v) atomic_inc_return_unchecked(v)
71300 #define dbfs_atomic_dec(v) atomic_dec_return(v)
71301 #else
71302 #define dbfs_atomic_inc(v) 0
71303@@ -161,7 +162,7 @@ static int caif_queue_rcv_skb(struct soc
71304 atomic_read(&cf_sk->sk.sk_rmem_alloc),
71305 sk_rcvbuf_lowwater(cf_sk));
71306 set_rx_flow_off(cf_sk);
71307- dbfs_atomic_inc(&cnt.num_rx_flow_off);
71308+ dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
71309 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
71310 }
71311
71312@@ -172,7 +173,7 @@ static int caif_queue_rcv_skb(struct soc
71313 set_rx_flow_off(cf_sk);
71314 if (net_ratelimit())
71315 pr_debug("sending flow OFF due to rmem_schedule\n");
71316- dbfs_atomic_inc(&cnt.num_rx_flow_off);
71317+ dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
71318 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
71319 }
71320 skb->dev = NULL;
71321@@ -233,14 +234,14 @@ static void caif_ctrl_cb(struct cflayer
71322 switch (flow) {
71323 case CAIF_CTRLCMD_FLOW_ON_IND:
71324 /* OK from modem to start sending again */
71325- dbfs_atomic_inc(&cnt.num_tx_flow_on_ind);
71326+ dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_on_ind);
71327 set_tx_flow_on(cf_sk);
71328 cf_sk->sk.sk_state_change(&cf_sk->sk);
71329 break;
71330
71331 case CAIF_CTRLCMD_FLOW_OFF_IND:
71332 /* Modem asks us to shut up */
71333- dbfs_atomic_inc(&cnt.num_tx_flow_off_ind);
71334+ dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_off_ind);
71335 set_tx_flow_off(cf_sk);
71336 cf_sk->sk.sk_state_change(&cf_sk->sk);
71337 break;
71338@@ -249,7 +250,7 @@ static void caif_ctrl_cb(struct cflayer
71339 /* We're now connected */
71340 caif_client_register_refcnt(&cf_sk->layer,
71341 cfsk_hold, cfsk_put);
71342- dbfs_atomic_inc(&cnt.num_connect_resp);
71343+ dbfs_atomic_inc_unchecked(&cnt.num_connect_resp);
71344 cf_sk->sk.sk_state = CAIF_CONNECTED;
71345 set_tx_flow_on(cf_sk);
71346 cf_sk->sk.sk_state_change(&cf_sk->sk);
71347@@ -263,7 +264,7 @@ static void caif_ctrl_cb(struct cflayer
71348
71349 case CAIF_CTRLCMD_INIT_FAIL_RSP:
71350 /* Connect request failed */
71351- dbfs_atomic_inc(&cnt.num_connect_fail_resp);
71352+ dbfs_atomic_inc_unchecked(&cnt.num_connect_fail_resp);
71353 cf_sk->sk.sk_err = ECONNREFUSED;
71354 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
71355 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
71356@@ -277,7 +278,7 @@ static void caif_ctrl_cb(struct cflayer
71357
71358 case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
71359 /* Modem has closed this connection, or device is down. */
71360- dbfs_atomic_inc(&cnt.num_remote_shutdown_ind);
71361+ dbfs_atomic_inc_unchecked(&cnt.num_remote_shutdown_ind);
71362 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
71363 cf_sk->sk.sk_err = ECONNRESET;
71364 set_rx_flow_on(cf_sk);
71365@@ -297,7 +298,7 @@ static void caif_check_flow_release(stru
71366 return;
71367
71368 if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
71369- dbfs_atomic_inc(&cnt.num_rx_flow_on);
71370+ dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_on);
71371 set_rx_flow_on(cf_sk);
71372 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
71373 }
71374@@ -854,7 +855,7 @@ static int caif_connect(struct socket *s
71375 /*ifindex = id of the interface.*/
71376 cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
71377
71378- dbfs_atomic_inc(&cnt.num_connect_req);
71379+ dbfs_atomic_inc_unchecked(&cnt.num_connect_req);
71380 cf_sk->layer.receive = caif_sktrecv_cb;
71381
71382 err = caif_connect_client(sock_net(sk), &cf_sk->conn_req,
71383@@ -943,7 +944,7 @@ static int caif_release(struct socket *s
71384 spin_unlock_bh(&sk->sk_receive_queue.lock);
71385 sock->sk = NULL;
71386
71387- dbfs_atomic_inc(&cnt.num_disconnect);
71388+ dbfs_atomic_inc_unchecked(&cnt.num_disconnect);
71389
71390 WARN_ON(IS_ERR(cf_sk->debugfs_socket_dir));
71391 if (cf_sk->debugfs_socket_dir != NULL)
71392@@ -1122,7 +1123,7 @@ static int caif_create(struct net *net,
71393 cf_sk->conn_req.protocol = protocol;
71394 /* Increase the number of sockets created. */
71395 dbfs_atomic_inc(&cnt.caif_nr_socks);
71396- num = dbfs_atomic_inc(&cnt.caif_sock_create);
71397+ num = dbfs_atomic_inc_unchecked(&cnt.caif_sock_create);
71398 #ifdef CONFIG_DEBUG_FS
71399 if (!IS_ERR(debugfsdir)) {
71400
71401diff -urNp linux-3.0.7/net/caif/cfctrl.c linux-3.0.7/net/caif/cfctrl.c
71402--- linux-3.0.7/net/caif/cfctrl.c 2011-07-21 22:17:23.000000000 -0400
71403+++ linux-3.0.7/net/caif/cfctrl.c 2011-08-23 21:48:14.000000000 -0400
71404@@ -9,6 +9,7 @@
71405 #include <linux/stddef.h>
71406 #include <linux/spinlock.h>
71407 #include <linux/slab.h>
71408+#include <linux/sched.h>
71409 #include <net/caif/caif_layer.h>
71410 #include <net/caif/cfpkt.h>
71411 #include <net/caif/cfctrl.h>
71412@@ -45,8 +46,8 @@ struct cflayer *cfctrl_create(void)
71413 dev_info.id = 0xff;
71414 memset(this, 0, sizeof(*this));
71415 cfsrvl_init(&this->serv, 0, &dev_info, false);
71416- atomic_set(&this->req_seq_no, 1);
71417- atomic_set(&this->rsp_seq_no, 1);
71418+ atomic_set_unchecked(&this->req_seq_no, 1);
71419+ atomic_set_unchecked(&this->rsp_seq_no, 1);
71420 this->serv.layer.receive = cfctrl_recv;
71421 sprintf(this->serv.layer.name, "ctrl");
71422 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
71423@@ -132,8 +133,8 @@ static void cfctrl_insert_req(struct cfc
71424 struct cfctrl_request_info *req)
71425 {
71426 spin_lock_bh(&ctrl->info_list_lock);
71427- atomic_inc(&ctrl->req_seq_no);
71428- req->sequence_no = atomic_read(&ctrl->req_seq_no);
71429+ atomic_inc_unchecked(&ctrl->req_seq_no);
71430+ req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
71431 list_add_tail(&req->list, &ctrl->list);
71432 spin_unlock_bh(&ctrl->info_list_lock);
71433 }
71434@@ -151,7 +152,7 @@ static struct cfctrl_request_info *cfctr
71435 if (p != first)
71436 pr_warn("Requests are not received in order\n");
71437
71438- atomic_set(&ctrl->rsp_seq_no,
71439+ atomic_set_unchecked(&ctrl->rsp_seq_no,
71440 p->sequence_no);
71441 list_del(&p->list);
71442 goto out;
71443@@ -364,6 +365,7 @@ static int cfctrl_recv(struct cflayer *l
71444 struct cfctrl *cfctrl = container_obj(layer);
71445 struct cfctrl_request_info rsp, *req;
71446
71447+ pax_track_stack();
71448
71449 cfpkt_extr_head(pkt, &cmdrsp, 1);
71450 cmd = cmdrsp & CFCTRL_CMD_MASK;
71451diff -urNp linux-3.0.7/net/compat.c linux-3.0.7/net/compat.c
71452--- linux-3.0.7/net/compat.c 2011-07-21 22:17:23.000000000 -0400
71453+++ linux-3.0.7/net/compat.c 2011-10-06 04:17:55.000000000 -0400
71454@@ -70,9 +70,9 @@ int get_compat_msghdr(struct msghdr *kms
71455 __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
71456 __get_user(kmsg->msg_flags, &umsg->msg_flags))
71457 return -EFAULT;
71458- kmsg->msg_name = compat_ptr(tmp1);
71459- kmsg->msg_iov = compat_ptr(tmp2);
71460- kmsg->msg_control = compat_ptr(tmp3);
71461+ kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
71462+ kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
71463+ kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
71464 return 0;
71465 }
71466
71467@@ -84,7 +84,7 @@ int verify_compat_iovec(struct msghdr *k
71468
71469 if (kern_msg->msg_namelen) {
71470 if (mode == VERIFY_READ) {
71471- int err = move_addr_to_kernel(kern_msg->msg_name,
71472+ int err = move_addr_to_kernel((void __force_user *)kern_msg->msg_name,
71473 kern_msg->msg_namelen,
71474 kern_address);
71475 if (err < 0)
71476@@ -95,7 +95,7 @@ int verify_compat_iovec(struct msghdr *k
71477 kern_msg->msg_name = NULL;
71478
71479 tot_len = iov_from_user_compat_to_kern(kern_iov,
71480- (struct compat_iovec __user *)kern_msg->msg_iov,
71481+ (struct compat_iovec __force_user *)kern_msg->msg_iov,
71482 kern_msg->msg_iovlen);
71483 if (tot_len >= 0)
71484 kern_msg->msg_iov = kern_iov;
71485@@ -115,20 +115,20 @@ int verify_compat_iovec(struct msghdr *k
71486
71487 #define CMSG_COMPAT_FIRSTHDR(msg) \
71488 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
71489- (struct compat_cmsghdr __user *)((msg)->msg_control) : \
71490+ (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
71491 (struct compat_cmsghdr __user *)NULL)
71492
71493 #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
71494 ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
71495 (ucmlen) <= (unsigned long) \
71496 ((mhdr)->msg_controllen - \
71497- ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
71498+ ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
71499
71500 static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
71501 struct compat_cmsghdr __user *cmsg, int cmsg_len)
71502 {
71503 char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
71504- if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
71505+ if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
71506 msg->msg_controllen)
71507 return NULL;
71508 return (struct compat_cmsghdr __user *)ptr;
71509@@ -220,7 +220,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
71510 {
71511 struct compat_timeval ctv;
71512 struct compat_timespec cts[3];
71513- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
71514+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
71515 struct compat_cmsghdr cmhdr;
71516 int cmlen;
71517
71518@@ -272,7 +272,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
71519
71520 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
71521 {
71522- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
71523+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
71524 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
71525 int fdnum = scm->fp->count;
71526 struct file **fp = scm->fp->fp;
71527@@ -369,7 +369,7 @@ static int do_set_sock_timeout(struct so
71528 return -EFAULT;
71529 old_fs = get_fs();
71530 set_fs(KERNEL_DS);
71531- err = sock_setsockopt(sock, level, optname, (char *)&ktime, sizeof(ktime));
71532+ err = sock_setsockopt(sock, level, optname, (char __force_user *)&ktime, sizeof(ktime));
71533 set_fs(old_fs);
71534
71535 return err;
71536@@ -430,7 +430,7 @@ static int do_get_sock_timeout(struct so
71537 len = sizeof(ktime);
71538 old_fs = get_fs();
71539 set_fs(KERNEL_DS);
71540- err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
71541+ err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
71542 set_fs(old_fs);
71543
71544 if (!err) {
71545@@ -565,7 +565,7 @@ int compat_mc_setsockopt(struct sock *so
71546 case MCAST_JOIN_GROUP:
71547 case MCAST_LEAVE_GROUP:
71548 {
71549- struct compat_group_req __user *gr32 = (void *)optval;
71550+ struct compat_group_req __user *gr32 = (void __user *)optval;
71551 struct group_req __user *kgr =
71552 compat_alloc_user_space(sizeof(struct group_req));
71553 u32 interface;
71554@@ -586,7 +586,7 @@ int compat_mc_setsockopt(struct sock *so
71555 case MCAST_BLOCK_SOURCE:
71556 case MCAST_UNBLOCK_SOURCE:
71557 {
71558- struct compat_group_source_req __user *gsr32 = (void *)optval;
71559+ struct compat_group_source_req __user *gsr32 = (void __user *)optval;
71560 struct group_source_req __user *kgsr = compat_alloc_user_space(
71561 sizeof(struct group_source_req));
71562 u32 interface;
71563@@ -607,7 +607,7 @@ int compat_mc_setsockopt(struct sock *so
71564 }
71565 case MCAST_MSFILTER:
71566 {
71567- struct compat_group_filter __user *gf32 = (void *)optval;
71568+ struct compat_group_filter __user *gf32 = (void __user *)optval;
71569 struct group_filter __user *kgf;
71570 u32 interface, fmode, numsrc;
71571
71572@@ -645,7 +645,7 @@ int compat_mc_getsockopt(struct sock *so
71573 char __user *optval, int __user *optlen,
71574 int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
71575 {
71576- struct compat_group_filter __user *gf32 = (void *)optval;
71577+ struct compat_group_filter __user *gf32 = (void __user *)optval;
71578 struct group_filter __user *kgf;
71579 int __user *koptlen;
71580 u32 interface, fmode, numsrc;
71581diff -urNp linux-3.0.7/net/core/datagram.c linux-3.0.7/net/core/datagram.c
71582--- linux-3.0.7/net/core/datagram.c 2011-07-21 22:17:23.000000000 -0400
71583+++ linux-3.0.7/net/core/datagram.c 2011-08-23 21:47:56.000000000 -0400
71584@@ -285,7 +285,7 @@ int skb_kill_datagram(struct sock *sk, s
71585 }
71586
71587 kfree_skb(skb);
71588- atomic_inc(&sk->sk_drops);
71589+ atomic_inc_unchecked(&sk->sk_drops);
71590 sk_mem_reclaim_partial(sk);
71591
71592 return err;
71593diff -urNp linux-3.0.7/net/core/dev.c linux-3.0.7/net/core/dev.c
71594--- linux-3.0.7/net/core/dev.c 2011-07-21 22:17:23.000000000 -0400
71595+++ linux-3.0.7/net/core/dev.c 2011-08-23 21:48:14.000000000 -0400
71596@@ -1125,10 +1125,14 @@ void dev_load(struct net *net, const cha
71597 if (no_module && capable(CAP_NET_ADMIN))
71598 no_module = request_module("netdev-%s", name);
71599 if (no_module && capable(CAP_SYS_MODULE)) {
71600+#ifdef CONFIG_GRKERNSEC_MODHARDEN
71601+ ___request_module(true, "grsec_modharden_netdev", "%s", name);
71602+#else
71603 if (!request_module("%s", name))
71604 pr_err("Loading kernel module for a network device "
71605 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
71606 "instead\n", name);
71607+#endif
71608 }
71609 }
71610 EXPORT_SYMBOL(dev_load);
71611@@ -1959,7 +1963,7 @@ static int illegal_highdma(struct net_de
71612
71613 struct dev_gso_cb {
71614 void (*destructor)(struct sk_buff *skb);
71615-};
71616+} __no_const;
71617
71618 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
71619
71620@@ -2912,7 +2916,7 @@ int netif_rx_ni(struct sk_buff *skb)
71621 }
71622 EXPORT_SYMBOL(netif_rx_ni);
71623
71624-static void net_tx_action(struct softirq_action *h)
71625+static void net_tx_action(void)
71626 {
71627 struct softnet_data *sd = &__get_cpu_var(softnet_data);
71628
71629@@ -3761,7 +3765,7 @@ void netif_napi_del(struct napi_struct *
71630 }
71631 EXPORT_SYMBOL(netif_napi_del);
71632
71633-static void net_rx_action(struct softirq_action *h)
71634+static void net_rx_action(void)
71635 {
71636 struct softnet_data *sd = &__get_cpu_var(softnet_data);
71637 unsigned long time_limit = jiffies + 2;
71638diff -urNp linux-3.0.7/net/core/flow.c linux-3.0.7/net/core/flow.c
71639--- linux-3.0.7/net/core/flow.c 2011-07-21 22:17:23.000000000 -0400
71640+++ linux-3.0.7/net/core/flow.c 2011-08-23 21:47:56.000000000 -0400
71641@@ -60,7 +60,7 @@ struct flow_cache {
71642 struct timer_list rnd_timer;
71643 };
71644
71645-atomic_t flow_cache_genid = ATOMIC_INIT(0);
71646+atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
71647 EXPORT_SYMBOL(flow_cache_genid);
71648 static struct flow_cache flow_cache_global;
71649 static struct kmem_cache *flow_cachep __read_mostly;
71650@@ -85,7 +85,7 @@ static void flow_cache_new_hashrnd(unsig
71651
71652 static int flow_entry_valid(struct flow_cache_entry *fle)
71653 {
71654- if (atomic_read(&flow_cache_genid) != fle->genid)
71655+ if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
71656 return 0;
71657 if (fle->object && !fle->object->ops->check(fle->object))
71658 return 0;
71659@@ -253,7 +253,7 @@ flow_cache_lookup(struct net *net, const
71660 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
71661 fcp->hash_count++;
71662 }
71663- } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
71664+ } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
71665 flo = fle->object;
71666 if (!flo)
71667 goto ret_object;
71668@@ -274,7 +274,7 @@ nocache:
71669 }
71670 flo = resolver(net, key, family, dir, flo, ctx);
71671 if (fle) {
71672- fle->genid = atomic_read(&flow_cache_genid);
71673+ fle->genid = atomic_read_unchecked(&flow_cache_genid);
71674 if (!IS_ERR(flo))
71675 fle->object = flo;
71676 else
71677diff -urNp linux-3.0.7/net/core/iovec.c linux-3.0.7/net/core/iovec.c
71678--- linux-3.0.7/net/core/iovec.c 2011-07-21 22:17:23.000000000 -0400
71679+++ linux-3.0.7/net/core/iovec.c 2011-10-06 04:17:55.000000000 -0400
71680@@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struc
71681 if (m->msg_namelen) {
71682 if (mode == VERIFY_READ) {
71683 void __user *namep;
71684- namep = (void __user __force *) m->msg_name;
71685+ namep = (void __force_user *) m->msg_name;
71686 err = move_addr_to_kernel(namep, m->msg_namelen,
71687 address);
71688 if (err < 0)
71689@@ -54,7 +54,7 @@ int verify_iovec(struct msghdr *m, struc
71690 }
71691
71692 size = m->msg_iovlen * sizeof(struct iovec);
71693- if (copy_from_user(iov, (void __user __force *) m->msg_iov, size))
71694+ if (copy_from_user(iov, (void __force_user *) m->msg_iov, size))
71695 return -EFAULT;
71696
71697 m->msg_iov = iov;
71698diff -urNp linux-3.0.7/net/core/rtnetlink.c linux-3.0.7/net/core/rtnetlink.c
71699--- linux-3.0.7/net/core/rtnetlink.c 2011-07-21 22:17:23.000000000 -0400
71700+++ linux-3.0.7/net/core/rtnetlink.c 2011-08-23 21:47:56.000000000 -0400
71701@@ -56,7 +56,7 @@
71702 struct rtnl_link {
71703 rtnl_doit_func doit;
71704 rtnl_dumpit_func dumpit;
71705-};
71706+} __no_const;
71707
71708 static DEFINE_MUTEX(rtnl_mutex);
71709
71710diff -urNp linux-3.0.7/net/core/scm.c linux-3.0.7/net/core/scm.c
71711--- linux-3.0.7/net/core/scm.c 2011-10-16 21:54:54.000000000 -0400
71712+++ linux-3.0.7/net/core/scm.c 2011-10-16 21:55:28.000000000 -0400
71713@@ -218,7 +218,7 @@ EXPORT_SYMBOL(__scm_send);
71714 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
71715 {
71716 struct cmsghdr __user *cm
71717- = (__force struct cmsghdr __user *)msg->msg_control;
71718+ = (struct cmsghdr __force_user *)msg->msg_control;
71719 struct cmsghdr cmhdr;
71720 int cmlen = CMSG_LEN(len);
71721 int err;
71722@@ -241,7 +241,7 @@ int put_cmsg(struct msghdr * msg, int le
71723 err = -EFAULT;
71724 if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
71725 goto out;
71726- if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
71727+ if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
71728 goto out;
71729 cmlen = CMSG_SPACE(len);
71730 if (msg->msg_controllen < cmlen)
71731@@ -257,7 +257,7 @@ EXPORT_SYMBOL(put_cmsg);
71732 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
71733 {
71734 struct cmsghdr __user *cm
71735- = (__force struct cmsghdr __user*)msg->msg_control;
71736+ = (struct cmsghdr __force_user *)msg->msg_control;
71737
71738 int fdmax = 0;
71739 int fdnum = scm->fp->count;
71740@@ -277,7 +277,7 @@ void scm_detach_fds(struct msghdr *msg,
71741 if (fdnum < fdmax)
71742 fdmax = fdnum;
71743
71744- for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
71745+ for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
71746 i++, cmfptr++)
71747 {
71748 int new_fd;
71749diff -urNp linux-3.0.7/net/core/skbuff.c linux-3.0.7/net/core/skbuff.c
71750--- linux-3.0.7/net/core/skbuff.c 2011-07-21 22:17:23.000000000 -0400
71751+++ linux-3.0.7/net/core/skbuff.c 2011-08-23 21:48:14.000000000 -0400
71752@@ -1543,6 +1543,8 @@ int skb_splice_bits(struct sk_buff *skb,
71753 struct sock *sk = skb->sk;
71754 int ret = 0;
71755
71756+ pax_track_stack();
71757+
71758 if (splice_grow_spd(pipe, &spd))
71759 return -ENOMEM;
71760
71761diff -urNp linux-3.0.7/net/core/sock.c linux-3.0.7/net/core/sock.c
71762--- linux-3.0.7/net/core/sock.c 2011-07-21 22:17:23.000000000 -0400
71763+++ linux-3.0.7/net/core/sock.c 2011-08-23 21:48:14.000000000 -0400
71764@@ -291,7 +291,7 @@ int sock_queue_rcv_skb(struct sock *sk,
71765 */
71766 if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
71767 (unsigned)sk->sk_rcvbuf) {
71768- atomic_inc(&sk->sk_drops);
71769+ atomic_inc_unchecked(&sk->sk_drops);
71770 return -ENOMEM;
71771 }
71772
71773@@ -300,7 +300,7 @@ int sock_queue_rcv_skb(struct sock *sk,
71774 return err;
71775
71776 if (!sk_rmem_schedule(sk, skb->truesize)) {
71777- atomic_inc(&sk->sk_drops);
71778+ atomic_inc_unchecked(&sk->sk_drops);
71779 return -ENOBUFS;
71780 }
71781
71782@@ -320,7 +320,7 @@ int sock_queue_rcv_skb(struct sock *sk,
71783 skb_dst_force(skb);
71784
71785 spin_lock_irqsave(&list->lock, flags);
71786- skb->dropcount = atomic_read(&sk->sk_drops);
71787+ skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
71788 __skb_queue_tail(list, skb);
71789 spin_unlock_irqrestore(&list->lock, flags);
71790
71791@@ -340,7 +340,7 @@ int sk_receive_skb(struct sock *sk, stru
71792 skb->dev = NULL;
71793
71794 if (sk_rcvqueues_full(sk, skb)) {
71795- atomic_inc(&sk->sk_drops);
71796+ atomic_inc_unchecked(&sk->sk_drops);
71797 goto discard_and_relse;
71798 }
71799 if (nested)
71800@@ -358,7 +358,7 @@ int sk_receive_skb(struct sock *sk, stru
71801 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
71802 } else if (sk_add_backlog(sk, skb)) {
71803 bh_unlock_sock(sk);
71804- atomic_inc(&sk->sk_drops);
71805+ atomic_inc_unchecked(&sk->sk_drops);
71806 goto discard_and_relse;
71807 }
71808
71809@@ -921,7 +921,7 @@ int sock_getsockopt(struct socket *sock,
71810 if (len > sizeof(peercred))
71811 len = sizeof(peercred);
71812 cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
71813- if (copy_to_user(optval, &peercred, len))
71814+ if (len > sizeof(peercred) || copy_to_user(optval, &peercred, len))
71815 return -EFAULT;
71816 goto lenout;
71817 }
71818@@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
71819 return -ENOTCONN;
71820 if (lv < len)
71821 return -EINVAL;
71822- if (copy_to_user(optval, address, len))
71823+ if (len > sizeof(address) || copy_to_user(optval, address, len))
71824 return -EFAULT;
71825 goto lenout;
71826 }
71827@@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
71828
71829 if (len > lv)
71830 len = lv;
71831- if (copy_to_user(optval, &v, len))
71832+ if (len > sizeof(v) || copy_to_user(optval, &v, len))
71833 return -EFAULT;
71834 lenout:
71835 if (put_user(len, optlen))
71836@@ -2023,7 +2023,7 @@ void sock_init_data(struct socket *sock,
71837 */
71838 smp_wmb();
71839 atomic_set(&sk->sk_refcnt, 1);
71840- atomic_set(&sk->sk_drops, 0);
71841+ atomic_set_unchecked(&sk->sk_drops, 0);
71842 }
71843 EXPORT_SYMBOL(sock_init_data);
71844
71845diff -urNp linux-3.0.7/net/decnet/sysctl_net_decnet.c linux-3.0.7/net/decnet/sysctl_net_decnet.c
71846--- linux-3.0.7/net/decnet/sysctl_net_decnet.c 2011-07-21 22:17:23.000000000 -0400
71847+++ linux-3.0.7/net/decnet/sysctl_net_decnet.c 2011-08-23 21:47:56.000000000 -0400
71848@@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
71849
71850 if (len > *lenp) len = *lenp;
71851
71852- if (copy_to_user(buffer, addr, len))
71853+ if (len > sizeof addr || copy_to_user(buffer, addr, len))
71854 return -EFAULT;
71855
71856 *lenp = len;
71857@@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
71858
71859 if (len > *lenp) len = *lenp;
71860
71861- if (copy_to_user(buffer, devname, len))
71862+ if (len > sizeof devname || copy_to_user(buffer, devname, len))
71863 return -EFAULT;
71864
71865 *lenp = len;
71866diff -urNp linux-3.0.7/net/econet/Kconfig linux-3.0.7/net/econet/Kconfig
71867--- linux-3.0.7/net/econet/Kconfig 2011-07-21 22:17:23.000000000 -0400
71868+++ linux-3.0.7/net/econet/Kconfig 2011-08-23 21:48:14.000000000 -0400
71869@@ -4,7 +4,7 @@
71870
71871 config ECONET
71872 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
71873- depends on EXPERIMENTAL && INET
71874+ depends on EXPERIMENTAL && INET && BROKEN
71875 ---help---
71876 Econet is a fairly old and slow networking protocol mainly used by
71877 Acorn computers to access file and print servers. It uses native
71878diff -urNp linux-3.0.7/net/ipv4/fib_frontend.c linux-3.0.7/net/ipv4/fib_frontend.c
71879--- linux-3.0.7/net/ipv4/fib_frontend.c 2011-07-21 22:17:23.000000000 -0400
71880+++ linux-3.0.7/net/ipv4/fib_frontend.c 2011-08-23 21:47:56.000000000 -0400
71881@@ -970,12 +970,12 @@ static int fib_inetaddr_event(struct not
71882 #ifdef CONFIG_IP_ROUTE_MULTIPATH
71883 fib_sync_up(dev);
71884 #endif
71885- atomic_inc(&net->ipv4.dev_addr_genid);
71886+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
71887 rt_cache_flush(dev_net(dev), -1);
71888 break;
71889 case NETDEV_DOWN:
71890 fib_del_ifaddr(ifa, NULL);
71891- atomic_inc(&net->ipv4.dev_addr_genid);
71892+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
71893 if (ifa->ifa_dev->ifa_list == NULL) {
71894 /* Last address was deleted from this interface.
71895 * Disable IP.
71896@@ -1011,7 +1011,7 @@ static int fib_netdev_event(struct notif
71897 #ifdef CONFIG_IP_ROUTE_MULTIPATH
71898 fib_sync_up(dev);
71899 #endif
71900- atomic_inc(&net->ipv4.dev_addr_genid);
71901+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
71902 rt_cache_flush(dev_net(dev), -1);
71903 break;
71904 case NETDEV_DOWN:
71905diff -urNp linux-3.0.7/net/ipv4/fib_semantics.c linux-3.0.7/net/ipv4/fib_semantics.c
71906--- linux-3.0.7/net/ipv4/fib_semantics.c 2011-07-21 22:17:23.000000000 -0400
71907+++ linux-3.0.7/net/ipv4/fib_semantics.c 2011-08-23 21:47:56.000000000 -0400
71908@@ -691,7 +691,7 @@ __be32 fib_info_update_nh_saddr(struct n
71909 nh->nh_saddr = inet_select_addr(nh->nh_dev,
71910 nh->nh_gw,
71911 nh->nh_parent->fib_scope);
71912- nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
71913+ nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
71914
71915 return nh->nh_saddr;
71916 }
71917diff -urNp linux-3.0.7/net/ipv4/inet_diag.c linux-3.0.7/net/ipv4/inet_diag.c
71918--- linux-3.0.7/net/ipv4/inet_diag.c 2011-07-21 22:17:23.000000000 -0400
71919+++ linux-3.0.7/net/ipv4/inet_diag.c 2011-08-23 21:48:14.000000000 -0400
71920@@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
71921 r->idiag_retrans = 0;
71922
71923 r->id.idiag_if = sk->sk_bound_dev_if;
71924+
71925+#ifdef CONFIG_GRKERNSEC_HIDESYM
71926+ r->id.idiag_cookie[0] = 0;
71927+ r->id.idiag_cookie[1] = 0;
71928+#else
71929 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
71930 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
71931+#endif
71932
71933 r->id.idiag_sport = inet->inet_sport;
71934 r->id.idiag_dport = inet->inet_dport;
71935@@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
71936 r->idiag_family = tw->tw_family;
71937 r->idiag_retrans = 0;
71938 r->id.idiag_if = tw->tw_bound_dev_if;
71939+
71940+#ifdef CONFIG_GRKERNSEC_HIDESYM
71941+ r->id.idiag_cookie[0] = 0;
71942+ r->id.idiag_cookie[1] = 0;
71943+#else
71944 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
71945 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
71946+#endif
71947+
71948 r->id.idiag_sport = tw->tw_sport;
71949 r->id.idiag_dport = tw->tw_dport;
71950 r->id.idiag_src[0] = tw->tw_rcv_saddr;
71951@@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
71952 if (sk == NULL)
71953 goto unlock;
71954
71955+#ifndef CONFIG_GRKERNSEC_HIDESYM
71956 err = -ESTALE;
71957 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
71958 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
71959 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
71960 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
71961 goto out;
71962+#endif
71963
71964 err = -ENOMEM;
71965 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
71966@@ -580,8 +595,14 @@ static int inet_diag_fill_req(struct sk_
71967 r->idiag_retrans = req->retrans;
71968
71969 r->id.idiag_if = sk->sk_bound_dev_if;
71970+
71971+#ifdef CONFIG_GRKERNSEC_HIDESYM
71972+ r->id.idiag_cookie[0] = 0;
71973+ r->id.idiag_cookie[1] = 0;
71974+#else
71975 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
71976 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
71977+#endif
71978
71979 tmo = req->expires - jiffies;
71980 if (tmo < 0)
71981diff -urNp linux-3.0.7/net/ipv4/inet_hashtables.c linux-3.0.7/net/ipv4/inet_hashtables.c
71982--- linux-3.0.7/net/ipv4/inet_hashtables.c 2011-09-02 18:11:21.000000000 -0400
71983+++ linux-3.0.7/net/ipv4/inet_hashtables.c 2011-08-23 21:55:24.000000000 -0400
71984@@ -18,12 +18,15 @@
71985 #include <linux/sched.h>
71986 #include <linux/slab.h>
71987 #include <linux/wait.h>
71988+#include <linux/security.h>
71989
71990 #include <net/inet_connection_sock.h>
71991 #include <net/inet_hashtables.h>
71992 #include <net/secure_seq.h>
71993 #include <net/ip.h>
71994
71995+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
71996+
71997 /*
71998 * Allocate and initialize a new local port bind bucket.
71999 * The bindhash mutex for snum's hash chain must be held here.
72000@@ -530,6 +533,8 @@ ok:
72001 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
72002 spin_unlock(&head->lock);
72003
72004+ gr_update_task_in_ip_table(current, inet_sk(sk));
72005+
72006 if (tw) {
72007 inet_twsk_deschedule(tw, death_row);
72008 while (twrefcnt) {
72009diff -urNp linux-3.0.7/net/ipv4/inetpeer.c linux-3.0.7/net/ipv4/inetpeer.c
72010--- linux-3.0.7/net/ipv4/inetpeer.c 2011-09-02 18:11:21.000000000 -0400
72011+++ linux-3.0.7/net/ipv4/inetpeer.c 2011-08-23 21:48:14.000000000 -0400
72012@@ -481,6 +481,8 @@ struct inet_peer *inet_getpeer(struct in
72013 unsigned int sequence;
72014 int invalidated, newrefcnt = 0;
72015
72016+ pax_track_stack();
72017+
72018 /* Look up for the address quickly, lockless.
72019 * Because of a concurrent writer, we might not find an existing entry.
72020 */
72021@@ -517,8 +519,8 @@ found: /* The existing node has been fo
72022 if (p) {
72023 p->daddr = *daddr;
72024 atomic_set(&p->refcnt, 1);
72025- atomic_set(&p->rid, 0);
72026- atomic_set(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
72027+ atomic_set_unchecked(&p->rid, 0);
72028+ atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
72029 p->tcp_ts_stamp = 0;
72030 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
72031 p->rate_tokens = 0;
72032diff -urNp linux-3.0.7/net/ipv4/ip_fragment.c linux-3.0.7/net/ipv4/ip_fragment.c
72033--- linux-3.0.7/net/ipv4/ip_fragment.c 2011-07-21 22:17:23.000000000 -0400
72034+++ linux-3.0.7/net/ipv4/ip_fragment.c 2011-08-23 21:47:56.000000000 -0400
72035@@ -315,7 +315,7 @@ static inline int ip_frag_too_far(struct
72036 return 0;
72037
72038 start = qp->rid;
72039- end = atomic_inc_return(&peer->rid);
72040+ end = atomic_inc_return_unchecked(&peer->rid);
72041 qp->rid = end;
72042
72043 rc = qp->q.fragments && (end - start) > max;
72044diff -urNp linux-3.0.7/net/ipv4/ip_sockglue.c linux-3.0.7/net/ipv4/ip_sockglue.c
72045--- linux-3.0.7/net/ipv4/ip_sockglue.c 2011-07-21 22:17:23.000000000 -0400
72046+++ linux-3.0.7/net/ipv4/ip_sockglue.c 2011-10-06 04:17:55.000000000 -0400
72047@@ -1073,6 +1073,8 @@ static int do_ip_getsockopt(struct sock
72048 int val;
72049 int len;
72050
72051+ pax_track_stack();
72052+
72053 if (level != SOL_IP)
72054 return -EOPNOTSUPP;
72055
72056@@ -1110,7 +1112,8 @@ static int do_ip_getsockopt(struct sock
72057 len = min_t(unsigned int, len, opt->optlen);
72058 if (put_user(len, optlen))
72059 return -EFAULT;
72060- if (copy_to_user(optval, opt->__data, len))
72061+ if ((len > (sizeof(optbuf) - sizeof(struct ip_options))) ||
72062+ copy_to_user(optval, opt->__data, len))
72063 return -EFAULT;
72064 return 0;
72065 }
72066@@ -1238,7 +1241,7 @@ static int do_ip_getsockopt(struct sock
72067 if (sk->sk_type != SOCK_STREAM)
72068 return -ENOPROTOOPT;
72069
72070- msg.msg_control = optval;
72071+ msg.msg_control = (void __force_kernel *)optval;
72072 msg.msg_controllen = len;
72073 msg.msg_flags = 0;
72074
72075diff -urNp linux-3.0.7/net/ipv4/ipconfig.c linux-3.0.7/net/ipv4/ipconfig.c
72076--- linux-3.0.7/net/ipv4/ipconfig.c 2011-07-21 22:17:23.000000000 -0400
72077+++ linux-3.0.7/net/ipv4/ipconfig.c 2011-10-06 04:17:55.000000000 -0400
72078@@ -313,7 +313,7 @@ static int __init ic_devinet_ioctl(unsig
72079
72080 mm_segment_t oldfs = get_fs();
72081 set_fs(get_ds());
72082- res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
72083+ res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
72084 set_fs(oldfs);
72085 return res;
72086 }
72087@@ -324,7 +324,7 @@ static int __init ic_dev_ioctl(unsigned
72088
72089 mm_segment_t oldfs = get_fs();
72090 set_fs(get_ds());
72091- res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
72092+ res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
72093 set_fs(oldfs);
72094 return res;
72095 }
72096@@ -335,7 +335,7 @@ static int __init ic_route_ioctl(unsigne
72097
72098 mm_segment_t oldfs = get_fs();
72099 set_fs(get_ds());
72100- res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
72101+ res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
72102 set_fs(oldfs);
72103 return res;
72104 }
72105diff -urNp linux-3.0.7/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-3.0.7/net/ipv4/netfilter/nf_nat_snmp_basic.c
72106--- linux-3.0.7/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-07-21 22:17:23.000000000 -0400
72107+++ linux-3.0.7/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-08-23 21:47:56.000000000 -0400
72108@@ -399,7 +399,7 @@ static unsigned char asn1_octets_decode(
72109
72110 *len = 0;
72111
72112- *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
72113+ *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
72114 if (*octets == NULL) {
72115 if (net_ratelimit())
72116 pr_notice("OOM in bsalg (%d)\n", __LINE__);
72117diff -urNp linux-3.0.7/net/ipv4/ping.c linux-3.0.7/net/ipv4/ping.c
72118--- linux-3.0.7/net/ipv4/ping.c 2011-07-21 22:17:23.000000000 -0400
72119+++ linux-3.0.7/net/ipv4/ping.c 2011-08-23 21:47:56.000000000 -0400
72120@@ -837,7 +837,7 @@ static void ping_format_sock(struct sock
72121 sk_rmem_alloc_get(sp),
72122 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72123 atomic_read(&sp->sk_refcnt), sp,
72124- atomic_read(&sp->sk_drops), len);
72125+ atomic_read_unchecked(&sp->sk_drops), len);
72126 }
72127
72128 static int ping_seq_show(struct seq_file *seq, void *v)
72129diff -urNp linux-3.0.7/net/ipv4/raw.c linux-3.0.7/net/ipv4/raw.c
72130--- linux-3.0.7/net/ipv4/raw.c 2011-07-21 22:17:23.000000000 -0400
72131+++ linux-3.0.7/net/ipv4/raw.c 2011-08-23 21:48:14.000000000 -0400
72132@@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
72133 int raw_rcv(struct sock *sk, struct sk_buff *skb)
72134 {
72135 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
72136- atomic_inc(&sk->sk_drops);
72137+ atomic_inc_unchecked(&sk->sk_drops);
72138 kfree_skb(skb);
72139 return NET_RX_DROP;
72140 }
72141@@ -736,16 +736,20 @@ static int raw_init(struct sock *sk)
72142
72143 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
72144 {
72145+ struct icmp_filter filter;
72146+
72147 if (optlen > sizeof(struct icmp_filter))
72148 optlen = sizeof(struct icmp_filter);
72149- if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
72150+ if (copy_from_user(&filter, optval, optlen))
72151 return -EFAULT;
72152+ raw_sk(sk)->filter = filter;
72153 return 0;
72154 }
72155
72156 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
72157 {
72158 int len, ret = -EFAULT;
72159+ struct icmp_filter filter;
72160
72161 if (get_user(len, optlen))
72162 goto out;
72163@@ -755,8 +759,9 @@ static int raw_geticmpfilter(struct sock
72164 if (len > sizeof(struct icmp_filter))
72165 len = sizeof(struct icmp_filter);
72166 ret = -EFAULT;
72167- if (put_user(len, optlen) ||
72168- copy_to_user(optval, &raw_sk(sk)->filter, len))
72169+ filter = raw_sk(sk)->filter;
72170+ if (put_user(len, optlen) || len > sizeof filter ||
72171+ copy_to_user(optval, &filter, len))
72172 goto out;
72173 ret = 0;
72174 out: return ret;
72175@@ -984,7 +989,13 @@ static void raw_sock_seq_show(struct seq
72176 sk_wmem_alloc_get(sp),
72177 sk_rmem_alloc_get(sp),
72178 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72179- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
72180+ atomic_read(&sp->sk_refcnt),
72181+#ifdef CONFIG_GRKERNSEC_HIDESYM
72182+ NULL,
72183+#else
72184+ sp,
72185+#endif
72186+ atomic_read_unchecked(&sp->sk_drops));
72187 }
72188
72189 static int raw_seq_show(struct seq_file *seq, void *v)
72190diff -urNp linux-3.0.7/net/ipv4/route.c linux-3.0.7/net/ipv4/route.c
72191--- linux-3.0.7/net/ipv4/route.c 2011-10-16 21:54:54.000000000 -0400
72192+++ linux-3.0.7/net/ipv4/route.c 2011-10-16 21:55:28.000000000 -0400
72193@@ -304,7 +304,7 @@ static inline unsigned int rt_hash(__be3
72194
72195 static inline int rt_genid(struct net *net)
72196 {
72197- return atomic_read(&net->ipv4.rt_genid);
72198+ return atomic_read_unchecked(&net->ipv4.rt_genid);
72199 }
72200
72201 #ifdef CONFIG_PROC_FS
72202@@ -832,7 +832,7 @@ static void rt_cache_invalidate(struct n
72203 unsigned char shuffle;
72204
72205 get_random_bytes(&shuffle, sizeof(shuffle));
72206- atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
72207+ atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
72208 }
72209
72210 /*
72211@@ -2832,7 +2832,7 @@ static int rt_fill_info(struct net *net,
72212 error = rt->dst.error;
72213 if (peer) {
72214 inet_peer_refcheck(rt->peer);
72215- id = atomic_read(&peer->ip_id_count) & 0xffff;
72216+ id = atomic_read_unchecked(&peer->ip_id_count) & 0xffff;
72217 if (peer->tcp_ts_stamp) {
72218 ts = peer->tcp_ts;
72219 tsage = get_seconds() - peer->tcp_ts_stamp;
72220diff -urNp linux-3.0.7/net/ipv4/tcp.c linux-3.0.7/net/ipv4/tcp.c
72221--- linux-3.0.7/net/ipv4/tcp.c 2011-07-21 22:17:23.000000000 -0400
72222+++ linux-3.0.7/net/ipv4/tcp.c 2011-08-23 21:48:14.000000000 -0400
72223@@ -2122,6 +2122,8 @@ static int do_tcp_setsockopt(struct sock
72224 int val;
72225 int err = 0;
72226
72227+ pax_track_stack();
72228+
72229 /* These are data/string values, all the others are ints */
72230 switch (optname) {
72231 case TCP_CONGESTION: {
72232@@ -2501,6 +2503,8 @@ static int do_tcp_getsockopt(struct sock
72233 struct tcp_sock *tp = tcp_sk(sk);
72234 int val, len;
72235
72236+ pax_track_stack();
72237+
72238 if (get_user(len, optlen))
72239 return -EFAULT;
72240
72241diff -urNp linux-3.0.7/net/ipv4/tcp_ipv4.c linux-3.0.7/net/ipv4/tcp_ipv4.c
72242--- linux-3.0.7/net/ipv4/tcp_ipv4.c 2011-09-02 18:11:21.000000000 -0400
72243+++ linux-3.0.7/net/ipv4/tcp_ipv4.c 2011-08-23 21:48:14.000000000 -0400
72244@@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
72245 int sysctl_tcp_low_latency __read_mostly;
72246 EXPORT_SYMBOL(sysctl_tcp_low_latency);
72247
72248+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72249+extern int grsec_enable_blackhole;
72250+#endif
72251
72252 #ifdef CONFIG_TCP_MD5SIG
72253 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
72254@@ -1607,6 +1610,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
72255 return 0;
72256
72257 reset:
72258+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72259+ if (!grsec_enable_blackhole)
72260+#endif
72261 tcp_v4_send_reset(rsk, skb);
72262 discard:
72263 kfree_skb(skb);
72264@@ -1669,12 +1675,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
72265 TCP_SKB_CB(skb)->sacked = 0;
72266
72267 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
72268- if (!sk)
72269+ if (!sk) {
72270+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72271+ ret = 1;
72272+#endif
72273 goto no_tcp_socket;
72274-
72275+ }
72276 process:
72277- if (sk->sk_state == TCP_TIME_WAIT)
72278+ if (sk->sk_state == TCP_TIME_WAIT) {
72279+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72280+ ret = 2;
72281+#endif
72282 goto do_time_wait;
72283+ }
72284
72285 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
72286 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
72287@@ -1724,6 +1737,10 @@ no_tcp_socket:
72288 bad_packet:
72289 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
72290 } else {
72291+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72292+ if (!grsec_enable_blackhole || (ret == 1 &&
72293+ (skb->dev->flags & IFF_LOOPBACK)))
72294+#endif
72295 tcp_v4_send_reset(NULL, skb);
72296 }
72297
72298@@ -2388,7 +2405,11 @@ static void get_openreq4(struct sock *sk
72299 0, /* non standard timer */
72300 0, /* open_requests have no inode */
72301 atomic_read(&sk->sk_refcnt),
72302+#ifdef CONFIG_GRKERNSEC_HIDESYM
72303+ NULL,
72304+#else
72305 req,
72306+#endif
72307 len);
72308 }
72309
72310@@ -2438,7 +2459,12 @@ static void get_tcp4_sock(struct sock *s
72311 sock_i_uid(sk),
72312 icsk->icsk_probes_out,
72313 sock_i_ino(sk),
72314- atomic_read(&sk->sk_refcnt), sk,
72315+ atomic_read(&sk->sk_refcnt),
72316+#ifdef CONFIG_GRKERNSEC_HIDESYM
72317+ NULL,
72318+#else
72319+ sk,
72320+#endif
72321 jiffies_to_clock_t(icsk->icsk_rto),
72322 jiffies_to_clock_t(icsk->icsk_ack.ato),
72323 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
72324@@ -2466,7 +2492,13 @@ static void get_timewait4_sock(struct in
72325 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n",
72326 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
72327 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
72328- atomic_read(&tw->tw_refcnt), tw, len);
72329+ atomic_read(&tw->tw_refcnt),
72330+#ifdef CONFIG_GRKERNSEC_HIDESYM
72331+ NULL,
72332+#else
72333+ tw,
72334+#endif
72335+ len);
72336 }
72337
72338 #define TMPSZ 150
72339diff -urNp linux-3.0.7/net/ipv4/tcp_minisocks.c linux-3.0.7/net/ipv4/tcp_minisocks.c
72340--- linux-3.0.7/net/ipv4/tcp_minisocks.c 2011-07-21 22:17:23.000000000 -0400
72341+++ linux-3.0.7/net/ipv4/tcp_minisocks.c 2011-08-23 21:48:14.000000000 -0400
72342@@ -27,6 +27,10 @@
72343 #include <net/inet_common.h>
72344 #include <net/xfrm.h>
72345
72346+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72347+extern int grsec_enable_blackhole;
72348+#endif
72349+
72350 int sysctl_tcp_syncookies __read_mostly = 1;
72351 EXPORT_SYMBOL(sysctl_tcp_syncookies);
72352
72353@@ -745,6 +749,10 @@ listen_overflow:
72354
72355 embryonic_reset:
72356 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
72357+
72358+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72359+ if (!grsec_enable_blackhole)
72360+#endif
72361 if (!(flg & TCP_FLAG_RST))
72362 req->rsk_ops->send_reset(sk, skb);
72363
72364diff -urNp linux-3.0.7/net/ipv4/tcp_output.c linux-3.0.7/net/ipv4/tcp_output.c
72365--- linux-3.0.7/net/ipv4/tcp_output.c 2011-07-21 22:17:23.000000000 -0400
72366+++ linux-3.0.7/net/ipv4/tcp_output.c 2011-08-23 21:48:14.000000000 -0400
72367@@ -2421,6 +2421,8 @@ struct sk_buff *tcp_make_synack(struct s
72368 int mss;
72369 int s_data_desired = 0;
72370
72371+ pax_track_stack();
72372+
72373 if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
72374 s_data_desired = cvp->s_data_desired;
72375 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
72376diff -urNp linux-3.0.7/net/ipv4/tcp_probe.c linux-3.0.7/net/ipv4/tcp_probe.c
72377--- linux-3.0.7/net/ipv4/tcp_probe.c 2011-07-21 22:17:23.000000000 -0400
72378+++ linux-3.0.7/net/ipv4/tcp_probe.c 2011-08-23 21:47:56.000000000 -0400
72379@@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
72380 if (cnt + width >= len)
72381 break;
72382
72383- if (copy_to_user(buf + cnt, tbuf, width))
72384+ if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
72385 return -EFAULT;
72386 cnt += width;
72387 }
72388diff -urNp linux-3.0.7/net/ipv4/tcp_timer.c linux-3.0.7/net/ipv4/tcp_timer.c
72389--- linux-3.0.7/net/ipv4/tcp_timer.c 2011-07-21 22:17:23.000000000 -0400
72390+++ linux-3.0.7/net/ipv4/tcp_timer.c 2011-08-23 21:48:14.000000000 -0400
72391@@ -22,6 +22,10 @@
72392 #include <linux/gfp.h>
72393 #include <net/tcp.h>
72394
72395+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72396+extern int grsec_lastack_retries;
72397+#endif
72398+
72399 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
72400 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
72401 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
72402@@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
72403 }
72404 }
72405
72406+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72407+ if ((sk->sk_state == TCP_LAST_ACK) &&
72408+ (grsec_lastack_retries > 0) &&
72409+ (grsec_lastack_retries < retry_until))
72410+ retry_until = grsec_lastack_retries;
72411+#endif
72412+
72413 if (retransmits_timed_out(sk, retry_until,
72414 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
72415 /* Has it gone just too far? */
72416diff -urNp linux-3.0.7/net/ipv4/udp.c linux-3.0.7/net/ipv4/udp.c
72417--- linux-3.0.7/net/ipv4/udp.c 2011-07-21 22:17:23.000000000 -0400
72418+++ linux-3.0.7/net/ipv4/udp.c 2011-08-23 21:48:14.000000000 -0400
72419@@ -86,6 +86,7 @@
72420 #include <linux/types.h>
72421 #include <linux/fcntl.h>
72422 #include <linux/module.h>
72423+#include <linux/security.h>
72424 #include <linux/socket.h>
72425 #include <linux/sockios.h>
72426 #include <linux/igmp.h>
72427@@ -107,6 +108,10 @@
72428 #include <net/xfrm.h>
72429 #include "udp_impl.h"
72430
72431+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72432+extern int grsec_enable_blackhole;
72433+#endif
72434+
72435 struct udp_table udp_table __read_mostly;
72436 EXPORT_SYMBOL(udp_table);
72437
72438@@ -564,6 +569,9 @@ found:
72439 return s;
72440 }
72441
72442+extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
72443+extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
72444+
72445 /*
72446 * This routine is called by the ICMP module when it gets some
72447 * sort of error condition. If err < 0 then the socket should
72448@@ -855,9 +863,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
72449 dport = usin->sin_port;
72450 if (dport == 0)
72451 return -EINVAL;
72452+
72453+ err = gr_search_udp_sendmsg(sk, usin);
72454+ if (err)
72455+ return err;
72456 } else {
72457 if (sk->sk_state != TCP_ESTABLISHED)
72458 return -EDESTADDRREQ;
72459+
72460+ err = gr_search_udp_sendmsg(sk, NULL);
72461+ if (err)
72462+ return err;
72463+
72464 daddr = inet->inet_daddr;
72465 dport = inet->inet_dport;
72466 /* Open fast path for connected socket.
72467@@ -1098,7 +1115,7 @@ static unsigned int first_packet_length(
72468 udp_lib_checksum_complete(skb)) {
72469 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
72470 IS_UDPLITE(sk));
72471- atomic_inc(&sk->sk_drops);
72472+ atomic_inc_unchecked(&sk->sk_drops);
72473 __skb_unlink(skb, rcvq);
72474 __skb_queue_tail(&list_kill, skb);
72475 }
72476@@ -1184,6 +1201,10 @@ try_again:
72477 if (!skb)
72478 goto out;
72479
72480+ err = gr_search_udp_recvmsg(sk, skb);
72481+ if (err)
72482+ goto out_free;
72483+
72484 ulen = skb->len - sizeof(struct udphdr);
72485 if (len > ulen)
72486 len = ulen;
72487@@ -1483,7 +1504,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
72488
72489 drop:
72490 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
72491- atomic_inc(&sk->sk_drops);
72492+ atomic_inc_unchecked(&sk->sk_drops);
72493 kfree_skb(skb);
72494 return -1;
72495 }
72496@@ -1502,7 +1523,7 @@ static void flush_stack(struct sock **st
72497 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
72498
72499 if (!skb1) {
72500- atomic_inc(&sk->sk_drops);
72501+ atomic_inc_unchecked(&sk->sk_drops);
72502 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
72503 IS_UDPLITE(sk));
72504 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
72505@@ -1671,6 +1692,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
72506 goto csum_error;
72507
72508 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
72509+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72510+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
72511+#endif
72512 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
72513
72514 /*
72515@@ -2098,8 +2122,13 @@ static void udp4_format_sock(struct sock
72516 sk_wmem_alloc_get(sp),
72517 sk_rmem_alloc_get(sp),
72518 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72519- atomic_read(&sp->sk_refcnt), sp,
72520- atomic_read(&sp->sk_drops), len);
72521+ atomic_read(&sp->sk_refcnt),
72522+#ifdef CONFIG_GRKERNSEC_HIDESYM
72523+ NULL,
72524+#else
72525+ sp,
72526+#endif
72527+ atomic_read_unchecked(&sp->sk_drops), len);
72528 }
72529
72530 int udp4_seq_show(struct seq_file *seq, void *v)
72531diff -urNp linux-3.0.7/net/ipv6/addrconf.c linux-3.0.7/net/ipv6/addrconf.c
72532--- linux-3.0.7/net/ipv6/addrconf.c 2011-07-21 22:17:23.000000000 -0400
72533+++ linux-3.0.7/net/ipv6/addrconf.c 2011-10-06 04:17:55.000000000 -0400
72534@@ -2072,7 +2072,7 @@ int addrconf_set_dstaddr(struct net *net
72535 p.iph.ihl = 5;
72536 p.iph.protocol = IPPROTO_IPV6;
72537 p.iph.ttl = 64;
72538- ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
72539+ ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
72540
72541 if (ops->ndo_do_ioctl) {
72542 mm_segment_t oldfs = get_fs();
72543diff -urNp linux-3.0.7/net/ipv6/inet6_connection_sock.c linux-3.0.7/net/ipv6/inet6_connection_sock.c
72544--- linux-3.0.7/net/ipv6/inet6_connection_sock.c 2011-07-21 22:17:23.000000000 -0400
72545+++ linux-3.0.7/net/ipv6/inet6_connection_sock.c 2011-08-23 21:47:56.000000000 -0400
72546@@ -178,7 +178,7 @@ void __inet6_csk_dst_store(struct sock *
72547 #ifdef CONFIG_XFRM
72548 {
72549 struct rt6_info *rt = (struct rt6_info *)dst;
72550- rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
72551+ rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
72552 }
72553 #endif
72554 }
72555@@ -193,7 +193,7 @@ struct dst_entry *__inet6_csk_dst_check(
72556 #ifdef CONFIG_XFRM
72557 if (dst) {
72558 struct rt6_info *rt = (struct rt6_info *)dst;
72559- if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
72560+ if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
72561 __sk_dst_reset(sk);
72562 dst = NULL;
72563 }
72564diff -urNp linux-3.0.7/net/ipv6/ipv6_sockglue.c linux-3.0.7/net/ipv6/ipv6_sockglue.c
72565--- linux-3.0.7/net/ipv6/ipv6_sockglue.c 2011-10-16 21:54:54.000000000 -0400
72566+++ linux-3.0.7/net/ipv6/ipv6_sockglue.c 2011-10-16 21:55:28.000000000 -0400
72567@@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
72568 int val, valbool;
72569 int retv = -ENOPROTOOPT;
72570
72571+ pax_track_stack();
72572+
72573 if (optval == NULL)
72574 val=0;
72575 else {
72576@@ -919,6 +921,8 @@ static int do_ipv6_getsockopt(struct soc
72577 int len;
72578 int val;
72579
72580+ pax_track_stack();
72581+
72582 if (ip6_mroute_opt(optname))
72583 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
72584
72585@@ -960,7 +964,7 @@ static int do_ipv6_getsockopt(struct soc
72586 if (sk->sk_type != SOCK_STREAM)
72587 return -ENOPROTOOPT;
72588
72589- msg.msg_control = optval;
72590+ msg.msg_control = (void __force_kernel *)optval;
72591 msg.msg_controllen = len;
72592 msg.msg_flags = flags;
72593
72594diff -urNp linux-3.0.7/net/ipv6/raw.c linux-3.0.7/net/ipv6/raw.c
72595--- linux-3.0.7/net/ipv6/raw.c 2011-07-21 22:17:23.000000000 -0400
72596+++ linux-3.0.7/net/ipv6/raw.c 2011-08-23 21:48:14.000000000 -0400
72597@@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
72598 {
72599 if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
72600 skb_checksum_complete(skb)) {
72601- atomic_inc(&sk->sk_drops);
72602+ atomic_inc_unchecked(&sk->sk_drops);
72603 kfree_skb(skb);
72604 return NET_RX_DROP;
72605 }
72606@@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
72607 struct raw6_sock *rp = raw6_sk(sk);
72608
72609 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
72610- atomic_inc(&sk->sk_drops);
72611+ atomic_inc_unchecked(&sk->sk_drops);
72612 kfree_skb(skb);
72613 return NET_RX_DROP;
72614 }
72615@@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
72616
72617 if (inet->hdrincl) {
72618 if (skb_checksum_complete(skb)) {
72619- atomic_inc(&sk->sk_drops);
72620+ atomic_inc_unchecked(&sk->sk_drops);
72621 kfree_skb(skb);
72622 return NET_RX_DROP;
72623 }
72624@@ -601,7 +601,7 @@ out:
72625 return err;
72626 }
72627
72628-static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
72629+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
72630 struct flowi6 *fl6, struct dst_entry **dstp,
72631 unsigned int flags)
72632 {
72633@@ -742,6 +742,8 @@ static int rawv6_sendmsg(struct kiocb *i
72634 u16 proto;
72635 int err;
72636
72637+ pax_track_stack();
72638+
72639 /* Rough check on arithmetic overflow,
72640 better check is made in ip6_append_data().
72641 */
72642@@ -909,12 +911,15 @@ do_confirm:
72643 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
72644 char __user *optval, int optlen)
72645 {
72646+ struct icmp6_filter filter;
72647+
72648 switch (optname) {
72649 case ICMPV6_FILTER:
72650 if (optlen > sizeof(struct icmp6_filter))
72651 optlen = sizeof(struct icmp6_filter);
72652- if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
72653+ if (copy_from_user(&filter, optval, optlen))
72654 return -EFAULT;
72655+ raw6_sk(sk)->filter = filter;
72656 return 0;
72657 default:
72658 return -ENOPROTOOPT;
72659@@ -927,6 +932,7 @@ static int rawv6_geticmpfilter(struct so
72660 char __user *optval, int __user *optlen)
72661 {
72662 int len;
72663+ struct icmp6_filter filter;
72664
72665 switch (optname) {
72666 case ICMPV6_FILTER:
72667@@ -938,7 +944,8 @@ static int rawv6_geticmpfilter(struct so
72668 len = sizeof(struct icmp6_filter);
72669 if (put_user(len, optlen))
72670 return -EFAULT;
72671- if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
72672+ filter = raw6_sk(sk)->filter;
72673+ if (len > sizeof filter || copy_to_user(optval, &filter, len))
72674 return -EFAULT;
72675 return 0;
72676 default:
72677@@ -1252,7 +1259,13 @@ static void raw6_sock_seq_show(struct se
72678 0, 0L, 0,
72679 sock_i_uid(sp), 0,
72680 sock_i_ino(sp),
72681- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
72682+ atomic_read(&sp->sk_refcnt),
72683+#ifdef CONFIG_GRKERNSEC_HIDESYM
72684+ NULL,
72685+#else
72686+ sp,
72687+#endif
72688+ atomic_read_unchecked(&sp->sk_drops));
72689 }
72690
72691 static int raw6_seq_show(struct seq_file *seq, void *v)
72692diff -urNp linux-3.0.7/net/ipv6/tcp_ipv6.c linux-3.0.7/net/ipv6/tcp_ipv6.c
72693--- linux-3.0.7/net/ipv6/tcp_ipv6.c 2011-09-02 18:11:21.000000000 -0400
72694+++ linux-3.0.7/net/ipv6/tcp_ipv6.c 2011-08-23 21:48:14.000000000 -0400
72695@@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
72696 }
72697 #endif
72698
72699+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72700+extern int grsec_enable_blackhole;
72701+#endif
72702+
72703 static void tcp_v6_hash(struct sock *sk)
72704 {
72705 if (sk->sk_state != TCP_CLOSE) {
72706@@ -1662,6 +1666,9 @@ static int tcp_v6_do_rcv(struct sock *sk
72707 return 0;
72708
72709 reset:
72710+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72711+ if (!grsec_enable_blackhole)
72712+#endif
72713 tcp_v6_send_reset(sk, skb);
72714 discard:
72715 if (opt_skb)
72716@@ -1741,12 +1748,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
72717 TCP_SKB_CB(skb)->sacked = 0;
72718
72719 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
72720- if (!sk)
72721+ if (!sk) {
72722+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72723+ ret = 1;
72724+#endif
72725 goto no_tcp_socket;
72726+ }
72727
72728 process:
72729- if (sk->sk_state == TCP_TIME_WAIT)
72730+ if (sk->sk_state == TCP_TIME_WAIT) {
72731+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72732+ ret = 2;
72733+#endif
72734 goto do_time_wait;
72735+ }
72736
72737 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
72738 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
72739@@ -1794,6 +1809,10 @@ no_tcp_socket:
72740 bad_packet:
72741 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
72742 } else {
72743+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72744+ if (!grsec_enable_blackhole || (ret == 1 &&
72745+ (skb->dev->flags & IFF_LOOPBACK)))
72746+#endif
72747 tcp_v6_send_reset(NULL, skb);
72748 }
72749
72750@@ -2054,7 +2073,13 @@ static void get_openreq6(struct seq_file
72751 uid,
72752 0, /* non standard timer */
72753 0, /* open_requests have no inode */
72754- 0, req);
72755+ 0,
72756+#ifdef CONFIG_GRKERNSEC_HIDESYM
72757+ NULL
72758+#else
72759+ req
72760+#endif
72761+ );
72762 }
72763
72764 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
72765@@ -2104,7 +2129,12 @@ static void get_tcp6_sock(struct seq_fil
72766 sock_i_uid(sp),
72767 icsk->icsk_probes_out,
72768 sock_i_ino(sp),
72769- atomic_read(&sp->sk_refcnt), sp,
72770+ atomic_read(&sp->sk_refcnt),
72771+#ifdef CONFIG_GRKERNSEC_HIDESYM
72772+ NULL,
72773+#else
72774+ sp,
72775+#endif
72776 jiffies_to_clock_t(icsk->icsk_rto),
72777 jiffies_to_clock_t(icsk->icsk_ack.ato),
72778 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
72779@@ -2139,7 +2169,13 @@ static void get_timewait6_sock(struct se
72780 dest->s6_addr32[2], dest->s6_addr32[3], destp,
72781 tw->tw_substate, 0, 0,
72782 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
72783- atomic_read(&tw->tw_refcnt), tw);
72784+ atomic_read(&tw->tw_refcnt),
72785+#ifdef CONFIG_GRKERNSEC_HIDESYM
72786+ NULL
72787+#else
72788+ tw
72789+#endif
72790+ );
72791 }
72792
72793 static int tcp6_seq_show(struct seq_file *seq, void *v)
72794diff -urNp linux-3.0.7/net/ipv6/udp.c linux-3.0.7/net/ipv6/udp.c
72795--- linux-3.0.7/net/ipv6/udp.c 2011-10-17 23:17:09.000000000 -0400
72796+++ linux-3.0.7/net/ipv6/udp.c 2011-10-17 23:17:19.000000000 -0400
72797@@ -50,6 +50,10 @@
72798 #include <linux/seq_file.h>
72799 #include "udp_impl.h"
72800
72801+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72802+extern int grsec_enable_blackhole;
72803+#endif
72804+
72805 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
72806 {
72807 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
72808@@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
72809
72810 return 0;
72811 drop:
72812- atomic_inc(&sk->sk_drops);
72813+ atomic_inc_unchecked(&sk->sk_drops);
72814 drop_no_sk_drops_inc:
72815 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
72816 kfree_skb(skb);
72817@@ -624,7 +628,7 @@ static void flush_stack(struct sock **st
72818 continue;
72819 }
72820 drop:
72821- atomic_inc(&sk->sk_drops);
72822+ atomic_inc_unchecked(&sk->sk_drops);
72823 UDP6_INC_STATS_BH(sock_net(sk),
72824 UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
72825 UDP6_INC_STATS_BH(sock_net(sk),
72826@@ -779,6 +783,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
72827 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
72828 proto == IPPROTO_UDPLITE);
72829
72830+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72831+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
72832+#endif
72833 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
72834
72835 kfree_skb(skb);
72836@@ -795,7 +802,7 @@ int __udp6_lib_rcv(struct sk_buff *skb,
72837 if (!sock_owned_by_user(sk))
72838 udpv6_queue_rcv_skb(sk, skb);
72839 else if (sk_add_backlog(sk, skb)) {
72840- atomic_inc(&sk->sk_drops);
72841+ atomic_inc_unchecked(&sk->sk_drops);
72842 bh_unlock_sock(sk);
72843 sock_put(sk);
72844 goto discard;
72845@@ -1408,8 +1415,13 @@ static void udp6_sock_seq_show(struct se
72846 0, 0L, 0,
72847 sock_i_uid(sp), 0,
72848 sock_i_ino(sp),
72849- atomic_read(&sp->sk_refcnt), sp,
72850- atomic_read(&sp->sk_drops));
72851+ atomic_read(&sp->sk_refcnt),
72852+#ifdef CONFIG_GRKERNSEC_HIDESYM
72853+ NULL,
72854+#else
72855+ sp,
72856+#endif
72857+ atomic_read_unchecked(&sp->sk_drops));
72858 }
72859
72860 int udp6_seq_show(struct seq_file *seq, void *v)
72861diff -urNp linux-3.0.7/net/irda/ircomm/ircomm_tty.c linux-3.0.7/net/irda/ircomm/ircomm_tty.c
72862--- linux-3.0.7/net/irda/ircomm/ircomm_tty.c 2011-07-21 22:17:23.000000000 -0400
72863+++ linux-3.0.7/net/irda/ircomm/ircomm_tty.c 2011-08-23 21:47:56.000000000 -0400
72864@@ -282,16 +282,16 @@ static int ircomm_tty_block_til_ready(st
72865 add_wait_queue(&self->open_wait, &wait);
72866
72867 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
72868- __FILE__,__LINE__, tty->driver->name, self->open_count );
72869+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
72870
72871 /* As far as I can see, we protect open_count - Jean II */
72872 spin_lock_irqsave(&self->spinlock, flags);
72873 if (!tty_hung_up_p(filp)) {
72874 extra_count = 1;
72875- self->open_count--;
72876+ local_dec(&self->open_count);
72877 }
72878 spin_unlock_irqrestore(&self->spinlock, flags);
72879- self->blocked_open++;
72880+ local_inc(&self->blocked_open);
72881
72882 while (1) {
72883 if (tty->termios->c_cflag & CBAUD) {
72884@@ -331,7 +331,7 @@ static int ircomm_tty_block_til_ready(st
72885 }
72886
72887 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
72888- __FILE__,__LINE__, tty->driver->name, self->open_count );
72889+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
72890
72891 schedule();
72892 }
72893@@ -342,13 +342,13 @@ static int ircomm_tty_block_til_ready(st
72894 if (extra_count) {
72895 /* ++ is not atomic, so this should be protected - Jean II */
72896 spin_lock_irqsave(&self->spinlock, flags);
72897- self->open_count++;
72898+ local_inc(&self->open_count);
72899 spin_unlock_irqrestore(&self->spinlock, flags);
72900 }
72901- self->blocked_open--;
72902+ local_dec(&self->blocked_open);
72903
72904 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
72905- __FILE__,__LINE__, tty->driver->name, self->open_count);
72906+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
72907
72908 if (!retval)
72909 self->flags |= ASYNC_NORMAL_ACTIVE;
72910@@ -417,14 +417,14 @@ static int ircomm_tty_open(struct tty_st
72911 }
72912 /* ++ is not atomic, so this should be protected - Jean II */
72913 spin_lock_irqsave(&self->spinlock, flags);
72914- self->open_count++;
72915+ local_inc(&self->open_count);
72916
72917 tty->driver_data = self;
72918 self->tty = tty;
72919 spin_unlock_irqrestore(&self->spinlock, flags);
72920
72921 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
72922- self->line, self->open_count);
72923+ self->line, local_read(&self->open_count));
72924
72925 /* Not really used by us, but lets do it anyway */
72926 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
72927@@ -510,7 +510,7 @@ static void ircomm_tty_close(struct tty_
72928 return;
72929 }
72930
72931- if ((tty->count == 1) && (self->open_count != 1)) {
72932+ if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
72933 /*
72934 * Uh, oh. tty->count is 1, which means that the tty
72935 * structure will be freed. state->count should always
72936@@ -520,16 +520,16 @@ static void ircomm_tty_close(struct tty_
72937 */
72938 IRDA_DEBUG(0, "%s(), bad serial port count; "
72939 "tty->count is 1, state->count is %d\n", __func__ ,
72940- self->open_count);
72941- self->open_count = 1;
72942+ local_read(&self->open_count));
72943+ local_set(&self->open_count, 1);
72944 }
72945
72946- if (--self->open_count < 0) {
72947+ if (local_dec_return(&self->open_count) < 0) {
72948 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
72949- __func__, self->line, self->open_count);
72950- self->open_count = 0;
72951+ __func__, self->line, local_read(&self->open_count));
72952+ local_set(&self->open_count, 0);
72953 }
72954- if (self->open_count) {
72955+ if (local_read(&self->open_count)) {
72956 spin_unlock_irqrestore(&self->spinlock, flags);
72957
72958 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
72959@@ -561,7 +561,7 @@ static void ircomm_tty_close(struct tty_
72960 tty->closing = 0;
72961 self->tty = NULL;
72962
72963- if (self->blocked_open) {
72964+ if (local_read(&self->blocked_open)) {
72965 if (self->close_delay)
72966 schedule_timeout_interruptible(self->close_delay);
72967 wake_up_interruptible(&self->open_wait);
72968@@ -1013,7 +1013,7 @@ static void ircomm_tty_hangup(struct tty
72969 spin_lock_irqsave(&self->spinlock, flags);
72970 self->flags &= ~ASYNC_NORMAL_ACTIVE;
72971 self->tty = NULL;
72972- self->open_count = 0;
72973+ local_set(&self->open_count, 0);
72974 spin_unlock_irqrestore(&self->spinlock, flags);
72975
72976 wake_up_interruptible(&self->open_wait);
72977@@ -1360,7 +1360,7 @@ static void ircomm_tty_line_info(struct
72978 seq_putc(m, '\n');
72979
72980 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
72981- seq_printf(m, "Open count: %d\n", self->open_count);
72982+ seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
72983 seq_printf(m, "Max data size: %d\n", self->max_data_size);
72984 seq_printf(m, "Max header size: %d\n", self->max_header_size);
72985
72986diff -urNp linux-3.0.7/net/iucv/af_iucv.c linux-3.0.7/net/iucv/af_iucv.c
72987--- linux-3.0.7/net/iucv/af_iucv.c 2011-07-21 22:17:23.000000000 -0400
72988+++ linux-3.0.7/net/iucv/af_iucv.c 2011-08-23 21:47:56.000000000 -0400
72989@@ -648,10 +648,10 @@ static int iucv_sock_autobind(struct soc
72990
72991 write_lock_bh(&iucv_sk_list.lock);
72992
72993- sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
72994+ sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
72995 while (__iucv_get_sock_by_name(name)) {
72996 sprintf(name, "%08x",
72997- atomic_inc_return(&iucv_sk_list.autobind_name));
72998+ atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
72999 }
73000
73001 write_unlock_bh(&iucv_sk_list.lock);
73002diff -urNp linux-3.0.7/net/key/af_key.c linux-3.0.7/net/key/af_key.c
73003--- linux-3.0.7/net/key/af_key.c 2011-07-21 22:17:23.000000000 -0400
73004+++ linux-3.0.7/net/key/af_key.c 2011-08-23 21:48:14.000000000 -0400
73005@@ -2481,6 +2481,8 @@ static int pfkey_migrate(struct sock *sk
73006 struct xfrm_migrate m[XFRM_MAX_DEPTH];
73007 struct xfrm_kmaddress k;
73008
73009+ pax_track_stack();
73010+
73011 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
73012 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
73013 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
73014@@ -3016,10 +3018,10 @@ static int pfkey_send_policy_notify(stru
73015 static u32 get_acqseq(void)
73016 {
73017 u32 res;
73018- static atomic_t acqseq;
73019+ static atomic_unchecked_t acqseq;
73020
73021 do {
73022- res = atomic_inc_return(&acqseq);
73023+ res = atomic_inc_return_unchecked(&acqseq);
73024 } while (!res);
73025 return res;
73026 }
73027diff -urNp linux-3.0.7/net/lapb/lapb_iface.c linux-3.0.7/net/lapb/lapb_iface.c
73028--- linux-3.0.7/net/lapb/lapb_iface.c 2011-07-21 22:17:23.000000000 -0400
73029+++ linux-3.0.7/net/lapb/lapb_iface.c 2011-08-23 21:47:56.000000000 -0400
73030@@ -158,7 +158,7 @@ int lapb_register(struct net_device *dev
73031 goto out;
73032
73033 lapb->dev = dev;
73034- lapb->callbacks = *callbacks;
73035+ lapb->callbacks = callbacks;
73036
73037 __lapb_insert_cb(lapb);
73038
73039@@ -380,32 +380,32 @@ int lapb_data_received(struct net_device
73040
73041 void lapb_connect_confirmation(struct lapb_cb *lapb, int reason)
73042 {
73043- if (lapb->callbacks.connect_confirmation)
73044- lapb->callbacks.connect_confirmation(lapb->dev, reason);
73045+ if (lapb->callbacks->connect_confirmation)
73046+ lapb->callbacks->connect_confirmation(lapb->dev, reason);
73047 }
73048
73049 void lapb_connect_indication(struct lapb_cb *lapb, int reason)
73050 {
73051- if (lapb->callbacks.connect_indication)
73052- lapb->callbacks.connect_indication(lapb->dev, reason);
73053+ if (lapb->callbacks->connect_indication)
73054+ lapb->callbacks->connect_indication(lapb->dev, reason);
73055 }
73056
73057 void lapb_disconnect_confirmation(struct lapb_cb *lapb, int reason)
73058 {
73059- if (lapb->callbacks.disconnect_confirmation)
73060- lapb->callbacks.disconnect_confirmation(lapb->dev, reason);
73061+ if (lapb->callbacks->disconnect_confirmation)
73062+ lapb->callbacks->disconnect_confirmation(lapb->dev, reason);
73063 }
73064
73065 void lapb_disconnect_indication(struct lapb_cb *lapb, int reason)
73066 {
73067- if (lapb->callbacks.disconnect_indication)
73068- lapb->callbacks.disconnect_indication(lapb->dev, reason);
73069+ if (lapb->callbacks->disconnect_indication)
73070+ lapb->callbacks->disconnect_indication(lapb->dev, reason);
73071 }
73072
73073 int lapb_data_indication(struct lapb_cb *lapb, struct sk_buff *skb)
73074 {
73075- if (lapb->callbacks.data_indication)
73076- return lapb->callbacks.data_indication(lapb->dev, skb);
73077+ if (lapb->callbacks->data_indication)
73078+ return lapb->callbacks->data_indication(lapb->dev, skb);
73079
73080 kfree_skb(skb);
73081 return NET_RX_SUCCESS; /* For now; must be != NET_RX_DROP */
73082@@ -415,8 +415,8 @@ int lapb_data_transmit(struct lapb_cb *l
73083 {
73084 int used = 0;
73085
73086- if (lapb->callbacks.data_transmit) {
73087- lapb->callbacks.data_transmit(lapb->dev, skb);
73088+ if (lapb->callbacks->data_transmit) {
73089+ lapb->callbacks->data_transmit(lapb->dev, skb);
73090 used = 1;
73091 }
73092
73093diff -urNp linux-3.0.7/net/mac80211/debugfs_sta.c linux-3.0.7/net/mac80211/debugfs_sta.c
73094--- linux-3.0.7/net/mac80211/debugfs_sta.c 2011-07-21 22:17:23.000000000 -0400
73095+++ linux-3.0.7/net/mac80211/debugfs_sta.c 2011-08-23 21:48:14.000000000 -0400
73096@@ -140,6 +140,8 @@ static ssize_t sta_agg_status_read(struc
73097 struct tid_ampdu_rx *tid_rx;
73098 struct tid_ampdu_tx *tid_tx;
73099
73100+ pax_track_stack();
73101+
73102 rcu_read_lock();
73103
73104 p += scnprintf(p, sizeof(buf) + buf - p, "next dialog_token: %#02x\n",
73105@@ -240,6 +242,8 @@ static ssize_t sta_ht_capa_read(struct f
73106 struct sta_info *sta = file->private_data;
73107 struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
73108
73109+ pax_track_stack();
73110+
73111 p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
73112 htc->ht_supported ? "" : "not ");
73113 if (htc->ht_supported) {
73114diff -urNp linux-3.0.7/net/mac80211/ieee80211_i.h linux-3.0.7/net/mac80211/ieee80211_i.h
73115--- linux-3.0.7/net/mac80211/ieee80211_i.h 2011-07-21 22:17:23.000000000 -0400
73116+++ linux-3.0.7/net/mac80211/ieee80211_i.h 2011-08-23 21:47:56.000000000 -0400
73117@@ -27,6 +27,7 @@
73118 #include <net/ieee80211_radiotap.h>
73119 #include <net/cfg80211.h>
73120 #include <net/mac80211.h>
73121+#include <asm/local.h>
73122 #include "key.h"
73123 #include "sta_info.h"
73124
73125@@ -721,7 +722,7 @@ struct ieee80211_local {
73126 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
73127 spinlock_t queue_stop_reason_lock;
73128
73129- int open_count;
73130+ local_t open_count;
73131 int monitors, cooked_mntrs;
73132 /* number of interfaces with corresponding FIF_ flags */
73133 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
73134diff -urNp linux-3.0.7/net/mac80211/iface.c linux-3.0.7/net/mac80211/iface.c
73135--- linux-3.0.7/net/mac80211/iface.c 2011-09-02 18:11:21.000000000 -0400
73136+++ linux-3.0.7/net/mac80211/iface.c 2011-08-23 21:47:56.000000000 -0400
73137@@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
73138 break;
73139 }
73140
73141- if (local->open_count == 0) {
73142+ if (local_read(&local->open_count) == 0) {
73143 res = drv_start(local);
73144 if (res)
73145 goto err_del_bss;
73146@@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
73147 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
73148
73149 if (!is_valid_ether_addr(dev->dev_addr)) {
73150- if (!local->open_count)
73151+ if (!local_read(&local->open_count))
73152 drv_stop(local);
73153 return -EADDRNOTAVAIL;
73154 }
73155@@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
73156 mutex_unlock(&local->mtx);
73157
73158 if (coming_up)
73159- local->open_count++;
73160+ local_inc(&local->open_count);
73161
73162 if (hw_reconf_flags) {
73163 ieee80211_hw_config(local, hw_reconf_flags);
73164@@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
73165 err_del_interface:
73166 drv_remove_interface(local, &sdata->vif);
73167 err_stop:
73168- if (!local->open_count)
73169+ if (!local_read(&local->open_count))
73170 drv_stop(local);
73171 err_del_bss:
73172 sdata->bss = NULL;
73173@@ -475,7 +475,7 @@ static void ieee80211_do_stop(struct iee
73174 }
73175
73176 if (going_down)
73177- local->open_count--;
73178+ local_dec(&local->open_count);
73179
73180 switch (sdata->vif.type) {
73181 case NL80211_IFTYPE_AP_VLAN:
73182@@ -534,7 +534,7 @@ static void ieee80211_do_stop(struct iee
73183
73184 ieee80211_recalc_ps(local, -1);
73185
73186- if (local->open_count == 0) {
73187+ if (local_read(&local->open_count) == 0) {
73188 if (local->ops->napi_poll)
73189 napi_disable(&local->napi);
73190 ieee80211_clear_tx_pending(local);
73191diff -urNp linux-3.0.7/net/mac80211/main.c linux-3.0.7/net/mac80211/main.c
73192--- linux-3.0.7/net/mac80211/main.c 2011-07-21 22:17:23.000000000 -0400
73193+++ linux-3.0.7/net/mac80211/main.c 2011-08-23 21:47:56.000000000 -0400
73194@@ -209,7 +209,7 @@ int ieee80211_hw_config(struct ieee80211
73195 local->hw.conf.power_level = power;
73196 }
73197
73198- if (changed && local->open_count) {
73199+ if (changed && local_read(&local->open_count)) {
73200 ret = drv_config(local, changed);
73201 /*
73202 * Goal:
73203diff -urNp linux-3.0.7/net/mac80211/mlme.c linux-3.0.7/net/mac80211/mlme.c
73204--- linux-3.0.7/net/mac80211/mlme.c 2011-09-02 18:11:21.000000000 -0400
73205+++ linux-3.0.7/net/mac80211/mlme.c 2011-08-23 21:48:14.000000000 -0400
73206@@ -1444,6 +1444,8 @@ static bool ieee80211_assoc_success(stru
73207 bool have_higher_than_11mbit = false;
73208 u16 ap_ht_cap_flags;
73209
73210+ pax_track_stack();
73211+
73212 /* AssocResp and ReassocResp have identical structure */
73213
73214 aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
73215diff -urNp linux-3.0.7/net/mac80211/pm.c linux-3.0.7/net/mac80211/pm.c
73216--- linux-3.0.7/net/mac80211/pm.c 2011-07-21 22:17:23.000000000 -0400
73217+++ linux-3.0.7/net/mac80211/pm.c 2011-08-23 21:47:56.000000000 -0400
73218@@ -47,7 +47,7 @@ int __ieee80211_suspend(struct ieee80211
73219 cancel_work_sync(&local->dynamic_ps_enable_work);
73220 del_timer_sync(&local->dynamic_ps_timer);
73221
73222- local->wowlan = wowlan && local->open_count;
73223+ local->wowlan = wowlan && local_read(&local->open_count);
73224 if (local->wowlan) {
73225 int err = drv_suspend(local, wowlan);
73226 if (err) {
73227@@ -111,7 +111,7 @@ int __ieee80211_suspend(struct ieee80211
73228 }
73229
73230 /* stop hardware - this must stop RX */
73231- if (local->open_count)
73232+ if (local_read(&local->open_count))
73233 ieee80211_stop_device(local);
73234
73235 suspend:
73236diff -urNp linux-3.0.7/net/mac80211/rate.c linux-3.0.7/net/mac80211/rate.c
73237--- linux-3.0.7/net/mac80211/rate.c 2011-07-21 22:17:23.000000000 -0400
73238+++ linux-3.0.7/net/mac80211/rate.c 2011-08-23 21:47:56.000000000 -0400
73239@@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
73240
73241 ASSERT_RTNL();
73242
73243- if (local->open_count)
73244+ if (local_read(&local->open_count))
73245 return -EBUSY;
73246
73247 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
73248diff -urNp linux-3.0.7/net/mac80211/rc80211_pid_debugfs.c linux-3.0.7/net/mac80211/rc80211_pid_debugfs.c
73249--- linux-3.0.7/net/mac80211/rc80211_pid_debugfs.c 2011-07-21 22:17:23.000000000 -0400
73250+++ linux-3.0.7/net/mac80211/rc80211_pid_debugfs.c 2011-08-23 21:47:56.000000000 -0400
73251@@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
73252
73253 spin_unlock_irqrestore(&events->lock, status);
73254
73255- if (copy_to_user(buf, pb, p))
73256+ if (p > sizeof(pb) || copy_to_user(buf, pb, p))
73257 return -EFAULT;
73258
73259 return p;
73260diff -urNp linux-3.0.7/net/mac80211/util.c linux-3.0.7/net/mac80211/util.c
73261--- linux-3.0.7/net/mac80211/util.c 2011-07-21 22:17:23.000000000 -0400
73262+++ linux-3.0.7/net/mac80211/util.c 2011-08-23 21:47:56.000000000 -0400
73263@@ -1147,7 +1147,7 @@ int ieee80211_reconfig(struct ieee80211_
73264 #endif
73265
73266 /* restart hardware */
73267- if (local->open_count) {
73268+ if (local_read(&local->open_count)) {
73269 /*
73270 * Upon resume hardware can sometimes be goofy due to
73271 * various platform / driver / bus issues, so restarting
73272diff -urNp linux-3.0.7/net/netfilter/Kconfig linux-3.0.7/net/netfilter/Kconfig
73273--- linux-3.0.7/net/netfilter/Kconfig 2011-07-21 22:17:23.000000000 -0400
73274+++ linux-3.0.7/net/netfilter/Kconfig 2011-08-23 21:48:14.000000000 -0400
73275@@ -781,6 +781,16 @@ config NETFILTER_XT_MATCH_ESP
73276
73277 To compile it as a module, choose M here. If unsure, say N.
73278
73279+config NETFILTER_XT_MATCH_GRADM
73280+ tristate '"gradm" match support'
73281+ depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
73282+ depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
73283+ ---help---
73284+ The gradm match allows to match on grsecurity RBAC being enabled.
73285+ It is useful when iptables rules are applied early on bootup to
73286+ prevent connections to the machine (except from a trusted host)
73287+ while the RBAC system is disabled.
73288+
73289 config NETFILTER_XT_MATCH_HASHLIMIT
73290 tristate '"hashlimit" match support'
73291 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
73292diff -urNp linux-3.0.7/net/netfilter/Makefile linux-3.0.7/net/netfilter/Makefile
73293--- linux-3.0.7/net/netfilter/Makefile 2011-07-21 22:17:23.000000000 -0400
73294+++ linux-3.0.7/net/netfilter/Makefile 2011-08-23 21:48:14.000000000 -0400
73295@@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) +=
73296 obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
73297 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
73298 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
73299+obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
73300 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
73301 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
73302 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
73303diff -urNp linux-3.0.7/net/netfilter/ipvs/ip_vs_conn.c linux-3.0.7/net/netfilter/ipvs/ip_vs_conn.c
73304--- linux-3.0.7/net/netfilter/ipvs/ip_vs_conn.c 2011-07-21 22:17:23.000000000 -0400
73305+++ linux-3.0.7/net/netfilter/ipvs/ip_vs_conn.c 2011-08-23 21:47:56.000000000 -0400
73306@@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
73307 /* Increase the refcnt counter of the dest */
73308 atomic_inc(&dest->refcnt);
73309
73310- conn_flags = atomic_read(&dest->conn_flags);
73311+ conn_flags = atomic_read_unchecked(&dest->conn_flags);
73312 if (cp->protocol != IPPROTO_UDP)
73313 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
73314 /* Bind with the destination and its corresponding transmitter */
73315@@ -869,7 +869,7 @@ ip_vs_conn_new(const struct ip_vs_conn_p
73316 atomic_set(&cp->refcnt, 1);
73317
73318 atomic_set(&cp->n_control, 0);
73319- atomic_set(&cp->in_pkts, 0);
73320+ atomic_set_unchecked(&cp->in_pkts, 0);
73321
73322 atomic_inc(&ipvs->conn_count);
73323 if (flags & IP_VS_CONN_F_NO_CPORT)
73324@@ -1149,7 +1149,7 @@ static inline int todrop_entry(struct ip
73325
73326 /* Don't drop the entry if its number of incoming packets is not
73327 located in [0, 8] */
73328- i = atomic_read(&cp->in_pkts);
73329+ i = atomic_read_unchecked(&cp->in_pkts);
73330 if (i > 8 || i < 0) return 0;
73331
73332 if (!todrop_rate[i]) return 0;
73333diff -urNp linux-3.0.7/net/netfilter/ipvs/ip_vs_core.c linux-3.0.7/net/netfilter/ipvs/ip_vs_core.c
73334--- linux-3.0.7/net/netfilter/ipvs/ip_vs_core.c 2011-07-21 22:17:23.000000000 -0400
73335+++ linux-3.0.7/net/netfilter/ipvs/ip_vs_core.c 2011-08-23 21:47:56.000000000 -0400
73336@@ -563,7 +563,7 @@ int ip_vs_leave(struct ip_vs_service *sv
73337 ret = cp->packet_xmit(skb, cp, pd->pp);
73338 /* do not touch skb anymore */
73339
73340- atomic_inc(&cp->in_pkts);
73341+ atomic_inc_unchecked(&cp->in_pkts);
73342 ip_vs_conn_put(cp);
73343 return ret;
73344 }
73345@@ -1613,7 +1613,7 @@ ip_vs_in(unsigned int hooknum, struct sk
73346 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
73347 pkts = sysctl_sync_threshold(ipvs);
73348 else
73349- pkts = atomic_add_return(1, &cp->in_pkts);
73350+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
73351
73352 if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
73353 cp->protocol == IPPROTO_SCTP) {
73354diff -urNp linux-3.0.7/net/netfilter/ipvs/ip_vs_ctl.c linux-3.0.7/net/netfilter/ipvs/ip_vs_ctl.c
73355--- linux-3.0.7/net/netfilter/ipvs/ip_vs_ctl.c 2011-09-02 18:11:21.000000000 -0400
73356+++ linux-3.0.7/net/netfilter/ipvs/ip_vs_ctl.c 2011-08-23 21:48:14.000000000 -0400
73357@@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service
73358 ip_vs_rs_hash(ipvs, dest);
73359 write_unlock_bh(&ipvs->rs_lock);
73360 }
73361- atomic_set(&dest->conn_flags, conn_flags);
73362+ atomic_set_unchecked(&dest->conn_flags, conn_flags);
73363
73364 /* bind the service */
73365 if (!dest->svc) {
73366@@ -2027,7 +2027,7 @@ static int ip_vs_info_seq_show(struct se
73367 " %-7s %-6d %-10d %-10d\n",
73368 &dest->addr.in6,
73369 ntohs(dest->port),
73370- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
73371+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
73372 atomic_read(&dest->weight),
73373 atomic_read(&dest->activeconns),
73374 atomic_read(&dest->inactconns));
73375@@ -2038,7 +2038,7 @@ static int ip_vs_info_seq_show(struct se
73376 "%-7s %-6d %-10d %-10d\n",
73377 ntohl(dest->addr.ip),
73378 ntohs(dest->port),
73379- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
73380+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
73381 atomic_read(&dest->weight),
73382 atomic_read(&dest->activeconns),
73383 atomic_read(&dest->inactconns));
73384@@ -2284,6 +2284,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
73385 struct ip_vs_dest_user *udest_compat;
73386 struct ip_vs_dest_user_kern udest;
73387
73388+ pax_track_stack();
73389+
73390 if (!capable(CAP_NET_ADMIN))
73391 return -EPERM;
73392
73393@@ -2498,7 +2500,7 @@ __ip_vs_get_dest_entries(struct net *net
73394
73395 entry.addr = dest->addr.ip;
73396 entry.port = dest->port;
73397- entry.conn_flags = atomic_read(&dest->conn_flags);
73398+ entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
73399 entry.weight = atomic_read(&dest->weight);
73400 entry.u_threshold = dest->u_threshold;
73401 entry.l_threshold = dest->l_threshold;
73402@@ -3026,7 +3028,7 @@ static int ip_vs_genl_fill_dest(struct s
73403 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
73404
73405 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
73406- atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
73407+ atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
73408 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
73409 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
73410 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
73411diff -urNp linux-3.0.7/net/netfilter/ipvs/ip_vs_sync.c linux-3.0.7/net/netfilter/ipvs/ip_vs_sync.c
73412--- linux-3.0.7/net/netfilter/ipvs/ip_vs_sync.c 2011-07-21 22:17:23.000000000 -0400
73413+++ linux-3.0.7/net/netfilter/ipvs/ip_vs_sync.c 2011-08-23 21:47:56.000000000 -0400
73414@@ -648,7 +648,7 @@ control:
73415 * i.e only increment in_pkts for Templates.
73416 */
73417 if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
73418- int pkts = atomic_add_return(1, &cp->in_pkts);
73419+ int pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
73420
73421 if (pkts % sysctl_sync_period(ipvs) != 1)
73422 return;
73423@@ -794,7 +794,7 @@ static void ip_vs_proc_conn(struct net *
73424
73425 if (opt)
73426 memcpy(&cp->in_seq, opt, sizeof(*opt));
73427- atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
73428+ atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
73429 cp->state = state;
73430 cp->old_state = cp->state;
73431 /*
73432diff -urNp linux-3.0.7/net/netfilter/ipvs/ip_vs_xmit.c linux-3.0.7/net/netfilter/ipvs/ip_vs_xmit.c
73433--- linux-3.0.7/net/netfilter/ipvs/ip_vs_xmit.c 2011-07-21 22:17:23.000000000 -0400
73434+++ linux-3.0.7/net/netfilter/ipvs/ip_vs_xmit.c 2011-08-23 21:47:56.000000000 -0400
73435@@ -1151,7 +1151,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
73436 else
73437 rc = NF_ACCEPT;
73438 /* do not touch skb anymore */
73439- atomic_inc(&cp->in_pkts);
73440+ atomic_inc_unchecked(&cp->in_pkts);
73441 goto out;
73442 }
73443
73444@@ -1272,7 +1272,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
73445 else
73446 rc = NF_ACCEPT;
73447 /* do not touch skb anymore */
73448- atomic_inc(&cp->in_pkts);
73449+ atomic_inc_unchecked(&cp->in_pkts);
73450 goto out;
73451 }
73452
73453diff -urNp linux-3.0.7/net/netfilter/nfnetlink_log.c linux-3.0.7/net/netfilter/nfnetlink_log.c
73454--- linux-3.0.7/net/netfilter/nfnetlink_log.c 2011-07-21 22:17:23.000000000 -0400
73455+++ linux-3.0.7/net/netfilter/nfnetlink_log.c 2011-08-23 21:47:56.000000000 -0400
73456@@ -70,7 +70,7 @@ struct nfulnl_instance {
73457 };
73458
73459 static DEFINE_SPINLOCK(instances_lock);
73460-static atomic_t global_seq;
73461+static atomic_unchecked_t global_seq;
73462
73463 #define INSTANCE_BUCKETS 16
73464 static struct hlist_head instance_table[INSTANCE_BUCKETS];
73465@@ -505,7 +505,7 @@ __build_packet_message(struct nfulnl_ins
73466 /* global sequence number */
73467 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
73468 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
73469- htonl(atomic_inc_return(&global_seq)));
73470+ htonl(atomic_inc_return_unchecked(&global_seq)));
73471
73472 if (data_len) {
73473 struct nlattr *nla;
73474diff -urNp linux-3.0.7/net/netfilter/nfnetlink_queue.c linux-3.0.7/net/netfilter/nfnetlink_queue.c
73475--- linux-3.0.7/net/netfilter/nfnetlink_queue.c 2011-07-21 22:17:23.000000000 -0400
73476+++ linux-3.0.7/net/netfilter/nfnetlink_queue.c 2011-08-23 21:47:56.000000000 -0400
73477@@ -58,7 +58,7 @@ struct nfqnl_instance {
73478 */
73479 spinlock_t lock;
73480 unsigned int queue_total;
73481- atomic_t id_sequence; /* 'sequence' of pkt ids */
73482+ atomic_unchecked_t id_sequence; /* 'sequence' of pkt ids */
73483 struct list_head queue_list; /* packets in queue */
73484 };
73485
73486@@ -272,7 +272,7 @@ nfqnl_build_packet_message(struct nfqnl_
73487 nfmsg->version = NFNETLINK_V0;
73488 nfmsg->res_id = htons(queue->queue_num);
73489
73490- entry->id = atomic_inc_return(&queue->id_sequence);
73491+ entry->id = atomic_inc_return_unchecked(&queue->id_sequence);
73492 pmsg.packet_id = htonl(entry->id);
73493 pmsg.hw_protocol = entskb->protocol;
73494 pmsg.hook = entry->hook;
73495@@ -870,7 +870,7 @@ static int seq_show(struct seq_file *s,
73496 inst->peer_pid, inst->queue_total,
73497 inst->copy_mode, inst->copy_range,
73498 inst->queue_dropped, inst->queue_user_dropped,
73499- atomic_read(&inst->id_sequence), 1);
73500+ atomic_read_unchecked(&inst->id_sequence), 1);
73501 }
73502
73503 static const struct seq_operations nfqnl_seq_ops = {
73504diff -urNp linux-3.0.7/net/netfilter/xt_gradm.c linux-3.0.7/net/netfilter/xt_gradm.c
73505--- linux-3.0.7/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
73506+++ linux-3.0.7/net/netfilter/xt_gradm.c 2011-08-23 21:48:14.000000000 -0400
73507@@ -0,0 +1,51 @@
73508+/*
73509+ * gradm match for netfilter
73510