Auto commit, 1 new patch{es}.
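--- a/arch/alpha/include/asm/elf.h
+++ b/arch/alpha/include/asm/elf.h
@@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
 
 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
 
+#ifdef CONFIG_PAX_ASLR
+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
+
+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
+#endif
+
 /* $0 is set by ld.so to a pointer to a function which might be
 registered using atexit. This provides a mean for the dynamic
 linker to call DT_FINI functions for shared libraries that have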
18diff -urNp linux-3.1.1/arch/alpha/include/asm/pgtable.h linux-3.1.1/arch/alpha/include/asm/pgtable.h
19--- linux-3.1.1/arch/alpha/include/asm/pgtable.h 2011-11-11 15:19:27.000000000 -0500
20+++ linux-3.1.1/arch/alpha/include/asm/pgtable.h 2011-11-16 18:39:07.000000000 -0500
21@@ -101,6 +101,17 @@ struct vm_area_struct;
22 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
23 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
25+
26+#ifdef CONFIG_PAX_PAGEEXEC
27+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
30+#else
31+# define PAGE_SHARED_NOEXEC PAGE_SHARED
32+# define PAGE_COPY_NOEXEC PAGE_COPY
33+# define PAGE_READONLY_NOEXEC PAGE_READONLY
34+#endif
35+
36 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
37
38 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39diff -urNp linux-3.1.1/arch/alpha/kernel/module.c linux-3.1.1/arch/alpha/kernel/module.c
40--- linux-3.1.1/arch/alpha/kernel/module.c 2011-11-11 15:19:27.000000000 -0500
41+++ linux-3.1.1/arch/alpha/kernel/module.c 2011-11-16 18:39:07.000000000 -0500
42@@ -160,7 +160,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
43
44 /* The small sections were sorted to the end of the segment.
45 The following should definitely cover them. */
46- gp = (u64)me->module_core + me->core_size - 0x8000;
47+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48 got = sechdrs[me->arch.gotsecindex].sh_addr;
49
50 for (i = 0; i < n; i++) {
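Review bot: The gp computation `gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;` now anchors the GOT base to the RW part of the core segment only, while the comment above it still says the small sections were sorted to the end of "the segment". If the RX/RW split done elsewhere in this patch ever places a small data section in the RX half, the 0x8000 window no longer covers it and gp-relative relocations would resolve to wrong addresses without any error. A comment at this line stating that small sections are always laid out in the RW region would make the assumption explicit. apply_relocate_add starts and ends outside the hunk.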
51diff -urNp linux-3.1.1/arch/alpha/kernel/osf_sys.c linux-3.1.1/arch/alpha/kernel/osf_sys.c
52--- linux-3.1.1/arch/alpha/kernel/osf_sys.c 2011-11-11 15:19:27.000000000 -0500
53+++ linux-3.1.1/arch/alpha/kernel/osf_sys.c 2011-11-16 18:39:07.000000000 -0500
54@@ -1147,7 +1147,7 @@ arch_get_unmapped_area_1(unsigned long a
55 /* At this point: (!vma || addr < vma->vm_end). */
56 if (limit - len < addr)
57 return -ENOMEM;
58- if (!vma || addr + len <= vma->vm_start)
59+ if (check_heap_stack_gap(vma, addr, len))
60 return addr;
61 addr = vma->vm_end;
62 vma = vma->vm_next;
63@@ -1183,6 +1183,10 @@ arch_get_unmapped_area(struct file *filp
64 merely specific addresses, but regions of memory -- perhaps
65 this feature should be incorporated into all ports? */
66
67+#ifdef CONFIG_PAX_RANDMMAP
68+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
69+#endif
70+
71 if (addr) {
72 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
73 if (addr != (unsigned long) -ENOMEM)
74@@ -1190,8 +1194,8 @@ arch_get_unmapped_area(struct file *filp
75 }
76
77 /* Next, try allocating at TASK_UNMAPPED_BASE. */
78- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
79- len, limit);
80+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
81+
82 if (addr != (unsigned long) -ENOMEM)
83 return addr;
84
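Review bot: The replacement `if (check_heap_stack_gap(vma, addr, len))` drops the explicit `!vma ||` guard of the old condition, so correctness now depends on check_heap_stack_gap() treating a NULL vma as an open gap; the helper is not in this hunk and that contract should be confirmed, since the loop then dereferences `vma->vm_end`, which was only safe before because the NULL case returned first. The same substitution appears in arch/arm/mm/mmap.c and arch/frv/mm/elf-fdpic.c. A one-line comment at the call site, `/* check_heap_stack_gap() accepts a NULL vma as "no mapping here" */`, would document it. arch_get_unmapped_area_1 and arch_get_unmapped_area both start and end outside these hunks.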
85diff -urNp linux-3.1.1/arch/alpha/mm/fault.c linux-3.1.1/arch/alpha/mm/fault.c
86--- linux-3.1.1/arch/alpha/mm/fault.c 2011-11-11 15:19:27.000000000 -0500
87+++ linux-3.1.1/arch/alpha/mm/fault.c 2011-11-16 18:39:07.000000000 -0500
88@@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
89 __reload_thread(pcb);
90 }
91
92+#ifdef CONFIG_PAX_PAGEEXEC
93+/*
94+ * PaX: decide what to do with offenders (regs->pc = fault address)
95+ *
96+ * returns 1 when task should be killed
97+ * 2 when patched PLT trampoline was detected
98+ * 3 when unpatched PLT trampoline was detected
99+ */
100+static int pax_handle_fetch_fault(struct pt_regs *regs)
101+{
102+
103+#ifdef CONFIG_PAX_EMUPLT
104+ int err;
105+
106+ do { /* PaX: patched PLT emulation #1 */
107+ unsigned int ldah, ldq, jmp;
108+
109+ err = get_user(ldah, (unsigned int *)regs->pc);
110+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
111+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
112+
113+ if (err)
114+ break;
115+
116+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
117+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
118+ jmp == 0x6BFB0000U)
119+ {
120+ unsigned long r27, addr;
121+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
122+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
123+
124+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
125+ err = get_user(r27, (unsigned long *)addr);
126+ if (err)
127+ break;
128+
129+ regs->r27 = r27;
130+ regs->pc = r27;
131+ return 2;
132+ }
133+ } while (0);
134+
135+ do { /* PaX: patched PLT emulation #2 */
136+ unsigned int ldah, lda, br;
137+
138+ err = get_user(ldah, (unsigned int *)regs->pc);
139+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
140+ err |= get_user(br, (unsigned int *)(regs->pc+8));
141+
142+ if (err)
143+ break;
144+
145+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
146+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
147+ (br & 0xFFE00000U) == 0xC3E00000U)
148+ {
149+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
150+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
151+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
152+
153+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
154+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
155+ return 2;
156+ }
157+ } while (0);
158+
159+ do { /* PaX: unpatched PLT emulation */
160+ unsigned int br;
161+
162+ err = get_user(br, (unsigned int *)regs->pc);
163+
164+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
165+ unsigned int br2, ldq, nop, jmp;
166+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
167+
168+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
169+ err = get_user(br2, (unsigned int *)addr);
170+ err |= get_user(ldq, (unsigned int *)(addr+4));
171+ err |= get_user(nop, (unsigned int *)(addr+8));
172+ err |= get_user(jmp, (unsigned int *)(addr+12));
173+ err |= get_user(resolver, (unsigned long *)(addr+16));
174+
175+ if (err)
176+ break;
177+
178+ if (br2 == 0xC3600000U &&
179+ ldq == 0xA77B000CU &&
180+ nop == 0x47FF041FU &&
181+ jmp == 0x6B7B0000U)
182+ {
183+ regs->r28 = regs->pc+4;
184+ regs->r27 = addr+16;
185+ regs->pc = resolver;
186+ return 3;
187+ }
188+ }
189+ } while (0);
190+#endif
191+
192+ return 1;
193+}
194+
195+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
196+{
197+ unsigned long i;
198+
199+ printk(KERN_ERR "PAX: bytes at PC: ");
200+ for (i = 0; i < 5; i++) {
201+ unsigned int c;
202+ if (get_user(c, (unsigned int *)pc+i))
203+ printk(KERN_CONT "???????? ");
204+ else
205+ printk(KERN_CONT "%08x ", c);
206+ }
207+ printk("\n");
208+}
209+#endif
210
211 /*
212 * This routine handles page faults. It determines the address,
213@@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
214 good_area:
215 si_code = SEGV_ACCERR;
216 if (cause < 0) {
217- if (!(vma->vm_flags & VM_EXEC))
218+ if (!(vma->vm_flags & VM_EXEC)) {
219+
220+#ifdef CONFIG_PAX_PAGEEXEC
221+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
222+ goto bad_area;
223+
224+ up_read(&mm->mmap_sem);
225+ switch (pax_handle_fetch_fault(regs)) {
226+
227+#ifdef CONFIG_PAX_EMUPLT
228+ case 2:
229+ case 3:
230+ return;
231+#endif
232+
233+ }
234+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
235+ do_group_exit(SIGKILL);
236+#else
237 goto bad_area;
238+#endif
239+
240+ }
241 } else if (!cause) {
242 /* Allow reads even for write-only mappings */
243 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
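Review bot: The `switch (pax_handle_fetch_fault(regs))` added to do_page_fault has no `default:` arm and, with CONFIG_PAX_EMUPLT disabled, an empty body, so the reader must go back to the helper's header comment to learn that any other return value means the task is killed; `default: break; /* 1: not a recognised trampoline, kill below */`, or an `if (pax_handle_fetch_fault(regs) != 1) return;` under the same #ifdef, keeps the intent local. Separately, the `get_user()` calls in pax_handle_fetch_fault and pax_report_insns cast to plain `unsigned int *` and `unsigned long *`, whereas the ARM version of pax_report_insns in this patch uses `(__force unsigned char __user *)`; the alpha code will trip sparse address-space checks. do_page_fault starts and ends outside the hunk.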
244diff -urNp linux-3.1.1/arch/arm/include/asm/elf.h linux-3.1.1/arch/arm/include/asm/elf.h
245--- linux-3.1.1/arch/arm/include/asm/elf.h 2011-11-11 15:19:27.000000000 -0500
246+++ linux-3.1.1/arch/arm/include/asm/elf.h 2011-11-16 18:39:07.000000000 -0500
247@@ -116,7 +116,14 @@ int dump_task_regs(struct task_struct *t
248 the loader. We need to make sure that it is out of the way of the program
249 that it will "exec", and that there is sufficient room for the brk. */
250
251-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
252+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
253+
254+#ifdef CONFIG_PAX_ASLR
255+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
256+
257+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
258+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
259+#endif
260
261 /* When the program starts, a1 contains a pointer to a function to be
262 registered with atexit, as per the SVR4 ABI. A value of 0 means we
263@@ -126,10 +133,6 @@ int dump_task_regs(struct task_struct *t
264 extern void elf_set_personality(const struct elf32_hdr *);
265 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
266
267-struct mm_struct;
268-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
269-#define arch_randomize_brk arch_randomize_brk
270-
271 extern int vectors_user_mapping(void);
272 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
273 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
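Review bot: The second hunk removes the `arch_randomize_brk` declaration and its `#define`, and the arch/arm/kernel/process.c section removes the function body, so unless the patch supplies brk randomization from generic code, an ARM kernel built with this patch but without CONFIG_PAX_ASLR ends up with an unrandomized brk base, a regression against the unpatched kernel for that configuration; worth confirming against whatever replaces it. In the first hunk, `#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)` is presumably reordered so that `2 * TASK_SIZE` cannot overflow a 32-bit unsigned long, which deserves a comment such as `/* divide first: 2 * TASK_SIZE overflows on 32-bit */`; the avr32 elf.h section makes the same change.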
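--- a/arch/arm/include/asm/kmap_types.h
+++ b/arch/arm/include/asm/kmap_types.h
@@ -21,6 +21,7 @@ enum km_type {
 KM_L1_CACHE,
 KM_L2_CACHE,
 KM_KDB,
+ KM_CLEARPAGE,
 KM_TYPE_NR
 };
 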
285diff -urNp linux-3.1.1/arch/arm/include/asm/uaccess.h linux-3.1.1/arch/arm/include/asm/uaccess.h
286--- linux-3.1.1/arch/arm/include/asm/uaccess.h 2011-11-11 15:19:27.000000000 -0500
287+++ linux-3.1.1/arch/arm/include/asm/uaccess.h 2011-11-16 18:39:07.000000000 -0500
288@@ -22,6 +22,8 @@
289 #define VERIFY_READ 0
290 #define VERIFY_WRITE 1
291
292+extern void check_object_size(const void *ptr, unsigned long n, bool to);
293+
294 /*
295 * The exception table consists of pairs of addresses: the first is the
296 * address of an instruction that is allowed to fault, and the second is
297@@ -387,8 +389,23 @@ do { \
298
299
300 #ifdef CONFIG_MMU
301-extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
302-extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
303+extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
304+extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
305+
306+static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
307+{
308+ if (!__builtin_constant_p(n))
309+ check_object_size(to, n, false);
310+ return ___copy_from_user(to, from, n);
311+}
312+
313+static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
314+{
315+ if (!__builtin_constant_p(n))
316+ check_object_size(from, n, true);
317+ return ___copy_to_user(to, from, n);
318+}
319+
320 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
321 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
322 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
323@@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
324
325 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
326 {
327+ if ((long)n < 0)
328+ return n;
329+
330 if (access_ok(VERIFY_READ, from, n))
331 n = __copy_from_user(to, from, n);
332 else /* security hole - plug it */
333@@ -412,6 +432,9 @@ static inline unsigned long __must_check
334
335 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
336 {
337+ if ((long)n < 0)
338+ return n;
339+
340 if (access_ok(VERIFY_WRITE, to, n))
341 n = __copy_to_user(to, from, n);
342 return n;
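Review bot: The new `if ((long)n < 0) return n;` in copy_from_user returns before the `else /* security hole - plug it */` branch, which in the upstream function zeroes the destination on a refused copy (that line lies outside the hunk); a caller that ignores the return value therefore sees an untouched `to` buffer for a negative length, whereas an access_ok() failure would have cleared it. Letting the rejected length fall into the existing else path, or zeroing `to` before the early return, keeps the two failure modes consistent. The `!__builtin_constant_p(n)` guard in the new `__copy_from_user`/`__copy_to_user` wrappers also deserves a comment explaining why constant sizes are exempt from check_object_size(). copy_from_user and copy_to_user both continue outside their hunks.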
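--- a/arch/arm/kernel/armksyms.c
+++ b/arch/arm/kernel/armksyms.c
@@ -98,8 +98,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
 #ifdef CONFIG_MMU
 EXPORT_SYMBOL(copy_page);
 
-EXPORT_SYMBOL(__copy_from_user);
-EXPORT_SYMBOL(__copy_to_user);
+EXPORT_SYMBOL(___copy_from_user);
+EXPORT_SYMBOL(___copy_to_user);
 EXPORT_SYMBOL(__clear_user);
 
 EXPORT_SYMBOL(__get_user_1);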
357diff -urNp linux-3.1.1/arch/arm/kernel/process.c linux-3.1.1/arch/arm/kernel/process.c
358--- linux-3.1.1/arch/arm/kernel/process.c 2011-11-11 15:19:27.000000000 -0500
359+++ linux-3.1.1/arch/arm/kernel/process.c 2011-11-16 18:39:07.000000000 -0500
360@@ -28,7 +28,6 @@
361 #include <linux/tick.h>
362 #include <linux/utsname.h>
363 #include <linux/uaccess.h>
364-#include <linux/random.h>
365 #include <linux/hw_breakpoint.h>
366 #include <linux/cpuidle.h>
367
368@@ -481,12 +480,6 @@ unsigned long get_wchan(struct task_stru
369 return 0;
370 }
371
372-unsigned long arch_randomize_brk(struct mm_struct *mm)
373-{
374- unsigned long range_end = mm->brk + 0x02000000;
375- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
376-}
377-
378 #ifdef CONFIG_MMU
379 /*
380 * The vectors page is always readable from user space for the
381diff -urNp linux-3.1.1/arch/arm/kernel/traps.c linux-3.1.1/arch/arm/kernel/traps.c
382--- linux-3.1.1/arch/arm/kernel/traps.c 2011-11-11 15:19:27.000000000 -0500
383+++ linux-3.1.1/arch/arm/kernel/traps.c 2011-11-16 18:40:08.000000000 -0500
384@@ -257,6 +257,8 @@ static int __die(const char *str, int er
385
386 static DEFINE_SPINLOCK(die_lock);
387
388+extern void gr_handle_kernel_exploit(void);
389+
390 /*
391 * This function is protected against re-entrancy.
392 */
393@@ -284,6 +286,9 @@ void die(const char *str, struct pt_regs
394 panic("Fatal exception in interrupt");
395 if (panic_on_oops)
396 panic("Fatal exception");
397+
398+ gr_handle_kernel_exploit();
399+
400 if (ret != NOTIFY_STOP)
401 do_exit(SIGSEGV);
402 }
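Review bot: `extern void gr_handle_kernel_exploit(void);` is declared inline in traps.c rather than in a shared header, so the prototype is duplicated at every call site the patch adds and will drift silently if the signature changes; it belongs in the header the other grsecurity hooks are declared in. The call is placed after the `panic_on_oops` check and before `do_exit(SIGSEGV)`, so it runs only on the non-panic path; a short comment above it stating what the hook does with the oopsing task, and that it returns, would help since the name alone does not say. die() starts and ends outside the hunk.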
403diff -urNp linux-3.1.1/arch/arm/lib/copy_from_user.S linux-3.1.1/arch/arm/lib/copy_from_user.S
404--- linux-3.1.1/arch/arm/lib/copy_from_user.S 2011-11-11 15:19:27.000000000 -0500
405+++ linux-3.1.1/arch/arm/lib/copy_from_user.S 2011-11-16 18:39:07.000000000 -0500
406@@ -16,7 +16,7 @@
407 /*
408 * Prototype:
409 *
410- * size_t __copy_from_user(void *to, const void *from, size_t n)
411+ * size_t ___copy_from_user(void *to, const void *from, size_t n)
412 *
413 * Purpose:
414 *
415@@ -84,11 +84,11 @@
416
417 .text
418
419-ENTRY(__copy_from_user)
420+ENTRY(___copy_from_user)
421
422 #include "copy_template.S"
423
424-ENDPROC(__copy_from_user)
425+ENDPROC(___copy_from_user)
426
427 .pushsection .fixup,"ax"
428 .align 0
429diff -urNp linux-3.1.1/arch/arm/lib/copy_to_user.S linux-3.1.1/arch/arm/lib/copy_to_user.S
430--- linux-3.1.1/arch/arm/lib/copy_to_user.S 2011-11-11 15:19:27.000000000 -0500
431+++ linux-3.1.1/arch/arm/lib/copy_to_user.S 2011-11-16 18:39:07.000000000 -0500
432@@ -16,7 +16,7 @@
433 /*
434 * Prototype:
435 *
436- * size_t __copy_to_user(void *to, const void *from, size_t n)
437+ * size_t ___copy_to_user(void *to, const void *from, size_t n)
438 *
439 * Purpose:
440 *
441@@ -88,11 +88,11 @@
442 .text
443
444 ENTRY(__copy_to_user_std)
445-WEAK(__copy_to_user)
446+WEAK(___copy_to_user)
447
448 #include "copy_template.S"
449
450-ENDPROC(__copy_to_user)
451+ENDPROC(___copy_to_user)
452 ENDPROC(__copy_to_user_std)
453
454 .pushsection .fixup,"ax"
455diff -urNp linux-3.1.1/arch/arm/lib/uaccess.S linux-3.1.1/arch/arm/lib/uaccess.S
456--- linux-3.1.1/arch/arm/lib/uaccess.S 2011-11-11 15:19:27.000000000 -0500
457+++ linux-3.1.1/arch/arm/lib/uaccess.S 2011-11-16 18:39:07.000000000 -0500
458@@ -20,7 +20,7 @@
459
460 #define PAGE_SHIFT 12
461
462-/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
463+/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
464 * Purpose : copy a block to user memory from kernel memory
465 * Params : to - user memory
466 * : from - kernel memory
467@@ -40,7 +40,7 @@ USER( T(strgtb) r3, [r0], #1) @ May f
468 sub r2, r2, ip
469 b .Lc2u_dest_aligned
470
471-ENTRY(__copy_to_user)
472+ENTRY(___copy_to_user)
473 stmfd sp!, {r2, r4 - r7, lr}
474 cmp r2, #4
475 blt .Lc2u_not_enough
476@@ -278,14 +278,14 @@ USER( T(strgeb) r3, [r0], #1) @ May f
477 ldrgtb r3, [r1], #0
478 USER( T(strgtb) r3, [r0], #1) @ May fault
479 b .Lc2u_finished
480-ENDPROC(__copy_to_user)
481+ENDPROC(___copy_to_user)
482
483 .pushsection .fixup,"ax"
484 .align 0
485 9001: ldmfd sp!, {r0, r4 - r7, pc}
486 .popsection
487
488-/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
489+/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
490 * Purpose : copy a block from user memory to kernel memory
491 * Params : to - kernel memory
492 * : from - user memory
493@@ -304,7 +304,7 @@ USER( T(ldrgtb) r3, [r1], #1) @ May f
494 sub r2, r2, ip
495 b .Lcfu_dest_aligned
496
497-ENTRY(__copy_from_user)
498+ENTRY(___copy_from_user)
499 stmfd sp!, {r0, r2, r4 - r7, lr}
500 cmp r2, #4
501 blt .Lcfu_not_enough
502@@ -544,7 +544,7 @@ USER( T(ldrgeb) r3, [r1], #1) @ May f
503 USER( T(ldrgtb) r3, [r1], #1) @ May fault
504 strgtb r3, [r0], #1
505 b .Lcfu_finished
506-ENDPROC(__copy_from_user)
507+ENDPROC(___copy_from_user)
508
509 .pushsection .fixup,"ax"
510 .align 0
511diff -urNp linux-3.1.1/arch/arm/lib/uaccess_with_memcpy.c linux-3.1.1/arch/arm/lib/uaccess_with_memcpy.c
512--- linux-3.1.1/arch/arm/lib/uaccess_with_memcpy.c 2011-11-11 15:19:27.000000000 -0500
513+++ linux-3.1.1/arch/arm/lib/uaccess_with_memcpy.c 2011-11-16 18:39:07.000000000 -0500
514@@ -103,7 +103,7 @@ out:
515 }
516
517 unsigned long
518-__copy_to_user(void __user *to, const void *from, unsigned long n)
519+___copy_to_user(void __user *to, const void *from, unsigned long n)
520 {
521 /*
522 * This test is stubbed out of the main function above to keep
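--- a/arch/arm/mach-ux500/mbox-db5500.c
+++ b/arch/arm/mach-ux500/mbox-db5500.c
@@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
 return sprintf(buf, "0x%X\n", mbox_value);
 }
 
-static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
+static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
 
 static int mbox_show(struct seq_file *s, void *data)
 {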
535diff -urNp linux-3.1.1/arch/arm/mm/fault.c linux-3.1.1/arch/arm/mm/fault.c
536--- linux-3.1.1/arch/arm/mm/fault.c 2011-11-11 15:19:27.000000000 -0500
537+++ linux-3.1.1/arch/arm/mm/fault.c 2011-11-16 18:39:07.000000000 -0500
538@@ -182,6 +182,13 @@ __do_user_fault(struct task_struct *tsk,
539 }
540 #endif
541
542+#ifdef CONFIG_PAX_PAGEEXEC
543+ if (fsr & FSR_LNX_PF) {
544+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
545+ do_group_exit(SIGKILL);
546+ }
547+#endif
548+
549 tsk->thread.address = addr;
550 tsk->thread.error_code = fsr;
551 tsk->thread.trap_no = 14;
552@@ -383,6 +390,33 @@ do_page_fault(unsigned long addr, unsign
553 }
554 #endif /* CONFIG_MMU */
555
556+#ifdef CONFIG_PAX_PAGEEXEC
557+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
558+{
559+ long i;
560+
561+ printk(KERN_ERR "PAX: bytes at PC: ");
562+ for (i = 0; i < 20; i++) {
563+ unsigned char c;
564+ if (get_user(c, (__force unsigned char __user *)pc+i))
565+ printk(KERN_CONT "?? ");
566+ else
567+ printk(KERN_CONT "%02x ", c);
568+ }
569+ printk("\n");
570+
571+ printk(KERN_ERR "PAX: bytes at SP-4: ");
572+ for (i = -1; i < 20; i++) {
573+ unsigned long c;
574+ if (get_user(c, (__force unsigned long __user *)sp+i))
575+ printk(KERN_CONT "???????? ");
576+ else
577+ printk(KERN_CONT "%08lx ", c);
578+ }
579+ printk("\n");
580+}
581+#endif
582+
583 /*
584 * First Level Translation Fault Handler
585 *
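Review bot: In __do_user_fault the new block kills the task on `fsr & FSR_LNX_PF` without first testing `mm->pax_flags & MF_PAX_PAGEEXEC`, unlike the alpha and avr32 sections of this patch, which check the per-mm flag before reporting; if FSR_LNX_PF can only be set on the PAGEEXEC path that is fine, but the invariant is not visible here and deserves a comment at the check. In pax_report_insns, the `i = -1` start of the second loop matches the "SP-4" label only because `unsigned long` is 4 bytes on ARM, which is worth a one-line note beside the loop. __do_user_fault starts and ends outside the hunk.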
586diff -urNp linux-3.1.1/arch/arm/mm/mmap.c linux-3.1.1/arch/arm/mm/mmap.c
587--- linux-3.1.1/arch/arm/mm/mmap.c 2011-11-11 15:19:27.000000000 -0500
588+++ linux-3.1.1/arch/arm/mm/mmap.c 2011-11-16 18:39:07.000000000 -0500
589@@ -65,6 +65,10 @@ arch_get_unmapped_area(struct file *filp
590 if (len > TASK_SIZE)
591 return -ENOMEM;
592
593+#ifdef CONFIG_PAX_RANDMMAP
594+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
595+#endif
596+
597 if (addr) {
598 if (do_align)
599 addr = COLOUR_ALIGN(addr, pgoff);
600@@ -72,15 +76,14 @@ arch_get_unmapped_area(struct file *filp
601 addr = PAGE_ALIGN(addr);
602
603 vma = find_vma(mm, addr);
604- if (TASK_SIZE - len >= addr &&
605- (!vma || addr + len <= vma->vm_start))
606+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
607 return addr;
608 }
609 if (len > mm->cached_hole_size) {
610- start_addr = addr = mm->free_area_cache;
611+ start_addr = addr = mm->free_area_cache;
612 } else {
613- start_addr = addr = TASK_UNMAPPED_BASE;
614- mm->cached_hole_size = 0;
615+ start_addr = addr = mm->mmap_base;
616+ mm->cached_hole_size = 0;
617 }
618 /* 8 bits of randomness in 20 address space bits */
619 if ((current->flags & PF_RANDOMIZE) &&
620@@ -100,14 +103,14 @@ full_search:
621 * Start a new search - just in case we missed
622 * some holes.
623 */
624- if (start_addr != TASK_UNMAPPED_BASE) {
625- start_addr = addr = TASK_UNMAPPED_BASE;
626+ if (start_addr != mm->mmap_base) {
627+ start_addr = addr = mm->mmap_base;
628 mm->cached_hole_size = 0;
629 goto full_search;
630 }
631 return -ENOMEM;
632 }
633- if (!vma || addr + len <= vma->vm_start) {
634+ if (check_heap_stack_gap(vma, addr, len)) {
635 /*
636 * Remember the place where we stopped the search:
637 */
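Review bot: The added `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` relies on the unbraced `if` binding to the following `if (addr) {` block across a blank line, so the next person who inserts a statement between them silently changes which statement is conditional; arch/alpha/kernel/osf_sys.c uses the same shape. Wrapping the whole hint-handling block in braces, or at minimum a comment `/* the address hint is honoured only when RANDMMAP is off for this mm */` directly above `if (addr) {`, removes the trap. The third hunk also changes `if (start_addr != mm->mmap_base)` while the "8 bits of randomness" comment below the second hunk still describes the old TASK_UNMAPPED_BASE scheme and may be stale. arch_get_unmapped_area starts and ends outside these hunks.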
638diff -urNp linux-3.1.1/arch/avr32/include/asm/elf.h linux-3.1.1/arch/avr32/include/asm/elf.h
639--- linux-3.1.1/arch/avr32/include/asm/elf.h 2011-11-11 15:19:27.000000000 -0500
640+++ linux-3.1.1/arch/avr32/include/asm/elf.h 2011-11-16 18:39:07.000000000 -0500
641@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
642 the loader. We need to make sure that it is out of the way of the program
643 that it will "exec", and that there is sufficient room for the brk. */
644
645-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
646+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
647
648+#ifdef CONFIG_PAX_ASLR
649+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
650+
651+#define PAX_DELTA_MMAP_LEN 15
652+#define PAX_DELTA_STACK_LEN 15
653+#endif
654
655 /* This yields a mask that user programs can use to figure out what
656 instruction set this CPU supports. This could be done in user space,
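--- a/arch/avr32/include/asm/kmap_types.h
+++ b/arch/avr32/include/asm/kmap_types.h
@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
 D(11) KM_IRQ1,
 D(12) KM_SOFTIRQ0,
 D(13) KM_SOFTIRQ1,
-D(14) KM_TYPE_NR
+D(14) KM_CLEARPAGE,
+D(15) KM_TYPE_NR
 };
 
 #undef D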
670diff -urNp linux-3.1.1/arch/avr32/mm/fault.c linux-3.1.1/arch/avr32/mm/fault.c
671--- linux-3.1.1/arch/avr32/mm/fault.c 2011-11-11 15:19:27.000000000 -0500
672+++ linux-3.1.1/arch/avr32/mm/fault.c 2011-11-16 18:39:07.000000000 -0500
673@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
674
675 int exception_trace = 1;
676
677+#ifdef CONFIG_PAX_PAGEEXEC
678+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
679+{
680+ unsigned long i;
681+
682+ printk(KERN_ERR "PAX: bytes at PC: ");
683+ for (i = 0; i < 20; i++) {
684+ unsigned char c;
685+ if (get_user(c, (unsigned char *)pc+i))
686+ printk(KERN_CONT "???????? ");
687+ else
688+ printk(KERN_CONT "%02x ", c);
689+ }
690+ printk("\n");
691+}
692+#endif
693+
694 /*
695 * This routine handles page faults. It determines the address and the
696 * problem, and then passes it off to one of the appropriate routines.
697@@ -156,6 +173,16 @@ bad_area:
698 up_read(&mm->mmap_sem);
699
700 if (user_mode(regs)) {
701+
702+#ifdef CONFIG_PAX_PAGEEXEC
703+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
704+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
705+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
706+ do_group_exit(SIGKILL);
707+ }
708+ }
709+#endif
710+
711 if (exception_trace && printk_ratelimit())
712 printk("%s%s[%d]: segfault at %08lx pc %08lx "
713 "sp %08lx ecr %lu\n",
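--- a/arch/frv/include/asm/kmap_types.h
+++ b/arch/frv/include/asm/kmap_types.h
@@ -23,6 +23,7 @@ enum km_type {
 KM_IRQ1,
 KM_SOFTIRQ0,
 KM_SOFTIRQ1,
+ KM_CLEARPAGE,
 KM_TYPE_NR
 };
 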
725diff -urNp linux-3.1.1/arch/frv/mm/elf-fdpic.c linux-3.1.1/arch/frv/mm/elf-fdpic.c
726--- linux-3.1.1/arch/frv/mm/elf-fdpic.c 2011-11-11 15:19:27.000000000 -0500
727+++ linux-3.1.1/arch/frv/mm/elf-fdpic.c 2011-11-16 18:39:07.000000000 -0500
728@@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
729 if (addr) {
730 addr = PAGE_ALIGN(addr);
731 vma = find_vma(current->mm, addr);
732- if (TASK_SIZE - len >= addr &&
733- (!vma || addr + len <= vma->vm_start))
734+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
735 goto success;
736 }
737
738@@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
739 for (; vma; vma = vma->vm_next) {
740 if (addr > limit)
741 break;
742- if (addr + len <= vma->vm_start)
743+ if (check_heap_stack_gap(vma, addr, len))
744 goto success;
745 addr = vma->vm_end;
746 }
747@@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
748 for (; vma; vma = vma->vm_next) {
749 if (addr > limit)
750 break;
751- if (addr + len <= vma->vm_start)
752+ if (check_heap_stack_gap(vma, addr, len))
753 goto success;
754 addr = vma->vm_end;
755 }
756diff -urNp linux-3.1.1/arch/ia64/include/asm/elf.h linux-3.1.1/arch/ia64/include/asm/elf.h
757--- linux-3.1.1/arch/ia64/include/asm/elf.h 2011-11-11 15:19:27.000000000 -0500
758+++ linux-3.1.1/arch/ia64/include/asm/elf.h 2011-11-16 18:39:07.000000000 -0500
759@@ -42,6 +42,13 @@
760 */
761 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
762
763+#ifdef CONFIG_PAX_ASLR
764+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
765+
766+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
767+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
768+#endif
769+
770 #define PT_IA_64_UNWIND 0x70000001
771
772 /* IA-64 relocations: */
773diff -urNp linux-3.1.1/arch/ia64/include/asm/pgtable.h linux-3.1.1/arch/ia64/include/asm/pgtable.h
774--- linux-3.1.1/arch/ia64/include/asm/pgtable.h 2011-11-11 15:19:27.000000000 -0500
775+++ linux-3.1.1/arch/ia64/include/asm/pgtable.h 2011-11-16 18:39:07.000000000 -0500
776@@ -12,7 +12,7 @@
777 * David Mosberger-Tang <davidm@hpl.hp.com>
778 */
779
780-
781+#include <linux/const.h>
782 #include <asm/mman.h>
783 #include <asm/page.h>
784 #include <asm/processor.h>
785@@ -143,6 +143,17 @@
786 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
787 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
788 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
789+
790+#ifdef CONFIG_PAX_PAGEEXEC
791+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
792+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
793+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
794+#else
795+# define PAGE_SHARED_NOEXEC PAGE_SHARED
796+# define PAGE_READONLY_NOEXEC PAGE_READONLY
797+# define PAGE_COPY_NOEXEC PAGE_COPY
798+#endif
799+
800 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
801 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
802 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
803diff -urNp linux-3.1.1/arch/ia64/include/asm/spinlock.h linux-3.1.1/arch/ia64/include/asm/spinlock.h
804--- linux-3.1.1/arch/ia64/include/asm/spinlock.h 2011-11-11 15:19:27.000000000 -0500
805+++ linux-3.1.1/arch/ia64/include/asm/spinlock.h 2011-11-16 18:39:07.000000000 -0500
806@@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
807 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
808
809 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
810- ACCESS_ONCE(*p) = (tmp + 2) & ~1;
811+ ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
812 }
813
814 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
815diff -urNp linux-3.1.1/arch/ia64/include/asm/uaccess.h linux-3.1.1/arch/ia64/include/asm/uaccess.h
816--- linux-3.1.1/arch/ia64/include/asm/uaccess.h 2011-11-11 15:19:27.000000000 -0500
817+++ linux-3.1.1/arch/ia64/include/asm/uaccess.h 2011-11-16 18:39:07.000000000 -0500
818@@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
819 const void *__cu_from = (from); \
820 long __cu_len = (n); \
821 \
822- if (__access_ok(__cu_to, __cu_len, get_fs())) \
823+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
824 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
825 __cu_len; \
826 })
827@@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
828 long __cu_len = (n); \
829 \
830 __chk_user_ptr(__cu_from); \
831- if (__access_ok(__cu_from, __cu_len, get_fs())) \
832+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
833 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
834 __cu_len; \
835 })
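Review bot: The new `__cu_len > 0 && __cu_len <= INT_MAX` guard in both copy macros refuses negative and oversized lengths but carries no explanation, and it also returns the raw negative `__cu_len` as the "bytes not copied" result, which callers compare against zero; a comment such as `/* negative or > INT_MAX lengths are overflowed sizes, not real copies: refuse them */` would record the intent. The guard additionally short-circuits `n == 0`, which should be a no-op either way but is a behavior change worth mentioning. Both macros start outside their hunks.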
836diff -urNp linux-3.1.1/arch/ia64/kernel/module.c linux-3.1.1/arch/ia64/kernel/module.c
837--- linux-3.1.1/arch/ia64/kernel/module.c 2011-11-11 15:19:27.000000000 -0500
838+++ linux-3.1.1/arch/ia64/kernel/module.c 2011-11-16 18:39:07.000000000 -0500
839@@ -307,8 +307,7 @@ plt_target (struct plt_entry *plt)
840 void
841 module_free (struct module *mod, void *module_region)
842 {
843- if (mod && mod->arch.init_unw_table &&
844- module_region == mod->module_init) {
845+ if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
846 unw_remove_unwind_table(mod->arch.init_unw_table);
847 mod->arch.init_unw_table = NULL;
848 }
849@@ -494,15 +493,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
850 }
851
852 static inline int
853+in_init_rx (const struct module *mod, uint64_t addr)
854+{
855+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
856+}
857+
858+static inline int
859+in_init_rw (const struct module *mod, uint64_t addr)
860+{
861+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
862+}
863+
864+static inline int
865 in_init (const struct module *mod, uint64_t addr)
866 {
867- return addr - (uint64_t) mod->module_init < mod->init_size;
868+ return in_init_rx(mod, addr) || in_init_rw(mod, addr);
869+}
870+
871+static inline int
872+in_core_rx (const struct module *mod, uint64_t addr)
873+{
874+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
875+}
876+
877+static inline int
878+in_core_rw (const struct module *mod, uint64_t addr)
879+{
880+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
881 }
882
883 static inline int
884 in_core (const struct module *mod, uint64_t addr)
885 {
886- return addr - (uint64_t) mod->module_core < mod->core_size;
887+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
888 }
889
890 static inline int
891@@ -685,7 +708,14 @@ do_reloc (struct module *mod, uint8_t r_
892 break;
893
894 case RV_BDREL:
895- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
896+ if (in_init_rx(mod, val))
897+ val -= (uint64_t) mod->module_init_rx;
898+ else if (in_init_rw(mod, val))
899+ val -= (uint64_t) mod->module_init_rw;
900+ else if (in_core_rx(mod, val))
901+ val -= (uint64_t) mod->module_core_rx;
902+ else if (in_core_rw(mod, val))
903+ val -= (uint64_t) mod->module_core_rw;
904 break;
905
906 case RV_LTV:
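Review bot: The new `RV_BDREL` chain has no final `else`, so a target that falls outside all four rx/rw regions leaves `val` unadjusted and the relocation proceeds silently, whereas the replaced ternary always subtracted a base. An `else` branch that reports the stray address (with `mod->name`) and fails the relocation the way do_reloc's other error paths do would turn a silently wrong relocation into a rejected module; do_reloc's body lies outside the hunk, so match whatever error return it uses elsewhere.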
907@@ -820,15 +850,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
908 * addresses have been selected...
909 */
910 uint64_t gp;
911- if (mod->core_size > MAX_LTOFF)
912+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
913 /*
914 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
915 * at the end of the module.
916 */
917- gp = mod->core_size - MAX_LTOFF / 2;
918+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
919 else
920- gp = mod->core_size / 2;
921- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
922+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
923+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
924 mod->arch.gp = gp;
925 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
926 }
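Review bot: `gp` is now an offset derived from `core_size_rx + core_size_rw` but is added to `mod->module_core_rx`; if the rx and rw regions are separate allocations, that address is neither the end of the rw region nor necessarily inside the module, so the "SHF_ARCH_SMALL gets allocated at the end of the module" comment no longer describes the layout it reasons about. Presumably the small-data/GOT material lives in the rw region, in which case the base should be `mod->module_core_rw` with the rw size alone; if the combined-size arithmetic is deliberate, the comment should say why it still holds. The enclosing function starts outside the hunk.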
927diff -urNp linux-3.1.1/arch/ia64/kernel/sys_ia64.c linux-3.1.1/arch/ia64/kernel/sys_ia64.c
928--- linux-3.1.1/arch/ia64/kernel/sys_ia64.c 2011-11-11 15:19:27.000000000 -0500
929+++ linux-3.1.1/arch/ia64/kernel/sys_ia64.c 2011-11-16 18:39:07.000000000 -0500
930@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
931 if (REGION_NUMBER(addr) == RGN_HPAGE)
932 addr = 0;
933 #endif
934+
935+#ifdef CONFIG_PAX_RANDMMAP
936+ if (mm->pax_flags & MF_PAX_RANDMMAP)
937+ addr = mm->free_area_cache;
938+ else
939+#endif
940+
941 if (!addr)
942 addr = mm->free_area_cache;
943
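Review bot: The `else` placed directly before `#endif` binds to the `if (!addr)` on the following line only because of source order, which is fragile under reformatting and easy to misread; the same construct appears in the first hunk of arch/mips/mm/mmap.c. A clearer shape is a single condition, e.g. a file-local `static inline bool` helper (constructed name: `pax_randmmap(mm)`) that returns false when CONFIG_PAX_RANDMMAP is off, so the code reads `if (!addr || pax_randmmap(mm)) addr = mm->free_area_cache;`. Behaviour is unchanged; only the preprocessor-spliced conditional goes away.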
944@@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
945 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
946 /* At this point: (!vma || addr < vma->vm_end). */
947 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
948- if (start_addr != TASK_UNMAPPED_BASE) {
949+ if (start_addr != mm->mmap_base) {
950 /* Start a new search --- just in case we missed some holes. */
951- addr = TASK_UNMAPPED_BASE;
952+ addr = mm->mmap_base;
953 goto full_search;
954 }
955 return -ENOMEM;
956 }
957- if (!vma || addr + len <= vma->vm_start) {
958+ if (check_heap_stack_gap(vma, addr, len)) {
959 /* Remember the address where we stopped this search: */
960 mm->free_area_cache = addr + len;
961 return addr;
962diff -urNp linux-3.1.1/arch/ia64/kernel/vmlinux.lds.S linux-3.1.1/arch/ia64/kernel/vmlinux.lds.S
963--- linux-3.1.1/arch/ia64/kernel/vmlinux.lds.S 2011-11-11 15:19:27.000000000 -0500
964+++ linux-3.1.1/arch/ia64/kernel/vmlinux.lds.S 2011-11-16 18:39:07.000000000 -0500
965@@ -199,7 +199,7 @@ SECTIONS {
966 /* Per-cpu data: */
967 . = ALIGN(PERCPU_PAGE_SIZE);
968 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
969- __phys_per_cpu_start = __per_cpu_load;
970+ __phys_per_cpu_start = per_cpu_load;
971 /*
972 * ensure percpu data fits
973 * into percpu page size
974diff -urNp linux-3.1.1/arch/ia64/mm/fault.c linux-3.1.1/arch/ia64/mm/fault.c
975--- linux-3.1.1/arch/ia64/mm/fault.c 2011-11-11 15:19:27.000000000 -0500
976+++ linux-3.1.1/arch/ia64/mm/fault.c 2011-11-16 18:39:07.000000000 -0500
977@@ -73,6 +73,23 @@ mapped_kernel_page_is_present (unsigned
978 return pte_present(pte);
979 }
980
981+#ifdef CONFIG_PAX_PAGEEXEC
982+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
983+{
984+ unsigned long i;
985+
986+ printk(KERN_ERR "PAX: bytes at PC: ");
987+ for (i = 0; i < 8; i++) {
988+ unsigned int c;
989+ if (get_user(c, (unsigned int *)pc+i))
990+ printk(KERN_CONT "???????? ");
991+ else
992+ printk(KERN_CONT "%08x ", c);
993+ }
994+ printk("\n");
995+}
996+#endif
997+
998 void __kprobes
999 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1000 {
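Review bot: The closing `printk("\n")` in `pax_report_insns` has no `KERN_CONT` prefix, so it is treated as a new default-level message rather than the continuation of the "PAX: bytes at PC:" line; `printk(KERN_CONT "\n");` keeps the dump on one line. The `sp` parameter is unused in this body, which deserves a `/* sp unused on this arch */` comment or a `(void)sp;`. The same function is duplicated in the arch/mips/mm/fault.c and arch/parisc/mm/fault.c hunks with the same issue (differing only in the word count).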
1001@@ -146,9 +163,23 @@ ia64_do_page_fault (unsigned long addres
1002 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1003 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1004
1005- if ((vma->vm_flags & mask) != mask)
1006+ if ((vma->vm_flags & mask) != mask) {
1007+
1008+#ifdef CONFIG_PAX_PAGEEXEC
1009+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1010+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1011+ goto bad_area;
1012+
1013+ up_read(&mm->mmap_sem);
1014+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1015+ do_group_exit(SIGKILL);
1016+ }
1017+#endif
1018+
1019 goto bad_area;
1020
1021+ }
1022+
1023 /*
1024 * If for any reason at all we couldn't handle the fault, make
1025 * sure we exit gracefully rather than endlessly redo the
1026diff -urNp linux-3.1.1/arch/ia64/mm/hugetlbpage.c linux-3.1.1/arch/ia64/mm/hugetlbpage.c
1027--- linux-3.1.1/arch/ia64/mm/hugetlbpage.c 2011-11-11 15:19:27.000000000 -0500
1028+++ linux-3.1.1/arch/ia64/mm/hugetlbpage.c 2011-11-16 18:39:07.000000000 -0500
1029@@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1030 /* At this point: (!vmm || addr < vmm->vm_end). */
1031 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1032 return -ENOMEM;
1033- if (!vmm || (addr + len) <= vmm->vm_start)
1034+ if (check_heap_stack_gap(vmm, addr, len))
1035 return addr;
1036 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1037 }
1038diff -urNp linux-3.1.1/arch/ia64/mm/init.c linux-3.1.1/arch/ia64/mm/init.c
1039--- linux-3.1.1/arch/ia64/mm/init.c 2011-11-11 15:19:27.000000000 -0500
1040+++ linux-3.1.1/arch/ia64/mm/init.c 2011-11-16 18:39:07.000000000 -0500
1041@@ -120,6 +120,19 @@ ia64_init_addr_space (void)
1042 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1043 vma->vm_end = vma->vm_start + PAGE_SIZE;
1044 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1045+
1046+#ifdef CONFIG_PAX_PAGEEXEC
1047+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1048+ vma->vm_flags &= ~VM_EXEC;
1049+
1050+#ifdef CONFIG_PAX_MPROTECT
1051+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
1052+ vma->vm_flags &= ~VM_MAYEXEC;
1053+#endif
1054+
1055+ }
1056+#endif
1057+
1058 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1059 down_write(&current->mm->mmap_sem);
1060 if (insert_vm_struct(current->mm, vma)) {
1061diff -urNp linux-3.1.1/arch/m32r/lib/usercopy.c linux-3.1.1/arch/m32r/lib/usercopy.c
1062--- linux-3.1.1/arch/m32r/lib/usercopy.c 2011-11-11 15:19:27.000000000 -0500
1063+++ linux-3.1.1/arch/m32r/lib/usercopy.c 2011-11-16 18:39:07.000000000 -0500
1064@@ -14,6 +14,9 @@
1065 unsigned long
1066 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1067 {
1068+ if ((long)n < 0)
1069+ return n;
1070+
1071 prefetch(from);
1072 if (access_ok(VERIFY_WRITE, to, n))
1073 __copy_user(to,from,n);
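Review bot: `if ((long)n < 0) return n;` refuses the copy when the length has its sign bit set, but in `__generic_copy_from_user` (the next hunk) this returns before any zero-filling of `to`, so a caller that ignores the return value would read an untouched buffer. That is the right call for a length that can only be an overflowed size computation, but it should be stated: `/* sign bit set: overflowed size; refuse without touching the destination, callers must check the return */`. The same one-line comment fits the guard added here.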
1074@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1075 unsigned long
1076 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1077 {
1078+ if ((long)n < 0)
1079+ return n;
1080+
1081 prefetchw(to);
1082 if (access_ok(VERIFY_READ, from, n))
1083 __copy_user_zeroing(to,from,n);
1084diff -urNp linux-3.1.1/arch/mips/include/asm/elf.h linux-3.1.1/arch/mips/include/asm/elf.h
1085--- linux-3.1.1/arch/mips/include/asm/elf.h 2011-11-11 15:19:27.000000000 -0500
1086+++ linux-3.1.1/arch/mips/include/asm/elf.h 2011-11-16 18:39:07.000000000 -0500
1087@@ -372,13 +372,16 @@ extern const char *__elf_platform;
1088 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1089 #endif
1090
1091+#ifdef CONFIG_PAX_ASLR
1092+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1093+
1094+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1095+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1096+#endif
1097+
1098 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1099 struct linux_binprm;
1100 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1101 int uses_interp);
1102
1103-struct mm_struct;
1104-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1105-#define arch_randomize_brk arch_randomize_brk
1106-
1107 #endif /* _ASM_ELF_H */
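Review bot: Both arms of `TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL` are identical, so the conditional is dead code; either collapse it to `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` or, if a different base was intended for 64-bit tasks, supply it. The same redundant ternary is added in the arch/mips/kernel/binfmt_elfn32.c and binfmt_elfo32.c hunks.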
1108diff -urNp linux-3.1.1/arch/mips/include/asm/page.h linux-3.1.1/arch/mips/include/asm/page.h
1109--- linux-3.1.1/arch/mips/include/asm/page.h 2011-11-11 15:19:27.000000000 -0500
1110+++ linux-3.1.1/arch/mips/include/asm/page.h 2011-11-16 18:39:07.000000000 -0500
1111@@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1112 #ifdef CONFIG_CPU_MIPS32
1113 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1114 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1115- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1116+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1117 #else
1118 typedef struct { unsigned long long pte; } pte_t;
1119 #define pte_val(x) ((x).pte)
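Review bot: Dropping the `(unsigned long long)` cast makes `(x) >> 32` undefined behaviour whenever a caller passes a 32-bit operand, since a shift count equal to the type width is UB and `unsigned long` is 32 bits in the CONFIG_CPU_MIPS32 configuration this branch covers. If every caller is known to pass a 64-bit value the change is fine, but that contract should then be stated next to the macro, e.g. `/* x must be 64-bit: the >> 32 is UB on a 32-bit operand */`; otherwise keep the cast.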
1120diff -urNp linux-3.1.1/arch/mips/include/asm/system.h linux-3.1.1/arch/mips/include/asm/system.h
1121--- linux-3.1.1/arch/mips/include/asm/system.h 2011-11-11 15:19:27.000000000 -0500
1122+++ linux-3.1.1/arch/mips/include/asm/system.h 2011-11-16 18:39:07.000000000 -0500
1123@@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1124 */
1125 #define __ARCH_WANT_UNLOCKED_CTXSW
1126
1127-extern unsigned long arch_align_stack(unsigned long sp);
1128+#define arch_align_stack(x) ((x) & ~0xfUL)
1129
1130 #endif /* _ASM_SYSTEM_H */
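Review bot: `#define arch_align_stack(x) ((x) & ~0xfUL)` replaces a function (deleted in the arch/mips/kernel/process.c hunk) that also subtracted a random sub-page offset when `randomize_va_space` permitted; the macro always masks to 16 bytes, which satisfies the 8-byte requirement the removed comment gave for the 32-bit ABI, so alignment is compatible. The removal of the randomisation step is presumably because PaX supplies its own stack randomisation via `PAX_DELTA_STACK_LEN`; a comment saying so, e.g. `/* stack randomisation is done by PaX; only align here */`, would record that this is intentional.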
1131diff -urNp linux-3.1.1/arch/mips/kernel/binfmt_elfn32.c linux-3.1.1/arch/mips/kernel/binfmt_elfn32.c
1132--- linux-3.1.1/arch/mips/kernel/binfmt_elfn32.c 2011-11-11 15:19:27.000000000 -0500
1133+++ linux-3.1.1/arch/mips/kernel/binfmt_elfn32.c 2011-11-16 18:39:07.000000000 -0500
1134@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1135 #undef ELF_ET_DYN_BASE
1136 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1137
1138+#ifdef CONFIG_PAX_ASLR
1139+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1140+
1141+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1142+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1143+#endif
1144+
1145 #include <asm/processor.h>
1146 #include <linux/module.h>
1147 #include <linux/elfcore.h>
1148diff -urNp linux-3.1.1/arch/mips/kernel/binfmt_elfo32.c linux-3.1.1/arch/mips/kernel/binfmt_elfo32.c
1149--- linux-3.1.1/arch/mips/kernel/binfmt_elfo32.c 2011-11-11 15:19:27.000000000 -0500
1150+++ linux-3.1.1/arch/mips/kernel/binfmt_elfo32.c 2011-11-16 18:39:07.000000000 -0500
1151@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1152 #undef ELF_ET_DYN_BASE
1153 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1154
1155+#ifdef CONFIG_PAX_ASLR
1156+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
1157+
1158+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1159+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1160+#endif
1161+
1162 #include <asm/processor.h>
1163
1164 /*
1165diff -urNp linux-3.1.1/arch/mips/kernel/process.c linux-3.1.1/arch/mips/kernel/process.c
1166--- linux-3.1.1/arch/mips/kernel/process.c 2011-11-11 15:19:27.000000000 -0500
1167+++ linux-3.1.1/arch/mips/kernel/process.c 2011-11-16 18:39:07.000000000 -0500
1168@@ -481,15 +481,3 @@ unsigned long get_wchan(struct task_stru
1169 out:
1170 return pc;
1171 }
1172-
1173-/*
1174- * Don't forget that the stack pointer must be aligned on a 8 bytes
1175- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1176- */
1177-unsigned long arch_align_stack(unsigned long sp)
1178-{
1179- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1180- sp -= get_random_int() & ~PAGE_MASK;
1181-
1182- return sp & ALMASK;
1183-}
1184diff -urNp linux-3.1.1/arch/mips/mm/fault.c linux-3.1.1/arch/mips/mm/fault.c
1185--- linux-3.1.1/arch/mips/mm/fault.c 2011-11-11 15:19:27.000000000 -0500
1186+++ linux-3.1.1/arch/mips/mm/fault.c 2011-11-16 18:39:07.000000000 -0500
1187@@ -28,6 +28,23 @@
1188 #include <asm/highmem.h> /* For VMALLOC_END */
1189 #include <linux/kdebug.h>
1190
1191+#ifdef CONFIG_PAX_PAGEEXEC
1192+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
1193+{
1194+ unsigned long i;
1195+
1196+ printk(KERN_ERR "PAX: bytes at PC: ");
1197+ for (i = 0; i < 5; i++) {
1198+ unsigned int c;
1199+ if (get_user(c, (unsigned int *)pc+i))
1200+ printk(KERN_CONT "???????? ");
1201+ else
1202+ printk(KERN_CONT "%08x ", c);
1203+ }
1204+ printk("\n");
1205+}
1206+#endif
1207+
1208 /*
1209 * This routine handles page faults. It determines the address,
1210 * and the problem, and then passes it off to one of the appropriate
1211diff -urNp linux-3.1.1/arch/mips/mm/mmap.c linux-3.1.1/arch/mips/mm/mmap.c
1212--- linux-3.1.1/arch/mips/mm/mmap.c 2011-11-11 15:19:27.000000000 -0500
1213+++ linux-3.1.1/arch/mips/mm/mmap.c 2011-11-16 18:39:07.000000000 -0500
1214@@ -95,6 +95,11 @@ static unsigned long arch_get_unmapped_a
1215 do_color_align = 1;
1216
1217 /* requesting a specific address */
1218+
1219+#ifdef CONFIG_PAX_RANDMMAP
1220+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1221+#endif
1222+
1223 if (addr) {
1224 if (do_color_align)
1225 addr = COLOUR_ALIGN(addr, pgoff);
1226@@ -102,8 +107,7 @@ static unsigned long arch_get_unmapped_a
1227 addr = PAGE_ALIGN(addr);
1228
1229 vma = find_vma(mm, addr);
1230- if (TASK_SIZE - len >= addr &&
1231- (!vma || addr + len <= vma->vm_start))
1232+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vmm, addr, len))
1233 return addr;
1234 }
1235
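Review bot: `check_heap_stack_gap(vmm, addr, len)` names a variable that does not exist in this function: the local is `vma` (assigned two lines above by `vma = find_vma(mm, addr);`), so this file fails to compile. The fix is `if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))`; the same `vmm` slip is in the three following hunks of this file (`addr = vma->vm_end;` and `vma = find_vma(...)` in their context lines confirm the name). `vmm` is the local used by the ia64 hugetlbpage.c code, which is probably where the copy came from.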
1236@@ -118,7 +122,7 @@ static unsigned long arch_get_unmapped_a
1237 /* At this point: (!vma || addr < vma->vm_end). */
1238 if (TASK_SIZE - len < addr)
1239 return -ENOMEM;
1240- if (!vma || addr + len <= vma->vm_start)
1241+ if (check_heap_stack_gap(vmm, addr, len))
1242 return addr;
1243 addr = vma->vm_end;
1244 if (do_color_align)
1245@@ -145,7 +149,7 @@ static unsigned long arch_get_unmapped_a
1246 /* make sure it can fit in the remaining address space */
1247 if (likely(addr > len)) {
1248 vma = find_vma(mm, addr - len);
1249- if (!vma || addr <= vma->vm_start) {
1250+ if (check_heap_stack_gap(vmm, addr - len, len))
1251 /* cache the address as a hint for next time */
1252 return mm->free_area_cache = addr - len;
1253 }
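Review bot: The rewritten `if (check_heap_stack_gap(vmm, addr - len, len))` drops the opening `{` that the removed line had, while the closing `}` two lines below is kept as context, leaving the function with unbalanced braces. Restore it as `if (check_heap_stack_gap(vma, addr - len, len)) {` (also using the correct local name). The enclosing function starts and ends outside the hunk.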
1254@@ -165,7 +169,7 @@ static unsigned long arch_get_unmapped_a
1255 * return with success:
1256 */
1257 vma = find_vma(mm, addr);
1258- if (likely(!vma || addr + len <= vma->vm_start)) {
1259+ if (check_heap_stack_gap(vmm, addr, len)) {
1260 /* cache the address as a hint for next time */
1261 return mm->free_area_cache = addr;
1262 }
1263@@ -242,30 +246,3 @@ void arch_pick_mmap_layout(struct mm_str
1264 mm->unmap_area = arch_unmap_area_topdown;
1265 }
1266 }
1267-
1268-static inline unsigned long brk_rnd(void)
1269-{
1270- unsigned long rnd = get_random_int();
1271-
1272- rnd = rnd << PAGE_SHIFT;
1273- /* 8MB for 32bit, 256MB for 64bit */
1274- if (TASK_IS_32BIT_ADDR)
1275- rnd = rnd & 0x7ffffful;
1276- else
1277- rnd = rnd & 0xffffffful;
1278-
1279- return rnd;
1280-}
1281-
1282-unsigned long arch_randomize_brk(struct mm_struct *mm)
1283-{
1284- unsigned long base = mm->brk;
1285- unsigned long ret;
1286-
1287- ret = PAGE_ALIGN(base + brk_rnd());
1288-
1289- if (ret < mm->brk)
1290- return mm->brk;
1291-
1292- return ret;
1293-}
1294diff -urNp linux-3.1.1/arch/parisc/include/asm/elf.h linux-3.1.1/arch/parisc/include/asm/elf.h
1295--- linux-3.1.1/arch/parisc/include/asm/elf.h 2011-11-11 15:19:27.000000000 -0500
1296+++ linux-3.1.1/arch/parisc/include/asm/elf.h 2011-11-16 18:39:07.000000000 -0500
1297@@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1298
1299 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1300
1301+#ifdef CONFIG_PAX_ASLR
1302+#define PAX_ELF_ET_DYN_BASE 0x10000UL
1303+
1304+#define PAX_DELTA_MMAP_LEN 16
1305+#define PAX_DELTA_STACK_LEN 16
1306+#endif
1307+
1308 /* This yields a mask that user programs can use to figure out what
1309 instruction set this CPU supports. This could be done in user space,
1310 but it's not easy, and we've already done it here. */
1311diff -urNp linux-3.1.1/arch/parisc/include/asm/pgtable.h linux-3.1.1/arch/parisc/include/asm/pgtable.h
1312--- linux-3.1.1/arch/parisc/include/asm/pgtable.h 2011-11-11 15:19:27.000000000 -0500
1313+++ linux-3.1.1/arch/parisc/include/asm/pgtable.h 2011-11-16 18:39:07.000000000 -0500
1314@@ -210,6 +210,17 @@ struct vm_area_struct;
1315 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1316 #define PAGE_COPY PAGE_EXECREAD
1317 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1318+
1319+#ifdef CONFIG_PAX_PAGEEXEC
1320+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1321+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1322+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1323+#else
1324+# define PAGE_SHARED_NOEXEC PAGE_SHARED
1325+# define PAGE_COPY_NOEXEC PAGE_COPY
1326+# define PAGE_READONLY_NOEXEC PAGE_READONLY
1327+#endif
1328+
1329 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1330 #define PAGE_KERNEL_EXEC __pgprot(_PAGE_KERNEL_EXEC)
1331 #define PAGE_KERNEL_RWX __pgprot(_PAGE_KERNEL_RWX)
1332diff -urNp linux-3.1.1/arch/parisc/kernel/module.c linux-3.1.1/arch/parisc/kernel/module.c
1333--- linux-3.1.1/arch/parisc/kernel/module.c 2011-11-11 15:19:27.000000000 -0500
1334+++ linux-3.1.1/arch/parisc/kernel/module.c 2011-11-16 18:39:07.000000000 -0500
1335@@ -98,16 +98,38 @@
1336
1337 /* three functions to determine where in the module core
1338 * or init pieces the location is */
1339+static inline int in_init_rx(struct module *me, void *loc)
1340+{
1341+ return (loc >= me->module_init_rx &&
1342+ loc < (me->module_init_rx + me->init_size_rx));
1343+}
1344+
1345+static inline int in_init_rw(struct module *me, void *loc)
1346+{
1347+ return (loc >= me->module_init_rw &&
1348+ loc < (me->module_init_rw + me->init_size_rw));
1349+}
1350+
1351 static inline int in_init(struct module *me, void *loc)
1352 {
1353- return (loc >= me->module_init &&
1354- loc <= (me->module_init + me->init_size));
1355+ return in_init_rx(me, loc) || in_init_rw(me, loc);
1356+}
1357+
1358+static inline int in_core_rx(struct module *me, void *loc)
1359+{
1360+ return (loc >= me->module_core_rx &&
1361+ loc < (me->module_core_rx + me->core_size_rx));
1362+}
1363+
1364+static inline int in_core_rw(struct module *me, void *loc)
1365+{
1366+ return (loc >= me->module_core_rw &&
1367+ loc < (me->module_core_rw + me->core_size_rw));
1368 }
1369
1370 static inline int in_core(struct module *me, void *loc)
1371 {
1372- return (loc >= me->module_core &&
1373- loc <= (me->module_core + me->core_size));
1374+ return in_core_rx(me, loc) || in_core_rw(me, loc);
1375 }
1376
1377 static inline int in_local(struct module *me, void *loc)
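Review bot: The comment "three functions to determine where in the module core or init pieces the location is" is now stale: the hunk adds four rx/rw helpers and turns `in_init`/`in_core` into wrappers over them, so seven functions follow it. Reword it to describe the new structure, e.g. `/* helpers to locate an address within the module's init or core pieces, each split into rx and rw halves */`.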
1378@@ -373,13 +395,13 @@ int module_frob_arch_sections(CONST Elf_
1379 }
1380
1381 /* align things a bit */
1382- me->core_size = ALIGN(me->core_size, 16);
1383- me->arch.got_offset = me->core_size;
1384- me->core_size += gots * sizeof(struct got_entry);
1385-
1386- me->core_size = ALIGN(me->core_size, 16);
1387- me->arch.fdesc_offset = me->core_size;
1388- me->core_size += fdescs * sizeof(Elf_Fdesc);
1389+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1390+ me->arch.got_offset = me->core_size_rw;
1391+ me->core_size_rw += gots * sizeof(struct got_entry);
1392+
1393+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1394+ me->arch.fdesc_offset = me->core_size_rw;
1395+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1396
1397 me->arch.got_max = gots;
1398 me->arch.fdesc_max = fdescs;
1399@@ -397,7 +419,7 @@ static Elf64_Word get_got(struct module
1400
1401 BUG_ON(value == 0);
1402
1403- got = me->module_core + me->arch.got_offset;
1404+ got = me->module_core_rw + me->arch.got_offset;
1405 for (i = 0; got[i].addr; i++)
1406 if (got[i].addr == value)
1407 goto out;
1408@@ -415,7 +437,7 @@ static Elf64_Word get_got(struct module
1409 #ifdef CONFIG_64BIT
1410 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1411 {
1412- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1413+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1414
1415 if (!value) {
1416 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1417@@ -433,7 +455,7 @@ static Elf_Addr get_fdesc(struct module
1418
1419 /* Create new one */
1420 fdesc->addr = value;
1421- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1422+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1423 return (Elf_Addr)fdesc;
1424 }
1425 #endif /* CONFIG_64BIT */
1426@@ -845,7 +867,7 @@ register_unwind_table(struct module *me,
1427
1428 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1429 end = table + sechdrs[me->arch.unwind_section].sh_size;
1430- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1431+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1432
1433 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1434 me->arch.unwind_section, table, end, gp);
1435diff -urNp linux-3.1.1/arch/parisc/kernel/sys_parisc.c linux-3.1.1/arch/parisc/kernel/sys_parisc.c
1436--- linux-3.1.1/arch/parisc/kernel/sys_parisc.c 2011-11-11 15:19:27.000000000 -0500
1437+++ linux-3.1.1/arch/parisc/kernel/sys_parisc.c 2011-11-16 18:39:07.000000000 -0500
1438@@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1439 /* At this point: (!vma || addr < vma->vm_end). */
1440 if (TASK_SIZE - len < addr)
1441 return -ENOMEM;
1442- if (!vma || addr + len <= vma->vm_start)
1443+ if (check_heap_stack_gap(vma, addr, len))
1444 return addr;
1445 addr = vma->vm_end;
1446 }
1447@@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1448 /* At this point: (!vma || addr < vma->vm_end). */
1449 if (TASK_SIZE - len < addr)
1450 return -ENOMEM;
1451- if (!vma || addr + len <= vma->vm_start)
1452+ if (check_heap_stack_gap(vma, addr, len))
1453 return addr;
1454 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1455 if (addr < vma->vm_end) /* handle wraparound */
1456@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1457 if (flags & MAP_FIXED)
1458 return addr;
1459 if (!addr)
1460- addr = TASK_UNMAPPED_BASE;
1461+ addr = current->mm->mmap_base;
1462
1463 if (filp) {
1464 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1465diff -urNp linux-3.1.1/arch/parisc/kernel/traps.c linux-3.1.1/arch/parisc/kernel/traps.c
1466--- linux-3.1.1/arch/parisc/kernel/traps.c 2011-11-11 15:19:27.000000000 -0500
1467+++ linux-3.1.1/arch/parisc/kernel/traps.c 2011-11-16 18:39:07.000000000 -0500
1468@@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1469
1470 down_read(&current->mm->mmap_sem);
1471 vma = find_vma(current->mm,regs->iaoq[0]);
1472- if (vma && (regs->iaoq[0] >= vma->vm_start)
1473- && (vma->vm_flags & VM_EXEC)) {
1474-
1475+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1476 fault_address = regs->iaoq[0];
1477 fault_space = regs->iasq[0];
1478
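Review bot: Removing `(vma->vm_flags & VM_EXEC)` from the condition means a fetch from a non-executable vma now takes the same path as an executable one; the reason is not recorded, and presumably it is so that such fetches reach do_page_fault, where the PAGEEXEC handling added in the arch/parisc/mm/fault.c hunk reports or emulates them. A comment on the `if`, e.g. `/* no VM_EXEC test: non-exec fetches are handled by the PAGEEXEC path in do_page_fault */`, would preserve that reasoning. The enclosing `handle_interruption` case lies outside the hunk.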
1479diff -urNp linux-3.1.1/arch/parisc/mm/fault.c linux-3.1.1/arch/parisc/mm/fault.c
1480--- linux-3.1.1/arch/parisc/mm/fault.c 2011-11-11 15:19:27.000000000 -0500
1481+++ linux-3.1.1/arch/parisc/mm/fault.c 2011-11-16 18:39:07.000000000 -0500
1482@@ -15,6 +15,7 @@
1483 #include <linux/sched.h>
1484 #include <linux/interrupt.h>
1485 #include <linux/module.h>
1486+#include <linux/unistd.h>
1487
1488 #include <asm/uaccess.h>
1489 #include <asm/traps.h>
1490@@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1491 static unsigned long
1492 parisc_acctyp(unsigned long code, unsigned int inst)
1493 {
1494- if (code == 6 || code == 16)
1495+ if (code == 6 || code == 7 || code == 16)
1496 return VM_EXEC;
1497
1498 switch (inst & 0xf0000000) {
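Review bot: `code == 7` is added to the codes classified as `VM_EXEC` without a comment, and the existing line gives none for 6 and 16 either. A short comment naming the trap each code denotes, e.g. `/* 6, 7, 16: instruction fetch traps */` refined with the actual names from the interruption table, would make the grouping self-explanatory for the next reader.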
1499@@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1500 }
1501 #endif
1502
1503+#ifdef CONFIG_PAX_PAGEEXEC
1504+/*
1505+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1506+ *
1507+ * returns 1 when task should be killed
1508+ * 2 when rt_sigreturn trampoline was detected
1509+ * 3 when unpatched PLT trampoline was detected
1510+ */
1511+static int pax_handle_fetch_fault(struct pt_regs *regs)
1512+{
1513+
1514+#ifdef CONFIG_PAX_EMUPLT
1515+ int err;
1516+
1517+ do { /* PaX: unpatched PLT emulation */
1518+ unsigned int bl, depwi;
1519+
1520+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1521+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1522+
1523+ if (err)
1524+ break;
1525+
1526+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1527+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1528+
1529+ err = get_user(ldw, (unsigned int *)addr);
1530+ err |= get_user(bv, (unsigned int *)(addr+4));
1531+ err |= get_user(ldw2, (unsigned int *)(addr+8));
1532+
1533+ if (err)
1534+ break;
1535+
1536+ if (ldw == 0x0E801096U &&
1537+ bv == 0xEAC0C000U &&
1538+ ldw2 == 0x0E881095U)
1539+ {
1540+ unsigned int resolver, map;
1541+
1542+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1543+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1544+ if (err)
1545+ break;
1546+
1547+ regs->gr[20] = instruction_pointer(regs)+8;
1548+ regs->gr[21] = map;
1549+ regs->gr[22] = resolver;
1550+ regs->iaoq[0] = resolver | 3UL;
1551+ regs->iaoq[1] = regs->iaoq[0] + 4;
1552+ return 3;
1553+ }
1554+ }
1555+ } while (0);
1556+#endif
1557+
1558+#ifdef CONFIG_PAX_EMUTRAMP
1559+
1560+#ifndef CONFIG_PAX_EMUSIGRT
1561+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1562+ return 1;
1563+#endif
1564+
1565+ do { /* PaX: rt_sigreturn emulation */
1566+ unsigned int ldi1, ldi2, bel, nop;
1567+
1568+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1569+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1570+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1571+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1572+
1573+ if (err)
1574+ break;
1575+
1576+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1577+ ldi2 == 0x3414015AU &&
1578+ bel == 0xE4008200U &&
1579+ nop == 0x08000240U)
1580+ {
1581+ regs->gr[25] = (ldi1 & 2) >> 1;
1582+ regs->gr[20] = __NR_rt_sigreturn;
1583+ regs->gr[31] = regs->iaoq[1] + 16;
1584+ regs->sr[0] = regs->iasq[1];
1585+ regs->iaoq[0] = 0x100UL;
1586+ regs->iaoq[1] = regs->iaoq[0] + 4;
1587+ regs->iasq[0] = regs->sr[2];
1588+ regs->iasq[1] = regs->sr[2];
1589+ return 2;
1590+ }
1591+ } while (0);
1592+#endif
1593+
1594+ return 1;
1595+}
1596+
1597+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
1598+{
1599+ unsigned long i;
1600+
1601+ printk(KERN_ERR "PAX: bytes at PC: ");
1602+ for (i = 0; i < 5; i++) {
1603+ unsigned int c;
1604+ if (get_user(c, (unsigned int *)pc+i))
1605+ printk(KERN_CONT "???????? ");
1606+ else
1607+ printk(KERN_CONT "%08x ", c);
1608+ }
1609+ printk("\n");
1610+}
1611+#endif
1612+
1613 int fixup_exception(struct pt_regs *regs)
1614 {
1615 const struct exception_table_entry *fix;
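Review bot: In `pax_handle_fetch_fault` the variable `err` is declared inside `#ifdef CONFIG_PAX_EMUPLT` but is assigned in the `#ifdef CONFIG_PAX_EMUTRAMP` block below it, so a build with EMUTRAMP enabled and EMUPLT disabled fails on an undeclared identifier unless Kconfig forces the two together; declare `int err;` inside each block, or hoist a single declaration above both `#ifdef`s. Separately, `unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;` truncates the instruction pointer to 32 bits before it is cast back to a pointer, which is wrong under CONFIG_64BIT; `addr` should be `unsigned long`. The trailing `pax_report_insns` has the same `printk("\n")` without `KERN_CONT` as the ia64 copy.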
1616@@ -192,8 +303,33 @@ good_area:
1617
1618 acc_type = parisc_acctyp(code,regs->iir);
1619
1620- if ((vma->vm_flags & acc_type) != acc_type)
1621+ if ((vma->vm_flags & acc_type) != acc_type) {
1622+
1623+#ifdef CONFIG_PAX_PAGEEXEC
1624+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1625+ (address & ~3UL) == instruction_pointer(regs))
1626+ {
1627+ up_read(&mm->mmap_sem);
1628+ switch (pax_handle_fetch_fault(regs)) {
1629+
1630+#ifdef CONFIG_PAX_EMUPLT
1631+ case 3:
1632+ return;
1633+#endif
1634+
1635+#ifdef CONFIG_PAX_EMUTRAMP
1636+ case 2:
1637+ return;
1638+#endif
1639+
1640+ }
1641+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1642+ do_group_exit(SIGKILL);
1643+ }
1644+#endif
1645+
1646 goto bad_area;
1647+ }
1648
1649 /*
1650 * If for any reason at all we couldn't handle the fault, make
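Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `default`, its only cases are individually `#ifdef`-ed, and when neither CONFIG_PAX_EMUPLT nor CONFIG_PAX_EMUTRAMP is set the body is empty; since the callee returns 1 in every case it does not emulate, `if (pax_handle_fetch_fault(regs) != 1) return;` expresses the same control flow without the preprocessor-sliced labels. The `return;` statements also rely on do_page_fault being `void`, which the hunk's own `return;` confirms but the enclosing function (outside the hunk) should be checked if its signature ever changes.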
1651diff -urNp linux-3.1.1/arch/powerpc/include/asm/elf.h linux-3.1.1/arch/powerpc/include/asm/elf.h
1652--- linux-3.1.1/arch/powerpc/include/asm/elf.h 2011-11-11 15:19:27.000000000 -0500
1653+++ linux-3.1.1/arch/powerpc/include/asm/elf.h 2011-11-16 18:39:07.000000000 -0500
1654@@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
1655 the loader. We need to make sure that it is out of the way of the program
1656 that it will "exec", and that there is sufficient room for the brk. */
1657
1658-extern unsigned long randomize_et_dyn(unsigned long base);
1659-#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
1660+#define ELF_ET_DYN_BASE (0x20000000)
1661+
1662+#ifdef CONFIG_PAX_ASLR
1663+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
1664+
1665+#ifdef __powerpc64__
1666+#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
1667+#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
1668+#else
1669+#define PAX_DELTA_MMAP_LEN 15
1670+#define PAX_DELTA_STACK_LEN 15
1671+#endif
1672+#endif
1673
1674 /*
1675 * Our registers are always unsigned longs, whether we're a 32 bit
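Review bot: With CONFIG_PAX_ASLR unset, `ELF_ET_DYN_BASE` becomes the constant `0x20000000` and the `randomize_et_dyn()` randomisation the old definition applied is gone, so a kernel built without PaX ASLR loses the upstream ET_DYN base randomisation (and, via the second hunk, `arch_randomize_brk`). If that trade-off is intended, a comment at the new definition should say so, e.g. `/* ET_DYN base randomisation is provided by PaX ASLR (PAX_ELF_ET_DYN_BASE), not by the arch */`. Whether the matching definitions in arch/powerpc/kernel/process.c are removed is not visible here.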
1676@@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
1677 (0x7ff >> (PAGE_SHIFT - 12)) : \
1678 (0x3ffff >> (PAGE_SHIFT - 12)))
1679
1680-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1681-#define arch_randomize_brk arch_randomize_brk
1682-
1683 #endif /* __KERNEL__ */
1684
1685 /*
1686diff -urNp linux-3.1.1/arch/powerpc/include/asm/kmap_types.h linux-3.1.1/arch/powerpc/include/asm/kmap_types.h
1687--- linux-3.1.1/arch/powerpc/include/asm/kmap_types.h 2011-11-11 15:19:27.000000000 -0500
1688+++ linux-3.1.1/arch/powerpc/include/asm/kmap_types.h 2011-11-16 18:39:07.000000000 -0500
1689@@ -27,6 +27,7 @@ enum km_type {
1690 KM_PPC_SYNC_PAGE,
1691 KM_PPC_SYNC_ICACHE,
1692 KM_KDB,
1693+ KM_CLEARPAGE,
1694 KM_TYPE_NR
1695 };
1696
1697diff -urNp linux-3.1.1/arch/powerpc/include/asm/mman.h linux-3.1.1/arch/powerpc/include/asm/mman.h
1698--- linux-3.1.1/arch/powerpc/include/asm/mman.h 2011-11-11 15:19:27.000000000 -0500
1699+++ linux-3.1.1/arch/powerpc/include/asm/mman.h 2011-11-16 18:39:07.000000000 -0500
1700@@ -44,7 +44,7 @@ static inline unsigned long arch_calc_vm
1701 }
1702 #define arch_calc_vm_prot_bits(prot) arch_calc_vm_prot_bits(prot)
1703
1704-static inline pgprot_t arch_vm_get_page_prot(unsigned long vm_flags)
1705+static inline pgprot_t arch_vm_get_page_prot(vm_flags_t vm_flags)
1706 {
1707 return (vm_flags & VM_SAO) ? __pgprot(_PAGE_SAO) : __pgprot(0);
1708 }
1709diff -urNp linux-3.1.1/arch/powerpc/include/asm/page_64.h linux-3.1.1/arch/powerpc/include/asm/page_64.h
1710--- linux-3.1.1/arch/powerpc/include/asm/page_64.h 2011-11-11 15:19:27.000000000 -0500
1711+++ linux-3.1.1/arch/powerpc/include/asm/page_64.h 2011-11-16 18:39:07.000000000 -0500
1712@@ -155,15 +155,18 @@ do { \
1713 * stack by default, so in the absence of a PT_GNU_STACK program header
1714 * we turn execute permission off.
1715 */
1716-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
1717- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1718+#define VM_STACK_DEFAULT_FLAGS32 \
1719+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1720+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1721
1722 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
1723 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1724
1725+#ifndef CONFIG_PAX_PAGEEXEC
1726 #define VM_STACK_DEFAULT_FLAGS \
1727 (is_32bit_task() ? \
1728 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
1729+#endif
1730
1731 #include <asm-generic/getorder.h>
1732
1733diff -urNp linux-3.1.1/arch/powerpc/include/asm/page.h linux-3.1.1/arch/powerpc/include/asm/page.h
1734--- linux-3.1.1/arch/powerpc/include/asm/page.h 2011-11-11 15:19:27.000000000 -0500
1735+++ linux-3.1.1/arch/powerpc/include/asm/page.h 2011-11-16 18:39:07.000000000 -0500
1736@@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
1737 * and needs to be executable. This means the whole heap ends
1738 * up being executable.
1739 */
1740-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
1741- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1742+#define VM_DATA_DEFAULT_FLAGS32 \
1743+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
1744+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1745
1746 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
1747 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
1748@@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
1749 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
1750 #endif
1751
1752+#define ktla_ktva(addr) (addr)
1753+#define ktva_ktla(addr) (addr)
1754+
1755 #ifndef __ASSEMBLY__
1756
1757 #undef STRICT_MM_TYPECHECKS
1758diff -urNp linux-3.1.1/arch/powerpc/include/asm/pgtable.h linux-3.1.1/arch/powerpc/include/asm/pgtable.h
1759--- linux-3.1.1/arch/powerpc/include/asm/pgtable.h 2011-11-11 15:19:27.000000000 -0500
1760+++ linux-3.1.1/arch/powerpc/include/asm/pgtable.h 2011-11-16 18:39:07.000000000 -0500
1761@@ -2,6 +2,7 @@
1762 #define _ASM_POWERPC_PGTABLE_H
1763 #ifdef __KERNEL__
1764
1765+#include <linux/const.h>
1766 #ifndef __ASSEMBLY__
1767 #include <asm/processor.h> /* For TASK_SIZE */
1768 #include <asm/mmu.h>
1769diff -urNp linux-3.1.1/arch/powerpc/include/asm/pte-hash32.h linux-3.1.1/arch/powerpc/include/asm/pte-hash32.h
1770--- linux-3.1.1/arch/powerpc/include/asm/pte-hash32.h 2011-11-11 15:19:27.000000000 -0500
1771+++ linux-3.1.1/arch/powerpc/include/asm/pte-hash32.h 2011-11-16 18:39:07.000000000 -0500
1772@@ -21,6 +21,7 @@
1773 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
1774 #define _PAGE_USER 0x004 /* usermode access allowed */
1775 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
1776+#define _PAGE_EXEC _PAGE_GUARDED
1777 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
1778 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
1779 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
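Review bot: `_PAGE_EXEC` is the only definition in this block without a trailing comment, and aliasing it to `_PAGE_GUARDED` is not self-explanatory next to the documented hardware bits around it. Presumably the intent is that hash32 has no real execute bit and the G bit is borrowed so that instruction fetches from non-exec pages fault with `DSISR_GUARDED`, which is what the fault.c hunks in this patch then test for; if so, say it here in the same style as the neighbouring lines: `#define _PAGE_EXEC _PAGE_GUARDED /* PaX: no NX bit on hash32, G doubles as the exec marker (see DSISR_GUARDED) */`.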
1780diff -urNp linux-3.1.1/arch/powerpc/include/asm/reg.h linux-3.1.1/arch/powerpc/include/asm/reg.h
1781--- linux-3.1.1/arch/powerpc/include/asm/reg.h 2011-11-11 15:19:27.000000000 -0500
1782+++ linux-3.1.1/arch/powerpc/include/asm/reg.h 2011-11-16 18:39:07.000000000 -0500
1783@@ -212,6 +212,7 @@
1784 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
1785 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
1786 #define DSISR_NOHPTE 0x40000000 /* no translation found */
1787+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
1788 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
1789 #define DSISR_ISSTORE 0x02000000 /* access was a store */
1790 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
1791diff -urNp linux-3.1.1/arch/powerpc/include/asm/system.h linux-3.1.1/arch/powerpc/include/asm/system.h
1792--- linux-3.1.1/arch/powerpc/include/asm/system.h 2011-11-11 15:19:27.000000000 -0500
1793+++ linux-3.1.1/arch/powerpc/include/asm/system.h 2011-11-16 18:39:07.000000000 -0500
1794@@ -530,7 +530,7 @@ __cmpxchg_local(volatile void *ptr, unsi
1795 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
1796 #endif
1797
1798-extern unsigned long arch_align_stack(unsigned long sp);
1799+#define arch_align_stack(x) ((x) & ~0xfUL)
1800
1801 /* Used in very early kernel initialization. */
1802 extern unsigned long reloc_offset(void);
1803diff -urNp linux-3.1.1/arch/powerpc/include/asm/uaccess.h linux-3.1.1/arch/powerpc/include/asm/uaccess.h
1804--- linux-3.1.1/arch/powerpc/include/asm/uaccess.h 2011-11-11 15:19:27.000000000 -0500
1805+++ linux-3.1.1/arch/powerpc/include/asm/uaccess.h 2011-11-16 18:39:07.000000000 -0500
1806@@ -13,6 +13,8 @@
1807 #define VERIFY_READ 0
1808 #define VERIFY_WRITE 1
1809
1810+extern void check_object_size(const void *ptr, unsigned long n, bool to);
1811+
1812 /*
1813 * The fs value determines whether argument validity checking should be
1814 * performed or not. If get_fs() == USER_DS, checking is performed, with
1815@@ -327,52 +329,6 @@ do { \
1816 extern unsigned long __copy_tofrom_user(void __user *to,
1817 const void __user *from, unsigned long size);
1818
1819-#ifndef __powerpc64__
1820-
1821-static inline unsigned long copy_from_user(void *to,
1822- const void __user *from, unsigned long n)
1823-{
1824- unsigned long over;
1825-
1826- if (access_ok(VERIFY_READ, from, n))
1827- return __copy_tofrom_user((__force void __user *)to, from, n);
1828- if ((unsigned long)from < TASK_SIZE) {
1829- over = (unsigned long)from + n - TASK_SIZE;
1830- return __copy_tofrom_user((__force void __user *)to, from,
1831- n - over) + over;
1832- }
1833- return n;
1834-}
1835-
1836-static inline unsigned long copy_to_user(void __user *to,
1837- const void *from, unsigned long n)
1838-{
1839- unsigned long over;
1840-
1841- if (access_ok(VERIFY_WRITE, to, n))
1842- return __copy_tofrom_user(to, (__force void __user *)from, n);
1843- if ((unsigned long)to < TASK_SIZE) {
1844- over = (unsigned long)to + n - TASK_SIZE;
1845- return __copy_tofrom_user(to, (__force void __user *)from,
1846- n - over) + over;
1847- }
1848- return n;
1849-}
1850-
1851-#else /* __powerpc64__ */
1852-
1853-#define __copy_in_user(to, from, size) \
1854- __copy_tofrom_user((to), (from), (size))
1855-
1856-extern unsigned long copy_from_user(void *to, const void __user *from,
1857- unsigned long n);
1858-extern unsigned long copy_to_user(void __user *to, const void *from,
1859- unsigned long n);
1860-extern unsigned long copy_in_user(void __user *to, const void __user *from,
1861- unsigned long n);
1862-
1863-#endif /* __powerpc64__ */
1864-
1865 static inline unsigned long __copy_from_user_inatomic(void *to,
1866 const void __user *from, unsigned long n)
1867 {
1868@@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
1869 if (ret == 0)
1870 return 0;
1871 }
1872+
1873+ if (!__builtin_constant_p(n))
1874+ check_object_size(to, n, false);
1875+
1876 return __copy_tofrom_user((__force void __user *)to, from, n);
1877 }
1878
1879@@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
1880 if (ret == 0)
1881 return 0;
1882 }
1883+
1884+ if (!__builtin_constant_p(n))
1885+ check_object_size(from, n, true);
1886+
1887 return __copy_tofrom_user(to, (__force const void __user *)from, n);
1888 }
1889
1890@@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
1891 return __copy_to_user_inatomic(to, from, size);
1892 }
1893
1894+#ifndef __powerpc64__
1895+
1896+static inline unsigned long __must_check copy_from_user(void *to,
1897+ const void __user *from, unsigned long n)
1898+{
1899+ unsigned long over;
1900+
1901+ if ((long)n < 0)
1902+ return n;
1903+
1904+ if (access_ok(VERIFY_READ, from, n)) {
1905+ if (!__builtin_constant_p(n))
1906+ check_object_size(to, n, false);
1907+ return __copy_tofrom_user((__force void __user *)to, from, n);
1908+ }
1909+ if ((unsigned long)from < TASK_SIZE) {
1910+ over = (unsigned long)from + n - TASK_SIZE;
1911+ if (!__builtin_constant_p(n - over))
1912+ check_object_size(to, n - over, false);
1913+ return __copy_tofrom_user((__force void __user *)to, from,
1914+ n - over) + over;
1915+ }
1916+ return n;
1917+}
1918+
1919+static inline unsigned long __must_check copy_to_user(void __user *to,
1920+ const void *from, unsigned long n)
1921+{
1922+ unsigned long over;
1923+
1924+ if ((long)n < 0)
1925+ return n;
1926+
1927+ if (access_ok(VERIFY_WRITE, to, n)) {
1928+ if (!__builtin_constant_p(n))
1929+ check_object_size(from, n, true);
1930+ return __copy_tofrom_user(to, (__force void __user *)from, n);
1931+ }
1932+ if ((unsigned long)to < TASK_SIZE) {
1933+ over = (unsigned long)to + n - TASK_SIZE;
1934+ if (!__builtin_constant_p(n))
1935+ check_object_size(from, n - over, true);
1936+ return __copy_tofrom_user(to, (__force void __user *)from,
1937+ n - over) + over;
1938+ }
1939+ return n;
1940+}
1941+
1942+#else /* __powerpc64__ */
1943+
1944+#define __copy_in_user(to, from, size) \
1945+ __copy_tofrom_user((to), (from), (size))
1946+
1947+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
1948+{
1949+ if ((long)n < 0 || n > INT_MAX)
1950+ return n;
1951+
1952+ if (!__builtin_constant_p(n))
1953+ check_object_size(to, n, false);
1954+
1955+ if (likely(access_ok(VERIFY_READ, from, n)))
1956+ n = __copy_from_user(to, from, n);
1957+ else
1958+ memset(to, 0, n);
1959+ return n;
1960+}
1961+
1962+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
1963+{
1964+ if ((long)n < 0 || n > INT_MAX)
1965+ return n;
1966+
1967+ if (likely(access_ok(VERIFY_WRITE, to, n))) {
1968+ if (!__builtin_constant_p(n))
1969+ check_object_size(from, n, true);
1970+ n = __copy_to_user(to, from, n);
1971+ }
1972+ return n;
1973+}
1974+
1975+extern unsigned long copy_in_user(void __user *to, const void __user *from,
1976+ unsigned long n);
1977+
1978+#endif /* __powerpc64__ */
1979+
1980 extern unsigned long __clear_user(void __user *addr, unsigned long size);
1981
1982 static inline unsigned long clear_user(void __user *addr, unsigned long size)
1983diff -urNp linux-3.1.1/arch/powerpc/kernel/exceptions-64e.S linux-3.1.1/arch/powerpc/kernel/exceptions-64e.S
1984--- linux-3.1.1/arch/powerpc/kernel/exceptions-64e.S 2011-11-11 15:19:27.000000000 -0500
1985+++ linux-3.1.1/arch/powerpc/kernel/exceptions-64e.S 2011-11-16 18:39:07.000000000 -0500
1986@@ -587,6 +587,7 @@ storage_fault_common:
1987 std r14,_DAR(r1)
1988 std r15,_DSISR(r1)
1989 addi r3,r1,STACK_FRAME_OVERHEAD
1990+ bl .save_nvgprs
1991 mr r4,r14
1992 mr r5,r15
1993 ld r14,PACA_EXGEN+EX_R14(r13)
1994@@ -596,8 +597,7 @@ storage_fault_common:
1995 cmpdi r3,0
1996 bne- 1f
1997 b .ret_from_except_lite
1998-1: bl .save_nvgprs
1999- mr r5,r3
2000+1: mr r5,r3
2001 addi r3,r1,STACK_FRAME_OVERHEAD
2002 ld r4,_DAR(r1)
2003 bl .bad_page_fault
2004diff -urNp linux-3.1.1/arch/powerpc/kernel/exceptions-64s.S linux-3.1.1/arch/powerpc/kernel/exceptions-64s.S
2005--- linux-3.1.1/arch/powerpc/kernel/exceptions-64s.S 2011-11-11 15:19:27.000000000 -0500
2006+++ linux-3.1.1/arch/powerpc/kernel/exceptions-64s.S 2011-11-16 18:39:07.000000000 -0500
2007@@ -1014,10 +1014,10 @@ handle_page_fault:
2008 11: ld r4,_DAR(r1)
2009 ld r5,_DSISR(r1)
2010 addi r3,r1,STACK_FRAME_OVERHEAD
2011+ bl .save_nvgprs
2012 bl .do_page_fault
2013 cmpdi r3,0
2014 beq+ 13f
2015- bl .save_nvgprs
2016 mr r5,r3
2017 addi r3,r1,STACK_FRAME_OVERHEAD
2018 lwz r4,_DAR(r1)
2019diff -urNp linux-3.1.1/arch/powerpc/kernel/module_32.c linux-3.1.1/arch/powerpc/kernel/module_32.c
2020--- linux-3.1.1/arch/powerpc/kernel/module_32.c 2011-11-11 15:19:27.000000000 -0500
2021+++ linux-3.1.1/arch/powerpc/kernel/module_32.c 2011-11-16 18:39:07.000000000 -0500
2022@@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2023 me->arch.core_plt_section = i;
2024 }
2025 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2026- printk("Module doesn't contain .plt or .init.plt sections.\n");
2027+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2028 return -ENOEXEC;
2029 }
2030
2031@@ -192,11 +192,16 @@ static uint32_t do_plt_call(void *locati
2032
2033 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2034 /* Init, or core PLT? */
2035- if (location >= mod->module_core
2036- && location < mod->module_core + mod->core_size)
2037+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2038+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2039 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2040- else
2041+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2042+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2043 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2044+ else {
2045+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2046+ return ~0UL;
2047+ }
2048
2049 /* Find this entry, or if that fails, the next avail. entry */
2050 while (entry->jump[0]) {
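Review bot: The new error branch returns `~0UL` from do_plt_call, which the hunk header shows is declared `static uint32_t`, so the caller receives 0xffffffff; unless the call site (outside this hunk) compares against that sentinel, the value will be treated as a PLT address and patched into the R_PPC_REL24 relocation. Worth confirming the caller checks it, and documenting the contract at the definition: `/* returns ~0UL when location lies in none of the module's RX/RW regions */`. The function continues past the end of the hunk.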
2051diff -urNp linux-3.1.1/arch/powerpc/kernel/process.c linux-3.1.1/arch/powerpc/kernel/process.c
2052--- linux-3.1.1/arch/powerpc/kernel/process.c 2011-11-11 15:19:27.000000000 -0500
2053+++ linux-3.1.1/arch/powerpc/kernel/process.c 2011-11-16 18:40:08.000000000 -0500
2054@@ -682,8 +682,8 @@ void show_regs(struct pt_regs * regs)
2055 * Lookup NIP late so we have the best change of getting the
2056 * above info out without failing
2057 */
2058- printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2059- printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2060+ printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2061+ printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2062 #endif
2063 show_stack(current, (unsigned long *) regs->gpr[1]);
2064 if (!user_mode(regs))
2065@@ -1187,10 +1187,10 @@ void show_stack(struct task_struct *tsk,
2066 newsp = stack[0];
2067 ip = stack[STACK_FRAME_LR_SAVE];
2068 if (!firstframe || ip != lr) {
2069- printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2070+ printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2071 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2072 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2073- printk(" (%pS)",
2074+ printk(" (%pA)",
2075 (void *)current->ret_stack[curr_frame].ret);
2076 curr_frame--;
2077 }
2078@@ -1210,7 +1210,7 @@ void show_stack(struct task_struct *tsk,
2079 struct pt_regs *regs = (struct pt_regs *)
2080 (sp + STACK_FRAME_OVERHEAD);
2081 lr = regs->link;
2082- printk("--- Exception: %lx at %pS\n LR = %pS\n",
2083+ printk("--- Exception: %lx at %pA\n LR = %pA\n",
2084 regs->trap, (void *)regs->nip, (void *)lr);
2085 firstframe = 1;
2086 }
2087@@ -1285,58 +1285,3 @@ void thread_info_cache_init(void)
2088 }
2089
2090 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2091-
2092-unsigned long arch_align_stack(unsigned long sp)
2093-{
2094- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2095- sp -= get_random_int() & ~PAGE_MASK;
2096- return sp & ~0xf;
2097-}
2098-
2099-static inline unsigned long brk_rnd(void)
2100-{
2101- unsigned long rnd = 0;
2102-
2103- /* 8MB for 32bit, 1GB for 64bit */
2104- if (is_32bit_task())
2105- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2106- else
2107- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2108-
2109- return rnd << PAGE_SHIFT;
2110-}
2111-
2112-unsigned long arch_randomize_brk(struct mm_struct *mm)
2113-{
2114- unsigned long base = mm->brk;
2115- unsigned long ret;
2116-
2117-#ifdef CONFIG_PPC_STD_MMU_64
2118- /*
2119- * If we are using 1TB segments and we are allowed to randomise
2120- * the heap, we can put it above 1TB so it is backed by a 1TB
2121- * segment. Otherwise the heap will be in the bottom 1TB
2122- * which always uses 256MB segments and this may result in a
2123- * performance penalty.
2124- */
2125- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2126- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2127-#endif
2128-
2129- ret = PAGE_ALIGN(base + brk_rnd());
2130-
2131- if (ret < mm->brk)
2132- return mm->brk;
2133-
2134- return ret;
2135-}
2136-
2137-unsigned long randomize_et_dyn(unsigned long base)
2138-{
2139- unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2140-
2141- if (ret < base)
2142- return base;
2143-
2144- return ret;
2145-}
2146diff -urNp linux-3.1.1/arch/powerpc/kernel/signal_32.c linux-3.1.1/arch/powerpc/kernel/signal_32.c
2147--- linux-3.1.1/arch/powerpc/kernel/signal_32.c 2011-11-11 15:19:27.000000000 -0500
2148+++ linux-3.1.1/arch/powerpc/kernel/signal_32.c 2011-11-16 18:39:07.000000000 -0500
2149@@ -859,7 +859,7 @@ int handle_rt_signal32(unsigned long sig
2150 /* Save user registers on the stack */
2151 frame = &rt_sf->uc.uc_mcontext;
2152 addr = frame;
2153- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2154+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2155 if (save_user_regs(regs, frame, 0, 1))
2156 goto badframe;
2157 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
2158diff -urNp linux-3.1.1/arch/powerpc/kernel/signal_64.c linux-3.1.1/arch/powerpc/kernel/signal_64.c
2159--- linux-3.1.1/arch/powerpc/kernel/signal_64.c 2011-11-11 15:19:27.000000000 -0500
2160+++ linux-3.1.1/arch/powerpc/kernel/signal_64.c 2011-11-16 18:39:07.000000000 -0500
2161@@ -430,7 +430,7 @@ int handle_rt_signal64(int signr, struct
2162 current->thread.fpscr.val = 0;
2163
2164 /* Set up to return from userspace. */
2165- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2166+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2167 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2168 } else {
2169 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2170diff -urNp linux-3.1.1/arch/powerpc/kernel/traps.c linux-3.1.1/arch/powerpc/kernel/traps.c
2171--- linux-3.1.1/arch/powerpc/kernel/traps.c 2011-11-11 15:19:27.000000000 -0500
2172+++ linux-3.1.1/arch/powerpc/kernel/traps.c 2011-11-16 18:40:08.000000000 -0500
2173@@ -98,6 +98,8 @@ static void pmac_backlight_unblank(void)
2174 static inline void pmac_backlight_unblank(void) { }
2175 #endif
2176
2177+extern void gr_handle_kernel_exploit(void);
2178+
2179 int die(const char *str, struct pt_regs *regs, long err)
2180 {
2181 static struct {
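Review bot: `extern void gr_handle_kernel_exploit(void);` is declared in the .c file rather than in a shared header, so the prototype is duplicated per architecture and the compiler cannot check it against the definition. Move it to a header traps.c already includes; if it has to stay local, a short comment naming where the function is defined would help the next reader.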
2182@@ -171,6 +173,8 @@ int die(const char *str, struct pt_regs
2183 if (panic_on_oops)
2184 panic("Fatal exception");
2185
2186+ gr_handle_kernel_exploit();
2187+
2188 oops_exit();
2189 do_exit(err);
2190
2191diff -urNp linux-3.1.1/arch/powerpc/kernel/vdso.c linux-3.1.1/arch/powerpc/kernel/vdso.c
2192--- linux-3.1.1/arch/powerpc/kernel/vdso.c 2011-11-11 15:19:27.000000000 -0500
2193+++ linux-3.1.1/arch/powerpc/kernel/vdso.c 2011-11-16 18:39:07.000000000 -0500
2194@@ -36,6 +36,7 @@
2195 #include <asm/firmware.h>
2196 #include <asm/vdso.h>
2197 #include <asm/vdso_datapage.h>
2198+#include <asm/mman.h>
2199
2200 #include "setup.h"
2201
2202@@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2203 vdso_base = VDSO32_MBASE;
2204 #endif
2205
2206- current->mm->context.vdso_base = 0;
2207+ current->mm->context.vdso_base = ~0UL;
2208
2209 /* vDSO has a problem and was disabled, just don't "enable" it for the
2210 * process
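Review bot: `vdso_base` now uses `~0UL` instead of 0 to mean "no vDSO mapped", and the signal_32.c/signal_64.c hunks in this patch update the two readers that compared against zero; any other reader that tests `vdso_base` for zero (none visible here, but worth grepping for) would now treat the sentinel as a valid base. A comment at the assignment would keep that from recurring: `/* ~0UL marks "no vDSO"; readers must compare against it, not against 0 */`. The patch does not say why 0 stopped being usable; presumably a randomised layout can legitimately place the mapping there, but that should be stated rather than guessed.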
2211@@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2212 vdso_base = get_unmapped_area(NULL, vdso_base,
2213 (vdso_pages << PAGE_SHIFT) +
2214 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2215- 0, 0);
2216+ 0, MAP_PRIVATE | MAP_EXECUTABLE);
2217 if (IS_ERR_VALUE(vdso_base)) {
2218 rc = vdso_base;
2219 goto fail_mmapsem;
2220diff -urNp linux-3.1.1/arch/powerpc/lib/usercopy_64.c linux-3.1.1/arch/powerpc/lib/usercopy_64.c
2221--- linux-3.1.1/arch/powerpc/lib/usercopy_64.c 2011-11-11 15:19:27.000000000 -0500
2222+++ linux-3.1.1/arch/powerpc/lib/usercopy_64.c 2011-11-16 18:39:07.000000000 -0500
2223@@ -9,22 +9,6 @@
2224 #include <linux/module.h>
2225 #include <asm/uaccess.h>
2226
2227-unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2228-{
2229- if (likely(access_ok(VERIFY_READ, from, n)))
2230- n = __copy_from_user(to, from, n);
2231- else
2232- memset(to, 0, n);
2233- return n;
2234-}
2235-
2236-unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2237-{
2238- if (likely(access_ok(VERIFY_WRITE, to, n)))
2239- n = __copy_to_user(to, from, n);
2240- return n;
2241-}
2242-
2243 unsigned long copy_in_user(void __user *to, const void __user *from,
2244 unsigned long n)
2245 {
2246@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2247 return n;
2248 }
2249
2250-EXPORT_SYMBOL(copy_from_user);
2251-EXPORT_SYMBOL(copy_to_user);
2252 EXPORT_SYMBOL(copy_in_user);
2253
2254diff -urNp linux-3.1.1/arch/powerpc/mm/fault.c linux-3.1.1/arch/powerpc/mm/fault.c
2255--- linux-3.1.1/arch/powerpc/mm/fault.c 2011-11-11 15:19:27.000000000 -0500
2256+++ linux-3.1.1/arch/powerpc/mm/fault.c 2011-11-16 18:39:07.000000000 -0500
2257@@ -32,6 +32,10 @@
2258 #include <linux/perf_event.h>
2259 #include <linux/magic.h>
2260 #include <linux/ratelimit.h>
2261+#include <linux/slab.h>
2262+#include <linux/pagemap.h>
2263+#include <linux/compiler.h>
2264+#include <linux/unistd.h>
2265
2266 #include <asm/firmware.h>
2267 #include <asm/page.h>
2268@@ -43,6 +47,7 @@
2269 #include <asm/tlbflush.h>
2270 #include <asm/siginfo.h>
2271 #include <mm/mmu_decl.h>
2272+#include <asm/ptrace.h>
2273
2274 #ifdef CONFIG_KPROBES
2275 static inline int notify_page_fault(struct pt_regs *regs)
2276@@ -66,6 +71,33 @@ static inline int notify_page_fault(stru
2277 }
2278 #endif
2279
2280+#ifdef CONFIG_PAX_PAGEEXEC
2281+/*
2282+ * PaX: decide what to do with offenders (regs->nip = fault address)
2283+ *
2284+ * returns 1 when task should be killed
2285+ */
2286+static int pax_handle_fetch_fault(struct pt_regs *regs)
2287+{
2288+ return 1;
2289+}
2290+
2291+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
2292+{
2293+ unsigned long i;
2294+
2295+ printk(KERN_ERR "PAX: bytes at PC: ");
2296+ for (i = 0; i < 5; i++) {
2297+ unsigned int c;
2298+ if (get_user(c, (unsigned int __user *)pc+i))
2299+ printk(KERN_CONT "???????? ");
2300+ else
2301+ printk(KERN_CONT "%08x ", c);
2302+ }
2303+ printk("\n");
2304+}
2305+#endif
2306+
2307 /*
2308 * Check whether the instruction at regs->nip is a store using
2309 * an update addressing form which will update r1.
2310@@ -136,7 +168,7 @@ int __kprobes do_page_fault(struct pt_re
2311 * indicate errors in DSISR but can validly be set in SRR1.
2312 */
2313 if (trap == 0x400)
2314- error_code &= 0x48200000;
2315+ error_code &= 0x58200000;
2316 else
2317 is_write = error_code & DSISR_ISSTORE;
2318 #else
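Review bot: The mask `0x58200000` at L2321 bakes the new guarded-storage bit into a magic number even though this patch names it `DSISR_GUARDED` (0x10000000) in asm/reg.h and uses the name further down in this same file; write it as `error_code &= 0x48200000 | DSISR_GUARDED;` so the intent (also accept guarded-fetch faults on instruction-storage traps) is visible and stays in sync with the definition. do_page_fault begins and ends outside this hunk.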
2319@@ -259,7 +291,7 @@ good_area:
2320 * "undefined". Of those that can be set, this is the only
2321 * one which seems bad.
2322 */
2323- if (error_code & 0x10000000)
2324+ if (error_code & DSISR_GUARDED)
2325 /* Guarded storage error. */
2326 goto bad_area;
2327 #endif /* CONFIG_8xx */
2328@@ -274,7 +306,7 @@ good_area:
2329 * processors use the same I/D cache coherency mechanism
2330 * as embedded.
2331 */
2332- if (error_code & DSISR_PROTFAULT)
2333+ if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2334 goto bad_area;
2335 #endif /* CONFIG_PPC_STD_MMU */
2336
2337@@ -343,6 +375,23 @@ bad_area:
2338 bad_area_nosemaphore:
2339 /* User mode accesses cause a SIGSEGV */
2340 if (user_mode(regs)) {
2341+
2342+#ifdef CONFIG_PAX_PAGEEXEC
2343+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2344+#ifdef CONFIG_PPC_STD_MMU
2345+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2346+#else
2347+ if (is_exec && regs->nip == address) {
2348+#endif
2349+ switch (pax_handle_fetch_fault(regs)) {
2350+ }
2351+
2352+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2353+ do_group_exit(SIGKILL);
2354+ }
2355+ }
2356+#endif
2357+
2358 _exception(SIGSEGV, regs, code, address);
2359 return 0;
2360 }
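Review bot: The `switch (pax_handle_fetch_fault(regs)) { }` at L2355 has an empty body, so the return value is discarded and the report-and-SIGKILL path below runs unconditionally; with pax_handle_fetch_fault defined earlier in this file to always return 1 that is the intended outcome today, but an empty switch reads like a forgotten stub. Make the contract explicit instead, either with a direct test, `if (pax_handle_fetch_fault(regs) == 1) {` around the report and `do_group_exit(SIGKILL)`, or with a `default: break;` arm and a comment stating that other return values are reserved. `pax_report_fault` is not defined anywhere in the visible patch, and do_page_fault starts and ends outside this hunk.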
2361diff -urNp linux-3.1.1/arch/powerpc/mm/mmap_64.c linux-3.1.1/arch/powerpc/mm/mmap_64.c
2362--- linux-3.1.1/arch/powerpc/mm/mmap_64.c 2011-11-11 15:19:27.000000000 -0500
2363+++ linux-3.1.1/arch/powerpc/mm/mmap_64.c 2011-11-16 18:39:07.000000000 -0500
2364@@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2365 */
2366 if (mmap_is_legacy()) {
2367 mm->mmap_base = TASK_UNMAPPED_BASE;
2368+
2369+#ifdef CONFIG_PAX_RANDMMAP
2370+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2371+ mm->mmap_base += mm->delta_mmap;
2372+#endif
2373+
2374 mm->get_unmapped_area = arch_get_unmapped_area;
2375 mm->unmap_area = arch_unmap_area;
2376 } else {
2377 mm->mmap_base = mmap_base();
2378+
2379+#ifdef CONFIG_PAX_RANDMMAP
2380+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2381+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2382+#endif
2383+
2384 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2385 mm->unmap_area = arch_unmap_area_topdown;
2386 }
2387diff -urNp linux-3.1.1/arch/powerpc/mm/slice.c linux-3.1.1/arch/powerpc/mm/slice.c
2388--- linux-3.1.1/arch/powerpc/mm/slice.c 2011-11-11 15:19:27.000000000 -0500
2389+++ linux-3.1.1/arch/powerpc/mm/slice.c 2011-11-16 18:39:07.000000000 -0500
2390@@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2391 if ((mm->task_size - len) < addr)
2392 return 0;
2393 vma = find_vma(mm, addr);
2394- return (!vma || (addr + len) <= vma->vm_start);
2395+ return check_heap_stack_gap(vma, addr, len);
2396 }
2397
2398 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2399@@ -256,7 +256,7 @@ full_search:
2400 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2401 continue;
2402 }
2403- if (!vma || addr + len <= vma->vm_start) {
2404+ if (check_heap_stack_gap(vma, addr, len)) {
2405 /*
2406 * Remember the place where we stopped the search:
2407 */
2408@@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
2409 }
2410 }
2411
2412- addr = mm->mmap_base;
2413- while (addr > len) {
2414+ if (mm->mmap_base < len)
2415+ addr = -ENOMEM;
2416+ else
2417+ addr = mm->mmap_base - len;
2418+
2419+ while (!IS_ERR_VALUE(addr)) {
2420 /* Go down by chunk size */
2421- addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
2422+ addr = _ALIGN_DOWN(addr, 1ul << pshift);
2423
2424 /* Check for hit with different page size */
2425 mask = slice_range_to_mask(addr, len);
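Review bot: The rewritten top-down search drops the old `addr > len` guard and ends only when `addr` becomes an error value, so termination now depends entirely on `skip_heap_stack_gap()` (used at L2446 in the next hunk) returning an `IS_ERR_VALUE` once nothing fits below the current vma; if it can return a small positive address instead, `_ALIGN_DOWN(addr, 1ul << pshift)` can round down to 0 and the loop keeps probing. That helper is not defined in the visible patch, so this is a contract to confirm rather than a defect I can point to. A comment on the loop would make the dependency explicit: `/* addr holds an -ENOMEM-style error once nothing fits; skip_heap_stack_gap() must return one */`. slice_find_area_topdown starts and ends outside this hunk.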
2426@@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
2427 * return with success:
2428 */
2429 vma = find_vma(mm, addr);
2430- if (!vma || (addr + len) <= vma->vm_start) {
2431+ if (check_heap_stack_gap(vma, addr, len)) {
2432 /* remember the address as a hint for next time */
2433 if (use_cache)
2434 mm->free_area_cache = addr;
2435@@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
2436 mm->cached_hole_size = vma->vm_start - addr;
2437
2438 /* try just below the current vma->vm_start */
2439- addr = vma->vm_start;
2440+ addr = skip_heap_stack_gap(vma, len);
2441 }
2442
2443 /*
2444@@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
2445 if (fixed && addr > (mm->task_size - len))
2446 return -EINVAL;
2447
2448+#ifdef CONFIG_PAX_RANDMMAP
2449+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2450+ addr = 0;
2451+#endif
2452+
2453 /* If hint, make sure it matches our alignment restrictions */
2454 if (!fixed && addr) {
2455 addr = _ALIGN_UP(addr, 1ul << pshift);
2456diff -urNp linux-3.1.1/arch/s390/include/asm/elf.h linux-3.1.1/arch/s390/include/asm/elf.h
2457--- linux-3.1.1/arch/s390/include/asm/elf.h 2011-11-11 15:19:27.000000000 -0500
2458+++ linux-3.1.1/arch/s390/include/asm/elf.h 2011-11-16 18:39:07.000000000 -0500
2459@@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
2460 the loader. We need to make sure that it is out of the way of the program
2461 that it will "exec", and that there is sufficient room for the brk. */
2462
2463-extern unsigned long randomize_et_dyn(unsigned long base);
2464-#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
2465+#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
2466+
2467+#ifdef CONFIG_PAX_ASLR
2468+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2469+
2470+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2471+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2472+#endif
2473
2474 /* This yields a mask that user programs can use to figure out what
2475 instruction set this CPU supports. */
2476@@ -211,7 +217,4 @@ struct linux_binprm;
2477 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
2478 int arch_setup_additional_pages(struct linux_binprm *, int);
2479
2480-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2481-#define arch_randomize_brk arch_randomize_brk
2482-
2483 #endif
2484diff -urNp linux-3.1.1/arch/s390/include/asm/system.h linux-3.1.1/arch/s390/include/asm/system.h
2485--- linux-3.1.1/arch/s390/include/asm/system.h 2011-11-11 15:19:27.000000000 -0500
2486+++ linux-3.1.1/arch/s390/include/asm/system.h 2011-11-16 18:39:07.000000000 -0500
2487@@ -256,7 +256,7 @@ extern void (*_machine_restart)(char *co
2488 extern void (*_machine_halt)(void);
2489 extern void (*_machine_power_off)(void);
2490
2491-extern unsigned long arch_align_stack(unsigned long sp);
2492+#define arch_align_stack(x) ((x) & ~0xfUL)
2493
2494 static inline int tprot(unsigned long addr)
2495 {
2496diff -urNp linux-3.1.1/arch/s390/include/asm/uaccess.h linux-3.1.1/arch/s390/include/asm/uaccess.h
2497--- linux-3.1.1/arch/s390/include/asm/uaccess.h 2011-11-11 15:19:27.000000000 -0500
2498+++ linux-3.1.1/arch/s390/include/asm/uaccess.h 2011-11-16 18:39:07.000000000 -0500
2499@@ -235,6 +235,10 @@ static inline unsigned long __must_check
2500 copy_to_user(void __user *to, const void *from, unsigned long n)
2501 {
2502 might_fault();
2503+
2504+ if ((long)n < 0)
2505+ return n;
2506+
2507 if (access_ok(VERIFY_WRITE, to, n))
2508 n = __copy_to_user(to, from, n);
2509 return n;
2510@@ -260,6 +264,9 @@ copy_to_user(void __user *to, const void
2511 static inline unsigned long __must_check
2512 __copy_from_user(void *to, const void __user *from, unsigned long n)
2513 {
2514+ if ((long)n < 0)
2515+ return n;
2516+
2517 if (__builtin_constant_p(n) && (n <= 256))
2518 return uaccess.copy_from_user_small(n, from, to);
2519 else
2520@@ -294,6 +301,10 @@ copy_from_user(void *to, const void __us
2521 unsigned int sz = __compiletime_object_size(to);
2522
2523 might_fault();
2524+
2525+ if ((long)n < 0)
2526+ return n;
2527+
2528 if (unlikely(sz != -1 && sz < n)) {
2529 copy_from_user_overflow();
2530 return n;
2531diff -urNp linux-3.1.1/arch/s390/kernel/module.c linux-3.1.1/arch/s390/kernel/module.c
2532--- linux-3.1.1/arch/s390/kernel/module.c 2011-11-11 15:19:27.000000000 -0500
2533+++ linux-3.1.1/arch/s390/kernel/module.c 2011-11-16 18:39:07.000000000 -0500
2534@@ -161,11 +161,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
2535
2536 /* Increase core size by size of got & plt and set start
2537 offsets for got and plt. */
2538- me->core_size = ALIGN(me->core_size, 4);
2539- me->arch.got_offset = me->core_size;
2540- me->core_size += me->arch.got_size;
2541- me->arch.plt_offset = me->core_size;
2542- me->core_size += me->arch.plt_size;
2543+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
2544+ me->arch.got_offset = me->core_size_rw;
2545+ me->core_size_rw += me->arch.got_size;
2546+ me->arch.plt_offset = me->core_size_rx;
2547+ me->core_size_rx += me->arch.plt_size;
2548 return 0;
2549 }
2550
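Review bot: Only `core_size_rw` is re-aligned to 4 before its offset is taken (L2549); `plt_offset` is taken from `core_size_rx` as-is, and the PLT entries are written as `unsigned int` stores in the R_390_PLT* hunk below, so unless the RX size is already 4-aligned by the layout code those stores can land misaligned. Add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;`. The unchanged comment above still says the GOT and PLT are appended to a single core size; update it to `/* GOT goes in the RW core, PLT in the RX core: bump each size and record the offsets. */`.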
2551@@ -242,7 +242,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2552 if (info->got_initialized == 0) {
2553 Elf_Addr *gotent;
2554
2555- gotent = me->module_core + me->arch.got_offset +
2556+ gotent = me->module_core_rw + me->arch.got_offset +
2557 info->got_offset;
2558 *gotent = val;
2559 info->got_initialized = 1;
2560@@ -266,7 +266,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2561 else if (r_type == R_390_GOTENT ||
2562 r_type == R_390_GOTPLTENT)
2563 *(unsigned int *) loc =
2564- (val + (Elf_Addr) me->module_core - loc) >> 1;
2565+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
2566 else if (r_type == R_390_GOT64 ||
2567 r_type == R_390_GOTPLT64)
2568 *(unsigned long *) loc = val;
2569@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2570 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
2571 if (info->plt_initialized == 0) {
2572 unsigned int *ip;
2573- ip = me->module_core + me->arch.plt_offset +
2574+ ip = me->module_core_rx + me->arch.plt_offset +
2575 info->plt_offset;
2576 #ifndef CONFIG_64BIT
2577 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
2578@@ -305,7 +305,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2579 val - loc + 0xffffUL < 0x1ffffeUL) ||
2580 (r_type == R_390_PLT32DBL &&
2581 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
2582- val = (Elf_Addr) me->module_core +
2583+ val = (Elf_Addr) me->module_core_rx +
2584 me->arch.plt_offset +
2585 info->plt_offset;
2586 val += rela->r_addend - loc;
2587@@ -327,7 +327,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2588 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
2589 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
2590 val = val + rela->r_addend -
2591- ((Elf_Addr) me->module_core + me->arch.got_offset);
2592+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
2593 if (r_type == R_390_GOTOFF16)
2594 *(unsigned short *) loc = val;
2595 else if (r_type == R_390_GOTOFF32)
2596@@ -337,7 +337,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
2597 break;
2598 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
2599 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
2600- val = (Elf_Addr) me->module_core + me->arch.got_offset +
2601+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
2602 rela->r_addend - loc;
2603 if (r_type == R_390_GOTPC)
2604 *(unsigned int *) loc = val;
2605diff -urNp linux-3.1.1/arch/s390/kernel/process.c linux-3.1.1/arch/s390/kernel/process.c
2606--- linux-3.1.1/arch/s390/kernel/process.c 2011-11-11 15:19:27.000000000 -0500
2607+++ linux-3.1.1/arch/s390/kernel/process.c 2011-11-16 18:39:07.000000000 -0500
2608@@ -319,39 +319,3 @@ unsigned long get_wchan(struct task_stru
2609 }
2610 return 0;
2611 }
2612-
2613-unsigned long arch_align_stack(unsigned long sp)
2614-{
2615- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2616- sp -= get_random_int() & ~PAGE_MASK;
2617- return sp & ~0xf;
2618-}
2619-
2620-static inline unsigned long brk_rnd(void)
2621-{
2622- /* 8MB for 32bit, 1GB for 64bit */
2623- if (is_32bit_task())
2624- return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
2625- else
2626- return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
2627-}
2628-
2629-unsigned long arch_randomize_brk(struct mm_struct *mm)
2630-{
2631- unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
2632-
2633- if (ret < mm->brk)
2634- return mm->brk;
2635- return ret;
2636-}
2637-
2638-unsigned long randomize_et_dyn(unsigned long base)
2639-{
2640- unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2641-
2642- if (!(current->flags & PF_RANDOMIZE))
2643- return base;
2644- if (ret < base)
2645- return base;
2646- return ret;
2647-}
2648diff -urNp linux-3.1.1/arch/s390/kernel/setup.c linux-3.1.1/arch/s390/kernel/setup.c
2649--- linux-3.1.1/arch/s390/kernel/setup.c 2011-11-11 15:19:27.000000000 -0500
2650+++ linux-3.1.1/arch/s390/kernel/setup.c 2011-11-16 18:39:07.000000000 -0500
2651@@ -271,7 +271,7 @@ static int __init early_parse_mem(char *
2652 }
2653 early_param("mem", early_parse_mem);
2654
2655-unsigned int user_mode = HOME_SPACE_MODE;
2656+unsigned int user_mode = SECONDARY_SPACE_MODE;
2657 EXPORT_SYMBOL_GPL(user_mode);
2658
2659 static int set_amode_and_uaccess(unsigned long user_amode,
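Review bot: The default `user_mode` flips from `HOME_SPACE_MODE` to `SECONDARY_SPACE_MODE` with no comment on why, and the hunk does not show whether the boot-time override path still accepts the old value. A short comment above the definition would help, e.g. `/* default to secondary space mode so user and kernel addresses are resolved in separate address spaces; see set_amode_and_uaccess() */` — the separation rationale is my inference from the rest of this patch and should be confirmed before it is written down.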
2660diff -urNp linux-3.1.1/arch/s390/mm/mmap.c linux-3.1.1/arch/s390/mm/mmap.c
2661--- linux-3.1.1/arch/s390/mm/mmap.c 2011-11-11 15:19:27.000000000 -0500
2662+++ linux-3.1.1/arch/s390/mm/mmap.c 2011-11-16 18:39:07.000000000 -0500
2663@@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
2664 */
2665 if (mmap_is_legacy()) {
2666 mm->mmap_base = TASK_UNMAPPED_BASE;
2667+
2668+#ifdef CONFIG_PAX_RANDMMAP
2669+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2670+ mm->mmap_base += mm->delta_mmap;
2671+#endif
2672+
2673 mm->get_unmapped_area = arch_get_unmapped_area;
2674 mm->unmap_area = arch_unmap_area;
2675 } else {
2676 mm->mmap_base = mmap_base();
2677+
2678+#ifdef CONFIG_PAX_RANDMMAP
2679+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2680+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2681+#endif
2682+
2683 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2684 mm->unmap_area = arch_unmap_area_topdown;
2685 }
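Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` in the top-down branch has no check that the subtraction stays above the bottom-up base, and the bottom-up branch's `+= mm->delta_mmap` has no upper bound check either; the second `arch_pick_mmap_layout` hunk below repeats both. Whether this is safe depends on how large `delta_mmap` and `delta_stack` can be, which is fixed by this architecture's PAX_DELTA_*_LEN values and is not visible here, so a comment stating that bound next to the first adjustment, e.g. `/* delta_mmap/delta_stack are bounded by PAX_DELTA_MMAP_LEN/PAX_DELTA_STACK_LEN bits, so this cannot cross the bottom-up base */`, would let a reader verify it without chasing the definition. `arch_pick_mmap_layout` begins outside the hunk.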
2686@@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
2687 */
2688 if (mmap_is_legacy()) {
2689 mm->mmap_base = TASK_UNMAPPED_BASE;
2690+
2691+#ifdef CONFIG_PAX_RANDMMAP
2692+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2693+ mm->mmap_base += mm->delta_mmap;
2694+#endif
2695+
2696 mm->get_unmapped_area = s390_get_unmapped_area;
2697 mm->unmap_area = arch_unmap_area;
2698 } else {
2699 mm->mmap_base = mmap_base();
2700+
2701+#ifdef CONFIG_PAX_RANDMMAP
2702+ if (mm->pax_flags & MF_PAX_RANDMMAP)
2703+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2704+#endif
2705+
2706 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
2707 mm->unmap_area = arch_unmap_area_topdown;
2708 }
2709diff -urNp linux-3.1.1/arch/score/include/asm/system.h linux-3.1.1/arch/score/include/asm/system.h
2710--- linux-3.1.1/arch/score/include/asm/system.h 2011-11-11 15:19:27.000000000 -0500
2711+++ linux-3.1.1/arch/score/include/asm/system.h 2011-11-16 18:39:07.000000000 -0500
2712@@ -17,7 +17,7 @@ do { \
2713 #define finish_arch_switch(prev) do {} while (0)
2714
2715 typedef void (*vi_handler_t)(void);
2716-extern unsigned long arch_align_stack(unsigned long sp);
2717+#define arch_align_stack(x) (x)
2718
2719 #define mb() barrier()
2720 #define rmb() barrier()
2721diff -urNp linux-3.1.1/arch/score/kernel/process.c linux-3.1.1/arch/score/kernel/process.c
2722--- linux-3.1.1/arch/score/kernel/process.c 2011-11-11 15:19:27.000000000 -0500
2723+++ linux-3.1.1/arch/score/kernel/process.c 2011-11-16 18:39:07.000000000 -0500
2724@@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
2725
2726 return task_pt_regs(task)->cp0_epc;
2727 }
2728-
2729-unsigned long arch_align_stack(unsigned long sp)
2730-{
2731- return sp;
2732-}
2733diff -urNp linux-3.1.1/arch/sh/mm/mmap.c linux-3.1.1/arch/sh/mm/mmap.c
2734--- linux-3.1.1/arch/sh/mm/mmap.c 2011-11-11 15:19:27.000000000 -0500
2735+++ linux-3.1.1/arch/sh/mm/mmap.c 2011-11-16 18:39:07.000000000 -0500
2736@@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
2737 addr = PAGE_ALIGN(addr);
2738
2739 vma = find_vma(mm, addr);
2740- if (TASK_SIZE - len >= addr &&
2741- (!vma || addr + len <= vma->vm_start))
2742+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
2743 return addr;
2744 }
2745
2746@@ -106,7 +105,7 @@ full_search:
2747 }
2748 return -ENOMEM;
2749 }
2750- if (likely(!vma || addr + len <= vma->vm_start)) {
2751+ if (likely(check_heap_stack_gap(vma, addr, len))) {
2752 /*
2753 * Remember the place where we stopped the search:
2754 */
2755@@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
2756 addr = PAGE_ALIGN(addr);
2757
2758 vma = find_vma(mm, addr);
2759- if (TASK_SIZE - len >= addr &&
2760- (!vma || addr + len <= vma->vm_start))
2761+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
2762 return addr;
2763 }
2764
2765@@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
2766 /* make sure it can fit in the remaining address space */
2767 if (likely(addr > len)) {
2768 vma = find_vma(mm, addr-len);
2769- if (!vma || addr <= vma->vm_start) {
2770+ if (check_heap_stack_gap(vma, addr - len, len)) {
2771 /* remember the address as a hint for next time */
2772 return (mm->free_area_cache = addr-len);
2773 }
2774@@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
2775 if (unlikely(mm->mmap_base < len))
2776 goto bottomup;
2777
2778- addr = mm->mmap_base-len;
2779- if (do_colour_align)
2780- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
2781+ addr = mm->mmap_base - len;
2782
2783 do {
2784+ if (do_colour_align)
2785+ addr = COLOUR_ALIGN_DOWN(addr, pgoff);
2786 /*
2787 * Lookup failure means no vma is above this address,
2788 * else if new region fits below vma->vm_start,
2789 * return with success:
2790 */
2791 vma = find_vma(mm, addr);
2792- if (likely(!vma || addr+len <= vma->vm_start)) {
2793+ if (likely(check_heap_stack_gap(vma, addr, len))) {
2794 /* remember the address as a hint for next time */
2795 return (mm->free_area_cache = addr);
2796 }
2797@@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
2798 mm->cached_hole_size = vma->vm_start - addr;
2799
2800 /* try just below the current vma->vm_start */
2801- addr = vma->vm_start-len;
2802- if (do_colour_align)
2803- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
2804- } while (likely(len < vma->vm_start));
2805+ addr = skip_heap_stack_gap(vma, len);
2806+ } while (!IS_ERR_VALUE(addr));
2807
2808 bottomup:
2809 /*
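Review bot: The loop now terminates on `while (!IS_ERR_VALUE(addr))` after `addr = skip_heap_stack_gap(vma, len);`, but nothing in this file says that the helper signals "no slot below this vma" with an error value, and neither `skip_heap_stack_gap` nor `check_heap_stack_gap` is defined here. A one-line comment on the assignment, e.g. `/* skip_heap_stack_gap() returns the next candidate below vma, or an error value when no lower slot can fit len */`, would make the new exit condition readable without the helper's source. `arch_get_unmapped_area_topdown` begins and ends outside the hunk.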
2810diff -urNp linux-3.1.1/arch/sparc/include/asm/atomic_64.h linux-3.1.1/arch/sparc/include/asm/atomic_64.h
2811--- linux-3.1.1/arch/sparc/include/asm/atomic_64.h 2011-11-11 15:19:27.000000000 -0500
2812+++ linux-3.1.1/arch/sparc/include/asm/atomic_64.h 2011-11-16 18:39:07.000000000 -0500
2813@@ -14,18 +14,40 @@
2814 #define ATOMIC64_INIT(i) { (i) }
2815
2816 #define atomic_read(v) (*(volatile int *)&(v)->counter)
2817+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
2818+{
2819+ return v->counter;
2820+}
2821 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
2822+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
2823+{
2824+ return v->counter;
2825+}
2826
2827 #define atomic_set(v, i) (((v)->counter) = i)
2828+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
2829+{
2830+ v->counter = i;
2831+}
2832 #define atomic64_set(v, i) (((v)->counter) = i)
2833+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
2834+{
2835+ v->counter = i;
2836+}
2837
2838 extern void atomic_add(int, atomic_t *);
2839+extern void atomic_add_unchecked(int, atomic_unchecked_t *);
2840 extern void atomic64_add(long, atomic64_t *);
2841+extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
2842 extern void atomic_sub(int, atomic_t *);
2843+extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
2844 extern void atomic64_sub(long, atomic64_t *);
2845+extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
2846
2847 extern int atomic_add_ret(int, atomic_t *);
2848+extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
2849 extern long atomic64_add_ret(long, atomic64_t *);
2850+extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
2851 extern int atomic_sub_ret(int, atomic_t *);
2852 extern long atomic64_sub_ret(long, atomic64_t *);
2853
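Review bot: `atomic_read_unchecked` returns `v->counter` directly, while the `atomic_read` macro on the line above reads through `(volatile int *)`, so the unchecked variant lets the compiler cache or merge the load in a loop where the checked one does not; `atomic64_read_unchecked` has the same difference against `atomic64_read`. If the two families are meant to be interchangeable apart from overflow checking, make the bodies `return (*(volatile int *)&v->counter);` and `return (*(volatile long *)&v->counter);` respectively.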
2854@@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomi
2855 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
2856
2857 #define atomic_inc_return(v) atomic_add_ret(1, v)
2858+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
2859+{
2860+ return atomic_add_ret_unchecked(1, v);
2861+}
2862 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
2863+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
2864+{
2865+ return atomic64_add_ret_unchecked(1, v);
2866+}
2867
2868 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
2869 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
2870
2871 #define atomic_add_return(i, v) atomic_add_ret(i, v)
2872+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
2873+{
2874+ return atomic_add_ret_unchecked(i, v);
2875+}
2876 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
2877+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
2878+{
2879+ return atomic64_add_ret_unchecked(i, v);
2880+}
2881
2882 /*
2883 * atomic_inc_and_test - increment and test
2884@@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomi
2885 * other cases.
2886 */
2887 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
2888+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
2889+{
2890+ return atomic_inc_return_unchecked(v) == 0;
2891+}
2892 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
2893
2894 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
2895@@ -59,25 +101,60 @@ extern long atomic64_sub_ret(long, atomi
2896 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
2897
2898 #define atomic_inc(v) atomic_add(1, v)
2899+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
2900+{
2901+ atomic_add_unchecked(1, v);
2902+}
2903 #define atomic64_inc(v) atomic64_add(1, v)
2904+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
2905+{
2906+ atomic64_add_unchecked(1, v);
2907+}
2908
2909 #define atomic_dec(v) atomic_sub(1, v)
2910+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
2911+{
2912+ atomic_sub_unchecked(1, v);
2913+}
2914 #define atomic64_dec(v) atomic64_sub(1, v)
2915+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
2916+{
2917+ atomic64_sub_unchecked(1, v);
2918+}
2919
2920 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
2921 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
2922
2923 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
2924+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
2925+{
2926+ return cmpxchg(&v->counter, old, new);
2927+}
2928 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
2929+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
2930+{
2931+ return xchg(&v->counter, new);
2932+}
2933
2934 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
2935 {
2936- int c, old;
2937+ int c, old, new;
2938 c = atomic_read(v);
2939 for (;;) {
2940- if (unlikely(c == (u)))
2941+ if (unlikely(c == u))
2942 break;
2943- old = atomic_cmpxchg((v), c, c + (a));
2944+
2945+ asm volatile("addcc %2, %0, %0\n"
2946+
2947+#ifdef CONFIG_PAX_REFCOUNT
2948+ "tvs %%icc, 6\n"
2949+#endif
2950+
2951+ : "=r" (new)
2952+ : "0" (c), "ir" (a)
2953+ : "cc");
2954+
2955+ old = atomic_cmpxchg(v, c, new);
2956 if (likely(old == c))
2957 break;
2958 c = old;
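Review bot: The inline asm added to `__atomic_add_unless` has no comment explaining the `addcc`/`tvs %%icc, 6` pair, and `atomic64_add_unless` in the next hunk repeats the same pattern with `%%xcc`. A reader should not need the SPARC trap mnemonics; a comment such as `/* addcc sets the condition codes; under CONFIG_PAX_REFCOUNT, tvs raises trap 6 if the signed add overflowed, so a wrapped count never reaches the cmpxchg */` above the asm would carry that. The loop body continues past the end of the hunk.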
2959@@ -89,20 +166,35 @@ static inline int __atomic_add_unless(at
2960 #define atomic64_cmpxchg(v, o, n) \
2961 ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
2962 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
2963+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
2964+{
2965+ return xchg(&v->counter, new);
2966+}
2967
2968 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
2969 {
2970- long c, old;
2971+ long c, old, new;
2972 c = atomic64_read(v);
2973 for (;;) {
2974- if (unlikely(c == (u)))
2975+ if (unlikely(c == u))
2976 break;
2977- old = atomic64_cmpxchg((v), c, c + (a));
2978+
2979+ asm volatile("addcc %2, %0, %0\n"
2980+
2981+#ifdef CONFIG_PAX_REFCOUNT
2982+ "tvs %%xcc, 6\n"
2983+#endif
2984+
2985+ : "=r" (new)
2986+ : "0" (c), "ir" (a)
2987+ : "cc");
2988+
2989+ old = atomic64_cmpxchg(v, c, new);
2990 if (likely(old == c))
2991 break;
2992 c = old;
2993 }
2994- return c != (u);
2995+ return c != u;
2996 }
2997
2998 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
2999diff -urNp linux-3.1.1/arch/sparc/include/asm/cache.h linux-3.1.1/arch/sparc/include/asm/cache.h
3000--- linux-3.1.1/arch/sparc/include/asm/cache.h 2011-11-11 15:19:27.000000000 -0500
3001+++ linux-3.1.1/arch/sparc/include/asm/cache.h 2011-11-16 18:39:07.000000000 -0500
3002@@ -10,7 +10,7 @@
3003 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
3004
3005 #define L1_CACHE_SHIFT 5
3006-#define L1_CACHE_BYTES 32
3007+#define L1_CACHE_BYTES 32UL
3008
3009 #ifdef CONFIG_SPARC32
3010 #define SMP_CACHE_BYTES_SHIFT 5
3011diff -urNp linux-3.1.1/arch/sparc/include/asm/elf_32.h linux-3.1.1/arch/sparc/include/asm/elf_32.h
3012--- linux-3.1.1/arch/sparc/include/asm/elf_32.h 2011-11-11 15:19:27.000000000 -0500
3013+++ linux-3.1.1/arch/sparc/include/asm/elf_32.h 2011-11-16 18:39:07.000000000 -0500
3014@@ -114,6 +114,13 @@ typedef struct {
3015
3016 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3017
3018+#ifdef CONFIG_PAX_ASLR
3019+#define PAX_ELF_ET_DYN_BASE 0x10000UL
3020+
3021+#define PAX_DELTA_MMAP_LEN 16
3022+#define PAX_DELTA_STACK_LEN 16
3023+#endif
3024+
3025 /* This yields a mask that user programs can use to figure out what
3026 instruction set this cpu supports. This can NOT be done in userspace
3027 on Sparc. */
3028diff -urNp linux-3.1.1/arch/sparc/include/asm/elf_64.h linux-3.1.1/arch/sparc/include/asm/elf_64.h
3029--- linux-3.1.1/arch/sparc/include/asm/elf_64.h 2011-11-11 15:19:27.000000000 -0500
3030+++ linux-3.1.1/arch/sparc/include/asm/elf_64.h 2011-11-16 18:39:07.000000000 -0500
3031@@ -180,6 +180,13 @@ typedef struct {
3032 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3033 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3034
3035+#ifdef CONFIG_PAX_ASLR
3036+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3037+
3038+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3039+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3040+#endif
3041+
3042 extern unsigned long sparc64_elf_hwcap;
3043 #define ELF_HWCAP sparc64_elf_hwcap
3044
3045diff -urNp linux-3.1.1/arch/sparc/include/asm/pgtable_32.h linux-3.1.1/arch/sparc/include/asm/pgtable_32.h
3046--- linux-3.1.1/arch/sparc/include/asm/pgtable_32.h 2011-11-11 15:19:27.000000000 -0500
3047+++ linux-3.1.1/arch/sparc/include/asm/pgtable_32.h 2011-11-16 18:39:07.000000000 -0500
3048@@ -45,6 +45,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3049 BTFIXUPDEF_INT(page_none)
3050 BTFIXUPDEF_INT(page_copy)
3051 BTFIXUPDEF_INT(page_readonly)
3052+
3053+#ifdef CONFIG_PAX_PAGEEXEC
3054+BTFIXUPDEF_INT(page_shared_noexec)
3055+BTFIXUPDEF_INT(page_copy_noexec)
3056+BTFIXUPDEF_INT(page_readonly_noexec)
3057+#endif
3058+
3059 BTFIXUPDEF_INT(page_kernel)
3060
3061 #define PMD_SHIFT SUN4C_PMD_SHIFT
3062@@ -66,6 +73,16 @@ extern pgprot_t PAGE_SHARED;
3063 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3064 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3065
3066+#ifdef CONFIG_PAX_PAGEEXEC
3067+extern pgprot_t PAGE_SHARED_NOEXEC;
3068+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3069+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3070+#else
3071+# define PAGE_SHARED_NOEXEC PAGE_SHARED
3072+# define PAGE_COPY_NOEXEC PAGE_COPY
3073+# define PAGE_READONLY_NOEXEC PAGE_READONLY
3074+#endif
3075+
3076 extern unsigned long page_kernel;
3077
3078 #ifdef MODULE
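Review bot: `PAGE_SHARED_NOEXEC` is declared as an `extern pgprot_t` here, yet the earlier hunk in this file also adds `BTFIXUPDEF_INT(page_shared_noexec)` next to the two `_noexec` fixups that the `PAGE_COPY_NOEXEC`/`PAGE_READONLY_NOEXEC` macros actually use. That mirrors the upstream pairing of `extern pgprot_t PAGE_SHARED` with fixups for only `page_copy`/`page_readonly`, so one of the two `page_shared_noexec` definitions looks redundant; either drop the `BTFIXUPDEF_INT` or define the macro through it like its siblings, and say in a comment which one is authoritative.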
3079diff -urNp linux-3.1.1/arch/sparc/include/asm/pgtsrmmu.h linux-3.1.1/arch/sparc/include/asm/pgtsrmmu.h
3080--- linux-3.1.1/arch/sparc/include/asm/pgtsrmmu.h 2011-11-11 15:19:27.000000000 -0500
3081+++ linux-3.1.1/arch/sparc/include/asm/pgtsrmmu.h 2011-11-16 18:39:07.000000000 -0500
3082@@ -115,6 +115,13 @@
3083 SRMMU_EXEC | SRMMU_REF)
3084 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3085 SRMMU_EXEC | SRMMU_REF)
3086+
3087+#ifdef CONFIG_PAX_PAGEEXEC
3088+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3089+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3090+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3091+#endif
3092+
3093 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3094 SRMMU_DIRTY | SRMMU_REF)
3095
3096diff -urNp linux-3.1.1/arch/sparc/include/asm/spinlock_64.h linux-3.1.1/arch/sparc/include/asm/spinlock_64.h
3097--- linux-3.1.1/arch/sparc/include/asm/spinlock_64.h 2011-11-11 15:19:27.000000000 -0500
3098+++ linux-3.1.1/arch/sparc/include/asm/spinlock_64.h 2011-11-16 18:39:07.000000000 -0500
3099@@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(
3100
3101 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
3102
3103-static void inline arch_read_lock(arch_rwlock_t *lock)
3104+static inline void arch_read_lock(arch_rwlock_t *lock)
3105 {
3106 unsigned long tmp1, tmp2;
3107
3108 __asm__ __volatile__ (
3109 "1: ldsw [%2], %0\n"
3110 " brlz,pn %0, 2f\n"
3111-"4: add %0, 1, %1\n"
3112+"4: addcc %0, 1, %1\n"
3113+
3114+#ifdef CONFIG_PAX_REFCOUNT
3115+" tvs %%icc, 6\n"
3116+#endif
3117+
3118 " cas [%2], %0, %1\n"
3119 " cmp %0, %1\n"
3120 " bne,pn %%icc, 1b\n"
3121@@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_r
3122 " .previous"
3123 : "=&r" (tmp1), "=&r" (tmp2)
3124 : "r" (lock)
3125- : "memory");
3126+ : "memory", "cc");
3127 }
3128
3129-static int inline arch_read_trylock(arch_rwlock_t *lock)
3130+static inline int arch_read_trylock(arch_rwlock_t *lock)
3131 {
3132 int tmp1, tmp2;
3133
3134@@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3135 "1: ldsw [%2], %0\n"
3136 " brlz,a,pn %0, 2f\n"
3137 " mov 0, %0\n"
3138-" add %0, 1, %1\n"
3139+" addcc %0, 1, %1\n"
3140+
3141+#ifdef CONFIG_PAX_REFCOUNT
3142+" tvs %%icc, 6\n"
3143+#endif
3144+
3145 " cas [%2], %0, %1\n"
3146 " cmp %0, %1\n"
3147 " bne,pn %%icc, 1b\n"
3148@@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch
3149 return tmp1;
3150 }
3151
3152-static void inline arch_read_unlock(arch_rwlock_t *lock)
3153+static inline void arch_read_unlock(arch_rwlock_t *lock)
3154 {
3155 unsigned long tmp1, tmp2;
3156
3157 __asm__ __volatile__(
3158 "1: lduw [%2], %0\n"
3159-" sub %0, 1, %1\n"
3160+" subcc %0, 1, %1\n"
3161+
3162+#ifdef CONFIG_PAX_REFCOUNT
3163+" tvs %%icc, 6\n"
3164+#endif
3165+
3166 " cas [%2], %0, %1\n"
3167 " cmp %0, %1\n"
3168 " bne,pn %%xcc, 1b\n"
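Review bot: `arch_read_unlock` now executes `subcc`, which writes the condition codes, but its clobber list at the top of the following hunk is still `: "memory");`, whereas the matching change to `arch_read_lock` earlier in this file extends it to `: "memory", "cc");`. `arch_read_trylock` gets the same `addcc` and its clobber line is outside the hunk, so it should be checked as well. Make the three consistent with `: "memory", "cc");` wherever `addcc`/`subcc` was introduced.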
3169@@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch
3170 : "memory");
3171 }
3172
3173-static void inline arch_write_lock(arch_rwlock_t *lock)
3174+static inline void arch_write_lock(arch_rwlock_t *lock)
3175 {
3176 unsigned long mask, tmp1, tmp2;
3177
3178@@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_
3179 : "memory");
3180 }
3181
3182-static void inline arch_write_unlock(arch_rwlock_t *lock)
3183+static inline void arch_write_unlock(arch_rwlock_t *lock)
3184 {
3185 __asm__ __volatile__(
3186 " stw %%g0, [%0]"
3187@@ -186,7 +201,7 @@ static void inline arch_write_unlock(arc
3188 : "memory");
3189 }
3190
3191-static int inline arch_write_trylock(arch_rwlock_t *lock)
3192+static inline int arch_write_trylock(arch_rwlock_t *lock)
3193 {
3194 unsigned long mask, tmp1, tmp2, result;
3195
3196diff -urNp linux-3.1.1/arch/sparc/include/asm/thread_info_32.h linux-3.1.1/arch/sparc/include/asm/thread_info_32.h
3197--- linux-3.1.1/arch/sparc/include/asm/thread_info_32.h 2011-11-11 15:19:27.000000000 -0500
3198+++ linux-3.1.1/arch/sparc/include/asm/thread_info_32.h 2011-11-16 18:39:07.000000000 -0500
3199@@ -50,6 +50,8 @@ struct thread_info {
3200 unsigned long w_saved;
3201
3202 struct restart_block restart_block;
3203+
3204+ unsigned long lowest_stack;
3205 };
3206
3207 /*
3208diff -urNp linux-3.1.1/arch/sparc/include/asm/thread_info_64.h linux-3.1.1/arch/sparc/include/asm/thread_info_64.h
3209--- linux-3.1.1/arch/sparc/include/asm/thread_info_64.h 2011-11-11 15:19:27.000000000 -0500
3210+++ linux-3.1.1/arch/sparc/include/asm/thread_info_64.h 2011-11-16 18:39:07.000000000 -0500
3211@@ -63,6 +63,8 @@ struct thread_info {
3212 struct pt_regs *kern_una_regs;
3213 unsigned int kern_una_insn;
3214
3215+ unsigned long lowest_stack;
3216+
3217 unsigned long fpregs[0] __attribute__ ((aligned(64)));
3218 };
3219
3220diff -urNp linux-3.1.1/arch/sparc/include/asm/uaccess_32.h linux-3.1.1/arch/sparc/include/asm/uaccess_32.h
3221--- linux-3.1.1/arch/sparc/include/asm/uaccess_32.h 2011-11-11 15:19:27.000000000 -0500
3222+++ linux-3.1.1/arch/sparc/include/asm/uaccess_32.h 2011-11-16 18:39:07.000000000 -0500
3223@@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3224
3225 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3226 {
3227- if (n && __access_ok((unsigned long) to, n))
3228+ if ((long)n < 0)
3229+ return n;
3230+
3231+ if (n && __access_ok((unsigned long) to, n)) {
3232+ if (!__builtin_constant_p(n))
3233+ check_object_size(from, n, true);
3234 return __copy_user(to, (__force void __user *) from, n);
3235- else
3236+ } else
3237 return n;
3238 }
3239
3240 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3241 {
3242+ if ((long)n < 0)
3243+ return n;
3244+
3245+ if (!__builtin_constant_p(n))
3246+ check_object_size(from, n, true);
3247+
3248 return __copy_user(to, (__force void __user *) from, n);
3249 }
3250
3251 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3252 {
3253- if (n && __access_ok((unsigned long) from, n))
3254+ if ((long)n < 0)
3255+ return n;
3256+
3257+ if (n && __access_ok((unsigned long) from, n)) {
3258+ if (!__builtin_constant_p(n))
3259+ check_object_size(to, n, false);
3260 return __copy_user((__force void __user *) to, from, n);
3261- else
3262+ } else
3263 return n;
3264 }
3265
3266 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3267 {
3268+ if ((long)n < 0)
3269+ return n;
3270+
3271 return __copy_user((__force void __user *) to, from, n);
3272 }
3273
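Review bot: `__copy_to_user` gains a `check_object_size(from, n, true)` call, but `__copy_from_user` at the bottom of the hunk gets only the sign check and no `check_object_size(to, n, false)`, while the two non-underscored variants are treated symmetrically. If the omission is deliberate, say so with a one-line comment; otherwise add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user` call. The `if (...) { ... } else return n;` shape in `copy_to_user` and `copy_from_user` also braces only one arm; brace both.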
3274diff -urNp linux-3.1.1/arch/sparc/include/asm/uaccess_64.h linux-3.1.1/arch/sparc/include/asm/uaccess_64.h
3275--- linux-3.1.1/arch/sparc/include/asm/uaccess_64.h 2011-11-11 15:19:27.000000000 -0500
3276+++ linux-3.1.1/arch/sparc/include/asm/uaccess_64.h 2011-11-16 18:39:07.000000000 -0500
3277@@ -10,6 +10,7 @@
3278 #include <linux/compiler.h>
3279 #include <linux/string.h>
3280 #include <linux/thread_info.h>
3281+#include <linux/kernel.h>
3282 #include <asm/asi.h>
3283 #include <asm/system.h>
3284 #include <asm/spitfire.h>
3285@@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
3286 static inline unsigned long __must_check
3287 copy_from_user(void *to, const void __user *from, unsigned long size)
3288 {
3289- unsigned long ret = ___copy_from_user(to, from, size);
3290+ unsigned long ret;
3291
3292+ if ((long)size < 0 || size > INT_MAX)
3293+ return size;
3294+
3295+ if (!__builtin_constant_p(size))
3296+ check_object_size(to, size, false);
3297+
3298+ ret = ___copy_from_user(to, from, size);
3299 if (unlikely(ret))
3300 ret = copy_from_user_fixup(to, from, size);
3301
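Review bot: In `copy_from_user`, `(long)size < 0 || size > INT_MAX` is redundant on sparc64: `unsigned long` is 64-bit there, so any value that is negative as a `long` already exceeds `INT_MAX`, and the same expression appears in the `copy_to_user` hunk below. Keep just `if (size > INT_MAX) return size;` and add a comment saying why an `int` bound applies (presumably the underlying `___copy_*_user` routines take a 32-bit length — confirm). This also differs from the sparc32 and s390 hunks, which check the sign only, so a reader will wonder whether the stricter bound here is intentional.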
3302@@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
3303 static inline unsigned long __must_check
3304 copy_to_user(void __user *to, const void *from, unsigned long size)
3305 {
3306- unsigned long ret = ___copy_to_user(to, from, size);
3307+ unsigned long ret;
3308+
3309+ if ((long)size < 0 || size > INT_MAX)
3310+ return size;
3311+
3312+ if (!__builtin_constant_p(size))
3313+ check_object_size(from, size, true);
3314
3315+ ret = ___copy_to_user(to, from, size);
3316 if (unlikely(ret))
3317 ret = copy_to_user_fixup(to, from, size);
3318 return ret;
3319diff -urNp linux-3.1.1/arch/sparc/include/asm/uaccess.h linux-3.1.1/arch/sparc/include/asm/uaccess.h
3320--- linux-3.1.1/arch/sparc/include/asm/uaccess.h 2011-11-11 15:19:27.000000000 -0500
3321+++ linux-3.1.1/arch/sparc/include/asm/uaccess.h 2011-11-16 18:39:07.000000000 -0500
3322@@ -1,5 +1,13 @@
3323 #ifndef ___ASM_SPARC_UACCESS_H
3324 #define ___ASM_SPARC_UACCESS_H
3325+
3326+#ifdef __KERNEL__
3327+#ifndef __ASSEMBLY__
3328+#include <linux/types.h>
3329+extern void check_object_size(const void *ptr, unsigned long n, bool to);
3330+#endif
3331+#endif
3332+
3333 #if defined(__sparc__) && defined(__arch64__)
3334 #include <asm/uaccess_64.h>
3335 #else
3336diff -urNp linux-3.1.1/arch/sparc/kernel/Makefile linux-3.1.1/arch/sparc/kernel/Makefile
3337--- linux-3.1.1/arch/sparc/kernel/Makefile 2011-11-11 15:19:27.000000000 -0500
3338+++ linux-3.1.1/arch/sparc/kernel/Makefile 2011-11-16 18:39:07.000000000 -0500
3339@@ -3,7 +3,7 @@
3340 #
3341
3342 asflags-y := -ansi
3343-ccflags-y := -Werror
3344+#ccflags-y := -Werror
3345
3346 extra-y := head_$(BITS).o
3347 extra-y += init_task.o
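Review bot: Commenting out `ccflags-y := -Werror` silences every warning in arch/sparc/kernel rather than the specific one the patch appears to trigger, and the hunk does not say which warning that is. Prefer fixing the warning; if it is a known false positive, keep `-Werror` and disable that single diagnostic with a comment naming it, e.g. `# -Werror kept; <WARNING-NAME placeholder> from <FILE placeholder> disabled below because <REASON placeholder>`.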
3348diff -urNp linux-3.1.1/arch/sparc/kernel/process_32.c linux-3.1.1/arch/sparc/kernel/process_32.c
3349--- linux-3.1.1/arch/sparc/kernel/process_32.c 2011-11-11 15:19:27.000000000 -0500
3350+++ linux-3.1.1/arch/sparc/kernel/process_32.c 2011-11-16 18:40:08.000000000 -0500
3351@@ -204,7 +204,7 @@ void __show_backtrace(unsigned long fp)
3352 rw->ins[4], rw->ins[5],
3353 rw->ins[6],
3354 rw->ins[7]);
3355- printk("%pS\n", (void *) rw->ins[7]);
3356+ printk("%pA\n", (void *) rw->ins[7]);
3357 rw = (struct reg_window32 *) rw->ins[6];
3358 }
3359 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
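Review bot: `%pS` becomes `%pA` in the backtrace printk, and the same substitution is made in the other two `process_32.c` hunks and the three `process_64.c` hunks below. As far as I can tell `%pA` is not a format the unpatched 3.1 vsnprintf recognises, so these lines depend on a printk extension elsewhere in this series; a comment at the first use saying what `%pA` prints differently from `%pS` and where it is implemented would save the next reader a search.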
3360@@ -271,14 +271,14 @@ void show_regs(struct pt_regs *r)
3361
3362 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
3363 r->psr, r->pc, r->npc, r->y, print_tainted());
3364- printk("PC: <%pS>\n", (void *) r->pc);
3365+ printk("PC: <%pA>\n", (void *) r->pc);
3366 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
3367 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
3368 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
3369 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
3370 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
3371 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
3372- printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
3373+ printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
3374
3375 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
3376 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
3377@@ -313,7 +313,7 @@ void show_stack(struct task_struct *tsk,
3378 rw = (struct reg_window32 *) fp;
3379 pc = rw->ins[7];
3380 printk("[%08lx : ", pc);
3381- printk("%pS ] ", (void *) pc);
3382+ printk("%pA ] ", (void *) pc);
3383 fp = rw->ins[6];
3384 } while (++count < 16);
3385 printk("\n");
3386diff -urNp linux-3.1.1/arch/sparc/kernel/process_64.c linux-3.1.1/arch/sparc/kernel/process_64.c
3387--- linux-3.1.1/arch/sparc/kernel/process_64.c 2011-11-11 15:19:27.000000000 -0500
3388+++ linux-3.1.1/arch/sparc/kernel/process_64.c 2011-11-16 18:40:08.000000000 -0500
3389@@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
3390 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
3391 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
3392 if (regs->tstate & TSTATE_PRIV)
3393- printk("I7: <%pS>\n", (void *) rwk->ins[7]);
3394+ printk("I7: <%pA>\n", (void *) rwk->ins[7]);
3395 }
3396
3397 void show_regs(struct pt_regs *regs)
3398 {
3399 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
3400 regs->tpc, regs->tnpc, regs->y, print_tainted());
3401- printk("TPC: <%pS>\n", (void *) regs->tpc);
3402+ printk("TPC: <%pA>\n", (void *) regs->tpc);
3403 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
3404 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
3405 regs->u_regs[3]);
3406@@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
3407 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
3408 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
3409 regs->u_regs[15]);
3410- printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
3411+ printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
3412 show_regwindow(regs);
3413 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
3414 }
3415@@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
3416 ((tp && tp->task) ? tp->task->pid : -1));
3417
3418 if (gp->tstate & TSTATE_PRIV) {
3419- printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
3420+ printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
3421 (void *) gp->tpc,
3422 (void *) gp->o7,
3423 (void *) gp->i7,
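Review bot: `%pA` at each rewritten `printk("… %pA …")` in this section is not a pointer extension that stock 3.1 vsprintf recognises, so these lines only print what is intended if a matching lib/vsprintf.c change ships in the same patch; that dependency is not visible from this section and should be stated in a one-line comment at the first use site, e.g. `/* %pA: symbol format added by this patch in lib/vsprintf.c */`. The same `%pS` → `%pA` substitution is made in process_32.c, traps_32.c, traps_64.c, unaligned_64.c and fault_64.c below, so one comment at the first site covers them all. Note that the raw `%08lx`/`%016lx` value is still printed next to each `%pA` here, so whatever `%pA` does to the symbol text does not change what the address column reveals.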
3424diff -urNp linux-3.1.1/arch/sparc/kernel/sys_sparc_32.c linux-3.1.1/arch/sparc/kernel/sys_sparc_32.c
3425--- linux-3.1.1/arch/sparc/kernel/sys_sparc_32.c 2011-11-11 15:19:27.000000000 -0500
3426+++ linux-3.1.1/arch/sparc/kernel/sys_sparc_32.c 2011-11-16 18:39:07.000000000 -0500
3427@@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
3428 if (ARCH_SUN4C && len > 0x20000000)
3429 return -ENOMEM;
3430 if (!addr)
3431- addr = TASK_UNMAPPED_BASE;
3432+ addr = current->mm->mmap_base;
3433
3434 if (flags & MAP_SHARED)
3435 addr = COLOUR_ALIGN(addr);
3436@@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
3437 }
3438 if (TASK_SIZE - PAGE_SIZE - len < addr)
3439 return -ENOMEM;
3440- if (!vmm || addr + len <= vmm->vm_start)
3441+ if (check_heap_stack_gap(vmm, addr, len))
3442 return addr;
3443 addr = vmm->vm_end;
3444 if (flags & MAP_SHARED)
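Review bot: `addr = current->mm->mmap_base;` replaces the TASK_UNMAPPED_BASE default, so the hint now depends on mmap_base having been populated for 32-bit tasks; this file shows no arch_pick_mmap_layout, so presumably the generic layout code fills it in (and, under CONFIG_PAX_RANDMMAP, adds the delta) — a short comment on that line would save the next reader the search. `check_heap_stack_gap(vmm, addr, len)` also changes the acceptance test from the plain `addr + len <= vmm->vm_start` overlap check to one that presumably also honours a gap below the neighbouring vma; since the helper is defined elsewhere in the patch, its contract (non-zero when the range fits) belongs in a comment where it is declared. arch_get_unmapped_area's body starts and ends outside these hunks.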
3445diff -urNp linux-3.1.1/arch/sparc/kernel/sys_sparc_64.c linux-3.1.1/arch/sparc/kernel/sys_sparc_64.c
3446--- linux-3.1.1/arch/sparc/kernel/sys_sparc_64.c 2011-11-11 15:19:27.000000000 -0500
3447+++ linux-3.1.1/arch/sparc/kernel/sys_sparc_64.c 2011-11-16 18:39:07.000000000 -0500
3448@@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
3449 /* We do not accept a shared mapping if it would violate
3450 * cache aliasing constraints.
3451 */
3452- if ((flags & MAP_SHARED) &&
3453+ if ((filp || (flags & MAP_SHARED)) &&
3454 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3455 return -EINVAL;
3456 return addr;
3457@@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
3458 if (filp || (flags & MAP_SHARED))
3459 do_color_align = 1;
3460
3461+#ifdef CONFIG_PAX_RANDMMAP
3462+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
3463+#endif
3464+
3465 if (addr) {
3466 if (do_color_align)
3467 addr = COLOUR_ALIGN(addr, pgoff);
3468@@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
3469 addr = PAGE_ALIGN(addr);
3470
3471 vma = find_vma(mm, addr);
3472- if (task_size - len >= addr &&
3473- (!vma || addr + len <= vma->vm_start))
3474+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
3475 return addr;
3476 }
3477
3478 if (len > mm->cached_hole_size) {
3479- start_addr = addr = mm->free_area_cache;
3480+ start_addr = addr = mm->free_area_cache;
3481 } else {
3482- start_addr = addr = TASK_UNMAPPED_BASE;
3483+ start_addr = addr = mm->mmap_base;
3484 mm->cached_hole_size = 0;
3485 }
3486
3487@@ -174,14 +177,14 @@ full_search:
3488 vma = find_vma(mm, VA_EXCLUDE_END);
3489 }
3490 if (unlikely(task_size < addr)) {
3491- if (start_addr != TASK_UNMAPPED_BASE) {
3492- start_addr = addr = TASK_UNMAPPED_BASE;
3493+ if (start_addr != mm->mmap_base) {
3494+ start_addr = addr = mm->mmap_base;
3495 mm->cached_hole_size = 0;
3496 goto full_search;
3497 }
3498 return -ENOMEM;
3499 }
3500- if (likely(!vma || addr + len <= vma->vm_start)) {
3501+ if (likely(check_heap_stack_gap(vma, addr, len))) {
3502 /*
3503 * Remember the place where we stopped the search:
3504 */
3505@@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
3506 /* We do not accept a shared mapping if it would violate
3507 * cache aliasing constraints.
3508 */
3509- if ((flags & MAP_SHARED) &&
3510+ if ((filp || (flags & MAP_SHARED)) &&
3511 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3512 return -EINVAL;
3513 return addr;
3514@@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
3515 addr = PAGE_ALIGN(addr);
3516
3517 vma = find_vma(mm, addr);
3518- if (task_size - len >= addr &&
3519- (!vma || addr + len <= vma->vm_start))
3520+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
3521 return addr;
3522 }
3523
3524@@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
3525 /* make sure it can fit in the remaining address space */
3526 if (likely(addr > len)) {
3527 vma = find_vma(mm, addr-len);
3528- if (!vma || addr <= vma->vm_start) {
3529+ if (check_heap_stack_gap(vma, addr - len, len)) {
3530 /* remember the address as a hint for next time */
3531 return (mm->free_area_cache = addr-len);
3532 }
3533@@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
3534 if (unlikely(mm->mmap_base < len))
3535 goto bottomup;
3536
3537- addr = mm->mmap_base-len;
3538- if (do_color_align)
3539- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3540+ addr = mm->mmap_base - len;
3541
3542 do {
3543+ if (do_color_align)
3544+ addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3545 /*
3546 * Lookup failure means no vma is above this address,
3547 * else if new region fits below vma->vm_start,
3548 * return with success:
3549 */
3550 vma = find_vma(mm, addr);
3551- if (likely(!vma || addr+len <= vma->vm_start)) {
3552+ if (likely(check_heap_stack_gap(vma, addr, len))) {
3553 /* remember the address as a hint for next time */
3554 return (mm->free_area_cache = addr);
3555 }
3556@@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
3557 mm->cached_hole_size = vma->vm_start - addr;
3558
3559 /* try just below the current vma->vm_start */
3560- addr = vma->vm_start-len;
3561- if (do_color_align)
3562- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3563- } while (likely(len < vma->vm_start));
3564+ addr = skip_heap_stack_gap(vma, len);
3565+ } while (!IS_ERR_VALUE(addr));
3566
3567 bottomup:
3568 /*
3569@@ -390,6 +390,12 @@ void arch_pick_mmap_layout(struct mm_str
3570 gap == RLIM_INFINITY ||
3571 sysctl_legacy_va_layout) {
3572 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
3573+
3574+#ifdef CONFIG_PAX_RANDMMAP
3575+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3576+ mm->mmap_base += mm->delta_mmap;
3577+#endif
3578+
3579 mm->get_unmapped_area = arch_get_unmapped_area;
3580 mm->unmap_area = arch_unmap_area;
3581 } else {
3582@@ -402,6 +408,12 @@ void arch_pick_mmap_layout(struct mm_str
3583 gap = (task_size / 6 * 5);
3584
3585 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
3586+
3587+#ifdef CONFIG_PAX_RANDMMAP
3588+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3589+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3590+#endif
3591+
3592 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3593 mm->unmap_area = arch_unmap_area_topdown;
3594 }
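Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` inserted directly above `if (addr) {` in arch_get_unmapped_area relies on the bare `if` silently taking the whole following `if (addr) { … }` block as its body; it is correct today, but any statement added between the two lines changes the meaning without a diagnostic. Wrapping the hint block in its own braces, or folding the flag test into the `if (addr)` condition inside the `#ifdef`, makes the intent explicit. Separately, `if ((filp || (flags & MAP_SHARED)) &&` in both MAP_FIXED paths now rejects any file-backed MAP_FIXED mapping at a non-SHMLBA-aligned address with -EINVAL, not only shared ones; that is presumably deliberate for D-cache aliasing, but it is a user-visible tightening and the comment above it still says "shared mapping", so it should be updated to match. The topdown loop's `while (!IS_ERR_VALUE(addr))` depends on skip_heap_stack_gap() returning an error value rather than underflowing when len does not fit below the vma; that helper is defined elsewhere in the patch and its error contract is worth a comment at the call site.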
3595diff -urNp linux-3.1.1/arch/sparc/kernel/traps_32.c linux-3.1.1/arch/sparc/kernel/traps_32.c
3596--- linux-3.1.1/arch/sparc/kernel/traps_32.c 2011-11-11 15:19:27.000000000 -0500
3597+++ linux-3.1.1/arch/sparc/kernel/traps_32.c 2011-11-16 18:40:08.000000000 -0500
3598@@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
3599 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
3600 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
3601
3602+extern void gr_handle_kernel_exploit(void);
3603+
3604 void die_if_kernel(char *str, struct pt_regs *regs)
3605 {
3606 static int die_counter;
3607@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
3608 count++ < 30 &&
3609 (((unsigned long) rw) >= PAGE_OFFSET) &&
3610 !(((unsigned long) rw) & 0x7)) {
3611- printk("Caller[%08lx]: %pS\n", rw->ins[7],
3612+ printk("Caller[%08lx]: %pA\n", rw->ins[7],
3613 (void *) rw->ins[7]);
3614 rw = (struct reg_window32 *)rw->ins[6];
3615 }
3616 }
3617 printk("Instruction DUMP:");
3618 instruction_dump ((unsigned long *) regs->pc);
3619- if(regs->psr & PSR_PS)
3620+ if(regs->psr & PSR_PS) {
3621+ gr_handle_kernel_exploit();
3622 do_exit(SIGKILL);
3623+ }
3624 do_exit(SIGSEGV);
3625 }
3626
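Review bot: `extern void gr_handle_kernel_exploit(void);` is declared ad hoc in this .c file (and again in the traps_64.c hunk below) instead of in a shared header; an in-file extern is not checked against the real definition and will drift silently if the signature changes. Declare it once in the header the rest of the grsecurity code uses and include that here. The new `if(regs->psr & PSR_PS) { gr_handle_kernel_exploit(); do_exit(SIGKILL); }` is otherwise straightforward; die_if_kernel's body begins outside this hunk.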
3627diff -urNp linux-3.1.1/arch/sparc/kernel/traps_64.c linux-3.1.1/arch/sparc/kernel/traps_64.c
3628--- linux-3.1.1/arch/sparc/kernel/traps_64.c 2011-11-11 15:19:27.000000000 -0500
3629+++ linux-3.1.1/arch/sparc/kernel/traps_64.c 2011-11-16 18:40:08.000000000 -0500
3630@@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
3631 i + 1,
3632 p->trapstack[i].tstate, p->trapstack[i].tpc,
3633 p->trapstack[i].tnpc, p->trapstack[i].tt);
3634- printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
3635+ printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
3636 }
3637 }
3638
3639@@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
3640
3641 lvl -= 0x100;
3642 if (regs->tstate & TSTATE_PRIV) {
3643+
3644+#ifdef CONFIG_PAX_REFCOUNT
3645+ if (lvl == 6)
3646+ pax_report_refcount_overflow(regs);
3647+#endif
3648+
3649 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
3650 die_if_kernel(buffer, regs);
3651 }
3652@@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
3653 void bad_trap_tl1(struct pt_regs *regs, long lvl)
3654 {
3655 char buffer[32];
3656-
3657+
3658 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
3659 0, lvl, SIGTRAP) == NOTIFY_STOP)
3660 return;
3661
3662+#ifdef CONFIG_PAX_REFCOUNT
3663+ if (lvl == 6)
3664+ pax_report_refcount_overflow(regs);
3665+#endif
3666+
3667 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
3668
3669 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
3670@@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
3671 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
3672 printk("%s" "ERROR(%d): ",
3673 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
3674- printk("TPC<%pS>\n", (void *) regs->tpc);
3675+ printk("TPC<%pA>\n", (void *) regs->tpc);
3676 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
3677 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
3678 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
3679@@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
3680 smp_processor_id(),
3681 (type & 0x1) ? 'I' : 'D',
3682 regs->tpc);
3683- printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
3684+ printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
3685 panic("Irrecoverable Cheetah+ parity error.");
3686 }
3687
3688@@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
3689 smp_processor_id(),
3690 (type & 0x1) ? 'I' : 'D',
3691 regs->tpc);
3692- printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
3693+ printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
3694 }
3695
3696 struct sun4v_error_entry {
3697@@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
3698
3699 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
3700 regs->tpc, tl);
3701- printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
3702+ printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
3703 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
3704- printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
3705+ printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
3706 (void *) regs->u_regs[UREG_I7]);
3707 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
3708 "pte[%lx] error[%lx]\n",
3709@@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
3710
3711 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
3712 regs->tpc, tl);
3713- printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
3714+ printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
3715 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
3716- printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
3717+ printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
3718 (void *) regs->u_regs[UREG_I7]);
3719 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
3720 "pte[%lx] error[%lx]\n",
3721@@ -2195,13 +2206,13 @@ void show_stack(struct task_struct *tsk,
3722 fp = (unsigned long)sf->fp + STACK_BIAS;
3723 }
3724
3725- printk(" [%016lx] %pS\n", pc, (void *) pc);
3726+ printk(" [%016lx] %pA\n", pc, (void *) pc);
3727 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
3728 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
3729 int index = tsk->curr_ret_stack;
3730 if (tsk->ret_stack && index >= graph) {
3731 pc = tsk->ret_stack[index - graph].ret;
3732- printk(" [%016lx] %pS\n", pc, (void *) pc);
3733+ printk(" [%016lx] %pA\n", pc, (void *) pc);
3734 graph++;
3735 }
3736 }
3737@@ -2226,6 +2237,8 @@ static inline struct reg_window *kernel_
3738 return (struct reg_window *) (fp + STACK_BIAS);
3739 }
3740
3741+extern void gr_handle_kernel_exploit(void);
3742+
3743 void die_if_kernel(char *str, struct pt_regs *regs)
3744 {
3745 static int die_counter;
3746@@ -2254,7 +2267,7 @@ void die_if_kernel(char *str, struct pt_
3747 while (rw &&
3748 count++ < 30 &&
3749 kstack_valid(tp, (unsigned long) rw)) {
3750- printk("Caller[%016lx]: %pS\n", rw->ins[7],
3751+ printk("Caller[%016lx]: %pA\n", rw->ins[7],
3752 (void *) rw->ins[7]);
3753
3754 rw = kernel_stack_up(rw);
3755@@ -2267,8 +2280,10 @@ void die_if_kernel(char *str, struct pt_
3756 }
3757 user_instruction_dump ((unsigned int __user *) regs->tpc);
3758 }
3759- if (regs->tstate & TSTATE_PRIV)
3760+ if (regs->tstate & TSTATE_PRIV) {
3761+ gr_handle_kernel_exploit();
3762 do_exit(SIGKILL);
3763+ }
3764 do_exit(SIGSEGV);
3765 }
3766 EXPORT_SYMBOL(die_if_kernel);
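Review bot: `if (lvl == 6)` in bad_trap and bad_trap_tl1 hard-codes the software trap number that atomic_64.S raises with `tvs %icc, 6` / `tvs %xcc, 6`, so the three sites can silently disagree. Give it one named constant in a header both files include — something like `PAX_REFCOUNT_TRAP` (constructed name) — and use it in the assembly and in both `lvl ==` tests, with a comment noting that `lvl -= 0x100` above already converted the trap type to the software trap number. The `-` / `+` pair of blank lines in bad_trap_tl1 appears to differ only in whitespace and should be dropped from the hunk. The bodies of bad_trap and die_if_kernel extend outside these hunks.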
3767diff -urNp linux-3.1.1/arch/sparc/kernel/unaligned_64.c linux-3.1.1/arch/sparc/kernel/unaligned_64.c
3768--- linux-3.1.1/arch/sparc/kernel/unaligned_64.c 2011-11-11 15:19:27.000000000 -0500
3769+++ linux-3.1.1/arch/sparc/kernel/unaligned_64.c 2011-11-16 18:40:08.000000000 -0500
3770@@ -279,7 +279,7 @@ static void log_unaligned(struct pt_regs
3771 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
3772
3773 if (__ratelimit(&ratelimit)) {
3774- printk("Kernel unaligned access at TPC[%lx] %pS\n",
3775+ printk("Kernel unaligned access at TPC[%lx] %pA\n",
3776 regs->tpc, (void *) regs->tpc);
3777 }
3778 }
3779diff -urNp linux-3.1.1/arch/sparc/lib/atomic_64.S linux-3.1.1/arch/sparc/lib/atomic_64.S
3780--- linux-3.1.1/arch/sparc/lib/atomic_64.S 2011-11-11 15:19:27.000000000 -0500
3781+++ linux-3.1.1/arch/sparc/lib/atomic_64.S 2011-11-16 18:39:07.000000000 -0500
3782@@ -18,7 +18,12 @@
3783 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
3784 BACKOFF_SETUP(%o2)
3785 1: lduw [%o1], %g1
3786- add %g1, %o0, %g7
3787+ addcc %g1, %o0, %g7
3788+
3789+#ifdef CONFIG_PAX_REFCOUNT
3790+ tvs %icc, 6
3791+#endif
3792+
3793 cas [%o1], %g1, %g7
3794 cmp %g1, %g7
3795 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
3796@@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
3797 2: BACKOFF_SPIN(%o2, %o3, 1b)
3798 .size atomic_add, .-atomic_add
3799
3800+ .globl atomic_add_unchecked
3801+ .type atomic_add_unchecked,#function
3802+atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3803+ BACKOFF_SETUP(%o2)
3804+1: lduw [%o1], %g1
3805+ add %g1, %o0, %g7
3806+ cas [%o1], %g1, %g7
3807+ cmp %g1, %g7
3808+ bne,pn %icc, 2f
3809+ nop
3810+ retl
3811+ nop
3812+2: BACKOFF_SPIN(%o2, %o3, 1b)
3813+ .size atomic_add_unchecked, .-atomic_add_unchecked
3814+
3815 .globl atomic_sub
3816 .type atomic_sub,#function
3817 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3818 BACKOFF_SETUP(%o2)
3819 1: lduw [%o1], %g1
3820- sub %g1, %o0, %g7
3821+ subcc %g1, %o0, %g7
3822+
3823+#ifdef CONFIG_PAX_REFCOUNT
3824+ tvs %icc, 6
3825+#endif
3826+
3827 cas [%o1], %g1, %g7
3828 cmp %g1, %g7
3829 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
3830@@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
3831 2: BACKOFF_SPIN(%o2, %o3, 1b)
3832 .size atomic_sub, .-atomic_sub
3833
3834+ .globl atomic_sub_unchecked
3835+ .type atomic_sub_unchecked,#function
3836+atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
3837+ BACKOFF_SETUP(%o2)
3838+1: lduw [%o1], %g1
3839+ sub %g1, %o0, %g7
3840+ cas [%o1], %g1, %g7
3841+ cmp %g1, %g7
3842+ bne,pn %icc, 2f
3843+ nop
3844+ retl
3845+ nop
3846+2: BACKOFF_SPIN(%o2, %o3, 1b)
3847+ .size atomic_sub_unchecked, .-atomic_sub_unchecked
3848+
3849 .globl atomic_add_ret
3850 .type atomic_add_ret,#function
3851 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3852 BACKOFF_SETUP(%o2)
3853 1: lduw [%o1], %g1
3854- add %g1, %o0, %g7
3855+ addcc %g1, %o0, %g7
3856+
3857+#ifdef CONFIG_PAX_REFCOUNT
3858+ tvs %icc, 6
3859+#endif
3860+
3861 cas [%o1], %g1, %g7
3862 cmp %g1, %g7
3863 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
3864@@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
3865 2: BACKOFF_SPIN(%o2, %o3, 1b)
3866 .size atomic_add_ret, .-atomic_add_ret
3867
3868+ .globl atomic_add_ret_unchecked
3869+ .type atomic_add_ret_unchecked,#function
3870+atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3871+ BACKOFF_SETUP(%o2)
3872+1: lduw [%o1], %g1
3873+ addcc %g1, %o0, %g7
3874+ cas [%o1], %g1, %g7
3875+ cmp %g1, %g7
3876+ bne,pn %icc, 2f
3877+ add %g7, %o0, %g7
3878+ sra %g7, 0, %o0
3879+ retl
3880+ nop
3881+2: BACKOFF_SPIN(%o2, %o3, 1b)
3882+ .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
3883+
3884 .globl atomic_sub_ret
3885 .type atomic_sub_ret,#function
3886 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
3887 BACKOFF_SETUP(%o2)
3888 1: lduw [%o1], %g1
3889- sub %g1, %o0, %g7
3890+ subcc %g1, %o0, %g7
3891+
3892+#ifdef CONFIG_PAX_REFCOUNT
3893+ tvs %icc, 6
3894+#endif
3895+
3896 cas [%o1], %g1, %g7
3897 cmp %g1, %g7
3898 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
3899@@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
3900 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
3901 BACKOFF_SETUP(%o2)
3902 1: ldx [%o1], %g1
3903- add %g1, %o0, %g7
3904+ addcc %g1, %o0, %g7
3905+
3906+#ifdef CONFIG_PAX_REFCOUNT
3907+ tvs %xcc, 6
3908+#endif
3909+
3910 casx [%o1], %g1, %g7
3911 cmp %g1, %g7
3912 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
3913@@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
3914 2: BACKOFF_SPIN(%o2, %o3, 1b)
3915 .size atomic64_add, .-atomic64_add
3916
3917+ .globl atomic64_add_unchecked
3918+ .type atomic64_add_unchecked,#function
3919+atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3920+ BACKOFF_SETUP(%o2)
3921+1: ldx [%o1], %g1
3922+ addcc %g1, %o0, %g7
3923+ casx [%o1], %g1, %g7
3924+ cmp %g1, %g7
3925+ bne,pn %xcc, 2f
3926+ nop
3927+ retl
3928+ nop
3929+2: BACKOFF_SPIN(%o2, %o3, 1b)
3930+ .size atomic64_add_unchecked, .-atomic64_add_unchecked
3931+
3932 .globl atomic64_sub
3933 .type atomic64_sub,#function
3934 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
3935 BACKOFF_SETUP(%o2)
3936 1: ldx [%o1], %g1
3937- sub %g1, %o0, %g7
3938+ subcc %g1, %o0, %g7
3939+
3940+#ifdef CONFIG_PAX_REFCOUNT
3941+ tvs %xcc, 6
3942+#endif
3943+
3944 casx [%o1], %g1, %g7
3945 cmp %g1, %g7
3946 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
3947@@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
3948 2: BACKOFF_SPIN(%o2, %o3, 1b)
3949 .size atomic64_sub, .-atomic64_sub
3950
3951+ .globl atomic64_sub_unchecked
3952+ .type atomic64_sub_unchecked,#function
3953+atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
3954+ BACKOFF_SETUP(%o2)
3955+1: ldx [%o1], %g1
3956+ subcc %g1, %o0, %g7
3957+ casx [%o1], %g1, %g7
3958+ cmp %g1, %g7
3959+ bne,pn %xcc, 2f
3960+ nop
3961+ retl
3962+ nop
3963+2: BACKOFF_SPIN(%o2, %o3, 1b)
3964+ .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
3965+
3966 .globl atomic64_add_ret
3967 .type atomic64_add_ret,#function
3968 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
3969 BACKOFF_SETUP(%o2)
3970 1: ldx [%o1], %g1
3971- add %g1, %o0, %g7
3972+ addcc %g1, %o0, %g7
3973+
3974+#ifdef CONFIG_PAX_REFCOUNT
3975+ tvs %xcc, 6
3976+#endif
3977+
3978 casx [%o1], %g1, %g7
3979 cmp %g1, %g7
3980 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
3981@@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
3982 2: BACKOFF_SPIN(%o2, %o3, 1b)
3983 .size atomic64_add_ret, .-atomic64_add_ret
3984
3985+ .globl atomic64_add_ret_unchecked
3986+ .type atomic64_add_ret_unchecked,#function
3987+atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
3988+ BACKOFF_SETUP(%o2)
3989+1: ldx [%o1], %g1
3990+ addcc %g1, %o0, %g7
3991+ casx [%o1], %g1, %g7
3992+ cmp %g1, %g7
3993+ bne,pn %xcc, 2f
3994+ add %g7, %o0, %g7
3995+ mov %g7, %o0
3996+ retl
3997+ nop
3998+2: BACKOFF_SPIN(%o2, %o3, 1b)
3999+ .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4000+
4001 .globl atomic64_sub_ret
4002 .type atomic64_sub_ret,#function
4003 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4004 BACKOFF_SETUP(%o2)
4005 1: ldx [%o1], %g1
4006- sub %g1, %o0, %g7
4007+ subcc %g1, %o0, %g7
4008+
4009+#ifdef CONFIG_PAX_REFCOUNT
4010+ tvs %xcc, 6
4011+#endif
4012+
4013 casx [%o1], %g1, %g7
4014 cmp %g1, %g7
4015 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
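Review bot: The new `atomic_*_unchecked` routines retry with `bne,pn %icc, 2f` / `nop` while the checked routines they mirror use `bne,pn %icc, BACKOFF_LABEL(2f, 1b)`; assuming BACKOFF_SPIN's !SMP expansion branches back to `1b` (I believe it does), the result is correct but takes an extra branch per retry on UP and reads as an unintentional difference. Use `BACKOFF_LABEL(2f, 1b)` in every unchecked variant, and pick `add`/`sub` or `addcc`/`subcc` for them consistently — atomic_add_unchecked uses `add`, whereas atomic_add_ret_unchecked and all the atomic64 unchecked variants use `addcc`/`subcc` although nothing in those paths consumes the condition codes. A header comment is also needed: with `tvs` armed under CONFIG_PAX_REFCOUNT, every existing caller that legitimately relies on wrap-around must be moved to the `_unchecked` entry point or it will take the overflow trap, e.g. `/* checked variants trap on signed overflow (CONFIG_PAX_REFCOUNT); use *_unchecked for counters that may wrap */`.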
4016diff -urNp linux-3.1.1/arch/sparc/lib/ksyms.c linux-3.1.1/arch/sparc/lib/ksyms.c
4017--- linux-3.1.1/arch/sparc/lib/ksyms.c 2011-11-11 15:19:27.000000000 -0500
4018+++ linux-3.1.1/arch/sparc/lib/ksyms.c 2011-11-16 18:39:07.000000000 -0500
4019@@ -142,12 +142,18 @@ EXPORT_SYMBOL(__downgrade_write);
4020
4021 /* Atomic counter implementation. */
4022 EXPORT_SYMBOL(atomic_add);
4023+EXPORT_SYMBOL(atomic_add_unchecked);
4024 EXPORT_SYMBOL(atomic_add_ret);
4025+EXPORT_SYMBOL(atomic_add_ret_unchecked);
4026 EXPORT_SYMBOL(atomic_sub);
4027+EXPORT_SYMBOL(atomic_sub_unchecked);
4028 EXPORT_SYMBOL(atomic_sub_ret);
4029 EXPORT_SYMBOL(atomic64_add);
4030+EXPORT_SYMBOL(atomic64_add_unchecked);
4031 EXPORT_SYMBOL(atomic64_add_ret);
4032+EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4033 EXPORT_SYMBOL(atomic64_sub);
4034+EXPORT_SYMBOL(atomic64_sub_unchecked);
4035 EXPORT_SYMBOL(atomic64_sub_ret);
4036
4037 /* Atomic bit operations. */
4038diff -urNp linux-3.1.1/arch/sparc/lib/Makefile linux-3.1.1/arch/sparc/lib/Makefile
4039--- linux-3.1.1/arch/sparc/lib/Makefile 2011-11-11 15:19:27.000000000 -0500
4040+++ linux-3.1.1/arch/sparc/lib/Makefile 2011-11-16 18:39:07.000000000 -0500
4041@@ -2,7 +2,7 @@
4042 #
4043
4044 asflags-y := -ansi -DST_DIV0=0x02
4045-ccflags-y := -Werror
4046+#ccflags-y := -Werror
4047
4048 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
4049 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
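Review bot: `#ccflags-y := -Werror` silences warnings for everything under arch/sparc/lib, not just whatever the new atomic_64.S / ksyms.c changes trigger, and this hunk does not say which warning prompted it. Prefer fixing that warning at its source, or disabling only the specific -W flag for the affected object via a per-file `CFLAGS_<obj>.o` / `AFLAGS_<obj>.o` variable, so that regressions elsewhere in the directory are still caught. If it must stay disabled, leave a comment naming the cause, e.g. `# -Werror disabled: <warning> in <file>` with the placeholders filled in.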
4050diff -urNp linux-3.1.1/arch/sparc/Makefile linux-3.1.1/arch/sparc/Makefile
4051--- linux-3.1.1/arch/sparc/Makefile 2011-11-11 15:19:27.000000000 -0500
4052+++ linux-3.1.1/arch/sparc/Makefile 2011-11-16 18:40:08.000000000 -0500
4053@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4054 # Export what is needed by arch/sparc/boot/Makefile
4055 export VMLINUX_INIT VMLINUX_MAIN
4056 VMLINUX_INIT := $(head-y) $(init-y)
4057-VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4058+VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4059 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4060 VMLINUX_MAIN += $(drivers-y) $(net-y)
4061
4062diff -urNp linux-3.1.1/arch/sparc/mm/fault_32.c linux-3.1.1/arch/sparc/mm/fault_32.c
4063--- linux-3.1.1/arch/sparc/mm/fault_32.c 2011-11-11 15:19:27.000000000 -0500
4064+++ linux-3.1.1/arch/sparc/mm/fault_32.c 2011-11-16 18:39:07.000000000 -0500
4065@@ -22,6 +22,9 @@
4066 #include <linux/interrupt.h>
4067 #include <linux/module.h>
4068 #include <linux/kdebug.h>
4069+#include <linux/slab.h>
4070+#include <linux/pagemap.h>
4071+#include <linux/compiler.h>
4072
4073 #include <asm/system.h>
4074 #include <asm/page.h>
4075@@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4076 return safe_compute_effective_address(regs, insn);
4077 }
4078
4079+#ifdef CONFIG_PAX_PAGEEXEC
4080+#ifdef CONFIG_PAX_DLRESOLVE
4081+static void pax_emuplt_close(struct vm_area_struct *vma)
4082+{
4083+ vma->vm_mm->call_dl_resolve = 0UL;
4084+}
4085+
4086+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4087+{
4088+ unsigned int *kaddr;
4089+
4090+ vmf->page = alloc_page(GFP_HIGHUSER);
4091+ if (!vmf->page)
4092+ return VM_FAULT_OOM;
4093+
4094+ kaddr = kmap(vmf->page);
4095+ memset(kaddr, 0, PAGE_SIZE);
4096+ kaddr[0] = 0x9DE3BFA8U; /* save */
4097+ flush_dcache_page(vmf->page);
4098+ kunmap(vmf->page);
4099+ return VM_FAULT_MAJOR;
4100+}
4101+
4102+static const struct vm_operations_struct pax_vm_ops = {
4103+ .close = pax_emuplt_close,
4104+ .fault = pax_emuplt_fault
4105+};
4106+
4107+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4108+{
4109+ int ret;
4110+
4111+ INIT_LIST_HEAD(&vma->anon_vma_chain);
4112+ vma->vm_mm = current->mm;
4113+ vma->vm_start = addr;
4114+ vma->vm_end = addr + PAGE_SIZE;
4115+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4116+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4117+ vma->vm_ops = &pax_vm_ops;
4118+
4119+ ret = insert_vm_struct(current->mm, vma);
4120+ if (ret)
4121+ return ret;
4122+
4123+ ++current->mm->total_vm;
4124+ return 0;
4125+}
4126+#endif
4127+
4128+/*
4129+ * PaX: decide what to do with offenders (regs->pc = fault address)
4130+ *
4131+ * returns 1 when task should be killed
4132+ * 2 when patched PLT trampoline was detected
4133+ * 3 when unpatched PLT trampoline was detected
4134+ */
4135+static int pax_handle_fetch_fault(struct pt_regs *regs)
4136+{
4137+
4138+#ifdef CONFIG_PAX_EMUPLT
4139+ int err;
4140+
4141+ do { /* PaX: patched PLT emulation #1 */
4142+ unsigned int sethi1, sethi2, jmpl;
4143+
4144+ err = get_user(sethi1, (unsigned int *)regs->pc);
4145+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4146+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4147+
4148+ if (err)
4149+ break;
4150+
4151+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4152+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
4153+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
4154+ {
4155+ unsigned int addr;
4156+
4157+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4158+ addr = regs->u_regs[UREG_G1];
4159+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4160+ regs->pc = addr;
4161+ regs->npc = addr+4;
4162+ return 2;
4163+ }
4164+ } while (0);
4165+
4166+ { /* PaX: patched PLT emulation #2 */
4167+ unsigned int ba;
4168+
4169+ err = get_user(ba, (unsigned int *)regs->pc);
4170+
4171+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4172+ unsigned int addr;
4173+
4174+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4175+ regs->pc = addr;
4176+ regs->npc = addr+4;
4177+ return 2;
4178+ }
4179+ }
4180+
4181+ do { /* PaX: patched PLT emulation #3 */
4182+ unsigned int sethi, jmpl, nop;
4183+
4184+ err = get_user(sethi, (unsigned int *)regs->pc);
4185+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4186+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
4187+
4188+ if (err)
4189+ break;
4190+
4191+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4192+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4193+ nop == 0x01000000U)
4194+ {
4195+ unsigned int addr;
4196+
4197+ addr = (sethi & 0x003FFFFFU) << 10;
4198+ regs->u_regs[UREG_G1] = addr;
4199+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4200+ regs->pc = addr;
4201+ regs->npc = addr+4;
4202+ return 2;
4203+ }
4204+ } while (0);
4205+
4206+ do { /* PaX: unpatched PLT emulation step 1 */
4207+ unsigned int sethi, ba, nop;
4208+
4209+ err = get_user(sethi, (unsigned int *)regs->pc);
4210+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
4211+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
4212+
4213+ if (err)
4214+ break;
4215+
4216+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4217+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4218+ nop == 0x01000000U)
4219+ {
4220+ unsigned int addr, save, call;
4221+
4222+ if ((ba & 0xFFC00000U) == 0x30800000U)
4223+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4224+ else
4225+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4226+
4227+ err = get_user(save, (unsigned int *)addr);
4228+ err |= get_user(call, (unsigned int *)(addr+4));
4229+ err |= get_user(nop, (unsigned int *)(addr+8));
4230+ if (err)
4231+ break;
4232+
4233+#ifdef CONFIG_PAX_DLRESOLVE
4234+ if (save == 0x9DE3BFA8U &&
4235+ (call & 0xC0000000U) == 0x40000000U &&
4236+ nop == 0x01000000U)
4237+ {
4238+ struct vm_area_struct *vma;
4239+ unsigned long call_dl_resolve;
4240+
4241+ down_read(&current->mm->mmap_sem);
4242+ call_dl_resolve = current->mm->call_dl_resolve;
4243+ up_read(&current->mm->mmap_sem);
4244+ if (likely(call_dl_resolve))
4245+ goto emulate;
4246+
4247+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4248+
4249+ down_write(&current->mm->mmap_sem);
4250+ if (current->mm->call_dl_resolve) {
4251+ call_dl_resolve = current->mm->call_dl_resolve;
4252+ up_write(&current->mm->mmap_sem);
4253+ if (vma)
4254+ kmem_cache_free(vm_area_cachep, vma);
4255+ goto emulate;
4256+ }
4257+
4258+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4259+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4260+ up_write(&current->mm->mmap_sem);
4261+ if (vma)
4262+ kmem_cache_free(vm_area_cachep, vma);
4263+ return 1;
4264+ }
4265+
4266+ if (pax_insert_vma(vma, call_dl_resolve)) {
4267+ up_write(&current->mm->mmap_sem);
4268+ kmem_cache_free(vm_area_cachep, vma);
4269+ return 1;
4270+ }
4271+
4272+ current->mm->call_dl_resolve = call_dl_resolve;
4273+ up_write(&current->mm->mmap_sem);
4274+
4275+emulate:
4276+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4277+ regs->pc = call_dl_resolve;
4278+ regs->npc = addr+4;
4279+ return 3;
4280+ }
4281+#endif
4282+
4283+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4284+ if ((save & 0xFFC00000U) == 0x05000000U &&
4285+ (call & 0xFFFFE000U) == 0x85C0A000U &&
4286+ nop == 0x01000000U)
4287+ {
4288+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4289+ regs->u_regs[UREG_G2] = addr + 4;
4290+ addr = (save & 0x003FFFFFU) << 10;
4291+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4292+ regs->pc = addr;
4293+ regs->npc = addr+4;
4294+ return 3;
4295+ }
4296+ }
4297+ } while (0);
4298+
4299+ do { /* PaX: unpatched PLT emulation step 2 */
4300+ unsigned int save, call, nop;
4301+
4302+ err = get_user(save, (unsigned int *)(regs->pc-4));
4303+ err |= get_user(call, (unsigned int *)regs->pc);
4304+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
4305+ if (err)
4306+ break;
4307+
4308+ if (save == 0x9DE3BFA8U &&
4309+ (call & 0xC0000000U) == 0x40000000U &&
4310+ nop == 0x01000000U)
4311+ {
4312+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4313+
4314+ regs->u_regs[UREG_RETPC] = regs->pc;
4315+ regs->pc = dl_resolve;
4316+ regs->npc = dl_resolve+4;
4317+ return 3;
4318+ }
4319+ } while (0);
4320+#endif
4321+
4322+ return 1;
4323+}
4324+
4325+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
4326+{
4327+ unsigned long i;
4328+
4329+ printk(KERN_ERR "PAX: bytes at PC: ");
4330+ for (i = 0; i < 8; i++) {
4331+ unsigned int c;
4332+ if (get_user(c, (unsigned int *)pc+i))
4333+ printk(KERN_CONT "???????? ");
4334+ else
4335+ printk(KERN_CONT "%08x ", c);
4336+ }
4337+ printk("\n");
4338+}
4339+#endif
4340+
4341 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
4342 int text_fault)
4343 {
4344@@ -281,6 +546,24 @@ good_area:
4345 if(!(vma->vm_flags & VM_WRITE))
4346 goto bad_area;
4347 } else {
4348+
4349+#ifdef CONFIG_PAX_PAGEEXEC
4350+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4351+ up_read(&mm->mmap_sem);
4352+ switch (pax_handle_fetch_fault(regs)) {
4353+
4354+#ifdef CONFIG_PAX_EMUPLT
4355+ case 2:
4356+ case 3:
4357+ return;
4358+#endif
4359+
4360+ }
4361+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4362+ do_group_exit(SIGKILL);
4363+ }
4364+#endif
4365+
4366 /* Allow reads even for write-only mappings */
4367 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4368 goto bad_area;
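Review bot: Every user address handed to get_user() in pax_handle_fetch_fault and pax_report_insns is cast as `(unsigned int *)` rather than `(unsigned int __user *)`, unlike `(unsigned int __user *) regs->tpc` in the traps_64.c hunk above; sparse should flag each one, and the missing annotation hides the kernel/user pointer boundary at exactly the place it matters. Change the casts to `(unsigned int __user *)` throughout (in pax_report_insns that is `(unsigned int __user *)pc + i`). The instruction-pattern masks (`0xFFC00000U`, `0x03000000U`, `0x81C06000U`, …) would be far easier to audit as named constants carrying the mnemonic they match; `0x9DE3BFA8U` already has its `/* save */` comment, so extend that treatment to the rest. pax_emuplt_close, pax_emuplt_fault and pax_insert_vma are duplicated verbatim in the fault_64.c hunk that follows and contain nothing 32/64-specific, so they could live in one shared arch/sparc/mm file.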
4369diff -urNp linux-3.1.1/arch/sparc/mm/fault_64.c linux-3.1.1/arch/sparc/mm/fault_64.c
4370--- linux-3.1.1/arch/sparc/mm/fault_64.c 2011-11-11 15:19:27.000000000 -0500
4371+++ linux-3.1.1/arch/sparc/mm/fault_64.c 2011-11-16 18:40:08.000000000 -0500
4372@@ -21,6 +21,9 @@
4373 #include <linux/kprobes.h>
4374 #include <linux/kdebug.h>
4375 #include <linux/percpu.h>
4376+#include <linux/slab.h>
4377+#include <linux/pagemap.h>
4378+#include <linux/compiler.h>
4379
4380 #include <asm/page.h>
4381 #include <asm/pgtable.h>
4382@@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
4383 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
4384 regs->tpc);
4385 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
4386- printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
4387+ printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
4388 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
4389 dump_stack();
4390 unhandled_fault(regs->tpc, current, regs);
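Review bot: `%pA` is not a pointer format that the upstream 3.1 vsprintf understands, so this printk presumably depends on a vsprintf extension made elsewhere in this patch, which is not visible here; if that part were dropped the line would print nothing useful without any compile-time signal. A one-line comment on the printk, `/* %pA: PaX-specific symbol format, see the vsprintf change in this patch */`, would tie the two together for the next reader.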
4391@@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
4392 show_regs(regs);
4393 }
4394
4395+#ifdef CONFIG_PAX_PAGEEXEC
4396+#ifdef CONFIG_PAX_DLRESOLVE
4397+static void pax_emuplt_close(struct vm_area_struct *vma)
4398+{
4399+ vma->vm_mm->call_dl_resolve = 0UL;
4400+}
4401+
4402+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4403+{
4404+ unsigned int *kaddr;
4405+
4406+ vmf->page = alloc_page(GFP_HIGHUSER);
4407+ if (!vmf->page)
4408+ return VM_FAULT_OOM;
4409+
4410+ kaddr = kmap(vmf->page);
4411+ memset(kaddr, 0, PAGE_SIZE);
4412+ kaddr[0] = 0x9DE3BFA8U; /* save */
4413+ flush_dcache_page(vmf->page);
4414+ kunmap(vmf->page);
4415+ return VM_FAULT_MAJOR;
4416+}
4417+
4418+static const struct vm_operations_struct pax_vm_ops = {
4419+ .close = pax_emuplt_close,
4420+ .fault = pax_emuplt_fault
4421+};
4422+
4423+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4424+{
4425+ int ret;
4426+
4427+ INIT_LIST_HEAD(&vma->anon_vma_chain);
4428+ vma->vm_mm = current->mm;
4429+ vma->vm_start = addr;
4430+ vma->vm_end = addr + PAGE_SIZE;
4431+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4432+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4433+ vma->vm_ops = &pax_vm_ops;
4434+
4435+ ret = insert_vm_struct(current->mm, vma);
4436+ if (ret)
4437+ return ret;
4438+
4439+ ++current->mm->total_vm;
4440+ return 0;
4441+}
4442+#endif
4443+
4444+/*
4445+ * PaX: decide what to do with offenders (regs->tpc = fault address)
4446+ *
4447+ * returns 1 when task should be killed
4448+ * 2 when patched PLT trampoline was detected
4449+ * 3 when unpatched PLT trampoline was detected
4450+ */
4451+static int pax_handle_fetch_fault(struct pt_regs *regs)
4452+{
4453+
4454+#ifdef CONFIG_PAX_EMUPLT
4455+ int err;
4456+
4457+ do { /* PaX: patched PLT emulation #1 */
4458+ unsigned int sethi1, sethi2, jmpl;
4459+
4460+ err = get_user(sethi1, (unsigned int *)regs->tpc);
4461+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4462+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4463+
4464+ if (err)
4465+ break;
4466+
4467+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4468+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
4469+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
4470+ {
4471+ unsigned long addr;
4472+
4473+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4474+ addr = regs->u_regs[UREG_G1];
4475+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4476+
4477+ if (test_thread_flag(TIF_32BIT))
4478+ addr &= 0xFFFFFFFFUL;
4479+
4480+ regs->tpc = addr;
4481+ regs->tnpc = addr+4;
4482+ return 2;
4483+ }
4484+ } while (0);
4485+
4486+ { /* PaX: patched PLT emulation #2 */
4487+ unsigned int ba;
4488+
4489+ err = get_user(ba, (unsigned int *)regs->tpc);
4490+
4491+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4492+ unsigned long addr;
4493+
4494+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4495+
4496+ if (test_thread_flag(TIF_32BIT))
4497+ addr &= 0xFFFFFFFFUL;
4498+
4499+ regs->tpc = addr;
4500+ regs->tnpc = addr+4;
4501+ return 2;
4502+ }
4503+ }
4504+
4505+ do { /* PaX: patched PLT emulation #3 */
4506+ unsigned int sethi, jmpl, nop;
4507+
4508+ err = get_user(sethi, (unsigned int *)regs->tpc);
4509+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4510+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4511+
4512+ if (err)
4513+ break;
4514+
4515+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4516+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4517+ nop == 0x01000000U)
4518+ {
4519+ unsigned long addr;
4520+
4521+ addr = (sethi & 0x003FFFFFU) << 10;
4522+ regs->u_regs[UREG_G1] = addr;
4523+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4524+
4525+ if (test_thread_flag(TIF_32BIT))
4526+ addr &= 0xFFFFFFFFUL;
4527+
4528+ regs->tpc = addr;
4529+ regs->tnpc = addr+4;
4530+ return 2;
4531+ }
4532+ } while (0);
4533+
4534+ do { /* PaX: patched PLT emulation #4 */
4535+ unsigned int sethi, mov1, call, mov2;
4536+
4537+ err = get_user(sethi, (unsigned int *)regs->tpc);
4538+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4539+ err |= get_user(call, (unsigned int *)(regs->tpc+8));
4540+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4541+
4542+ if (err)
4543+ break;
4544+
4545+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4546+ mov1 == 0x8210000FU &&
4547+ (call & 0xC0000000U) == 0x40000000U &&
4548+ mov2 == 0x9E100001U)
4549+ {
4550+ unsigned long addr;
4551+
4552+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4553+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4554+
4555+ if (test_thread_flag(TIF_32BIT))
4556+ addr &= 0xFFFFFFFFUL;
4557+
4558+ regs->tpc = addr;
4559+ regs->tnpc = addr+4;
4560+ return 2;
4561+ }
4562+ } while (0);
4563+
4564+ do { /* PaX: patched PLT emulation #5 */
4565+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
4566+
4567+ err = get_user(sethi, (unsigned int *)regs->tpc);
4568+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4569+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4570+ err |= get_user(or1, (unsigned int *)(regs->tpc+12));
4571+ err |= get_user(or2, (unsigned int *)(regs->tpc+16));
4572+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
4573+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
4574+ err |= get_user(nop, (unsigned int *)(regs->tpc+28));
4575+
4576+ if (err)
4577+ break;
4578+
4579+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4580+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
4581+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4582+ (or1 & 0xFFFFE000U) == 0x82106000U &&
4583+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
4584+ sllx == 0x83287020U &&
4585+ jmpl == 0x81C04005U &&
4586+ nop == 0x01000000U)
4587+ {
4588+ unsigned long addr;
4589+
4590+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4591+ regs->u_regs[UREG_G1] <<= 32;
4592+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4593+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4594+ regs->tpc = addr;
4595+ regs->tnpc = addr+4;
4596+ return 2;
4597+ }
4598+ } while (0);
4599+
4600+ do { /* PaX: patched PLT emulation #6 */
4601+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
4602+
4603+ err = get_user(sethi, (unsigned int *)regs->tpc);
4604+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
4605+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
4606+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
4607+ err |= get_user(or, (unsigned int *)(regs->tpc+16));
4608+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
4609+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
4610+
4611+ if (err)
4612+ break;
4613+
4614+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4615+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
4616+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4617+ sllx == 0x83287020U &&
4618+ (or & 0xFFFFE000U) == 0x8A116000U &&
4619+ jmpl == 0x81C04005U &&
4620+ nop == 0x01000000U)
4621+ {
4622+ unsigned long addr;
4623+
4624+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
4625+ regs->u_regs[UREG_G1] <<= 32;
4626+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
4627+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
4628+ regs->tpc = addr;
4629+ regs->tnpc = addr+4;
4630+ return 2;
4631+ }
4632+ } while (0);
4633+
4634+ do { /* PaX: unpatched PLT emulation step 1 */
4635+ unsigned int sethi, ba, nop;
4636+
4637+ err = get_user(sethi, (unsigned int *)regs->tpc);
4638+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4639+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4640+
4641+ if (err)
4642+ break;
4643+
4644+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4645+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4646+ nop == 0x01000000U)
4647+ {
4648+ unsigned long addr;
4649+ unsigned int save, call;
4650+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
4651+
4652+ if ((ba & 0xFFC00000U) == 0x30800000U)
4653+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4654+ else
4655+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4656+
4657+ if (test_thread_flag(TIF_32BIT))
4658+ addr &= 0xFFFFFFFFUL;
4659+
4660+ err = get_user(save, (unsigned int *)addr);
4661+ err |= get_user(call, (unsigned int *)(addr+4));
4662+ err |= get_user(nop, (unsigned int *)(addr+8));
4663+ if (err)
4664+ break;
4665+
4666+#ifdef CONFIG_PAX_DLRESOLVE
4667+ if (save == 0x9DE3BFA8U &&
4668+ (call & 0xC0000000U) == 0x40000000U &&
4669+ nop == 0x01000000U)
4670+ {
4671+ struct vm_area_struct *vma;
4672+ unsigned long call_dl_resolve;
4673+
4674+ down_read(&current->mm->mmap_sem);
4675+ call_dl_resolve = current->mm->call_dl_resolve;
4676+ up_read(&current->mm->mmap_sem);
4677+ if (likely(call_dl_resolve))
4678+ goto emulate;
4679+
4680+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4681+
4682+ down_write(&current->mm->mmap_sem);
4683+ if (current->mm->call_dl_resolve) {
4684+ call_dl_resolve = current->mm->call_dl_resolve;
4685+ up_write(&current->mm->mmap_sem);
4686+ if (vma)
4687+ kmem_cache_free(vm_area_cachep, vma);
4688+ goto emulate;
4689+ }
4690+
4691+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4692+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4693+ up_write(&current->mm->mmap_sem);
4694+ if (vma)
4695+ kmem_cache_free(vm_area_cachep, vma);
4696+ return 1;
4697+ }
4698+
4699+ if (pax_insert_vma(vma, call_dl_resolve)) {
4700+ up_write(&current->mm->mmap_sem);
4701+ kmem_cache_free(vm_area_cachep, vma);
4702+ return 1;
4703+ }
4704+
4705+ current->mm->call_dl_resolve = call_dl_resolve;
4706+ up_write(&current->mm->mmap_sem);
4707+
4708+emulate:
4709+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4710+ regs->tpc = call_dl_resolve;
4711+ regs->tnpc = addr+4;
4712+ return 3;
4713+ }
4714+#endif
4715+
4716+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4717+ if ((save & 0xFFC00000U) == 0x05000000U &&
4718+ (call & 0xFFFFE000U) == 0x85C0A000U &&
4719+ nop == 0x01000000U)
4720+ {
4721+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4722+ regs->u_regs[UREG_G2] = addr + 4;
4723+ addr = (save & 0x003FFFFFU) << 10;
4724+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4725+
4726+ if (test_thread_flag(TIF_32BIT))
4727+ addr &= 0xFFFFFFFFUL;
4728+
4729+ regs->tpc = addr;
4730+ regs->tnpc = addr+4;
4731+ return 3;
4732+ }
4733+
4734+ /* PaX: 64-bit PLT stub */
4735+ err = get_user(sethi1, (unsigned int *)addr);
4736+ err |= get_user(sethi2, (unsigned int *)(addr+4));
4737+ err |= get_user(or1, (unsigned int *)(addr+8));
4738+ err |= get_user(or2, (unsigned int *)(addr+12));
4739+ err |= get_user(sllx, (unsigned int *)(addr+16));
4740+ err |= get_user(add, (unsigned int *)(addr+20));
4741+ err |= get_user(jmpl, (unsigned int *)(addr+24));
4742+ err |= get_user(nop, (unsigned int *)(addr+28));
4743+ if (err)
4744+ break;
4745+
4746+ if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
4747+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
4748+ (or1 & 0xFFFFE000U) == 0x88112000U &&
4749+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
4750+ sllx == 0x89293020U &&
4751+ add == 0x8A010005U &&
4752+ jmpl == 0x89C14000U &&
4753+ nop == 0x01000000U)
4754+ {
4755+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4756+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
4757+ regs->u_regs[UREG_G4] <<= 32;
4758+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
4759+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
4760+ regs->u_regs[UREG_G4] = addr + 24;
4761+ addr = regs->u_regs[UREG_G5];
4762+ regs->tpc = addr;
4763+ regs->tnpc = addr+4;
4764+ return 3;
4765+ }
4766+ }
4767+ } while (0);
4768+
4769+#ifdef CONFIG_PAX_DLRESOLVE
4770+ do { /* PaX: unpatched PLT emulation step 2 */
4771+ unsigned int save, call, nop;
4772+
4773+ err = get_user(save, (unsigned int *)(regs->tpc-4));
4774+ err |= get_user(call, (unsigned int *)regs->tpc);
4775+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
4776+ if (err)
4777+ break;
4778+
4779+ if (save == 0x9DE3BFA8U &&
4780+ (call & 0xC0000000U) == 0x40000000U &&
4781+ nop == 0x01000000U)
4782+ {
4783+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4784+
4785+ if (test_thread_flag(TIF_32BIT))
4786+ dl_resolve &= 0xFFFFFFFFUL;
4787+
4788+ regs->u_regs[UREG_RETPC] = regs->tpc;
4789+ regs->tpc = dl_resolve;
4790+ regs->tnpc = dl_resolve+4;
4791+ return 3;
4792+ }
4793+ } while (0);
4794+#endif
4795+
4796+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
4797+ unsigned int sethi, ba, nop;
4798+
4799+ err = get_user(sethi, (unsigned int *)regs->tpc);
4800+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
4801+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4802+
4803+ if (err)
4804+ break;
4805+
4806+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
4807+ (ba & 0xFFF00000U) == 0x30600000U &&
4808+ nop == 0x01000000U)
4809+ {
4810+ unsigned long addr;
4811+
4812+ addr = (sethi & 0x003FFFFFU) << 10;
4813+ regs->u_regs[UREG_G1] = addr;
4814+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
4815+
4816+ if (test_thread_flag(TIF_32BIT))
4817+ addr &= 0xFFFFFFFFUL;
4818+
4819+ regs->tpc = addr;
4820+ regs->tnpc = addr+4;
4821+ return 2;
4822+ }
4823+ } while (0);
4824+
4825+#endif
4826+
4827+ return 1;
4828+}
4829+
4830+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
4831+{
4832+ unsigned long i;
4833+
4834+ printk(KERN_ERR "PAX: bytes at PC: ");
4835+ for (i = 0; i < 8; i++) {
4836+ unsigned int c;
4837+ if (get_user(c, (unsigned int *)pc+i))
4838+ printk(KERN_CONT "???????? ");
4839+ else
4840+ printk(KERN_CONT "%08x ", c);
4841+ }
4842+ printk("\n");
4843+}
4844+#endif
4845+
4846 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
4847 {
4848 struct mm_struct *mm = current->mm;
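Review bot: The PC-relative branch targets in pax_handle_fetch_fault() are not computed from a consistent base: unpatched step 1 resolves the `ba,a,pt %xcc` found at tpc+4 as `addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);`, patched emulation #7 resolves the same encoding at the same offset as `addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);`, and #4 resolves a call sitting at tpc+8 relative to `regs->tpc + 4`. Either these bases are deliberate or one of the sites is off by 4; a comment at each site naming the instruction address the displacement is taken from would settle it, and a small table test of the arithmetic against the encodings in this hunk would lock it down. Separately, the local `unsigned int or` in emulation #6 reuses the <iso646.h> macro name; `or_insn` avoids that trap if the header is ever pulled in, and the three static helpers under CONFIG_PAX_DLRESOLVE would benefit from a one-line purpose comment each, since only pax_handle_fetch_fault() is documented.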
4849@@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
4850 if (!vma)
4851 goto bad_area;
4852
4853+#ifdef CONFIG_PAX_PAGEEXEC
4854+ /* PaX: detect ITLB misses on non-exec pages */
4855+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
4856+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
4857+ {
4858+ if (address != regs->tpc)
4859+ goto good_area;
4860+
4861+ up_read(&mm->mmap_sem);
4862+ switch (pax_handle_fetch_fault(regs)) {
4863+
4864+#ifdef CONFIG_PAX_EMUPLT
4865+ case 2:
4866+ case 3:
4867+ return;
4868+#endif
4869+
4870+ }
4871+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
4872+ do_group_exit(SIGKILL);
4873+ }
4874+#endif
4875+
4876 /* Pure DTLB misses do not tell us whether the fault causing
4877 * load/store/atomic was a write or not, it only says that there
4878 * was no match. So in such a case we (carefully) read the
4879diff -urNp linux-3.1.1/arch/sparc/mm/hugetlbpage.c linux-3.1.1/arch/sparc/mm/hugetlbpage.c
4880--- linux-3.1.1/arch/sparc/mm/hugetlbpage.c 2011-11-11 15:19:27.000000000 -0500
4881+++ linux-3.1.1/arch/sparc/mm/hugetlbpage.c 2011-11-16 18:39:07.000000000 -0500
4882@@ -68,7 +68,7 @@ full_search:
4883 }
4884 return -ENOMEM;
4885 }
4886- if (likely(!vma || addr + len <= vma->vm_start)) {
4887+ if (likely(check_heap_stack_gap(vma, addr, len))) {
4888 /*
4889 * Remember the place where we stopped the search:
4890 */
4891@@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
4892 /* make sure it can fit in the remaining address space */
4893 if (likely(addr > len)) {
4894 vma = find_vma(mm, addr-len);
4895- if (!vma || addr <= vma->vm_start) {
4896+ if (check_heap_stack_gap(vma, addr - len, len)) {
4897 /* remember the address as a hint for next time */
4898 return (mm->free_area_cache = addr-len);
4899 }
4900@@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
4901 if (unlikely(mm->mmap_base < len))
4902 goto bottomup;
4903
4904- addr = (mm->mmap_base-len) & HPAGE_MASK;
4905+ addr = mm->mmap_base - len;
4906
4907 do {
4908+ addr &= HPAGE_MASK;
4909 /*
4910 * Lookup failure means no vma is above this address,
4911 * else if new region fits below vma->vm_start,
4912 * return with success:
4913 */
4914 vma = find_vma(mm, addr);
4915- if (likely(!vma || addr+len <= vma->vm_start)) {
4916+ if (likely(check_heap_stack_gap(vma, addr, len))) {
4917 /* remember the address as a hint for next time */
4918 return (mm->free_area_cache = addr);
4919 }
4920@@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
4921 mm->cached_hole_size = vma->vm_start - addr;
4922
4923 /* try just below the current vma->vm_start */
4924- addr = (vma->vm_start-len) & HPAGE_MASK;
4925- } while (likely(len < vma->vm_start));
4926+ addr = skip_heap_stack_gap(vma, len);
4927+ } while (!IS_ERR_VALUE(addr));
4928
4929 bottomup:
4930 /*
4931@@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
4932 if (addr) {
4933 addr = ALIGN(addr, HPAGE_SIZE);
4934 vma = find_vma(mm, addr);
4935- if (task_size - len >= addr &&
4936- (!vma || addr + len <= vma->vm_start))
4937+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4938 return addr;
4939 }
4940 if (mm->get_unmapped_area == arch_get_unmapped_area)
4941diff -urNp linux-3.1.1/arch/sparc/mm/init_32.c linux-3.1.1/arch/sparc/mm/init_32.c
4942--- linux-3.1.1/arch/sparc/mm/init_32.c 2011-11-11 15:19:27.000000000 -0500
4943+++ linux-3.1.1/arch/sparc/mm/init_32.c 2011-11-16 18:39:07.000000000 -0500
4944@@ -316,6 +316,9 @@ extern void device_scan(void);
4945 pgprot_t PAGE_SHARED __read_mostly;
4946 EXPORT_SYMBOL(PAGE_SHARED);
4947
4948+pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
4949+EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
4950+
4951 void __init paging_init(void)
4952 {
4953 switch(sparc_cpu_model) {
4954@@ -344,17 +347,17 @@ void __init paging_init(void)
4955
4956 /* Initialize the protection map with non-constant, MMU dependent values. */
4957 protection_map[0] = PAGE_NONE;
4958- protection_map[1] = PAGE_READONLY;
4959- protection_map[2] = PAGE_COPY;
4960- protection_map[3] = PAGE_COPY;
4961+ protection_map[1] = PAGE_READONLY_NOEXEC;
4962+ protection_map[2] = PAGE_COPY_NOEXEC;
4963+ protection_map[3] = PAGE_COPY_NOEXEC;
4964 protection_map[4] = PAGE_READONLY;
4965 protection_map[5] = PAGE_READONLY;
4966 protection_map[6] = PAGE_COPY;
4967 protection_map[7] = PAGE_COPY;
4968 protection_map[8] = PAGE_NONE;
4969- protection_map[9] = PAGE_READONLY;
4970- protection_map[10] = PAGE_SHARED;
4971- protection_map[11] = PAGE_SHARED;
4972+ protection_map[9] = PAGE_READONLY_NOEXEC;
4973+ protection_map[10] = PAGE_SHARED_NOEXEC;
4974+ protection_map[11] = PAGE_SHARED_NOEXEC;
4975 protection_map[12] = PAGE_READONLY;
4976 protection_map[13] = PAGE_READONLY;
4977 protection_map[14] = PAGE_SHARED;
4978diff -urNp linux-3.1.1/arch/sparc/mm/Makefile linux-3.1.1/arch/sparc/mm/Makefile
4979--- linux-3.1.1/arch/sparc/mm/Makefile 2011-11-11 15:19:27.000000000 -0500
4980+++ linux-3.1.1/arch/sparc/mm/Makefile 2011-11-16 18:39:07.000000000 -0500
4981@@ -2,7 +2,7 @@
4982 #
4983
4984 asflags-y := -ansi
4985-ccflags-y := -Werror
4986+#ccflags-y := -Werror
4987
4988 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o gup.o
4989 obj-y += fault_$(BITS).o
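Review bot: Commenting out `ccflags-y := -Werror` relaxes warnings-as-errors for every object in arch/sparc/mm, not just the fault handlers this patch extends, so any warning the new code (or a later change) introduces now builds silently. If a specific warning in the PaX additions motivated this, fixing it or scoping the relaxation to that object with a `CFLAGS_fault_64.o` style override keeps the check for the rest of the directory; a comment naming the warning would help either way.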
4990diff -urNp linux-3.1.1/arch/sparc/mm/srmmu.c linux-3.1.1/arch/sparc/mm/srmmu.c
4991--- linux-3.1.1/arch/sparc/mm/srmmu.c 2011-11-11 15:19:27.000000000 -0500
4992+++ linux-3.1.1/arch/sparc/mm/srmmu.c 2011-11-16 18:39:07.000000000 -0500
4993@@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
4994 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
4995 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
4996 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
4997+
4998+#ifdef CONFIG_PAX_PAGEEXEC
4999+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5000+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5001+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5002+#endif
5003+
5004 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5005 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5006
5007diff -urNp linux-3.1.1/arch/um/include/asm/kmap_types.h linux-3.1.1/arch/um/include/asm/kmap_types.h
5008--- linux-3.1.1/arch/um/include/asm/kmap_types.h 2011-11-11 15:19:27.000000000 -0500
5009+++ linux-3.1.1/arch/um/include/asm/kmap_types.h 2011-11-16 18:39:07.000000000 -0500
5010@@ -23,6 +23,7 @@ enum km_type {
5011 KM_IRQ1,
5012 KM_SOFTIRQ0,
5013 KM_SOFTIRQ1,
5014+ KM_CLEARPAGE,
5015 KM_TYPE_NR
5016 };
5017
5018diff -urNp linux-3.1.1/arch/um/include/asm/page.h linux-3.1.1/arch/um/include/asm/page.h
5019--- linux-3.1.1/arch/um/include/asm/page.h 2011-11-11 15:19:27.000000000 -0500
5020+++ linux-3.1.1/arch/um/include/asm/page.h 2011-11-16 18:39:07.000000000 -0500
5021@@ -14,6 +14,9 @@
5022 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5023 #define PAGE_MASK (~(PAGE_SIZE-1))
5024
5025+#define ktla_ktva(addr) (addr)
5026+#define ktva_ktla(addr) (addr)
5027+
5028 #ifndef __ASSEMBLY__
5029
5030 struct page;
5031diff -urNp linux-3.1.1/arch/um/kernel/process.c linux-3.1.1/arch/um/kernel/process.c
5032--- linux-3.1.1/arch/um/kernel/process.c 2011-11-11 15:19:27.000000000 -0500
5033+++ linux-3.1.1/arch/um/kernel/process.c 2011-11-16 18:39:07.000000000 -0500
5034@@ -404,22 +404,6 @@ int singlestepping(void * t)
5035 return 2;
5036 }
5037
5038-/*
5039- * Only x86 and x86_64 have an arch_align_stack().
5040- * All other arches have "#define arch_align_stack(x) (x)"
5041- * in their asm/system.h
5042- * As this is included in UML from asm-um/system-generic.h,
5043- * we can use it to behave as the subarch does.
5044- */
5045-#ifndef arch_align_stack
5046-unsigned long arch_align_stack(unsigned long sp)
5047-{
5048- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5049- sp -= get_random_int() % 8192;
5050- return sp & ~0xf;
5051-}
5052-#endif
5053-
5054 unsigned long get_wchan(struct task_struct *p)
5055 {
5056 unsigned long stack_page, sp, ip;
5057diff -urNp linux-3.1.1/arch/um/Makefile linux-3.1.1/arch/um/Makefile
5058--- linux-3.1.1/arch/um/Makefile 2011-11-11 15:19:27.000000000 -0500
5059+++ linux-3.1.1/arch/um/Makefile 2011-11-16 18:39:07.000000000 -0500
5060@@ -49,6 +49,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINE
5061 $(patsubst -I%,,$(KBUILD_CFLAGS)))) $(ARCH_INCLUDE) $(MODE_INCLUDE) \
5062 $(filter -I%,$(CFLAGS)) -D_FILE_OFFSET_BITS=64
5063
5064+ifdef CONSTIFY_PLUGIN
5065+USER_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5066+endif
5067+
5068 include $(srctree)/$(ARCH_DIR)/Makefile-$(SUBARCH)
5069
5070 #This will adjust *FLAGS accordingly to the platform.
5071diff -urNp linux-3.1.1/arch/um/sys-i386/shared/sysdep/system.h linux-3.1.1/arch/um/sys-i386/shared/sysdep/system.h
5072--- linux-3.1.1/arch/um/sys-i386/shared/sysdep/system.h 2011-11-11 15:19:27.000000000 -0500
5073+++ linux-3.1.1/arch/um/sys-i386/shared/sysdep/system.h 2011-11-16 18:39:07.000000000 -0500
5074@@ -17,7 +17,7 @@
5075 # define AT_VECTOR_SIZE_ARCH 1
5076 #endif
5077
5078-extern unsigned long arch_align_stack(unsigned long sp);
5079+#define arch_align_stack(x) ((x) & ~0xfUL)
5080
5081 void default_idle(void);
5082
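Review bot: Replacing the `extern` prototype with `#define arch_align_stack(x) ((x) & ~0xfUL)`, together with the deletion of the randomized arch_align_stack() in arch/um/kernel/process.c, means UML no longer subtracts the `get_random_int() % 8192` offset from the initial stack pointer. If the intent is that PaX's own ASLR now covers the stack top on UML, a comment at this define saying so would stop the change from being read as a loss of randomization. The same replacement is made in the x86_64 sysdep header further down.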
5083diff -urNp linux-3.1.1/arch/um/sys-i386/syscalls.c linux-3.1.1/arch/um/sys-i386/syscalls.c
5084--- linux-3.1.1/arch/um/sys-i386/syscalls.c 2011-11-11 15:19:27.000000000 -0500
5085+++ linux-3.1.1/arch/um/sys-i386/syscalls.c 2011-11-16 18:39:07.000000000 -0500
5086@@ -11,6 +11,21 @@
5087 #include "asm/uaccess.h"
5088 #include "asm/unistd.h"
5089
5090+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5091+{
5092+ unsigned long pax_task_size = TASK_SIZE;
5093+
5094+#ifdef CONFIG_PAX_SEGMEXEC
5095+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5096+ pax_task_size = SEGMEXEC_TASK_SIZE;
5097+#endif
5098+
5099+ if (len > pax_task_size || addr > pax_task_size - len)
5100+ return -EINVAL;
5101+
5102+ return 0;
5103+}
5104+
5105 /*
5106 * The prototype on i386 is:
5107 *
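Review bot: i386_mmap_check() is introduced with external linkage but no header comment, and nothing in the hunk says who calls it or what the -EINVAL contract is. A short block above it would document it: checks that the range [addr, addr+len) fits below the task size, which CONFIG_PAX_SEGMEXEC may reduce to SEGMEXEC_TASK_SIZE, and returns -EINVAL otherwise. The `addr > pax_task_size - len` form is deliberately written to avoid the overflow of `addr + len` and deserves a why-comment so nobody "simplifies" it later.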
5108diff -urNp linux-3.1.1/arch/um/sys-x86_64/shared/sysdep/system.h linux-3.1.1/arch/um/sys-x86_64/shared/sysdep/system.h
5109--- linux-3.1.1/arch/um/sys-x86_64/shared/sysdep/system.h 2011-11-11 15:19:27.000000000 -0500
5110+++ linux-3.1.1/arch/um/sys-x86_64/shared/sysdep/system.h 2011-11-16 18:39:07.000000000 -0500
5111@@ -17,7 +17,7 @@
5112 # define AT_VECTOR_SIZE_ARCH 1
5113 #endif
5114
5115-extern unsigned long arch_align_stack(unsigned long sp);
5116+#define arch_align_stack(x) ((x) & ~0xfUL)
5117
5118 void default_idle(void);
5119
5120diff -urNp linux-3.1.1/arch/x86/boot/bitops.h linux-3.1.1/arch/x86/boot/bitops.h
5121--- linux-3.1.1/arch/x86/boot/bitops.h 2011-11-11 15:19:27.000000000 -0500
5122+++ linux-3.1.1/arch/x86/boot/bitops.h 2011-11-16 18:39:07.000000000 -0500
5123@@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5124 u8 v;
5125 const u32 *p = (const u32 *)addr;
5126
5127- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5128+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5129 return v;
5130 }
5131
5132@@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5133
5134 static inline void set_bit(int nr, void *addr)
5135 {
5136- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5137+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5138 }
5139
5140 #endif /* BOOT_BITOPS_H */
5141diff -urNp linux-3.1.1/arch/x86/boot/boot.h linux-3.1.1/arch/x86/boot/boot.h
5142--- linux-3.1.1/arch/x86/boot/boot.h 2011-11-11 15:19:27.000000000 -0500
5143+++ linux-3.1.1/arch/x86/boot/boot.h 2011-11-16 18:39:07.000000000 -0500
5144@@ -85,7 +85,7 @@ static inline void io_delay(void)
5145 static inline u16 ds(void)
5146 {
5147 u16 seg;
5148- asm("movw %%ds,%0" : "=rm" (seg));
5149+ asm volatile("movw %%ds,%0" : "=rm" (seg));
5150 return seg;
5151 }
5152
5153@@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5154 static inline int memcmp(const void *s1, const void *s2, size_t len)
5155 {
5156 u8 diff;
5157- asm("repe; cmpsb; setnz %0"
5158+ asm volatile("repe; cmpsb; setnz %0"
5159 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5160 return diff;
5161 }
5162diff -urNp linux-3.1.1/arch/x86/boot/compressed/head_32.S linux-3.1.1/arch/x86/boot/compressed/head_32.S
5163--- linux-3.1.1/arch/x86/boot/compressed/head_32.S 2011-11-11 15:19:27.000000000 -0500
5164+++ linux-3.1.1/arch/x86/boot/compressed/head_32.S 2011-11-16 18:39:07.000000000 -0500
5165@@ -76,7 +76,7 @@ ENTRY(startup_32)
5166 notl %eax
5167 andl %eax, %ebx
5168 #else
5169- movl $LOAD_PHYSICAL_ADDR, %ebx
5170+ movl $____LOAD_PHYSICAL_ADDR, %ebx
5171 #endif
5172
5173 /* Target address to relocate to for decompression */
5174@@ -162,7 +162,7 @@ relocated:
5175 * and where it was actually loaded.
5176 */
5177 movl %ebp, %ebx
5178- subl $LOAD_PHYSICAL_ADDR, %ebx
5179+ subl $____LOAD_PHYSICAL_ADDR, %ebx
5180 jz 2f /* Nothing to be done if loaded at compiled addr. */
5181 /*
5182 * Process relocations.
5183@@ -170,8 +170,7 @@ relocated:
5184
5185 1: subl $4, %edi
5186 movl (%edi), %ecx
5187- testl %ecx, %ecx
5188- jz 2f
5189+ jecxz 2f
5190 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5191 jmp 1b
5192 2:
5193diff -urNp linux-3.1.1/arch/x86/boot/compressed/head_64.S linux-3.1.1/arch/x86/boot/compressed/head_64.S
5194--- linux-3.1.1/arch/x86/boot/compressed/head_64.S 2011-11-11 15:19:27.000000000 -0500
5195+++ linux-3.1.1/arch/x86/boot/compressed/head_64.S 2011-11-16 18:39:07.000000000 -0500
5196@@ -91,7 +91,7 @@ ENTRY(startup_32)
5197 notl %eax
5198 andl %eax, %ebx
5199 #else
5200- movl $LOAD_PHYSICAL_ADDR, %ebx
5201+ movl $____LOAD_PHYSICAL_ADDR, %ebx
5202 #endif
5203
5204 /* Target address to relocate to for decompression */
5205@@ -233,7 +233,7 @@ ENTRY(startup_64)
5206 notq %rax
5207 andq %rax, %rbp
5208 #else
5209- movq $LOAD_PHYSICAL_ADDR, %rbp
5210+ movq $____LOAD_PHYSICAL_ADDR, %rbp
5211 #endif
5212
5213 /* Target address to relocate to for decompression */
5214diff -urNp linux-3.1.1/arch/x86/boot/compressed/Makefile linux-3.1.1/arch/x86/boot/compressed/Makefile
5215--- linux-3.1.1/arch/x86/boot/compressed/Makefile 2011-11-11 15:19:27.000000000 -0500
5216+++ linux-3.1.1/arch/x86/boot/compressed/Makefile 2011-11-16 18:39:07.000000000 -0500
5217@@ -14,6 +14,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=smal
5218 KBUILD_CFLAGS += $(cflags-y)
5219 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
5220 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
5221+ifdef CONSTIFY_PLUGIN
5222+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5223+endif
5224
5225 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
5226 GCOV_PROFILE := n
5227diff -urNp linux-3.1.1/arch/x86/boot/compressed/misc.c linux-3.1.1/arch/x86/boot/compressed/misc.c
5228--- linux-3.1.1/arch/x86/boot/compressed/misc.c 2011-11-11 15:19:27.000000000 -0500
5229+++ linux-3.1.1/arch/x86/boot/compressed/misc.c 2011-11-16 18:39:07.000000000 -0500
5230@@ -310,7 +310,7 @@ static void parse_elf(void *output)
5231 case PT_LOAD:
5232 #ifdef CONFIG_RELOCATABLE
5233 dest = output;
5234- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5235+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5236 #else
5237 dest = (void *)(phdr->p_paddr);
5238 #endif
5239@@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
5240 error("Destination address too large");
5241 #endif
5242 #ifndef CONFIG_RELOCATABLE
5243- if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5244+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5245 error("Wrong destination address");
5246 #endif
5247
5248diff -urNp linux-3.1.1/arch/x86/boot/compressed/relocs.c linux-3.1.1/arch/x86/boot/compressed/relocs.c
5249--- linux-3.1.1/arch/x86/boot/compressed/relocs.c 2011-11-11 15:19:27.000000000 -0500
5250+++ linux-3.1.1/arch/x86/boot/compressed/relocs.c 2011-11-16 18:39:07.000000000 -0500
5251@@ -13,8 +13,11 @@
5252
5253 static void die(char *fmt, ...);
5254
5255+#include "../../../../include/generated/autoconf.h"
5256+
5257 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5258 static Elf32_Ehdr ehdr;
5259+static Elf32_Phdr *phdr;
5260 static unsigned long reloc_count, reloc_idx;
5261 static unsigned long *relocs;
5262
5263@@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5264 }
5265 }
5266
5267+static void read_phdrs(FILE *fp)
5268+{
5269+ unsigned int i;
5270+
5271+ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5272+ if (!phdr) {
5273+ die("Unable to allocate %d program headers\n",
5274+ ehdr.e_phnum);
5275+ }
5276+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5277+ die("Seek to %d failed: %s\n",
5278+ ehdr.e_phoff, strerror(errno));
5279+ }
5280+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5281+ die("Cannot read ELF program headers: %s\n",
5282+ strerror(errno));
5283+ }
5284+ for(i = 0; i < ehdr.e_phnum; i++) {
5285+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5286+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5287+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5288+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5289+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5290+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5291+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5292+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5293+ }
5294+
5295+}
5296+
5297 static void read_shdrs(FILE *fp)
5298 {
5299- int i;
5300+ unsigned int i;
5301 Elf32_Shdr shdr;
5302
5303 secs = calloc(ehdr.e_shnum, sizeof(struct section));
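Review bot: In read_phdrs() the seek-failure message formats `ehdr.e_phoff` with `%d` although Elf32_Off is an unsigned 32-bit type; `die("Seek to %u failed: %s\n", ehdr.e_phoff, strerror(errno));` matches the argument. The short-read branch reports `strerror(errno)` even when fread() stopped at EOF without setting errno, so the message can be misleading for a truncated file; checking `feof(fp)` first, or saying "short read", would be more accurate. The stray blank line before the closing brace can go.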
5304@@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5305
5306 static void read_strtabs(FILE *fp)
5307 {
5308- int i;
5309+ unsigned int i;
5310 for (i = 0; i < ehdr.e_shnum; i++) {
5311 struct section *sec = &secs[i];
5312 if (sec->shdr.sh_type != SHT_STRTAB) {
5313@@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5314
5315 static void read_symtabs(FILE *fp)
5316 {
5317- int i,j;
5318+ unsigned int i,j;
5319 for (i = 0; i < ehdr.e_shnum; i++) {
5320 struct section *sec = &secs[i];
5321 if (sec->shdr.sh_type != SHT_SYMTAB) {
5322@@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5323
5324 static void read_relocs(FILE *fp)
5325 {
5326- int i,j;
5327+ unsigned int i,j;
5328+ uint32_t base;
5329+
5330 for (i = 0; i < ehdr.e_shnum; i++) {
5331 struct section *sec = &secs[i];
5332 if (sec->shdr.sh_type != SHT_REL) {
5333@@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5334 die("Cannot read symbol table: %s\n",
5335 strerror(errno));
5336 }
5337+ base = 0;
5338+ for (j = 0; j < ehdr.e_phnum; j++) {
5339+ if (phdr[j].p_type != PT_LOAD )
5340+ continue;
5341+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5342+ continue;
5343+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5344+ break;
5345+ }
5346 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5347 Elf32_Rel *rel = &sec->reltab[j];
5348- rel->r_offset = elf32_to_cpu(rel->r_offset);
5349+ rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5350 rel->r_info = elf32_to_cpu(rel->r_info);
5351 }
5352 }
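Review bot: The PT_LOAD lookup added to read_relocs indexes `secs[sec->shdr.sh_info]` twice on one very long line without checking that `sh_info` is below `ehdr.e_shnum`; I see no such check in this hunk, so a malformed relocation section would read past the `secs` array. Hoisting the target section into a local after a bounds check — `if (sec->shdr.sh_info >= ehdr.e_shnum) die("Bad sh_info in section %u\n", i);` then `struct section *sec_applies = &secs[sec->shdr.sh_info];` — fixes both the readability and the bounds issue. The match also tests only the target section's start offset, so a section straddling two segments is attributed to the first one, and `phdr[j].p_offset + phdr[j].p_filesz` is 32-bit unsigned arithmetic that can wrap on a corrupt header. read_relocs begins in the previous hunk.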
5353@@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5354
5355 static void print_absolute_symbols(void)
5356 {
5357- int i;
5358+ unsigned int i;
5359 printf("Absolute symbols\n");
5360 printf(" Num: Value Size Type Bind Visibility Name\n");
5361 for (i = 0; i < ehdr.e_shnum; i++) {
5362 struct section *sec = &secs[i];
5363 char *sym_strtab;
5364 Elf32_Sym *sh_symtab;
5365- int j;
5366+ unsigned int j;
5367
5368 if (sec->shdr.sh_type != SHT_SYMTAB) {
5369 continue;
5370@@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5371
5372 static void print_absolute_relocs(void)
5373 {
5374- int i, printed = 0;
5375+ unsigned int i, printed = 0;
5376
5377 for (i = 0; i < ehdr.e_shnum; i++) {
5378 struct section *sec = &secs[i];
5379 struct section *sec_applies, *sec_symtab;
5380 char *sym_strtab;
5381 Elf32_Sym *sh_symtab;
5382- int j;
5383+ unsigned int j;
5384 if (sec->shdr.sh_type != SHT_REL) {
5385 continue;
5386 }
5387@@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5388
5389 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5390 {
5391- int i;
5392+ unsigned int i;
5393 /* Walk through the relocations */
5394 for (i = 0; i < ehdr.e_shnum; i++) {
5395 char *sym_strtab;
5396 Elf32_Sym *sh_symtab;
5397 struct section *sec_applies, *sec_symtab;
5398- int j;
5399+ unsigned int j;
5400 struct section *sec = &secs[i];
5401
5402 if (sec->shdr.sh_type != SHT_REL) {
5403@@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5404 !is_rel_reloc(sym_name(sym_strtab, sym))) {
5405 continue;
5406 }
5407+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5408+ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5409+ continue;
5410+
5411+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5412+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5413+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5414+ continue;
5415+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5416+ continue;
5417+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5418+ continue;
5419+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
5420+ continue;
5421+#endif
5422+
5423 switch (r_type) {
5424 case R_386_NONE:
5425 case R_386_PC32:
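Review bot: The new skip rules in walk_relocs call `sec_name(sym->st_shndx)` up to five times and `sym_name(sym_strtab, sym)` up to three times per relocation; hoist them once — `const char *secname = sec_name(sym->st_shndx);` and `const char *symname = sym_name(sym_strtab, sym);` — before the first test so each rule reads as a single comparison. The two exemptions (`__per_cpu_load` from the per-cpu rule, `__LOAD_PHYSICAL_ADDR` from the .text rule) are not explained by the existing comments; a clause such as `/* __per_cpu_load is a real address, not a per-cpu offset */` would save the next reader a search. The enclosing loop body starts and ends outside this hunk.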
5426@@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5427
5428 static void emit_relocs(int as_text)
5429 {
5430- int i;
5431+ unsigned int i;
5432 /* Count how many relocations I have and allocate space for them. */
5433 reloc_count = 0;
5434 walk_relocs(count_reloc);
5435@@ -665,6 +725,7 @@ int main(int argc, char **argv)
5436 fname, strerror(errno));
5437 }
5438 read_ehdr(fp);
5439+ read_phdrs(fp);
5440 read_shdrs(fp);
5441 read_strtabs(fp);
5442 read_symtabs(fp);
5443diff -urNp linux-3.1.1/arch/x86/boot/cpucheck.c linux-3.1.1/arch/x86/boot/cpucheck.c
5444--- linux-3.1.1/arch/x86/boot/cpucheck.c 2011-11-11 15:19:27.000000000 -0500
5445+++ linux-3.1.1/arch/x86/boot/cpucheck.c 2011-11-16 18:39:07.000000000 -0500
5446@@ -74,7 +74,7 @@ static int has_fpu(void)
5447 u16 fcw = -1, fsw = -1;
5448 u32 cr0;
5449
5450- asm("movl %%cr0,%0" : "=r" (cr0));
5451+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
5452 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5453 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5454 asm volatile("movl %0,%%cr0" : : "r" (cr0));
5455@@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5456 {
5457 u32 f0, f1;
5458
5459- asm("pushfl ; "
5460+ asm volatile("pushfl ; "
5461 "pushfl ; "
5462 "popl %0 ; "
5463 "movl %0,%1 ; "
5464@@ -115,7 +115,7 @@ static void get_flags(void)
5465 set_bit(X86_FEATURE_FPU, cpu.flags);
5466
5467 if (has_eflag(X86_EFLAGS_ID)) {
5468- asm("cpuid"
5469+ asm volatile("cpuid"
5470 : "=a" (max_intel_level),
5471 "=b" (cpu_vendor[0]),
5472 "=d" (cpu_vendor[1]),
5473@@ -124,7 +124,7 @@ static void get_flags(void)
5474
5475 if (max_intel_level >= 0x00000001 &&
5476 max_intel_level <= 0x0000ffff) {
5477- asm("cpuid"
5478+ asm volatile("cpuid"
5479 : "=a" (tfms),
5480 "=c" (cpu.flags[4]),
5481 "=d" (cpu.flags[0])
5482@@ -136,7 +136,7 @@ static void get_flags(void)
5483 cpu.model += ((tfms >> 16) & 0xf) << 4;
5484 }
5485
5486- asm("cpuid"
5487+ asm volatile("cpuid"
5488 : "=a" (max_amd_level)
5489 : "a" (0x80000000)
5490 : "ebx", "ecx", "edx");
5491@@ -144,7 +144,7 @@ static void get_flags(void)
5492 if (max_amd_level >= 0x80000001 &&
5493 max_amd_level <= 0x8000ffff) {
5494 u32 eax = 0x80000001;
5495- asm("cpuid"
5496+ asm volatile("cpuid"
5497 : "+a" (eax),
5498 "=c" (cpu.flags[6]),
5499 "=d" (cpu.flags[1])
5500@@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5501 u32 ecx = MSR_K7_HWCR;
5502 u32 eax, edx;
5503
5504- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5505+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5506 eax &= ~(1 << 15);
5507- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5508+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5509
5510 get_flags(); /* Make sure it really did something */
5511 err = check_flags();
5512@@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5513 u32 ecx = MSR_VIA_FCR;
5514 u32 eax, edx;
5515
5516- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5517+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5518 eax |= (1<<1)|(1<<7);
5519- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5520+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5521
5522 set_bit(X86_FEATURE_CX8, cpu.flags);
5523 err = check_flags();
5524@@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5525 u32 eax, edx;
5526 u32 level = 1;
5527
5528- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5529- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5530- asm("cpuid"
5531+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5532+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5533+ asm volatile("cpuid"
5534 : "+a" (level), "=d" (cpu.flags[0])
5535 : : "ecx", "ebx");
5536- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5537+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5538
5539 err = check_flags();
5540 }
5541diff -urNp linux-3.1.1/arch/x86/boot/header.S linux-3.1.1/arch/x86/boot/header.S
5542--- linux-3.1.1/arch/x86/boot/header.S 2011-11-11 15:19:27.000000000 -0500
5543+++ linux-3.1.1/arch/x86/boot/header.S 2011-11-16 18:39:07.000000000 -0500
5544@@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
5545 # single linked list of
5546 # struct setup_data
5547
5548-pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
5549+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
5550
5551 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5552 #define VO_INIT_SIZE (VO__end - VO__text)
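Review bot: `pref_address: .quad ____LOAD_PHYSICAL_ADDR` swaps in a four-underscore variant whose definition is outside this hunk, while the trailing comment still says only `# preferred load addr`. Extend it to record how the two differ, e.g. `# preferred load addr (____LOAD_PHYSICAL_ADDR, not LOAD_PHYSICAL_ADDR: see its definition)`, so the choice does not look like a typo; I cannot see from here where the patch defines it, so point the comment at that header.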
5553diff -urNp linux-3.1.1/arch/x86/boot/Makefile linux-3.1.1/arch/x86/boot/Makefile
5554--- linux-3.1.1/arch/x86/boot/Makefile 2011-11-11 15:19:27.000000000 -0500
5555+++ linux-3.1.1/arch/x86/boot/Makefile 2011-11-16 18:39:07.000000000 -0500
5556@@ -63,6 +63,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
5557 $(call cc-option, -fno-stack-protector) \
5558 $(call cc-option, -mpreferred-stack-boundary=2)
5559 KBUILD_CFLAGS += $(call cc-option, -m32)
5560+ifdef CONSTIFY_PLUGIN
5561+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
5562+endif
5563 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
5564 GCOV_PROFILE := n
5565
5566diff -urNp linux-3.1.1/arch/x86/boot/memory.c linux-3.1.1/arch/x86/boot/memory.c
5567--- linux-3.1.1/arch/x86/boot/memory.c 2011-11-11 15:19:27.000000000 -0500
5568+++ linux-3.1.1/arch/x86/boot/memory.c 2011-11-16 18:39:07.000000000 -0500
5569@@ -19,7 +19,7 @@
5570
5571 static int detect_memory_e820(void)
5572 {
5573- int count = 0;
5574+ unsigned int count = 0;
5575 struct biosregs ireg, oreg;
5576 struct e820entry *desc = boot_params.e820_map;
5577 static struct e820entry buf; /* static so it is zeroed */
5578diff -urNp linux-3.1.1/arch/x86/boot/video.c linux-3.1.1/arch/x86/boot/video.c
5579--- linux-3.1.1/arch/x86/boot/video.c 2011-11-11 15:19:27.000000000 -0500
5580+++ linux-3.1.1/arch/x86/boot/video.c 2011-11-16 18:39:07.000000000 -0500
5581@@ -96,7 +96,7 @@ static void store_mode_params(void)
5582 static unsigned int get_entry(void)
5583 {
5584 char entry_buf[4];
5585- int i, len = 0;
5586+ unsigned int i, len = 0;
5587 int key;
5588 unsigned int v;
5589
5590diff -urNp linux-3.1.1/arch/x86/boot/video-vesa.c linux-3.1.1/arch/x86/boot/video-vesa.c
5591--- linux-3.1.1/arch/x86/boot/video-vesa.c 2011-11-11 15:19:27.000000000 -0500
5592+++ linux-3.1.1/arch/x86/boot/video-vesa.c 2011-11-16 18:39:07.000000000 -0500
5593@@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
5594
5595 boot_params.screen_info.vesapm_seg = oreg.es;
5596 boot_params.screen_info.vesapm_off = oreg.di;
5597+ boot_params.screen_info.vesapm_size = oreg.cx;
5598 }
5599
5600 /*
5601diff -urNp linux-3.1.1/arch/x86/crypto/aes-x86_64-asm_64.S linux-3.1.1/arch/x86/crypto/aes-x86_64-asm_64.S
5602--- linux-3.1.1/arch/x86/crypto/aes-x86_64-asm_64.S 2011-11-11 15:19:27.000000000 -0500
5603+++ linux-3.1.1/arch/x86/crypto/aes-x86_64-asm_64.S 2011-11-16 18:39:07.000000000 -0500
5604@@ -8,6 +8,8 @@
5605 * including this sentence is retained in full.
5606 */
5607
5608+#include <asm/alternative-asm.h>
5609+
5610 .extern crypto_ft_tab
5611 .extern crypto_it_tab
5612 .extern crypto_fl_tab
5613@@ -71,6 +73,8 @@ FUNC: movq r1,r2; \
5614 je B192; \
5615 leaq 32(r9),r9;
5616
5617+#define ret pax_force_retaddr; ret
5618+
5619 #define epilogue(r1,r2,r3,r4,r5,r6,r7,r8,r9) \
5620 movq r1,r2; \
5621 movq r3,r4; \
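Review bot: `#define ret pax_force_retaddr; ret` silently rewrites every `ret` mnemonic from this point to the end of the file, presumably including the `epilogue` macro defined right after it, and a reader of that code sees no hint of the extra instruction. Add a comment above the define: `/* every ret from here on is preceded by pax_force_retaddr (see alternative-asm.h) */`. The salsa20 and twofish hunks in this same patch instead insert `pax_force_retaddr` explicitly before each `ret`; doing the same here would keep the three files consistent and avoid redefining an instruction name.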
5622diff -urNp linux-3.1.1/arch/x86/crypto/salsa20-x86_64-asm_64.S linux-3.1.1/arch/x86/crypto/salsa20-x86_64-asm_64.S
5623--- linux-3.1.1/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-11-11 15:19:27.000000000 -0500
5624+++ linux-3.1.1/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-11-16 18:39:07.000000000 -0500
5625@@ -1,3 +1,5 @@
5626+#include <asm/alternative-asm.h>
5627+
5628 # enter ECRYPT_encrypt_bytes
5629 .text
5630 .p2align 5
5631@@ -790,6 +792,7 @@ ECRYPT_encrypt_bytes:
5632 add %r11,%rsp
5633 mov %rdi,%rax
5634 mov %rsi,%rdx
5635+ pax_force_retaddr
5636 ret
5637 # bytesatleast65:
5638 ._bytesatleast65:
5639@@ -891,6 +894,7 @@ ECRYPT_keysetup:
5640 add %r11,%rsp
5641 mov %rdi,%rax
5642 mov %rsi,%rdx
5643+ pax_force_retaddr
5644 ret
5645 # enter ECRYPT_ivsetup
5646 .text
5647@@ -917,4 +921,5 @@ ECRYPT_ivsetup:
5648 add %r11,%rsp
5649 mov %rdi,%rax
5650 mov %rsi,%rdx
5651+ pax_force_retaddr
5652 ret
5653diff -urNp linux-3.1.1/arch/x86/crypto/twofish-x86_64-asm_64.S linux-3.1.1/arch/x86/crypto/twofish-x86_64-asm_64.S
5654--- linux-3.1.1/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-11-11 15:19:27.000000000 -0500
5655+++ linux-3.1.1/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-11-16 18:39:07.000000000 -0500
5656@@ -21,6 +21,7 @@
5657 .text
5658
5659 #include <asm/asm-offsets.h>
5660+#include <asm/alternative-asm.h>
5661
5662 #define a_offset 0
5663 #define b_offset 4
5664@@ -269,6 +270,7 @@ twofish_enc_blk:
5665
5666 popq R1
5667 movq $1,%rax
5668+ pax_force_retaddr
5669 ret
5670
5671 twofish_dec_blk:
5672@@ -321,4 +323,5 @@ twofish_dec_blk:
5673
5674 popq R1
5675 movq $1,%rax
5676+ pax_force_retaddr
5677 ret
5678diff -urNp linux-3.1.1/arch/x86/ia32/ia32_aout.c linux-3.1.1/arch/x86/ia32/ia32_aout.c
5679--- linux-3.1.1/arch/x86/ia32/ia32_aout.c 2011-11-11 15:19:27.000000000 -0500
5680+++ linux-3.1.1/arch/x86/ia32/ia32_aout.c 2011-11-16 18:40:08.000000000 -0500
5681@@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
5682 unsigned long dump_start, dump_size;
5683 struct user32 dump;
5684
5685+ memset(&dump, 0, sizeof(dump));
5686+
5687 fs = get_fs();
5688 set_fs(KERNEL_DS);
5689 has_dumped = 1;
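Review bot: The added `memset(&dump, 0, sizeof(dump))` in aout_core_dump has no comment saying why a struct that is about to be filled in needs zeroing; since `dump` is a stack-resident `struct user32` that is presumably written out to the core file later in the function, the memset ensures fields and padding that are never explicitly assigned do not carry stale stack contents into the dump. Suggest `/* zero padding and unassigned fields so stale stack data does not reach the core file */` above it. The rest of the function is outside this hunk.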
5690diff -urNp linux-3.1.1/arch/x86/ia32/ia32entry.S linux-3.1.1/arch/x86/ia32/ia32entry.S
5691--- linux-3.1.1/arch/x86/ia32/ia32entry.S 2011-11-11 15:19:27.000000000 -0500
5692+++ linux-3.1.1/arch/x86/ia32/ia32entry.S 2011-11-17 18:27:57.000000000 -0500
5693@@ -13,7 +13,9 @@
5694 #include <asm/thread_info.h>
5695 #include <asm/segment.h>
5696 #include <asm/irqflags.h>
5697+#include <asm/pgtable.h>
5698 #include <linux/linkage.h>
5699+#include <asm/alternative-asm.h>
5700
5701 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
5702 #include <linux/elf-em.h>
5703@@ -95,6 +97,29 @@ ENTRY(native_irq_enable_sysexit)
5704 ENDPROC(native_irq_enable_sysexit)
5705 #endif
5706
5707+ .macro pax_enter_kernel_user
5708+#ifdef CONFIG_PAX_MEMORY_UDEREF
5709+ call pax_enter_kernel_user
5710+#endif
5711+ .endm
5712+
5713+ .macro pax_exit_kernel_user
5714+#ifdef CONFIG_PAX_MEMORY_UDEREF
5715+ call pax_exit_kernel_user
5716+#endif
5717+#ifdef CONFIG_PAX_RANDKSTACK
5718+ pushq %rax
5719+ call pax_randomize_kstack
5720+ popq %rax
5721+#endif
5722+ .endm
5723+
5724+.macro pax_erase_kstack
5725+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
5726+ call pax_erase_kstack
5727+#endif
5728+.endm
5729+
5730 /*
5731 * 32bit SYSENTER instruction entry.
5732 *
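Review bot: The `pax_exit_kernel_user` macro preserves only `%rax` around `call pax_randomize_kstack`, yet at both `sysexit_from_sys_call` and `sysretl_from_sys_call` (later hunks in this file) the instruction right after the macro is `andl $~TS_COMPAT,TI_status(%r10)`, which relies on `%r10` surviving the call. If pax_randomize_kstack, pax_exit_kernel_user or pax_erase_kstack (all defined outside this file) follow the normal C calling convention, `%r10` is caller-saved and may be clobbered; either confirm they are register-preserving assembly or reload with `GET_THREAD_INFO(%r10)` after the macro. Separately, the macros carry the same names as the functions they `call`; a comment such as `# each macro wraps the function of the same name and expands to nothing when its option is off` would avoid the double-take.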
5733@@ -121,7 +146,7 @@ ENTRY(ia32_sysenter_target)
5734 CFI_REGISTER rsp,rbp
5735 SWAPGS_UNSAFE_STACK
5736 movq PER_CPU_VAR(kernel_stack), %rsp
5737- addq $(KERNEL_STACK_OFFSET),%rsp
5738+ pax_enter_kernel_user
5739 /*
5740 * No need to follow this irqs on/off section: the syscall
5741 * disabled irqs, here we enable it straight after entry:
5742@@ -134,7 +159,8 @@ ENTRY(ia32_sysenter_target)
5743 CFI_REL_OFFSET rsp,0
5744 pushfq_cfi
5745 /*CFI_REL_OFFSET rflags,0*/
5746- movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
5747+ GET_THREAD_INFO(%r10)
5748+ movl TI_sysenter_return(%r10), %r10d
5749 CFI_REGISTER rip,r10
5750 pushq_cfi $__USER32_CS
5751 /*CFI_REL_OFFSET cs,0*/
5752@@ -146,6 +172,12 @@ ENTRY(ia32_sysenter_target)
5753 SAVE_ARGS 0,1,0
5754 /* no need to do an access_ok check here because rbp has been
5755 32bit zero extended */
5756+
5757+#ifdef CONFIG_PAX_MEMORY_UDEREF
5758+ mov $PAX_USER_SHADOW_BASE,%r10
5759+ add %r10,%rbp
5760+#endif
5761+
5762 1: movl (%rbp),%ebp
5763 .section __ex_table,"a"
5764 .quad 1b,ia32_badarg
5765@@ -168,6 +200,8 @@ sysenter_dispatch:
5766 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
5767 jnz sysexit_audit
5768 sysexit_from_sys_call:
5769+ pax_exit_kernel_user
5770+ pax_erase_kstack
5771 andl $~TS_COMPAT,TI_status(%r10)
5772 /* clear IF, that popfq doesn't enable interrupts early */
5773 andl $~0x200,EFLAGS-R11(%rsp)
5774@@ -194,6 +228,9 @@ sysexit_from_sys_call:
5775 movl %eax,%esi /* 2nd arg: syscall number */
5776 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
5777 call audit_syscall_entry
5778+
5779+ pax_erase_kstack
5780+
5781 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
5782 cmpq $(IA32_NR_syscalls-1),%rax
5783 ja ia32_badsys
5784@@ -246,6 +283,9 @@ sysenter_tracesys:
5785 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
5786 movq %rsp,%rdi /* &pt_regs -> arg1 */
5787 call syscall_trace_enter
5788+
5789+ pax_erase_kstack
5790+
5791 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
5792 RESTORE_REST
5793 cmpq $(IA32_NR_syscalls-1),%rax
5794@@ -277,19 +317,24 @@ ENDPROC(ia32_sysenter_target)
5795 ENTRY(ia32_cstar_target)
5796 CFI_STARTPROC32 simple
5797 CFI_SIGNAL_FRAME
5798- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
5799+ CFI_DEF_CFA rsp,0
5800 CFI_REGISTER rip,rcx
5801 /*CFI_REGISTER rflags,r11*/
5802 SWAPGS_UNSAFE_STACK
5803 movl %esp,%r8d
5804 CFI_REGISTER rsp,r8
5805 movq PER_CPU_VAR(kernel_stack),%rsp
5806+
5807+#ifdef CONFIG_PAX_MEMORY_UDEREF
5808+ pax_enter_kernel_user
5809+#endif
5810+
5811 /*
5812 * No need to follow this irqs on/off section: the syscall
5813 * disabled irqs and here we enable it straight after entry:
5814 */
5815 ENABLE_INTERRUPTS(CLBR_NONE)
5816- SAVE_ARGS 8,0,0
5817+ SAVE_ARGS 8*6,0,0
5818 movl %eax,%eax /* zero extension */
5819 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
5820 movq %rcx,RIP-ARGOFFSET(%rsp)
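Review bot: At the cstar entry the `pax_enter_kernel_user` invocation is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`, but the macro defined earlier in this file already expands to nothing unless that option is set, and the sysenter and ia32_syscall paths in this same patch invoke it bare; drop the redundant guard so the three entry points read the same, leaving just `pax_enter_kernel_user`. The change to `CFI_DEF_CFA rsp,0` and `SAVE_ARGS 8*6,0,0` looks like the compensation for no longer biasing `%rsp` by KERNEL_STACK_OFFSET, but nothing in the hunk says so; a comment like `/* rsp is the top of the kernel stack, no KERNEL_STACK_OFFSET bias */` would help. ENTRY(ia32_cstar_target) continues past the hunk.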
5821@@ -305,6 +350,12 @@ ENTRY(ia32_cstar_target)
5822 /* no need to do an access_ok check here because r8 has been
5823 32bit zero extended */
5824 /* hardware stack frame is complete now */
5825+
5826+#ifdef CONFIG_PAX_MEMORY_UDEREF
5827+ mov $PAX_USER_SHADOW_BASE,%r10
5828+ add %r10,%r8
5829+#endif
5830+
5831 1: movl (%r8),%r9d
5832 .section __ex_table,"a"
5833 .quad 1b,ia32_badarg
5834@@ -327,6 +378,8 @@ cstar_dispatch:
5835 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
5836 jnz sysretl_audit
5837 sysretl_from_sys_call:
5838+ pax_exit_kernel_user
5839+ pax_erase_kstack
5840 andl $~TS_COMPAT,TI_status(%r10)
5841 RESTORE_ARGS 0,-ARG_SKIP,0,0,0
5842 movl RIP-ARGOFFSET(%rsp),%ecx
5843@@ -364,6 +417,9 @@ cstar_tracesys:
5844 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
5845 movq %rsp,%rdi /* &pt_regs -> arg1 */
5846 call syscall_trace_enter
5847+
5848+ pax_erase_kstack
5849+
5850 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
5851 RESTORE_REST
5852 xchgl %ebp,%r9d
5853@@ -409,6 +465,7 @@ ENTRY(ia32_syscall)
5854 CFI_REL_OFFSET rip,RIP-RIP
5855 PARAVIRT_ADJUST_EXCEPTION_FRAME
5856 SWAPGS
5857+ pax_enter_kernel_user
5858 /*
5859 * No need to follow this irqs on/off section: the syscall
5860 * disabled irqs and here we enable it straight after entry:
5861@@ -441,6 +498,9 @@ ia32_tracesys:
5862 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
5863 movq %rsp,%rdi /* &pt_regs -> arg1 */
5864 call syscall_trace_enter
5865+
5866+ pax_erase_kstack
5867+
5868 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
5869 RESTORE_REST
5870 cmpq $(IA32_NR_syscalls-1),%rax
5871@@ -455,6 +515,7 @@ ia32_badsys:
5872
5873 quiet_ni_syscall:
5874 movq $-ENOSYS,%rax
5875+ pax_force_retaddr
5876 ret
5877 CFI_ENDPROC
5878
5879diff -urNp linux-3.1.1/arch/x86/ia32/ia32_signal.c linux-3.1.1/arch/x86/ia32/ia32_signal.c
5880--- linux-3.1.1/arch/x86/ia32/ia32_signal.c 2011-11-11 15:19:27.000000000 -0500
5881+++ linux-3.1.1/arch/x86/ia32/ia32_signal.c 2011-11-16 18:39:07.000000000 -0500
5882@@ -169,7 +169,7 @@ asmlinkage long sys32_sigaltstack(const
5883 }
5884 seg = get_fs();
5885 set_fs(KERNEL_DS);
5886- ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss, regs->sp);
5887+ ret = do_sigaltstack(uss_ptr ? (const stack_t __force_user *)&uss : NULL, (stack_t __force_user *)&uoss, regs->sp);
5888 set_fs(seg);
5889 if (ret >= 0 && uoss_ptr) {
5890 if (!access_ok(VERIFY_WRITE, uoss_ptr, sizeof(stack_ia32_t)))
5891@@ -370,7 +370,7 @@ static int ia32_setup_sigcontext(struct
5892 */
5893 static void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
5894 size_t frame_size,
5895- void **fpstate)
5896+ void __user **fpstate)
5897 {
5898 unsigned long sp;
5899
5900@@ -391,7 +391,7 @@ static void __user *get_sigframe(struct
5901
5902 if (used_math()) {
5903 sp = sp - sig_xstate_ia32_size;
5904- *fpstate = (struct _fpstate_ia32 *) sp;
5905+ *fpstate = (struct _fpstate_ia32 __user *) sp;
5906 if (save_i387_xstate_ia32(*fpstate) < 0)
5907 return (void __user *) -1L;
5908 }
5909@@ -399,7 +399,7 @@ static void __user *get_sigframe(struct
5910 sp -= frame_size;
5911 /* Align the stack pointer according to the i386 ABI,
5912 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
5913- sp = ((sp + 4) & -16ul) - 4;
5914+ sp = ((sp - 12) & -16ul) - 4;
5915 return (void __user *) sp;
5916 }
5917
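Review bot: `sp = ((sp - 12) & -16ul) - 4;` and the old `((sp + 4) & -16ul) - 4` both satisfy the `((sp + 4) & 15) == 0` rule in the comment above, but the new expression always yields exactly 16 bytes less than the old one, and neither the code nor the comment (which still describes only the alignment) says what the extra 16 bytes are for. Extend the comment with the reason, or if the intent is "round down to the next aligned slot below sp - 16", write it that way so the reader does not have to re-derive it. get_sigframe starts in an earlier hunk.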
5918@@ -457,7 +457,7 @@ int ia32_setup_frame(int sig, struct k_s
5919 * These are actually not used anymore, but left because some
5920 * gdb versions depend on them as a marker.
5921 */
5922- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
5923+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
5924 } put_user_catch(err);
5925
5926 if (err)
5927@@ -499,7 +499,7 @@ int ia32_setup_rt_frame(int sig, struct
5928 0xb8,
5929 __NR_ia32_rt_sigreturn,
5930 0x80cd,
5931- 0,
5932+ 0
5933 };
5934
5935 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
5936@@ -529,16 +529,18 @@ int ia32_setup_rt_frame(int sig, struct
5937
5938 if (ka->sa.sa_flags & SA_RESTORER)
5939 restorer = ka->sa.sa_restorer;
5940+ else if (current->mm->context.vdso)
5941+ /* Return stub is in 32bit vsyscall page */
5942+ restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
5943 else
5944- restorer = VDSO32_SYMBOL(current->mm->context.vdso,
5945- rt_sigreturn);
5946+ restorer = &frame->retcode;
5947 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
5948
5949 /*
5950 * Not actually used anymore, but left because some gdb
5951 * versions need it.
5952 */
5953- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
5954+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
5955 } put_user_catch(err);
5956
5957 if (err)
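Review bot: The new `else restorer = &frame->retcode;` branch makes the signal return jump into the trampoline written onto the user stack, which only works when that stack is executable; that is the same no-vDSO fallback the native 32-bit path uses, but here it deserves a comment, e.g. `/* no vDSO mapped: fall back to the on-stack trampoline (needs an executable stack) */`. The first comment, `/* Return stub is in 32bit vsyscall page */`, now sits between `else if` and its statement, which is easy to misread; moving it onto the `else if` line keeps the three-way choice scannable.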
5958diff -urNp linux-3.1.1/arch/x86/ia32/sys_ia32.c linux-3.1.1/arch/x86/ia32/sys_ia32.c
5959--- linux-3.1.1/arch/x86/ia32/sys_ia32.c 2011-11-11 15:19:27.000000000 -0500
5960+++ linux-3.1.1/arch/x86/ia32/sys_ia32.c 2011-11-16 18:39:07.000000000 -0500
5961@@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsign
5962 */
5963 static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
5964 {
5965- typeof(ubuf->st_uid) uid = 0;
5966- typeof(ubuf->st_gid) gid = 0;
5967+ typeof(((struct stat64 *)0)->st_uid) uid = 0;
5968+ typeof(((struct stat64 *)0)->st_gid) gid = 0;
5969 SET_UID(uid, stat->uid);
5970 SET_GID(gid, stat->gid);
5971 if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
5972@@ -308,8 +308,8 @@ asmlinkage long sys32_rt_sigprocmask(int
5973 }
5974 set_fs(KERNEL_DS);
5975 ret = sys_rt_sigprocmask(how,
5976- set ? (sigset_t __user *)&s : NULL,
5977- oset ? (sigset_t __user *)&s : NULL,
5978+ set ? (sigset_t __force_user *)&s : NULL,
5979+ oset ? (sigset_t __force_user *)&s : NULL,
5980 sigsetsize);
5981 set_fs(old_fs);
5982 if (ret)
5983@@ -332,7 +332,7 @@ asmlinkage long sys32_alarm(unsigned int
5984 return alarm_setitimer(seconds);
5985 }
5986
5987-asmlinkage long sys32_waitpid(compat_pid_t pid, unsigned int *stat_addr,
5988+asmlinkage long sys32_waitpid(compat_pid_t pid, unsigned int __user *stat_addr,
5989 int options)
5990 {
5991 return compat_sys_wait4(pid, stat_addr, options, NULL);
5992@@ -353,7 +353,7 @@ asmlinkage long sys32_sched_rr_get_inter
5993 mm_segment_t old_fs = get_fs();
5994
5995 set_fs(KERNEL_DS);
5996- ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
5997+ ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
5998 set_fs(old_fs);
5999 if (put_compat_timespec(&t, interval))
6000 return -EFAULT;
6001@@ -369,7 +369,7 @@ asmlinkage long sys32_rt_sigpending(comp
6002 mm_segment_t old_fs = get_fs();
6003
6004 set_fs(KERNEL_DS);
6005- ret = sys_rt_sigpending((sigset_t __user *)&s, sigsetsize);
6006+ ret = sys_rt_sigpending((sigset_t __force_user *)&s, sigsetsize);
6007 set_fs(old_fs);
6008 if (!ret) {
6009 switch (_NSIG_WORDS) {
6010@@ -394,7 +394,7 @@ asmlinkage long sys32_rt_sigqueueinfo(in
6011 if (copy_siginfo_from_user32(&info, uinfo))
6012 return -EFAULT;
6013 set_fs(KERNEL_DS);
6014- ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __user *)&info);
6015+ ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __force_user *)&info);
6016 set_fs(old_fs);
6017 return ret;
6018 }
6019@@ -439,7 +439,7 @@ asmlinkage long sys32_sendfile(int out_f
6020 return -EFAULT;
6021
6022 set_fs(KERNEL_DS);
6023- ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL,
6024+ ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL,
6025 count);
6026 set_fs(old_fs);
6027
6028diff -urNp linux-3.1.1/arch/x86/include/asm/alternative-asm.h linux-3.1.1/arch/x86/include/asm/alternative-asm.h
6029--- linux-3.1.1/arch/x86/include/asm/alternative-asm.h 2011-11-11 15:19:27.000000000 -0500
6030+++ linux-3.1.1/arch/x86/include/asm/alternative-asm.h 2011-11-16 18:39:07.000000000 -0500
6031@@ -15,6 +15,20 @@
6032 .endm
6033 #endif
6034
6035+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
6036+ .macro pax_force_retaddr rip=0
6037+ btsq $63,\rip(%rsp)
6038+ .endm
6039+ .macro pax_force_fptr ptr
6040+ btsq $63,\ptr
6041+ .endm
6042+#else
6043+ .macro pax_force_retaddr rip=0
6044+ .endm
6045+ .macro pax_force_fptr ptr
6046+ .endm
6047+#endif
6048+
6049 .macro altinstruction_entry orig alt feature orig_len alt_len
6050 .long \orig - .
6051 .long \alt - .
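Review bot: `pax_force_retaddr rip=0` sets bit 63 of the quadword at `\rip(%rsp)` with `btsq`, but nothing documents that `rip` is the byte offset from `%rsp` to the saved return address, nor that `pax_force_fptr` expects an operand `btsq` can write to; since the non-PLUGIN variants expand to nothing, a caller passing the wrong offset gets no diagnostic in that configuration. Add a short header above the block: `/* pax_force_retaddr rip: set bit 63 of the return address at rip(%rsp); pax_force_fptr ptr: same for a function pointer; both are no-ops without CONFIG_PAX_KERNEXEC_PLUGIN */`.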
6052diff -urNp linux-3.1.1/arch/x86/include/asm/alternative.h linux-3.1.1/arch/x86/include/asm/alternative.h
6053--- linux-3.1.1/arch/x86/include/asm/alternative.h 2011-11-11 15:19:27.000000000 -0500
6054+++ linux-3.1.1/arch/x86/include/asm/alternative.h 2011-11-16 18:39:07.000000000 -0500
6055@@ -89,7 +89,7 @@ static inline int alternatives_text_rese
6056 ".section .discard,\"aw\",@progbits\n" \
6057 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6058 ".previous\n" \
6059- ".section .altinstr_replacement, \"ax\"\n" \
6060+ ".section .altinstr_replacement, \"a\"\n" \
6061 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6062 ".previous"
6063
6064diff -urNp linux-3.1.1/arch/x86/include/asm/apic.h linux-3.1.1/arch/x86/include/asm/apic.h
6065--- linux-3.1.1/arch/x86/include/asm/apic.h 2011-11-11 15:19:27.000000000 -0500
6066+++ linux-3.1.1/arch/x86/include/asm/apic.h 2011-11-16 18:39:07.000000000 -0500
6067@@ -45,7 +45,7 @@ static inline void generic_apic_probe(vo
6068
6069 #ifdef CONFIG_X86_LOCAL_APIC
6070
6071-extern unsigned int apic_verbosity;
6072+extern int apic_verbosity;
6073 extern int local_apic_timer_c2_ok;
6074
6075 extern int disable_apic;
6076diff -urNp linux-3.1.1/arch/x86/include/asm/apm.h linux-3.1.1/arch/x86/include/asm/apm.h
6077--- linux-3.1.1/arch/x86/include/asm/apm.h 2011-11-11 15:19:27.000000000 -0500
6078+++ linux-3.1.1/arch/x86/include/asm/apm.h 2011-11-16 18:39:07.000000000 -0500
6079@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6080 __asm__ __volatile__(APM_DO_ZERO_SEGS
6081 "pushl %%edi\n\t"
6082 "pushl %%ebp\n\t"
6083- "lcall *%%cs:apm_bios_entry\n\t"
6084+ "lcall *%%ss:apm_bios_entry\n\t"
6085 "setc %%al\n\t"
6086 "popl %%ebp\n\t"
6087 "popl %%edi\n\t"
6088@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6089 __asm__ __volatile__(APM_DO_ZERO_SEGS
6090 "pushl %%edi\n\t"
6091 "pushl %%ebp\n\t"
6092- "lcall *%%cs:apm_bios_entry\n\t"
6093+ "lcall *%%ss:apm_bios_entry\n\t"
6094 "setc %%bl\n\t"
6095 "popl %%ebp\n\t"
6096 "popl %%edi\n\t"
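Review bot: Both `lcall *%%ss:apm_bios_entry` lines change the segment override from `%cs` to `%ss` without a comment, in this hunk and the identical one at -34. Presumably the point is that the operand is a data reference and the code segment's base is no longer guaranteed to be zero under this patch's segment layout, while `%ss` keeps the flat base; whatever the reason, record it once next to the first lcall, e.g. `/* %ss, not %cs: the operand is data and CS may have a non-zero base */`.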
6097diff -urNp linux-3.1.1/arch/x86/include/asm/atomic64_32.h linux-3.1.1/arch/x86/include/asm/atomic64_32.h
6098--- linux-3.1.1/arch/x86/include/asm/atomic64_32.h 2011-11-11 15:19:27.000000000 -0500
6099+++ linux-3.1.1/arch/x86/include/asm/atomic64_32.h 2011-11-16 18:39:07.000000000 -0500
6100@@ -12,6 +12,14 @@ typedef struct {
6101 u64 __aligned(8) counter;
6102 } atomic64_t;
6103
6104+#ifdef CONFIG_PAX_REFCOUNT
6105+typedef struct {
6106+ u64 __aligned(8) counter;
6107+} atomic64_unchecked_t;
6108+#else
6109+typedef atomic64_t atomic64_unchecked_t;
6110+#endif
6111+
6112 #define ATOMIC64_INIT(val) { (val) }
6113
6114 #ifdef CONFIG_X86_CMPXCHG64
6115@@ -38,6 +46,21 @@ static inline long long atomic64_cmpxchg
6116 }
6117
6118 /**
6119+ * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
6120+ * @p: pointer to type atomic64_unchecked_t
6121+ * @o: expected value
6122+ * @n: new value
6123+ *
6124+ * Atomically sets @v to @n if it was equal to @o and returns
6125+ * the old value.
6126+ */
6127+
6128+static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
6129+{
6130+ return cmpxchg64(&v->counter, o, n);
6131+}
6132+
6133+/**
6134 * atomic64_xchg - xchg atomic64 variable
6135 * @v: pointer to type atomic64_t
6136 * @n: value to assign
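Review bot: The kerneldoc for atomic64_cmpxchg_unchecked names the pointer `@p` and then says "sets @v", while the parameter is `v`; change the first line to `@v: pointer to type atomic64_unchecked_t`. The same doc/parameter mismatch appears at atomic64_set_unchecked later in this file, where `@n` is documented but the parameter is `i`. The blank line between `*/` and `static inline` also detaches the comment from the function it documents, so kerneldoc tooling may not associate them; remove it.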
6137@@ -77,6 +100,24 @@ static inline void atomic64_set(atomic64
6138 }
6139
6140 /**
6141+ * atomic64_set_unchecked - set atomic64 variable
6142+ * @v: pointer to type atomic64_unchecked_t
6143+ * @n: value to assign
6144+ *
6145+ * Atomically sets the value of @v to @n.
6146+ */
6147+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
6148+{
6149+ unsigned high = (unsigned)(i >> 32);
6150+ unsigned low = (unsigned)i;
6151+ asm volatile(ATOMIC64_ALTERNATIVE(set)
6152+ : "+b" (low), "+c" (high)
6153+ : "S" (v)
6154+ : "eax", "edx", "memory"
6155+ );
6156+}
6157+
6158+/**
6159 * atomic64_read - read atomic64 variable
6160 * @v: pointer to type atomic64_t
6161 *
6162@@ -93,6 +134,22 @@ static inline long long atomic64_read(at
6163 }
6164
6165 /**
6166+ * atomic64_read_unchecked - read atomic64 variable
6167+ * @v: pointer to type atomic64_unchecked_t
6168+ *
6169+ * Atomically reads the value of @v and returns it.
6170+ */
6171+static inline long long atomic64_read_unchecked(atomic64_unchecked_t *v)
6172+{
6173+ long long r;
6174+ asm volatile(ATOMIC64_ALTERNATIVE(read_unchecked)
6175+ : "=A" (r), "+c" (v)
6176+ : : "memory"
6177+ );
6178+ return r;
6179+ }
6180+
6181+/**
6182 * atomic64_add_return - add and return
6183 * @i: integer value to add
6184 * @v: pointer to type atomic64_t
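Review bot: The closing brace of atomic64_read_unchecked is indented by one space (` }`) while every other brace in this header sits at column 0; align it. atomic64_inc_return_unchecked, added in a later hunk of this file, is the only new `_unchecked` helper without a kerneldoc block; give it the same three-line header as atomic64_add_return_unchecked.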
6185@@ -108,6 +165,22 @@ static inline long long atomic64_add_ret
6186 return i;
6187 }
6188
6189+/**
6190+ * atomic64_add_return_unchecked - add and return
6191+ * @i: integer value to add
6192+ * @v: pointer to type atomic64_unchecked_t
6193+ *
6194+ * Atomically adds @i to @v and returns @i + *@v
6195+ */
6196+static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
6197+{
6198+ asm volatile(ATOMIC64_ALTERNATIVE(add_return_unchecked)
6199+ : "+A" (i), "+c" (v)
6200+ : : "memory"
6201+ );
6202+ return i;
6203+}
6204+
6205 /*
6206 * Other variants with different arithmetic operators:
6207 */
6208@@ -131,6 +204,17 @@ static inline long long atomic64_inc_ret
6209 return a;
6210 }
6211
6212+static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6213+{
6214+ long long a;
6215+ asm volatile(ATOMIC64_ALTERNATIVE(inc_return_unchecked)
6216+ : "=A" (a)
6217+ : "S" (v)
6218+ : "memory", "ecx"
6219+ );
6220+ return a;
6221+}
6222+
6223 static inline long long atomic64_dec_return(atomic64_t *v)
6224 {
6225 long long a;
6226@@ -159,6 +243,22 @@ static inline long long atomic64_add(lon
6227 }
6228
6229 /**
6230+ * atomic64_add_unchecked - add integer to atomic64 variable
6231+ * @i: integer value to add
6232+ * @v: pointer to type atomic64_unchecked_t
6233+ *
6234+ * Atomically adds @i to @v.
6235+ */
6236+static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
6237+{
6238+ asm volatile(ATOMIC64_ALTERNATIVE_(add_unchecked, add_return_unchecked)
6239+ : "+A" (i), "+c" (v)
6240+ : : "memory"
6241+ );
6242+ return i;
6243+}
6244+
6245+/**
6246 * atomic64_sub - subtract the atomic64 variable
6247 * @i: integer value to subtract
6248 * @v: pointer to type atomic64_t
6249diff -urNp linux-3.1.1/arch/x86/include/asm/atomic64_64.h linux-3.1.1/arch/x86/include/asm/atomic64_64.h
6250--- linux-3.1.1/arch/x86/include/asm/atomic64_64.h 2011-11-11 15:19:27.000000000 -0500
6251+++ linux-3.1.1/arch/x86/include/asm/atomic64_64.h 2011-11-16 18:39:07.000000000 -0500
6252@@ -18,7 +18,19 @@
6253 */
6254 static inline long atomic64_read(const atomic64_t *v)
6255 {
6256- return (*(volatile long *)&(v)->counter);
6257+ return (*(volatile const long *)&(v)->counter);
6258+}
6259+
6260+/**
6261+ * atomic64_read_unchecked - read atomic64 variable
6262+ * @v: pointer of type atomic64_unchecked_t
6263+ *
6264+ * Atomically reads the value of @v.
6265+ * Doesn't imply a read memory barrier.
6266+ */
6267+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6268+{
6269+ return (*(volatile const long *)&(v)->counter);
6270 }
6271
6272 /**
6273@@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6274 }
6275
6276 /**
6277+ * atomic64_set_unchecked - set atomic64 variable
6278+ * @v: pointer to type atomic64_unchecked_t
6279+ * @i: required value
6280+ *
6281+ * Atomically sets the value of @v to @i.
6282+ */
6283+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6284+{
6285+ v->counter = i;
6286+}
6287+
6288+/**
6289 * atomic64_add - add integer to atomic64 variable
6290 * @i: integer value to add
6291 * @v: pointer to type atomic64_t
6292@@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6293 */
6294 static inline void atomic64_add(long i, atomic64_t *v)
6295 {
6296+ asm volatile(LOCK_PREFIX "addq %1,%0\n"
6297+
6298+#ifdef CONFIG_PAX_REFCOUNT
6299+ "jno 0f\n"
6300+ LOCK_PREFIX "subq %1,%0\n"
6301+ "int $4\n0:\n"
6302+ _ASM_EXTABLE(0b, 0b)
6303+#endif
6304+
6305+ : "=m" (v->counter)
6306+ : "er" (i), "m" (v->counter));
6307+}
6308+
6309+/**
6310+ * atomic64_add_unchecked - add integer to atomic64 variable
6311+ * @i: integer value to add
6312+ * @v: pointer to type atomic64_unchecked_t
6313+ *
6314+ * Atomically adds @i to @v.
6315+ */
6316+static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6317+{
6318 asm volatile(LOCK_PREFIX "addq %1,%0"
6319 : "=m" (v->counter)
6320 : "er" (i), "m" (v->counter));
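Review bot: The `_ASM_EXTABLE(0b, 0b)` entry in the CONFIG_PAX_REFCOUNT block of atomic64_add reads as a no-op fixup, and nothing in the hunk says why it is there or what `int $4` achieves; a comment at the first `#ifdef CONFIG_PAX_REFCOUNT` would save the next reader a trip to the trap handler, e.g. `/* signed overflow: undo the add, then raise #OF; the extable entry keyed on the same address presumably lets the #OF handler recognise a refcount trap and resume after it - confirm against the handler */`. That comment should also state two properties visible in the asm: the undo is a second locked RMW, so the wrapped value is globally visible between the `addq` and the compensating `subq`, and only the OF flag is tested, so a counter dropping through zero is not caught. The same block recurs in every checked hunk of this file and of atomic.h further down, so one comment at this first site is enough. atomic64_add_unchecked's body continues past the end of the hunk.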
6321@@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
6322 */
6323 static inline void atomic64_sub(long i, atomic64_t *v)
6324 {
6325- asm volatile(LOCK_PREFIX "subq %1,%0"
6326+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
6327+
6328+#ifdef CONFIG_PAX_REFCOUNT
6329+ "jno 0f\n"
6330+ LOCK_PREFIX "addq %1,%0\n"
6331+ "int $4\n0:\n"
6332+ _ASM_EXTABLE(0b, 0b)
6333+#endif
6334+
6335+ : "=m" (v->counter)
6336+ : "er" (i), "m" (v->counter));
6337+}
6338+
6339+/**
6340+ * atomic64_sub_unchecked - subtract the atomic64 variable
6341+ * @i: integer value to subtract
6342+ * @v: pointer to type atomic64_unchecked_t
6343+ *
6344+ * Atomically subtracts @i from @v.
6345+ */
6346+static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6347+{
6348+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
6349 : "=m" (v->counter)
6350 : "er" (i), "m" (v->counter));
6351 }
6352@@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6353 {
6354 unsigned char c;
6355
6356- asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6357+ asm volatile(LOCK_PREFIX "subq %2,%0\n"
6358+
6359+#ifdef CONFIG_PAX_REFCOUNT
6360+ "jno 0f\n"
6361+ LOCK_PREFIX "addq %2,%0\n"
6362+ "int $4\n0:\n"
6363+ _ASM_EXTABLE(0b, 0b)
6364+#endif
6365+
6366+ "sete %1\n"
6367 : "=m" (v->counter), "=qm" (c)
6368 : "er" (i), "m" (v->counter) : "memory");
6369 return c;
6370@@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6371 */
6372 static inline void atomic64_inc(atomic64_t *v)
6373 {
6374+ asm volatile(LOCK_PREFIX "incq %0\n"
6375+
6376+#ifdef CONFIG_PAX_REFCOUNT
6377+ "jno 0f\n"
6378+ LOCK_PREFIX "decq %0\n"
6379+ "int $4\n0:\n"
6380+ _ASM_EXTABLE(0b, 0b)
6381+#endif
6382+
6383+ : "=m" (v->counter)
6384+ : "m" (v->counter));
6385+}
6386+
6387+/**
6388+ * atomic64_inc_unchecked - increment atomic64 variable
6389+ * @v: pointer to type atomic64_unchecked_t
6390+ *
6391+ * Atomically increments @v by 1.
6392+ */
6393+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6394+{
6395 asm volatile(LOCK_PREFIX "incq %0"
6396 : "=m" (v->counter)
6397 : "m" (v->counter));
6398@@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6399 */
6400 static inline void atomic64_dec(atomic64_t *v)
6401 {
6402- asm volatile(LOCK_PREFIX "decq %0"
6403+ asm volatile(LOCK_PREFIX "decq %0\n"
6404+
6405+#ifdef CONFIG_PAX_REFCOUNT
6406+ "jno 0f\n"
6407+ LOCK_PREFIX "incq %0\n"
6408+ "int $4\n0:\n"
6409+ _ASM_EXTABLE(0b, 0b)
6410+#endif
6411+
6412+ : "=m" (v->counter)
6413+ : "m" (v->counter));
6414+}
6415+
6416+/**
6417+ * atomic64_dec_unchecked - decrement atomic64 variable
6418+ * @v: pointer to type atomic64_t
6419+ *
6420+ * Atomically decrements @v by 1.
6421+ */
6422+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6423+{
6424+ asm volatile(LOCK_PREFIX "decq %0\n"
6425 : "=m" (v->counter)
6426 : "m" (v->counter));
6427 }
6428@@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6429 {
6430 unsigned char c;
6431
6432- asm volatile(LOCK_PREFIX "decq %0; sete %1"
6433+ asm volatile(LOCK_PREFIX "decq %0\n"
6434+
6435+#ifdef CONFIG_PAX_REFCOUNT
6436+ "jno 0f\n"
6437+ LOCK_PREFIX "incq %0\n"
6438+ "int $4\n0:\n"
6439+ _ASM_EXTABLE(0b, 0b)
6440+#endif
6441+
6442+ "sete %1\n"
6443 : "=m" (v->counter), "=qm" (c)
6444 : "m" (v->counter) : "memory");
6445 return c != 0;
6446@@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6447 {
6448 unsigned char c;
6449
6450- asm volatile(LOCK_PREFIX "incq %0; sete %1"
6451+ asm volatile(LOCK_PREFIX "incq %0\n"
6452+
6453+#ifdef CONFIG_PAX_REFCOUNT
6454+ "jno 0f\n"
6455+ LOCK_PREFIX "decq %0\n"
6456+ "int $4\n0:\n"
6457+ _ASM_EXTABLE(0b, 0b)
6458+#endif
6459+
6460+ "sete %1\n"
6461 : "=m" (v->counter), "=qm" (c)
6462 : "m" (v->counter) : "memory");
6463 return c != 0;
6464@@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6465 {
6466 unsigned char c;
6467
6468- asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6469+ asm volatile(LOCK_PREFIX "addq %2,%0\n"
6470+
6471+#ifdef CONFIG_PAX_REFCOUNT
6472+ "jno 0f\n"
6473+ LOCK_PREFIX "subq %2,%0\n"
6474+ "int $4\n0:\n"
6475+ _ASM_EXTABLE(0b, 0b)
6476+#endif
6477+
6478+ "sets %1\n"
6479 : "=m" (v->counter), "=qm" (c)
6480 : "er" (i), "m" (v->counter) : "memory");
6481 return c;
6482@@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6483 static inline long atomic64_add_return(long i, atomic64_t *v)
6484 {
6485 long __i = i;
6486- asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6487+ asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6488+
6489+#ifdef CONFIG_PAX_REFCOUNT
6490+ "jno 0f\n"
6491+ "movq %0, %1\n"
6492+ "int $4\n0:\n"
6493+ _ASM_EXTABLE(0b, 0b)
6494+#endif
6495+
6496+ : "+r" (i), "+m" (v->counter)
6497+ : : "memory");
6498+ return i + __i;
6499+}
6500+
6501+/**
6502+ * atomic64_add_return_unchecked - add and return
6503+ * @i: integer value to add
6504+ * @v: pointer to type atomic64_unchecked_t
6505+ *
6506+ * Atomically adds @i to @v and returns @i + @v
6507+ */
6508+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6509+{
6510+ long __i = i;
6511+ asm volatile(LOCK_PREFIX "xaddq %0, %1"
6512 : "+r" (i), "+m" (v->counter)
6513 : : "memory");
6514 return i + __i;
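Review bot: The overflow rollback in atomic64_add_return, `movq %0, %1`, is a plain store of the pre-add value with no LOCK prefix, whereas every other checked hunk rolls back with a locked `subq`/`addq`; a concurrent locked update that lands between the `xaddq` and the `movq` is silently overwritten. The `movl %0, %1` in the atomic_add_return hunk of atomic.h below has the same shape. The likely reasoning is that the counter is sitting at the signed limit either way and the overflowing task is about to be terminated, but that is an inference and belongs next to the `movq`, e.g. `/* non-atomic restore: a racing update may be lost, but the counter is saturated anyway - confirm */`. atomic64_add_return_unchecked's body continues past the end of the hunk.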
6515@@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6516 }
6517
6518 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6519+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6520+{
6521+ return atomic64_add_return_unchecked(1, v);
6522+}
6523 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6524
6525 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6526@@ -190,6 +364,11 @@ static inline long atomic64_cmpxchg(atom
6527 return cmpxchg(&v->counter, old, new);
6528 }
6529
6530+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
6531+{
6532+ return cmpxchg(&v->counter, old, new);
6533+}
6534+
6535 static inline long atomic64_xchg(atomic64_t *v, long new)
6536 {
6537 return xchg(&v->counter, new);
6538@@ -206,17 +385,30 @@ static inline long atomic64_xchg(atomic6
6539 */
6540 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6541 {
6542- long c, old;
6543+ long c, old, new;
6544 c = atomic64_read(v);
6545 for (;;) {
6546- if (unlikely(c == (u)))
6547+ if (unlikely(c == u))
6548 break;
6549- old = atomic64_cmpxchg((v), c, c + (a));
6550+
6551+ asm volatile("add %2,%0\n"
6552+
6553+#ifdef CONFIG_PAX_REFCOUNT
6554+ "jno 0f\n"
6555+ "sub %2,%0\n"
6556+ "int $4\n0:\n"
6557+ _ASM_EXTABLE(0b, 0b)
6558+#endif
6559+
6560+ : "=r" (new)
6561+ : "0" (c), "ir" (a));
6562+
6563+ old = atomic64_cmpxchg(v, c, new);
6564 if (likely(old == c))
6565 break;
6566 c = old;
6567 }
6568- return c != (u);
6569+ return c != u;
6570 }
6571
6572 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
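Review bot: The new inline `add` in atomic64_add_unless constrains `a` with `"ir"`, but on x86-64 an immediate to `add` must fit a sign-extended 32-bit value, so a constant `a` outside that range would be emitted as an immediate and fail to assemble; the rest of this file uses `"er"` for exactly this reason (see the `"er" (i)` operands in the atomic64_add and atomic64_sub hunks). Changing the input list to `: "0" (c), "er" (a));` and spelling the instructions `addq`/`subq` like their siblings keeps the replaced `c + a` behaviour for every `a`. Unlike the other hunks the overflow test here runs on the register copy before the cmpxchg, so no memory rollback is needed; a line above the asm, e.g. `/* compute c + a in a register so an overflow is reported before anything reaches memory */`, makes that difference explicit.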
6573diff -urNp linux-3.1.1/arch/x86/include/asm/atomic.h linux-3.1.1/arch/x86/include/asm/atomic.h
6574--- linux-3.1.1/arch/x86/include/asm/atomic.h 2011-11-11 15:19:27.000000000 -0500
6575+++ linux-3.1.1/arch/x86/include/asm/atomic.h 2011-11-16 18:39:07.000000000 -0500
6576@@ -22,7 +22,18 @@
6577 */
6578 static inline int atomic_read(const atomic_t *v)
6579 {
6580- return (*(volatile int *)&(v)->counter);
6581+ return (*(volatile const int *)&(v)->counter);
6582+}
6583+
6584+/**
6585+ * atomic_read_unchecked - read atomic variable
6586+ * @v: pointer of type atomic_unchecked_t
6587+ *
6588+ * Atomically reads the value of @v.
6589+ */
6590+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6591+{
6592+ return (*(volatile const int *)&(v)->counter);
6593 }
6594
6595 /**
6596@@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6597 }
6598
6599 /**
6600+ * atomic_set_unchecked - set atomic variable
6601+ * @v: pointer of type atomic_unchecked_t
6602+ * @i: required value
6603+ *
6604+ * Atomically sets the value of @v to @i.
6605+ */
6606+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6607+{
6608+ v->counter = i;
6609+}
6610+
6611+/**
6612 * atomic_add - add integer to atomic variable
6613 * @i: integer value to add
6614 * @v: pointer of type atomic_t
6615@@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6616 */
6617 static inline void atomic_add(int i, atomic_t *v)
6618 {
6619- asm volatile(LOCK_PREFIX "addl %1,%0"
6620+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
6621+
6622+#ifdef CONFIG_PAX_REFCOUNT
6623+ "jno 0f\n"
6624+ LOCK_PREFIX "subl %1,%0\n"
6625+ "int $4\n0:\n"
6626+ _ASM_EXTABLE(0b, 0b)
6627+#endif
6628+
6629+ : "+m" (v->counter)
6630+ : "ir" (i));
6631+}
6632+
6633+/**
6634+ * atomic_add_unchecked - add integer to atomic variable
6635+ * @i: integer value to add
6636+ * @v: pointer of type atomic_unchecked_t
6637+ *
6638+ * Atomically adds @i to @v.
6639+ */
6640+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6641+{
6642+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
6643 : "+m" (v->counter)
6644 : "ir" (i));
6645 }
6646@@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6647 */
6648 static inline void atomic_sub(int i, atomic_t *v)
6649 {
6650- asm volatile(LOCK_PREFIX "subl %1,%0"
6651+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
6652+
6653+#ifdef CONFIG_PAX_REFCOUNT
6654+ "jno 0f\n"
6655+ LOCK_PREFIX "addl %1,%0\n"
6656+ "int $4\n0:\n"
6657+ _ASM_EXTABLE(0b, 0b)
6658+#endif
6659+
6660+ : "+m" (v->counter)
6661+ : "ir" (i));
6662+}
6663+
6664+/**
6665+ * atomic_sub_unchecked - subtract integer from atomic variable
6666+ * @i: integer value to subtract
6667+ * @v: pointer of type atomic_unchecked_t
6668+ *
6669+ * Atomically subtracts @i from @v.
6670+ */
6671+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6672+{
6673+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
6674 : "+m" (v->counter)
6675 : "ir" (i));
6676 }
6677@@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6678 {
6679 unsigned char c;
6680
6681- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6682+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
6683+
6684+#ifdef CONFIG_PAX_REFCOUNT
6685+ "jno 0f\n"
6686+ LOCK_PREFIX "addl %2,%0\n"
6687+ "int $4\n0:\n"
6688+ _ASM_EXTABLE(0b, 0b)
6689+#endif
6690+
6691+ "sete %1\n"
6692 : "+m" (v->counter), "=qm" (c)
6693 : "ir" (i) : "memory");
6694 return c;
6695@@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6696 */
6697 static inline void atomic_inc(atomic_t *v)
6698 {
6699- asm volatile(LOCK_PREFIX "incl %0"
6700+ asm volatile(LOCK_PREFIX "incl %0\n"
6701+
6702+#ifdef CONFIG_PAX_REFCOUNT
6703+ "jno 0f\n"
6704+ LOCK_PREFIX "decl %0\n"
6705+ "int $4\n0:\n"
6706+ _ASM_EXTABLE(0b, 0b)
6707+#endif
6708+
6709+ : "+m" (v->counter));
6710+}
6711+
6712+/**
6713+ * atomic_inc_unchecked - increment atomic variable
6714+ * @v: pointer of type atomic_unchecked_t
6715+ *
6716+ * Atomically increments @v by 1.
6717+ */
6718+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6719+{
6720+ asm volatile(LOCK_PREFIX "incl %0\n"
6721 : "+m" (v->counter));
6722 }
6723
6724@@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6725 */
6726 static inline void atomic_dec(atomic_t *v)
6727 {
6728- asm volatile(LOCK_PREFIX "decl %0"
6729+ asm volatile(LOCK_PREFIX "decl %0\n"
6730+
6731+#ifdef CONFIG_PAX_REFCOUNT
6732+ "jno 0f\n"
6733+ LOCK_PREFIX "incl %0\n"
6734+ "int $4\n0:\n"
6735+ _ASM_EXTABLE(0b, 0b)
6736+#endif
6737+
6738+ : "+m" (v->counter));
6739+}
6740+
6741+/**
6742+ * atomic_dec_unchecked - decrement atomic variable
6743+ * @v: pointer of type atomic_unchecked_t
6744+ *
6745+ * Atomically decrements @v by 1.
6746+ */
6747+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6748+{
6749+ asm volatile(LOCK_PREFIX "decl %0\n"
6750 : "+m" (v->counter));
6751 }
6752
6753@@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6754 {
6755 unsigned char c;
6756
6757- asm volatile(LOCK_PREFIX "decl %0; sete %1"
6758+ asm volatile(LOCK_PREFIX "decl %0\n"
6759+
6760+#ifdef CONFIG_PAX_REFCOUNT
6761+ "jno 0f\n"
6762+ LOCK_PREFIX "incl %0\n"
6763+ "int $4\n0:\n"
6764+ _ASM_EXTABLE(0b, 0b)
6765+#endif
6766+
6767+ "sete %1\n"
6768 : "+m" (v->counter), "=qm" (c)
6769 : : "memory");
6770 return c != 0;
6771@@ -138,7 +263,35 @@ static inline int atomic_inc_and_test(at
6772 {
6773 unsigned char c;
6774
6775- asm volatile(LOCK_PREFIX "incl %0; sete %1"
6776+ asm volatile(LOCK_PREFIX "incl %0\n"
6777+
6778+#ifdef CONFIG_PAX_REFCOUNT
6779+ "jno 0f\n"
6780+ LOCK_PREFIX "decl %0\n"
6781+ "int $4\n0:\n"
6782+ _ASM_EXTABLE(0b, 0b)
6783+#endif
6784+
6785+ "sete %1\n"
6786+ : "+m" (v->counter), "=qm" (c)
6787+ : : "memory");
6788+ return c != 0;
6789+}
6790+
6791+/**
6792+ * atomic_inc_and_test_unchecked - increment and test
6793+ * @v: pointer of type atomic_unchecked_t
6794+ *
6795+ * Atomically increments @v by 1
6796+ * and returns true if the result is zero, or false for all
6797+ * other cases.
6798+ */
6799+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
6800+{
6801+ unsigned char c;
6802+
6803+ asm volatile(LOCK_PREFIX "incl %0\n"
6804+ "sete %1\n"
6805 : "+m" (v->counter), "=qm" (c)
6806 : : "memory");
6807 return c != 0;
6808@@ -157,7 +310,16 @@ static inline int atomic_add_negative(in
6809 {
6810 unsigned char c;
6811
6812- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6813+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
6814+
6815+#ifdef CONFIG_PAX_REFCOUNT
6816+ "jno 0f\n"
6817+ LOCK_PREFIX "subl %2,%0\n"
6818+ "int $4\n0:\n"
6819+ _ASM_EXTABLE(0b, 0b)
6820+#endif
6821+
6822+ "sets %1\n"
6823 : "+m" (v->counter), "=qm" (c)
6824 : "ir" (i) : "memory");
6825 return c;
6826@@ -180,6 +342,46 @@ static inline int atomic_add_return(int
6827 #endif
6828 /* Modern 486+ processor */
6829 __i = i;
6830+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6831+
6832+#ifdef CONFIG_PAX_REFCOUNT
6833+ "jno 0f\n"
6834+ "movl %0, %1\n"
6835+ "int $4\n0:\n"
6836+ _ASM_EXTABLE(0b, 0b)
6837+#endif
6838+
6839+ : "+r" (i), "+m" (v->counter)
6840+ : : "memory");
6841+ return i + __i;
6842+
6843+#ifdef CONFIG_M386
6844+no_xadd: /* Legacy 386 processor */
6845+ local_irq_save(flags);
6846+ __i = atomic_read(v);
6847+ atomic_set(v, i + __i);
6848+ local_irq_restore(flags);
6849+ return i + __i;
6850+#endif
6851+}
6852+
6853+/**
6854+ * atomic_add_return_unchecked - add integer and return
6855+ * @v: pointer of type atomic_unchecked_t
6856+ * @i: integer value to add
6857+ *
6858+ * Atomically adds @i to @v and returns @i + @v
6859+ */
6860+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6861+{
6862+ int __i;
6863+#ifdef CONFIG_M386
6864+ unsigned long flags;
6865+ if (unlikely(boot_cpu_data.x86 <= 3))
6866+ goto no_xadd;
6867+#endif
6868+ /* Modern 486+ processor */
6869+ __i = i;
6870 asm volatile(LOCK_PREFIX "xaddl %0, %1"
6871 : "+r" (i), "+m" (v->counter)
6872 : : "memory");
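Review bot: In the CONFIG_M386 `no_xadd` path that the hunk shows inside atomic_add_return, `atomic_set(v, i + __i)` is plain C arithmetic with no overflow test, so CONFIG_PAX_REFCOUNT is silently not enforced for this function on 386 builds while the `xaddl` path above it is checked. If that gap is accepted it should be visible, e.g. `/* no REFCOUNT overflow check on the 386 fallback path */`; otherwise the sum could go through the same `jno`/`int $4` register check before the atomic_set, since interrupts are already off there. The new atomic_add_return_unchecked repeats the `no_xadd` label and the M386 preamble, which is legal because labels are per function, but its body including its own fallback continues past the end of the hunk.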
6873@@ -208,6 +410,10 @@ static inline int atomic_sub_return(int
6874 }
6875
6876 #define atomic_inc_return(v) (atomic_add_return(1, v))
6877+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6878+{
6879+ return atomic_add_return_unchecked(1, v);
6880+}
6881 #define atomic_dec_return(v) (atomic_sub_return(1, v))
6882
6883 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6884@@ -215,11 +421,21 @@ static inline int atomic_cmpxchg(atomic_
6885 return cmpxchg(&v->counter, old, new);
6886 }
6887
6888+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
6889+{
6890+ return cmpxchg(&v->counter, old, new);
6891+}
6892+
6893 static inline int atomic_xchg(atomic_t *v, int new)
6894 {
6895 return xchg(&v->counter, new);
6896 }
6897
6898+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
6899+{
6900+ return xchg(&v->counter, new);
6901+}
6902+
6903 /**
6904 * __atomic_add_unless - add unless the number is already a given value
6905 * @v: pointer of type atomic_t
6906@@ -231,12 +447,25 @@ static inline int atomic_xchg(atomic_t *
6907 */
6908 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
6909 {
6910- int c, old;
6911+ int c, old, new;
6912 c = atomic_read(v);
6913 for (;;) {
6914- if (unlikely(c == (u)))
6915+ if (unlikely(c == u))
6916 break;
6917- old = atomic_cmpxchg((v), c, c + (a));
6918+
6919+ asm volatile("addl %2,%0\n"
6920+
6921+#ifdef CONFIG_PAX_REFCOUNT
6922+ "jno 0f\n"
6923+ "subl %2,%0\n"
6924+ "int $4\n0:\n"
6925+ _ASM_EXTABLE(0b, 0b)
6926+#endif
6927+
6928+ : "=r" (new)
6929+ : "0" (c), "ir" (a));
6930+
6931+ old = atomic_cmpxchg(v, c, new);
6932 if (likely(old == c))
6933 break;
6934 c = old;
6935@@ -244,6 +473,48 @@ static inline int __atomic_add_unless(at
6936 return c;
6937 }
6938
6939+/**
6940+ * atomic_inc_not_zero_hint - increment if not null
6941+ * @v: pointer of type atomic_t
6942+ * @hint: probable value of the atomic before the increment
6943+ *
6944+ * This version of atomic_inc_not_zero() gives a hint of probable
6945+ * value of the atomic. This helps processor to not read the memory
6946+ * before doing the atomic read/modify/write cycle, lowering
6947+ * number of bus transactions on some arches.
6948+ *
6949+ * Returns: 0 if increment was not done, 1 otherwise.
6950+ */
6951+#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
6952+static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
6953+{
6954+ int val, c = hint, new;
6955+
6956+ /* sanity test, should be removed by compiler if hint is a constant */
6957+ if (!hint)
6958+ return __atomic_add_unless(v, 1, 0);
6959+
6960+ do {
6961+ asm volatile("incl %0\n"
6962+
6963+#ifdef CONFIG_PAX_REFCOUNT
6964+ "jno 0f\n"
6965+ "decl %0\n"
6966+ "int $4\n0:\n"
6967+ _ASM_EXTABLE(0b, 0b)
6968+#endif
6969+
6970+ : "=r" (new)
6971+ : "0" (c));
6972+
6973+ val = atomic_cmpxchg(v, c, new);
6974+ if (val == c)
6975+ return 1;
6976+ c = val;
6977+ } while (c);
6978+
6979+ return 0;
6980+}
6981
6982 /*
6983 * atomic_dec_if_positive - decrement by 1 if old value positive
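Review bot: The early return in atomic_inc_not_zero_hint, `return __atomic_add_unless(v, 1, 0);`, hands back the counter's previous value rather than the 0/1 the docblock promises (`Returns: 0 if increment was not done, 1 otherwise`), because `__atomic_add_unless` ends with `return c;` as the hunk's first context lines show. Callers that test the result for truth are unaffected, but anyone comparing against 1 gets a different answer on this path than on the cmpxchg loop below; `return __atomic_add_unless(v, 1, 0) != 0;` matches the documented contract. The `#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint` guard that stops a generic fallback definition from being picked up looks right as far as this hunk shows.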
6984diff -urNp linux-3.1.1/arch/x86/include/asm/bitops.h linux-3.1.1/arch/x86/include/asm/bitops.h
6985--- linux-3.1.1/arch/x86/include/asm/bitops.h 2011-11-11 15:19:27.000000000 -0500
6986+++ linux-3.1.1/arch/x86/include/asm/bitops.h 2011-11-16 18:39:07.000000000 -0500
6987@@ -38,7 +38,7 @@
6988 * a mask operation on a byte.
6989 */
6990 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
6991-#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
6992+#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
6993 #define CONST_MASK(nr) (1 << ((nr) & 7))
6994
6995 /**
6996diff -urNp linux-3.1.1/arch/x86/include/asm/boot.h linux-3.1.1/arch/x86/include/asm/boot.h
6997--- linux-3.1.1/arch/x86/include/asm/boot.h 2011-11-11 15:19:27.000000000 -0500
6998+++ linux-3.1.1/arch/x86/include/asm/boot.h 2011-11-16 18:39:07.000000000 -0500
6999@@ -11,10 +11,15 @@
7000 #include <asm/pgtable_types.h>
7001
7002 /* Physical address where kernel should be loaded. */
7003-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7004+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7005 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7006 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7007
7008+#ifndef __ASSEMBLY__
7009+extern unsigned char __LOAD_PHYSICAL_ADDR[];
7010+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7011+#endif
7012+
7013 /* Minimum kernel alignment, as a power of two */
7014 #ifdef CONFIG_X86_64
7015 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
7016diff -urNp linux-3.1.1/arch/x86/include/asm/cacheflush.h linux-3.1.1/arch/x86/include/asm/cacheflush.h
7017--- linux-3.1.1/arch/x86/include/asm/cacheflush.h 2011-11-11 15:19:27.000000000 -0500
7018+++ linux-3.1.1/arch/x86/include/asm/cacheflush.h 2011-11-16 18:39:07.000000000 -0500
7019@@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
7020 unsigned long pg_flags = pg->flags & _PGMT_MASK;
7021
7022 if (pg_flags == _PGMT_DEFAULT)
7023- return -1;
7024+ return ~0UL;
7025 else if (pg_flags == _PGMT_WC)
7026 return _PAGE_CACHE_WC;
7027 else if (pg_flags == _PGMT_UC_MINUS)
7028diff -urNp linux-3.1.1/arch/x86/include/asm/cache.h linux-3.1.1/arch/x86/include/asm/cache.h
7029--- linux-3.1.1/arch/x86/include/asm/cache.h 2011-11-11 15:19:27.000000000 -0500
7030+++ linux-3.1.1/arch/x86/include/asm/cache.h 2011-11-16 18:39:07.000000000 -0500
7031@@ -5,12 +5,13 @@
7032
7033 /* L1 cache line size */
7034 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
7035-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7036+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7037
7038 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7039+#define __read_only __attribute__((__section__(".data..read_only")))
7040
7041 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7042-#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7043+#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
7044
7045 #ifdef CONFIG_X86_VSMP
7046 #ifdef CONFIG_SMP
7047diff -urNp linux-3.1.1/arch/x86/include/asm/checksum_32.h linux-3.1.1/arch/x86/include/asm/checksum_32.h
7048--- linux-3.1.1/arch/x86/include/asm/checksum_32.h 2011-11-11 15:19:27.000000000 -0500
7049+++ linux-3.1.1/arch/x86/include/asm/checksum_32.h 2011-11-16 18:39:07.000000000 -0500
7050@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7051 int len, __wsum sum,
7052 int *src_err_ptr, int *dst_err_ptr);
7053
7054+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7055+ int len, __wsum sum,
7056+ int *src_err_ptr, int *dst_err_ptr);
7057+
7058+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7059+ int len, __wsum sum,
7060+ int *src_err_ptr, int *dst_err_ptr);
7061+
7062 /*
7063 * Note: when you get a NULL pointer exception here this means someone
7064 * passed in an incorrect kernel address to one of these functions.
7065@@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7066 int *err_ptr)
7067 {
7068 might_sleep();
7069- return csum_partial_copy_generic((__force void *)src, dst,
7070+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
7071 len, sum, err_ptr, NULL);
7072 }
7073
7074@@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7075 {
7076 might_sleep();
7077 if (access_ok(VERIFY_WRITE, dst, len))
7078- return csum_partial_copy_generic(src, (__force void *)dst,
7079+ return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7080 len, sum, NULL, err_ptr);
7081
7082 if (len)
7083diff -urNp linux-3.1.1/arch/x86/include/asm/cpufeature.h linux-3.1.1/arch/x86/include/asm/cpufeature.h
7084--- linux-3.1.1/arch/x86/include/asm/cpufeature.h 2011-11-11 15:19:27.000000000 -0500
7085+++ linux-3.1.1/arch/x86/include/asm/cpufeature.h 2011-11-16 18:39:07.000000000 -0500
7086@@ -358,7 +358,7 @@ static __always_inline __pure bool __sta
7087 ".section .discard,\"aw\",@progbits\n"
7088 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7089 ".previous\n"
7090- ".section .altinstr_replacement,\"ax\"\n"
7091+ ".section .altinstr_replacement,\"a\"\n"
7092 "3: movb $1,%0\n"
7093 "4:\n"
7094 ".previous\n"
7095diff -urNp linux-3.1.1/arch/x86/include/asm/desc_defs.h linux-3.1.1/arch/x86/include/asm/desc_defs.h
7096--- linux-3.1.1/arch/x86/include/asm/desc_defs.h 2011-11-11 15:19:27.000000000 -0500
7097+++ linux-3.1.1/arch/x86/include/asm/desc_defs.h 2011-11-16 18:39:07.000000000 -0500
7098@@ -31,6 +31,12 @@ struct desc_struct {
7099 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
7100 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
7101 };
7102+ struct {
7103+ u16 offset_low;
7104+ u16 seg;
7105+ unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
7106+ unsigned offset_high: 16;
7107+ } gate;
7108 };
7109 } __attribute__((packed));
7110
7111diff -urNp linux-3.1.1/arch/x86/include/asm/desc.h linux-3.1.1/arch/x86/include/asm/desc.h
7112--- linux-3.1.1/arch/x86/include/asm/desc.h 2011-11-11 15:19:27.000000000 -0500
7113+++ linux-3.1.1/arch/x86/include/asm/desc.h 2011-11-16 18:39:07.000000000 -0500
7114@@ -4,6 +4,7 @@
7115 #include <asm/desc_defs.h>
7116 #include <asm/ldt.h>
7117 #include <asm/mmu.h>
7118+#include <asm/pgtable.h>
7119
7120 #include <linux/smp.h>
7121
7122@@ -16,6 +17,7 @@ static inline void fill_ldt(struct desc_
7123
7124 desc->type = (info->read_exec_only ^ 1) << 1;
7125 desc->type |= info->contents << 2;
7126+ desc->type |= info->seg_not_present ^ 1;
7127
7128 desc->s = 1;
7129 desc->dpl = 0x3;
7130@@ -34,17 +36,12 @@ static inline void fill_ldt(struct desc_
7131 }
7132
7133 extern struct desc_ptr idt_descr;
7134-extern gate_desc idt_table[];
7135-
7136-struct gdt_page {
7137- struct desc_struct gdt[GDT_ENTRIES];
7138-} __attribute__((aligned(PAGE_SIZE)));
7139-
7140-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7141+extern gate_desc idt_table[256];
7142
7143+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7144 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7145 {
7146- return per_cpu(gdt_page, cpu).gdt;
7147+ return cpu_gdt_table[cpu];
7148 }
7149
7150 #ifdef CONFIG_X86_64
7151@@ -69,8 +66,14 @@ static inline void pack_gate(gate_desc *
7152 unsigned long base, unsigned dpl, unsigned flags,
7153 unsigned short seg)
7154 {
7155- gate->a = (seg << 16) | (base & 0xffff);
7156- gate->b = (base & 0xffff0000) | (((0x80 | type | (dpl << 5)) & 0xff) << 8);
7157+ gate->gate.offset_low = base;
7158+ gate->gate.seg = seg;
7159+ gate->gate.reserved = 0;
7160+ gate->gate.type = type;
7161+ gate->gate.s = 0;
7162+ gate->gate.dpl = dpl;
7163+ gate->gate.p = 1;
7164+ gate->gate.offset_high = base >> 16;
7165 }
7166
7167 #endif
7168@@ -115,12 +118,16 @@ static inline void paravirt_free_ldt(str
7169
7170 static inline void native_write_idt_entry(gate_desc *idt, int entry, const gate_desc *gate)
7171 {
7172+ pax_open_kernel();
7173 memcpy(&idt[entry], gate, sizeof(*gate));
7174+ pax_close_kernel();
7175 }
7176
7177 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc)
7178 {
7179+ pax_open_kernel();
7180 memcpy(&ldt[entry], desc, 8);
7181+ pax_close_kernel();
7182 }
7183
7184 static inline void
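Review bot: The pax_open_kernel()/pax_close_kernel() pairs added around the IDT, LDT, GDT and TLS writes in this and the following three hunks carry no explanation of what they open, and the pair around `ltr` in native_load_tr_desc does not look like a write at all; a comment at this first site, e.g. `/* descriptor tables are presumably mapped read-only; pax_open_kernel() lifts that for the duration of the write */`, and one at the ltr site, `/* ltr sets the busy bit in the TSS descriptor, i.e. it writes the GDT */`, would make the pattern self-explanatory. Whether these helpers may nest or be called with preemption enabled is not visible here; native_load_tls is on the context-switch path, so that is worth confirming where they are defined.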
7185@@ -134,7 +141,9 @@ native_write_gdt_entry(struct desc_struc
7186 default: size = sizeof(*gdt); break;
7187 }
7188
7189+ pax_open_kernel();
7190 memcpy(&gdt[entry], desc, size);
7191+ pax_close_kernel();
7192 }
7193
7194 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7195@@ -207,7 +216,9 @@ static inline void native_set_ldt(const
7196
7197 static inline void native_load_tr_desc(void)
7198 {
7199+ pax_open_kernel();
7200 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7201+ pax_close_kernel();
7202 }
7203
7204 static inline void native_load_gdt(const struct desc_ptr *dtr)
7205@@ -244,8 +255,10 @@ static inline void native_load_tls(struc
7206 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7207 unsigned int i;
7208
7209+ pax_open_kernel();
7210 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7211 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7212+ pax_close_kernel();
7213 }
7214
7215 #define _LDT_empty(info) \
7216@@ -307,7 +320,7 @@ static inline void set_desc_limit(struct
7217 desc->limit = (limit >> 16) & 0xf;
7218 }
7219
7220-static inline void _set_gate(int gate, unsigned type, void *addr,
7221+static inline void _set_gate(int gate, unsigned type, const void *addr,
7222 unsigned dpl, unsigned ist, unsigned seg)
7223 {
7224 gate_desc s;
7225@@ -326,7 +339,7 @@ static inline void _set_gate(int gate, u
7226 * Pentium F0 0F bugfix can have resulted in the mapped
7227 * IDT being write-protected.
7228 */
7229-static inline void set_intr_gate(unsigned int n, void *addr)
7230+static inline void set_intr_gate(unsigned int n, const void *addr)
7231 {
7232 BUG_ON((unsigned)n > 0xFF);
7233 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7234@@ -356,19 +369,19 @@ static inline void alloc_intr_gate(unsig
7235 /*
7236 * This routine sets up an interrupt gate at directory privilege level 3.
7237 */
7238-static inline void set_system_intr_gate(unsigned int n, void *addr)
7239+static inline void set_system_intr_gate(unsigned int n, const void *addr)
7240 {
7241 BUG_ON((unsigned)n > 0xFF);
7242 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7243 }
7244
7245-static inline void set_system_trap_gate(unsigned int n, void *addr)
7246+static inline void set_system_trap_gate(unsigned int n, const void *addr)
7247 {
7248 BUG_ON((unsigned)n > 0xFF);
7249 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7250 }
7251
7252-static inline void set_trap_gate(unsigned int n, void *addr)
7253+static inline void set_trap_gate(unsigned int n, const void *addr)
7254 {
7255 BUG_ON((unsigned)n > 0xFF);
7256 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7257@@ -377,19 +390,31 @@ static inline void set_trap_gate(unsigne
7258 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7259 {
7260 BUG_ON((unsigned)n > 0xFF);
7261- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7262+ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7263 }
7264
7265-static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7266+static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7267 {
7268 BUG_ON((unsigned)n > 0xFF);
7269 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7270 }
7271
7272-static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7273+static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7274 {
7275 BUG_ON((unsigned)n > 0xFF);
7276 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7277 }
7278
7279+#ifdef CONFIG_X86_32
7280+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7281+{
7282+ struct desc_struct d;
7283+
7284+ if (likely(limit))
7285+ limit = (limit - 1UL) >> PAGE_SHIFT;
7286+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
7287+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7288+}
7289+#endif
7290+
7291 #endif /* _ASM_X86_DESC_H */
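Review bot: set_user_cs (L7286–L7294) hard-codes the descriptor type `0xFB` and flags `0xC` and silently converts the byte `limit` into a page-granular inclusive limit, none of which is commented. Suggest above the pack_descriptor call: `/* type 0xFB: present, DPL 3, code, readable, accessed; flags 0xC: 4 KiB granularity, 32-bit; limit is (bytes - 1) >> PAGE_SHIFT */`. Note also that with the granularity flag set a descriptor limit of 0 still spans one 4 KiB page, so the `likely(limit)` branch does not yield an empty segment — if that is intended for `limit == 0`, a comment should say so.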
7292diff -urNp linux-3.1.1/arch/x86/include/asm/e820.h linux-3.1.1/arch/x86/include/asm/e820.h
7293--- linux-3.1.1/arch/x86/include/asm/e820.h 2011-11-11 15:19:27.000000000 -0500
7294+++ linux-3.1.1/arch/x86/include/asm/e820.h 2011-11-16 18:39:07.000000000 -0500
7295@@ -69,7 +69,7 @@ struct e820map {
7296 #define ISA_START_ADDRESS 0xa0000
7297 #define ISA_END_ADDRESS 0x100000
7298
7299-#define BIOS_BEGIN 0x000a0000
7300+#define BIOS_BEGIN 0x000c0000
7301 #define BIOS_END 0x00100000
7302
7303 #define BIOS_ROM_BASE 0xffe00000
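Review bot: BIOS_BEGIN at L7306 now starts at 0xc0000 while ISA_START_ADDRESS three lines above stays at 0xa0000, and nothing says why the two ranges no longer coincide. Since the excluded 0xa0000–0xbffff window is the legacy video RAM area, a one-line comment would save the next reader from assuming a typo, e.g. `/* 0xa0000-0xbffff is video RAM, not BIOS ROM; start the ROM range at 0xc0000 */`. Anything in the patch that relied on BIOS_BEGIN covering that window is outside this hunk and should be checked.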
7304diff -urNp linux-3.1.1/arch/x86/include/asm/elf.h linux-3.1.1/arch/x86/include/asm/elf.h
7305--- linux-3.1.1/arch/x86/include/asm/elf.h 2011-11-11 15:19:27.000000000 -0500
7306+++ linux-3.1.1/arch/x86/include/asm/elf.h 2011-11-16 18:39:07.000000000 -0500
7307@@ -237,7 +237,25 @@ extern int force_personality32;
7308 the loader. We need to make sure that it is out of the way of the program
7309 that it will "exec", and that there is sufficient room for the brk. */
7310
7311+#ifdef CONFIG_PAX_SEGMEXEC
7312+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7313+#else
7314 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7315+#endif
7316+
7317+#ifdef CONFIG_PAX_ASLR
7318+#ifdef CONFIG_X86_32
7319+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7320+
7321+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7322+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7323+#else
7324+#define PAX_ELF_ET_DYN_BASE 0x400000UL
7325+
7326+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7327+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7328+#endif
7329+#endif
7330
7331 /* This yields a mask that user programs can use to figure out what
7332 instruction set this CPU supports. This could be done in user space,
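Review bot: The new PAX_DELTA_MMAP_LEN / PAX_DELTA_STACK_LEN definitions (L7327–L7333) are bare numbers (15, 16, `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3`) with no statement of their unit or meaning; the surrounding ASLR naming suggests they are counts of randomised bits for the mmap and stack bases, but the reader has to guess. Suggest a comment above `#ifdef CONFIG_PAX_ASLR`: `/* PAX_ELF_ET_DYN_BASE: fixed ET_DYN load base; PAX_DELTA_*_LEN: number of random bits applied to the mmap/stack bases (see the consumer in mm) */`. The 64-bit branch also switches on TIF_IA32 while the 32-bit branch switches on MF_PAX_SEGMEXEC, which is worth one sentence so the asymmetry reads as deliberate.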
7333@@ -290,9 +308,7 @@ do { \
7334
7335 #define ARCH_DLINFO \
7336 do { \
7337- if (vdso_enabled) \
7338- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7339- (unsigned long)current->mm->context.vdso); \
7340+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
7341 } while (0)
7342
7343 #define AT_SYSINFO 32
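Review bot: Removing the `if (vdso_enabled)` guard (L7343–L7346) makes AT_SYSINFO_EHDR unconditional, so when the vDSO is not mapped the aux vector still carries the entry with whatever `current->mm->context.vdso` holds at that point — presumably 0, but that cannot be confirmed from this hunk. Userspace that treats the presence of AT_SYSINFO_EHDR as "vDSO available" would then be handed an address it cannot use, so either the entry should stay conditional or a comment should record that context.vdso is guaranteed 0 when the vDSO is disabled. The dropped cast is consistent with the `unsigned long vdso` change in the mmu.h hunk of this same patch.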
7344@@ -303,7 +319,7 @@ do { \
7345
7346 #endif /* !CONFIG_X86_32 */
7347
7348-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7349+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7350
7351 #define VDSO_ENTRY \
7352 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7353@@ -317,7 +333,4 @@ extern int arch_setup_additional_pages(s
7354 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7355 #define compat_arch_setup_additional_pages syscall32_setup_pages
7356
7357-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7358-#define arch_randomize_brk arch_randomize_brk
7359-
7360 #endif /* _ASM_X86_ELF_H */
7361diff -urNp linux-3.1.1/arch/x86/include/asm/emergency-restart.h linux-3.1.1/arch/x86/include/asm/emergency-restart.h
7362--- linux-3.1.1/arch/x86/include/asm/emergency-restart.h 2011-11-11 15:19:27.000000000 -0500
7363+++ linux-3.1.1/arch/x86/include/asm/emergency-restart.h 2011-11-16 18:39:07.000000000 -0500
7364@@ -15,6 +15,6 @@ enum reboot_type {
7365
7366 extern enum reboot_type reboot_type;
7367
7368-extern void machine_emergency_restart(void);
7369+extern void machine_emergency_restart(void) __noreturn;
7370
7371 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
7372diff -urNp linux-3.1.1/arch/x86/include/asm/futex.h linux-3.1.1/arch/x86/include/asm/futex.h
7373--- linux-3.1.1/arch/x86/include/asm/futex.h 2011-11-11 15:19:27.000000000 -0500
7374+++ linux-3.1.1/arch/x86/include/asm/futex.h 2011-11-16 18:39:07.000000000 -0500
7375@@ -12,16 +12,18 @@
7376 #include <asm/system.h>
7377
7378 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7379+ typecheck(u32 __user *, uaddr); \
7380 asm volatile("1:\t" insn "\n" \
7381 "2:\t.section .fixup,\"ax\"\n" \
7382 "3:\tmov\t%3, %1\n" \
7383 "\tjmp\t2b\n" \
7384 "\t.previous\n" \
7385 _ASM_EXTABLE(1b, 3b) \
7386- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7387+ : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr))\
7388 : "i" (-EFAULT), "0" (oparg), "1" (0))
7389
7390 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7391+ typecheck(u32 __user *, uaddr); \
7392 asm volatile("1:\tmovl %2, %0\n" \
7393 "\tmovl\t%0, %3\n" \
7394 "\t" insn "\n" \
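Review bot: `__futex_atomic_op1` (L7384) and `__futex_atomic_op2` (L7396) now expand to two statements — `typecheck(...);` followed by the `asm volatile` — without a `do { } while (0)` wrapper, so any use in an unbraced `if`/`else` would leave the asm outside the conditional. The call sites in this file are `switch` cases and so work today, but the macro should still be wrapped: `do { typecheck(u32 __user *, uaddr); asm volatile(...); } while (0)`. The body of `__futex_atomic_op2` continues past the end of this hunk.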
7395@@ -34,7 +36,7 @@
7396 _ASM_EXTABLE(1b, 4b) \
7397 _ASM_EXTABLE(2b, 4b) \
7398 : "=&a" (oldval), "=&r" (ret), \
7399- "+m" (*uaddr), "=&r" (tem) \
7400+ "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
7401 : "r" (oparg), "i" (-EFAULT), "1" (0))
7402
7403 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7404@@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
7405
7406 switch (op) {
7407 case FUTEX_OP_SET:
7408- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7409+ __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
7410 break;
7411 case FUTEX_OP_ADD:
7412- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7413+ __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
7414 uaddr, oparg);
7415 break;
7416 case FUTEX_OP_OR:
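Review bot: Only the FUTEX_OP_SET and FUTEX_OP_ADD cases (L7415, L7419) receive the `__copyuser_seg` segment prefix here; the FUTEX_OP_OR case begins at L7422 and it, FUTEX_OP_ANDN and FUTEX_OP_XOR continue outside the hunk. Since the override is injected through the instruction string rather than the macro, those `__futex_atomic_op2` invocations need the same prefix or they would access the user word without the override the other cases now use — confirm they were updated in the part of the function not shown. The enclosing futex_atomic_op_inuser starts and ends outside this hunk.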
7417@@ -123,13 +125,13 @@ static inline int futex_atomic_cmpxchg_i
7418 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7419 return -EFAULT;
7420
7421- asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n"
7422+ asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"
7423 "2:\t.section .fixup, \"ax\"\n"
7424 "3:\tmov %3, %0\n"
7425 "\tjmp 2b\n"
7426 "\t.previous\n"
7427 _ASM_EXTABLE(1b, 3b)
7428- : "+r" (ret), "=a" (oldval), "+m" (*uaddr)
7429+ : "+r" (ret), "=a" (oldval), "+m" (*(u32 __user *)____m(uaddr))
7430 : "i" (-EFAULT), "r" (newval), "1" (oldval)
7431 : "memory"
7432 );
7433diff -urNp linux-3.1.1/arch/x86/include/asm/hw_irq.h linux-3.1.1/arch/x86/include/asm/hw_irq.h
7434--- linux-3.1.1/arch/x86/include/asm/hw_irq.h 2011-11-11 15:19:27.000000000 -0500
7435+++ linux-3.1.1/arch/x86/include/asm/hw_irq.h 2011-11-16 18:39:07.000000000 -0500
7436@@ -136,8 +136,8 @@ extern void setup_ioapic_dest(void);
7437 extern void enable_IO_APIC(void);
7438
7439 /* Statistics */
7440-extern atomic_t irq_err_count;
7441-extern atomic_t irq_mis_count;
7442+extern atomic_unchecked_t irq_err_count;
7443+extern atomic_unchecked_t irq_mis_count;
7444
7445 /* EISA */
7446 extern void eisa_set_level_irq(unsigned int irq);
7447diff -urNp linux-3.1.1/arch/x86/include/asm/i387.h linux-3.1.1/arch/x86/include/asm/i387.h
7448--- linux-3.1.1/arch/x86/include/asm/i387.h 2011-11-11 15:19:27.000000000 -0500
7449+++ linux-3.1.1/arch/x86/include/asm/i387.h 2011-11-16 18:39:07.000000000 -0500
7450@@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
7451 {
7452 int err;
7453
7454+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7455+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7456+ fx = (struct i387_fxsave_struct __user *)((void *)fx + PAX_USER_SHADOW_BASE);
7457+#endif
7458+
7459 /* See comment in fxsave() below. */
7460 #ifdef CONFIG_AS_FXSAVEQ
7461 asm volatile("1: fxrstorq %[fx]\n\t"
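Review bot: The two UDEREF rebasing blocks are inconsistent: this hunk casts through `(void *)fx` (L7462) while the same expression in fxsave_user (L7474) uses `(void __user *)fx`, so the first drops the sparse address-space annotation on a user pointer. Suggest `fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);` here to match, and a one-line comment on both, e.g. `/* UDEREF: user pointers below PAX_USER_SHADOW_BASE are accessed through the shadow mapping */`. Both functions' signatures lie outside their hunks.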
7462@@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
7463 {
7464 int err;
7465
7466+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7467+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7468+ fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7469+#endif
7470+
7471 /*
7472 * Clear the bytes not touched by the fxsave and reserved
7473 * for the SW usage.
7474@@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
7475 #endif /* CONFIG_X86_64 */
7476
7477 /* We need a safe address that is cheap to find and that is already
7478- in L1 during context switch. The best choices are unfortunately
7479- different for UP and SMP */
7480-#ifdef CONFIG_SMP
7481-#define safe_address (__per_cpu_offset[0])
7482-#else
7483-#define safe_address (kstat_cpu(0).cpustat.user)
7484-#endif
7485+ in L1 during context switch. */
7486+#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7487
7488 /*
7489 * These must be called with preempt disabled
7490@@ -312,7 +317,7 @@ static inline void kernel_fpu_begin(void
7491 struct thread_info *me = current_thread_info();
7492 preempt_disable();
7493 if (me->status & TS_USEDFPU)
7494- __save_init_fpu(me->task);
7495+ __save_init_fpu(current);
7496 else
7497 clts();
7498 }
7499diff -urNp linux-3.1.1/arch/x86/include/asm/io.h linux-3.1.1/arch/x86/include/asm/io.h
7500--- linux-3.1.1/arch/x86/include/asm/io.h 2011-11-11 15:19:27.000000000 -0500
7501+++ linux-3.1.1/arch/x86/include/asm/io.h 2011-11-16 18:39:07.000000000 -0500
7502@@ -194,6 +194,17 @@ extern void set_iounmap_nonlazy(void);
7503
7504 #include <linux/vmalloc.h>
7505
7506+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7507+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7508+{
7509+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7510+}
7511+
7512+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7513+{
7514+ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7515+}
7516+
7517 /*
7518 * Convert a virtual cached pointer to an uncached pointer
7519 */
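Review bot: Both new range checks can be defeated by unsigned wraparound: in valid_phys_addr_range (L7513–L7516) `addr + count + PAGE_SIZE - 1` wraps for a large `count`, and in valid_mmap_phys_addr_range (L7518–L7521) `pfn + (count >> PAGE_SHIFT)` wraps for a large `pfn`, in each case producing a small value that passes the `<` comparison. Since these gate physical-memory access, the sums should be checked before they are formed, as below. The strict `<` against the rounded-up end also appears to reject a range that ends exactly on the last valid page; if that is not intended, compare the last page's pfn instead of the rounded-up end. A comment stating that `1ULL << (x86_phys_bits - PAGE_SHIFT)` is the number of addressable pfns would help as well.
```c
static inline int valid_phys_addr_range(unsigned long addr, size_t count)
{
	unsigned long end;

	/* reject ranges whose end would wrap before the page round-up */
	if (count > ULONG_MAX - addr || addr + count > ULONG_MAX - (PAGE_SIZE - 1))
		return 0;
	end = (addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT;
	return end < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT));
}

static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
{
	unsigned long npages = count >> PAGE_SHIFT;

	/* pfn comes from the mmap offset; guard the sum against wrapping */
	if (npages > ULONG_MAX - pfn)
		return 0;
	return pfn + npages < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT));
}
```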
7520diff -urNp linux-3.1.1/arch/x86/include/asm/irqflags.h linux-3.1.1/arch/x86/include/asm/irqflags.h
7521--- linux-3.1.1/arch/x86/include/asm/irqflags.h 2011-11-11 15:19:27.000000000 -0500
7522+++ linux-3.1.1/arch/x86/include/asm/irqflags.h 2011-11-16 18:39:07.000000000 -0500
7523@@ -141,6 +141,11 @@ static inline notrace unsigned long arch
7524 sti; \
7525 sysexit
7526
7527+#define GET_CR0_INTO_RDI mov %cr0, %rdi
7528+#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7529+#define GET_CR3_INTO_RDI mov %cr3, %rdi
7530+#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7531+
7532 #else
7533 #define INTERRUPT_RETURN iret
7534 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7535diff -urNp linux-3.1.1/arch/x86/include/asm/kprobes.h linux-3.1.1/arch/x86/include/asm/kprobes.h
7536--- linux-3.1.1/arch/x86/include/asm/kprobes.h 2011-11-11 15:19:27.000000000 -0500
7537+++ linux-3.1.1/arch/x86/include/asm/kprobes.h 2011-11-16 18:39:07.000000000 -0500
7538@@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
7539 #define RELATIVEJUMP_SIZE 5
7540 #define RELATIVECALL_OPCODE 0xe8
7541 #define RELATIVE_ADDR_SIZE 4
7542-#define MAX_STACK_SIZE 64
7543-#define MIN_STACK_SIZE(ADDR) \
7544- (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
7545- THREAD_SIZE - (unsigned long)(ADDR))) \
7546- ? (MAX_STACK_SIZE) \
7547- : (((unsigned long)current_thread_info()) + \
7548- THREAD_SIZE - (unsigned long)(ADDR)))
7549+#define MAX_STACK_SIZE 64UL
7550+#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
7551
7552 #define flush_insn_slot(p) do { } while (0)
7553
7554diff -urNp linux-3.1.1/arch/x86/include/asm/kvm_host.h linux-3.1.1/arch/x86/include/asm/kvm_host.h
7555--- linux-3.1.1/arch/x86/include/asm/kvm_host.h 2011-11-11 15:19:27.000000000 -0500
7556+++ linux-3.1.1/arch/x86/include/asm/kvm_host.h 2011-11-16 18:39:07.000000000 -0500
7557@@ -456,7 +456,7 @@ struct kvm_arch {
7558 unsigned int n_requested_mmu_pages;
7559 unsigned int n_max_mmu_pages;
7560 unsigned int indirect_shadow_pages;
7561- atomic_t invlpg_counter;
7562+ atomic_unchecked_t invlpg_counter;
7563 struct hlist_head mmu_page_hash[KVM_NUM_MMU_PAGES];
7564 /*
7565 * Hash table of struct kvm_mmu_page.
7566@@ -636,7 +636,7 @@ struct kvm_x86_ops {
7567 enum x86_intercept_stage stage);
7568
7569 const struct trace_print_flags *exit_reasons_str;
7570-};
7571+} __do_const;
7572
7573 struct kvm_arch_async_pf {
7574 u32 token;
7575diff -urNp linux-3.1.1/arch/x86/include/asm/local.h linux-3.1.1/arch/x86/include/asm/local.h
7576--- linux-3.1.1/arch/x86/include/asm/local.h 2011-11-11 15:19:27.000000000 -0500
7577+++ linux-3.1.1/arch/x86/include/asm/local.h 2011-11-16 18:39:07.000000000 -0500
7578@@ -18,26 +18,58 @@ typedef struct {
7579
7580 static inline void local_inc(local_t *l)
7581 {
7582- asm volatile(_ASM_INC "%0"
7583+ asm volatile(_ASM_INC "%0\n"
7584+
7585+#ifdef CONFIG_PAX_REFCOUNT
7586+ "jno 0f\n"
7587+ _ASM_DEC "%0\n"
7588+ "int $4\n0:\n"
7589+ _ASM_EXTABLE(0b, 0b)
7590+#endif
7591+
7592 : "+m" (l->a.counter));
7593 }
7594
7595 static inline void local_dec(local_t *l)
7596 {
7597- asm volatile(_ASM_DEC "%0"
7598+ asm volatile(_ASM_DEC "%0\n"
7599+
7600+#ifdef CONFIG_PAX_REFCOUNT
7601+ "jno 0f\n"
7602+ _ASM_INC "%0\n"
7603+ "int $4\n0:\n"
7604+ _ASM_EXTABLE(0b, 0b)
7605+#endif
7606+
7607 : "+m" (l->a.counter));
7608 }
7609
7610 static inline void local_add(long i, local_t *l)
7611 {
7612- asm volatile(_ASM_ADD "%1,%0"
7613+ asm volatile(_ASM_ADD "%1,%0\n"
7614+
7615+#ifdef CONFIG_PAX_REFCOUNT
7616+ "jno 0f\n"
7617+ _ASM_SUB "%1,%0\n"
7618+ "int $4\n0:\n"
7619+ _ASM_EXTABLE(0b, 0b)
7620+#endif
7621+
7622 : "+m" (l->a.counter)
7623 : "ir" (i));
7624 }
7625
7626 static inline void local_sub(long i, local_t *l)
7627 {
7628- asm volatile(_ASM_SUB "%1,%0"
7629+ asm volatile(_ASM_SUB "%1,%0\n"
7630+
7631+#ifdef CONFIG_PAX_REFCOUNT
7632+ "jno 0f\n"
7633+ _ASM_ADD "%1,%0\n"
7634+ "int $4\n0:\n"
7635+ _ASM_EXTABLE(0b, 0b)
7636+#endif
7637+
7638 : "+m" (l->a.counter)
7639 : "ir" (i));
7640 }
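Review bot: The CONFIG_PAX_REFCOUNT sequence added to local_inc/local_dec/local_add/local_sub (L7591–L7596 and the three repeats in this hunk) — `jno 0f`, the inverse operation, `int $4`, a `0:` label and an `_ASM_EXTABLE(0b, 0b)` entry — is not explained anywhere, and the same block recurs in the local_sub_and_test, local_dec_and_test, local_inc_and_test, local_add_negative and local_add_return hunks below. A comment at the first occurrence would serve all of them, e.g. `/* PAX_REFCOUNT: on signed overflow undo the update, raise #OF (int $4); the extable entry lets the handler resume at 0: */`. In local_add_return the undo is `_ASM_MOV "%0,%1"` rather than the inverse arithmetic, which deserves its own one-liner since xadd already left the old value in %0.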
7641@@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
7642 {
7643 unsigned char c;
7644
7645- asm volatile(_ASM_SUB "%2,%0; sete %1"
7646+ asm volatile(_ASM_SUB "%2,%0\n"
7647+
7648+#ifdef CONFIG_PAX_REFCOUNT
7649+ "jno 0f\n"
7650+ _ASM_ADD "%2,%0\n"
7651+ "int $4\n0:\n"
7652+ _ASM_EXTABLE(0b, 0b)
7653+#endif
7654+
7655+ "sete %1\n"
7656 : "+m" (l->a.counter), "=qm" (c)
7657 : "ir" (i) : "memory");
7658 return c;
7659@@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
7660 {
7661 unsigned char c;
7662
7663- asm volatile(_ASM_DEC "%0; sete %1"
7664+ asm volatile(_ASM_DEC "%0\n"
7665+
7666+#ifdef CONFIG_PAX_REFCOUNT
7667+ "jno 0f\n"
7668+ _ASM_INC "%0\n"
7669+ "int $4\n0:\n"
7670+ _ASM_EXTABLE(0b, 0b)
7671+#endif
7672+
7673+ "sete %1\n"
7674 : "+m" (l->a.counter), "=qm" (c)
7675 : : "memory");
7676 return c != 0;
7677@@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
7678 {
7679 unsigned char c;
7680
7681- asm volatile(_ASM_INC "%0; sete %1"
7682+ asm volatile(_ASM_INC "%0\n"
7683+
7684+#ifdef CONFIG_PAX_REFCOUNT
7685+ "jno 0f\n"
7686+ _ASM_DEC "%0\n"
7687+ "int $4\n0:\n"
7688+ _ASM_EXTABLE(0b, 0b)
7689+#endif
7690+
7691+ "sete %1\n"
7692 : "+m" (l->a.counter), "=qm" (c)
7693 : : "memory");
7694 return c != 0;
7695@@ -110,7 +169,16 @@ static inline int local_add_negative(lon
7696 {
7697 unsigned char c;
7698
7699- asm volatile(_ASM_ADD "%2,%0; sets %1"
7700+ asm volatile(_ASM_ADD "%2,%0\n"
7701+
7702+#ifdef CONFIG_PAX_REFCOUNT
7703+ "jno 0f\n"
7704+ _ASM_SUB "%2,%0\n"
7705+ "int $4\n0:\n"
7706+ _ASM_EXTABLE(0b, 0b)
7707+#endif
7708+
7709+ "sets %1\n"
7710 : "+m" (l->a.counter), "=qm" (c)
7711 : "ir" (i) : "memory");
7712 return c;
7713@@ -133,7 +201,15 @@ static inline long local_add_return(long
7714 #endif
7715 /* Modern 486+ processor */
7716 __i = i;
7717- asm volatile(_ASM_XADD "%0, %1;"
7718+ asm volatile(_ASM_XADD "%0, %1\n"
7719+
7720+#ifdef CONFIG_PAX_REFCOUNT
7721+ "jno 0f\n"
7722+ _ASM_MOV "%0,%1\n"
7723+ "int $4\n0:\n"
7724+ _ASM_EXTABLE(0b, 0b)
7725+#endif
7726+
7727 : "+r" (i), "+m" (l->a.counter)
7728 : : "memory");
7729 return i + __i;
7730diff -urNp linux-3.1.1/arch/x86/include/asm/mman.h linux-3.1.1/arch/x86/include/asm/mman.h
7731--- linux-3.1.1/arch/x86/include/asm/mman.h 2011-11-11 15:19:27.000000000 -0500
7732+++ linux-3.1.1/arch/x86/include/asm/mman.h 2011-11-16 18:39:07.000000000 -0500
7733@@ -5,4 +5,14 @@
7734
7735 #include <asm-generic/mman.h>
7736
7737+#ifdef __KERNEL__
7738+#ifndef __ASSEMBLY__
7739+#ifdef CONFIG_X86_32
7740+#define arch_mmap_check i386_mmap_check
7741+int i386_mmap_check(unsigned long addr, unsigned long len,
7742+ unsigned long flags);
7743+#endif
7744+#endif
7745+#endif
7746+
7747 #endif /* _ASM_X86_MMAN_H */
7748diff -urNp linux-3.1.1/arch/x86/include/asm/mmu_context.h linux-3.1.1/arch/x86/include/asm/mmu_context.h
7749--- linux-3.1.1/arch/x86/include/asm/mmu_context.h 2011-11-11 15:19:27.000000000 -0500
7750+++ linux-3.1.1/arch/x86/include/asm/mmu_context.h 2011-11-16 18:39:07.000000000 -0500
7751@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *m
7752
7753 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
7754 {
7755+
7756+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7757+ unsigned int i;
7758+ pgd_t *pgd;
7759+
7760+ pax_open_kernel();
7761+ pgd = get_cpu_pgd(smp_processor_id());
7762+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
7763+ set_pgd_batched(pgd+i, native_make_pgd(0));
7764+ pax_close_kernel();
7765+#endif
7766+
7767 #ifdef CONFIG_SMP
7768 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
7769 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
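Review bot: The loop at L7768–L7769 clears entries USER_PGD_PTRS..2*USER_PGD_PTRS of the per-cpu pgd without saying what those entries are. The switch_mm hunk below populates the same half via `__shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, ...)`, so presumably this drops the UDEREF shadow of the user page tables while a kernel thread runs on a borrowed mm; suggest `/* UDEREF: clear the shadow user pgds (second USER_PGD_PTRS entries of the per-cpu pgd) */` above the loop. The `pax_open_kernel()` return value is discarded here as it is elsewhere in the patch, which is consistent but worth a note on the paravirt definition rather than here.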
7770@@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_s
7771 struct task_struct *tsk)
7772 {
7773 unsigned cpu = smp_processor_id();
7774+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7775+ int tlbstate = TLBSTATE_OK;
7776+#endif
7777
7778 if (likely(prev != next)) {
7779 #ifdef CONFIG_SMP
7780+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7781+ tlbstate = percpu_read(cpu_tlbstate.state);
7782+#endif
7783 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7784 percpu_write(cpu_tlbstate.active_mm, next);
7785 #endif
7786 cpumask_set_cpu(cpu, mm_cpumask(next));
7787
7788 /* Re-load page tables */
7789+#ifdef CONFIG_PAX_PER_CPU_PGD
7790+ pax_open_kernel();
7791+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7792+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7793+ pax_close_kernel();
7794+ load_cr3(get_cpu_pgd(cpu));
7795+#else
7796 load_cr3(next->pgd);
7797+#endif
7798
7799 /* stop flush ipis for the previous mm */
7800 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7801@@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_s
7802 */
7803 if (unlikely(prev->context.ldt != next->context.ldt))
7804 load_LDT_nolock(&next->context);
7805- }
7806+
7807+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7808+ if (!(__supported_pte_mask & _PAGE_NX)) {
7809+ smp_mb__before_clear_bit();
7810+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7811+ smp_mb__after_clear_bit();
7812+ cpu_set(cpu, next->context.cpu_user_cs_mask);
7813+ }
7814+#endif
7815+
7816+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7817+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7818+ prev->context.user_cs_limit != next->context.user_cs_limit))
7819+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7820 #ifdef CONFIG_SMP
7821+ else if (unlikely(tlbstate != TLBSTATE_OK))
7822+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7823+#endif
7824+#endif
7825+
7826+ }
7827 else {
7828+
7829+#ifdef CONFIG_PAX_PER_CPU_PGD
7830+ pax_open_kernel();
7831+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7832+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7833+ pax_close_kernel();
7834+ load_cr3(get_cpu_pgd(cpu));
7835+#endif
7836+
7837+#ifdef CONFIG_SMP
7838 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7839 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
7840
7841@@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_s
7842 * tlb flush IPI delivery. We must reload CR3
7843 * to make sure to use no freed page tables.
7844 */
7845+
7846+#ifndef CONFIG_PAX_PER_CPU_PGD
7847 load_cr3(next->pgd);
7848+#endif
7849+
7850 load_LDT_nolock(&next->context);
7851+
7852+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
7853+ if (!(__supported_pte_mask & _PAGE_NX))
7854+ cpu_set(cpu, next->context.cpu_user_cs_mask);
7855+#endif
7856+
7857+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7858+#ifdef CONFIG_PAX_PAGEEXEC
7859+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
7860+#endif
7861+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7862+#endif
7863+
7864 }
7865- }
7866 #endif
7867+ }
7868 }
7869
7870 #define activate_mm(prev, next) \
7871diff -urNp linux-3.1.1/arch/x86/include/asm/mmu.h linux-3.1.1/arch/x86/include/asm/mmu.h
7872--- linux-3.1.1/arch/x86/include/asm/mmu.h 2011-11-11 15:19:27.000000000 -0500
7873+++ linux-3.1.1/arch/x86/include/asm/mmu.h 2011-11-16 18:39:07.000000000 -0500
7874@@ -9,7 +9,7 @@
7875 * we put the segment information here.
7876 */
7877 typedef struct {
7878- void *ldt;
7879+ struct desc_struct *ldt;
7880 int size;
7881
7882 #ifdef CONFIG_X86_64
7883@@ -18,7 +18,19 @@ typedef struct {
7884 #endif
7885
7886 struct mutex lock;
7887- void *vdso;
7888+ unsigned long vdso;
7889+
7890+#ifdef CONFIG_X86_32
7891+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7892+ unsigned long user_cs_base;
7893+ unsigned long user_cs_limit;
7894+
7895+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7896+ cpumask_t cpu_user_cs_mask;
7897+#endif
7898+
7899+#endif
7900+#endif
7901 } mm_context_t;
7902
7903 #ifdef CONFIG_SMP
7904diff -urNp linux-3.1.1/arch/x86/include/asm/module.h linux-3.1.1/arch/x86/include/asm/module.h
7905--- linux-3.1.1/arch/x86/include/asm/module.h 2011-11-11 15:19:27.000000000 -0500
7906+++ linux-3.1.1/arch/x86/include/asm/module.h 2011-11-16 18:39:07.000000000 -0500
7907@@ -5,6 +5,7 @@
7908
7909 #ifdef CONFIG_X86_64
7910 /* X86_64 does not define MODULE_PROC_FAMILY */
7911+#define MODULE_PROC_FAMILY ""
7912 #elif defined CONFIG_M386
7913 #define MODULE_PROC_FAMILY "386 "
7914 #elif defined CONFIG_M486
7915@@ -59,8 +60,18 @@
7916 #error unknown processor family
7917 #endif
7918
7919-#ifdef CONFIG_X86_32
7920-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
7921+#ifdef CONFIG_PAX_KERNEXEC
7922+#define MODULE_PAX_KERNEXEC "KERNEXEC "
7923+#else
7924+#define MODULE_PAX_KERNEXEC ""
7925 #endif
7926
7927+#ifdef CONFIG_PAX_MEMORY_UDEREF
7928+#define MODULE_PAX_UDEREF "UDEREF "
7929+#else
7930+#define MODULE_PAX_UDEREF ""
7931+#endif
7932+
7933+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
7934+
7935 #endif /* _ASM_X86_MODULE_H */
7936diff -urNp linux-3.1.1/arch/x86/include/asm/page_64_types.h linux-3.1.1/arch/x86/include/asm/page_64_types.h
7937--- linux-3.1.1/arch/x86/include/asm/page_64_types.h 2011-11-11 15:19:27.000000000 -0500
7938+++ linux-3.1.1/arch/x86/include/asm/page_64_types.h 2011-11-16 18:39:07.000000000 -0500
7939@@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
7940
7941 /* duplicated to the one in bootmem.h */
7942 extern unsigned long max_pfn;
7943-extern unsigned long phys_base;
7944+extern const unsigned long phys_base;
7945
7946 extern unsigned long __phys_addr(unsigned long);
7947 #define __phys_reloc_hide(x) (x)
7948diff -urNp linux-3.1.1/arch/x86/include/asm/paravirt.h linux-3.1.1/arch/x86/include/asm/paravirt.h
7949--- linux-3.1.1/arch/x86/include/asm/paravirt.h 2011-11-11 15:19:27.000000000 -0500
7950+++ linux-3.1.1/arch/x86/include/asm/paravirt.h 2011-11-16 18:39:07.000000000 -0500
7951@@ -667,6 +667,18 @@ static inline void set_pgd(pgd_t *pgdp,
7952 val);
7953 }
7954
7955+static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
7956+{
7957+ pgdval_t val = native_pgd_val(pgd);
7958+
7959+ if (sizeof(pgdval_t) > sizeof(long))
7960+ PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
7961+ val, (u64)val >> 32);
7962+ else
7963+ PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
7964+ val);
7965+}
7966+
7967 static inline void pgd_clear(pgd_t *pgdp)
7968 {
7969 set_pgd(pgdp, __pgd(0));
7970@@ -748,6 +760,21 @@ static inline void __set_fixmap(unsigned
7971 pv_mmu_ops.set_fixmap(idx, phys, flags);
7972 }
7973
7974+#ifdef CONFIG_PAX_KERNEXEC
7975+static inline unsigned long pax_open_kernel(void)
7976+{
7977+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
7978+}
7979+
7980+static inline unsigned long pax_close_kernel(void)
7981+{
7982+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
7983+}
7984+#else
7985+static inline unsigned long pax_open_kernel(void) { return 0; }
7986+static inline unsigned long pax_close_kernel(void) { return 0; }
7987+#endif
7988+
7989 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
7990
7991 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
7992@@ -964,7 +991,7 @@ extern void default_banner(void);
7993
7994 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
7995 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
7996-#define PARA_INDIRECT(addr) *%cs:addr
7997+#define PARA_INDIRECT(addr) *%ss:addr
7998 #endif
7999
8000 #define INTERRUPT_RETURN \
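Review bot: PARA_INDIRECT (L8003) switches the paravirt indirect call/jump operand from `%cs:addr` to `%ss:addr` with no explanation, and this affects every 32-bit paravirt patch site. The likely reason is that under KERNEXEC the kernel code segment no longer describes the same linear range as the data segments, but that is an inference; a comment should state the actual reason, e.g. `/* %ss, not %cs: under KERNEXEC the kernel CS base differs, so data references must not go through it (confirm) */`.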
8001@@ -1041,6 +1068,21 @@ extern void default_banner(void);
8002 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8003 CLBR_NONE, \
8004 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8005+
8006+#define GET_CR0_INTO_RDI \
8007+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8008+ mov %rax,%rdi
8009+
8010+#define SET_RDI_INTO_CR0 \
8011+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8012+
8013+#define GET_CR3_INTO_RDI \
8014+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8015+ mov %rax,%rdi
8016+
8017+#define SET_RDI_INTO_CR3 \
8018+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8019+
8020 #endif /* CONFIG_X86_32 */
8021
8022 #endif /* __ASSEMBLY__ */
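Review bot: The paravirt GET_CR0_INTO_RDI / GET_CR3_INTO_RDI definitions (L8012–L8021) expand to a `call` followed by `mov %rax,%rdi`, so unlike the native `mov %cr0, %rdi` forms in the irqflags.h hunk of this patch they clobber %rax (plus whatever the callee clobbers) and require a usable stack. Every asm user of these macros therefore has to treat %rax as clobbered in both configurations; that constraint belongs in a comment at the definition, e.g. `/* paravirt forms call out: clobber %rax and need a valid stack, unlike the native mov forms */`. SET_RDI_INTO_CR0 / SET_RDI_INTO_CR3 likewise rely on %rdi being the first argument register of the callee.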
8023diff -urNp linux-3.1.1/arch/x86/include/asm/paravirt_types.h linux-3.1.1/arch/x86/include/asm/paravirt_types.h
8024--- linux-3.1.1/arch/x86/include/asm/paravirt_types.h 2011-11-11 15:19:27.000000000 -0500
8025+++ linux-3.1.1/arch/x86/include/asm/paravirt_types.h 2011-11-16 18:39:07.000000000 -0500
8026@@ -84,20 +84,20 @@ struct pv_init_ops {
8027 */
8028 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
8029 unsigned long addr, unsigned len);
8030-};
8031+} __no_const;
8032
8033
8034 struct pv_lazy_ops {
8035 /* Set deferred update mode, used for batching operations. */
8036 void (*enter)(void);
8037 void (*leave)(void);
8038-};
8039+} __no_const;
8040
8041 struct pv_time_ops {
8042 unsigned long long (*sched_clock)(void);
8043 unsigned long long (*steal_clock)(int cpu);
8044 unsigned long (*get_tsc_khz)(void);
8045-};
8046+} __no_const;
8047
8048 struct pv_cpu_ops {
8049 /* hooks for various privileged instructions */
8050@@ -193,7 +193,7 @@ struct pv_cpu_ops {
8051
8052 void (*start_context_switch)(struct task_struct *prev);
8053 void (*end_context_switch)(struct task_struct *next);
8054-};
8055+} __no_const;
8056
8057 struct pv_irq_ops {
8058 /*
8059@@ -224,7 +224,7 @@ struct pv_apic_ops {
8060 unsigned long start_eip,
8061 unsigned long start_esp);
8062 #endif
8063-};
8064+} __no_const;
8065
8066 struct pv_mmu_ops {
8067 unsigned long (*read_cr2)(void);
8068@@ -313,6 +313,7 @@ struct pv_mmu_ops {
8069 struct paravirt_callee_save make_pud;
8070
8071 void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
8072+ void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
8073 #endif /* PAGETABLE_LEVELS == 4 */
8074 #endif /* PAGETABLE_LEVELS >= 3 */
8075
8076@@ -324,6 +325,12 @@ struct pv_mmu_ops {
8077 an mfn. We can tell which is which from the index. */
8078 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8079 phys_addr_t phys, pgprot_t flags);
8080+
8081+#ifdef CONFIG_PAX_KERNEXEC
8082+ unsigned long (*pax_open_kernel)(void);
8083+ unsigned long (*pax_close_kernel)(void);
8084+#endif
8085+
8086 };
8087
8088 struct arch_spinlock;
8089@@ -334,7 +341,7 @@ struct pv_lock_ops {
8090 void (*spin_lock_flags)(struct arch_spinlock *lock, unsigned long flags);
8091 int (*spin_trylock)(struct arch_spinlock *lock);
8092 void (*spin_unlock)(struct arch_spinlock *lock);
8093-};
8094+} __no_const;
8095
8096 /* This contains all the paravirt structures: we get a convenient
8097 * number for each function using the offset which we use to indicate
8098diff -urNp linux-3.1.1/arch/x86/include/asm/pgalloc.h linux-3.1.1/arch/x86/include/asm/pgalloc.h
8099--- linux-3.1.1/arch/x86/include/asm/pgalloc.h 2011-11-11 15:19:27.000000000 -0500
8100+++ linux-3.1.1/arch/x86/include/asm/pgalloc.h 2011-11-16 18:39:07.000000000 -0500
8101@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8102 pmd_t *pmd, pte_t *pte)
8103 {
8104 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8105+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8106+}
8107+
8108+static inline void pmd_populate_user(struct mm_struct *mm,
8109+ pmd_t *pmd, pte_t *pte)
8110+{
8111+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8112 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8113 }
8114
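Review bot: pmd_populate_kernel now installs the PTE page with `_KERNPG_TABLE` (L8111) while the new pmd_populate_user keeps `_PAGE_TABLE` (L8118), and nothing states the difference — `_PAGE_TABLE` carries `_PAGE_USER` and `_KERNPG_TABLE` does not. Any caller that still uses pmd_populate_kernel for a user page table would now get a PTE page that user mode cannot traverse, so the split needs a comment and the callers (outside this hunk) need checking. Suggest above pmd_populate_user: `/* user page tables: like pmd_populate_kernel but keeps _PAGE_USER in the pmd entry */`. The signature of pmd_populate_kernel is outside the hunk.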
8115diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable-2level.h linux-3.1.1/arch/x86/include/asm/pgtable-2level.h
8116--- linux-3.1.1/arch/x86/include/asm/pgtable-2level.h 2011-11-11 15:19:27.000000000 -0500
8117+++ linux-3.1.1/arch/x86/include/asm/pgtable-2level.h 2011-11-16 18:39:07.000000000 -0500
8118@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8119
8120 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8121 {
8122+ pax_open_kernel();
8123 *pmdp = pmd;
8124+ pax_close_kernel();
8125 }
8126
8127 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8128diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable_32.h linux-3.1.1/arch/x86/include/asm/pgtable_32.h
8129--- linux-3.1.1/arch/x86/include/asm/pgtable_32.h 2011-11-11 15:19:27.000000000 -0500
8130+++ linux-3.1.1/arch/x86/include/asm/pgtable_32.h 2011-11-16 18:39:07.000000000 -0500
8131@@ -25,9 +25,6 @@
8132 struct mm_struct;
8133 struct vm_area_struct;
8134
8135-extern pgd_t swapper_pg_dir[1024];
8136-extern pgd_t initial_page_table[1024];
8137-
8138 static inline void pgtable_cache_init(void) { }
8139 static inline void check_pgt_cache(void) { }
8140 void paging_init(void);
8141@@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8142 # include <asm/pgtable-2level.h>
8143 #endif
8144
8145+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8146+extern pgd_t initial_page_table[PTRS_PER_PGD];
8147+#ifdef CONFIG_X86_PAE
8148+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8149+#endif
8150+
8151 #if defined(CONFIG_HIGHPTE)
8152 #define pte_offset_map(dir, address) \
8153 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
8154@@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8155 /* Clear a kernel PTE and flush it from the TLB */
8156 #define kpte_clear_flush(ptep, vaddr) \
8157 do { \
8158+ pax_open_kernel(); \
8159 pte_clear(&init_mm, (vaddr), (ptep)); \
8160+ pax_close_kernel(); \
8161 __flush_tlb_one((vaddr)); \
8162 } while (0)
8163
8164@@ -74,6 +79,9 @@ do { \
8165
8166 #endif /* !__ASSEMBLY__ */
8167
8168+#define HAVE_ARCH_UNMAPPED_AREA
8169+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8170+
8171 /*
8172 * kern_addr_valid() is (1) for FLATMEM and (0) for
8173 * SPARSEMEM and DISCONTIGMEM
8174diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable_32_types.h linux-3.1.1/arch/x86/include/asm/pgtable_32_types.h
8175--- linux-3.1.1/arch/x86/include/asm/pgtable_32_types.h 2011-11-11 15:19:27.000000000 -0500
8176+++ linux-3.1.1/arch/x86/include/asm/pgtable_32_types.h 2011-11-16 18:39:07.000000000 -0500
8177@@ -8,7 +8,7 @@
8178 */
8179 #ifdef CONFIG_X86_PAE
8180 # include <asm/pgtable-3level_types.h>
8181-# define PMD_SIZE (1UL << PMD_SHIFT)
8182+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8183 # define PMD_MASK (~(PMD_SIZE - 1))
8184 #else
8185 # include <asm/pgtable-2level_types.h>
8186@@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8187 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8188 #endif
8189
8190+#ifdef CONFIG_PAX_KERNEXEC
8191+#ifndef __ASSEMBLY__
8192+extern unsigned char MODULES_EXEC_VADDR[];
8193+extern unsigned char MODULES_EXEC_END[];
8194+#endif
8195+#include <asm/boot.h>
8196+#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8197+#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8198+#else
8199+#define ktla_ktva(addr) (addr)
8200+#define ktva_ktla(addr) (addr)
8201+#endif
8202+
8203 #define MODULES_VADDR VMALLOC_START
8204 #define MODULES_END VMALLOC_END
8205 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
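Review bot: ktla_ktva() and ktva_ktla() do not parenthesise their argument, so an argument with lower precedence than `+`/`-` (a ternary, a cast written without its own parentheses) is mis-grouped: `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The names are opaque without a comment; one line stating what the two address spaces are (the kernel's linked vs. runtime virtual text addresses under KERNEXEC, if that is the intent) would help the next reader. The `#include <asm/boot.h>` buried inside the `#ifdef CONFIG_PAX_KERNEXEC` block is easy to miss next to the file's other includes at the top; a comment naming what it provides (LOAD_PHYSICAL_ADDR) would at least explain its position.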
8206diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable-3level.h linux-3.1.1/arch/x86/include/asm/pgtable-3level.h
8207--- linux-3.1.1/arch/x86/include/asm/pgtable-3level.h 2011-11-11 15:19:27.000000000 -0500
8208+++ linux-3.1.1/arch/x86/include/asm/pgtable-3level.h 2011-11-16 18:39:07.000000000 -0500
8209@@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8210
8211 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8212 {
8213+ pax_open_kernel();
8214 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8215+ pax_close_kernel();
8216 }
8217
8218 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8219 {
8220+ pax_open_kernel();
8221 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8222+ pax_close_kernel();
8223 }
8224
8225 /*
8226diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable_64.h linux-3.1.1/arch/x86/include/asm/pgtable_64.h
8227--- linux-3.1.1/arch/x86/include/asm/pgtable_64.h 2011-11-11 15:19:27.000000000 -0500
8228+++ linux-3.1.1/arch/x86/include/asm/pgtable_64.h 2011-11-16 18:39:07.000000000 -0500
8229@@ -16,10 +16,13 @@
8230
8231 extern pud_t level3_kernel_pgt[512];
8232 extern pud_t level3_ident_pgt[512];
8233+extern pud_t level3_vmalloc_pgt[512];
8234+extern pud_t level3_vmemmap_pgt[512];
8235+extern pud_t level2_vmemmap_pgt[512];
8236 extern pmd_t level2_kernel_pgt[512];
8237 extern pmd_t level2_fixmap_pgt[512];
8238-extern pmd_t level2_ident_pgt[512];
8239-extern pgd_t init_level4_pgt[];
8240+extern pmd_t level2_ident_pgt[512*2];
8241+extern pgd_t init_level4_pgt[512];
8242
8243 #define swapper_pg_dir init_level4_pgt
8244
8245@@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
8246
8247 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8248 {
8249+ pax_open_kernel();
8250 *pmdp = pmd;
8251+ pax_close_kernel();
8252 }
8253
8254 static inline void native_pmd_clear(pmd_t *pmd)
8255@@ -107,6 +112,13 @@ static inline void native_pud_clear(pud_
8256
8257 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8258 {
8259+ pax_open_kernel();
8260+ *pgdp = pgd;
8261+ pax_close_kernel();
8262+}
8263+
8264+static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
8265+{
8266 *pgdp = pgd;
8267 }
8268
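Review bot: native_set_pgd_batched() stores through the pgd without the pax_open_kernel()/pax_close_kernel() pair that the sibling native_set_pgd() now takes, and nothing states the precondition that makes that safe — presumably that the caller has already opened the window around a whole batch of updates. A comment on the function, `/* caller must bracket the batch with pax_open_kernel()/pax_close_kernel() */`, would make the contract visible and stop it being used as a drop-in for native_set_pgd().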
8269diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable_64_types.h linux-3.1.1/arch/x86/include/asm/pgtable_64_types.h
8270--- linux-3.1.1/arch/x86/include/asm/pgtable_64_types.h 2011-11-11 15:19:27.000000000 -0500
8271+++ linux-3.1.1/arch/x86/include/asm/pgtable_64_types.h 2011-11-16 18:39:07.000000000 -0500
8272@@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8273 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8274 #define MODULES_END _AC(0xffffffffff000000, UL)
8275 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8276+#define MODULES_EXEC_VADDR MODULES_VADDR
8277+#define MODULES_EXEC_END MODULES_END
8278+
8279+#define ktla_ktva(addr) (addr)
8280+#define ktva_ktla(addr) (addr)
8281
8282 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8283diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable.h linux-3.1.1/arch/x86/include/asm/pgtable.h
8284--- linux-3.1.1/arch/x86/include/asm/pgtable.h 2011-11-11 15:19:27.000000000 -0500
8285+++ linux-3.1.1/arch/x86/include/asm/pgtable.h 2011-11-16 18:39:07.000000000 -0500
8286@@ -44,6 +44,7 @@ extern struct mm_struct *pgd_page_get_mm
8287
8288 #ifndef __PAGETABLE_PUD_FOLDED
8289 #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
8290+#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
8291 #define pgd_clear(pgd) native_pgd_clear(pgd)
8292 #endif
8293
8294@@ -81,12 +82,51 @@ extern struct mm_struct *pgd_page_get_mm
8295
8296 #define arch_end_context_switch(prev) do {} while(0)
8297
8298+#define pax_open_kernel() native_pax_open_kernel()
8299+#define pax_close_kernel() native_pax_close_kernel()
8300 #endif /* CONFIG_PARAVIRT */
8301
8302+#define __HAVE_ARCH_PAX_OPEN_KERNEL
8303+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8304+
8305+#ifdef CONFIG_PAX_KERNEXEC
8306+static inline unsigned long native_pax_open_kernel(void)
8307+{
8308+ unsigned long cr0;
8309+
8310+ preempt_disable();
8311+ barrier();
8312+ cr0 = read_cr0() ^ X86_CR0_WP;
8313+ BUG_ON(unlikely(cr0 & X86_CR0_WP));
8314+ write_cr0(cr0);
8315+ return cr0 ^ X86_CR0_WP;
8316+}
8317+
8318+static inline unsigned long native_pax_close_kernel(void)
8319+{
8320+ unsigned long cr0;
8321+
8322+ cr0 = read_cr0() ^ X86_CR0_WP;
8323+ BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8324+ write_cr0(cr0);
8325+ barrier();
8326+ preempt_enable_no_resched();
8327+ return cr0 ^ X86_CR0_WP;
8328+}
8329+#else
8330+static inline unsigned long native_pax_open_kernel(void) { return 0; }
8331+static inline unsigned long native_pax_close_kernel(void) { return 0; }
8332+#endif
8333+
8334 /*
8335 * The following only work if pte_present() is true.
8336 * Undefined behaviour if not..
8337 */
8338+static inline int pte_user(pte_t pte)
8339+{
8340+ return pte_val(pte) & _PAGE_USER;
8341+}
8342+
8343 static inline int pte_dirty(pte_t pte)
8344 {
8345 return pte_flags(pte) & _PAGE_DIRTY;
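Review bot: native_pax_open_kernel() and native_pax_close_kernel() have no comment although every page-table write in this series relies on them; the return value in particular is undocumented — from the two XORs, each returns CR0 exactly as it was read on entry, and every caller in this patch discards it. Worth stating above the `#ifdef CONFIG_PAX_KERNEXEC` block: `/* Temporarily clear CR0.WP so the kernel may write to its read-only (KERNEXEC) mappings; preemption is held across the window and both helpers return the CR0 value seen on entry. */`. How an interrupt taken inside the open/close window sees CR0 is not visible in this hunk, so the comment should also point to where that is handled. Two smaller points: `unlikely()` inside `BUG_ON()` is redundant because BUG_ON already wraps its condition in unlikely(), and the new pte_user() reads `pte_val(pte)` where its neighbours such as pte_dirty use `pte_flags(pte)`; `return pte_flags(pte) & _PAGE_USER;` keeps the style uniform.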
8346@@ -196,9 +236,29 @@ static inline pte_t pte_wrprotect(pte_t
8347 return pte_clear_flags(pte, _PAGE_RW);
8348 }
8349
8350+static inline pte_t pte_mkread(pte_t pte)
8351+{
8352+ return __pte(pte_val(pte) | _PAGE_USER);
8353+}
8354+
8355 static inline pte_t pte_mkexec(pte_t pte)
8356 {
8357- return pte_clear_flags(pte, _PAGE_NX);
8358+#ifdef CONFIG_X86_PAE
8359+ if (__supported_pte_mask & _PAGE_NX)
8360+ return pte_clear_flags(pte, _PAGE_NX);
8361+ else
8362+#endif
8363+ return pte_set_flags(pte, _PAGE_USER);
8364+}
8365+
8366+static inline pte_t pte_exprotect(pte_t pte)
8367+{
8368+#ifdef CONFIG_X86_PAE
8369+ if (__supported_pte_mask & _PAGE_NX)
8370+ return pte_set_flags(pte, _PAGE_NX);
8371+ else
8372+#endif
8373+ return pte_clear_flags(pte, _PAGE_USER);
8374 }
8375
8376 static inline pte_t pte_mkdirty(pte_t pte)
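Review bot: The `#ifdef CONFIG_X86_PAE` guards in pte_mkexec() and pte_exprotect() do not cover x86-64, where CONFIG_X86_PAE is not set, so on 64-bit these helpers only toggle _PAGE_USER and leave _PAGE_NX alone. If that is intended — the helpers serving only the 32-bit exec-protection emulation — a comment saying so is needed; otherwise the guard should read `#if defined(CONFIG_X86_PAE) || defined(CONFIG_X86_64)`. Two style points: pte_mkread() builds its result with `__pte(pte_val(pte) | _PAGE_USER)` while the sibling fallthrough uses `pte_set_flags(pte, _PAGE_USER)`, so `return pte_set_flags(pte, _PAGE_USER);` would match, and an `else` that dangles across a preprocessor `#endif` is fragile to read — braces around the if/else, or two plain returns, would make the control flow explicit.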
8377@@ -390,6 +450,15 @@ pte_t *populate_extra_pte(unsigned long
8378 #endif
8379
8380 #ifndef __ASSEMBLY__
8381+
8382+#ifdef CONFIG_PAX_PER_CPU_PGD
8383+extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8384+static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8385+{
8386+ return cpu_pgd[cpu];
8387+}
8388+#endif
8389+
8390 #include <linux/mm_types.h>
8391
8392 static inline int pte_none(pte_t pte)
8393@@ -560,7 +629,7 @@ static inline pud_t *pud_offset(pgd_t *p
8394
8395 static inline int pgd_bad(pgd_t pgd)
8396 {
8397- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8398+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8399 }
8400
8401 static inline int pgd_none(pgd_t pgd)
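Review bot: pgd_bad() now tolerates _PAGE_NX on a top-level entry, which widens what this sanity check accepts, and the hunk does not say which code path starts setting NX there. A comment on the changed line, `/* NX may legitimately be set on pgd entries under PaX and is not a corruption sign */`, adjusted to name the actual producer, would record why the check was relaxed.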
8402@@ -583,7 +652,12 @@ static inline int pgd_none(pgd_t pgd)
8403 * pgd_offset() returns a (pgd_t *)
8404 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8405 */
8406-#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8407+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8408+
8409+#ifdef CONFIG_PAX_PER_CPU_PGD
8410+#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8411+#endif
8412+
8413 /*
8414 * a shortcut which implies the use of the kernel's pgd, instead
8415 * of a process's
8416@@ -594,6 +668,20 @@ static inline int pgd_none(pgd_t pgd)
8417 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8418 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8419
8420+#ifdef CONFIG_X86_32
8421+#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8422+#else
8423+#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8424+#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8425+
8426+#ifdef CONFIG_PAX_MEMORY_UDEREF
8427+#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8428+#else
8429+#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8430+#endif
8431+
8432+#endif
8433+
8434 #ifndef __ASSEMBLY__
8435
8436 extern int direct_gbpages;
8437@@ -758,11 +846,23 @@ static inline void pmdp_set_wrprotect(st
8438 * dst and src can be on the same page, but the range must not overlap,
8439 * and must not cross a page boundary.
8440 */
8441-static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8442+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8443 {
8444- memcpy(dst, src, count * sizeof(pgd_t));
8445+ pax_open_kernel();
8446+ while (count--)
8447+ *dst++ = *src++;
8448+ pax_close_kernel();
8449 }
8450
8451+#ifdef CONFIG_PAX_PER_CPU_PGD
8452+extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8453+#endif
8454+
8455+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8456+extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8457+#else
8458+static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8459+#endif
8460
8461 #include <asm-generic/pgtable.h>
8462 #endif /* __ASSEMBLY__ */
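Review bot: The memcpy() in clone_pgd_range() is replaced by an element-by-element loop inside the pax_open_kernel()/pax_close_kernel() window, but the comment immediately above (its first lines are outside the hunk) still describes memcpy-style overlap rules and nothing says why the loop is preferred — presumably so each pgd_t is written as one aligned store and no out-of-line call runs with CR0.WP clear. Suggest adding under the existing comment: `/* copied entry by entry: one aligned store per pgd_t, and the WP window stays local to this loop */`. `count` remains a signed int driving `while (count--)`, so a negative value spins; the old memcpy form had the same weakness, but since the signature was already touched (`const pgd_t *src`), making `count` unsigned here would close it.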
8463diff -urNp linux-3.1.1/arch/x86/include/asm/pgtable_types.h linux-3.1.1/arch/x86/include/asm/pgtable_types.h
8464--- linux-3.1.1/arch/x86/include/asm/pgtable_types.h 2011-11-11 15:19:27.000000000 -0500
8465+++ linux-3.1.1/arch/x86/include/asm/pgtable_types.h 2011-11-16 18:39:07.000000000 -0500
8466@@ -16,13 +16,12 @@
8467 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8468 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8469 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8470-#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8471+#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8472 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8473 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8474 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8475-#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8476-#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8477-#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
8478+#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8479+#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
8480 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8481
8482 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8483@@ -40,7 +39,6 @@
8484 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8485 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8486 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8487-#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8488 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8489 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8490 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8491@@ -57,8 +55,10 @@
8492
8493 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8494 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8495-#else
8496+#elif defined(CONFIG_KMEMCHECK)
8497 #define _PAGE_NX (_AT(pteval_t, 0))
8498+#else
8499+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8500 #endif
8501
8502 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
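Review bot: On 32-bit without PAE, _PAGE_NX now aliases _PAGE_BIT_HIDDEN (bit 11), a software-only bit the hardware ignores, and falls back to 0 only when kmemcheck owns that bit; none of this is written down, and a reader seeing _PAGE_NX used on such a configuration will assume a hardware effect. Suggest a comment on the `#elif`/`#else` pair: `/* no hardware NX without PAE: record the intent in software bit 11 (shared with kmemcheck, hence the fallback to 0) for the fault path to enforce */`, with the last clause hedged until the consumer of the bit is confirmed.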
8503@@ -96,6 +96,9 @@
8504 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8505 _PAGE_ACCESSED)
8506
8507+#define PAGE_READONLY_NOEXEC PAGE_READONLY
8508+#define PAGE_SHARED_NOEXEC PAGE_SHARED
8509+
8510 #define __PAGE_KERNEL_EXEC \
8511 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8512 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8513@@ -106,7 +109,7 @@
8514 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8515 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8516 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8517-#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8518+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8519 #define __PAGE_KERNEL_VVAR (__PAGE_KERNEL_RO | _PAGE_USER)
8520 #define __PAGE_KERNEL_VVAR_NOCACHE (__PAGE_KERNEL_VVAR | _PAGE_PCD | _PAGE_PWT)
8521 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
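Review bot: Changing __PAGE_KERNEL_VSYSCALL from __PAGE_KERNEL_RX to __PAGE_KERNEL_RO makes the vsyscall page user-readable but non-executable, which only works if every vsyscall entry is trapped and emulated rather than executed in place; that dependency is not stated anywhere in the hunk. A comment on the line, `/* RO, not RX: vsyscalls are trapped and emulated, never executed in place */`, would tie the mapping to the emulation path it relies on.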
8522@@ -168,8 +171,8 @@
8523 * bits are combined, this will alow user to access the high address mapped
8524 * VDSO in the presence of CONFIG_COMPAT_VDSO
8525 */
8526-#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8527-#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8528+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8529+#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8530 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
8531 #endif
8532
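Review bot: The comment directly above these defines (its first lines are outside the hunk) explains that the identity-mapping bits are combined so a user-accessible VDSO works under CONFIG_COMPAT_VDSO — it justifies exactly the USER bit that PDE_IDENT_ATTR loses with 0x067 → 0x063, so it is now stale and contradicts the value. Update it to say the early identity mappings are kernel-only, and annotate the new line: `/* PRESENT+RW+DIRTY+ACCESSED, no USER: the identity map must not be reachable from user mode */`. The PTE change (0x003 → 0x063) deserves a word too; pre-setting DIRTY and ACCESSED presumably avoids later hardware writes into tables that this series makes read-only, but that reasoning should be spelled out rather than inferred.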
8533@@ -207,7 +210,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8534 {
8535 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8536 }
8537+#endif
8538
8539+#if PAGETABLE_LEVELS == 3
8540+#include <asm-generic/pgtable-nopud.h>
8541+#endif
8542+
8543+#if PAGETABLE_LEVELS == 2
8544+#include <asm-generic/pgtable-nopmd.h>
8545+#endif
8546+
8547+#ifndef __ASSEMBLY__
8548 #if PAGETABLE_LEVELS > 3
8549 typedef struct { pudval_t pud; } pud_t;
8550
8551@@ -221,8 +234,6 @@ static inline pudval_t native_pud_val(pu
8552 return pud.pud;
8553 }
8554 #else
8555-#include <asm-generic/pgtable-nopud.h>
8556-
8557 static inline pudval_t native_pud_val(pud_t pud)
8558 {
8559 return native_pgd_val(pud.pgd);
8560@@ -242,8 +253,6 @@ static inline pmdval_t native_pmd_val(pm
8561 return pmd.pmd;
8562 }
8563 #else
8564-#include <asm-generic/pgtable-nopmd.h>
8565-
8566 static inline pmdval_t native_pmd_val(pmd_t pmd)
8567 {
8568 return native_pgd_val(pmd.pud.pgd);
8569@@ -283,7 +292,6 @@ typedef struct page *pgtable_t;
8570
8571 extern pteval_t __supported_pte_mask;
8572 extern void set_nx(void);
8573-extern int nx_enabled;
8574
8575 #define pgprot_writecombine pgprot_writecombine
8576 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8577diff -urNp linux-3.1.1/arch/x86/include/asm/processor.h linux-3.1.1/arch/x86/include/asm/processor.h
8578--- linux-3.1.1/arch/x86/include/asm/processor.h 2011-11-11 15:19:27.000000000 -0500
8579+++ linux-3.1.1/arch/x86/include/asm/processor.h 2011-11-16 18:39:07.000000000 -0500
8580@@ -266,7 +266,7 @@ struct tss_struct {
8581
8582 } ____cacheline_aligned;
8583
8584-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8585+extern struct tss_struct init_tss[NR_CPUS];
8586
8587 /*
8588 * Save the original ist values for checking stack pointers during debugging
8589@@ -858,11 +858,18 @@ static inline void spin_lock_prefetch(co
8590 */
8591 #define TASK_SIZE PAGE_OFFSET
8592 #define TASK_SIZE_MAX TASK_SIZE
8593+
8594+#ifdef CONFIG_PAX_SEGMEXEC
8595+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8596+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8597+#else
8598 #define STACK_TOP TASK_SIZE
8599-#define STACK_TOP_MAX STACK_TOP
8600+#endif
8601+
8602+#define STACK_TOP_MAX TASK_SIZE
8603
8604 #define INIT_THREAD { \
8605- .sp0 = sizeof(init_stack) + (long)&init_stack, \
8606+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8607 .vm86_info = NULL, \
8608 .sysenter_cs = __KERNEL_CS, \
8609 .io_bitmap_ptr = NULL, \
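Review bot: STACK_TOP now dereferences `current->mm` when CONFIG_PAX_SEGMEXEC is set, so it is only valid from a context that owns an mm; a kernel thread (mm == NULL) evaluating it would oops, and the original constant carried no such precondition. Suggest `/* SEGMEXEC halves the address space; valid only where current->mm is set */` above the define. The conditional `?SEGMEXEC_TASK_SIZE:TASK_SIZE` should be spaced like the file's other ternaries (compare IA32_PAGE_OFFSET further down). The `- 8` added to .sp0 here and in the INIT_TSS hunk below, and the `- 16` in the two 64-bit INIT_THREAD/INIT_TSS hunks, are unexplained magic numbers; a named constant with a comment on what the reserved bytes hold would be clearer.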
8610@@ -876,7 +883,7 @@ static inline void spin_lock_prefetch(co
8611 */
8612 #define INIT_TSS { \
8613 .x86_tss = { \
8614- .sp0 = sizeof(init_stack) + (long)&init_stack, \
8615+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8616 .ss0 = __KERNEL_DS, \
8617 .ss1 = __KERNEL_CS, \
8618 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8619@@ -887,11 +894,7 @@ static inline void spin_lock_prefetch(co
8620 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8621
8622 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8623-#define KSTK_TOP(info) \
8624-({ \
8625- unsigned long *__ptr = (unsigned long *)(info); \
8626- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8627-})
8628+#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
8629
8630 /*
8631 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
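Review bot: KSTK_TOP(info) changes meaning, not just implementation: it used to return the address one past the thread stack and now returns thread.sp0, which the INIT_THREAD hunks in this file place 8 (32-bit) or 16 (64-bit) bytes below that, so any user of KSTK_TOP other than task_pt_regs (updated in the next hunk) now sees a shifted value. It also hard-wires the assumption that thread_info is embedded in task_struct as `tinfo`, a layout change made elsewhere in this series and not visible here. A comment above the define, `/* sp0 is the top of the usable ring-0 stack; thread_info lives in task_struct.tinfo */`, would record both facts. The context comment that follows ("The below -8 is to reserve 8 bytes...") describes the `-8` that the task_pt_regs hunk removes, so it is stale and should be reworded or dropped.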
8632@@ -906,7 +909,7 @@ extern unsigned long thread_saved_pc(str
8633 #define task_pt_regs(task) \
8634 ({ \
8635 struct pt_regs *__regs__; \
8636- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8637+ __regs__ = (struct pt_regs *)((task)->thread.sp0); \
8638 __regs__ - 1; \
8639 })
8640
8641@@ -916,13 +919,13 @@ extern unsigned long thread_saved_pc(str
8642 /*
8643 * User space process size. 47bits minus one guard page.
8644 */
8645-#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8646+#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8647
8648 /* This decides where the kernel will search for a free chunk of vm
8649 * space during mmap's.
8650 */
8651 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8652- 0xc0000000 : 0xFFFFe000)
8653+ 0xc0000000 : 0xFFFFf000)
8654
8655 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8656 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
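Review bot: TASK_SIZE_MAX now expands TASK_SIZE_MAX_SHIFT, which this series defines in pgtable.h (the USER_PGD_PTRS hunk) rather than in this header, so the macro is correct only in translation units whose include order brings pgtable.h in before TASK_SIZE_MAX is used; moving `#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT` into this header or a *_types.h header would remove the ordering dependency. The change of IA32_PAGE_OFFSET from 0xFFFFe000 to 0xFFFFf000 shrinks the region reserved above the 32-bit compat task from two pages to one and is not explained; a comment stating why one page is now sufficient would help.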
8657@@ -933,11 +936,11 @@ extern unsigned long thread_saved_pc(str
8658 #define STACK_TOP_MAX TASK_SIZE_MAX
8659
8660 #define INIT_THREAD { \
8661- .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
8662+ .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
8663 }
8664
8665 #define INIT_TSS { \
8666- .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
8667+ .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
8668 }
8669
8670 /*
8671@@ -959,6 +962,10 @@ extern void start_thread(struct pt_regs
8672 */
8673 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8674
8675+#ifdef CONFIG_PAX_SEGMEXEC
8676+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8677+#endif
8678+
8679 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8680
8681 /* Get/set a process' ability to use the timestamp counter instruction */
8682diff -urNp linux-3.1.1/arch/x86/include/asm/ptrace.h linux-3.1.1/arch/x86/include/asm/ptrace.h
8683--- linux-3.1.1/arch/x86/include/asm/ptrace.h 2011-11-11 15:19:27.000000000 -0500
8684+++ linux-3.1.1/arch/x86/include/asm/ptrace.h 2011-11-16 18:39:07.000000000 -0500
8685@@ -156,28 +156,29 @@ static inline unsigned long regs_return_
8686 }
8687
8688 /*
8689- * user_mode_vm(regs) determines whether a register set came from user mode.
8690+ * user_mode(regs) determines whether a register set came from user mode.
8691 * This is true if V8086 mode was enabled OR if the register set was from
8692 * protected mode with RPL-3 CS value. This tricky test checks that with
8693 * one comparison. Many places in the kernel can bypass this full check
8694- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8695+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8696+ * be used.
8697 */
8698-static inline int user_mode(struct pt_regs *regs)
8699+static inline int user_mode_novm(struct pt_regs *regs)
8700 {
8701 #ifdef CONFIG_X86_32
8702 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8703 #else
8704- return !!(regs->cs & 3);
8705+ return !!(regs->cs & SEGMENT_RPL_MASK);
8706 #endif
8707 }
8708
8709-static inline int user_mode_vm(struct pt_regs *regs)
8710+static inline int user_mode(struct pt_regs *regs)
8711 {
8712 #ifdef CONFIG_X86_32
8713 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8714 USER_RPL;
8715 #else
8716- return user_mode(regs);
8717+ return user_mode_novm(regs);
8718 #endif
8719 }
8720
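Review bot: Swapping the names so that user_mode() becomes the V8086-aware check and user_mode_novm() the cheaper one is a silent semantic change for every existing caller of user_mode(): they all get the stricter test without any source change, while callers of the old user_mode_vm() fail to compile until renamed. That is the safer direction (the stricter check cannot misclassify a VM86 frame as kernel mode) but it deserves a line in the comment, e.g. `* Note: user_mode() was formerly user_mode_vm(); the cheaper test is now user_mode_novm().`, so readers grepping for the old names understand the rename. The 64-bit branch's `!!(regs->cs & SEGMENT_RPL_MASK)` still differs in shape from the 32-bit `== USER_RPL` comparison; unifying on one form would be tidier.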
8721@@ -193,15 +194,16 @@ static inline int v8086_mode(struct pt_r
8722 #ifdef CONFIG_X86_64
8723 static inline bool user_64bit_mode(struct pt_regs *regs)
8724 {
8725+ unsigned long cs = regs->cs & 0xffff;
8726 #ifndef CONFIG_PARAVIRT
8727 /*
8728 * On non-paravirt systems, this is the only long mode CPL 3
8729 * selector. We do not allow long mode selectors in the LDT.
8730 */
8731- return regs->cs == __USER_CS;
8732+ return cs == __USER_CS;
8733 #else
8734 /* Headers are too twisted for this to go in paravirt.h. */
8735- return regs->cs == __USER_CS || regs->cs == pv_info.extra_user_64bit_cs;
8736+ return cs == __USER_CS || cs == pv_info.extra_user_64bit_cs;
8737 #endif
8738 }
8739 #endif
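Review bot: The new `unsigned long cs = regs->cs & 0xffff;` in user_64bit_mode() is not explained: the mask implies the upper bits of the saved CS slot can be non-zero, presumably because some entry path stores only the 16-bit selector, but nothing in the hunk says so. Suggest a comment on that line, `/* only the low 16 bits of the slot hold the selector; the rest may be stale */`, hedged until the entry code is checked, and a named mask instead of the bare 0xffff literal.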
8740diff -urNp linux-3.1.1/arch/x86/include/asm/reboot.h linux-3.1.1/arch/x86/include/asm/reboot.h
8741--- linux-3.1.1/arch/x86/include/asm/reboot.h 2011-11-11 15:19:27.000000000 -0500
8742+++ linux-3.1.1/arch/x86/include/asm/reboot.h 2011-11-16 18:39:07.000000000 -0500
8743@@ -6,19 +6,19 @@
8744 struct pt_regs;
8745
8746 struct machine_ops {
8747- void (*restart)(char *cmd);
8748- void (*halt)(void);
8749- void (*power_off)(void);
8750+ void (* __noreturn restart)(char *cmd);
8751+ void (* __noreturn halt)(void);
8752+ void (* __noreturn power_off)(void);
8753 void (*shutdown)(void);
8754 void (*crash_shutdown)(struct pt_regs *);
8755- void (*emergency_restart)(void);
8756-};
8757+ void (* __noreturn emergency_restart)(void);
8758+} __no_const;
8759
8760 extern struct machine_ops machine_ops;
8761
8762 void native_machine_crash_shutdown(struct pt_regs *regs);
8763 void native_machine_shutdown(void);
8764-void machine_real_restart(unsigned int type);
8765+void machine_real_restart(unsigned int type) __noreturn;
8766 /* These must match dispatch_table in reboot_32.S */
8767 #define MRR_BIOS 0
8768 #define MRR_APM 1
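Review bot: Marking the restart, halt, power_off and emergency_restart members `__noreturn` is a contract on every implementation ever stored in machine_ops, not on this header: an implementation that can return (a stub, or a back end that falls through on failure) becomes undefined behaviour once the compiler trusts the attribute. The hunk gives no sign that the assigned functions were audited; a short comment above the struct, `/* restart/halt/power_off/emergency_restart must never return; callers are compiled on that assumption */`, would make the obligation visible to anyone adding a back end. `__no_const` is also undocumented here; if it is the marker that exempts the struct from the constification pass elsewhere in this series, saying so in a comment would help.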
8769diff -urNp linux-3.1.1/arch/x86/include/asm/rwsem.h linux-3.1.1/arch/x86/include/asm/rwsem.h
8770--- linux-3.1.1/arch/x86/include/asm/rwsem.h 2011-11-11 15:19:27.000000000 -0500
8771+++ linux-3.1.1/arch/x86/include/asm/rwsem.h 2011-11-16 18:39:07.000000000 -0500
8772@@ -64,6 +64,14 @@ static inline void __down_read(struct rw
8773 {
8774 asm volatile("# beginning down_read\n\t"
8775 LOCK_PREFIX _ASM_INC "(%1)\n\t"
8776+
8777+#ifdef CONFIG_PAX_REFCOUNT
8778+ "jno 0f\n"
8779+ LOCK_PREFIX _ASM_DEC "(%1)\n"
8780+ "int $4\n0:\n"
8781+ _ASM_EXTABLE(0b, 0b)
8782+#endif
8783+
8784 /* adds 0x00000001 */
8785 " jns 1f\n"
8786 " call call_rwsem_down_read_failed\n"
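Review bot: The `jno 0f` / undo / `int $4` / `_ASM_EXTABLE(0b, 0b)` sequence is pasted into eight asm blocks in this file (__down_read, __down_read_trylock, __down_write_nested, __up_read, __up_write, __downgrade_write, rwsem_atomic_add, rwsem_atomic_update) and four more in the arch_read_lock/arch_write_lock/arch_read_unlock/arch_write_unlock hunks of spinlock.h, with only the undo instruction varying; a single macro taking the undo instruction as its argument would keep the twelve sites in step. Nothing explains the mechanism — that `int $4` raises the overflow trap and that the extable entry, keyed on the address the trap pushes as its return address, is how the handler recognises a refcount-overflow site rather than a genuine fault — so a comment at this first site is warranted. Where the undo is a plain `mov %1,(%2)` (down_write, up_read, up_write, rwsem_atomic_update) the write-back is not a locked read-modify-write, so a concurrent update landing between the xadd and the mov is lost; if the trap is fatal to the task anyway that is tolerable, but it should be stated. Minor: the new string fragments omit the `\t` the surrounding lines use after `\n`.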
8787@@ -85,6 +93,14 @@ static inline int __down_read_trylock(st
8788 "1:\n\t"
8789 " mov %1,%2\n\t"
8790 " add %3,%2\n\t"
8791+
8792+#ifdef CONFIG_PAX_REFCOUNT
8793+ "jno 0f\n"
8794+ "sub %3,%2\n"
8795+ "int $4\n0:\n"
8796+ _ASM_EXTABLE(0b, 0b)
8797+#endif
8798+
8799 " jle 2f\n\t"
8800 LOCK_PREFIX " cmpxchg %2,%0\n\t"
8801 " jnz 1b\n\t"
8802@@ -104,6 +120,14 @@ static inline void __down_write_nested(s
8803 long tmp;
8804 asm volatile("# beginning down_write\n\t"
8805 LOCK_PREFIX " xadd %1,(%2)\n\t"
8806+
8807+#ifdef CONFIG_PAX_REFCOUNT
8808+ "jno 0f\n"
8809+ "mov %1,(%2)\n"
8810+ "int $4\n0:\n"
8811+ _ASM_EXTABLE(0b, 0b)
8812+#endif
8813+
8814 /* adds 0xffff0001, returns the old value */
8815 " test %1,%1\n\t"
8816 /* was the count 0 before? */
8817@@ -141,6 +165,14 @@ static inline void __up_read(struct rw_s
8818 long tmp;
8819 asm volatile("# beginning __up_read\n\t"
8820 LOCK_PREFIX " xadd %1,(%2)\n\t"
8821+
8822+#ifdef CONFIG_PAX_REFCOUNT
8823+ "jno 0f\n"
8824+ "mov %1,(%2)\n"
8825+ "int $4\n0:\n"
8826+ _ASM_EXTABLE(0b, 0b)
8827+#endif
8828+
8829 /* subtracts 1, returns the old value */
8830 " jns 1f\n\t"
8831 " call call_rwsem_wake\n" /* expects old value in %edx */
8832@@ -159,6 +191,14 @@ static inline void __up_write(struct rw_
8833 long tmp;
8834 asm volatile("# beginning __up_write\n\t"
8835 LOCK_PREFIX " xadd %1,(%2)\n\t"
8836+
8837+#ifdef CONFIG_PAX_REFCOUNT
8838+ "jno 0f\n"
8839+ "mov %1,(%2)\n"
8840+ "int $4\n0:\n"
8841+ _ASM_EXTABLE(0b, 0b)
8842+#endif
8843+
8844 /* subtracts 0xffff0001, returns the old value */
8845 " jns 1f\n\t"
8846 " call call_rwsem_wake\n" /* expects old value in %edx */
8847@@ -176,6 +216,14 @@ static inline void __downgrade_write(str
8848 {
8849 asm volatile("# beginning __downgrade_write\n\t"
8850 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
8851+
8852+#ifdef CONFIG_PAX_REFCOUNT
8853+ "jno 0f\n"
8854+ LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
8855+ "int $4\n0:\n"
8856+ _ASM_EXTABLE(0b, 0b)
8857+#endif
8858+
8859 /*
8860 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
8861 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
8862@@ -194,7 +242,15 @@ static inline void __downgrade_write(str
8863 */
8864 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
8865 {
8866- asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
8867+ asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
8868+
8869+#ifdef CONFIG_PAX_REFCOUNT
8870+ "jno 0f\n"
8871+ LOCK_PREFIX _ASM_SUB "%1,%0\n"
8872+ "int $4\n0:\n"
8873+ _ASM_EXTABLE(0b, 0b)
8874+#endif
8875+
8876 : "+m" (sem->count)
8877 : "er" (delta));
8878 }
8879@@ -206,7 +262,15 @@ static inline long rwsem_atomic_update(l
8880 {
8881 long tmp = delta;
8882
8883- asm volatile(LOCK_PREFIX "xadd %0,%1"
8884+ asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8885+
8886+#ifdef CONFIG_PAX_REFCOUNT
8887+ "jno 0f\n"
8888+ "mov %0,%1\n"
8889+ "int $4\n0:\n"
8890+ _ASM_EXTABLE(0b, 0b)
8891+#endif
8892+
8893 : "+r" (tmp), "+m" (sem->count)
8894 : : "memory");
8895
8896diff -urNp linux-3.1.1/arch/x86/include/asm/segment.h linux-3.1.1/arch/x86/include/asm/segment.h
8897--- linux-3.1.1/arch/x86/include/asm/segment.h 2011-11-11 15:19:27.000000000 -0500
8898+++ linux-3.1.1/arch/x86/include/asm/segment.h 2011-11-16 18:39:07.000000000 -0500
8899@@ -64,10 +64,15 @@
8900 * 26 - ESPFIX small SS
8901 * 27 - per-cpu [ offset to per-cpu data area ]
8902 * 28 - stack_canary-20 [ for stack protector ]
8903- * 29 - unused
8904- * 30 - unused
8905+ * 29 - PCI BIOS CS
8906+ * 30 - PCI BIOS DS
8907 * 31 - TSS for double fault handler
8908 */
8909+#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
8910+#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
8911+#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
8912+#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
8913+
8914 #define GDT_ENTRY_TLS_MIN 6
8915 #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
8916
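Review bot: Slots 1, 2 and 4 are now claimed (GDT_ENTRY_KERNEXEC_EFI_CS/DS here, GDT_ENTRY_KERNEXEC_KERNEL_CS in the next hunk) but only the 29/30 lines of the descriptor-layout comment are updated; the earlier lines of that table, outside the hunk, presumably still list entries 1, 2 and 4 as reserved or unused and should be brought in step. Those three are also bare literals — `(1)`, `(2)`, `(4)` — while every neighbouring entry is expressed relative to GDT_ENTRY_KERNEL_BASE or another named slot; if they must be fixed absolute indices (for example because boot or EFI code references them directly), a comment saying so would stop someone "fixing" them. The PCIBIOS entries in the third hunk of this file follow the relative convention and need no change.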
8917@@ -79,6 +84,8 @@
8918
8919 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
8920
8921+#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
8922+
8923 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
8924
8925 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
8926@@ -104,6 +111,12 @@
8927 #define __KERNEL_STACK_CANARY 0
8928 #endif
8929
8930+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
8931+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8932+
8933+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
8934+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8935+
8936 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
8937
8938 /*
8939@@ -141,7 +154,7 @@
8940 */
8941
8942 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8943-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8944+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8945
8946
8947 #else
8948@@ -165,6 +178,8 @@
8949 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS*8+3)
8950 #define __USER32_DS __USER_DS
8951
8952+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
8953+
8954 #define GDT_ENTRY_TSS 8 /* needs two entries */
8955 #define GDT_ENTRY_LDT 10 /* needs two entries */
8956 #define GDT_ENTRY_TLS_MIN 12
8957@@ -185,6 +200,7 @@
8958 #endif
8959
8960 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
8961+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
8962 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
8963 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
8964 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
8965diff -urNp linux-3.1.1/arch/x86/include/asm/smp.h linux-3.1.1/arch/x86/include/asm/smp.h
8966--- linux-3.1.1/arch/x86/include/asm/smp.h 2011-11-11 15:19:27.000000000 -0500
8967+++ linux-3.1.1/arch/x86/include/asm/smp.h 2011-11-16 18:39:07.000000000 -0500
8968@@ -36,7 +36,7 @@ DECLARE_PER_CPU(cpumask_var_t, cpu_core_
8969 /* cpus sharing the last level cache: */
8970 DECLARE_PER_CPU(cpumask_var_t, cpu_llc_shared_map);
8971 DECLARE_PER_CPU(u16, cpu_llc_id);
8972-DECLARE_PER_CPU(int, cpu_number);
8973+DECLARE_PER_CPU(unsigned int, cpu_number);
8974
8975 static inline struct cpumask *cpu_sibling_mask(int cpu)
8976 {
8977@@ -77,7 +77,7 @@ struct smp_ops {
8978
8979 void (*send_call_func_ipi)(const struct cpumask *mask);
8980 void (*send_call_func_single_ipi)(int cpu);
8981-};
8982+} __no_const;
8983
8984 /* Globals due to paravirt */
8985 extern void set_cpu_sibling_map(int cpu);
8986@@ -192,14 +192,8 @@ extern unsigned disabled_cpus __cpuinitd
8987 extern int safe_smp_processor_id(void);
8988
8989 #elif defined(CONFIG_X86_64_SMP)
8990-#define raw_smp_processor_id() (percpu_read(cpu_number))
8991-
8992-#define stack_smp_processor_id() \
8993-({ \
8994- struct thread_info *ti; \
8995- __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
8996- ti->cpu; \
8997-})
8998+#define raw_smp_processor_id() (percpu_read(cpu_number))
8999+#define stack_smp_processor_id() raw_smp_processor_id()
9000 #define safe_smp_processor_id() smp_processor_id()
9001
9002 #endif
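Review bot: stack_smp_processor_id() is now an alias for raw_smp_processor_id(), which reads the per-cpu variable; the version it replaces derived the cpu number from thread_info at the base of the current stack precisely so it would work where per-cpu addressing is not yet, or no longer, trustworthy. If the reason is that thread_info no longer lives on the stack in this series (the KSTK_TOP change in processor.h suggests it moved into task_struct), a comment should say so: `/* thread_info is no longer at the stack base, so the per-cpu value is the only source */`. Any caller chosen for its early-boot or crash-path robustness (not visible here) should be re-checked against that.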
9003diff -urNp linux-3.1.1/arch/x86/include/asm/spinlock.h linux-3.1.1/arch/x86/include/asm/spinlock.h
9004--- linux-3.1.1/arch/x86/include/asm/spinlock.h 2011-11-11 15:19:27.000000000 -0500
9005+++ linux-3.1.1/arch/x86/include/asm/spinlock.h 2011-11-16 18:39:07.000000000 -0500
9006@@ -248,6 +248,14 @@ static inline int arch_write_can_lock(ar
9007 static inline void arch_read_lock(arch_rwlock_t *rw)
9008 {
9009 asm volatile(LOCK_PREFIX READ_LOCK_SIZE(dec) " (%0)\n\t"
9010+
9011+#ifdef CONFIG_PAX_REFCOUNT
9012+ "jno 0f\n"
9013+ LOCK_PREFIX READ_LOCK_SIZE(inc) " (%0)\n"
9014+ "int $4\n0:\n"
9015+ _ASM_EXTABLE(0b, 0b)
9016+#endif
9017+
9018 "jns 1f\n"
9019 "call __read_lock_failed\n\t"
9020 "1:\n"
9021@@ -257,6 +265,14 @@ static inline void arch_read_lock(arch_r
9022 static inline void arch_write_lock(arch_rwlock_t *rw)
9023 {
9024 asm volatile(LOCK_PREFIX WRITE_LOCK_SUB(%1) "(%0)\n\t"
9025+
9026+#ifdef CONFIG_PAX_REFCOUNT
9027+ "jno 0f\n"
9028+ LOCK_PREFIX WRITE_LOCK_ADD(%1) "(%0)\n"
9029+ "int $4\n0:\n"
9030+ _ASM_EXTABLE(0b, 0b)
9031+#endif
9032+
9033 "jz 1f\n"
9034 "call __write_lock_failed\n\t"
9035 "1:\n"
9036@@ -286,13 +302,29 @@ static inline int arch_write_trylock(arc
9037
9038 static inline void arch_read_unlock(arch_rwlock_t *rw)
9039 {
9040- asm volatile(LOCK_PREFIX READ_LOCK_SIZE(inc) " %0"
9041+ asm volatile(LOCK_PREFIX READ_LOCK_SIZE(inc) " %0\n"
9042+
9043+#ifdef CONFIG_PAX_REFCOUNT
9044+ "jno 0f\n"
9045+ LOCK_PREFIX READ_LOCK_SIZE(dec) " %0\n"
9046+ "int $4\n0:\n"
9047+ _ASM_EXTABLE(0b, 0b)
9048+#endif
9049+
9050 :"+m" (rw->lock) : : "memory");
9051 }
9052
9053 static inline void arch_write_unlock(arch_rwlock_t *rw)
9054 {
9055- asm volatile(LOCK_PREFIX WRITE_LOCK_ADD(%1) "%0"
9056+ asm volatile(LOCK_PREFIX WRITE_LOCK_ADD(%1) "%0\n"
9057+
9058+#ifdef CONFIG_PAX_REFCOUNT
9059+ "jno 0f\n"
9060+ LOCK_PREFIX WRITE_LOCK_SUB(%1) "%0\n"
9061+ "int $4\n0:\n"
9062+ _ASM_EXTABLE(0b, 0b)
9063+#endif
9064+
9065 : "+m" (rw->write) : "i" (RW_LOCK_BIAS) : "memory");
9066 }
9067
9068diff -urNp linux-3.1.1/arch/x86/include/asm/stackprotector.h linux-3.1.1/arch/x86/include/asm/stackprotector.h
9069--- linux-3.1.1/arch/x86/include/asm/stackprotector.h 2011-11-11 15:19:27.000000000 -0500
9070+++ linux-3.1.1/arch/x86/include/asm/stackprotector.h 2011-11-16 18:39:07.000000000 -0500
9071@@ -48,7 +48,7 @@
9072 * head_32 for boot CPU and setup_per_cpu_areas() for others.
9073 */
9074 #define GDT_STACK_CANARY_INIT \
9075- [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
9076+ [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
9077
9078 /*
9079 * Initialize the stackprotector canary value.
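Review bot: The limit change from 0x18 to 0x17 in `GDT_STACK_CANARY_INIT` is unexplained; the descriptor limit field is inclusive, so 0x17 presumably grants exactly 24 bytes, and the change pairs with the `get_limit()` hunk later in this patch that stops adding one to the `lsl` result. A comment beside the entry saves the next reader the arithmetic: `/* limit is inclusive: 0x17 = 24 bytes, the size of the per-cpu canary structure */` — the 24-byte figure should be checked against that structure, which is not visible here.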
9080@@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9081
9082 static inline void load_stack_canary_segment(void)
9083 {
9084-#ifdef CONFIG_X86_32
9085+#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9086 asm volatile ("mov %0, %%gs" : : "r" (0));
9087 #endif
9088 }
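Review bot: Under CONFIG_PAX_MEMORY_UDEREF the new condition turns `load_stack_canary_segment()` into an empty function without saying why %gs must be left alone; the `gs:` override that this patch adds to the i386 user-access macros suggests %gs holds the user data segment there, but that is an inference. A comment inside the function, `/* UDEREF on i386 keeps the user data segment in %gs; it is set up by the entry code and must not be cleared here */`, would make the dependency explicit once confirmed against that entry code.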
9089diff -urNp linux-3.1.1/arch/x86/include/asm/stacktrace.h linux-3.1.1/arch/x86/include/asm/stacktrace.h
9090--- linux-3.1.1/arch/x86/include/asm/stacktrace.h 2011-11-11 15:19:27.000000000 -0500
9091+++ linux-3.1.1/arch/x86/include/asm/stacktrace.h 2011-11-16 18:39:07.000000000 -0500
9092@@ -11,28 +11,20 @@
9093
9094 extern int kstack_depth_to_print;
9095
9096-struct thread_info;
9097+struct task_struct;
9098 struct stacktrace_ops;
9099
9100-typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
9101- unsigned long *stack,
9102- unsigned long bp,
9103- const struct stacktrace_ops *ops,
9104- void *data,
9105- unsigned long *end,
9106- int *graph);
9107-
9108-extern unsigned long
9109-print_context_stack(struct thread_info *tinfo,
9110- unsigned long *stack, unsigned long bp,
9111- const struct stacktrace_ops *ops, void *data,
9112- unsigned long *end, int *graph);
9113-
9114-extern unsigned long
9115-print_context_stack_bp(struct thread_info *tinfo,
9116- unsigned long *stack, unsigned long bp,
9117- const struct stacktrace_ops *ops, void *data,
9118- unsigned long *end, int *graph);
9119+typedef unsigned long walk_stack_t(struct task_struct *task,
9120+ void *stack_start,
9121+ unsigned long *stack,
9122+ unsigned long bp,
9123+ const struct stacktrace_ops *ops,
9124+ void *data,
9125+ unsigned long *end,
9126+ int *graph);
9127+
9128+extern walk_stack_t print_context_stack;
9129+extern walk_stack_t print_context_stack_bp;
9130
9131 /* Generic stack tracer with callbacks */
9132
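Review bot: The two new leading parameters of `walk_stack_t`, `struct task_struct *task` and `void *stack_start`, are undocumented, and every existing `walk_stack_t` user (the `dump_trace` callbacks and the two `print_context_stack*` definitions, all outside this excerpt) must be updated in the same patch. A comment at the typedef should state what `stack_start` delimits — presumably the lowest address of the stack being walked, used to bound the walk — and that `task` replaces the former `thread_info` argument now that thread_info no longer lives on the stack. Note also that declaring `print_context_stack` through a function typedef is fine, but its definition still needs the full parameter list spelled out.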
9133@@ -40,7 +32,7 @@ struct stacktrace_ops {
9134 void (*address)(void *data, unsigned long address, int reliable);
9135 /* On negative return stop dumping */
9136 int (*stack)(void *data, char *name);
9137- walk_stack_t walk_stack;
9138+ walk_stack_t *walk_stack;
9139 };
9140
9141 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
9142diff -urNp linux-3.1.1/arch/x86/include/asm/sys_ia32.h linux-3.1.1/arch/x86/include/asm/sys_ia32.h
9143--- linux-3.1.1/arch/x86/include/asm/sys_ia32.h 2011-11-11 15:19:27.000000000 -0500
9144+++ linux-3.1.1/arch/x86/include/asm/sys_ia32.h 2011-11-16 18:39:07.000000000 -0500
9145@@ -40,7 +40,7 @@ asmlinkage long sys32_rt_sigprocmask(int
9146 compat_sigset_t __user *, unsigned int);
9147 asmlinkage long sys32_alarm(unsigned int);
9148
9149-asmlinkage long sys32_waitpid(compat_pid_t, unsigned int *, int);
9150+asmlinkage long sys32_waitpid(compat_pid_t, unsigned int __user *, int);
9151 asmlinkage long sys32_sysfs(int, u32, u32);
9152
9153 asmlinkage long sys32_sched_rr_get_interval(compat_pid_t,
9154diff -urNp linux-3.1.1/arch/x86/include/asm/system.h linux-3.1.1/arch/x86/include/asm/system.h
9155--- linux-3.1.1/arch/x86/include/asm/system.h 2011-11-11 15:19:27.000000000 -0500
9156+++ linux-3.1.1/arch/x86/include/asm/system.h 2011-11-16 18:39:07.000000000 -0500
9157@@ -129,7 +129,7 @@ do { \
9158 "call __switch_to\n\t" \
9159 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
9160 __switch_canary \
9161- "movq %P[thread_info](%%rsi),%%r8\n\t" \
9162+ "movq "__percpu_arg([thread_info])",%%r8\n\t" \
9163 "movq %%rax,%%rdi\n\t" \
9164 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
9165 "jnz ret_from_fork\n\t" \
9166@@ -140,7 +140,7 @@ do { \
9167 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
9168 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
9169 [_tif_fork] "i" (_TIF_FORK), \
9170- [thread_info] "i" (offsetof(struct task_struct, stack)), \
9171+ [thread_info] "m" (current_tinfo), \
9172 [current_task] "m" (current_task) \
9173 __switch_canary_iparam \
9174 : "memory", "cc" __EXTRA_CLOBBER)
9175@@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
9176 {
9177 unsigned long __limit;
9178 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9179- return __limit + 1;
9180+ return __limit;
9181 }
9182
9183 static inline void native_clts(void)
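Review bot: `get_limit()` now returns the raw `lsl` result, i.e. the inclusive segment limit, where it previously returned limit + 1 (the segment size), and nothing in the function records the new meaning; any caller that compared an offset against the old value is off by one unless adjusted elsewhere in this patch, which cannot be checked from here. Add `/* returns the inclusive limit as reported by lsl, not the segment size */` to the function. Independently, `lsl` leaves its destination untouched when the selector is invalid, so `__limit` is returned uninitialised in that case — pre-existing, but worth an `= 0` initialiser while the function is being touched.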
9184@@ -397,12 +397,12 @@ void enable_hlt(void);
9185
9186 void cpu_idle_wait(void);
9187
9188-extern unsigned long arch_align_stack(unsigned long sp);
9189+#define arch_align_stack(x) ((x) & ~0xfUL)
9190 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9191
9192 void default_idle(void);
9193
9194-void stop_this_cpu(void *dummy);
9195+void stop_this_cpu(void *dummy) __noreturn;
9196
9197 /*
9198 * Force strict CPU ordering.
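Review bot: Replacing the out-of-line `arch_align_stack()` with a bare `& ~0xfUL` mask drops whatever else that function did; the mainline version subtracts a random offset from the stack top when stack randomisation is enabled, and if the removed declaration referred to that implementation, this hunk silently removes the randomisation for configurations that do not enable PaX's own stack randomisation. If that coverage is intended, record it: `/* alignment only: stack randomisation is applied by PaX at exec time, not here */`. The body of the replaced function is outside this excerpt, so the behavioural delta is inferred.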
9199diff -urNp linux-3.1.1/arch/x86/include/asm/thread_info.h linux-3.1.1/arch/x86/include/asm/thread_info.h
9200--- linux-3.1.1/arch/x86/include/asm/thread_info.h 2011-11-11 15:19:27.000000000 -0500
9201+++ linux-3.1.1/arch/x86/include/asm/thread_info.h 2011-11-16 18:39:07.000000000 -0500
9202@@ -10,6 +10,7 @@
9203 #include <linux/compiler.h>
9204 #include <asm/page.h>
9205 #include <asm/types.h>
9206+#include <asm/percpu.h>
9207
9208 /*
9209 * low level task data that entry.S needs immediate access to
9210@@ -24,7 +25,6 @@ struct exec_domain;
9211 #include <linux/atomic.h>
9212
9213 struct thread_info {
9214- struct task_struct *task; /* main task structure */
9215 struct exec_domain *exec_domain; /* execution domain */
9216 __u32 flags; /* low level flags */
9217 __u32 status; /* thread synchronous flags */
9218@@ -34,18 +34,12 @@ struct thread_info {
9219 mm_segment_t addr_limit;
9220 struct restart_block restart_block;
9221 void __user *sysenter_return;
9222-#ifdef CONFIG_X86_32
9223- unsigned long previous_esp; /* ESP of the previous stack in
9224- case of nested (IRQ) stacks
9225- */
9226- __u8 supervisor_stack[0];
9227-#endif
9228+ unsigned long lowest_stack;
9229 int uaccess_err;
9230 };
9231
9232-#define INIT_THREAD_INFO(tsk) \
9233+#define INIT_THREAD_INFO \
9234 { \
9235- .task = &tsk, \
9236 .exec_domain = &default_exec_domain, \
9237 .flags = 0, \
9238 .cpu = 0, \
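Review bot: The new `unsigned long lowest_stack;` member is the only field of `struct thread_info` without a trailing description, while the `previous_esp` it replaces had one; given the `pax_track_stack()` calls this patch adds to the user-copy helpers, it presumably records the lowest stack address observed for stack-depth tracking, so `/* lowest stack address seen so far, maintained by pax_track_stack() */` is the likely comment, to be confirmed against the writer. The `INIT_THREAD_INFO` macro also loses its `tsk` argument, so its user in the init-task setup (outside this excerpt) must change in step.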
9239@@ -56,7 +50,7 @@ struct thread_info {
9240 }, \
9241 }
9242
9243-#define init_thread_info (init_thread_union.thread_info)
9244+#define init_thread_info (init_thread_union.stack)
9245 #define init_stack (init_thread_union.stack)
9246
9247 #else /* !__ASSEMBLY__ */
9248@@ -170,6 +164,23 @@ struct thread_info {
9249 ret; \
9250 })
9251
9252+#ifdef __ASSEMBLY__
9253+/* how to get the thread information struct from ASM */
9254+#define GET_THREAD_INFO(reg) \
9255+ mov PER_CPU_VAR(current_tinfo), reg
9256+
9257+/* use this one if reg already contains %esp */
9258+#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
9259+#else
9260+/* how to get the thread information struct from C */
9261+DECLARE_PER_CPU(struct thread_info *, current_tinfo);
9262+
9263+static __always_inline struct thread_info *current_thread_info(void)
9264+{
9265+ return percpu_read_stable(current_tinfo);
9266+}
9267+#endif
9268+
9269 #ifdef CONFIG_X86_32
9270
9271 #define STACK_WARN (THREAD_SIZE/8)
9272@@ -180,35 +191,13 @@ struct thread_info {
9273 */
9274 #ifndef __ASSEMBLY__
9275
9276-
9277 /* how to get the current stack pointer from C */
9278 register unsigned long current_stack_pointer asm("esp") __used;
9279
9280-/* how to get the thread information struct from C */
9281-static inline struct thread_info *current_thread_info(void)
9282-{
9283- return (struct thread_info *)
9284- (current_stack_pointer & ~(THREAD_SIZE - 1));
9285-}
9286-
9287-#else /* !__ASSEMBLY__ */
9288-
9289-/* how to get the thread information struct from ASM */
9290-#define GET_THREAD_INFO(reg) \
9291- movl $-THREAD_SIZE, reg; \
9292- andl %esp, reg
9293-
9294-/* use this one if reg already contains %esp */
9295-#define GET_THREAD_INFO_WITH_ESP(reg) \
9296- andl $-THREAD_SIZE, reg
9297-
9298 #endif
9299
9300 #else /* X86_32 */
9301
9302-#include <asm/percpu.h>
9303-#define KERNEL_STACK_OFFSET (5*8)
9304-
9305 /*
9306 * macros/functions for gaining access to the thread information structure
9307 * preempt_count needs to be 1 initially, until the scheduler is functional.
9308@@ -216,21 +205,8 @@ static inline struct thread_info *curren
9309 #ifndef __ASSEMBLY__
9310 DECLARE_PER_CPU(unsigned long, kernel_stack);
9311
9312-static inline struct thread_info *current_thread_info(void)
9313-{
9314- struct thread_info *ti;
9315- ti = (void *)(percpu_read_stable(kernel_stack) +
9316- KERNEL_STACK_OFFSET - THREAD_SIZE);
9317- return ti;
9318-}
9319-
9320-#else /* !__ASSEMBLY__ */
9321-
9322-/* how to get the thread information struct from ASM */
9323-#define GET_THREAD_INFO(reg) \
9324- movq PER_CPU_VAR(kernel_stack),reg ; \
9325- subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
9326-
9327+/* how to get the current stack pointer from C */
9328+register unsigned long current_stack_pointer asm("rsp") __used;
9329 #endif
9330
9331 #endif /* !X86_32 */
9332@@ -266,5 +242,16 @@ extern void arch_task_cache_init(void);
9333 extern void free_thread_info(struct thread_info *ti);
9334 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
9335 #define arch_task_cache_init arch_task_cache_init
9336+
9337+#define __HAVE_THREAD_FUNCTIONS
9338+#define task_thread_info(task) (&(task)->tinfo)
9339+#define task_stack_page(task) ((task)->stack)
9340+#define setup_thread_stack(p, org) do {} while (0)
9341+#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
9342+
9343+#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
9344+extern struct task_struct *alloc_task_struct_node(int node);
9345+extern void free_task_struct(struct task_struct *);
9346+
9347 #endif
9348 #endif /* _ASM_X86_THREAD_INFO_H */
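Review bot: `end_of_stack(p)` is defined as one word past the start of the stack page rather than at it, and nothing explains what the first word is reserved for; with `task_thread_info(task)` now `&(task)->tinfo`, thread_info no longer occupies the bottom of the stack, so the usual reason for an offset is gone. A comment on that line should name the occupant of the first word or the reason for skipping it. It would also help to say that `setup_thread_stack` is a no-op precisely because thread_info is no longer copied onto the child's stack.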
9349diff -urNp linux-3.1.1/arch/x86/include/asm/uaccess_32.h linux-3.1.1/arch/x86/include/asm/uaccess_32.h
9350--- linux-3.1.1/arch/x86/include/asm/uaccess_32.h 2011-11-11 15:19:27.000000000 -0500
9351+++ linux-3.1.1/arch/x86/include/asm/uaccess_32.h 2011-11-16 18:40:08.000000000 -0500
9352@@ -43,6 +43,11 @@ unsigned long __must_check __copy_from_u
9353 static __always_inline unsigned long __must_check
9354 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9355 {
9356+ pax_track_stack();
9357+
9358+ if ((long)n < 0)
9359+ return n;
9360+
9361 if (__builtin_constant_p(n)) {
9362 unsigned long ret;
9363
9364@@ -61,6 +66,8 @@ __copy_to_user_inatomic(void __user *to,
9365 return ret;
9366 }
9367 }
9368+ if (!__builtin_constant_p(n))
9369+ check_object_size(from, n, true);
9370 return __copy_to_user_ll(to, from, n);
9371 }
9372
9373@@ -82,12 +89,16 @@ static __always_inline unsigned long __m
9374 __copy_to_user(void __user *to, const void *from, unsigned long n)
9375 {
9376 might_fault();
9377+
9378 return __copy_to_user_inatomic(to, from, n);
9379 }
9380
9381 static __always_inline unsigned long
9382 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9383 {
9384+ if ((long)n < 0)
9385+ return n;
9386+
9387 /* Avoid zeroing the tail if the copy fails..
9388 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9389 * but as the zeroing behaviour is only significant when n is not
9390@@ -137,6 +148,12 @@ static __always_inline unsigned long
9391 __copy_from_user(void *to, const void __user *from, unsigned long n)
9392 {
9393 might_fault();
9394+
9395+ pax_track_stack();
9396+
9397+ if ((long)n < 0)
9398+ return n;
9399+
9400 if (__builtin_constant_p(n)) {
9401 unsigned long ret;
9402
9403@@ -152,6 +169,8 @@ __copy_from_user(void *to, const void __
9404 return ret;
9405 }
9406 }
9407+ if (!__builtin_constant_p(n))
9408+ check_object_size(to, n, false);
9409 return __copy_from_user_ll(to, from, n);
9410 }
9411
9412@@ -159,6 +178,10 @@ static __always_inline unsigned long __c
9413 const void __user *from, unsigned long n)
9414 {
9415 might_fault();
9416+
9417+ if ((long)n < 0)
9418+ return n;
9419+
9420 if (__builtin_constant_p(n)) {
9421 unsigned long ret;
9422
9423@@ -181,15 +204,19 @@ static __always_inline unsigned long
9424 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9425 unsigned long n)
9426 {
9427- return __copy_from_user_ll_nocache_nozero(to, from, n);
9428-}
9429+ if ((long)n < 0)
9430+ return n;
9431
9432-unsigned long __must_check copy_to_user(void __user *to,
9433- const void *from, unsigned long n);
9434-unsigned long __must_check _copy_from_user(void *to,
9435- const void __user *from,
9436- unsigned long n);
9437+ return __copy_from_user_ll_nocache_nozero(to, from, n);
9438+}
9439
9440+extern void copy_to_user_overflow(void)
9441+#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9442+ __compiletime_error("copy_to_user() buffer size is not provably correct")
9443+#else
9444+ __compiletime_warning("copy_to_user() buffer size is not provably correct")
9445+#endif
9446+;
9447
9448 extern void copy_from_user_overflow(void)
9449 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9450@@ -199,17 +226,61 @@ extern void copy_from_user_overflow(void
9451 #endif
9452 ;
9453
9454-static inline unsigned long __must_check copy_from_user(void *to,
9455- const void __user *from,
9456- unsigned long n)
9457+/**
9458+ * copy_to_user: - Copy a block of data into user space.
9459+ * @to: Destination address, in user space.
9460+ * @from: Source address, in kernel space.
9461+ * @n: Number of bytes to copy.
9462+ *
9463+ * Context: User context only. This function may sleep.
9464+ *
9465+ * Copy data from kernel space to user space.
9466+ *
9467+ * Returns number of bytes that could not be copied.
9468+ * On success, this will be zero.
9469+ */
9470+static inline unsigned long __must_check
9471+copy_to_user(void __user *to, const void *from, unsigned long n)
9472+{
9473+ int sz = __compiletime_object_size(from);
9474+
9475+ if (unlikely(sz != -1 && sz < n))
9476+ copy_to_user_overflow();
9477+ else if (access_ok(VERIFY_WRITE, to, n))
9478+ n = __copy_to_user(to, from, n);
9479+ return n;
9480+}
9481+
9482+/**
9483+ * copy_from_user: - Copy a block of data from user space.
9484+ * @to: Destination address, in kernel space.
9485+ * @from: Source address, in user space.
9486+ * @n: Number of bytes to copy.
9487+ *
9488+ * Context: User context only. This function may sleep.
9489+ *
9490+ * Copy data from user space to kernel space.
9491+ *
9492+ * Returns number of bytes that could not be copied.
9493+ * On success, this will be zero.
9494+ *
9495+ * If some data could not be copied, this function will pad the copied
9496+ * data to the requested size using zero bytes.
9497+ */
9498+static inline unsigned long __must_check
9499+copy_from_user(void *to, const void __user *from, unsigned long n)
9500 {
9501 int sz = __compiletime_object_size(to);
9502
9503- if (likely(sz == -1 || sz >= n))
9504- n = _copy_from_user(to, from, n);
9505- else
9506+ if (unlikely(sz != -1 && sz < n))
9507 copy_from_user_overflow();
9508-
9509+ else if (access_ok(VERIFY_READ, from, n))
9510+ n = __copy_from_user(to, from, n);
9511+ else if ((long)n > 0) {
9512+ if (!__builtin_constant_p(n))
9513+ check_object_size(to, n, false);
9514+ memset(to, 0, n);
9515+ }
9516 return n;
9517 }
9518
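Review bot: The new kernel-doc on `copy_from_user` promises zero padding when data could not be copied, but the `sz != -1 && sz < n` branch returns `n` with `to` untouched, and the `(long)n > 0` guard likewise skips the `memset` for an out-of-range `n`; a caller that relies on the padding after a non-zero return would read uninitialised kernel memory. Either zero the first `sz` bytes in the overflow branch or state the exception in the comment: ` * The destination is not zeroed when the compile-time size check fails or @n is out of range; only the return value reports it.` Note too that `copy_to_user_overflow()` is only declared here, and for a non-constant @n the call survives into the object file, so an out-of-line definition must exist elsewhere in the patch.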
9519diff -urNp linux-3.1.1/arch/x86/include/asm/uaccess_64.h linux-3.1.1/arch/x86/include/asm/uaccess_64.h
9520--- linux-3.1.1/arch/x86/include/asm/uaccess_64.h 2011-11-11 15:19:27.000000000 -0500
9521+++ linux-3.1.1/arch/x86/include/asm/uaccess_64.h 2011-11-16 18:40:08.000000000 -0500
9522@@ -10,6 +10,9 @@
9523 #include <asm/alternative.h>
9524 #include <asm/cpufeature.h>
9525 #include <asm/page.h>
9526+#include <asm/pgtable.h>
9527+
9528+#define set_fs(x) (current_thread_info()->addr_limit = (x))
9529
9530 /*
9531 * Copy To/From Userspace
9532@@ -36,26 +39,26 @@ copy_user_generic(void *to, const void *
9533 return ret;
9534 }
9535
9536-__must_check unsigned long
9537-_copy_to_user(void __user *to, const void *from, unsigned len);
9538-__must_check unsigned long
9539-_copy_from_user(void *to, const void __user *from, unsigned len);
9540+static __always_inline __must_check unsigned long
9541+__copy_to_user(void __user *to, const void *from, unsigned len);
9542+static __always_inline __must_check unsigned long
9543+__copy_from_user(void *to, const void __user *from, unsigned len);
9544 __must_check unsigned long
9545 copy_in_user(void __user *to, const void __user *from, unsigned len);
9546
9547 static inline unsigned long __must_check copy_from_user(void *to,
9548 const void __user *from,
9549- unsigned long n)
9550+ unsigned n)
9551 {
9552- int sz = __compiletime_object_size(to);
9553-
9554 might_fault();
9555- if (likely(sz == -1 || sz >= n))
9556- n = _copy_from_user(to, from, n);
9557-#ifdef CONFIG_DEBUG_VM
9558- else
9559- WARN(1, "Buffer overflow detected!\n");
9560-#endif
9561+
9562+ if (access_ok(VERIFY_READ, from, n))
9563+ n = __copy_from_user(to, from, n);
9564+ else if ((int)n > 0) {
9565+ if (!__builtin_constant_p(n))
9566+ check_object_size(to, n, false);
9567+ memset(to, 0, n);
9568+ }
9569 return n;
9570 }
9571
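Review bot: `copy_from_user()`'s `n` is narrowed from `unsigned long` to `unsigned`, so a `size_t` above 4 GiB is truncated before `access_ok()` and the copy, and the truncated remainder is what the caller gets back — a short copy reported as success. The `_copy_from_user` it replaces already took `unsigned len` (see the removed prototype), so the truncation predates this patch, but promoting it to the public signature deserves a guard: keep `unsigned long n` and add `if (unlikely(n > INT_MAX)) return n;` ahead of the `access_ok()` check.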
9572@@ -64,110 +67,198 @@ int copy_to_user(void __user *dst, const
9573 {
9574 might_fault();
9575
9576- return _copy_to_user(dst, src, size);
9577+ if (access_ok(VERIFY_WRITE, dst, size))
9578+ size = __copy_to_user(dst, src, size);
9579+ return size;
9580 }
9581
9582 static __always_inline __must_check
9583-int __copy_from_user(void *dst, const void __user *src, unsigned size)
9584+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9585 {
9586- int ret = 0;
9587+ int sz = __compiletime_object_size(dst);
9588+ unsigned ret = 0;
9589
9590 might_fault();
9591- if (!__builtin_constant_p(size))
9592- return copy_user_generic(dst, (__force void *)src, size);
9593+
9594+ pax_track_stack();
9595+
9596+ if ((int)size < 0)
9597+ return size;
9598+
9599+#ifdef CONFIG_PAX_MEMORY_UDEREF
9600+ if (!__access_ok(VERIFY_READ, src, size))
9601+ return size;
9602+#endif
9603+
9604+ if (unlikely(sz != -1 && sz < size)) {
9605+#ifdef CONFIG_DEBUG_VM
9606+ WARN(1, "Buffer overflow detected!\n");
9607+#endif
9608+ return size;
9609+ }
9610+
9611+ if (!__builtin_constant_p(size)) {
9612+ check_object_size(dst, size, false);
9613+
9614+#ifdef CONFIG_PAX_MEMORY_UDEREF
9615+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9616+ src += PAX_USER_SHADOW_BASE;
9617+#endif
9618+
9619+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
9620+ }
9621 switch (size) {
9622- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9623+ case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
9624 ret, "b", "b", "=q", 1);
9625 return ret;
9626- case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
9627+ case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
9628 ret, "w", "w", "=r", 2);
9629 return ret;
9630- case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
9631+ case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
9632 ret, "l", "k", "=r", 4);
9633 return ret;
9634- case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
9635+ case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9636 ret, "q", "", "=r", 8);
9637 return ret;
9638 case 10:
9639- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9640+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9641 ret, "q", "", "=r", 10);
9642 if (unlikely(ret))
9643 return ret;
9644 __get_user_asm(*(u16 *)(8 + (char *)dst),
9645- (u16 __user *)(8 + (char __user *)src),
9646+ (const u16 __user *)(8 + (const char __user *)src),
9647 ret, "w", "w", "=r", 2);
9648 return ret;
9649 case 16:
9650- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9651+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9652 ret, "q", "", "=r", 16);
9653 if (unlikely(ret))
9654 return ret;
9655 __get_user_asm(*(u64 *)(8 + (char *)dst),
9656- (u64 __user *)(8 + (char __user *)src),
9657+ (const u64 __user *)(8 + (const char __user *)src),
9658 ret, "q", "", "=r", 8);
9659 return ret;
9660 default:
9661- return copy_user_generic(dst, (__force void *)src, size);
9662+
9663+#ifdef CONFIG_PAX_MEMORY_UDEREF
9664+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9665+ src += PAX_USER_SHADOW_BASE;
9666+#endif
9667+
9668+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
9669 }
9670 }
9671
9672 static __always_inline __must_check
9673-int __copy_to_user(void __user *dst, const void *src, unsigned size)
9674+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9675 {
9676- int ret = 0;
9677+ int sz = __compiletime_object_size(src);
9678+ unsigned ret = 0;
9679
9680 might_fault();
9681- if (!__builtin_constant_p(size))
9682- return copy_user_generic((__force void *)dst, src, size);
9683+
9684+ pax_track_stack();
9685+
9686+ if ((int)size < 0)
9687+ return size;
9688+
9689+#ifdef CONFIG_PAX_MEMORY_UDEREF
9690+ if (!__access_ok(VERIFY_WRITE, dst, size))
9691+ return size;
9692+#endif
9693+
9694+ if (unlikely(sz != -1 && sz < size)) {
9695+#ifdef CONFIG_DEBUG_VM
9696+ WARN(1, "Buffer overflow detected!\n");
9697+#endif
9698+ return size;
9699+ }
9700+
9701+ if (!__builtin_constant_p(size)) {
9702+ check_object_size(src, size, true);
9703+
9704+#ifdef CONFIG_PAX_MEMORY_UDEREF
9705+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9706+ dst += PAX_USER_SHADOW_BASE;
9707+#endif
9708+
9709+ return copy_user_generic((__force_kernel void *)dst, src, size);
9710+ }
9711 switch (size) {
9712- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9713+ case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
9714 ret, "b", "b", "iq", 1);
9715 return ret;
9716- case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
9717+ case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
9718 ret, "w", "w", "ir", 2);
9719 return ret;
9720- case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
9721+ case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
9722 ret, "l", "k", "ir", 4);
9723 return ret;
9724- case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
9725+ case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9726 ret, "q", "", "er", 8);
9727 return ret;
9728 case 10:
9729- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9730+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9731 ret, "q", "", "er", 10);
9732 if (unlikely(ret))
9733 return ret;
9734 asm("":::"memory");
9735- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
9736+ __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
9737 ret, "w", "w", "ir", 2);
9738 return ret;
9739 case 16:
9740- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9741+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9742 ret, "q", "", "er", 16);
9743 if (unlikely(ret))
9744 return ret;
9745 asm("":::"memory");
9746- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
9747+ __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
9748 ret, "q", "", "er", 8);
9749 return ret;
9750 default:
9751- return copy_user_generic((__force void *)dst, src, size);
9752+
9753+#ifdef CONFIG_PAX_MEMORY_UDEREF
9754+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9755+ dst += PAX_USER_SHADOW_BASE;
9756+#endif
9757+
9758+ return copy_user_generic((__force_kernel void *)dst, src, size);
9759 }
9760 }
9761
9762 static __always_inline __must_check
9763-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9764+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9765 {
9766- int ret = 0;
9767+ unsigned ret = 0;
9768
9769 might_fault();
9770- if (!__builtin_constant_p(size))
9771- return copy_user_generic((__force void *)dst,
9772- (__force void *)src, size);
9773+
9774+ if ((int)size < 0)
9775+ return size;
9776+
9777+#ifdef CONFIG_PAX_MEMORY_UDEREF
9778+ if (!__access_ok(VERIFY_READ, src, size))
9779+ return size;
9780+ if (!__access_ok(VERIFY_WRITE, dst, size))
9781+ return size;
9782+#endif
9783+
9784+ if (!__builtin_constant_p(size)) {
9785+
9786+#ifdef CONFIG_PAX_MEMORY_UDEREF
9787+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9788+ src += PAX_USER_SHADOW_BASE;
9789+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9790+ dst += PAX_USER_SHADOW_BASE;
9791+#endif
9792+
9793+ return copy_user_generic((__force_kernel void *)dst,
9794+ (__force_kernel const void *)src, size);
9795+ }
9796 switch (size) {
9797 case 1: {
9798 u8 tmp;
9799- __get_user_asm(tmp, (u8 __user *)src,
9800+ __get_user_asm(tmp, (const u8 __user *)src,
9801 ret, "b", "b", "=q", 1);
9802 if (likely(!ret))
9803 __put_user_asm(tmp, (u8 __user *)dst,
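Review bot: Under CONFIG_PAX_MEMORY_UDEREF the non-constant and `default:` paths of `__copy_from_user`, `__copy_to_user` and `__copy_in_user` rebase the user pointer by `PAX_USER_SHADOW_BASE` before calling `copy_user_generic`, but the fixed-size `case 1/2/4/8/10/16` arms pass the unadjusted pointer to `__get_user_asm`/`__put_user_asm`, which in this patch only gain the `__copyuser_seg` prefix that is empty outside i386. If those macros do not rebase on x86-64 the constant-size copies would hit the wrong mapping; if they do, a comment at the head of each `switch` should say so, e.g. `/* constant-size cases: __get_user_asm handles the UDEREF shadow mapping itself */`. Also, `__copy_in_user` checks neither `__compiletime_object_size` nor `check_object_size`, which is correct since both pointers are user pointers, but worth one line. The `__copy_in_user` switch continues past the end of this hunk.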
9804@@ -176,7 +267,7 @@ int __copy_in_user(void __user *dst, con
9805 }
9806 case 2: {
9807 u16 tmp;
9808- __get_user_asm(tmp, (u16 __user *)src,
9809+ __get_user_asm(tmp, (const u16 __user *)src,
9810 ret, "w", "w", "=r", 2);
9811 if (likely(!ret))
9812 __put_user_asm(tmp, (u16 __user *)dst,
9813@@ -186,7 +277,7 @@ int __copy_in_user(void __user *dst, con
9814
9815 case 4: {
9816 u32 tmp;
9817- __get_user_asm(tmp, (u32 __user *)src,
9818+ __get_user_asm(tmp, (const u32 __user *)src,
9819 ret, "l", "k", "=r", 4);
9820 if (likely(!ret))
9821 __put_user_asm(tmp, (u32 __user *)dst,
9822@@ -195,7 +286,7 @@ int __copy_in_user(void __user *dst, con
9823 }
9824 case 8: {
9825 u64 tmp;
9826- __get_user_asm(tmp, (u64 __user *)src,
9827+ __get_user_asm(tmp, (const u64 __user *)src,
9828 ret, "q", "", "=r", 8);
9829 if (likely(!ret))
9830 __put_user_asm(tmp, (u64 __user *)dst,
9831@@ -203,8 +294,16 @@ int __copy_in_user(void __user *dst, con
9832 return ret;
9833 }
9834 default:
9835- return copy_user_generic((__force void *)dst,
9836- (__force void *)src, size);
9837+
9838+#ifdef CONFIG_PAX_MEMORY_UDEREF
9839+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9840+ src += PAX_USER_SHADOW_BASE;
9841+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9842+ dst += PAX_USER_SHADOW_BASE;
9843+#endif
9844+
9845+ return copy_user_generic((__force_kernel void *)dst,
9846+ (__force_kernel const void *)src, size);
9847 }
9848 }
9849
9850@@ -221,33 +320,72 @@ __must_check unsigned long __clear_user(
9851 static __must_check __always_inline int
9852 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9853 {
9854- return copy_user_generic(dst, (__force const void *)src, size);
9855+ pax_track_stack();
9856+
9857+ if ((int)size < 0)
9858+ return size;
9859+
9860+#ifdef CONFIG_PAX_MEMORY_UDEREF
9861+ if (!__access_ok(VERIFY_READ, src, size))
9862+ return size;
9863+
9864+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9865+ src += PAX_USER_SHADOW_BASE;
9866+#endif
9867+
9868+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
9869 }
9870
9871-static __must_check __always_inline int
9872+static __must_check __always_inline unsigned long
9873 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9874 {
9875- return copy_user_generic((__force void *)dst, src, size);
9876+ if ((int)size < 0)
9877+ return size;
9878+
9879+#ifdef CONFIG_PAX_MEMORY_UDEREF
9880+ if (!__access_ok(VERIFY_WRITE, dst, size))
9881+ return size;
9882+
9883+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9884+ dst += PAX_USER_SHADOW_BASE;
9885+#endif
9886+
9887+ return copy_user_generic((__force_kernel void *)dst, src, size);
9888 }
9889
9890-extern long __copy_user_nocache(void *dst, const void __user *src,
9891+extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9892 unsigned size, int zerorest);
9893
9894-static inline int
9895-__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9896+static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9897 {
9898 might_sleep();
9899+
9900+ if ((int)size < 0)
9901+ return size;
9902+
9903+#ifdef CONFIG_PAX_MEMORY_UDEREF
9904+ if (!__access_ok(VERIFY_READ, src, size))
9905+ return size;
9906+#endif
9907+
9908 return __copy_user_nocache(dst, src, size, 1);
9909 }
9910
9911-static inline int
9912-__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9913+static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9914 unsigned size)
9915 {
9916+ if ((int)size < 0)
9917+ return size;
9918+
9919+#ifdef CONFIG_PAX_MEMORY_UDEREF
9920+ if (!__access_ok(VERIFY_READ, src, size))
9921+ return size;
9922+#endif
9923+
9924 return __copy_user_nocache(dst, src, size, 0);
9925 }
9926
9927-unsigned long
9928-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9929+extern unsigned long
9930+copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest);
9931
9932 #endif /* _ASM_X86_UACCESS_64_H */
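Review bot: `__copy_from_user_inatomic` keeps its `int` return type while `__copy_to_user_inatomic` in the same hunk is widened to `unsigned long`, so its new `if ((int)size < 0) return size;` hands back a negative `int` where every other helper in this file returns the uncopied byte count as an unsigned quantity. Change the declaration to `static __must_check __always_inline unsigned long` to match. Separately, `copy_user_handle_tail()` now annotates both `to` and `from` as `__user`, yet it serves both copy directions, so one of the two is a kernel pointer on every call; sparse will flag the call sites (outside this excerpt) unless they cast with `__force`.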
9933diff -urNp linux-3.1.1/arch/x86/include/asm/uaccess.h linux-3.1.1/arch/x86/include/asm/uaccess.h
9934--- linux-3.1.1/arch/x86/include/asm/uaccess.h 2011-11-11 15:19:27.000000000 -0500
9935+++ linux-3.1.1/arch/x86/include/asm/uaccess.h 2011-11-16 18:39:07.000000000 -0500
9936@@ -7,12 +7,15 @@
9937 #include <linux/compiler.h>
9938 #include <linux/thread_info.h>
9939 #include <linux/string.h>
9940+#include <linux/sched.h>
9941 #include <asm/asm.h>
9942 #include <asm/page.h>
9943
9944 #define VERIFY_READ 0
9945 #define VERIFY_WRITE 1
9946
9947+extern void check_object_size(const void *ptr, unsigned long n, bool to);
9948+
9949 /*
9950 * The fs value determines whether argument validity checking should be
9951 * performed or not. If get_fs() == USER_DS, checking is performed, with
9952@@ -28,7 +31,12 @@
9953
9954 #define get_ds() (KERNEL_DS)
9955 #define get_fs() (current_thread_info()->addr_limit)
9956+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9957+void __set_fs(mm_segment_t x);
9958+void set_fs(mm_segment_t x);
9959+#else
9960 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9961+#endif
9962
9963 #define segment_eq(a, b) ((a).seg == (b).seg)
9964
9965@@ -76,7 +84,33 @@
9966 * checks that the pointer is in the user space range - after calling
9967 * this function, memory access functions may still return -EFAULT.
9968 */
9969-#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9970+#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9971+#define access_ok(type, addr, size) \
9972+({ \
9973+ long __size = size; \
9974+ unsigned long __addr = (unsigned long)addr; \
9975+ unsigned long __addr_ao = __addr & PAGE_MASK; \
9976+ unsigned long __end_ao = __addr + __size - 1; \
9977+ bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9978+ if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9979+ while(__addr_ao <= __end_ao) { \
9980+ char __c_ao; \
9981+ __addr_ao += PAGE_SIZE; \
9982+ if (__size > PAGE_SIZE) \
9983+ cond_resched(); \
9984+ if (__get_user(__c_ao, (char __user *)__addr)) \
9985+ break; \
9986+ if (type != VERIFY_WRITE) { \
9987+ __addr = __addr_ao; \
9988+ continue; \
9989+ } \
9990+ if (__put_user(__c_ao, (char __user *)__addr)) \
9991+ break; \
9992+ __addr = __addr_ao; \
9993+ } \
9994+ } \
9995+ __ret_ao; \
9996+})
9997
9998 /*
9999 * The exception table consists of pairs of addresses: the first is the
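Review bot: The rewritten `access_ok()` is no longer side-effect-free: for a range crossing a page boundary it reads one byte from each page and, for VERIFY_WRITE, writes that byte back, and it calls `cond_resched()` when the size exceeds a page, so callers that use it in atomic context ahead of an `_inatomic` copy can now schedule, and the read-then-write of the same byte can silently undo a concurrent user-space store that lands between the `__get_user` and the `__put_user`. If the purpose is to pre-fault the range (presumably for UDEREF), document the new contract above the macro — `/* touches every page of the range to pre-fault it; may fault, sleep and cond_resched(), so not usable in atomic context */` — and consider a locked read-modify-write that stores the same value instead of a plain store to close the lost-update window. The `__access_ok` alias keeps the old check-only behaviour and should be named as the variant for atomic callers.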
10000@@ -182,12 +216,20 @@ extern int __get_user_bad(void);
10001 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
10002 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
10003
10004-
10005+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10006+#define __copyuser_seg "gs;"
10007+#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
10008+#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
10009+#else
10010+#define __copyuser_seg
10011+#define __COPYUSER_SET_ES
10012+#define __COPYUSER_RESTORE_ES
10013+#endif
10014
10015 #ifdef CONFIG_X86_32
10016 #define __put_user_asm_u64(x, addr, err, errret) \
10017- asm volatile("1: movl %%eax,0(%2)\n" \
10018- "2: movl %%edx,4(%2)\n" \
10019+ asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
10020+ "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
10021 "3:\n" \
10022 ".section .fixup,\"ax\"\n" \
10023 "4: movl %3,%0\n" \
10024@@ -199,8 +241,8 @@ extern int __get_user_bad(void);
10025 : "A" (x), "r" (addr), "i" (errret), "0" (err))
10026
10027 #define __put_user_asm_ex_u64(x, addr) \
10028- asm volatile("1: movl %%eax,0(%1)\n" \
10029- "2: movl %%edx,4(%1)\n" \
10030+ asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
10031+ "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
10032 "3:\n" \
10033 _ASM_EXTABLE(1b, 2b - 1b) \
10034 _ASM_EXTABLE(2b, 3b - 2b) \
10035@@ -252,7 +294,7 @@ extern void __put_user_8(void);
10036 __typeof__(*(ptr)) __pu_val; \
10037 __chk_user_ptr(ptr); \
10038 might_fault(); \
10039- __pu_val = x; \
10040+ __pu_val = (x); \
10041 switch (sizeof(*(ptr))) { \
10042 case 1: \
10043 __put_user_x(1, __pu_val, ptr, __ret_pu); \
10044@@ -373,7 +415,7 @@ do { \
10045 } while (0)
10046
10047 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10048- asm volatile("1: mov"itype" %2,%"rtype"1\n" \
10049+ asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
10050 "2:\n" \
10051 ".section .fixup,\"ax\"\n" \
10052 "3: mov %3,%0\n" \
10053@@ -381,7 +423,7 @@ do { \
10054 " jmp 2b\n" \
10055 ".previous\n" \
10056 _ASM_EXTABLE(1b, 3b) \
10057- : "=r" (err), ltype(x) \
10058+ : "=r" (err), ltype (x) \
10059 : "m" (__m(addr)), "i" (errret), "0" (err))
10060
10061 #define __get_user_size_ex(x, ptr, size) \
10062@@ -406,7 +448,7 @@ do { \
10063 } while (0)
10064
10065 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
10066- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
10067+ asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
10068 "2:\n" \
10069 _ASM_EXTABLE(1b, 2b - 1b) \
10070 : ltype(x) : "m" (__m(addr)))
10071@@ -423,13 +465,24 @@ do { \
10072 int __gu_err; \
10073 unsigned long __gu_val; \
10074 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
10075- (x) = (__force __typeof__(*(ptr)))__gu_val; \
10076+ (x) = (__typeof__(*(ptr)))__gu_val; \
10077 __gu_err; \
10078 })
10079
10080 /* FIXME: this hack is definitely wrong -AK */
10081 struct __large_struct { unsigned long buf[100]; };
10082-#define __m(x) (*(struct __large_struct __user *)(x))
10083+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10084+#define ____m(x) \
10085+({ \
10086+ unsigned long ____x = (unsigned long)(x); \
10087+ if (____x < PAX_USER_SHADOW_BASE) \
10088+ ____x += PAX_USER_SHADOW_BASE; \
10089+ (void __user *)____x; \
10090+})
10091+#else
10092+#define ____m(x) (x)
10093+#endif
10094+#define __m(x) (*(struct __large_struct __user *)____m(x))
10095
10096 /*
10097 * Tell gcc we read from memory instead of writing: this is because
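Review bot: `____m()` silently relocates any address below `PAX_USER_SHADOW_BASE` by that offset with no comment on what the shadow mapping is, and the same open-coded comparison reappears in `xsave_user` and `xrestore_user` in xsave.h later in this patch. I would add above the `#if`: `/* UDEREF on 64-bit: user pages are mapped at PAX_USER_SHADOW_BASE + addr; rewrite the pointer before the asm dereferences it */`, and have the xsave.h sites call one shared inline instead of repeating the check. This hunk also drops `__force` from the `(x) = (__typeof__(*(ptr)))__gu_val` cast (the `get_user_ex` hunk below does the same); if `*ptr` is ever a `__user` pointer type, sparse will presumably warn about the integer-to-address-space conversion, so it is worth confirming that the grsecurity sparse changes make `__force` unnecessary here.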
10098@@ -437,7 +490,7 @@ struct __large_struct { unsigned long bu
10099 * aliasing issues.
10100 */
10101 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10102- asm volatile("1: mov"itype" %"rtype"1,%2\n" \
10103+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
10104 "2:\n" \
10105 ".section .fixup,\"ax\"\n" \
10106 "3: mov %3,%0\n" \
10107@@ -445,10 +498,10 @@ struct __large_struct { unsigned long bu
10108 ".previous\n" \
10109 _ASM_EXTABLE(1b, 3b) \
10110 : "=r"(err) \
10111- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
10112+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
10113
10114 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
10115- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
10116+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
10117 "2:\n" \
10118 _ASM_EXTABLE(1b, 2b - 1b) \
10119 : : ltype(x), "m" (__m(addr)))
10120@@ -487,8 +540,12 @@ struct __large_struct { unsigned long bu
10121 * On error, the variable @x is set to zero.
10122 */
10123
10124+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10125+#define __get_user(x, ptr) get_user((x), (ptr))
10126+#else
10127 #define __get_user(x, ptr) \
10128 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
10129+#endif
10130
10131 /**
10132 * __put_user: - Write a simple value into user space, with less checking.
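Review bot: Under `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF` the new `#define __get_user(x, ptr) get_user((x), (ptr))` makes the "less checking" variant take the full `get_user()` path, so the kernel-doc preceding `__get_user` (outside this hunk) and the `__put_user` doc that starts at the end of this hunk no longer describe that configuration. The `__put_user` redefinition in the next hunk has the same gap. A one-line comment on each `#if` branch keeps the header honest, e.g. `/* UDEREF on x86-64: no nocheck fast path, __get_user() is get_user() */`.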
10133@@ -510,8 +567,12 @@ struct __large_struct { unsigned long bu
10134 * Returns zero on success, or -EFAULT on error.
10135 */
10136
10137+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10138+#define __put_user(x, ptr) put_user((x), (ptr))
10139+#else
10140 #define __put_user(x, ptr) \
10141 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
10142+#endif
10143
10144 #define __get_user_unaligned __get_user
10145 #define __put_user_unaligned __put_user
10146@@ -529,7 +590,7 @@ struct __large_struct { unsigned long bu
10147 #define get_user_ex(x, ptr) do { \
10148 unsigned long __gue_val; \
10149 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
10150- (x) = (__force __typeof__(*(ptr)))__gue_val; \
10151+ (x) = (__typeof__(*(ptr)))__gue_val; \
10152 } while (0)
10153
10154 #ifdef CONFIG_X86_WP_WORKS_OK
10155diff -urNp linux-3.1.1/arch/x86/include/asm/vdso.h linux-3.1.1/arch/x86/include/asm/vdso.h
10156--- linux-3.1.1/arch/x86/include/asm/vdso.h 2011-11-11 15:19:27.000000000 -0500
10157+++ linux-3.1.1/arch/x86/include/asm/vdso.h 2011-11-16 18:39:07.000000000 -0500
10158@@ -11,7 +11,7 @@ extern const char VDSO32_PRELINK[];
10159 #define VDSO32_SYMBOL(base, name) \
10160 ({ \
10161 extern const char VDSO32_##name[]; \
10162- (void *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
10163+ (void __user *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
10164 })
10165 #endif
10166
10167diff -urNp linux-3.1.1/arch/x86/include/asm/x86_init.h linux-3.1.1/arch/x86/include/asm/x86_init.h
10168--- linux-3.1.1/arch/x86/include/asm/x86_init.h 2011-11-11 15:19:27.000000000 -0500
10169+++ linux-3.1.1/arch/x86/include/asm/x86_init.h 2011-11-16 18:39:07.000000000 -0500
10170@@ -28,7 +28,7 @@ struct x86_init_mpparse {
10171 void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name);
10172 void (*find_smp_config)(void);
10173 void (*get_smp_config)(unsigned int early);
10174-};
10175+} __no_const;
10176
10177 /**
10178 * struct x86_init_resources - platform specific resource related ops
10179@@ -42,7 +42,7 @@ struct x86_init_resources {
10180 void (*probe_roms)(void);
10181 void (*reserve_resources)(void);
10182 char *(*memory_setup)(void);
10183-};
10184+} __no_const;
10185
10186 /**
10187 * struct x86_init_irqs - platform specific interrupt setup
10188@@ -55,7 +55,7 @@ struct x86_init_irqs {
10189 void (*pre_vector_init)(void);
10190 void (*intr_init)(void);
10191 void (*trap_init)(void);
10192-};
10193+} __no_const;
10194
10195 /**
10196 * struct x86_init_oem - oem platform specific customizing functions
10197@@ -65,7 +65,7 @@ struct x86_init_irqs {
10198 struct x86_init_oem {
10199 void (*arch_setup)(void);
10200 void (*banner)(void);
10201-};
10202+} __no_const;
10203
10204 /**
10205 * struct x86_init_mapping - platform specific initial kernel pagetable setup
10206@@ -76,7 +76,7 @@ struct x86_init_oem {
10207 */
10208 struct x86_init_mapping {
10209 void (*pagetable_reserve)(u64 start, u64 end);
10210-};
10211+} __no_const;
10212
10213 /**
10214 * struct x86_init_paging - platform specific paging functions
10215@@ -86,7 +86,7 @@ struct x86_init_mapping {
10216 struct x86_init_paging {
10217 void (*pagetable_setup_start)(pgd_t *base);
10218 void (*pagetable_setup_done)(pgd_t *base);
10219-};
10220+} __no_const;
10221
10222 /**
10223 * struct x86_init_timers - platform specific timer setup
10224@@ -101,7 +101,7 @@ struct x86_init_timers {
10225 void (*tsc_pre_init)(void);
10226 void (*timer_init)(void);
10227 void (*wallclock_init)(void);
10228-};
10229+} __no_const;
10230
10231 /**
10232 * struct x86_init_iommu - platform specific iommu setup
10233@@ -109,7 +109,7 @@ struct x86_init_timers {
10234 */
10235 struct x86_init_iommu {
10236 int (*iommu_init)(void);
10237-};
10238+} __no_const;
10239
10240 /**
10241 * struct x86_init_pci - platform specific pci init functions
10242@@ -123,7 +123,7 @@ struct x86_init_pci {
10243 int (*init)(void);
10244 void (*init_irq)(void);
10245 void (*fixup_irqs)(void);
10246-};
10247+} __no_const;
10248
10249 /**
10250 * struct x86_init_ops - functions for platform specific setup
10251@@ -139,7 +139,7 @@ struct x86_init_ops {
10252 struct x86_init_timers timers;
10253 struct x86_init_iommu iommu;
10254 struct x86_init_pci pci;
10255-};
10256+} __no_const;
10257
10258 /**
10259 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
10260@@ -147,7 +147,7 @@ struct x86_init_ops {
10261 */
10262 struct x86_cpuinit_ops {
10263 void (*setup_percpu_clockev)(void);
10264-};
10265+} __no_const;
10266
10267 /**
10268 * struct x86_platform_ops - platform specific runtime functions
10269@@ -166,7 +166,7 @@ struct x86_platform_ops {
10270 bool (*is_untracked_pat_range)(u64 start, u64 end);
10271 void (*nmi_init)(void);
10272 int (*i8042_detect)(void);
10273-};
10274+} __no_const;
10275
10276 struct pci_dev;
10277
10278@@ -174,7 +174,7 @@ struct x86_msi_ops {
10279 int (*setup_msi_irqs)(struct pci_dev *dev, int nvec, int type);
10280 void (*teardown_msi_irq)(unsigned int irq);
10281 void (*teardown_msi_irqs)(struct pci_dev *dev);
10282-};
10283+} __no_const;
10284
10285 extern struct x86_init_ops x86_init;
10286 extern struct x86_cpuinit_ops x86_cpuinit;
10287diff -urNp linux-3.1.1/arch/x86/include/asm/xsave.h linux-3.1.1/arch/x86/include/asm/xsave.h
10288--- linux-3.1.1/arch/x86/include/asm/xsave.h 2011-11-11 15:19:27.000000000 -0500
10289+++ linux-3.1.1/arch/x86/include/asm/xsave.h 2011-11-16 18:39:07.000000000 -0500
10290@@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10291 {
10292 int err;
10293
10294+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10295+ if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10296+ buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10297+#endif
10298+
10299 /*
10300 * Clear the xsave header first, so that reserved fields are
10301 * initialized to zero.
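Review bot: The `buf` rewrite in `xsave_user` re-implements the `PAX_USER_SHADOW_BASE` comparison that uaccess.h wraps in `____m()`, and the next hunk does it a third time for `xstate` in `xrestore_user` with a different pointer type; three copies of a security-relevant address rewrite are easy to let drift apart. Replacing both sites with one `static inline` helper (for example in uaccess.h next to `____m`) would leave a single definition, and a one-line comment at that helper would explain the shadow mapping once. The enclosing `xsave_user` definition starts before this hunk, so I cannot see whether `buf` is used again after the `__asm__` block.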
10302@@ -96,10 +101,15 @@ static inline int xsave_user(struct xsav
10303 static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
10304 {
10305 int err;
10306- struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
10307+ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
10308 u32 lmask = mask;
10309 u32 hmask = mask >> 32;
10310
10311+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10312+ if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10313+ xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10314+#endif
10315+
10316 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10317 "2:\n"
10318 ".section .fixup,\"ax\"\n"
10319diff -urNp linux-3.1.1/arch/x86/Kconfig linux-3.1.1/arch/x86/Kconfig
10320--- linux-3.1.1/arch/x86/Kconfig 2011-11-11 15:19:27.000000000 -0500
10321+++ linux-3.1.1/arch/x86/Kconfig 2011-11-16 18:40:08.000000000 -0500
10322@@ -236,7 +236,7 @@ config X86_HT
10323
10324 config X86_32_LAZY_GS
10325 def_bool y
10326- depends on X86_32 && !CC_STACKPROTECTOR
10327+ depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10328
10329 config ARCH_HWEIGHT_CFLAGS
10330 string
10331@@ -1019,7 +1019,7 @@ choice
10332
10333 config NOHIGHMEM
10334 bool "off"
10335- depends on !X86_NUMAQ
10336+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10337 ---help---
10338 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10339 However, the address space of 32-bit x86 processors is only 4
10340@@ -1056,7 +1056,7 @@ config NOHIGHMEM
10341
10342 config HIGHMEM4G
10343 bool "4GB"
10344- depends on !X86_NUMAQ
10345+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10346 ---help---
10347 Select this if you have a 32-bit processor and between 1 and 4
10348 gigabytes of physical RAM.
10349@@ -1110,7 +1110,7 @@ config PAGE_OFFSET
10350 hex
10351 default 0xB0000000 if VMSPLIT_3G_OPT
10352 default 0x80000000 if VMSPLIT_2G
10353- default 0x78000000 if VMSPLIT_2G_OPT
10354+ default 0x70000000 if VMSPLIT_2G_OPT
10355 default 0x40000000 if VMSPLIT_1G
10356 default 0xC0000000
10357 depends on X86_32
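Review bot: The `VMSPLIT_2G_OPT` default for `PAGE_OFFSET` moves from 0x78000000 to 0x70000000, which takes another 128 MB from the user address space, and nothing in the hunk says why; the `VMSPLIT_2G_OPT` prompt (outside this hunk) presumably still advertises the old layout. A comment above the line, e.g. `# PaX: 0x70000000 leaves room for <REASON-PLACEHOLDER> below the kernel mapping` with the actual reason filled in, would stop a later upstream resync from silently reverting the value.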
10358@@ -1484,6 +1484,7 @@ config SECCOMP
10359
10360 config CC_STACKPROTECTOR
10361 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
10362+ depends on X86_64 || !PAX_MEMORY_UDEREF
10363 ---help---
10364 This option turns on the -fstack-protector GCC feature. This
10365 feature puts, at the beginning of functions, a canary value on
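Review bot: The new `depends on X86_64 || !PAX_MEMORY_UDEREF` makes `-fstack-protector` unavailable on 32-bit whenever UDEREF is selected, but the help text that follows (mostly outside this hunk) does not mention the exclusion, so a user enabling UDEREF will not learn why the stack protector disappeared. The interaction appears to be the %gs conflict also reflected in the `X86_32_LAZY_GS` hunk at the top of this file (the i386 stack-protector canary is addressed through %gs), which is worth stating. I would add to the help text: `Not available on 32-bit together with PAX_MEMORY_UDEREF, which claims the %gs segment register.`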
10366@@ -1541,6 +1542,7 @@ config KEXEC_JUMP
10367 config PHYSICAL_START
10368 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
10369 default "0x1000000"
10370+ range 0x400000 0x40000000
10371 ---help---
10372 This gives the physical address where the kernel is loaded.
10373
10374@@ -1604,6 +1606,7 @@ config X86_NEED_RELOCS
10375 config PHYSICAL_ALIGN
10376 hex "Alignment value to which kernel should be aligned" if X86_32
10377 default "0x1000000"
10378+ range 0x400000 0x1000000 if PAX_KERNEXEC
10379 range 0x2000 0x1000000
10380 ---help---
10381 This value puts the alignment restrictions on physical address
10382@@ -1635,9 +1638,10 @@ config HOTPLUG_CPU
10383 Say N if you want to disable CPU hotplug.
10384
10385 config COMPAT_VDSO
10386- def_bool y
10387+ def_bool n
10388 prompt "Compat VDSO support"
10389 depends on X86_32 || IA32_EMULATION
10390+ depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10391 ---help---
10392 Map the 32-bit VDSO to the predictable old-style address too.
10393
10394diff -urNp linux-3.1.1/arch/x86/Kconfig.cpu linux-3.1.1/arch/x86/Kconfig.cpu
10395--- linux-3.1.1/arch/x86/Kconfig.cpu 2011-11-11 15:19:27.000000000 -0500
10396+++ linux-3.1.1/arch/x86/Kconfig.cpu 2011-11-16 18:39:07.000000000 -0500
10397@@ -341,7 +341,7 @@ config X86_PPRO_FENCE
10398
10399 config X86_F00F_BUG
10400 def_bool y
10401- depends on M586MMX || M586TSC || M586 || M486 || M386
10402+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10403
10404 config X86_INVD_BUG
10405 def_bool y
10406@@ -365,7 +365,7 @@ config X86_POPAD_OK
10407
10408 config X86_ALIGNMENT_16
10409 def_bool y
10410- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10411+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10412
10413 config X86_INTEL_USERCOPY
10414 def_bool y
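Review bot: The rewritten `X86_ALIGNMENT_16` dependency replaces `MELAN` with `X86_ELAN`; the removed line shows this tree spells the Elan option `MELAN`, and if `X86_ELAN` is not defined anywhere in this kernel version, Kconfig treats the unknown symbol as `n`, so Elan silently drops out of the alignment set. Please confirm `X86_ELAN` exists in this tree, or keep `MELAN`. The list also grows with MK8, MK7, MCORE2, MPENTIUM4, MPENTIUMIII, MPENTIUMII and M686; a short `# PaX: <REASON-PLACEHOLDER>` comment on why those families now want 16-byte alignment would help the next person merging upstream changes to this line.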
10415@@ -411,7 +411,7 @@ config X86_CMPXCHG64
10416 # generates cmov.
10417 config X86_CMOV
10418 def_bool y
10419- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10420+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10421
10422 config X86_MINIMUM_CPU_FAMILY
10423 int
10424diff -urNp linux-3.1.1/arch/x86/Kconfig.debug linux-3.1.1/arch/x86/Kconfig.debug
10425--- linux-3.1.1/arch/x86/Kconfig.debug 2011-11-11 15:19:27.000000000 -0500
10426+++ linux-3.1.1/arch/x86/Kconfig.debug 2011-11-16 18:39:07.000000000 -0500
10427@@ -81,7 +81,7 @@ config X86_PTDUMP
10428 config DEBUG_RODATA
10429 bool "Write protect kernel read-only data structures"
10430 default y
10431- depends on DEBUG_KERNEL
10432+ depends on DEBUG_KERNEL && BROKEN
10433 ---help---
10434 Mark the kernel read-only data as write-protected in the pagetables,
10435 in order to catch accidental (and incorrect) writes to such const
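Review bot: Adding `&& BROKEN` to `DEBUG_RODATA` (and to `DEBUG_SET_MODULE_RONX` in the next hunk) hides two hardening options from menuconfig without a visible reason, while the help text still describes them as working. If the intent is that PAX_KERNEXEC supersedes them, say so where the reader looks: `# PaX: superseded by PAX_KERNEXEC, which write-protects kernel text and rodata itself` above the `depends on`. If the options still work in configurations without KERNEXEC, `depends on DEBUG_KERNEL && !PAX_KERNEXEC` would keep them available there instead of removing them everywhere.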
10436@@ -99,7 +99,7 @@ config DEBUG_RODATA_TEST
10437
10438 config DEBUG_SET_MODULE_RONX
10439 bool "Set loadable kernel module data as NX and text as RO"
10440- depends on MODULES
10441+ depends on MODULES && BROKEN
10442 ---help---
10443 This option helps catch unintended modifications to loadable
10444 kernel module's text and read-only data. It also prevents execution
10445diff -urNp linux-3.1.1/arch/x86/kernel/acpi/realmode/Makefile linux-3.1.1/arch/x86/kernel/acpi/realmode/Makefile
10446--- linux-3.1.1/arch/x86/kernel/acpi/realmode/Makefile 2011-11-11 15:19:27.000000000 -0500
10447+++ linux-3.1.1/arch/x86/kernel/acpi/realmode/Makefile 2011-11-16 18:39:07.000000000 -0500
10448@@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
10449 $(call cc-option, -fno-stack-protector) \
10450 $(call cc-option, -mpreferred-stack-boundary=2)
10451 KBUILD_CFLAGS += $(call cc-option, -m32)
10452+ifdef CONSTIFY_PLUGIN
10453+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
10454+endif
10455 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
10456 GCOV_PROFILE := n
10457
10458diff -urNp linux-3.1.1/arch/x86/kernel/acpi/realmode/wakeup.S linux-3.1.1/arch/x86/kernel/acpi/realmode/wakeup.S
10459--- linux-3.1.1/arch/x86/kernel/acpi/realmode/wakeup.S 2011-11-11 15:19:27.000000000 -0500
10460+++ linux-3.1.1/arch/x86/kernel/acpi/realmode/wakeup.S 2011-11-16 18:40:08.000000000 -0500
10461@@ -108,6 +108,9 @@ wakeup_code:
10462 /* Do any other stuff... */
10463
10464 #ifndef CONFIG_64BIT
10465+ /* Recheck NX bit overrides (64bit path does this in trampoline */
10466+ call verify_cpu
10467+
10468 /* This could also be done in C code... */
10469 movl pmode_cr3, %eax
10470 movl %eax, %cr3
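Review bot: The new comment `/* Recheck NX bit overrides (64bit path does this in trampoline */` has an unbalanced parenthesis; `/* Recheck NX bit overrides (64bit path does this in trampoline) */`. The `call verify_cpu` it introduces resolves only because the next hunk `# include`s `../../verify_cpu.S` into the same `#ifndef CONFIG_64BIT` region; a comment at that include (`# verify_cpu is called above on the 32-bit resume path`) would make the pairing obvious to someone reading either hunk alone.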
10471@@ -131,6 +134,7 @@ wakeup_code:
10472 movl pmode_cr0, %eax
10473 movl %eax, %cr0
10474 jmp pmode_return
10475+# include "../../verify_cpu.S"
10476 #else
10477 pushw $0
10478 pushw trampoline_segment
10479diff -urNp linux-3.1.1/arch/x86/kernel/acpi/sleep.c linux-3.1.1/arch/x86/kernel/acpi/sleep.c
10480--- linux-3.1.1/arch/x86/kernel/acpi/sleep.c 2011-11-11 15:19:27.000000000 -0500
10481+++ linux-3.1.1/arch/x86/kernel/acpi/sleep.c 2011-11-16 18:39:07.000000000 -0500
10482@@ -94,8 +94,12 @@ int acpi_suspend_lowlevel(void)
10483 header->trampoline_segment = trampoline_address() >> 4;
10484 #ifdef CONFIG_SMP
10485 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
10486+
10487+ pax_open_kernel();
10488 early_gdt_descr.address =
10489 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10490+ pax_close_kernel();
10491+
10492 initial_gs = per_cpu_offset(smp_processor_id());
10493 #endif
10494 initial_code = (unsigned long)wakeup_long64;
10495diff -urNp linux-3.1.1/arch/x86/kernel/acpi/wakeup_32.S linux-3.1.1/arch/x86/kernel/acpi/wakeup_32.S
10496--- linux-3.1.1/arch/x86/kernel/acpi/wakeup_32.S 2011-11-11 15:19:27.000000000 -0500
10497+++ linux-3.1.1/arch/x86/kernel/acpi/wakeup_32.S 2011-11-16 18:39:07.000000000 -0500
10498@@ -30,13 +30,11 @@ wakeup_pmode_return:
10499 # and restore the stack ... but you need gdt for this to work
10500 movl saved_context_esp, %esp
10501
10502- movl %cs:saved_magic, %eax
10503- cmpl $0x12345678, %eax
10504+ cmpl $0x12345678, saved_magic
10505 jne bogus_magic
10506
10507 # jump to place where we left off
10508- movl saved_eip, %eax
10509- jmp *%eax
10510+ jmp *(saved_eip)
10511
10512 bogus_magic:
10513 jmp bogus_magic
10514diff -urNp linux-3.1.1/arch/x86/kernel/alternative.c linux-3.1.1/arch/x86/kernel/alternative.c
10515--- linux-3.1.1/arch/x86/kernel/alternative.c 2011-11-11 15:19:27.000000000 -0500
10516+++ linux-3.1.1/arch/x86/kernel/alternative.c 2011-11-16 18:39:07.000000000 -0500
10517@@ -276,6 +276,13 @@ void __init_or_module apply_alternatives
10518 */
10519 for (a = start; a < end; a++) {
10520 instr = (u8 *)&a->instr_offset + a->instr_offset;
10521+
10522+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
10523+ instr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10524+ if (instr < (u8 *)_text || (u8 *)_einittext <= instr)
10525+ instr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10526+#endif
10527+
10528 replacement = (u8 *)&a->repl_offset + a->repl_offset;
10529 BUG_ON(a->replacementlen > a->instrlen);
10530 BUG_ON(a->instrlen > sizeof(insnbuf));
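Review bot: The KERNEXEC relocation block (`ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;` then undo it when the result is outside `[_text, _einittext)`) is pasted three times in this file — here, in `alternatives_smp_lock` and in `alternatives_smp_unlock` — with no comment on why an out-of-range result is undone. A single `static inline` helper with a one-line explanation (presumably: core-kernel alternatives entries carry the pre-relocation address while entries from modules already hold the final one — please confirm) would replace all three copies and keep the range check in one place.

```c
#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
/* KERNEXEC: core-kernel entries are emitted relative to ____LOAD_PHYSICAL_ADDR;
 * pointers that land outside the image (module entries) need no shift.
 * NOTE(review): confirm this matches the intent of the three original copies. */
static inline u8 *pax_fixup_alt_ptr(u8 *p)
{
	p += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
	if (p < (u8 *)_text || (u8 *)_einittext <= p)
		p -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
	return p;
}
#else
static inline u8 *pax_fixup_alt_ptr(u8 *p) { return p; }
#endif

/* … unchanged: apply_alternatives loop head … */
		instr = pax_fixup_alt_ptr((u8 *)&a->instr_offset + a->instr_offset);
/* … unchanged: alternatives_smp_lock / alternatives_smp_unlock use the same call on ptr … */
```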
10531@@ -307,10 +314,16 @@ static void alternatives_smp_lock(const
10532 for (poff = start; poff < end; poff++) {
10533 u8 *ptr = (u8 *)poff + *poff;
10534
10535+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
10536+ ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10537+ if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
10538+ ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10539+#endif
10540+
10541 if (!*poff || ptr < text || ptr >= text_end)
10542 continue;
10543 /* turn DS segment override prefix into lock prefix */
10544- if (*ptr == 0x3e)
10545+ if (*ktla_ktva(ptr) == 0x3e)
10546 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10547 };
10548 mutex_unlock(&text_mutex);
10549@@ -328,10 +341,16 @@ static void alternatives_smp_unlock(cons
10550 for (poff = start; poff < end; poff++) {
10551 u8 *ptr = (u8 *)poff + *poff;
10552
10553+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
10554+ ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10555+ if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
10556+ ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
10557+#endif
10558+
10559 if (!*poff || ptr < text || ptr >= text_end)
10560 continue;
10561 /* turn lock prefix into DS segment override prefix */
10562- if (*ptr == 0xf0)
10563+ if (*ktla_ktva(ptr) == 0xf0)
10564 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10565 };
10566 mutex_unlock(&text_mutex);
10567@@ -500,7 +519,7 @@ void __init_or_module apply_paravirt(str
10568
10569 BUG_ON(p->len > MAX_PATCH_LEN);
10570 /* prep the buffer with the original instructions */
10571- memcpy(insnbuf, p->instr, p->len);
10572+ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10573 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10574 (unsigned long)p->instr, p->len);
10575
10576@@ -568,7 +587,7 @@ void __init alternative_instructions(voi
10577 if (smp_alt_once)
10578 free_init_pages("SMP alternatives",
10579 (unsigned long)__smp_locks,
10580- (unsigned long)__smp_locks_end);
10581+ PAGE_ALIGN((unsigned long)__smp_locks_end));
10582
10583 restart_nmi();
10584 }
10585@@ -585,13 +604,17 @@ void __init alternative_instructions(voi
10586 * instructions. And on the local CPU you need to be protected again NMI or MCE
10587 * handlers seeing an inconsistent instruction while you patch.
10588 */
10589-void *__init_or_module text_poke_early(void *addr, const void *opcode,
10590+void *__kprobes text_poke_early(void *addr, const void *opcode,
10591 size_t len)
10592 {
10593 unsigned long flags;
10594 local_irq_save(flags);
10595- memcpy(addr, opcode, len);
10596+
10597+ pax_open_kernel();
10598+ memcpy(ktla_ktva(addr), opcode, len);
10599 sync_core();
10600+ pax_close_kernel();
10601+
10602 local_irq_restore(flags);
10603 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10604 that causes hangs on some VIA CPUs. */
10605@@ -613,36 +636,22 @@ void *__init_or_module text_poke_early(v
10606 */
10607 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10608 {
10609- unsigned long flags;
10610- char *vaddr;
10611+ unsigned char *vaddr = ktla_ktva(addr);
10612 struct page *pages[2];
10613- int i;
10614+ size_t i;
10615
10616 if (!core_kernel_text((unsigned long)addr)) {
10617- pages[0] = vmalloc_to_page(addr);
10618- pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10619+ pages[0] = vmalloc_to_page(vaddr);
10620+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10621 } else {
10622- pages[0] = virt_to_page(addr);
10623+ pages[0] = virt_to_page(vaddr);
10624 WARN_ON(!PageReserved(pages[0]));
10625- pages[1] = virt_to_page(addr + PAGE_SIZE);
10626+ pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10627 }
10628 BUG_ON(!pages[0]);
10629- local_irq_save(flags);
10630- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10631- if (pages[1])
10632- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10633- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10634- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10635- clear_fixmap(FIX_TEXT_POKE0);
10636- if (pages[1])
10637- clear_fixmap(FIX_TEXT_POKE1);
10638- local_flush_tlb();
10639- sync_core();
10640- /* Could also do a CLFLUSH here to speed up CPU recovery; but
10641- that causes hangs on some VIA CPUs. */
10642+ text_poke_early(addr, opcode, len);
10643 for (i = 0; i < len; i++)
10644- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10645- local_irq_restore(flags);
10646+ BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
10647 return addr;
10648 }
10649
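Review bot: In the rewritten `text_poke`, `pages[1]` is still computed via `vmalloc_to_page(vaddr + PAGE_SIZE)` / `virt_to_page(vaddr + PAGE_SIZE)` but never read once the `FIX_TEXT_POKE1` fixmap path is gone; only `pages[0]` feeds the remaining `BUG_ON`. Either drop the second element or keep the lookup as a deliberate sanity check and say so in a comment. The write now goes through `text_poke_early()`, i.e. `pax_open_kernel()` plus `memcpy(ktla_ktva(addr), ...)`; if `pax_open_kernel()` is a no-op without CONFIG_PAX_KERNEXEC, a poke into read-only text would fault instead of using a writable alias, which may be why DEBUG_RODATA is marked BROKEN elsewhere in this patch — a comment on `text_poke` recording that assumption would help. The verification loop comparing `vaddr[i]` rather than `addr[i]` is consistent with where the write landed.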
10650diff -urNp linux-3.1.1/arch/x86/kernel/apic/apic.c linux-3.1.1/arch/x86/kernel/apic/apic.c
10651--- linux-3.1.1/arch/x86/kernel/apic/apic.c 2011-11-11 15:19:27.000000000 -0500
10652+++ linux-3.1.1/arch/x86/kernel/apic/apic.c 2011-11-16 18:40:08.000000000 -0500
10653@@ -174,7 +174,7 @@ int first_system_vector = 0xfe;
10654 /*
10655 * Debug level, exported for io_apic.c
10656 */
10657-unsigned int apic_verbosity;
10658+int apic_verbosity;
10659
10660 int pic_mode;
10661
10662@@ -1835,7 +1835,7 @@ void smp_error_interrupt(struct pt_regs
10663 apic_write(APIC_ESR, 0);
10664 v1 = apic_read(APIC_ESR);
10665 ack_APIC_irq();
10666- atomic_inc(&irq_err_count);
10667+ atomic_inc_unchecked(&irq_err_count);
10668
10669 apic_printk(APIC_DEBUG, KERN_DEBUG "APIC error on CPU%d: %02x(%02x)",
10670 smp_processor_id(), v0 , v1);
10671@@ -2209,6 +2209,8 @@ static int __cpuinit apic_cluster_num(vo
10672 u16 *bios_cpu_apicid;
10673 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
10674
10675+ pax_track_stack();
10676+
10677 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
10678 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
10679
10680diff -urNp linux-3.1.1/arch/x86/kernel/apic/io_apic.c linux-3.1.1/arch/x86/kernel/apic/io_apic.c
10681--- linux-3.1.1/arch/x86/kernel/apic/io_apic.c 2011-11-11 15:19:27.000000000 -0500
10682+++ linux-3.1.1/arch/x86/kernel/apic/io_apic.c 2011-11-16 18:39:07.000000000 -0500
10683@@ -1028,7 +1028,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10684 }
10685 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10686
10687-void lock_vector_lock(void)
10688+void lock_vector_lock(void) __acquires(vector_lock)
10689 {
10690 /* Used to the online set of cpus does not change
10691 * during assign_irq_vector.
10692@@ -1036,7 +1036,7 @@ void lock_vector_lock(void)
10693 raw_spin_lock(&vector_lock);
10694 }
10695
10696-void unlock_vector_lock(void)
10697+void unlock_vector_lock(void) __releases(vector_lock)
10698 {
10699 raw_spin_unlock(&vector_lock);
10700 }
10701@@ -2405,7 +2405,7 @@ static void ack_apic_edge(struct irq_dat
10702 ack_APIC_irq();
10703 }
10704
10705-atomic_t irq_mis_count;
10706+atomic_unchecked_t irq_mis_count;
10707
10708 /*
10709 * IO-APIC versions below 0x20 don't support EOI register.
10710@@ -2513,7 +2513,7 @@ static void ack_apic_level(struct irq_da
10711 * at the cpu.
10712 */
10713 if (!(v & (1 << (i & 0x1f)))) {
10714- atomic_inc(&irq_mis_count);
10715+ atomic_inc_unchecked(&irq_mis_count);
10716
10717 eoi_ioapic_irq(irq, cfg);
10718 }
10719diff -urNp linux-3.1.1/arch/x86/kernel/apm_32.c linux-3.1.1/arch/x86/kernel/apm_32.c
10720--- linux-3.1.1/arch/x86/kernel/apm_32.c 2011-11-11 15:19:27.000000000 -0500
10721+++ linux-3.1.1/arch/x86/kernel/apm_32.c 2011-11-16 18:39:07.000000000 -0500
10722@@ -413,7 +413,7 @@ static DEFINE_MUTEX(apm_mutex);
10723 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10724 * even though they are called in protected mode.
10725 */
10726-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10727+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10728 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10729
10730 static const char driver_version[] = "1.16ac"; /* no spaces */
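Review bot: `bad_bios_desc` changes from `GDT_ENTRY_INIT(0x4092, …)` to `0x4093` in the same line that makes it `const`, i.e. the descriptor's accessed bit is now pre-set; without a comment this reads like a typo. Presumably the reason is that the GDT it is copied into (under `pax_open_kernel()` in the later hunks) is otherwise read-only, so the CPU must never need to set the accessed bit on segment load — please confirm and record it: `/* type 0x13 = data r/w, accessed: pre-set so a read-only GDT is never written on load */`.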
10731@@ -591,7 +591,10 @@ static long __apm_bios_call(void *_call)
10732 BUG_ON(cpu != 0);
10733 gdt = get_cpu_gdt_table(cpu);
10734 save_desc_40 = gdt[0x40 / 8];
10735+
10736+ pax_open_kernel();
10737 gdt[0x40 / 8] = bad_bios_desc;
10738+ pax_close_kernel();
10739
10740 apm_irq_save(flags);
10741 APM_DO_SAVE_SEGS;
10742@@ -600,7 +603,11 @@ static long __apm_bios_call(void *_call)
10743 &call->esi);
10744 APM_DO_RESTORE_SEGS;
10745 apm_irq_restore(flags);
10746+
10747+ pax_open_kernel();
10748 gdt[0x40 / 8] = save_desc_40;
10749+ pax_close_kernel();
10750+
10751 put_cpu();
10752
10753 return call->eax & 0xff;
10754@@ -667,7 +674,10 @@ static long __apm_bios_call_simple(void
10755 BUG_ON(cpu != 0);
10756 gdt = get_cpu_gdt_table(cpu);
10757 save_desc_40 = gdt[0x40 / 8];
10758+
10759+ pax_open_kernel();
10760 gdt[0x40 / 8] = bad_bios_desc;
10761+ pax_close_kernel();
10762
10763 apm_irq_save(flags);
10764 APM_DO_SAVE_SEGS;
10765@@ -675,7 +685,11 @@ static long __apm_bios_call_simple(void
10766 &call->eax);
10767 APM_DO_RESTORE_SEGS;
10768 apm_irq_restore(flags);
10769+
10770+ pax_open_kernel();
10771 gdt[0x40 / 8] = save_desc_40;
10772+ pax_close_kernel();
10773+
10774 put_cpu();
10775 return error;
10776 }
10777@@ -2349,12 +2363,15 @@ static int __init apm_init(void)
10778 * code to that CPU.
10779 */
10780 gdt = get_cpu_gdt_table(0);
10781+
10782+ pax_open_kernel();
10783 set_desc_base(&gdt[APM_CS >> 3],
10784 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10785 set_desc_base(&gdt[APM_CS_16 >> 3],
10786 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10787 set_desc_base(&gdt[APM_DS >> 3],
10788 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10789+ pax_close_kernel();
10790
10791 proc_create("apm", 0, NULL, &apm_file_ops);
10792
10793diff -urNp linux-3.1.1/arch/x86/kernel/asm-offsets_64.c linux-3.1.1/arch/x86/kernel/asm-offsets_64.c
10794--- linux-3.1.1/arch/x86/kernel/asm-offsets_64.c 2011-11-11 15:19:27.000000000 -0500
10795+++ linux-3.1.1/arch/x86/kernel/asm-offsets_64.c 2011-11-16 18:39:07.000000000 -0500
10796@@ -69,6 +69,7 @@ int main(void)
10797 BLANK();
10798 #undef ENTRY
10799
10800+ DEFINE(TSS_size, sizeof(struct tss_struct));
10801 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
10802 BLANK();
10803
10804diff -urNp linux-3.1.1/arch/x86/kernel/asm-offsets.c linux-3.1.1/arch/x86/kernel/asm-offsets.c
10805--- linux-3.1.1/arch/x86/kernel/asm-offsets.c 2011-11-11 15:19:27.000000000 -0500
10806+++ linux-3.1.1/arch/x86/kernel/asm-offsets.c 2011-11-16 18:39:07.000000000 -0500
10807@@ -33,6 +33,8 @@ void common(void) {
10808 OFFSET(TI_status, thread_info, status);
10809 OFFSET(TI_addr_limit, thread_info, addr_limit);
10810 OFFSET(TI_preempt_count, thread_info, preempt_count);
10811+ OFFSET(TI_lowest_stack, thread_info, lowest_stack);
10812+ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
10813
10814 BLANK();
10815 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
10816@@ -53,8 +55,26 @@ void common(void) {
10817 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10818 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10819 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10820+
10821+#ifdef CONFIG_PAX_KERNEXEC
10822+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10823+#endif
10824+
10825+#ifdef CONFIG_PAX_MEMORY_UDEREF
10826+ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10827+ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10828+#ifdef CONFIG_X86_64
10829+ OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
10830+#endif
10831 #endif
10832
10833+#endif
10834+
10835+ BLANK();
10836+ DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
10837+ DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
10838+ DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
10839+
10840 #ifdef CONFIG_XEN
10841 BLANK();
10842 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
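Review bot: The `#endif` nesting in this hunk is hard to follow: the pre-existing ` #endif` context line now closes the new `#ifdef CONFIG_PAX_MEMORY_UDEREF`, while the added `+#endif` two lines later closes whatever outer block the original `#endif` used to close (presumably `CONFIG_PARAVIRT`, outside the hunk). Please tag both: `#endif /* CONFIG_PAX_MEMORY_UDEREF */` and `#endif /* CONFIG_PARAVIRT */`, adjusting the second to the actual outer guard. The `DEFINE(TI_task_thread_sp0, …)` in the earlier hunk relies on a `tinfo` member inside `struct task_struct`, a grsecurity-specific layout; a short comment there saying so would save a maintainer a grep.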
10843diff -urNp linux-3.1.1/arch/x86/kernel/cpu/amd.c linux-3.1.1/arch/x86/kernel/cpu/amd.c
10844--- linux-3.1.1/arch/x86/kernel/cpu/amd.c 2011-11-11 15:19:27.000000000 -0500
10845+++ linux-3.1.1/arch/x86/kernel/cpu/amd.c 2011-11-16 18:39:07.000000000 -0500
10846@@ -647,7 +647,7 @@ static unsigned int __cpuinit amd_size_c
10847 unsigned int size)
10848 {
10849 /* AMD errata T13 (order #21922) */
10850- if ((c->x86 == 6)) {
10851+ if (c->x86 == 6) {
10852 /* Duron Rev A0 */
10853 if (c->x86_model == 3 && c->x86_mask == 0)
10854 size = 64;
10855diff -urNp linux-3.1.1/arch/x86/kernel/cpu/common.c linux-3.1.1/arch/x86/kernel/cpu/common.c
10856--- linux-3.1.1/arch/x86/kernel/cpu/common.c 2011-11-11 15:19:27.000000000 -0500
10857+++ linux-3.1.1/arch/x86/kernel/cpu/common.c 2011-11-16 18:39:07.000000000 -0500
10858@@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10859
10860 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10861
10862-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10863-#ifdef CONFIG_X86_64
10864- /*
10865- * We need valid kernel segments for data and code in long mode too
10866- * IRET will check the segment types kkeil 2000/10/28
10867- * Also sysret mandates a special GDT layout
10868- *
10869- * TLS descriptors are currently at a different place compared to i386.
10870- * Hopefully nobody expects them at a fixed place (Wine?)
10871- */
10872- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10873- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10874- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10875- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10876- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10877- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10878-#else
10879- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10880- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10881- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10882- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10883- /*
10884- * Segments used for calling PnP BIOS have byte granularity.
10885- * They code segments and data segments have fixed 64k limits,
10886- * the transfer segment sizes are set at run time.
10887- */
10888- /* 32-bit code */
10889- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10890- /* 16-bit code */
10891- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10892- /* 16-bit data */
10893- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10894- /* 16-bit data */
10895- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10896- /* 16-bit data */
10897- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10898- /*
10899- * The APM segments have byte granularity and their bases
10900- * are set at run time. All have 64k limits.
10901- */
10902- /* 32-bit code */
10903- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10904- /* 16-bit code */
10905- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10906- /* data */
10907- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10908-
10909- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10910- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10911- GDT_STACK_CANARY_INIT
10912-#endif
10913-} };
10914-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10915-
10916 static int __init x86_xsave_setup(char *s)
10917 {
10918 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10919@@ -371,7 +317,7 @@ void switch_to_new_gdt(int cpu)
10920 {
10921 struct desc_ptr gdt_descr;
10922
10923- gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10924+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10925 gdt_descr.size = GDT_SIZE - 1;
10926 load_gdt(&gdt_descr);
10927 /* Reload the per-cpu base */
10928@@ -840,6 +786,10 @@ static void __cpuinit identify_cpu(struc
10929 /* Filter out anything that depends on CPUID levels we don't have */
10930 filter_cpuid_features(c, true);
10931
10932+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10933+ setup_clear_cpu_cap(X86_FEATURE_SEP);
10934+#endif
10935+
10936 /* If the model name is still unset, do table lookup. */
10937 if (!c->x86_model_id[0]) {
10938 const char *p;
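Review bot: The added `setup_clear_cpu_cap(X86_FEATURE_SEP)` carries no explanation of why SYSENTER support is switched off under SEGMEXEC, KERNEXEC or 32-bit UDEREF, and the three-way `#if` is long enough that the intent is not obvious from the condition alone. A one-line comment above the `#if`, e.g. `/* sysenter/sysexit assume the flat segment layout these PaX features replace; fall back to the int 0x80 path */` (wording to be confirmed by the author — the reason is inferred, not shown by the hunk), would keep the rationale next to the code. `identify_cpu()` starts and ends outside the hunk.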
10939@@ -1019,6 +969,9 @@ static __init int setup_disablecpuid(cha
10940 }
10941 __setup("clearcpuid=", setup_disablecpuid);
10942
10943+DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
10944+EXPORT_PER_CPU_SYMBOL(current_tinfo);
10945+
10946 #ifdef CONFIG_X86_64
10947 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
10948
10949@@ -1034,7 +987,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
10950 EXPORT_PER_CPU_SYMBOL(current_task);
10951
10952 DEFINE_PER_CPU(unsigned long, kernel_stack) =
10953- (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
10954+ (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
10955 EXPORT_PER_CPU_SYMBOL(kernel_stack);
10956
10957 DEFINE_PER_CPU(char *, irq_stack_ptr) =
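Review bot: `(unsigned long)&init_thread_union - 16 + THREAD_SIZE` replaces the named `KERNEL_STACK_OFFSET` with a bare 16, so a reader can no longer tell what the reserved bytes at the top of the stack are for, nor find the other places that must agree with the same value. Keep a named constant, or at least comment the literal in place, e.g. `/* top-of-stack slack reserved for the entry code; must match its asm users */`; whether such users exist elsewhere in the patch is inferred, not visible here.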
10958@@ -1099,7 +1052,7 @@ struct pt_regs * __cpuinit idle_regs(str
10959 {
10960 memset(regs, 0, sizeof(struct pt_regs));
10961 regs->fs = __KERNEL_PERCPU;
10962- regs->gs = __KERNEL_STACK_CANARY;
10963+ savesegment(gs, regs->gs);
10964
10965 return regs;
10966 }
10967@@ -1154,7 +1107,7 @@ void __cpuinit cpu_init(void)
10968 int i;
10969
10970 cpu = stack_smp_processor_id();
10971- t = &per_cpu(init_tss, cpu);
10972+ t = init_tss + cpu;
10973 oist = &per_cpu(orig_ist, cpu);
10974
10975 #ifdef CONFIG_NUMA
10976@@ -1180,7 +1133,7 @@ void __cpuinit cpu_init(void)
10977 switch_to_new_gdt(cpu);
10978 loadsegment(fs, 0);
10979
10980- load_idt((const struct desc_ptr *)&idt_descr);
10981+ load_idt(&idt_descr);
10982
10983 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10984 syscall_init();
10985@@ -1189,7 +1142,6 @@ void __cpuinit cpu_init(void)
10986 wrmsrl(MSR_KERNEL_GS_BASE, 0);
10987 barrier();
10988
10989- x86_configure_nx();
10990 if (cpu != 0)
10991 enable_x2apic();
10992
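Review bot: Removing `x86_configure_nx()` from `cpu_init()` means this path no longer ensures NX is enabled in EFER on each CPU, and the hunk does not show where that now happens. If the patch enables NX earlier in the per-CPU boot path, a comment near the removal, e.g. `/* NX is enabled unconditionally in the early boot code, see [location] */` with the location filled in, would let a reviewer confirm that secondary CPUs still get NX without searching the whole patch. `cpu_init()` starts and ends outside the hunk.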
10993@@ -1243,7 +1195,7 @@ void __cpuinit cpu_init(void)
10994 {
10995 int cpu = smp_processor_id();
10996 struct task_struct *curr = current;
10997- struct tss_struct *t = &per_cpu(init_tss, cpu);
10998+ struct tss_struct *t = init_tss + cpu;
10999 struct thread_struct *thread = &curr->thread;
11000
11001 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
11002diff -urNp linux-3.1.1/arch/x86/kernel/cpu/intel.c linux-3.1.1/arch/x86/kernel/cpu/intel.c
11003--- linux-3.1.1/arch/x86/kernel/cpu/intel.c 2011-11-11 15:19:27.000000000 -0500
11004+++ linux-3.1.1/arch/x86/kernel/cpu/intel.c 2011-11-16 18:39:07.000000000 -0500
11005@@ -172,7 +172,7 @@ static void __cpuinit trap_init_f00f_bug
11006 * Update the IDT descriptor and reload the IDT so that
11007 * it uses the read-only mapped virtual address.
11008 */
11009- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
11010+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
11011 load_idt(&idt_descr);
11012 }
11013 #endif
11014diff -urNp linux-3.1.1/arch/x86/kernel/cpu/Makefile linux-3.1.1/arch/x86/kernel/cpu/Makefile
11015--- linux-3.1.1/arch/x86/kernel/cpu/Makefile 2011-11-11 15:19:27.000000000 -0500
11016+++ linux-3.1.1/arch/x86/kernel/cpu/Makefile 2011-11-16 18:39:07.000000000 -0500
11017@@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
11018 CFLAGS_REMOVE_perf_event.o = -pg
11019 endif
11020
11021-# Make sure load_percpu_segment has no stackprotector
11022-nostackp := $(call cc-option, -fno-stack-protector)
11023-CFLAGS_common.o := $(nostackp)
11024-
11025 obj-y := intel_cacheinfo.o scattered.o topology.o
11026 obj-y += proc.o capflags.o powerflags.o common.o
11027 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
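Review bot: Dropping `CFLAGS_common.o := $(nostackp)` removes the guard the deleted comment explains: `load_percpu_segment` in common.o presumably reloads the segment the stack protector reads its canary through, so building it with the protector risks a canary check against the wrong base. The entry code now loads `__KERNEL_STACK_CANARY` only under `CONFIG_CC_STACKPROTECTOR`, which may be what makes this safe, but that reasoning is nowhere in the tree once the comment goes. Keep a replacement comment at this spot stating why common.o no longer needs `-fno-stack-protector`.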
11028diff -urNp linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce.c linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce.c
11029--- linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce.c 2011-11-11 15:19:27.000000000 -0500
11030+++ linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce.c 2011-11-16 18:39:07.000000000 -0500
11031@@ -42,6 +42,7 @@
11032 #include <asm/processor.h>
11033 #include <asm/mce.h>
11034 #include <asm/msr.h>
11035+#include <asm/local.h>
11036
11037 #include "mce-internal.h"
11038
11039@@ -205,7 +206,7 @@ static void print_mce(struct mce *m)
11040 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
11041 m->cs, m->ip);
11042
11043- if (m->cs == __KERNEL_CS)
11044+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
11045 print_symbol("{%s}", m->ip);
11046 pr_cont("\n");
11047 }
11048@@ -233,10 +234,10 @@ static void print_mce(struct mce *m)
11049
11050 #define PANIC_TIMEOUT 5 /* 5 seconds */
11051
11052-static atomic_t mce_paniced;
11053+static atomic_unchecked_t mce_paniced;
11054
11055 static int fake_panic;
11056-static atomic_t mce_fake_paniced;
11057+static atomic_unchecked_t mce_fake_paniced;
11058
11059 /* Panic in progress. Enable interrupts and wait for final IPI */
11060 static void wait_for_panic(void)
11061@@ -260,7 +261,7 @@ static void mce_panic(char *msg, struct
11062 /*
11063 * Make sure only one CPU runs in machine check panic
11064 */
11065- if (atomic_inc_return(&mce_paniced) > 1)
11066+ if (atomic_inc_return_unchecked(&mce_paniced) > 1)
11067 wait_for_panic();
11068 barrier();
11069
11070@@ -268,7 +269,7 @@ static void mce_panic(char *msg, struct
11071 console_verbose();
11072 } else {
11073 /* Don't log too much for fake panic */
11074- if (atomic_inc_return(&mce_fake_paniced) > 1)
11075+ if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
11076 return;
11077 }
11078 /* First print corrected ones that are still unlogged */
11079@@ -610,7 +611,7 @@ static int mce_timed_out(u64 *t)
11080 * might have been modified by someone else.
11081 */
11082 rmb();
11083- if (atomic_read(&mce_paniced))
11084+ if (atomic_read_unchecked(&mce_paniced))
11085 wait_for_panic();
11086 if (!monarch_timeout)
11087 goto out;
11088@@ -1429,7 +1430,7 @@ void __cpuinit mcheck_cpu_init(struct cp
11089 */
11090
11091 static DEFINE_SPINLOCK(mce_chrdev_state_lock);
11092-static int mce_chrdev_open_count; /* #times opened */
11093+static local_t mce_chrdev_open_count; /* #times opened */
11094 static int mce_chrdev_open_exclu; /* already open exclusive? */
11095
11096 static int mce_chrdev_open(struct inode *inode, struct file *file)
11097@@ -1437,7 +1438,7 @@ static int mce_chrdev_open(struct inode
11098 spin_lock(&mce_chrdev_state_lock);
11099
11100 if (mce_chrdev_open_exclu ||
11101- (mce_chrdev_open_count && (file->f_flags & O_EXCL))) {
11102+ (local_read(&mce_chrdev_open_count) && (file->f_flags & O_EXCL))) {
11103 spin_unlock(&mce_chrdev_state_lock);
11104
11105 return -EBUSY;
11106@@ -1445,7 +1446,7 @@ static int mce_chrdev_open(struct inode
11107
11108 if (file->f_flags & O_EXCL)
11109 mce_chrdev_open_exclu = 1;
11110- mce_chrdev_open_count++;
11111+ local_inc(&mce_chrdev_open_count);
11112
11113 spin_unlock(&mce_chrdev_state_lock);
11114
11115@@ -1456,7 +1457,7 @@ static int mce_chrdev_release(struct ino
11116 {
11117 spin_lock(&mce_chrdev_state_lock);
11118
11119- mce_chrdev_open_count--;
11120+ local_dec(&mce_chrdev_open_count);
11121 mce_chrdev_open_exclu = 0;
11122
11123 spin_unlock(&mce_chrdev_state_lock);
11124@@ -2147,7 +2148,7 @@ struct dentry *mce_get_debugfs_dir(void)
11125 static void mce_reset(void)
11126 {
11127 cpu_missing = 0;
11128- atomic_set(&mce_fake_paniced, 0);
11129+ atomic_set_unchecked(&mce_fake_paniced, 0);
11130 atomic_set(&mce_executing, 0);
11131 atomic_set(&mce_callin, 0);
11132 atomic_set(&global_nwo, 0);
11133diff -urNp linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce-inject.c
11134--- linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-11-11 15:19:27.000000000 -0500
11135+++ linux-3.1.1/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-11-16 18:39:07.000000000 -0500
11136@@ -215,7 +215,9 @@ static int inject_init(void)
11137 if (!alloc_cpumask_var(&mce_inject_cpumask, GFP_KERNEL))
11138 return -ENOMEM;
11139 printk(KERN_INFO "Machine check injector initialized\n");
11140- mce_chrdev_ops.write = mce_write;
11141+ pax_open_kernel();
11142+ *(void **)&mce_chrdev_ops.write = mce_write;
11143+ pax_close_kernel();
11144 register_die_notifier(&mce_raise_nb);
11145 return 0;
11146 }
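Review bot: `*(void **)&mce_chrdev_ops.write = mce_write;` casts away whatever qualifier now protects `mce_chrdev_ops` without saying why, so the next reader sees an unexplained type-punning store between two opaque calls. A comment, e.g. `/* mce_chrdev_ops is placed in read-only data under KERNEXEC; open the kernel for this single write */`, names the reason and makes the deliberately minimal open/close window visible; that the struct is now const or `__read_only` is inferred from the cast, not visible in this hunk. `inject_init()` starts outside the hunk.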
11147diff -urNp linux-3.1.1/arch/x86/kernel/cpu/mtrr/main.c linux-3.1.1/arch/x86/kernel/cpu/mtrr/main.c
11148--- linux-3.1.1/arch/x86/kernel/cpu/mtrr/main.c 2011-11-11 15:19:27.000000000 -0500
11149+++ linux-3.1.1/arch/x86/kernel/cpu/mtrr/main.c 2011-11-16 18:39:07.000000000 -0500
11150@@ -62,7 +62,7 @@ static DEFINE_MUTEX(mtrr_mutex);
11151 u64 size_or_mask, size_and_mask;
11152 static bool mtrr_aps_delayed_init;
11153
11154-static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
11155+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
11156
11157 const struct mtrr_ops *mtrr_if;
11158
11159diff -urNp linux-3.1.1/arch/x86/kernel/cpu/mtrr/mtrr.h linux-3.1.1/arch/x86/kernel/cpu/mtrr/mtrr.h
11160--- linux-3.1.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-11-11 15:19:27.000000000 -0500
11161+++ linux-3.1.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-11-16 18:39:07.000000000 -0500
11162@@ -25,7 +25,7 @@ struct mtrr_ops {
11163 int (*validate_add_page)(unsigned long base, unsigned long size,
11164 unsigned int type);
11165 int (*have_wrcomb)(void);
11166-};
11167+} __do_const;
11168
11169 extern int generic_get_free_region(unsigned long base, unsigned long size,
11170 int replace_reg);
11171diff -urNp linux-3.1.1/arch/x86/kernel/cpu/perf_event.c linux-3.1.1/arch/x86/kernel/cpu/perf_event.c
11172--- linux-3.1.1/arch/x86/kernel/cpu/perf_event.c 2011-11-11 15:19:27.000000000 -0500
11173+++ linux-3.1.1/arch/x86/kernel/cpu/perf_event.c 2011-11-16 18:40:08.000000000 -0500
11174@@ -795,6 +795,8 @@ static int x86_schedule_events(struct cp
11175 int i, j, w, wmax, num = 0;
11176 struct hw_perf_event *hwc;
11177
11178+ pax_track_stack();
11179+
11180 bitmap_zero(used_mask, X86_PMC_IDX_MAX);
11181
11182 for (i = 0; i < n; i++) {
11183@@ -1919,7 +1921,7 @@ perf_callchain_user(struct perf_callchai
11184 break;
11185
11186 perf_callchain_store(entry, frame.return_address);
11187- fp = frame.next_frame;
11188+ fp = (const void __force_user *)frame.next_frame;
11189 }
11190 }
11191
11192diff -urNp linux-3.1.1/arch/x86/kernel/crash.c linux-3.1.1/arch/x86/kernel/crash.c
11193--- linux-3.1.1/arch/x86/kernel/crash.c 2011-11-11 15:19:27.000000000 -0500
11194+++ linux-3.1.1/arch/x86/kernel/crash.c 2011-11-16 18:39:07.000000000 -0500
11195@@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
11196 regs = args->regs;
11197
11198 #ifdef CONFIG_X86_32
11199- if (!user_mode_vm(regs)) {
11200+ if (!user_mode(regs)) {
11201 crash_fixup_ss_esp(&fixed_regs, regs);
11202 regs = &fixed_regs;
11203 }
11204diff -urNp linux-3.1.1/arch/x86/kernel/doublefault_32.c linux-3.1.1/arch/x86/kernel/doublefault_32.c
11205--- linux-3.1.1/arch/x86/kernel/doublefault_32.c 2011-11-11 15:19:27.000000000 -0500
11206+++ linux-3.1.1/arch/x86/kernel/doublefault_32.c 2011-11-16 18:39:07.000000000 -0500
11207@@ -11,7 +11,7 @@
11208
11209 #define DOUBLEFAULT_STACKSIZE (1024)
11210 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
11211-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
11212+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
11213
11214 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
11215
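Review bot: `STACK_START` now points two `unsigned long`s below the end of `doublefault_stack`, and the `-2` is unexplained: a reader cannot tell whether it reserves slots for a return address and something else, or corrects an earlier off-by-one at the top of the array. State it in place, e.g. `/* leave two words free at the top of the double-fault stack for [reason] */`, with the reason supplied by the author; it is not inferable from this hunk.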
11216@@ -21,7 +21,7 @@ static void doublefault_fn(void)
11217 unsigned long gdt, tss;
11218
11219 store_gdt(&gdt_desc);
11220- gdt = gdt_desc.address;
11221+ gdt = (unsigned long)gdt_desc.address;
11222
11223 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
11224
11225@@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
11226 /* 0x2 bit is always set */
11227 .flags = X86_EFLAGS_SF | 0x2,
11228 .sp = STACK_START,
11229- .es = __USER_DS,
11230+ .es = __KERNEL_DS,
11231 .cs = __KERNEL_CS,
11232 .ss = __KERNEL_DS,
11233- .ds = __USER_DS,
11234+ .ds = __KERNEL_DS,
11235 .fs = __KERNEL_PERCPU,
11236
11237 .__cr3 = __pa_nodebug(swapper_pg_dir),
11238diff -urNp linux-3.1.1/arch/x86/kernel/dumpstack_32.c linux-3.1.1/arch/x86/kernel/dumpstack_32.c
11239--- linux-3.1.1/arch/x86/kernel/dumpstack_32.c 2011-11-11 15:19:27.000000000 -0500
11240+++ linux-3.1.1/arch/x86/kernel/dumpstack_32.c 2011-11-16 18:39:07.000000000 -0500
11241@@ -38,15 +38,13 @@ void dump_trace(struct task_struct *task
11242 bp = stack_frame(task, regs);
11243
11244 for (;;) {
11245- struct thread_info *context;
11246+ void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11247
11248- context = (struct thread_info *)
11249- ((unsigned long)stack & (~(THREAD_SIZE - 1)));
11250- bp = ops->walk_stack(context, stack, bp, ops, data, NULL, &graph);
11251+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11252
11253- stack = (unsigned long *)context->previous_esp;
11254- if (!stack)
11255+ if (stack_start == task_stack_page(task))
11256 break;
11257+ stack = *(unsigned long **)stack_start;
11258 if (ops->stack(data, "IRQ") < 0)
11259 break;
11260 touch_nmi_watchdog();
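Review bot: The rewritten loop drops the `if (!stack) break;` guard: it now stops only when `stack_start == task_stack_page(task)`, so if the first word of a non-task stack is ever zero, `stack` becomes NULL, `stack_start` becomes 0 on the next iteration and `walk_stack` is called with it. Keep the check after the load: `stack = *(unsigned long **)stack_start; if (!stack) break;`. The layout contract the load relies on — the previous stack pointer stored in the first word of the IRQ stack — is presumably established by the IRQ entry code elsewhere in the patch and deserves a comment here. `dump_trace()` starts and ends outside the hunk.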
11261@@ -96,21 +94,22 @@ void show_registers(struct pt_regs *regs
11262 * When in-kernel, we also print out the stack and code at the
11263 * time of the fault..
11264 */
11265- if (!user_mode_vm(regs)) {
11266+ if (!user_mode(regs)) {
11267 unsigned int code_prologue = code_bytes * 43 / 64;
11268 unsigned int code_len = code_bytes;
11269 unsigned char c;
11270 u8 *ip;
11271+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
11272
11273 printk(KERN_EMERG "Stack:\n");
11274 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
11275
11276 printk(KERN_EMERG "Code: ");
11277
11278- ip = (u8 *)regs->ip - code_prologue;
11279+ ip = (u8 *)regs->ip - code_prologue + cs_base;
11280 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
11281 /* try starting at IP */
11282- ip = (u8 *)regs->ip;
11283+ ip = (u8 *)regs->ip + cs_base;
11284 code_len = code_len - code_prologue + 1;
11285 }
11286 for (i = 0; i < code_len; i++, ip++) {
11287@@ -119,7 +118,7 @@ void show_registers(struct pt_regs *regs
11288 printk(" Bad EIP value.");
11289 break;
11290 }
11291- if (ip == (u8 *)regs->ip)
11292+ if (ip == (u8 *)regs->ip + cs_base)
11293 printk("<%02x> ", c);
11294 else
11295 printk("%02x ", c);
11296@@ -132,6 +131,7 @@ int is_valid_bugaddr(unsigned long ip)
11297 {
11298 unsigned short ud2;
11299
11300+ ip = ktla_ktva(ip);
11301 if (ip < PAGE_OFFSET)
11302 return 0;
11303 if (probe_kernel_address((unsigned short *)ip, ud2))
11304@@ -139,3 +139,15 @@ int is_valid_bugaddr(unsigned long ip)
11305
11306 return ud2 == 0x0b0f;
11307 }
11308+
11309+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11310+void pax_check_alloca(unsigned long size)
11311+{
11312+ unsigned long sp = (unsigned long)&sp, stack_left;
11313+
11314+ /* all kernel stacks are of the same size */
11315+ stack_left = sp & (THREAD_SIZE - 1);
11316+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
11317+}
11318+EXPORT_SYMBOL(pax_check_alloca);
11319+#endif
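Review bot: `pax_check_alloca()` uses the bare 256 twice (`stack_left < 256` and `size >= stack_left - 256`) with nothing saying what the reserve is for, and the same literal appears three more times in the dumpstack_64.c copy of the function. Give it one named definition shared by both files, e.g. `#define STACKLEAK_ALLOCA_RESERVE 256 /* bytes kept free below an alloca for the remaining call chain */` (constructed name; the purpose is inferred). The `sp = (unsigned long)&sp` idiom also merits a one-liner: `/* the address of a local approximates the current stack pointer */`.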
11320diff -urNp linux-3.1.1/arch/x86/kernel/dumpstack_64.c linux-3.1.1/arch/x86/kernel/dumpstack_64.c
11321--- linux-3.1.1/arch/x86/kernel/dumpstack_64.c 2011-11-11 15:19:27.000000000 -0500
11322+++ linux-3.1.1/arch/x86/kernel/dumpstack_64.c 2011-11-16 18:39:07.000000000 -0500
11323@@ -119,9 +119,9 @@ void dump_trace(struct task_struct *task
11324 unsigned long *irq_stack_end =
11325 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
11326 unsigned used = 0;
11327- struct thread_info *tinfo;
11328 int graph = 0;
11329 unsigned long dummy;
11330+ void *stack_start;
11331
11332 if (!task)
11333 task = current;
11334@@ -142,10 +142,10 @@ void dump_trace(struct task_struct *task
11335 * current stack address. If the stacks consist of nested
11336 * exceptions
11337 */
11338- tinfo = task_thread_info(task);
11339 for (;;) {
11340 char *id;
11341 unsigned long *estack_end;
11342+
11343 estack_end = in_exception_stack(cpu, (unsigned long)stack,
11344 &used, &id);
11345
11346@@ -153,7 +153,7 @@ void dump_trace(struct task_struct *task
11347 if (ops->stack(data, id) < 0)
11348 break;
11349
11350- bp = ops->walk_stack(tinfo, stack, bp, ops,
11351+ bp = ops->walk_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
11352 data, estack_end, &graph);
11353 ops->stack(data, "<EOE>");
11354 /*
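Review bot: `estack_end - EXCEPTION_STKSZ` is pointer arithmetic on `unsigned long *`, so it steps back `EXCEPTION_STKSZ * sizeof(unsigned long)` bytes rather than `EXCEPTION_STKSZ` bytes — unlike the byte arithmetic `stack_end - EXCEPTION_STKSZ` this patch uses for the same purpose in `pax_check_alloca()` later in the file. The effect is probably masked because `valid_stack_ptr()` appears to consult `stack_start` only when `end` is NULL, but any callee that does use it would get an address far below the exception stack; write it as `(void *)((unsigned long)estack_end - EXCEPTION_STKSZ)` to match the other site. `dump_trace()` starts and ends outside the hunk.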
11355@@ -172,7 +172,7 @@ void dump_trace(struct task_struct *task
11356 if (in_irq_stack(stack, irq_stack, irq_stack_end)) {
11357 if (ops->stack(data, "IRQ") < 0)
11358 break;
11359- bp = ops->walk_stack(tinfo, stack, bp,
11360+ bp = ops->walk_stack(task, irq_stack, stack, bp,
11361 ops, data, irq_stack_end, &graph);
11362 /*
11363 * We link to the next stack (which would be
11364@@ -191,7 +191,8 @@ void dump_trace(struct task_struct *task
11365 /*
11366 * This handles the process stack:
11367 */
11368- bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
11369+ stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
11370+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
11371 put_cpu();
11372 }
11373 EXPORT_SYMBOL(dump_trace);
11374@@ -305,3 +306,50 @@ int is_valid_bugaddr(unsigned long ip)
11375
11376 return ud2 == 0x0b0f;
11377 }
11378+
11379+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11380+void pax_check_alloca(unsigned long size)
11381+{
11382+ unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
11383+ unsigned cpu, used;
11384+ char *id;
11385+
11386+ /* check the process stack first */
11387+ stack_start = (unsigned long)task_stack_page(current);
11388+ stack_end = stack_start + THREAD_SIZE;
11389+ if (likely(stack_start <= sp && sp < stack_end)) {
11390+ unsigned long stack_left = sp & (THREAD_SIZE - 1);
11391+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
11392+ return;
11393+ }
11394+
11395+ cpu = get_cpu();
11396+
11397+ /* check the irq stacks */
11398+ stack_end = (unsigned long)per_cpu(irq_stack_ptr, cpu);
11399+ stack_start = stack_end - IRQ_STACK_SIZE;
11400+ if (stack_start <= sp && sp < stack_end) {
11401+ unsigned long stack_left = sp & (IRQ_STACK_SIZE - 1);
11402+ put_cpu();
11403+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
11404+ return;
11405+ }
11406+
11407+ /* check the exception stacks */
11408+ used = 0;
11409+ stack_end = (unsigned long)in_exception_stack(cpu, sp, &used, &id);
11410+ stack_start = stack_end - EXCEPTION_STKSZ;
11411+ if (stack_end && stack_start <= sp && sp < stack_end) {
11412+ unsigned long stack_left = sp & (EXCEPTION_STKSZ - 1);
11413+ put_cpu();
11414+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
11415+ return;
11416+ }
11417+
11418+ put_cpu();
11419+
11420+ /* unknown stack */
11421+ BUG();
11422+}
11423+EXPORT_SYMBOL(pax_check_alloca);
11424+#endif
11425diff -urNp linux-3.1.1/arch/x86/kernel/dumpstack.c linux-3.1.1/arch/x86/kernel/dumpstack.c
11426--- linux-3.1.1/arch/x86/kernel/dumpstack.c 2011-11-11 15:19:27.000000000 -0500
11427+++ linux-3.1.1/arch/x86/kernel/dumpstack.c 2011-11-16 18:40:08.000000000 -0500
11428@@ -2,6 +2,9 @@
11429 * Copyright (C) 1991, 1992 Linus Torvalds
11430 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11431 */
11432+#ifdef CONFIG_GRKERNSEC_HIDESYM
11433+#define __INCLUDED_BY_HIDESYM 1
11434+#endif
11435 #include <linux/kallsyms.h>
11436 #include <linux/kprobes.h>
11437 #include <linux/uaccess.h>
11438@@ -35,9 +38,8 @@ void printk_address(unsigned long addres
11439 static void
11440 print_ftrace_graph_addr(unsigned long addr, void *data,
11441 const struct stacktrace_ops *ops,
11442- struct thread_info *tinfo, int *graph)
11443+ struct task_struct *task, int *graph)
11444 {
11445- struct task_struct *task = tinfo->task;
11446 unsigned long ret_addr;
11447 int index = task->curr_ret_stack;
11448
11449@@ -58,7 +60,7 @@ print_ftrace_graph_addr(unsigned long ad
11450 static inline void
11451 print_ftrace_graph_addr(unsigned long addr, void *data,
11452 const struct stacktrace_ops *ops,
11453- struct thread_info *tinfo, int *graph)
11454+ struct task_struct *task, int *graph)
11455 { }
11456 #endif
11457
11458@@ -69,10 +71,8 @@ print_ftrace_graph_addr(unsigned long ad
11459 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
11460 */
11461
11462-static inline int valid_stack_ptr(struct thread_info *tinfo,
11463- void *p, unsigned int size, void *end)
11464+static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
11465 {
11466- void *t = tinfo;
11467 if (end) {
11468 if (p < end && p >= (end-THREAD_SIZE))
11469 return 1;
11470@@ -83,14 +83,14 @@ static inline int valid_stack_ptr(struct
11471 }
11472
11473 unsigned long
11474-print_context_stack(struct thread_info *tinfo,
11475+print_context_stack(struct task_struct *task, void *stack_start,
11476 unsigned long *stack, unsigned long bp,
11477 const struct stacktrace_ops *ops, void *data,
11478 unsigned long *end, int *graph)
11479 {
11480 struct stack_frame *frame = (struct stack_frame *)bp;
11481
11482- while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
11483+ while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
11484 unsigned long addr;
11485
11486 addr = *stack;
11487@@ -102,7 +102,7 @@ print_context_stack(struct thread_info *
11488 } else {
11489 ops->address(data, addr, 0);
11490 }
11491- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11492+ print_ftrace_graph_addr(addr, data, ops, task, graph);
11493 }
11494 stack++;
11495 }
11496@@ -111,7 +111,7 @@ print_context_stack(struct thread_info *
11497 EXPORT_SYMBOL_GPL(print_context_stack);
11498
11499 unsigned long
11500-print_context_stack_bp(struct thread_info *tinfo,
11501+print_context_stack_bp(struct task_struct *task, void *stack_start,
11502 unsigned long *stack, unsigned long bp,
11503 const struct stacktrace_ops *ops, void *data,
11504 unsigned long *end, int *graph)
11505@@ -119,7 +119,7 @@ print_context_stack_bp(struct thread_inf
11506 struct stack_frame *frame = (struct stack_frame *)bp;
11507 unsigned long *ret_addr = &frame->return_address;
11508
11509- while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
11510+ while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
11511 unsigned long addr = *ret_addr;
11512
11513 if (!__kernel_text_address(addr))
11514@@ -128,7 +128,7 @@ print_context_stack_bp(struct thread_inf
11515 ops->address(data, addr, 1);
11516 frame = frame->next_frame;
11517 ret_addr = &frame->return_address;
11518- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
11519+ print_ftrace_graph_addr(addr, data, ops, task, graph);
11520 }
11521
11522 return (unsigned long)frame;
11523@@ -186,7 +186,7 @@ void dump_stack(void)
11524
11525 bp = stack_frame(current, NULL);
11526 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
11527- current->pid, current->comm, print_tainted(),
11528+ task_pid_nr(current), current->comm, print_tainted(),
11529 init_utsname()->release,
11530 (int)strcspn(init_utsname()->version, " "),
11531 init_utsname()->version);
11532@@ -222,6 +222,8 @@ unsigned __kprobes long oops_begin(void)
11533 }
11534 EXPORT_SYMBOL_GPL(oops_begin);
11535
11536+extern void gr_handle_kernel_exploit(void);
11537+
11538 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
11539 {
11540 if (regs && kexec_should_crash(current))
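Review bot: `extern void gr_handle_kernel_exploit(void);` is a local prototype in a .c file, which bypasses the check that declaration and definition agree that a shared header would give. Move the prototype into the header the other grsecurity hooks are declared in and include that here. If other call sites in the patch use the same local-extern pattern they should go the same way; only this one is visible here.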
11541@@ -243,7 +245,10 @@ void __kprobes oops_end(unsigned long fl
11542 panic("Fatal exception in interrupt");
11543 if (panic_on_oops)
11544 panic("Fatal exception");
11545- do_exit(signr);
11546+
11547+ gr_handle_kernel_exploit();
11548+
11549+ do_group_exit(signr);
11550 }
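Review bot: `do_group_exit(signr)` in place of `do_exit(signr)` takes down the whole thread group of the task that oopsed, and `gr_handle_kernel_exploit()` now runs unconditionally before it; neither change gets a comment. A short one, e.g. `/* an oops in one thread leaves the whole process in an unknown state: kill the group, not just the thread */`, plus a line on what `gr_handle_kernel_exploit()` is expected to do to the task (it is opaque here), would make the intent reviewable. `oops_end()` starts outside the hunk.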
11551
11552 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
11553@@ -269,7 +274,7 @@ int __kprobes __die(const char *str, str
11554
11555 show_registers(regs);
11556 #ifdef CONFIG_X86_32
11557- if (user_mode_vm(regs)) {
11558+ if (user_mode(regs)) {
11559 sp = regs->sp;
11560 ss = regs->ss & 0xffff;
11561 } else {
11562@@ -297,7 +302,7 @@ void die(const char *str, struct pt_regs
11563 unsigned long flags = oops_begin();
11564 int sig = SIGSEGV;
11565
11566- if (!user_mode_vm(regs))
11567+ if (!user_mode(regs))
11568 report_bug(regs->ip, regs);
11569
11570 if (__die(str, regs, err))
11571diff -urNp linux-3.1.1/arch/x86/kernel/early_printk.c linux-3.1.1/arch/x86/kernel/early_printk.c
11572--- linux-3.1.1/arch/x86/kernel/early_printk.c 2011-11-11 15:19:27.000000000 -0500
11573+++ linux-3.1.1/arch/x86/kernel/early_printk.c 2011-11-16 18:40:08.000000000 -0500
11574@@ -7,6 +7,7 @@
11575 #include <linux/pci_regs.h>
11576 #include <linux/pci_ids.h>
11577 #include <linux/errno.h>
11578+#include <linux/sched.h>
11579 #include <asm/io.h>
11580 #include <asm/processor.h>
11581 #include <asm/fcntl.h>
11582@@ -179,6 +180,8 @@ asmlinkage void early_printk(const char
11583 int n;
11584 va_list ap;
11585
11586+ pax_track_stack();
11587+
11588 va_start(ap, fmt);
11589 n = vscnprintf(buf, sizeof(buf), fmt, ap);
11590 early_console->write(early_console, buf, n);
11591diff -urNp linux-3.1.1/arch/x86/kernel/entry_32.S linux-3.1.1/arch/x86/kernel/entry_32.S
11592--- linux-3.1.1/arch/x86/kernel/entry_32.S 2011-11-11 15:19:27.000000000 -0500
11593+++ linux-3.1.1/arch/x86/kernel/entry_32.S 2011-11-16 18:40:08.000000000 -0500
11594@@ -186,13 +186,146 @@
11595 /*CFI_REL_OFFSET gs, PT_GS*/
11596 .endm
11597 .macro SET_KERNEL_GS reg
11598+
11599+#ifdef CONFIG_CC_STACKPROTECTOR
11600 movl $(__KERNEL_STACK_CANARY), \reg
11601+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
11602+ movl $(__USER_DS), \reg
11603+#else
11604+ xorl \reg, \reg
11605+#endif
11606+
11607 movl \reg, %gs
11608 .endm
11609
11610 #endif /* CONFIG_X86_32_LAZY_GS */
11611
11612-.macro SAVE_ALL
11613+.macro pax_enter_kernel
11614+#ifdef CONFIG_PAX_KERNEXEC
11615+ call pax_enter_kernel
11616+#endif
11617+.endm
11618+
11619+.macro pax_exit_kernel
11620+#ifdef CONFIG_PAX_KERNEXEC
11621+ call pax_exit_kernel
11622+#endif
11623+.endm
11624+
11625+#ifdef CONFIG_PAX_KERNEXEC
11626+ENTRY(pax_enter_kernel)
11627+#ifdef CONFIG_PARAVIRT
11628+ pushl %eax
11629+ pushl %ecx
11630+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11631+ mov %eax, %esi
11632+#else
11633+ mov %cr0, %esi
11634+#endif
11635+ bts $16, %esi
11636+ jnc 1f
11637+ mov %cs, %esi
11638+ cmp $__KERNEL_CS, %esi
11639+ jz 3f
11640+ ljmp $__KERNEL_CS, $3f
11641+1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11642+2:
11643+#ifdef CONFIG_PARAVIRT
11644+ mov %esi, %eax
11645+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11646+#else
11647+ mov %esi, %cr0
11648+#endif
11649+3:
11650+#ifdef CONFIG_PARAVIRT
11651+ popl %ecx
11652+ popl %eax
11653+#endif
11654+ ret
11655+ENDPROC(pax_enter_kernel)
11656+
11657+ENTRY(pax_exit_kernel)
11658+#ifdef CONFIG_PARAVIRT
11659+ pushl %eax
11660+ pushl %ecx
11661+#endif
11662+ mov %cs, %esi
11663+ cmp $__KERNEXEC_KERNEL_CS, %esi
11664+ jnz 2f
11665+#ifdef CONFIG_PARAVIRT
11666+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11667+ mov %eax, %esi
11668+#else
11669+ mov %cr0, %esi
11670+#endif
11671+ btr $16, %esi
11672+ ljmp $__KERNEL_CS, $1f
11673+1:
11674+#ifdef CONFIG_PARAVIRT
11675+ mov %esi, %eax
11676+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11677+#else
11678+ mov %esi, %cr0
11679+#endif
11680+2:
11681+#ifdef CONFIG_PARAVIRT
11682+ popl %ecx
11683+ popl %eax
11684+#endif
11685+ ret
11686+ENDPROC(pax_exit_kernel)
11687+#endif
11688+
11689+.macro pax_erase_kstack
11690+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11691+ call pax_erase_kstack
11692+#endif
11693+.endm
11694+
11695+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
11696+/*
11697+ * ebp: thread_info
11698+ * ecx, edx: can be clobbered
11699+ */
11700+ENTRY(pax_erase_kstack)
11701+ pushl %edi
11702+ pushl %eax
11703+
11704+ mov TI_lowest_stack(%ebp), %edi
11705+ mov $-0xBEEF, %eax
11706+ std
11707+
11708+1: mov %edi, %ecx
11709+ and $THREAD_SIZE_asm - 1, %ecx
11710+ shr $2, %ecx
11711+ repne scasl
11712+ jecxz 2f
11713+
11714+ cmp $2*16, %ecx
11715+ jc 2f
11716+
11717+ mov $2*16, %ecx
11718+ repe scasl
11719+ jecxz 2f
11720+ jne 1b
11721+
11722+2: cld
11723+ mov %esp, %ecx
11724+ sub %edi, %ecx
11725+ shr $2, %ecx
11726+ rep stosl
11727+
11728+ mov TI_task_thread_sp0(%ebp), %edi
11729+ sub $128, %edi
11730+ mov %edi, TI_lowest_stack(%ebp)
11731+
11732+ popl %eax
11733+ popl %edi
11734+ ret
11735+ENDPROC(pax_erase_kstack)
11736+#endif
11737+
11738+.macro __SAVE_ALL _DS
11739 cld
11740 PUSH_GS
11741 pushl_cfi %fs
11742@@ -215,7 +348,7 @@
11743 CFI_REL_OFFSET ecx, 0
11744 pushl_cfi %ebx
11745 CFI_REL_OFFSET ebx, 0
11746- movl $(__USER_DS), %edx
11747+ movl $\_DS, %edx
11748 movl %edx, %ds
11749 movl %edx, %es
11750 movl $(__KERNEL_PERCPU), %edx
11751@@ -223,6 +356,15 @@
11752 SET_KERNEL_GS %edx
11753 .endm
11754
11755+.macro SAVE_ALL
11756+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11757+ __SAVE_ALL __KERNEL_DS
11758+ pax_enter_kernel
11759+#else
11760+ __SAVE_ALL __USER_DS
11761+#endif
11762+.endm
11763+
11764 .macro RESTORE_INT_REGS
11765 popl_cfi %ebx
11766 CFI_RESTORE ebx
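Review bot: The new SAVE_ALL macro switches %ds/%es to __KERNEL_DS whenever any of the four listed PaX options is set, but nothing in the macro says why the kernel's data segment changes on entry; the same unexplained switch appears in the error_code hunk (`movl $(__KERNEL_DS), %ecx`). A one-line comment above `__SAVE_ALL __KERNEL_DS`, e.g. `/* PaX: run the kernel with its own data segment; presumably so the UDEREF/SEGMEXEC segment limits apply to in-kernel accesses — confirm */`, would tell the next reader what the four options have in common and why __USER_DS is kept for the plain configuration. The `__SAVE_ALL _DS` body this wraps begins before this hunk.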
11767@@ -308,7 +450,7 @@ ENTRY(ret_from_fork)
11768 popfl_cfi
11769 jmp syscall_exit
11770 CFI_ENDPROC
11771-END(ret_from_fork)
11772+ENDPROC(ret_from_fork)
11773
11774 /*
11775 * Interrupt exit functions should be protected against kprobes
11776@@ -333,7 +475,15 @@ check_userspace:
11777 movb PT_CS(%esp), %al
11778 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11779 cmpl $USER_RPL, %eax
11780+
11781+#ifdef CONFIG_PAX_KERNEXEC
11782+ jae resume_userspace
11783+
11784+ PAX_EXIT_KERNEL
11785+ jmp resume_kernel
11786+#else
11787 jb resume_kernel # not returning to v8086 or userspace
11788+#endif
11789
11790 ENTRY(resume_userspace)
11791 LOCKDEP_SYS_EXIT
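Review bot: The KERNEXEC branch in check_userspace invokes the macro as `PAX_EXIT_KERNEL`, while every other call site in this patch spells it `pax_exit_kernel` (the nmi hunks and the 64-bit file). As far as I recall gas lower-cases macro names on lookup, so this probably assembles, but it reads as a different symbol and a grep for the macro misses it; suggest `pax_exit_kernel` here for consistency. The enclosing ret_from_exception block begins before this hunk.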
11792@@ -345,8 +495,8 @@ ENTRY(resume_userspace)
11793 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
11794 # int/exception return?
11795 jne work_pending
11796- jmp restore_all
11797-END(ret_from_exception)
11798+ jmp restore_all_pax
11799+ENDPROC(ret_from_exception)
11800
11801 #ifdef CONFIG_PREEMPT
11802 ENTRY(resume_kernel)
11803@@ -361,7 +511,7 @@ need_resched:
11804 jz restore_all
11805 call preempt_schedule_irq
11806 jmp need_resched
11807-END(resume_kernel)
11808+ENDPROC(resume_kernel)
11809 #endif
11810 CFI_ENDPROC
11811 /*
11812@@ -395,23 +545,34 @@ sysenter_past_esp:
11813 /*CFI_REL_OFFSET cs, 0*/
11814 /*
11815 * Push current_thread_info()->sysenter_return to the stack.
11816- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11817- * pushed above; +8 corresponds to copy_thread's esp0 setting.
11818 */
11819- pushl_cfi ((TI_sysenter_return)-THREAD_SIZE+8+4*4)(%esp)
11820+ pushl_cfi $0
11821 CFI_REL_OFFSET eip, 0
11822
11823 pushl_cfi %eax
11824 SAVE_ALL
11825+ GET_THREAD_INFO(%ebp)
11826+ movl TI_sysenter_return(%ebp),%ebp
11827+ movl %ebp,PT_EIP(%esp)
11828 ENABLE_INTERRUPTS(CLBR_NONE)
11829
11830 /*
11831 * Load the potential sixth argument from user stack.
11832 * Careful about security.
11833 */
11834+ movl PT_OLDESP(%esp),%ebp
11835+
11836+#ifdef CONFIG_PAX_MEMORY_UDEREF
11837+ mov PT_OLDSS(%esp),%ds
11838+1: movl %ds:(%ebp),%ebp
11839+ push %ss
11840+ pop %ds
11841+#else
11842 cmpl $__PAGE_OFFSET-3,%ebp
11843 jae syscall_fault
11844 1: movl (%ebp),%ebp
11845+#endif
11846+
11847 movl %ebp,PT_EBP(%esp)
11848 .section __ex_table,"a"
11849 .align 4
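Review bot: The UDEREF path that loads the sixth argument through `%ds:(%ebp)` with %ds taken from PT_OLDSS replaces the `cmpl $__PAGE_OFFSET-3` range check, but the surviving comment `Careful about security.` no longer says what the safety argument is; presumably the user stack-segment limit now bounds the access and a fault goes to syscall_fault through the `1b` exception-table entry, where the syscall_fault hunk (`push %ss; pop %ds`) restores the kernel %ds. Suggest replacing that comment with `/* UDEREF: load through the user %ss descriptor so its limit bounds the access; a fault lands in syscall_fault, which restores %ds */` once the author confirms the limit argument. The `pushl_cfi $0` placeholder that `movl %ebp,PT_EIP(%esp)` later overwrites also deserves a line such as `/* placeholder; the real sysenter_return is stored into PT_EIP once thread_info is reachable */`, since the old explanatory comment was deleted. sysenter_past_esp continues beyond this hunk.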
11850@@ -434,12 +595,24 @@ sysenter_do_call:
11851 testl $_TIF_ALLWORK_MASK, %ecx
11852 jne sysexit_audit
11853 sysenter_exit:
11854+
11855+#ifdef CONFIG_PAX_RANDKSTACK
11856+ pushl_cfi %eax
11857+ movl %esp, %eax
11858+ call pax_randomize_kstack
11859+ popl_cfi %eax
11860+#endif
11861+
11862+ pax_erase_kstack
11863+
11864 /* if something modifies registers it must also disable sysexit */
11865 movl PT_EIP(%esp), %edx
11866 movl PT_OLDESP(%esp), %ecx
11867 xorl %ebp,%ebp
11868 TRACE_IRQS_ON
11869 1: mov PT_FS(%esp), %fs
11870+2: mov PT_DS(%esp), %ds
11871+3: mov PT_ES(%esp), %es
11872 PTGS_TO_GS
11873 ENABLE_INTERRUPTS_SYSEXIT
11874
11875@@ -456,6 +629,9 @@ sysenter_audit:
11876 movl %eax,%edx /* 2nd arg: syscall number */
11877 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
11878 call audit_syscall_entry
11879+
11880+ pax_erase_kstack
11881+
11882 pushl_cfi %ebx
11883 movl PT_EAX(%esp),%eax /* reload syscall number */
11884 jmp sysenter_do_call
11885@@ -482,11 +658,17 @@ sysexit_audit:
11886
11887 CFI_ENDPROC
11888 .pushsection .fixup,"ax"
11889-2: movl $0,PT_FS(%esp)
11890+4: movl $0,PT_FS(%esp)
11891+ jmp 1b
11892+5: movl $0,PT_DS(%esp)
11893+ jmp 1b
11894+6: movl $0,PT_ES(%esp)
11895 jmp 1b
11896 .section __ex_table,"a"
11897 .align 4
11898- .long 1b,2b
11899+ .long 1b,4b
11900+ .long 2b,5b
11901+ .long 3b,6b
11902 .popsection
11903 PTGS_TO_GS_EX
11904 ENDPROC(ia32_sysenter_target)
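Review bot: The new fixups `5:` and `6:` for the %ds/%es reloads jump back to `1b`, i.e. they re-execute the `mov PT_FS(%esp), %fs` and `2:` loads instead of resuming at the instruction that faulted; this is harmless (the earlier loads now succeed or are already zeroed) but not obvious, and the labels 1/2/3 they pair with live in the sysenter_exit hunk. Either resume directly (`jmp 2b` after `5:`, `jmp 3b` after `6:`) or add `/* restart from the %fs load; a later segment fixup re-runs the earlier, already-fixed ones */`. This assumes `1b` still resolves to the `1:` at sysenter_exit, as the original single fixup did.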
11905@@ -519,6 +701,15 @@ syscall_exit:
11906 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11907 jne syscall_exit_work
11908
11909+restore_all_pax:
11910+
11911+#ifdef CONFIG_PAX_RANDKSTACK
11912+ movl %esp, %eax
11913+ call pax_randomize_kstack
11914+#endif
11915+
11916+ pax_erase_kstack
11917+
11918 restore_all:
11919 TRACE_IRQS_IRET
11920 restore_all_notrace:
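Review bot: The RANDKSTACK call at the new restore_all_pax label passes `%esp` in %eax without saving %eax, whereas the sysenter_exit hunk wraps the same call in `pushl_cfi %eax`/`popl_cfi %eax`; the difference is presumably that restore_all reloads every register from pt_regs afterwards, while the sysexit path keeps %eax live as the return value. Worth stating so nobody "fixes" one site to match the other, e.g. `/* %eax is dead here: restore_all reloads it from pt_regs */`. A line above the label noting that kernel-to-kernel returns must keep using restore_all (resume_kernel still does) would also help, since only the user-bound paths were redirected to restore_all_pax. The restore_all code continues past this hunk.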
11921@@ -578,14 +769,34 @@ ldt_ss:
11922 * compensating for the offset by changing to the ESPFIX segment with
11923 * a base address that matches for the difference.
11924 */
11925-#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11926+#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11927 mov %esp, %edx /* load kernel esp */
11928 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11929 mov %dx, %ax /* eax: new kernel esp */
11930 sub %eax, %edx /* offset (low word is 0) */
11931+#ifdef CONFIG_SMP
11932+ movl PER_CPU_VAR(cpu_number), %ebx
11933+ shll $PAGE_SHIFT_asm, %ebx
11934+ addl $cpu_gdt_table, %ebx
11935+#else
11936+ movl $cpu_gdt_table, %ebx
11937+#endif
11938 shr $16, %edx
11939- mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11940- mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11941+
11942+#ifdef CONFIG_PAX_KERNEXEC
11943+ mov %cr0, %esi
11944+ btr $16, %esi
11945+ mov %esi, %cr0
11946+#endif
11947+
11948+ mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11949+ mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11950+
11951+#ifdef CONFIG_PAX_KERNEXEC
11952+ bts $16, %esi
11953+ mov %esi, %cr0
11954+#endif
11955+
11956 pushl_cfi $__ESPFIX_SS
11957 pushl_cfi %eax /* new kernel esp */
11958 /* Disable interrupts, but do not irqtrace this section: we
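Review bot: The KERNEXEC write-enable around the GDT patch in ldt_ss uses raw `mov %cr0, %esi` / `mov %esi, %cr0`, while this patch's own pax_enter_kernel/pax_exit_kernel go through `PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0/write_cr0)` under CONFIG_PARAVIRT; either route these accesses through the same helpers or note why a direct CR0 access is acceptable here. The window with WP cleared also opens before the `DISABLE_INTERRUPTS` that follows, so an interrupt can arrive with WP clear; if the interrupt entry/exit path restores CR0 that is fine, but a comment saying so would help. The per-CPU GDT lookup into %ebx (`movl PER_CPU_VAR(cpu_number), %ebx` … `addl $cpu_gdt_table, %ebx`) is duplicated verbatim in the FIXUP_ESPFIX_STACK hunk; a small macro would keep the two in sync. ldt_ss continues beyond this hunk, and the new %ebx/%esi clobbers rely on the later RESTORE_REGS — worth a clobber comment.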
11959@@ -614,34 +825,28 @@ work_resched:
11960 movl TI_flags(%ebp), %ecx
11961 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
11962 # than syscall tracing?
11963- jz restore_all
11964+ jz restore_all_pax
11965 testb $_TIF_NEED_RESCHED, %cl
11966 jnz work_resched
11967
11968 work_notifysig: # deal with pending signals and
11969 # notify-resume requests
11970+ movl %esp, %eax
11971 #ifdef CONFIG_VM86
11972 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11973- movl %esp, %eax
11974- jne work_notifysig_v86 # returning to kernel-space or
11975+ jz 1f # returning to kernel-space or
11976 # vm86-space
11977- xorl %edx, %edx
11978- call do_notify_resume
11979- jmp resume_userspace_sig
11980
11981- ALIGN
11982-work_notifysig_v86:
11983 pushl_cfi %ecx # save ti_flags for do_notify_resume
11984 call save_v86_state # %eax contains pt_regs pointer
11985 popl_cfi %ecx
11986 movl %eax, %esp
11987-#else
11988- movl %esp, %eax
11989+1:
11990 #endif
11991 xorl %edx, %edx
11992 call do_notify_resume
11993 jmp resume_userspace_sig
11994-END(work_pending)
11995+ENDPROC(work_pending)
11996
11997 # perform syscall exit tracing
11998 ALIGN
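Review bot: After the restructuring the comment `# returning to kernel-space or vm86-space` now sits on `jz 1f`, but that branch is taken when X86_EFLAGS_VM is clear, i.e. when we are not returning to vm86 — the text described the old `jne work_notifysig_v86` and now says the opposite of what the branch tests. Suggest `jz 1f # not a vm86 frame: no save_v86_state needed` and dropping the dangling `# vm86-space` continuation line. Hoisting `movl %esp, %eax` above the `#ifdef` is a good dedup. work_pending begins before this hunk.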
11999@@ -649,11 +854,14 @@ syscall_trace_entry:
12000 movl $-ENOSYS,PT_EAX(%esp)
12001 movl %esp, %eax
12002 call syscall_trace_enter
12003+
12004+ pax_erase_kstack
12005+
12006 /* What it returned is what we'll actually use. */
12007 cmpl $(nr_syscalls), %eax
12008 jnae syscall_call
12009 jmp syscall_exit
12010-END(syscall_trace_entry)
12011+ENDPROC(syscall_trace_entry)
12012
12013 # perform syscall exit tracing
12014 ALIGN
12015@@ -666,20 +874,24 @@ syscall_exit_work:
12016 movl %esp, %eax
12017 call syscall_trace_leave
12018 jmp resume_userspace
12019-END(syscall_exit_work)
12020+ENDPROC(syscall_exit_work)
12021 CFI_ENDPROC
12022
12023 RING0_INT_FRAME # can't unwind into user space anyway
12024 syscall_fault:
12025+#ifdef CONFIG_PAX_MEMORY_UDEREF
12026+ push %ss
12027+ pop %ds
12028+#endif
12029 GET_THREAD_INFO(%ebp)
12030 movl $-EFAULT,PT_EAX(%esp)
12031 jmp resume_userspace
12032-END(syscall_fault)
12033+ENDPROC(syscall_fault)
12034
12035 syscall_badsys:
12036 movl $-ENOSYS,PT_EAX(%esp)
12037 jmp resume_userspace
12038-END(syscall_badsys)
12039+ENDPROC(syscall_badsys)
12040 CFI_ENDPROC
12041 /*
12042 * End of kprobes section
12043@@ -753,6 +965,36 @@ ptregs_clone:
12044 CFI_ENDPROC
12045 ENDPROC(ptregs_clone)
12046
12047+ ALIGN;
12048+ENTRY(kernel_execve)
12049+ CFI_STARTPROC
12050+ pushl_cfi %ebp
12051+ sub $PT_OLDSS+4,%esp
12052+ pushl_cfi %edi
12053+ pushl_cfi %ecx
12054+ pushl_cfi %eax
12055+ lea 3*4(%esp),%edi
12056+ mov $PT_OLDSS/4+1,%ecx
12057+ xorl %eax,%eax
12058+ rep stosl
12059+ popl_cfi %eax
12060+ popl_cfi %ecx
12061+ popl_cfi %edi
12062+ movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
12063+ pushl_cfi %esp
12064+ call sys_execve
12065+ add $4,%esp
12066+ CFI_ADJUST_CFA_OFFSET -4
12067+ GET_THREAD_INFO(%ebp)
12068+ test %eax,%eax
12069+ jz syscall_exit
12070+ add $PT_OLDSS+4,%esp
12071+ CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
12072+ popl_cfi %ebp
12073+ ret
12074+ CFI_ENDPROC
12075+ENDPROC(kernel_execve)
12076+
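Review bot: In the new kernel_execve, `sub $PT_OLDSS+4,%esp` carries no `CFI_ADJUST_CFA_OFFSET PT_OLDSS+4`, yet the matching `add $PT_OLDSS+4,%esp` on the error path is annotated with `CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4`, so the unwind info is off by the frame size for the whole body and goes negative after the add; add `CFI_ADJUST_CFA_OFFSET PT_OLDSS+4` right after the sub. The routine also relies on an unstated convention: only %eax and %ecx are saved around `rep stosl` while %edx is left untouched, which only works if the three arguments arrive in registers and are passed through unchanged to sys_execve together with the pushed pt_regs pointer — a header comment spelling out that register contract and that a successful sys_execve never returns here (`jz syscall_exit` into the freshly built frame) would help the next reader. Please confirm that convention against the C declarations of kernel_execve and sys_execve, which are outside this excerpt.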
12077 .macro FIXUP_ESPFIX_STACK
12078 /*
12079 * Switch back for ESPFIX stack to the normal zerobased stack
12080@@ -762,8 +1004,15 @@ ENDPROC(ptregs_clone)
12081 * normal stack and adjusts ESP with the matching offset.
12082 */
12083 /* fixup the stack */
12084- mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
12085- mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
12086+#ifdef CONFIG_SMP
12087+ movl PER_CPU_VAR(cpu_number), %ebx
12088+ shll $PAGE_SHIFT_asm, %ebx
12089+ addl $cpu_gdt_table, %ebx
12090+#else
12091+ movl $cpu_gdt_table, %ebx
12092+#endif
12093+ mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
12094+ mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
12095 shl $16, %eax
12096 addl %esp, %eax /* the adjusted stack pointer */
12097 pushl_cfi $__KERNEL_DS
12098@@ -816,7 +1065,7 @@ vector=vector+1
12099 .endr
12100 2: jmp common_interrupt
12101 .endr
12102-END(irq_entries_start)
12103+ENDPROC(irq_entries_start)
12104
12105 .previous
12106 END(interrupt)
12107@@ -864,7 +1113,7 @@ ENTRY(coprocessor_error)
12108 pushl_cfi $do_coprocessor_error
12109 jmp error_code
12110 CFI_ENDPROC
12111-END(coprocessor_error)
12112+ENDPROC(coprocessor_error)
12113
12114 ENTRY(simd_coprocessor_error)
12115 RING0_INT_FRAME
12116@@ -885,7 +1134,7 @@ ENTRY(simd_coprocessor_error)
12117 #endif
12118 jmp error_code
12119 CFI_ENDPROC
12120-END(simd_coprocessor_error)
12121+ENDPROC(simd_coprocessor_error)
12122
12123 ENTRY(device_not_available)
12124 RING0_INT_FRAME
12125@@ -893,7 +1142,7 @@ ENTRY(device_not_available)
12126 pushl_cfi $do_device_not_available
12127 jmp error_code
12128 CFI_ENDPROC
12129-END(device_not_available)
12130+ENDPROC(device_not_available)
12131
12132 #ifdef CONFIG_PARAVIRT
12133 ENTRY(native_iret)
12134@@ -902,12 +1151,12 @@ ENTRY(native_iret)
12135 .align 4
12136 .long native_iret, iret_exc
12137 .previous
12138-END(native_iret)
12139+ENDPROC(native_iret)
12140
12141 ENTRY(native_irq_enable_sysexit)
12142 sti
12143 sysexit
12144-END(native_irq_enable_sysexit)
12145+ENDPROC(native_irq_enable_sysexit)
12146 #endif
12147
12148 ENTRY(overflow)
12149@@ -916,7 +1165,7 @@ ENTRY(overflow)
12150 pushl_cfi $do_overflow
12151 jmp error_code
12152 CFI_ENDPROC
12153-END(overflow)
12154+ENDPROC(overflow)
12155
12156 ENTRY(bounds)
12157 RING0_INT_FRAME
12158@@ -924,7 +1173,7 @@ ENTRY(bounds)
12159 pushl_cfi $do_bounds
12160 jmp error_code
12161 CFI_ENDPROC
12162-END(bounds)
12163+ENDPROC(bounds)
12164
12165 ENTRY(invalid_op)
12166 RING0_INT_FRAME
12167@@ -932,7 +1181,7 @@ ENTRY(invalid_op)
12168 pushl_cfi $do_invalid_op
12169 jmp error_code
12170 CFI_ENDPROC
12171-END(invalid_op)
12172+ENDPROC(invalid_op)
12173
12174 ENTRY(coprocessor_segment_overrun)
12175 RING0_INT_FRAME
12176@@ -940,35 +1189,35 @@ ENTRY(coprocessor_segment_overrun)
12177 pushl_cfi $do_coprocessor_segment_overrun
12178 jmp error_code
12179 CFI_ENDPROC
12180-END(coprocessor_segment_overrun)
12181+ENDPROC(coprocessor_segment_overrun)
12182
12183 ENTRY(invalid_TSS)
12184 RING0_EC_FRAME
12185 pushl_cfi $do_invalid_TSS
12186 jmp error_code
12187 CFI_ENDPROC
12188-END(invalid_TSS)
12189+ENDPROC(invalid_TSS)
12190
12191 ENTRY(segment_not_present)
12192 RING0_EC_FRAME
12193 pushl_cfi $do_segment_not_present
12194 jmp error_code
12195 CFI_ENDPROC
12196-END(segment_not_present)
12197+ENDPROC(segment_not_present)
12198
12199 ENTRY(stack_segment)
12200 RING0_EC_FRAME
12201 pushl_cfi $do_stack_segment
12202 jmp error_code
12203 CFI_ENDPROC
12204-END(stack_segment)
12205+ENDPROC(stack_segment)
12206
12207 ENTRY(alignment_check)
12208 RING0_EC_FRAME
12209 pushl_cfi $do_alignment_check
12210 jmp error_code
12211 CFI_ENDPROC
12212-END(alignment_check)
12213+ENDPROC(alignment_check)
12214
12215 ENTRY(divide_error)
12216 RING0_INT_FRAME
12217@@ -976,7 +1225,7 @@ ENTRY(divide_error)
12218 pushl_cfi $do_divide_error
12219 jmp error_code
12220 CFI_ENDPROC
12221-END(divide_error)
12222+ENDPROC(divide_error)
12223
12224 #ifdef CONFIG_X86_MCE
12225 ENTRY(machine_check)
12226@@ -985,7 +1234,7 @@ ENTRY(machine_check)
12227 pushl_cfi machine_check_vector
12228 jmp error_code
12229 CFI_ENDPROC
12230-END(machine_check)
12231+ENDPROC(machine_check)
12232 #endif
12233
12234 ENTRY(spurious_interrupt_bug)
12235@@ -994,7 +1243,7 @@ ENTRY(spurious_interrupt_bug)
12236 pushl_cfi $do_spurious_interrupt_bug
12237 jmp error_code
12238 CFI_ENDPROC
12239-END(spurious_interrupt_bug)
12240+ENDPROC(spurious_interrupt_bug)
12241 /*
12242 * End of kprobes section
12243 */
12244@@ -1109,7 +1358,7 @@ BUILD_INTERRUPT3(xen_hvm_callback_vector
12245
12246 ENTRY(mcount)
12247 ret
12248-END(mcount)
12249+ENDPROC(mcount)
12250
12251 ENTRY(ftrace_caller)
12252 cmpl $0, function_trace_stop
12253@@ -1138,7 +1387,7 @@ ftrace_graph_call:
12254 .globl ftrace_stub
12255 ftrace_stub:
12256 ret
12257-END(ftrace_caller)
12258+ENDPROC(ftrace_caller)
12259
12260 #else /* ! CONFIG_DYNAMIC_FTRACE */
12261
12262@@ -1174,7 +1423,7 @@ trace:
12263 popl %ecx
12264 popl %eax
12265 jmp ftrace_stub
12266-END(mcount)
12267+ENDPROC(mcount)
12268 #endif /* CONFIG_DYNAMIC_FTRACE */
12269 #endif /* CONFIG_FUNCTION_TRACER */
12270
12271@@ -1195,7 +1444,7 @@ ENTRY(ftrace_graph_caller)
12272 popl %ecx
12273 popl %eax
12274 ret
12275-END(ftrace_graph_caller)
12276+ENDPROC(ftrace_graph_caller)
12277
12278 .globl return_to_handler
12279 return_to_handler:
12280@@ -1209,7 +1458,6 @@ return_to_handler:
12281 jmp *%ecx
12282 #endif
12283
12284-.section .rodata,"a"
12285 #include "syscall_table_32.S"
12286
12287 syscall_table_size=(.-sys_call_table)
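Review bot: Dropping `.section .rodata,"a"` in front of `#include "syscall_table_32.S"` leaves sys_call_table in whatever section is current at that point (the preceding return_to_handler code) unless syscall_table_32.S now selects its own section; that file is not in this excerpt, so please confirm it does, otherwise the table lands in .text. A one-line comment here, e.g. `/* syscall_table_32.S places the table in its own section */`, would document the dependency. return_to_handler begins before this hunk.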
12288@@ -1255,15 +1503,18 @@ error_code:
12289 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
12290 REG_TO_PTGS %ecx
12291 SET_KERNEL_GS %ecx
12292- movl $(__USER_DS), %ecx
12293+ movl $(__KERNEL_DS), %ecx
12294 movl %ecx, %ds
12295 movl %ecx, %es
12296+
12297+ pax_enter_kernel
12298+
12299 TRACE_IRQS_OFF
12300 movl %esp,%eax # pt_regs pointer
12301 call *%edi
12302 jmp ret_from_exception
12303 CFI_ENDPROC
12304-END(page_fault)
12305+ENDPROC(page_fault)
12306
12307 /*
12308 * Debug traps and NMI can happen at the one SYSENTER instruction
12309@@ -1305,7 +1556,7 @@ debug_stack_correct:
12310 call do_debug
12311 jmp ret_from_exception
12312 CFI_ENDPROC
12313-END(debug)
12314+ENDPROC(debug)
12315
12316 /*
12317 * NMI is doubly nasty. It can happen _while_ we're handling
12318@@ -1342,6 +1593,9 @@ nmi_stack_correct:
12319 xorl %edx,%edx # zero error code
12320 movl %esp,%eax # pt_regs pointer
12321 call do_nmi
12322+
12323+ pax_exit_kernel
12324+
12325 jmp restore_all_notrace
12326 CFI_ENDPROC
12327
12328@@ -1378,12 +1632,15 @@ nmi_espfix_stack:
12329 FIXUP_ESPFIX_STACK # %eax == %esp
12330 xorl %edx,%edx # zero error code
12331 call do_nmi
12332+
12333+ pax_exit_kernel
12334+
12335 RESTORE_REGS
12336 lss 12+4(%esp), %esp # back to espfix stack
12337 CFI_ADJUST_CFA_OFFSET -24
12338 jmp irq_return
12339 CFI_ENDPROC
12340-END(nmi)
12341+ENDPROC(nmi)
12342
12343 ENTRY(int3)
12344 RING0_INT_FRAME
12345@@ -1395,14 +1652,14 @@ ENTRY(int3)
12346 call do_int3
12347 jmp ret_from_exception
12348 CFI_ENDPROC
12349-END(int3)
12350+ENDPROC(int3)
12351
12352 ENTRY(general_protection)
12353 RING0_EC_FRAME
12354 pushl_cfi $do_general_protection
12355 jmp error_code
12356 CFI_ENDPROC
12357-END(general_protection)
12358+ENDPROC(general_protection)
12359
12360 #ifdef CONFIG_KVM_GUEST
12361 ENTRY(async_page_fault)
12362@@ -1410,7 +1667,7 @@ ENTRY(async_page_fault)
12363 pushl_cfi $do_async_page_fault
12364 jmp error_code
12365 CFI_ENDPROC
12366-END(async_page_fault)
12367+ENDPROC(async_page_fault)
12368 #endif
12369
12370 /*
12371diff -urNp linux-3.1.1/arch/x86/kernel/entry_64.S linux-3.1.1/arch/x86/kernel/entry_64.S
12372--- linux-3.1.1/arch/x86/kernel/entry_64.S 2011-11-11 15:19:27.000000000 -0500
12373+++ linux-3.1.1/arch/x86/kernel/entry_64.S 2011-11-17 18:28:56.000000000 -0500
12374@@ -55,6 +55,8 @@
12375 #include <asm/paravirt.h>
12376 #include <asm/ftrace.h>
12377 #include <asm/percpu.h>
12378+#include <asm/pgtable.h>
12379+#include <asm/alternative-asm.h>
12380
12381 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
12382 #include <linux/elf-em.h>
12383@@ -68,8 +70,9 @@
12384 #ifdef CONFIG_FUNCTION_TRACER
12385 #ifdef CONFIG_DYNAMIC_FTRACE
12386 ENTRY(mcount)
12387+ pax_force_retaddr
12388 retq
12389-END(mcount)
12390+ENDPROC(mcount)
12391
12392 ENTRY(ftrace_caller)
12393 cmpl $0, function_trace_stop
12394@@ -92,8 +95,9 @@ GLOBAL(ftrace_graph_call)
12395 #endif
12396
12397 GLOBAL(ftrace_stub)
12398+ pax_force_retaddr
12399 retq
12400-END(ftrace_caller)
12401+ENDPROC(ftrace_caller)
12402
12403 #else /* ! CONFIG_DYNAMIC_FTRACE */
12404 ENTRY(mcount)
12405@@ -112,6 +116,7 @@ ENTRY(mcount)
12406 #endif
12407
12408 GLOBAL(ftrace_stub)
12409+ pax_force_retaddr
12410 retq
12411
12412 trace:
12413@@ -121,12 +126,13 @@ trace:
12414 movq 8(%rbp), %rsi
12415 subq $MCOUNT_INSN_SIZE, %rdi
12416
12417+ pax_force_fptr ftrace_trace_function
12418 call *ftrace_trace_function
12419
12420 MCOUNT_RESTORE_FRAME
12421
12422 jmp ftrace_stub
12423-END(mcount)
12424+ENDPROC(mcount)
12425 #endif /* CONFIG_DYNAMIC_FTRACE */
12426 #endif /* CONFIG_FUNCTION_TRACER */
12427
12428@@ -146,8 +152,9 @@ ENTRY(ftrace_graph_caller)
12429
12430 MCOUNT_RESTORE_FRAME
12431
12432+ pax_force_retaddr
12433 retq
12434-END(ftrace_graph_caller)
12435+ENDPROC(ftrace_graph_caller)
12436
12437 GLOBAL(return_to_handler)
12438 subq $24, %rsp
12439@@ -163,6 +170,7 @@ GLOBAL(return_to_handler)
12440 movq 8(%rsp), %rdx
12441 movq (%rsp), %rax
12442 addq $24, %rsp
12443+ pax_force_fptr %rdi
12444 jmp *%rdi
12445 #endif
12446
12447@@ -178,6 +186,269 @@ ENTRY(native_usergs_sysret64)
12448 ENDPROC(native_usergs_sysret64)
12449 #endif /* CONFIG_PARAVIRT */
12450
12451+ .macro ljmpq sel, off
12452+#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
12453+ .byte 0x48; ljmp *1234f(%rip)
12454+ .pushsection .rodata
12455+ .align 16
12456+ 1234: .quad \off; .word \sel
12457+ .popsection
12458+#else
12459+ pushq $\sel
12460+ pushq $\off
12461+ lretq
12462+#endif
12463+ .endm
12464+
12465+ .macro pax_enter_kernel
12466+#ifdef CONFIG_PAX_KERNEXEC
12467+ call pax_enter_kernel
12468+#endif
12469+ .endm
12470+
12471+ .macro pax_exit_kernel
12472+#ifdef CONFIG_PAX_KERNEXEC
12473+ call pax_exit_kernel
12474+#endif
12475+ .endm
12476+
12477+#ifdef CONFIG_PAX_KERNEXEC
12478+ENTRY(pax_enter_kernel)
12479+ pushq %rdi
12480+
12481+#ifdef CONFIG_PARAVIRT
12482+ PV_SAVE_REGS(CLBR_RDI)
12483+#endif
12484+
12485+ GET_CR0_INTO_RDI
12486+ bts $16,%rdi
12487+ jnc 1f
12488+ mov %cs,%edi
12489+ cmp $__KERNEL_CS,%edi
12490+ jz 3f
12491+ ljmpq __KERNEL_CS,3f
12492+1: ljmpq __KERNEXEC_KERNEL_CS,2f
12493+2: SET_RDI_INTO_CR0
12494+3:
12495+
12496+#ifdef CONFIG_PARAVIRT
12497+ PV_RESTORE_REGS(CLBR_RDI)
12498+#endif
12499+
12500+ popq %rdi
12501+ pax_force_retaddr
12502+ retq
12503+ENDPROC(pax_enter_kernel)
12504+
12505+ENTRY(pax_exit_kernel)
12506+ pushq %rdi
12507+
12508+#ifdef CONFIG_PARAVIRT
12509+ PV_SAVE_REGS(CLBR_RDI)
12510+#endif
12511+
12512+ mov %cs,%rdi
12513+ cmp $__KERNEXEC_KERNEL_CS,%edi
12514+ jnz 2f
12515+ GET_CR0_INTO_RDI
12516+ btr $16,%rdi
12517+ ljmpq __KERNEL_CS,1f
12518+1: SET_RDI_INTO_CR0
12519+2:
12520+
12521+#ifdef CONFIG_PARAVIRT
12522+ PV_RESTORE_REGS(CLBR_RDI);
12523+#endif
12524+
12525+ popq %rdi
12526+ pax_force_retaddr
12527+ retq
12528+ENDPROC(pax_exit_kernel)
12529+#endif
12530+
12531+ .macro pax_enter_kernel_user
12532+#ifdef CONFIG_PAX_MEMORY_UDEREF
12533+ call pax_enter_kernel_user
12534+#endif
12535+ .endm
12536+
12537+ .macro pax_exit_kernel_user
12538+#ifdef CONFIG_PAX_MEMORY_UDEREF
12539+ call pax_exit_kernel_user
12540+#endif
12541+#ifdef CONFIG_PAX_RANDKSTACK
12542+ push %rax
12543+ call pax_randomize_kstack
12544+ pop %rax
12545+#endif
12546+ .endm
12547+
12548+#ifdef CONFIG_PAX_MEMORY_UDEREF
12549+ENTRY(pax_enter_kernel_user)
12550+ pushq %rdi
12551+ pushq %rbx
12552+
12553+#ifdef CONFIG_PARAVIRT
12554+ PV_SAVE_REGS(CLBR_RDI)
12555+#endif
12556+
12557+ GET_CR3_INTO_RDI
12558+ mov %rdi,%rbx
12559+ add $__START_KERNEL_map,%rbx
12560+ sub phys_base(%rip),%rbx
12561+
12562+#ifdef CONFIG_PARAVIRT
12563+ pushq %rdi
12564+ cmpl $0, pv_info+PARAVIRT_enabled
12565+ jz 1f
12566+ i = 0
12567+ .rept USER_PGD_PTRS
12568+ mov i*8(%rbx),%rsi
12569+ mov $0,%sil
12570+ lea i*8(%rbx),%rdi
12571+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
12572+ i = i + 1
12573+ .endr
12574+ jmp 2f
12575+1:
12576+#endif
12577+
12578+ i = 0
12579+ .rept USER_PGD_PTRS
12580+ movb $0,i*8(%rbx)
12581+ i = i + 1
12582+ .endr
12583+
12584+#ifdef CONFIG_PARAVIRT
12585+2: popq %rdi
12586+#endif
12587+ SET_RDI_INTO_CR3
12588+
12589+#ifdef CONFIG_PAX_KERNEXEC
12590+ GET_CR0_INTO_RDI
12591+ bts $16,%rdi
12592+ SET_RDI_INTO_CR0
12593+#endif
12594+
12595+#ifdef CONFIG_PARAVIRT
12596+ PV_RESTORE_REGS(CLBR_RDI)
12597+#endif
12598+
12599+ popq %rbx
12600+ popq %rdi
12601+ pax_force_retaddr
12602+ retq
12603+ENDPROC(pax_enter_kernel_user)
12604+
12605+ENTRY(pax_exit_kernel_user)
12606+ push %rdi
12607+
12608+#ifdef CONFIG_PARAVIRT
12609+ pushq %rbx
12610+ PV_SAVE_REGS(CLBR_RDI)
12611+#endif
12612+
12613+#ifdef CONFIG_PAX_KERNEXEC
12614+ GET_CR0_INTO_RDI
12615+ btr $16,%rdi
12616+ SET_RDI_INTO_CR0
12617+#endif
12618+
12619+ GET_CR3_INTO_RDI
12620+ add $__START_KERNEL_map,%rdi
12621+ sub phys_base(%rip),%rdi
12622+
12623+#ifdef CONFIG_PARAVIRT
12624+ cmpl $0, pv_info+PARAVIRT_enabled
12625+ jz 1f
12626+ mov %rdi,%rbx
12627+ i = 0
12628+ .rept USER_PGD_PTRS
12629+ mov i*8(%rbx),%rsi
12630+ mov $0x67,%sil
12631+ lea i*8(%rbx),%rdi
12632+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
12633+ i = i + 1
12634+ .endr
12635+ jmp 2f
12636+1:
12637+#endif
12638+
12639+ i = 0
12640+ .rept USER_PGD_PTRS
12641+ movb $0x67,i*8(%rdi)
12642+ i = i + 1
12643+ .endr
12644+
12645+#ifdef CONFIG_PARAVIRT
12646+2: PV_RESTORE_REGS(CLBR_RDI)
12647+ popq %rbx
12648+#endif
12649+
12650+ popq %rdi
12651+ pax_force_retaddr
12652+ retq
12653+ENDPROC(pax_exit_kernel_user)
12654+#endif
12655+
12656+.macro pax_erase_kstack
12657+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12658+ call pax_erase_kstack
12659+#endif
12660+.endm
12661+
12662+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12663+/*
12664+ * r10: thread_info
12665+ * rcx, rdx: can be clobbered
12666+ */
12667+ENTRY(pax_erase_kstack)
12668+ pushq %rdi
12669+ pushq %rax
12670+ pushq %r10
12671+
12672+ GET_THREAD_INFO(%r10)
12673+ mov TI_lowest_stack(%r10), %rdi
12674+ mov $-0xBEEF, %rax
12675+ std
12676+
12677+1: mov %edi, %ecx
12678+ and $THREAD_SIZE_asm - 1, %ecx
12679+ shr $3, %ecx
12680+ repne scasq
12681+ jecxz 2f
12682+
12683+ cmp $2*8, %ecx
12684+ jc 2f
12685+
12686+ mov $2*8, %ecx
12687+ repe scasq
12688+ jecxz 2f
12689+ jne 1b
12690+
12691+2: cld
12692+ mov %esp, %ecx
12693+ sub %edi, %ecx
12694+
12695+ cmp $THREAD_SIZE_asm, %rcx
12696+ jb 3f
12697+ ud2
12698+3:
12699+
12700+ shr $3, %ecx
12701+ rep stosq
12702+
12703+ mov TI_task_thread_sp0(%r10), %rdi
12704+ sub $256, %rdi
12705+ mov %rdi, TI_lowest_stack(%r10)
12706+
12707+ popq %r10
12708+ popq %rax
12709+ popq %rdi
12710+ pax_force_retaddr
12711+ ret
12712+ENDPROC(pax_erase_kstack)
12713+#endif
12714
12715 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
12716 #ifdef CONFIG_TRACE_IRQFLAGS
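Review bot: The header comment on the 64-bit pax_erase_kstack says `r10: thread_info`, but the routine saves %r10 and loads it itself with `GET_THREAD_INFO(%r10)`, so r10 is not an input — the comment appears to be carried over from the 32-bit variant, where %ebp really is an input; suggest `/* rcx, rdx: can be clobbered; all other registers are preserved */`. Conversely, the 64-bit routine validates the erase length (`cmp $THREAD_SIZE_asm, %rcx; jb 3f; ud2`) before `rep stosq`, while the 32-bit pax_erase_kstack in this patch goes straight to `rep stosl`; a corrupt or stale TI_lowest_stack on 32-bit would let the store run past the thread stack, so the same bound check belongs there too. The `ljmpq` macro's `.byte 0x48` prefix in front of `ljmp *1234f(%rip)` and its numeric label in .rodata are non-obvious enough to deserve a comment on why the memory-operand form is chosen for the listed CPU models. `PV_RESTORE_REGS(CLBR_RDI);` in pax_exit_kernel also carries a stray semicolon the surrounding code omits.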
12717@@ -319,7 +590,7 @@ ENDPROC(native_usergs_sysret64)
12718 movq %rsp, %rsi
12719
12720 leaq -RBP(%rsp),%rdi /* arg1 for handler */
12721- testl $3, CS(%rdi)
12722+ testb $3, CS(%rdi)
12723 je 1f
12724 SWAPGS
12725 /*
12726@@ -350,9 +621,10 @@ ENTRY(save_rest)
12727 movq_cfi r15, R15+16
12728 movq %r11, 8(%rsp) /* return address */
12729 FIXUP_TOP_OF_STACK %r11, 16
12730+ pax_force_retaddr
12731 ret
12732 CFI_ENDPROC
12733-END(save_rest)
12734+ENDPROC(save_rest)
12735
12736 /* save complete stack frame */
12737 .pushsection .kprobes.text, "ax"
12738@@ -381,9 +653,10 @@ ENTRY(save_paranoid)
12739 js 1f /* negative -> in kernel */
12740 SWAPGS
12741 xorl %ebx,%ebx
12742-1: ret
12743+1: pax_force_retaddr
12744+ ret
12745 CFI_ENDPROC
12746-END(save_paranoid)
12747+ENDPROC(save_paranoid)
12748 .popsection
12749
12750 /*
12751@@ -405,7 +678,7 @@ ENTRY(ret_from_fork)
12752
12753 RESTORE_REST
12754
12755- testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
12756+ testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
12757 je int_ret_from_sys_call
12758
12759 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
12760@@ -415,7 +688,7 @@ ENTRY(ret_from_fork)
12761 jmp ret_from_sys_call # go to the SYSRET fastpath
12762
12763 CFI_ENDPROC
12764-END(ret_from_fork)
12765+ENDPROC(ret_from_fork)
12766
12767 /*
12768 * System call entry. Up to 6 arguments in registers are supported.
12769@@ -451,7 +724,7 @@ END(ret_from_fork)
12770 ENTRY(system_call)
12771 CFI_STARTPROC simple
12772 CFI_SIGNAL_FRAME
12773- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
12774+ CFI_DEF_CFA rsp,0
12775 CFI_REGISTER rip,rcx
12776 /*CFI_REGISTER rflags,r11*/
12777 SWAPGS_UNSAFE_STACK
12778@@ -464,12 +737,13 @@ ENTRY(system_call_after_swapgs)
12779
12780 movq %rsp,PER_CPU_VAR(old_rsp)
12781 movq PER_CPU_VAR(kernel_stack),%rsp
12782+ pax_enter_kernel_user
12783 /*
12784 * No need to follow this irqs off/on section - it's straight
12785 * and short:
12786 */
12787 ENABLE_INTERRUPTS(CLBR_NONE)
12788- SAVE_ARGS 8,0
12789+ SAVE_ARGS 8*6,0
12790 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
12791 movq %rcx,RIP-ARGOFFSET(%rsp)
12792 CFI_REL_OFFSET rip,RIP-ARGOFFSET
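Review bot: `SAVE_ARGS 8*6,0` replaces the old `8` with an unexplained product, and the previous hunk changes `CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET` to `rsp,0`; both presumably track a change to how PER_CPU_VAR(kernel_stack) is set up elsewhere in the patch, but nothing in this file says so, and the magic `8*6` will rot silently if that other offset moves. Suggest a named symbol or at least a comment on the SAVE_ARGS line naming what the six words are, once the author confirms it. Note also that `pax_enter_kernel_user` is called right after `movq PER_CPU_VAR(kernel_stack),%rsp` and before SAVE_ARGS, so its return address is the first thing written on the fresh kernel stack — that interaction with the skipped region is exactly what the comment should pin down. system_call continues beyond this hunk.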
12793@@ -498,6 +772,8 @@ sysret_check:
12794 andl %edi,%edx
12795 jnz sysret_careful
12796 CFI_REMEMBER_STATE
12797+ pax_exit_kernel_user
12798+ pax_erase_kstack
12799 /*
12800 * sysretq will re-enable interrupts:
12801 */
12802@@ -556,6 +832,9 @@ auditsys:
12803 movq %rax,%rsi /* 2nd arg: syscall number */
12804 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
12805 call audit_syscall_entry
12806+
12807+ pax_erase_kstack
12808+
12809 LOAD_ARGS 0 /* reload call-clobbered registers */
12810 jmp system_call_fastpath
12811
12812@@ -586,6 +865,9 @@ tracesys:
12813 FIXUP_TOP_OF_STACK %rdi
12814 movq %rsp,%rdi
12815 call syscall_trace_enter
12816+
12817+ pax_erase_kstack
12818+
12819 /*
12820 * Reload arg registers from stack in case ptrace changed them.
12821 * We don't reload %rax because syscall_trace_enter() returned
12822@@ -607,7 +889,7 @@ tracesys:
12823 GLOBAL(int_ret_from_sys_call)
12824 DISABLE_INTERRUPTS(CLBR_NONE)
12825 TRACE_IRQS_OFF
12826- testl $3,CS-ARGOFFSET(%rsp)
12827+ testb $3,CS-ARGOFFSET(%rsp)
12828 je retint_restore_args
12829 movl $_TIF_ALLWORK_MASK,%edi
12830 /* edi: mask to check */
12831@@ -664,7 +946,7 @@ int_restore_rest:
12832 TRACE_IRQS_OFF
12833 jmp int_with_check
12834 CFI_ENDPROC
12835-END(system_call)
12836+ENDPROC(system_call)
12837
12838 /*
12839 * Certain special system calls that need to save a complete full stack frame.
12840@@ -680,7 +962,7 @@ ENTRY(\label)
12841 call \func
12842 jmp ptregscall_common
12843 CFI_ENDPROC
12844-END(\label)
12845+ENDPROC(\label)
12846 .endm
12847
12848 PTREGSCALL stub_clone, sys_clone, %r8
12849@@ -698,9 +980,10 @@ ENTRY(ptregscall_common)
12850 movq_cfi_restore R12+8, r12
12851 movq_cfi_restore RBP+8, rbp
12852 movq_cfi_restore RBX+8, rbx
12853+ pax_force_retaddr
12854 ret $REST_SKIP /* pop extended registers */
12855 CFI_ENDPROC
12856-END(ptregscall_common)
12857+ENDPROC(ptregscall_common)
12858
12859 ENTRY(stub_execve)
12860 CFI_STARTPROC
12861@@ -715,7 +998,7 @@ ENTRY(stub_execve)
12862 RESTORE_REST
12863 jmp int_ret_from_sys_call
12864 CFI_ENDPROC
12865-END(stub_execve)
12866+ENDPROC(stub_execve)
12867
12868 /*
12869 * sigreturn is special because it needs to restore all registers on return.
12870@@ -733,7 +1016,7 @@ ENTRY(stub_rt_sigreturn)
12871 RESTORE_REST
12872 jmp int_ret_from_sys_call
12873 CFI_ENDPROC
12874-END(stub_rt_sigreturn)
12875+ENDPROC(stub_rt_sigreturn)
12876
12877 /*
12878 * Build the entry stubs and pointer table with some assembler magic.
12879@@ -768,7 +1051,7 @@ vector=vector+1
12880 2: jmp common_interrupt
12881 .endr
12882 CFI_ENDPROC
12883-END(irq_entries_start)
12884+ENDPROC(irq_entries_start)
12885
12886 .previous
12887 END(interrupt)
12888@@ -789,6 +1072,16 @@ END(interrupt)
12889 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
12890 SAVE_ARGS_IRQ
12891 PARTIAL_FRAME 0
12892+#ifdef CONFIG_PAX_MEMORY_UDEREF
12893+ testb $3, CS(%rdi)
12894+ jnz 1f
12895+ pax_enter_kernel
12896+ jmp 2f
12897+1: pax_enter_kernel_user
12898+2:
12899+#else
12900+ pax_enter_kernel
12901+#endif
12902 call \func
12903 .endm
12904
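Review bot: The UDEREF dispatch `testb $3, CS(...); jnz 1f; pax_enter_kernel; jmp 2f; 1: pax_enter_kernel_user; 2:` is written out by hand here and again in the zeroentry, paranoidzeroentry, paranoidzeroentry_ist and errorentry hunks and the error-code-on-stack variant at the end of the excerpt, differing only in whether the pt_regs base is %rdi or %rsp; one macro taking the base register (with the `#else pax_enter_kernel` fallback inside it) would remove the copies and make a future fix land in one place. The copies also bind local labels 1/2 inside macros expanded into ENTRY bodies, so any later `1f`/`2b` written in those bodies silently picks them up — another reason to centralize. The interrupt macro begins before this hunk.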
12905@@ -820,7 +1113,7 @@ ret_from_intr:
12906
12907 exit_intr:
12908 GET_THREAD_INFO(%rcx)
12909- testl $3,CS-ARGOFFSET(%rsp)
12910+ testb $3,CS-ARGOFFSET(%rsp)
12911 je retint_kernel
12912
12913 /* Interrupt came from user space */
12914@@ -842,12 +1135,16 @@ retint_swapgs: /* return to user-space
12915 * The iretq could re-enable interrupts:
12916 */
12917 DISABLE_INTERRUPTS(CLBR_ANY)
12918+ pax_exit_kernel_user
12919+ pax_erase_kstack
12920 TRACE_IRQS_IRETQ
12921 SWAPGS
12922 jmp restore_args
12923
12924 retint_restore_args: /* return to kernel space */
12925 DISABLE_INTERRUPTS(CLBR_ANY)
12926+ pax_exit_kernel
12927+ pax_force_retaddr RIP-ARGOFFSET
12928 /*
12929 * The iretq could re-enable interrupts:
12930 */
12931@@ -936,7 +1233,7 @@ ENTRY(retint_kernel)
12932 #endif
12933
12934 CFI_ENDPROC
12935-END(common_interrupt)
12936+ENDPROC(common_interrupt)
12937 /*
12938 * End of kprobes section
12939 */
12940@@ -952,7 +1249,7 @@ ENTRY(\sym)
12941 interrupt \do_sym
12942 jmp ret_from_intr
12943 CFI_ENDPROC
12944-END(\sym)
12945+ENDPROC(\sym)
12946 .endm
12947
12948 #ifdef CONFIG_SMP
12949@@ -1017,12 +1314,22 @@ ENTRY(\sym)
12950 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12951 call error_entry
12952 DEFAULT_FRAME 0
12953+#ifdef CONFIG_PAX_MEMORY_UDEREF
12954+ testb $3, CS(%rsp)
12955+ jnz 1f
12956+ pax_enter_kernel
12957+ jmp 2f
12958+1: pax_enter_kernel_user
12959+2:
12960+#else
12961+ pax_enter_kernel
12962+#endif
12963 movq %rsp,%rdi /* pt_regs pointer */
12964 xorl %esi,%esi /* no error code */
12965 call \do_sym
12966 jmp error_exit /* %ebx: no swapgs flag */
12967 CFI_ENDPROC
12968-END(\sym)
12969+ENDPROC(\sym)
12970 .endm
12971
12972 .macro paranoidzeroentry sym do_sym
12973@@ -1034,15 +1341,25 @@ ENTRY(\sym)
12974 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
12975 call save_paranoid
12976 TRACE_IRQS_OFF
12977+#ifdef CONFIG_PAX_MEMORY_UDEREF
12978+ testb $3, CS(%rsp)
12979+ jnz 1f
12980+ pax_enter_kernel
12981+ jmp 2f
12982+1: pax_enter_kernel_user
12983+2:
12984+#else
12985+ pax_enter_kernel
12986+#endif
12987 movq %rsp,%rdi /* pt_regs pointer */
12988 xorl %esi,%esi /* no error code */
12989 call \do_sym
12990 jmp paranoid_exit /* %ebx: no swapgs flag */
12991 CFI_ENDPROC
12992-END(\sym)
12993+ENDPROC(\sym)
12994 .endm
12995
12996-#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
12997+#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
12998 .macro paranoidzeroentry_ist sym do_sym ist
12999 ENTRY(\sym)
13000 INTR_FRAME
13001@@ -1052,14 +1369,30 @@ ENTRY(\sym)
13002 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
13003 call save_paranoid
13004 TRACE_IRQS_OFF
13005+#ifdef CONFIG_PAX_MEMORY_UDEREF
13006+ testb $3, CS(%rsp)
13007+ jnz 1f
13008+ pax_enter_kernel
13009+ jmp 2f
13010+1: pax_enter_kernel_user
13011+2:
13012+#else
13013+ pax_enter_kernel
13014+#endif
13015 movq %rsp,%rdi /* pt_regs pointer */
13016 xorl %esi,%esi /* no error code */
13017+#ifdef CONFIG_SMP
13018+ imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
13019+ lea init_tss(%r12), %r12
13020+#else
13021+ lea init_tss(%rip), %r12
13022+#endif
13023 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
13024 call \do_sym
13025 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
13026 jmp paranoid_exit /* %ebx: no swapgs flag */
13027 CFI_ENDPROC
13028-END(\sym)
13029+ENDPROC(\sym)
13030 .endm
13031
13032 .macro errorentry sym do_sym
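Review bot: The `subq`/`addq` around `call \do_sym` now address the IST slot through `%r12` (the previous hunk redefines `INIT_TSS_IST(x)` as `(TSS_ist + ((x) - 1) * 8)(%r12)`), yet nothing at the define or here states that contract; a reader of the macro alone cannot see why `%r12` is valid after the call. It works because `%r12` is callee-saved under the SysV ABI, so `\do_sym` must preserve it, and save_paranoid has already stored the interrupted value; both facts deserve a comment, e.g. at the define `/* expects %r12 = this CPU's init_tss, loaded by paranoidzeroentry_ist; callee-saved, so it survives \do_sym */`. The `imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d` writes the 32-bit register and relies on implicit zero-extension into %r12, which a short comment on the SMP branch could also note.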
13033@@ -1070,13 +1403,23 @@ ENTRY(\sym)
13034 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
13035 call error_entry
13036 DEFAULT_FRAME 0
13037+#ifdef CONFIG_PAX_MEMORY_UDEREF
13038+ testb $3, CS(%rsp)
13039+ jnz 1f
13040+ pax_enter_kernel
13041+ jmp 2f
13042+1: pax_enter_kernel_user
13043+2:
13044+#else
13045+ pax_enter_kernel
13046+#endif
13047 movq %rsp,%rdi /* pt_regs pointer */
13048 movq ORIG_RAX(%rsp),%rsi /* get error code */
13049 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
13050 call \do_sym
13051 jmp error_exit /* %ebx: no swapgs flag */
13052 CFI_ENDPROC
13053-END(\sym)
13054+ENDPROC(\sym)
13055 .endm
13056
13057 /* error code is on the stack already */
13058@@ -1089,13 +1432,23 @@ ENTRY(\sym)
13059 call save_paranoid
13060 DEFAULT_FRAME 0
13061 TRACE_IRQS_OFF
13062+#ifdef CONFIG_PAX_MEMORY_UDEREF
13063+ testb $3, CS(%rsp)
13064+ jnz 1f
13065+ pax_enter_kernel
13066+ jmp 2f
13067+1: pax_enter_kernel_user
13068+2:
13069+#else
13070+ pax_enter_kernel
13071+#endif
13072 movq %rsp,%rdi /* pt_regs pointer */
13073 movq ORIG_RAX(%rsp),%rsi /* get error code */
13074 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
13075 call \do_sym
13076 jmp paranoid_exit /* %ebx: no swapgs flag */
13077 CFI_ENDPROC
13078-END(\sym)
13079+ENDPROC(\sym)
13080 .endm
13081
13082 zeroentry divide_error do_divide_error
13083@@ -1125,9 +1478,10 @@ gs_change:
13084 2: mfence /* workaround */
13085 SWAPGS
13086 popfq_cfi
13087+ pax_force_retaddr
13088 ret
13089 CFI_ENDPROC
13090-END(native_load_gs_index)
13091+ENDPROC(native_load_gs_index)
13092
13093 .section __ex_table,"a"
13094 .align 8
13095@@ -1149,13 +1503,14 @@ ENTRY(kernel_thread_helper)
13096 * Here we are in the child and the registers are set as they were
13097 * at kernel_thread() invocation in the parent.
13098 */
13099+ pax_force_fptr %rsi
13100 call *%rsi
13101 # exit
13102 mov %eax, %edi
13103 call do_exit
13104 ud2 # padding for call trace
13105 CFI_ENDPROC
13106-END(kernel_thread_helper)
13107+ENDPROC(kernel_thread_helper)
13108
13109 /*
13110 * execve(). This function needs to use IRET, not SYSRET, to set up all state properly.
13111@@ -1184,9 +1539,10 @@ ENTRY(kernel_execve)
13112 je int_ret_from_sys_call
13113 RESTORE_ARGS
13114 UNFAKE_STACK_FRAME
13115+ pax_force_retaddr
13116 ret
13117 CFI_ENDPROC
13118-END(kernel_execve)
13119+ENDPROC(kernel_execve)
13120
13121 /* Call softirq on interrupt stack. Interrupts are off. */
13122 ENTRY(call_softirq)
13123@@ -1204,9 +1560,10 @@ ENTRY(call_softirq)
13124 CFI_DEF_CFA_REGISTER rsp
13125 CFI_ADJUST_CFA_OFFSET -8
13126 decl PER_CPU_VAR(irq_count)
13127+ pax_force_retaddr
13128 ret
13129 CFI_ENDPROC
13130-END(call_softirq)
13131+ENDPROC(call_softirq)
13132
13133 #ifdef CONFIG_XEN
13134 zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
13135@@ -1244,7 +1601,7 @@ ENTRY(xen_do_hypervisor_callback) # do
13136 decl PER_CPU_VAR(irq_count)
13137 jmp error_exit
13138 CFI_ENDPROC
13139-END(xen_do_hypervisor_callback)
13140+ENDPROC(xen_do_hypervisor_callback)
13141
13142 /*
13143 * Hypervisor uses this for application faults while it executes.
13144@@ -1303,7 +1660,7 @@ ENTRY(xen_failsafe_callback)
13145 SAVE_ALL
13146 jmp error_exit
13147 CFI_ENDPROC
13148-END(xen_failsafe_callback)
13149+ENDPROC(xen_failsafe_callback)
13150
13151 apicinterrupt XEN_HVM_EVTCHN_CALLBACK \
13152 xen_hvm_callback_vector xen_evtchn_do_upcall
13153@@ -1352,16 +1709,31 @@ ENTRY(paranoid_exit)
13154 TRACE_IRQS_OFF
13155 testl %ebx,%ebx /* swapgs needed? */
13156 jnz paranoid_restore
13157- testl $3,CS(%rsp)
13158+ testb $3,CS(%rsp)
13159 jnz paranoid_userspace
13160+#ifdef CONFIG_PAX_MEMORY_UDEREF
13161+ pax_exit_kernel
13162+ TRACE_IRQS_IRETQ 0
13163+ SWAPGS_UNSAFE_STACK
13164+ RESTORE_ALL 8
13165+ pax_force_retaddr
13166+ jmp irq_return
13167+#endif
13168 paranoid_swapgs:
13169+#ifdef CONFIG_PAX_MEMORY_UDEREF
13170+ pax_exit_kernel_user
13171+#else
13172+ pax_exit_kernel
13173+#endif
13174 TRACE_IRQS_IRETQ 0
13175 SWAPGS_UNSAFE_STACK
13176 RESTORE_ALL 8
13177 jmp irq_return
13178 paranoid_restore:
13179+ pax_exit_kernel
13180 TRACE_IRQS_IRETQ 0
13181 RESTORE_ALL 8
13182+ pax_force_retaddr
13183 jmp irq_return
13184 paranoid_userspace:
13185 GET_THREAD_INFO(%rcx)
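Review bot: The new UDEREF block between `jnz paranoid_userspace` and `paranoid_swapgs:` carries no comment saying which case it handles, and the same shape appears again in the ENTRY(nmi) exit path below. From the surrounding tests it is the case "swapgs needed (%ebx == 0) but CS is a kernel selector", which previously fell through to paranoid_swapgs and would now run `pax_exit_kernel_user` on a kernel-mode return; the split makes the kernel variant run instead and then takes the same SWAPGS/RESTORE_ALL path plus `pax_force_retaddr`. Suggest a comment at the top of the block such as `/* kernel-mode entry that still needs SWAPGS: undo kernel-side state, not user-side */`, and a `/* as in paranoid_exit */` pointer at the nmi copy.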
13186@@ -1390,7 +1762,7 @@ paranoid_schedule:
13187 TRACE_IRQS_OFF
13188 jmp paranoid_userspace
13189 CFI_ENDPROC
13190-END(paranoid_exit)
13191+ENDPROC(paranoid_exit)
13192
13193 /*
13194 * Exception entry point. This expects an error code/orig_rax on the stack.
13195@@ -1417,12 +1789,13 @@ ENTRY(error_entry)
13196 movq_cfi r14, R14+8
13197 movq_cfi r15, R15+8
13198 xorl %ebx,%ebx
13199- testl $3,CS+8(%rsp)
13200+ testb $3,CS+8(%rsp)
13201 je error_kernelspace
13202 error_swapgs:
13203 SWAPGS
13204 error_sti:
13205 TRACE_IRQS_OFF
13206+ pax_force_retaddr
13207 ret
13208
13209 /*
13210@@ -1449,7 +1822,7 @@ bstep_iret:
13211 movq %rcx,RIP+8(%rsp)
13212 jmp error_swapgs
13213 CFI_ENDPROC
13214-END(error_entry)
13215+ENDPROC(error_entry)
13216
13217
13218 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
13219@@ -1469,7 +1842,7 @@ ENTRY(error_exit)
13220 jnz retint_careful
13221 jmp retint_swapgs
13222 CFI_ENDPROC
13223-END(error_exit)
13224+ENDPROC(error_exit)
13225
13226
13227 /* runs on exception stack */
13228@@ -1481,6 +1854,16 @@ ENTRY(nmi)
13229 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
13230 call save_paranoid
13231 DEFAULT_FRAME 0
13232+#ifdef CONFIG_PAX_MEMORY_UDEREF
13233+ testb $3, CS(%rsp)
13234+ jnz 1f
13235+ pax_enter_kernel
13236+ jmp 2f
13237+1: pax_enter_kernel_user
13238+2:
13239+#else
13240+ pax_enter_kernel
13241+#endif
13242 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
13243 movq %rsp,%rdi
13244 movq $-1,%rsi
13245@@ -1491,12 +1874,28 @@ ENTRY(nmi)
13246 DISABLE_INTERRUPTS(CLBR_NONE)
13247 testl %ebx,%ebx /* swapgs needed? */
13248 jnz nmi_restore
13249- testl $3,CS(%rsp)
13250+ testb $3,CS(%rsp)
13251 jnz nmi_userspace
13252+#ifdef CONFIG_PAX_MEMORY_UDEREF
13253+ pax_exit_kernel
13254+ SWAPGS_UNSAFE_STACK
13255+ RESTORE_ALL 8
13256+ pax_force_retaddr
13257+ jmp irq_return
13258+#endif
13259 nmi_swapgs:
13260+#ifdef CONFIG_PAX_MEMORY_UDEREF
13261+ pax_exit_kernel_user
13262+#else
13263+ pax_exit_kernel
13264+#endif
13265 SWAPGS_UNSAFE_STACK
13266+ RESTORE_ALL 8
13267+ jmp irq_return
13268 nmi_restore:
13269+ pax_exit_kernel
13270 RESTORE_ALL 8
13271+ pax_force_retaddr
13272 jmp irq_return
13273 nmi_userspace:
13274 GET_THREAD_INFO(%rcx)
13275@@ -1525,14 +1924,14 @@ nmi_schedule:
13276 jmp paranoid_exit
13277 CFI_ENDPROC
13278 #endif
13279-END(nmi)
13280+ENDPROC(nmi)
13281
13282 ENTRY(ignore_sysret)
13283 CFI_STARTPROC
13284 mov $-ENOSYS,%eax
13285 sysret
13286 CFI_ENDPROC
13287-END(ignore_sysret)
13288+ENDPROC(ignore_sysret)
13289
13290 /*
13291 * End of kprobes section
13292diff -urNp linux-3.1.1/arch/x86/kernel/ftrace.c linux-3.1.1/arch/x86/kernel/ftrace.c
13293--- linux-3.1.1/arch/x86/kernel/ftrace.c 2011-11-11 15:19:27.000000000 -0500
13294+++ linux-3.1.1/arch/x86/kernel/ftrace.c 2011-11-16 18:39:07.000000000 -0500
13295@@ -126,7 +126,7 @@ static void *mod_code_ip; /* holds the
13296 static const void *mod_code_newcode; /* holds the text to write to the IP */
13297
13298 static unsigned nmi_wait_count;
13299-static atomic_t nmi_update_count = ATOMIC_INIT(0);
13300+static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
13301
13302 int ftrace_arch_read_dyn_info(char *buf, int size)
13303 {
13304@@ -134,7 +134,7 @@ int ftrace_arch_read_dyn_info(char *buf,
13305
13306 r = snprintf(buf, size, "%u %u",
13307 nmi_wait_count,
13308- atomic_read(&nmi_update_count));
13309+ atomic_read_unchecked(&nmi_update_count));
13310 return r;
13311 }
13312
13313@@ -177,8 +177,10 @@ void ftrace_nmi_enter(void)
13314
13315 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
13316 smp_rmb();
13317+ pax_open_kernel();
13318 ftrace_mod_code();
13319- atomic_inc(&nmi_update_count);
13320+ pax_close_kernel();
13321+ atomic_inc_unchecked(&nmi_update_count);
13322 }
13323 /* Must have previous changes seen before executions */
13324 smp_mb();
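Review bot: ftrace_nmi_enter() now brackets ftrace_mod_code() with pax_open_kernel()/pax_close_kernel() while running in NMI context, and nothing here states how the pair behaves when the NMI lands inside a region the interrupted context already opened. If the two calls toggle a global state rather than save and restore it, the pax_close_kernel() in the NMI re-protects text under the interrupted writer and its next store faults; I cannot see the implementation from this hunk, so the behaviour may well be correct, but the call site should record the requirement. Suggest `/* NMI may nest inside an open/close region on this CPU: the pair must save/restore, not toggle */` above pax_open_kernel().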
13325@@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
13326 {
13327 unsigned char replaced[MCOUNT_INSN_SIZE];
13328
13329+ ip = ktla_ktva(ip);
13330+
13331 /*
13332 * Note: Due to modules and __init, code can
13333 * disappear and change, we need to protect against faulting
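Review bot: `ip = ktla_ktva(ip);` is added at the top of ftrace_modify_code() here, at the top of ftrace_mod_jmp() below, and on the memcpy source in ftrace_update_ftrace_func(), without a word on what address the parameter carries on entry or what the translated value is. The name suggests a kernel-text linear-to-virtual translation, and the memcpy in ftrace_update_ftrace_func() shows the untranslated address is not readable as-is, but that is inference; the call sites should state it. A one-line comment at the first occurrence, e.g. `/* callers pass the text address as the kernel sees it; translate to the alias we may read and patch through */`, with `/* see ftrace_modify_code() */` at the other two, would do. All three function bodies continue outside their hunks.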
13334@@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
13335 unsigned char old[MCOUNT_INSN_SIZE], *new;
13336 int ret;
13337
13338- memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
13339+ memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
13340 new = ftrace_call_replace(ip, (unsigned long)func);
13341 ret = ftrace_modify_code(ip, old, new);
13342
13343@@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
13344 {
13345 unsigned char code[MCOUNT_INSN_SIZE];
13346
13347+ ip = ktla_ktva(ip);
13348+
13349 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
13350 return -EFAULT;
13351
13352diff -urNp linux-3.1.1/arch/x86/kernel/head32.c linux-3.1.1/arch/x86/kernel/head32.c
13353--- linux-3.1.1/arch/x86/kernel/head32.c 2011-11-11 15:19:27.000000000 -0500
13354+++ linux-3.1.1/arch/x86/kernel/head32.c 2011-11-16 18:39:07.000000000 -0500
13355@@ -19,6 +19,7 @@
13356 #include <asm/io_apic.h>
13357 #include <asm/bios_ebda.h>
13358 #include <asm/tlbflush.h>
13359+#include <asm/boot.h>
13360
13361 static void __init i386_default_early_setup(void)
13362 {
13363@@ -33,7 +34,7 @@ void __init i386_start_kernel(void)
13364 {
13365 memblock_init();
13366
13367- memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13368+ memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13369
13370 #ifdef CONFIG_BLK_DEV_INITRD
13371 /* Reserve INITRD */
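Review bot: Replacing `__pa_symbol(&_text)` with the compile-time `LOAD_PHYSICAL_ADDR` as the lower bound of the TEXT DATA BSS reservation assumes the image really sits at that physical address. On a CONFIG_RELOCATABLE kernel that the bootloader or kexec places elsewhere (a kdump capture kernel is the usual case) this reserves the wrong range and leaves the running text unreserved, whereas the symbol-based bound followed the relocation. If the motivation is that the KERNEXEC layout in head_32.S now places a page ahead of startup_32 so that `_text` no longer marks the image start, the reservation should say so, e.g. `/* image starts at LOAD_PHYSICAL_ADDR (KERNEXEC guard page precedes _text); not valid for a relocated kernel */`, or use a symbol that marks the true start.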
13372diff -urNp linux-3.1.1/arch/x86/kernel/head_32.S linux-3.1.1/arch/x86/kernel/head_32.S
13373--- linux-3.1.1/arch/x86/kernel/head_32.S 2011-11-11 15:19:27.000000000 -0500
13374+++ linux-3.1.1/arch/x86/kernel/head_32.S 2011-11-16 18:39:07.000000000 -0500
13375@@ -25,6 +25,12 @@
13376 /* Physical address */
13377 #define pa(X) ((X) - __PAGE_OFFSET)
13378
13379+#ifdef CONFIG_PAX_KERNEXEC
13380+#define ta(X) (X)
13381+#else
13382+#define ta(X) ((X) - __PAGE_OFFSET)
13383+#endif
13384+
13385 /*
13386 * References to members of the new_cpu_data structure.
13387 */
13388@@ -54,11 +60,7 @@
13389 * and small than max_low_pfn, otherwise will waste some page table entries
13390 */
13391
13392-#if PTRS_PER_PMD > 1
13393-#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
13394-#else
13395-#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
13396-#endif
13397+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
13398
13399 /* Number of possible pages in the lowmem region */
13400 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
13401@@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
13402 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13403
13404 /*
13405+ * Real beginning of normal "text" segment
13406+ */
13407+ENTRY(stext)
13408+ENTRY(_stext)
13409+
13410+/*
13411 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
13412 * %esi points to the real-mode code as a 32-bit pointer.
13413 * CS and DS must be 4 GB flat segments, but we don't depend on
13414@@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13415 * can.
13416 */
13417 __HEAD
13418+
13419+#ifdef CONFIG_PAX_KERNEXEC
13420+ jmp startup_32
13421+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
13422+.fill PAGE_SIZE-5,1,0xcc
13423+#endif
13424+
13425 ENTRY(startup_32)
13426 movl pa(stack_start),%ecx
13427
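Review bot: `.fill PAGE_SIZE-5,1,0xcc` hard-codes the length of the preceding `jmp startup_32` as five bytes, which is an assumption about the encoding the assembler chooses rather than something the source guarantees. Because the intent is for the int3 fill to end exactly at the page boundary where startup_32 begins, padding to the boundary expresses that directly and stays correct whatever encoding is emitted, provided __HEAD itself starts page-aligned (which I cannot confirm from this hunk): `jmp startup_32` followed by `.balign PAGE_SIZE, 0xcc`. The existing comment already explains the purpose of the 0xcc page and should stay.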
13428@@ -105,6 +120,57 @@ ENTRY(startup_32)
13429 2:
13430 leal -__PAGE_OFFSET(%ecx),%esp
13431
13432+#ifdef CONFIG_SMP
13433+ movl $pa(cpu_gdt_table),%edi
13434+ movl $__per_cpu_load,%eax
13435+ movw %ax,__KERNEL_PERCPU + 2(%edi)
13436+ rorl $16,%eax
13437+ movb %al,__KERNEL_PERCPU + 4(%edi)
13438+ movb %ah,__KERNEL_PERCPU + 7(%edi)
13439+ movl $__per_cpu_end - 1,%eax
13440+ subl $__per_cpu_start,%eax
13441+ movw %ax,__KERNEL_PERCPU + 0(%edi)
13442+#endif
13443+
13444+#ifdef CONFIG_PAX_MEMORY_UDEREF
13445+ movl $NR_CPUS,%ecx
13446+ movl $pa(cpu_gdt_table),%edi
13447+1:
13448+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
13449+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
13450+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
13451+ addl $PAGE_SIZE_asm,%edi
13452+ loop 1b
13453+#endif
13454+
13455+#ifdef CONFIG_PAX_KERNEXEC
13456+ movl $pa(boot_gdt),%edi
13457+ movl $__LOAD_PHYSICAL_ADDR,%eax
13458+ movw %ax,__BOOT_CS + 2(%edi)
13459+ rorl $16,%eax
13460+ movb %al,__BOOT_CS + 4(%edi)
13461+ movb %ah,__BOOT_CS + 7(%edi)
13462+ rorl $16,%eax
13463+
13464+ ljmp $(__BOOT_CS),$1f
13465+1:
13466+
13467+ movl $NR_CPUS,%ecx
13468+ movl $pa(cpu_gdt_table),%edi
13469+ addl $__PAGE_OFFSET,%eax
13470+1:
13471+ movw %ax,__KERNEL_CS + 2(%edi)
13472+ movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
13473+ rorl $16,%eax
13474+ movb %al,__KERNEL_CS + 4(%edi)
13475+ movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
13476+ movb %ah,__KERNEL_CS + 7(%edi)
13477+ movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
13478+ rorl $16,%eax
13479+ addl $PAGE_SIZE_asm,%edi
13480+ loop 1b
13481+#endif
13482+
13483 /*
13484 * Clear BSS first so that there are no surprises...
13485 */
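Review bot: The three descriptor words stored in the UDEREF loop (`0x00c09700`, `0x00c0fb00`, `0x00c0f300`) and the `((__PAGE_OFFSET-1) & 0xf0000000) >> 12` term OR'd into them are undocumented, and this loop is the whole i386 UDEREF mechanism. Decoding the high dword, the kernel DS entry has type 0x7 (expand-down data) and the user CS/DS entries get limit[19:16] derived from __PAGE_OFFSET-1, which reads as "kernel data segment valid only above __PAGE_OFFSET, user segments valid only below it"; that is inferred from the bit layout, so confirm it, but a comment stating it is essential here, e.g. `/* UDEREF: kernel DS is expand-down above __PAGE_OFFSET, user CS/DS are limited to below it; only limit[19:16] depends on __PAGE_OFFSET */`. The SMP and KERNEXEC blocks above and below similarly patch descriptor base fields byte-by-byte (`__KERNEL_PERCPU + 2/4/7`, `__KERNEL_CS + 2/4/7`) and would benefit from one line naming the field being written.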
13486@@ -195,8 +261,11 @@ ENTRY(startup_32)
13487 movl %eax, pa(max_pfn_mapped)
13488
13489 /* Do early initialization of the fixmap area */
13490- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
13491- movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
13492+#ifdef CONFIG_COMPAT_VDSO
13493+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
13494+#else
13495+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
13496+#endif
13497 #else /* Not PAE */
13498
13499 page_pde_offset = (__PAGE_OFFSET >> 20);
13500@@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13501 movl %eax, pa(max_pfn_mapped)
13502
13503 /* Do early initialization of the fixmap area */
13504- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
13505- movl %eax,pa(initial_page_table+0xffc)
13506+#ifdef CONFIG_COMPAT_VDSO
13507+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
13508+#else
13509+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
13510+#endif
13511 #endif
13512
13513 #ifdef CONFIG_PARAVIRT
13514@@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13515 cmpl $num_subarch_entries, %eax
13516 jae bad_subarch
13517
13518- movl pa(subarch_entries)(,%eax,4), %eax
13519- subl $__PAGE_OFFSET, %eax
13520- jmp *%eax
13521+ jmp *pa(subarch_entries)(,%eax,4)
13522
13523 bad_subarch:
13524 WEAK(lguest_entry)
13525@@ -255,10 +325,10 @@ WEAK(xen_entry)
13526 __INITDATA
13527
13528 subarch_entries:
13529- .long default_entry /* normal x86/PC */
13530- .long lguest_entry /* lguest hypervisor */
13531- .long xen_entry /* Xen hypervisor */
13532- .long default_entry /* Moorestown MID */
13533+ .long ta(default_entry) /* normal x86/PC */
13534+ .long ta(lguest_entry) /* lguest hypervisor */
13535+ .long ta(xen_entry) /* Xen hypervisor */
13536+ .long ta(default_entry) /* Moorestown MID */
13537 num_subarch_entries = (. - subarch_entries) / 4
13538 .previous
13539 #else
13540@@ -312,6 +382,7 @@ default_entry:
13541 orl %edx,%eax
13542 movl %eax,%cr4
13543
13544+#ifdef CONFIG_X86_PAE
13545 testb $X86_CR4_PAE, %al # check if PAE is enabled
13546 jz 6f
13547
13548@@ -340,6 +411,9 @@ default_entry:
13549 /* Make changes effective */
13550 wrmsr
13551
13552+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
13553+#endif
13554+
13555 6:
13556
13557 /*
13558@@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
13559 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
13560 movl %eax,%ss # after changing gdt.
13561
13562- movl $(__USER_DS),%eax # DS/ES contains default USER segment
13563+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
13564 movl %eax,%ds
13565 movl %eax,%es
13566
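Review bot: `# movl $(__KERNEL_DS),%eax` leaves a commented-out instruction where an explanation belongs; the following `movl %eax,%ds` / `movl %eax,%es` now depend on `%eax` still holding __KERNEL_DS from the `1: movl $(__KERNEL_DS),%eax` two lines up, and the old `__USER_DS` line is gone. Replace the dead line with the reason, e.g. `# %eax still holds __KERNEL_DS from above: DS/ES default to the kernel segment, not __USER_DS`, so the dependency on the earlier load is explicit.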
13567@@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
13568 */
13569 cmpb $0,ready
13570 jne 1f
13571- movl $gdt_page,%eax
13572+ movl $cpu_gdt_table,%eax
13573 movl $stack_canary,%ecx
13574+#ifdef CONFIG_SMP
13575+ addl $__per_cpu_load,%ecx
13576+#endif
13577 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
13578 shrl $16, %ecx
13579 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
13580 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
13581 1:
13582-#endif
13583 movl $(__KERNEL_STACK_CANARY),%eax
13584+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13585+ movl $(__USER_DS),%eax
13586+#else
13587+ xorl %eax,%eax
13588+#endif
13589 movl %eax,%gs
13590
13591 xorl %eax,%eax # Clear LDT
13592@@ -558,22 +639,22 @@ early_page_fault:
13593 jmp early_fault
13594
13595 early_fault:
13596- cld
13597 #ifdef CONFIG_PRINTK
13598+ cmpl $1,%ss:early_recursion_flag
13599+ je hlt_loop
13600+ incl %ss:early_recursion_flag
13601+ cld
13602 pusha
13603 movl $(__KERNEL_DS),%eax
13604 movl %eax,%ds
13605 movl %eax,%es
13606- cmpl $2,early_recursion_flag
13607- je hlt_loop
13608- incl early_recursion_flag
13609 movl %cr2,%eax
13610 pushl %eax
13611 pushl %edx /* trapno */
13612 pushl $fault_msg
13613 call printk
13614+; call dump_stack
13615 #endif
13616- call dump_stack
13617 hlt_loop:
13618 hlt
13619 jmp hlt_loop
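Review bot: `; call dump_stack` does not comment the call out: in x86 GAS `;` is the statement separator and `#` the comment character, so the line still assembles to `call dump_stack`, now merely moved inside CONFIG_PRINTK. If the call is meant to go, delete the line or write `# call dump_stack`; if it is meant to stay, drop the `;` so the source says what the object contains; either way, check the assembled output. The recursion check itself, moved ahead of the `%ds` load and addressing the flag via `%ss:`, is a sound fix for a fault taken with a bad %ds, and a comment such as `# %ds may be invalid here: address the flag through %ss` would make the override's purpose clear; the same applies to the `%ss:early_recursion_flag` accesses in the ignore_int hunk below.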
13620@@ -581,8 +662,11 @@ hlt_loop:
13621 /* This is the default interrupt "handler" :-) */
13622 ALIGN
13623 ignore_int:
13624- cld
13625 #ifdef CONFIG_PRINTK
13626+ cmpl $2,%ss:early_recursion_flag
13627+ je hlt_loop
13628+ incl %ss:early_recursion_flag
13629+ cld
13630 pushl %eax
13631 pushl %ecx
13632 pushl %edx
13633@@ -591,9 +675,6 @@ ignore_int:
13634 movl $(__KERNEL_DS),%eax
13635 movl %eax,%ds
13636 movl %eax,%es
13637- cmpl $2,early_recursion_flag
13638- je hlt_loop
13639- incl early_recursion_flag
13640 pushl 16(%esp)
13641 pushl 24(%esp)
13642 pushl 32(%esp)
13643@@ -622,29 +703,43 @@ ENTRY(initial_code)
13644 /*
13645 * BSS section
13646 */
13647-__PAGE_ALIGNED_BSS
13648- .align PAGE_SIZE
13649 #ifdef CONFIG_X86_PAE
13650+.section .initial_pg_pmd,"a",@progbits
13651 initial_pg_pmd:
13652 .fill 1024*KPMDS,4,0
13653 #else
13654+.section .initial_page_table,"a",@progbits
13655 ENTRY(initial_page_table)
13656 .fill 1024,4,0
13657 #endif
13658+.section .initial_pg_fixmap,"a",@progbits
13659 initial_pg_fixmap:
13660 .fill 1024,4,0
13661+.section .empty_zero_page,"a",@progbits
13662 ENTRY(empty_zero_page)
13663 .fill 4096,1,0
13664+.section .swapper_pg_dir,"a",@progbits
13665 ENTRY(swapper_pg_dir)
13666+#ifdef CONFIG_X86_PAE
13667+ .fill 4,8,0
13668+#else
13669 .fill 1024,4,0
13670+#endif
13671+
13672+/*
13673+ * The IDT has to be page-aligned to simplify the Pentium
13674+ * F0 0F bug workaround.. We have a special link segment
13675+ * for this.
13676+ */
13677+.section .idt,"a",@progbits
13678+ENTRY(idt_table)
13679+ .fill 256,8,0
13680
13681 /*
13682 * This starts the data section.
13683 */
13684 #ifdef CONFIG_X86_PAE
13685-__PAGE_ALIGNED_DATA
13686- /* Page-aligned for the benefit of paravirt? */
13687- .align PAGE_SIZE
13688+.section .initial_page_table,"a",@progbits
13689 ENTRY(initial_page_table)
13690 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
13691 # if KPMDS == 3
13692@@ -663,18 +758,27 @@ ENTRY(initial_page_table)
13693 # error "Kernel PMDs should be 1, 2 or 3"
13694 # endif
13695 .align PAGE_SIZE /* needs to be page-sized too */
13696+
13697+#ifdef CONFIG_PAX_PER_CPU_PGD
13698+ENTRY(cpu_pgd)
13699+ .rept NR_CPUS
13700+ .fill 4,8,0
13701+ .endr
13702+#endif
13703+
13704 #endif
13705
13706 .data
13707 .balign 4
13708 ENTRY(stack_start)
13709- .long init_thread_union+THREAD_SIZE
13710+ .long init_thread_union+THREAD_SIZE-8
13711+
13712+ready: .byte 0
13713
13714+.section .rodata,"a",@progbits
13715 early_recursion_flag:
13716 .long 0
13717
13718-ready: .byte 0
13719-
13720 int_msg:
13721 .asciz "Unknown interrupt or fault at: %p %p %p\n"
13722
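Review bot: `early_recursion_flag` is moved into `.rodata` while `ready` is moved out of it into `.data`, yet the flag is the one that is written (`incl %ss:early_recursion_flag` in the early_fault and ignore_int hunks above). That only works while the early page tables still map `.rodata` writable; once the section is protected, the increment faults, the fault handler re-enters, and the guard it is trying to set is the thing it cannot write, so the recursion check protects nothing. I cannot see from here when protection is applied; if the flag is only meaningful before that point, say so, e.g. `/* written by early_fault/ignore_int; only valid before .rodata is made read-only */`, otherwise keep it next to `ready` in `.data`.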
13723@@ -707,7 +811,7 @@ fault_msg:
13724 .word 0 # 32 bit align gdt_desc.address
13725 boot_gdt_descr:
13726 .word __BOOT_DS+7
13727- .long boot_gdt - __PAGE_OFFSET
13728+ .long pa(boot_gdt)
13729
13730 .word 0 # 32-bit align idt_desc.address
13731 idt_descr:
13732@@ -718,7 +822,7 @@ idt_descr:
13733 .word 0 # 32 bit align gdt_desc.address
13734 ENTRY(early_gdt_descr)
13735 .word GDT_ENTRIES*8-1
13736- .long gdt_page /* Overwritten for secondary CPUs */
13737+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
13738
13739 /*
13740 * The boot_gdt must mirror the equivalent in setup.S and is
13741@@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
13742 .align L1_CACHE_BYTES
13743 ENTRY(boot_gdt)
13744 .fill GDT_ENTRY_BOOT_CS,8,0
13745- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
13746- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
13747+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
13748+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
13749+
13750+ .align PAGE_SIZE_asm
13751+ENTRY(cpu_gdt_table)
13752+ .rept NR_CPUS
13753+ .quad 0x0000000000000000 /* NULL descriptor */
13754+ .quad 0x0000000000000000 /* 0x0b reserved */
13755+ .quad 0x0000000000000000 /* 0x13 reserved */
13756+ .quad 0x0000000000000000 /* 0x1b reserved */
13757+
13758+#ifdef CONFIG_PAX_KERNEXEC
13759+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
13760+#else
13761+ .quad 0x0000000000000000 /* 0x20 unused */
13762+#endif
13763+
13764+ .quad 0x0000000000000000 /* 0x28 unused */
13765+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
13766+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
13767+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
13768+ .quad 0x0000000000000000 /* 0x4b reserved */
13769+ .quad 0x0000000000000000 /* 0x53 reserved */
13770+ .quad 0x0000000000000000 /* 0x5b reserved */
13771+
13772+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
13773+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
13774+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
13775+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
13776+
13777+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
13778+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
13779+
13780+ /*
13781+ * Segments used for calling PnP BIOS have byte granularity.
13782+ * The code segments and data segments have fixed 64k limits,
13783+ * the transfer segment sizes are set at run time.
13784+ */
13785+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
13786+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
13787+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
13788+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
13789+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
13790+
13791+ /*
13792+ * The APM segments have byte granularity and their bases
13793+ * are set at run time. All have 64k limits.
13794+ */
13795+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
13796+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
13797+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
13798+
13799+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
13800+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
13801+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
13802+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
13803+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
13804+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
13805+
13806+ /* Be sure this is zeroed to avoid false validations in Xen */
13807+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
13808+ .endr
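Review bot: The boot_gdt descriptors change from `0x00cf9a…`/`0x00cf92…` to `0x00cf9b…`/`0x00cf93…` with the old comments kept unchanged, so the diff gives no hint what differs. The only changed bit is the Accessed bit, presumably preset so the CPU never has to write the descriptor back, which matters if the GDT page can be mapped read-only; the new cpu_gdt_table here and the one added in head_64.S below use the same preset-A values. One line above the table, `/* A bit preset in every descriptor: the CPU must never need to write the GDT */`, would record the invariant for whoever adds an entry later.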
13809diff -urNp linux-3.1.1/arch/x86/kernel/head_64.S linux-3.1.1/arch/x86/kernel/head_64.S
13810--- linux-3.1.1/arch/x86/kernel/head_64.S 2011-11-11 15:19:27.000000000 -0500
13811+++ linux-3.1.1/arch/x86/kernel/head_64.S 2011-11-16 18:39:07.000000000 -0500
13812@@ -19,6 +19,7 @@
13813 #include <asm/cache.h>
13814 #include <asm/processor-flags.h>
13815 #include <asm/percpu.h>
13816+#include <asm/cpufeature.h>
13817
13818 #ifdef CONFIG_PARAVIRT
13819 #include <asm/asm-offsets.h>
13820@@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
13821 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
13822 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
13823 L3_START_KERNEL = pud_index(__START_KERNEL_map)
13824+L4_VMALLOC_START = pgd_index(VMALLOC_START)
13825+L3_VMALLOC_START = pud_index(VMALLOC_START)
13826+L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
13827+L3_VMEMMAP_START = pud_index(VMEMMAP_START)
13828
13829 .text
13830 __HEAD
13831@@ -85,35 +90,22 @@ startup_64:
13832 */
13833 addq %rbp, init_level4_pgt + 0(%rip)
13834 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
13835+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
13836+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
13837 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
13838
13839 addq %rbp, level3_ident_pgt + 0(%rip)
13840+#ifndef CONFIG_XEN
13841+ addq %rbp, level3_ident_pgt + 8(%rip)
13842+#endif
13843
13844- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
13845- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
13846+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
13847
13848- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
13849+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
13850+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
13851
13852- /* Add an Identity mapping if I am above 1G */
13853- leaq _text(%rip), %rdi
13854- andq $PMD_PAGE_MASK, %rdi
13855-
13856- movq %rdi, %rax
13857- shrq $PUD_SHIFT, %rax
13858- andq $(PTRS_PER_PUD - 1), %rax
13859- jz ident_complete
13860-
13861- leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
13862- leaq level3_ident_pgt(%rip), %rbx
13863- movq %rdx, 0(%rbx, %rax, 8)
13864-
13865- movq %rdi, %rax
13866- shrq $PMD_SHIFT, %rax
13867- andq $(PTRS_PER_PMD - 1), %rax
13868- leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
13869- leaq level2_spare_pgt(%rip), %rbx
13870- movq %rdx, 0(%rbx, %rax, 8)
13871-ident_complete:
13872+ addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
13873+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
13874
13875 /*
13876 * Fixup the kernel text+data virtual addresses. Note that
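Review bot: The removed "Add an Identity mapping if I am above 1G" code is replaced by a static identity map (the second level3_ident_pgt entry here and `PMDS(0, …, 2*PTRS_PER_PMD)` in the level2_ident_pgt hunk below), so a kernel that the bootloader or kexec places above 2G now runs startup_64 with no identity mapping of its own text, a case the old code handled for any load address. If such placements are ruled out elsewhere (CONFIG_RELOCATABLE limits, KERNEXEC assumptions) that is fine, but the limit is now implicit; a comment where the dynamic map used to be, e.g. `/* identity map is static and covers 0-2G; the image must be loaded below that */`, makes it visible. The `#ifndef CONFIG_XEN` guard on the second level3_ident_pgt fixup pairs with the Xen-specific table layout further down and deserves a one-word pointer to it. startup_64 continues outside this hunk.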
13877@@ -160,8 +152,8 @@ ENTRY(secondary_startup_64)
13878 * after the boot processor executes this code.
13879 */
13880
13881- /* Enable PAE mode and PGE */
13882- movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
13883+ /* Enable PAE mode and PSE/PGE */
13884+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
13885 movq %rax, %cr4
13886
13887 /* Setup early boot stage 4 level pagetables. */
13888@@ -183,9 +175,14 @@ ENTRY(secondary_startup_64)
13889 movl $MSR_EFER, %ecx
13890 rdmsr
13891 btsl $_EFER_SCE, %eax /* Enable System Call */
13892- btl $20,%edi /* No Execute supported? */
13893+ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
13894 jnc 1f
13895 btsl $_EFER_NX, %eax
13896+ leaq init_level4_pgt(%rip), %rdi
13897+ btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
13898+ btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
13899+ btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
13900+ btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
13901 1: wrmsr /* Make changes effective */
13902
13903 /* Setup cr0 */
13904@@ -269,7 +266,7 @@ ENTRY(secondary_startup_64)
13905 bad_address:
13906 jmp bad_address
13907
13908- .section ".init.text","ax"
13909+ __INIT
13910 #ifdef CONFIG_EARLY_PRINTK
13911 .globl early_idt_handlers
13912 early_idt_handlers:
13913@@ -314,18 +311,23 @@ ENTRY(early_idt_handler)
13914 #endif /* EARLY_PRINTK */
13915 1: hlt
13916 jmp 1b
13917+ .previous
13918
13919 #ifdef CONFIG_EARLY_PRINTK
13920+ __INITDATA
13921 early_recursion_flag:
13922 .long 0
13923+ .previous
13924
13925+ .section .rodata,"a",@progbits
13926 early_idt_msg:
13927 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
13928 early_idt_ripmsg:
13929 .asciz "RIP %s\n"
13930-#endif /* CONFIG_EARLY_PRINTK */
13931 .previous
13932+#endif /* CONFIG_EARLY_PRINTK */
13933
13934+ .section .rodata,"a",@progbits
13935 #define NEXT_PAGE(name) \
13936 .balign PAGE_SIZE; \
13937 ENTRY(name)
13938@@ -338,7 +340,6 @@ ENTRY(name)
13939 i = i + 1 ; \
13940 .endr
13941
13942- .data
13943 /*
13944 * This default setting generates an ident mapping at address 0x100000
13945 * and a mapping for the kernel that precisely maps virtual address
13946@@ -349,13 +350,36 @@ NEXT_PAGE(init_level4_pgt)
13947 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13948 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
13949 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13950+ .org init_level4_pgt + L4_VMALLOC_START*8, 0
13951+ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
13952+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0
13953+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13954 .org init_level4_pgt + L4_START_KERNEL*8, 0
13955 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
13956 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
13957
13958+#ifdef CONFIG_PAX_PER_CPU_PGD
13959+NEXT_PAGE(cpu_pgd)
13960+ .rept NR_CPUS
13961+ .fill 512,8,0
13962+ .endr
13963+#endif
13964+
13965 NEXT_PAGE(level3_ident_pgt)
13966 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
13967+#ifdef CONFIG_XEN
13968 .fill 511,8,0
13969+#else
13970+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
13971+ .fill 510,8,0
13972+#endif
13973+
13974+NEXT_PAGE(level3_vmalloc_pgt)
13975+ .fill 512,8,0
13976+
13977+NEXT_PAGE(level3_vmemmap_pgt)
13978+ .fill L3_VMEMMAP_START,8,0
13979+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
13980
13981 NEXT_PAGE(level3_kernel_pgt)
13982 .fill L3_START_KERNEL,8,0
13983@@ -363,20 +387,23 @@ NEXT_PAGE(level3_kernel_pgt)
13984 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
13985 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13986
13987+NEXT_PAGE(level2_vmemmap_pgt)
13988+ .fill 512,8,0
13989+
13990 NEXT_PAGE(level2_fixmap_pgt)
13991- .fill 506,8,0
13992- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
13993- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
13994- .fill 5,8,0
13995+ .fill 507,8,0
13996+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
13997+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
13998+ .fill 4,8,0
13999
14000-NEXT_PAGE(level1_fixmap_pgt)
14001+NEXT_PAGE(level1_vsyscall_pgt)
14002 .fill 512,8,0
14003
14004-NEXT_PAGE(level2_ident_pgt)
14005- /* Since I easily can, map the first 1G.
14006+ /* Since I easily can, map the first 2G.
14007 * Don't set NX because code runs from these pages.
14008 */
14009- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
14010+NEXT_PAGE(level2_ident_pgt)
14011+ PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
14012
14013 NEXT_PAGE(level2_kernel_pgt)
14014 /*
14015@@ -389,33 +416,55 @@ NEXT_PAGE(level2_kernel_pgt)
14016 * If you want to increase this then increase MODULES_VADDR
14017 * too.)
14018 */
14019- PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
14020- KERNEL_IMAGE_SIZE/PMD_SIZE)
14021-
14022-NEXT_PAGE(level2_spare_pgt)
14023- .fill 512, 8, 0
14024+ PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
14025
14026 #undef PMDS
14027 #undef NEXT_PAGE
14028
14029- .data
14030+ .align PAGE_SIZE
14031+ENTRY(cpu_gdt_table)
14032+ .rept NR_CPUS
14033+ .quad 0x0000000000000000 /* NULL descriptor */
14034+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
14035+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
14036+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
14037+ .quad 0x00cffb000000ffff /* __USER32_CS */
14038+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
14039+ .quad 0x00affb000000ffff /* __USER_CS */
14040+
14041+#ifdef CONFIG_PAX_KERNEXEC
14042+ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
14043+#else
14044+ .quad 0x0 /* unused */
14045+#endif
14046+
14047+ .quad 0,0 /* TSS */
14048+ .quad 0,0 /* LDT */
14049+ .quad 0,0,0 /* three TLS descriptors */
14050+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
14051+ /* asm/segment.h:GDT_ENTRIES must match this */
14052+
14053+ /* zero the remaining page */
14054+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
14055+ .endr
14056+
14057 .align 16
14058 .globl early_gdt_descr
14059 early_gdt_descr:
14060 .word GDT_ENTRIES*8-1
14061 early_gdt_descr_base:
14062- .quad INIT_PER_CPU_VAR(gdt_page)
14063+ .quad cpu_gdt_table
14064
14065 ENTRY(phys_base)
14066 /* This must match the first entry in level2_kernel_pgt */
14067 .quad 0x0000000000000000
14068
14069 #include "../../x86/xen/xen-head.S"
14070-
14071- .section .bss, "aw", @nobits
14072+
14073+ .section .rodata,"a",@progbits
14074 .align L1_CACHE_BYTES
14075 ENTRY(idt_table)
14076- .skip IDT_ENTRIES * 16
14077+ .fill 512,8,0
14078
14079 __PAGE_ALIGNED_BSS
14080 .align PAGE_SIZE
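Review bot: `idt_table` is now sized with a literal `.fill 512,8,0` where the removed line used `IDT_ENTRIES * 16`; the two agree only while IDT_ENTRIES is 256, so `.fill IDT_ENTRIES*2,8,0` keeps the size tied to the constant without changing the output. The same applies to `cpu_gdt_table`, whose `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` silently assumes the 16 descriptors listed above match GDT_ENTRIES; an assembler-time `.if`/`.error` check would turn a mismatch into a build failure rather than a corrupted GDT page. Moving `idt_table` into `.rodata` means every runtime IDT write must go through the kernel-write open/close path; presumably the patch does that in the descriptor helpers, but a comment at the definition saying so would help. Dropping the `.data` directive also leaves `early_gdt_descr` and `phys_base` in whatever section the preceding page tables use (selected outside this hunk); `early_gdt_descr_base` is rewritten during secondary CPU bring-up in mainline, so confirm that section stays writable there or that the writer is wrapped.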
14081diff -urNp linux-3.1.1/arch/x86/kernel/i386_ksyms_32.c linux-3.1.1/arch/x86/kernel/i386_ksyms_32.c
14082--- linux-3.1.1/arch/x86/kernel/i386_ksyms_32.c 2011-11-11 15:19:27.000000000 -0500
14083+++ linux-3.1.1/arch/x86/kernel/i386_ksyms_32.c 2011-11-16 18:39:07.000000000 -0500
14084@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
14085 EXPORT_SYMBOL(cmpxchg8b_emu);
14086 #endif
14087
14088+EXPORT_SYMBOL_GPL(cpu_gdt_table);
14089+
14090 /* Networking helper routines. */
14091 EXPORT_SYMBOL(csum_partial_copy_generic);
14092+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
14093+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
14094
14095 EXPORT_SYMBOL(__get_user_1);
14096 EXPORT_SYMBOL(__get_user_2);
14097@@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
14098
14099 EXPORT_SYMBOL(csum_partial);
14100 EXPORT_SYMBOL(empty_zero_page);
14101+
14102+#ifdef CONFIG_PAX_KERNEXEC
14103+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
14104+#endif
14105diff -urNp linux-3.1.1/arch/x86/kernel/i8259.c linux-3.1.1/arch/x86/kernel/i8259.c
14106--- linux-3.1.1/arch/x86/kernel/i8259.c 2011-11-11 15:19:27.000000000 -0500
14107+++ linux-3.1.1/arch/x86/kernel/i8259.c 2011-11-16 18:39:07.000000000 -0500
14108@@ -210,7 +210,7 @@ spurious_8259A_irq:
14109 "spurious 8259A interrupt: IRQ%d.\n", irq);
14110 spurious_irq_mask |= irqmask;
14111 }
14112- atomic_inc(&irq_err_count);
14113+ atomic_inc_unchecked(&irq_err_count);
14114 /*
14115 * Theoretically we do not have to handle this IRQ,
14116 * but in Linux this does not cause problems and is
14117diff -urNp linux-3.1.1/arch/x86/kernel/init_task.c linux-3.1.1/arch/x86/kernel/init_task.c
14118--- linux-3.1.1/arch/x86/kernel/init_task.c 2011-11-11 15:19:27.000000000 -0500
14119+++ linux-3.1.1/arch/x86/kernel/init_task.c 2011-11-16 18:39:07.000000000 -0500
14120@@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
14121 * way process stacks are handled. This is done by having a special
14122 * "init_task" linker map entry..
14123 */
14124-union thread_union init_thread_union __init_task_data =
14125- { INIT_THREAD_INFO(init_task) };
14126+union thread_union init_thread_union __init_task_data;
14127
14128 /*
14129 * Initial task structure.
14130@@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
14131 * section. Since TSS's are completely CPU-local, we want them
14132 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
14133 */
14134-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
14135-
14136+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
14137+EXPORT_SYMBOL(init_tss);
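Review bot: The static `[NR_CPUS]` sizing of `init_tss` fixes its footprint at the compile-time CPU limit rather than at the CPUs actually present, as the per-cpu definition it replaces did; since `struct tss_struct` carries the I/O permission bitmap, each slot is several KB and a distro-style NR_CPUS makes this a noticeable static cost (exact size not visible here). If the array form is needed so the TSS sits in a fixed, protectable location, a comment on the definition stating that trade-off, e.g. `/* plain array rather than per-cpu so the TSS has a fixed address; costs sizeof(struct tss_struct) * NR_CPUS */`, would record the reasoning (presumed, not visible here). `EXPORT_SYMBOL(init_tss)` is a non-GPL export of a security-sensitive table; `EXPORT_SYMBOL_GPL` would match the `cpu_gdt_table` export added in i386_ksyms_32.c above.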
14138diff -urNp linux-3.1.1/arch/x86/kernel/ioport.c linux-3.1.1/arch/x86/kernel/ioport.c
14139--- linux-3.1.1/arch/x86/kernel/ioport.c 2011-11-11 15:19:27.000000000 -0500
14140+++ linux-3.1.1/arch/x86/kernel/ioport.c 2011-11-16 18:40:08.000000000 -0500
14141@@ -6,6 +6,7 @@
14142 #include <linux/sched.h>
14143 #include <linux/kernel.h>
14144 #include <linux/capability.h>
14145+#include <linux/security.h>
14146 #include <linux/errno.h>
14147 #include <linux/types.h>
14148 #include <linux/ioport.h>
14149@@ -28,6 +29,12 @@ asmlinkage long sys_ioperm(unsigned long
14150
14151 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
14152 return -EINVAL;
14153+#ifdef CONFIG_GRKERNSEC_IO
14154+ if (turn_on && grsec_disable_privio) {
14155+ gr_handle_ioperm();
14156+ return -EPERM;
14157+ }
14158+#endif
14159 if (turn_on && !capable(CAP_SYS_RAWIO))
14160 return -EPERM;
14161
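Review bot: The CONFIG_GRKERNSEC_IO deny runs before `capable(CAP_SYS_RAWIO)`, so when `grsec_disable_privio` is set the request is refused regardless of capabilities and `gr_handle_ioperm()` fires for unprivileged callers too; that precedence looks intentional but is undocumented. Suggest `/* grsec_disable_privio takes precedence over CAP_SYS_RAWIO: deny before the capability check */` here and at the matching block in the sys_iopl hunk (`@@ -102,6 +109,12 @@`). sys_ioperm's body starts and ends outside this hunk.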
14162@@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long
14163 * because the ->io_bitmap_max value must match the bitmap
14164 * contents:
14165 */
14166- tss = &per_cpu(init_tss, get_cpu());
14167+ tss = init_tss + get_cpu();
14168
14169 if (turn_on)
14170 bitmap_clear(t->io_bitmap_ptr, from, num);
14171@@ -102,6 +109,12 @@ long sys_iopl(unsigned int level, struct
14172 return -EINVAL;
14173 /* Trying to gain more privileges? */
14174 if (level > old) {
14175+#ifdef CONFIG_GRKERNSEC_IO
14176+ if (grsec_disable_privio) {
14177+ gr_handle_iopl();
14178+ return -EPERM;
14179+ }
14180+#endif
14181 if (!capable(CAP_SYS_RAWIO))
14182 return -EPERM;
14183 }
14184diff -urNp linux-3.1.1/arch/x86/kernel/irq_32.c linux-3.1.1/arch/x86/kernel/irq_32.c
14185--- linux-3.1.1/arch/x86/kernel/irq_32.c 2011-11-11 15:19:27.000000000 -0500
14186+++ linux-3.1.1/arch/x86/kernel/irq_32.c 2011-11-16 18:39:07.000000000 -0500
14187@@ -36,7 +36,7 @@ static int check_stack_overflow(void)
14188 __asm__ __volatile__("andl %%esp,%0" :
14189 "=r" (sp) : "0" (THREAD_SIZE - 1));
14190
14191- return sp < (sizeof(struct thread_info) + STACK_WARN);
14192+ return sp < STACK_WARN;
14193 }
14194
14195 static void print_stack_overflow(void)
14196@@ -54,8 +54,8 @@ static inline void print_stack_overflow(
14197 * per-CPU IRQ handling contexts (thread information and stack)
14198 */
14199 union irq_ctx {
14200- struct thread_info tinfo;
14201- u32 stack[THREAD_SIZE/sizeof(u32)];
14202+ unsigned long previous_esp;
14203+ u32 stack[THREAD_SIZE/sizeof(u32)];
14204 } __attribute__((aligned(THREAD_SIZE)));
14205
14206 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
14207@@ -75,10 +75,9 @@ static void call_on_stack(void *func, vo
14208 static inline int
14209 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
14210 {
14211- union irq_ctx *curctx, *irqctx;
14212+ union irq_ctx *irqctx;
14213 u32 *isp, arg1, arg2;
14214
14215- curctx = (union irq_ctx *) current_thread_info();
14216 irqctx = __this_cpu_read(hardirq_ctx);
14217
14218 /*
14219@@ -87,21 +86,16 @@ execute_on_irq_stack(int overflow, struc
14220 * handler) we can't do that and just have to keep using the
14221 * current stack (which is the irq stack already after all)
14222 */
14223- if (unlikely(curctx == irqctx))
14224+ if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
14225 return 0;
14226
14227 /* build the stack frame on the IRQ stack */
14228- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14229- irqctx->tinfo.task = curctx->tinfo.task;
14230- irqctx->tinfo.previous_esp = current_stack_pointer;
14231+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14232+ irqctx->previous_esp = current_stack_pointer;
14233
14234- /*
14235- * Copy the softirq bits in preempt_count so that the
14236- * softirq checks work in the hardirq context.
14237- */
14238- irqctx->tinfo.preempt_count =
14239- (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
14240- (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
14241+#ifdef CONFIG_PAX_MEMORY_UDEREF
14242+ __set_fs(MAKE_MM_SEG(0));
14243+#endif
14244
14245 if (unlikely(overflow))
14246 call_on_stack(print_stack_overflow, isp);
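Review bot: The initial IRQ-stack pointer is now `sizeof(*irqctx) - 8` with no explanation of what the reserved 8 bytes at the top of the context are for; the same literal appears in the do_softirq hunk (`@@ -162,15 +142,22 @@`). A named constant plus a comment would keep the two sites in step, e.g. `/* leave 8 bytes unused at the top of the irq stack — TODO state why */`. The new on-IRQ-stack test subtracts `void *` pointers and compares the signed difference with THREAD_SIZE, relying on the implicit conversion to unsigned long to reject a stack that lies below `irqctx`; an explicit range check such as `sp >= (unsigned long)irqctx && sp - (unsigned long)irqctx < THREAD_SIZE` reads more clearly. execute_on_irq_stack continues outside this hunk.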
14247@@ -113,6 +107,11 @@ execute_on_irq_stack(int overflow, struc
14248 : "0" (irq), "1" (desc), "2" (isp),
14249 "D" (desc->handle_irq)
14250 : "memory", "cc", "ecx");
14251+
14252+#ifdef CONFIG_PAX_MEMORY_UDEREF
14253+ __set_fs(current_thread_info()->addr_limit);
14254+#endif
14255+
14256 return 1;
14257 }
14258
14259@@ -121,29 +120,11 @@ execute_on_irq_stack(int overflow, struc
14260 */
14261 void __cpuinit irq_ctx_init(int cpu)
14262 {
14263- union irq_ctx *irqctx;
14264-
14265 if (per_cpu(hardirq_ctx, cpu))
14266 return;
14267
14268- irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
14269- THREAD_FLAGS,
14270- THREAD_ORDER));
14271- memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
14272- irqctx->tinfo.cpu = cpu;
14273- irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
14274- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
14275-
14276- per_cpu(hardirq_ctx, cpu) = irqctx;
14277-
14278- irqctx = page_address(alloc_pages_node(cpu_to_node(cpu),
14279- THREAD_FLAGS,
14280- THREAD_ORDER));
14281- memset(&irqctx->tinfo, 0, sizeof(struct thread_info));
14282- irqctx->tinfo.cpu = cpu;
14283- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
14284-
14285- per_cpu(softirq_ctx, cpu) = irqctx;
14286+ per_cpu(hardirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
14287+ per_cpu(softirq_ctx, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREAD_FLAGS, THREAD_ORDER));
14288
14289 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
14290 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
14291@@ -152,7 +133,6 @@ void __cpuinit irq_ctx_init(int cpu)
14292 asmlinkage void do_softirq(void)
14293 {
14294 unsigned long flags;
14295- struct thread_info *curctx;
14296 union irq_ctx *irqctx;
14297 u32 *isp;
14298
14299@@ -162,15 +142,22 @@ asmlinkage void do_softirq(void)
14300 local_irq_save(flags);
14301
14302 if (local_softirq_pending()) {
14303- curctx = current_thread_info();
14304 irqctx = __this_cpu_read(softirq_ctx);
14305- irqctx->tinfo.task = curctx->task;
14306- irqctx->tinfo.previous_esp = current_stack_pointer;
14307+ irqctx->previous_esp = current_stack_pointer;
14308
14309 /* build the stack frame on the softirq stack */
14310- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14311+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14312+
14313+#ifdef CONFIG_PAX_MEMORY_UDEREF
14314+ __set_fs(MAKE_MM_SEG(0));
14315+#endif
14316
14317 call_on_stack(__do_softirq, isp);
14318+
14319+#ifdef CONFIG_PAX_MEMORY_UDEREF
14320+ __set_fs(current_thread_info()->addr_limit);
14321+#endif
14322+
14323 /*
14324 * Shouldn't happen, we returned above if in_interrupt():
14325 */
14326diff -urNp linux-3.1.1/arch/x86/kernel/irq.c linux-3.1.1/arch/x86/kernel/irq.c
14327--- linux-3.1.1/arch/x86/kernel/irq.c 2011-11-11 15:19:27.000000000 -0500
14328+++ linux-3.1.1/arch/x86/kernel/irq.c 2011-11-16 18:39:07.000000000 -0500
14329@@ -17,7 +17,7 @@
14330 #include <asm/mce.h>
14331 #include <asm/hw_irq.h>
14332
14333-atomic_t irq_err_count;
14334+atomic_unchecked_t irq_err_count;
14335
14336 /* Function pointer for generic interrupt vector handling */
14337 void (*x86_platform_ipi_callback)(void) = NULL;
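Review bot: `irq_err_count` is switched to `atomic_unchecked_t` with no comment saying why; presumably this opts a pure statistics counter out of the overflow trap the patch adds to `atomic_t` elsewhere, but a reader seeing `_unchecked` will otherwise take it for a weakening. Suggest `/* statistics only, never a reference count: wrap-around is harmless, so use the unchecked variant */` at the definition; the same applies to the `atomic_inc_unchecked` in i8259.c, the reads in the two irq.c hunks below, and `kgdb_cpu_doing_single_step` in kgdb.c.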
14338@@ -116,9 +116,9 @@ int arch_show_interrupts(struct seq_file
14339 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
14340 seq_printf(p, " Machine check polls\n");
14341 #endif
14342- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
14343+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
14344 #if defined(CONFIG_X86_IO_APIC)
14345- seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
14346+ seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
14347 #endif
14348 return 0;
14349 }
14350@@ -158,10 +158,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
14351
14352 u64 arch_irq_stat(void)
14353 {
14354- u64 sum = atomic_read(&irq_err_count);
14355+ u64 sum = atomic_read_unchecked(&irq_err_count);
14356
14357 #ifdef CONFIG_X86_IO_APIC
14358- sum += atomic_read(&irq_mis_count);
14359+ sum += atomic_read_unchecked(&irq_mis_count);
14360 #endif
14361 return sum;
14362 }
14363diff -urNp linux-3.1.1/arch/x86/kernel/kgdb.c linux-3.1.1/arch/x86/kernel/kgdb.c
14364--- linux-3.1.1/arch/x86/kernel/kgdb.c 2011-11-11 15:19:27.000000000 -0500
14365+++ linux-3.1.1/arch/x86/kernel/kgdb.c 2011-11-16 18:39:07.000000000 -0500
14366@@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
14367 #ifdef CONFIG_X86_32
14368 switch (regno) {
14369 case GDB_SS:
14370- if (!user_mode_vm(regs))
14371+ if (!user_mode(regs))
14372 *(unsigned long *)mem = __KERNEL_DS;
14373 break;
14374 case GDB_SP:
14375- if (!user_mode_vm(regs))
14376+ if (!user_mode(regs))
14377 *(unsigned long *)mem = kernel_stack_pointer(regs);
14378 break;
14379 case GDB_GS:
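Review bot: Replacing `user_mode_vm()` with `user_mode()` in dbg_get_reg (and in kprobe_exceptions_notify in kprobes.c) drops the VM86 case: in mainline the former also treats a frame with `X86_VM_MASK` set in flags as user mode, while the latter inspects only the CS RPL, so a vm86 frame would now be classified as kernel mode and receive `__KERNEL_DS` / the kernel stack pointer. If this patch disables vm86 or redefines `user_mode()` elsewhere that is fine, but nothing here says so; a one-line comment at the first substitution, `/* user_mode() suffices here: vm86 frames are not reachable under this patch — TODO confirm */`, would record the reasoning. dbg_get_reg starts outside the hunk.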
14380@@ -473,12 +473,12 @@ int kgdb_arch_handle_exception(int e_vec
14381 case 'k':
14382 /* clear the trace bit */
14383 linux_regs->flags &= ~X86_EFLAGS_TF;
14384- atomic_set(&kgdb_cpu_doing_single_step, -1);
14385+ atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
14386
14387 /* set the trace bit if we're stepping */
14388 if (remcomInBuffer[0] == 's') {
14389 linux_regs->flags |= X86_EFLAGS_TF;
14390- atomic_set(&kgdb_cpu_doing_single_step,
14391+ atomic_set_unchecked(&kgdb_cpu_doing_single_step,
14392 raw_smp_processor_id());
14393 }
14394
14395@@ -534,7 +534,7 @@ static int __kgdb_notify(struct die_args
14396 return NOTIFY_DONE;
14397
14398 case DIE_DEBUG:
14399- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
14400+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
14401 if (user_mode(regs))
14402 return single_step_cont(regs, args);
14403 break;
14404diff -urNp linux-3.1.1/arch/x86/kernel/kprobes.c linux-3.1.1/arch/x86/kernel/kprobes.c
14405--- linux-3.1.1/arch/x86/kernel/kprobes.c 2011-11-11 15:19:27.000000000 -0500
14406+++ linux-3.1.1/arch/x86/kernel/kprobes.c 2011-11-16 18:39:07.000000000 -0500
14407@@ -117,8 +117,11 @@ static void __kprobes __synthesize_relat
14408 } __attribute__((packed)) *insn;
14409
14410 insn = (struct __arch_relative_insn *)from;
14411+
14412+ pax_open_kernel();
14413 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
14414 insn->op = op;
14415+ pax_close_kernel();
14416 }
14417
14418 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
14419@@ -155,7 +158,7 @@ static int __kprobes can_boost(kprobe_op
14420 kprobe_opcode_t opcode;
14421 kprobe_opcode_t *orig_opcodes = opcodes;
14422
14423- if (search_exception_tables((unsigned long)opcodes))
14424+ if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
14425 return 0; /* Page fault may occur on this address. */
14426
14427 retry:
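Review bot: `ktva_ktla`/`ktla_ktva` are applied to `unsigned long`, `long`, `u8 *`, `kprobe_opcode_t *` and a function pointer across the kprobes hunks, and the result is sometimes dereferenced directly (`*(ktla_ktva(p->addr))` in arch_copy_kprobe) and sometimes cast back from an integer (`*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr)` in kprobe_handler); the macros are evidently type-transparent, so if `addr` is already `kprobe_opcode_t *` as the removed line suggests, the kprobe_handler site can be written `*ktla_ktva(addr)` to match the arch_copy_kprobe form. A short comment at this first use explaining the two address views (the alias code executes from versus the one it is read and written through) would help readers unfamiliar with KERNEXEC, since the translation direction is easy to invert. can_boost's body starts and ends outside this hunk.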
14428@@ -316,7 +319,9 @@ static int __kprobes __copy_instruction(
14429 }
14430 }
14431 insn_get_length(&insn);
14432+ pax_open_kernel();
14433 memcpy(dest, insn.kaddr, insn.length);
14434+ pax_close_kernel();
14435
14436 #ifdef CONFIG_X86_64
14437 if (insn_rip_relative(&insn)) {
14438@@ -340,7 +345,9 @@ static int __kprobes __copy_instruction(
14439 (u8 *) dest;
14440 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
14441 disp = (u8 *) dest + insn_offset_displacement(&insn);
14442+ pax_open_kernel();
14443 *(s32 *) disp = (s32) newdisp;
14444+ pax_close_kernel();
14445 }
14446 #endif
14447 return insn.length;
14448@@ -354,12 +361,12 @@ static void __kprobes arch_copy_kprobe(s
14449 */
14450 __copy_instruction(p->ainsn.insn, p->addr, 0);
14451
14452- if (can_boost(p->addr))
14453+ if (can_boost(ktla_ktva(p->addr)))
14454 p->ainsn.boostable = 0;
14455 else
14456 p->ainsn.boostable = -1;
14457
14458- p->opcode = *p->addr;
14459+ p->opcode = *(ktla_ktva(p->addr));
14460 }
14461
14462 int __kprobes arch_prepare_kprobe(struct kprobe *p)
14463@@ -476,7 +483,7 @@ static void __kprobes setup_singlestep(s
14464 * nor set current_kprobe, because it doesn't use single
14465 * stepping.
14466 */
14467- regs->ip = (unsigned long)p->ainsn.insn;
14468+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14469 preempt_enable_no_resched();
14470 return;
14471 }
14472@@ -495,7 +502,7 @@ static void __kprobes setup_singlestep(s
14473 if (p->opcode == BREAKPOINT_INSTRUCTION)
14474 regs->ip = (unsigned long)p->addr;
14475 else
14476- regs->ip = (unsigned long)p->ainsn.insn;
14477+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14478 }
14479
14480 /*
14481@@ -574,7 +581,7 @@ static int __kprobes kprobe_handler(stru
14482 setup_singlestep(p, regs, kcb, 0);
14483 return 1;
14484 }
14485- } else if (*addr != BREAKPOINT_INSTRUCTION) {
14486+ } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
14487 /*
14488 * The breakpoint instruction was removed right
14489 * after we hit it. Another cpu has removed
14490@@ -682,6 +689,9 @@ static void __used __kprobes kretprobe_t
14491 " movq %rax, 152(%rsp)\n"
14492 RESTORE_REGS_STRING
14493 " popfq\n"
14494+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
14495+ " btsq $63,(%rsp)\n"
14496+#endif
14497 #else
14498 " pushf\n"
14499 SAVE_REGS_STRING
14500@@ -819,7 +829,7 @@ static void __kprobes resume_execution(s
14501 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
14502 {
14503 unsigned long *tos = stack_addr(regs);
14504- unsigned long copy_ip = (unsigned long)p->ainsn.insn;
14505+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
14506 unsigned long orig_ip = (unsigned long)p->addr;
14507 kprobe_opcode_t *insn = p->ainsn.insn;
14508
14509@@ -1001,7 +1011,7 @@ int __kprobes kprobe_exceptions_notify(s
14510 struct die_args *args = data;
14511 int ret = NOTIFY_DONE;
14512
14513- if (args->regs && user_mode_vm(args->regs))
14514+ if (args->regs && user_mode(args->regs))
14515 return ret;
14516
14517 switch (val) {
14518@@ -1383,7 +1393,7 @@ int __kprobes arch_prepare_optimized_kpr
14519 * Verify if the address gap is in 2GB range, because this uses
14520 * a relative jump.
14521 */
14522- rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
14523+ rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
14524 if (abs(rel) > 0x7fffffff)
14525 return -ERANGE;
14526
14527@@ -1404,11 +1414,11 @@ int __kprobes arch_prepare_optimized_kpr
14528 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
14529
14530 /* Set probe function call */
14531- synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
14532+ synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
14533
14534 /* Set returning jmp instruction at the tail of out-of-line buffer */
14535 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
14536- (u8 *)op->kp.addr + op->optinsn.size);
14537+ (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
14538
14539 flush_icache_range((unsigned long) buf,
14540 (unsigned long) buf + TMPL_END_IDX +
14541@@ -1430,7 +1440,7 @@ static void __kprobes setup_optimize_kpr
14542 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
14543
14544 /* Backup instructions which will be replaced by jump address */
14545- memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
14546+ memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
14547 RELATIVE_ADDR_SIZE);
14548
14549 insn_buf[0] = RELATIVEJUMP_OPCODE;
14550diff -urNp linux-3.1.1/arch/x86/kernel/kvm.c linux-3.1.1/arch/x86/kernel/kvm.c
14551--- linux-3.1.1/arch/x86/kernel/kvm.c 2011-11-11 15:19:27.000000000 -0500
14552+++ linux-3.1.1/arch/x86/kernel/kvm.c 2011-11-16 18:39:07.000000000 -0500
14553@@ -437,6 +437,7 @@ static void __init paravirt_ops_setup(vo
14554 pv_mmu_ops.set_pud = kvm_set_pud;
14555 #if PAGETABLE_LEVELS == 4
14556 pv_mmu_ops.set_pgd = kvm_set_pgd;
14557+ pv_mmu_ops.set_pgd_batched = kvm_set_pgd;
14558 #endif
14559 #endif
14560 pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
14561diff -urNp linux-3.1.1/arch/x86/kernel/ldt.c linux-3.1.1/arch/x86/kernel/ldt.c
14562--- linux-3.1.1/arch/x86/kernel/ldt.c 2011-11-11 15:19:27.000000000 -0500
14563+++ linux-3.1.1/arch/x86/kernel/ldt.c 2011-11-16 18:39:07.000000000 -0500
14564@@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
14565 if (reload) {
14566 #ifdef CONFIG_SMP
14567 preempt_disable();
14568- load_LDT(pc);
14569+ load_LDT_nolock(pc);
14570 if (!cpumask_equal(mm_cpumask(current->mm),
14571 cpumask_of(smp_processor_id())))
14572 smp_call_function(flush_ldt, current->mm, 1);
14573 preempt_enable();
14574 #else
14575- load_LDT(pc);
14576+ load_LDT_nolock(pc);
14577 #endif
14578 }
14579 if (oldsize) {
14580@@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
14581 return err;
14582
14583 for (i = 0; i < old->size; i++)
14584- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
14585+ write_ldt_entry(new->ldt, i, old->ldt + i);
14586 return 0;
14587 }
14588
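Review bot: `write_ldt_entry(new->ldt, i, old->ldt + i)` is only correct if `mm_context_t.ldt` is now typed `struct desc_struct *`; with mainline 3.1's `void *ldt` the removed byte offset `i * LDT_ENTRY_SIZE` was the right one and `+ i` would advance a single byte per entry. Presumably the type changes elsewhere in this patch, but nothing in this hunk shows it; a comment such as `/* ldt is struct desc_struct *, so index by entry, not by byte */` at the call would tie the two together. copy_ldt starts outside the hunk.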
14589@@ -116,6 +116,24 @@ int init_new_context(struct task_struct
14590 retval = copy_ldt(&mm->context, &old_mm->context);
14591 mutex_unlock(&old_mm->context.lock);
14592 }
14593+
14594+ if (tsk == current) {
14595+ mm->context.vdso = 0;
14596+
14597+#ifdef CONFIG_X86_32
14598+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
14599+ mm->context.user_cs_base = 0UL;
14600+ mm->context.user_cs_limit = ~0UL;
14601+
14602+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
14603+ cpus_clear(mm->context.cpu_user_cs_mask);
14604+#endif
14605+
14606+#endif
14607+#endif
14608+
14609+ }
14610+
14611 return retval;
14612 }
14613
14614@@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
14615 }
14616 }
14617
14618+#ifdef CONFIG_PAX_SEGMEXEC
14619+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
14620+ error = -EINVAL;
14621+ goto out_unlock;
14622+ }
14623+#endif
14624+
14625 fill_ldt(&ldt, &ldt_info);
14626 if (oldmode)
14627 ldt.avl = 0;
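Review bot: The new CONFIG_PAX_SEGMEXEC rejection of LDT entries with `MODIFY_LDT_CONTENTS_CODE` is a security control with no comment stating what it closes; presumably a user-installed code descriptor would otherwise let code run from addresses the segment-based non-exec split is meant to exclude. Suggest `/* SEGMEXEC: a user-defined code segment would escape the CS-based non-exec split, so refuse it */` above the `#ifdef`. It returns -EINVAL where the policy denials in ioport.c above use -EPERM; -EPERM is the more accurate code for a policy refusal, though -EINVAL has the merit of not advertising that the feature is active — either way, say which was intended. write_ldt and the `out_unlock` label lie outside the hunk.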
14628diff -urNp linux-3.1.1/arch/x86/kernel/machine_kexec_32.c linux-3.1.1/arch/x86/kernel/machine_kexec_32.c
14629--- linux-3.1.1/arch/x86/kernel/machine_kexec_32.c 2011-11-11 15:19:27.000000000 -0500
14630+++ linux-3.1.1/arch/x86/kernel/machine_kexec_32.c 2011-11-16 18:39:07.000000000 -0500
14631@@ -27,7 +27,7 @@
14632 #include <asm/cacheflush.h>
14633 #include <asm/debugreg.h>
14634
14635-static void set_idt(void *newidt, __u16 limit)
14636+static void set_idt(struct desc_struct *newidt, __u16 limit)
14637 {
14638 struct desc_ptr curidt;
14639
14640@@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
14641 }
14642
14643
14644-static void set_gdt(void *newgdt, __u16 limit)
14645+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
14646 {
14647 struct desc_ptr curgdt;
14648
14649@@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
14650 }
14651
14652 control_page = page_address(image->control_code_page);
14653- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
14654+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
14655
14656 relocate_kernel_ptr = control_page;
14657 page_list[PA_CONTROL_PAGE] = __pa(control_page);
14658diff -urNp linux-3.1.1/arch/x86/kernel/microcode_intel.c linux-3.1.1/arch/x86/kernel/microcode_intel.c
14659--- linux-3.1.1/arch/x86/kernel/microcode_intel.c 2011-11-11 15:19:27.000000000 -0500
14660+++ linux-3.1.1/arch/x86/kernel/microcode_intel.c 2011-11-16 18:39:07.000000000 -0500
14661@@ -440,13 +440,13 @@ static enum ucode_state request_microcod
14662
14663 static int get_ucode_user(void *to, const void *from, size_t n)
14664 {
14665- return copy_from_user(to, from, n);
14666+ return copy_from_user(to, (const void __force_user *)from, n);
14667 }
14668
14669 static enum ucode_state
14670 request_microcode_user(int cpu, const void __user *buf, size_t size)
14671 {
14672- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
14673+ return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
14674 }
14675
14676 static void microcode_fini_cpu(int cpu)
14677diff -urNp linux-3.1.1/arch/x86/kernel/module.c linux-3.1.1/arch/x86/kernel/module.c
14678--- linux-3.1.1/arch/x86/kernel/module.c 2011-11-11 15:19:27.000000000 -0500
14679+++ linux-3.1.1/arch/x86/kernel/module.c 2011-11-16 18:39:07.000000000 -0500
14680@@ -36,15 +36,60 @@
14681 #define DEBUGP(fmt...)
14682 #endif
14683
14684-void *module_alloc(unsigned long size)
14685+static inline void *__module_alloc(unsigned long size, pgprot_t prot)
14686 {
14687 if (PAGE_ALIGN(size) > MODULES_LEN)
14688 return NULL;
14689 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
14690- GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
14691+ GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
14692 -1, __builtin_return_address(0));
14693 }
14694
14695+void *module_alloc(unsigned long size)
14696+{
14697+
14698+#ifdef CONFIG_PAX_KERNEXEC
14699+ return __module_alloc(size, PAGE_KERNEL);
14700+#else
14701+ return __module_alloc(size, PAGE_KERNEL_EXEC);
14702+#endif
14703+
14704+}
14705+
14706+#ifdef CONFIG_PAX_KERNEXEC
14707+#ifdef CONFIG_X86_32
14708+void *module_alloc_exec(unsigned long size)
14709+{
14710+ struct vm_struct *area;
14711+
14712+ if (size == 0)
14713+ return NULL;
14714+
14715+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
14716+ return area ? area->addr : NULL;
14717+}
14718+EXPORT_SYMBOL(module_alloc_exec);
14719+
14720+void module_free_exec(struct module *mod, void *module_region)
14721+{
14722+ vunmap(module_region);
14723+}
14724+EXPORT_SYMBOL(module_free_exec);
14725+#else
14726+void module_free_exec(struct module *mod, void *module_region)
14727+{
14728+ module_free(mod, module_region);
14729+}
14730+EXPORT_SYMBOL(module_free_exec);
14731+
14732+void *module_alloc_exec(unsigned long size)
14733+{
14734+ return __module_alloc(size, PAGE_KERNEL_RX);
14735+}
14736+EXPORT_SYMBOL(module_alloc_exec);
14737+#endif
14738+#endif
14739+
14740 #ifdef CONFIG_X86_32
14741 int apply_relocate(Elf32_Shdr *sechdrs,
14742 const char *strtab,
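Review bot: Under CONFIG_PAX_KERNEXEC `module_alloc()` now returns non-executable `PAGE_KERNEL` memory, which changes the contract for every caller that expected `PAGE_KERNEL_EXEC`, and the new `module_alloc_exec()`/`module_free_exec()` pair is introduced without a comment saying that executable module text must come from it. A short header on the pair, e.g. `/* KERNEXEC: module_alloc() yields data-only mappings; code must be allocated with module_alloc_exec() and released with module_free_exec() */`, would make the split discoverable. The 32-bit `module_alloc_exec()` takes `&MODULES_EXEC_VADDR` / `&MODULES_EXEC_END`, which reads as linker-script symbols — if so, say so at the call. The empty lines directly inside `module_alloc()`'s braces are noise.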
14743@@ -55,14 +100,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
14744 unsigned int i;
14745 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
14746 Elf32_Sym *sym;
14747- uint32_t *location;
14748+ uint32_t *plocation, location;
14749
14750 DEBUGP("Applying relocate section %u to %u\n", relsec,
14751 sechdrs[relsec].sh_info);
14752 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
14753 /* This is where to make the change */
14754- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
14755- + rel[i].r_offset;
14756+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
14757+ location = (uint32_t)plocation;
14758+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
14759+ plocation = ktla_ktva((void *)plocation);
14760 /* This is the symbol it is referring to. Note that all
14761 undefined symbols have been resolved. */
14762 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
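Review bot: `location` is deliberately captured from `plocation` before the `ktla_ktva` translation so that `R_386_PC32` (next hunk) is computed against the address the code executes from while the store goes through the writable alias, but nothing in the code says so and the two names differ by one letter. Suggest `/* keep the execution-view address for PC-relative relocs; plocation becomes the writable alias for SHF_EXECINSTR sections */` above the `if`, and a clearer name such as `exec_addr` for the integer copy. The open/close pairs around the single stores in the following hunks are tight, which is the right trade-off; the stray blank line after `pax_close_kernel()` in the R_X86_64_PC32 case can go. apply_relocate continues outside this hunk.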
14763@@ -71,11 +118,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
14764 switch (ELF32_R_TYPE(rel[i].r_info)) {
14765 case R_386_32:
14766 /* We add the value into the location given */
14767- *location += sym->st_value;
14768+ pax_open_kernel();
14769+ *plocation += sym->st_value;
14770+ pax_close_kernel();
14771 break;
14772 case R_386_PC32:
14773 /* Add the value, subtract its postition */
14774- *location += sym->st_value - (uint32_t)location;
14775+ pax_open_kernel();
14776+ *plocation += sym->st_value - location;
14777+ pax_close_kernel();
14778 break;
14779 default:
14780 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
14781@@ -120,21 +171,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
14782 case R_X86_64_NONE:
14783 break;
14784 case R_X86_64_64:
14785+ pax_open_kernel();
14786 *(u64 *)loc = val;
14787+ pax_close_kernel();
14788 break;
14789 case R_X86_64_32:
14790+ pax_open_kernel();
14791 *(u32 *)loc = val;
14792+ pax_close_kernel();
14793 if (val != *(u32 *)loc)
14794 goto overflow;
14795 break;
14796 case R_X86_64_32S:
14797+ pax_open_kernel();
14798 *(s32 *)loc = val;
14799+ pax_close_kernel();
14800 if ((s64)val != *(s32 *)loc)
14801 goto overflow;
14802 break;
14803 case R_X86_64_PC32:
14804 val -= (u64)loc;
14805+ pax_open_kernel();
14806 *(u32 *)loc = val;
14807+ pax_close_kernel();
14808+
14809 #if 0
14810 if ((s64)val != *(s32 *)loc)
14811 goto overflow;
14812diff -urNp linux-3.1.1/arch/x86/kernel/paravirt.c linux-3.1.1/arch/x86/kernel/paravirt.c
14813--- linux-3.1.1/arch/x86/kernel/paravirt.c 2011-11-11 15:19:27.000000000 -0500
14814+++ linux-3.1.1/arch/x86/kernel/paravirt.c 2011-11-17 18:29:42.000000000 -0500
14815@@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
14816 {
14817 return x;
14818 }
14819+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
14820+PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
14821+#endif
14822
14823 void __init default_banner(void)
14824 {
14825@@ -133,6 +136,9 @@ static void *get_call_destination(u8 typ
14826 .pv_lock_ops = pv_lock_ops,
14827 #endif
14828 };
14829+
14830+ pax_track_stack();
14831+
14832 return *((void **)&tmpl + type);
14833 }
14834
14835@@ -145,15 +151,19 @@ unsigned paravirt_patch_default(u8 type,
14836 if (opfunc == NULL)
14837 /* If there's no function, patch it with a ud2a (BUG) */
14838 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
14839- else if (opfunc == _paravirt_nop)
14840+ else if (opfunc == (void *)_paravirt_nop)
14841 /* If the operation is a nop, then nop the callsite */
14842 ret = paravirt_patch_nop();
14843
14844 /* identity functions just return their single argument */
14845- else if (opfunc == _paravirt_ident_32)
14846+ else if (opfunc == (void *)_paravirt_ident_32)
14847 ret = paravirt_patch_ident_32(insnbuf, len);
14848- else if (opfunc == _paravirt_ident_64)
14849+ else if (opfunc == (void *)_paravirt_ident_64)
14850 ret = paravirt_patch_ident_64(insnbuf, len);
14851+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
14852+ else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
14853+ ret = paravirt_patch_ident_64(insnbuf, len);
14854+#endif
14855
14856 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
14857 type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
14858@@ -178,7 +188,7 @@ unsigned paravirt_patch_insns(void *insn
14859 if (insn_len > len || start == NULL)
14860 insn_len = len;
14861 else
14862- memcpy(insnbuf, start, insn_len);
14863+ memcpy(insnbuf, ktla_ktva(start), insn_len);
14864
14865 return insn_len;
14866 }
14867@@ -302,7 +312,7 @@ void arch_flush_lazy_mmu_mode(void)
14868 preempt_enable();
14869 }
14870
14871-struct pv_info pv_info = {
14872+struct pv_info pv_info __read_only = {
14873 .name = "bare hardware",
14874 .paravirt_enabled = 0,
14875 .kernel_rpl = 0,
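Review bot: Every later write to `pv_info` and the other `pv_*_ops` structures will fault once `__read_only` is sealed (this hunk and the four that follow), yet in mainline these structures are assigned by the Xen, lguest and KVM setup code, and kvm.c's `paravirt_ops_setup` in this very patch still writes `pv_mmu_ops.set_pgd_batched`. Presumably all such writers are `__init` and run before the sealing point, but a comment on the first definition, `/* __read_only: written only during early init (xen/lguest/kvm setup); any later writer must use the kernel-write open/close path */`, would record that assumption for anyone adding a late-binding override. Confirm in particular that no module-loadable writer remains.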
14876@@ -313,16 +323,16 @@ struct pv_info pv_info = {
14877 #endif
14878 };
14879
14880-struct pv_init_ops pv_init_ops = {
14881+struct pv_init_ops pv_init_ops __read_only = {
14882 .patch = native_patch,
14883 };
14884
14885-struct pv_time_ops pv_time_ops = {
14886+struct pv_time_ops pv_time_ops __read_only = {
14887 .sched_clock = native_sched_clock,
14888 .steal_clock = native_steal_clock,
14889 };
14890
14891-struct pv_irq_ops pv_irq_ops = {
14892+struct pv_irq_ops pv_irq_ops __read_only = {
14893 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
14894 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
14895 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
14896@@ -334,7 +344,7 @@ struct pv_irq_ops pv_irq_ops = {
14897 #endif
14898 };
14899
14900-struct pv_cpu_ops pv_cpu_ops = {
14901+struct pv_cpu_ops pv_cpu_ops __read_only = {
14902 .cpuid = native_cpuid,
14903 .get_debugreg = native_get_debugreg,
14904 .set_debugreg = native_set_debugreg,
14905@@ -395,21 +405,26 @@ struct pv_cpu_ops pv_cpu_ops = {
14906 .end_context_switch = paravirt_nop,
14907 };
14908
14909-struct pv_apic_ops pv_apic_ops = {
14910+struct pv_apic_ops pv_apic_ops __read_only = {
14911 #ifdef CONFIG_X86_LOCAL_APIC
14912 .startup_ipi_hook = paravirt_nop,
14913 #endif
14914 };
14915
14916-#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
14917+#ifdef CONFIG_X86_32
14918+#ifdef CONFIG_X86_PAE
14919+/* 64-bit pagetable entries */
14920+#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
14921+#else
14922 /* 32-bit pagetable entries */
14923 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
14924+#endif
14925 #else
14926 /* 64-bit pagetable entries */
14927 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
14928 #endif
14929
14930-struct pv_mmu_ops pv_mmu_ops = {
14931+struct pv_mmu_ops pv_mmu_ops __read_only = {
14932
14933 .read_cr2 = native_read_cr2,
14934 .write_cr2 = native_write_cr2,
14935@@ -459,6 +474,7 @@ struct pv_mmu_ops pv_mmu_ops = {
14936 .make_pud = PTE_IDENT,
14937
14938 .set_pgd = native_set_pgd,
14939+ .set_pgd_batched = native_set_pgd_batched,
14940 #endif
14941 #endif /* PAGETABLE_LEVELS >= 3 */
14942
14943@@ -478,6 +494,12 @@ struct pv_mmu_ops pv_mmu_ops = {
14944 },
14945
14946 .set_fixmap = native_set_fixmap,
14947+
14948+#ifdef CONFIG_PAX_KERNEXEC
14949+ .pax_open_kernel = native_pax_open_kernel,
14950+ .pax_close_kernel = native_pax_close_kernel,
14951+#endif
14952+
14953 };
14954
14955 EXPORT_SYMBOL_GPL(pv_time_ops);
14956diff -urNp linux-3.1.1/arch/x86/kernel/paravirt-spinlocks.c linux-3.1.1/arch/x86/kernel/paravirt-spinlocks.c
14957--- linux-3.1.1/arch/x86/kernel/paravirt-spinlocks.c 2011-11-11 15:19:27.000000000 -0500
14958+++ linux-3.1.1/arch/x86/kernel/paravirt-spinlocks.c 2011-11-16 18:39:07.000000000 -0500
14959@@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
14960 arch_spin_lock(lock);
14961 }
14962
14963-struct pv_lock_ops pv_lock_ops = {
14964+struct pv_lock_ops pv_lock_ops __read_only = {
14965 #ifdef CONFIG_SMP
14966 .spin_is_locked = __ticket_spin_is_locked,
14967 .spin_is_contended = __ticket_spin_is_contended,
14968diff -urNp linux-3.1.1/arch/x86/kernel/pci-iommu_table.c linux-3.1.1/arch/x86/kernel/pci-iommu_table.c
14969--- linux-3.1.1/arch/x86/kernel/pci-iommu_table.c 2011-11-11 15:19:27.000000000 -0500
14970+++ linux-3.1.1/arch/x86/kernel/pci-iommu_table.c 2011-11-16 18:40:08.000000000 -0500
14971@@ -2,7 +2,7 @@
14972 #include <asm/iommu_table.h>
14973 #include <linux/string.h>
14974 #include <linux/kallsyms.h>
14975-
14976+#include <linux/sched.h>
14977
14978 #define DEBUG 1
14979
14980@@ -51,6 +51,8 @@ void __init check_iommu_entries(struct i
14981 {
14982 struct iommu_table_entry *p, *q, *x;
14983
14984+ pax_track_stack();
14985+
14986 /* Simple cyclic dependency checker. */
14987 for (p = start; p < finish; p++) {
14988 q = find_dependents_of(start, finish, p);
14989diff -urNp linux-3.1.1/arch/x86/kernel/process_32.c linux-3.1.1/arch/x86/kernel/process_32.c
14990--- linux-3.1.1/arch/x86/kernel/process_32.c 2011-11-11 15:19:27.000000000 -0500
14991+++ linux-3.1.1/arch/x86/kernel/process_32.c 2011-11-16 18:39:07.000000000 -0500
14992@@ -66,6 +66,7 @@ asmlinkage void ret_from_fork(void) __as
14993 unsigned long thread_saved_pc(struct task_struct *tsk)
14994 {
14995 return ((unsigned long *)tsk->thread.sp)[3];
14996+//XXX return tsk->thread.eip;
14997 }
14998
14999 #ifndef CONFIG_SMP
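Review bot: The `//XXX return tsk->thread.eip;` added after the `return` in thread_saved_pc is commented-out code that is also unreachable, so it documents nothing and will rot. Either drop it or turn it into a statement of intent the next reader can act on, e.g. `/* TODO: evaluate returning tsk->thread.eip instead of the saved-stack slot */`.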
15000@@ -128,15 +129,14 @@ void __show_regs(struct pt_regs *regs, i
15001 unsigned long sp;
15002 unsigned short ss, gs;
15003
15004- if (user_mode_vm(regs)) {
15005+ if (user_mode(regs)) {
15006 sp = regs->sp;
15007 ss = regs->ss & 0xffff;
15008- gs = get_user_gs(regs);
15009 } else {
15010 sp = kernel_stack_pointer(regs);
15011 savesegment(ss, ss);
15012- savesegment(gs, gs);
15013 }
15014+ gs = get_user_gs(regs);
15015
15016 show_regs_common();
15017
15018@@ -198,13 +198,14 @@ int copy_thread(unsigned long clone_flag
15019 struct task_struct *tsk;
15020 int err;
15021
15022- childregs = task_pt_regs(p);
15023+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
15024 *childregs = *regs;
15025 childregs->ax = 0;
15026 childregs->sp = sp;
15027
15028 p->thread.sp = (unsigned long) childregs;
15029 p->thread.sp0 = (unsigned long) (childregs+1);
15030+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
15031
15032 p->thread.ip = (unsigned long) ret_from_fork;
15033
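Review bot: The `- 8` in `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;` is a bare magic constant for the slack reserved above pt_regs, and the 64-bit side repeats the same idea as a bare `16` in process_64.c copy_thread, twice in process_64.c get_wchan (`THREAD_SIZE-16-sizeof(u64)`) and in smpboot.c do_boot_cpu, where it replaces the previously named `KERNEL_STACK_OFFSET`. Define the slack once per arch under a name like the old `KERNEL_STACK_OFFSET` and use it at all five sites so the stack layout cannot drift between fork, wchan and secondary-CPU bring-up. The definition's comment should state what the headroom is for (presumably the sp0 displacement done by pax_randomize_kstack — confirm). copy_thread's body continues outside the hunk.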
15034@@ -294,7 +295,7 @@ __switch_to(struct task_struct *prev_p,
15035 struct thread_struct *prev = &prev_p->thread,
15036 *next = &next_p->thread;
15037 int cpu = smp_processor_id();
15038- struct tss_struct *tss = &per_cpu(init_tss, cpu);
15039+ struct tss_struct *tss = init_tss + cpu;
15040 bool preload_fpu;
15041
15042 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
15043@@ -329,6 +330,10 @@ __switch_to(struct task_struct *prev_p,
15044 */
15045 lazy_save_gs(prev->gs);
15046
15047+#ifdef CONFIG_PAX_MEMORY_UDEREF
15048+ __set_fs(task_thread_info(next_p)->addr_limit);
15049+#endif
15050+
15051 /*
15052 * Load the per-thread Thread-Local Storage descriptor.
15053 */
15054@@ -364,6 +369,9 @@ __switch_to(struct task_struct *prev_p,
15055 */
15056 arch_end_context_switch(next_p);
15057
15058+ percpu_write(current_task, next_p);
15059+ percpu_write(current_tinfo, &next_p->tinfo);
15060+
15061 if (preload_fpu)
15062 __math_state_restore();
15063
15064@@ -373,8 +381,6 @@ __switch_to(struct task_struct *prev_p,
15065 if (prev->gs | next->gs)
15066 lazy_load_gs(next->gs);
15067
15068- percpu_write(current_task, next_p);
15069-
15070 return prev_p;
15071 }
15072
15073@@ -404,4 +410,3 @@ unsigned long get_wchan(struct task_stru
15074 } while (count++ < 16);
15075 return 0;
15076 }
15077-
15078diff -urNp linux-3.1.1/arch/x86/kernel/process_64.c linux-3.1.1/arch/x86/kernel/process_64.c
15079--- linux-3.1.1/arch/x86/kernel/process_64.c 2011-11-11 15:19:27.000000000 -0500
15080+++ linux-3.1.1/arch/x86/kernel/process_64.c 2011-11-16 18:39:07.000000000 -0500
15081@@ -88,7 +88,7 @@ static void __exit_idle(void)
15082 void exit_idle(void)
15083 {
15084 /* idle loop has pid 0 */
15085- if (current->pid)
15086+ if (task_pid_nr(current))
15087 return;
15088 __exit_idle();
15089 }
15090@@ -262,8 +262,7 @@ int copy_thread(unsigned long clone_flag
15091 struct pt_regs *childregs;
15092 struct task_struct *me = current;
15093
15094- childregs = ((struct pt_regs *)
15095- (THREAD_SIZE + task_stack_page(p))) - 1;
15096+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
15097 *childregs = *regs;
15098
15099 childregs->ax = 0;
15100@@ -275,6 +274,7 @@ int copy_thread(unsigned long clone_flag
15101 p->thread.sp = (unsigned long) childregs;
15102 p->thread.sp0 = (unsigned long) (childregs+1);
15103 p->thread.usersp = me->thread.usersp;
15104+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
15105
15106 set_tsk_thread_flag(p, TIF_FORK);
15107
15108@@ -377,7 +377,7 @@ __switch_to(struct task_struct *prev_p,
15109 struct thread_struct *prev = &prev_p->thread;
15110 struct thread_struct *next = &next_p->thread;
15111 int cpu = smp_processor_id();
15112- struct tss_struct *tss = &per_cpu(init_tss, cpu);
15113+ struct tss_struct *tss = init_tss + cpu;
15114 unsigned fsindex, gsindex;
15115 bool preload_fpu;
15116
15117@@ -473,10 +473,9 @@ __switch_to(struct task_struct *prev_p,
15118 prev->usersp = percpu_read(old_rsp);
15119 percpu_write(old_rsp, next->usersp);
15120 percpu_write(current_task, next_p);
15121+ percpu_write(current_tinfo, &next_p->tinfo);
15122
15123- percpu_write(kernel_stack,
15124- (unsigned long)task_stack_page(next_p) +
15125- THREAD_SIZE - KERNEL_STACK_OFFSET);
15126+ percpu_write(kernel_stack, next->sp0);
15127
15128 /*
15129 * Now maybe reload the debug registers and handle I/O bitmaps
15130@@ -538,12 +537,11 @@ unsigned long get_wchan(struct task_stru
15131 if (!p || p == current || p->state == TASK_RUNNING)
15132 return 0;
15133 stack = (unsigned long)task_stack_page(p);
15134- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
15135+ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
15136 return 0;
15137 fp = *(u64 *)(p->thread.sp);
15138 do {
15139- if (fp < (unsigned long)stack ||
15140- fp >= (unsigned long)stack+THREAD_SIZE)
15141+ if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
15142 return 0;
15143 ip = *(u64 *)(fp+8);
15144 if (!in_sched_functions(ip))
15145diff -urNp linux-3.1.1/arch/x86/kernel/process.c linux-3.1.1/arch/x86/kernel/process.c
15146--- linux-3.1.1/arch/x86/kernel/process.c 2011-11-11 15:19:27.000000000 -0500
15147+++ linux-3.1.1/arch/x86/kernel/process.c 2011-11-16 18:39:07.000000000 -0500
15148@@ -48,16 +48,33 @@ void free_thread_xstate(struct task_stru
15149
15150 void free_thread_info(struct thread_info *ti)
15151 {
15152- free_thread_xstate(ti->task);
15153 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
15154 }
15155
15156+static struct kmem_cache *task_struct_cachep;
15157+
15158 void arch_task_cache_init(void)
15159 {
15160- task_xstate_cachep =
15161- kmem_cache_create("task_xstate", xstate_size,
15162+ /* create a slab on which task_structs can be allocated */
15163+ task_struct_cachep =
15164+ kmem_cache_create("task_struct", sizeof(struct task_struct),
15165+ ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
15166+
15167+ task_xstate_cachep =
15168+ kmem_cache_create("task_xstate", xstate_size,
15169 __alignof__(union thread_xstate),
15170- SLAB_PANIC | SLAB_NOTRACK, NULL);
15171+ SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
15172+}
15173+
15174+struct task_struct *alloc_task_struct_node(int node)
15175+{
15176+ return kmem_cache_alloc_node(task_struct_cachep, GFP_KERNEL, node);
15177+}
15178+
15179+void free_task_struct(struct task_struct *task)
15180+{
15181+ free_thread_xstate(task);
15182+ kmem_cache_free(task_struct_cachep, task);
15183 }
15184
15185 /*
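Review bot: The new `alloc_task_struct_node` and `free_task_struct` carry no comments, and the hunk silently moves `free_thread_xstate()` from free_thread_info to free_task_struct, which is exactly the ownership rule a future maintainer needs spelled out. Add above free_task_struct `/* xstate is owned by the task_struct: released here, never in free_thread_info() */`, and above the `task_struct_cachep` creation a line saying why the arch now provides its own task_struct slab (presumably to control alignment via ARCH_MIN_TASKALIGN — confirm). `SLAB_USERCOPY` on the xstate cache is also new and deserves a one-line reason, since it presumably widens what the usercopy checks accept from that slab.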
15186@@ -70,7 +87,7 @@ void exit_thread(void)
15187 unsigned long *bp = t->io_bitmap_ptr;
15188
15189 if (bp) {
15190- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
15191+ struct tss_struct *tss = init_tss + get_cpu();
15192
15193 t->io_bitmap_ptr = NULL;
15194 clear_thread_flag(TIF_IO_BITMAP);
15195@@ -106,7 +123,7 @@ void show_regs_common(void)
15196
15197 printk(KERN_CONT "\n");
15198 printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
15199- current->pid, current->comm, print_tainted(),
15200+ task_pid_nr(current), current->comm, print_tainted(),
15201 init_utsname()->release,
15202 (int)strcspn(init_utsname()->version, " "),
15203 init_utsname()->version);
15204@@ -120,6 +137,9 @@ void flush_thread(void)
15205 {
15206 struct task_struct *tsk = current;
15207
15208+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
15209+ loadsegment(gs, 0);
15210+#endif
15211 flush_ptrace_hw_breakpoint(tsk);
15212 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
15213 /*
15214@@ -282,10 +302,10 @@ int kernel_thread(int (*fn)(void *), voi
15215 regs.di = (unsigned long) arg;
15216
15217 #ifdef CONFIG_X86_32
15218- regs.ds = __USER_DS;
15219- regs.es = __USER_DS;
15220+ regs.ds = __KERNEL_DS;
15221+ regs.es = __KERNEL_DS;
15222 regs.fs = __KERNEL_PERCPU;
15223- regs.gs = __KERNEL_STACK_CANARY;
15224+ savesegment(gs, regs.gs);
15225 #else
15226 regs.ss = __KERNEL_DS;
15227 #endif
15228@@ -403,7 +423,7 @@ void default_idle(void)
15229 EXPORT_SYMBOL(default_idle);
15230 #endif
15231
15232-void stop_this_cpu(void *dummy)
15233+__noreturn void stop_this_cpu(void *dummy)
15234 {
15235 local_irq_disable();
15236 /*
15237@@ -645,16 +665,37 @@ static int __init idle_setup(char *str)
15238 }
15239 early_param("idle", idle_setup);
15240
15241-unsigned long arch_align_stack(unsigned long sp)
15242+#ifdef CONFIG_PAX_RANDKSTACK
15243+void pax_randomize_kstack(struct pt_regs *regs)
15244 {
15245- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
15246- sp -= get_random_int() % 8192;
15247- return sp & ~0xf;
15248-}
15249+ struct thread_struct *thread = &current->thread;
15250+ unsigned long time;
15251
15252-unsigned long arch_randomize_brk(struct mm_struct *mm)
15253-{
15254- unsigned long range_end = mm->brk + 0x02000000;
15255- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
15256-}
15257+ if (!randomize_va_space)
15258+ return;
15259+
15260+ if (v8086_mode(regs))
15261+ return;
15262
15263+ rdtscl(time);
15264+
15265+ /* P4 seems to return a 0 LSB, ignore it */
15266+#ifdef CONFIG_MPENTIUM4
15267+ time &= 0x3EUL;
15268+ time <<= 2;
15269+#elif defined(CONFIG_X86_64)
15270+ time &= 0xFUL;
15271+ time <<= 4;
15272+#else
15273+ time &= 0x1FUL;
15274+ time <<= 3;
15275+#endif
15276+
15277+ thread->sp0 ^= time;
15278+ load_sp0(init_tss + smp_processor_id(), thread);
15279+
15280+#ifdef CONFIG_X86_64
15281+ percpu_write(kernel_stack, thread->sp0);
15282+#endif
15283+}
15284+#endif
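Review bot: pax_randomize_kstack has no header comment although its behaviour is non-obvious: it XORs (not assigns) a few TSC-derived bits into `thread->sp0`, so every call displaces the kernel stack top relative to the previous value, reloads it with load_sp0, and on x86_64 re-syncs the per-CPU `kernel_stack`. Add a comment above the function stating that, plus the two early exits (`randomize_va_space` off, vm86 mode), and consider naming the variable `tsc` rather than `time` since rdtscl samples a cycle counter. The hunk also deletes arch_align_stack and arch_randomize_brk; presumably replacements live elsewhere in the patch, but that dependency is worth a sentence here.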
15285diff -urNp linux-3.1.1/arch/x86/kernel/ptrace.c linux-3.1.1/arch/x86/kernel/ptrace.c
15286--- linux-3.1.1/arch/x86/kernel/ptrace.c 2011-11-11 15:19:27.000000000 -0500
15287+++ linux-3.1.1/arch/x86/kernel/ptrace.c 2011-11-16 18:39:07.000000000 -0500
15288@@ -822,7 +822,7 @@ long arch_ptrace(struct task_struct *chi
15289 unsigned long addr, unsigned long data)
15290 {
15291 int ret;
15292- unsigned long __user *datap = (unsigned long __user *)data;
15293+ unsigned long __user *datap = (__force unsigned long __user *)data;
15294
15295 switch (request) {
15296 /* read the word at location addr in the USER area. */
15297@@ -907,14 +907,14 @@ long arch_ptrace(struct task_struct *chi
15298 if ((int) addr < 0)
15299 return -EIO;
15300 ret = do_get_thread_area(child, addr,
15301- (struct user_desc __user *)data);
15302+ (__force struct user_desc __user *) data);
15303 break;
15304
15305 case PTRACE_SET_THREAD_AREA:
15306 if ((int) addr < 0)
15307 return -EIO;
15308 ret = do_set_thread_area(child, addr,
15309- (struct user_desc __user *)data, 0);
15310+ (__force struct user_desc __user *) data, 0);
15311 break;
15312 #endif
15313
15314@@ -1331,7 +1331,7 @@ static void fill_sigtrap_info(struct tas
15315 memset(info, 0, sizeof(*info));
15316 info->si_signo = SIGTRAP;
15317 info->si_code = si_code;
15318- info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
15319+ info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
15320 }
15321
15322 void user_single_step_siginfo(struct task_struct *tsk,
15323diff -urNp linux-3.1.1/arch/x86/kernel/pvclock.c linux-3.1.1/arch/x86/kernel/pvclock.c
15324--- linux-3.1.1/arch/x86/kernel/pvclock.c 2011-11-11 15:19:27.000000000 -0500
15325+++ linux-3.1.1/arch/x86/kernel/pvclock.c 2011-11-16 18:39:07.000000000 -0500
15326@@ -81,11 +81,11 @@ unsigned long pvclock_tsc_khz(struct pvc
15327 return pv_tsc_khz;
15328 }
15329
15330-static atomic64_t last_value = ATOMIC64_INIT(0);
15331+static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
15332
15333 void pvclock_resume(void)
15334 {
15335- atomic64_set(&last_value, 0);
15336+ atomic64_set_unchecked(&last_value, 0);
15337 }
15338
15339 cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
15340@@ -121,11 +121,11 @@ cycle_t pvclock_clocksource_read(struct
15341 * updating at the same time, and one of them could be slightly behind,
15342 * making the assumption that last_value always go forward fail to hold.
15343 */
15344- last = atomic64_read(&last_value);
15345+ last = atomic64_read_unchecked(&last_value);
15346 do {
15347 if (ret < last)
15348 return last;
15349- last = atomic64_cmpxchg(&last_value, last, ret);
15350+ last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
15351 } while (unlikely(last != ret));
15352
15353 return ret;
15354diff -urNp linux-3.1.1/arch/x86/kernel/reboot.c linux-3.1.1/arch/x86/kernel/reboot.c
15355--- linux-3.1.1/arch/x86/kernel/reboot.c 2011-11-11 15:19:27.000000000 -0500
15356+++ linux-3.1.1/arch/x86/kernel/reboot.c 2011-11-16 18:39:07.000000000 -0500
15357@@ -35,7 +35,7 @@ void (*pm_power_off)(void);
15358 EXPORT_SYMBOL(pm_power_off);
15359
15360 static const struct desc_ptr no_idt = {};
15361-static int reboot_mode;
15362+static unsigned short reboot_mode;
15363 enum reboot_type reboot_type = BOOT_ACPI;
15364 int reboot_force;
15365
15366@@ -315,13 +315,17 @@ core_initcall(reboot_init);
15367 extern const unsigned char machine_real_restart_asm[];
15368 extern const u64 machine_real_restart_gdt[3];
15369
15370-void machine_real_restart(unsigned int type)
15371+__noreturn void machine_real_restart(unsigned int type)
15372 {
15373 void *restart_va;
15374 unsigned long restart_pa;
15375- void (*restart_lowmem)(unsigned int);
15376+ void (* __noreturn restart_lowmem)(unsigned int);
15377 u64 *lowmem_gdt;
15378
15379+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
15380+ struct desc_struct *gdt;
15381+#endif
15382+
15383 local_irq_disable();
15384
15385 /* Write zero to CMOS register number 0x0f, which the BIOS POST
15386@@ -347,14 +351,14 @@ void machine_real_restart(unsigned int t
15387 boot)". This seems like a fairly standard thing that gets set by
15388 REBOOT.COM programs, and the previous reset routine did this
15389 too. */
15390- *((unsigned short *)0x472) = reboot_mode;
15391+ *(unsigned short *)(__va(0x472)) = reboot_mode;
15392
15393 /* Patch the GDT in the low memory trampoline */
15394 lowmem_gdt = TRAMPOLINE_SYM(machine_real_restart_gdt);
15395
15396 restart_va = TRAMPOLINE_SYM(machine_real_restart_asm);
15397 restart_pa = virt_to_phys(restart_va);
15398- restart_lowmem = (void (*)(unsigned int))restart_pa;
15399+ restart_lowmem = (void *)restart_pa;
15400
15401 /* GDT[0]: GDT self-pointer */
15402 lowmem_gdt[0] =
15403@@ -365,7 +369,33 @@ void machine_real_restart(unsigned int t
15404 GDT_ENTRY(0x009b, restart_pa, 0xffff);
15405
15406 /* Jump to the identity-mapped low memory code */
15407+
15408+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
15409+ gdt = get_cpu_gdt_table(smp_processor_id());
15410+ pax_open_kernel();
15411+#ifdef CONFIG_PAX_MEMORY_UDEREF
15412+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
15413+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
15414+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
15415+#endif
15416+#ifdef CONFIG_PAX_KERNEXEC
15417+ gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
15418+ gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
15419+ gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
15420+ gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
15421+ gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
15422+ gdt[GDT_ENTRY_KERNEL_CS].g = 1;
15423+#endif
15424+ pax_close_kernel();
15425+#endif
15426+
15427+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15428+ asm volatile("push %0; push %1; lret\n" : : "i" (__KERNEL_CS), "rm" (restart_lowmem), "a" (type));
15429+ unreachable();
15430+#else
15431 restart_lowmem(type);
15432+#endif
15433+
15434 }
15435 #ifdef CONFIG_APM_MODULE
15436 EXPORT_SYMBOL(machine_real_restart);
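Review bot: The block from `gdt = get_cpu_gdt_table(smp_processor_id());` to `pax_close_kernel();` rewrites the kernel DS/CS descriptors and reloads %ds/%es/%ss without a comment, although it is the one place this patch deliberately relaxes its own segment hardening. Add e.g. `/* widen kernel DS/CS back to flat 4GB before jumping to the low-memory trampoline, which runs outside the UDEREF/KERNEXEC segment limits */` — the reason is inferred from the config symbols guarding the block, so confirm it against the trampoline. The `"a" (type)` operand on the `lret` asm also needs a note that `type` is passed in %eax to match how `restart_lowmem` expects its argument (presumably regparm), and the stray empty `+` line before the closing brace should go.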
15437@@ -523,7 +553,7 @@ void __attribute__((weak)) mach_reboot_f
15438 * try to force a triple fault and then cycle between hitting the keyboard
15439 * controller and doing that
15440 */
15441-static void native_machine_emergency_restart(void)
15442+__noreturn static void native_machine_emergency_restart(void)
15443 {
15444 int i;
15445 int attempt = 0;
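Review bot: `__noreturn static void native_machine_emergency_restart(void)` puts the attribute before the storage class, while the following hunks in the same file write `static __noreturn void __machine_emergency_restart(int emergency)`, `native_machine_restart` and `native_machine_halt` the other way round, and `native_machine_power_off` repeats the attribute-first form. Pick one order for the file — `static __noreturn void native_machine_emergency_restart(void)` matches the majority and the usual storage-class-first kernel style — and apply the same to native_machine_power_off.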
15446@@ -647,13 +677,13 @@ void native_machine_shutdown(void)
15447 #endif
15448 }
15449
15450-static void __machine_emergency_restart(int emergency)
15451+static __noreturn void __machine_emergency_restart(int emergency)
15452 {
15453 reboot_emergency = emergency;
15454 machine_ops.emergency_restart();
15455 }
15456
15457-static void native_machine_restart(char *__unused)
15458+static __noreturn void native_machine_restart(char *__unused)
15459 {
15460 printk("machine restart\n");
15461
15462@@ -662,7 +692,7 @@ static void native_machine_restart(char
15463 __machine_emergency_restart(0);
15464 }
15465
15466-static void native_machine_halt(void)
15467+static __noreturn void native_machine_halt(void)
15468 {
15469 /* stop other cpus and apics */
15470 machine_shutdown();
15471@@ -673,7 +703,7 @@ static void native_machine_halt(void)
15472 stop_this_cpu(NULL);
15473 }
15474
15475-static void native_machine_power_off(void)
15476+__noreturn static void native_machine_power_off(void)
15477 {
15478 if (pm_power_off) {
15479 if (!reboot_force)
15480@@ -682,6 +712,7 @@ static void native_machine_power_off(voi
15481 }
15482 /* a fallback in case there is no PM info available */
15483 tboot_shutdown(TB_SHUTDOWN_HALT);
15484+ unreachable();
15485 }
15486
15487 struct machine_ops machine_ops = {
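Review bot: `unreachable();` after `tboot_shutdown(TB_SHUTDOWN_HALT);` asserts that the call never returns, but the comment above describes it as a fallback for machines without PM info, and if tboot_shutdown does return where tboot is not active the function falls off the end of a `__noreturn` body, which is undefined behaviour. `stop_this_cpu(NULL)` is marked `__noreturn` in this same patch and is already what native_machine_halt ends with, so replace the line with `stop_this_cpu(NULL);` and the no-return guarantee is enforced rather than assumed. Whether tboot_shutdown can return is inferred from the comment, not visible in the hunk — confirm in tboot.c.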
15488diff -urNp linux-3.1.1/arch/x86/kernel/setup.c linux-3.1.1/arch/x86/kernel/setup.c
15489--- linux-3.1.1/arch/x86/kernel/setup.c 2011-11-11 15:19:27.000000000 -0500
15490+++ linux-3.1.1/arch/x86/kernel/setup.c 2011-11-16 18:39:07.000000000 -0500
15491@@ -447,7 +447,7 @@ static void __init parse_setup_data(void
15492
15493 switch (data->type) {
15494 case SETUP_E820_EXT:
15495- parse_e820_ext(data);
15496+ parse_e820_ext((struct setup_data __force_kernel *)data);
15497 break;
15498 case SETUP_DTB:
15499 add_dtb(pa_data);
15500@@ -650,7 +650,7 @@ static void __init trim_bios_range(void)
15501 * area (640->1Mb) as ram even though it is not.
15502 * take them out.
15503 */
15504- e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
15505+ e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
15506 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
15507 }
15508
15509@@ -773,14 +773,14 @@ void __init setup_arch(char **cmdline_p)
15510
15511 if (!boot_params.hdr.root_flags)
15512 root_mountflags &= ~MS_RDONLY;
15513- init_mm.start_code = (unsigned long) _text;
15514- init_mm.end_code = (unsigned long) _etext;
15515+ init_mm.start_code = ktla_ktva((unsigned long) _text);
15516+ init_mm.end_code = ktla_ktva((unsigned long) _etext);
15517 init_mm.end_data = (unsigned long) _edata;
15518 init_mm.brk = _brk_end;
15519
15520- code_resource.start = virt_to_phys(_text);
15521- code_resource.end = virt_to_phys(_etext)-1;
15522- data_resource.start = virt_to_phys(_etext);
15523+ code_resource.start = virt_to_phys(ktla_ktva(_text));
15524+ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
15525+ data_resource.start = virt_to_phys(_sdata);
15526 data_resource.end = virt_to_phys(_edata)-1;
15527 bss_resource.start = virt_to_phys(&__bss_start);
15528 bss_resource.end = virt_to_phys(&__bss_stop)-1;
15529diff -urNp linux-3.1.1/arch/x86/kernel/setup_percpu.c linux-3.1.1/arch/x86/kernel/setup_percpu.c
15530--- linux-3.1.1/arch/x86/kernel/setup_percpu.c 2011-11-11 15:19:27.000000000 -0500
15531+++ linux-3.1.1/arch/x86/kernel/setup_percpu.c 2011-11-16 18:39:07.000000000 -0500
15532@@ -21,19 +21,17 @@
15533 #include <asm/cpu.h>
15534 #include <asm/stackprotector.h>
15535
15536-DEFINE_PER_CPU(int, cpu_number);
15537+#ifdef CONFIG_SMP
15538+DEFINE_PER_CPU(unsigned int, cpu_number);
15539 EXPORT_PER_CPU_SYMBOL(cpu_number);
15540+#endif
15541
15542-#ifdef CONFIG_X86_64
15543 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
15544-#else
15545-#define BOOT_PERCPU_OFFSET 0
15546-#endif
15547
15548 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
15549 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
15550
15551-unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
15552+unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
15553 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
15554 };
15555 EXPORT_SYMBOL(__per_cpu_offset);
15556@@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
15557 {
15558 #ifdef CONFIG_X86_32
15559 struct desc_struct gdt;
15560+ unsigned long base = per_cpu_offset(cpu);
15561
15562- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
15563- 0x2 | DESCTYPE_S, 0x8);
15564- gdt.s = 1;
15565+ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
15566+ 0x83 | DESCTYPE_S, 0xC);
15567 write_gdt_entry(get_cpu_gdt_table(cpu),
15568 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
15569 #endif
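Review bot: `pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT, 0x83 | DESCTYPE_S, 0xC);` replaces the old full-4G limit and the `0x2`/`0x8` pair with three undocumented constants. Add a comment before the call saying the limit is deliberately cut at VMALLOC_END so the per-CPU segment covers only the kernel's own range, and spell out what `0x83` and `0xC` encode (access byte; granularity/size flags) so a reviewer does not have to decode descriptor bit layouts by hand. setup_percpu_segment's signature lies outside the hunk.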
15570@@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
15571 /* alrighty, percpu areas up and running */
15572 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
15573 for_each_possible_cpu(cpu) {
15574+#ifdef CONFIG_CC_STACKPROTECTOR
15575+#ifdef CONFIG_X86_32
15576+ unsigned long canary = per_cpu(stack_canary.canary, cpu);
15577+#endif
15578+#endif
15579 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
15580 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
15581 per_cpu(cpu_number, cpu) = cpu;
15582@@ -247,6 +250,12 @@ void __init setup_per_cpu_areas(void)
15583 */
15584 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
15585 #endif
15586+#ifdef CONFIG_CC_STACKPROTECTOR
15587+#ifdef CONFIG_X86_32
15588+ if (!cpu)
15589+ per_cpu(stack_canary.canary, cpu) = canary;
15590+#endif
15591+#endif
15592 /*
15593 * Up to this point, the boot CPU has been using .init.data
15594 * area. Reload any changed state for the boot CPU.
15595diff -urNp linux-3.1.1/arch/x86/kernel/signal.c linux-3.1.1/arch/x86/kernel/signal.c
15596--- linux-3.1.1/arch/x86/kernel/signal.c 2011-11-11 15:19:27.000000000 -0500
15597+++ linux-3.1.1/arch/x86/kernel/signal.c 2011-11-16 19:39:49.000000000 -0500
15598@@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
15599 * Align the stack pointer according to the i386 ABI,
15600 * i.e. so that on function entry ((sp + 4) & 15) == 0.
15601 */
15602- sp = ((sp + 4) & -16ul) - 4;
15603+ sp = ((sp - 12) & -16ul) - 4;
15604 #else /* !CONFIG_X86_32 */
15605 sp = round_down(sp, 16) - 8;
15606 #endif
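Review bot: `sp = ((sp - 12) & -16ul) - 4;` evaluates to exactly 16 less than the old `((sp + 4) & -16ul) - 4` for every sp, yet the comment above still says only that it aligns per the i386 ABI, so the extra 16 bytes of slack read as accidental. If intentional, extend the comment, e.g. `/* ... and keep 16 bytes of slack below the caller's sp */` with the reason; if not, the old expression never produced a result above sp, so it can stay. align_sigframe continues outside the hunk.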
15607@@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
15608 * Return an always-bogus address instead so we will die with SIGSEGV.
15609 */
15610 if (onsigstack && !likely(on_sig_stack(sp)))
15611- return (void __user *)-1L;
15612+ return (__force void __user *)-1L;
15613
15614 /* save i387 state */
15615 if (used_math() && save_i387_xstate(*fpstate) < 0)
15616- return (void __user *)-1L;
15617+ return (__force void __user *)-1L;
15618
15619 return (void __user *)sp;
15620 }
15621@@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
15622 }
15623
15624 if (current->mm->context.vdso)
15625- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
15626+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
15627 else
15628- restorer = &frame->retcode;
15629+ restorer = (void __user *)&frame->retcode;
15630 if (ka->sa.sa_flags & SA_RESTORER)
15631 restorer = ka->sa.sa_restorer;
15632
15633@@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
15634 * reasons and because gdb uses it as a signature to notice
15635 * signal handler stack frames.
15636 */
15637- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
15638+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
15639
15640 if (err)
15641 return -EFAULT;
15642@@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
15643 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
15644
15645 /* Set up to return from userspace. */
15646- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
15647+ if (current->mm->context.vdso)
15648+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
15649+ else
15650+ restorer = (void __user *)&frame->retcode;
15651 if (ka->sa.sa_flags & SA_RESTORER)
15652 restorer = ka->sa.sa_restorer;
15653 put_user_ex(restorer, &frame->pretcode);
15654@@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
15655 * reasons and because gdb uses it as a signature to notice
15656 * signal handler stack frames.
15657 */
15658- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
15659+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
15660 } put_user_catch(err);
15661
15662 if (err)
15663@@ -762,6 +765,8 @@ static void do_signal(struct pt_regs *re
15664 siginfo_t info;
15665 int signr;
15666
15667+ pax_track_stack();
15668+
15669 /*
15670 * We want the common case to go fast, which is why we may in certain
15671 * cases get here from kernel mode. Just return without doing anything
15672@@ -769,7 +774,7 @@ static void do_signal(struct pt_regs *re
15673 * X86_32: vm86 regs switched out by assembly code before reaching
15674 * here, so testing against kernel CS suffices.
15675 */
15676- if (!user_mode(regs))
15677+ if (!user_mode_novm(regs))
15678 return;
15679
15680 signr = get_signal_to_deliver(&info, &ka, regs, NULL);
15681diff -urNp linux-3.1.1/arch/x86/kernel/smpboot.c linux-3.1.1/arch/x86/kernel/smpboot.c
15682--- linux-3.1.1/arch/x86/kernel/smpboot.c 2011-11-11 15:19:27.000000000 -0500
15683+++ linux-3.1.1/arch/x86/kernel/smpboot.c 2011-11-16 18:39:07.000000000 -0500
15684@@ -709,17 +709,20 @@ static int __cpuinit do_boot_cpu(int api
15685 set_idle_for_cpu(cpu, c_idle.idle);
15686 do_rest:
15687 per_cpu(current_task, cpu) = c_idle.idle;
15688+ per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
15689 #ifdef CONFIG_X86_32
15690 /* Stack for startup_32 can be just as for start_secondary onwards */
15691 irq_ctx_init(cpu);
15692 #else
15693 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
15694 initial_gs = per_cpu_offset(cpu);
15695- per_cpu(kernel_stack, cpu) =
15696- (unsigned long)task_stack_page(c_idle.idle) -
15697- KERNEL_STACK_OFFSET + THREAD_SIZE;
15698+ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
15699 #endif
15700+
15701+ pax_open_kernel();
15702 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
15703+ pax_close_kernel();
15704+
15705 initial_code = (unsigned long)start_secondary;
15706 stack_start = c_idle.idle->thread.sp;
15707
15708@@ -861,6 +864,12 @@ int __cpuinit native_cpu_up(unsigned int
15709
15710 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
15711
15712+#ifdef CONFIG_PAX_PER_CPU_PGD
15713+ clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
15714+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
15715+ KERNEL_PGD_PTRS);
15716+#endif
15717+
15718 err = do_boot_cpu(apicid, cpu);
15719 if (err) {
15720 pr_debug("do_boot_cpu failed %d\n", err);
15721diff -urNp linux-3.1.1/arch/x86/kernel/step.c linux-3.1.1/arch/x86/kernel/step.c
15722--- linux-3.1.1/arch/x86/kernel/step.c 2011-11-11 15:19:27.000000000 -0500
15723+++ linux-3.1.1/arch/x86/kernel/step.c 2011-11-16 18:39:07.000000000 -0500
15724@@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
15725 struct desc_struct *desc;
15726 unsigned long base;
15727
15728- seg &= ~7UL;
15729+ seg >>= 3;
15730
15731 mutex_lock(&child->mm->context.lock);
15732- if (unlikely((seg >> 3) >= child->mm->context.size))
15733+ if (unlikely(seg >= child->mm->context.size))
15734 addr = -1L; /* bogus selector, access would fault */
15735 else {
15736 desc = child->mm->context.ldt + seg;
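Review bot: `desc = child->mm->context.ldt + seg;` now indexes with the descriptor number (after `seg >>= 3`) where the old code added the byte offset (`seg &= ~7UL`), so the line is only correct if `context.ldt` has pointer type `struct desc_struct *`; if it is still a `void *` the arithmetic lands 8x short. If the patch changes the field type elsewhere, make the dependency visible here with `/* context.ldt is struct desc_struct *, index by entry */`. The `else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)` branch compares the unshifted selector, which is right only because the shift happens inside the LDT branch — worth a comment as well. convert_ip_to_linear starts outside the hunk.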
15737@@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
15738 addr += base;
15739 }
15740 mutex_unlock(&child->mm->context.lock);
15741- }
15742+ } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
15743+ addr = ktla_ktva(addr);
15744
15745 return addr;
15746 }
15747@@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
15748 unsigned char opcode[15];
15749 unsigned long addr = convert_ip_to_linear(child, regs);
15750
15751+ if (addr == -EINVAL)
15752+ return 0;
15753+
15754 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
15755 for (i = 0; i < copied; i++) {
15756 switch (opcode[i]) {
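Review bot: `if (addr == -EINVAL) return 0;` compares against a sentinel that convert_ip_to_linear never produces in the visible code: the hunk above sets `addr = -1L` for a bogus selector, and -EINVAL is not -1, so the new guard is dead and a bogus selector still reaches access_process_vm with a -1 address. Change it to `if (addr == -1L) return 0;`, or make convert_ip_to_linear return -EINVAL and update its comment to match — but not one without the other. If some path outside this view does return -EINVAL, both values need checking.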
15757diff -urNp linux-3.1.1/arch/x86/kernel/syscall_table_32.S linux-3.1.1/arch/x86/kernel/syscall_table_32.S
15758--- linux-3.1.1/arch/x86/kernel/syscall_table_32.S 2011-11-11 15:19:27.000000000 -0500
15759+++ linux-3.1.1/arch/x86/kernel/syscall_table_32.S 2011-11-16 18:39:07.000000000 -0500
15760@@ -1,3 +1,4 @@
15761+.section .rodata,"a",@progbits
15762 ENTRY(sys_call_table)
15763 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
15764 .long sys_exit
15765diff -urNp linux-3.1.1/arch/x86/kernel/sys_i386_32.c linux-3.1.1/arch/x86/kernel/sys_i386_32.c
15766--- linux-3.1.1/arch/x86/kernel/sys_i386_32.c 2011-11-11 15:19:27.000000000 -0500
15767+++ linux-3.1.1/arch/x86/kernel/sys_i386_32.c 2011-11-16 18:39:07.000000000 -0500
15768@@ -24,17 +24,224 @@
15769
15770 #include <asm/syscalls.h>
15771
15772-/*
15773- * Do a system call from kernel instead of calling sys_execve so we
15774- * end up with proper pt_regs.
15775- */
15776-int kernel_execve(const char *filename,
15777- const char *const argv[],
15778- const char *const envp[])
15779+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
15780 {
15781- long __res;
15782- asm volatile ("int $0x80"
15783- : "=a" (__res)
15784- : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
15785- return __res;
15786+ unsigned long pax_task_size = TASK_SIZE;
15787+
15788+#ifdef CONFIG_PAX_SEGMEXEC
15789+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
15790+ pax_task_size = SEGMEXEC_TASK_SIZE;
15791+#endif
15792+
15793+ if (len > pax_task_size || addr > pax_task_size - len)
15794+ return -EINVAL;
15795+
15796+ return 0;
15797+}
15798+
15799+unsigned long
15800+arch_get_unmapped_area(struct file *filp, unsigned long addr,
15801+ unsigned long len, unsigned long pgoff, unsigned long flags)
15802+{
15803+ struct mm_struct *mm = current->mm;
15804+ struct vm_area_struct *vma;
15805+ unsigned long start_addr, pax_task_size = TASK_SIZE;
15806+
15807+#ifdef CONFIG_PAX_SEGMEXEC
15808+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
15809+ pax_task_size = SEGMEXEC_TASK_SIZE;
15810+#endif
15811+
15812+ pax_task_size -= PAGE_SIZE;
15813+
15814+ if (len > pax_task_size)
15815+ return -ENOMEM;
15816+
15817+ if (flags & MAP_FIXED)
15818+ return addr;
15819+
15820+#ifdef CONFIG_PAX_RANDMMAP
15821+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15822+#endif
15823+
15824+ if (addr) {
15825+ addr = PAGE_ALIGN(addr);
15826+ if (pax_task_size - len >= addr) {
15827+ vma = find_vma(mm, addr);
15828+ if (check_heap_stack_gap(vma, addr, len))
15829+ return addr;
15830+ }
15831+ }
15832+ if (len > mm->cached_hole_size) {
15833+ start_addr = addr = mm->free_area_cache;
15834+ } else {
15835+ start_addr = addr = mm->mmap_base;
15836+ mm->cached_hole_size = 0;
15837+ }
15838+
15839+#ifdef CONFIG_PAX_PAGEEXEC
15840+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
15841+ start_addr = 0x00110000UL;
15842+
15843+#ifdef CONFIG_PAX_RANDMMAP
15844+ if (mm->pax_flags & MF_PAX_RANDMMAP)
15845+ start_addr += mm->delta_mmap & 0x03FFF000UL;
15846+#endif
15847+
15848+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
15849+ start_addr = addr = mm->mmap_base;
15850+ else
15851+ addr = start_addr;
15852+ }
15853+#endif
15854+
15855+full_search:
15856+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
15857+ /* At this point: (!vma || addr < vma->vm_end). */
15858+ if (pax_task_size - len < addr) {
15859+ /*
15860+ * Start a new search - just in case we missed
15861+ * some holes.
15862+ */
15863+ if (start_addr != mm->mmap_base) {
15864+ start_addr = addr = mm->mmap_base;
15865+ mm->cached_hole_size = 0;
15866+ goto full_search;
15867+ }
15868+ return -ENOMEM;
15869+ }
15870+ if (check_heap_stack_gap(vma, addr, len))
15871+ break;
15872+ if (addr + mm->cached_hole_size < vma->vm_start)
15873+ mm->cached_hole_size = vma->vm_start - addr;
15874+ addr = vma->vm_end;
15875+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
15876+ start_addr = addr = mm->mmap_base;
15877+ mm->cached_hole_size = 0;
15878+ goto full_search;
15879+ }
15880+ }
15881+
15882+ /*
15883+ * Remember the place where we stopped the search:
15884+ */
15885+ mm->free_area_cache = addr + len;
15886+ return addr;
15887+}
15888+
15889+unsigned long
15890+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
15891+ const unsigned long len, const unsigned long pgoff,
15892+ const unsigned long flags)
15893+{
15894+ struct vm_area_struct *vma;
15895+ struct mm_struct *mm = current->mm;
15896+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
15897+
15898+#ifdef CONFIG_PAX_SEGMEXEC
15899+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
15900+ pax_task_size = SEGMEXEC_TASK_SIZE;
15901+#endif
15902+
15903+ pax_task_size -= PAGE_SIZE;
15904+
15905+ /* requested length too big for entire address space */
15906+ if (len > pax_task_size)
15907+ return -ENOMEM;
15908+
15909+ if (flags & MAP_FIXED)
15910+ return addr;
15911+
15912+#ifdef CONFIG_PAX_PAGEEXEC
15913+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
15914+ goto bottomup;
15915+#endif
15916+
15917+#ifdef CONFIG_PAX_RANDMMAP
15918+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
15919+#endif
15920+
15921+ /* requesting a specific address */
15922+ if (addr) {
15923+ addr = PAGE_ALIGN(addr);
15924+ if (pax_task_size - len >= addr) {
15925+ vma = find_vma(mm, addr);
15926+ if (check_heap_stack_gap(vma, addr, len))
15927+ return addr;
15928+ }
15929+ }
15930+
15931+ /* check if free_area_cache is useful for us */
15932+ if (len <= mm->cached_hole_size) {
15933+ mm->cached_hole_size = 0;
15934+ mm->free_area_cache = mm->mmap_base;
15935+ }
15936+
15937+ /* either no address requested or can't fit in requested address hole */
15938+ addr = mm->free_area_cache;
15939+
15940+ /* make sure it can fit in the remaining address space */
15941+ if (addr > len) {
15942+ vma = find_vma(mm, addr-len);
15943+ if (check_heap_stack_gap(vma, addr - len, len))
15944+ /* remember the address as a hint for next time */
15945+ return (mm->free_area_cache = addr-len);
15946+ }
15947+
15948+ if (mm->mmap_base < len)
15949+ goto bottomup;
15950+
15951+ addr = mm->mmap_base-len;
15952+
15953+ do {
15954+ /*
15955+ * Lookup failure means no vma is above this address,
15956+ * else if new region fits below vma->vm_start,
15957+ * return with success:
15958+ */
15959+ vma = find_vma(mm, addr);
15960+ if (check_heap_stack_gap(vma, addr, len))
15961+ /* remember the address as a hint for next time */
15962+ return (mm->free_area_cache = addr);
15963+
15964+ /* remember the largest hole we saw so far */
15965+ if (addr + mm->cached_hole_size < vma->vm_start)
15966+ mm->cached_hole_size = vma->vm_start - addr;
15967+
15968+ /* try just below the current vma->vm_start */
15969+ addr = skip_heap_stack_gap(vma, len);
15970+ } while (!IS_ERR_VALUE(addr));
15971+
15972+bottomup:
15973+ /*
15974+ * A failed mmap() very likely causes application failure,
15975+ * so fall back to the bottom-up function here. This scenario
15976+ * can happen with large stack limits and large mmap()
15977+ * allocations.
15978+ */
15979+
15980+#ifdef CONFIG_PAX_SEGMEXEC
15981+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
15982+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
15983+ else
15984+#endif
15985+
15986+ mm->mmap_base = TASK_UNMAPPED_BASE;
15987+
15988+#ifdef CONFIG_PAX_RANDMMAP
15989+ if (mm->pax_flags & MF_PAX_RANDMMAP)
15990+ mm->mmap_base += mm->delta_mmap;
15991+#endif
15992+
15993+ mm->free_area_cache = mm->mmap_base;
15994+ mm->cached_hole_size = ~0UL;
15995+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
15996+ /*
15997+ * Restore the topdown base:
15998+ */
15999+ mm->mmap_base = base;
16000+ mm->free_area_cache = base;
16001+ mm->cached_hole_size = ~0UL;
16002+
16003+ return addr;
16004 }
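Review bot: In both new allocators the `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` sequence is a braceless `if` whose body is the entire `if (addr) { ... }` block that follows after a blank line; the preprocessor guard makes it easy to misread as a stand-alone statement, and any statement later inserted between the two would silently become the guarded body. The same construct appears again in the topdown variant further down and twice in the sys_x86_64.c hunks that follow. A one-line comment on the hint block would make the intent explicit, e.g. `/* with RANDMMAP the caller's address hint is deliberately ignored; the test above covers this whole block */`, or the blank line between the guard and its body could simply be dropped. The hunk also removes kernel_execve from this file; presumably it is provided elsewhere in the patch, but nothing in this hunk replaces it, so that is worth confirming.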
16005diff -urNp linux-3.1.1/arch/x86/kernel/sys_x86_64.c linux-3.1.1/arch/x86/kernel/sys_x86_64.c
16006--- linux-3.1.1/arch/x86/kernel/sys_x86_64.c 2011-11-11 15:19:27.000000000 -0500
16007+++ linux-3.1.1/arch/x86/kernel/sys_x86_64.c 2011-11-16 18:39:07.000000000 -0500
16008@@ -32,8 +32,8 @@ out:
16009 return error;
16010 }
16011
16012-static void find_start_end(unsigned long flags, unsigned long *begin,
16013- unsigned long *end)
16014+static void find_start_end(struct mm_struct *mm, unsigned long flags,
16015+ unsigned long *begin, unsigned long *end)
16016 {
16017 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
16018 unsigned long new_begin;
16019@@ -52,7 +52,7 @@ static void find_start_end(unsigned long
16020 *begin = new_begin;
16021 }
16022 } else {
16023- *begin = TASK_UNMAPPED_BASE;
16024+ *begin = mm->mmap_base;
16025 *end = TASK_SIZE;
16026 }
16027 }
16028@@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
16029 if (flags & MAP_FIXED)
16030 return addr;
16031
16032- find_start_end(flags, &begin, &end);
16033+ find_start_end(mm, flags, &begin, &end);
16034
16035 if (len > end)
16036 return -ENOMEM;
16037
16038+#ifdef CONFIG_PAX_RANDMMAP
16039+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16040+#endif
16041+
16042 if (addr) {
16043 addr = PAGE_ALIGN(addr);
16044 vma = find_vma(mm, addr);
16045- if (end - len >= addr &&
16046- (!vma || addr + len <= vma->vm_start))
16047+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
16048 return addr;
16049 }
16050 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
16051@@ -106,7 +109,7 @@ full_search:
16052 }
16053 return -ENOMEM;
16054 }
16055- if (!vma || addr + len <= vma->vm_start) {
16056+ if (check_heap_stack_gap(vma, addr, len)) {
16057 /*
16058 * Remember the place where we stopped the search:
16059 */
16060@@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
16061 {
16062 struct vm_area_struct *vma;
16063 struct mm_struct *mm = current->mm;
16064- unsigned long addr = addr0;
16065+ unsigned long base = mm->mmap_base, addr = addr0;
16066
16067 /* requested length too big for entire address space */
16068 if (len > TASK_SIZE)
16069@@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
16070 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
16071 goto bottomup;
16072
16073+#ifdef CONFIG_PAX_RANDMMAP
16074+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16075+#endif
16076+
16077 /* requesting a specific address */
16078 if (addr) {
16079 addr = PAGE_ALIGN(addr);
16080- vma = find_vma(mm, addr);
16081- if (TASK_SIZE - len >= addr &&
16082- (!vma || addr + len <= vma->vm_start))
16083- return addr;
16084+ if (TASK_SIZE - len >= addr) {
16085+ vma = find_vma(mm, addr);
16086+ if (check_heap_stack_gap(vma, addr, len))
16087+ return addr;
16088+ }
16089 }
16090
16091 /* check if free_area_cache is useful for us */
16092@@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
16093 /* make sure it can fit in the remaining address space */
16094 if (addr > len) {
16095 vma = find_vma(mm, addr-len);
16096- if (!vma || addr <= vma->vm_start)
16097+ if (check_heap_stack_gap(vma, addr - len, len))
16098 /* remember the address as a hint for next time */
16099 return mm->free_area_cache = addr-len;
16100 }
16101@@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
16102 * return with success:
16103 */
16104 vma = find_vma(mm, addr);
16105- if (!vma || addr+len <= vma->vm_start)
16106+ if (check_heap_stack_gap(vma, addr, len))
16107 /* remember the address as a hint for next time */
16108 return mm->free_area_cache = addr;
16109
16110@@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
16111 mm->cached_hole_size = vma->vm_start - addr;
16112
16113 /* try just below the current vma->vm_start */
16114- addr = vma->vm_start-len;
16115- } while (len < vma->vm_start);
16116+ addr = skip_heap_stack_gap(vma, len);
16117+ } while (!IS_ERR_VALUE(addr));
16118
16119 bottomup:
16120 /*
16121@@ -198,13 +206,21 @@ bottomup:
16122 * can happen with large stack limits and large mmap()
16123 * allocations.
16124 */
16125+ mm->mmap_base = TASK_UNMAPPED_BASE;
16126+
16127+#ifdef CONFIG_PAX_RANDMMAP
16128+ if (mm->pax_flags & MF_PAX_RANDMMAP)
16129+ mm->mmap_base += mm->delta_mmap;
16130+#endif
16131+
16132+ mm->free_area_cache = mm->mmap_base;
16133 mm->cached_hole_size = ~0UL;
16134- mm->free_area_cache = TASK_UNMAPPED_BASE;
16135 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
16136 /*
16137 * Restore the topdown base:
16138 */
16139- mm->free_area_cache = mm->mmap_base;
16140+ mm->mmap_base = base;
16141+ mm->free_area_cache = base;
16142 mm->cached_hole_size = ~0UL;
16143
16144 return addr;
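Review bot: The fallback now rewrites `mm->mmap_base` (to TASK_UNMAPPED_BASE plus the RANDMMAP delta) before calling arch_get_unmapped_area and restores it from `base` afterwards, `base` being captured at function entry in an earlier hunk. The transient value is visible to anything else reading mm->mmap_base during the call, so this is only safe under the caller's write lock on mm->mmap_sem — presumably held here as for every get_unmapped_area caller, but the reliance is not stated anywhere in the function. A comment on the first assignment would make it explicit, e.g. `/* temporarily relocate mmap_base for the bottom-up search; caller holds mmap_sem for write, restored below */`. The same pattern appears in the new i386 topdown allocator in the sys_i386_32.c hunk above.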
16145diff -urNp linux-3.1.1/arch/x86/kernel/tboot.c linux-3.1.1/arch/x86/kernel/tboot.c
16146--- linux-3.1.1/arch/x86/kernel/tboot.c 2011-11-11 15:19:27.000000000 -0500
16147+++ linux-3.1.1/arch/x86/kernel/tboot.c 2011-11-16 18:39:07.000000000 -0500
16148@@ -218,7 +218,7 @@ static int tboot_setup_sleep(void)
16149
16150 void tboot_shutdown(u32 shutdown_type)
16151 {
16152- void (*shutdown)(void);
16153+ void (* __noreturn shutdown)(void);
16154
16155 if (!tboot_enabled())
16156 return;
16157@@ -240,7 +240,7 @@ void tboot_shutdown(u32 shutdown_type)
16158
16159 switch_to_tboot_pt();
16160
16161- shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
16162+ shutdown = (void *)tboot->shutdown_entry;
16163 shutdown();
16164
16165 /* should not reach here */
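Review bot: `shutdown = (void *)tboot->shutdown_entry;` drops the intermediate `(unsigned long)` cast the original line used; if shutdown_entry is a 32-bit field, as that intermediate cast suggests, converting it straight to a pointer on x86_64 is an integer-to-pointer cast between different sizes and will draw the corresponding compiler warning. Keeping the widening step retains the `__noreturn` annotation the first hunk introduces while staying warning-clean: `shutdown = (void *)(unsigned long)tboot->shutdown_entry;`. tboot_shutdown continues outside the hunk.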
16166@@ -297,7 +297,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
16167 tboot_shutdown(acpi_shutdown_map[sleep_state]);
16168 }
16169
16170-static atomic_t ap_wfs_count;
16171+static atomic_unchecked_t ap_wfs_count;
16172
16173 static int tboot_wait_for_aps(int num_aps)
16174 {
16175@@ -321,9 +321,9 @@ static int __cpuinit tboot_cpu_callback(
16176 {
16177 switch (action) {
16178 case CPU_DYING:
16179- atomic_inc(&ap_wfs_count);
16180+ atomic_inc_unchecked(&ap_wfs_count);
16181 if (num_online_cpus() == 1)
16182- if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
16183+ if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
16184 return NOTIFY_BAD;
16185 break;
16186 }
16187@@ -342,7 +342,7 @@ static __init int tboot_late_init(void)
16188
16189 tboot_create_trampoline();
16190
16191- atomic_set(&ap_wfs_count, 0);
16192+ atomic_set_unchecked(&ap_wfs_count, 0);
16193 register_hotcpu_notifier(&tboot_cpu_notifier);
16194 return 0;
16195 }
16196diff -urNp linux-3.1.1/arch/x86/kernel/time.c linux-3.1.1/arch/x86/kernel/time.c
16197--- linux-3.1.1/arch/x86/kernel/time.c 2011-11-11 15:19:27.000000000 -0500
16198+++ linux-3.1.1/arch/x86/kernel/time.c 2011-11-16 18:39:07.000000000 -0500
16199@@ -30,9 +30,9 @@ unsigned long profile_pc(struct pt_regs
16200 {
16201 unsigned long pc = instruction_pointer(regs);
16202
16203- if (!user_mode_vm(regs) && in_lock_functions(pc)) {
16204+ if (!user_mode(regs) && in_lock_functions(pc)) {
16205 #ifdef CONFIG_FRAME_POINTER
16206- return *(unsigned long *)(regs->bp + sizeof(long));
16207+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
16208 #else
16209 unsigned long *sp =
16210 (unsigned long *)kernel_stack_pointer(regs);
16211@@ -41,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
16212 * or above a saved flags. Eflags has bits 22-31 zero,
16213 * kernel addresses don't.
16214 */
16215+
16216+#ifdef CONFIG_PAX_KERNEXEC
16217+ return ktla_ktva(sp[0]);
16218+#else
16219 if (sp[0] >> 22)
16220 return sp[0];
16221 if (sp[1] >> 22)
16222 return sp[1];
16223 #endif
16224+
16225+#endif
16226 }
16227 return pc;
16228 }
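Review bot: The comment block ending at the top of this hunk (`Eflags has bits 22-31 zero, kernel addresses don't`) now describes only the `#else` branch: under CONFIG_PAX_KERNEXEC the new code returns `ktla_ktva(sp[0])` unconditionally and never applies the bit-22 heuristic or the sp[1] fallback, yet a reader will take the comment to cover both paths. A short line above the new `#ifdef` would avoid that, e.g. `/* KERNEXEC: take sp[0] unconditionally and translate it with ktla_ktva(); the eflags heuristic below is not applied on this path */`. The two `#endif`s that now close on adjacent lines also deserve trailing tags (`#endif /* CONFIG_PAX_KERNEXEC */`, `#endif /* CONFIG_FRAME_POINTER */`) since the nesting is no longer obvious. profile_pc continues outside the hunk.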
16229diff -urNp linux-3.1.1/arch/x86/kernel/tls.c linux-3.1.1/arch/x86/kernel/tls.c
16230--- linux-3.1.1/arch/x86/kernel/tls.c 2011-11-11 15:19:27.000000000 -0500
16231+++ linux-3.1.1/arch/x86/kernel/tls.c 2011-11-16 18:39:07.000000000 -0500
16232@@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
16233 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
16234 return -EINVAL;
16235
16236+#ifdef CONFIG_PAX_SEGMEXEC
16237+ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
16238+ return -EINVAL;
16239+#endif
16240+
16241 set_tls_desc(p, idx, &info, 1);
16242
16243 return 0;
16244diff -urNp linux-3.1.1/arch/x86/kernel/trampoline_32.S linux-3.1.1/arch/x86/kernel/trampoline_32.S
16245--- linux-3.1.1/arch/x86/kernel/trampoline_32.S 2011-11-11 15:19:27.000000000 -0500
16246+++ linux-3.1.1/arch/x86/kernel/trampoline_32.S 2011-11-16 18:39:07.000000000 -0500
16247@@ -32,6 +32,12 @@
16248 #include <asm/segment.h>
16249 #include <asm/page_types.h>
16250
16251+#ifdef CONFIG_PAX_KERNEXEC
16252+#define ta(X) (X)
16253+#else
16254+#define ta(X) ((X) - __PAGE_OFFSET)
16255+#endif
16256+
16257 #ifdef CONFIG_SMP
16258
16259 .section ".x86_trampoline","a"
16260@@ -62,7 +68,7 @@ r_base = .
16261 inc %ax # protected mode (PE) bit
16262 lmsw %ax # into protected mode
16263 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
16264- ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
16265+ ljmpl $__BOOT_CS, $ta(startup_32_smp)
16266
16267 # These need to be in the same 64K segment as the above;
16268 # hence we don't use the boot_gdt_descr defined in head.S
16269diff -urNp linux-3.1.1/arch/x86/kernel/trampoline_64.S linux-3.1.1/arch/x86/kernel/trampoline_64.S
16270--- linux-3.1.1/arch/x86/kernel/trampoline_64.S 2011-11-11 15:19:27.000000000 -0500
16271+++ linux-3.1.1/arch/x86/kernel/trampoline_64.S 2011-11-16 18:39:07.000000000 -0500
16272@@ -90,7 +90,7 @@ startup_32:
16273 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
16274 movl %eax, %ds
16275
16276- movl $X86_CR4_PAE, %eax
16277+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
16278 movl %eax, %cr4 # Enable PAE mode
16279
16280 # Setup trampoline 4 level pagetables
16281@@ -138,7 +138,7 @@ tidt:
16282 # so the kernel can live anywhere
16283 .balign 4
16284 tgdt:
16285- .short tgdt_end - tgdt # gdt limit
16286+ .short tgdt_end - tgdt - 1 # gdt limit
16287 .long tgdt - r_base
16288 .short 0
16289 .quad 0x00cf9b000000ffff # __KERNEL32_CS
16290diff -urNp linux-3.1.1/arch/x86/kernel/traps.c linux-3.1.1/arch/x86/kernel/traps.c
16291--- linux-3.1.1/arch/x86/kernel/traps.c 2011-11-11 15:19:27.000000000 -0500
16292+++ linux-3.1.1/arch/x86/kernel/traps.c 2011-11-16 18:39:07.000000000 -0500
16293@@ -70,12 +70,6 @@ asmlinkage int system_call(void);
16294
16295 /* Do we ignore FPU interrupts ? */
16296 char ignore_fpu_irq;
16297-
16298-/*
16299- * The IDT has to be page-aligned to simplify the Pentium
16300- * F0 0F bug workaround.
16301- */
16302-gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
16303 #endif
16304
16305 DECLARE_BITMAP(used_vectors, NR_VECTORS);
16306@@ -117,13 +111,13 @@ static inline void preempt_conditional_c
16307 }
16308
16309 static void __kprobes
16310-do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
16311+do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
16312 long error_code, siginfo_t *info)
16313 {
16314 struct task_struct *tsk = current;
16315
16316 #ifdef CONFIG_X86_32
16317- if (regs->flags & X86_VM_MASK) {
16318+ if (v8086_mode(regs)) {
16319 /*
16320 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
16321 * On nmi (interrupt 2), do_trap should not be called.
16322@@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
16323 }
16324 #endif
16325
16326- if (!user_mode(regs))
16327+ if (!user_mode_novm(regs))
16328 goto kernel_trap;
16329
16330 #ifdef CONFIG_X86_32
16331@@ -157,7 +151,7 @@ trap_signal:
16332 printk_ratelimit()) {
16333 printk(KERN_INFO
16334 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
16335- tsk->comm, tsk->pid, str,
16336+ tsk->comm, task_pid_nr(tsk), str,
16337 regs->ip, regs->sp, error_code);
16338 print_vma_addr(" in ", regs->ip);
16339 printk("\n");
16340@@ -174,8 +168,20 @@ kernel_trap:
16341 if (!fixup_exception(regs)) {
16342 tsk->thread.error_code = error_code;
16343 tsk->thread.trap_no = trapnr;
16344+
16345+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16346+ if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
16347+ str = "PAX: suspicious stack segment fault";
16348+#endif
16349+
16350 die(str, regs, error_code);
16351 }
16352+
16353+#ifdef CONFIG_PAX_REFCOUNT
16354+ if (trapnr == 4)
16355+ pax_report_refcount_overflow(regs);
16356+#endif
16357+
16358 return;
16359
16360 #ifdef CONFIG_X86_32
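Review bot: The new KERNEXEC and REFCOUNT branches key on bare trap numbers (`trapnr == 12`, `trapnr == 4`) with no hint of what they are; a reader has to know that vector 12 is the stack-segment fault (#SS) and vector 4 the overflow exception (#OF). This file uses no named constants for these vectors, so a trailing comment on each test is the cheapest fix, e.g. `if (trapnr == 12 && ...) /* #SS raised from a kernel code segment */` and `if (trapnr == 4) /* #OF: REFCOUNT reports overflows through the overflow trap */`. Note also that pax_report_refcount_overflow() is reached only after fixup_exception() has handled the trap (assuming die() does not return), which is presumably the designed path — a word in the comment would spare the next reader the question. do_trap starts before this hunk.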
16361@@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
16362 conditional_sti(regs);
16363
16364 #ifdef CONFIG_X86_32
16365- if (regs->flags & X86_VM_MASK)
16366+ if (v8086_mode(regs))
16367 goto gp_in_vm86;
16368 #endif
16369
16370 tsk = current;
16371- if (!user_mode(regs))
16372+ if (!user_mode_novm(regs))
16373 goto gp_in_kernel;
16374
16375+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16376+ if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
16377+ struct mm_struct *mm = tsk->mm;
16378+ unsigned long limit;
16379+
16380+ down_write(&mm->mmap_sem);
16381+ limit = mm->context.user_cs_limit;
16382+ if (limit < TASK_SIZE) {
16383+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
16384+ up_write(&mm->mmap_sem);
16385+ return;
16386+ }
16387+ up_write(&mm->mmap_sem);
16388+ }
16389+#endif
16390+
16391 tsk->thread.error_code = error_code;
16392 tsk->thread.trap_no = 13;
16393
16394@@ -304,6 +326,13 @@ gp_in_kernel:
16395 if (notify_die(DIE_GPF, "general protection fault", regs,
16396 error_code, 13, SIGSEGV) == NOTIFY_STOP)
16397 return;
16398+
16399+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16400+ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
16401+ die("PAX: suspicious general protection fault", regs, error_code);
16402+ else
16403+#endif
16404+
16405 die("general protection fault", regs, error_code);
16406 }
16407
16408@@ -433,6 +462,17 @@ static notrace __kprobes void default_do
16409 dotraplinkage notrace __kprobes void
16410 do_nmi(struct pt_regs *regs, long error_code)
16411 {
16412+
16413+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16414+ if (!user_mode(regs)) {
16415+ unsigned long cs = regs->cs & 0xFFFF;
16416+ unsigned long ip = ktva_ktla(regs->ip);
16417+
16418+ if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
16419+ regs->ip = ip;
16420+ }
16421+#endif
16422+
16423 nmi_enter();
16424
16425 inc_irq_stat(__nmi_count);
16426@@ -569,7 +609,7 @@ dotraplinkage void __kprobes do_debug(st
16427 /* It's safe to allow irq's after DR6 has been saved */
16428 preempt_conditional_sti(regs);
16429
16430- if (regs->flags & X86_VM_MASK) {
16431+ if (v8086_mode(regs)) {
16432 handle_vm86_trap((struct kernel_vm86_regs *) regs,
16433 error_code, 1);
16434 preempt_conditional_cli(regs);
16435@@ -583,7 +623,7 @@ dotraplinkage void __kprobes do_debug(st
16436 * We already checked v86 mode above, so we can check for kernel mode
16437 * by just checking the CPL of CS.
16438 */
16439- if ((dr6 & DR_STEP) && !user_mode(regs)) {
16440+ if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
16441 tsk->thread.debugreg6 &= ~DR_STEP;
16442 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
16443 regs->flags &= ~X86_EFLAGS_TF;
16444@@ -612,7 +652,7 @@ void math_error(struct pt_regs *regs, in
16445 return;
16446 conditional_sti(regs);
16447
16448- if (!user_mode_vm(regs))
16449+ if (!user_mode(regs))
16450 {
16451 if (!fixup_exception(regs)) {
16452 task->thread.error_code = error_code;
16453@@ -723,7 +763,7 @@ asmlinkage void __attribute__((weak)) sm
16454 void __math_state_restore(void)
16455 {
16456 struct thread_info *thread = current_thread_info();
16457- struct task_struct *tsk = thread->task;
16458+ struct task_struct *tsk = current;
16459
16460 /*
16461 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
16462@@ -750,8 +790,7 @@ void __math_state_restore(void)
16463 */
16464 asmlinkage void math_state_restore(void)
16465 {
16466- struct thread_info *thread = current_thread_info();
16467- struct task_struct *tsk = thread->task;
16468+ struct task_struct *tsk = current;
16469
16470 if (!tsk_used_math(tsk)) {
16471 local_irq_enable();
16472diff -urNp linux-3.1.1/arch/x86/kernel/verify_cpu.S linux-3.1.1/arch/x86/kernel/verify_cpu.S
16473--- linux-3.1.1/arch/x86/kernel/verify_cpu.S 2011-11-11 15:19:27.000000000 -0500
16474+++ linux-3.1.1/arch/x86/kernel/verify_cpu.S 2011-11-16 18:40:08.000000000 -0500
16475@@ -20,6 +20,7 @@
16476 * arch/x86/boot/compressed/head_64.S: Boot cpu verification
16477 * arch/x86/kernel/trampoline_64.S: secondary processor verification
16478 * arch/x86/kernel/head_32.S: processor startup
16479+ * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
16480 *
16481 * verify_cpu, returns the status of longmode and SSE in register %eax.
16482 * 0: Success 1: Failure
16483diff -urNp linux-3.1.1/arch/x86/kernel/vm86_32.c linux-3.1.1/arch/x86/kernel/vm86_32.c
16484--- linux-3.1.1/arch/x86/kernel/vm86_32.c 2011-11-11 15:19:27.000000000 -0500
16485+++ linux-3.1.1/arch/x86/kernel/vm86_32.c 2011-11-16 18:40:08.000000000 -0500
16486@@ -41,6 +41,7 @@
16487 #include <linux/ptrace.h>
16488 #include <linux/audit.h>
16489 #include <linux/stddef.h>
16490+#include <linux/grsecurity.h>
16491
16492 #include <asm/uaccess.h>
16493 #include <asm/io.h>
16494@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
16495 do_exit(SIGSEGV);
16496 }
16497
16498- tss = &per_cpu(init_tss, get_cpu());
16499+ tss = init_tss + get_cpu();
16500 current->thread.sp0 = current->thread.saved_sp0;
16501 current->thread.sysenter_cs = __KERNEL_CS;
16502 load_sp0(tss, &current->thread);
16503@@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
16504 struct task_struct *tsk;
16505 int tmp, ret = -EPERM;
16506
16507+#ifdef CONFIG_GRKERNSEC_VM86
16508+ if (!capable(CAP_SYS_RAWIO)) {
16509+ gr_handle_vm86();
16510+ goto out;
16511+ }
16512+#endif
16513+
16514 tsk = current;
16515 if (tsk->thread.saved_sp0)
16516 goto out;
16517@@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
16518 int tmp, ret;
16519 struct vm86plus_struct __user *v86;
16520
16521+#ifdef CONFIG_GRKERNSEC_VM86
16522+ if (!capable(CAP_SYS_RAWIO)) {
16523+ gr_handle_vm86();
16524+ ret = -EPERM;
16525+ goto out;
16526+ }
16527+#endif
16528+
16529 tsk = current;
16530 switch (cmd) {
16531 case VM86_REQUEST_IRQ:
16532@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
16533 tsk->thread.saved_fs = info->regs32->fs;
16534 tsk->thread.saved_gs = get_user_gs(info->regs32);
16535
16536- tss = &per_cpu(init_tss, get_cpu());
16537+ tss = init_tss + get_cpu();
16538 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
16539 if (cpu_has_sep)
16540 tsk->thread.sysenter_cs = 0;
16541@@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
16542 goto cannot_handle;
16543 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
16544 goto cannot_handle;
16545- intr_ptr = (unsigned long __user *) (i << 2);
16546+ intr_ptr = (__force unsigned long __user *) (i << 2);
16547 if (get_user(segoffs, intr_ptr))
16548 goto cannot_handle;
16549 if ((segoffs >> 16) == BIOSSEG)
16550diff -urNp linux-3.1.1/arch/x86/kernel/vmlinux.lds.S linux-3.1.1/arch/x86/kernel/vmlinux.lds.S
16551--- linux-3.1.1/arch/x86/kernel/vmlinux.lds.S 2011-11-11 15:19:27.000000000 -0500
16552+++ linux-3.1.1/arch/x86/kernel/vmlinux.lds.S 2011-11-16 18:39:07.000000000 -0500
16553@@ -26,6 +26,13 @@
16554 #include <asm/page_types.h>
16555 #include <asm/cache.h>
16556 #include <asm/boot.h>
16557+#include <asm/segment.h>
16558+
16559+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16560+#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
16561+#else
16562+#define __KERNEL_TEXT_OFFSET 0
16563+#endif
16564
16565 #undef i386 /* in case the preprocessor is a 32bit one */
16566
16567@@ -69,30 +76,43 @@ jiffies_64 = jiffies;
16568
16569 PHDRS {
16570 text PT_LOAD FLAGS(5); /* R_E */
16571+#ifdef CONFIG_X86_32
16572+ module PT_LOAD FLAGS(5); /* R_E */
16573+#endif
16574+#ifdef CONFIG_XEN
16575+ rodata PT_LOAD FLAGS(5); /* R_E */
16576+#else
16577+ rodata PT_LOAD FLAGS(4); /* R__ */
16578+#endif
16579 data PT_LOAD FLAGS(6); /* RW_ */
16580-#ifdef CONFIG_X86_64
16581+ init.begin PT_LOAD FLAGS(6); /* RW_ */
16582 #ifdef CONFIG_SMP
16583 percpu PT_LOAD FLAGS(6); /* RW_ */
16584 #endif
16585+ text.init PT_LOAD FLAGS(5); /* R_E */
16586+ text.exit PT_LOAD FLAGS(5); /* R_E */
16587 init PT_LOAD FLAGS(7); /* RWE */
16588-#endif
16589 note PT_NOTE FLAGS(0); /* ___ */
16590 }
16591
16592 SECTIONS
16593 {
16594 #ifdef CONFIG_X86_32
16595- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
16596- phys_startup_32 = startup_32 - LOAD_OFFSET;
16597+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
16598 #else
16599- . = __START_KERNEL;
16600- phys_startup_64 = startup_64 - LOAD_OFFSET;
16601+ . = __START_KERNEL;
16602 #endif
16603
16604 /* Text and read-only data */
16605- .text : AT(ADDR(.text) - LOAD_OFFSET) {
16606- _text = .;
16607+ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
16608 /* bootstrapping code */
16609+#ifdef CONFIG_X86_32
16610+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16611+#else
16612+ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16613+#endif
16614+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
16615+ _text = .;
16616 HEAD_TEXT
16617 #ifdef CONFIG_X86_32
16618 . = ALIGN(PAGE_SIZE);
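Review bot: In the new PHDRS block the rodata segment is declared `PT_LOAD FLAGS(5); /* R_E */` under CONFIG_XEN but `FLAGS(4); /* R__ */` otherwise, and nothing explains why Xen builds need the read-only data segment — which the following hunk makes the home of NOTES, the exception table and, on 32-bit, the IDT and boot page tables — to stay executable. Since separating executable from non-executable program headers appears to be the point of the surrounding changes, the exception deserves a comment stating the constraint, e.g. `/* Xen: rodata must remain executable here because <reason> */` with the concrete reason filled in, so a future reader does not quietly "fix" it either way. The SECTIONS part of the same hunk also moves `phys_startup_32`/`phys_startup_64` and `_text` inside `.text` and introduces `__LOAD_PHYSICAL_ADDR`; that looks deliberate but is equally undocumented.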
16619@@ -108,13 +128,47 @@ SECTIONS
16620 IRQENTRY_TEXT
16621 *(.fixup)
16622 *(.gnu.warning)
16623- /* End of text section */
16624- _etext = .;
16625 } :text = 0x9090
16626
16627- NOTES :text :note
16628+ . += __KERNEL_TEXT_OFFSET;
16629+
16630+#ifdef CONFIG_X86_32
16631+ . = ALIGN(PAGE_SIZE);
16632+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
16633+
16634+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
16635+ MODULES_EXEC_VADDR = .;
16636+ BYTE(0)
16637+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
16638+ . = ALIGN(HPAGE_SIZE);
16639+ MODULES_EXEC_END = . - 1;
16640+#endif
16641+
16642+ } :module
16643+#endif
16644+
16645+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
16646+ /* End of text section */
16647+ _etext = . - __KERNEL_TEXT_OFFSET;
16648+ }
16649+
16650+#ifdef CONFIG_X86_32
16651+ . = ALIGN(PAGE_SIZE);
16652+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
16653+ *(.idt)
16654+ . = ALIGN(PAGE_SIZE);
16655+ *(.empty_zero_page)
16656+ *(.initial_pg_fixmap)
16657+ *(.initial_pg_pmd)
16658+ *(.initial_page_table)
16659+ *(.swapper_pg_dir)
16660+ } :rodata
16661+#endif
16662+
16663+ . = ALIGN(PAGE_SIZE);
16664+ NOTES :rodata :note
16665
16666- EXCEPTION_TABLE(16) :text = 0x9090
16667+ EXCEPTION_TABLE(16) :rodata
16668
16669 #if defined(CONFIG_DEBUG_RODATA)
16670 /* .text should occupy whole number of pages */
16671@@ -126,16 +180,20 @@ SECTIONS
16672
16673 /* Data */
16674 .data : AT(ADDR(.data) - LOAD_OFFSET) {
16675+
16676+#ifdef CONFIG_PAX_KERNEXEC
16677+ . = ALIGN(HPAGE_SIZE);
16678+#else
16679+ . = ALIGN(PAGE_SIZE);
16680+#endif
16681+
16682 /* Start of data section */
16683 _sdata = .;
16684
16685 /* init_task */
16686 INIT_TASK_DATA(THREAD_SIZE)
16687
16688-#ifdef CONFIG_X86_32
16689- /* 32 bit has nosave before _edata */
16690 NOSAVE_DATA
16691-#endif
16692
16693 PAGE_ALIGNED_DATA(PAGE_SIZE)
16694
16695@@ -176,12 +234,19 @@ SECTIONS
16696 #endif /* CONFIG_X86_64 */
16697
16698 /* Init code and data - will be freed after init */
16699- . = ALIGN(PAGE_SIZE);
16700 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
16701+ BYTE(0)
16702+
16703+#ifdef CONFIG_PAX_KERNEXEC
16704+ . = ALIGN(HPAGE_SIZE);
16705+#else
16706+ . = ALIGN(PAGE_SIZE);
16707+#endif
16708+
16709 __init_begin = .; /* paired with __init_end */
16710- }
16711+ } :init.begin
16712
16713-#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
16714+#ifdef CONFIG_SMP
16715 /*
16716 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
16717 * output PHDR, so the next output section - .init.text - should
16718@@ -190,12 +255,27 @@ SECTIONS
16719 PERCPU_VADDR(INTERNODE_CACHE_BYTES, 0, :percpu)
16720 #endif
16721
16722- INIT_TEXT_SECTION(PAGE_SIZE)
16723-#ifdef CONFIG_X86_64
16724- :init
16725-#endif
16726+ . = ALIGN(PAGE_SIZE);
16727+ init_begin = .;
16728+ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
16729+ VMLINUX_SYMBOL(_sinittext) = .;
16730+ INIT_TEXT
16731+ VMLINUX_SYMBOL(_einittext) = .;
16732+ . = ALIGN(PAGE_SIZE);
16733+ } :text.init
16734
16735- INIT_DATA_SECTION(16)
16736+ /*
16737+ * .exit.text is discard at runtime, not link time, to deal with
16738+ * references from .altinstructions and .eh_frame
16739+ */
16740+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
16741+ EXIT_TEXT
16742+ . = ALIGN(16);
16743+ } :text.exit
16744+ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
16745+
16746+ . = ALIGN(PAGE_SIZE);
16747+ INIT_DATA_SECTION(16) :init
16748
16749 /*
16750 * Code and data for a variety of lowlevel trampolines, to be
16751@@ -269,19 +349,12 @@ SECTIONS
16752 }
16753
16754 . = ALIGN(8);
16755- /*
16756- * .exit.text is discard at runtime, not link time, to deal with
16757- * references from .altinstructions and .eh_frame
16758- */
16759- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
16760- EXIT_TEXT
16761- }
16762
16763 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
16764 EXIT_DATA
16765 }
16766
16767-#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
16768+#ifndef CONFIG_SMP
16769 PERCPU_SECTION(INTERNODE_CACHE_BYTES)
16770 #endif
16771
16772@@ -300,16 +373,10 @@ SECTIONS
16773 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
16774 __smp_locks = .;
16775 *(.smp_locks)
16776- . = ALIGN(PAGE_SIZE);
16777 __smp_locks_end = .;
16778+ . = ALIGN(PAGE_SIZE);
16779 }
16780
16781-#ifdef CONFIG_X86_64
16782- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
16783- NOSAVE_DATA
16784- }
16785-#endif
16786-
16787 /* BSS */
16788 . = ALIGN(PAGE_SIZE);
16789 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
16790@@ -325,6 +392,7 @@ SECTIONS
16791 __brk_base = .;
16792 . += 64 * 1024; /* 64k alignment slop space */
16793 *(.brk_reservation) /* areas brk users have reserved */
16794+ . = ALIGN(HPAGE_SIZE);
16795 __brk_limit = .;
16796 }
16797
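Review bot: The `. = ALIGN(HPAGE_SIZE);` inserted before `__brk_limit` is unconditional, unlike the HPAGE_SIZE alignments this patch adds to `.data` and `.init.begin`, which are wrapped in `#ifdef CONFIG_PAX_KERNEXEC` with a `PAGE_SIZE` fallback; as written it reserves up to one huge page of extra brk slop on every configuration, including ones with the feature off. If that is deliberate, a one-line comment saying why the brk limit must be huge-page aligned regardless of KERNEXEC would help; otherwise guard it the same way as the other two sites, `#ifdef CONFIG_PAX_KERNEXEC` / `. = ALIGN(HPAGE_SIZE);` / `#endif`. The `.brk` output section begins outside the hunk.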
16798@@ -351,13 +419,12 @@ SECTIONS
16799 * for the boot processor.
16800 */
16801 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
16802-INIT_PER_CPU(gdt_page);
16803 INIT_PER_CPU(irq_stack_union);
16804
16805 /*
16806 * Build-time check on the image size:
16807 */
16808-. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
16809+. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
16810 "kernel image bigger than KERNEL_IMAGE_SIZE");
16811
16812 #ifdef CONFIG_SMP
16813diff -urNp linux-3.1.1/arch/x86/kernel/vsyscall_64.c linux-3.1.1/arch/x86/kernel/vsyscall_64.c
16814--- linux-3.1.1/arch/x86/kernel/vsyscall_64.c 2011-11-11 15:19:27.000000000 -0500
16815+++ linux-3.1.1/arch/x86/kernel/vsyscall_64.c 2011-11-16 18:39:07.000000000 -0500
16816@@ -56,15 +56,13 @@ DEFINE_VVAR(struct vsyscall_gtod_data, v
16817 .lock = __SEQLOCK_UNLOCKED(__vsyscall_gtod_data.lock),
16818 };
16819
16820-static enum { EMULATE, NATIVE, NONE } vsyscall_mode = NATIVE;
16821+static enum { EMULATE, NONE } vsyscall_mode = EMULATE;
16822
16823 static int __init vsyscall_setup(char *str)
16824 {
16825 if (str) {
16826 if (!strcmp("emulate", str))
16827 vsyscall_mode = EMULATE;
16828- else if (!strcmp("native", str))
16829- vsyscall_mode = NATIVE;
16830 else if (!strcmp("none", str))
16831 vsyscall_mode = NONE;
16832 else
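Review bot: With the `"native"` branch removed, a command line that still passes `vsyscall=native` now reaches the final `else` of vsyscall_setup (outside the hunk) and is treated like an unknown value, so a previously valid boot parameter turns into an error rather than being quietly mapped to the only remaining mode. Accepting it as a deprecated alias, `else if (!strcmp("native", str)) vsyscall_mode = EMULATE;` with a printk saying that native vsyscalls are not available in this kernel, would keep existing configurations booting the same way; at minimum the vsyscall= parameter documentation should drop the `native` value. vsyscall_setup continues past the end of the hunk.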
16833@@ -177,7 +175,7 @@ bool emulate_vsyscall(struct pt_regs *re
16834
16835 tsk = current;
16836 if (seccomp_mode(&tsk->seccomp))
16837- do_exit(SIGKILL);
16838+ do_group_exit(SIGKILL);
16839
16840 switch (vsyscall_nr) {
16841 case 0:
16842@@ -219,8 +217,7 @@ bool emulate_vsyscall(struct pt_regs *re
16843 return true;
16844
16845 sigsegv:
16846- force_sig(SIGSEGV, current);
16847- return true;
16848+ do_group_exit(SIGKILL);
16849 }
16850
16851 /*
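Review bot: After this change the `sigsegv:` path of emulate_vsyscall, a `bool` function, ends without a return statement; that only compiles cleanly because do_group_exit() is declared noreturn, so a comment such as `/* do_group_exit() never returns; no return value on this path */` would stop a future reader from "fixing" it or a compiler from warning if the attribute ever changes. The hunk also turns a catchable, per-thread SIGSEGV into an uncatchable SIGKILL of the whole thread group, which is a user-visible policy decision the code does not explain; one line next to the call stating that a malformed vsyscall is treated as hostile rather than as an ordinary fault would make the intent reviewable. The body of emulate_vsyscall starts outside the hunk.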
16852@@ -273,10 +270,7 @@ void __init map_vsyscall(void)
16853 extern char __vvar_page;
16854 unsigned long physaddr_vvar_page = __pa_symbol(&__vvar_page);
16855
16856- __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall,
16857- vsyscall_mode == NATIVE
16858- ? PAGE_KERNEL_VSYSCALL
16859- : PAGE_KERNEL_VVAR);
16860+ __set_fixmap(VSYSCALL_FIRST_PAGE, physaddr_vsyscall, PAGE_KERNEL_VVAR);
16861 BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_FIRST_PAGE) !=
16862 (unsigned long)VSYSCALL_START);
16863
16864diff -urNp linux-3.1.1/arch/x86/kernel/x8664_ksyms_64.c linux-3.1.1/arch/x86/kernel/x8664_ksyms_64.c
16865--- linux-3.1.1/arch/x86/kernel/x8664_ksyms_64.c 2011-11-11 15:19:27.000000000 -0500
16866+++ linux-3.1.1/arch/x86/kernel/x8664_ksyms_64.c 2011-11-16 18:39:07.000000000 -0500
16867@@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
16868 EXPORT_SYMBOL(copy_user_generic_string);
16869 EXPORT_SYMBOL(copy_user_generic_unrolled);
16870 EXPORT_SYMBOL(__copy_user_nocache);
16871-EXPORT_SYMBOL(_copy_from_user);
16872-EXPORT_SYMBOL(_copy_to_user);
16873
16874 EXPORT_SYMBOL(copy_page);
16875 EXPORT_SYMBOL(clear_page);
16876diff -urNp linux-3.1.1/arch/x86/kernel/xsave.c linux-3.1.1/arch/x86/kernel/xsave.c
16877--- linux-3.1.1/arch/x86/kernel/xsave.c 2011-11-11 15:19:27.000000000 -0500
16878+++ linux-3.1.1/arch/x86/kernel/xsave.c 2011-11-16 18:39:07.000000000 -0500
16879@@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
16880 fx_sw_user->xstate_size > fx_sw_user->extended_size)
16881 return -EINVAL;
16882
16883- err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
16884+ err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
16885 fx_sw_user->extended_size -
16886 FP_XSTATE_MAGIC2_SIZE));
16887 if (err)
16888@@ -267,7 +267,7 @@ fx_only:
16889 * the other extended state.
16890 */
16891 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
16892- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
16893+ return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
16894 }
16895
16896 /*
16897@@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
16898 if (use_xsave())
16899 err = restore_user_xstate(buf);
16900 else
16901- err = fxrstor_checking((__force struct i387_fxsave_struct *)
16902+ err = fxrstor_checking((struct i387_fxsave_struct __force_kernel *)
16903 buf);
16904 if (unlikely(err)) {
16905 /*
16906diff -urNp linux-3.1.1/arch/x86/kvm/emulate.c linux-3.1.1/arch/x86/kvm/emulate.c
16907--- linux-3.1.1/arch/x86/kvm/emulate.c 2011-11-11 15:19:27.000000000 -0500
16908+++ linux-3.1.1/arch/x86/kvm/emulate.c 2011-11-16 18:39:07.000000000 -0500
16909@@ -96,7 +96,7 @@
16910 #define Src2ImmByte (2<<29)
16911 #define Src2One (3<<29)
16912 #define Src2Imm (4<<29)
16913-#define Src2Mask (7<<29)
16914+#define Src2Mask (7U<<29)
16915
16916 #define X2(x...) x, x
16917 #define X3(x...) X2(x), x
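Review bot: The signed-shift overflow this line fixes for `Src2Mask` is still present two lines above it in `#define Src2Imm (4<<29)`: 4<<29 is 2^31, which does not fit in a 32-bit `int`, so that expression is undefined behaviour in exactly the way `7<<29` was, while `2<<29` and `3<<29` in the same group are fine. Change it to `#define Src2Imm (4U<<29)` in the same commit, and check the neighbouring operand-flag groups outside the hunk for other values whose top bit lands in bit 31.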
16918@@ -207,6 +207,7 @@ struct gprefix {
16919
16920 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
16921 do { \
16922+ unsigned long _tmp; \
16923 __asm__ __volatile__ ( \
16924 _PRE_EFLAGS("0", "4", "2") \
16925 _op _suffix " %"_x"3,%1; " \
16926@@ -220,8 +221,6 @@ struct gprefix {
16927 /* Raw emulation: instruction has two explicit operands. */
16928 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
16929 do { \
16930- unsigned long _tmp; \
16931- \
16932 switch ((_dst).bytes) { \
16933 case 2: \
16934 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
16935@@ -237,7 +236,6 @@ struct gprefix {
16936
16937 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
16938 do { \
16939- unsigned long _tmp; \
16940 switch ((_dst).bytes) { \
16941 case 1: \
16942 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
16943diff -urNp linux-3.1.1/arch/x86/kvm/lapic.c linux-3.1.1/arch/x86/kvm/lapic.c
16944--- linux-3.1.1/arch/x86/kvm/lapic.c 2011-11-11 15:19:27.000000000 -0500
16945+++ linux-3.1.1/arch/x86/kvm/lapic.c 2011-11-16 18:39:07.000000000 -0500
16946@@ -53,7 +53,7 @@
16947 #define APIC_BUS_CYCLE_NS 1
16948
16949 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
16950-#define apic_debug(fmt, arg...)
16951+#define apic_debug(fmt, arg...) do {} while (0)
16952
16953 #define APIC_LVT_NUM 6
16954 /* 14 is the version for Xeon and Pentium 8.4.8*/
16955diff -urNp linux-3.1.1/arch/x86/kvm/mmu.c linux-3.1.1/arch/x86/kvm/mmu.c
16956--- linux-3.1.1/arch/x86/kvm/mmu.c 2011-11-11 15:19:27.000000000 -0500
16957+++ linux-3.1.1/arch/x86/kvm/mmu.c 2011-11-16 18:39:07.000000000 -0500
16958@@ -3552,7 +3552,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
16959
16960 pgprintk("%s: gpa %llx bytes %d\n", __func__, gpa, bytes);
16961
16962- invlpg_counter = atomic_read(&vcpu->kvm->arch.invlpg_counter);
16963+ invlpg_counter = atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter);
16964
16965 /*
16966 * Assume that the pte write on a page table of the same type
16967@@ -3584,7 +3584,7 @@ void kvm_mmu_pte_write(struct kvm_vcpu *
16968 }
16969
16970 spin_lock(&vcpu->kvm->mmu_lock);
16971- if (atomic_read(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
16972+ if (atomic_read_unchecked(&vcpu->kvm->arch.invlpg_counter) != invlpg_counter)
16973 gentry = 0;
16974 kvm_mmu_free_some_pages(vcpu);
16975 ++vcpu->kvm->stat.mmu_pte_write;
16976diff -urNp linux-3.1.1/arch/x86/kvm/paging_tmpl.h linux-3.1.1/arch/x86/kvm/paging_tmpl.h
16977--- linux-3.1.1/arch/x86/kvm/paging_tmpl.h 2011-11-11 15:19:27.000000000 -0500
16978+++ linux-3.1.1/arch/x86/kvm/paging_tmpl.h 2011-11-16 19:40:44.000000000 -0500
16979@@ -197,7 +197,7 @@ retry_walk:
16980 if (unlikely(kvm_is_error_hva(host_addr)))
16981 goto error;
16982
16983- ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
16984+ ptep_user = (pt_element_t __force_user *)((void *)host_addr + offset);
16985 if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte))))
16986 goto error;
16987
16988@@ -575,6 +575,8 @@ static int FNAME(page_fault)(struct kvm_
16989 unsigned long mmu_seq;
16990 bool map_writable;
16991
16992+ pax_track_stack();
16993+
16994 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
16995
16996 if (unlikely(error_code & PFERR_RSVD_MASK))
16997@@ -701,7 +703,7 @@ static void FNAME(invlpg)(struct kvm_vcp
16998 if (need_flush)
16999 kvm_flush_remote_tlbs(vcpu->kvm);
17000
17001- atomic_inc(&vcpu->kvm->arch.invlpg_counter);
17002+ atomic_inc_unchecked(&vcpu->kvm->arch.invlpg_counter);
17003
17004 spin_unlock(&vcpu->kvm->mmu_lock);
17005
17006diff -urNp linux-3.1.1/arch/x86/kvm/svm.c linux-3.1.1/arch/x86/kvm/svm.c
17007--- linux-3.1.1/arch/x86/kvm/svm.c 2011-11-11 15:19:27.000000000 -0500
17008+++ linux-3.1.1/arch/x86/kvm/svm.c 2011-11-16 18:39:07.000000000 -0500
17009@@ -3381,7 +3381,11 @@ static void reload_tss(struct kvm_vcpu *
17010 int cpu = raw_smp_processor_id();
17011
17012 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
17013+
17014+ pax_open_kernel();
17015 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
17016+ pax_close_kernel();
17017+
17018 load_TR_desc();
17019 }
17020
17021@@ -3759,6 +3763,10 @@ static void svm_vcpu_run(struct kvm_vcpu
17022 #endif
17023 #endif
17024
17025+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
17026+ __set_fs(current_thread_info()->addr_limit);
17027+#endif
17028+
17029 reload_tss(vcpu);
17030
17031 local_irq_disable();
17032diff -urNp linux-3.1.1/arch/x86/kvm/vmx.c linux-3.1.1/arch/x86/kvm/vmx.c
17033--- linux-3.1.1/arch/x86/kvm/vmx.c 2011-11-11 15:19:27.000000000 -0500
17034+++ linux-3.1.1/arch/x86/kvm/vmx.c 2011-11-16 18:39:07.000000000 -0500
17035@@ -1251,7 +1251,11 @@ static void reload_tss(void)
17036 struct desc_struct *descs;
17037
17038 descs = (void *)gdt->address;
17039+
17040+ pax_open_kernel();
17041 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
17042+ pax_close_kernel();
17043+
17044 load_TR_desc();
17045 }
17046
17047@@ -2520,8 +2524,11 @@ static __init int hardware_setup(void)
17048 if (!cpu_has_vmx_flexpriority())
17049 flexpriority_enabled = 0;
17050
17051- if (!cpu_has_vmx_tpr_shadow())
17052- kvm_x86_ops->update_cr8_intercept = NULL;
17053+ if (!cpu_has_vmx_tpr_shadow()) {
17054+ pax_open_kernel();
17055+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
17056+ pax_close_kernel();
17057+ }
17058
17059 if (enable_ept && !cpu_has_vmx_ept_2m_page())
17060 kvm_disable_largepages();
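Review bot: The store `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` casts through `void **` to strip whatever qualifier now prevents a direct assignment, but nothing in the hunk says what that qualifier is or why the store is legitimate. Presumably kvm_x86_ops has been made const/read-only elsewhere in the patch, which is also why the assignment is bracketed by pax_open_kernel()/pax_close_kernel(); if so, a comment like `/* kvm_x86_ops is read-only after init; temporarily open the kernel and cast away const for this one-time setup write */` should sit above the cast so the next reader does not mistake it for an aliasing hack. The reload_tss hunks in svm.c and vmx.c above wrap the TSS descriptor write in the same open/close pair and would benefit from the same one-line explanation.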
17061@@ -3535,7 +3542,7 @@ static void vmx_set_constant_host_state(
17062 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
17063
17064 asm("mov $.Lkvm_vmx_return, %0" : "=r"(tmpl));
17065- vmcs_writel(HOST_RIP, tmpl); /* 22.2.5 */
17066+ vmcs_writel(HOST_RIP, ktla_ktva(tmpl)); /* 22.2.5 */
17067
17068 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
17069 vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
17070@@ -6021,6 +6028,12 @@ static void __noclone vmx_vcpu_run(struc
17071 "jmp .Lkvm_vmx_return \n\t"
17072 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
17073 ".Lkvm_vmx_return: "
17074+
17075+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17076+ "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
17077+ ".Lkvm_vmx_return2: "
17078+#endif
17079+
17080 /* Save guest registers, load host registers, keep flags */
17081 "mov %0, %c[wordsize](%%"R"sp) \n\t"
17082 "pop %0 \n\t"
17083@@ -6069,6 +6082,11 @@ static void __noclone vmx_vcpu_run(struc
17084 #endif
17085 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
17086 [wordsize]"i"(sizeof(ulong))
17087+
17088+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17089+ ,[cs]"i"(__KERNEL_CS)
17090+#endif
17091+
17092 : "cc", "memory"
17093 , R"ax", R"bx", R"di", R"si"
17094 #ifdef CONFIG_X86_64
17095@@ -6097,7 +6115,16 @@ static void __noclone vmx_vcpu_run(struc
17096 }
17097 }
17098
17099- asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
17100+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
17101+
17102+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17103+ loadsegment(fs, __KERNEL_PERCPU);
17104+#endif
17105+
17106+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
17107+ __set_fs(current_thread_info()->addr_limit);
17108+#endif
17109+
17110 vmx->loaded_vmcs->launched = 1;
17111
17112 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
17113diff -urNp linux-3.1.1/arch/x86/kvm/x86.c linux-3.1.1/arch/x86/kvm/x86.c
17114--- linux-3.1.1/arch/x86/kvm/x86.c 2011-11-11 15:19:27.000000000 -0500
17115+++ linux-3.1.1/arch/x86/kvm/x86.c 2011-11-16 18:39:07.000000000 -0500
17116@@ -1334,8 +1334,8 @@ static int xen_hvm_config(struct kvm_vcp
17117 {
17118 struct kvm *kvm = vcpu->kvm;
17119 int lm = is_long_mode(vcpu);
17120- u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64
17121- : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
17122+ u8 __user *blob_addr = lm ? (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_64
17123+ : (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
17124 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
17125 : kvm->arch.xen_hvm_config.blob_size_32;
17126 u32 page_num = data & ~PAGE_MASK;
17127@@ -2137,6 +2137,8 @@ long kvm_arch_dev_ioctl(struct file *fil
17128 if (n < msr_list.nmsrs)
17129 goto out;
17130 r = -EFAULT;
17131+ if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
17132+ goto out;
17133 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
17134 num_msrs_to_save * sizeof(u32)))
17135 goto out;
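Review bot: The new `num_msrs_to_save > ARRAY_SIZE(msrs_to_save)` check in kvm_arch_dev_ioctl fails with the `r = -EFAULT` set on the line above it, the code reserved for a failed user copy, so a caller cannot distinguish a kernel-internal inconsistency from a bad user pointer. As far as can be told from here, num_msrs_to_save is filled in by the kernel at init time rather than from userspace, so this is a defensive invariant check; making that explicit, e.g. `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save))) { r = -EINVAL; goto out; }`, both documents the intent and surfaces the bug if it ever triggers. The enclosing function and the `msr_list` handling begin outside the hunk.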
17136@@ -2312,15 +2314,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
17137 struct kvm_cpuid2 *cpuid,
17138 struct kvm_cpuid_entry2 __user *entries)
17139 {
17140- int r;
17141+ int r, i;
17142
17143 r = -E2BIG;
17144 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
17145 goto out;
17146 r = -EFAULT;
17147- if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
17148- cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
17149+ if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
17150 goto out;
17151+ for (i = 0; i < cpuid->nent; ++i) {
17152+ struct kvm_cpuid_entry2 cpuid_entry;
17153+ if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
17154+ goto out;
17155+ vcpu->arch.cpuid_entries[i] = cpuid_entry;
17156+ }
17157 vcpu->arch.cpuid_nent = cpuid->nent;
17158 kvm_apic_set_version(vcpu);
17159 kvm_x86_ops->cpuid_update(vcpu);
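Review bot: The new loop index `i` is an `int` while `cpuid->nent` is, in the uapi `struct kvm_cpuid2`, a `__u32`, so `i < cpuid->nent` is a signed/unsigned comparison; the `KVM_MAX_CPUID_ENTRIES` check above keeps it harmless, but declaring `unsigned int i;` (or `u32 i;`) avoids the `-Wsign-compare` warning, and the same applies to the kvm_vcpu_ioctl_get_cpuid2 hunk below. The hunk also replaces a single copy_from_user() with access_ok() plus a per-entry __copy_from_user() loop without stating why; presumably it is so that each user copy targets a fixed-size stack object whose length the size-checked usercopy can verify, and that motivation should be recorded in a comment such as `/* copy one entry at a time so each usercopy has a compile-time size */` once confirmed. A fault part-way through the loop leaves cpuid_entries partially overwritten with cpuid_nent unchanged, which is the same window the original bulk copy had, so that is not a regression but is worth a word in the same comment.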
17160@@ -2335,15 +2342,19 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
17161 struct kvm_cpuid2 *cpuid,
17162 struct kvm_cpuid_entry2 __user *entries)
17163 {
17164- int r;
17165+ int r, i;
17166
17167 r = -E2BIG;
17168 if (cpuid->nent < vcpu->arch.cpuid_nent)
17169 goto out;
17170 r = -EFAULT;
17171- if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
17172- vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
17173+ if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
17174 goto out;
17175+ for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
17176+ struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
17177+ if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
17178+ goto out;
17179+ }
17180 return 0;
17181
17182 out:
17183@@ -2718,7 +2729,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
17184 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
17185 struct kvm_interrupt *irq)
17186 {
17187- if (irq->irq < 0 || irq->irq >= 256)
17188+ if (irq->irq >= 256)
17189 return -EINVAL;
17190 if (irqchip_in_kernel(vcpu->kvm))
17191 return -ENXIO;
17192@@ -5089,7 +5100,7 @@ static void kvm_set_mmio_spte_mask(void)
17193 kvm_mmu_set_mmio_spte_mask(mask);
17194 }
17195
17196-int kvm_arch_init(void *opaque)
17197+int kvm_arch_init(const void *opaque)
17198 {
17199 int r;
17200 struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
17201diff -urNp linux-3.1.1/arch/x86/lguest/boot.c linux-3.1.1/arch/x86/lguest/boot.c
17202--- linux-3.1.1/arch/x86/lguest/boot.c 2011-11-11 15:19:27.000000000 -0500
17203+++ linux-3.1.1/arch/x86/lguest/boot.c 2011-11-16 18:39:07.000000000 -0500
17204@@ -1184,9 +1184,10 @@ static __init int early_put_chars(u32 vt
17205 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
17206 * Launcher to reboot us.
17207 */
17208-static void lguest_restart(char *reason)
17209+static __noreturn void lguest_restart(char *reason)
17210 {
17211 hcall(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART, 0, 0);
17212+ BUG();
17213 }
17214
17215 /*G:050
17216diff -urNp linux-3.1.1/arch/x86/lib/atomic64_32.c linux-3.1.1/arch/x86/lib/atomic64_32.c
17217--- linux-3.1.1/arch/x86/lib/atomic64_32.c 2011-11-11 15:19:27.000000000 -0500
17218+++ linux-3.1.1/arch/x86/lib/atomic64_32.c 2011-11-16 18:39:07.000000000 -0500
17219@@ -8,18 +8,30 @@
17220
17221 long long atomic64_read_cx8(long long, const atomic64_t *v);
17222 EXPORT_SYMBOL(atomic64_read_cx8);
17223+long long atomic64_read_unchecked_cx8(long long, const atomic64_unchecked_t *v);
17224+EXPORT_SYMBOL(atomic64_read_unchecked_cx8);
17225 long long atomic64_set_cx8(long long, const atomic64_t *v);
17226 EXPORT_SYMBOL(atomic64_set_cx8);
17227+long long atomic64_set_unchecked_cx8(long long, const atomic64_unchecked_t *v);
17228+EXPORT_SYMBOL(atomic64_set_unchecked_cx8);
17229 long long atomic64_xchg_cx8(long long, unsigned high);
17230 EXPORT_SYMBOL(atomic64_xchg_cx8);
17231 long long atomic64_add_return_cx8(long long a, atomic64_t *v);
17232 EXPORT_SYMBOL(atomic64_add_return_cx8);
17233+long long atomic64_add_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17234+EXPORT_SYMBOL(atomic64_add_return_unchecked_cx8);
17235 long long atomic64_sub_return_cx8(long long a, atomic64_t *v);
17236 EXPORT_SYMBOL(atomic64_sub_return_cx8);
17237+long long atomic64_sub_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17238+EXPORT_SYMBOL(atomic64_sub_return_unchecked_cx8);
17239 long long atomic64_inc_return_cx8(long long a, atomic64_t *v);
17240 EXPORT_SYMBOL(atomic64_inc_return_cx8);
17241+long long atomic64_inc_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17242+EXPORT_SYMBOL(atomic64_inc_return_unchecked_cx8);
17243 long long atomic64_dec_return_cx8(long long a, atomic64_t *v);
17244 EXPORT_SYMBOL(atomic64_dec_return_cx8);
17245+long long atomic64_dec_return_unchecked_cx8(long long a, atomic64_unchecked_t *v);
17246+EXPORT_SYMBOL(atomic64_dec_return_unchecked_cx8);
17247 long long atomic64_dec_if_positive_cx8(atomic64_t *v);
17248 EXPORT_SYMBOL(atomic64_dec_if_positive_cx8);
17249 int atomic64_inc_not_zero_cx8(atomic64_t *v);
17250@@ -30,26 +42,46 @@ EXPORT_SYMBOL(atomic64_add_unless_cx8);
17251 #ifndef CONFIG_X86_CMPXCHG64
17252 long long atomic64_read_386(long long, const atomic64_t *v);
17253 EXPORT_SYMBOL(atomic64_read_386);
17254+long long atomic64_read_unchecked_386(long long, const atomic64_unchecked_t *v);
17255+EXPORT_SYMBOL(atomic64_read_unchecked_386);
17256 long long atomic64_set_386(long long, const atomic64_t *v);
17257 EXPORT_SYMBOL(atomic64_set_386);
17258+long long atomic64_set_unchecked_386(long long, const atomic64_unchecked_t *v);
17259+EXPORT_SYMBOL(atomic64_set_unchecked_386);
17260 long long atomic64_xchg_386(long long, unsigned high);
17261 EXPORT_SYMBOL(atomic64_xchg_386);
17262 long long atomic64_add_return_386(long long a, atomic64_t *v);
17263 EXPORT_SYMBOL(atomic64_add_return_386);
17264+long long atomic64_add_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17265+EXPORT_SYMBOL(atomic64_add_return_unchecked_386);
17266 long long atomic64_sub_return_386(long long a, atomic64_t *v);
17267 EXPORT_SYMBOL(atomic64_sub_return_386);
17268+long long atomic64_sub_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17269+EXPORT_SYMBOL(atomic64_sub_return_unchecked_386);
17270 long long atomic64_inc_return_386(long long a, atomic64_t *v);
17271 EXPORT_SYMBOL(atomic64_inc_return_386);
17272+long long atomic64_inc_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17273+EXPORT_SYMBOL(atomic64_inc_return_unchecked_386);
17274 long long atomic64_dec_return_386(long long a, atomic64_t *v);
17275 EXPORT_SYMBOL(atomic64_dec_return_386);
17276+long long atomic64_dec_return_unchecked_386(long long a, atomic64_unchecked_t *v);
17277+EXPORT_SYMBOL(atomic64_dec_return_unchecked_386);
17278 long long atomic64_add_386(long long a, atomic64_t *v);
17279 EXPORT_SYMBOL(atomic64_add_386);
17280+long long atomic64_add_unchecked_386(long long a, atomic64_unchecked_t *v);
17281+EXPORT_SYMBOL(atomic64_add_unchecked_386);
17282 long long atomic64_sub_386(long long a, atomic64_t *v);
17283 EXPORT_SYMBOL(atomic64_sub_386);
17284+long long atomic64_sub_unchecked_386(long long a, atomic64_unchecked_t *v);
17285+EXPORT_SYMBOL(atomic64_sub_unchecked_386);
17286 long long atomic64_inc_386(long long a, atomic64_t *v);
17287 EXPORT_SYMBOL(atomic64_inc_386);
17288+long long atomic64_inc_unchecked_386(long long a, atomic64_unchecked_t *v);
17289+EXPORT_SYMBOL(atomic64_inc_unchecked_386);
17290 long long atomic64_dec_386(long long a, atomic64_t *v);
17291 EXPORT_SYMBOL(atomic64_dec_386);
17292+long long atomic64_dec_unchecked_386(long long a, atomic64_unchecked_t *v);
17293+EXPORT_SYMBOL(atomic64_dec_unchecked_386);
17294 long long atomic64_dec_if_positive_386(atomic64_t *v);
17295 EXPORT_SYMBOL(atomic64_dec_if_positive_386);
17296 int atomic64_inc_not_zero_386(atomic64_t *v);
17297diff -urNp linux-3.1.1/arch/x86/lib/atomic64_386_32.S linux-3.1.1/arch/x86/lib/atomic64_386_32.S
17298--- linux-3.1.1/arch/x86/lib/atomic64_386_32.S 2011-11-11 15:19:27.000000000 -0500
17299+++ linux-3.1.1/arch/x86/lib/atomic64_386_32.S 2011-11-16 18:39:07.000000000 -0500
17300@@ -48,6 +48,10 @@ BEGIN(read)
17301 movl (v), %eax
17302 movl 4(v), %edx
17303 RET_ENDP
17304+BEGIN(read_unchecked)
17305+ movl (v), %eax
17306+ movl 4(v), %edx
17307+RET_ENDP
17308 #undef v
17309
17310 #define v %esi
17311@@ -55,6 +59,10 @@ BEGIN(set)
17312 movl %ebx, (v)
17313 movl %ecx, 4(v)
17314 RET_ENDP
17315+BEGIN(set_unchecked)
17316+ movl %ebx, (v)
17317+ movl %ecx, 4(v)
17318+RET_ENDP
17319 #undef v
17320
17321 #define v %esi
17322@@ -70,6 +78,20 @@ RET_ENDP
17323 BEGIN(add)
17324 addl %eax, (v)
17325 adcl %edx, 4(v)
17326+
17327+#ifdef CONFIG_PAX_REFCOUNT
17328+ jno 0f
17329+ subl %eax, (v)
17330+ sbbl %edx, 4(v)
17331+ int $4
17332+0:
17333+ _ASM_EXTABLE(0b, 0b)
17334+#endif
17335+
17336+RET_ENDP
17337+BEGIN(add_unchecked)
17338+ addl %eax, (v)
17339+ adcl %edx, 4(v)
17340 RET_ENDP
17341 #undef v
17342
17343@@ -77,6 +99,24 @@ RET_ENDP
17344 BEGIN(add_return)
17345 addl (v), %eax
17346 adcl 4(v), %edx
17347+
17348+#ifdef CONFIG_PAX_REFCOUNT
17349+ into
17350+1234:
17351+ _ASM_EXTABLE(1234b, 2f)
17352+#endif
17353+
17354+ movl %eax, (v)
17355+ movl %edx, 4(v)
17356+
17357+#ifdef CONFIG_PAX_REFCOUNT
17358+2:
17359+#endif
17360+
17361+RET_ENDP
17362+BEGIN(add_return_unchecked)
17363+ addl (v), %eax
17364+ adcl 4(v), %edx
17365 movl %eax, (v)
17366 movl %edx, 4(v)
17367 RET_ENDP
17368@@ -86,6 +126,20 @@ RET_ENDP
17369 BEGIN(sub)
17370 subl %eax, (v)
17371 sbbl %edx, 4(v)
17372+
17373+#ifdef CONFIG_PAX_REFCOUNT
17374+ jno 0f
17375+ addl %eax, (v)
17376+ adcl %edx, 4(v)
17377+ int $4
17378+0:
17379+ _ASM_EXTABLE(0b, 0b)
17380+#endif
17381+
17382+RET_ENDP
17383+BEGIN(sub_unchecked)
17384+ subl %eax, (v)
17385+ sbbl %edx, 4(v)
17386 RET_ENDP
17387 #undef v
17388
17389@@ -96,6 +150,27 @@ BEGIN(sub_return)
17390 sbbl $0, %edx
17391 addl (v), %eax
17392 adcl 4(v), %edx
17393+
17394+#ifdef CONFIG_PAX_REFCOUNT
17395+ into
17396+1234:
17397+ _ASM_EXTABLE(1234b, 2f)
17398+#endif
17399+
17400+ movl %eax, (v)
17401+ movl %edx, 4(v)
17402+
17403+#ifdef CONFIG_PAX_REFCOUNT
17404+2:
17405+#endif
17406+
17407+RET_ENDP
17408+BEGIN(sub_return_unchecked)
17409+ negl %edx
17410+ negl %eax
17411+ sbbl $0, %edx
17412+ addl (v), %eax
17413+ adcl 4(v), %edx
17414 movl %eax, (v)
17415 movl %edx, 4(v)
17416 RET_ENDP
17417@@ -105,6 +180,20 @@ RET_ENDP
17418 BEGIN(inc)
17419 addl $1, (v)
17420 adcl $0, 4(v)
17421+
17422+#ifdef CONFIG_PAX_REFCOUNT
17423+ jno 0f
17424+ subl $1, (v)
17425+ sbbl $0, 4(v)
17426+ int $4
17427+0:
17428+ _ASM_EXTABLE(0b, 0b)
17429+#endif
17430+
17431+RET_ENDP
17432+BEGIN(inc_unchecked)
17433+ addl $1, (v)
17434+ adcl $0, 4(v)
17435 RET_ENDP
17436 #undef v
17437
17438@@ -114,6 +203,26 @@ BEGIN(inc_return)
17439 movl 4(v), %edx
17440 addl $1, %eax
17441 adcl $0, %edx
17442+
17443+#ifdef CONFIG_PAX_REFCOUNT
17444+ into
17445+1234:
17446+ _ASM_EXTABLE(1234b, 2f)
17447+#endif
17448+
17449+ movl %eax, (v)
17450+ movl %edx, 4(v)
17451+
17452+#ifdef CONFIG_PAX_REFCOUNT
17453+2:
17454+#endif
17455+
17456+RET_ENDP
17457+BEGIN(inc_return_unchecked)
17458+ movl (v), %eax
17459+ movl 4(v), %edx
17460+ addl $1, %eax
17461+ adcl $0, %edx
17462 movl %eax, (v)
17463 movl %edx, 4(v)
17464 RET_ENDP
17465@@ -123,6 +232,20 @@ RET_ENDP
17466 BEGIN(dec)
17467 subl $1, (v)
17468 sbbl $0, 4(v)
17469+
17470+#ifdef CONFIG_PAX_REFCOUNT
17471+ jno 0f
17472+ addl $1, (v)
17473+ adcl $0, 4(v)
17474+ int $4
17475+0:
17476+ _ASM_EXTABLE(0b, 0b)
17477+#endif
17478+
17479+RET_ENDP
17480+BEGIN(dec_unchecked)
17481+ subl $1, (v)
17482+ sbbl $0, 4(v)
17483 RET_ENDP
17484 #undef v
17485
17486@@ -132,6 +255,26 @@ BEGIN(dec_return)
17487 movl 4(v), %edx
17488 subl $1, %eax
17489 sbbl $0, %edx
17490+
17491+#ifdef CONFIG_PAX_REFCOUNT
17492+ into
17493+1234:
17494+ _ASM_EXTABLE(1234b, 2f)
17495+#endif
17496+
17497+ movl %eax, (v)
17498+ movl %edx, 4(v)
17499+
17500+#ifdef CONFIG_PAX_REFCOUNT
17501+2:
17502+#endif
17503+
17504+RET_ENDP
17505+BEGIN(dec_return_unchecked)
17506+ movl (v), %eax
17507+ movl 4(v), %edx
17508+ subl $1, %eax
17509+ sbbl $0, %edx
17510 movl %eax, (v)
17511 movl %edx, 4(v)
17512 RET_ENDP
17513@@ -143,6 +286,13 @@ BEGIN(add_unless)
17514 adcl %edx, %edi
17515 addl (v), %eax
17516 adcl 4(v), %edx
17517+
17518+#ifdef CONFIG_PAX_REFCOUNT
17519+ into
17520+1234:
17521+ _ASM_EXTABLE(1234b, 2f)
17522+#endif
17523+
17524 cmpl %eax, %esi
17525 je 3f
17526 1:
17527@@ -168,6 +318,13 @@ BEGIN(inc_not_zero)
17528 1:
17529 addl $1, %eax
17530 adcl $0, %edx
17531+
17532+#ifdef CONFIG_PAX_REFCOUNT
17533+ into
17534+1234:
17535+ _ASM_EXTABLE(1234b, 2f)
17536+#endif
17537+
17538 movl %eax, (v)
17539 movl %edx, 4(v)
17540 movl $1, %eax
17541@@ -186,6 +343,13 @@ BEGIN(dec_if_positive)
17542 movl 4(v), %edx
17543 subl $1, %eax
17544 sbbl $0, %edx
17545+
17546+#ifdef CONFIG_PAX_REFCOUNT
17547+ into
17548+1234:
17549+ _ASM_EXTABLE(1234b, 1f)
17550+#endif
17551+
17552 js 1f
17553 movl %eax, (v)
17554 movl %edx, 4(v)
17555diff -urNp linux-3.1.1/arch/x86/lib/atomic64_cx8_32.S linux-3.1.1/arch/x86/lib/atomic64_cx8_32.S
17556--- linux-3.1.1/arch/x86/lib/atomic64_cx8_32.S 2011-11-11 15:19:27.000000000 -0500
17557+++ linux-3.1.1/arch/x86/lib/atomic64_cx8_32.S 2011-11-16 18:39:07.000000000 -0500
17558@@ -35,10 +35,20 @@ ENTRY(atomic64_read_cx8)
17559 CFI_STARTPROC
17560
17561 read64 %ecx
17562+ pax_force_retaddr
17563 ret
17564 CFI_ENDPROC
17565 ENDPROC(atomic64_read_cx8)
17566
17567+ENTRY(atomic64_read_unchecked_cx8)
17568+ CFI_STARTPROC
17569+
17570+ read64 %ecx
17571+ pax_force_retaddr
17572+ ret
17573+ CFI_ENDPROC
17574+ENDPROC(atomic64_read_unchecked_cx8)
17575+
17576 ENTRY(atomic64_set_cx8)
17577 CFI_STARTPROC
17578
17579@@ -48,10 +58,25 @@ ENTRY(atomic64_set_cx8)
17580 cmpxchg8b (%esi)
17581 jne 1b
17582
17583+ pax_force_retaddr
17584 ret
17585 CFI_ENDPROC
17586 ENDPROC(atomic64_set_cx8)
17587
17588+ENTRY(atomic64_set_unchecked_cx8)
17589+ CFI_STARTPROC
17590+
17591+1:
17592+/* we don't need LOCK_PREFIX since aligned 64-bit writes
17593+ * are atomic on 586 and newer */
17594+ cmpxchg8b (%esi)
17595+ jne 1b
17596+
17597+ pax_force_retaddr
17598+ ret
17599+ CFI_ENDPROC
17600+ENDPROC(atomic64_set_unchecked_cx8)
17601+
17602 ENTRY(atomic64_xchg_cx8)
17603 CFI_STARTPROC
17604
17605@@ -62,12 +87,13 @@ ENTRY(atomic64_xchg_cx8)
17606 cmpxchg8b (%esi)
17607 jne 1b
17608
17609+ pax_force_retaddr
17610 ret
17611 CFI_ENDPROC
17612 ENDPROC(atomic64_xchg_cx8)
17613
17614-.macro addsub_return func ins insc
17615-ENTRY(atomic64_\func\()_return_cx8)
17616+.macro addsub_return func ins insc unchecked=""
17617+ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
17618 CFI_STARTPROC
17619 SAVE ebp
17620 SAVE ebx
17621@@ -84,27 +110,44 @@ ENTRY(atomic64_\func\()_return_cx8)
17622 movl %edx, %ecx
17623 \ins\()l %esi, %ebx
17624 \insc\()l %edi, %ecx
17625+
17626+.ifb \unchecked
17627+#ifdef CONFIG_PAX_REFCOUNT
17628+ into
17629+2:
17630+ _ASM_EXTABLE(2b, 3f)
17631+#endif
17632+.endif
17633+
17634 LOCK_PREFIX
17635 cmpxchg8b (%ebp)
17636 jne 1b
17637-
17638-10:
17639 movl %ebx, %eax
17640 movl %ecx, %edx
17641+
17642+.ifb \unchecked
17643+#ifdef CONFIG_PAX_REFCOUNT
17644+3:
17645+#endif
17646+.endif
17647+
17648 RESTORE edi
17649 RESTORE esi
17650 RESTORE ebx
17651 RESTORE ebp
17652+ pax_force_retaddr
17653 ret
17654 CFI_ENDPROC
17655-ENDPROC(atomic64_\func\()_return_cx8)
17656+ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
17657 .endm
17658
17659 addsub_return add add adc
17660 addsub_return sub sub sbb
17661+addsub_return add add adc _unchecked
17662+addsub_return sub sub sbb _unchecked
17663
17664-.macro incdec_return func ins insc
17665-ENTRY(atomic64_\func\()_return_cx8)
17666+.macro incdec_return func ins insc unchecked
17667+ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
17668 CFI_STARTPROC
17669 SAVE ebx
17670
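Review bot: `.macro incdec_return func ins insc unchecked` declares the new argument without the `=""` default that `.macro addsub_return func ins insc unchecked=""` in the same hunk uses; gas treats a missing argument as empty either way, so both `.ifb \unchecked` tests behave, but the two macros should be written identically, `.macro incdec_return func ins insc unchecked=""`. The `into` / `_ASM_EXTABLE(2b, 3f)` fixup that skips past the result copy on overflow is the security-relevant part of the change and carries no comment; a line like `/* on signed overflow the #OF fixup lands at 3: with the value left unchanged in memory */` above the `.ifb` block would let a reader verify the intended semantics without tracing the labels, and the same applies to the incdec_return hunk that follows.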
17671@@ -114,21 +157,39 @@ ENTRY(atomic64_\func\()_return_cx8)
17672 movl %edx, %ecx
17673 \ins\()l $1, %ebx
17674 \insc\()l $0, %ecx
17675+
17676+.ifb \unchecked
17677+#ifdef CONFIG_PAX_REFCOUNT
17678+ into
17679+2:
17680+ _ASM_EXTABLE(2b, 3f)
17681+#endif
17682+.endif
17683+
17684 LOCK_PREFIX
17685 cmpxchg8b (%esi)
17686 jne 1b
17687
17688-10:
17689 movl %ebx, %eax
17690 movl %ecx, %edx
17691+
17692+.ifb \unchecked
17693+#ifdef CONFIG_PAX_REFCOUNT
17694+3:
17695+#endif
17696+.endif
17697+
17698 RESTORE ebx
17699+ pax_force_retaddr
17700 ret
17701 CFI_ENDPROC
17702-ENDPROC(atomic64_\func\()_return_cx8)
17703+ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
17704 .endm
17705
17706 incdec_return inc add adc
17707 incdec_return dec sub sbb
17708+incdec_return inc add adc _unchecked
17709+incdec_return dec sub sbb _unchecked
17710
17711 ENTRY(atomic64_dec_if_positive_cx8)
17712 CFI_STARTPROC
17713@@ -140,6 +201,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
17714 movl %edx, %ecx
17715 subl $1, %ebx
17716 sbb $0, %ecx
17717+
17718+#ifdef CONFIG_PAX_REFCOUNT
17719+ into
17720+1234:
17721+ _ASM_EXTABLE(1234b, 2f)
17722+#endif
17723+
17724 js 2f
17725 LOCK_PREFIX
17726 cmpxchg8b (%esi)
17727@@ -149,6 +217,7 @@ ENTRY(atomic64_dec_if_positive_cx8)
17728 movl %ebx, %eax
17729 movl %ecx, %edx
17730 RESTORE ebx
17731+ pax_force_retaddr
17732 ret
17733 CFI_ENDPROC
17734 ENDPROC(atomic64_dec_if_positive_cx8)
17735@@ -174,6 +243,13 @@ ENTRY(atomic64_add_unless_cx8)
17736 movl %edx, %ecx
17737 addl %esi, %ebx
17738 adcl %edi, %ecx
17739+
17740+#ifdef CONFIG_PAX_REFCOUNT
17741+ into
17742+1234:
17743+ _ASM_EXTABLE(1234b, 3f)
17744+#endif
17745+
17746 LOCK_PREFIX
17747 cmpxchg8b (%ebp)
17748 jne 1b
17749@@ -184,6 +260,7 @@ ENTRY(atomic64_add_unless_cx8)
17750 CFI_ADJUST_CFA_OFFSET -8
17751 RESTORE ebx
17752 RESTORE ebp
17753+ pax_force_retaddr
17754 ret
17755 4:
17756 cmpl %edx, 4(%esp)
17757@@ -206,6 +283,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
17758 movl %edx, %ecx
17759 addl $1, %ebx
17760 adcl $0, %ecx
17761+
17762+#ifdef CONFIG_PAX_REFCOUNT
17763+ into
17764+1234:
17765+ _ASM_EXTABLE(1234b, 3f)
17766+#endif
17767+
17768 LOCK_PREFIX
17769 cmpxchg8b (%esi)
17770 jne 1b
17771@@ -213,6 +297,7 @@ ENTRY(atomic64_inc_not_zero_cx8)
17772 movl $1, %eax
17773 3:
17774 RESTORE ebx
17775+ pax_force_retaddr
17776 ret
17777 4:
17778 testl %edx, %edx
17779diff -urNp linux-3.1.1/arch/x86/lib/checksum_32.S linux-3.1.1/arch/x86/lib/checksum_32.S
17780--- linux-3.1.1/arch/x86/lib/checksum_32.S 2011-11-11 15:19:27.000000000 -0500
17781+++ linux-3.1.1/arch/x86/lib/checksum_32.S 2011-11-16 18:39:07.000000000 -0500
17782@@ -28,7 +28,8 @@
17783 #include <linux/linkage.h>
17784 #include <asm/dwarf2.h>
17785 #include <asm/errno.h>
17786-
17787+#include <asm/segment.h>
17788+
17789 /*
17790 * computes a partial checksum, e.g. for TCP/UDP fragments
17791 */
17792@@ -296,9 +297,24 @@ unsigned int csum_partial_copy_generic (
17793
17794 #define ARGBASE 16
17795 #define FP 12
17796-
17797-ENTRY(csum_partial_copy_generic)
17798+
17799+ENTRY(csum_partial_copy_generic_to_user)
17800 CFI_STARTPROC
17801+
17802+#ifdef CONFIG_PAX_MEMORY_UDEREF
17803+ pushl_cfi %gs
17804+ popl_cfi %es
17805+ jmp csum_partial_copy_generic
17806+#endif
17807+
17808+ENTRY(csum_partial_copy_generic_from_user)
17809+
17810+#ifdef CONFIG_PAX_MEMORY_UDEREF
17811+ pushl_cfi %gs
17812+ popl_cfi %ds
17813+#endif
17814+
17815+ENTRY(csum_partial_copy_generic)
17816 subl $4,%esp
17817 CFI_ADJUST_CFA_OFFSET 4
17818 pushl_cfi %edi
17819@@ -320,7 +336,7 @@ ENTRY(csum_partial_copy_generic)
17820 jmp 4f
17821 SRC(1: movw (%esi), %bx )
17822 addl $2, %esi
17823-DST( movw %bx, (%edi) )
17824+DST( movw %bx, %es:(%edi) )
17825 addl $2, %edi
17826 addw %bx, %ax
17827 adcl $0, %eax
17828@@ -332,30 +348,30 @@ DST( movw %bx, (%edi) )
17829 SRC(1: movl (%esi), %ebx )
17830 SRC( movl 4(%esi), %edx )
17831 adcl %ebx, %eax
17832-DST( movl %ebx, (%edi) )
17833+DST( movl %ebx, %es:(%edi) )
17834 adcl %edx, %eax
17835-DST( movl %edx, 4(%edi) )
17836+DST( movl %edx, %es:4(%edi) )
17837
17838 SRC( movl 8(%esi), %ebx )
17839 SRC( movl 12(%esi), %edx )
17840 adcl %ebx, %eax
17841-DST( movl %ebx, 8(%edi) )
17842+DST( movl %ebx, %es:8(%edi) )
17843 adcl %edx, %eax
17844-DST( movl %edx, 12(%edi) )
17845+DST( movl %edx, %es:12(%edi) )
17846
17847 SRC( movl 16(%esi), %ebx )
17848 SRC( movl 20(%esi), %edx )
17849 adcl %ebx, %eax
17850-DST( movl %ebx, 16(%edi) )
17851+DST( movl %ebx, %es:16(%edi) )
17852 adcl %edx, %eax
17853-DST( movl %edx, 20(%edi) )
17854+DST( movl %edx, %es:20(%edi) )
17855
17856 SRC( movl 24(%esi), %ebx )
17857 SRC( movl 28(%esi), %edx )
17858 adcl %ebx, %eax
17859-DST( movl %ebx, 24(%edi) )
17860+DST( movl %ebx, %es:24(%edi) )
17861 adcl %edx, %eax
17862-DST( movl %edx, 28(%edi) )
17863+DST( movl %edx, %es:28(%edi) )
17864
17865 lea 32(%esi), %esi
17866 lea 32(%edi), %edi
17867@@ -369,7 +385,7 @@ DST( movl %edx, 28(%edi) )
17868 shrl $2, %edx # This clears CF
17869 SRC(3: movl (%esi), %ebx )
17870 adcl %ebx, %eax
17871-DST( movl %ebx, (%edi) )
17872+DST( movl %ebx, %es:(%edi) )
17873 lea 4(%esi), %esi
17874 lea 4(%edi), %edi
17875 dec %edx
17876@@ -381,12 +397,12 @@ DST( movl %ebx, (%edi) )
17877 jb 5f
17878 SRC( movw (%esi), %cx )
17879 leal 2(%esi), %esi
17880-DST( movw %cx, (%edi) )
17881+DST( movw %cx, %es:(%edi) )
17882 leal 2(%edi), %edi
17883 je 6f
17884 shll $16,%ecx
17885 SRC(5: movb (%esi), %cl )
17886-DST( movb %cl, (%edi) )
17887+DST( movb %cl, %es:(%edi) )
17888 6: addl %ecx, %eax
17889 adcl $0, %eax
17890 7:
17891@@ -397,7 +413,7 @@ DST( movb %cl, (%edi) )
17892
17893 6001:
17894 movl ARGBASE+20(%esp), %ebx # src_err_ptr
17895- movl $-EFAULT, (%ebx)
17896+ movl $-EFAULT, %ss:(%ebx)
17897
17898 # zero the complete destination - computing the rest
17899 # is too much work
17900@@ -410,11 +426,15 @@ DST( movb %cl, (%edi) )
17901
17902 6002:
17903 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
17904- movl $-EFAULT,(%ebx)
17905+ movl $-EFAULT,%ss:(%ebx)
17906 jmp 5000b
17907
17908 .previous
17909
17910+ pushl_cfi %ss
17911+ popl_cfi %ds
17912+ pushl_cfi %ss
17913+ popl_cfi %es
17914 popl_cfi %ebx
17915 CFI_RESTORE ebx
17916 popl_cfi %esi
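Review bot: The `pushl_cfi %ss / popl_cfi %ds / pushl_cfi %ss / popl_cfi %es` restore added before `popl_cfi %ebx` is unconditional, whereas the equivalent restore in the PentiumII/PPro variant further down (hunk `@@ -505,10 +542,17 @@`) is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`. On non-UDEREF builds nothing in this function changes %ds or %es (the entry-side loads at `csum_partial_copy_generic_to_user`/`_from_user` are guarded), so here the four segment-register writes are redundant work on every call and the two variants disagree. Suggest the same `#ifdef CONFIG_PAX_MEMORY_UDEREF` guard around these four lines.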
17917@@ -424,26 +444,43 @@ DST( movb %cl, (%edi) )
17918 popl_cfi %ecx # equivalent to addl $4,%esp
17919 ret
17920 CFI_ENDPROC
17921-ENDPROC(csum_partial_copy_generic)
17922+ENDPROC(csum_partial_copy_generic_to_user)
17923
17924 #else
17925
17926 /* Version for PentiumII/PPro */
17927
17928 #define ROUND1(x) \
17929+ nop; nop; nop; \
17930 SRC(movl x(%esi), %ebx ) ; \
17931 addl %ebx, %eax ; \
17932- DST(movl %ebx, x(%edi) ) ;
17933+ DST(movl %ebx, %es:x(%edi)) ;
17934
17935 #define ROUND(x) \
17936+ nop; nop; nop; \
17937 SRC(movl x(%esi), %ebx ) ; \
17938 adcl %ebx, %eax ; \
17939- DST(movl %ebx, x(%edi) ) ;
17940+ DST(movl %ebx, %es:x(%edi)) ;
17941
17942 #define ARGBASE 12
17943-
17944-ENTRY(csum_partial_copy_generic)
17945+
17946+ENTRY(csum_partial_copy_generic_to_user)
17947 CFI_STARTPROC
17948+
17949+#ifdef CONFIG_PAX_MEMORY_UDEREF
17950+ pushl_cfi %gs
17951+ popl_cfi %es
17952+ jmp csum_partial_copy_generic
17953+#endif
17954+
17955+ENTRY(csum_partial_copy_generic_from_user)
17956+
17957+#ifdef CONFIG_PAX_MEMORY_UDEREF
17958+ pushl_cfi %gs
17959+ popl_cfi %ds
17960+#endif
17961+
17962+ENTRY(csum_partial_copy_generic)
17963 pushl_cfi %ebx
17964 CFI_REL_OFFSET ebx, 0
17965 pushl_cfi %edi
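Review bot: The three `nop`s added to `ROUND1`/`ROUND` are unexplained, and they only make sense together with the `lea 3f(%ebx,%ebx,2), %ebx` change in the next hunk (`@@ -464,7 +501,7 @@`): the computed jump into the unrolled ROUND sequence assumes a fixed code size per 4 data bytes, and by my count the `%es:` prefix grows the store to 4 bytes (3-byte load + 2-byte adc/add + 4-byte store = 9), so the nops pad each ROUND to 12 bytes to match the new index scale of 3. Without a comment the next edit to either macro will break the jump table silently. Suggest above `#define ROUND1(x)`: `/* ROUND/ROUND1 must stay exactly 12 bytes: jmp *%ebx indexes 3f with scale 3 (lea 3f(%ebx,%ebx,2)) */`. Also, `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` get an `ENTRY` but no `ENDPROC`, so they carry no function type or size; if that is intentional a one-line comment would help.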
17966@@ -464,7 +501,7 @@ ENTRY(csum_partial_copy_generic)
17967 subl %ebx, %edi
17968 lea -1(%esi),%edx
17969 andl $-32,%edx
17970- lea 3f(%ebx,%ebx), %ebx
17971+ lea 3f(%ebx,%ebx,2), %ebx
17972 testl %esi, %esi
17973 jmp *%ebx
17974 1: addl $64,%esi
17975@@ -485,19 +522,19 @@ ENTRY(csum_partial_copy_generic)
17976 jb 5f
17977 SRC( movw (%esi), %dx )
17978 leal 2(%esi), %esi
17979-DST( movw %dx, (%edi) )
17980+DST( movw %dx, %es:(%edi) )
17981 leal 2(%edi), %edi
17982 je 6f
17983 shll $16,%edx
17984 5:
17985 SRC( movb (%esi), %dl )
17986-DST( movb %dl, (%edi) )
17987+DST( movb %dl, %es:(%edi) )
17988 6: addl %edx, %eax
17989 adcl $0, %eax
17990 7:
17991 .section .fixup, "ax"
17992 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
17993- movl $-EFAULT, (%ebx)
17994+ movl $-EFAULT, %ss:(%ebx)
17995 # zero the complete destination (computing the rest is too much work)
17996 movl ARGBASE+8(%esp),%edi # dst
17997 movl ARGBASE+12(%esp),%ecx # len
17998@@ -505,10 +542,17 @@ DST( movb %dl, (%edi) )
17999 rep; stosb
18000 jmp 7b
18001 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
18002- movl $-EFAULT, (%ebx)
18003+ movl $-EFAULT, %ss:(%ebx)
18004 jmp 7b
18005 .previous
18006
18007+#ifdef CONFIG_PAX_MEMORY_UDEREF
18008+ pushl_cfi %ss
18009+ popl_cfi %ds
18010+ pushl_cfi %ss
18011+ popl_cfi %es
18012+#endif
18013+
18014 popl_cfi %esi
18015 CFI_RESTORE esi
18016 popl_cfi %edi
18017@@ -517,7 +561,7 @@ DST( movb %dl, (%edi) )
18018 CFI_RESTORE ebx
18019 ret
18020 CFI_ENDPROC
18021-ENDPROC(csum_partial_copy_generic)
18022+ENDPROC(csum_partial_copy_generic_to_user)
18023
18024 #undef ROUND
18025 #undef ROUND1
18026diff -urNp linux-3.1.1/arch/x86/lib/clear_page_64.S linux-3.1.1/arch/x86/lib/clear_page_64.S
18027--- linux-3.1.1/arch/x86/lib/clear_page_64.S 2011-11-11 15:19:27.000000000 -0500
18028+++ linux-3.1.1/arch/x86/lib/clear_page_64.S 2011-11-16 18:39:07.000000000 -0500
18029@@ -11,6 +11,7 @@ ENTRY(clear_page_c)
18030 movl $4096/8,%ecx
18031 xorl %eax,%eax
18032 rep stosq
18033+ pax_force_retaddr
18034 ret
18035 CFI_ENDPROC
18036 ENDPROC(clear_page_c)
18037@@ -20,6 +21,7 @@ ENTRY(clear_page_c_e)
18038 movl $4096,%ecx
18039 xorl %eax,%eax
18040 rep stosb
18041+ pax_force_retaddr
18042 ret
18043 CFI_ENDPROC
18044 ENDPROC(clear_page_c_e)
18045@@ -43,6 +45,7 @@ ENTRY(clear_page)
18046 leaq 64(%rdi),%rdi
18047 jnz .Lloop
18048 nop
18049+ pax_force_retaddr
18050 ret
18051 CFI_ENDPROC
18052 .Lclear_page_end:
18053@@ -58,7 +61,7 @@ ENDPROC(clear_page)
18054
18055 #include <asm/cpufeature.h>
18056
18057- .section .altinstr_replacement,"ax"
18058+ .section .altinstr_replacement,"a"
18059 1: .byte 0xeb /* jmp <disp8> */
18060 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
18061 2: .byte 0xeb /* jmp <disp8> */
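Review bot: Changing `.altinstr_replacement` from `"ax"` to `"a"` drops the executable flag on a section whose bytes are presumably only copied into place by `apply_alternatives()` and never executed in situ, which is reasonable hardening; but the flags must agree with every other `.section .altinstr_replacement` directive assembled into the same object, otherwise the assembler warns about mismatched section attributes and keeps the first set. The same edit appears in copy_page_64.S and in the `ALTERNATIVE_JUMP` macro of copy_user_64.S within this patch; worth checking that the shared definition in the alternative headers (not visible here) was changed to match. A short comment such as `/* "a": replacement bytes are copied by apply_alternatives(), never executed here */` would record the intent.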
18062diff -urNp linux-3.1.1/arch/x86/lib/cmpxchg16b_emu.S linux-3.1.1/arch/x86/lib/cmpxchg16b_emu.S
18063--- linux-3.1.1/arch/x86/lib/cmpxchg16b_emu.S 2011-11-11 15:19:27.000000000 -0500
18064+++ linux-3.1.1/arch/x86/lib/cmpxchg16b_emu.S 2011-11-16 18:39:07.000000000 -0500
18065@@ -53,11 +53,13 @@ this_cpu_cmpxchg16b_emu:
18066
18067 popf
18068 mov $1, %al
18069+ pax_force_retaddr
18070 ret
18071
18072 not_same:
18073 popf
18074 xor %al,%al
18075+ pax_force_retaddr
18076 ret
18077
18078 CFI_ENDPROC
18079diff -urNp linux-3.1.1/arch/x86/lib/copy_page_64.S linux-3.1.1/arch/x86/lib/copy_page_64.S
18080--- linux-3.1.1/arch/x86/lib/copy_page_64.S 2011-11-11 15:19:27.000000000 -0500
18081+++ linux-3.1.1/arch/x86/lib/copy_page_64.S 2011-11-16 18:39:07.000000000 -0500
18082@@ -9,6 +9,7 @@ copy_page_c:
18083 CFI_STARTPROC
18084 movl $4096/8,%ecx
18085 rep movsq
18086+ pax_force_retaddr
18087 ret
18088 CFI_ENDPROC
18089 ENDPROC(copy_page_c)
18090@@ -95,6 +96,7 @@ ENTRY(copy_page)
18091 CFI_RESTORE r13
18092 addq $3*8,%rsp
18093 CFI_ADJUST_CFA_OFFSET -3*8
18094+ pax_force_retaddr
18095 ret
18096 .Lcopy_page_end:
18097 CFI_ENDPROC
18098@@ -105,7 +107,7 @@ ENDPROC(copy_page)
18099
18100 #include <asm/cpufeature.h>
18101
18102- .section .altinstr_replacement,"ax"
18103+ .section .altinstr_replacement,"a"
18104 1: .byte 0xeb /* jmp <disp8> */
18105 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
18106 2:
18107diff -urNp linux-3.1.1/arch/x86/lib/copy_user_64.S linux-3.1.1/arch/x86/lib/copy_user_64.S
18108--- linux-3.1.1/arch/x86/lib/copy_user_64.S 2011-11-11 15:19:27.000000000 -0500
18109+++ linux-3.1.1/arch/x86/lib/copy_user_64.S 2011-11-16 18:39:07.000000000 -0500
18110@@ -16,6 +16,7 @@
18111 #include <asm/thread_info.h>
18112 #include <asm/cpufeature.h>
18113 #include <asm/alternative-asm.h>
18114+#include <asm/pgtable.h>
18115
18116 /*
18117 * By placing feature2 after feature1 in altinstructions section, we logically
18118@@ -29,7 +30,7 @@
18119 .byte 0xe9 /* 32bit jump */
18120 .long \orig-1f /* by default jump to orig */
18121 1:
18122- .section .altinstr_replacement,"ax"
18123+ .section .altinstr_replacement,"a"
18124 2: .byte 0xe9 /* near jump with 32bit immediate */
18125 .long \alt1-1b /* offset */ /* or alternatively to alt1 */
18126 3: .byte 0xe9 /* near jump with 32bit immediate */
18127@@ -71,47 +72,20 @@
18128 #endif
18129 .endm
18130
18131-/* Standard copy_to_user with segment limit checking */
18132-ENTRY(_copy_to_user)
18133- CFI_STARTPROC
18134- GET_THREAD_INFO(%rax)
18135- movq %rdi,%rcx
18136- addq %rdx,%rcx
18137- jc bad_to_user
18138- cmpq TI_addr_limit(%rax),%rcx
18139- ja bad_to_user
18140- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \
18141- copy_user_generic_unrolled,copy_user_generic_string, \
18142- copy_user_enhanced_fast_string
18143- CFI_ENDPROC
18144-ENDPROC(_copy_to_user)
18145-
18146-/* Standard copy_from_user with segment limit checking */
18147-ENTRY(_copy_from_user)
18148- CFI_STARTPROC
18149- GET_THREAD_INFO(%rax)
18150- movq %rsi,%rcx
18151- addq %rdx,%rcx
18152- jc bad_from_user
18153- cmpq TI_addr_limit(%rax),%rcx
18154- ja bad_from_user
18155- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,X86_FEATURE_ERMS, \
18156- copy_user_generic_unrolled,copy_user_generic_string, \
18157- copy_user_enhanced_fast_string
18158- CFI_ENDPROC
18159-ENDPROC(_copy_from_user)
18160-
18161 .section .fixup,"ax"
18162 /* must zero dest */
18163 ENTRY(bad_from_user)
18164 bad_from_user:
18165 CFI_STARTPROC
18166+ testl %edx,%edx
18167+ js bad_to_user
18168 movl %edx,%ecx
18169 xorl %eax,%eax
18170 rep
18171 stosb
18172 bad_to_user:
18173 movl %edx,%eax
18174+ pax_force_retaddr
18175 ret
18176 CFI_ENDPROC
18177 ENDPROC(bad_from_user)
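Review bot: The new `testl %edx,%edx / js bad_to_user` in `bad_from_user` makes a count with the sign bit set skip the destination zeroing, but nothing in this file says which caller passes such a value or what it expects back; with `_copy_to_user`/`_copy_from_user` and their `TI_addr_limit` checks removed from this file by the same hunk, that contract now lives entirely with out-of-file replacements. A comment at the check naming the caller and the meaning of a negative count would make it auditable, e.g. `/* negative count: caller already rejected the range, nothing to zero — see <caller> */` with the real caller filled in. Note that `movl %edx,%eax` then returns the raw negative value as the not-copied count, so whoever passes it must be prepared for that.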
18178@@ -179,6 +153,7 @@ ENTRY(copy_user_generic_unrolled)
18179 decl %ecx
18180 jnz 21b
18181 23: xor %eax,%eax
18182+ pax_force_retaddr
18183 ret
18184
18185 .section .fixup,"ax"
18186@@ -251,6 +226,7 @@ ENTRY(copy_user_generic_string)
18187 3: rep
18188 movsb
18189 4: xorl %eax,%eax
18190+ pax_force_retaddr
18191 ret
18192
18193 .section .fixup,"ax"
18194@@ -287,6 +263,7 @@ ENTRY(copy_user_enhanced_fast_string)
18195 1: rep
18196 movsb
18197 2: xorl %eax,%eax
18198+ pax_force_retaddr
18199 ret
18200
18201 .section .fixup,"ax"
18202diff -urNp linux-3.1.1/arch/x86/lib/copy_user_nocache_64.S linux-3.1.1/arch/x86/lib/copy_user_nocache_64.S
18203--- linux-3.1.1/arch/x86/lib/copy_user_nocache_64.S 2011-11-11 15:19:27.000000000 -0500
18204+++ linux-3.1.1/arch/x86/lib/copy_user_nocache_64.S 2011-11-16 18:39:07.000000000 -0500
18205@@ -8,12 +8,14 @@
18206
18207 #include <linux/linkage.h>
18208 #include <asm/dwarf2.h>
18209+#include <asm/alternative-asm.h>
18210
18211 #define FIX_ALIGNMENT 1
18212
18213 #include <asm/current.h>
18214 #include <asm/asm-offsets.h>
18215 #include <asm/thread_info.h>
18216+#include <asm/pgtable.h>
18217
18218 .macro ALIGN_DESTINATION
18219 #ifdef FIX_ALIGNMENT
18220@@ -50,6 +52,15 @@
18221 */
18222 ENTRY(__copy_user_nocache)
18223 CFI_STARTPROC
18224+
18225+#ifdef CONFIG_PAX_MEMORY_UDEREF
18226+ mov $PAX_USER_SHADOW_BASE,%rcx
18227+ cmp %rcx,%rsi
18228+ jae 1f
18229+ add %rcx,%rsi
18230+1:
18231+#endif
18232+
18233 cmpl $8,%edx
18234 jb 20f /* less then 8 bytes, go to byte copy loop */
18235 ALIGN_DESTINATION
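Review bot: The UDEREF prologue introduces a local label `1:` (`jae 1f` … `1:`) in a function whose body already uses numbered local labels (`jb 20f` here and `jnz 21b` in the next hunk are visible), while the identical guard added to getuser.S in this patch uses `1234:`. Numeric labels resolve to the nearest occurrence, so a later insertion of a `1:`-based fixup between this block and the body would silently retarget a `1b`; using the `1234:` convention here keeps the patch consistent and avoids that. A comment such as `# UDEREF: relocate a user %rsi into the user shadow mapping; addresses >= PAX_USER_SHADOW_BASE pass through` would also help, and it is worth confirming that %rcx is free at entry, which the hunk itself does not show.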
18236@@ -98,6 +109,7 @@ ENTRY(__copy_user_nocache)
18237 jnz 21b
18238 23: xorl %eax,%eax
18239 sfence
18240+ pax_force_retaddr
18241 ret
18242
18243 .section .fixup,"ax"
18244diff -urNp linux-3.1.1/arch/x86/lib/csum-copy_64.S linux-3.1.1/arch/x86/lib/csum-copy_64.S
18245--- linux-3.1.1/arch/x86/lib/csum-copy_64.S 2011-11-11 15:19:27.000000000 -0500
18246+++ linux-3.1.1/arch/x86/lib/csum-copy_64.S 2011-11-16 18:39:07.000000000 -0500
18247@@ -8,6 +8,7 @@
18248 #include <linux/linkage.h>
18249 #include <asm/dwarf2.h>
18250 #include <asm/errno.h>
18251+#include <asm/alternative-asm.h>
18252
18253 /*
18254 * Checksum copy with exception handling.
18255@@ -228,6 +229,7 @@ ENTRY(csum_partial_copy_generic)
18256 CFI_RESTORE rbp
18257 addq $7*8, %rsp
18258 CFI_ADJUST_CFA_OFFSET -7*8
18259+ pax_force_retaddr
18260 ret
18261 CFI_RESTORE_STATE
18262
18263diff -urNp linux-3.1.1/arch/x86/lib/csum-wrappers_64.c linux-3.1.1/arch/x86/lib/csum-wrappers_64.c
18264--- linux-3.1.1/arch/x86/lib/csum-wrappers_64.c 2011-11-11 15:19:27.000000000 -0500
18265+++ linux-3.1.1/arch/x86/lib/csum-wrappers_64.c 2011-11-16 18:39:07.000000000 -0500
18266@@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void _
18267 len -= 2;
18268 }
18269 }
18270- isum = csum_partial_copy_generic((__force const void *)src,
18271+
18272+#ifdef CONFIG_PAX_MEMORY_UDEREF
18273+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
18274+ src += PAX_USER_SHADOW_BASE;
18275+#endif
18276+
18277+ isum = csum_partial_copy_generic((const void __force_kernel *)src,
18278 dst, len, isum, errp, NULL);
18279 if (unlikely(*errp))
18280 goto out_err;
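Review bot: The shadow-base relocation `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is open-coded here and again, identically, in the `csum_partial_copy_to_user` hunk below; a single helper (a small macro taking the pointer lvalue would cover both the `const` and non-`const` cases) would keep the two in step and give the "relocate user pointers below the shadow base, pass kernel pointers through" rule one home. The .S files in this patch add `#include <asm/pgtable.h>` to obtain `PAX_USER_SHADOW_BASE`, while this file adds no include, so the symbol is presumably reaching it transitively; a direct include would make that robust. The `__force_kernel` cast on the relocated pointer also deserves a one-line comment, since it is the only place a reader learns the address is no longer a raw user pointer.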
18281@@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *sr
18282 }
18283
18284 *errp = 0;
18285- return csum_partial_copy_generic(src, (void __force *)dst,
18286+
18287+#ifdef CONFIG_PAX_MEMORY_UDEREF
18288+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
18289+ dst += PAX_USER_SHADOW_BASE;
18290+#endif
18291+
18292+ return csum_partial_copy_generic(src, (void __force_kernel *)dst,
18293 len, isum, NULL, errp);
18294 }
18295 EXPORT_SYMBOL(csum_partial_copy_to_user);
18296diff -urNp linux-3.1.1/arch/x86/lib/getuser.S linux-3.1.1/arch/x86/lib/getuser.S
18297--- linux-3.1.1/arch/x86/lib/getuser.S 2011-11-11 15:19:27.000000000 -0500
18298+++ linux-3.1.1/arch/x86/lib/getuser.S 2011-11-16 18:39:07.000000000 -0500
18299@@ -33,15 +33,38 @@
18300 #include <asm/asm-offsets.h>
18301 #include <asm/thread_info.h>
18302 #include <asm/asm.h>
18303+#include <asm/segment.h>
18304+#include <asm/pgtable.h>
18305+#include <asm/alternative-asm.h>
18306+
18307+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18308+#define __copyuser_seg gs;
18309+#else
18310+#define __copyuser_seg
18311+#endif
18312
18313 .text
18314 ENTRY(__get_user_1)
18315 CFI_STARTPROC
18316+
18317+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18318 GET_THREAD_INFO(%_ASM_DX)
18319 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18320 jae bad_get_user
18321-1: movzb (%_ASM_AX),%edx
18322+
18323+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18324+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18325+ cmp %_ASM_DX,%_ASM_AX
18326+ jae 1234f
18327+ add %_ASM_DX,%_ASM_AX
18328+1234:
18329+#endif
18330+
18331+#endif
18332+
18333+1: __copyuser_seg movzb (%_ASM_AX),%edx
18334 xor %eax,%eax
18335+ pax_force_retaddr
18336 ret
18337 CFI_ENDPROC
18338 ENDPROC(__get_user_1)
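Review bot: On `CONFIG_X86_32 && CONFIG_PAX_MEMORY_UDEREF` the `GET_THREAD_INFO`/`TI_addr_limit` comparison is compiled out entirely, and the only thing between a kernel address and the `movzb` is the `gs` override from `__copyuser_seg`, i.e. the limit of the user data segment descriptor set up elsewhere; that dependency should be stated at the `#if`, e.g. `/* 32-bit UDEREF: the %gs descriptor limit bounds user accesses, so no addr_limit check is needed */`. The same applies to `__get_user_2` and `__get_user_4` below, where additionally the `jc bad_get_user` after `add $1,%_ASM_AX`/`add $3,%_ASM_AX` sits inside the same guard, so the wrap-around case relies on the segment limit too. `__get_user_8` spells its guard as a bare `#ifdef CONFIG_PAX_MEMORY_UDEREF`, presumably because it already sits under `CONFIG_X86_64`; a consistent form would be easier to audit.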
18339@@ -49,12 +72,26 @@ ENDPROC(__get_user_1)
18340 ENTRY(__get_user_2)
18341 CFI_STARTPROC
18342 add $1,%_ASM_AX
18343+
18344+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18345 jc bad_get_user
18346 GET_THREAD_INFO(%_ASM_DX)
18347 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18348 jae bad_get_user
18349-2: movzwl -1(%_ASM_AX),%edx
18350+
18351+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18352+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18353+ cmp %_ASM_DX,%_ASM_AX
18354+ jae 1234f
18355+ add %_ASM_DX,%_ASM_AX
18356+1234:
18357+#endif
18358+
18359+#endif
18360+
18361+2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
18362 xor %eax,%eax
18363+ pax_force_retaddr
18364 ret
18365 CFI_ENDPROC
18366 ENDPROC(__get_user_2)
18367@@ -62,12 +99,26 @@ ENDPROC(__get_user_2)
18368 ENTRY(__get_user_4)
18369 CFI_STARTPROC
18370 add $3,%_ASM_AX
18371+
18372+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18373 jc bad_get_user
18374 GET_THREAD_INFO(%_ASM_DX)
18375 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18376 jae bad_get_user
18377-3: mov -3(%_ASM_AX),%edx
18378+
18379+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18380+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18381+ cmp %_ASM_DX,%_ASM_AX
18382+ jae 1234f
18383+ add %_ASM_DX,%_ASM_AX
18384+1234:
18385+#endif
18386+
18387+#endif
18388+
18389+3: __copyuser_seg mov -3(%_ASM_AX),%edx
18390 xor %eax,%eax
18391+ pax_force_retaddr
18392 ret
18393 CFI_ENDPROC
18394 ENDPROC(__get_user_4)
18395@@ -80,8 +131,18 @@ ENTRY(__get_user_8)
18396 GET_THREAD_INFO(%_ASM_DX)
18397 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18398 jae bad_get_user
18399+
18400+#ifdef CONFIG_PAX_MEMORY_UDEREF
18401+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18402+ cmp %_ASM_DX,%_ASM_AX
18403+ jae 1234f
18404+ add %_ASM_DX,%_ASM_AX
18405+1234:
18406+#endif
18407+
18408 4: movq -7(%_ASM_AX),%_ASM_DX
18409 xor %eax,%eax
18410+ pax_force_retaddr
18411 ret
18412 CFI_ENDPROC
18413 ENDPROC(__get_user_8)
18414@@ -91,6 +152,7 @@ bad_get_user:
18415 CFI_STARTPROC
18416 xor %edx,%edx
18417 mov $(-EFAULT),%_ASM_AX
18418+ pax_force_retaddr
18419 ret
18420 CFI_ENDPROC
18421 END(bad_get_user)
18422diff -urNp linux-3.1.1/arch/x86/lib/insn.c linux-3.1.1/arch/x86/lib/insn.c
18423--- linux-3.1.1/arch/x86/lib/insn.c 2011-11-11 15:19:27.000000000 -0500
18424+++ linux-3.1.1/arch/x86/lib/insn.c 2011-11-16 18:39:07.000000000 -0500
18425@@ -21,6 +21,11 @@
18426 #include <linux/string.h>
18427 #include <asm/inat.h>
18428 #include <asm/insn.h>
18429+#ifdef __KERNEL__
18430+#include <asm/pgtable_types.h>
18431+#else
18432+#define ktla_ktva(addr) addr
18433+#endif
18434
18435 #define get_next(t, insn) \
18436 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
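Review bot: The userspace fallback `#define ktla_ktva(addr) addr` does not parenthesize its expansion; `#define ktla_ktva(addr) (addr)` is the safe form for an identity macro and matches how such macros are conventionally written. A short comment above the `#ifdef __KERNEL__` explaining that the kernel-side `ktla_ktva` from `<asm/pgtable_types.h>` presumably maps a kernel text address to the alias the decoder should read through, while the userspace build of this file needs no translation, would explain why the header is pulled in here.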
18437@@ -40,8 +45,8 @@
18438 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
18439 {
18440 memset(insn, 0, sizeof(*insn));
18441- insn->kaddr = kaddr;
18442- insn->next_byte = kaddr;
18443+ insn->kaddr = ktla_ktva(kaddr);
18444+ insn->next_byte = ktla_ktva(kaddr);
18445 insn->x86_64 = x86_64 ? 1 : 0;
18446 insn->opnd_bytes = 4;
18447 if (x86_64)
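Review bot: `insn->kaddr` now stores the translated address rather than the pointer the caller passed, so any caller that compares `insn->kaddr` with its own `kaddr`, or uses it as an address into the original mapping, would see the alias instead; `next_byte` is translated consistently, so length arithmetic inside the decoder is unaffected. A comment here, e.g. `/* kaddr/next_byte hold the ktla_ktva()-translated address, not the caller's pointer */`, would make that visible to users of `struct insn`.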
18448diff -urNp linux-3.1.1/arch/x86/lib/iomap_copy_64.S linux-3.1.1/arch/x86/lib/iomap_copy_64.S
18449--- linux-3.1.1/arch/x86/lib/iomap_copy_64.S 2011-11-11 15:19:27.000000000 -0500
18450+++ linux-3.1.1/arch/x86/lib/iomap_copy_64.S 2011-11-16 18:39:07.000000000 -0500
18451@@ -17,6 +17,7 @@
18452
18453 #include <linux/linkage.h>
18454 #include <asm/dwarf2.h>
18455+#include <asm/alternative-asm.h>
18456
18457 /*
18458 * override generic version in lib/iomap_copy.c
18459@@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
18460 CFI_STARTPROC
18461 movl %edx,%ecx
18462 rep movsd
18463+ pax_force_retaddr
18464 ret
18465 CFI_ENDPROC
18466 ENDPROC(__iowrite32_copy)
18467diff -urNp linux-3.1.1/arch/x86/lib/memcpy_64.S linux-3.1.1/arch/x86/lib/memcpy_64.S
18468--- linux-3.1.1/arch/x86/lib/memcpy_64.S 2011-11-11 15:19:27.000000000 -0500
18469+++ linux-3.1.1/arch/x86/lib/memcpy_64.S 2011-11-16 18:39:07.000000000 -0500
18470@@ -34,6 +34,7 @@
18471 rep movsq
18472 movl %edx, %ecx
18473 rep movsb
18474+ pax_force_retaddr
18475 ret
18476 .Lmemcpy_e:
18477 .previous
18478@@ -51,6 +52,7 @@
18479
18480 movl %edx, %ecx
18481 rep movsb
18482+ pax_force_retaddr
18483 ret
18484 .Lmemcpy_e_e:
18485 .previous
18486@@ -141,6 +143,7 @@ ENTRY(memcpy)
18487 movq %r9, 1*8(%rdi)
18488 movq %r10, -2*8(%rdi, %rdx)
18489 movq %r11, -1*8(%rdi, %rdx)
18490+ pax_force_retaddr
18491 retq
18492 .p2align 4
18493 .Lless_16bytes:
18494@@ -153,6 +156,7 @@ ENTRY(memcpy)
18495 movq -1*8(%rsi, %rdx), %r9
18496 movq %r8, 0*8(%rdi)
18497 movq %r9, -1*8(%rdi, %rdx)
18498+ pax_force_retaddr
18499 retq
18500 .p2align 4
18501 .Lless_8bytes:
18502@@ -166,6 +170,7 @@ ENTRY(memcpy)
18503 movl -4(%rsi, %rdx), %r8d
18504 movl %ecx, (%rdi)
18505 movl %r8d, -4(%rdi, %rdx)
18506+ pax_force_retaddr
18507 retq
18508 .p2align 4
18509 .Lless_3bytes:
18510@@ -183,6 +188,7 @@ ENTRY(memcpy)
18511 jnz .Lloop_1
18512
18513 .Lend:
18514+ pax_force_retaddr
18515 retq
18516 CFI_ENDPROC
18517 ENDPROC(memcpy)
18518diff -urNp linux-3.1.1/arch/x86/lib/memmove_64.S linux-3.1.1/arch/x86/lib/memmove_64.S
18519--- linux-3.1.1/arch/x86/lib/memmove_64.S 2011-11-11 15:19:27.000000000 -0500
18520+++ linux-3.1.1/arch/x86/lib/memmove_64.S 2011-11-16 18:39:07.000000000 -0500
18521@@ -202,6 +202,7 @@ ENTRY(memmove)
18522 movb (%rsi), %r11b
18523 movb %r11b, (%rdi)
18524 13:
18525+ pax_force_retaddr
18526 retq
18527 CFI_ENDPROC
18528
18529@@ -210,6 +211,7 @@ ENTRY(memmove)
18530 /* Forward moving data. */
18531 movq %rdx, %rcx
18532 rep movsb
18533+ pax_force_retaddr
18534 retq
18535 .Lmemmove_end_forward_efs:
18536 .previous
18537diff -urNp linux-3.1.1/arch/x86/lib/memset_64.S linux-3.1.1/arch/x86/lib/memset_64.S
18538--- linux-3.1.1/arch/x86/lib/memset_64.S 2011-11-11 15:19:27.000000000 -0500
18539+++ linux-3.1.1/arch/x86/lib/memset_64.S 2011-11-16 18:39:07.000000000 -0500
18540@@ -31,6 +31,7 @@
18541 movl %r8d,%ecx
18542 rep stosb
18543 movq %r9,%rax
18544+ pax_force_retaddr
18545 ret
18546 .Lmemset_e:
18547 .previous
18548@@ -53,6 +54,7 @@
18549 movl %edx,%ecx
18550 rep stosb
18551 movq %r9,%rax
18552+ pax_force_retaddr
18553 ret
18554 .Lmemset_e_e:
18555 .previous
18556@@ -121,6 +123,7 @@ ENTRY(__memset)
18557
18558 .Lende:
18559 movq %r10,%rax
18560+ pax_force_retaddr
18561 ret
18562
18563 CFI_RESTORE_STATE
18564diff -urNp linux-3.1.1/arch/x86/lib/mmx_32.c linux-3.1.1/arch/x86/lib/mmx_32.c
18565--- linux-3.1.1/arch/x86/lib/mmx_32.c 2011-11-11 15:19:27.000000000 -0500
18566+++ linux-3.1.1/arch/x86/lib/mmx_32.c 2011-11-16 18:39:07.000000000 -0500
18567@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
18568 {
18569 void *p;
18570 int i;
18571+ unsigned long cr0;
18572
18573 if (unlikely(in_interrupt()))
18574 return __memcpy(to, from, len);
18575@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
18576 kernel_fpu_begin();
18577
18578 __asm__ __volatile__ (
18579- "1: prefetch (%0)\n" /* This set is 28 bytes */
18580- " prefetch 64(%0)\n"
18581- " prefetch 128(%0)\n"
18582- " prefetch 192(%0)\n"
18583- " prefetch 256(%0)\n"
18584+ "1: prefetch (%1)\n" /* This set is 28 bytes */
18585+ " prefetch 64(%1)\n"
18586+ " prefetch 128(%1)\n"
18587+ " prefetch 192(%1)\n"
18588+ " prefetch 256(%1)\n"
18589 "2: \n"
18590 ".section .fixup, \"ax\"\n"
18591- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18592+ "3: \n"
18593+
18594+#ifdef CONFIG_PAX_KERNEXEC
18595+ " movl %%cr0, %0\n"
18596+ " movl %0, %%eax\n"
18597+ " andl $0xFFFEFFFF, %%eax\n"
18598+ " movl %%eax, %%cr0\n"
18599+#endif
18600+
18601+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18602+
18603+#ifdef CONFIG_PAX_KERNEXEC
18604+ " movl %0, %%cr0\n"
18605+#endif
18606+
18607 " jmp 2b\n"
18608 ".previous\n"
18609 _ASM_EXTABLE(1b, 3b)
18610- : : "r" (from));
18611+ : "=&r" (cr0) : "r" (from) : "ax");
18612
18613 for ( ; i > 5; i--) {
18614 __asm__ __volatile__ (
18615- "1: prefetch 320(%0)\n"
18616- "2: movq (%0), %%mm0\n"
18617- " movq 8(%0), %%mm1\n"
18618- " movq 16(%0), %%mm2\n"
18619- " movq 24(%0), %%mm3\n"
18620- " movq %%mm0, (%1)\n"
18621- " movq %%mm1, 8(%1)\n"
18622- " movq %%mm2, 16(%1)\n"
18623- " movq %%mm3, 24(%1)\n"
18624- " movq 32(%0), %%mm0\n"
18625- " movq 40(%0), %%mm1\n"
18626- " movq 48(%0), %%mm2\n"
18627- " movq 56(%0), %%mm3\n"
18628- " movq %%mm0, 32(%1)\n"
18629- " movq %%mm1, 40(%1)\n"
18630- " movq %%mm2, 48(%1)\n"
18631- " movq %%mm3, 56(%1)\n"
18632+ "1: prefetch 320(%1)\n"
18633+ "2: movq (%1), %%mm0\n"
18634+ " movq 8(%1), %%mm1\n"
18635+ " movq 16(%1), %%mm2\n"
18636+ " movq 24(%1), %%mm3\n"
18637+ " movq %%mm0, (%2)\n"
18638+ " movq %%mm1, 8(%2)\n"
18639+ " movq %%mm2, 16(%2)\n"
18640+ " movq %%mm3, 24(%2)\n"
18641+ " movq 32(%1), %%mm0\n"
18642+ " movq 40(%1), %%mm1\n"
18643+ " movq 48(%1), %%mm2\n"
18644+ " movq 56(%1), %%mm3\n"
18645+ " movq %%mm0, 32(%2)\n"
18646+ " movq %%mm1, 40(%2)\n"
18647+ " movq %%mm2, 48(%2)\n"
18648+ " movq %%mm3, 56(%2)\n"
18649 ".section .fixup, \"ax\"\n"
18650- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18651+ "3:\n"
18652+
18653+#ifdef CONFIG_PAX_KERNEXEC
18654+ " movl %%cr0, %0\n"
18655+ " movl %0, %%eax\n"
18656+ " andl $0xFFFEFFFF, %%eax\n"
18657+ " movl %%eax, %%cr0\n"
18658+#endif
18659+
18660+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18661+
18662+#ifdef CONFIG_PAX_KERNEXEC
18663+ " movl %0, %%cr0\n"
18664+#endif
18665+
18666 " jmp 2b\n"
18667 ".previous\n"
18668 _ASM_EXTABLE(1b, 3b)
18669- : : "r" (from), "r" (to) : "memory");
18670+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18671
18672 from += 64;
18673 to += 64;
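Review bot: The `.fixup` path under `CONFIG_PAX_KERNEXEC` clears bit 16 of %cr0 with the magic mask `$0xFFFEFFFF` and restores the saved value after the 2-byte self-patch at `1b`; the mask is CR0.WP but nothing says so, and the identical block is repeated in the loop body here and in the two `fast_copy_page` hunks below, six copies in all. Suggest a comment on the first copy such as `/* KERNEXEC keeps text read-only: drop CR0.WP around the self-patch, then restore it */`, `~X86_CR0_WP` in place of the literal if `<asm/processor-flags.h>` is reachable here, and one shared macro for the block so the constant and the restore sequence cannot drift. If an interrupt can arrive inside that window (as far as I recall `kernel_fpu_begin()` only disables preemption), the entry code must save and restore CR0 itself, which this hunk cannot show. The `"=&r" (cr0)` output and the `"ax"` clobber are only needed on the KERNEXEC path; declaring them unconditionally is harmless, but a reader may otherwise wonder why a non-KERNEXEC build carries them.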
18674@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
18675 static void fast_copy_page(void *to, void *from)
18676 {
18677 int i;
18678+ unsigned long cr0;
18679
18680 kernel_fpu_begin();
18681
18682@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
18683 * but that is for later. -AV
18684 */
18685 __asm__ __volatile__(
18686- "1: prefetch (%0)\n"
18687- " prefetch 64(%0)\n"
18688- " prefetch 128(%0)\n"
18689- " prefetch 192(%0)\n"
18690- " prefetch 256(%0)\n"
18691+ "1: prefetch (%1)\n"
18692+ " prefetch 64(%1)\n"
18693+ " prefetch 128(%1)\n"
18694+ " prefetch 192(%1)\n"
18695+ " prefetch 256(%1)\n"
18696 "2: \n"
18697 ".section .fixup, \"ax\"\n"
18698- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18699+ "3: \n"
18700+
18701+#ifdef CONFIG_PAX_KERNEXEC
18702+ " movl %%cr0, %0\n"
18703+ " movl %0, %%eax\n"
18704+ " andl $0xFFFEFFFF, %%eax\n"
18705+ " movl %%eax, %%cr0\n"
18706+#endif
18707+
18708+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18709+
18710+#ifdef CONFIG_PAX_KERNEXEC
18711+ " movl %0, %%cr0\n"
18712+#endif
18713+
18714 " jmp 2b\n"
18715 ".previous\n"
18716- _ASM_EXTABLE(1b, 3b) : : "r" (from));
18717+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
18718
18719 for (i = 0; i < (4096-320)/64; i++) {
18720 __asm__ __volatile__ (
18721- "1: prefetch 320(%0)\n"
18722- "2: movq (%0), %%mm0\n"
18723- " movntq %%mm0, (%1)\n"
18724- " movq 8(%0), %%mm1\n"
18725- " movntq %%mm1, 8(%1)\n"
18726- " movq 16(%0), %%mm2\n"
18727- " movntq %%mm2, 16(%1)\n"
18728- " movq 24(%0), %%mm3\n"
18729- " movntq %%mm3, 24(%1)\n"
18730- " movq 32(%0), %%mm4\n"
18731- " movntq %%mm4, 32(%1)\n"
18732- " movq 40(%0), %%mm5\n"
18733- " movntq %%mm5, 40(%1)\n"
18734- " movq 48(%0), %%mm6\n"
18735- " movntq %%mm6, 48(%1)\n"
18736- " movq 56(%0), %%mm7\n"
18737- " movntq %%mm7, 56(%1)\n"
18738+ "1: prefetch 320(%1)\n"
18739+ "2: movq (%1), %%mm0\n"
18740+ " movntq %%mm0, (%2)\n"
18741+ " movq 8(%1), %%mm1\n"
18742+ " movntq %%mm1, 8(%2)\n"
18743+ " movq 16(%1), %%mm2\n"
18744+ " movntq %%mm2, 16(%2)\n"
18745+ " movq 24(%1), %%mm3\n"
18746+ " movntq %%mm3, 24(%2)\n"
18747+ " movq 32(%1), %%mm4\n"
18748+ " movntq %%mm4, 32(%2)\n"
18749+ " movq 40(%1), %%mm5\n"
18750+ " movntq %%mm5, 40(%2)\n"
18751+ " movq 48(%1), %%mm6\n"
18752+ " movntq %%mm6, 48(%2)\n"
18753+ " movq 56(%1), %%mm7\n"
18754+ " movntq %%mm7, 56(%2)\n"
18755 ".section .fixup, \"ax\"\n"
18756- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18757+ "3:\n"
18758+
18759+#ifdef CONFIG_PAX_KERNEXEC
18760+ " movl %%cr0, %0\n"
18761+ " movl %0, %%eax\n"
18762+ " andl $0xFFFEFFFF, %%eax\n"
18763+ " movl %%eax, %%cr0\n"
18764+#endif
18765+
18766+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18767+
18768+#ifdef CONFIG_PAX_KERNEXEC
18769+ " movl %0, %%cr0\n"
18770+#endif
18771+
18772 " jmp 2b\n"
18773 ".previous\n"
18774- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
18775+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18776
18777 from += 64;
18778 to += 64;
18779@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
18780 static void fast_copy_page(void *to, void *from)
18781 {
18782 int i;
18783+ unsigned long cr0;
18784
18785 kernel_fpu_begin();
18786
18787 __asm__ __volatile__ (
18788- "1: prefetch (%0)\n"
18789- " prefetch 64(%0)\n"
18790- " prefetch 128(%0)\n"
18791- " prefetch 192(%0)\n"
18792- " prefetch 256(%0)\n"
18793+ "1: prefetch (%1)\n"
18794+ " prefetch 64(%1)\n"
18795+ " prefetch 128(%1)\n"
18796+ " prefetch 192(%1)\n"
18797+ " prefetch 256(%1)\n"
18798 "2: \n"
18799 ".section .fixup, \"ax\"\n"
18800- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18801+ "3: \n"
18802+
18803+#ifdef CONFIG_PAX_KERNEXEC
18804+ " movl %%cr0, %0\n"
18805+ " movl %0, %%eax\n"
18806+ " andl $0xFFFEFFFF, %%eax\n"
18807+ " movl %%eax, %%cr0\n"
18808+#endif
18809+
18810+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18811+
18812+#ifdef CONFIG_PAX_KERNEXEC
18813+ " movl %0, %%cr0\n"
18814+#endif
18815+
18816 " jmp 2b\n"
18817 ".previous\n"
18818- _ASM_EXTABLE(1b, 3b) : : "r" (from));
18819+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
18820
18821 for (i = 0; i < 4096/64; i++) {
18822 __asm__ __volatile__ (
18823- "1: prefetch 320(%0)\n"
18824- "2: movq (%0), %%mm0\n"
18825- " movq 8(%0), %%mm1\n"
18826- " movq 16(%0), %%mm2\n"
18827- " movq 24(%0), %%mm3\n"
18828- " movq %%mm0, (%1)\n"
18829- " movq %%mm1, 8(%1)\n"
18830- " movq %%mm2, 16(%1)\n"
18831- " movq %%mm3, 24(%1)\n"
18832- " movq 32(%0), %%mm0\n"
18833- " movq 40(%0), %%mm1\n"
18834- " movq 48(%0), %%mm2\n"
18835- " movq 56(%0), %%mm3\n"
18836- " movq %%mm0, 32(%1)\n"
18837- " movq %%mm1, 40(%1)\n"
18838- " movq %%mm2, 48(%1)\n"
18839- " movq %%mm3, 56(%1)\n"
18840+ "1: prefetch 320(%1)\n"
18841+ "2: movq (%1), %%mm0\n"
18842+ " movq 8(%1), %%mm1\n"
18843+ " movq 16(%1), %%mm2\n"
18844+ " movq 24(%1), %%mm3\n"
18845+ " movq %%mm0, (%2)\n"
18846+ " movq %%mm1, 8(%2)\n"
18847+ " movq %%mm2, 16(%2)\n"
18848+ " movq %%mm3, 24(%2)\n"
18849+ " movq 32(%1), %%mm0\n"
18850+ " movq 40(%1), %%mm1\n"
18851+ " movq 48(%1), %%mm2\n"
18852+ " movq 56(%1), %%mm3\n"
18853+ " movq %%mm0, 32(%2)\n"
18854+ " movq %%mm1, 40(%2)\n"
18855+ " movq %%mm2, 48(%2)\n"
18856+ " movq %%mm3, 56(%2)\n"
18857 ".section .fixup, \"ax\"\n"
18858- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18859+ "3:\n"
18860+
18861+#ifdef CONFIG_PAX_KERNEXEC
18862+ " movl %%cr0, %0\n"
18863+ " movl %0, %%eax\n"
18864+ " andl $0xFFFEFFFF, %%eax\n"
18865+ " movl %%eax, %%cr0\n"
18866+#endif
18867+
18868+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18869+
18870+#ifdef CONFIG_PAX_KERNEXEC
18871+ " movl %0, %%cr0\n"
18872+#endif
18873+
18874 " jmp 2b\n"
18875 ".previous\n"
18876 _ASM_EXTABLE(1b, 3b)
18877- : : "r" (from), "r" (to) : "memory");
18878+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18879
18880 from += 64;
18881 to += 64;
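Review bot: The CR0 mask `$0xFFFEFFFF` in the two fixup paths (`andl $0xFFFEFFFF, %%eax`) is a bare magic constant standing for ~X86_CR0_WP (bit 16), and nothing in the hunk says why a fixup that only rewrites one instruction has to touch CR0; the same pattern is in the preceding fast_clear_page hunk. A comment above the first `#ifdef CONFIG_PAX_KERNEXEC` such as `/* the fixup patches the prefetch at 1b in place; with KERNEXEC kernel text is read-only, so clear CR0.WP (bit 16) around the movw and restore the saved CR0 */` would carry that, and the `unsigned long cr0;` local wants `/* CR0 saved by the KERNEXEC fixup path */`. An interrupt taken between `movl %%eax, %%cr0` and `movl %0, %%cr0` would run with WP clear; whether that window is accepted here should be stated, since `kernel_fpu_begin()` presumably only covers preemption. fast_copy_page's loop tail and `kernel_fpu_end()` continue outside the hunk.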
18882diff -urNp linux-3.1.1/arch/x86/lib/msr-reg.S linux-3.1.1/arch/x86/lib/msr-reg.S
18883--- linux-3.1.1/arch/x86/lib/msr-reg.S 2011-11-11 15:19:27.000000000 -0500
18884+++ linux-3.1.1/arch/x86/lib/msr-reg.S 2011-11-16 18:39:07.000000000 -0500
18885@@ -3,6 +3,7 @@
18886 #include <asm/dwarf2.h>
18887 #include <asm/asm.h>
18888 #include <asm/msr.h>
18889+#include <asm/alternative-asm.h>
18890
18891 #ifdef CONFIG_X86_64
18892 /*
18893@@ -37,6 +38,7 @@ ENTRY(native_\op\()_safe_regs)
18894 movl %edi, 28(%r10)
18895 popq_cfi %rbp
18896 popq_cfi %rbx
18897+ pax_force_retaddr
18898 ret
18899 3:
18900 CFI_RESTORE_STATE
18901diff -urNp linux-3.1.1/arch/x86/lib/putuser.S linux-3.1.1/arch/x86/lib/putuser.S
18902--- linux-3.1.1/arch/x86/lib/putuser.S 2011-11-11 15:19:27.000000000 -0500
18903+++ linux-3.1.1/arch/x86/lib/putuser.S 2011-11-16 18:39:07.000000000 -0500
18904@@ -15,7 +15,9 @@
18905 #include <asm/thread_info.h>
18906 #include <asm/errno.h>
18907 #include <asm/asm.h>
18908-
18909+#include <asm/segment.h>
18910+#include <asm/pgtable.h>
18911+#include <asm/alternative-asm.h>
18912
18913 /*
18914 * __put_user_X
18915@@ -29,52 +31,119 @@
18916 * as they get called from within inline assembly.
18917 */
18918
18919-#define ENTER CFI_STARTPROC ; \
18920- GET_THREAD_INFO(%_ASM_BX)
18921-#define EXIT ret ; \
18922+#define ENTER CFI_STARTPROC
18923+#define EXIT pax_force_retaddr; ret ; \
18924 CFI_ENDPROC
18925
18926+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18927+#define _DEST %_ASM_CX,%_ASM_BX
18928+#else
18929+#define _DEST %_ASM_CX
18930+#endif
18931+
18932+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18933+#define __copyuser_seg gs;
18934+#else
18935+#define __copyuser_seg
18936+#endif
18937+
18938 .text
18939 ENTRY(__put_user_1)
18940 ENTER
18941+
18942+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18943+ GET_THREAD_INFO(%_ASM_BX)
18944 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
18945 jae bad_put_user
18946-1: movb %al,(%_ASM_CX)
18947+
18948+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18949+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18950+ cmp %_ASM_BX,%_ASM_CX
18951+ jb 1234f
18952+ xor %ebx,%ebx
18953+1234:
18954+#endif
18955+
18956+#endif
18957+
18958+1: __copyuser_seg movb %al,(_DEST)
18959 xor %eax,%eax
18960 EXIT
18961 ENDPROC(__put_user_1)
18962
18963 ENTRY(__put_user_2)
18964 ENTER
18965+
18966+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18967+ GET_THREAD_INFO(%_ASM_BX)
18968 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
18969 sub $1,%_ASM_BX
18970 cmp %_ASM_BX,%_ASM_CX
18971 jae bad_put_user
18972-2: movw %ax,(%_ASM_CX)
18973+
18974+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18975+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
18976+ cmp %_ASM_BX,%_ASM_CX
18977+ jb 1234f
18978+ xor %ebx,%ebx
18979+1234:
18980+#endif
18981+
18982+#endif
18983+
18984+2: __copyuser_seg movw %ax,(_DEST)
18985 xor %eax,%eax
18986 EXIT
18987 ENDPROC(__put_user_2)
18988
18989 ENTRY(__put_user_4)
18990 ENTER
18991+
18992+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18993+ GET_THREAD_INFO(%_ASM_BX)
18994 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
18995 sub $3,%_ASM_BX
18996 cmp %_ASM_BX,%_ASM_CX
18997 jae bad_put_user
18998-3: movl %eax,(%_ASM_CX)
18999+
19000+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19001+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19002+ cmp %_ASM_BX,%_ASM_CX
19003+ jb 1234f
19004+ xor %ebx,%ebx
19005+1234:
19006+#endif
19007+
19008+#endif
19009+
19010+3: __copyuser_seg movl %eax,(_DEST)
19011 xor %eax,%eax
19012 EXIT
19013 ENDPROC(__put_user_4)
19014
19015 ENTRY(__put_user_8)
19016 ENTER
19017+
19018+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19019+ GET_THREAD_INFO(%_ASM_BX)
19020 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
19021 sub $7,%_ASM_BX
19022 cmp %_ASM_BX,%_ASM_CX
19023 jae bad_put_user
19024-4: mov %_ASM_AX,(%_ASM_CX)
19025+
19026+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19027+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19028+ cmp %_ASM_BX,%_ASM_CX
19029+ jb 1234f
19030+ xor %ebx,%ebx
19031+1234:
19032+#endif
19033+
19034+#endif
19035+
19036+4: __copyuser_seg mov %_ASM_AX,(_DEST)
19037 #ifdef CONFIG_X86_32
19038-5: movl %edx,4(%_ASM_CX)
19039+5: __copyuser_seg movl %edx,4(_DEST)
19040 #endif
19041 xor %eax,%eax
19042 EXIT
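Review bot: The 64-bit UDEREF shadow-base selection (`mov $PAX_USER_SHADOW_BASE,%_ASM_BX` … `1234:`) and its enclosing `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` wrapper are pasted verbatim into `__put_user_1`, `__put_user_2`, `__put_user_4` and `__put_user_8`; an assembler `.macro` taking the size-dependent `sub $N,%_ASM_BX` would keep the four copies in step. Under CONFIG_X86_32 with CONFIG_PAX_MEMORY_UDEREF the `GET_THREAD_INFO`/`cmp TI_addr_limit`/`jae bad_put_user` range check is compiled out entirely, so the only bound left is whatever the `gs;` override from `__copyuser_seg` enforces; that reliance deserves a comment next to the `__copyuser_seg` definition, e.g. `/* 32-bit UDEREF: the user segment in %gs bounds the store, so no addr_limit compare is emitted */` — confirm that is the intended guarantee. The `_DEST` base+index form depends on `xor %ebx,%ebx` zero-extending into the full register when the address is already at or above the shadow base; a one-line comment at the `1234:` label would make that explicit.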
19043diff -urNp linux-3.1.1/arch/x86/lib/rwlock.S linux-3.1.1/arch/x86/lib/rwlock.S
19044--- linux-3.1.1/arch/x86/lib/rwlock.S 2011-11-11 15:19:27.000000000 -0500
19045+++ linux-3.1.1/arch/x86/lib/rwlock.S 2011-11-16 18:39:07.000000000 -0500
19046@@ -23,6 +23,7 @@ ENTRY(__write_lock_failed)
19047 WRITE_LOCK_SUB($RW_LOCK_BIAS) (%__lock_ptr)
19048 jnz 0b
19049 ENDFRAME
19050+ pax_force_retaddr
19051 ret
19052 CFI_ENDPROC
19053 END(__write_lock_failed)
19054@@ -39,6 +40,7 @@ ENTRY(__read_lock_failed)
19055 READ_LOCK_SIZE(dec) (%__lock_ptr)
19056 js 0b
19057 ENDFRAME
19058+ pax_force_retaddr
19059 ret
19060 CFI_ENDPROC
19061 END(__read_lock_failed)
19062diff -urNp linux-3.1.1/arch/x86/lib/rwsem.S linux-3.1.1/arch/x86/lib/rwsem.S
19063--- linux-3.1.1/arch/x86/lib/rwsem.S 2011-11-11 15:19:27.000000000 -0500
19064+++ linux-3.1.1/arch/x86/lib/rwsem.S 2011-11-16 18:39:07.000000000 -0500
19065@@ -94,6 +94,7 @@ ENTRY(call_rwsem_down_read_failed)
19066 __ASM_SIZE(pop,_cfi) %__ASM_REG(dx)
19067 CFI_RESTORE __ASM_REG(dx)
19068 restore_common_regs
19069+ pax_force_retaddr
19070 ret
19071 CFI_ENDPROC
19072 ENDPROC(call_rwsem_down_read_failed)
19073@@ -104,6 +105,7 @@ ENTRY(call_rwsem_down_write_failed)
19074 movq %rax,%rdi
19075 call rwsem_down_write_failed
19076 restore_common_regs
19077+ pax_force_retaddr
19078 ret
19079 CFI_ENDPROC
19080 ENDPROC(call_rwsem_down_write_failed)
19081@@ -117,7 +119,8 @@ ENTRY(call_rwsem_wake)
19082 movq %rax,%rdi
19083 call rwsem_wake
19084 restore_common_regs
19085-1: ret
19086+1: pax_force_retaddr
19087+ ret
19088 CFI_ENDPROC
19089 ENDPROC(call_rwsem_wake)
19090
19091@@ -131,6 +134,7 @@ ENTRY(call_rwsem_downgrade_wake)
19092 __ASM_SIZE(pop,_cfi) %__ASM_REG(dx)
19093 CFI_RESTORE __ASM_REG(dx)
19094 restore_common_regs
19095+ pax_force_retaddr
19096 ret
19097 CFI_ENDPROC
19098 ENDPROC(call_rwsem_downgrade_wake)
19099diff -urNp linux-3.1.1/arch/x86/lib/thunk_64.S linux-3.1.1/arch/x86/lib/thunk_64.S
19100--- linux-3.1.1/arch/x86/lib/thunk_64.S 2011-11-11 15:19:27.000000000 -0500
19101+++ linux-3.1.1/arch/x86/lib/thunk_64.S 2011-11-16 18:39:07.000000000 -0500
19102@@ -8,6 +8,7 @@
19103 #include <linux/linkage.h>
19104 #include <asm/dwarf2.h>
19105 #include <asm/calling.h>
19106+#include <asm/alternative-asm.h>
19107
19108 /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
19109 .macro THUNK name, func, put_ret_addr_in_rdi=0
19110@@ -41,5 +42,6 @@
19111 SAVE_ARGS
19112 restore:
19113 RESTORE_ARGS
19114+ pax_force_retaddr
19115 ret
19116 CFI_ENDPROC
19117diff -urNp linux-3.1.1/arch/x86/lib/usercopy_32.c linux-3.1.1/arch/x86/lib/usercopy_32.c
19118--- linux-3.1.1/arch/x86/lib/usercopy_32.c 2011-11-11 15:19:27.000000000 -0500
19119+++ linux-3.1.1/arch/x86/lib/usercopy_32.c 2011-11-16 18:39:07.000000000 -0500
19120@@ -43,7 +43,7 @@ do { \
19121 __asm__ __volatile__( \
19122 " testl %1,%1\n" \
19123 " jz 2f\n" \
19124- "0: lodsb\n" \
19125+ "0: "__copyuser_seg"lodsb\n" \
19126 " stosb\n" \
19127 " testb %%al,%%al\n" \
19128 " jz 1f\n" \
19129@@ -128,10 +128,12 @@ do { \
19130 int __d0; \
19131 might_fault(); \
19132 __asm__ __volatile__( \
19133+ __COPYUSER_SET_ES \
19134 "0: rep; stosl\n" \
19135 " movl %2,%0\n" \
19136 "1: rep; stosb\n" \
19137 "2:\n" \
19138+ __COPYUSER_RESTORE_ES \
19139 ".section .fixup,\"ax\"\n" \
19140 "3: lea 0(%2,%0,4),%0\n" \
19141 " jmp 2b\n" \
19142@@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
19143 might_fault();
19144
19145 __asm__ __volatile__(
19146+ __COPYUSER_SET_ES
19147 " testl %0, %0\n"
19148 " jz 3f\n"
19149 " andl %0,%%ecx\n"
19150@@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
19151 " subl %%ecx,%0\n"
19152 " addl %0,%%eax\n"
19153 "1:\n"
19154+ __COPYUSER_RESTORE_ES
19155 ".section .fixup,\"ax\"\n"
19156 "2: xorl %%eax,%%eax\n"
19157 " jmp 1b\n"
19158@@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
19159
19160 #ifdef CONFIG_X86_INTEL_USERCOPY
19161 static unsigned long
19162-__copy_user_intel(void __user *to, const void *from, unsigned long size)
19163+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
19164 {
19165 int d0, d1;
19166 __asm__ __volatile__(
19167@@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
19168 " .align 2,0x90\n"
19169 "3: movl 0(%4), %%eax\n"
19170 "4: movl 4(%4), %%edx\n"
19171- "5: movl %%eax, 0(%3)\n"
19172- "6: movl %%edx, 4(%3)\n"
19173+ "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
19174+ "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
19175 "7: movl 8(%4), %%eax\n"
19176 "8: movl 12(%4),%%edx\n"
19177- "9: movl %%eax, 8(%3)\n"
19178- "10: movl %%edx, 12(%3)\n"
19179+ "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
19180+ "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
19181 "11: movl 16(%4), %%eax\n"
19182 "12: movl 20(%4), %%edx\n"
19183- "13: movl %%eax, 16(%3)\n"
19184- "14: movl %%edx, 20(%3)\n"
19185+ "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
19186+ "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
19187 "15: movl 24(%4), %%eax\n"
19188 "16: movl 28(%4), %%edx\n"
19189- "17: movl %%eax, 24(%3)\n"
19190- "18: movl %%edx, 28(%3)\n"
19191+ "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
19192+ "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
19193 "19: movl 32(%4), %%eax\n"
19194 "20: movl 36(%4), %%edx\n"
19195- "21: movl %%eax, 32(%3)\n"
19196- "22: movl %%edx, 36(%3)\n"
19197+ "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
19198+ "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
19199 "23: movl 40(%4), %%eax\n"
19200 "24: movl 44(%4), %%edx\n"
19201- "25: movl %%eax, 40(%3)\n"
19202- "26: movl %%edx, 44(%3)\n"
19203+ "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
19204+ "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
19205 "27: movl 48(%4), %%eax\n"
19206 "28: movl 52(%4), %%edx\n"
19207- "29: movl %%eax, 48(%3)\n"
19208- "30: movl %%edx, 52(%3)\n"
19209+ "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
19210+ "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
19211 "31: movl 56(%4), %%eax\n"
19212 "32: movl 60(%4), %%edx\n"
19213- "33: movl %%eax, 56(%3)\n"
19214- "34: movl %%edx, 60(%3)\n"
19215+ "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
19216+ "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
19217 " addl $-64, %0\n"
19218 " addl $64, %4\n"
19219 " addl $64, %3\n"
19220@@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
19221 " shrl $2, %0\n"
19222 " andl $3, %%eax\n"
19223 " cld\n"
19224+ __COPYUSER_SET_ES
19225 "99: rep; movsl\n"
19226 "36: movl %%eax, %0\n"
19227 "37: rep; movsb\n"
19228 "100:\n"
19229+ __COPYUSER_RESTORE_ES
19230+ ".section .fixup,\"ax\"\n"
19231+ "101: lea 0(%%eax,%0,4),%0\n"
19232+ " jmp 100b\n"
19233+ ".previous\n"
19234+ ".section __ex_table,\"a\"\n"
19235+ " .align 4\n"
19236+ " .long 1b,100b\n"
19237+ " .long 2b,100b\n"
19238+ " .long 3b,100b\n"
19239+ " .long 4b,100b\n"
19240+ " .long 5b,100b\n"
19241+ " .long 6b,100b\n"
19242+ " .long 7b,100b\n"
19243+ " .long 8b,100b\n"
19244+ " .long 9b,100b\n"
19245+ " .long 10b,100b\n"
19246+ " .long 11b,100b\n"
19247+ " .long 12b,100b\n"
19248+ " .long 13b,100b\n"
19249+ " .long 14b,100b\n"
19250+ " .long 15b,100b\n"
19251+ " .long 16b,100b\n"
19252+ " .long 17b,100b\n"
19253+ " .long 18b,100b\n"
19254+ " .long 19b,100b\n"
19255+ " .long 20b,100b\n"
19256+ " .long 21b,100b\n"
19257+ " .long 22b,100b\n"
19258+ " .long 23b,100b\n"
19259+ " .long 24b,100b\n"
19260+ " .long 25b,100b\n"
19261+ " .long 26b,100b\n"
19262+ " .long 27b,100b\n"
19263+ " .long 28b,100b\n"
19264+ " .long 29b,100b\n"
19265+ " .long 30b,100b\n"
19266+ " .long 31b,100b\n"
19267+ " .long 32b,100b\n"
19268+ " .long 33b,100b\n"
19269+ " .long 34b,100b\n"
19270+ " .long 35b,100b\n"
19271+ " .long 36b,100b\n"
19272+ " .long 37b,100b\n"
19273+ " .long 99b,101b\n"
19274+ ".previous"
19275+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
19276+ : "1"(to), "2"(from), "0"(size)
19277+ : "eax", "edx", "memory");
19278+ return size;
19279+}
19280+
19281+static unsigned long
19282+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
19283+{
19284+ int d0, d1;
19285+ __asm__ __volatile__(
19286+ " .align 2,0x90\n"
19287+ "1: "__copyuser_seg" movl 32(%4), %%eax\n"
19288+ " cmpl $67, %0\n"
19289+ " jbe 3f\n"
19290+ "2: "__copyuser_seg" movl 64(%4), %%eax\n"
19291+ " .align 2,0x90\n"
19292+ "3: "__copyuser_seg" movl 0(%4), %%eax\n"
19293+ "4: "__copyuser_seg" movl 4(%4), %%edx\n"
19294+ "5: movl %%eax, 0(%3)\n"
19295+ "6: movl %%edx, 4(%3)\n"
19296+ "7: "__copyuser_seg" movl 8(%4), %%eax\n"
19297+ "8: "__copyuser_seg" movl 12(%4),%%edx\n"
19298+ "9: movl %%eax, 8(%3)\n"
19299+ "10: movl %%edx, 12(%3)\n"
19300+ "11: "__copyuser_seg" movl 16(%4), %%eax\n"
19301+ "12: "__copyuser_seg" movl 20(%4), %%edx\n"
19302+ "13: movl %%eax, 16(%3)\n"
19303+ "14: movl %%edx, 20(%3)\n"
19304+ "15: "__copyuser_seg" movl 24(%4), %%eax\n"
19305+ "16: "__copyuser_seg" movl 28(%4), %%edx\n"
19306+ "17: movl %%eax, 24(%3)\n"
19307+ "18: movl %%edx, 28(%3)\n"
19308+ "19: "__copyuser_seg" movl 32(%4), %%eax\n"
19309+ "20: "__copyuser_seg" movl 36(%4), %%edx\n"
19310+ "21: movl %%eax, 32(%3)\n"
19311+ "22: movl %%edx, 36(%3)\n"
19312+ "23: "__copyuser_seg" movl 40(%4), %%eax\n"
19313+ "24: "__copyuser_seg" movl 44(%4), %%edx\n"
19314+ "25: movl %%eax, 40(%3)\n"
19315+ "26: movl %%edx, 44(%3)\n"
19316+ "27: "__copyuser_seg" movl 48(%4), %%eax\n"
19317+ "28: "__copyuser_seg" movl 52(%4), %%edx\n"
19318+ "29: movl %%eax, 48(%3)\n"
19319+ "30: movl %%edx, 52(%3)\n"
19320+ "31: "__copyuser_seg" movl 56(%4), %%eax\n"
19321+ "32: "__copyuser_seg" movl 60(%4), %%edx\n"
19322+ "33: movl %%eax, 56(%3)\n"
19323+ "34: movl %%edx, 60(%3)\n"
19324+ " addl $-64, %0\n"
19325+ " addl $64, %4\n"
19326+ " addl $64, %3\n"
19327+ " cmpl $63, %0\n"
19328+ " ja 1b\n"
19329+ "35: movl %0, %%eax\n"
19330+ " shrl $2, %0\n"
19331+ " andl $3, %%eax\n"
19332+ " cld\n"
19333+ "99: rep; "__copyuser_seg" movsl\n"
19334+ "36: movl %%eax, %0\n"
19335+ "37: rep; "__copyuser_seg" movsb\n"
19336+ "100:\n"
19337 ".section .fixup,\"ax\"\n"
19338 "101: lea 0(%%eax,%0,4),%0\n"
19339 " jmp 100b\n"
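Review bot: `__generic_copy_from_user_intel` duplicates the unrolled loop of `__generic_copy_to_user_intel` with only the `__copyuser_seg` override moved from the stores to the loads, and neither body says which operand is the user side; the `__copy_user(to, from, size, prefix, set, restore)` macro introduced later in this same file shows the parameterized form that would avoid the second copy. At minimum each function wants a header comment, e.g. `/* Intel unrolled copy, kernel -> user: %es is switched to the user segment around the rep movs tail; returns the number of bytes not copied */` and its mirror for the from-user variant. The placement of `"100:\n"` before `__COPYUSER_RESTORE_ES` looks deliberate — fixup 101 does `jmp 100b`, so a fault also restores %es — and deserves `/* 100: precedes the restore so the fixup path restores %es too */`. Both function bodies continue outside the hunk.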
19340@@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
19341 int d0, d1;
19342 __asm__ __volatile__(
19343 " .align 2,0x90\n"
19344- "0: movl 32(%4), %%eax\n"
19345+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
19346 " cmpl $67, %0\n"
19347 " jbe 2f\n"
19348- "1: movl 64(%4), %%eax\n"
19349+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
19350 " .align 2,0x90\n"
19351- "2: movl 0(%4), %%eax\n"
19352- "21: movl 4(%4), %%edx\n"
19353+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
19354+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
19355 " movl %%eax, 0(%3)\n"
19356 " movl %%edx, 4(%3)\n"
19357- "3: movl 8(%4), %%eax\n"
19358- "31: movl 12(%4),%%edx\n"
19359+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
19360+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
19361 " movl %%eax, 8(%3)\n"
19362 " movl %%edx, 12(%3)\n"
19363- "4: movl 16(%4), %%eax\n"
19364- "41: movl 20(%4), %%edx\n"
19365+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
19366+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
19367 " movl %%eax, 16(%3)\n"
19368 " movl %%edx, 20(%3)\n"
19369- "10: movl 24(%4), %%eax\n"
19370- "51: movl 28(%4), %%edx\n"
19371+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
19372+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
19373 " movl %%eax, 24(%3)\n"
19374 " movl %%edx, 28(%3)\n"
19375- "11: movl 32(%4), %%eax\n"
19376- "61: movl 36(%4), %%edx\n"
19377+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
19378+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
19379 " movl %%eax, 32(%3)\n"
19380 " movl %%edx, 36(%3)\n"
19381- "12: movl 40(%4), %%eax\n"
19382- "71: movl 44(%4), %%edx\n"
19383+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
19384+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
19385 " movl %%eax, 40(%3)\n"
19386 " movl %%edx, 44(%3)\n"
19387- "13: movl 48(%4), %%eax\n"
19388- "81: movl 52(%4), %%edx\n"
19389+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
19390+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
19391 " movl %%eax, 48(%3)\n"
19392 " movl %%edx, 52(%3)\n"
19393- "14: movl 56(%4), %%eax\n"
19394- "91: movl 60(%4), %%edx\n"
19395+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
19396+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
19397 " movl %%eax, 56(%3)\n"
19398 " movl %%edx, 60(%3)\n"
19399 " addl $-64, %0\n"
19400@@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
19401 " shrl $2, %0\n"
19402 " andl $3, %%eax\n"
19403 " cld\n"
19404- "6: rep; movsl\n"
19405+ "6: rep; "__copyuser_seg" movsl\n"
19406 " movl %%eax,%0\n"
19407- "7: rep; movsb\n"
19408+ "7: rep; "__copyuser_seg" movsb\n"
19409 "8:\n"
19410 ".section .fixup,\"ax\"\n"
19411 "9: lea 0(%%eax,%0,4),%0\n"
19412@@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
19413
19414 __asm__ __volatile__(
19415 " .align 2,0x90\n"
19416- "0: movl 32(%4), %%eax\n"
19417+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
19418 " cmpl $67, %0\n"
19419 " jbe 2f\n"
19420- "1: movl 64(%4), %%eax\n"
19421+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
19422 " .align 2,0x90\n"
19423- "2: movl 0(%4), %%eax\n"
19424- "21: movl 4(%4), %%edx\n"
19425+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
19426+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
19427 " movnti %%eax, 0(%3)\n"
19428 " movnti %%edx, 4(%3)\n"
19429- "3: movl 8(%4), %%eax\n"
19430- "31: movl 12(%4),%%edx\n"
19431+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
19432+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
19433 " movnti %%eax, 8(%3)\n"
19434 " movnti %%edx, 12(%3)\n"
19435- "4: movl 16(%4), %%eax\n"
19436- "41: movl 20(%4), %%edx\n"
19437+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
19438+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
19439 " movnti %%eax, 16(%3)\n"
19440 " movnti %%edx, 20(%3)\n"
19441- "10: movl 24(%4), %%eax\n"
19442- "51: movl 28(%4), %%edx\n"
19443+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
19444+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
19445 " movnti %%eax, 24(%3)\n"
19446 " movnti %%edx, 28(%3)\n"
19447- "11: movl 32(%4), %%eax\n"
19448- "61: movl 36(%4), %%edx\n"
19449+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
19450+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
19451 " movnti %%eax, 32(%3)\n"
19452 " movnti %%edx, 36(%3)\n"
19453- "12: movl 40(%4), %%eax\n"
19454- "71: movl 44(%4), %%edx\n"
19455+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
19456+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
19457 " movnti %%eax, 40(%3)\n"
19458 " movnti %%edx, 44(%3)\n"
19459- "13: movl 48(%4), %%eax\n"
19460- "81: movl 52(%4), %%edx\n"
19461+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
19462+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
19463 " movnti %%eax, 48(%3)\n"
19464 " movnti %%edx, 52(%3)\n"
19465- "14: movl 56(%4), %%eax\n"
19466- "91: movl 60(%4), %%edx\n"
19467+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
19468+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
19469 " movnti %%eax, 56(%3)\n"
19470 " movnti %%edx, 60(%3)\n"
19471 " addl $-64, %0\n"
19472@@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
19473 " shrl $2, %0\n"
19474 " andl $3, %%eax\n"
19475 " cld\n"
19476- "6: rep; movsl\n"
19477+ "6: rep; "__copyuser_seg" movsl\n"
19478 " movl %%eax,%0\n"
19479- "7: rep; movsb\n"
19480+ "7: rep; "__copyuser_seg" movsb\n"
19481 "8:\n"
19482 ".section .fixup,\"ax\"\n"
19483 "9: lea 0(%%eax,%0,4),%0\n"
19484@@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
19485
19486 __asm__ __volatile__(
19487 " .align 2,0x90\n"
19488- "0: movl 32(%4), %%eax\n"
19489+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
19490 " cmpl $67, %0\n"
19491 " jbe 2f\n"
19492- "1: movl 64(%4), %%eax\n"
19493+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
19494 " .align 2,0x90\n"
19495- "2: movl 0(%4), %%eax\n"
19496- "21: movl 4(%4), %%edx\n"
19497+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
19498+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
19499 " movnti %%eax, 0(%3)\n"
19500 " movnti %%edx, 4(%3)\n"
19501- "3: movl 8(%4), %%eax\n"
19502- "31: movl 12(%4),%%edx\n"
19503+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
19504+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
19505 " movnti %%eax, 8(%3)\n"
19506 " movnti %%edx, 12(%3)\n"
19507- "4: movl 16(%4), %%eax\n"
19508- "41: movl 20(%4), %%edx\n"
19509+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
19510+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
19511 " movnti %%eax, 16(%3)\n"
19512 " movnti %%edx, 20(%3)\n"
19513- "10: movl 24(%4), %%eax\n"
19514- "51: movl 28(%4), %%edx\n"
19515+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
19516+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
19517 " movnti %%eax, 24(%3)\n"
19518 " movnti %%edx, 28(%3)\n"
19519- "11: movl 32(%4), %%eax\n"
19520- "61: movl 36(%4), %%edx\n"
19521+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
19522+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
19523 " movnti %%eax, 32(%3)\n"
19524 " movnti %%edx, 36(%3)\n"
19525- "12: movl 40(%4), %%eax\n"
19526- "71: movl 44(%4), %%edx\n"
19527+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
19528+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
19529 " movnti %%eax, 40(%3)\n"
19530 " movnti %%edx, 44(%3)\n"
19531- "13: movl 48(%4), %%eax\n"
19532- "81: movl 52(%4), %%edx\n"
19533+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
19534+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
19535 " movnti %%eax, 48(%3)\n"
19536 " movnti %%edx, 52(%3)\n"
19537- "14: movl 56(%4), %%eax\n"
19538- "91: movl 60(%4), %%edx\n"
19539+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
19540+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
19541 " movnti %%eax, 56(%3)\n"
19542 " movnti %%edx, 60(%3)\n"
19543 " addl $-64, %0\n"
19544@@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
19545 " shrl $2, %0\n"
19546 " andl $3, %%eax\n"
19547 " cld\n"
19548- "6: rep; movsl\n"
19549+ "6: rep; "__copyuser_seg" movsl\n"
19550 " movl %%eax,%0\n"
19551- "7: rep; movsb\n"
19552+ "7: rep; "__copyuser_seg" movsb\n"
19553 "8:\n"
19554 ".section .fixup,\"ax\"\n"
19555 "9: lea 0(%%eax,%0,4),%0\n"
19556@@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
19557 */
19558 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
19559 unsigned long size);
19560-unsigned long __copy_user_intel(void __user *to, const void *from,
19561+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
19562+ unsigned long size);
19563+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
19564 unsigned long size);
19565 unsigned long __copy_user_zeroing_intel_nocache(void *to,
19566 const void __user *from, unsigned long size);
19567 #endif /* CONFIG_X86_INTEL_USERCOPY */
19568
19569 /* Generic arbitrary sized copy. */
19570-#define __copy_user(to, from, size) \
19571+#define __copy_user(to, from, size, prefix, set, restore) \
19572 do { \
19573 int __d0, __d1, __d2; \
19574 __asm__ __volatile__( \
19575+ set \
19576 " cmp $7,%0\n" \
19577 " jbe 1f\n" \
19578 " movl %1,%0\n" \
19579 " negl %0\n" \
19580 " andl $7,%0\n" \
19581 " subl %0,%3\n" \
19582- "4: rep; movsb\n" \
19583+ "4: rep; "prefix"movsb\n" \
19584 " movl %3,%0\n" \
19585 " shrl $2,%0\n" \
19586 " andl $3,%3\n" \
19587 " .align 2,0x90\n" \
19588- "0: rep; movsl\n" \
19589+ "0: rep; "prefix"movsl\n" \
19590 " movl %3,%0\n" \
19591- "1: rep; movsb\n" \
19592+ "1: rep; "prefix"movsb\n" \
19593 "2:\n" \
19594+ restore \
19595 ".section .fixup,\"ax\"\n" \
19596 "5: addl %3,%0\n" \
19597 " jmp 2b\n" \
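Review bot: `__copy_user` gains three positional string parameters `prefix, set, restore` with no comment on what each receives; the call sites later in the file pass `"", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES` for the to-user direction and `__copyuser_seg, "", ""` for from-user, which is not recoverable from the macro itself. Suggest expanding `/* Generic arbitrary sized copy. */` to say that `prefix` is the segment override pasted in front of the user-side `movsb`/`movsl`, that `set` and `restore` are asm fragments emitted before the copy and after label 2 (so the fixup's `jmp 2b` also runs `restore`), and that all three may be empty strings. The `"rep; "prefix"movsb\n"` concatenation leaves no space between override and mnemonic, unlike `"rep; "__copyuser_seg" movsl\n"` elsewhere in the file; it presumably assembles the same but reads inconsistently.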
19598@@ -682,14 +799,14 @@ do { \
19599 " negl %0\n" \
19600 " andl $7,%0\n" \
19601 " subl %0,%3\n" \
19602- "4: rep; movsb\n" \
19603+ "4: rep; "__copyuser_seg"movsb\n" \
19604 " movl %3,%0\n" \
19605 " shrl $2,%0\n" \
19606 " andl $3,%3\n" \
19607 " .align 2,0x90\n" \
19608- "0: rep; movsl\n" \
19609+ "0: rep; "__copyuser_seg"movsl\n" \
19610 " movl %3,%0\n" \
19611- "1: rep; movsb\n" \
19612+ "1: rep; "__copyuser_seg"movsb\n" \
19613 "2:\n" \
19614 ".section .fixup,\"ax\"\n" \
19615 "5: addl %3,%0\n" \
19616@@ -775,9 +892,9 @@ survive:
19617 }
19618 #endif
19619 if (movsl_is_ok(to, from, n))
19620- __copy_user(to, from, n);
19621+ __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
19622 else
19623- n = __copy_user_intel(to, from, n);
19624+ n = __generic_copy_to_user_intel(to, from, n);
19625 return n;
19626 }
19627 EXPORT_SYMBOL(__copy_to_user_ll);
19628@@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
19629 unsigned long n)
19630 {
19631 if (movsl_is_ok(to, from, n))
19632- __copy_user(to, from, n);
19633+ __copy_user(to, from, n, __copyuser_seg, "", "");
19634 else
19635- n = __copy_user_intel((void __user *)to,
19636- (const void *)from, n);
19637+ n = __generic_copy_from_user_intel(to, from, n);
19638 return n;
19639 }
19640 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
19641@@ -827,65 +943,50 @@ unsigned long __copy_from_user_ll_nocach
19642 if (n > 64 && cpu_has_xmm2)
19643 n = __copy_user_intel_nocache(to, from, n);
19644 else
19645- __copy_user(to, from, n);
19646+ __copy_user(to, from, n, __copyuser_seg, "", "");
19647 #else
19648- __copy_user(to, from, n);
19649+ __copy_user(to, from, n, __copyuser_seg, "", "");
19650 #endif
19651 return n;
19652 }
19653 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
19654
19655-/**
19656- * copy_to_user: - Copy a block of data into user space.
19657- * @to: Destination address, in user space.
19658- * @from: Source address, in kernel space.
19659- * @n: Number of bytes to copy.
19660- *
19661- * Context: User context only. This function may sleep.
19662- *
19663- * Copy data from kernel space to user space.
19664- *
19665- * Returns number of bytes that could not be copied.
19666- * On success, this will be zero.
19667- */
19668-unsigned long
19669-copy_to_user(void __user *to, const void *from, unsigned long n)
19670+void copy_from_user_overflow(void)
19671 {
19672- if (access_ok(VERIFY_WRITE, to, n))
19673- n = __copy_to_user(to, from, n);
19674- return n;
19675+ WARN(1, "Buffer overflow detected!\n");
19676 }
19677-EXPORT_SYMBOL(copy_to_user);
19678+EXPORT_SYMBOL(copy_from_user_overflow);
19679
19680-/**
19681- * copy_from_user: - Copy a block of data from user space.
19682- * @to: Destination address, in kernel space.
19683- * @from: Source address, in user space.
19684- * @n: Number of bytes to copy.
19685- *
19686- * Context: User context only. This function may sleep.
19687- *
19688- * Copy data from user space to kernel space.
19689- *
19690- * Returns number of bytes that could not be copied.
19691- * On success, this will be zero.
19692- *
19693- * If some data could not be copied, this function will pad the copied
19694- * data to the requested size using zero bytes.
19695- */
19696-unsigned long
19697-_copy_from_user(void *to, const void __user *from, unsigned long n)
19698+void copy_to_user_overflow(void)
19699 {
19700- if (access_ok(VERIFY_READ, from, n))
19701- n = __copy_from_user(to, from, n);
19702- else
19703- memset(to, 0, n);
19704- return n;
19705+ WARN(1, "Buffer overflow detected!\n");
19706 }
19707-EXPORT_SYMBOL(_copy_from_user);
19708+EXPORT_SYMBOL(copy_to_user_overflow);
19709
19710-void copy_from_user_overflow(void)
19711+#ifdef CONFIG_PAX_MEMORY_UDEREF
19712+void __set_fs(mm_segment_t x)
19713 {
19714- WARN(1, "Buffer overflow detected!\n");
19715+ switch (x.seg) {
19716+ case 0:
19717+ loadsegment(gs, 0);
19718+ break;
19719+ case TASK_SIZE_MAX:
19720+ loadsegment(gs, __USER_DS);
19721+ break;
19722+ case -1UL:
19723+ loadsegment(gs, __KERNEL_DS);
19724+ break;
19725+ default:
19726+ BUG();
19727+ }
19728+ return;
19729 }
19730-EXPORT_SYMBOL(copy_from_user_overflow);
19731+EXPORT_SYMBOL(__set_fs);
19732+
19733+void set_fs(mm_segment_t x)
19734+{
19735+ current_thread_info()->addr_limit = x;
19736+ __set_fs(x);
19737+}
19738+EXPORT_SYMBOL(set_fs);
19739+#endif
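Review bot: `__set_fs` ends with a bare `return;` before the closing brace, which is redundant in a void function and can be dropped. The `switch (x.seg)` accepts exactly three values — `0`, `TASK_SIZE_MAX` and `-1UL` — and `BUG()`s on anything else, but nothing says which callers' segments these correspond to; a comment such as `/* only the addr_limit values handed to set_fs() are valid: 0 (no user access), USER_DS and KERNEL_DS; anything else is a bug */` would help, after confirming that `TASK_SIZE_MAX` and `-1UL` are indeed the USER_DS/KERNEL_DS `.seg` values in this tree. The new `copy_to_user_overflow` arrives without a header comment while the kerneldoc blocks for `copy_to_user` and `_copy_from_user` are deleted here; if those two functions now live elsewhere (presumably a header), a pointer to the new location would save the next reader a search.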
19740diff -urNp linux-3.1.1/arch/x86/lib/usercopy_64.c linux-3.1.1/arch/x86/lib/usercopy_64.c
19741--- linux-3.1.1/arch/x86/lib/usercopy_64.c 2011-11-11 15:19:27.000000000 -0500
19742+++ linux-3.1.1/arch/x86/lib/usercopy_64.c 2011-11-16 18:39:07.000000000 -0500
19743@@ -42,6 +42,12 @@ long
19744 __strncpy_from_user(char *dst, const char __user *src, long count)
19745 {
19746 long res;
19747+
19748+#ifdef CONFIG_PAX_MEMORY_UDEREF
19749+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19750+ src += PAX_USER_SHADOW_BASE;
19751+#endif
19752+
19753 __do_strncpy_from_user(dst, src, count, res);
19754 return res;
19755 }
19756@@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
19757 {
19758 long __d0;
19759 might_fault();
19760+
19761+#ifdef CONFIG_PAX_MEMORY_UDEREF
19762+ if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
19763+ addr += PAX_USER_SHADOW_BASE;
19764+#endif
19765+
19766 /* no memory constraint because it doesn't change any memory gcc knows
19767 about */
19768 asm volatile(
19769@@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
19770
19771 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
19772 {
19773- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
19774- return copy_user_generic((__force void *)to, (__force void *)from, len);
19775- }
19776- return len;
19777+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
19778+
19779+#ifdef CONFIG_PAX_MEMORY_UDEREF
19780+ if ((unsigned long)to < PAX_USER_SHADOW_BASE)
19781+ to += PAX_USER_SHADOW_BASE;
19782+ if ((unsigned long)from < PAX_USER_SHADOW_BASE)
19783+ from += PAX_USER_SHADOW_BASE;
19784+#endif
19785+
19786+ return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
19787+ }
19788+ return len;
19789 }
19790 EXPORT_SYMBOL(copy_in_user);
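Review bot: The UDEREF relocation `if ((unsigned long)p < PAX_USER_SHADOW_BASE) p += PAX_USER_SHADOW_BASE;` is repeated for `src` in `__strncpy_from_user`, for `addr` in `__clear_user` and for both `to` and `from` here in `copy_in_user`, each under its own `#ifdef CONFIG_PAX_MEMORY_UDEREF`; a single `static inline` helper that is a no-op when UDEREF is off would keep the four copies identical and take the `#ifdef`s out of the function bodies. The ordering here — `access_ok()` on the unshifted pointers first, relocation second — is the right one and worth a one-line comment, because `__strncpy_from_user` and `__clear_user` relocate without any `access_ok()` of their own and rely on their callers having done it. The `if (access_ok(...))` line is removed and re-added with identical text, which looks like a whitespace-only change and adds noise to the hunk.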
19791
19792@@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
19793 * it is not necessary to optimize tail handling.
19794 */
19795 unsigned long
19796-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
19797+copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest)
19798 {
19799 char c;
19800 unsigned zero_len;
19801diff -urNp linux-3.1.1/arch/x86/Makefile linux-3.1.1/arch/x86/Makefile
19802--- linux-3.1.1/arch/x86/Makefile 2011-11-11 15:19:27.000000000 -0500
19803+++ linux-3.1.1/arch/x86/Makefile 2011-11-17 18:30:30.000000000 -0500
19804@@ -46,6 +46,7 @@ else
19805 UTS_MACHINE := x86_64
19806 CHECKFLAGS += -D__x86_64__ -m64
19807
19808+ biarch := $(call cc-option,-m64)
19809 KBUILD_AFLAGS += -m64
19810 KBUILD_CFLAGS += -m64
19811
19812@@ -195,3 +196,12 @@ define archhelp
19813 echo ' FDARGS="..." arguments for the booted kernel'
19814 echo ' FDINITRD=file initrd for the booted kernel'
19815 endef
19816+
19817+define OLD_LD
19818+
19819+*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
19820+*** Please upgrade your binutils to 2.18 or newer
19821+endef
19822+
19823+archprepare:
19824+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
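Review bot: The archprepare check on the last line of the hunk treats an empty `LDFLAGS_BUILD_ID` as "old binutils", but the OLD_LD message names a version; on a toolchain where `--build-id` is unavailable or disabled for some other reason the build aborts with a misleading diagnosis. Consider stating what was actually tested, e.g. adding `*** (the linker did not accept --build-id, which PaX kernels require)` to the define, or probing with `ld-option` for the specific feature PaX depends on. How LDFLAGS_BUILD_ID is derived in this tree is outside the hunk, so I have not verified which feature the proxy really stands for.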
19825diff -urNp linux-3.1.1/arch/x86/mm/extable.c linux-3.1.1/arch/x86/mm/extable.c
19826--- linux-3.1.1/arch/x86/mm/extable.c 2011-11-11 15:19:27.000000000 -0500
19827+++ linux-3.1.1/arch/x86/mm/extable.c 2011-11-16 18:39:07.000000000 -0500
19828@@ -8,7 +8,7 @@ int fixup_exception(struct pt_regs *regs
19829 const struct exception_table_entry *fixup;
19830
19831 #ifdef CONFIG_PNPBIOS
19832- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
19833+ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
19834 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
19835 extern u32 pnp_bios_is_utter_crap;
19836 pnp_bios_is_utter_crap = 1;
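Review bot: The added `!v8086_mode(regs)` guard in fixup_exception is not explained at the site, and the reason is not obvious: in vm86 mode regs->cs holds a real-mode segment value rather than a GDT selector, so SEGMENT_IS_PNP_CODE() could presumably match it by accident and divert a vm86 fault into the PnP BIOS recovery path. A one-line comment would keep the next reader from dropping the check, e.g. `/* vm86 cs is a real-mode segment, not a selector; never mistake it for PnP BIOS code */`. The rest of fixup_exception lies outside the hunk.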
19837diff -urNp linux-3.1.1/arch/x86/mm/fault.c linux-3.1.1/arch/x86/mm/fault.c
19838--- linux-3.1.1/arch/x86/mm/fault.c 2011-11-11 15:19:27.000000000 -0500
19839+++ linux-3.1.1/arch/x86/mm/fault.c 2011-11-16 20:43:50.000000000 -0500
19840@@ -13,11 +13,18 @@
19841 #include <linux/perf_event.h> /* perf_sw_event */
19842 #include <linux/hugetlb.h> /* hstate_index_to_shift */
19843 #include <linux/prefetch.h> /* prefetchw */
19844+#include <linux/unistd.h>
19845+#include <linux/compiler.h>
19846
19847 #include <asm/traps.h> /* dotraplinkage, ... */
19848 #include <asm/pgalloc.h> /* pgd_*(), ... */
19849 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
19850 #include <asm/vsyscall.h>
19851+#include <asm/tlbflush.h>
19852+
19853+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19854+#include <asm/stacktrace.h>
19855+#endif
19856
19857 /*
19858 * Page fault error code bits:
19859@@ -55,7 +62,7 @@ static inline int __kprobes notify_page_
19860 int ret = 0;
19861
19862 /* kprobe_running() needs smp_processor_id() */
19863- if (kprobes_built_in() && !user_mode_vm(regs)) {
19864+ if (kprobes_built_in() && !user_mode(regs)) {
19865 preempt_disable();
19866 if (kprobe_running() && kprobe_fault_handler(regs, 14))
19867 ret = 1;
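Review bot: Replacing user_mode_vm() with user_mode() in notify_page_fault changes behaviour for vm86 faults unless this tree also redefines user_mode() to honour VM_MASK: upstream user_mode() tests only the CPL in regs->cs, so a vm86 fault would be treated as a kernel-mode fault and run the kprobe fault handler on it. If user_mode() has been made vm86-aware elsewhere in the patch (not visible here), a short comment on the line, `/* user_mode() covers vm86 under PaX */`, would document why the _vm variant is no longer needed; otherwise `!user_mode_vm(regs)` should stay. The same substitution appears again in do_page_fault further down and the same caveat applies there.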
19868@@ -116,7 +123,10 @@ check_prefetch_opcode(struct pt_regs *re
19869 return !instr_lo || (instr_lo>>1) == 1;
19870 case 0x00:
19871 /* Prefetch instruction is 0x0F0D or 0x0F18 */
19872- if (probe_kernel_address(instr, opcode))
19873+ if (user_mode(regs)) {
19874+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
19875+ return 0;
19876+ } else if (probe_kernel_address(instr, opcode))
19877 return 0;
19878
19879 *prefetch = (instr_lo == 0xF) &&
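Review bot: The user-mode branch added to check_prefetch_opcode reads the opcode with `__copy_from_user_inatomic()`, which does no access_ok() range check, and `instr` is derived from the faulting task's regs->ip; the read is only safe because the `instr >= TASK_SIZE` rejection in is_prefetch (outside this hunk) presumably bounds it to user space first. That dependency deserves a comment on the new line, e.g. `/* no access_ok(): is_prefetch() already bounded instr to user space */`, since a future caller could reach this function without that guard. The same pattern is repeated in the is_prefetch loop in the next hunk and the remark applies there too. It is also worth confirming that `__force_user` on an un-rebased address is the right thing under UDEREF, given that copy_in_user above rebases user pointers by PAX_USER_SHADOW_BASE before the copy.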
19880@@ -150,7 +160,10 @@ is_prefetch(struct pt_regs *regs, unsign
19881 while (instr < max_instr) {
19882 unsigned char opcode;
19883
19884- if (probe_kernel_address(instr, opcode))
19885+ if (user_mode(regs)) {
19886+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
19887+ break;
19888+ } else if (probe_kernel_address(instr, opcode))
19889 break;
19890
19891 instr++;
19892@@ -181,6 +194,34 @@ force_sig_info_fault(int si_signo, int s
19893 force_sig_info(si_signo, &info, tsk);
19894 }
19895
19896+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19897+static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address);
19898+#endif
19899+
19900+#ifdef CONFIG_PAX_EMUTRAMP
19901+static int pax_handle_fetch_fault(struct pt_regs *regs);
19902+#endif
19903+
19904+#ifdef CONFIG_PAX_PAGEEXEC
19905+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
19906+{
19907+ pgd_t *pgd;
19908+ pud_t *pud;
19909+ pmd_t *pmd;
19910+
19911+ pgd = pgd_offset(mm, address);
19912+ if (!pgd_present(*pgd))
19913+ return NULL;
19914+ pud = pud_offset(pgd, address);
19915+ if (!pud_present(*pud))
19916+ return NULL;
19917+ pmd = pmd_offset(pud, address);
19918+ if (!pmd_present(*pmd))
19919+ return NULL;
19920+ return pmd;
19921+}
19922+#endif
19923+
19924 DEFINE_SPINLOCK(pgd_lock);
19925 LIST_HEAD(pgd_list);
19926
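Review bot: pax_get_pmd returns any present pmd, including a large-page (PSE) entry, and its caller in this file, pax_handle_pageexec_fault, hands the result to pte_offset_map_lock(); for a huge mapping there is no pte table behind the pmd, so the "pte" it then examines is part of the huge page's frame address. Unless huge mappings can never reach that path (nothing in this hunk rules them out, and both hugetlb and PSE are possible on a 32-bit non-NX configuration), the walk should stop on large entries: `if (!pmd_present(*pmd) || pmd_large(*pmd)) return NULL;`. A one-line comment stating that the helper walks the page tables without taking any lock and so must be called with mmap_sem held would also help future callers.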
19927@@ -231,10 +272,22 @@ void vmalloc_sync_all(void)
19928 for (address = VMALLOC_START & PMD_MASK;
19929 address >= TASK_SIZE && address < FIXADDR_TOP;
19930 address += PMD_SIZE) {
19931+
19932+#ifdef CONFIG_PAX_PER_CPU_PGD
19933+ unsigned long cpu;
19934+#else
19935 struct page *page;
19936+#endif
19937
19938 spin_lock(&pgd_lock);
19939+
19940+#ifdef CONFIG_PAX_PER_CPU_PGD
19941+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19942+ pgd_t *pgd = get_cpu_pgd(cpu);
19943+ pmd_t *ret;
19944+#else
19945 list_for_each_entry(page, &pgd_list, lru) {
19946+ pgd_t *pgd = page_address(page);
19947 spinlock_t *pgt_lock;
19948 pmd_t *ret;
19949
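Review bot: The CONFIG_PAX_PER_CPU_PGD loop added to vmalloc_sync_all iterates `cpu < NR_CPUS` rather than the possible CPUs; if get_cpu_pgd() indexes a statically sized array this is only wasted work, but if it is backed by a per-cpu variable the access for a non-possible CPU is questionable. `for_each_possible_cpu(cpu)` is the conventional form and correct in either case. The loop body continues into the next hunk, where the per-mm pgt_lock is skipped on the per-CPU path; a comment there explaining why no lock is needed (the per-CPU pgds are presumably not owned by any mm) would help.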
19950@@ -242,8 +295,13 @@ void vmalloc_sync_all(void)
19951 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
19952
19953 spin_lock(pgt_lock);
19954- ret = vmalloc_sync_one(page_address(page), address);
19955+#endif
19956+
19957+ ret = vmalloc_sync_one(pgd, address);
19958+
19959+#ifndef CONFIG_PAX_PER_CPU_PGD
19960 spin_unlock(pgt_lock);
19961+#endif
19962
19963 if (!ret)
19964 break;
19965@@ -277,6 +335,11 @@ static noinline __kprobes int vmalloc_fa
19966 * an interrupt in the middle of a task switch..
19967 */
19968 pgd_paddr = read_cr3();
19969+
19970+#ifdef CONFIG_PAX_PER_CPU_PGD
19971+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
19972+#endif
19973+
19974 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
19975 if (!pmd_k)
19976 return -1;
19977@@ -372,7 +435,14 @@ static noinline __kprobes int vmalloc_fa
19978 * happen within a race in page table update. In the later
19979 * case just flush:
19980 */
19981+
19982+#ifdef CONFIG_PAX_PER_CPU_PGD
19983+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
19984+ pgd = pgd_offset_cpu(smp_processor_id(), address);
19985+#else
19986 pgd = pgd_offset(current->active_mm, address);
19987+#endif
19988+
19989 pgd_ref = pgd_offset_k(address);
19990 if (pgd_none(*pgd_ref))
19991 return -1;
19992@@ -534,7 +604,7 @@ static int is_errata93(struct pt_regs *r
19993 static int is_errata100(struct pt_regs *regs, unsigned long address)
19994 {
19995 #ifdef CONFIG_X86_64
19996- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
19997+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
19998 return 1;
19999 #endif
20000 return 0;
20001@@ -561,7 +631,7 @@ static int is_f00f_bug(struct pt_regs *r
20002 }
20003
20004 static const char nx_warning[] = KERN_CRIT
20005-"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
20006+"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
20007
20008 static void
20009 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
20010@@ -570,14 +640,25 @@ show_fault_oops(struct pt_regs *regs, un
20011 if (!oops_may_print())
20012 return;
20013
20014- if (error_code & PF_INSTR) {
20015+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
20016 unsigned int level;
20017
20018 pte_t *pte = lookup_address(address, &level);
20019
20020 if (pte && pte_present(*pte) && !pte_exec(*pte))
20021- printk(nx_warning, current_uid());
20022+ printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
20023+ }
20024+
20025+#ifdef CONFIG_PAX_KERNEXEC
20026+ if (init_mm.start_code <= address && address < init_mm.end_code) {
20027+ if (current->signal->curr_ip)
20028+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
20029+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
20030+ else
20031+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
20032+ current->comm, task_pid_nr(current), current_uid(), current_euid());
20033 }
20034+#endif
20035
20036 printk(KERN_ALERT "BUG: unable to handle kernel ");
20037 if (address < PAGE_SIZE)
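Review bot: The KERNEXEC report added to show_fault_oops prints "attempted to modify kernel code" for any kernel-mode fault whose address falls in [init_mm.start_code, init_mm.end_code) without consulting error_code; on a KERNEXEC kernel the text is presumably read-only so in practice only writes fault there, but a fetch or read fault through a stale or corrupted mapping would be reported with the same wording. Qualifying the test, `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {`, makes the message match its condition. The `%pI4` branch keyed on current->signal->curr_ip relies on a grsecurity field that is not visible here.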
20038@@ -733,6 +814,21 @@ __bad_area_nosemaphore(struct pt_regs *r
20039 }
20040 #endif
20041
20042+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20043+ if (pax_is_fetch_fault(regs, error_code, address)) {
20044+
20045+#ifdef CONFIG_PAX_EMUTRAMP
20046+ switch (pax_handle_fetch_fault(regs)) {
20047+ case 2:
20048+ return;
20049+ }
20050+#endif
20051+
20052+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
20053+ do_group_exit(SIGKILL);
20054+ }
20055+#endif
20056+
20057 if (unlikely(show_unhandled_signals))
20058 show_signal_msg(regs, error_code, address, tsk);
20059
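Review bot: The `switch (pax_handle_fetch_fault(regs))` with a single `case 2: return;` in __bad_area_nosemaphore reads as if more outcomes were expected; per the header comment on pax_handle_fetch_fault later in the patch it only returns 1 or 2, so `if (pax_handle_fetch_fault(regs) == 2) return;` says the same thing more directly. Naming the outcomes (e.g. `#define PAX_FETCH_KILL 1` / `#define PAX_FETCH_EMULATED 2`) would also help, since the literal 2 recurs in pax_handle_pageexec_fault. This is a style remark; the control flow as written is correct.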
20060@@ -829,7 +925,7 @@ do_sigbus(struct pt_regs *regs, unsigned
20061 if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
20062 printk(KERN_ERR
20063 "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
20064- tsk->comm, tsk->pid, address);
20065+ tsk->comm, task_pid_nr(tsk), address);
20066 code = BUS_MCEERR_AR;
20067 }
20068 #endif
20069@@ -884,6 +980,99 @@ static int spurious_fault_check(unsigned
20070 return 1;
20071 }
20072
20073+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
20074+static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
20075+{
20076+ pte_t *pte;
20077+ pmd_t *pmd;
20078+ spinlock_t *ptl;
20079+ unsigned char pte_mask;
20080+
20081+ if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
20082+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
20083+ return 0;
20084+
20085+ /* PaX: it's our fault, let's handle it if we can */
20086+
20087+ /* PaX: take a look at read faults before acquiring any locks */
20088+ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
20089+ /* instruction fetch attempt from a protected page in user mode */
20090+ up_read(&mm->mmap_sem);
20091+
20092+#ifdef CONFIG_PAX_EMUTRAMP
20093+ switch (pax_handle_fetch_fault(regs)) {
20094+ case 2:
20095+ return 1;
20096+ }
20097+#endif
20098+
20099+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
20100+ do_group_exit(SIGKILL);
20101+ }
20102+
20103+ pmd = pax_get_pmd(mm, address);
20104+ if (unlikely(!pmd))
20105+ return 0;
20106+
20107+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
20108+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
20109+ pte_unmap_unlock(pte, ptl);
20110+ return 0;
20111+ }
20112+
20113+ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
20114+ /* write attempt to a protected page in user mode */
20115+ pte_unmap_unlock(pte, ptl);
20116+ return 0;
20117+ }
20118+
20119+#ifdef CONFIG_SMP
20120+ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
20121+#else
20122+ if (likely(address > get_limit(regs->cs)))
20123+#endif
20124+ {
20125+ set_pte(pte, pte_mkread(*pte));
20126+ __flush_tlb_one(address);
20127+ pte_unmap_unlock(pte, ptl);
20128+ up_read(&mm->mmap_sem);
20129+ return 1;
20130+ }
20131+
20132+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
20133+
20134+ /*
20135+ * PaX: fill DTLB with user rights and retry
20136+ */
20137+ __asm__ __volatile__ (
20138+ "orb %2,(%1)\n"
20139+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
20140+/*
20141+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
20142+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
20143+ * page fault when examined during a TLB load attempt. this is true not only
20144+ * for PTEs holding a non-present entry but also present entries that will
20145+ * raise a page fault (such as those set up by PaX, or the copy-on-write
20146+ * mechanism). in effect it means that we do *not* need to flush the TLBs
20147+ * for our target pages since their PTEs are simply not in the TLBs at all.
20148+
20149+ * the best thing in omitting it is that we gain around 15-20% speed in the
20150+ * fast path of the page fault handler and can get rid of tracing since we
20151+ * can no longer flush unintended entries.
20152+ */
20153+ "invlpg (%0)\n"
20154+#endif
20155+ __copyuser_seg"testb $0,(%0)\n"
20156+ "xorb %3,(%1)\n"
20157+ :
20158+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
20159+ : "memory", "cc");
20160+ pte_unmap_unlock(pte, ptl);
20161+ up_read(&mm->mmap_sem);
20162+ return 1;
20163+}
20164+#endif
20165+
20166 /*
20167 * Handle a spurious fault caused by a stale TLB entry.
20168 *
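Review bot: pax_handle_pageexec_fault has a non-obvious locking contract that is not documented: it is entered with mm->mmap_sem held for read (its call site in do_page_fault is after the down_read), returns 0 with the lock still held so the generic path continues, and returns 1 (or never returns, via do_group_exit) only after dropping the lock itself. A header comment stating exactly that, plus `/* caller's mmap_sem is released on every return-1 path */` at the up_read() calls, would prevent a future early return from leaking or double-dropping the semaphore. Two smaller points: the `#ifdef CONFIG_SMP` pair that differs only by the cpu_user_cs_mask term could be collapsed by defining the mask test away on UP, and the long comment above the `invlpg` calls it "uncommented" although it is in fact conditionally compiled for CONFIG_M586/M586TSC only. The DTLB-priming asm (`orb`/`testb`/`xorb` on the pte) also deserves one line saying the pte is made user-accessible only for the duration of a single load on this CPU.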
20169@@ -956,6 +1145,9 @@ int show_unhandled_signals = 1;
20170 static inline int
20171 access_error(unsigned long error_code, struct vm_area_struct *vma)
20172 {
20173+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
20174+ return 1;
20175+
20176 if (error_code & PF_WRITE) {
20177 /* write, present and write, not present: */
20178 if (unlikely(!(vma->vm_flags & VM_WRITE)))
20179@@ -989,19 +1181,33 @@ do_page_fault(struct pt_regs *regs, unsi
20180 {
20181 struct vm_area_struct *vma;
20182 struct task_struct *tsk;
20183- unsigned long address;
20184 struct mm_struct *mm;
20185 int fault;
20186 int write = error_code & PF_WRITE;
20187 unsigned int flags = FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE |
20188 (write ? FAULT_FLAG_WRITE : 0);
20189
20190+ /* Get the faulting address: */
20191+ unsigned long address = read_cr2();
20192+
20193+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20194+ if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
20195+ if (!search_exception_tables(regs->ip)) {
20196+ bad_area_nosemaphore(regs, error_code, address);
20197+ return;
20198+ }
20199+ if (address < PAX_USER_SHADOW_BASE) {
20200+ printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
20201+ printk(KERN_ERR "PAX: faulting IP: %pS\n", (void *)regs->ip);
20202+ show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
20203+ } else
20204+ address -= PAX_USER_SHADOW_BASE;
20205+ }
20206+#endif
20207+
20208 tsk = current;
20209 mm = tsk->mm;
20210
20211- /* Get the faulting address: */
20212- address = read_cr2();
20213-
20214 /*
20215 * Detect and handle instructions that would cause a page fault for
20216 * both a tracked kernel page and a userspace page.
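Review bot: The UDEREF block added at the top of do_page_fault sends any kernel-mode fault below 2*PAX_USER_SHADOW_BASE with no exception-table entry straight to bad_area_nosemaphore(), ahead of the kmemcheck, vmalloc_fault and notify_page_fault() hooks that follow outside the hunk, so a kprobes fault handler never gets a look at such faults. If that ordering is intended, say so in a comment on the `if (!search_exception_tables(regs->ip))` line. In the `address < PAX_USER_SHADOW_BASE` branch the code logs a request for a bug report but then continues with the unshifted address as if it were an ordinary user fault; the comment should state the expected outcome (presumably the exception fixup takes the EFAULT path), since the rest of the handler now runs on an address UDEREF says should never have been dereferenced.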
20217@@ -1061,7 +1267,7 @@ do_page_fault(struct pt_regs *regs, unsi
20218 * User-mode registers count as a user access even for any
20219 * potential system fault or CPU buglet:
20220 */
20221- if (user_mode_vm(regs)) {
20222+ if (user_mode(regs)) {
20223 local_irq_enable();
20224 error_code |= PF_USER;
20225 } else {
20226@@ -1116,6 +1322,11 @@ retry:
20227 might_sleep();
20228 }
20229
20230+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
20231+ if (pax_handle_pageexec_fault(regs, mm, address, error_code))
20232+ return;
20233+#endif
20234+
20235 vma = find_vma(mm, address);
20236 if (unlikely(!vma)) {
20237 bad_area(regs, error_code, address);
20238@@ -1127,18 +1338,24 @@ retry:
20239 bad_area(regs, error_code, address);
20240 return;
20241 }
20242- if (error_code & PF_USER) {
20243- /*
20244- * Accessing the stack below %sp is always a bug.
20245- * The large cushion allows instructions like enter
20246- * and pusha to work. ("enter $65535, $31" pushes
20247- * 32 pointers and then decrements %sp by 65535.)
20248- */
20249- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
20250- bad_area(regs, error_code, address);
20251- return;
20252- }
20253+ /*
20254+ * Accessing the stack below %sp is always a bug.
20255+ * The large cushion allows instructions like enter
20256+ * and pusha to work. ("enter $65535, $31" pushes
20257+ * 32 pointers and then decrements %sp by 65535.)
20258+ */
20259+ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
20260+ bad_area(regs, error_code, address);
20261+ return;
20262 }
20263+
20264+#ifdef CONFIG_PAX_SEGMEXEC
20265+ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
20266+ bad_area(regs, error_code, address);
20267+ return;
20268+ }
20269+#endif
20270+
20271 if (unlikely(expand_stack(vma, address))) {
20272 bad_area(regs, error_code, address);
20273 return;
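Review bot: The stack-cushion check is no longer conditional on PF_USER, so a kernel-mode access on the task's behalf (e.g. a get_user() on a pointer more than 64 KiB below the user sp taken from task_pt_regs(tsk)->sp) is now rejected with bad_area() where the original only enforced this for user-mode faults; if that tightening is intended, a comment explaining why the user sp is the right bound even for kernel accesses would help, since upstream deliberately limited the check to PF_USER. The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wrap-around: given address < vma->vm_end, it is true exactly when the vma lies in the mirror half above SEGMEXEC_TASK_SIZE while address lies below it, i.e. it stops expand_stack() from growing a mirror-half vma across the boundary. That reasoning belongs next to the test, e.g. `/* unsigned wrap: true iff vma is above SEGMEXEC_TASK_SIZE and address below it; never grow a mirror vma across the boundary */` — please confirm that is the intent.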
20274@@ -1193,3 +1410,240 @@ good_area:
20275
20276 up_read(&mm->mmap_sem);
20277 }
20278+
20279+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20280+static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
20281+{
20282+ struct mm_struct *mm = current->mm;
20283+ unsigned long ip = regs->ip;
20284+
20285+ if (v8086_mode(regs))
20286+ ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
20287+
20288+#ifdef CONFIG_PAX_PAGEEXEC
20289+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
20290+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR))
20291+ return true;
20292+ if (!(error_code & (PF_PROT | PF_WRITE)) && ip == address)
20293+ return true;
20294+ return false;
20295+ }
20296+#endif
20297+
20298+#ifdef CONFIG_PAX_SEGMEXEC
20299+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
20300+ if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address))
20301+ return true;
20302+ return false;
20303+ }
20304+#endif
20305+
20306+ return false;
20307+}
20308+#endif
20309+
20310+#ifdef CONFIG_PAX_EMUTRAMP
20311+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
20312+{
20313+ int err;
20314+
20315+ do { /* PaX: gcc trampoline emulation #1 */
20316+ unsigned char mov1, mov2;
20317+ unsigned short jmp;
20318+ unsigned int addr1, addr2;
20319+
20320+#ifdef CONFIG_X86_64
20321+ if ((regs->ip + 11) >> 32)
20322+ break;
20323+#endif
20324+
20325+ err = get_user(mov1, (unsigned char __user *)regs->ip);
20326+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
20327+ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
20328+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
20329+ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
20330+
20331+ if (err)
20332+ break;
20333+
20334+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
20335+ regs->cx = addr1;
20336+ regs->ax = addr2;
20337+ regs->ip = addr2;
20338+ return 2;
20339+ }
20340+ } while (0);
20341+
20342+ do { /* PaX: gcc trampoline emulation #2 */
20343+ unsigned char mov, jmp;
20344+ unsigned int addr1, addr2;
20345+
20346+#ifdef CONFIG_X86_64
20347+ if ((regs->ip + 9) >> 32)
20348+ break;
20349+#endif
20350+
20351+ err = get_user(mov, (unsigned char __user *)regs->ip);
20352+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
20353+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
20354+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
20355+
20356+ if (err)
20357+ break;
20358+
20359+ if (mov == 0xB9 && jmp == 0xE9) {
20360+ regs->cx = addr1;
20361+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
20362+ return 2;
20363+ }
20364+ } while (0);
20365+
20366+ return 1; /* PaX in action */
20367+}
20368+
20369+#ifdef CONFIG_X86_64
20370+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
20371+{
20372+ int err;
20373+
20374+ do { /* PaX: gcc trampoline emulation #1 */
20375+ unsigned short mov1, mov2, jmp1;
20376+ unsigned char jmp2;
20377+ unsigned int addr1;
20378+ unsigned long addr2;
20379+
20380+ err = get_user(mov1, (unsigned short __user *)regs->ip);
20381+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
20382+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
20383+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
20384+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
20385+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
20386+
20387+ if (err)
20388+ break;
20389+
20390+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
20391+ regs->r11 = addr1;
20392+ regs->r10 = addr2;
20393+ regs->ip = addr1;
20394+ return 2;
20395+ }
20396+ } while (0);
20397+
20398+ do { /* PaX: gcc trampoline emulation #2 */
20399+ unsigned short mov1, mov2, jmp1;
20400+ unsigned char jmp2;
20401+ unsigned long addr1, addr2;
20402+
20403+ err = get_user(mov1, (unsigned short __user *)regs->ip);
20404+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
20405+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
20406+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
20407+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
20408+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
20409+
20410+ if (err)
20411+ break;
20412+
20413+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
20414+ regs->r11 = addr1;
20415+ regs->r10 = addr2;
20416+ regs->ip = addr1;
20417+ return 2;
20418+ }
20419+ } while (0);
20420+
20421+ return 1; /* PaX in action */
20422+}
20423+#endif
20424+
20425+/*
20426+ * PaX: decide what to do with offenders (regs->ip = fault address)
20427+ *
20428+ * returns 1 when task should be killed
20429+ * 2 when gcc trampoline was detected
20430+ */
20431+static int pax_handle_fetch_fault(struct pt_regs *regs)
20432+{
20433+ if (v8086_mode(regs))
20434+ return 1;
20435+
20436+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
20437+ return 1;
20438+
20439+#ifdef CONFIG_X86_32
20440+ return pax_handle_fetch_fault_32(regs);
20441+#else
20442+ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
20443+ return pax_handle_fetch_fault_32(regs);
20444+ else
20445+ return pax_handle_fetch_fault_64(regs);
20446+#endif
20447+}
20448+#endif
20449+
20450+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20451+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
20452+{
20453+ long i;
20454+
20455+ printk(KERN_ERR "PAX: bytes at PC: ");
20456+ for (i = 0; i < 20; i++) {
20457+ unsigned char c;
20458+ if (get_user(c, (unsigned char __force_user *)pc+i))
20459+ printk(KERN_CONT "?? ");
20460+ else
20461+ printk(KERN_CONT "%02x ", c);
20462+ }
20463+ printk("\n");
20464+
20465+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
20466+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
20467+ unsigned long c;
20468+ if (get_user(c, (unsigned long __force_user *)sp+i)) {
20469+#ifdef CONFIG_X86_32
20470+ printk(KERN_CONT "???????? ");
20471+#else
20472+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)))
20473+ printk(KERN_CONT "???????? ???????? ");
20474+ else
20475+ printk(KERN_CONT "???????????????? ");
20476+#endif
20477+ } else {
20478+#ifdef CONFIG_X86_64
20479+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))) {
20480+ printk(KERN_CONT "%08x ", (unsigned int)c);
20481+ printk(KERN_CONT "%08x ", (unsigned int)(c >> 32));
20482+ } else
20483+#endif
20484+ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
20485+ }
20486+ }
20487+ printk("\n");
20488+}
20489+#endif
20490+
20491+/**
20492+ * probe_kernel_write(): safely attempt to write to a location
20493+ * @dst: address to write to
20494+ * @src: pointer to the data that shall be written
20495+ * @size: size of the data chunk
20496+ *
20497+ * Safely write to address @dst from the buffer at @src. If a kernel fault
20498+ * happens, handle that and return -EFAULT.
20499+ */
20500+long notrace probe_kernel_write(void *dst, const void *src, size_t size)
20501+{
20502+ long ret;
20503+ mm_segment_t old_fs = get_fs();
20504+
20505+ set_fs(KERNEL_DS);
20506+ pagefault_disable();
20507+ pax_open_kernel();
20508+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
20509+ pax_close_kernel();
20510+ pagefault_enable();
20511+ set_fs(old_fs);
20512+
20513+ return ret ? -EFAULT : 0;
20514+}
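Review bot: The trampoline matchers in pax_handle_fetch_fault_32/_64 compare raw opcode bytes with no comment saying which instruction sequences they recognise, which makes them hard to audit; decoding them at each `if` would help. Reading the little-endian shorts, 32-bit #1 is `B9 imm32 / B8 imm32 / FF E0` (`mov $chain,%ecx; mov $fn,%eax; jmp *%eax`), 32-bit #2 is `B9 imm32 / E9 rel32` (`mov $chain,%ecx; jmp rel32`, hence the `+ 10` for the 5+5 byte length), 64-bit #1 is `41 BB imm32 / 49 BA imm64 / 49 FF E3` (`mov $fn,%r11d; movabs $chain,%r10; jmp *%r11`) and #2 is the same with `49 BB imm64` for a 64-bit target — the gcc nested-function trampoline shapes, if I have decoded them correctly. The emulation redirects regs->ip to a user-supplied immediate without further checks, which matches what the real jmp would do, but a comment saying so would pre-empt the obvious question. probe_kernel_write at the end of the hunk overrides the generic __weak version and wraps the copy in pax_open_kernel()/pax_close_kernel(); that too is worth one line of comment.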
20515diff -urNp linux-3.1.1/arch/x86/mm/gup.c linux-3.1.1/arch/x86/mm/gup.c
20516--- linux-3.1.1/arch/x86/mm/gup.c 2011-11-11 15:19:27.000000000 -0500
20517+++ linux-3.1.1/arch/x86/mm/gup.c 2011-11-16 18:39:07.000000000 -0500
20518@@ -253,7 +253,7 @@ int __get_user_pages_fast(unsigned long
20519 addr = start;
20520 len = (unsigned long) nr_pages << PAGE_SHIFT;
20521 end = start + len;
20522- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
20523+ if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
20524 (void __user *)start, len)))
20525 return 0;
20526
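Review bot: The switch from access_ok() to __access_ok() in __get_user_pages_fast is unexplained; this function can be reached from NMI/perf context with interrupts disabled, so if access_ok() under this patch does extra work that is unsafe there, say so at the line, e.g. `/* __access_ok(): plain range check only, safe for the NMI/perf callers of this function */`. If the reason is instead related to UDEREF address rebasing, the comment should say that. Without a note the next reader will likely revert to access_ok() as a cleanup.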
20527diff -urNp linux-3.1.1/arch/x86/mm/highmem_32.c linux-3.1.1/arch/x86/mm/highmem_32.c
20528--- linux-3.1.1/arch/x86/mm/highmem_32.c 2011-11-11 15:19:27.000000000 -0500
20529+++ linux-3.1.1/arch/x86/mm/highmem_32.c 2011-11-16 18:39:07.000000000 -0500
20530@@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
20531 idx = type + KM_TYPE_NR*smp_processor_id();
20532 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
20533 BUG_ON(!pte_none(*(kmap_pte-idx)));
20534+
20535+ pax_open_kernel();
20536 set_pte(kmap_pte-idx, mk_pte(page, prot));
20537+ pax_close_kernel();
20538
20539 return (void *)vaddr;
20540 }
20541diff -urNp linux-3.1.1/arch/x86/mm/hugetlbpage.c linux-3.1.1/arch/x86/mm/hugetlbpage.c
20542--- linux-3.1.1/arch/x86/mm/hugetlbpage.c 2011-11-11 15:19:27.000000000 -0500
20543+++ linux-3.1.1/arch/x86/mm/hugetlbpage.c 2011-11-16 18:39:07.000000000 -0500
20544@@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
20545 struct hstate *h = hstate_file(file);
20546 struct mm_struct *mm = current->mm;
20547 struct vm_area_struct *vma;
20548- unsigned long start_addr;
20549+ unsigned long start_addr, pax_task_size = TASK_SIZE;
20550+
20551+#ifdef CONFIG_PAX_SEGMEXEC
20552+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
20553+ pax_task_size = SEGMEXEC_TASK_SIZE;
20554+#endif
20555+
20556+ pax_task_size -= PAGE_SIZE;
20557
20558 if (len > mm->cached_hole_size) {
20559- start_addr = mm->free_area_cache;
20560+ start_addr = mm->free_area_cache;
20561 } else {
20562- start_addr = TASK_UNMAPPED_BASE;
20563- mm->cached_hole_size = 0;
20564+ start_addr = mm->mmap_base;
20565+ mm->cached_hole_size = 0;
20566 }
20567
20568 full_search:
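Review bot: `pax_task_size -= PAGE_SIZE;` in hugetlb_get_unmapped_area_bottomup reserves the topmost page of the (possibly SEGMEXEC-halved) address space without saying why; the same three lines recur in hugetlb_get_unmapped_area at the bottom of this file, so a small helper such as `static unsigned long pax_hugetlb_task_size(struct mm_struct *mm)` returning the adjusted limit would keep the two in step and give the guard page a single explanation. Switching the search start from TASK_UNMAPPED_BASE to mm->mmap_base also changes behaviour under RANDMMAP (the randomised base is now honoured) and deserves a one-line comment at the `start_addr = mm->mmap_base;` site.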
20569@@ -280,26 +287,27 @@ full_search:
20570
20571 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
20572 /* At this point: (!vma || addr < vma->vm_end). */
20573- if (TASK_SIZE - len < addr) {
20574+ if (pax_task_size - len < addr) {
20575 /*
20576 * Start a new search - just in case we missed
20577 * some holes.
20578 */
20579- if (start_addr != TASK_UNMAPPED_BASE) {
20580- start_addr = TASK_UNMAPPED_BASE;
20581+ if (start_addr != mm->mmap_base) {
20582+ start_addr = mm->mmap_base;
20583 mm->cached_hole_size = 0;
20584 goto full_search;
20585 }
20586 return -ENOMEM;
20587 }
20588- if (!vma || addr + len <= vma->vm_start) {
20589- mm->free_area_cache = addr + len;
20590- return addr;
20591- }
20592+ if (check_heap_stack_gap(vma, addr, len))
20593+ break;
20594 if (addr + mm->cached_hole_size < vma->vm_start)
20595 mm->cached_hole_size = vma->vm_start - addr;
20596 addr = ALIGN(vma->vm_end, huge_page_size(h));
20597 }
20598+
20599+ mm->free_area_cache = addr + len;
20600+ return addr;
20601 }
20602
20603 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
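Review bot: In the rewritten search loop of hugetlb_get_unmapped_area_bottomup the `!vma` early return was folded into `check_heap_stack_gap(vma, addr, len)`, so the loop now relies on that helper accepting a NULL vma; if it does not, the following `vma->vm_start` access is a NULL dereference. check_heap_stack_gap is not visible here, so this may well be fine, but a comment at the `break`, e.g. `/* check_heap_stack_gap() succeeds for vma == NULL (nothing mapped above addr) */`, would make the dependency explicit. The post-loop `mm->free_area_cache = addr + len; return addr;` is reachable only via that break, which is correct but worth stating since the loop has no other non-error exit.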
20604@@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
20605 {
20606 struct hstate *h = hstate_file(file);
20607 struct mm_struct *mm = current->mm;
20608- struct vm_area_struct *vma, *prev_vma;
20609- unsigned long base = mm->mmap_base, addr = addr0;
20610+ struct vm_area_struct *vma;
20611+ unsigned long base = mm->mmap_base, addr;
20612 unsigned long largest_hole = mm->cached_hole_size;
20613- int first_time = 1;
20614
20615 /* don't allow allocations above current base */
20616 if (mm->free_area_cache > base)
20617@@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
20618 largest_hole = 0;
20619 mm->free_area_cache = base;
20620 }
20621-try_again:
20622+
20623 /* make sure it can fit in the remaining address space */
20624 if (mm->free_area_cache < len)
20625 goto fail;
20626
20627 /* either no address requested or can't fit in requested address hole */
20628- addr = (mm->free_area_cache - len) & huge_page_mask(h);
20629+ addr = (mm->free_area_cache - len);
20630 do {
20631+ addr &= huge_page_mask(h);
20632+ vma = find_vma(mm, addr);
20633 /*
20634 * Lookup failure means no vma is above this address,
20635 * i.e. return with success:
20636- */
20637- if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
20638- return addr;
20639-
20640- /*
20641 * new region fits between prev_vma->vm_end and
20642 * vma->vm_start, use it:
20643 */
20644- if (addr + len <= vma->vm_start &&
20645- (!prev_vma || (addr >= prev_vma->vm_end))) {
20646+ if (check_heap_stack_gap(vma, addr, len)) {
20647 /* remember the address as a hint for next time */
20648- mm->cached_hole_size = largest_hole;
20649- return (mm->free_area_cache = addr);
20650- } else {
20651- /* pull free_area_cache down to the first hole */
20652- if (mm->free_area_cache == vma->vm_end) {
20653- mm->free_area_cache = vma->vm_start;
20654- mm->cached_hole_size = largest_hole;
20655- }
20656+ mm->cached_hole_size = largest_hole;
20657+ return (mm->free_area_cache = addr);
20658+ }
20659+ /* pull free_area_cache down to the first hole */
20660+ if (mm->free_area_cache == vma->vm_end) {
20661+ mm->free_area_cache = vma->vm_start;
20662+ mm->cached_hole_size = largest_hole;
20663 }
20664
20665 /* remember the largest hole we saw so far */
20666 if (addr + largest_hole < vma->vm_start)
20667- largest_hole = vma->vm_start - addr;
20668+ largest_hole = vma->vm_start - addr;
20669
20670 /* try just below the current vma->vm_start */
20671- addr = (vma->vm_start - len) & huge_page_mask(h);
20672- } while (len <= vma->vm_start);
20673+ addr = skip_heap_stack_gap(vma, len);
20674+ } while (!IS_ERR_VALUE(addr));
20675
20676 fail:
20677 /*
20678- * if hint left us with no space for the requested
20679- * mapping then try again:
20680- */
20681- if (first_time) {
20682- mm->free_area_cache = base;
20683- largest_hole = 0;
20684- first_time = 0;
20685- goto try_again;
20686- }
20687- /*
20688 * A failed mmap() very likely causes application failure,
20689 * so fall back to the bottom-up function here. This scenario
20690 * can happen with large stack limits and large mmap()
20691 * allocations.
20692 */
20693- mm->free_area_cache = TASK_UNMAPPED_BASE;
20694+
20695+#ifdef CONFIG_PAX_SEGMEXEC
20696+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
20697+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
20698+ else
20699+#endif
20700+
20701+ mm->mmap_base = TASK_UNMAPPED_BASE;
20702+
20703+#ifdef CONFIG_PAX_RANDMMAP
20704+ if (mm->pax_flags & MF_PAX_RANDMMAP)
20705+ mm->mmap_base += mm->delta_mmap;
20706+#endif
20707+
20708+ mm->free_area_cache = mm->mmap_base;
20709 mm->cached_hole_size = ~0UL;
20710 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
20711 len, pgoff, flags);
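Review bot: The rewritten loop in hugetlb_get_unmapped_area_topdown drops the `!(vma = find_vma_prev(...))` early return and instead calls `check_heap_stack_gap(vma, addr, len)` with a possibly NULL vma, then on failure dereferences `vma->vm_end` and `vma->vm_start`; that is only safe if check_heap_stack_gap() always succeeds for a NULL vma, which is not visible in this hunk. When the loop falls through to `fail:`, mm->mmap_base is rewritten to the (randomised) bottom-up base purely so the bottom-up search below reads it, and restored in the next hunk; a comment such as `/* bottom-up search reads mm->mmap_base; point it at the bottom-up base temporarily, restored below */` would stop a reader from "fixing" the apparent clobber. Removing the `first_time` retry is also a behavioural change (a bad hint now falls straight through to bottom-up) that should be mentioned in a comment or the commit description.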
20712@@ -386,6 +392,7 @@ fail:
20713 /*
20714 * Restore the topdown base:
20715 */
20716+ mm->mmap_base = base;
20717 mm->free_area_cache = base;
20718 mm->cached_hole_size = ~0UL;
20719
20720@@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
20721 struct hstate *h = hstate_file(file);
20722 struct mm_struct *mm = current->mm;
20723 struct vm_area_struct *vma;
20724+ unsigned long pax_task_size = TASK_SIZE;
20725
20726 if (len & ~huge_page_mask(h))
20727 return -EINVAL;
20728- if (len > TASK_SIZE)
20729+
20730+#ifdef CONFIG_PAX_SEGMEXEC
20731+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
20732+ pax_task_size = SEGMEXEC_TASK_SIZE;
20733+#endif
20734+
20735+ pax_task_size -= PAGE_SIZE;
20736+
20737+ if (len > pax_task_size)
20738 return -ENOMEM;
20739
20740 if (flags & MAP_FIXED) {
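Review bot: hugetlb_get_unmapped_area now compares `len` against the SEGMEXEC-aware `pax_task_size`, but the `if (flags & MAP_FIXED)` branch that begins on the hunk's last line continues outside it; if it still validates the fixed address against TASK_SIZE, a MAP_FIXED huge mapping could land above SEGMEXEC_TASK_SIZE and bypass the limit enforced for the searched case. Please confirm that branch uses the same bound, or route both through a single helper that returns the adjusted size. The three-line SEGMEXEC/`-= PAGE_SIZE` prologue is duplicated verbatim from hugetlb_get_unmapped_area_bottomup above.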
20741@@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
20742 if (addr) {
20743 addr = ALIGN(addr, huge_page_size(h));
20744 vma = find_vma(mm, addr);
20745- if (TASK_SIZE - len >= addr &&
20746- (!vma || addr + len <= vma->vm_start))
20747+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
20748 return addr;
20749 }
20750 if (mm->get_unmapped_area == arch_get_unmapped_area)
20751diff -urNp linux-3.1.1/arch/x86/mm/init_32.c linux-3.1.1/arch/x86/mm/init_32.c
20752--- linux-3.1.1/arch/x86/mm/init_32.c 2011-11-11 15:19:27.000000000 -0500
20753+++ linux-3.1.1/arch/x86/mm/init_32.c 2011-11-16 18:39:07.000000000 -0500
20754@@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
20755 }
20756
20757 /*
20758- * Creates a middle page table and puts a pointer to it in the
20759- * given global directory entry. This only returns the gd entry
20760- * in non-PAE compilation mode, since the middle layer is folded.
20761- */
20762-static pmd_t * __init one_md_table_init(pgd_t *pgd)
20763-{
20764- pud_t *pud;
20765- pmd_t *pmd_table;
20766-
20767-#ifdef CONFIG_X86_PAE
20768- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
20769- if (after_bootmem)
20770- pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
20771- else
20772- pmd_table = (pmd_t *)alloc_low_page();
20773- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
20774- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
20775- pud = pud_offset(pgd, 0);
20776- BUG_ON(pmd_table != pmd_offset(pud, 0));
20777-
20778- return pmd_table;
20779- }
20780-#endif
20781- pud = pud_offset(pgd, 0);
20782- pmd_table = pmd_offset(pud, 0);
20783-
20784- return pmd_table;
20785-}
20786-
20787-/*
20788 * Create a page table and place a pointer to it in a middle page
20789 * directory entry:
20790 */
20791@@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
20792 page_table = (pte_t *)alloc_low_page();
20793
20794 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
20795+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20796+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
20797+#else
20798 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
20799+#endif
20800 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
20801 }
20802
20803 return pte_offset_kernel(pmd, 0);
20804 }
20805
20806+static pmd_t * __init one_md_table_init(pgd_t *pgd)
20807+{
20808+ pud_t *pud;
20809+ pmd_t *pmd_table;
20810+
20811+ pud = pud_offset(pgd, 0);
20812+ pmd_table = pmd_offset(pud, 0);
20813+
20814+ return pmd_table;
20815+}
20816+
20817 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
20818 {
20819 int pgd_idx = pgd_index(vaddr);
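Review bot: The re-added one_md_table_init at the bottom of the hunk is now a pure `pud_offset`/`pmd_offset` lookup with no allocation and no `set_pgd`, yet it keeps the name and `__init` attribute of the allocator removed in the previous hunk, and no comment states its new precondition. Add a header comment such as `/* Lookup only: the pmd table behind this pgd entry must already exist (no allocation here, unlike the old version) */`. The `_KERNPG_TABLE` vs `_PAGE_TABLE` switch under PAGEEXEC/SEGMEXEC higher in the hunk would likewise benefit from a one-line comment on why those configurations must not populate pmd entries with the user bit.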
20820@@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
20821 int pgd_idx, pmd_idx;
20822 unsigned long vaddr;
20823 pgd_t *pgd;
20824+ pud_t *pud;
20825 pmd_t *pmd;
20826 pte_t *pte = NULL;
20827
20828@@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
20829 pgd = pgd_base + pgd_idx;
20830
20831 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
20832- pmd = one_md_table_init(pgd);
20833- pmd = pmd + pmd_index(vaddr);
20834+ pud = pud_offset(pgd, vaddr);
20835+ pmd = pmd_offset(pud, vaddr);
20836+
20837+#ifdef CONFIG_X86_PAE
20838+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20839+#endif
20840+
20841 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
20842 pmd++, pmd_idx++) {
20843 pte = page_table_kmap_check(one_page_table_init(pmd),
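Review bot: `paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT)` now runs on every pgd iteration of page_table_range_init, whereas the removed one_md_table_init called it only when it had just allocated the pmd table; the `kernel_physical_mapping_init` hunk below (`for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; ...)`) has the same pattern. If the paravirt backend tracks or pins pmd pages on this hook, repeated notification for an already-registered table may be unexpected — this is an inference from the hook's name, so either confirm it is idempotent or add a comment stating why it is safe, e.g. `/* pmd tables are preallocated; re-notifying paravirt is harmless */`. page_table_range_init's body continues outside the hunk.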
20844@@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
20845 }
20846 }
20847
20848-static inline int is_kernel_text(unsigned long addr)
20849+static inline int is_kernel_text(unsigned long start, unsigned long end)
20850 {
20851- if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
20852- return 1;
20853- return 0;
20854+ if ((start > ktla_ktva((unsigned long)_etext) ||
20855+ end <= ktla_ktva((unsigned long)_stext)) &&
20856+ (start > ktla_ktva((unsigned long)_einittext) ||
20857+ end <= ktla_ktva((unsigned long)_sinittext)) &&
20858+
20859+#ifdef CONFIG_ACPI_SLEEP
20860+ (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
20861+#endif
20862+
20863+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
20864+ return 0;
20865+ return 1;
20866 }
20867
20868 /*
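Review bot: The rewritten is_kernel_text has no comment stating its new contract, and its boundary tests do not match the half-open ranges its callers pass (`address, address + PMD_SIZE` and `address, address + PAGE_SIZE` in the later hunks): with `start > ktla_ktva((unsigned long)_etext)` a range that begins exactly at `_etext` is still treated as text, while the `end <=` side is half-open, so `start >= ...` on each of the four `start >` comparisons would be the exact test — as written the function errs toward marking one extra page executable. The `0x4000`, `0xc0000` and `0xfffff` literals are unexplained; the pageattr.c hunk further down already uses `BIOS_BEGIN`/`BIOS_END` for what looks like the same legacy BIOS range, and the wakeup-trampoline size deserves a named constant or at least a comment. Suggested header: `/* Returns 1 if [start, end) overlaps kernel text, init text, the ACPI wakeup trampoline or the legacy BIOS area, i.e. must stay executable; 0 otherwise. */`.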
20869@@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
20870 unsigned long last_map_addr = end;
20871 unsigned long start_pfn, end_pfn;
20872 pgd_t *pgd_base = swapper_pg_dir;
20873- int pgd_idx, pmd_idx, pte_ofs;
20874+ unsigned int pgd_idx, pmd_idx, pte_ofs;
20875 unsigned long pfn;
20876 pgd_t *pgd;
20877+ pud_t *pud;
20878 pmd_t *pmd;
20879 pte_t *pte;
20880 unsigned pages_2m, pages_4k;
20881@@ -281,8 +282,13 @@ repeat:
20882 pfn = start_pfn;
20883 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20884 pgd = pgd_base + pgd_idx;
20885- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
20886- pmd = one_md_table_init(pgd);
20887+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
20888+ pud = pud_offset(pgd, 0);
20889+ pmd = pmd_offset(pud, 0);
20890+
20891+#ifdef CONFIG_X86_PAE
20892+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20893+#endif
20894
20895 if (pfn >= end_pfn)
20896 continue;
20897@@ -294,14 +300,13 @@ repeat:
20898 #endif
20899 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
20900 pmd++, pmd_idx++) {
20901- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
20902+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
20903
20904 /*
20905 * Map with big pages if possible, otherwise
20906 * create normal page tables:
20907 */
20908 if (use_pse) {
20909- unsigned int addr2;
20910 pgprot_t prot = PAGE_KERNEL_LARGE;
20911 /*
20912 * first pass will use the same initial
20913@@ -311,11 +316,7 @@ repeat:
20914 __pgprot(PTE_IDENT_ATTR |
20915 _PAGE_PSE);
20916
20917- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
20918- PAGE_OFFSET + PAGE_SIZE-1;
20919-
20920- if (is_kernel_text(addr) ||
20921- is_kernel_text(addr2))
20922+ if (is_kernel_text(address, address + PMD_SIZE))
20923 prot = PAGE_KERNEL_LARGE_EXEC;
20924
20925 pages_2m++;
20926@@ -332,7 +333,7 @@ repeat:
20927 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20928 pte += pte_ofs;
20929 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
20930- pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
20931+ pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
20932 pgprot_t prot = PAGE_KERNEL;
20933 /*
20934 * first pass will use the same initial
20935@@ -340,7 +341,7 @@ repeat:
20936 */
20937 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
20938
20939- if (is_kernel_text(addr))
20940+ if (is_kernel_text(address, address + PAGE_SIZE))
20941 prot = PAGE_KERNEL_EXEC;
20942
20943 pages_4k++;
20944@@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
20945
20946 pud = pud_offset(pgd, va);
20947 pmd = pmd_offset(pud, va);
20948- if (!pmd_present(*pmd))
20949+ if (!pmd_present(*pmd) || pmd_huge(*pmd))
20950 break;
20951
20952 pte = pte_offset_kernel(pmd, va);
20953@@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
20954
20955 static void __init pagetable_init(void)
20956 {
20957- pgd_t *pgd_base = swapper_pg_dir;
20958-
20959- permanent_kmaps_init(pgd_base);
20960+ permanent_kmaps_init(swapper_pg_dir);
20961 }
20962
20963-pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
20964+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
20965 EXPORT_SYMBOL_GPL(__supported_pte_mask);
20966
20967 /* user-defined highmem size */
20968@@ -757,6 +756,12 @@ void __init mem_init(void)
20969
20970 pci_iommu_alloc();
20971
20972+#ifdef CONFIG_PAX_PER_CPU_PGD
20973+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
20974+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
20975+ KERNEL_PGD_PTRS);
20976+#endif
20977+
20978 #ifdef CONFIG_FLATMEM
20979 BUG_ON(!mem_map);
20980 #endif
20981@@ -774,7 +779,7 @@ void __init mem_init(void)
20982 set_highmem_pages_init();
20983
20984 codesize = (unsigned long) &_etext - (unsigned long) &_text;
20985- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
20986+ datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
20987 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
20988
20989 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
20990@@ -815,10 +820,10 @@ void __init mem_init(void)
20991 ((unsigned long)&__init_end -
20992 (unsigned long)&__init_begin) >> 10,
20993
20994- (unsigned long)&_etext, (unsigned long)&_edata,
20995- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
20996+ (unsigned long)&_sdata, (unsigned long)&_edata,
20997+ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
20998
20999- (unsigned long)&_text, (unsigned long)&_etext,
21000+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
21001 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
21002
21003 /*
21004@@ -896,6 +901,7 @@ void set_kernel_text_rw(void)
21005 if (!kernel_set_to_readonly)
21006 return;
21007
21008+ start = ktla_ktva(start);
21009 pr_debug("Set kernel text: %lx - %lx for read write\n",
21010 start, start+size);
21011
21012@@ -910,6 +916,7 @@ void set_kernel_text_ro(void)
21013 if (!kernel_set_to_readonly)
21014 return;
21015
21016+ start = ktla_ktva(start);
21017 pr_debug("Set kernel text: %lx - %lx for read only\n",
21018 start, start+size);
21019
21020@@ -938,6 +945,7 @@ void mark_rodata_ro(void)
21021 unsigned long start = PFN_ALIGN(_text);
21022 unsigned long size = PFN_ALIGN(_etext) - start;
21023
21024+ start = ktla_ktva(start);
21025 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
21026 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
21027 size >> 10);
21028diff -urNp linux-3.1.1/arch/x86/mm/init_64.c linux-3.1.1/arch/x86/mm/init_64.c
21029--- linux-3.1.1/arch/x86/mm/init_64.c 2011-11-11 15:19:27.000000000 -0500
21030+++ linux-3.1.1/arch/x86/mm/init_64.c 2011-11-16 18:39:07.000000000 -0500
21031@@ -75,7 +75,7 @@ early_param("gbpages", parse_direct_gbpa
21032 * around without checking the pgd every time.
21033 */
21034
21035-pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
21036+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
21037 EXPORT_SYMBOL_GPL(__supported_pte_mask);
21038
21039 int force_personality32;
21040@@ -108,12 +108,22 @@ void sync_global_pgds(unsigned long star
21041
21042 for (address = start; address <= end; address += PGDIR_SIZE) {
21043 const pgd_t *pgd_ref = pgd_offset_k(address);
21044+
21045+#ifdef CONFIG_PAX_PER_CPU_PGD
21046+ unsigned long cpu;
21047+#else
21048 struct page *page;
21049+#endif
21050
21051 if (pgd_none(*pgd_ref))
21052 continue;
21053
21054 spin_lock(&pgd_lock);
21055+
21056+#ifdef CONFIG_PAX_PER_CPU_PGD
21057+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21058+ pgd_t *pgd = pgd_offset_cpu(cpu, address);
21059+#else
21060 list_for_each_entry(page, &pgd_list, lru) {
21061 pgd_t *pgd;
21062 spinlock_t *pgt_lock;
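Review bot: The CONFIG_PAX_PER_CPU_PGD branch iterates `for (cpu = 0; cpu < NR_CPUS; ++cpu)`, i.e. over every compiled-in CPU slot rather than the CPUs that exist; the same loop appears in pageattr.c's `__set_pmd_pte` hunk and in init.c's `free_initmem` hunk (`for (cpu = 0; cpu < NR_CPUS; cpu++)` over `get_cpu_gdt_table(cpu)`). If `get_cpu_pgd()`/`get_cpu_gdt_table()` index per-cpu areas — I am inferring that from the names — the idiomatic and cheaper loop is `for_each_possible_cpu(cpu)` with `int cpu`, which also removes the `unsigned long cpu` here vs `int cpu` in free_initmem inconsistency. If all NR_CPUS slots really are backed, say so in a comment on the loop. sync_global_pgds continues outside this hunk.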
21063@@ -122,6 +132,7 @@ void sync_global_pgds(unsigned long star
21064 /* the pgt_lock only for Xen */
21065 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
21066 spin_lock(pgt_lock);
21067+#endif
21068
21069 if (pgd_none(*pgd))
21070 set_pgd(pgd, *pgd_ref);
21071@@ -129,7 +140,10 @@ void sync_global_pgds(unsigned long star
21072 BUG_ON(pgd_page_vaddr(*pgd)
21073 != pgd_page_vaddr(*pgd_ref));
21074
21075+#ifndef CONFIG_PAX_PER_CPU_PGD
21076 spin_unlock(pgt_lock);
21077+#endif
21078+
21079 }
21080 spin_unlock(&pgd_lock);
21081 }
21082@@ -203,7 +217,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
21083 pmd = fill_pmd(pud, vaddr);
21084 pte = fill_pte(pmd, vaddr);
21085
21086+ pax_open_kernel();
21087 set_pte(pte, new_pte);
21088+ pax_close_kernel();
21089
21090 /*
21091 * It's enough to flush this one mapping.
21092@@ -262,14 +278,12 @@ static void __init __init_extra_mapping(
21093 pgd = pgd_offset_k((unsigned long)__va(phys));
21094 if (pgd_none(*pgd)) {
21095 pud = (pud_t *) spp_getpage();
21096- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
21097- _PAGE_USER));
21098+ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
21099 }
21100 pud = pud_offset(pgd, (unsigned long)__va(phys));
21101 if (pud_none(*pud)) {
21102 pmd = (pmd_t *) spp_getpage();
21103- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
21104- _PAGE_USER));
21105+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
21106 }
21107 pmd = pmd_offset(pud, phys);
21108 BUG_ON(!pmd_none(*pmd));
21109@@ -330,7 +344,7 @@ static __ref void *alloc_low_page(unsign
21110 if (pfn >= pgt_buf_top)
21111 panic("alloc_low_page: ran out of memory");
21112
21113- adr = early_memremap(pfn * PAGE_SIZE, PAGE_SIZE);
21114+ adr = (void __force_kernel *)early_memremap(pfn * PAGE_SIZE, PAGE_SIZE);
21115 clear_page(adr);
21116 *phys = pfn * PAGE_SIZE;
21117 return adr;
21118@@ -346,7 +360,7 @@ static __ref void *map_low_page(void *vi
21119
21120 phys = __pa(virt);
21121 left = phys & (PAGE_SIZE - 1);
21122- adr = early_memremap(phys & PAGE_MASK, PAGE_SIZE);
21123+ adr = (void __force_kernel *)early_memremap(phys & PAGE_MASK, PAGE_SIZE);
21124 adr = (void *)(((unsigned long)adr) | left);
21125
21126 return adr;
21127@@ -693,6 +707,12 @@ void __init mem_init(void)
21128
21129 pci_iommu_alloc();
21130
21131+#ifdef CONFIG_PAX_PER_CPU_PGD
21132+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
21133+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
21134+ KERNEL_PGD_PTRS);
21135+#endif
21136+
21137 /* clear_bss() already clear the empty_zero_page */
21138
21139 reservedpages = 0;
21140@@ -853,8 +873,8 @@ int kern_addr_valid(unsigned long addr)
21141 static struct vm_area_struct gate_vma = {
21142 .vm_start = VSYSCALL_START,
21143 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
21144- .vm_page_prot = PAGE_READONLY_EXEC,
21145- .vm_flags = VM_READ | VM_EXEC
21146+ .vm_page_prot = PAGE_READONLY,
21147+ .vm_flags = VM_READ
21148 };
21149
21150 struct vm_area_struct *get_gate_vma(struct mm_struct *mm)
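Review bot: Dropping `PAGE_READONLY_EXEC`/`VM_EXEC` from gate_vma changes how the vsyscall page is presented to userspace (/proc/PID/maps, core dumps and `VM_EXEC` checks against the gate vma), and the hunk carries no comment tying this to whatever now handles calls into that page. Presumably the intent is that execution there is trapped and emulated rather than run natively, but that is not visible here; a comment on the initializer such as `/* PaX: the vsyscall page is mapped non-executable; calls into it are trapped (see vsyscall emulation) */` would document the dependency for the next reader. Please confirm the emulation path is unconditionally active in this configuration before relying on it.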
21151@@ -888,7 +908,7 @@ int in_gate_area_no_mm(unsigned long add
21152
21153 const char *arch_vma_name(struct vm_area_struct *vma)
21154 {
21155- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
21156+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
21157 return "[vdso]";
21158 if (vma == &gate_vma)
21159 return "[vsyscall]";
21160diff -urNp linux-3.1.1/arch/x86/mm/init.c linux-3.1.1/arch/x86/mm/init.c
21161--- linux-3.1.1/arch/x86/mm/init.c 2011-11-11 15:19:27.000000000 -0500
21162+++ linux-3.1.1/arch/x86/mm/init.c 2011-11-17 18:31:28.000000000 -0500
21163@@ -31,7 +31,7 @@ int direct_gbpages
21164 static void __init find_early_table_space(unsigned long end, int use_pse,
21165 int use_gbpages)
21166 {
21167- unsigned long puds, pmds, ptes, tables, start = 0, good_end = end;
21168+ unsigned long puds, pmds, ptes, tables, start = 0x100000, good_end = end;
21169 phys_addr_t base;
21170
21171 puds = (end + PUD_SIZE - 1) >> PUD_SHIFT;
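Review bot: `start = 0x100000` is an unexplained literal for the 1MB boundary that the devmem_is_allowed hunk in this same file already names as `ISA_END_ADDRESS`; writing `start = ISA_END_ADDRESS` plus a why-comment (presumably to keep early page tables out of the first megabyte) makes the intent greppable. The ioremap.c hunk below has the same constant in page-frame form, `pfn >= 0x100`, where `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT)` would do. find_early_table_space's body continues outside the hunk.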
21172@@ -312,8 +312,29 @@ unsigned long __init_refok init_memory_m
21173 */
21174 int devmem_is_allowed(unsigned long pagenr)
21175 {
21176- if (pagenr <= 256)
21177+#ifdef CONFIG_GRKERNSEC_KMEM
21178+ /* allow BDA */
21179+ if (!pagenr)
21180+ return 1;
21181+ /* allow EBDA */
21182+ if ((0x9f000 >> PAGE_SHIFT) == pagenr)
21183+ return 1;
21184+#else
21185+ if (!pagenr)
21186+ return 1;
21187+#ifdef CONFIG_VM86
21188+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
21189+ return 1;
21190+#endif
21191+#endif
21192+
21193+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
21194 return 1;
21195+#ifdef CONFIG_GRKERNSEC_KMEM
21196+ /* throw out everything else below 1MB */
21197+ if (pagenr <= 256)
21198+ return 0;
21199+#endif
21200 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
21201 return 0;
21202 if (!page_is_ram(pagenr))
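Review bot: The GRKERNSEC_KMEM branch hard-codes the EBDA at `0x9f000`, but the EBDA base is firmware-specific and is read from the BDA; `if (pagenr == (get_bios_ebda() >> PAGE_SHIFT)) return 1;` uses the existing x86 helper instead of assuming one location. Separately, the comment `/* throw out everything else below 1MB */` sits on `if (pagenr <= 256) return 0;`, which also rejects page 256 (the page at exactly 1MB), whereas the non-KMEM path lets that page fall through to the `iomem_is_exclusive`/`page_is_ram` checks; `pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT)` would keep the two paths consistent with the ISA-range test just above. devmem_is_allowed's body continues past the hunk.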
21203@@ -372,6 +393,86 @@ void free_init_pages(char *what, unsigne
21204
21205 void free_initmem(void)
21206 {
21207+
21208+#ifdef CONFIG_PAX_KERNEXEC
21209+#ifdef CONFIG_X86_32
21210+ /* PaX: limit KERNEL_CS to actual size */
21211+ unsigned long addr, limit;
21212+ struct desc_struct d;
21213+ int cpu;
21214+
21215+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
21216+ limit = (limit - 1UL) >> PAGE_SHIFT;
21217+
21218+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
21219+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
21220+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
21221+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
21222+ }
21223+
21224+ /* PaX: make KERNEL_CS read-only */
21225+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
21226+ if (!paravirt_enabled())
21227+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
21228+/*
21229+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
21230+ pgd = pgd_offset_k(addr);
21231+ pud = pud_offset(pgd, addr);
21232+ pmd = pmd_offset(pud, addr);
21233+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
21234+ }
21235+*/
21236+#ifdef CONFIG_X86_PAE
21237+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
21238+/*
21239+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
21240+ pgd = pgd_offset_k(addr);
21241+ pud = pud_offset(pgd, addr);
21242+ pmd = pmd_offset(pud, addr);
21243+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
21244+ }
21245+*/
21246+#endif
21247+
21248+#ifdef CONFIG_MODULES
21249+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
21250+#endif
21251+
21252+#else
21253+ pgd_t *pgd;
21254+ pud_t *pud;
21255+ pmd_t *pmd;
21256+ unsigned long addr, end;
21257+
21258+ /* PaX: make kernel code/rodata read-only, rest non-executable */
21259+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
21260+ pgd = pgd_offset_k(addr);
21261+ pud = pud_offset(pgd, addr);
21262+ pmd = pmd_offset(pud, addr);
21263+ if (!pmd_present(*pmd))
21264+ continue;
21265+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
21266+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
21267+ else
21268+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
21269+ }
21270+
21271+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
21272+ end = addr + KERNEL_IMAGE_SIZE;
21273+ for (; addr < end; addr += PMD_SIZE) {
21274+ pgd = pgd_offset_k(addr);
21275+ pud = pud_offset(pgd, addr);
21276+ pmd = pmd_offset(pud, addr);
21277+ if (!pmd_present(*pmd))
21278+ continue;
21279+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
21280+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
21281+ }
21282+#endif
21283+
21284+ flush_tlb_all();
21285+#endif
21286+
21287 free_init_pages("unused kernel memory",
21288 (unsigned long)(&__init_begin),
21289 (unsigned long)(&__init_end));
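Review bot: The X86_32 KERNEXEC block leaves two commented-out `for (addr = ...)` loops in free_initmem after the `set_memory_ro`/`set_memory_nx` calls that replaced them; dead code in comments should be deleted, or collapsed to one line such as `/* set_memory_ro/set_memory_nx cover the text and init ranges; no manual pmd walk needed */`. `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE)` has no comment on what page it poisons or why, and unless a macro supplies the cast it passes an integer where memset expects a pointer — `(void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` with a why-comment would fix both. The `limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;` choice also deserves a one-line explanation, since it decides whether KERNEL_CS is actually limited.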
21290diff -urNp linux-3.1.1/arch/x86/mm/iomap_32.c linux-3.1.1/arch/x86/mm/iomap_32.c
21291--- linux-3.1.1/arch/x86/mm/iomap_32.c 2011-11-11 15:19:27.000000000 -0500
21292+++ linux-3.1.1/arch/x86/mm/iomap_32.c 2011-11-16 18:39:07.000000000 -0500
21293@@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
21294 type = kmap_atomic_idx_push();
21295 idx = type + KM_TYPE_NR * smp_processor_id();
21296 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21297+
21298+ pax_open_kernel();
21299 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
21300+ pax_close_kernel();
21301+
21302 arch_flush_lazy_mmu_mode();
21303
21304 return (void *)vaddr;
21305diff -urNp linux-3.1.1/arch/x86/mm/ioremap.c linux-3.1.1/arch/x86/mm/ioremap.c
21306--- linux-3.1.1/arch/x86/mm/ioremap.c 2011-11-11 15:19:27.000000000 -0500
21307+++ linux-3.1.1/arch/x86/mm/ioremap.c 2011-11-16 18:39:07.000000000 -0500
21308@@ -97,7 +97,7 @@ static void __iomem *__ioremap_caller(re
21309 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
21310 int is_ram = page_is_ram(pfn);
21311
21312- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
21313+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
21314 return NULL;
21315 WARN_ON_ONCE(is_ram);
21316 }
21317@@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
21318 early_param("early_ioremap_debug", early_ioremap_debug_setup);
21319
21320 static __initdata int after_paging_init;
21321-static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
21322+static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
21323
21324 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
21325 {
21326@@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
21327 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
21328
21329 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
21330- memset(bm_pte, 0, sizeof(bm_pte));
21331- pmd_populate_kernel(&init_mm, pmd, bm_pte);
21332+ pmd_populate_user(&init_mm, pmd, bm_pte);
21333
21334 /*
21335 * The boot-ioremap range spans multiple pmds, for which
21336diff -urNp linux-3.1.1/arch/x86/mm/kmemcheck/kmemcheck.c linux-3.1.1/arch/x86/mm/kmemcheck/kmemcheck.c
21337--- linux-3.1.1/arch/x86/mm/kmemcheck/kmemcheck.c 2011-11-11 15:19:27.000000000 -0500
21338+++ linux-3.1.1/arch/x86/mm/kmemcheck/kmemcheck.c 2011-11-16 18:39:07.000000000 -0500
21339@@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
21340 * memory (e.g. tracked pages)? For now, we need this to avoid
21341 * invoking kmemcheck for PnP BIOS calls.
21342 */
21343- if (regs->flags & X86_VM_MASK)
21344+ if (v8086_mode(regs))
21345 return false;
21346- if (regs->cs != __KERNEL_CS)
21347+ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
21348 return false;
21349
21350 pte = kmemcheck_pte_lookup(address);
21351diff -urNp linux-3.1.1/arch/x86/mm/mmap.c linux-3.1.1/arch/x86/mm/mmap.c
21352--- linux-3.1.1/arch/x86/mm/mmap.c 2011-11-11 15:19:27.000000000 -0500
21353+++ linux-3.1.1/arch/x86/mm/mmap.c 2011-11-16 18:39:07.000000000 -0500
21354@@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
21355 * Leave an at least ~128 MB hole with possible stack randomization.
21356 */
21357 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
21358-#define MAX_GAP (TASK_SIZE/6*5)
21359+#define MAX_GAP (pax_task_size/6*5)
21360
21361 /*
21362 * True on X86_32 or when emulating IA32 on X86_64
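Review bot: `#define MAX_GAP (pax_task_size/6*5)` now expands to a bare identifier that every use site must define as a local — it is `mmap_base`'s local `unsigned long pax_task_size` in the next hunk — which is a hidden coupling that breaks silently if the macro is used elsewhere. Make the dependency explicit: `#define MAX_GAP(task_size) ((task_size)/6*5)` here and `else if (gap > MAX_GAP(pax_task_size))` in mmap_base.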
21363@@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
21364 return rnd << PAGE_SHIFT;
21365 }
21366
21367-static unsigned long mmap_base(void)
21368+static unsigned long mmap_base(struct mm_struct *mm)
21369 {
21370 unsigned long gap = rlimit(RLIMIT_STACK);
21371+ unsigned long pax_task_size = TASK_SIZE;
21372+
21373+#ifdef CONFIG_PAX_SEGMEXEC
21374+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
21375+ pax_task_size = SEGMEXEC_TASK_SIZE;
21376+#endif
21377
21378 if (gap < MIN_GAP)
21379 gap = MIN_GAP;
21380 else if (gap > MAX_GAP)
21381 gap = MAX_GAP;
21382
21383- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
21384+ return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
21385 }
21386
21387 /*
21388 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
21389 * does, but not when emulating X86_32
21390 */
21391-static unsigned long mmap_legacy_base(void)
21392+static unsigned long mmap_legacy_base(struct mm_struct *mm)
21393 {
21394- if (mmap_is_ia32())
21395+ if (mmap_is_ia32()) {
21396+
21397+#ifdef CONFIG_PAX_SEGMEXEC
21398+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
21399+ return SEGMEXEC_TASK_UNMAPPED_BASE;
21400+ else
21401+#endif
21402+
21403 return TASK_UNMAPPED_BASE;
21404- else
21405+ } else
21406 return TASK_UNMAPPED_BASE + mmap_rnd();
21407 }
21408
21409@@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
21410 void arch_pick_mmap_layout(struct mm_struct *mm)
21411 {
21412 if (mmap_is_legacy()) {
21413- mm->mmap_base = mmap_legacy_base();
21414+ mm->mmap_base = mmap_legacy_base(mm);
21415+
21416+#ifdef CONFIG_PAX_RANDMMAP
21417+ if (mm->pax_flags & MF_PAX_RANDMMAP)
21418+ mm->mmap_base += mm->delta_mmap;
21419+#endif
21420+
21421 mm->get_unmapped_area = arch_get_unmapped_area;
21422 mm->unmap_area = arch_unmap_area;
21423 } else {
21424- mm->mmap_base = mmap_base();
21425+ mm->mmap_base = mmap_base(mm);
21426+
21427+#ifdef CONFIG_PAX_RANDMMAP
21428+ if (mm->pax_flags & MF_PAX_RANDMMAP)
21429+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
21430+#endif
21431+
21432 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
21433 mm->unmap_area = arch_unmap_area_topdown;
21434 }
21435diff -urNp linux-3.1.1/arch/x86/mm/mmio-mod.c linux-3.1.1/arch/x86/mm/mmio-mod.c
21436--- linux-3.1.1/arch/x86/mm/mmio-mod.c 2011-11-11 15:19:27.000000000 -0500
21437+++ linux-3.1.1/arch/x86/mm/mmio-mod.c 2011-11-16 18:39:07.000000000 -0500
21438@@ -195,7 +195,7 @@ static void pre(struct kmmio_probe *p, s
21439 break;
21440 default:
21441 {
21442- unsigned char *ip = (unsigned char *)instptr;
21443+ unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
21444 my_trace->opcode = MMIO_UNKNOWN_OP;
21445 my_trace->width = 0;
21446 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
21447@@ -235,7 +235,7 @@ static void post(struct kmmio_probe *p,
21448 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
21449 void __iomem *addr)
21450 {
21451- static atomic_t next_id;
21452+ static atomic_unchecked_t next_id;
21453 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
21454 /* These are page-unaligned. */
21455 struct mmiotrace_map map = {
21456@@ -259,7 +259,7 @@ static void ioremap_trace_core(resource_
21457 .private = trace
21458 },
21459 .phys = offset,
21460- .id = atomic_inc_return(&next_id)
21461+ .id = atomic_inc_return_unchecked(&next_id)
21462 };
21463 map.map_id = trace->id;
21464
21465diff -urNp linux-3.1.1/arch/x86/mm/pageattr.c linux-3.1.1/arch/x86/mm/pageattr.c
21466--- linux-3.1.1/arch/x86/mm/pageattr.c 2011-11-11 15:19:27.000000000 -0500
21467+++ linux-3.1.1/arch/x86/mm/pageattr.c 2011-11-16 18:39:07.000000000 -0500
21468@@ -261,7 +261,7 @@ static inline pgprot_t static_protection
21469 */
21470 #ifdef CONFIG_PCI_BIOS
21471 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
21472- pgprot_val(forbidden) |= _PAGE_NX;
21473+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21474 #endif
21475
21476 /*
21477@@ -269,9 +269,10 @@ static inline pgprot_t static_protection
21478 * Does not cover __inittext since that is gone later on. On
21479 * 64bit we do not enforce !NX on the low mapping
21480 */
21481- if (within(address, (unsigned long)_text, (unsigned long)_etext))
21482- pgprot_val(forbidden) |= _PAGE_NX;
21483+ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
21484+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21485
21486+#ifdef CONFIG_DEBUG_RODATA
21487 /*
21488 * The .rodata section needs to be read-only. Using the pfn
21489 * catches all aliases.
21490@@ -279,6 +280,7 @@ static inline pgprot_t static_protection
21491 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
21492 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
21493 pgprot_val(forbidden) |= _PAGE_RW;
21494+#endif
21495
21496 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
21497 /*
21498@@ -317,6 +319,13 @@ static inline pgprot_t static_protection
21499 }
21500 #endif
21501
21502+#ifdef CONFIG_PAX_KERNEXEC
21503+ if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
21504+ pgprot_val(forbidden) |= _PAGE_RW;
21505+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21506+ }
21507+#endif
21508+
21509 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
21510
21511 return prot;
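Review bot: The new KERNEXEC check compares a page frame number against physical byte addresses: `within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))` has no `>> PAGE_SHIFT`, while the sibling checks in this function (`within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT)` and the `__start_rodata`/`__end_rodata` test two hunks up) all shift. Unless `within()` is meant to take bytes here, which nothing on the page suggests, the RW/NX restriction lands on the wrong pfns and the kernel image itself is left unprotected; `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {` matches the rest of static_protections. A short comment, `/* PaX: kernel text and rodata are never writable or non-executable via this path */`, would also explain why both bits are forbidden. static_protections begins before this hunk.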
21512@@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
21513 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
21514 {
21515 /* change init_mm */
21516+ pax_open_kernel();
21517 set_pte_atomic(kpte, pte);
21518+
21519 #ifdef CONFIG_X86_32
21520 if (!SHARED_KERNEL_PMD) {
21521+
21522+#ifdef CONFIG_PAX_PER_CPU_PGD
21523+ unsigned long cpu;
21524+#else
21525 struct page *page;
21526+#endif
21527
21528+#ifdef CONFIG_PAX_PER_CPU_PGD
21529+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21530+ pgd_t *pgd = get_cpu_pgd(cpu);
21531+#else
21532 list_for_each_entry(page, &pgd_list, lru) {
21533- pgd_t *pgd;
21534+ pgd_t *pgd = (pgd_t *)page_address(page);
21535+#endif
21536+
21537 pud_t *pud;
21538 pmd_t *pmd;
21539
21540- pgd = (pgd_t *)page_address(page) + pgd_index(address);
21541+ pgd += pgd_index(address);
21542 pud = pud_offset(pgd, address);
21543 pmd = pmd_offset(pud, address);
21544 set_pte_atomic((pte_t *)pmd, pte);
21545 }
21546 }
21547 #endif
21548+ pax_close_kernel();
21549 }
21550
21551 static int
21552diff -urNp linux-3.1.1/arch/x86/mm/pageattr-test.c linux-3.1.1/arch/x86/mm/pageattr-test.c
21553--- linux-3.1.1/arch/x86/mm/pageattr-test.c 2011-11-11 15:19:27.000000000 -0500
21554+++ linux-3.1.1/arch/x86/mm/pageattr-test.c 2011-11-16 18:39:07.000000000 -0500
21555@@ -36,7 +36,7 @@ enum {
21556
21557 static int pte_testbit(pte_t pte)
21558 {
21559- return pte_flags(pte) & _PAGE_UNUSED1;
21560+ return pte_flags(pte) & _PAGE_CPA_TEST;
21561 }
21562
21563 struct split_state {
21564diff -urNp linux-3.1.1/arch/x86/mm/pat.c linux-3.1.1/arch/x86/mm/pat.c
21565--- linux-3.1.1/arch/x86/mm/pat.c 2011-11-11 15:19:27.000000000 -0500
21566+++ linux-3.1.1/arch/x86/mm/pat.c 2011-11-16 18:39:07.000000000 -0500
21567@@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
21568
21569 if (!entry) {
21570 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
21571- current->comm, current->pid, start, end);
21572+ current->comm, task_pid_nr(current), start, end);
21573 return -EINVAL;
21574 }
21575
21576@@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
21577 while (cursor < to) {
21578 if (!devmem_is_allowed(pfn)) {
21579 printk(KERN_INFO
21580- "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
21581- current->comm, from, to);
21582+ "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
21583+ current->comm, from, to, cursor);
21584 return 0;
21585 }
21586 cursor += PAGE_SIZE;
21587@@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
21588 printk(KERN_INFO
21589 "%s:%d ioremap_change_attr failed %s "
21590 "for %Lx-%Lx\n",
21591- current->comm, current->pid,
21592+ current->comm, task_pid_nr(current),
21593 cattr_name(flags),
21594 base, (unsigned long long)(base + size));
21595 return -EINVAL;
21596@@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
21597 if (want_flags != flags) {
21598 printk(KERN_WARNING
21599 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
21600- current->comm, current->pid,
21601+ current->comm, task_pid_nr(current),
21602 cattr_name(want_flags),
21603 (unsigned long long)paddr,
21604 (unsigned long long)(paddr + size),
21605@@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
21606 free_memtype(paddr, paddr + size);
21607 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
21608 " for %Lx-%Lx, got %s\n",
21609- current->comm, current->pid,
21610+ current->comm, task_pid_nr(current),
21611 cattr_name(want_flags),
21612 (unsigned long long)paddr,
21613 (unsigned long long)(paddr + size),
21614diff -urNp linux-3.1.1/arch/x86/mm/pf_in.c linux-3.1.1/arch/x86/mm/pf_in.c
21615--- linux-3.1.1/arch/x86/mm/pf_in.c 2011-11-11 15:19:27.000000000 -0500
21616+++ linux-3.1.1/arch/x86/mm/pf_in.c 2011-11-16 18:39:07.000000000 -0500
21617@@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
21618 int i;
21619 enum reason_type rv = OTHERS;
21620
21621- p = (unsigned char *)ins_addr;
21622+ p = (unsigned char *)ktla_ktva(ins_addr);
21623 p += skip_prefix(p, &prf);
21624 p += get_opcode(p, &opcode);
21625
21626@@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
21627 struct prefix_bits prf;
21628 int i;
21629
21630- p = (unsigned char *)ins_addr;
21631+ p = (unsigned char *)ktla_ktva(ins_addr);
21632 p += skip_prefix(p, &prf);
21633 p += get_opcode(p, &opcode);
21634
21635@@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
21636 struct prefix_bits prf;
21637 int i;
21638
21639- p = (unsigned char *)ins_addr;
21640+ p = (unsigned char *)ktla_ktva(ins_addr);
21641 p += skip_prefix(p, &prf);
21642 p += get_opcode(p, &opcode);
21643
21644@@ -415,7 +415,7 @@ unsigned long get_ins_reg_val(unsigned l
21645 struct prefix_bits prf;
21646 int i;
21647
21648- p = (unsigned char *)ins_addr;
21649+ p = (unsigned char *)ktla_ktva(ins_addr);
21650 p += skip_prefix(p, &prf);
21651 p += get_opcode(p, &opcode);
21652 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
21653@@ -470,7 +470,7 @@ unsigned long get_ins_imm_val(unsigned l
21654 struct prefix_bits prf;
21655 int i;
21656
21657- p = (unsigned char *)ins_addr;
21658+ p = (unsigned char *)ktla_ktva(ins_addr);
21659 p += skip_prefix(p, &prf);
21660 p += get_opcode(p, &opcode);
21661 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
21662diff -urNp linux-3.1.1/arch/x86/mm/pgtable_32.c linux-3.1.1/arch/x86/mm/pgtable_32.c
21663--- linux-3.1.1/arch/x86/mm/pgtable_32.c 2011-11-11 15:19:27.000000000 -0500
21664+++ linux-3.1.1/arch/x86/mm/pgtable_32.c 2011-11-16 18:39:07.000000000 -0500
21665@@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
21666 return;
21667 }
21668 pte = pte_offset_kernel(pmd, vaddr);
21669+
21670+ pax_open_kernel();
21671 if (pte_val(pteval))
21672 set_pte_at(&init_mm, vaddr, pte, pteval);
21673 else
21674 pte_clear(&init_mm, vaddr, pte);
21675+ pax_close_kernel();
21676
21677 /*
21678 * It's enough to flush this one mapping.
21679diff -urNp linux-3.1.1/arch/x86/mm/pgtable.c linux-3.1.1/arch/x86/mm/pgtable.c
21680--- linux-3.1.1/arch/x86/mm/pgtable.c 2011-11-11 15:19:27.000000000 -0500
21681+++ linux-3.1.1/arch/x86/mm/pgtable.c 2011-11-16 18:39:07.000000000 -0500
21682@@ -84,10 +84,52 @@ static inline void pgd_list_del(pgd_t *p
21683 list_del(&page->lru);
21684 }
21685
21686-#define UNSHARED_PTRS_PER_PGD \
21687- (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21688+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21689+pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
21690
21691+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
21692+{
21693+ while (count--)
21694+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
21695+}
21696+#endif
21697+
21698+#ifdef CONFIG_PAX_PER_CPU_PGD
21699+void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
21700+{
21701+ while (count--)
21702+
21703+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21704+ *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
21705+#else
21706+ *dst++ = *src++;
21707+#endif
21708
21709+}
21710+#endif
21711+
21712+#ifdef CONFIG_X86_64
21713+#define pxd_t pud_t
21714+#define pyd_t pgd_t
21715+#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
21716+#define pxd_free(mm, pud) pud_free((mm), (pud))
21717+#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
21718+#define pyd_offset(mm ,address) pgd_offset((mm), (address))
21719+#define PYD_SIZE PGDIR_SIZE
21720+#else
21721+#define pxd_t pmd_t
21722+#define pyd_t pud_t
21723+#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
21724+#define pxd_free(mm, pud) pmd_free((mm), (pud))
21725+#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
21726+#define pyd_offset(mm ,address) pud_offset((mm), (address))
21727+#define PYD_SIZE PUD_SIZE
21728+#endif
21729+
21730+#ifdef CONFIG_PAX_PER_CPU_PGD
21731+static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
21732+static inline void pgd_dtor(pgd_t *pgd) {}
21733+#else
21734 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
21735 {
21736 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
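Review bot: In the new `__clone_user_pgds` the `while (count--)` body is a single statement chosen by a nested `#if`, separated from the loop header and from the closing brace by blank lines; brace it — `while (count--) {` before the `#if` and `}` after the `#endif` — so that a second statement added later cannot silently land outside the loop. `clone_pgd_mask __read_only = ~_PAGE_PRESENT;` clears the present bit from cloned user PGD entries by default, and nothing in the hunk says what else updates it; a comment at the definition such as `/* mask applied to user PGD entries when cloned into a per-CPU pgd; presumably adjusted elsewhere — confirm */` would help. The empty `pgd_ctor`/`pgd_dtor` stubs under CONFIG_PAX_PER_CPU_PGD mean new pgds are no longer placed on pgd_list; if anything still walks pgd_list in that configuration (not visible here), that is worth confirming in a comment at the stubs.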
21737@@ -128,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
21738 pgd_list_del(pgd);
21739 spin_unlock(&pgd_lock);
21740 }
21741+#endif
21742
21743 /*
21744 * List of all pgd's needed for non-PAE so it can invalidate entries
21745@@ -140,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
21746 * -- wli
21747 */
21748
21749-#ifdef CONFIG_X86_PAE
21750+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
21751 /*
21752 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
21753 * updating the top-level pagetable entries to guarantee the
21754@@ -152,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
21755 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
21756 * and initialize the kernel pmds here.
21757 */
21758-#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
21759+#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21760
21761 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
21762 {
21763@@ -170,36 +213,38 @@ void pud_populate(struct mm_struct *mm,
21764 */
21765 flush_tlb_mm(mm);
21766 }
21767+#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
21768+#define PREALLOCATED_PXDS USER_PGD_PTRS
21769 #else /* !CONFIG_X86_PAE */
21770
21771 /* No need to prepopulate any pagetable entries in non-PAE modes. */
21772-#define PREALLOCATED_PMDS 0
21773+#define PREALLOCATED_PXDS 0
21774
21775 #endif /* CONFIG_X86_PAE */
21776
21777-static void free_pmds(pmd_t *pmds[])
21778+static void free_pxds(pxd_t *pxds[])
21779 {
21780 int i;
21781
21782- for(i = 0; i < PREALLOCATED_PMDS; i++)
21783- if (pmds[i])
21784- free_page((unsigned long)pmds[i]);
21785+ for(i = 0; i < PREALLOCATED_PXDS; i++)
21786+ if (pxds[i])
21787+ free_page((unsigned long)pxds[i]);
21788 }
21789
21790-static int preallocate_pmds(pmd_t *pmds[])
21791+static int preallocate_pxds(pxd_t *pxds[])
21792 {
21793 int i;
21794 bool failed = false;
21795
21796- for(i = 0; i < PREALLOCATED_PMDS; i++) {
21797- pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
21798- if (pmd == NULL)
21799+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
21800+ pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
21801+ if (pxd == NULL)
21802 failed = true;
21803- pmds[i] = pmd;
21804+ pxds[i] = pxd;
21805 }
21806
21807 if (failed) {
21808- free_pmds(pmds);
21809+ free_pxds(pxds);
21810 return -ENOMEM;
21811 }
21812
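Review bot: The trailing comments `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` are now stale: the conditional gained a `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` arm and its opening `#if` (changed in an earlier hunk of this file) now also requires CONFIG_X86_32, so the `#else` arm is taken on non-PAE 32-bit and on 64-bit without per-CPU PGDs. The context comment "No need to prepopulate any pagetable entries in non-PAE modes" no longer describes that arm either. Suggest `#else /* !(X86_32 && X86_PAE) && !(X86_64 && PAX_PER_CPU_PGD) */` and `#endif /* X86_32 && X86_PAE || X86_64 && PAX_PER_CPU_PGD */`, and rewording the prose comment to mention the 64-bit case.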
21813@@ -212,51 +257,55 @@ static int preallocate_pmds(pmd_t *pmds[
21814 * preallocate which never got a corresponding vma will need to be
21815 * freed manually.
21816 */
21817-static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
21818+static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
21819 {
21820 int i;
21821
21822- for(i = 0; i < PREALLOCATED_PMDS; i++) {
21823+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
21824 pgd_t pgd = pgdp[i];
21825
21826 if (pgd_val(pgd) != 0) {
21827- pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
21828+ pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
21829
21830- pgdp[i] = native_make_pgd(0);
21831+ set_pgd(pgdp + i, native_make_pgd(0));
21832
21833- paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
21834- pmd_free(mm, pmd);
21835+ paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
21836+ pxd_free(mm, pxd);
21837 }
21838 }
21839 }
21840
21841-static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
21842+static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
21843 {
21844- pud_t *pud;
21845+ pyd_t *pyd;
21846 unsigned long addr;
21847 int i;
21848
21849- if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
21850+ if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
21851 return;
21852
21853- pud = pud_offset(pgd, 0);
21854+#ifdef CONFIG_X86_64
21855+ pyd = pyd_offset(mm, 0L);
21856+#else
21857+ pyd = pyd_offset(pgd, 0L);
21858+#endif
21859
21860- for (addr = i = 0; i < PREALLOCATED_PMDS;
21861- i++, pud++, addr += PUD_SIZE) {
21862- pmd_t *pmd = pmds[i];
21863+ for (addr = i = 0; i < PREALLOCATED_PXDS;
21864+ i++, pyd++, addr += PYD_SIZE) {
21865+ pxd_t *pxd = pxds[i];
21866
21867 if (i >= KERNEL_PGD_BOUNDARY)
21868- memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21869- sizeof(pmd_t) * PTRS_PER_PMD);
21870+ memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21871+ sizeof(pxd_t) * PTRS_PER_PMD);
21872
21873- pud_populate(mm, pud, pmd);
21874+ pyd_populate(mm, pyd, pxd);
21875 }
21876 }
21877
21878 pgd_t *pgd_alloc(struct mm_struct *mm)
21879 {
21880 pgd_t *pgd;
21881- pmd_t *pmds[PREALLOCATED_PMDS];
21882+ pxd_t *pxds[PREALLOCATED_PXDS];
21883
21884 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
21885
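Review bot: In `pgd_prepopulate_pxd` the copy for `i >= KERNEL_PGD_BOUNDARY` is `sizeof(pxd_t) * PTRS_PER_PMD`, but on the 64-bit side of the new macros `pxd_t` is `pud_t`, so the element size and the entry count come from different page-table levels; it only works because PTRS_PER_PMD and PTRS_PER_PUD coincide on x86-64, and a `PTRS_PER_PXD` defined next to `pxd_t` in the macro block (PTRS_PER_PUD on 64-bit, PTRS_PER_PMD on 32-bit) would make the abstraction complete. On 64-bit the function also ignores its `pgd` parameter: `pyd_offset(mm, 0L)` expands to `pgd_offset(mm, ...)`, which reads `mm->pgd`, so it depends on the caller having stored `pgd` into `mm->pgd` first (pgd_alloc does so before calling it, in the next hunk); a comment at that line, `/* relies on mm->pgd already pointing at pgd */`, would keep the precondition visible. The `#ifdef CONFIG_X86_64` choice between `pyd_offset(mm, 0L)` and `pyd_offset(pgd, 0L)` could itself be folded into the macro block, leaving a single call here. pgd_alloc begins at the end of this hunk and continues outside it.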
21886@@ -265,11 +314,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21887
21888 mm->pgd = pgd;
21889
21890- if (preallocate_pmds(pmds) != 0)
21891+ if (preallocate_pxds(pxds) != 0)
21892 goto out_free_pgd;
21893
21894 if (paravirt_pgd_alloc(mm) != 0)
21895- goto out_free_pmds;
21896+ goto out_free_pxds;
21897
21898 /*
21899 * Make sure that pre-populating the pmds is atomic with
21900@@ -279,14 +328,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21901 spin_lock(&pgd_lock);
21902
21903 pgd_ctor(mm, pgd);
21904- pgd_prepopulate_pmd(mm, pgd, pmds);
21905+ pgd_prepopulate_pxd(mm, pgd, pxds);
21906
21907 spin_unlock(&pgd_lock);
21908
21909 return pgd;
21910
21911-out_free_pmds:
21912- free_pmds(pmds);
21913+out_free_pxds:
21914+ free_pxds(pxds);
21915 out_free_pgd:
21916 free_page((unsigned long)pgd);
21917 out:
21918@@ -295,7 +344,7 @@ out:
21919
21920 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
21921 {
21922- pgd_mop_up_pmds(mm, pgd);
21923+ pgd_mop_up_pxds(mm, pgd);
21924 pgd_dtor(pgd);
21925 paravirt_pgd_free(mm, pgd);
21926 free_page((unsigned long)pgd);
21927diff -urNp linux-3.1.1/arch/x86/mm/setup_nx.c linux-3.1.1/arch/x86/mm/setup_nx.c
21928--- linux-3.1.1/arch/x86/mm/setup_nx.c 2011-11-11 15:19:27.000000000 -0500
21929+++ linux-3.1.1/arch/x86/mm/setup_nx.c 2011-11-16 18:39:07.000000000 -0500
21930@@ -5,8 +5,10 @@
21931 #include <asm/pgtable.h>
21932 #include <asm/proto.h>
21933
21934+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21935 static int disable_nx __cpuinitdata;
21936
21937+#ifndef CONFIG_PAX_PAGEEXEC
21938 /*
21939 * noexec = on|off
21940 *
21941@@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
21942 return 0;
21943 }
21944 early_param("noexec", noexec_setup);
21945+#endif
21946+
21947+#endif
21948
21949 void __cpuinit x86_configure_nx(void)
21950 {
21951+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21952 if (cpu_has_nx && !disable_nx)
21953 __supported_pte_mask |= _PAGE_NX;
21954 else
21955+#endif
21956 __supported_pte_mask &= ~_PAGE_NX;
21957 }
21958
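Review bot: The two `#endif` lines added here close conditionals opened in the previous hunk (`#ifndef CONFIG_PAX_PAGEEXEC` and `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`) several dozen lines away, and neither carries a trailing comment; write `#endif /* CONFIG_PAX_PAGEEXEC */` and `#endif /* CONFIG_X86_64 || CONFIG_X86_PAE */`, and the same for the `#endif` placed between `else` and the `&= ~_PAGE_NX` statement in x86_configure_nx, which is easy to misread. With the `noexec=` parameter compiled out under CONFIG_PAX_PAGEEXEC, `disable_nx` can only ever be zero, so the `!disable_nx` test is dead in that configuration; a comment at the declaration in the previous hunk, `/* only settable via noexec= when PAX_PAGEEXEC is off */`, would say so.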
21959diff -urNp linux-3.1.1/arch/x86/mm/tlb.c linux-3.1.1/arch/x86/mm/tlb.c
21960--- linux-3.1.1/arch/x86/mm/tlb.c 2011-11-11 15:19:27.000000000 -0500
21961+++ linux-3.1.1/arch/x86/mm/tlb.c 2011-11-16 18:39:07.000000000 -0500
21962@@ -65,7 +65,11 @@ void leave_mm(int cpu)
21963 BUG();
21964 cpumask_clear_cpu(cpu,
21965 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
21966+
21967+#ifndef CONFIG_PAX_PER_CPU_PGD
21968 load_cr3(swapper_pg_dir);
21969+#endif
21970+
21971 }
21972 EXPORT_SYMBOL_GPL(leave_mm);
21973
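Review bot: Skipping `load_cr3(swapper_pg_dir)` under CONFIG_PAX_PER_CPU_PGD is left unexplained, while the `cpumask_clear_cpu` above it still runs, so a reader has to guess why the switch to the kernel page tables is no longer needed when a CPU leaves an mm. A comment on the `#ifndef`, e.g. `/* with per-CPU PGDs this CPU presumably keeps running on its own pgd, so no switch to swapper_pg_dir is needed — confirm */`, would document the reasoning. leave_mm starts before this hunk.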
21974diff -urNp linux-3.1.1/arch/x86/net/bpf_jit_comp.c linux-3.1.1/arch/x86/net/bpf_jit_comp.c
21975--- linux-3.1.1/arch/x86/net/bpf_jit_comp.c 2011-11-11 15:19:27.000000000 -0500
21976+++ linux-3.1.1/arch/x86/net/bpf_jit_comp.c 2011-11-18 17:57:33.000000000 -0500
21977@@ -586,10 +586,12 @@ cond_branch: f_offset = addrs[i + filt
21978 if (unlikely(proglen + ilen > oldproglen)) {
21979 pr_err("bpb_jit_compile fatal error\n");
21980 kfree(addrs);
21981- module_free(NULL, image);
21982+ module_free_exec(NULL, image);
21983 return;
21984 }
21985+ pax_open_kernel();
21986 memcpy(image + proglen, temp, ilen);
21987+ pax_close_kernel();
21988 }
21989 proglen += ilen;
21990 addrs[i] = proglen;
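Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around `memcpy(image + proglen, temp, ilen)` is the only write into the JIT buffer in this hunk and nothing says why it is needed; since `image` now comes from `module_alloc_exec()` (next hunk), it is presumably mapped executable but not writable, which is the invariant the bracket protects. A comment on the memcpy, `/* image is presumably RX: lift kernel write protection only for the copy — confirm against module_alloc_exec() */`, would stop a later write to `image` being added outside the bracket. If, as the surrounding `addrs[i] = proglen` suggests, this runs once per BPF instruction, the protection is toggled per instruction, which is correct but worth noting. bpf_jit_compile starts and ends outside the hunk.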
21991@@ -609,7 +611,7 @@ cond_branch: f_offset = addrs[i + filt
21992 break;
21993 }
21994 if (proglen == oldproglen) {
21995- image = module_alloc(max_t(unsigned int,
21996+ image = module_alloc_exec(max_t(unsigned int,
21997 proglen,
21998 sizeof(struct work_struct)));
21999 if (!image)
22000@@ -637,11 +639,11 @@ out:
22001
22002 static void jit_free_defer(struct work_struct *arg)
22003 {
22004- module_free(NULL, arg);
22005+ module_free_exec(NULL, arg);
22006 }
22007
22008 /* run from softirq, we must use a work_struct to call
22009- * module_free() from process context
22010+ * module_free_exec() from process context
22011 */
22012 void bpf_jit_free(struct sk_filter *fp)
22013 {
22014diff -urNp linux-3.1.1/arch/x86/net/bpf_jit.S linux-3.1.1/arch/x86/net/bpf_jit.S
22015--- linux-3.1.1/arch/x86/net/bpf_jit.S 2011-11-11 15:19:27.000000000 -0500
22016+++ linux-3.1.1/arch/x86/net/bpf_jit.S 2011-11-16 18:39:07.000000000 -0500
22017@@ -9,6 +9,7 @@
22018 */
22019 #include <linux/linkage.h>
22020 #include <asm/dwarf2.h>
22021+#include <asm/alternative-asm.h>
22022
22023 /*
22024 * Calling convention :
22025@@ -35,6 +36,7 @@ sk_load_word:
22026 jle bpf_slow_path_word
22027 mov (SKBDATA,%rsi),%eax
22028 bswap %eax /* ntohl() */
22029+ pax_force_retaddr
22030 ret
22031
22032
22033@@ -53,6 +55,7 @@ sk_load_half:
22034 jle bpf_slow_path_half
22035 movzwl (SKBDATA,%rsi),%eax
22036 rol $8,%ax # ntohs()
22037+ pax_force_retaddr
22038 ret
22039
22040 sk_load_byte_ind:
22041@@ -66,6 +69,7 @@ sk_load_byte:
22042 cmp %esi,%r9d /* if (offset >= hlen) goto bpf_slow_path_byte */
22043 jle bpf_slow_path_byte
22044 movzbl (SKBDATA,%rsi),%eax
22045+ pax_force_retaddr
22046 ret
22047
22048 /**
22049@@ -82,6 +86,7 @@ ENTRY(sk_load_byte_msh)
22050 movzbl (SKBDATA,%rsi),%ebx
22051 and $15,%bl
22052 shl $2,%bl
22053+ pax_force_retaddr
22054 ret
22055 CFI_ENDPROC
22056 ENDPROC(sk_load_byte_msh)
22057@@ -91,6 +96,7 @@ bpf_error:
22058 xor %eax,%eax
22059 mov -8(%rbp),%rbx
22060 leaveq
22061+ pax_force_retaddr
22062 ret
22063
22064 /* rsi contains offset and can be scratched */
22065@@ -113,6 +119,7 @@ bpf_slow_path_word:
22066 js bpf_error
22067 mov -12(%rbp),%eax
22068 bswap %eax
22069+ pax_force_retaddr
22070 ret
22071
22072 bpf_slow_path_half:
22073@@ -121,12 +128,14 @@ bpf_slow_path_half:
22074 mov -12(%rbp),%ax
22075 rol $8,%ax
22076 movzwl %ax,%eax
22077+ pax_force_retaddr
22078 ret
22079
22080 bpf_slow_path_byte:
22081 bpf_slow_path_common(1)
22082 js bpf_error
22083 movzbl -12(%rbp),%eax
22084+ pax_force_retaddr
22085 ret
22086
22087 bpf_slow_path_byte_msh:
22088@@ -137,4 +146,5 @@ bpf_slow_path_byte_msh:
22089 and $15,%al
22090 shl $2,%al
22091 xchg %eax,%ebx
22092+ pax_force_retaddr
22093 ret
22094diff -urNp linux-3.1.1/arch/x86/oprofile/backtrace.c linux-3.1.1/arch/x86/oprofile/backtrace.c
22095--- linux-3.1.1/arch/x86/oprofile/backtrace.c 2011-11-11 15:19:27.000000000 -0500
22096+++ linux-3.1.1/arch/x86/oprofile/backtrace.c 2011-11-16 18:39:07.000000000 -0500
22097@@ -46,11 +46,11 @@ dump_user_backtrace_32(struct stack_fram
22098 struct stack_frame_ia32 *fp;
22099 unsigned long bytes;
22100
22101- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
22102+ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
22103 if (bytes != sizeof(bufhead))
22104 return NULL;
22105
22106- fp = (struct stack_frame_ia32 *) compat_ptr(bufhead[0].next_frame);
22107+ fp = (struct stack_frame_ia32 __force_kernel *) compat_ptr(bufhead[0].next_frame);
22108
22109 oprofile_add_trace(bufhead[0].return_address);
22110
22111@@ -92,7 +92,7 @@ static struct stack_frame *dump_user_bac
22112 struct stack_frame bufhead[2];
22113 unsigned long bytes;
22114
22115- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
22116+ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
22117 if (bytes != sizeof(bufhead))
22118 return NULL;
22119
22120@@ -111,7 +111,7 @@ x86_backtrace(struct pt_regs * const reg
22121 {
22122 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
22123
22124- if (!user_mode_vm(regs)) {
22125+ if (!user_mode(regs)) {
22126 unsigned long stack = kernel_stack_pointer(regs);
22127 if (depth)
22128 dump_trace(NULL, regs, (unsigned long *)stack, 0,
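Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in x86_backtrace changes how vm86 frames are classified on 32-bit: `user_mode_vm()` also treats VM86-mode registers as user mode, whereas `user_mode()` only tests the CS RPL, so a vm86 task sampled by oprofile would now take the kernel `dump_trace` path unless the patch makes the two equivalent or removes vm86 elsewhere (not visible here). If that is intended, a comment such as `/* user_mode() suffices here: vm86 frames are presumably not reachable in this configuration — confirm */` avoids the question; otherwise keep `user_mode_vm()`. The function continues outside the hunk.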
22129diff -urNp linux-3.1.1/arch/x86/pci/mrst.c linux-3.1.1/arch/x86/pci/mrst.c
22130--- linux-3.1.1/arch/x86/pci/mrst.c 2011-11-11 15:19:27.000000000 -0500
22131+++ linux-3.1.1/arch/x86/pci/mrst.c 2011-11-16 18:39:07.000000000 -0500
22132@@ -234,7 +234,9 @@ int __init pci_mrst_init(void)
22133 printk(KERN_INFO "Moorestown platform detected, using MRST PCI ops\n");
22134 pci_mmcfg_late_init();
22135 pcibios_enable_irq = mrst_pci_irq_enable;
22136- pci_root_ops = pci_mrst_ops;
22137+ pax_open_kernel();
22138+ memcpy((void *)&pci_root_ops, &pci_mrst_ops, sizeof(pci_mrst_ops));
22139+ pax_close_kernel();
22140 /* Continue with standard init */
22141 return 1;
22142 }
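Review bot: `memcpy((void *)&pci_root_ops, &pci_mrst_ops, sizeof(pci_mrst_ops))` sizes the copy by the source; sizing by the destination, `sizeof(pci_root_ops)`, is the safer idiom when the target is what must not be overrun, and with both being the same struct type it is equally correct. The `(void *)` cast and the `pax_open_kernel()` bracket imply `pci_root_ops` has been made read-only elsewhere in the patch; a one-line comment, `/* pci_root_ops is presumably read-only: copy under pax_open_kernel() instead of plain assignment */`, would explain why a struct assignment became a memcpy.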
22143diff -urNp linux-3.1.1/arch/x86/pci/pcbios.c linux-3.1.1/arch/x86/pci/pcbios.c
22144--- linux-3.1.1/arch/x86/pci/pcbios.c 2011-11-11 15:19:27.000000000 -0500
22145+++ linux-3.1.1/arch/x86/pci/pcbios.c 2011-11-16 18:39:07.000000000 -0500
22146@@ -79,50 +79,93 @@ union bios32 {
22147 static struct {
22148 unsigned long address;
22149 unsigned short segment;
22150-} bios32_indirect = { 0, __KERNEL_CS };
22151+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
22152
22153 /*
22154 * Returns the entry point for the given service, NULL on error
22155 */
22156
22157-static unsigned long bios32_service(unsigned long service)
22158+static unsigned long __devinit bios32_service(unsigned long service)
22159 {
22160 unsigned char return_code; /* %al */
22161 unsigned long address; /* %ebx */
22162 unsigned long length; /* %ecx */
22163 unsigned long entry; /* %edx */
22164 unsigned long flags;
22165+ struct desc_struct d, *gdt;
22166
22167 local_irq_save(flags);
22168- __asm__("lcall *(%%edi); cld"
22169+
22170+ gdt = get_cpu_gdt_table(smp_processor_id());
22171+
22172+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
22173+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
22174+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
22175+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
22176+
22177+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
22178 : "=a" (return_code),
22179 "=b" (address),
22180 "=c" (length),
22181 "=d" (entry)
22182 : "0" (service),
22183 "1" (0),
22184- "D" (&bios32_indirect));
22185+ "D" (&bios32_indirect),
22186+ "r"(__PCIBIOS_DS)
22187+ : "memory");
22188+
22189+ pax_open_kernel();
22190+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
22191+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
22192+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
22193+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
22194+ pax_close_kernel();
22195+
22196 local_irq_restore(flags);
22197
22198 switch (return_code) {
22199- case 0:
22200- return address + entry;
22201- case 0x80: /* Not present */
22202- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
22203- return 0;
22204- default: /* Shouldn't happen */
22205- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
22206- service, return_code);
22207+ case 0: {
22208+ int cpu;
22209+ unsigned char flags;
22210+
22211+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
22212+ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
22213+ printk(KERN_WARNING "bios32_service: not valid\n");
22214 return 0;
22215+ }
22216+ address = address + PAGE_OFFSET;
22217+ length += 16UL; /* some BIOSs underreport this... */
22218+ flags = 4;
22219+ if (length >= 64*1024*1024) {
22220+ length >>= PAGE_SHIFT;
22221+ flags |= 8;
22222+ }
22223+
22224+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
22225+ gdt = get_cpu_gdt_table(cpu);
22226+ pack_descriptor(&d, address, length, 0x9b, flags);
22227+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
22228+ pack_descriptor(&d, address, length, 0x93, flags);
22229+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
22230+ }
22231+ return entry;
22232+ }
22233+ case 0x80: /* Not present */
22234+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
22235+ return 0;
22236+ default: /* Shouldn't happen */
22237+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
22238+ service, return_code);
22239+ return 0;
22240 }
22241 }
22242
22243 static struct {
22244 unsigned long address;
22245 unsigned short segment;
22246-} pci_indirect = { 0, __KERNEL_CS };
22247+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
22248
22249-static int pci_bios_present;
22250+static int pci_bios_present __read_only;
22251
22252 static int __devinit check_pcibios(void)
22253 {
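Review bot: In the new `case 0:` block of bios32_service, `unsigned char flags;` shadows the function's `unsigned long flags` that `local_irq_save()`/`local_irq_restore()` use, which `-Wshadow` will flag and which invites a mix-up; rename it, e.g. `unsigned char desc_flags;`. The `for (cpu = 0; cpu < NR_CPUS; cpu++)` loop that writes the PCIBIOS descriptors calls `get_cpu_gdt_table(cpu)` for every index up to NR_CPUS, including CPUs that are not possible on this system; `for_each_possible_cpu(cpu)` is the usual idiom and avoids touching per-CPU data that may not be set up. The first call keeps `lcall *(%%edi)` without an `%%ss:` override even though `%%ds` was just loaded with `__PCIBIOS_DS`, which works because the descriptor written just before it is flat (base 0, limit 0xFFFFF), whereas the later calls in this file need `%%ss:(%%edi)` because by then DS carries the BIOS-reported base; a comment at that line would keep someone from "fixing" the inconsistency. The validity check `address >= 0xFFFF0 || length > 0x100000 - address || length <= entry` on BIOS-supplied values is a good addition and deserves a one-line comment stating that it keeps the segment inside the first MiB and the entry inside the segment. check_pcibios begins at the end of this hunk and continues outside it.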
22254@@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
22255 unsigned long flags, pcibios_entry;
22256
22257 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
22258- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
22259+ pci_indirect.address = pcibios_entry;
22260
22261 local_irq_save(flags);
22262- __asm__(
22263- "lcall *(%%edi); cld\n\t"
22264+ __asm__("movw %w6, %%ds\n\t"
22265+ "lcall *%%ss:(%%edi); cld\n\t"
22266+ "push %%ss\n\t"
22267+ "pop %%ds\n\t"
22268 "jc 1f\n\t"
22269 "xor %%ah, %%ah\n"
22270 "1:"
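Review bot: `pci_indirect.address = pcibios_entry;` writes a variable that the previous hunk declares `__read_only`, with no `pax_open_kernel()`/`pax_close_kernel()` around it, unlike the other writes to protected data in this patch (the GDT clean-up in bios32_service above, pci_root_ops in arch/x86/pci/mrst.c). If this is intended because check_pcibios is `__devinit` and runs before the read-only data section is sealed, say so: `/* __read_only data is still writable here: check_pcibios runs during init */` — the sealing point is not visible in this hunk, so that assumption should be confirmed. The dropped `+ PAGE_OFFSET` follows from bios32_service now returning the entry offset inside the PCIBIOS segment rather than a linear address; a comment at the `return entry;` in bios32_service saying the value is segment-relative would tie the two sites together. check_pcibios continues outside this hunk.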
22271@@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
22272 "=b" (ebx),
22273 "=c" (ecx)
22274 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
22275- "D" (&pci_indirect)
22276+ "D" (&pci_indirect),
22277+ "r" (__PCIBIOS_DS)
22278 : "memory");
22279 local_irq_restore(flags);
22280
22281@@ -189,7 +235,10 @@ static int pci_bios_read(unsigned int se
22282
22283 switch (len) {
22284 case 1:
22285- __asm__("lcall *(%%esi); cld\n\t"
22286+ __asm__("movw %w6, %%ds\n\t"
22287+ "lcall *%%ss:(%%esi); cld\n\t"
22288+ "push %%ss\n\t"
22289+ "pop %%ds\n\t"
22290 "jc 1f\n\t"
22291 "xor %%ah, %%ah\n"
22292 "1:"
22293@@ -198,7 +247,8 @@ static int pci_bios_read(unsigned int se
22294 : "1" (PCIBIOS_READ_CONFIG_BYTE),
22295 "b" (bx),
22296 "D" ((long)reg),
22297- "S" (&pci_indirect));
22298+ "S" (&pci_indirect),
22299+ "r" (__PCIBIOS_DS));
22300 /*
22301 * Zero-extend the result beyond 8 bits, do not trust the
22302 * BIOS having done it:
22303@@ -206,7 +256,10 @@ static int pci_bios_read(unsigned int se
22304 *value &= 0xff;
22305 break;
22306 case 2:
22307- __asm__("lcall *(%%esi); cld\n\t"
22308+ __asm__("movw %w6, %%ds\n\t"
22309+ "lcall *%%ss:(%%esi); cld\n\t"
22310+ "push %%ss\n\t"
22311+ "pop %%ds\n\t"
22312 "jc 1f\n\t"
22313 "xor %%ah, %%ah\n"
22314 "1:"
22315@@ -215,7 +268,8 @@ static int pci_bios_read(unsigned int se
22316 : "1" (PCIBIOS_READ_CONFIG_WORD),
22317 "b" (bx),
22318 "D" ((long)reg),
22319- "S" (&pci_indirect));
22320+ "S" (&pci_indirect),
22321+ "r" (__PCIBIOS_DS));
22322 /*
22323 * Zero-extend the result beyond 16 bits, do not trust the
22324 * BIOS having done it:
22325@@ -223,7 +277,10 @@ static int pci_bios_read(unsigned int se
22326 *value &= 0xffff;
22327 break;
22328 case 4:
22329- __asm__("lcall *(%%esi); cld\n\t"
22330+ __asm__("movw %w6, %%ds\n\t"
22331+ "lcall *%%ss:(%%esi); cld\n\t"
22332+ "push %%ss\n\t"
22333+ "pop %%ds\n\t"
22334 "jc 1f\n\t"
22335 "xor %%ah, %%ah\n"
22336 "1:"
22337@@ -232,7 +289,8 @@ static int pci_bios_read(unsigned int se
22338 : "1" (PCIBIOS_READ_CONFIG_DWORD),
22339 "b" (bx),
22340 "D" ((long)reg),
22341- "S" (&pci_indirect));
22342+ "S" (&pci_indirect),
22343+ "r" (__PCIBIOS_DS));
22344 break;
22345 }
22346
22347@@ -256,7 +314,10 @@ static int pci_bios_write(unsigned int s
22348
22349 switch (len) {
22350 case 1:
22351- __asm__("lcall *(%%esi); cld\n\t"
22352+ __asm__("movw %w6, %%ds\n\t"
22353+ "lcall *%%ss:(%%esi); cld\n\t"
22354+ "push %%ss\n\t"
22355+ "pop %%ds\n\t"
22356 "jc 1f\n\t"
22357 "xor %%ah, %%ah\n"
22358 "1:"
22359@@ -265,10 +326,14 @@ static int pci_bios_write(unsigned int s
22360 "c" (value),
22361 "b" (bx),
22362 "D" ((long)reg),
22363- "S" (&pci_indirect));
22364+ "S" (&pci_indirect),
22365+ "r" (__PCIBIOS_DS));
22366 break;
22367 case 2:
22368- __asm__("lcall *(%%esi); cld\n\t"
22369+ __asm__("movw %w6, %%ds\n\t"
22370+ "lcall *%%ss:(%%esi); cld\n\t"
22371+ "push %%ss\n\t"
22372+ "pop %%ds\n\t"
22373 "jc 1f\n\t"
22374 "xor %%ah, %%ah\n"
22375 "1:"
22376@@ -277,10 +342,14 @@ static int pci_bios_write(unsigned int s
22377 "c" (value),
22378 "b" (bx),
22379 "D" ((long)reg),
22380- "S" (&pci_indirect));
22381+ "S" (&pci_indirect),
22382+ "r" (__PCIBIOS_DS));
22383 break;
22384 case 4:
22385- __asm__("lcall *(%%esi); cld\n\t"
22386+ __asm__("movw %w6, %%ds\n\t"
22387+ "lcall *%%ss:(%%esi); cld\n\t"
22388+ "push %%ss\n\t"
22389+ "pop %%ds\n\t"
22390 "jc 1f\n\t"
22391 "xor %%ah, %%ah\n"
22392 "1:"
22393@@ -289,7 +358,8 @@ static int pci_bios_write(unsigned int s
22394 "c" (value),
22395 "b" (bx),
22396 "D" ((long)reg),
22397- "S" (&pci_indirect));
22398+ "S" (&pci_indirect),
22399+ "r" (__PCIBIOS_DS));
22400 break;
22401 }
22402
22403@@ -394,10 +464,13 @@ struct irq_routing_table * pcibios_get_i
22404
22405 DBG("PCI: Fetching IRQ routing table... ");
22406 __asm__("push %%es\n\t"
22407+ "movw %w8, %%ds\n\t"
22408 "push %%ds\n\t"
22409 "pop %%es\n\t"
22410- "lcall *(%%esi); cld\n\t"
22411+ "lcall *%%ss:(%%esi); cld\n\t"
22412 "pop %%es\n\t"
22413+ "push %%ss\n\t"
22414+ "pop %%ds\n"
22415 "jc 1f\n\t"
22416 "xor %%ah, %%ah\n"
22417 "1:"
22418@@ -408,7 +481,8 @@ struct irq_routing_table * pcibios_get_i
22419 "1" (0),
22420 "D" ((long) &opt),
22421 "S" (&pci_indirect),
22422- "m" (opt)
22423+ "m" (opt),
22424+ "r" (__PCIBIOS_DS)
22425 : "memory");
22426 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
22427 if (ret & 0xff00)
22428@@ -432,7 +506,10 @@ int pcibios_set_irq_routing(struct pci_d
22429 {
22430 int ret;
22431
22432- __asm__("lcall *(%%esi); cld\n\t"
22433+ __asm__("movw %w5, %%ds\n\t"
22434+ "lcall *%%ss:(%%esi); cld\n\t"
22435+ "push %%ss\n\t"
22436+ "pop %%ds\n"
22437 "jc 1f\n\t"
22438 "xor %%ah, %%ah\n"
22439 "1:"
22440@@ -440,7 +517,8 @@ int pcibios_set_irq_routing(struct pci_d
22441 : "0" (PCIBIOS_SET_PCI_HW_INT),
22442 "b" ((dev->bus->number << 8) | dev->devfn),
22443 "c" ((irq << 8) | (pin + 10)),
22444- "S" (&pci_indirect));
22445+ "S" (&pci_indirect),
22446+ "r" (__PCIBIOS_DS));
22447 return !(ret & 0xff00);
22448 }
22449 EXPORT_SYMBOL(pcibios_set_irq_routing);
22450diff -urNp linux-3.1.1/arch/x86/platform/efi/efi_32.c linux-3.1.1/arch/x86/platform/efi/efi_32.c
22451--- linux-3.1.1/arch/x86/platform/efi/efi_32.c 2011-11-11 15:19:27.000000000 -0500
22452+++ linux-3.1.1/arch/x86/platform/efi/efi_32.c 2011-11-16 18:39:07.000000000 -0500
22453@@ -38,70 +38,56 @@
22454 */
22455
22456 static unsigned long efi_rt_eflags;
22457-static pgd_t efi_bak_pg_dir_pointer[2];
22458+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
22459
22460-void efi_call_phys_prelog(void)
22461+void __init efi_call_phys_prelog(void)
22462 {
22463- unsigned long cr4;
22464- unsigned long temp;
22465 struct desc_ptr gdt_descr;
22466
22467- local_irq_save(efi_rt_eflags);
22468+#ifdef CONFIG_PAX_KERNEXEC
22469+ struct desc_struct d;
22470+#endif
22471
22472- /*
22473- * If I don't have PAE, I should just duplicate two entries in page
22474- * directory. If I have PAE, I just need to duplicate one entry in
22475- * page directory.
22476- */
22477- cr4 = read_cr4_safe();
22478+ local_irq_save(efi_rt_eflags);
22479
22480- if (cr4 & X86_CR4_PAE) {
22481- efi_bak_pg_dir_pointer[0].pgd =
22482- swapper_pg_dir[pgd_index(0)].pgd;
22483- swapper_pg_dir[0].pgd =
22484- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
22485- } else {
22486- efi_bak_pg_dir_pointer[0].pgd =
22487- swapper_pg_dir[pgd_index(0)].pgd;
22488- efi_bak_pg_dir_pointer[1].pgd =
22489- swapper_pg_dir[pgd_index(0x400000)].pgd;
22490- swapper_pg_dir[pgd_index(0)].pgd =
22491- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
22492- temp = PAGE_OFFSET + 0x400000;
22493- swapper_pg_dir[pgd_index(0x400000)].pgd =
22494- swapper_pg_dir[pgd_index(temp)].pgd;
22495- }
22496+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
22497+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22498+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
22499
22500 /*
22501 * After the lock is released, the original page table is restored.
22502 */
22503 __flush_tlb_all();
22504
22505+#ifdef CONFIG_PAX_KERNEXEC
22506+ pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
22507+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
22508+ pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
22509+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
22510+#endif
22511+
22512 gdt_descr.address = __pa(get_cpu_gdt_table(0));
22513 gdt_descr.size = GDT_SIZE - 1;
22514 load_gdt(&gdt_descr);
22515 }
22516
22517-void efi_call_phys_epilog(void)
22518+void __init efi_call_phys_epilog(void)
22519 {
22520- unsigned long cr4;
22521 struct desc_ptr gdt_descr;
22522
22523+#ifdef CONFIG_PAX_KERNEXEC
22524+ struct desc_struct d;
22525+
22526+ memset(&d, 0, sizeof d);
22527+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
22528+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
22529+#endif
22530+
22531 gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
22532 gdt_descr.size = GDT_SIZE - 1;
22533 load_gdt(&gdt_descr);
22534
22535- cr4 = read_cr4_safe();
22536-
22537- if (cr4 & X86_CR4_PAE) {
22538- swapper_pg_dir[pgd_index(0)].pgd =
22539- efi_bak_pg_dir_pointer[0].pgd;
22540- } else {
22541- swapper_pg_dir[pgd_index(0)].pgd =
22542- efi_bak_pg_dir_pointer[0].pgd;
22543- swapper_pg_dir[pgd_index(0x400000)].pgd =
22544- efi_bak_pg_dir_pointer[1].pgd;
22545- }
22546+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
22547
22548 /*
22549 * After the lock is released, the original page table is restored.
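Review bot: Replacing the PAE/non-PAE duplication in efi_call_phys_prelog with `clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY, min_t(...))` also dropped the comment that explained what the duplication is for, and the new expression is denser than the old one. A comment such as `/* Copy the kernel-half PGD entries down to index 0 so the low virtual range stays mapped while efi_call_phys runs with paging off; the originals are restored from efi_bak_pg_dir_pointer in the epilog */` (exact intent to be confirmed) would restore that. The backup saves `KERNEL_PGD_PTRS` entries while the overwrite touches `min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)`, so the epilog's restore copies back at least as many entries as were changed; that is correct but worth stating in the same comment. The new `__init`/`__initdata` annotations assume no physical-mode EFI call happens after init, which matches the `__INIT` placement of efi_call_phys in the stub hunk that follows.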
22550diff -urNp linux-3.1.1/arch/x86/platform/efi/efi_stub_32.S linux-3.1.1/arch/x86/platform/efi/efi_stub_32.S
22551--- linux-3.1.1/arch/x86/platform/efi/efi_stub_32.S 2011-11-11 15:19:27.000000000 -0500
22552+++ linux-3.1.1/arch/x86/platform/efi/efi_stub_32.S 2011-11-16 18:39:07.000000000 -0500
22553@@ -6,7 +6,9 @@
22554 */
22555
22556 #include <linux/linkage.h>
22557+#include <linux/init.h>
22558 #include <asm/page_types.h>
22559+#include <asm/segment.h>
22560
22561 /*
22562 * efi_call_phys(void *, ...) is a function with variable parameters.
22563@@ -20,7 +22,7 @@
22564 * service functions will comply with gcc calling convention, too.
22565 */
22566
22567-.text
22568+__INIT
22569 ENTRY(efi_call_phys)
22570 /*
22571 * 0. The function can only be called in Linux kernel. So CS has been
22572@@ -36,9 +38,11 @@ ENTRY(efi_call_phys)
22573 * The mapping of lower virtual memory has been created in prelog and
22574 * epilog.
22575 */
22576- movl $1f, %edx
22577- subl $__PAGE_OFFSET, %edx
22578- jmp *%edx
22579+ movl $(__KERNEXEC_EFI_DS), %edx
22580+ mov %edx, %ds
22581+ mov %edx, %es
22582+ mov %edx, %ss
22583+ ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET
22584 1:
22585
22586 /*
22587@@ -47,14 +51,8 @@ ENTRY(efi_call_phys)
22588 * parameter 2, ..., param n. To make things easy, we save the return
22589 * address of efi_call_phys in a global variable.
22590 */
22591- popl %edx
22592- movl %edx, saved_return_addr
22593- /* get the function pointer into ECX*/
22594- popl %ecx
22595- movl %ecx, efi_rt_function_ptr
22596- movl $2f, %edx
22597- subl $__PAGE_OFFSET, %edx
22598- pushl %edx
22599+ popl (saved_return_addr)
22600+ popl (efi_rt_function_ptr)
22601
22602 /*
22603 * 3. Clear PG bit in %CR0.
22604@@ -73,9 +71,8 @@ ENTRY(efi_call_phys)
22605 /*
22606 * 5. Call the physical function.
22607 */
22608- jmp *%ecx
22609+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
22610
22611-2:
22612 /*
22613 * 6. After EFI runtime service returns, control will return to
22614 * following instruction. We'd better readjust stack pointer first.
22615@@ -88,35 +85,32 @@ ENTRY(efi_call_phys)
22616 movl %cr0, %edx
22617 orl $0x80000000, %edx
22618 movl %edx, %cr0
22619- jmp 1f
22620-1:
22621+
22622 /*
22623 * 8. Now restore the virtual mode from flat mode by
22624 * adding EIP with PAGE_OFFSET.
22625 */
22626- movl $1f, %edx
22627- jmp *%edx
22628+ ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET
22629 1:
22630+ movl $(__KERNEL_DS), %edx
22631+ mov %edx, %ds
22632+ mov %edx, %es
22633+ mov %edx, %ss
22634
22635 /*
22636 * 9. Balance the stack. And because EAX contain the return value,
22637 * we'd better not clobber it.
22638 */
22639- leal efi_rt_function_ptr, %edx
22640- movl (%edx), %ecx
22641- pushl %ecx
22642+ pushl (efi_rt_function_ptr)
22643
22644 /*
22645- * 10. Push the saved return address onto the stack and return.
22646+ * 10. Return to the saved return address.
22647 */
22648- leal saved_return_addr, %edx
22649- movl (%edx), %ecx
22650- pushl %ecx
22651- ret
22652+ jmpl *(saved_return_addr)
22653 ENDPROC(efi_call_phys)
22654 .previous
22655
22656-.data
22657+__INITDATA
22658 saved_return_addr:
22659 .long 0
22660 efi_rt_function_ptr:
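Review bot: The two scratch words placed under `__INITDATA` are now released with init memory, yet nothing in this hunk shows efi_call_phys itself in an init section (its own section directive sits above the `.previous` and outside the hunk), so a runtime-service call routed through it after free_initmem() would write into recycled pages. If the code is __INIT as well, record the coupling next to the data, e.g. `/* init-only scratch: efi_call_phys must not be entered after free_initmem() */`; if it is not, the variables should stay in .data. The restored-virtual-mode sequence reloads only %ds/%es/%ss, which matches the three segments switched on entry at the top of this file section, so that part looks balanced.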
22661diff -urNp linux-3.1.1/arch/x86/platform/efi/efi_stub_64.S linux-3.1.1/arch/x86/platform/efi/efi_stub_64.S
22662--- linux-3.1.1/arch/x86/platform/efi/efi_stub_64.S 2011-11-11 15:19:27.000000000 -0500
22663+++ linux-3.1.1/arch/x86/platform/efi/efi_stub_64.S 2011-11-16 18:39:07.000000000 -0500
22664@@ -7,6 +7,7 @@
22665 */
22666
22667 #include <linux/linkage.h>
22668+#include <asm/alternative-asm.h>
22669
22670 #define SAVE_XMM \
22671 mov %rsp, %rax; \
22672@@ -40,6 +41,7 @@ ENTRY(efi_call0)
22673 call *%rdi
22674 addq $32, %rsp
22675 RESTORE_XMM
22676+ pax_force_retaddr
22677 ret
22678 ENDPROC(efi_call0)
22679
22680@@ -50,6 +52,7 @@ ENTRY(efi_call1)
22681 call *%rdi
22682 addq $32, %rsp
22683 RESTORE_XMM
22684+ pax_force_retaddr
22685 ret
22686 ENDPROC(efi_call1)
22687
22688@@ -60,6 +63,7 @@ ENTRY(efi_call2)
22689 call *%rdi
22690 addq $32, %rsp
22691 RESTORE_XMM
22692+ pax_force_retaddr
22693 ret
22694 ENDPROC(efi_call2)
22695
22696@@ -71,6 +75,7 @@ ENTRY(efi_call3)
22697 call *%rdi
22698 addq $32, %rsp
22699 RESTORE_XMM
22700+ pax_force_retaddr
22701 ret
22702 ENDPROC(efi_call3)
22703
22704@@ -83,6 +88,7 @@ ENTRY(efi_call4)
22705 call *%rdi
22706 addq $32, %rsp
22707 RESTORE_XMM
22708+ pax_force_retaddr
22709 ret
22710 ENDPROC(efi_call4)
22711
22712@@ -96,6 +102,7 @@ ENTRY(efi_call5)
22713 call *%rdi
22714 addq $48, %rsp
22715 RESTORE_XMM
22716+ pax_force_retaddr
22717 ret
22718 ENDPROC(efi_call5)
22719
22720@@ -112,5 +119,6 @@ ENTRY(efi_call6)
22721 call *%rdi
22722 addq $48, %rsp
22723 RESTORE_XMM
22724+ pax_force_retaddr
22725 ret
22726 ENDPROC(efi_call6)
22727diff -urNp linux-3.1.1/arch/x86/platform/mrst/mrst.c linux-3.1.1/arch/x86/platform/mrst/mrst.c
22728--- linux-3.1.1/arch/x86/platform/mrst/mrst.c 2011-11-11 15:19:27.000000000 -0500
22729+++ linux-3.1.1/arch/x86/platform/mrst/mrst.c 2011-11-16 18:39:07.000000000 -0500
22730@@ -239,14 +239,16 @@ static int mrst_i8042_detect(void)
22731 }
22732
22733 /* Reboot and power off are handled by the SCU on a MID device */
22734-static void mrst_power_off(void)
22735+static __noreturn void mrst_power_off(void)
22736 {
22737 intel_scu_ipc_simple_command(0xf1, 1);
22738+ BUG();
22739 }
22740
22741-static void mrst_reboot(void)
22742+static __noreturn void mrst_reboot(void)
22743 {
22744 intel_scu_ipc_simple_command(0xf1, 0);
22745+ BUG();
22746 }
22747
22748 /*
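Review bot: Both functions now reach BUG() unconditionally while still discarding the result of intel_scu_ipc_simple_command(), so the only case that actually executes BUG() — the SCU not acting on the request — oopses without saying why. Assuming the IPC call reports failure through its return value like the rest of that API, capture it first: `int rc = intel_scu_ipc_simple_command(0xf1, 1); if (rc) pr_emerg("mrst: SCU power-off request failed (%d)\n", rc);`, and likewise for the reboot command with argument 0. A short comment that BUG() is the deliberate dead end of a __noreturn function whose request was not honoured would also help, since the original code simply returned here.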
22749diff -urNp linux-3.1.1/arch/x86/platform/uv/tlb_uv.c linux-3.1.1/arch/x86/platform/uv/tlb_uv.c
22750--- linux-3.1.1/arch/x86/platform/uv/tlb_uv.c 2011-11-11 15:19:27.000000000 -0500
22751+++ linux-3.1.1/arch/x86/platform/uv/tlb_uv.c 2011-11-16 19:39:11.000000000 -0500
22752@@ -377,6 +377,8 @@ static void reset_with_ipi(struct pnmask
22753 struct bau_control *smaster = bcp->socket_master;
22754 struct reset_args reset_args;
22755
22756+ pax_track_stack();
22757+
22758 reset_args.sender = sender;
22759 cpus_clear(*mask);
22760 /* find a single cpu for each uvhub in this distribution mask */
22761diff -urNp linux-3.1.1/arch/x86/power/cpu.c linux-3.1.1/arch/x86/power/cpu.c
22762--- linux-3.1.1/arch/x86/power/cpu.c 2011-11-11 15:19:27.000000000 -0500
22763+++ linux-3.1.1/arch/x86/power/cpu.c 2011-11-16 18:39:07.000000000 -0500
22764@@ -130,7 +130,7 @@ static void do_fpu_end(void)
22765 static void fix_processor_context(void)
22766 {
22767 int cpu = smp_processor_id();
22768- struct tss_struct *t = &per_cpu(init_tss, cpu);
22769+ struct tss_struct *t = init_tss + cpu;
22770
22771 set_tss_desc(cpu, t); /*
22772 * This just modifies memory; should not be
22773@@ -140,7 +140,9 @@ static void fix_processor_context(void)
22774 */
22775
22776 #ifdef CONFIG_X86_64
22777+ pax_open_kernel();
22778 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
22779+ pax_close_kernel();
22780
22781 syscall_init(); /* This sets MSR_*STAR and related */
22782 #endif
22783diff -urNp linux-3.1.1/arch/x86/vdso/Makefile linux-3.1.1/arch/x86/vdso/Makefile
22784--- linux-3.1.1/arch/x86/vdso/Makefile 2011-11-11 15:19:27.000000000 -0500
22785+++ linux-3.1.1/arch/x86/vdso/Makefile 2011-11-16 18:39:07.000000000 -0500
22786@@ -137,7 +137,7 @@ quiet_cmd_vdso = VDSO $@
22787 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
22788 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
22789
22790-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
22791+VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
22792 GCOV_PROFILE := n
22793
22794 #
22795diff -urNp linux-3.1.1/arch/x86/vdso/vdso32-setup.c linux-3.1.1/arch/x86/vdso/vdso32-setup.c
22796--- linux-3.1.1/arch/x86/vdso/vdso32-setup.c 2011-11-11 15:19:27.000000000 -0500
22797+++ linux-3.1.1/arch/x86/vdso/vdso32-setup.c 2011-11-16 18:39:07.000000000 -0500
22798@@ -25,6 +25,7 @@
22799 #include <asm/tlbflush.h>
22800 #include <asm/vdso.h>
22801 #include <asm/proto.h>
22802+#include <asm/mman.h>
22803
22804 enum {
22805 VDSO_DISABLED = 0,
22806@@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
22807 void enable_sep_cpu(void)
22808 {
22809 int cpu = get_cpu();
22810- struct tss_struct *tss = &per_cpu(init_tss, cpu);
22811+ struct tss_struct *tss = init_tss + cpu;
22812
22813 if (!boot_cpu_has(X86_FEATURE_SEP)) {
22814 put_cpu();
22815@@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
22816 gate_vma.vm_start = FIXADDR_USER_START;
22817 gate_vma.vm_end = FIXADDR_USER_END;
22818 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
22819- gate_vma.vm_page_prot = __P101;
22820+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
22821 /*
22822 * Make sure the vDSO gets into every core dump.
22823 * Dumping its contents makes post-mortem fully interpretable later
22824@@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
22825 if (compat)
22826 addr = VDSO_HIGH_BASE;
22827 else {
22828- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
22829+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
22830 if (IS_ERR_VALUE(addr)) {
22831 ret = addr;
22832 goto up_fail;
22833 }
22834 }
22835
22836- current->mm->context.vdso = (void *)addr;
22837+ current->mm->context.vdso = addr;
22838
22839 if (compat_uses_vma || !compat) {
22840 /*
22841@@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
22842 }
22843
22844 current_thread_info()->sysenter_return =
22845- VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22846+ (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22847
22848 up_fail:
22849 if (ret)
22850- current->mm->context.vdso = NULL;
22851+ current->mm->context.vdso = 0;
22852
22853 up_write(&mm->mmap_sem);
22854
22855@@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
22856
22857 const char *arch_vma_name(struct vm_area_struct *vma)
22858 {
22859- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22860+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22861 return "[vdso]";
22862+
22863+#ifdef CONFIG_PAX_SEGMEXEC
22864+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
22865+ return "[vdso]";
22866+#endif
22867+
22868 return NULL;
22869 }
22870
22871@@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
22872 * Check to see if the corresponding task was created in compat vdso
22873 * mode.
22874 */
22875- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
22876+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
22877 return &gate_vma;
22878 return NULL;
22879 }
22880diff -urNp linux-3.1.1/arch/x86/vdso/vma.c linux-3.1.1/arch/x86/vdso/vma.c
22881--- linux-3.1.1/arch/x86/vdso/vma.c 2011-11-11 15:19:27.000000000 -0500
22882+++ linux-3.1.1/arch/x86/vdso/vma.c 2011-11-16 18:39:07.000000000 -0500
22883@@ -16,8 +16,6 @@
22884 #include <asm/vdso.h>
22885 #include <asm/page.h>
22886
22887-unsigned int __read_mostly vdso_enabled = 1;
22888-
22889 extern char vdso_start[], vdso_end[];
22890 extern unsigned short vdso_sync_cpuid;
22891
22892@@ -97,13 +95,15 @@ static unsigned long vdso_addr(unsigned
22893 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
22894 {
22895 struct mm_struct *mm = current->mm;
22896- unsigned long addr;
22897+ unsigned long addr = 0;
22898 int ret;
22899
22900- if (!vdso_enabled)
22901- return 0;
22902-
22903 down_write(&mm->mmap_sem);
22904+
22905+#ifdef CONFIG_PAX_RANDMMAP
22906+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
22907+#endif
22908+
22909 addr = vdso_addr(mm->start_stack, vdso_size);
22910 addr = get_unmapped_area(NULL, addr, vdso_size, 0, 0);
22911 if (IS_ERR_VALUE(addr)) {
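Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the unbraced `addr = vdso_addr(...)` after the `#endif` is fragile: which statement is conditional is decided by adjacency across a preprocessor boundary, and inserting one line there silently changes behaviour. Brace the body on its own line under the `#endif` (`{ addr = vdso_addr(mm->start_stack, vdso_size); }`), or move the condition into a small static helper that returns the hint. Separately, removing `vdso_enabled` and the `vdso=` setup leaves `vdso=` documented in Documentation/kernel-parameters.txt, which this patch also edits, unless another hunk drops that entry, and any remaining extern reference to vdso_enabled would now fail to link. The rest of arch_setup_additional_pages runs past the end of this hunk.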
22912@@ -111,26 +111,18 @@ int arch_setup_additional_pages(struct l
22913 goto up_fail;
22914 }
22915
22916- current->mm->context.vdso = (void *)addr;
22917+ mm->context.vdso = addr;
22918
22919 ret = install_special_mapping(mm, addr, vdso_size,
22920 VM_READ|VM_EXEC|
22921 VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC|
22922 VM_ALWAYSDUMP,
22923 vdso_pages);
22924- if (ret) {
22925- current->mm->context.vdso = NULL;
22926- goto up_fail;
22927- }
22928+
22929+ if (ret)
22930+ mm->context.vdso = 0;
22931
22932 up_fail:
22933 up_write(&mm->mmap_sem);
22934 return ret;
22935 }
22936-
22937-static __init int vdso_setup(char *s)
22938-{
22939- vdso_enabled = simple_strtoul(s, NULL, 0);
22940- return 0;
22941-}
22942-__setup("vdso=", vdso_setup);
22943diff -urNp linux-3.1.1/arch/x86/xen/enlighten.c linux-3.1.1/arch/x86/xen/enlighten.c
22944--- linux-3.1.1/arch/x86/xen/enlighten.c 2011-11-11 15:19:27.000000000 -0500
22945+++ linux-3.1.1/arch/x86/xen/enlighten.c 2011-11-16 18:39:07.000000000 -0500
22946@@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
22947
22948 struct shared_info xen_dummy_shared_info;
22949
22950-void *xen_initial_gdt;
22951-
22952 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
22953 __read_mostly int xen_have_vector_callback;
22954 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
22955@@ -1028,7 +1026,7 @@ static const struct pv_apic_ops xen_apic
22956 #endif
22957 };
22958
22959-static void xen_reboot(int reason)
22960+static __noreturn void xen_reboot(int reason)
22961 {
22962 struct sched_shutdown r = { .reason = reason };
22963
22964@@ -1036,17 +1034,17 @@ static void xen_reboot(int reason)
22965 BUG();
22966 }
22967
22968-static void xen_restart(char *msg)
22969+static __noreturn void xen_restart(char *msg)
22970 {
22971 xen_reboot(SHUTDOWN_reboot);
22972 }
22973
22974-static void xen_emergency_restart(void)
22975+static __noreturn void xen_emergency_restart(void)
22976 {
22977 xen_reboot(SHUTDOWN_reboot);
22978 }
22979
22980-static void xen_machine_halt(void)
22981+static __noreturn void xen_machine_halt(void)
22982 {
22983 xen_reboot(SHUTDOWN_poweroff);
22984 }
22985@@ -1152,7 +1150,17 @@ asmlinkage void __init xen_start_kernel(
22986 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
22987
22988 /* Work out if we support NX */
22989- x86_configure_nx();
22990+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
22991+ if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
22992+ (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
22993+ unsigned l, h;
22994+
22995+ __supported_pte_mask |= _PAGE_NX;
22996+ rdmsr(MSR_EFER, l, h);
22997+ l |= EFER_NX;
22998+ wrmsr(MSR_EFER, l, h);
22999+ }
23000+#endif
23001
23002 xen_setup_features();
23003
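Review bot: The inline replacement for x86_configure_nx() does more than the call it removes: besides setting _PAGE_NX in __supported_pte_mask it reads and writes MSR_EFER with the plain rdmsr/wrmsr pair, and in a PV guest that write traps to the hypervisor, whose response (honoured, silently ignored, or a #GP) is not checked here — a fault this early in xen_start_kernel is fatal. Prefer the checked form and tolerate refusal, e.g. `if (wrmsr_safe(MSR_EFER, l, h)) pr_warn("xen: hypervisor refused EFER.NX, relying on its default\n");`, or drop the EFER write if the hypervisor already manages NX for PV guests. If bypassing the native feature and `noexec=` handling that x86_configure_nx() presumably applied is intentional under PaX, a one-line comment saying so will stop the next reader from restoring the call.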
23004@@ -1183,13 +1191,6 @@ asmlinkage void __init xen_start_kernel(
23005
23006 machine_ops = xen_machine_ops;
23007
23008- /*
23009- * The only reliable way to retain the initial address of the
23010- * percpu gdt_page is to remember it here, so we can go and
23011- * mark it RW later, when the initial percpu area is freed.
23012- */
23013- xen_initial_gdt = &per_cpu(gdt_page, 0);
23014-
23015 xen_smp_init();
23016
23017 #ifdef CONFIG_ACPI_NUMA
23018diff -urNp linux-3.1.1/arch/x86/xen/mmu.c linux-3.1.1/arch/x86/xen/mmu.c
23019--- linux-3.1.1/arch/x86/xen/mmu.c 2011-11-11 15:19:27.000000000 -0500
23020+++ linux-3.1.1/arch/x86/xen/mmu.c 2011-11-16 18:39:07.000000000 -0500
23021@@ -1768,6 +1768,8 @@ pgd_t * __init xen_setup_kernel_pagetabl
23022 convert_pfn_mfn(init_level4_pgt);
23023 convert_pfn_mfn(level3_ident_pgt);
23024 convert_pfn_mfn(level3_kernel_pgt);
23025+ convert_pfn_mfn(level3_vmalloc_pgt);
23026+ convert_pfn_mfn(level3_vmemmap_pgt);
23027
23028 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
23029 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
23030@@ -1786,7 +1788,10 @@ pgd_t * __init xen_setup_kernel_pagetabl
23031 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
23032 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
23033 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
23034+ set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
23035+ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
23036 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
23037+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
23038 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
23039 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
23040
23041@@ -2000,6 +2005,7 @@ static void __init xen_post_allocator_in
23042 pv_mmu_ops.set_pud = xen_set_pud;
23043 #if PAGETABLE_LEVELS == 4
23044 pv_mmu_ops.set_pgd = xen_set_pgd;
23045+ pv_mmu_ops.set_pgd_batched = xen_set_pgd;
23046 #endif
23047
23048 /* This will work as long as patching hasn't happened yet
23049@@ -2081,6 +2087,7 @@ static const struct pv_mmu_ops xen_mmu_o
23050 .pud_val = PV_CALLEE_SAVE(xen_pud_val),
23051 .make_pud = PV_CALLEE_SAVE(xen_make_pud),
23052 .set_pgd = xen_set_pgd_hyper,
23053+ .set_pgd_batched = xen_set_pgd_hyper,
23054
23055 .alloc_pud = xen_alloc_pmd_init,
23056 .release_pud = xen_release_pmd_init,
23057diff -urNp linux-3.1.1/arch/x86/xen/smp.c linux-3.1.1/arch/x86/xen/smp.c
23058--- linux-3.1.1/arch/x86/xen/smp.c 2011-11-11 15:19:27.000000000 -0500
23059+++ linux-3.1.1/arch/x86/xen/smp.c 2011-11-16 18:39:07.000000000 -0500
23060@@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
23061 {
23062 BUG_ON(smp_processor_id() != 0);
23063 native_smp_prepare_boot_cpu();
23064-
23065- /* We've switched to the "real" per-cpu gdt, so make sure the
23066- old memory can be recycled */
23067- make_lowmem_page_readwrite(xen_initial_gdt);
23068-
23069 xen_filter_cpu_maps();
23070 xen_setup_vcpu_info_placement();
23071 }
23072@@ -275,12 +270,12 @@ cpu_initialize_context(unsigned int cpu,
23073 gdt = get_cpu_gdt_table(cpu);
23074
23075 ctxt->flags = VGCF_IN_KERNEL;
23076- ctxt->user_regs.ds = __USER_DS;
23077- ctxt->user_regs.es = __USER_DS;
23078+ ctxt->user_regs.ds = __KERNEL_DS;
23079+ ctxt->user_regs.es = __KERNEL_DS;
23080 ctxt->user_regs.ss = __KERNEL_DS;
23081 #ifdef CONFIG_X86_32
23082 ctxt->user_regs.fs = __KERNEL_PERCPU;
23083- ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
23084+ savesegment(gs, ctxt->user_regs.gs);
23085 #else
23086 ctxt->gs_base_kernel = per_cpu_offset(cpu);
23087 #endif
23088@@ -331,13 +326,12 @@ static int __cpuinit xen_cpu_up(unsigned
23089 int rc;
23090
23091 per_cpu(current_task, cpu) = idle;
23092+ per_cpu(current_tinfo, cpu) = &idle->tinfo;
23093 #ifdef CONFIG_X86_32
23094 irq_ctx_init(cpu);
23095 #else
23096 clear_tsk_thread_flag(idle, TIF_FORK);
23097- per_cpu(kernel_stack, cpu) =
23098- (unsigned long)task_stack_page(idle) -
23099- KERNEL_STACK_OFFSET + THREAD_SIZE;
23100+ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
23101 #endif
23102 xen_setup_runstate_info(cpu);
23103 xen_setup_timer(cpu);
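Review bot: The kernel_stack computation replaces the named KERNEL_STACK_OFFSET with a bare `16`, so the reader loses what the gap at the top of the idle stack is for and how it is kept in step with the entry code that relies on it. If the same value is defined or computed elsewhere in the patch (the native SMP boot path, most likely), use that identifier here; otherwise give it one, e.g. `/* 16: the top-of-stack slack the native boot path leaves; keep the two in sync */` — worded as an assumption to confirm, since that path is not in this hunk. The new `savesegment(gs, ctxt->user_regs.gs)` in the previous hunk likewise swaps a self-documenting constant for whatever %gs the booting CPU holds and deserves a comment on why that is now the right value.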
23104diff -urNp linux-3.1.1/arch/x86/xen/xen-asm_32.S linux-3.1.1/arch/x86/xen/xen-asm_32.S
23105--- linux-3.1.1/arch/x86/xen/xen-asm_32.S 2011-11-11 15:19:27.000000000 -0500
23106+++ linux-3.1.1/arch/x86/xen/xen-asm_32.S 2011-11-16 18:39:07.000000000 -0500
23107@@ -83,14 +83,14 @@ ENTRY(xen_iret)
23108 ESP_OFFSET=4 # bytes pushed onto stack
23109
23110 /*
23111- * Store vcpu_info pointer for easy access. Do it this way to
23112- * avoid having to reload %fs
23113+ * Store vcpu_info pointer for easy access.
23114 */
23115 #ifdef CONFIG_SMP
23116- GET_THREAD_INFO(%eax)
23117- movl TI_cpu(%eax), %eax
23118- movl __per_cpu_offset(,%eax,4), %eax
23119- mov xen_vcpu(%eax), %eax
23120+ push %fs
23121+ mov $(__KERNEL_PERCPU), %eax
23122+ mov %eax, %fs
23123+ mov PER_CPU_VAR(xen_vcpu), %eax
23124+ pop %fs
23125 #else
23126 movl xen_vcpu, %eax
23127 #endif
23128diff -urNp linux-3.1.1/arch/x86/xen/xen-head.S linux-3.1.1/arch/x86/xen/xen-head.S
23129--- linux-3.1.1/arch/x86/xen/xen-head.S 2011-11-11 15:19:27.000000000 -0500
23130+++ linux-3.1.1/arch/x86/xen/xen-head.S 2011-11-16 18:39:07.000000000 -0500
23131@@ -19,6 +19,17 @@ ENTRY(startup_xen)
23132 #ifdef CONFIG_X86_32
23133 mov %esi,xen_start_info
23134 mov $init_thread_union+THREAD_SIZE,%esp
23135+#ifdef CONFIG_SMP
23136+ movl $cpu_gdt_table,%edi
23137+ movl $__per_cpu_load,%eax
23138+ movw %ax,__KERNEL_PERCPU + 2(%edi)
23139+ rorl $16,%eax
23140+ movb %al,__KERNEL_PERCPU + 4(%edi)
23141+ movb %ah,__KERNEL_PERCPU + 7(%edi)
23142+ movl $__per_cpu_end - 1,%eax
23143+ subl $__per_cpu_start,%eax
23144+ movw %ax,__KERNEL_PERCPU + 0(%edi)
23145+#endif
23146 #else
23147 mov %rsi,xen_start_info
23148 mov $init_thread_union+THREAD_SIZE,%rsp
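Review bot: The descriptor limit is stored with a single `movw` into bytes 0–1 of the __KERNEL_PERCPU entry, so only limit[15:0] is updated; limit[19:16] (the low nibble of byte 6) and the granularity bit keep whatever cpu_gdt_table was initialised with, and nothing here checks that `__per_cpu_end - __per_cpu_start` fits in 16 bits. Either write the upper nibble as well, or record the assumption where it will be seen: `/* limit[15:0] only: the per-cpu area must stay below 64 KiB, or byte 6 needs updating too */`. The same instruction sequence presumably exists in the native 32-bit startup code of this patch; if so, a shared macro would keep the two copies from drifting.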
23149diff -urNp linux-3.1.1/arch/x86/xen/xen-ops.h linux-3.1.1/arch/x86/xen/xen-ops.h
23150--- linux-3.1.1/arch/x86/xen/xen-ops.h 2011-11-11 15:19:27.000000000 -0500
23151+++ linux-3.1.1/arch/x86/xen/xen-ops.h 2011-11-16 18:39:07.000000000 -0500
23152@@ -10,8 +10,6 @@
23153 extern const char xen_hypervisor_callback[];
23154 extern const char xen_failsafe_callback[];
23155
23156-extern void *xen_initial_gdt;
23157-
23158 struct trap_info;
23159 void xen_copy_trap_info(struct trap_info *traps);
23160
23161diff -urNp linux-3.1.1/block/blk-iopoll.c linux-3.1.1/block/blk-iopoll.c
23162--- linux-3.1.1/block/blk-iopoll.c 2011-11-11 15:19:27.000000000 -0500
23163+++ linux-3.1.1/block/blk-iopoll.c 2011-11-16 18:39:07.000000000 -0500
23164@@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
23165 }
23166 EXPORT_SYMBOL(blk_iopoll_complete);
23167
23168-static void blk_iopoll_softirq(struct softirq_action *h)
23169+static void blk_iopoll_softirq(void)
23170 {
23171 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
23172 int rearm = 0, budget = blk_iopoll_budget;
23173diff -urNp linux-3.1.1/block/blk-map.c linux-3.1.1/block/blk-map.c
23174--- linux-3.1.1/block/blk-map.c 2011-11-11 15:19:27.000000000 -0500
23175+++ linux-3.1.1/block/blk-map.c 2011-11-16 18:39:07.000000000 -0500
23176@@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
23177 if (!len || !kbuf)
23178 return -EINVAL;
23179
23180- do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
23181+ do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
23182 if (do_copy)
23183 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
23184 else
23185diff -urNp linux-3.1.1/block/blk-softirq.c linux-3.1.1/block/blk-softirq.c
23186--- linux-3.1.1/block/blk-softirq.c 2011-11-11 15:19:27.000000000 -0500
23187+++ linux-3.1.1/block/blk-softirq.c 2011-11-16 18:39:07.000000000 -0500
23188@@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
23189 * Softirq action handler - move entries to local list and loop over them
23190 * while passing them to the queue registered handler.
23191 */
23192-static void blk_done_softirq(struct softirq_action *h)
23193+static void blk_done_softirq(void)
23194 {
23195 struct list_head *cpu_list, local_list;
23196
23197diff -urNp linux-3.1.1/block/bsg.c linux-3.1.1/block/bsg.c
23198--- linux-3.1.1/block/bsg.c 2011-11-11 15:19:27.000000000 -0500
23199+++ linux-3.1.1/block/bsg.c 2011-11-16 18:39:07.000000000 -0500
23200@@ -176,16 +176,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
23201 struct sg_io_v4 *hdr, struct bsg_device *bd,
23202 fmode_t has_write_perm)
23203 {
23204+ unsigned char tmpcmd[sizeof(rq->__cmd)];
23205+ unsigned char *cmdptr;
23206+
23207 if (hdr->request_len > BLK_MAX_CDB) {
23208 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
23209 if (!rq->cmd)
23210 return -ENOMEM;
23211- }
23212+ cmdptr = rq->cmd;
23213+ } else
23214+ cmdptr = tmpcmd;
23215
23216- if (copy_from_user(rq->cmd, (void __user *)(unsigned long)hdr->request,
23217+ if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
23218 hdr->request_len))
23219 return -EFAULT;
23220
23221+ if (cmdptr != rq->cmd)
23222+ memcpy(rq->cmd, cmdptr, hdr->request_len);
23223+
23224 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
23225 if (blk_verify_command(rq->cmd, has_write_perm))
23226 return -EPERM;
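Review bot: The bounce through the stack `tmpcmd` has no comment saying why the user copy can no longer target `rq->cmd` directly in the small-CDB case while the large-CDB path still copies straight into the kzalloc'd buffer, so a reader without the patch's context will be tempted to simplify it back. Add the presumed rationale above the declaration, e.g. `/* small CDBs live in rq->__cmd, embedded in struct request; stage the user copy in a plain stack array so the copy target is a standalone object of known size */`, hedged if the motive is really the usercopy checking that lives elsewhere in the patch. The sizing is sound as far as this hunk shows: the else branch is only reached for request_len <= BLK_MAX_CDB, and tmpcmd is sizeof(rq->__cmd), which should be that same constant.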
23227diff -urNp linux-3.1.1/block/compat_ioctl.c linux-3.1.1/block/compat_ioctl.c
23228--- linux-3.1.1/block/compat_ioctl.c 2011-11-11 15:19:27.000000000 -0500
23229+++ linux-3.1.1/block/compat_ioctl.c 2011-11-16 18:39:07.000000000 -0500
23230@@ -340,7 +340,7 @@ static int compat_fd_ioctl(struct block_
23231 err |= __get_user(f->spec1, &uf->spec1);
23232 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
23233 err |= __get_user(name, &uf->name);
23234- f->name = compat_ptr(name);
23235+ f->name = (void __force_kernel *)compat_ptr(name);
23236 if (err) {
23237 err = -EFAULT;
23238 goto out;
23239diff -urNp linux-3.1.1/block/scsi_ioctl.c linux-3.1.1/block/scsi_ioctl.c
23240--- linux-3.1.1/block/scsi_ioctl.c 2011-11-11 15:19:27.000000000 -0500
23241+++ linux-3.1.1/block/scsi_ioctl.c 2011-11-16 18:39:07.000000000 -0500
23242@@ -222,8 +222,20 @@ EXPORT_SYMBOL(blk_verify_command);
23243 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
23244 struct sg_io_hdr *hdr, fmode_t mode)
23245 {
23246- if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
23247+ unsigned char tmpcmd[sizeof(rq->__cmd)];
23248+ unsigned char *cmdptr;
23249+
23250+ if (rq->cmd != rq->__cmd)
23251+ cmdptr = rq->cmd;
23252+ else
23253+ cmdptr = tmpcmd;
23254+
23255+ if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
23256 return -EFAULT;
23257+
23258+ if (cmdptr != rq->cmd)
23259+ memcpy(rq->cmd, cmdptr, hdr->cmd_len);
23260+
23261 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
23262 return -EPERM;
23263
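Review bot: blk_fill_sghdr_rq now writes hdr->cmd_len bytes into a fixed stack array of sizeof(rq->__cmd) whenever rq->cmd still points at rq->__cmd, but the only bound on cmd_len is whatever the caller checked before entry, which is outside this hunk; the function that owns the fixed-size buffer should enforce the bound itself: `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;` before the copy_from_user. The second hunk below has the same shape with `cmdlen`, which is derived from the opcode earlier in sg_scsi_ioctl and so is presumably bounded, but a one-line guard there is equally cheap. A short comment on why the user copy is staged rather than done into rq->__cmd directly would also help, as the intent is not visible from the code.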
23264@@ -432,6 +444,8 @@ int sg_scsi_ioctl(struct request_queue *
23265 int err;
23266 unsigned int in_len, out_len, bytes, opcode, cmdlen;
23267 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
23268+ unsigned char tmpcmd[sizeof(rq->__cmd)];
23269+ unsigned char *cmdptr;
23270
23271 if (!sic)
23272 return -EINVAL;
23273@@ -465,9 +479,18 @@ int sg_scsi_ioctl(struct request_queue *
23274 */
23275 err = -EFAULT;
23276 rq->cmd_len = cmdlen;
23277- if (copy_from_user(rq->cmd, sic->data, cmdlen))
23278+
23279+ if (rq->cmd != rq->__cmd)
23280+ cmdptr = rq->cmd;
23281+ else
23282+ cmdptr = tmpcmd;
23283+
23284+ if (copy_from_user(cmdptr, sic->data, cmdlen))
23285 goto error;
23286
23287+ if (rq->cmd != cmdptr)
23288+ memcpy(rq->cmd, cmdptr, cmdlen);
23289+
23290 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
23291 goto error;
23292
23293diff -urNp linux-3.1.1/crypto/cryptd.c linux-3.1.1/crypto/cryptd.c
23294--- linux-3.1.1/crypto/cryptd.c 2011-11-11 15:19:27.000000000 -0500
23295+++ linux-3.1.1/crypto/cryptd.c 2011-11-16 18:39:07.000000000 -0500
23296@@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx {
23297
23298 struct cryptd_blkcipher_request_ctx {
23299 crypto_completion_t complete;
23300-};
23301+} __no_const;
23302
23303 struct cryptd_hash_ctx {
23304 struct crypto_shash *child;
23305@@ -80,7 +80,7 @@ struct cryptd_aead_ctx {
23306
23307 struct cryptd_aead_request_ctx {
23308 crypto_completion_t complete;
23309-};
23310+} __no_const;
23311
23312 static void cryptd_queue_worker(struct work_struct *work);
23313
23314diff -urNp linux-3.1.1/crypto/serpent.c linux-3.1.1/crypto/serpent.c
23315--- linux-3.1.1/crypto/serpent.c 2011-11-11 15:19:27.000000000 -0500
23316+++ linux-3.1.1/crypto/serpent.c 2011-11-16 18:40:10.000000000 -0500
23317@@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
23318 u32 r0,r1,r2,r3,r4;
23319 int i;
23320
23321+ pax_track_stack();
23322+
23323 /* Copy key, add padding */
23324
23325 for (i = 0; i < keylen; ++i)
23326diff -urNp linux-3.1.1/Documentation/dontdiff linux-3.1.1/Documentation/dontdiff
23327--- linux-3.1.1/Documentation/dontdiff 2011-11-11 15:19:27.000000000 -0500
23328+++ linux-3.1.1/Documentation/dontdiff 2011-11-16 18:39:07.000000000 -0500
23329@@ -5,6 +5,7 @@
23330 *.cis
23331 *.cpio
23332 *.csp
23333+*.dbg
23334 *.dsp
23335 *.dvi
23336 *.elf
23337@@ -48,9 +49,11 @@
23338 *.tab.h
23339 *.tex
23340 *.ver
23341+*.vim
23342 *.xml
23343 *.xz
23344 *_MODULES
23345+*_reg_safe.h
23346 *_vga16.c
23347 *~
23348 \#*#
23349@@ -70,6 +73,7 @@ Kerntypes
23350 Module.markers
23351 Module.symvers
23352 PENDING
23353+PERF*
23354 SCCS
23355 System.map*
23356 TAGS
23357@@ -93,19 +97,24 @@ bounds.h
23358 bsetup
23359 btfixupprep
23360 build
23361+builtin-policy.h
23362 bvmlinux
23363 bzImage*
23364 capability_names.h
23365 capflags.c
23366 classlist.h*
23367+clut_vga16.c
23368+common-cmds.h
23369 comp*.log
23370 compile.h*
23371 conf
23372 config
23373 config-*
23374 config_data.h*
23375+config.c
23376 config.mak
23377 config.mak.autogen
23378+config.tmp
23379 conmakehash
23380 consolemap_deftbl.c*
23381 cpustr.h
23382@@ -119,6 +128,7 @@ dslm
23383 elf2ecoff
23384 elfconfig.h*
23385 evergreen_reg_safe.h
23386+exception_policy.conf
23387 fixdep
23388 flask.h
23389 fore200e_mkfirm
23390@@ -126,12 +136,14 @@ fore200e_pca_fw.c*
23391 gconf
23392 gconf.glade.h
23393 gen-devlist
23394+gen-kdb_cmds.c
23395 gen_crc32table
23396 gen_init_cpio
23397 generated
23398 genheaders
23399 genksyms
23400 *_gray256.c
23401+hash
23402 hpet_example
23403 hugepage-mmap
23404 hugepage-shm
23405@@ -146,7 +158,7 @@ int32.c
23406 int4.c
23407 int8.c
23408 kallsyms
23409-kconfig
23410+kern_constants.h
23411 keywords.c
23412 ksym.c*
23413 ksym.h*
23414@@ -154,7 +166,6 @@ kxgettext
23415 lkc_defs.h
23416 lex.c
23417 lex.*.c
23418-linux
23419 logo_*.c
23420 logo_*_clut224.c
23421 logo_*_mono.c
23422@@ -166,7 +177,6 @@ machtypes.h
23423 map
23424 map_hugetlb
23425 maui_boot.h
23426-media
23427 mconf
23428 miboot*
23429 mk_elfconfig
23430@@ -174,6 +184,7 @@ mkboot
23431 mkbugboot
23432 mkcpustr
23433 mkdep
23434+mkpiggy
23435 mkprep
23436 mkregtable
23437 mktables
23438@@ -209,6 +220,7 @@ r300_reg_safe.h
23439 r420_reg_safe.h
23440 r600_reg_safe.h
23441 recordmcount
23442+regdb.c
23443 relocs
23444 rlim_names.h
23445 rn50_reg_safe.h
23446@@ -219,6 +231,7 @@ setup
23447 setup.bin
23448 setup.elf
23449 sImage
23450+slabinfo
23451 sm_tbl*
23452 split-include
23453 syscalltab.h
23454@@ -229,6 +242,7 @@ tftpboot.img
23455 timeconst.h
23456 times.h*
23457 trix_boot.h
23458+user_constants.h
23459 utsrelease.h*
23460 vdso-syms.lds
23461 vdso.lds
23462@@ -246,7 +260,9 @@ vmlinux
23463 vmlinux-*
23464 vmlinux.aout
23465 vmlinux.bin.all
23466+vmlinux.bin.bz2
23467 vmlinux.lds
23468+vmlinux.relocs
23469 vmlinuz
23470 voffset.h
23471 vsyscall.lds
23472@@ -254,9 +270,11 @@ vsyscall_32.lds
23473 wanxlfw.inc
23474 uImage
23475 unifdef
23476+utsrelease.h
23477 wakeup.bin
23478 wakeup.elf
23479 wakeup.lds
23480 zImage*
23481 zconf.hash.c
23482+zconf.lex.c
23483 zoffset.h
23484diff -urNp linux-3.1.1/Documentation/kernel-parameters.txt linux-3.1.1/Documentation/kernel-parameters.txt
23485--- linux-3.1.1/Documentation/kernel-parameters.txt 2011-11-11 15:19:27.000000000 -0500
23486+++ linux-3.1.1/Documentation/kernel-parameters.txt 2011-11-16 18:39:07.000000000 -0500
23487@@ -1898,6 +1898,13 @@ bytes respectively. Such letter suffixes
23488 the specified number of seconds. This is to be used if
23489 your oopses keep scrolling off the screen.
23490
23491+ pax_nouderef [X86] disables UDEREF. Most likely needed under certain
23492+ virtualization environments that don't cope well with the
23493+ expand down segment used by UDEREF on X86-32 or the frequent
23494+ page table updates on X86-64.
23495+
23496+ pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
23497+
23498 pcbit= [HW,ISDN]
23499
23500 pcd. [PARIDE]
23501diff -urNp linux-3.1.1/drivers/acpi/apei/cper.c linux-3.1.1/drivers/acpi/apei/cper.c
23502--- linux-3.1.1/drivers/acpi/apei/cper.c 2011-11-11 15:19:27.000000000 -0500
23503+++ linux-3.1.1/drivers/acpi/apei/cper.c 2011-11-16 18:39:07.000000000 -0500
23504@@ -38,12 +38,12 @@
23505 */
23506 u64 cper_next_record_id(void)
23507 {
23508- static atomic64_t seq;
23509+ static atomic64_unchecked_t seq;
23510
23511- if (!atomic64_read(&seq))
23512- atomic64_set(&seq, ((u64)get_seconds()) << 32);
23513+ if (!atomic64_read_unchecked(&seq))
23514+ atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
23515
23516- return atomic64_inc_return(&seq);
23517+ return atomic64_inc_return_unchecked(&seq);
23518 }
23519 EXPORT_SYMBOL_GPL(cper_next_record_id);
23520
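Review bot: The switch to atomic64_unchecked_t is the opt-out from the patch's overflow checking and needs a comment, because the next reader will ask why a counter seeded with the boot time in its upper 32 bits is exempt. Something like `/* record id, not a refcount: wrapping is harmless, so use the unchecked variant */` above the declaration settles it. The read-then-set seeding on first use is not atomic and two early callers could both seed it, but that is pre-existing rather than introduced here.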
23521diff -urNp linux-3.1.1/drivers/acpi/ec_sys.c linux-3.1.1/drivers/acpi/ec_sys.c
23522--- linux-3.1.1/drivers/acpi/ec_sys.c 2011-11-11 15:19:27.000000000 -0500
23523+++ linux-3.1.1/drivers/acpi/ec_sys.c 2011-11-16 18:39:07.000000000 -0500
23524@@ -11,6 +11,7 @@
23525 #include <linux/kernel.h>
23526 #include <linux/acpi.h>
23527 #include <linux/debugfs.h>
23528+#include <asm/uaccess.h>
23529 #include "internal.h"
23530
23531 MODULE_AUTHOR("Thomas Renninger <trenn@suse.de>");
23532@@ -39,7 +40,7 @@ static ssize_t acpi_ec_read_io(struct fi
23533 * struct acpi_ec *ec = ((struct seq_file *)f->private_data)->private;
23534 */
23535 unsigned int size = EC_SPACE_SIZE;
23536- u8 *data = (u8 *) buf;
23537+ u8 data;
23538 loff_t init_off = *off;
23539 int err = 0;
23540
23541@@ -52,9 +53,11 @@ static ssize_t acpi_ec_read_io(struct fi
23542 size = count;
23543
23544 while (size) {
23545- err = ec_read(*off, &data[*off - init_off]);
23546+ err = ec_read(*off, &data);
23547 if (err)
23548 return err;
23549+ if (put_user(data, &buf[*off - init_off]))
23550+ return -EFAULT;
23551 *off += 1;
23552 size--;
23553 }
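Review bot: When put_user() fails partway through the loop the new code returns -EFAULT even though earlier bytes were already delivered and `*off` has already been advanced past them, so a read(2) caller loses the partial count that the file position now reflects. Return the bytes actually transferred when there are any: `if (put_user(data, &buf[*off - init_off])) return *off - init_off ? *off - init_off : -EFAULT;`. The pre-existing ec_read() error return has the same shape but is not this change's doing, and the function's normal return is outside the hunk. The write side in the next hunk has the matching get_user() case.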
23554@@ -70,7 +73,6 @@ static ssize_t acpi_ec_write_io(struct f
23555
23556 unsigned int size = count;
23557 loff_t init_off = *off;
23558- u8 *data = (u8 *) buf;
23559 int err = 0;
23560
23561 if (*off >= EC_SPACE_SIZE)
23562@@ -81,7 +83,9 @@ static ssize_t acpi_ec_write_io(struct f
23563 }
23564
23565 while (size) {
23566- u8 byte_write = data[*off - init_off];
23567+ u8 byte_write;
23568+ if (get_user(byte_write, &buf[*off - init_off]))
23569+ return -EFAULT;
23570 err = ec_write(*off, byte_write);
23571 if (err)
23572 return err;
23573diff -urNp linux-3.1.1/drivers/acpi/proc.c linux-3.1.1/drivers/acpi/proc.c
23574--- linux-3.1.1/drivers/acpi/proc.c 2011-11-11 15:19:27.000000000 -0500
23575+++ linux-3.1.1/drivers/acpi/proc.c 2011-11-16 18:39:07.000000000 -0500
23576@@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
23577 size_t count, loff_t * ppos)
23578 {
23579 struct list_head *node, *next;
23580- char strbuf[5];
23581- char str[5] = "";
23582- unsigned int len = count;
23583-
23584- if (len > 4)
23585- len = 4;
23586- if (len < 0)
23587- return -EFAULT;
23588+ char strbuf[5] = {0};
23589
23590- if (copy_from_user(strbuf, buffer, len))
23591+ if (count > 4)
23592+ count = 4;
23593+ if (copy_from_user(strbuf, buffer, count))
23594 return -EFAULT;
23595- strbuf[len] = '\0';
23596- sscanf(strbuf, "%s", str);
23597+ strbuf[count] = '\0';
23598
23599 mutex_lock(&acpi_device_lock);
23600 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
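Review bot: Dropping the sscanf(strbuf, "%s", str) step changes what matches, because %s skipped leading whitespace and stopped at the first whitespace: `echo LID > /proc/acpi/wakeup` arrives as "LID\n", which previously compared as "LID" but now carries the newline into the strncmp(..., 4) in the next hunk and no longer matches a three-character bus_id. Keep the trimming without sscanf, e.g. `strbuf[strcspn(strbuf, " \t\n")] = '\0';` right after the terminator is written. Also, `count` itself is now clamped to 4 where the old code clamped a separate `len`; if the function still ends with `return count;` (outside this hunk), a five-byte write is now reported as short, which the old version avoided.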
23601@@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
23602 if (!dev->wakeup.flags.valid)
23603 continue;
23604
23605- if (!strncmp(dev->pnp.bus_id, str, 4)) {
23606+ if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
23607 if (device_can_wakeup(&dev->dev)) {
23608 bool enable = !device_may_wakeup(&dev->dev);
23609 device_set_wakeup_enable(&dev->dev, enable);
23610diff -urNp linux-3.1.1/drivers/acpi/processor_driver.c linux-3.1.1/drivers/acpi/processor_driver.c
23611--- linux-3.1.1/drivers/acpi/processor_driver.c 2011-11-11 15:19:27.000000000 -0500
23612+++ linux-3.1.1/drivers/acpi/processor_driver.c 2011-11-16 18:39:07.000000000 -0500
23613@@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
23614 return 0;
23615 #endif
23616
23617- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
23618+ BUG_ON(pr->id >= nr_cpu_ids);
23619
23620 /*
23621 * Buggy BIOS check
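Review bot: The dropped `pr->id < 0` half of the BUG_ON is only redundant if `pr->id` is unsigned, and the hunk does not show the field's type; presumably it is (the old comparison would then have been always false), but a reader of the new line cannot tell that the lower bound is still covered. A short comment makes this explicit: `BUG_ON(pr->id >= nr_cpu_ids); /* id is unsigned, so >= also covers the lower bound */`. acpi_processor_add() begins and ends outside the hunk.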
23622diff -urNp linux-3.1.1/drivers/ata/libata-core.c linux-3.1.1/drivers/ata/libata-core.c
23623--- linux-3.1.1/drivers/ata/libata-core.c 2011-11-11 15:19:27.000000000 -0500
23624+++ linux-3.1.1/drivers/ata/libata-core.c 2011-11-16 18:39:07.000000000 -0500
23625@@ -4733,7 +4733,7 @@ void ata_qc_free(struct ata_queued_cmd *
23626 struct ata_port *ap;
23627 unsigned int tag;
23628
23629- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23630+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23631 ap = qc->ap;
23632
23633 qc->flags = 0;
23634@@ -4749,7 +4749,7 @@ void __ata_qc_complete(struct ata_queued
23635 struct ata_port *ap;
23636 struct ata_link *link;
23637
23638- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23639+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23640 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
23641 ap = qc->ap;
23642 link = qc->dev->link;
23643@@ -5754,6 +5754,7 @@ static void ata_finalize_port_ops(struct
23644 return;
23645
23646 spin_lock(&lock);
23647+ pax_open_kernel();
23648
23649 for (cur = ops->inherits; cur; cur = cur->inherits) {
23650 void **inherit = (void **)cur;
23651@@ -5767,8 +5768,9 @@ static void ata_finalize_port_ops(struct
23652 if (IS_ERR(*pp))
23653 *pp = NULL;
23654
23655- ops->inherits = NULL;
23656+ *(struct ata_port_operations **)&ops->inherits = NULL;
23657
23658+ pax_close_kernel();
23659 spin_unlock(&lock);
23660 }
23661
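Review bot: `*(struct ata_port_operations **)&ops->inherits = NULL;` in the second ata_finalize_port_ops hunk silently casts away a qualifier the hunk does not show — presumably `inherits` became `const` so that ops tables can live in read-only memory, which is also why the write is bracketed by pax_open_kernel()/pax_close_kernel(). Without a comment the cast reads like an aliasing bug; I would add `/* inherits is const so the ops table can be read-only; writing it is only valid inside the pax_open_kernel() window */` above it, and the same applies to `*(void **)&ap->ops->set_piomode = NULL;` in pata_arasan_cf.c. The lines between the two hunks (the inherit loop) are not visible here: any early `return` or `goto` in them would now leave the kernel writable, because the matching pax_close_kernel() sits only in front of spin_unlock(). The function begins above the first hunk.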
23662diff -urNp linux-3.1.1/drivers/ata/libata-eh.c linux-3.1.1/drivers/ata/libata-eh.c
23663--- linux-3.1.1/drivers/ata/libata-eh.c 2011-11-11 15:19:27.000000000 -0500
23664+++ linux-3.1.1/drivers/ata/libata-eh.c 2011-11-16 18:40:10.000000000 -0500
23665@@ -2515,6 +2515,8 @@ void ata_eh_report(struct ata_port *ap)
23666 {
23667 struct ata_link *link;
23668
23669+ pax_track_stack();
23670+
23671 ata_for_each_link(link, ap, HOST_FIRST)
23672 ata_eh_link_report(link);
23673 }
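Review bot: `pax_track_stack()` is placed in ata_eh_report(), whose only local is a pointer, so the frame it is meant to account for presumably comes from ata_eh_link_report() being inlined into it — the hunk does not show that, and if the compiler ever stops inlining the call the marker ends up in the wrong frame. A comment stating the dependency keeps that from being silently lost: `/* pax_track_stack() here assumes ata_eh_link_report() is inlined into this frame */`. The function fits entirely in the hunk.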
23674diff -urNp linux-3.1.1/drivers/ata/pata_arasan_cf.c linux-3.1.1/drivers/ata/pata_arasan_cf.c
23675--- linux-3.1.1/drivers/ata/pata_arasan_cf.c 2011-11-11 15:19:27.000000000 -0500
23676+++ linux-3.1.1/drivers/ata/pata_arasan_cf.c 2011-11-16 18:39:07.000000000 -0500
23677@@ -862,7 +862,9 @@ static int __devinit arasan_cf_probe(str
23678 /* Handle platform specific quirks */
23679 if (pdata->quirk) {
23680 if (pdata->quirk & CF_BROKEN_PIO) {
23681- ap->ops->set_piomode = NULL;
23682+ pax_open_kernel();
23683+ *(void **)&ap->ops->set_piomode = NULL;
23684+ pax_close_kernel();
23685 ap->pio_mask = 0;
23686 }
23687 if (pdata->quirk & CF_BROKEN_MWDMA)
23688diff -urNp linux-3.1.1/drivers/atm/adummy.c linux-3.1.1/drivers/atm/adummy.c
23689--- linux-3.1.1/drivers/atm/adummy.c 2011-11-11 15:19:27.000000000 -0500
23690+++ linux-3.1.1/drivers/atm/adummy.c 2011-11-16 18:39:07.000000000 -0500
23691@@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
23692 vcc->pop(vcc, skb);
23693 else
23694 dev_kfree_skb_any(skb);
23695- atomic_inc(&vcc->stats->tx);
23696+ atomic_inc_unchecked(&vcc->stats->tx);
23697
23698 return 0;
23699 }
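Review bot: These hunks switch the VCC statistics counters from atomic_inc() to atomic_inc_unchecked() without any comment on why these counters are exempt from the overflow check, and the retyping of the `stats->tx`/`rx`/`rx_err`/`rx_drop`/`tx_err` fields to the unchecked atomic type that makes this compile is not in the visible hunks, presumably landing in the atm headers elsewhere in the patch. For statistics counters wrap-around is benign, so the exemption is reasonable, but that rationale belongs next to the field definitions rather than being implied by many call sites; a one-line note such as `/* statistics only: wrap-around is harmless, so not overflow-checked */` at the type change would do. The same conversion is applied in ambassador.c, atmtcp.c, eni.c, firestream.c, fore200e.c, he.c, horizon.c, idt77252.c, iphase.c, lanai.c and nicstar.c, and the idt77252 and nicstar hunks use atomic_add_unchecked() likewise.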
23700diff -urNp linux-3.1.1/drivers/atm/ambassador.c linux-3.1.1/drivers/atm/ambassador.c
23701--- linux-3.1.1/drivers/atm/ambassador.c 2011-11-11 15:19:27.000000000 -0500
23702+++ linux-3.1.1/drivers/atm/ambassador.c 2011-11-16 18:39:07.000000000 -0500
23703@@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
23704 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
23705
23706 // VC layer stats
23707- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23708+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23709
23710 // free the descriptor
23711 kfree (tx_descr);
23712@@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
23713 dump_skb ("<<<", vc, skb);
23714
23715 // VC layer stats
23716- atomic_inc(&atm_vcc->stats->rx);
23717+ atomic_inc_unchecked(&atm_vcc->stats->rx);
23718 __net_timestamp(skb);
23719 // end of our responsibility
23720 atm_vcc->push (atm_vcc, skb);
23721@@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
23722 } else {
23723 PRINTK (KERN_INFO, "dropped over-size frame");
23724 // should we count this?
23725- atomic_inc(&atm_vcc->stats->rx_drop);
23726+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23727 }
23728
23729 } else {
23730@@ -1338,7 +1338,7 @@ static int amb_send (struct atm_vcc * at
23731 }
23732
23733 if (check_area (skb->data, skb->len)) {
23734- atomic_inc(&atm_vcc->stats->tx_err);
23735+ atomic_inc_unchecked(&atm_vcc->stats->tx_err);
23736 return -ENOMEM; // ?
23737 }
23738
23739diff -urNp linux-3.1.1/drivers/atm/atmtcp.c linux-3.1.1/drivers/atm/atmtcp.c
23740--- linux-3.1.1/drivers/atm/atmtcp.c 2011-11-11 15:19:27.000000000 -0500
23741+++ linux-3.1.1/drivers/atm/atmtcp.c 2011-11-16 18:39:07.000000000 -0500
23742@@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
23743 if (vcc->pop) vcc->pop(vcc,skb);
23744 else dev_kfree_skb(skb);
23745 if (dev_data) return 0;
23746- atomic_inc(&vcc->stats->tx_err);
23747+ atomic_inc_unchecked(&vcc->stats->tx_err);
23748 return -ENOLINK;
23749 }
23750 size = skb->len+sizeof(struct atmtcp_hdr);
23751@@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
23752 if (!new_skb) {
23753 if (vcc->pop) vcc->pop(vcc,skb);
23754 else dev_kfree_skb(skb);
23755- atomic_inc(&vcc->stats->tx_err);
23756+ atomic_inc_unchecked(&vcc->stats->tx_err);
23757 return -ENOBUFS;
23758 }
23759 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
23760@@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
23761 if (vcc->pop) vcc->pop(vcc,skb);
23762 else dev_kfree_skb(skb);
23763 out_vcc->push(out_vcc,new_skb);
23764- atomic_inc(&vcc->stats->tx);
23765- atomic_inc(&out_vcc->stats->rx);
23766+ atomic_inc_unchecked(&vcc->stats->tx);
23767+ atomic_inc_unchecked(&out_vcc->stats->rx);
23768 return 0;
23769 }
23770
23771@@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
23772 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
23773 read_unlock(&vcc_sklist_lock);
23774 if (!out_vcc) {
23775- atomic_inc(&vcc->stats->tx_err);
23776+ atomic_inc_unchecked(&vcc->stats->tx_err);
23777 goto done;
23778 }
23779 skb_pull(skb,sizeof(struct atmtcp_hdr));
23780@@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
23781 __net_timestamp(new_skb);
23782 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
23783 out_vcc->push(out_vcc,new_skb);
23784- atomic_inc(&vcc->stats->tx);
23785- atomic_inc(&out_vcc->stats->rx);
23786+ atomic_inc_unchecked(&vcc->stats->tx);
23787+ atomic_inc_unchecked(&out_vcc->stats->rx);
23788 done:
23789 if (vcc->pop) vcc->pop(vcc,skb);
23790 else dev_kfree_skb(skb);
23791diff -urNp linux-3.1.1/drivers/atm/eni.c linux-3.1.1/drivers/atm/eni.c
23792--- linux-3.1.1/drivers/atm/eni.c 2011-11-11 15:19:27.000000000 -0500
23793+++ linux-3.1.1/drivers/atm/eni.c 2011-11-16 18:39:07.000000000 -0500
23794@@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
23795 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
23796 vcc->dev->number);
23797 length = 0;
23798- atomic_inc(&vcc->stats->rx_err);
23799+ atomic_inc_unchecked(&vcc->stats->rx_err);
23800 }
23801 else {
23802 length = ATM_CELL_SIZE-1; /* no HEC */
23803@@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23804 size);
23805 }
23806 eff = length = 0;
23807- atomic_inc(&vcc->stats->rx_err);
23808+ atomic_inc_unchecked(&vcc->stats->rx_err);
23809 }
23810 else {
23811 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
23812@@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
23813 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
23814 vcc->dev->number,vcc->vci,length,size << 2,descr);
23815 length = eff = 0;
23816- atomic_inc(&vcc->stats->rx_err);
23817+ atomic_inc_unchecked(&vcc->stats->rx_err);
23818 }
23819 }
23820 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
23821@@ -771,7 +771,7 @@ rx_dequeued++;
23822 vcc->push(vcc,skb);
23823 pushed++;
23824 }
23825- atomic_inc(&vcc->stats->rx);
23826+ atomic_inc_unchecked(&vcc->stats->rx);
23827 }
23828 wake_up(&eni_dev->rx_wait);
23829 }
23830@@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
23831 PCI_DMA_TODEVICE);
23832 if (vcc->pop) vcc->pop(vcc,skb);
23833 else dev_kfree_skb_irq(skb);
23834- atomic_inc(&vcc->stats->tx);
23835+ atomic_inc_unchecked(&vcc->stats->tx);
23836 wake_up(&eni_dev->tx_wait);
23837 dma_complete++;
23838 }
23839@@ -1568,7 +1568,7 @@ tx_complete++;
23840 /*--------------------------------- entries ---------------------------------*/
23841
23842
23843-static const char *media_name[] __devinitdata = {
23844+static const char *media_name[] __devinitconst = {
23845 "MMF", "SMF", "MMF", "03?", /* 0- 3 */
23846 "UTP", "05?", "06?", "07?", /* 4- 7 */
23847 "TAXI","09?", "10?", "11?", /* 8-11 */
23848diff -urNp linux-3.1.1/drivers/atm/firestream.c linux-3.1.1/drivers/atm/firestream.c
23849--- linux-3.1.1/drivers/atm/firestream.c 2011-11-11 15:19:27.000000000 -0500
23850+++ linux-3.1.1/drivers/atm/firestream.c 2011-11-16 18:39:07.000000000 -0500
23851@@ -750,7 +750,7 @@ static void process_txdone_queue (struct
23852 }
23853 }
23854
23855- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23856+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23857
23858 fs_dprintk (FS_DEBUG_TXMEM, "i");
23859 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
23860@@ -817,7 +817,7 @@ static void process_incoming (struct fs_
23861 #endif
23862 skb_put (skb, qe->p1 & 0xffff);
23863 ATM_SKB(skb)->vcc = atm_vcc;
23864- atomic_inc(&atm_vcc->stats->rx);
23865+ atomic_inc_unchecked(&atm_vcc->stats->rx);
23866 __net_timestamp(skb);
23867 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
23868 atm_vcc->push (atm_vcc, skb);
23869@@ -838,12 +838,12 @@ static void process_incoming (struct fs_
23870 kfree (pe);
23871 }
23872 if (atm_vcc)
23873- atomic_inc(&atm_vcc->stats->rx_drop);
23874+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23875 break;
23876 case 0x1f: /* Reassembly abort: no buffers. */
23877 /* Silently increment error counter. */
23878 if (atm_vcc)
23879- atomic_inc(&atm_vcc->stats->rx_drop);
23880+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23881 break;
23882 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
23883 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
23884diff -urNp linux-3.1.1/drivers/atm/fore200e.c linux-3.1.1/drivers/atm/fore200e.c
23885--- linux-3.1.1/drivers/atm/fore200e.c 2011-11-11 15:19:27.000000000 -0500
23886+++ linux-3.1.1/drivers/atm/fore200e.c 2011-11-16 18:39:07.000000000 -0500
23887@@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
23888 #endif
23889 /* check error condition */
23890 if (*entry->status & STATUS_ERROR)
23891- atomic_inc(&vcc->stats->tx_err);
23892+ atomic_inc_unchecked(&vcc->stats->tx_err);
23893 else
23894- atomic_inc(&vcc->stats->tx);
23895+ atomic_inc_unchecked(&vcc->stats->tx);
23896 }
23897 }
23898
23899@@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
23900 if (skb == NULL) {
23901 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
23902
23903- atomic_inc(&vcc->stats->rx_drop);
23904+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23905 return -ENOMEM;
23906 }
23907
23908@@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
23909
23910 dev_kfree_skb_any(skb);
23911
23912- atomic_inc(&vcc->stats->rx_drop);
23913+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23914 return -ENOMEM;
23915 }
23916
23917 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23918
23919 vcc->push(vcc, skb);
23920- atomic_inc(&vcc->stats->rx);
23921+ atomic_inc_unchecked(&vcc->stats->rx);
23922
23923 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23924
23925@@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
23926 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
23927 fore200e->atm_dev->number,
23928 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
23929- atomic_inc(&vcc->stats->rx_err);
23930+ atomic_inc_unchecked(&vcc->stats->rx_err);
23931 }
23932 }
23933
23934@@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
23935 goto retry_here;
23936 }
23937
23938- atomic_inc(&vcc->stats->tx_err);
23939+ atomic_inc_unchecked(&vcc->stats->tx_err);
23940
23941 fore200e->tx_sat++;
23942 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
23943diff -urNp linux-3.1.1/drivers/atm/he.c linux-3.1.1/drivers/atm/he.c
23944--- linux-3.1.1/drivers/atm/he.c 2011-11-11 15:19:27.000000000 -0500
23945+++ linux-3.1.1/drivers/atm/he.c 2011-11-16 18:39:07.000000000 -0500
23946@@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23947
23948 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
23949 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
23950- atomic_inc(&vcc->stats->rx_drop);
23951+ atomic_inc_unchecked(&vcc->stats->rx_drop);
23952 goto return_host_buffers;
23953 }
23954
23955@@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23956 RBRQ_LEN_ERR(he_dev->rbrq_head)
23957 ? "LEN_ERR" : "",
23958 vcc->vpi, vcc->vci);
23959- atomic_inc(&vcc->stats->rx_err);
23960+ atomic_inc_unchecked(&vcc->stats->rx_err);
23961 goto return_host_buffers;
23962 }
23963
23964@@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23965 vcc->push(vcc, skb);
23966 spin_lock(&he_dev->global_lock);
23967
23968- atomic_inc(&vcc->stats->rx);
23969+ atomic_inc_unchecked(&vcc->stats->rx);
23970
23971 return_host_buffers:
23972 ++pdus_assembled;
23973@@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
23974 tpd->vcc->pop(tpd->vcc, tpd->skb);
23975 else
23976 dev_kfree_skb_any(tpd->skb);
23977- atomic_inc(&tpd->vcc->stats->tx_err);
23978+ atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
23979 }
23980 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
23981 return;
23982@@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23983 vcc->pop(vcc, skb);
23984 else
23985 dev_kfree_skb_any(skb);
23986- atomic_inc(&vcc->stats->tx_err);
23987+ atomic_inc_unchecked(&vcc->stats->tx_err);
23988 return -EINVAL;
23989 }
23990
23991@@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23992 vcc->pop(vcc, skb);
23993 else
23994 dev_kfree_skb_any(skb);
23995- atomic_inc(&vcc->stats->tx_err);
23996+ atomic_inc_unchecked(&vcc->stats->tx_err);
23997 return -EINVAL;
23998 }
23999 #endif
24000@@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
24001 vcc->pop(vcc, skb);
24002 else
24003 dev_kfree_skb_any(skb);
24004- atomic_inc(&vcc->stats->tx_err);
24005+ atomic_inc_unchecked(&vcc->stats->tx_err);
24006 spin_unlock_irqrestore(&he_dev->global_lock, flags);
24007 return -ENOMEM;
24008 }
24009@@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
24010 vcc->pop(vcc, skb);
24011 else
24012 dev_kfree_skb_any(skb);
24013- atomic_inc(&vcc->stats->tx_err);
24014+ atomic_inc_unchecked(&vcc->stats->tx_err);
24015 spin_unlock_irqrestore(&he_dev->global_lock, flags);
24016 return -ENOMEM;
24017 }
24018@@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
24019 __enqueue_tpd(he_dev, tpd, cid);
24020 spin_unlock_irqrestore(&he_dev->global_lock, flags);
24021
24022- atomic_inc(&vcc->stats->tx);
24023+ atomic_inc_unchecked(&vcc->stats->tx);
24024
24025 return 0;
24026 }
24027diff -urNp linux-3.1.1/drivers/atm/horizon.c linux-3.1.1/drivers/atm/horizon.c
24028--- linux-3.1.1/drivers/atm/horizon.c 2011-11-11 15:19:27.000000000 -0500
24029+++ linux-3.1.1/drivers/atm/horizon.c 2011-11-16 18:39:07.000000000 -0500
24030@@ -1035,7 +1035,7 @@ static void rx_schedule (hrz_dev * dev,
24031 {
24032 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
24033 // VC layer stats
24034- atomic_inc(&vcc->stats->rx);
24035+ atomic_inc_unchecked(&vcc->stats->rx);
24036 __net_timestamp(skb);
24037 // end of our responsibility
24038 vcc->push (vcc, skb);
24039@@ -1187,7 +1187,7 @@ static void tx_schedule (hrz_dev * const
24040 dev->tx_iovec = NULL;
24041
24042 // VC layer stats
24043- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
24044+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
24045
24046 // free the skb
24047 hrz_kfree_skb (skb);
24048diff -urNp linux-3.1.1/drivers/atm/idt77252.c linux-3.1.1/drivers/atm/idt77252.c
24049--- linux-3.1.1/drivers/atm/idt77252.c 2011-11-11 15:19:27.000000000 -0500
24050+++ linux-3.1.1/drivers/atm/idt77252.c 2011-11-16 18:39:07.000000000 -0500
24051@@ -812,7 +812,7 @@ drain_scq(struct idt77252_dev *card, str
24052 else
24053 dev_kfree_skb(skb);
24054
24055- atomic_inc(&vcc->stats->tx);
24056+ atomic_inc_unchecked(&vcc->stats->tx);
24057 }
24058
24059 atomic_dec(&scq->used);
24060@@ -1075,13 +1075,13 @@ dequeue_rx(struct idt77252_dev *card, st
24061 if ((sb = dev_alloc_skb(64)) == NULL) {
24062 printk("%s: Can't allocate buffers for aal0.\n",
24063 card->name);
24064- atomic_add(i, &vcc->stats->rx_drop);
24065+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
24066 break;
24067 }
24068 if (!atm_charge(vcc, sb->truesize)) {
24069 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
24070 card->name);
24071- atomic_add(i - 1, &vcc->stats->rx_drop);
24072+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
24073 dev_kfree_skb(sb);
24074 break;
24075 }
24076@@ -1098,7 +1098,7 @@ dequeue_rx(struct idt77252_dev *card, st
24077 ATM_SKB(sb)->vcc = vcc;
24078 __net_timestamp(sb);
24079 vcc->push(vcc, sb);
24080- atomic_inc(&vcc->stats->rx);
24081+ atomic_inc_unchecked(&vcc->stats->rx);
24082
24083 cell += ATM_CELL_PAYLOAD;
24084 }
24085@@ -1135,13 +1135,13 @@ dequeue_rx(struct idt77252_dev *card, st
24086 "(CDC: %08x)\n",
24087 card->name, len, rpp->len, readl(SAR_REG_CDC));
24088 recycle_rx_pool_skb(card, rpp);
24089- atomic_inc(&vcc->stats->rx_err);
24090+ atomic_inc_unchecked(&vcc->stats->rx_err);
24091 return;
24092 }
24093 if (stat & SAR_RSQE_CRC) {
24094 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
24095 recycle_rx_pool_skb(card, rpp);
24096- atomic_inc(&vcc->stats->rx_err);
24097+ atomic_inc_unchecked(&vcc->stats->rx_err);
24098 return;
24099 }
24100 if (skb_queue_len(&rpp->queue) > 1) {
24101@@ -1152,7 +1152,7 @@ dequeue_rx(struct idt77252_dev *card, st
24102 RXPRINTK("%s: Can't alloc RX skb.\n",
24103 card->name);
24104 recycle_rx_pool_skb(card, rpp);
24105- atomic_inc(&vcc->stats->rx_err);
24106+ atomic_inc_unchecked(&vcc->stats->rx_err);
24107 return;
24108 }
24109 if (!atm_charge(vcc, skb->truesize)) {
24110@@ -1171,7 +1171,7 @@ dequeue_rx(struct idt77252_dev *card, st
24111 __net_timestamp(skb);
24112
24113 vcc->push(vcc, skb);
24114- atomic_inc(&vcc->stats->rx);
24115+ atomic_inc_unchecked(&vcc->stats->rx);
24116
24117 return;
24118 }
24119@@ -1193,7 +1193,7 @@ dequeue_rx(struct idt77252_dev *card, st
24120 __net_timestamp(skb);
24121
24122 vcc->push(vcc, skb);
24123- atomic_inc(&vcc->stats->rx);
24124+ atomic_inc_unchecked(&vcc->stats->rx);
24125
24126 if (skb->truesize > SAR_FB_SIZE_3)
24127 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
24128@@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
24129 if (vcc->qos.aal != ATM_AAL0) {
24130 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
24131 card->name, vpi, vci);
24132- atomic_inc(&vcc->stats->rx_drop);
24133+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24134 goto drop;
24135 }
24136
24137 if ((sb = dev_alloc_skb(64)) == NULL) {
24138 printk("%s: Can't allocate buffers for AAL0.\n",
24139 card->name);
24140- atomic_inc(&vcc->stats->rx_err);
24141+ atomic_inc_unchecked(&vcc->stats->rx_err);
24142 goto drop;
24143 }
24144
24145@@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
24146 ATM_SKB(sb)->vcc = vcc;
24147 __net_timestamp(sb);
24148 vcc->push(vcc, sb);
24149- atomic_inc(&vcc->stats->rx);
24150+ atomic_inc_unchecked(&vcc->stats->rx);
24151
24152 drop:
24153 skb_pull(queue, 64);
24154@@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24155
24156 if (vc == NULL) {
24157 printk("%s: NULL connection in send().\n", card->name);
24158- atomic_inc(&vcc->stats->tx_err);
24159+ atomic_inc_unchecked(&vcc->stats->tx_err);
24160 dev_kfree_skb(skb);
24161 return -EINVAL;
24162 }
24163 if (!test_bit(VCF_TX, &vc->flags)) {
24164 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
24165- atomic_inc(&vcc->stats->tx_err);
24166+ atomic_inc_unchecked(&vcc->stats->tx_err);
24167 dev_kfree_skb(skb);
24168 return -EINVAL;
24169 }
24170@@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24171 break;
24172 default:
24173 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
24174- atomic_inc(&vcc->stats->tx_err);
24175+ atomic_inc_unchecked(&vcc->stats->tx_err);
24176 dev_kfree_skb(skb);
24177 return -EINVAL;
24178 }
24179
24180 if (skb_shinfo(skb)->nr_frags != 0) {
24181 printk("%s: No scatter-gather yet.\n", card->name);
24182- atomic_inc(&vcc->stats->tx_err);
24183+ atomic_inc_unchecked(&vcc->stats->tx_err);
24184 dev_kfree_skb(skb);
24185 return -EINVAL;
24186 }
24187@@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
24188
24189 err = queue_skb(card, vc, skb, oam);
24190 if (err) {
24191- atomic_inc(&vcc->stats->tx_err);
24192+ atomic_inc_unchecked(&vcc->stats->tx_err);
24193 dev_kfree_skb(skb);
24194 return err;
24195 }
24196@@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
24197 skb = dev_alloc_skb(64);
24198 if (!skb) {
24199 printk("%s: Out of memory in send_oam().\n", card->name);
24200- atomic_inc(&vcc->stats->tx_err);
24201+ atomic_inc_unchecked(&vcc->stats->tx_err);
24202 return -ENOMEM;
24203 }
24204 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
24205diff -urNp linux-3.1.1/drivers/atm/iphase.c linux-3.1.1/drivers/atm/iphase.c
24206--- linux-3.1.1/drivers/atm/iphase.c 2011-11-11 15:19:27.000000000 -0500
24207+++ linux-3.1.1/drivers/atm/iphase.c 2011-11-16 18:39:07.000000000 -0500
24208@@ -1121,7 +1121,7 @@ static int rx_pkt(struct atm_dev *dev)
24209 status = (u_short) (buf_desc_ptr->desc_mode);
24210 if (status & (RX_CER | RX_PTE | RX_OFL))
24211 {
24212- atomic_inc(&vcc->stats->rx_err);
24213+ atomic_inc_unchecked(&vcc->stats->rx_err);
24214 IF_ERR(printk("IA: bad packet, dropping it");)
24215 if (status & RX_CER) {
24216 IF_ERR(printk(" cause: packet CRC error\n");)
24217@@ -1144,7 +1144,7 @@ static int rx_pkt(struct atm_dev *dev)
24218 len = dma_addr - buf_addr;
24219 if (len > iadev->rx_buf_sz) {
24220 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
24221- atomic_inc(&vcc->stats->rx_err);
24222+ atomic_inc_unchecked(&vcc->stats->rx_err);
24223 goto out_free_desc;
24224 }
24225
24226@@ -1294,7 +1294,7 @@ static void rx_dle_intr(struct atm_dev *
24227 ia_vcc = INPH_IA_VCC(vcc);
24228 if (ia_vcc == NULL)
24229 {
24230- atomic_inc(&vcc->stats->rx_err);
24231+ atomic_inc_unchecked(&vcc->stats->rx_err);
24232 dev_kfree_skb_any(skb);
24233 atm_return(vcc, atm_guess_pdu2truesize(len));
24234 goto INCR_DLE;
24235@@ -1306,7 +1306,7 @@ static void rx_dle_intr(struct atm_dev *
24236 if ((length > iadev->rx_buf_sz) || (length >
24237 (skb->len - sizeof(struct cpcs_trailer))))
24238 {
24239- atomic_inc(&vcc->stats->rx_err);
24240+ atomic_inc_unchecked(&vcc->stats->rx_err);
24241 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
24242 length, skb->len);)
24243 dev_kfree_skb_any(skb);
24244@@ -1322,7 +1322,7 @@ static void rx_dle_intr(struct atm_dev *
24245
24246 IF_RX(printk("rx_dle_intr: skb push");)
24247 vcc->push(vcc,skb);
24248- atomic_inc(&vcc->stats->rx);
24249+ atomic_inc_unchecked(&vcc->stats->rx);
24250 iadev->rx_pkt_cnt++;
24251 }
24252 INCR_DLE:
24253@@ -2802,15 +2802,15 @@ static int ia_ioctl(struct atm_dev *dev,
24254 {
24255 struct k_sonet_stats *stats;
24256 stats = &PRIV(_ia_dev[board])->sonet_stats;
24257- printk("section_bip: %d\n", atomic_read(&stats->section_bip));
24258- printk("line_bip : %d\n", atomic_read(&stats->line_bip));
24259- printk("path_bip : %d\n", atomic_read(&stats->path_bip));
24260- printk("line_febe : %d\n", atomic_read(&stats->line_febe));
24261- printk("path_febe : %d\n", atomic_read(&stats->path_febe));
24262- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
24263- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
24264- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
24265- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
24266+ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
24267+ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
24268+ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
24269+ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
24270+ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
24271+ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
24272+ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
24273+ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
24274+ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
24275 }
24276 ia_cmds.status = 0;
24277 break;
24278@@ -2915,7 +2915,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
24279 if ((desc == 0) || (desc > iadev->num_tx_desc))
24280 {
24281 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
24282- atomic_inc(&vcc->stats->tx);
24283+ atomic_inc_unchecked(&vcc->stats->tx);
24284 if (vcc->pop)
24285 vcc->pop(vcc, skb);
24286 else
24287@@ -3020,14 +3020,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
24288 ATM_DESC(skb) = vcc->vci;
24289 skb_queue_tail(&iadev->tx_dma_q, skb);
24290
24291- atomic_inc(&vcc->stats->tx);
24292+ atomic_inc_unchecked(&vcc->stats->tx);
24293 iadev->tx_pkt_cnt++;
24294 /* Increment transaction counter */
24295 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
24296
24297 #if 0
24298 /* add flow control logic */
24299- if (atomic_read(&vcc->stats->tx) % 20 == 0) {
24300+ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
24301 if (iavcc->vc_desc_cnt > 10) {
24302 vcc->tx_quota = vcc->tx_quota * 3 / 4;
24303 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
24304diff -urNp linux-3.1.1/drivers/atm/lanai.c linux-3.1.1/drivers/atm/lanai.c
24305--- linux-3.1.1/drivers/atm/lanai.c 2011-11-11 15:19:27.000000000 -0500
24306+++ linux-3.1.1/drivers/atm/lanai.c 2011-11-16 18:39:07.000000000 -0500
24307@@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
24308 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
24309 lanai_endtx(lanai, lvcc);
24310 lanai_free_skb(lvcc->tx.atmvcc, skb);
24311- atomic_inc(&lvcc->tx.atmvcc->stats->tx);
24312+ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
24313 }
24314
24315 /* Try to fill the buffer - don't call unless there is backlog */
24316@@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
24317 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
24318 __net_timestamp(skb);
24319 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
24320- atomic_inc(&lvcc->rx.atmvcc->stats->rx);
24321+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
24322 out:
24323 lvcc->rx.buf.ptr = end;
24324 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
24325@@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
24326 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
24327 "vcc %d\n", lanai->number, (unsigned int) s, vci);
24328 lanai->stats.service_rxnotaal5++;
24329- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24330+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24331 return 0;
24332 }
24333 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
24334@@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
24335 int bytes;
24336 read_unlock(&vcc_sklist_lock);
24337 DPRINTK("got trashed rx pdu on vci %d\n", vci);
24338- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24339+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24340 lvcc->stats.x.aal5.service_trash++;
24341 bytes = (SERVICE_GET_END(s) * 16) -
24342 (((unsigned long) lvcc->rx.buf.ptr) -
24343@@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
24344 }
24345 if (s & SERVICE_STREAM) {
24346 read_unlock(&vcc_sklist_lock);
24347- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24348+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24349 lvcc->stats.x.aal5.service_stream++;
24350 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
24351 "PDU on VCI %d!\n", lanai->number, vci);
24352@@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
24353 return 0;
24354 }
24355 DPRINTK("got rx crc error on vci %d\n", vci);
24356- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
24357+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
24358 lvcc->stats.x.aal5.service_rxcrc++;
24359 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
24360 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
24361diff -urNp linux-3.1.1/drivers/atm/nicstar.c linux-3.1.1/drivers/atm/nicstar.c
24362--- linux-3.1.1/drivers/atm/nicstar.c 2011-11-11 15:19:27.000000000 -0500
24363+++ linux-3.1.1/drivers/atm/nicstar.c 2011-11-16 18:39:07.000000000 -0500
24364@@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
24365 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
24366 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
24367 card->index);
24368- atomic_inc(&vcc->stats->tx_err);
24369+ atomic_inc_unchecked(&vcc->stats->tx_err);
24370 dev_kfree_skb_any(skb);
24371 return -EINVAL;
24372 }
24373@@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
24374 if (!vc->tx) {
24375 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
24376 card->index);
24377- atomic_inc(&vcc->stats->tx_err);
24378+ atomic_inc_unchecked(&vcc->stats->tx_err);
24379 dev_kfree_skb_any(skb);
24380 return -EINVAL;
24381 }
24382@@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
24383 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
24384 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
24385 card->index);
24386- atomic_inc(&vcc->stats->tx_err);
24387+ atomic_inc_unchecked(&vcc->stats->tx_err);
24388 dev_kfree_skb_any(skb);
24389 return -EINVAL;
24390 }
24391
24392 if (skb_shinfo(skb)->nr_frags != 0) {
24393 printk("nicstar%d: No scatter-gather yet.\n", card->index);
24394- atomic_inc(&vcc->stats->tx_err);
24395+ atomic_inc_unchecked(&vcc->stats->tx_err);
24396 dev_kfree_skb_any(skb);
24397 return -EINVAL;
24398 }
24399@@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
24400 }
24401
24402 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
24403- atomic_inc(&vcc->stats->tx_err);
24404+ atomic_inc_unchecked(&vcc->stats->tx_err);
24405 dev_kfree_skb_any(skb);
24406 return -EIO;
24407 }
24408- atomic_inc(&vcc->stats->tx);
24409+ atomic_inc_unchecked(&vcc->stats->tx);
24410
24411 return 0;
24412 }
24413@@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
24414 printk
24415 ("nicstar%d: Can't allocate buffers for aal0.\n",
24416 card->index);
24417- atomic_add(i, &vcc->stats->rx_drop);
24418+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
24419 break;
24420 }
24421 if (!atm_charge(vcc, sb->truesize)) {
24422 RXPRINTK
24423 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
24424 card->index);
24425- atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
24426+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
24427 dev_kfree_skb_any(sb);
24428 break;
24429 }
24430@@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
24431 ATM_SKB(sb)->vcc = vcc;
24432 __net_timestamp(sb);
24433 vcc->push(vcc, sb);
24434- atomic_inc(&vcc->stats->rx);
24435+ atomic_inc_unchecked(&vcc->stats->rx);
24436 cell += ATM_CELL_PAYLOAD;
24437 }
24438
24439@@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
24440 if (iovb == NULL) {
24441 printk("nicstar%d: Out of iovec buffers.\n",
24442 card->index);
24443- atomic_inc(&vcc->stats->rx_drop);
24444+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24445 recycle_rx_buf(card, skb);
24446 return;
24447 }
24448@@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
24449 small or large buffer itself. */
24450 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
24451 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
24452- atomic_inc(&vcc->stats->rx_err);
24453+ atomic_inc_unchecked(&vcc->stats->rx_err);
24454 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24455 NS_MAX_IOVECS);
24456 NS_PRV_IOVCNT(iovb) = 0;
24457@@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
24458 ("nicstar%d: Expected a small buffer, and this is not one.\n",
24459 card->index);
24460 which_list(card, skb);
24461- atomic_inc(&vcc->stats->rx_err);
24462+ atomic_inc_unchecked(&vcc->stats->rx_err);
24463 recycle_rx_buf(card, skb);
24464 vc->rx_iov = NULL;
24465 recycle_iov_buf(card, iovb);
24466@@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
24467 ("nicstar%d: Expected a large buffer, and this is not one.\n",
24468 card->index);
24469 which_list(card, skb);
24470- atomic_inc(&vcc->stats->rx_err);
24471+ atomic_inc_unchecked(&vcc->stats->rx_err);
24472 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24473 NS_PRV_IOVCNT(iovb));
24474 vc->rx_iov = NULL;
24475@@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
24476 printk(" - PDU size mismatch.\n");
24477 else
24478 printk(".\n");
24479- atomic_inc(&vcc->stats->rx_err);
24480+ atomic_inc_unchecked(&vcc->stats->rx_err);
24481 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
24482 NS_PRV_IOVCNT(iovb));
24483 vc->rx_iov = NULL;
24484@@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
24485 /* skb points to a small buffer */
24486 if (!atm_charge(vcc, skb->truesize)) {
24487 push_rxbufs(card, skb);
24488- atomic_inc(&vcc->stats->rx_drop);
24489+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24490 } else {
24491 skb_put(skb, len);
24492 dequeue_sm_buf(card, skb);
24493@@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
24494 ATM_SKB(skb)->vcc = vcc;
24495 __net_timestamp(skb);
24496 vcc->push(vcc, skb);
24497- atomic_inc(&vcc->stats->rx);
24498+ atomic_inc_unchecked(&vcc->stats->rx);
24499 }
24500 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
24501 struct sk_buff *sb;
24502@@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
24503 if (len <= NS_SMBUFSIZE) {
24504 if (!atm_charge(vcc, sb->truesize)) {
24505 push_rxbufs(card, sb);
24506- atomic_inc(&vcc->stats->rx_drop);
24507+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24508 } else {
24509 skb_put(sb, len);
24510 dequeue_sm_buf(card, sb);
24511@@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
24512 ATM_SKB(sb)->vcc = vcc;
24513 __net_timestamp(sb);
24514 vcc->push(vcc, sb);
24515- atomic_inc(&vcc->stats->rx);
24516+ atomic_inc_unchecked(&vcc->stats->rx);
24517 }
24518
24519 push_rxbufs(card, skb);
24520@@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
24521
24522 if (!atm_charge(vcc, skb->truesize)) {
24523 push_rxbufs(card, skb);
24524- atomic_inc(&vcc->stats->rx_drop);
24525+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24526 } else {
24527 dequeue_lg_buf(card, skb);
24528 #ifdef NS_USE_DESTRUCTORS
24529@@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
24530 ATM_SKB(skb)->vcc = vcc;
24531 __net_timestamp(skb);
24532 vcc->push(vcc, skb);
24533- atomic_inc(&vcc->stats->rx);
24534+ atomic_inc_unchecked(&vcc->stats->rx);
24535 }
24536
24537 push_rxbufs(card, sb);
24538@@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
24539 printk
24540 ("nicstar%d: Out of huge buffers.\n",
24541 card->index);
24542- atomic_inc(&vcc->stats->rx_drop);
24543+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24544 recycle_iovec_rx_bufs(card,
24545 (struct iovec *)
24546 iovb->data,
24547@@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
24548 card->hbpool.count++;
24549 } else
24550 dev_kfree_skb_any(hb);
24551- atomic_inc(&vcc->stats->rx_drop);
24552+ atomic_inc_unchecked(&vcc->stats->rx_drop);
24553 } else {
24554 /* Copy the small buffer to the huge buffer */
24555 sb = (struct sk_buff *)iov->iov_base;
24556@@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
24557 #endif /* NS_USE_DESTRUCTORS */
24558 __net_timestamp(hb);
24559 vcc->push(vcc, hb);
24560- atomic_inc(&vcc->stats->rx);
24561+ atomic_inc_unchecked(&vcc->stats->rx);
24562 }
24563 }
24564
24565diff -urNp linux-3.1.1/drivers/atm/solos-pci.c linux-3.1.1/drivers/atm/solos-pci.c
24566--- linux-3.1.1/drivers/atm/solos-pci.c 2011-11-11 15:19:27.000000000 -0500
24567+++ linux-3.1.1/drivers/atm/solos-pci.c 2011-11-16 18:40:10.000000000 -0500
24568@@ -714,7 +714,7 @@ void solos_bh(unsigned long card_arg)
24569 }
24570 atm_charge(vcc, skb->truesize);
24571 vcc->push(vcc, skb);
24572- atomic_inc(&vcc->stats->rx);
24573+ atomic_inc_unchecked(&vcc->stats->rx);
24574 break;
24575
24576 case PKT_STATUS:
24577@@ -899,6 +899,8 @@ static int print_buffer(struct sk_buff *
24578 char msg[500];
24579 char item[10];
24580
24581+ pax_track_stack();
24582+
24583 len = buf->len;
24584 for (i = 0; i < len; i++){
24585 if(i % 8 == 0)
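Review bot: The `pax_track_stack()` call added before the first statement of print_buffer carries no explanation of why this function needs it; the visible trigger is presumably the `char msg[500]` on the stack above it, and a reader who does not know the STACKLEAK convention cannot tell whether the marker is required or optional. A comment at the call site such as `/* large on-stack frame (msg[500]): STACKLEAK must see the real depth */` would make that clear. The same undocumented markers are added to cpqarray.c do_ida_request, DAC960.c DAC960_V1_ReadDeviceConfiguration and nbd.c sock_xmit; the nbd frame (`struct kvec iov; sigset_t blocked, oldset;`) looks small, so it is worth confirming that one is actually needed.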
24586@@ -1008,7 +1010,7 @@ static uint32_t fpga_tx(struct solos_car
24587 vcc = SKB_CB(oldskb)->vcc;
24588
24589 if (vcc) {
24590- atomic_inc(&vcc->stats->tx);
24591+ atomic_inc_unchecked(&vcc->stats->tx);
24592 solos_pop(vcc, oldskb);
24593 } else
24594 dev_kfree_skb_irq(oldskb);
24595diff -urNp linux-3.1.1/drivers/atm/suni.c linux-3.1.1/drivers/atm/suni.c
24596--- linux-3.1.1/drivers/atm/suni.c 2011-11-11 15:19:27.000000000 -0500
24597+++ linux-3.1.1/drivers/atm/suni.c 2011-11-16 18:39:07.000000000 -0500
24598@@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
24599
24600
24601 #define ADD_LIMITED(s,v) \
24602- atomic_add((v),&stats->s); \
24603- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
24604+ atomic_add_unchecked((v),&stats->s); \
24605+ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
24606
24607
24608 static void suni_hz(unsigned long from_timer)
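Review bot: The rewritten ADD_LIMITED macro still expands to two bare statements, so an invocation as the body of an unbraced `if`, or one followed by `else`, would silently apply the condition to only the first statement; wrapping it as `do { atomic_add_unchecked((v),&stats->s); if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)` removes the hazard. The hazard predates this patch, but the hunk rewrites both lines anyway. The uPD98402.c version of the macro below uses braces, which avoids the first problem but still breaks a following `else`; the same `do { } while (0)` fix applies there. The saturation is also a read-then-set pair rather than a single atomic operation, so two concurrent callers can lose an update — acceptable for a statistics counter, but worth a comment now that the macro also opts the counter out of overflow detection.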
24609diff -urNp linux-3.1.1/drivers/atm/uPD98402.c linux-3.1.1/drivers/atm/uPD98402.c
24610--- linux-3.1.1/drivers/atm/uPD98402.c 2011-11-11 15:19:27.000000000 -0500
24611+++ linux-3.1.1/drivers/atm/uPD98402.c 2011-11-16 18:39:07.000000000 -0500
24612@@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
24613 struct sonet_stats tmp;
24614 int error = 0;
24615
24616- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
24617+ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
24618 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
24619 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
24620 if (zero && !error) {
24621@@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
24622
24623
24624 #define ADD_LIMITED(s,v) \
24625- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
24626- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
24627- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24628+ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
24629+ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
24630+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
24631
24632
24633 static void stat_event(struct atm_dev *dev)
24634@@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
24635 if (reason & uPD98402_INT_PFM) stat_event(dev);
24636 if (reason & uPD98402_INT_PCO) {
24637 (void) GET(PCOCR); /* clear interrupt cause */
24638- atomic_add(GET(HECCT),
24639+ atomic_add_unchecked(GET(HECCT),
24640 &PRIV(dev)->sonet_stats.uncorr_hcs);
24641 }
24642 if ((reason & uPD98402_INT_RFO) &&
24643@@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
24644 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
24645 uPD98402_INT_LOS),PIMR); /* enable them */
24646 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
24647- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24648- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
24649- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
24650+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
24651+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
24652+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
24653 return 0;
24654 }
24655
24656diff -urNp linux-3.1.1/drivers/atm/zatm.c linux-3.1.1/drivers/atm/zatm.c
24657--- linux-3.1.1/drivers/atm/zatm.c 2011-11-11 15:19:27.000000000 -0500
24658+++ linux-3.1.1/drivers/atm/zatm.c 2011-11-16 18:39:07.000000000 -0500
24659@@ -460,7 +460,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24660 }
24661 if (!size) {
24662 dev_kfree_skb_irq(skb);
24663- if (vcc) atomic_inc(&vcc->stats->rx_err);
24664+ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
24665 continue;
24666 }
24667 if (!atm_charge(vcc,skb->truesize)) {
24668@@ -470,7 +470,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
24669 skb->len = size;
24670 ATM_SKB(skb)->vcc = vcc;
24671 vcc->push(vcc,skb);
24672- atomic_inc(&vcc->stats->rx);
24673+ atomic_inc_unchecked(&vcc->stats->rx);
24674 }
24675 zout(pos & 0xffff,MTA(mbx));
24676 #if 0 /* probably a stupid idea */
24677@@ -734,7 +734,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
24678 skb_queue_head(&zatm_vcc->backlog,skb);
24679 break;
24680 }
24681- atomic_inc(&vcc->stats->tx);
24682+ atomic_inc_unchecked(&vcc->stats->tx);
24683 wake_up(&zatm_vcc->tx_wait);
24684 }
24685
24686diff -urNp linux-3.1.1/drivers/base/devtmpfs.c linux-3.1.1/drivers/base/devtmpfs.c
24687--- linux-3.1.1/drivers/base/devtmpfs.c 2011-11-11 15:19:27.000000000 -0500
24688+++ linux-3.1.1/drivers/base/devtmpfs.c 2011-11-16 18:39:07.000000000 -0500
24689@@ -368,7 +368,7 @@ int devtmpfs_mount(const char *mntdir)
24690 if (!thread)
24691 return 0;
24692
24693- err = sys_mount("devtmpfs", (char *)mntdir, "devtmpfs", MS_SILENT, NULL);
24694+ err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)mntdir, (char __force_user *)"devtmpfs", MS_SILENT, NULL);
24695 if (err)
24696 printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
24697 else
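Review bot: The `(char __force_user *)` casts on the sys_mount() arguments silence the address-space check without saying why kernel-space strings may cross the user-pointer boundary here; the call presumably works only because devtmpfs_mount runs before the init thread switches to USER_DS, and that precondition is not visible in the hunk. A comment on the call, `/* kernel strings into a syscall: caller must still be under KERNEL_DS */`, would record the assumption and make it obvious if the call site ever moves. devtmpfs_mount begins outside the hunk.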
24698diff -urNp linux-3.1.1/drivers/base/power/wakeup.c linux-3.1.1/drivers/base/power/wakeup.c
24699--- linux-3.1.1/drivers/base/power/wakeup.c 2011-11-11 15:19:27.000000000 -0500
24700+++ linux-3.1.1/drivers/base/power/wakeup.c 2011-11-16 18:39:07.000000000 -0500
24701@@ -29,14 +29,14 @@ bool events_check_enabled;
24702 * They need to be modified together atomically, so it's better to use one
24703 * atomic variable to hold them both.
24704 */
24705-static atomic_t combined_event_count = ATOMIC_INIT(0);
24706+static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
24707
24708 #define IN_PROGRESS_BITS (sizeof(int) * 4)
24709 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
24710
24711 static void split_counters(unsigned int *cnt, unsigned int *inpr)
24712 {
24713- unsigned int comb = atomic_read(&combined_event_count);
24714+ unsigned int comb = atomic_read_unchecked(&combined_event_count);
24715
24716 *cnt = (comb >> IN_PROGRESS_BITS);
24717 *inpr = comb & MAX_IN_PROGRESS;
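Review bot: `combined_event_count` is switched to `atomic_unchecked_t` without a note on why this counter may skip overflow detection, and the reason is not obvious: the value packs two fields (`*cnt = comb >> IN_PROGRESS_BITS; *inpr = comb & MAX_IN_PROGRESS`), so the registered-event half in the upper bits presumably wraps into the sign bit after 2^15 events and a refcount-style check would misfire on that. Extending the existing block comment with `* Packed counter, not a refcount: the high half is expected to wrap, so it is deliberately atomic_unchecked_t.` keeps that reasoning next to the declaration. The later hunks in this file (`atomic_inc_unchecked` in wakeup_source_activate and `atomic_add_unchecked(MAX_IN_PROGRESS, ...)` in wakeup_source_deactivate) follow from the same decision.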
24718@@ -350,7 +350,7 @@ static void wakeup_source_activate(struc
24719 ws->last_time = ktime_get();
24720
24721 /* Increment the counter of events in progress. */
24722- atomic_inc(&combined_event_count);
24723+ atomic_inc_unchecked(&combined_event_count);
24724 }
24725
24726 /**
24727@@ -440,7 +440,7 @@ static void wakeup_source_deactivate(str
24728 * Increment the counter of registered wakeup events and decrement the
24729 * couter of wakeup events in progress simultaneously.
24730 */
24731- atomic_add(MAX_IN_PROGRESS, &combined_event_count);
24732+ atomic_add_unchecked(MAX_IN_PROGRESS, &combined_event_count);
24733 }
24734
24735 /**
24736diff -urNp linux-3.1.1/drivers/block/cciss.c linux-3.1.1/drivers/block/cciss.c
24737--- linux-3.1.1/drivers/block/cciss.c 2011-11-11 15:19:27.000000000 -0500
24738+++ linux-3.1.1/drivers/block/cciss.c 2011-11-16 18:40:10.000000000 -0500
24739@@ -1179,6 +1179,8 @@ static int cciss_ioctl32_passthru(struct
24740 int err;
24741 u32 cp;
24742
24743+ memset(&arg64, 0, sizeof(arg64));
24744+
24745 err = 0;
24746 err |=
24747 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
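Review bot: The new `memset(&arg64, 0, sizeof(arg64))` has no comment stating what it protects against; `arg64` is filled field by field from `arg32` by the `copy_from_user` calls that follow, so the padding bytes would otherwise keep whatever the stack held, and if the structure is later copied out to user space — as is presumably the case, since the function name says passthru — those bytes leak kernel stack contents. A comment such as `/* zero padding: arg64 is later copied to user space and must not carry stack bytes */` records the intent so a future cleanup does not drop the memset as redundant. The rest of cciss_ioctl32_passthru, including the copy-out that makes this matter, is outside the hunk.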
24748@@ -2986,7 +2988,7 @@ static void start_io(ctlr_info_t *h)
24749 while (!list_empty(&h->reqQ)) {
24750 c = list_entry(h->reqQ.next, CommandList_struct, list);
24751 /* can't do anything if fifo is full */
24752- if ((h->access.fifo_full(h))) {
24753+ if ((h->access->fifo_full(h))) {
24754 dev_warn(&h->pdev->dev, "fifo full\n");
24755 break;
24756 }
24757@@ -2996,7 +2998,7 @@ static void start_io(ctlr_info_t *h)
24758 h->Qdepth--;
24759
24760 /* Tell the controller execute command */
24761- h->access.submit_command(h, c);
24762+ h->access->submit_command(h, c);
24763
24764 /* Put job onto the completed Q */
24765 addQ(&h->cmpQ, c);
24766@@ -3422,17 +3424,17 @@ startio:
24767
24768 static inline unsigned long get_next_completion(ctlr_info_t *h)
24769 {
24770- return h->access.command_completed(h);
24771+ return h->access->command_completed(h);
24772 }
24773
24774 static inline int interrupt_pending(ctlr_info_t *h)
24775 {
24776- return h->access.intr_pending(h);
24777+ return h->access->intr_pending(h);
24778 }
24779
24780 static inline long interrupt_not_for_us(ctlr_info_t *h)
24781 {
24782- return ((h->access.intr_pending(h) == 0) ||
24783+ return ((h->access->intr_pending(h) == 0) ||
24784 (h->interrupts_enabled == 0));
24785 }
24786
24787@@ -3465,7 +3467,7 @@ static inline u32 next_command(ctlr_info
24788 u32 a;
24789
24790 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
24791- return h->access.command_completed(h);
24792+ return h->access->command_completed(h);
24793
24794 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
24795 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
24796@@ -4020,7 +4022,7 @@ static void __devinit cciss_put_controll
24797 trans_support & CFGTBL_Trans_use_short_tags);
24798
24799 /* Change the access methods to the performant access methods */
24800- h->access = SA5_performant_access;
24801+ h->access = &SA5_performant_access;
24802 h->transMethod = CFGTBL_Trans_Performant;
24803
24804 return;
24805@@ -4292,7 +4294,7 @@ static int __devinit cciss_pci_init(ctlr
24806 if (prod_index < 0)
24807 return -ENODEV;
24808 h->product_name = products[prod_index].product_name;
24809- h->access = *(products[prod_index].access);
24810+ h->access = products[prod_index].access;
24811
24812 if (cciss_board_disabled(h)) {
24813 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
24814@@ -5009,7 +5011,7 @@ reinit_after_soft_reset:
24815 }
24816
24817 /* make sure the board interrupts are off */
24818- h->access.set_intr_mask(h, CCISS_INTR_OFF);
24819+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
24820 rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
24821 if (rc)
24822 goto clean2;
24823@@ -5061,7 +5063,7 @@ reinit_after_soft_reset:
24824 * fake ones to scoop up any residual completions.
24825 */
24826 spin_lock_irqsave(&h->lock, flags);
24827- h->access.set_intr_mask(h, CCISS_INTR_OFF);
24828+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
24829 spin_unlock_irqrestore(&h->lock, flags);
24830 free_irq(h->intr[PERF_MODE_INT], h);
24831 rc = cciss_request_irq(h, cciss_msix_discard_completions,
24832@@ -5081,9 +5083,9 @@ reinit_after_soft_reset:
24833 dev_info(&h->pdev->dev, "Board READY.\n");
24834 dev_info(&h->pdev->dev,
24835 "Waiting for stale completions to drain.\n");
24836- h->access.set_intr_mask(h, CCISS_INTR_ON);
24837+ h->access->set_intr_mask(h, CCISS_INTR_ON);
24838 msleep(10000);
24839- h->access.set_intr_mask(h, CCISS_INTR_OFF);
24840+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
24841
24842 rc = controller_reset_failed(h->cfgtable);
24843 if (rc)
24844@@ -5106,7 +5108,7 @@ reinit_after_soft_reset:
24845 cciss_scsi_setup(h);
24846
24847 /* Turn the interrupts on so we can service requests */
24848- h->access.set_intr_mask(h, CCISS_INTR_ON);
24849+ h->access->set_intr_mask(h, CCISS_INTR_ON);
24850
24851 /* Get the firmware version */
24852 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
24853@@ -5178,7 +5180,7 @@ static void cciss_shutdown(struct pci_de
24854 kfree(flush_buf);
24855 if (return_code != IO_OK)
24856 dev_warn(&h->pdev->dev, "Error flushing cache\n");
24857- h->access.set_intr_mask(h, CCISS_INTR_OFF);
24858+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
24859 free_irq(h->intr[PERF_MODE_INT], h);
24860 }
24861
24862diff -urNp linux-3.1.1/drivers/block/cciss.h linux-3.1.1/drivers/block/cciss.h
24863--- linux-3.1.1/drivers/block/cciss.h 2011-11-11 15:19:27.000000000 -0500
24864+++ linux-3.1.1/drivers/block/cciss.h 2011-11-16 18:39:07.000000000 -0500
24865@@ -100,7 +100,7 @@ struct ctlr_info
24866 /* information about each logical volume */
24867 drive_info_struct *drv[CISS_MAX_LUN];
24868
24869- struct access_method access;
24870+ struct access_method *access;
24871
24872 /* queue and queue Info */
24873 struct list_head reqQ;
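Review bot: With `access` now a pointer, every controller shares the `struct access_method` object it points at (cciss.c assigns `&SA5_performant_access` and `products[prod_index].access`), so the field should be declared `const struct access_method *access` and the pointed-to tables made `const`; otherwise a single stray write through `h->access->` retargets the function pointers for every controller rather than one. A pointer to a const table is also the form that lets the function-pointer table itself live in read-only memory, which appears to be the motivation for the change. The same applies to `struct access_method *access` in cpqarray.h below.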
24874diff -urNp linux-3.1.1/drivers/block/cpqarray.c linux-3.1.1/drivers/block/cpqarray.c
24875--- linux-3.1.1/drivers/block/cpqarray.c 2011-11-11 15:19:27.000000000 -0500
24876+++ linux-3.1.1/drivers/block/cpqarray.c 2011-11-16 18:40:10.000000000 -0500
24877@@ -404,7 +404,7 @@ static int __devinit cpqarray_register_c
24878 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
24879 goto Enomem4;
24880 }
24881- hba[i]->access.set_intr_mask(hba[i], 0);
24882+ hba[i]->access->set_intr_mask(hba[i], 0);
24883 if (request_irq(hba[i]->intr, do_ida_intr,
24884 IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
24885 {
24886@@ -459,7 +459,7 @@ static int __devinit cpqarray_register_c
24887 add_timer(&hba[i]->timer);
24888
24889 /* Enable IRQ now that spinlock and rate limit timer are set up */
24890- hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
24891+ hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
24892
24893 for(j=0; j<NWD; j++) {
24894 struct gendisk *disk = ida_gendisk[i][j];
24895@@ -694,7 +694,7 @@ DBGINFO(
24896 for(i=0; i<NR_PRODUCTS; i++) {
24897 if (board_id == products[i].board_id) {
24898 c->product_name = products[i].product_name;
24899- c->access = *(products[i].access);
24900+ c->access = products[i].access;
24901 break;
24902 }
24903 }
24904@@ -792,7 +792,7 @@ static int __devinit cpqarray_eisa_detec
24905 hba[ctlr]->intr = intr;
24906 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
24907 hba[ctlr]->product_name = products[j].product_name;
24908- hba[ctlr]->access = *(products[j].access);
24909+ hba[ctlr]->access = products[j].access;
24910 hba[ctlr]->ctlr = ctlr;
24911 hba[ctlr]->board_id = board_id;
24912 hba[ctlr]->pci_dev = NULL; /* not PCI */
24913@@ -911,6 +911,8 @@ static void do_ida_request(struct reques
24914 struct scatterlist tmp_sg[SG_MAX];
24915 int i, dir, seg;
24916
24917+ pax_track_stack();
24918+
24919 queue_next:
24920 creq = blk_peek_request(q);
24921 if (!creq)
24922@@ -980,7 +982,7 @@ static void start_io(ctlr_info_t *h)
24923
24924 while((c = h->reqQ) != NULL) {
24925 /* Can't do anything if we're busy */
24926- if (h->access.fifo_full(h) == 0)
24927+ if (h->access->fifo_full(h) == 0)
24928 return;
24929
24930 /* Get the first entry from the request Q */
24931@@ -988,7 +990,7 @@ static void start_io(ctlr_info_t *h)
24932 h->Qdepth--;
24933
24934 /* Tell the controller to do our bidding */
24935- h->access.submit_command(h, c);
24936+ h->access->submit_command(h, c);
24937
24938 /* Get onto the completion Q */
24939 addQ(&h->cmpQ, c);
24940@@ -1050,7 +1052,7 @@ static irqreturn_t do_ida_intr(int irq,
24941 unsigned long flags;
24942 __u32 a,a1;
24943
24944- istat = h->access.intr_pending(h);
24945+ istat = h->access->intr_pending(h);
24946 /* Is this interrupt for us? */
24947 if (istat == 0)
24948 return IRQ_NONE;
24949@@ -1061,7 +1063,7 @@ static irqreturn_t do_ida_intr(int irq,
24950 */
24951 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
24952 if (istat & FIFO_NOT_EMPTY) {
24953- while((a = h->access.command_completed(h))) {
24954+ while((a = h->access->command_completed(h))) {
24955 a1 = a; a &= ~3;
24956 if ((c = h->cmpQ) == NULL)
24957 {
24958@@ -1449,11 +1451,11 @@ static int sendcmd(
24959 /*
24960 * Disable interrupt
24961 */
24962- info_p->access.set_intr_mask(info_p, 0);
24963+ info_p->access->set_intr_mask(info_p, 0);
24964 /* Make sure there is room in the command FIFO */
24965 /* Actually it should be completely empty at this time. */
24966 for (i = 200000; i > 0; i--) {
24967- temp = info_p->access.fifo_full(info_p);
24968+ temp = info_p->access->fifo_full(info_p);
24969 if (temp != 0) {
24970 break;
24971 }
24972@@ -1466,7 +1468,7 @@ DBG(
24973 /*
24974 * Send the cmd
24975 */
24976- info_p->access.submit_command(info_p, c);
24977+ info_p->access->submit_command(info_p, c);
24978 complete = pollcomplete(ctlr);
24979
24980 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
24981@@ -1549,9 +1551,9 @@ static int revalidate_allvol(ctlr_info_t
24982 * we check the new geometry. Then turn interrupts back on when
24983 * we're done.
24984 */
24985- host->access.set_intr_mask(host, 0);
24986+ host->access->set_intr_mask(host, 0);
24987 getgeometry(ctlr);
24988- host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
24989+ host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
24990
24991 for(i=0; i<NWD; i++) {
24992 struct gendisk *disk = ida_gendisk[ctlr][i];
24993@@ -1591,7 +1593,7 @@ static int pollcomplete(int ctlr)
24994 /* Wait (up to 2 seconds) for a command to complete */
24995
24996 for (i = 200000; i > 0; i--) {
24997- done = hba[ctlr]->access.command_completed(hba[ctlr]);
24998+ done = hba[ctlr]->access->command_completed(hba[ctlr]);
24999 if (done == 0) {
25000 udelay(10); /* a short fixed delay */
25001 } else
25002diff -urNp linux-3.1.1/drivers/block/cpqarray.h linux-3.1.1/drivers/block/cpqarray.h
25003--- linux-3.1.1/drivers/block/cpqarray.h 2011-11-11 15:19:27.000000000 -0500
25004+++ linux-3.1.1/drivers/block/cpqarray.h 2011-11-16 18:39:07.000000000 -0500
25005@@ -99,7 +99,7 @@ struct ctlr_info {
25006 drv_info_t drv[NWD];
25007 struct proc_dir_entry *proc;
25008
25009- struct access_method access;
25010+ struct access_method *access;
25011
25012 cmdlist_t *reqQ;
25013 cmdlist_t *cmpQ;
25014diff -urNp linux-3.1.1/drivers/block/DAC960.c linux-3.1.1/drivers/block/DAC960.c
25015--- linux-3.1.1/drivers/block/DAC960.c 2011-11-11 15:19:27.000000000 -0500
25016+++ linux-3.1.1/drivers/block/DAC960.c 2011-11-16 18:40:10.000000000 -0500
25017@@ -1980,6 +1980,8 @@ static bool DAC960_V1_ReadDeviceConfigur
25018 unsigned long flags;
25019 int Channel, TargetID;
25020
25021+ pax_track_stack();
25022+
25023 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
25024 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
25025 sizeof(DAC960_SCSI_Inquiry_T) +
25026diff -urNp linux-3.1.1/drivers/block/drbd/drbd_int.h linux-3.1.1/drivers/block/drbd/drbd_int.h
25027--- linux-3.1.1/drivers/block/drbd/drbd_int.h 2011-11-11 15:19:27.000000000 -0500
25028+++ linux-3.1.1/drivers/block/drbd/drbd_int.h 2011-11-16 18:39:07.000000000 -0500
25029@@ -737,7 +737,7 @@ struct drbd_request;
25030 struct drbd_epoch {
25031 struct list_head list;
25032 unsigned int barrier_nr;
25033- atomic_t epoch_size; /* increased on every request added. */
25034+ atomic_unchecked_t epoch_size; /* increased on every request added. */
25035 atomic_t active; /* increased on every req. added, and dec on every finished. */
25036 unsigned long flags;
25037 };
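Review bot: `epoch_size` becomes `atomic_unchecked_t` while `active` on the next line stays `atomic_t`, and the existing comments do not explain the split; the distinction is presumably that `epoch_size` only grows within an epoch and is reset with `atomic_set`, whereas `active` is incremented and decremented like a reference count and so should keep overflow detection. Amending the comment to `/* increased on every request added; plain counter, not a refcount, so unchecked. */` makes the rule explicit for the next field someone adds to this struct. The `packet_seq` hunk below is the same case (a wrapping sequence number).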
25038@@ -1109,7 +1109,7 @@ struct drbd_conf {
25039 void *int_dig_in;
25040 void *int_dig_vv;
25041 wait_queue_head_t seq_wait;
25042- atomic_t packet_seq;
25043+ atomic_unchecked_t packet_seq;
25044 unsigned int peer_seq;
25045 spinlock_t peer_seq_lock;
25046 unsigned int minor;
25047@@ -1618,30 +1618,30 @@ static inline int drbd_setsockopt(struct
25048
25049 static inline void drbd_tcp_cork(struct socket *sock)
25050 {
25051- int __user val = 1;
25052+ int val = 1;
25053 (void) drbd_setsockopt(sock, SOL_TCP, TCP_CORK,
25054- (char __user *)&val, sizeof(val));
25055+ (char __force_user *)&val, sizeof(val));
25056 }
25057
25058 static inline void drbd_tcp_uncork(struct socket *sock)
25059 {
25060- int __user val = 0;
25061+ int val = 0;
25062 (void) drbd_setsockopt(sock, SOL_TCP, TCP_CORK,
25063- (char __user *)&val, sizeof(val));
25064+ (char __force_user *)&val, sizeof(val));
25065 }
25066
25067 static inline void drbd_tcp_nodelay(struct socket *sock)
25068 {
25069- int __user val = 1;
25070+ int val = 1;
25071 (void) drbd_setsockopt(sock, SOL_TCP, TCP_NODELAY,
25072- (char __user *)&val, sizeof(val));
25073+ (char __force_user *)&val, sizeof(val));
25074 }
25075
25076 static inline void drbd_tcp_quickack(struct socket *sock)
25077 {
25078- int __user val = 2;
25079+ int val = 2;
25080 (void) drbd_setsockopt(sock, SOL_TCP, TCP_QUICKACK,
25081- (char __user *)&val, sizeof(val));
25082+ (char __force_user *)&val, sizeof(val));
25083 }
25084
25085 void drbd_bump_write_ordering(struct drbd_conf *mdev, enum write_ordering_e wo);
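Review bot: The four helpers drbd_tcp_cork/uncork/nodelay/quickack now each carry the same `(char __force_user *)&val` cast, and that is the kind of annotation that should exist in exactly one place so a reviewer can audit why a kernel stack address is handed to an interface declared `__user`; a single `drbd_tcp_setint()` helper keeps the cast, and a comment on it, in one spot and reduces each wrapper to one line. The cast is needed because drbd_setsockopt, whose body is outside the hunk, takes a `__user`-typed value pointer, which is why the original code also cast `&val`. The rewrite below is behaviour-preserving; the three remaining wrappers follow the cork pattern with their own option and value.

```c
/* Single home for the __force_user cast: drbd_setsockopt() takes the
 * __user-typed setsockopt value pointer, but the value lives on the
 * kernel stack here. */
static inline void drbd_tcp_setint(struct socket *sock, int optname, int val)
{
	(void) drbd_setsockopt(sock, SOL_TCP, optname,
			       (char __force_user *)&val, sizeof(val));
}

static inline void drbd_tcp_cork(struct socket *sock)
{
	drbd_tcp_setint(sock, TCP_CORK, 1);
}

/* … unchanged pattern: drbd_tcp_uncork (TCP_CORK, 0), drbd_tcp_nodelay (TCP_NODELAY, 1), drbd_tcp_quickack (TCP_QUICKACK, 2) … */
```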
25086diff -urNp linux-3.1.1/drivers/block/drbd/drbd_main.c linux-3.1.1/drivers/block/drbd/drbd_main.c
25087--- linux-3.1.1/drivers/block/drbd/drbd_main.c 2011-11-11 15:19:27.000000000 -0500
25088+++ linux-3.1.1/drivers/block/drbd/drbd_main.c 2011-11-16 18:39:07.000000000 -0500
25089@@ -2397,7 +2397,7 @@ static int _drbd_send_ack(struct drbd_co
25090 p.sector = sector;
25091 p.block_id = block_id;
25092 p.blksize = blksize;
25093- p.seq_num = cpu_to_be32(atomic_add_return(1, &mdev->packet_seq));
25094+ p.seq_num = cpu_to_be32(atomic_add_return_unchecked(1, &mdev->packet_seq));
25095
25096 if (!mdev->meta.socket || mdev->state.conn < C_CONNECTED)
25097 return false;
25098@@ -2696,7 +2696,7 @@ int drbd_send_dblock(struct drbd_conf *m
25099 p.sector = cpu_to_be64(req->sector);
25100 p.block_id = (unsigned long)req;
25101 p.seq_num = cpu_to_be32(req->seq_num =
25102- atomic_add_return(1, &mdev->packet_seq));
25103+ atomic_add_return_unchecked(1, &mdev->packet_seq));
25104
25105 dp_flags = bio_flags_to_wire(mdev, req->master_bio->bi_rw);
25106
25107@@ -2981,7 +2981,7 @@ void drbd_init_set_defaults(struct drbd_
25108 atomic_set(&mdev->unacked_cnt, 0);
25109 atomic_set(&mdev->local_cnt, 0);
25110 atomic_set(&mdev->net_cnt, 0);
25111- atomic_set(&mdev->packet_seq, 0);
25112+ atomic_set_unchecked(&mdev->packet_seq, 0);
25113 atomic_set(&mdev->pp_in_use, 0);
25114 atomic_set(&mdev->pp_in_use_by_net, 0);
25115 atomic_set(&mdev->rs_sect_in, 0);
25116@@ -3063,8 +3063,8 @@ void drbd_mdev_cleanup(struct drbd_conf
25117 mdev->receiver.t_state);
25118
25119 /* no need to lock it, I'm the only thread alive */
25120- if (atomic_read(&mdev->current_epoch->epoch_size) != 0)
25121- dev_err(DEV, "epoch_size:%d\n", atomic_read(&mdev->current_epoch->epoch_size));
25122+ if (atomic_read_unchecked(&mdev->current_epoch->epoch_size) != 0)
25123+ dev_err(DEV, "epoch_size:%d\n", atomic_read_unchecked(&mdev->current_epoch->epoch_size));
25124 mdev->al_writ_cnt =
25125 mdev->bm_writ_cnt =
25126 mdev->read_cnt =
25127diff -urNp linux-3.1.1/drivers/block/drbd/drbd_nl.c linux-3.1.1/drivers/block/drbd/drbd_nl.c
25128--- linux-3.1.1/drivers/block/drbd/drbd_nl.c 2011-11-11 15:19:27.000000000 -0500
25129+++ linux-3.1.1/drivers/block/drbd/drbd_nl.c 2011-11-16 18:39:07.000000000 -0500
25130@@ -2359,7 +2359,7 @@ static void drbd_connector_callback(stru
25131 module_put(THIS_MODULE);
25132 }
25133
25134-static atomic_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
25135+static atomic_unchecked_t drbd_nl_seq = ATOMIC_INIT(2); /* two. */
25136
25137 static unsigned short *
25138 __tl_add_blob(unsigned short *tl, enum drbd_tags tag, const void *data,
25139@@ -2430,7 +2430,7 @@ void drbd_bcast_state(struct drbd_conf *
25140 cn_reply->id.idx = CN_IDX_DRBD;
25141 cn_reply->id.val = CN_VAL_DRBD;
25142
25143- cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25144+ cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25145 cn_reply->ack = 0; /* not used here. */
25146 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25147 (int)((char *)tl - (char *)reply->tag_list);
25148@@ -2462,7 +2462,7 @@ void drbd_bcast_ev_helper(struct drbd_co
25149 cn_reply->id.idx = CN_IDX_DRBD;
25150 cn_reply->id.val = CN_VAL_DRBD;
25151
25152- cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25153+ cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25154 cn_reply->ack = 0; /* not used here. */
25155 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25156 (int)((char *)tl - (char *)reply->tag_list);
25157@@ -2540,7 +2540,7 @@ void drbd_bcast_ee(struct drbd_conf *mde
25158 cn_reply->id.idx = CN_IDX_DRBD;
25159 cn_reply->id.val = CN_VAL_DRBD;
25160
25161- cn_reply->seq = atomic_add_return(1,&drbd_nl_seq);
25162+ cn_reply->seq = atomic_add_return_unchecked(1,&drbd_nl_seq);
25163 cn_reply->ack = 0; // not used here.
25164 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25165 (int)((char*)tl - (char*)reply->tag_list);
25166@@ -2579,7 +2579,7 @@ void drbd_bcast_sync_progress(struct drb
25167 cn_reply->id.idx = CN_IDX_DRBD;
25168 cn_reply->id.val = CN_VAL_DRBD;
25169
25170- cn_reply->seq = atomic_add_return(1, &drbd_nl_seq);
25171+ cn_reply->seq = atomic_add_return_unchecked(1, &drbd_nl_seq);
25172 cn_reply->ack = 0; /* not used here. */
25173 cn_reply->len = sizeof(struct drbd_nl_cfg_reply) +
25174 (int)((char *)tl - (char *)reply->tag_list);
25175diff -urNp linux-3.1.1/drivers/block/drbd/drbd_receiver.c linux-3.1.1/drivers/block/drbd/drbd_receiver.c
25176--- linux-3.1.1/drivers/block/drbd/drbd_receiver.c 2011-11-11 15:19:27.000000000 -0500
25177+++ linux-3.1.1/drivers/block/drbd/drbd_receiver.c 2011-11-16 18:39:07.000000000 -0500
25178@@ -894,7 +894,7 @@ retry:
25179 sock->sk->sk_sndtimeo = mdev->net_conf->timeout*HZ/10;
25180 sock->sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
25181
25182- atomic_set(&mdev->packet_seq, 0);
25183+ atomic_set_unchecked(&mdev->packet_seq, 0);
25184 mdev->peer_seq = 0;
25185
25186 drbd_thread_start(&mdev->asender);
25187@@ -985,7 +985,7 @@ static enum finish_epoch drbd_may_finish
25188 do {
25189 next_epoch = NULL;
25190
25191- epoch_size = atomic_read(&epoch->epoch_size);
25192+ epoch_size = atomic_read_unchecked(&epoch->epoch_size);
25193
25194 switch (ev & ~EV_CLEANUP) {
25195 case EV_PUT:
25196@@ -1020,7 +1020,7 @@ static enum finish_epoch drbd_may_finish
25197 rv = FE_DESTROYED;
25198 } else {
25199 epoch->flags = 0;
25200- atomic_set(&epoch->epoch_size, 0);
25201+ atomic_set_unchecked(&epoch->epoch_size, 0);
25202 /* atomic_set(&epoch->active, 0); is already zero */
25203 if (rv == FE_STILL_LIVE)
25204 rv = FE_RECYCLED;
25205@@ -1191,14 +1191,14 @@ static int receive_Barrier(struct drbd_c
25206 drbd_wait_ee_list_empty(mdev, &mdev->active_ee);
25207 drbd_flush(mdev);
25208
25209- if (atomic_read(&mdev->current_epoch->epoch_size)) {
25210+ if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
25211 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
25212 if (epoch)
25213 break;
25214 }
25215
25216 epoch = mdev->current_epoch;
25217- wait_event(mdev->ee_wait, atomic_read(&epoch->epoch_size) == 0);
25218+ wait_event(mdev->ee_wait, atomic_read_unchecked(&epoch->epoch_size) == 0);
25219
25220 D_ASSERT(atomic_read(&epoch->active) == 0);
25221 D_ASSERT(epoch->flags == 0);
25222@@ -1210,11 +1210,11 @@ static int receive_Barrier(struct drbd_c
25223 }
25224
25225 epoch->flags = 0;
25226- atomic_set(&epoch->epoch_size, 0);
25227+ atomic_set_unchecked(&epoch->epoch_size, 0);
25228 atomic_set(&epoch->active, 0);
25229
25230 spin_lock(&mdev->epoch_lock);
25231- if (atomic_read(&mdev->current_epoch->epoch_size)) {
25232+ if (atomic_read_unchecked(&mdev->current_epoch->epoch_size)) {
25233 list_add(&epoch->list, &mdev->current_epoch->list);
25234 mdev->current_epoch = epoch;
25235 mdev->epochs++;
25236@@ -1663,7 +1663,7 @@ static int receive_Data(struct drbd_conf
25237 spin_unlock(&mdev->peer_seq_lock);
25238
25239 drbd_send_ack_dp(mdev, P_NEG_ACK, p, data_size);
25240- atomic_inc(&mdev->current_epoch->epoch_size);
25241+ atomic_inc_unchecked(&mdev->current_epoch->epoch_size);
25242 return drbd_drain_block(mdev, data_size);
25243 }
25244
25245@@ -1689,7 +1689,7 @@ static int receive_Data(struct drbd_conf
25246
25247 spin_lock(&mdev->epoch_lock);
25248 e->epoch = mdev->current_epoch;
25249- atomic_inc(&e->epoch->epoch_size);
25250+ atomic_inc_unchecked(&e->epoch->epoch_size);
25251 atomic_inc(&e->epoch->active);
25252 spin_unlock(&mdev->epoch_lock);
25253
25254@@ -3885,7 +3885,7 @@ static void drbd_disconnect(struct drbd_
25255 D_ASSERT(list_empty(&mdev->done_ee));
25256
25257 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
25258- atomic_set(&mdev->current_epoch->epoch_size, 0);
25259+ atomic_set_unchecked(&mdev->current_epoch->epoch_size, 0);
25260 D_ASSERT(list_empty(&mdev->current_epoch->list));
25261 }
25262
25263diff -urNp linux-3.1.1/drivers/block/loop.c linux-3.1.1/drivers/block/loop.c
25264--- linux-3.1.1/drivers/block/loop.c 2011-11-11 15:19:27.000000000 -0500
25265+++ linux-3.1.1/drivers/block/loop.c 2011-11-16 18:39:07.000000000 -0500
25266@@ -283,7 +283,7 @@ static int __do_lo_send_write(struct fil
25267 mm_segment_t old_fs = get_fs();
25268
25269 set_fs(get_ds());
25270- bw = file->f_op->write(file, buf, len, &pos);
25271+ bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
25272 set_fs(old_fs);
25273 if (likely(bw == len))
25274 return 0;
25275diff -urNp linux-3.1.1/drivers/block/nbd.c linux-3.1.1/drivers/block/nbd.c
25276--- linux-3.1.1/drivers/block/nbd.c 2011-11-11 15:19:27.000000000 -0500
25277+++ linux-3.1.1/drivers/block/nbd.c 2011-11-16 18:40:10.000000000 -0500
25278@@ -157,6 +157,8 @@ static int sock_xmit(struct nbd_device *
25279 struct kvec iov;
25280 sigset_t blocked, oldset;
25281
25282+ pax_track_stack();
25283+
25284 if (unlikely(!sock)) {
25285 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
25286 lo->disk->disk_name, (send ? "send" : "recv"));
25287@@ -572,6 +574,8 @@ static void do_nbd_request(struct reques
25288 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
25289 unsigned int cmd, unsigned long arg)
25290 {
25291+ pax_track_stack();
25292+
25293 switch (cmd) {
25294 case NBD_DISCONNECT: {
25295 struct request sreq;
25296diff -urNp linux-3.1.1/drivers/char/agp/frontend.c linux-3.1.1/drivers/char/agp/frontend.c
25297--- linux-3.1.1/drivers/char/agp/frontend.c 2011-11-11 15:19:27.000000000 -0500
25298+++ linux-3.1.1/drivers/char/agp/frontend.c 2011-11-16 18:39:07.000000000 -0500
25299@@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
25300 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
25301 return -EFAULT;
25302
25303- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
25304+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
25305 return -EFAULT;
25306
25307 client = agp_find_client_by_pid(reserve.pid);
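Review bot: The bound now divides by `sizeof(struct agp_segment_priv)` instead of `sizeof(struct agp_segment)`, which reads as aligning the check with the array actually sized from `seg_count` later in the function (outside the hunk); if the function also allocates `seg_count * sizeof(struct agp_segment)` for the user-supplied list, both products have to stay below the limit, so a check against the larger of the two sizes, `if (reserve.seg_count >= ~0U / max_t(size_t, sizeof(struct agp_segment), sizeof(struct agp_segment_priv)))`, or a comment naming which allocation this guards would stop the mismatch coming back. Note that the `(unsigned)` cast truncates a `size_t` `seg_count` on 64-bit, so this line alone does not bound the later multiplications; if an absolute limit on `seg_count` further down is what really protects the allocations, a comment saying this check is only a coarse pre-filter would keep anyone from relying on it. `agpioc_reserve_wrap` starts and ends outside the hunk.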
25308diff -urNp linux-3.1.1/drivers/char/briq_panel.c linux-3.1.1/drivers/char/briq_panel.c
25309--- linux-3.1.1/drivers/char/briq_panel.c 2011-11-11 15:19:27.000000000 -0500
25310+++ linux-3.1.1/drivers/char/briq_panel.c 2011-11-16 18:40:10.000000000 -0500
25311@@ -9,6 +9,7 @@
25312 #include <linux/types.h>
25313 #include <linux/errno.h>
25314 #include <linux/tty.h>
25315+#include <linux/mutex.h>
25316 #include <linux/timer.h>
25317 #include <linux/kernel.h>
25318 #include <linux/wait.h>
25319@@ -34,6 +35,7 @@ static int vfd_is_open;
25320 static unsigned char vfd[40];
25321 static int vfd_cursor;
25322 static unsigned char ledpb, led;
25323+static DEFINE_MUTEX(vfd_mutex);
25324
25325 static void update_vfd(void)
25326 {
25327@@ -140,12 +142,15 @@ static ssize_t briq_panel_write(struct f
25328 if (!vfd_is_open)
25329 return -EBUSY;
25330
25331+ mutex_lock(&vfd_mutex);
25332 for (;;) {
25333 char c;
25334 if (!indx)
25335 break;
25336- if (get_user(c, buf))
25337+ if (get_user(c, buf)) {
25338+ mutex_unlock(&vfd_mutex);
25339 return -EFAULT;
25340+ }
25341 if (esc) {
25342 set_led(c);
25343 esc = 0;
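Review bot: With the mutex taken before the loop, every exit path inside the loop now has to unlock it; the hunk covers the `get_user()` failure, but the rest of the loop body between this hunk and the next (`@@ -175`, not shown) is exactly where any other `return` would leave `vfd_mutex` held. A single exit label makes that impossible to miss: set `ret = -EFAULT; goto out;` on the failure path and finish with `out: mutex_unlock(&vfd_mutex); return ret;` after `update_vfd()`, with `ret = len` on the success path. `briq_panel_write` starts outside the hunk, so I cannot see whether other early returns exist.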
25344@@ -175,6 +180,7 @@ static ssize_t briq_panel_write(struct f
25345 buf++;
25346 }
25347 update_vfd();
25348+ mutex_unlock(&vfd_mutex);
25349
25350 return len;
25351 }
25352diff -urNp linux-3.1.1/drivers/char/genrtc.c linux-3.1.1/drivers/char/genrtc.c
25353--- linux-3.1.1/drivers/char/genrtc.c 2011-11-11 15:19:27.000000000 -0500
25354+++ linux-3.1.1/drivers/char/genrtc.c 2011-11-16 18:40:10.000000000 -0500
25355@@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *fi
25356 switch (cmd) {
25357
25358 case RTC_PLL_GET:
25359+ memset(&pll, 0, sizeof(pll));
25360 if (get_rtc_pll(&pll))
25361 return -EINVAL;
25362 else
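Review bot: The `memset(&pll, 0, sizeof(pll))` is added without a comment, so its purpose is invisible at the call site; I infer from the `RTC_PLL_GET` handling that `pll` is copied to user space below the hunk, in which case any field or padding the platform's `get_rtc_pll()` leaves untouched would otherwise carry stack contents to the caller. A comment such as `/* get_rtc_pll() may not fill every field: clear first so no stack data reaches user space */` would record that. `gen_rtc_ioctl` starts and ends outside the hunk.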
25363diff -urNp linux-3.1.1/drivers/char/hpet.c linux-3.1.1/drivers/char/hpet.c
25364--- linux-3.1.1/drivers/char/hpet.c 2011-11-11 15:19:27.000000000 -0500
25365+++ linux-3.1.1/drivers/char/hpet.c 2011-11-16 18:39:07.000000000 -0500
25366@@ -572,7 +572,7 @@ static inline unsigned long hpet_time_di
25367 }
25368
25369 static int
25370-hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
25371+hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
25372 struct hpet_info *info)
25373 {
25374 struct hpet_timer __iomem *timer;
25375diff -urNp linux-3.1.1/drivers/char/ipmi/ipmi_msghandler.c linux-3.1.1/drivers/char/ipmi/ipmi_msghandler.c
25376--- linux-3.1.1/drivers/char/ipmi/ipmi_msghandler.c 2011-11-11 15:19:27.000000000 -0500
25377+++ linux-3.1.1/drivers/char/ipmi/ipmi_msghandler.c 2011-11-16 18:40:10.000000000 -0500
25378@@ -415,7 +415,7 @@ struct ipmi_smi {
25379 struct proc_dir_entry *proc_dir;
25380 char proc_dir_name[10];
25381
25382- atomic_t stats[IPMI_NUM_STATS];
25383+ atomic_unchecked_t stats[IPMI_NUM_STATS];
25384
25385 /*
25386 * run_to_completion duplicate of smb_info, smi_info
25387@@ -448,9 +448,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
25388
25389
25390 #define ipmi_inc_stat(intf, stat) \
25391- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
25392+ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
25393 #define ipmi_get_stat(intf, stat) \
25394- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
25395+ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
25396
25397 static int is_lan_addr(struct ipmi_addr *addr)
25398 {
25399@@ -2868,7 +2868,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
25400 INIT_LIST_HEAD(&intf->cmd_rcvrs);
25401 init_waitqueue_head(&intf->waitq);
25402 for (i = 0; i < IPMI_NUM_STATS; i++)
25403- atomic_set(&intf->stats[i], 0);
25404+ atomic_set_unchecked(&intf->stats[i], 0);
25405
25406 intf->proc_dir = NULL;
25407
25408@@ -4220,6 +4220,8 @@ static void send_panic_events(char *str)
25409 struct ipmi_smi_msg smi_msg;
25410 struct ipmi_recv_msg recv_msg;
25411
25412+ pax_track_stack();
25413+
25414 si = (struct ipmi_system_interface_addr *) &addr;
25415 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
25416 si->channel = IPMI_BMC_CHANNEL;
25417diff -urNp linux-3.1.1/drivers/char/ipmi/ipmi_si_intf.c linux-3.1.1/drivers/char/ipmi/ipmi_si_intf.c
25418--- linux-3.1.1/drivers/char/ipmi/ipmi_si_intf.c 2011-11-11 15:19:27.000000000 -0500
25419+++ linux-3.1.1/drivers/char/ipmi/ipmi_si_intf.c 2011-11-16 18:39:07.000000000 -0500
25420@@ -277,7 +277,7 @@ struct smi_info {
25421 unsigned char slave_addr;
25422
25423 /* Counters and things for the proc filesystem. */
25424- atomic_t stats[SI_NUM_STATS];
25425+ atomic_unchecked_t stats[SI_NUM_STATS];
25426
25427 struct task_struct *thread;
25428
25429@@ -286,9 +286,9 @@ struct smi_info {
25430 };
25431
25432 #define smi_inc_stat(smi, stat) \
25433- atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
25434+ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
25435 #define smi_get_stat(smi, stat) \
25436- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
25437+ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
25438
25439 #define SI_MAX_PARMS 4
25440
25441@@ -3230,7 +3230,7 @@ static int try_smi_init(struct smi_info
25442 atomic_set(&new_smi->req_events, 0);
25443 new_smi->run_to_completion = 0;
25444 for (i = 0; i < SI_NUM_STATS; i++)
25445- atomic_set(&new_smi->stats[i], 0);
25446+ atomic_set_unchecked(&new_smi->stats[i], 0);
25447
25448 new_smi->interrupt_disabled = 1;
25449 atomic_set(&new_smi->stop_operation, 0);
25450diff -urNp linux-3.1.1/drivers/char/Kconfig linux-3.1.1/drivers/char/Kconfig
25451--- linux-3.1.1/drivers/char/Kconfig 2011-11-11 15:19:27.000000000 -0500
25452+++ linux-3.1.1/drivers/char/Kconfig 2011-11-16 18:40:10.000000000 -0500
25453@@ -8,7 +8,8 @@ source "drivers/tty/Kconfig"
25454
25455 config DEVKMEM
25456 bool "/dev/kmem virtual device support"
25457- default y
25458+ default n
25459+ depends on !GRKERNSEC_KMEM
25460 help
25461 Say Y here if you want to support the /dev/kmem device. The
25462 /dev/kmem device is rarely used, but can be used for certain
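Review bot: The DEVKMEM help text still opens with "Say Y here if you want to support the /dev/kmem device" while the option now defaults to n and disappears entirely whenever GRKERNSEC_KMEM is set; a sentence in the help, e.g. `This option is not available when GRKERNSEC_KMEM is enabled, which removes the device altogether.`, would let someone searching for a missing /dev/kmem find the dependency. The same applies to DEVPORT in the next hunk, which is a silent `bool` with no help text at all.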
25463@@ -596,6 +597,7 @@ config DEVPORT
25464 bool
25465 depends on !M68K
25466 depends on ISA || PCI
25467+ depends on !GRKERNSEC_KMEM
25468 default y
25469
25470 source "drivers/s390/char/Kconfig"
25471diff -urNp linux-3.1.1/drivers/char/mbcs.c linux-3.1.1/drivers/char/mbcs.c
25472--- linux-3.1.1/drivers/char/mbcs.c 2011-11-11 15:19:27.000000000 -0500
25473+++ linux-3.1.1/drivers/char/mbcs.c 2011-11-16 18:39:07.000000000 -0500
25474@@ -800,7 +800,7 @@ static int mbcs_remove(struct cx_dev *de
25475 return 0;
25476 }
25477
25478-static const struct cx_device_id __devinitdata mbcs_id_table[] = {
25479+static const struct cx_device_id __devinitconst mbcs_id_table[] = {
25480 {
25481 .part_num = MBCS_PART_NUM,
25482 .mfg_num = MBCS_MFG_NUM,
25483diff -urNp linux-3.1.1/drivers/char/mem.c linux-3.1.1/drivers/char/mem.c
25484--- linux-3.1.1/drivers/char/mem.c 2011-11-11 15:19:27.000000000 -0500
25485+++ linux-3.1.1/drivers/char/mem.c 2011-11-17 18:31:56.000000000 -0500
25486@@ -18,6 +18,7 @@
25487 #include <linux/raw.h>
25488 #include <linux/tty.h>
25489 #include <linux/capability.h>
25490+#include <linux/security.h>
25491 #include <linux/ptrace.h>
25492 #include <linux/device.h>
25493 #include <linux/highmem.h>
25494@@ -34,6 +35,10 @@
25495 # include <linux/efi.h>
25496 #endif
25497
25498+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
25499+extern const struct file_operations grsec_fops;
25500+#endif
25501+
25502 static inline unsigned long size_inside_page(unsigned long start,
25503 unsigned long size)
25504 {
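Review bot: `extern const struct file_operations grsec_fops;` is declared inside mem.c rather than in a header, so the declaration and the definition can drift apart without the compiler noticing, and checkpatch flags externs in .c files for that reason. Since the same `#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)` condition is repeated at the device table later in this file, putting the declaration in the grsecurity header that mem.c includes (or a new one) under that condition would keep both users in step. If the header route is not taken, at least a comment naming where `grsec_fops` is defined would help the reader.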
25505@@ -65,9 +70,13 @@ static inline int range_is_allowed(unsig
25506
25507 while (cursor < to) {
25508 if (!devmem_is_allowed(pfn)) {
25509+#ifdef CONFIG_GRKERNSEC_KMEM
25510+ gr_handle_mem_readwrite(from, to);
25511+#else
25512 printk(KERN_INFO
25513 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
25514 current->comm, from, to);
25515+#endif
25516 return 0;
25517 }
25518 cursor += PAGE_SIZE;
25519@@ -75,6 +84,11 @@ static inline int range_is_allowed(unsig
25520 }
25521 return 1;
25522 }
25523+#elif defined(CONFIG_GRKERNSEC_KMEM)
25524+static inline int range_is_allowed(unsigned long pfn, unsigned long size)
25525+{
25526+ return 0;
25527+}
25528 #else
25529 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
25530 {
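Review bot: The new `#elif defined(CONFIG_GRKERNSEC_KMEM)` branch makes `range_is_allowed()` deny every /dev/mem range, but only when the first branch's condition (outside the hunk, presumably `CONFIG_STRICT_DEVMEM`) is off; with both options set, the version patched in the hunk above (`@@ -65`) still permits whatever `devmem_is_allowed()` accepts and merely reports the rest through `gr_handle_mem_readwrite()`. Unless the GRKERNSEC_KMEM Kconfig entry pins its relationship to STRICT_DEVMEM (not in this chunk), the effective policy of one option therefore depends on an unrelated one. If "deny everything" is the intent, the first branch should also return 0 unconditionally under GRKERNSEC_KMEM; either way a comment on the `#elif`, e.g. `/* GRKERNSEC_KMEM without STRICT_DEVMEM: no /dev/mem range is accessible at all */`, should state the intended policy.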
25531@@ -117,6 +131,7 @@ static ssize_t read_mem(struct file *fil
25532
25533 while (count > 0) {
25534 unsigned long remaining;
25535+ char *temp;
25536
25537 sz = size_inside_page(p, count);
25538
25539@@ -132,7 +147,23 @@ static ssize_t read_mem(struct file *fil
25540 if (!ptr)
25541 return -EFAULT;
25542
25543- remaining = copy_to_user(buf, ptr, sz);
25544+#ifdef CONFIG_PAX_USERCOPY
25545+ temp = kmalloc(sz, GFP_KERNEL);
25546+ if (!temp) {
25547+ unxlate_dev_mem_ptr(p, ptr);
25548+ return -ENOMEM;
25549+ }
25550+ memcpy(temp, ptr, sz);
25551+#else
25552+ temp = ptr;
25553+#endif
25554+
25555+ remaining = copy_to_user(buf, temp, sz);
25556+
25557+#ifdef CONFIG_PAX_USERCOPY
25558+ kfree(temp);
25559+#endif
25560+
25561 unxlate_dev_mem_ptr(p, ptr);
25562 if (remaining)
25563 return -EFAULT;
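Review bot: The PAX_USERCOPY bounce sequence (kmalloc, memcpy, copy_to_user, kfree) is open-coded here and again in the `read_kmem` hunk below (`@@ -428`), the only difference being the `unxlate_dev_mem_ptr()` call on the allocation-failure path; a small static helper would keep the two copies in step and document the motivation in one place — presumably that `copy_to_user()` under PAX_USERCOPY refuses sources that are not slab objects, which I cannot confirm from this chunk. The helper below preserves the existing error codes (`-ENOMEM` for a failed bounce allocation, `-EFAULT` otherwise), so the loop body reduces to the three lines shown. The bounce buffer is also allocated once per page iteration; a single PAGE_SIZE buffer allocated before the loop would avoid that. `read_mem`'s body continues outside the hunk.
```c
/*
 * Copy sz bytes from src to the user buffer.  Under PAX_USERCOPY the data
 * is first bounced through a freshly kmalloc'd object (presumably because
 * the usercopy checker rejects sources outside slab memory -- confirm).
 * Returns 0, -ENOMEM if the bounce buffer cannot be allocated, or -EFAULT.
 */
static ssize_t copy_to_user_bounced(char __user *buf, const char *src, size_t sz)
{
#ifdef CONFIG_PAX_USERCOPY
	char *temp = kmalloc(sz, GFP_KERNEL);
	unsigned long remaining;

	if (!temp)
		return -ENOMEM;
	memcpy(temp, src, sz);
	remaining = copy_to_user(buf, temp, sz);
	kfree(temp);
#else
	unsigned long remaining = copy_to_user(buf, src, sz);
#endif
	return remaining ? -EFAULT : 0;
}

/* … unchanged: read_mem() up to the xlate_dev_mem_ptr() / !ptr check … */
		err = copy_to_user_bounced(buf, ptr, sz);	/* ssize_t err declared at loop scope */
		unxlate_dev_mem_ptr(p, ptr);
		if (err)
			return err;
/* … unchanged: buf/p/count bookkeeping … */
```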
25564@@ -395,9 +426,8 @@ static ssize_t read_kmem(struct file *fi
25565 size_t count, loff_t *ppos)
25566 {
25567 unsigned long p = *ppos;
25568- ssize_t low_count, read, sz;
25569+ ssize_t low_count, read, sz, err = 0;
25570 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
25571- int err = 0;
25572
25573 read = 0;
25574 if (p < (unsigned long) high_memory) {
25575@@ -419,6 +449,8 @@ static ssize_t read_kmem(struct file *fi
25576 }
25577 #endif
25578 while (low_count > 0) {
25579+ char *temp;
25580+
25581 sz = size_inside_page(p, low_count);
25582
25583 /*
25584@@ -428,7 +460,22 @@ static ssize_t read_kmem(struct file *fi
25585 */
25586 kbuf = xlate_dev_kmem_ptr((char *)p);
25587
25588- if (copy_to_user(buf, kbuf, sz))
25589+#ifdef CONFIG_PAX_USERCOPY
25590+ temp = kmalloc(sz, GFP_KERNEL);
25591+ if (!temp)
25592+ return -ENOMEM;
25593+ memcpy(temp, kbuf, sz);
25594+#else
25595+ temp = kbuf;
25596+#endif
25597+
25598+ err = copy_to_user(buf, temp, sz);
25599+
25600+#ifdef CONFIG_PAX_USERCOPY
25601+ kfree(temp);
25602+#endif
25603+
25604+ if (err)
25605 return -EFAULT;
25606 buf += sz;
25607 p += sz;
25608@@ -866,6 +913,9 @@ static const struct memdev {
25609 #ifdef CONFIG_CRASH_DUMP
25610 [12] = { "oldmem", 0, &oldmem_fops, NULL },
25611 #endif
25612+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
25613+ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
25614+#endif
25615 };
25616
25617 static int memory_open(struct inode *inode, struct file *filp)
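Review bot: The new `grsec` node is registered with mode `S_IRUSR | S_IWUGO`, i.e. writable by every user on the system; that is presumably deliberate (the write handler behind `grsec_fops` would be where authentication of the RBAC admin commands happens), but a reviewer seeing a world-writable device under /dev will flag it, so the entry deserves a comment such as `/* world-writable on purpose: grsec_fops' write path authenticates the caller itself */`. Also a space is missing after the comma in `"grsec",S_IRUSR`, unlike the other rows of the table.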
25618diff -urNp linux-3.1.1/drivers/char/nvram.c linux-3.1.1/drivers/char/nvram.c
25619--- linux-3.1.1/drivers/char/nvram.c 2011-11-11 15:19:27.000000000 -0500
25620+++ linux-3.1.1/drivers/char/nvram.c 2011-11-16 18:39:07.000000000 -0500
25621@@ -248,7 +248,7 @@ static ssize_t nvram_read(struct file *f
25622
25623 spin_unlock_irq(&rtc_lock);
25624
25625- if (copy_to_user(buf, contents, tmp - contents))
25626+ if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
25627 return -EFAULT;
25628
25629 *ppos = i;
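Review bot: `tmp - contents > sizeof(contents)` compares a pointer difference with a `size_t`, so the difference is converted to unsigned; a negative difference would also trip the guard, which is the safe direction but worth a comment. The condition can only be true if the fill loop above the hunk (not shown) wrote past the end of `contents`, which is a kernel bug rather than a user fault, so returning `-EFAULT` hides the real problem; `if (WARN_ON_ONCE(tmp - contents > sizeof(contents))) return -EIO;` would surface it while still refusing the copy. `nvram_read` starts outside the hunk.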
25630diff -urNp linux-3.1.1/drivers/char/random.c linux-3.1.1/drivers/char/random.c
25631--- linux-3.1.1/drivers/char/random.c 2011-11-11 15:19:27.000000000 -0500
25632+++ linux-3.1.1/drivers/char/random.c 2011-11-16 18:40:10.000000000 -0500
25633@@ -261,8 +261,13 @@
25634 /*
25635 * Configuration information
25636 */
25637+#ifdef CONFIG_GRKERNSEC_RANDNET
25638+#define INPUT_POOL_WORDS 512
25639+#define OUTPUT_POOL_WORDS 128
25640+#else
25641 #define INPUT_POOL_WORDS 128
25642 #define OUTPUT_POOL_WORDS 32
25643+#endif
25644 #define SEC_XFER_SIZE 512
25645 #define EXTRACT_SIZE 10
25646
25647@@ -300,10 +305,17 @@ static struct poolinfo {
25648 int poolwords;
25649 int tap1, tap2, tap3, tap4, tap5;
25650 } poolinfo_table[] = {
25651+#ifdef CONFIG_GRKERNSEC_RANDNET
25652+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
25653+ { 512, 411, 308, 208, 104, 1 },
25654+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
25655+ { 128, 103, 76, 51, 25, 1 },
25656+#else
25657 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
25658 { 128, 103, 76, 51, 25, 1 },
25659 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
25660 { 32, 26, 20, 14, 7, 1 },
25661+#endif
25662 #if 0
25663 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
25664 { 2048, 1638, 1231, 819, 411, 1 },
25665@@ -909,7 +921,7 @@ static ssize_t extract_entropy_user(stru
25666
25667 extract_buf(r, tmp);
25668 i = min_t(int, nbytes, EXTRACT_SIZE);
25669- if (copy_to_user(buf, tmp, i)) {
25670+ if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
25671 ret = -EFAULT;
25672 break;
25673 }
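Review bot: `i > sizeof(tmp)` cannot be true as written, because `i = min_t(int, nbytes, EXTRACT_SIZE)` on the line above caps it at EXTRACT_SIZE and `tmp` is presumably EXTRACT_SIZE bytes (its declaration is outside the hunk); as a defensive check it is fine, but since `i` is `int` and `sizeof` is `size_t` the comparison is unsigned, so a negative `i` (from an `nbytes` that does not fit an `int`) also trips it — the safe direction, but worth a comment. Because the check guards an internal invariant rather than a bad user pointer, `-EFAULT` is a misleading code; a `WARN_ON_ONCE` with `-EINVAL` would tell whoever debugs it what actually happened. `extract_entropy_user` starts and ends outside the hunk.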
25674@@ -1214,7 +1226,7 @@ EXPORT_SYMBOL(generate_random_uuid);
25675 #include <linux/sysctl.h>
25676
25677 static int min_read_thresh = 8, min_write_thresh;
25678-static int max_read_thresh = INPUT_POOL_WORDS * 32;
25679+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
25680 static int max_write_thresh = INPUT_POOL_WORDS * 32;
25681 static char sysctl_bootid[16];
25682
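Review bot: `max_read_thresh` now caps the `read_wakeup_threshold` sysctl at `OUTPUT_POOL_WORDS * 32` instead of `INPUT_POOL_WORDS * 32`, and nothing in the hunk or the commit says why; I cannot tell from this chunk which pool the threshold is compared against, so the reasoning should be written at the definition, e.g. `/* the read threshold cannot usefully exceed the pool it is checked against (OUTPUT_POOL_WORDS) */`. Note the interaction with the first hunk of this file: with CONFIG_GRKERNSEC_RANDNET the new ceiling is 128 * 32, the same figure as the old non-RANDNET ceiling, while without RANDNET it drops to 32 * 32, so existing configurations that set the sysctl above that will now be rejected — that deserves a line in the changelog.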
25683diff -urNp linux-3.1.1/drivers/char/sonypi.c linux-3.1.1/drivers/char/sonypi.c
25684--- linux-3.1.1/drivers/char/sonypi.c 2011-11-11 15:19:27.000000000 -0500
25685+++ linux-3.1.1/drivers/char/sonypi.c 2011-11-16 18:39:07.000000000 -0500
25686@@ -55,6 +55,7 @@
25687 #include <asm/uaccess.h>
25688 #include <asm/io.h>
25689 #include <asm/system.h>
25690+#include <asm/local.h>
25691
25692 #include <linux/sonypi.h>
25693
25694@@ -491,7 +492,7 @@ static struct sonypi_device {
25695 spinlock_t fifo_lock;
25696 wait_queue_head_t fifo_proc_list;
25697 struct fasync_struct *fifo_async;
25698- int open_count;
25699+ local_t open_count;
25700 int model;
25701 struct input_dev *input_jog_dev;
25702 struct input_dev *input_key_dev;
25703@@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
25704 static int sonypi_misc_release(struct inode *inode, struct file *file)
25705 {
25706 mutex_lock(&sonypi_device.lock);
25707- sonypi_device.open_count--;
25708+ local_dec(&sonypi_device.open_count);
25709 mutex_unlock(&sonypi_device.lock);
25710 return 0;
25711 }
25712@@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
25713 {
25714 mutex_lock(&sonypi_device.lock);
25715 /* Flush input queue on first open */
25716- if (!sonypi_device.open_count)
25717+ if (!local_read(&sonypi_device.open_count))
25718 kfifo_reset(&sonypi_device.fifo);
25719- sonypi_device.open_count++;
25720+ local_inc(&sonypi_device.open_count);
25721 mutex_unlock(&sonypi_device.lock);
25722
25723 return 0;
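Review bot: Every access to `open_count` in these hunks sits between `mutex_lock(&sonypi_device.lock)` and `mutex_unlock(...)`, so converting it to `local_t` with `local_inc()`/`local_dec()`/`local_read()` adds no synchronization the code needs, and `local_t` is a per-CPU primitive that is only safe here because the mutex serializes the callers. If the intent is to keep the open counter out of the overflow instrumentation applied to `atomic_t` and plain `int` counters, say so at the field in the `@@ -491` hunk, e.g. `local_t open_count; /* always touched under .lock; local_t only to stay out of atomic overflow checks */`, otherwise a later reader may drop the mutex believing `local_t` alone makes it safe.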
25724diff -urNp linux-3.1.1/drivers/char/tpm/tpm_bios.c linux-3.1.1/drivers/char/tpm/tpm_bios.c
25725--- linux-3.1.1/drivers/char/tpm/tpm_bios.c 2011-11-11 15:19:27.000000000 -0500
25726+++ linux-3.1.1/drivers/char/tpm/tpm_bios.c 2011-11-16 18:39:07.000000000 -0500
25727@@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
25728 event = addr;
25729
25730 if ((event->event_type == 0 && event->event_size == 0) ||
25731- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
25732+ (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
25733 return NULL;
25734
25735 return addr;
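Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids forming a pointer past `limit`, but the right-hand side is an unsigned subtraction: it only stays meaningful because an earlier check in this function (above the hunk, not shown) already rejects `addr + sizeof(struct tcpa_event) >= limit`; if that check ever moved or was weakened, the subtraction would wrap and the comparison would pass for any `event_size`. A comment on the condition, `/* addr + sizeof(*event) < limit was verified above, so this cannot underflow */`, ties the two together. The same applies to the `tpm_bios_measurements_next` hunk right below, which rewrites the bound the same way and relies on the same preceding check.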
25736@@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
25737 return NULL;
25738
25739 if ((event->event_type == 0 && event->event_size == 0) ||
25740- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
25741+ (event->event_size >= limit - v - sizeof(struct tcpa_event)))
25742 return NULL;
25743
25744 (*pos)++;
25745@@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
25746 int i;
25747
25748 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
25749- seq_putc(m, data[i]);
25750+ if (!seq_putc(m, data[i]))
25751+ return -EFAULT;
25752
25753 return 0;
25754 }
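Review bot: The test `if (!seq_putc(m, data[i])) return -EFAULT;` looks inverted: as far as I recall, `seq_putc()` in this kernel's fs/seq_file.c returns 0 on success and -1 when the seq buffer is full (it only became `void` in much later kernels), so this would return -EFAULT on the very first byte that was written successfully and the measurements file would never show anything — please check against the tree's definition. If the return is to be checked at all it should be `if (seq_putc(m, data[i])) return -EFAULT;`, though seq_file normally handles a full buffer by retrying the show callback with a larger one, so a hard error on overflow bypasses that mechanism and the original unchecked call may have been the intended form. `tpm_binary_bios_measurements_show` starts outside the hunk.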
25755@@ -410,8 +411,13 @@ static int read_log(struct tpm_bios_log
25756 log->bios_event_log_end = log->bios_event_log + len;
25757
25758 virt = acpi_os_map_memory(start, len);
25759+ if (!virt) {
25760+ kfree(log->bios_event_log);
25761+ log->bios_event_log = NULL;
25762+ return -EFAULT;
25763+ }
25764
25765- memcpy(log->bios_event_log, virt, len);
25766+ memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);
25767
25768 acpi_os_unmap_memory(virt, len);
25769 return 0;
25770diff -urNp linux-3.1.1/drivers/char/tpm/tpm.c linux-3.1.1/drivers/char/tpm/tpm.c
25771--- linux-3.1.1/drivers/char/tpm/tpm.c 2011-11-11 15:19:27.000000000 -0500
25772+++ linux-3.1.1/drivers/char/tpm/tpm.c 2011-11-16 18:40:10.000000000 -0500
25773@@ -414,7 +414,7 @@ static ssize_t tpm_transmit(struct tpm_c
25774 chip->vendor.req_complete_val)
25775 goto out_recv;
25776
25777- if ((status == chip->vendor.req_canceled)) {
25778+ if (status == chip->vendor.req_canceled) {
25779 dev_err(chip->dev, "Operation Canceled\n");
25780 rc = -ECANCELED;
25781 goto out;
25782@@ -862,6 +862,8 @@ ssize_t tpm_show_pubek(struct device *de
25783
25784 struct tpm_chip *chip = dev_get_drvdata(dev);
25785
25786+ pax_track_stack();
25787+
25788 tpm_cmd.header.in = tpm_readpubek_header;
25789 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
25790 "attempting to read the PUBEK");
25791diff -urNp linux-3.1.1/drivers/char/virtio_console.c linux-3.1.1/drivers/char/virtio_console.c
25792--- linux-3.1.1/drivers/char/virtio_console.c 2011-11-11 15:19:27.000000000 -0500
25793+++ linux-3.1.1/drivers/char/virtio_console.c 2011-11-16 18:39:07.000000000 -0500
25794@@ -555,7 +555,7 @@ static ssize_t fill_readbuf(struct port
25795 if (to_user) {
25796 ssize_t ret;
25797
25798- ret = copy_to_user(out_buf, buf->buf + buf->offset, out_count);
25799+ ret = copy_to_user((char __force_user *)out_buf, buf->buf + buf->offset, out_count);
25800 if (ret)
25801 return -EFAULT;
25802 } else {
25803@@ -654,7 +654,7 @@ static ssize_t port_fops_read(struct fil
25804 if (!port_has_data(port) && !port->host_connected)
25805 return 0;
25806
25807- return fill_readbuf(port, ubuf, count, true);
25808+ return fill_readbuf(port, (char __force_kernel *)ubuf, count, true);
25809 }
25810
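Review bot: `port_fops_read()` now casts `ubuf` to `char __force_kernel *` only so that `fill_readbuf()` in the hunk above can cast the same pointer back to `char __force_user *` before `copy_to_user()`; two opposite `__force` casts on one pointer defeat the address-space checking sparse is supposed to give this path, and a reader of `fill_readbuf` can no longer tell from the signature that `out_buf` may be a user pointer. Giving `fill_readbuf()` a `char __user *` parameter for the `to_user` case (or two thin wrappers, one per destination space) would keep the annotation honest; at minimum a comment at the cast, `/* out_buf is a __user pointer whenever to_user is set */`, should say what the laundering hides. Both functions start outside their hunks.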
25811 static ssize_t port_fops_write(struct file *filp, const char __user *ubuf,
25812diff -urNp linux-3.1.1/drivers/crypto/hifn_795x.c linux-3.1.1/drivers/crypto/hifn_795x.c
25813--- linux-3.1.1/drivers/crypto/hifn_795x.c 2011-11-11 15:19:27.000000000 -0500
25814+++ linux-3.1.1/drivers/crypto/hifn_795x.c 2011-11-16 18:40:10.000000000 -0500
25815@@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
25816 0xCA, 0x34, 0x2B, 0x2E};
25817 struct scatterlist sg;
25818
25819+ pax_track_stack();
25820+
25821 memset(src, 0, sizeof(src));
25822 memset(ctx.key, 0, sizeof(ctx.key));
25823
25824diff -urNp linux-3.1.1/drivers/crypto/padlock-aes.c linux-3.1.1/drivers/crypto/padlock-aes.c
25825--- linux-3.1.1/drivers/crypto/padlock-aes.c 2011-11-11 15:19:27.000000000 -0500
25826+++ linux-3.1.1/drivers/crypto/padlock-aes.c 2011-11-16 18:40:10.000000000 -0500
25827@@ -109,6 +109,8 @@ static int aes_set_key(struct crypto_tfm
25828 struct crypto_aes_ctx gen_aes;
25829 int cpu;
25830
25831+ pax_track_stack();
25832+
25833 if (key_len % 8) {
25834 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
25835 return -EINVAL;
25836diff -urNp linux-3.1.1/drivers/edac/amd64_edac.c linux-3.1.1/drivers/edac/amd64_edac.c
25837--- linux-3.1.1/drivers/edac/amd64_edac.c 2011-11-11 15:19:27.000000000 -0500
25838+++ linux-3.1.1/drivers/edac/amd64_edac.c 2011-11-16 18:39:07.000000000 -0500
25839@@ -2670,7 +2670,7 @@ static void __devexit amd64_remove_one_i
25840 * PCI core identifies what devices are on a system during boot, and then
25841 * inquiry this table to see if this driver is for a given device found.
25842 */
25843-static const struct pci_device_id amd64_pci_table[] __devinitdata = {
25844+static const struct pci_device_id amd64_pci_table[] __devinitconst = {
25845 {
25846 .vendor = PCI_VENDOR_ID_AMD,
25847 .device = PCI_DEVICE_ID_AMD_K8_NB_MEMCTL,
25848diff -urNp linux-3.1.1/drivers/edac/amd76x_edac.c linux-3.1.1/drivers/edac/amd76x_edac.c
25849--- linux-3.1.1/drivers/edac/amd76x_edac.c 2011-11-11 15:19:27.000000000 -0500
25850+++ linux-3.1.1/drivers/edac/amd76x_edac.c 2011-11-16 18:39:07.000000000 -0500
25851@@ -321,7 +321,7 @@ static void __devexit amd76x_remove_one(
25852 edac_mc_free(mci);
25853 }
25854
25855-static const struct pci_device_id amd76x_pci_tbl[] __devinitdata = {
25856+static const struct pci_device_id amd76x_pci_tbl[] __devinitconst = {
25857 {
25858 PCI_VEND_DEV(AMD, FE_GATE_700C), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25859 AMD762},
25860diff -urNp linux-3.1.1/drivers/edac/e752x_edac.c linux-3.1.1/drivers/edac/e752x_edac.c
25861--- linux-3.1.1/drivers/edac/e752x_edac.c 2011-11-11 15:19:27.000000000 -0500
25862+++ linux-3.1.1/drivers/edac/e752x_edac.c 2011-11-16 18:39:07.000000000 -0500
25863@@ -1380,7 +1380,7 @@ static void __devexit e752x_remove_one(s
25864 edac_mc_free(mci);
25865 }
25866
25867-static const struct pci_device_id e752x_pci_tbl[] __devinitdata = {
25868+static const struct pci_device_id e752x_pci_tbl[] __devinitconst = {
25869 {
25870 PCI_VEND_DEV(INTEL, 7520_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25871 E7520},
25872diff -urNp linux-3.1.1/drivers/edac/e7xxx_edac.c linux-3.1.1/drivers/edac/e7xxx_edac.c
25873--- linux-3.1.1/drivers/edac/e7xxx_edac.c 2011-11-11 15:19:27.000000000 -0500
25874+++ linux-3.1.1/drivers/edac/e7xxx_edac.c 2011-11-16 18:39:07.000000000 -0500
25875@@ -525,7 +525,7 @@ static void __devexit e7xxx_remove_one(s
25876 edac_mc_free(mci);
25877 }
25878
25879-static const struct pci_device_id e7xxx_pci_tbl[] __devinitdata = {
25880+static const struct pci_device_id e7xxx_pci_tbl[] __devinitconst = {
25881 {
25882 PCI_VEND_DEV(INTEL, 7205_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25883 E7205},
25884diff -urNp linux-3.1.1/drivers/edac/edac_pci_sysfs.c linux-3.1.1/drivers/edac/edac_pci_sysfs.c
25885--- linux-3.1.1/drivers/edac/edac_pci_sysfs.c 2011-11-11 15:19:27.000000000 -0500
25886+++ linux-3.1.1/drivers/edac/edac_pci_sysfs.c 2011-11-16 18:39:07.000000000 -0500
25887@@ -26,8 +26,8 @@ static int edac_pci_log_pe = 1; /* log
25888 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
25889 static int edac_pci_poll_msec = 1000; /* one second workq period */
25890
25891-static atomic_t pci_parity_count = ATOMIC_INIT(0);
25892-static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
25893+static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
25894+static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
25895
25896 static struct kobject *edac_pci_top_main_kobj;
25897 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
25898@@ -582,7 +582,7 @@ static void edac_pci_dev_parity_test(str
25899 edac_printk(KERN_CRIT, EDAC_PCI,
25900 "Signaled System Error on %s\n",
25901 pci_name(dev));
25902- atomic_inc(&pci_nonparity_count);
25903+ atomic_inc_unchecked(&pci_nonparity_count);
25904 }
25905
25906 if (status & (PCI_STATUS_PARITY)) {
25907@@ -590,7 +590,7 @@ static void edac_pci_dev_parity_test(str
25908 "Master Data Parity Error on %s\n",
25909 pci_name(dev));
25910
25911- atomic_inc(&pci_parity_count);
25912+ atomic_inc_unchecked(&pci_parity_count);
25913 }
25914
25915 if (status & (PCI_STATUS_DETECTED_PARITY)) {
25916@@ -598,7 +598,7 @@ static void edac_pci_dev_parity_test(str
25917 "Detected Parity Error on %s\n",
25918 pci_name(dev));
25919
25920- atomic_inc(&pci_parity_count);
25921+ atomic_inc_unchecked(&pci_parity_count);
25922 }
25923 }
25924
25925@@ -619,7 +619,7 @@ static void edac_pci_dev_parity_test(str
25926 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
25927 "Signaled System Error on %s\n",
25928 pci_name(dev));
25929- atomic_inc(&pci_nonparity_count);
25930+ atomic_inc_unchecked(&pci_nonparity_count);
25931 }
25932
25933 if (status & (PCI_STATUS_PARITY)) {
25934@@ -627,7 +627,7 @@ static void edac_pci_dev_parity_test(str
25935 "Master Data Parity Error on "
25936 "%s\n", pci_name(dev));
25937
25938- atomic_inc(&pci_parity_count);
25939+ atomic_inc_unchecked(&pci_parity_count);
25940 }
25941
25942 if (status & (PCI_STATUS_DETECTED_PARITY)) {
25943@@ -635,7 +635,7 @@ static void edac_pci_dev_parity_test(str
25944 "Detected Parity Error on %s\n",
25945 pci_name(dev));
25946
25947- atomic_inc(&pci_parity_count);
25948+ atomic_inc_unchecked(&pci_parity_count);
25949 }
25950 }
25951 }
25952@@ -677,7 +677,7 @@ void edac_pci_do_parity_check(void)
25953 if (!check_pci_errors)
25954 return;
25955
25956- before_count = atomic_read(&pci_parity_count);
25957+ before_count = atomic_read_unchecked(&pci_parity_count);
25958
25959 /* scan all PCI devices looking for a Parity Error on devices and
25960 * bridges.
25961@@ -689,7 +689,7 @@ void edac_pci_do_parity_check(void)
25962 /* Only if operator has selected panic on PCI Error */
25963 if (edac_pci_get_panic_on_pe()) {
25964 /* If the count is different 'after' from 'before' */
25965- if (before_count != atomic_read(&pci_parity_count))
25966+ if (before_count != atomic_read_unchecked(&pci_parity_count))
25967 panic("EDAC: PCI Parity Error");
25968 }
25969 }
25970diff -urNp linux-3.1.1/drivers/edac/i3000_edac.c linux-3.1.1/drivers/edac/i3000_edac.c
25971--- linux-3.1.1/drivers/edac/i3000_edac.c 2011-11-11 15:19:27.000000000 -0500
25972+++ linux-3.1.1/drivers/edac/i3000_edac.c 2011-11-16 18:39:07.000000000 -0500
25973@@ -470,7 +470,7 @@ static void __devexit i3000_remove_one(s
25974 edac_mc_free(mci);
25975 }
25976
25977-static const struct pci_device_id i3000_pci_tbl[] __devinitdata = {
25978+static const struct pci_device_id i3000_pci_tbl[] __devinitconst = {
25979 {
25980 PCI_VEND_DEV(INTEL, 3000_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25981 I3000},
25982diff -urNp linux-3.1.1/drivers/edac/i3200_edac.c linux-3.1.1/drivers/edac/i3200_edac.c
25983--- linux-3.1.1/drivers/edac/i3200_edac.c 2011-11-11 15:19:27.000000000 -0500
25984+++ linux-3.1.1/drivers/edac/i3200_edac.c 2011-11-16 18:39:07.000000000 -0500
25985@@ -456,7 +456,7 @@ static void __devexit i3200_remove_one(s
25986 edac_mc_free(mci);
25987 }
25988
25989-static const struct pci_device_id i3200_pci_tbl[] __devinitdata = {
25990+static const struct pci_device_id i3200_pci_tbl[] __devinitconst = {
25991 {
25992 PCI_VEND_DEV(INTEL, 3200_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
25993 I3200},
25994diff -urNp linux-3.1.1/drivers/edac/i5000_edac.c linux-3.1.1/drivers/edac/i5000_edac.c
25995--- linux-3.1.1/drivers/edac/i5000_edac.c 2011-11-11 15:19:27.000000000 -0500
25996+++ linux-3.1.1/drivers/edac/i5000_edac.c 2011-11-16 18:39:07.000000000 -0500
25997@@ -1516,7 +1516,7 @@ static void __devexit i5000_remove_one(s
25998 *
25999 * The "E500P" device is the first device supported.
26000 */
26001-static const struct pci_device_id i5000_pci_tbl[] __devinitdata = {
26002+static const struct pci_device_id i5000_pci_tbl[] __devinitconst = {
26003 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_I5000_DEV16),
26004 .driver_data = I5000P},
26005
26006diff -urNp linux-3.1.1/drivers/edac/i5100_edac.c linux-3.1.1/drivers/edac/i5100_edac.c
26007--- linux-3.1.1/drivers/edac/i5100_edac.c 2011-11-11 15:19:27.000000000 -0500
26008+++ linux-3.1.1/drivers/edac/i5100_edac.c 2011-11-16 18:39:07.000000000 -0500
26009@@ -1051,7 +1051,7 @@ static void __devexit i5100_remove_one(s
26010 edac_mc_free(mci);
26011 }
26012
26013-static const struct pci_device_id i5100_pci_tbl[] __devinitdata = {
26014+static const struct pci_device_id i5100_pci_tbl[] __devinitconst = {
26015 /* Device 16, Function 0, Channel 0 Memory Map, Error Flag/Mask, ... */
26016 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5100_16) },
26017 { 0, }
26018diff -urNp linux-3.1.1/drivers/edac/i5400_edac.c linux-3.1.1/drivers/edac/i5400_edac.c
26019--- linux-3.1.1/drivers/edac/i5400_edac.c 2011-11-11 15:19:27.000000000 -0500
26020+++ linux-3.1.1/drivers/edac/i5400_edac.c 2011-11-16 18:39:07.000000000 -0500
26021@@ -1383,7 +1383,7 @@ static void __devexit i5400_remove_one(s
26022 *
26023 * The "E500P" device is the first device supported.
26024 */
26025-static const struct pci_device_id i5400_pci_tbl[] __devinitdata = {
26026+static const struct pci_device_id i5400_pci_tbl[] __devinitconst = {
26027 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5400_ERR)},
26028 {0,} /* 0 terminated list. */
26029 };
26030diff -urNp linux-3.1.1/drivers/edac/i7300_edac.c linux-3.1.1/drivers/edac/i7300_edac.c
26031--- linux-3.1.1/drivers/edac/i7300_edac.c 2011-11-11 15:19:27.000000000 -0500
26032+++ linux-3.1.1/drivers/edac/i7300_edac.c 2011-11-16 18:39:07.000000000 -0500
26033@@ -1191,7 +1191,7 @@ static void __devexit i7300_remove_one(s
26034 *
26035 * Has only 8086:360c PCI ID
26036 */
26037-static const struct pci_device_id i7300_pci_tbl[] __devinitdata = {
26038+static const struct pci_device_id i7300_pci_tbl[] __devinitconst = {
26039 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_I7300_MCH_ERR)},
26040 {0,} /* 0 terminated list. */
26041 };
26042diff -urNp linux-3.1.1/drivers/edac/i7core_edac.c linux-3.1.1/drivers/edac/i7core_edac.c
26043--- linux-3.1.1/drivers/edac/i7core_edac.c 2011-11-11 15:19:27.000000000 -0500
26044+++ linux-3.1.1/drivers/edac/i7core_edac.c 2011-11-16 18:39:07.000000000 -0500
26045@@ -359,7 +359,7 @@ static const struct pci_id_table pci_dev
26046 /*
26047 * pci_device_id table for which devices we are looking for
26048 */
26049-static const struct pci_device_id i7core_pci_tbl[] __devinitdata = {
26050+static const struct pci_device_id i7core_pci_tbl[] __devinitconst = {
26051 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_X58_HUB_MGMT)},
26052 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_LYNNFIELD_QPI_LINK0)},
26053 {0,} /* 0 terminated list. */
26054diff -urNp linux-3.1.1/drivers/edac/i82443bxgx_edac.c linux-3.1.1/drivers/edac/i82443bxgx_edac.c
26055--- linux-3.1.1/drivers/edac/i82443bxgx_edac.c 2011-11-11 15:19:27.000000000 -0500
26056+++ linux-3.1.1/drivers/edac/i82443bxgx_edac.c 2011-11-16 18:39:07.000000000 -0500
26057@@ -380,7 +380,7 @@ static void __devexit i82443bxgx_edacmc_
26058
26059 EXPORT_SYMBOL_GPL(i82443bxgx_edacmc_remove_one);
26060
26061-static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitdata = {
26062+static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitconst = {
26063 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_0)},
26064 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_2)},
26065 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0)},
26066diff -urNp linux-3.1.1/drivers/edac/i82860_edac.c linux-3.1.1/drivers/edac/i82860_edac.c
26067--- linux-3.1.1/drivers/edac/i82860_edac.c 2011-11-11 15:19:27.000000000 -0500
26068+++ linux-3.1.1/drivers/edac/i82860_edac.c 2011-11-16 18:39:07.000000000 -0500
26069@@ -270,7 +270,7 @@ static void __devexit i82860_remove_one(
26070 edac_mc_free(mci);
26071 }
26072
26073-static const struct pci_device_id i82860_pci_tbl[] __devinitdata = {
26074+static const struct pci_device_id i82860_pci_tbl[] __devinitconst = {
26075 {
26076 PCI_VEND_DEV(INTEL, 82860_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26077 I82860},
26078diff -urNp linux-3.1.1/drivers/edac/i82875p_edac.c linux-3.1.1/drivers/edac/i82875p_edac.c
26079--- linux-3.1.1/drivers/edac/i82875p_edac.c 2011-11-11 15:19:27.000000000 -0500
26080+++ linux-3.1.1/drivers/edac/i82875p_edac.c 2011-11-16 18:39:07.000000000 -0500
26081@@ -511,7 +511,7 @@ static void __devexit i82875p_remove_one
26082 edac_mc_free(mci);
26083 }
26084
26085-static const struct pci_device_id i82875p_pci_tbl[] __devinitdata = {
26086+static const struct pci_device_id i82875p_pci_tbl[] __devinitconst = {
26087 {
26088 PCI_VEND_DEV(INTEL, 82875_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26089 I82875P},
26090diff -urNp linux-3.1.1/drivers/edac/i82975x_edac.c linux-3.1.1/drivers/edac/i82975x_edac.c
26091--- linux-3.1.1/drivers/edac/i82975x_edac.c 2011-11-11 15:19:27.000000000 -0500
26092+++ linux-3.1.1/drivers/edac/i82975x_edac.c 2011-11-16 18:39:07.000000000 -0500
26093@@ -604,7 +604,7 @@ static void __devexit i82975x_remove_one
26094 edac_mc_free(mci);
26095 }
26096
26097-static const struct pci_device_id i82975x_pci_tbl[] __devinitdata = {
26098+static const struct pci_device_id i82975x_pci_tbl[] __devinitconst = {
26099 {
26100 PCI_VEND_DEV(INTEL, 82975_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26101 I82975X
26102diff -urNp linux-3.1.1/drivers/edac/mce_amd.h linux-3.1.1/drivers/edac/mce_amd.h
26103--- linux-3.1.1/drivers/edac/mce_amd.h 2011-11-11 15:19:27.000000000 -0500
26104+++ linux-3.1.1/drivers/edac/mce_amd.h 2011-11-16 18:39:07.000000000 -0500
26105@@ -83,7 +83,7 @@ struct amd_decoder_ops {
26106 bool (*dc_mce)(u16, u8);
26107 bool (*ic_mce)(u16, u8);
26108 bool (*nb_mce)(u16, u8);
26109-};
26110+} __no_const;
26111
26112 void amd_report_gart_errors(bool);
26113 void amd_register_ecc_decoder(void (*f)(int, struct mce *, u32));
26114diff -urNp linux-3.1.1/drivers/edac/r82600_edac.c linux-3.1.1/drivers/edac/r82600_edac.c
26115--- linux-3.1.1/drivers/edac/r82600_edac.c 2011-11-11 15:19:27.000000000 -0500
26116+++ linux-3.1.1/drivers/edac/r82600_edac.c 2011-11-16 18:39:07.000000000 -0500
26117@@ -373,7 +373,7 @@ static void __devexit r82600_remove_one(
26118 edac_mc_free(mci);
26119 }
26120
26121-static const struct pci_device_id r82600_pci_tbl[] __devinitdata = {
26122+static const struct pci_device_id r82600_pci_tbl[] __devinitconst = {
26123 {
26124 PCI_DEVICE(PCI_VENDOR_ID_RADISYS, R82600_BRIDGE_ID)
26125 },
26126diff -urNp linux-3.1.1/drivers/edac/x38_edac.c linux-3.1.1/drivers/edac/x38_edac.c
26127--- linux-3.1.1/drivers/edac/x38_edac.c 2011-11-11 15:19:27.000000000 -0500
26128+++ linux-3.1.1/drivers/edac/x38_edac.c 2011-11-16 18:39:07.000000000 -0500
26129@@ -440,7 +440,7 @@ static void __devexit x38_remove_one(str
26130 edac_mc_free(mci);
26131 }
26132
26133-static const struct pci_device_id x38_pci_tbl[] __devinitdata = {
26134+static const struct pci_device_id x38_pci_tbl[] __devinitconst = {
26135 {
26136 PCI_VEND_DEV(INTEL, X38_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
26137 X38},
26138diff -urNp linux-3.1.1/drivers/firewire/core-card.c linux-3.1.1/drivers/firewire/core-card.c
26139--- linux-3.1.1/drivers/firewire/core-card.c 2011-11-11 15:19:27.000000000 -0500
26140+++ linux-3.1.1/drivers/firewire/core-card.c 2011-11-16 18:39:07.000000000 -0500
26141@@ -657,7 +657,7 @@ void fw_card_release(struct kref *kref)
26142
26143 void fw_core_remove_card(struct fw_card *card)
26144 {
26145- struct fw_card_driver dummy_driver = dummy_driver_template;
26146+ fw_card_driver_no_const dummy_driver = dummy_driver_template;
26147
26148 card->driver->update_phy_reg(card, 4,
26149 PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
26150diff -urNp linux-3.1.1/drivers/firewire/core-cdev.c linux-3.1.1/drivers/firewire/core-cdev.c
26151--- linux-3.1.1/drivers/firewire/core-cdev.c 2011-11-11 15:19:27.000000000 -0500
26152+++ linux-3.1.1/drivers/firewire/core-cdev.c 2011-11-16 18:39:07.000000000 -0500
26153@@ -1331,8 +1331,7 @@ static int init_iso_resource(struct clie
26154 int ret;
26155
26156 if ((request->channels == 0 && request->bandwidth == 0) ||
26157- request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
26158- request->bandwidth < 0)
26159+ request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
26160 return -EINVAL;
26161
26162 r = kmalloc(sizeof(*r), GFP_KERNEL);
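Review bot: Dropping the `request->bandwidth < 0` test is only a no-op if `bandwidth` is an unsigned field of `struct fw_cdev_allocate_iso_resource`; the type is not visible in this hunk, and since this is a user-controlled ioctl argument it should be confirmed against the uapi header (which I believe declares it `__u32`, making the removed comparison dead code that the compiler warns about). A one-line comment on the remaining check would stop a future reader from re-adding it: `/* bandwidth is unsigned: a negative check would be dead code */`. init_iso_resource's body continues outside the hunk.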
26163diff -urNp linux-3.1.1/drivers/firewire/core.h linux-3.1.1/drivers/firewire/core.h
26164--- linux-3.1.1/drivers/firewire/core.h 2011-11-11 15:19:27.000000000 -0500
26165+++ linux-3.1.1/drivers/firewire/core.h 2011-11-16 18:39:07.000000000 -0500
26166@@ -101,6 +101,7 @@ struct fw_card_driver {
26167
26168 int (*stop_iso)(struct fw_iso_context *ctx);
26169 };
26170+typedef struct fw_card_driver __no_const fw_card_driver_no_const;
26171
26172 void fw_card_initialize(struct fw_card *card,
26173 const struct fw_card_driver *driver, struct device *device);
26174diff -urNp linux-3.1.1/drivers/firewire/core-transaction.c linux-3.1.1/drivers/firewire/core-transaction.c
26175--- linux-3.1.1/drivers/firewire/core-transaction.c 2011-11-11 15:19:27.000000000 -0500
26176+++ linux-3.1.1/drivers/firewire/core-transaction.c 2011-11-16 18:40:10.000000000 -0500
26177@@ -37,6 +37,7 @@
26178 #include <linux/timer.h>
26179 #include <linux/types.h>
26180 #include <linux/workqueue.h>
26181+#include <linux/sched.h>
26182
26183 #include <asm/byteorder.h>
26184
26185@@ -422,6 +423,8 @@ int fw_run_transaction(struct fw_card *c
26186 struct transaction_callback_data d;
26187 struct fw_transaction t;
26188
26189+ pax_track_stack();
26190+
26191 init_timer_on_stack(&t.split_timeout_timer);
26192 init_completion(&d.done);
26193 d.payload = payload;
26194diff -urNp linux-3.1.1/drivers/firmware/dmi_scan.c linux-3.1.1/drivers/firmware/dmi_scan.c
26195--- linux-3.1.1/drivers/firmware/dmi_scan.c 2011-11-11 15:19:27.000000000 -0500
26196+++ linux-3.1.1/drivers/firmware/dmi_scan.c 2011-11-16 18:39:07.000000000 -0500
26197@@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
26198 }
26199 }
26200 else {
26201- /*
26202- * no iounmap() for that ioremap(); it would be a no-op, but
26203- * it's so early in setup that sucker gets confused into doing
26204- * what it shouldn't if we actually call it.
26205- */
26206 p = dmi_ioremap(0xF0000, 0x10000);
26207 if (p == NULL)
26208 goto error;
26209@@ -725,7 +720,7 @@ int dmi_walk(void (*decode)(const struct
26210 if (buf == NULL)
26211 return -1;
26212
26213- dmi_table(buf, dmi_len, dmi_num, decode, private_data);
26214+ dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
26215
26216 iounmap(buf);
26217 return 0;
26218diff -urNp linux-3.1.1/drivers/gpio/gpio-vr41xx.c linux-3.1.1/drivers/gpio/gpio-vr41xx.c
26219--- linux-3.1.1/drivers/gpio/gpio-vr41xx.c 2011-11-11 15:19:27.000000000 -0500
26220+++ linux-3.1.1/drivers/gpio/gpio-vr41xx.c 2011-11-16 18:39:07.000000000 -0500
26221@@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
26222 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
26223 maskl, pendl, maskh, pendh);
26224
26225- atomic_inc(&irq_err_count);
26226+ atomic_inc_unchecked(&irq_err_count);
26227
26228 return -EINVAL;
26229 }
26230diff -urNp linux-3.1.1/drivers/gpu/drm/drm_crtc.c linux-3.1.1/drivers/gpu/drm/drm_crtc.c
26231--- linux-3.1.1/drivers/gpu/drm/drm_crtc.c 2011-11-11 15:19:27.000000000 -0500
26232+++ linux-3.1.1/drivers/gpu/drm/drm_crtc.c 2011-11-16 18:39:07.000000000 -0500
26233@@ -1374,7 +1374,7 @@ int drm_mode_getconnector(struct drm_dev
26234 */
26235 if ((out_resp->count_modes >= mode_count) && mode_count) {
26236 copied = 0;
26237- mode_ptr = (struct drm_mode_modeinfo *)(unsigned long)out_resp->modes_ptr;
26238+ mode_ptr = (struct drm_mode_modeinfo __user *)(unsigned long)out_resp->modes_ptr;
26239 list_for_each_entry(mode, &connector->modes, head) {
26240 drm_crtc_convert_to_umode(&u_mode, mode);
26241 if (copy_to_user(mode_ptr + copied,
26242@@ -1389,8 +1389,8 @@ int drm_mode_getconnector(struct drm_dev
26243
26244 if ((out_resp->count_props >= props_count) && props_count) {
26245 copied = 0;
26246- prop_ptr = (uint32_t *)(unsigned long)(out_resp->props_ptr);
26247- prop_values = (uint64_t *)(unsigned long)(out_resp->prop_values_ptr);
26248+ prop_ptr = (uint32_t __user *)(unsigned long)(out_resp->props_ptr);
26249+ prop_values = (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr);
26250 for (i = 0; i < DRM_CONNECTOR_MAX_PROPERTY; i++) {
26251 if (connector->property_ids[i] != 0) {
26252 if (put_user(connector->property_ids[i],
26253@@ -1412,7 +1412,7 @@ int drm_mode_getconnector(struct drm_dev
26254
26255 if ((out_resp->count_encoders >= encoders_count) && encoders_count) {
26256 copied = 0;
26257- encoder_ptr = (uint32_t *)(unsigned long)(out_resp->encoders_ptr);
26258+ encoder_ptr = (uint32_t __user *)(unsigned long)(out_resp->encoders_ptr);
26259 for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++) {
26260 if (connector->encoder_ids[i] != 0) {
26261 if (put_user(connector->encoder_ids[i],
26262@@ -1571,7 +1571,7 @@ int drm_mode_setcrtc(struct drm_device *
26263 }
26264
26265 for (i = 0; i < crtc_req->count_connectors; i++) {
26266- set_connectors_ptr = (uint32_t *)(unsigned long)crtc_req->set_connectors_ptr;
26267+ set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
26268 if (get_user(out_id, &set_connectors_ptr[i])) {
26269 ret = -EFAULT;
26270 goto out;
26271@@ -1852,7 +1852,7 @@ int drm_mode_dirtyfb_ioctl(struct drm_de
26272 fb = obj_to_fb(obj);
26273
26274 num_clips = r->num_clips;
26275- clips_ptr = (struct drm_clip_rect *)(unsigned long)r->clips_ptr;
26276+ clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
26277
26278 if (!num_clips != !clips_ptr) {
26279 ret = -EINVAL;
26280@@ -2272,7 +2272,7 @@ int drm_mode_getproperty_ioctl(struct dr
26281 out_resp->flags = property->flags;
26282
26283 if ((out_resp->count_values >= value_count) && value_count) {
26284- values_ptr = (uint64_t *)(unsigned long)out_resp->values_ptr;
26285+ values_ptr = (uint64_t __user *)(unsigned long)out_resp->values_ptr;
26286 for (i = 0; i < value_count; i++) {
26287 if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
26288 ret = -EFAULT;
26289@@ -2285,7 +2285,7 @@ int drm_mode_getproperty_ioctl(struct dr
26290 if (property->flags & DRM_MODE_PROP_ENUM) {
26291 if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
26292 copied = 0;
26293- enum_ptr = (struct drm_mode_property_enum *)(unsigned long)out_resp->enum_blob_ptr;
26294+ enum_ptr = (struct drm_mode_property_enum __user *)(unsigned long)out_resp->enum_blob_ptr;
26295 list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
26296
26297 if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
26298@@ -2308,7 +2308,7 @@ int drm_mode_getproperty_ioctl(struct dr
26299 if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
26300 copied = 0;
26301 blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
26302- blob_length_ptr = (uint32_t *)(unsigned long)out_resp->values_ptr;
26303+ blob_length_ptr = (uint32_t __user *)(unsigned long)out_resp->values_ptr;
26304
26305 list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
26306 if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
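Review bot: The `__user` annotation added to `blob_length_ptr` is not applied to `blob_id_ptr` on the line just above it, although `blob_id_ptr` is likewise written with put_user two lines below; sparse will still flag that cast, and the two neighbouring statements now read as if they lived in different address spaces. Change it to `blob_id_ptr = (uint32_t __user *)(unsigned long)out_resp->enum_blob_ptr;` (assuming its declaration, outside the hunk, already carries `__user` like the other pointers in this function). drm_mode_getproperty_ioctl continues outside the hunk.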
26307@@ -2369,7 +2369,7 @@ int drm_mode_getblob_ioctl(struct drm_de
26308 struct drm_mode_get_blob *out_resp = data;
26309 struct drm_property_blob *blob;
26310 int ret = 0;
26311- void *blob_ptr;
26312+ void __user *blob_ptr;
26313
26314 if (!drm_core_check_feature(dev, DRIVER_MODESET))
26315 return -EINVAL;
26316@@ -2383,7 +2383,7 @@ int drm_mode_getblob_ioctl(struct drm_de
26317 blob = obj_to_blob(obj);
26318
26319 if (out_resp->length == blob->length) {
26320- blob_ptr = (void *)(unsigned long)out_resp->data;
26321+ blob_ptr = (void __user *)(unsigned long)out_resp->data;
26322 if (copy_to_user(blob_ptr, blob->data, blob->length)){
26323 ret = -EFAULT;
26324 goto done;
26325diff -urNp linux-3.1.1/drivers/gpu/drm/drm_crtc_helper.c linux-3.1.1/drivers/gpu/drm/drm_crtc_helper.c
26326--- linux-3.1.1/drivers/gpu/drm/drm_crtc_helper.c 2011-11-11 15:19:27.000000000 -0500
26327+++ linux-3.1.1/drivers/gpu/drm/drm_crtc_helper.c 2011-11-16 18:40:10.000000000 -0500
26328@@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
26329 struct drm_crtc *tmp;
26330 int crtc_mask = 1;
26331
26332- WARN(!crtc, "checking null crtc?\n");
26333+ BUG_ON(!crtc);
26334
26335 dev = crtc->dev;
26336
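Review bot: Replacing `WARN(!crtc, ...)` with `BUG_ON(!crtc)` turns a warning into an unconditional crash, which under panic_on_oops halts the machine; since the very next statement `dev = crtc->dev;` would oops on a NULL crtc anyway the net effect is similar, but the descriptive message is lost. As drm_encoder_crtc_ok returns bool, a recoverable form would be `if (WARN_ON(!crtc)) return false;`, which keeps the stack trace and lets the caller fail the mode set instead of taking the kernel down — unless the hardening policy here deliberately prefers BUG_ON for invariant violations. The function body continues outside the hunk.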
26337@@ -343,6 +343,8 @@ bool drm_crtc_helper_set_mode(struct drm
26338 struct drm_encoder *encoder;
26339 bool ret = true;
26340
26341+ pax_track_stack();
26342+
26343 crtc->enabled = drm_helper_crtc_in_use(crtc);
26344 if (!crtc->enabled)
26345 return true;
26346diff -urNp linux-3.1.1/drivers/gpu/drm/drm_drv.c linux-3.1.1/drivers/gpu/drm/drm_drv.c
26347--- linux-3.1.1/drivers/gpu/drm/drm_drv.c 2011-11-11 15:19:27.000000000 -0500
26348+++ linux-3.1.1/drivers/gpu/drm/drm_drv.c 2011-11-16 18:39:07.000000000 -0500
26349@@ -307,7 +307,7 @@ module_exit(drm_core_exit);
26350 /**
26351 * Copy and IOCTL return string to user space
26352 */
26353-static int drm_copy_field(char *buf, size_t *buf_len, const char *value)
26354+static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
26355 {
26356 int len;
26357
26358@@ -386,7 +386,7 @@ long drm_ioctl(struct file *filp,
26359
26360 dev = file_priv->minor->dev;
26361 atomic_inc(&dev->ioctl_count);
26362- atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
26363+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
26364 ++file_priv->ioctl_count;
26365
26366 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
26367diff -urNp linux-3.1.1/drivers/gpu/drm/drm_fops.c linux-3.1.1/drivers/gpu/drm/drm_fops.c
26368--- linux-3.1.1/drivers/gpu/drm/drm_fops.c 2011-11-11 15:19:27.000000000 -0500
26369+++ linux-3.1.1/drivers/gpu/drm/drm_fops.c 2011-11-16 18:39:07.000000000 -0500
26370@@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
26371 }
26372
26373 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
26374- atomic_set(&dev->counts[i], 0);
26375+ atomic_set_unchecked(&dev->counts[i], 0);
26376
26377 dev->sigdata.lock = NULL;
26378
26379@@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
26380
26381 retcode = drm_open_helper(inode, filp, dev);
26382 if (!retcode) {
26383- atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
26384- if (!dev->open_count++)
26385+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
26386+ if (local_inc_return(&dev->open_count) == 1)
26387 retcode = drm_setup(dev);
26388 }
26389 if (!retcode) {
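Review bot: `local_inc_return()` on `dev->open_count` does not make the counter SMP-safe; `local_t` operations are only atomic with respect to the local CPU, so this conversion still relies on every writer holding `drm_global_mutex`. drm_release in this file visibly takes that mutex before its `local_dec_and_test`, but drm_open's caller is outside this hunk and should be checked, and the i915 reader in this patch samples the counter under `dev->count_lock`, which does not serialize against these updates. A short comment at the increment would make the invariant explicit: `/* open_count is local_t: serialized by drm_global_mutex, not by local_* atomicity */`.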
26390@@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
26391
26392 mutex_lock(&drm_global_mutex);
26393
26394- DRM_DEBUG("open_count = %d\n", dev->open_count);
26395+ DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
26396
26397 if (dev->driver->preclose)
26398 dev->driver->preclose(dev, file_priv);
26399@@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
26400 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
26401 task_pid_nr(current),
26402 (long)old_encode_dev(file_priv->minor->device),
26403- dev->open_count);
26404+ local_read(&dev->open_count));
26405
26406 /* if the master has gone away we can't do anything with the lock */
26407 if (file_priv->minor->master)
26408@@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
26409 * End inline drm_release
26410 */
26411
26412- atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
26413- if (!--dev->open_count) {
26414+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
26415+ if (local_dec_and_test(&dev->open_count)) {
26416 if (atomic_read(&dev->ioctl_count)) {
26417 DRM_ERROR("Device busy: %d\n",
26418 atomic_read(&dev->ioctl_count));
26419diff -urNp linux-3.1.1/drivers/gpu/drm/drm_global.c linux-3.1.1/drivers/gpu/drm/drm_global.c
26420--- linux-3.1.1/drivers/gpu/drm/drm_global.c 2011-11-11 15:19:27.000000000 -0500
26421+++ linux-3.1.1/drivers/gpu/drm/drm_global.c 2011-11-16 18:39:07.000000000 -0500
26422@@ -36,7 +36,7 @@
26423 struct drm_global_item {
26424 struct mutex mutex;
26425 void *object;
26426- int refcount;
26427+ atomic_t refcount;
26428 };
26429
26430 static struct drm_global_item glob[DRM_GLOBAL_NUM];
26431@@ -49,7 +49,7 @@ void drm_global_init(void)
26432 struct drm_global_item *item = &glob[i];
26433 mutex_init(&item->mutex);
26434 item->object = NULL;
26435- item->refcount = 0;
26436+ atomic_set(&item->refcount, 0);
26437 }
26438 }
26439
26440@@ -59,7 +59,7 @@ void drm_global_release(void)
26441 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
26442 struct drm_global_item *item = &glob[i];
26443 BUG_ON(item->object != NULL);
26444- BUG_ON(item->refcount != 0);
26445+ BUG_ON(atomic_read(&item->refcount) != 0);
26446 }
26447 }
26448
26449@@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
26450 void *object;
26451
26452 mutex_lock(&item->mutex);
26453- if (item->refcount == 0) {
26454+ if (atomic_read(&item->refcount) == 0) {
26455 item->object = kzalloc(ref->size, GFP_KERNEL);
26456 if (unlikely(item->object == NULL)) {
26457 ret = -ENOMEM;
26458@@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
26459 goto out_err;
26460
26461 }
26462- ++item->refcount;
26463+ atomic_inc(&item->refcount);
26464 ref->object = item->object;
26465 object = item->object;
26466 mutex_unlock(&item->mutex);
26467@@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
26468 struct drm_global_item *item = &glob[ref->global_type];
26469
26470 mutex_lock(&item->mutex);
26471- BUG_ON(item->refcount == 0);
26472+ BUG_ON(atomic_read(&item->refcount) == 0);
26473 BUG_ON(ref->object != item->object);
26474- if (--item->refcount == 0) {
26475+ if (atomic_dec_and_test(&item->refcount)) {
26476 ref->release(ref);
26477 item->object = NULL;
26478 }
26479diff -urNp linux-3.1.1/drivers/gpu/drm/drm_info.c linux-3.1.1/drivers/gpu/drm/drm_info.c
26480--- linux-3.1.1/drivers/gpu/drm/drm_info.c 2011-11-11 15:19:27.000000000 -0500
26481+++ linux-3.1.1/drivers/gpu/drm/drm_info.c 2011-11-16 18:40:10.000000000 -0500
26482@@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
26483 struct drm_local_map *map;
26484 struct drm_map_list *r_list;
26485
26486- /* Hardcoded from _DRM_FRAME_BUFFER,
26487- _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
26488- _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
26489- const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
26490+ static const char * const types[] = {
26491+ [_DRM_FRAME_BUFFER] = "FB",
26492+ [_DRM_REGISTERS] = "REG",
26493+ [_DRM_SHM] = "SHM",
26494+ [_DRM_AGP] = "AGP",
26495+ [_DRM_SCATTER_GATHER] = "SG",
26496+ [_DRM_CONSISTENT] = "PCI",
26497+ [_DRM_GEM] = "GEM" };
26498 const char *type;
26499 int i;
26500
26501@@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
26502 map = r_list->map;
26503 if (!map)
26504 continue;
26505- if (map->type < 0 || map->type > 5)
26506+ if (map->type >= ARRAY_SIZE(types))
26507 type = "??";
26508 else
26509 type = types[map->type];
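Review bot: With the designated-initializer table, any `enum drm_map_type` value that is not contiguous with the others would leave a NULL hole in `types[]`, and the new bounds check `map->type >= ARRAY_SIZE(types)` would pass such a value straight into `types[map->type]` and then into seq_printf as a NULL string. Guarding the hole costs one clause: `if (map->type >= ARRAY_SIZE(types) || !types[map->type])`. If the enum is guaranteed dense (it appears to be today, with `_DRM_GEM` as the last entry), a comment on the table stating that assumption would do instead.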
26510@@ -290,7 +294,11 @@ int drm_vma_info(struct seq_file *m, voi
26511 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
26512 vma->vm_flags & VM_LOCKED ? 'l' : '-',
26513 vma->vm_flags & VM_IO ? 'i' : '-',
26514+#ifdef CONFIG_GRKERNSEC_HIDESYM
26515+ 0);
26516+#else
26517 vma->vm_pgoff);
26518+#endif
26519
26520 #if defined(__i386__)
26521 pgprot = pgprot_val(vma->vm_page_prot);
26522diff -urNp linux-3.1.1/drivers/gpu/drm/drm_ioc32.c linux-3.1.1/drivers/gpu/drm/drm_ioc32.c
26523--- linux-3.1.1/drivers/gpu/drm/drm_ioc32.c 2011-11-11 15:19:27.000000000 -0500
26524+++ linux-3.1.1/drivers/gpu/drm/drm_ioc32.c 2011-11-16 18:39:07.000000000 -0500
26525@@ -455,7 +455,7 @@ static int compat_drm_infobufs(struct fi
26526 request = compat_alloc_user_space(nbytes);
26527 if (!access_ok(VERIFY_WRITE, request, nbytes))
26528 return -EFAULT;
26529- list = (struct drm_buf_desc *) (request + 1);
26530+ list = (struct drm_buf_desc __user *) (request + 1);
26531
26532 if (__put_user(count, &request->count)
26533 || __put_user(list, &request->list))
26534@@ -516,7 +516,7 @@ static int compat_drm_mapbufs(struct fil
26535 request = compat_alloc_user_space(nbytes);
26536 if (!access_ok(VERIFY_WRITE, request, nbytes))
26537 return -EFAULT;
26538- list = (struct drm_buf_pub *) (request + 1);
26539+ list = (struct drm_buf_pub __user *) (request + 1);
26540
26541 if (__put_user(count, &request->count)
26542 || __put_user(list, &request->list))
26543diff -urNp linux-3.1.1/drivers/gpu/drm/drm_ioctl.c linux-3.1.1/drivers/gpu/drm/drm_ioctl.c
26544--- linux-3.1.1/drivers/gpu/drm/drm_ioctl.c 2011-11-11 15:19:27.000000000 -0500
26545+++ linux-3.1.1/drivers/gpu/drm/drm_ioctl.c 2011-11-16 18:39:07.000000000 -0500
26546@@ -256,7 +256,7 @@ int drm_getstats(struct drm_device *dev,
26547 stats->data[i].value =
26548 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
26549 else
26550- stats->data[i].value = atomic_read(&dev->counts[i]);
26551+ stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
26552 stats->data[i].type = dev->types[i];
26553 }
26554
26555diff -urNp linux-3.1.1/drivers/gpu/drm/drm_lock.c linux-3.1.1/drivers/gpu/drm/drm_lock.c
26556--- linux-3.1.1/drivers/gpu/drm/drm_lock.c 2011-11-11 15:19:27.000000000 -0500
26557+++ linux-3.1.1/drivers/gpu/drm/drm_lock.c 2011-11-16 18:39:07.000000000 -0500
26558@@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
26559 if (drm_lock_take(&master->lock, lock->context)) {
26560 master->lock.file_priv = file_priv;
26561 master->lock.lock_time = jiffies;
26562- atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
26563+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
26564 break; /* Got lock */
26565 }
26566
26567@@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
26568 return -EINVAL;
26569 }
26570
26571- atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
26572+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
26573
26574 if (drm_lock_free(&master->lock, lock->context)) {
26575 /* FIXME: Should really bail out here. */
26576diff -urNp linux-3.1.1/drivers/gpu/drm/i810/i810_dma.c linux-3.1.1/drivers/gpu/drm/i810/i810_dma.c
26577--- linux-3.1.1/drivers/gpu/drm/i810/i810_dma.c 2011-11-11 15:19:27.000000000 -0500
26578+++ linux-3.1.1/drivers/gpu/drm/i810/i810_dma.c 2011-11-16 18:39:07.000000000 -0500
26579@@ -950,8 +950,8 @@ static int i810_dma_vertex(struct drm_de
26580 dma->buflist[vertex->idx],
26581 vertex->discard, vertex->used);
26582
26583- atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
26584- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
26585+ atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
26586+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
26587 sarea_priv->last_enqueue = dev_priv->counter - 1;
26588 sarea_priv->last_dispatch = (int)hw_status[5];
26589
26590@@ -1111,8 +1111,8 @@ static int i810_dma_mc(struct drm_device
26591 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
26592 mc->last_render);
26593
26594- atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
26595- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
26596+ atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
26597+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
26598 sarea_priv->last_enqueue = dev_priv->counter - 1;
26599 sarea_priv->last_dispatch = (int)hw_status[5];
26600
26601diff -urNp linux-3.1.1/drivers/gpu/drm/i810/i810_drv.h linux-3.1.1/drivers/gpu/drm/i810/i810_drv.h
26602--- linux-3.1.1/drivers/gpu/drm/i810/i810_drv.h 2011-11-11 15:19:27.000000000 -0500
26603+++ linux-3.1.1/drivers/gpu/drm/i810/i810_drv.h 2011-11-16 18:39:07.000000000 -0500
26604@@ -108,8 +108,8 @@ typedef struct drm_i810_private {
26605 int page_flipping;
26606
26607 wait_queue_head_t irq_queue;
26608- atomic_t irq_received;
26609- atomic_t irq_emitted;
26610+ atomic_unchecked_t irq_received;
26611+ atomic_unchecked_t irq_emitted;
26612
26613 int front_offset;
26614 } drm_i810_private_t;
26615diff -urNp linux-3.1.1/drivers/gpu/drm/i915/i915_debugfs.c linux-3.1.1/drivers/gpu/drm/i915/i915_debugfs.c
26616--- linux-3.1.1/drivers/gpu/drm/i915/i915_debugfs.c 2011-11-11 15:19:27.000000000 -0500
26617+++ linux-3.1.1/drivers/gpu/drm/i915/i915_debugfs.c 2011-11-16 18:39:07.000000000 -0500
26618@@ -497,7 +497,7 @@ static int i915_interrupt_info(struct se
26619 I915_READ(GTIMR));
26620 }
26621 seq_printf(m, "Interrupts received: %d\n",
26622- atomic_read(&dev_priv->irq_received));
26623+ atomic_read_unchecked(&dev_priv->irq_received));
26624 for (i = 0; i < I915_NUM_RINGS; i++) {
26625 if (IS_GEN6(dev) || IS_GEN7(dev)) {
26626 seq_printf(m, "Graphics Interrupt mask (%s): %08x\n",
26627@@ -1185,7 +1185,7 @@ static int i915_opregion(struct seq_file
26628 return ret;
26629
26630 if (opregion->header)
26631- seq_write(m, opregion->header, OPREGION_SIZE);
26632+ seq_write(m, (const void __force_kernel *)opregion->header, OPREGION_SIZE);
26633
26634 mutex_unlock(&dev->struct_mutex);
26635
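Review bot: The `(const void __force_kernel *)` cast on `opregion->header` only silences the address-space warning; it does not say why a plain kernel-memory copy through seq_write is valid for a pointer that the cast itself implies lives in another address space. A brief comment would keep the next reader from treating this as a bug or "fixing" it with memcpy_fromio: `/* opregion header is ioremapped; seq_write copies it as plain memory -- __force_kernel only quiets sparse */`. Whether that plain copy is actually correct for this mapping cannot be verified from the hunk and should be confirmed.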
26636diff -urNp linux-3.1.1/drivers/gpu/drm/i915/i915_dma.c linux-3.1.1/drivers/gpu/drm/i915/i915_dma.c
26637--- linux-3.1.1/drivers/gpu/drm/i915/i915_dma.c 2011-11-11 15:19:27.000000000 -0500
26638+++ linux-3.1.1/drivers/gpu/drm/i915/i915_dma.c 2011-11-16 18:39:07.000000000 -0500
26639@@ -1171,7 +1171,7 @@ static bool i915_switcheroo_can_switch(s
26640 bool can_switch;
26641
26642 spin_lock(&dev->count_lock);
26643- can_switch = (dev->open_count == 0);
26644+ can_switch = (local_read(&dev->open_count) == 0);
26645 spin_unlock(&dev->count_lock);
26646 return can_switch;
26647 }
26648diff -urNp linux-3.1.1/drivers/gpu/drm/i915/i915_drv.h linux-3.1.1/drivers/gpu/drm/i915/i915_drv.h
26649--- linux-3.1.1/drivers/gpu/drm/i915/i915_drv.h 2011-11-11 15:19:27.000000000 -0500
26650+++ linux-3.1.1/drivers/gpu/drm/i915/i915_drv.h 2011-11-16 18:39:07.000000000 -0500
26651@@ -222,7 +222,7 @@ struct drm_i915_display_funcs {
26652 /* render clock increase/decrease */
26653 /* display clock increase/decrease */
26654 /* pll clock increase/decrease */
26655-};
26656+} __no_const;
26657
26658 struct intel_device_info {
26659 u8 gen;
26660@@ -305,7 +305,7 @@ typedef struct drm_i915_private {
26661 int current_page;
26662 int page_flipping;
26663
26664- atomic_t irq_received;
26665+ atomic_unchecked_t irq_received;
26666
26667 /* protects the irq masks */
26668 spinlock_t irq_lock;
26669@@ -882,7 +882,7 @@ struct drm_i915_gem_object {
26670 * will be page flipped away on the next vblank. When it
26671 * reaches 0, dev_priv->pending_flip_queue will be woken up.
26672 */
26673- atomic_t pending_flip;
26674+ atomic_unchecked_t pending_flip;
26675 };
26676
26677 #define to_intel_bo(x) container_of(x, struct drm_i915_gem_object, base)
26678@@ -1262,7 +1262,7 @@ extern int intel_setup_gmbus(struct drm_
26679 extern void intel_teardown_gmbus(struct drm_device *dev);
26680 extern void intel_gmbus_set_speed(struct i2c_adapter *adapter, int speed);
26681 extern void intel_gmbus_force_bit(struct i2c_adapter *adapter, bool force_bit);
26682-extern inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
26683+static inline bool intel_gmbus_is_forced_bit(struct i2c_adapter *adapter)
26684 {
26685 return container_of(adapter, struct intel_gmbus, adapter)->force_bit;
26686 }
26687diff -urNp linux-3.1.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c linux-3.1.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c
26688--- linux-3.1.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-11-11 15:19:27.000000000 -0500
26689+++ linux-3.1.1/drivers/gpu/drm/i915/i915_gem_execbuffer.c 2011-11-16 18:39:07.000000000 -0500
26690@@ -188,7 +188,7 @@ i915_gem_object_set_to_gpu_domain(struct
26691 i915_gem_clflush_object(obj);
26692
26693 if (obj->base.pending_write_domain)
26694- cd->flips |= atomic_read(&obj->pending_flip);
26695+ cd->flips |= atomic_read_unchecked(&obj->pending_flip);
26696
26697 /* The actual obj->write_domain will be updated with
26698 * pending_write_domain after we emit the accumulated flush for all
26699diff -urNp linux-3.1.1/drivers/gpu/drm/i915/i915_irq.c linux-3.1.1/drivers/gpu/drm/i915/i915_irq.c
26700--- linux-3.1.1/drivers/gpu/drm/i915/i915_irq.c 2011-11-11 15:19:27.000000000 -0500
26701+++ linux-3.1.1/drivers/gpu/drm/i915/i915_irq.c 2011-11-16 18:39:07.000000000 -0500
26702@@ -475,7 +475,7 @@ static irqreturn_t ivybridge_irq_handler
26703 u32 de_iir, gt_iir, de_ier, pch_iir, pm_iir;
26704 struct drm_i915_master_private *master_priv;
26705
26706- atomic_inc(&dev_priv->irq_received);
26707+ atomic_inc_unchecked(&dev_priv->irq_received);
26708
26709 /* disable master interrupt before clearing iir */
26710 de_ier = I915_READ(DEIER);
26711@@ -565,7 +565,7 @@ static irqreturn_t ironlake_irq_handler(
26712 struct drm_i915_master_private *master_priv;
26713 u32 bsd_usr_interrupt = GT_BSD_USER_INTERRUPT;
26714
26715- atomic_inc(&dev_priv->irq_received);
26716+ atomic_inc_unchecked(&dev_priv->irq_received);
26717
26718 if (IS_GEN6(dev))
26719 bsd_usr_interrupt = GT_GEN6_BSD_USER_INTERRUPT;
26720@@ -1228,7 +1228,7 @@ static irqreturn_t i915_driver_irq_handl
26721 int ret = IRQ_NONE, pipe;
26722 bool blc_event = false;
26723
26724- atomic_inc(&dev_priv->irq_received);
26725+ atomic_inc_unchecked(&dev_priv->irq_received);
26726
26727 iir = I915_READ(IIR);
26728
26729@@ -1740,7 +1740,7 @@ static void ironlake_irq_preinstall(stru
26730 {
26731 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
26732
26733- atomic_set(&dev_priv->irq_received, 0);
26734+ atomic_set_unchecked(&dev_priv->irq_received, 0);
26735
26736 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
26737 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
26738@@ -1904,7 +1904,7 @@ static void i915_driver_irq_preinstall(s
26739 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
26740 int pipe;
26741
26742- atomic_set(&dev_priv->irq_received, 0);
26743+ atomic_set_unchecked(&dev_priv->irq_received, 0);
26744
26745 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
26746 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
26747diff -urNp linux-3.1.1/drivers/gpu/drm/i915/intel_display.c linux-3.1.1/drivers/gpu/drm/i915/intel_display.c
26748--- linux-3.1.1/drivers/gpu/drm/i915/intel_display.c 2011-11-11 15:19:27.000000000 -0500
26749+++ linux-3.1.1/drivers/gpu/drm/i915/intel_display.c 2011-11-16 18:39:07.000000000 -0500
26750@@ -2205,7 +2205,7 @@ intel_pipe_set_base(struct drm_crtc *crt
26751
26752 wait_event(dev_priv->pending_flip_queue,
26753 atomic_read(&dev_priv->mm.wedged) ||
26754- atomic_read(&obj->pending_flip) == 0);
26755+ atomic_read_unchecked(&obj->pending_flip) == 0);
26756
26757 /* Big Hammer, we also need to ensure that any pending
26758 * MI_WAIT_FOR_EVENT inside a user batch buffer on the
26759@@ -2824,7 +2824,7 @@ static void intel_crtc_wait_for_pending_
26760 obj = to_intel_framebuffer(crtc->fb)->obj;
26761 dev_priv = crtc->dev->dev_private;
26762 wait_event(dev_priv->pending_flip_queue,
26763- atomic_read(&obj->pending_flip) == 0);
26764+ atomic_read_unchecked(&obj->pending_flip) == 0);
26765 }
26766
26767 static bool intel_crtc_driving_pch(struct drm_crtc *crtc)
26768@@ -6644,7 +6644,7 @@ static void do_intel_finish_page_flip(st
26769
26770 atomic_clear_mask(1 << intel_crtc->plane,
26771 &obj->pending_flip.counter);
26772- if (atomic_read(&obj->pending_flip) == 0)
26773+ if (atomic_read_unchecked(&obj->pending_flip) == 0)
26774 wake_up(&dev_priv->pending_flip_queue);
26775
26776 schedule_work(&work->work);
26777@@ -6933,7 +6933,7 @@ static int intel_crtc_page_flip(struct d
26778 /* Block clients from rendering to the new back buffer until
26779 * the flip occurs and the object is no longer visible.
26780 */
26781- atomic_add(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26782+ atomic_add_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26783
26784 ret = dev_priv->display.queue_flip(dev, crtc, fb, obj);
26785 if (ret)
26786@@ -6947,7 +6947,7 @@ static int intel_crtc_page_flip(struct d
26787 return 0;
26788
26789 cleanup_pending:
26790- atomic_sub(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26791+ atomic_sub_unchecked(1 << intel_crtc->plane, &work->old_fb_obj->pending_flip);
26792 cleanup_objs:
26793 drm_gem_object_unreference(&work->old_fb_obj->base);
26794 drm_gem_object_unreference(&obj->base);
26795diff -urNp linux-3.1.1/drivers/gpu/drm/mga/mga_drv.h linux-3.1.1/drivers/gpu/drm/mga/mga_drv.h
26796--- linux-3.1.1/drivers/gpu/drm/mga/mga_drv.h 2011-11-11 15:19:27.000000000 -0500
26797+++ linux-3.1.1/drivers/gpu/drm/mga/mga_drv.h 2011-11-16 18:39:07.000000000 -0500
26798@@ -120,9 +120,9 @@ typedef struct drm_mga_private {
26799 u32 clear_cmd;
26800 u32 maccess;
26801
26802- atomic_t vbl_received; /**< Number of vblanks received. */
26803+ atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
26804 wait_queue_head_t fence_queue;
26805- atomic_t last_fence_retired;
26806+ atomic_unchecked_t last_fence_retired;
26807 u32 next_fence_to_post;
26808
26809 unsigned int fb_cpp;
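Review bot: Switching `vbl_received` and `last_fence_retired` to `atomic_unchecked_t` presumably opts them out of the reference-count overflow check, yet nothing in the hunk records why that is safe, so a reader who later meets `atomic_inc_unchecked` in mga_irq.c has no rationale to check against. Both are monotonically increasing sequence counters whose wraparound is expected and already tolerated by the `(cur_fence - *sequence) <= (1 << 23)` window in mga_driver_fence_wait, and the declaration is the right place to say so, e.g. `atomic_unchecked_t vbl_received; /**< Number of vblanks received; wraps by design, not a refcount. */`. The same note applies to the field changes in nouveau_drv.h, r128_drv.h, radeon_drv.h, radeon.h, via_drv.h and vmwgfx_drv.h and to the static counters in ttm_page_alloc.c and hid-core.c. The vmwgfx_drv.h hunk is a useful model for the distinction: `fence_seq` becomes unchecked while `fence_queue_waiters`, which by its name counts outstanding waiters, stays `atomic_t`.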
26810diff -urNp linux-3.1.1/drivers/gpu/drm/mga/mga_irq.c linux-3.1.1/drivers/gpu/drm/mga/mga_irq.c
26811--- linux-3.1.1/drivers/gpu/drm/mga/mga_irq.c 2011-11-11 15:19:27.000000000 -0500
26812+++ linux-3.1.1/drivers/gpu/drm/mga/mga_irq.c 2011-11-16 18:39:07.000000000 -0500
26813@@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
26814 if (crtc != 0)
26815 return 0;
26816
26817- return atomic_read(&dev_priv->vbl_received);
26818+ return atomic_read_unchecked(&dev_priv->vbl_received);
26819 }
26820
26821
26822@@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
26823 /* VBLANK interrupt */
26824 if (status & MGA_VLINEPEN) {
26825 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
26826- atomic_inc(&dev_priv->vbl_received);
26827+ atomic_inc_unchecked(&dev_priv->vbl_received);
26828 drm_handle_vblank(dev, 0);
26829 handled = 1;
26830 }
26831@@ -79,7 +79,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
26832 if ((prim_start & ~0x03) != (prim_end & ~0x03))
26833 MGA_WRITE(MGA_PRIMEND, prim_end);
26834
26835- atomic_inc(&dev_priv->last_fence_retired);
26836+ atomic_inc_unchecked(&dev_priv->last_fence_retired);
26837 DRM_WAKEUP(&dev_priv->fence_queue);
26838 handled = 1;
26839 }
26840@@ -130,7 +130,7 @@ int mga_driver_fence_wait(struct drm_dev
26841 * using fences.
26842 */
26843 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
26844- (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
26845+ (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
26846 - *sequence) <= (1 << 23)));
26847
26848 *sequence = cur_fence;
26849diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_bios.c linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_bios.c
26850--- linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_bios.c 2011-11-11 15:19:27.000000000 -0500
26851+++ linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_bios.c 2011-11-16 18:39:07.000000000 -0500
26852@@ -201,7 +201,7 @@ struct methods {
26853 const char desc[8];
26854 void (*loadbios)(struct drm_device *, uint8_t *);
26855 const bool rw;
26856-};
26857+} __do_const;
26858
26859 static struct methods shadow_methods[] = {
26860 { "PRAMIN", load_vbios_pramin, true },
26861@@ -5489,7 +5489,7 @@ parse_bit_displayport_tbl_entry(struct d
26862 struct bit_table {
26863 const char id;
26864 int (* const parse_fn)(struct drm_device *, struct nvbios *, struct bit_entry *);
26865-};
26866+} __no_const;
26867
26868 #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry })
26869
26870diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_drv.h linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_drv.h
26871--- linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-11-11 15:19:27.000000000 -0500
26872+++ linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_drv.h 2011-11-16 18:39:07.000000000 -0500
26873@@ -238,7 +238,7 @@ struct nouveau_channel {
26874 struct list_head pending;
26875 uint32_t sequence;
26876 uint32_t sequence_ack;
26877- atomic_t last_sequence_irq;
26878+ atomic_unchecked_t last_sequence_irq;
26879 struct nouveau_vma vma;
26880 } fence;
26881
26882@@ -319,7 +319,7 @@ struct nouveau_exec_engine {
26883 u32 handle, u16 class);
26884 void (*set_tile_region)(struct drm_device *dev, int i);
26885 void (*tlb_flush)(struct drm_device *, int engine);
26886-};
26887+} __no_const;
26888
26889 struct nouveau_instmem_engine {
26890 void *priv;
26891@@ -341,13 +341,13 @@ struct nouveau_instmem_engine {
26892 struct nouveau_mc_engine {
26893 int (*init)(struct drm_device *dev);
26894 void (*takedown)(struct drm_device *dev);
26895-};
26896+} __no_const;
26897
26898 struct nouveau_timer_engine {
26899 int (*init)(struct drm_device *dev);
26900 void (*takedown)(struct drm_device *dev);
26901 uint64_t (*read)(struct drm_device *dev);
26902-};
26903+} __no_const;
26904
26905 struct nouveau_fb_engine {
26906 int num_tiles;
26907@@ -513,7 +513,7 @@ struct nouveau_vram_engine {
26908 void (*put)(struct drm_device *, struct nouveau_mem **);
26909
26910 bool (*flags_valid)(struct drm_device *, u32 tile_flags);
26911-};
26912+} __no_const;
26913
26914 struct nouveau_engine {
26915 struct nouveau_instmem_engine instmem;
26916@@ -660,7 +660,7 @@ struct drm_nouveau_private {
26917 struct drm_global_reference mem_global_ref;
26918 struct ttm_bo_global_ref bo_global_ref;
26919 struct ttm_bo_device bdev;
26920- atomic_t validate_sequence;
26921+ atomic_unchecked_t validate_sequence;
26922 } ttm;
26923
26924 struct {
26925diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_fence.c linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_fence.c
26926--- linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-11-11 15:19:27.000000000 -0500
26927+++ linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_fence.c 2011-11-16 18:39:07.000000000 -0500
26928@@ -85,7 +85,7 @@ nouveau_fence_update(struct nouveau_chan
26929 if (USE_REFCNT(dev))
26930 sequence = nvchan_rd32(chan, 0x48);
26931 else
26932- sequence = atomic_read(&chan->fence.last_sequence_irq);
26933+ sequence = atomic_read_unchecked(&chan->fence.last_sequence_irq);
26934
26935 if (chan->fence.sequence_ack == sequence)
26936 goto out;
26937@@ -541,7 +541,7 @@ nouveau_fence_channel_init(struct nouvea
26938
26939 INIT_LIST_HEAD(&chan->fence.pending);
26940 spin_lock_init(&chan->fence.lock);
26941- atomic_set(&chan->fence.last_sequence_irq, 0);
26942+ atomic_set_unchecked(&chan->fence.last_sequence_irq, 0);
26943 return 0;
26944 }
26945
26946diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_gem.c linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_gem.c
26947--- linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-11-11 15:19:27.000000000 -0500
26948+++ linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_gem.c 2011-11-16 18:39:07.000000000 -0500
26949@@ -314,7 +314,7 @@ validate_init(struct nouveau_channel *ch
26950 int trycnt = 0;
26951 int ret, i;
26952
26953- sequence = atomic_add_return(1, &dev_priv->ttm.validate_sequence);
26954+ sequence = atomic_add_return_unchecked(1, &dev_priv->ttm.validate_sequence);
26955 retry:
26956 if (++trycnt > 100000) {
26957 NV_ERROR(dev, "%s failed and gave up.\n", __func__);
26958diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_state.c linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_state.c
26959--- linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_state.c 2011-11-11 15:19:27.000000000 -0500
26960+++ linux-3.1.1/drivers/gpu/drm/nouveau/nouveau_state.c 2011-11-16 18:39:07.000000000 -0500
26961@@ -496,7 +496,7 @@ static bool nouveau_switcheroo_can_switc
26962 bool can_switch;
26963
26964 spin_lock(&dev->count_lock);
26965- can_switch = (dev->open_count == 0);
26966+ can_switch = (local_read(&dev->open_count) == 0);
26967 spin_unlock(&dev->count_lock);
26968 return can_switch;
26969 }
26970diff -urNp linux-3.1.1/drivers/gpu/drm/nouveau/nv04_graph.c linux-3.1.1/drivers/gpu/drm/nouveau/nv04_graph.c
26971--- linux-3.1.1/drivers/gpu/drm/nouveau/nv04_graph.c 2011-11-11 15:19:27.000000000 -0500
26972+++ linux-3.1.1/drivers/gpu/drm/nouveau/nv04_graph.c 2011-11-16 18:39:07.000000000 -0500
26973@@ -554,7 +554,7 @@ static int
26974 nv04_graph_mthd_set_ref(struct nouveau_channel *chan,
26975 u32 class, u32 mthd, u32 data)
26976 {
26977- atomic_set(&chan->fence.last_sequence_irq, data);
26978+ atomic_set_unchecked(&chan->fence.last_sequence_irq, data);
26979 return 0;
26980 }
26981
26982diff -urNp linux-3.1.1/drivers/gpu/drm/r128/r128_cce.c linux-3.1.1/drivers/gpu/drm/r128/r128_cce.c
26983--- linux-3.1.1/drivers/gpu/drm/r128/r128_cce.c 2011-11-11 15:19:27.000000000 -0500
26984+++ linux-3.1.1/drivers/gpu/drm/r128/r128_cce.c 2011-11-16 18:39:07.000000000 -0500
26985@@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
26986
26987 /* GH: Simple idle check.
26988 */
26989- atomic_set(&dev_priv->idle_count, 0);
26990+ atomic_set_unchecked(&dev_priv->idle_count, 0);
26991
26992 /* We don't support anything other than bus-mastering ring mode,
26993 * but the ring can be in either AGP or PCI space for the ring
26994diff -urNp linux-3.1.1/drivers/gpu/drm/r128/r128_drv.h linux-3.1.1/drivers/gpu/drm/r128/r128_drv.h
26995--- linux-3.1.1/drivers/gpu/drm/r128/r128_drv.h 2011-11-11 15:19:27.000000000 -0500
26996+++ linux-3.1.1/drivers/gpu/drm/r128/r128_drv.h 2011-11-16 18:39:07.000000000 -0500
26997@@ -90,14 +90,14 @@ typedef struct drm_r128_private {
26998 int is_pci;
26999 unsigned long cce_buffers_offset;
27000
27001- atomic_t idle_count;
27002+ atomic_unchecked_t idle_count;
27003
27004 int page_flipping;
27005 int current_page;
27006 u32 crtc_offset;
27007 u32 crtc_offset_cntl;
27008
27009- atomic_t vbl_received;
27010+ atomic_unchecked_t vbl_received;
27011
27012 u32 color_fmt;
27013 unsigned int front_offset;
27014diff -urNp linux-3.1.1/drivers/gpu/drm/r128/r128_irq.c linux-3.1.1/drivers/gpu/drm/r128/r128_irq.c
27015--- linux-3.1.1/drivers/gpu/drm/r128/r128_irq.c 2011-11-11 15:19:27.000000000 -0500
27016+++ linux-3.1.1/drivers/gpu/drm/r128/r128_irq.c 2011-11-16 18:39:07.000000000 -0500
27017@@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
27018 if (crtc != 0)
27019 return 0;
27020
27021- return atomic_read(&dev_priv->vbl_received);
27022+ return atomic_read_unchecked(&dev_priv->vbl_received);
27023 }
27024
27025 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
27026@@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
27027 /* VBLANK interrupt */
27028 if (status & R128_CRTC_VBLANK_INT) {
27029 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
27030- atomic_inc(&dev_priv->vbl_received);
27031+ atomic_inc_unchecked(&dev_priv->vbl_received);
27032 drm_handle_vblank(dev, 0);
27033 return IRQ_HANDLED;
27034 }
27035diff -urNp linux-3.1.1/drivers/gpu/drm/r128/r128_state.c linux-3.1.1/drivers/gpu/drm/r128/r128_state.c
27036--- linux-3.1.1/drivers/gpu/drm/r128/r128_state.c 2011-11-11 15:19:27.000000000 -0500
27037+++ linux-3.1.1/drivers/gpu/drm/r128/r128_state.c 2011-11-16 18:39:07.000000000 -0500
27038@@ -321,10 +321,10 @@ static void r128_clear_box(drm_r128_priv
27039
27040 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
27041 {
27042- if (atomic_read(&dev_priv->idle_count) == 0)
27043+ if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
27044 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
27045 else
27046- atomic_set(&dev_priv->idle_count, 0);
27047+ atomic_set_unchecked(&dev_priv->idle_count, 0);
27048 }
27049
27050 #endif
27051diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/atom.c linux-3.1.1/drivers/gpu/drm/radeon/atom.c
27052--- linux-3.1.1/drivers/gpu/drm/radeon/atom.c 2011-11-11 15:19:27.000000000 -0500
27053+++ linux-3.1.1/drivers/gpu/drm/radeon/atom.c 2011-11-16 19:09:42.000000000 -0500
27054@@ -1254,6 +1254,8 @@ struct atom_context *atom_parse(struct c
27055 char name[512];
27056 int i;
27057
27058+ pax_track_stack();
27059+
27060 if (!ctx)
27061 return NULL;
27062
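Review bot: The inserted `pax_track_stack()` call carries no comment saying what triggered it; the only visible candidate is the `char name[512]` buffer declared just above, which makes atom_parse's frame large. A one-line justification next to the call, e.g. `pax_track_stack(); /* large frame: name[512] */`, lets a later change that shrinks or removes the buffer also drop the call. The same applies to the bare `pax_track_stack()` insertions in radeon_atombios.c and radeon_display.c, where the hunks do not show which locals are responsible. atom_parse continues outside the hunk.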
27063diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/mkregtable.c linux-3.1.1/drivers/gpu/drm/radeon/mkregtable.c
27064--- linux-3.1.1/drivers/gpu/drm/radeon/mkregtable.c 2011-11-11 15:19:27.000000000 -0500
27065+++ linux-3.1.1/drivers/gpu/drm/radeon/mkregtable.c 2011-11-16 18:39:07.000000000 -0500
27066@@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
27067 regex_t mask_rex;
27068 regmatch_t match[4];
27069 char buf[1024];
27070- size_t end;
27071+ long end;
27072 int len;
27073 int done = 0;
27074 int r;
27075 unsigned o;
27076 struct offset *offset;
27077 char last_reg_s[10];
27078- int last_reg;
27079+ unsigned long last_reg;
27080
27081 if (regcomp
27082 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
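Review bot: The type changes `size_t end` → `long end` and `int last_reg` → `unsigned long last_reg` are not motivated anywhere in the hunk, and every use of both variables lies in the part of parser_auth outside it. If the intent is to match the return types of the `strtol`/`strtoul` calls that parse `buf` and `last_reg_s`, a comment on the declarations would say so, e.g. `long end; /* strtol() result */` and `unsigned long last_reg; /* strtoul() result */`. Note that `end` becoming signed and `last_reg` becoming unsigned changes the meaning of any comparison between them or against `unsigned o` later in the function, which should be checked against the body.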
27083diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_atombios.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_atombios.c
27084--- linux-3.1.1/drivers/gpu/drm/radeon/radeon_atombios.c 2011-11-11 15:19:27.000000000 -0500
27085+++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_atombios.c 2011-11-16 18:40:10.000000000 -0500
27086@@ -545,6 +545,8 @@ bool radeon_get_atom_connector_info_from
27087 struct radeon_gpio_rec gpio;
27088 struct radeon_hpd hpd;
27089
27090+ pax_track_stack();
27091+
27092 if (!atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset))
27093 return false;
27094
27095diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_device.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_device.c
27096--- linux-3.1.1/drivers/gpu/drm/radeon/radeon_device.c 2011-11-11 15:19:27.000000000 -0500
27097+++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_device.c 2011-11-16 18:39:07.000000000 -0500
27098@@ -684,7 +684,7 @@ static bool radeon_switcheroo_can_switch
27099 bool can_switch;
27100
27101 spin_lock(&dev->count_lock);
27102- can_switch = (dev->open_count == 0);
27103+ can_switch = (local_read(&dev->open_count) == 0);
27104 spin_unlock(&dev->count_lock);
27105 return can_switch;
27106 }
27107diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_display.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_display.c
27108--- linux-3.1.1/drivers/gpu/drm/radeon/radeon_display.c 2011-11-11 15:19:27.000000000 -0500
27109+++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_display.c 2011-11-16 18:40:10.000000000 -0500
27110@@ -925,6 +925,8 @@ void radeon_compute_pll_legacy(struct ra
27111 uint32_t post_div;
27112 u32 pll_out_min, pll_out_max;
27113
27114+ pax_track_stack();
27115+
27116 DRM_DEBUG_KMS("PLL freq %llu %u %u\n", freq, pll->min_ref_div, pll->max_ref_div);
27117 freq = freq * 1000;
27118
27119diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_drv.h linux-3.1.1/drivers/gpu/drm/radeon/radeon_drv.h
27120--- linux-3.1.1/drivers/gpu/drm/radeon/radeon_drv.h 2011-11-11 15:19:27.000000000 -0500
27121+++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_drv.h 2011-11-16 18:39:07.000000000 -0500
27122@@ -255,7 +255,7 @@ typedef struct drm_radeon_private {
27123
27124 /* SW interrupt */
27125 wait_queue_head_t swi_queue;
27126- atomic_t swi_emitted;
27127+ atomic_unchecked_t swi_emitted;
27128 int vblank_crtc;
27129 uint32_t irq_enable_reg;
27130 uint32_t r500_disp_irq_reg;
27131diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_fence.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_fence.c
27132--- linux-3.1.1/drivers/gpu/drm/radeon/radeon_fence.c 2011-11-11 15:19:27.000000000 -0500
27133+++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_fence.c 2011-11-16 18:39:07.000000000 -0500
27134@@ -78,7 +78,7 @@ int radeon_fence_emit(struct radeon_devi
27135 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
27136 return 0;
27137 }
27138- fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
27139+ fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
27140 if (!rdev->cp.ready)
27141 /* FIXME: cp is not running assume everythings is done right
27142 * away
27143@@ -373,7 +373,7 @@ int radeon_fence_driver_init(struct rade
27144 return r;
27145 }
27146 radeon_fence_write(rdev, 0);
27147- atomic_set(&rdev->fence_drv.seq, 0);
27148+ atomic_set_unchecked(&rdev->fence_drv.seq, 0);
27149 INIT_LIST_HEAD(&rdev->fence_drv.created);
27150 INIT_LIST_HEAD(&rdev->fence_drv.emited);
27151 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
27152diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon.h linux-3.1.1/drivers/gpu/drm/radeon/radeon.h
27153--- linux-3.1.1/drivers/gpu/drm/radeon/radeon.h 2011-11-11 15:19:27.000000000 -0500
27154+++ linux-3.1.1/drivers/gpu/drm/radeon/radeon.h 2011-11-16 18:39:07.000000000 -0500
27155@@ -192,7 +192,7 @@ extern int sumo_get_temp(struct radeon_d
27156 */
27157 struct radeon_fence_driver {
27158 uint32_t scratch_reg;
27159- atomic_t seq;
27160+ atomic_unchecked_t seq;
27161 uint32_t last_seq;
27162 unsigned long last_jiffies;
27163 unsigned long last_timeout;
27164@@ -962,7 +962,7 @@ struct radeon_asic {
27165 void (*pre_page_flip)(struct radeon_device *rdev, int crtc);
27166 u32 (*page_flip)(struct radeon_device *rdev, int crtc, u64 crtc_base);
27167 void (*post_page_flip)(struct radeon_device *rdev, int crtc);
27168-};
27169+} __no_const;
27170
27171 /*
27172 * Asic structures
27173diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_ioc32.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_ioc32.c
27174--- linux-3.1.1/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-11-11 15:19:27.000000000 -0500
27175+++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-11-16 18:39:07.000000000 -0500
27176@@ -359,7 +359,7 @@ static int compat_radeon_cp_setparam(str
27177 request = compat_alloc_user_space(sizeof(*request));
27178 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
27179 || __put_user(req32.param, &request->param)
27180- || __put_user((void __user *)(unsigned long)req32.value,
27181+ || __put_user((unsigned long)req32.value,
27182 &request->value))
27183 return -EFAULT;
27184
27185diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_irq.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_irq.c
27186--- linux-3.1.1/drivers/gpu/drm/radeon/radeon_irq.c 2011-11-11 15:19:27.000000000 -0500
27187+++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_irq.c 2011-11-16 18:39:07.000000000 -0500
27188@@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
27189 unsigned int ret;
27190 RING_LOCALS;
27191
27192- atomic_inc(&dev_priv->swi_emitted);
27193- ret = atomic_read(&dev_priv->swi_emitted);
27194+ atomic_inc_unchecked(&dev_priv->swi_emitted);
27195+ ret = atomic_read_unchecked(&dev_priv->swi_emitted);
27196
27197 BEGIN_RING(4);
27198 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
27199@@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
27200 drm_radeon_private_t *dev_priv =
27201 (drm_radeon_private_t *) dev->dev_private;
27202
27203- atomic_set(&dev_priv->swi_emitted, 0);
27204+ atomic_set_unchecked(&dev_priv->swi_emitted, 0);
27205 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
27206
27207 dev->max_vblank_count = 0x001fffff;
27208diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_state.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_state.c
27209--- linux-3.1.1/drivers/gpu/drm/radeon/radeon_state.c 2011-11-11 15:19:27.000000000 -0500
27210+++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_state.c 2011-11-16 18:39:07.000000000 -0500
27211@@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
27212 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
27213 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
27214
27215- if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
27216+ if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
27217 sarea_priv->nbox * sizeof(depth_boxes[0])))
27218 return -EFAULT;
27219
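Review bot: The added bound check re-reads `sarea_priv->nbox` after the clamp two lines above, and the copy length on the next line reads it a third time, so each read can observe a different value; the sarea is a mapping shared with user space, which is presumably why the extra check was wanted at all. The check should be made on a single snapshot that is also used as the copy length: `unsigned int nbox = sarea_priv->nbox; if (nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes, nbox * sizeof(depth_boxes[0]))) return -EFAULT;`. radeon_cp_clear continues outside the hunk; any later loop over the boxes would need to use the same local rather than `sarea_priv->nbox`.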
27220@@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
27221 {
27222 drm_radeon_private_t *dev_priv = dev->dev_private;
27223 drm_radeon_getparam_t *param = data;
27224- int value;
27225+ int value = 0;
27226
27227 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
27228
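Review bot: `int value = 0;` changes the result for any `param` that the following switch leaves unhandled without returning, and the hunk gives no comment on why the initialisation is needed. If the reason is that `value` is copied to user space regardless of which case ran, say so at the declaration, e.g. `int value = 0; /* copied to user space below; must not be left uninitialised */`. The switch and the copy are outside the hunk, so whether an unknown param returns an error before the copy cannot be confirmed from here.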
27229diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/radeon_ttm.c linux-3.1.1/drivers/gpu/drm/radeon/radeon_ttm.c
27230--- linux-3.1.1/drivers/gpu/drm/radeon/radeon_ttm.c 2011-11-11 15:19:27.000000000 -0500
27231+++ linux-3.1.1/drivers/gpu/drm/radeon/radeon_ttm.c 2011-11-16 18:39:07.000000000 -0500
27232@@ -672,8 +672,10 @@ int radeon_mmap(struct file *filp, struc
27233 }
27234 if (unlikely(ttm_vm_ops == NULL)) {
27235 ttm_vm_ops = vma->vm_ops;
27236- radeon_ttm_vm_ops = *ttm_vm_ops;
27237- radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
27238+ pax_open_kernel();
27239+ memcpy((void *)&radeon_ttm_vm_ops, ttm_vm_ops, sizeof(radeon_ttm_vm_ops));
27240+ *(void **)&radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
27241+ pax_close_kernel();
27242 }
27243 vma->vm_ops = &radeon_ttm_vm_ops;
27244 return 0;
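Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around the `memcpy` into `radeon_ttm_vm_ops` is unexplained in the hunk; the casts `(void *)&radeon_ttm_vm_ops` and `*(void **)&radeon_ttm_vm_ops.fault` suggest the object is now declared read-only, but that declaration is outside the hunk. A short comment would make the intent reviewable, e.g. `/* radeon_ttm_vm_ops is read-only; briefly open the kernel to seed it from the generic ttm ops */`. The one-time initialisation remains guarded only by the unlocked `ttm_vm_ops == NULL` test, which is pre-existing and not changed here. radeon_mmap begins outside the hunk.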
27245diff -urNp linux-3.1.1/drivers/gpu/drm/radeon/rs690.c linux-3.1.1/drivers/gpu/drm/radeon/rs690.c
27246--- linux-3.1.1/drivers/gpu/drm/radeon/rs690.c 2011-11-11 15:19:27.000000000 -0500
27247+++ linux-3.1.1/drivers/gpu/drm/radeon/rs690.c 2011-11-16 18:39:07.000000000 -0500
27248@@ -304,9 +304,11 @@ void rs690_crtc_bandwidth_compute(struct
27249 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
27250 rdev->pm.sideport_bandwidth.full)
27251 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
27252- read_delay_latency.full = dfixed_const(370 * 800 * 1000);
27253+ read_delay_latency.full = dfixed_const(800 * 1000);
27254 read_delay_latency.full = dfixed_div(read_delay_latency,
27255 rdev->pm.igp_sideport_mclk);
27256+ a.full = dfixed_const(370);
27257+ read_delay_latency.full = dfixed_mul(read_delay_latency, a);
27258 } else {
27259 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
27260 rdev->pm.k8_bandwidth.full)
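Review bot: Moving the 370 factor after the division is an overflow fix that the hunk leaves unexplained: `dfixed_const()` shifts its argument left by 12 bits, and `370 * 800 * 1000` (296,000,000) shifted by 12 does not fit the 32-bit `fixed20_12`, whereas `800 * 1000` does. A comment on the changed line would stop a future cleanup from re-folding the constants, e.g. `/* 370 * 800 * 1000 << 12 overflows fixed20_12; apply the 370 factor after the division */`. Dividing first and multiplying by 370 afterwards also scales the division's truncation error by up to 370/4096, which is presumably acceptable for a latency estimate but does differ from the original value. `a` is not declared in the hunk; its declaration is assumed to be elsewhere in rs690_crtc_bandwidth_compute.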
27261diff -urNp linux-3.1.1/drivers/gpu/drm/ttm/ttm_page_alloc.c linux-3.1.1/drivers/gpu/drm/ttm/ttm_page_alloc.c
27262--- linux-3.1.1/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-11-11 15:19:27.000000000 -0500
27263+++ linux-3.1.1/drivers/gpu/drm/ttm/ttm_page_alloc.c 2011-11-16 18:39:07.000000000 -0500
27264@@ -398,9 +398,9 @@ static int ttm_pool_get_num_unused_pages
27265 static int ttm_pool_mm_shrink(struct shrinker *shrink,
27266 struct shrink_control *sc)
27267 {
27268- static atomic_t start_pool = ATOMIC_INIT(0);
27269+ static atomic_unchecked_t start_pool = ATOMIC_INIT(0);
27270 unsigned i;
27271- unsigned pool_offset = atomic_add_return(1, &start_pool);
27272+ unsigned pool_offset = atomic_add_return_unchecked(1, &start_pool);
27273 struct ttm_page_pool *pool;
27274 int shrink_pages = sc->nr_to_scan;
27275
27276diff -urNp linux-3.1.1/drivers/gpu/drm/via/via_drv.h linux-3.1.1/drivers/gpu/drm/via/via_drv.h
27277--- linux-3.1.1/drivers/gpu/drm/via/via_drv.h 2011-11-11 15:19:27.000000000 -0500
27278+++ linux-3.1.1/drivers/gpu/drm/via/via_drv.h 2011-11-16 18:39:07.000000000 -0500
27279@@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
27280 typedef uint32_t maskarray_t[5];
27281
27282 typedef struct drm_via_irq {
27283- atomic_t irq_received;
27284+ atomic_unchecked_t irq_received;
27285 uint32_t pending_mask;
27286 uint32_t enable_mask;
27287 wait_queue_head_t irq_queue;
27288@@ -75,7 +75,7 @@ typedef struct drm_via_private {
27289 struct timeval last_vblank;
27290 int last_vblank_valid;
27291 unsigned usec_per_vblank;
27292- atomic_t vbl_received;
27293+ atomic_unchecked_t vbl_received;
27294 drm_via_state_t hc_state;
27295 char pci_buf[VIA_PCI_BUF_SIZE];
27296 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
27297diff -urNp linux-3.1.1/drivers/gpu/drm/via/via_irq.c linux-3.1.1/drivers/gpu/drm/via/via_irq.c
27298--- linux-3.1.1/drivers/gpu/drm/via/via_irq.c 2011-11-11 15:19:27.000000000 -0500
27299+++ linux-3.1.1/drivers/gpu/drm/via/via_irq.c 2011-11-16 18:39:07.000000000 -0500
27300@@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
27301 if (crtc != 0)
27302 return 0;
27303
27304- return atomic_read(&dev_priv->vbl_received);
27305+ return atomic_read_unchecked(&dev_priv->vbl_received);
27306 }
27307
27308 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
27309@@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
27310
27311 status = VIA_READ(VIA_REG_INTERRUPT);
27312 if (status & VIA_IRQ_VBLANK_PENDING) {
27313- atomic_inc(&dev_priv->vbl_received);
27314- if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
27315+ atomic_inc_unchecked(&dev_priv->vbl_received);
27316+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
27317 do_gettimeofday(&cur_vblank);
27318 if (dev_priv->last_vblank_valid) {
27319 dev_priv->usec_per_vblank =
27320@@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
27321 dev_priv->last_vblank = cur_vblank;
27322 dev_priv->last_vblank_valid = 1;
27323 }
27324- if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
27325+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
27326 DRM_DEBUG("US per vblank is: %u\n",
27327 dev_priv->usec_per_vblank);
27328 }
27329@@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
27330
27331 for (i = 0; i < dev_priv->num_irqs; ++i) {
27332 if (status & cur_irq->pending_mask) {
27333- atomic_inc(&cur_irq->irq_received);
27334+ atomic_inc_unchecked(&cur_irq->irq_received);
27335 DRM_WAKEUP(&cur_irq->irq_queue);
27336 handled = 1;
27337 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
27338@@ -243,11 +243,11 @@ via_driver_irq_wait(struct drm_device *d
27339 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
27340 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
27341 masks[irq][4]));
27342- cur_irq_sequence = atomic_read(&cur_irq->irq_received);
27343+ cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
27344 } else {
27345 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
27346 (((cur_irq_sequence =
27347- atomic_read(&cur_irq->irq_received)) -
27348+ atomic_read_unchecked(&cur_irq->irq_received)) -
27349 *sequence) <= (1 << 23)));
27350 }
27351 *sequence = cur_irq_sequence;
27352@@ -285,7 +285,7 @@ void via_driver_irq_preinstall(struct dr
27353 }
27354
27355 for (i = 0; i < dev_priv->num_irqs; ++i) {
27356- atomic_set(&cur_irq->irq_received, 0);
27357+ atomic_set_unchecked(&cur_irq->irq_received, 0);
27358 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
27359 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
27360 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
27361@@ -367,7 +367,7 @@ int via_wait_irq(struct drm_device *dev,
27362 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
27363 case VIA_IRQ_RELATIVE:
27364 irqwait->request.sequence +=
27365- atomic_read(&cur_irq->irq_received);
27366+ atomic_read_unchecked(&cur_irq->irq_received);
27367 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
27368 case VIA_IRQ_ABSOLUTE:
27369 break;
27370diff -urNp linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
27371--- linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-11-11 15:19:27.000000000 -0500
27372+++ linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h 2011-11-16 18:39:07.000000000 -0500
27373@@ -240,7 +240,7 @@ struct vmw_private {
27374 * Fencing and IRQs.
27375 */
27376
27377- atomic_t fence_seq;
27378+ atomic_unchecked_t fence_seq;
27379 wait_queue_head_t fence_queue;
27380 wait_queue_head_t fifo_queue;
27381 atomic_t fence_queue_waiters;
27382diff -urNp linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
27383--- linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c 2011-11-11 15:19:27.000000000 -0500
27384+++ linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c 2011-11-16 18:39:07.000000000 -0500
27385@@ -610,7 +610,7 @@ int vmw_execbuf_ioctl(struct drm_device
27386 struct drm_vmw_fence_rep fence_rep;
27387 struct drm_vmw_fence_rep __user *user_fence_rep;
27388 int ret;
27389- void *user_cmd;
27390+ void __user *user_cmd;
27391 void *cmd;
27392 uint32_t sequence;
27393 struct vmw_sw_context *sw_context = &dev_priv->ctx;
27394diff -urNp linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
27395--- linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-11-11 15:19:27.000000000 -0500
27396+++ linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c 2011-11-16 18:39:07.000000000 -0500
27397@@ -151,7 +151,7 @@ int vmw_wait_lag(struct vmw_private *dev
27398 while (!vmw_lag_lt(queue, us)) {
27399 spin_lock(&queue->lock);
27400 if (list_empty(&queue->head))
27401- sequence = atomic_read(&dev_priv->fence_seq);
27402+ sequence = atomic_read_unchecked(&dev_priv->fence_seq);
27403 else {
27404 fence = list_first_entry(&queue->head,
27405 struct vmw_fence, head);
27406diff -urNp linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
27407--- linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-11-11 15:19:27.000000000 -0500
27408+++ linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c 2011-11-16 18:39:07.000000000 -0500
27409@@ -137,7 +137,7 @@ int vmw_fifo_init(struct vmw_private *de
27410 (unsigned int) min,
27411 (unsigned int) fifo->capabilities);
27412
27413- atomic_set(&dev_priv->fence_seq, dev_priv->last_read_sequence);
27414+ atomic_set_unchecked(&dev_priv->fence_seq, dev_priv->last_read_sequence);
27415 iowrite32(dev_priv->last_read_sequence, fifo_mem + SVGA_FIFO_FENCE);
27416 vmw_fence_queue_init(&fifo->fence_queue);
27417 return vmw_fifo_send_fence(dev_priv, &dummy);
27418@@ -356,7 +356,7 @@ void *vmw_fifo_reserve(struct vmw_privat
27419 if (reserveable)
27420 iowrite32(bytes, fifo_mem +
27421 SVGA_FIFO_RESERVED);
27422- return fifo_mem + (next_cmd >> 2);
27423+ return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2);
27424 } else {
27425 need_bounce = true;
27426 }
27427@@ -476,7 +476,7 @@ int vmw_fifo_send_fence(struct vmw_priva
27428
27429 fm = vmw_fifo_reserve(dev_priv, bytes);
27430 if (unlikely(fm == NULL)) {
27431- *sequence = atomic_read(&dev_priv->fence_seq);
27432+ *sequence = atomic_read_unchecked(&dev_priv->fence_seq);
27433 ret = -ENOMEM;
27434 (void)vmw_fallback_wait(dev_priv, false, true, *sequence,
27435 false, 3*HZ);
27436@@ -484,7 +484,7 @@ int vmw_fifo_send_fence(struct vmw_priva
27437 }
27438
27439 do {
27440- *sequence = atomic_add_return(1, &dev_priv->fence_seq);
27441+ *sequence = atomic_add_return_unchecked(1, &dev_priv->fence_seq);
27442 } while (*sequence == 0);
27443
27444 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
27445diff -urNp linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
27446--- linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-11-11 15:19:27.000000000 -0500
27447+++ linux-3.1.1/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c 2011-11-16 18:39:07.000000000 -0500
27448@@ -100,7 +100,7 @@ bool vmw_fence_signaled(struct vmw_priva
27449 * emitted. Then the fence is stale and signaled.
27450 */
27451
27452- ret = ((atomic_read(&dev_priv->fence_seq) - sequence)
27453+ ret = ((atomic_read_unchecked(&dev_priv->fence_seq) - sequence)
27454 > VMW_FENCE_WRAP);
27455
27456 return ret;
27457@@ -131,7 +131,7 @@ int vmw_fallback_wait(struct vmw_private
27458
27459 if (fifo_idle)
27460 down_read(&fifo_state->rwsem);
27461- signal_seq = atomic_read(&dev_priv->fence_seq);
27462+ signal_seq = atomic_read_unchecked(&dev_priv->fence_seq);
27463 ret = 0;
27464
27465 for (;;) {
27466diff -urNp linux-3.1.1/drivers/hid/hid-core.c linux-3.1.1/drivers/hid/hid-core.c
27467--- linux-3.1.1/drivers/hid/hid-core.c 2011-11-11 15:19:27.000000000 -0500
27468+++ linux-3.1.1/drivers/hid/hid-core.c 2011-11-16 18:39:07.000000000 -0500
27469@@ -1951,7 +1951,7 @@ static bool hid_ignore(struct hid_device
27470
27471 int hid_add_device(struct hid_device *hdev)
27472 {
27473- static atomic_t id = ATOMIC_INIT(0);
27474+ static atomic_unchecked_t id = ATOMIC_INIT(0);
27475 int ret;
27476
27477 if (WARN_ON(hdev->status & HID_STAT_ADDED))
27478@@ -1966,7 +1966,7 @@ int hid_add_device(struct hid_device *hd
27479 /* XXX hack, any other cleaner solution after the driver core
27480 * is converted to allow more than 20 bytes as the device name? */
27481 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
27482- hdev->vendor, hdev->product, atomic_inc_return(&id));
27483+ hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
27484
27485 hid_debug_register(hdev, dev_name(&hdev->dev));
27486 ret = device_add(&hdev->dev);
27487diff -urNp linux-3.1.1/drivers/hid/usbhid/hiddev.c linux-3.1.1/drivers/hid/usbhid/hiddev.c
27488--- linux-3.1.1/drivers/hid/usbhid/hiddev.c 2011-11-11 15:19:27.000000000 -0500
27489+++ linux-3.1.1/drivers/hid/usbhid/hiddev.c 2011-11-16 18:39:07.000000000 -0500
27490@@ -624,7 +624,7 @@ static long hiddev_ioctl(struct file *fi
27491 break;
27492
27493 case HIDIOCAPPLICATION:
27494- if (arg < 0 || arg >= hid->maxapplication)
27495+ if (arg >= hid->maxapplication)
27496 break;
27497
27498 for (i = 0; i < hid->maxcollection; i++)
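Review bot: Dropping `arg < 0` is only correct because arg is an unsigned ioctl argument; the parameter's type is outside the hunk, so this is inferred from the ioctl signature, and a short comment would stop the next reader from re-adding the test or casting arg to a signed type. Suggest `/* arg is unsigned long: only the upper bound can fail */` above the surviving `if (arg >= hid->maxapplication)`. hiddev_ioctl continues outside the hunk.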
27499diff -urNp linux-3.1.1/drivers/hwmon/acpi_power_meter.c linux-3.1.1/drivers/hwmon/acpi_power_meter.c
27500--- linux-3.1.1/drivers/hwmon/acpi_power_meter.c 2011-11-11 15:19:27.000000000 -0500
27501+++ linux-3.1.1/drivers/hwmon/acpi_power_meter.c 2011-11-16 18:39:07.000000000 -0500
27502@@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
27503 return res;
27504
27505 temp /= 1000;
27506- if (temp < 0)
27507- return -EINVAL;
27508
27509 mutex_lock(&resource->lock);
27510 resource->trip[attr->index - 7] = temp;
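Review bot: Removing the `temp < 0` test leaves no range check at all before `resource->trip[attr->index - 7] = temp;` on the last line, so a sysfs write larger than the destination can hold is silently truncated. The dropped check was presumably dead because temp is parsed as an unsigned long (its declaration and the parse are outside the hunk), but if trip[] is a signed int the meaningful replacement is an upper bound, `if (temp > INT_MAX) return -EINVAL;`, placed where the removed lines were and before the mutex is taken. set_trip starts outside the hunk.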
27511diff -urNp linux-3.1.1/drivers/hwmon/sht15.c linux-3.1.1/drivers/hwmon/sht15.c
27512--- linux-3.1.1/drivers/hwmon/sht15.c 2011-11-11 15:19:27.000000000 -0500
27513+++ linux-3.1.1/drivers/hwmon/sht15.c 2011-11-16 18:39:07.000000000 -0500
27514@@ -166,7 +166,7 @@ struct sht15_data {
27515 int supply_uV;
27516 bool supply_uV_valid;
27517 struct work_struct update_supply_work;
27518- atomic_t interrupt_handled;
27519+ atomic_unchecked_t interrupt_handled;
27520 };
27521
27522 /**
27523@@ -509,13 +509,13 @@ static int sht15_measurement(struct sht1
27524 return ret;
27525
27526 gpio_direction_input(data->pdata->gpio_data);
27527- atomic_set(&data->interrupt_handled, 0);
27528+ atomic_set_unchecked(&data->interrupt_handled, 0);
27529
27530 enable_irq(gpio_to_irq(data->pdata->gpio_data));
27531 if (gpio_get_value(data->pdata->gpio_data) == 0) {
27532 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
27533 /* Only relevant if the interrupt hasn't occurred. */
27534- if (!atomic_read(&data->interrupt_handled))
27535+ if (!atomic_read_unchecked(&data->interrupt_handled))
27536 schedule_work(&data->read_work);
27537 }
27538 ret = wait_event_timeout(data->wait_queue,
27539@@ -782,7 +782,7 @@ static irqreturn_t sht15_interrupt_fired
27540
27541 /* First disable the interrupt */
27542 disable_irq_nosync(irq);
27543- atomic_inc(&data->interrupt_handled);
27544+ atomic_inc_unchecked(&data->interrupt_handled);
27545 /* Then schedule a reading work struct */
27546 if (data->state != SHT15_READING_NOTHING)
27547 schedule_work(&data->read_work);
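Review bot: In the hunks shown, interrupt_handled is only ever reset to 0 and tested for non-zero, so incrementing it in the IRQ handler makes it read like a counter when it is really a flag; `atomic_set_unchecked(&data->interrupt_handled, 1);` would say that directly and make wrap-around impossible regardless of which atomic variant is used. A one-line comment at the field, `/* flag, not a refcount: set by the IRQ handler, cleared before re-arming */`, would also record why it opts out of overflow checking. sht15_interrupt_fired continues outside the hunk.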
27548@@ -804,11 +804,11 @@ static void sht15_bh_read_data(struct wo
27549 * If not, then start the interrupt again - care here as could
27550 * have gone low in meantime so verify it hasn't!
27551 */
27552- atomic_set(&data->interrupt_handled, 0);
27553+ atomic_set_unchecked(&data->interrupt_handled, 0);
27554 enable_irq(gpio_to_irq(data->pdata->gpio_data));
27555 /* If still not occurred or another handler has been scheduled */
27556 if (gpio_get_value(data->pdata->gpio_data)
27557- || atomic_read(&data->interrupt_handled))
27558+ || atomic_read_unchecked(&data->interrupt_handled))
27559 return;
27560 }
27561
27562diff -urNp linux-3.1.1/drivers/i2c/busses/i2c-amd756-s4882.c linux-3.1.1/drivers/i2c/busses/i2c-amd756-s4882.c
27563--- linux-3.1.1/drivers/i2c/busses/i2c-amd756-s4882.c 2011-11-11 15:19:27.000000000 -0500
27564+++ linux-3.1.1/drivers/i2c/busses/i2c-amd756-s4882.c 2011-11-16 18:39:07.000000000 -0500
27565@@ -43,7 +43,7 @@
27566 extern struct i2c_adapter amd756_smbus;
27567
27568 static struct i2c_adapter *s4882_adapter;
27569-static struct i2c_algorithm *s4882_algo;
27570+static i2c_algorithm_no_const *s4882_algo;
27571
27572 /* Wrapper access functions for multiplexed SMBus */
27573 static DEFINE_MUTEX(amd756_lock);
27574diff -urNp linux-3.1.1/drivers/i2c/busses/i2c-nforce2-s4985.c linux-3.1.1/drivers/i2c/busses/i2c-nforce2-s4985.c
27575--- linux-3.1.1/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-11-11 15:19:27.000000000 -0500
27576+++ linux-3.1.1/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-11-16 18:39:07.000000000 -0500
27577@@ -41,7 +41,7 @@
27578 extern struct i2c_adapter *nforce2_smbus;
27579
27580 static struct i2c_adapter *s4985_adapter;
27581-static struct i2c_algorithm *s4985_algo;
27582+static i2c_algorithm_no_const *s4985_algo;
27583
27584 /* Wrapper access functions for multiplexed SMBus */
27585 static DEFINE_MUTEX(nforce2_lock);
27586diff -urNp linux-3.1.1/drivers/i2c/i2c-mux.c linux-3.1.1/drivers/i2c/i2c-mux.c
27587--- linux-3.1.1/drivers/i2c/i2c-mux.c 2011-11-11 15:19:27.000000000 -0500
27588+++ linux-3.1.1/drivers/i2c/i2c-mux.c 2011-11-16 18:39:07.000000000 -0500
27589@@ -28,7 +28,7 @@
27590 /* multiplexer per channel data */
27591 struct i2c_mux_priv {
27592 struct i2c_adapter adap;
27593- struct i2c_algorithm algo;
27594+ i2c_algorithm_no_const algo;
27595
27596 struct i2c_adapter *parent;
27597 void *mux_dev; /* the mux chip/device */
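Review bot: Switching this field to i2c_algorithm_no_const opts out of the constification the rest of the patch applies to struct i2c_algorithm, and nothing at the declaration says why this copy must stay writable; presumably the mux fills in the algo callbacks at runtime from the parent adapter, but that code is outside the hunk. Suggest `/* filled in at runtime per mux channel, so it cannot be const */` on the field. The struct definition continues outside the hunk.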
27598diff -urNp linux-3.1.1/drivers/ide/aec62xx.c linux-3.1.1/drivers/ide/aec62xx.c
27599--- linux-3.1.1/drivers/ide/aec62xx.c 2011-11-11 15:19:27.000000000 -0500
27600+++ linux-3.1.1/drivers/ide/aec62xx.c 2011-11-16 18:39:07.000000000 -0500
27601@@ -181,7 +181,7 @@ static const struct ide_port_ops atp86x_
27602 .cable_detect = atp86x_cable_detect,
27603 };
27604
27605-static const struct ide_port_info aec62xx_chipsets[] __devinitdata = {
27606+static const struct ide_port_info aec62xx_chipsets[] __devinitconst = {
27607 { /* 0: AEC6210 */
27608 .name = DRV_NAME,
27609 .init_chipset = init_chipset_aec62xx,
27610diff -urNp linux-3.1.1/drivers/ide/alim15x3.c linux-3.1.1/drivers/ide/alim15x3.c
27611--- linux-3.1.1/drivers/ide/alim15x3.c 2011-11-11 15:19:27.000000000 -0500
27612+++ linux-3.1.1/drivers/ide/alim15x3.c 2011-11-16 18:39:07.000000000 -0500
27613@@ -512,7 +512,7 @@ static const struct ide_dma_ops ali_dma_
27614 .dma_sff_read_status = ide_dma_sff_read_status,
27615 };
27616
27617-static const struct ide_port_info ali15x3_chipset __devinitdata = {
27618+static const struct ide_port_info ali15x3_chipset __devinitconst = {
27619 .name = DRV_NAME,
27620 .init_chipset = init_chipset_ali15x3,
27621 .init_hwif = init_hwif_ali15x3,
27622diff -urNp linux-3.1.1/drivers/ide/amd74xx.c linux-3.1.1/drivers/ide/amd74xx.c
27623--- linux-3.1.1/drivers/ide/amd74xx.c 2011-11-11 15:19:27.000000000 -0500
27624+++ linux-3.1.1/drivers/ide/amd74xx.c 2011-11-16 18:39:07.000000000 -0500
27625@@ -223,7 +223,7 @@ static const struct ide_port_ops amd_por
27626 .udma_mask = udma, \
27627 }
27628
27629-static const struct ide_port_info amd74xx_chipsets[] __devinitdata = {
27630+static const struct ide_port_info amd74xx_chipsets[] __devinitconst = {
27631 /* 0: AMD7401 */ DECLARE_AMD_DEV(0x00, ATA_UDMA2),
27632 /* 1: AMD7409 */ DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA4),
27633 /* 2: AMD7411/7441 */ DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA5),
27634diff -urNp linux-3.1.1/drivers/ide/atiixp.c linux-3.1.1/drivers/ide/atiixp.c
27635--- linux-3.1.1/drivers/ide/atiixp.c 2011-11-11 15:19:27.000000000 -0500
27636+++ linux-3.1.1/drivers/ide/atiixp.c 2011-11-16 18:39:07.000000000 -0500
27637@@ -139,7 +139,7 @@ static const struct ide_port_ops atiixp_
27638 .cable_detect = atiixp_cable_detect,
27639 };
27640
27641-static const struct ide_port_info atiixp_pci_info[] __devinitdata = {
27642+static const struct ide_port_info atiixp_pci_info[] __devinitconst = {
27643 { /* 0: IXP200/300/400/700 */
27644 .name = DRV_NAME,
27645 .enablebits = {{0x48,0x01,0x00}, {0x48,0x08,0x00}},
27646diff -urNp linux-3.1.1/drivers/ide/cmd64x.c linux-3.1.1/drivers/ide/cmd64x.c
27647--- linux-3.1.1/drivers/ide/cmd64x.c 2011-11-11 15:19:27.000000000 -0500
27648+++ linux-3.1.1/drivers/ide/cmd64x.c 2011-11-16 18:39:07.000000000 -0500
27649@@ -327,7 +327,7 @@ static const struct ide_dma_ops cmd646_r
27650 .dma_sff_read_status = ide_dma_sff_read_status,
27651 };
27652
27653-static const struct ide_port_info cmd64x_chipsets[] __devinitdata = {
27654+static const struct ide_port_info cmd64x_chipsets[] __devinitconst = {
27655 { /* 0: CMD643 */
27656 .name = DRV_NAME,
27657 .init_chipset = init_chipset_cmd64x,
27658diff -urNp linux-3.1.1/drivers/ide/cs5520.c linux-3.1.1/drivers/ide/cs5520.c
27659--- linux-3.1.1/drivers/ide/cs5520.c 2011-11-11 15:19:27.000000000 -0500
27660+++ linux-3.1.1/drivers/ide/cs5520.c 2011-11-16 18:39:07.000000000 -0500
27661@@ -94,7 +94,7 @@ static const struct ide_port_ops cs5520_
27662 .set_dma_mode = cs5520_set_dma_mode,
27663 };
27664
27665-static const struct ide_port_info cyrix_chipset __devinitdata = {
27666+static const struct ide_port_info cyrix_chipset __devinitconst = {
27667 .name = DRV_NAME,
27668 .enablebits = { { 0x60, 0x01, 0x01 }, { 0x60, 0x02, 0x02 } },
27669 .port_ops = &cs5520_port_ops,
27670diff -urNp linux-3.1.1/drivers/ide/cs5530.c linux-3.1.1/drivers/ide/cs5530.c
27671--- linux-3.1.1/drivers/ide/cs5530.c 2011-11-11 15:19:27.000000000 -0500
27672+++ linux-3.1.1/drivers/ide/cs5530.c 2011-11-16 18:39:07.000000000 -0500
27673@@ -245,7 +245,7 @@ static const struct ide_port_ops cs5530_
27674 .udma_filter = cs5530_udma_filter,
27675 };
27676
27677-static const struct ide_port_info cs5530_chipset __devinitdata = {
27678+static const struct ide_port_info cs5530_chipset __devinitconst = {
27679 .name = DRV_NAME,
27680 .init_chipset = init_chipset_cs5530,
27681 .init_hwif = init_hwif_cs5530,
27682diff -urNp linux-3.1.1/drivers/ide/cs5535.c linux-3.1.1/drivers/ide/cs5535.c
27683--- linux-3.1.1/drivers/ide/cs5535.c 2011-11-11 15:19:27.000000000 -0500
27684+++ linux-3.1.1/drivers/ide/cs5535.c 2011-11-16 18:39:07.000000000 -0500
27685@@ -170,7 +170,7 @@ static const struct ide_port_ops cs5535_
27686 .cable_detect = cs5535_cable_detect,
27687 };
27688
27689-static const struct ide_port_info cs5535_chipset __devinitdata = {
27690+static const struct ide_port_info cs5535_chipset __devinitconst = {
27691 .name = DRV_NAME,
27692 .port_ops = &cs5535_port_ops,
27693 .host_flags = IDE_HFLAG_SINGLE | IDE_HFLAG_POST_SET_MODE,
27694diff -urNp linux-3.1.1/drivers/ide/cy82c693.c linux-3.1.1/drivers/ide/cy82c693.c
27695--- linux-3.1.1/drivers/ide/cy82c693.c 2011-11-11 15:19:27.000000000 -0500
27696+++ linux-3.1.1/drivers/ide/cy82c693.c 2011-11-16 18:39:07.000000000 -0500
27697@@ -163,7 +163,7 @@ static const struct ide_port_ops cy82c69
27698 .set_dma_mode = cy82c693_set_dma_mode,
27699 };
27700
27701-static const struct ide_port_info cy82c693_chipset __devinitdata = {
27702+static const struct ide_port_info cy82c693_chipset __devinitconst = {
27703 .name = DRV_NAME,
27704 .init_iops = init_iops_cy82c693,
27705 .port_ops = &cy82c693_port_ops,
27706diff -urNp linux-3.1.1/drivers/ide/hpt366.c linux-3.1.1/drivers/ide/hpt366.c
27707--- linux-3.1.1/drivers/ide/hpt366.c 2011-11-11 15:19:27.000000000 -0500
27708+++ linux-3.1.1/drivers/ide/hpt366.c 2011-11-16 18:39:07.000000000 -0500
27709@@ -443,7 +443,7 @@ static struct hpt_timings hpt37x_timings
27710 }
27711 };
27712
27713-static const struct hpt_info hpt36x __devinitdata = {
27714+static const struct hpt_info hpt36x __devinitconst = {
27715 .chip_name = "HPT36x",
27716 .chip_type = HPT36x,
27717 .udma_mask = HPT366_ALLOW_ATA66_3 ? (HPT366_ALLOW_ATA66_4 ? ATA_UDMA4 : ATA_UDMA3) : ATA_UDMA2,
27718@@ -451,7 +451,7 @@ static const struct hpt_info hpt36x __de
27719 .timings = &hpt36x_timings
27720 };
27721
27722-static const struct hpt_info hpt370 __devinitdata = {
27723+static const struct hpt_info hpt370 __devinitconst = {
27724 .chip_name = "HPT370",
27725 .chip_type = HPT370,
27726 .udma_mask = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
27727@@ -459,7 +459,7 @@ static const struct hpt_info hpt370 __de
27728 .timings = &hpt37x_timings
27729 };
27730
27731-static const struct hpt_info hpt370a __devinitdata = {
27732+static const struct hpt_info hpt370a __devinitconst = {
27733 .chip_name = "HPT370A",
27734 .chip_type = HPT370A,
27735 .udma_mask = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
27736@@ -467,7 +467,7 @@ static const struct hpt_info hpt370a __d
27737 .timings = &hpt37x_timings
27738 };
27739
27740-static const struct hpt_info hpt374 __devinitdata = {
27741+static const struct hpt_info hpt374 __devinitconst = {
27742 .chip_name = "HPT374",
27743 .chip_type = HPT374,
27744 .udma_mask = ATA_UDMA5,
27745@@ -475,7 +475,7 @@ static const struct hpt_info hpt374 __de
27746 .timings = &hpt37x_timings
27747 };
27748
27749-static const struct hpt_info hpt372 __devinitdata = {
27750+static const struct hpt_info hpt372 __devinitconst = {
27751 .chip_name = "HPT372",
27752 .chip_type = HPT372,
27753 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27754@@ -483,7 +483,7 @@ static const struct hpt_info hpt372 __de
27755 .timings = &hpt37x_timings
27756 };
27757
27758-static const struct hpt_info hpt372a __devinitdata = {
27759+static const struct hpt_info hpt372a __devinitconst = {
27760 .chip_name = "HPT372A",
27761 .chip_type = HPT372A,
27762 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27763@@ -491,7 +491,7 @@ static const struct hpt_info hpt372a __d
27764 .timings = &hpt37x_timings
27765 };
27766
27767-static const struct hpt_info hpt302 __devinitdata = {
27768+static const struct hpt_info hpt302 __devinitconst = {
27769 .chip_name = "HPT302",
27770 .chip_type = HPT302,
27771 .udma_mask = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27772@@ -499,7 +499,7 @@ static const struct hpt_info hpt302 __de
27773 .timings = &hpt37x_timings
27774 };
27775
27776-static const struct hpt_info hpt371 __devinitdata = {
27777+static const struct hpt_info hpt371 __devinitconst = {
27778 .chip_name = "HPT371",
27779 .chip_type = HPT371,
27780 .udma_mask = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27781@@ -507,7 +507,7 @@ static const struct hpt_info hpt371 __de
27782 .timings = &hpt37x_timings
27783 };
27784
27785-static const struct hpt_info hpt372n __devinitdata = {
27786+static const struct hpt_info hpt372n __devinitconst = {
27787 .chip_name = "HPT372N",
27788 .chip_type = HPT372N,
27789 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27790@@ -515,7 +515,7 @@ static const struct hpt_info hpt372n __d
27791 .timings = &hpt37x_timings
27792 };
27793
27794-static const struct hpt_info hpt302n __devinitdata = {
27795+static const struct hpt_info hpt302n __devinitconst = {
27796 .chip_name = "HPT302N",
27797 .chip_type = HPT302N,
27798 .udma_mask = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27799@@ -523,7 +523,7 @@ static const struct hpt_info hpt302n __d
27800 .timings = &hpt37x_timings
27801 };
27802
27803-static const struct hpt_info hpt371n __devinitdata = {
27804+static const struct hpt_info hpt371n __devinitconst = {
27805 .chip_name = "HPT371N",
27806 .chip_type = HPT371N,
27807 .udma_mask = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
27808@@ -1361,7 +1361,7 @@ static const struct ide_dma_ops hpt36x_d
27809 .dma_sff_read_status = ide_dma_sff_read_status,
27810 };
27811
27812-static const struct ide_port_info hpt366_chipsets[] __devinitdata = {
27813+static const struct ide_port_info hpt366_chipsets[] __devinitconst = {
27814 { /* 0: HPT36x */
27815 .name = DRV_NAME,
27816 .init_chipset = init_chipset_hpt366,
27817diff -urNp linux-3.1.1/drivers/ide/ide-cd.c linux-3.1.1/drivers/ide/ide-cd.c
27818--- linux-3.1.1/drivers/ide/ide-cd.c 2011-11-11 15:19:27.000000000 -0500
27819+++ linux-3.1.1/drivers/ide/ide-cd.c 2011-11-16 18:39:07.000000000 -0500
27820@@ -769,7 +769,7 @@ static void cdrom_do_block_pc(ide_drive_
27821 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
27822 if ((unsigned long)buf & alignment
27823 || blk_rq_bytes(rq) & q->dma_pad_mask
27824- || object_is_on_stack(buf))
27825+ || object_starts_on_stack(buf))
27826 drive->dma = 0;
27827 }
27828 }
27829diff -urNp linux-3.1.1/drivers/ide/ide-floppy.c linux-3.1.1/drivers/ide/ide-floppy.c
27830--- linux-3.1.1/drivers/ide/ide-floppy.c 2011-11-11 15:19:27.000000000 -0500
27831+++ linux-3.1.1/drivers/ide/ide-floppy.c 2011-11-16 18:40:10.000000000 -0500
27832@@ -379,6 +379,8 @@ static int ide_floppy_get_capacity(ide_d
27833 u8 pc_buf[256], header_len, desc_cnt;
27834 int i, rc = 1, blocks, length;
27835
27836+ pax_track_stack();
27837+
27838 ide_debug_log(IDE_DBG_FUNC, "enter");
27839
27840 drive->bios_cyl = 0;
27841diff -urNp linux-3.1.1/drivers/ide/ide-pci-generic.c linux-3.1.1/drivers/ide/ide-pci-generic.c
27842--- linux-3.1.1/drivers/ide/ide-pci-generic.c 2011-11-11 15:19:27.000000000 -0500
27843+++ linux-3.1.1/drivers/ide/ide-pci-generic.c 2011-11-16 18:39:07.000000000 -0500
27844@@ -53,7 +53,7 @@ static const struct ide_port_ops netcell
27845 .udma_mask = ATA_UDMA6, \
27846 }
27847
27848-static const struct ide_port_info generic_chipsets[] __devinitdata = {
27849+static const struct ide_port_info generic_chipsets[] __devinitconst = {
27850 /* 0: Unknown */
27851 DECLARE_GENERIC_PCI_DEV(0),
27852
27853diff -urNp linux-3.1.1/drivers/ide/it8172.c linux-3.1.1/drivers/ide/it8172.c
27854--- linux-3.1.1/drivers/ide/it8172.c 2011-11-11 15:19:27.000000000 -0500
27855+++ linux-3.1.1/drivers/ide/it8172.c 2011-11-16 18:39:07.000000000 -0500
27856@@ -115,7 +115,7 @@ static const struct ide_port_ops it8172_
27857 .set_dma_mode = it8172_set_dma_mode,
27858 };
27859
27860-static const struct ide_port_info it8172_port_info __devinitdata = {
27861+static const struct ide_port_info it8172_port_info __devinitconst = {
27862 .name = DRV_NAME,
27863 .port_ops = &it8172_port_ops,
27864 .enablebits = { {0x41, 0x80, 0x80}, {0x00, 0x00, 0x00} },
27865diff -urNp linux-3.1.1/drivers/ide/it8213.c linux-3.1.1/drivers/ide/it8213.c
27866--- linux-3.1.1/drivers/ide/it8213.c 2011-11-11 15:19:27.000000000 -0500
27867+++ linux-3.1.1/drivers/ide/it8213.c 2011-11-16 18:39:07.000000000 -0500
27868@@ -156,7 +156,7 @@ static const struct ide_port_ops it8213_
27869 .cable_detect = it8213_cable_detect,
27870 };
27871
27872-static const struct ide_port_info it8213_chipset __devinitdata = {
27873+static const struct ide_port_info it8213_chipset __devinitconst = {
27874 .name = DRV_NAME,
27875 .enablebits = { {0x41, 0x80, 0x80} },
27876 .port_ops = &it8213_port_ops,
27877diff -urNp linux-3.1.1/drivers/ide/it821x.c linux-3.1.1/drivers/ide/it821x.c
27878--- linux-3.1.1/drivers/ide/it821x.c 2011-11-11 15:19:27.000000000 -0500
27879+++ linux-3.1.1/drivers/ide/it821x.c 2011-11-16 18:39:07.000000000 -0500
27880@@ -630,7 +630,7 @@ static const struct ide_port_ops it821x_
27881 .cable_detect = it821x_cable_detect,
27882 };
27883
27884-static const struct ide_port_info it821x_chipset __devinitdata = {
27885+static const struct ide_port_info it821x_chipset __devinitconst = {
27886 .name = DRV_NAME,
27887 .init_chipset = init_chipset_it821x,
27888 .init_hwif = init_hwif_it821x,
27889diff -urNp linux-3.1.1/drivers/ide/jmicron.c linux-3.1.1/drivers/ide/jmicron.c
27890--- linux-3.1.1/drivers/ide/jmicron.c 2011-11-11 15:19:27.000000000 -0500
27891+++ linux-3.1.1/drivers/ide/jmicron.c 2011-11-16 18:39:07.000000000 -0500
27892@@ -102,7 +102,7 @@ static const struct ide_port_ops jmicron
27893 .cable_detect = jmicron_cable_detect,
27894 };
27895
27896-static const struct ide_port_info jmicron_chipset __devinitdata = {
27897+static const struct ide_port_info jmicron_chipset __devinitconst = {
27898 .name = DRV_NAME,
27899 .enablebits = { { 0x40, 0x01, 0x01 }, { 0x40, 0x10, 0x10 } },
27900 .port_ops = &jmicron_port_ops,
27901diff -urNp linux-3.1.1/drivers/ide/ns87415.c linux-3.1.1/drivers/ide/ns87415.c
27902--- linux-3.1.1/drivers/ide/ns87415.c 2011-11-11 15:19:27.000000000 -0500
27903+++ linux-3.1.1/drivers/ide/ns87415.c 2011-11-16 18:39:07.000000000 -0500
27904@@ -293,7 +293,7 @@ static const struct ide_dma_ops ns87415_
27905 .dma_sff_read_status = superio_dma_sff_read_status,
27906 };
27907
27908-static const struct ide_port_info ns87415_chipset __devinitdata = {
27909+static const struct ide_port_info ns87415_chipset __devinitconst = {
27910 .name = DRV_NAME,
27911 .init_hwif = init_hwif_ns87415,
27912 .tp_ops = &ns87415_tp_ops,
27913diff -urNp linux-3.1.1/drivers/ide/opti621.c linux-3.1.1/drivers/ide/opti621.c
27914--- linux-3.1.1/drivers/ide/opti621.c 2011-11-11 15:19:27.000000000 -0500
27915+++ linux-3.1.1/drivers/ide/opti621.c 2011-11-16 18:39:07.000000000 -0500
27916@@ -131,7 +131,7 @@ static const struct ide_port_ops opti621
27917 .set_pio_mode = opti621_set_pio_mode,
27918 };
27919
27920-static const struct ide_port_info opti621_chipset __devinitdata = {
27921+static const struct ide_port_info opti621_chipset __devinitconst = {
27922 .name = DRV_NAME,
27923 .enablebits = { {0x45, 0x80, 0x00}, {0x40, 0x08, 0x00} },
27924 .port_ops = &opti621_port_ops,
27925diff -urNp linux-3.1.1/drivers/ide/pdc202xx_new.c linux-3.1.1/drivers/ide/pdc202xx_new.c
27926--- linux-3.1.1/drivers/ide/pdc202xx_new.c 2011-11-11 15:19:27.000000000 -0500
27927+++ linux-3.1.1/drivers/ide/pdc202xx_new.c 2011-11-16 18:39:07.000000000 -0500
27928@@ -465,7 +465,7 @@ static const struct ide_port_ops pdcnew_
27929 .udma_mask = udma, \
27930 }
27931
27932-static const struct ide_port_info pdcnew_chipsets[] __devinitdata = {
27933+static const struct ide_port_info pdcnew_chipsets[] __devinitconst = {
27934 /* 0: PDC202{68,70} */ DECLARE_PDCNEW_DEV(ATA_UDMA5),
27935 /* 1: PDC202{69,71,75,76,77} */ DECLARE_PDCNEW_DEV(ATA_UDMA6),
27936 };
27937diff -urNp linux-3.1.1/drivers/ide/pdc202xx_old.c linux-3.1.1/drivers/ide/pdc202xx_old.c
27938--- linux-3.1.1/drivers/ide/pdc202xx_old.c 2011-11-11 15:19:27.000000000 -0500
27939+++ linux-3.1.1/drivers/ide/pdc202xx_old.c 2011-11-16 18:39:07.000000000 -0500
27940@@ -270,7 +270,7 @@ static const struct ide_dma_ops pdc2026x
27941 .max_sectors = sectors, \
27942 }
27943
27944-static const struct ide_port_info pdc202xx_chipsets[] __devinitdata = {
27945+static const struct ide_port_info pdc202xx_chipsets[] __devinitconst = {
27946 { /* 0: PDC20246 */
27947 .name = DRV_NAME,
27948 .init_chipset = init_chipset_pdc202xx,
27949diff -urNp linux-3.1.1/drivers/ide/piix.c linux-3.1.1/drivers/ide/piix.c
27950--- linux-3.1.1/drivers/ide/piix.c 2011-11-11 15:19:27.000000000 -0500
27951+++ linux-3.1.1/drivers/ide/piix.c 2011-11-16 18:39:07.000000000 -0500
27952@@ -344,7 +344,7 @@ static const struct ide_port_ops ich_por
27953 .udma_mask = udma, \
27954 }
27955
27956-static const struct ide_port_info piix_pci_info[] __devinitdata = {
27957+static const struct ide_port_info piix_pci_info[] __devinitconst = {
27958 /* 0: MPIIX */
27959 { /*
27960 * MPIIX actually has only a single IDE channel mapped to
27961diff -urNp linux-3.1.1/drivers/ide/rz1000.c linux-3.1.1/drivers/ide/rz1000.c
27962--- linux-3.1.1/drivers/ide/rz1000.c 2011-11-11 15:19:27.000000000 -0500
27963+++ linux-3.1.1/drivers/ide/rz1000.c 2011-11-16 18:39:07.000000000 -0500
27964@@ -38,7 +38,7 @@ static int __devinit rz1000_disable_read
27965 }
27966 }
27967
27968-static const struct ide_port_info rz1000_chipset __devinitdata = {
27969+static const struct ide_port_info rz1000_chipset __devinitconst = {
27970 .name = DRV_NAME,
27971 .host_flags = IDE_HFLAG_NO_DMA,
27972 };
27973diff -urNp linux-3.1.1/drivers/ide/sc1200.c linux-3.1.1/drivers/ide/sc1200.c
27974--- linux-3.1.1/drivers/ide/sc1200.c 2011-11-11 15:19:27.000000000 -0500
27975+++ linux-3.1.1/drivers/ide/sc1200.c 2011-11-16 18:39:07.000000000 -0500
27976@@ -291,7 +291,7 @@ static const struct ide_dma_ops sc1200_d
27977 .dma_sff_read_status = ide_dma_sff_read_status,
27978 };
27979
27980-static const struct ide_port_info sc1200_chipset __devinitdata = {
27981+static const struct ide_port_info sc1200_chipset __devinitconst = {
27982 .name = DRV_NAME,
27983 .port_ops = &sc1200_port_ops,
27984 .dma_ops = &sc1200_dma_ops,
27985diff -urNp linux-3.1.1/drivers/ide/scc_pata.c linux-3.1.1/drivers/ide/scc_pata.c
27986--- linux-3.1.1/drivers/ide/scc_pata.c 2011-11-11 15:19:27.000000000 -0500
27987+++ linux-3.1.1/drivers/ide/scc_pata.c 2011-11-16 18:39:07.000000000 -0500
27988@@ -811,7 +811,7 @@ static const struct ide_dma_ops scc_dma_
27989 .dma_sff_read_status = scc_dma_sff_read_status,
27990 };
27991
27992-static const struct ide_port_info scc_chipset __devinitdata = {
27993+static const struct ide_port_info scc_chipset __devinitconst = {
27994 .name = "sccIDE",
27995 .init_iops = init_iops_scc,
27996 .init_dma = scc_init_dma,
27997diff -urNp linux-3.1.1/drivers/ide/serverworks.c linux-3.1.1/drivers/ide/serverworks.c
27998--- linux-3.1.1/drivers/ide/serverworks.c 2011-11-11 15:19:27.000000000 -0500
27999+++ linux-3.1.1/drivers/ide/serverworks.c 2011-11-16 18:39:07.000000000 -0500
28000@@ -337,7 +337,7 @@ static const struct ide_port_ops svwks_p
28001 .cable_detect = svwks_cable_detect,
28002 };
28003
28004-static const struct ide_port_info serverworks_chipsets[] __devinitdata = {
28005+static const struct ide_port_info serverworks_chipsets[] __devinitconst = {
28006 { /* 0: OSB4 */
28007 .name = DRV_NAME,
28008 .init_chipset = init_chipset_svwks,
28009diff -urNp linux-3.1.1/drivers/ide/setup-pci.c linux-3.1.1/drivers/ide/setup-pci.c
28010--- linux-3.1.1/drivers/ide/setup-pci.c 2011-11-11 15:19:27.000000000 -0500
28011+++ linux-3.1.1/drivers/ide/setup-pci.c 2011-11-16 18:40:10.000000000 -0500
28012@@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
28013 int ret, i, n_ports = dev2 ? 4 : 2;
28014 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
28015
28016+ pax_track_stack();
28017+
28018 for (i = 0; i < n_ports / 2; i++) {
28019 ret = ide_setup_pci_controller(pdev[i], d, !i);
28020 if (ret < 0)
28021diff -urNp linux-3.1.1/drivers/ide/siimage.c linux-3.1.1/drivers/ide/siimage.c
28022--- linux-3.1.1/drivers/ide/siimage.c 2011-11-11 15:19:27.000000000 -0500
28023+++ linux-3.1.1/drivers/ide/siimage.c 2011-11-16 18:39:07.000000000 -0500
28024@@ -719,7 +719,7 @@ static const struct ide_dma_ops sil_dma_
28025 .udma_mask = ATA_UDMA6, \
28026 }
28027
28028-static const struct ide_port_info siimage_chipsets[] __devinitdata = {
28029+static const struct ide_port_info siimage_chipsets[] __devinitconst = {
28030 /* 0: SiI680 */ DECLARE_SII_DEV(&sil_pata_port_ops),
28031 /* 1: SiI3112 */ DECLARE_SII_DEV(&sil_sata_port_ops)
28032 };
28033diff -urNp linux-3.1.1/drivers/ide/sis5513.c linux-3.1.1/drivers/ide/sis5513.c
28034--- linux-3.1.1/drivers/ide/sis5513.c 2011-11-11 15:19:27.000000000 -0500
28035+++ linux-3.1.1/drivers/ide/sis5513.c 2011-11-16 18:39:07.000000000 -0500
28036@@ -563,7 +563,7 @@ static const struct ide_port_ops sis_ata
28037 .cable_detect = sis_cable_detect,
28038 };
28039
28040-static const struct ide_port_info sis5513_chipset __devinitdata = {
28041+static const struct ide_port_info sis5513_chipset __devinitconst = {
28042 .name = DRV_NAME,
28043 .init_chipset = init_chipset_sis5513,
28044 .enablebits = { {0x4a, 0x02, 0x02}, {0x4a, 0x04, 0x04} },
28045diff -urNp linux-3.1.1/drivers/ide/sl82c105.c linux-3.1.1/drivers/ide/sl82c105.c
28046--- linux-3.1.1/drivers/ide/sl82c105.c 2011-11-11 15:19:27.000000000 -0500
28047+++ linux-3.1.1/drivers/ide/sl82c105.c 2011-11-16 18:39:07.000000000 -0500
28048@@ -299,7 +299,7 @@ static const struct ide_dma_ops sl82c105
28049 .dma_sff_read_status = ide_dma_sff_read_status,
28050 };
28051
28052-static const struct ide_port_info sl82c105_chipset __devinitdata = {
28053+static const struct ide_port_info sl82c105_chipset __devinitconst = {
28054 .name = DRV_NAME,
28055 .init_chipset = init_chipset_sl82c105,
28056 .enablebits = {{0x40,0x01,0x01}, {0x40,0x10,0x10}},
28057diff -urNp linux-3.1.1/drivers/ide/slc90e66.c linux-3.1.1/drivers/ide/slc90e66.c
28058--- linux-3.1.1/drivers/ide/slc90e66.c 2011-11-11 15:19:27.000000000 -0500
28059+++ linux-3.1.1/drivers/ide/slc90e66.c 2011-11-16 18:39:07.000000000 -0500
28060@@ -132,7 +132,7 @@ static const struct ide_port_ops slc90e6
28061 .cable_detect = slc90e66_cable_detect,
28062 };
28063
28064-static const struct ide_port_info slc90e66_chipset __devinitdata = {
28065+static const struct ide_port_info slc90e66_chipset __devinitconst = {
28066 .name = DRV_NAME,
28067 .enablebits = { {0x41, 0x80, 0x80}, {0x43, 0x80, 0x80} },
28068 .port_ops = &slc90e66_port_ops,
28069diff -urNp linux-3.1.1/drivers/ide/tc86c001.c linux-3.1.1/drivers/ide/tc86c001.c
28070--- linux-3.1.1/drivers/ide/tc86c001.c 2011-11-11 15:19:27.000000000 -0500
28071+++ linux-3.1.1/drivers/ide/tc86c001.c 2011-11-16 18:39:07.000000000 -0500
28072@@ -191,7 +191,7 @@ static const struct ide_dma_ops tc86c001
28073 .dma_sff_read_status = ide_dma_sff_read_status,
28074 };
28075
28076-static const struct ide_port_info tc86c001_chipset __devinitdata = {
28077+static const struct ide_port_info tc86c001_chipset __devinitconst = {
28078 .name = DRV_NAME,
28079 .init_hwif = init_hwif_tc86c001,
28080 .port_ops = &tc86c001_port_ops,
28081diff -urNp linux-3.1.1/drivers/ide/triflex.c linux-3.1.1/drivers/ide/triflex.c
28082--- linux-3.1.1/drivers/ide/triflex.c 2011-11-11 15:19:27.000000000 -0500
28083+++ linux-3.1.1/drivers/ide/triflex.c 2011-11-16 18:39:07.000000000 -0500
28084@@ -92,7 +92,7 @@ static const struct ide_port_ops triflex
28085 .set_dma_mode = triflex_set_mode,
28086 };
28087
28088-static const struct ide_port_info triflex_device __devinitdata = {
28089+static const struct ide_port_info triflex_device __devinitconst = {
28090 .name = DRV_NAME,
28091 .enablebits = {{0x80, 0x01, 0x01}, {0x80, 0x02, 0x02}},
28092 .port_ops = &triflex_port_ops,
28093diff -urNp linux-3.1.1/drivers/ide/trm290.c linux-3.1.1/drivers/ide/trm290.c
28094--- linux-3.1.1/drivers/ide/trm290.c 2011-11-11 15:19:27.000000000 -0500
28095+++ linux-3.1.1/drivers/ide/trm290.c 2011-11-16 18:39:07.000000000 -0500
28096@@ -324,7 +324,7 @@ static struct ide_dma_ops trm290_dma_ops
28097 .dma_check = trm290_dma_check,
28098 };
28099
28100-static const struct ide_port_info trm290_chipset __devinitdata = {
28101+static const struct ide_port_info trm290_chipset __devinitconst = {
28102 .name = DRV_NAME,
28103 .init_hwif = init_hwif_trm290,
28104 .tp_ops = &trm290_tp_ops,
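--- a/linux-3.1.1/drivers/ide/via82cxxx.c
+++ b/linux-3.1.1/drivers/ide/via82cxxx.c
@@ -403,7 +403,7 @@ static const struct ide_port_ops via_por
 .cable_detect = via82cxxx_cable_detect,
 };
 
-static const struct ide_port_info via82cxxx_chipset __devinitdata = {
+static const struct ide_port_info via82cxxx_chipset __devinitconst = {
 .name = DRV_NAME,
 .init_chipset = init_chipset_via82cxxx,
 .enablebits = { { 0x40, 0x02, 0x02 }, { 0x40, 0x01, 0x01 } },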
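--- a/linux-3.1.1/drivers/infiniband/core/cm.c
+++ b/linux-3.1.1/drivers/infiniband/core/cm.c
@@ -113,7 +113,7 @@ static char const counter_group_names[CM
 
 struct cm_counter_group {
 struct kobject obj;
- atomic_long_t counter[CM_ATTR_COUNT];
+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
 };
 
 struct cm_counter_attribute {
@@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
 struct ib_mad_send_buf *msg = NULL;
 int ret;
 
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_REQ_COUNTER]);
 
 /* Quick state check to discard duplicate REQs. */
@@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
 if (!cm_id_priv)
 return;
 
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_REP_COUNTER]);
 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
 if (ret)
@@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
 spin_unlock_irq(&cm_id_priv->lock);
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_RTU_COUNTER]);
 goto out;
 }
@@ -2115,7 +2115,7 @@ static int cm_dreq_handler(struct cm_wor
 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
 dreq_msg->local_comm_id);
 if (!cm_id_priv) {
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_DREQ_COUNTER]);
 cm_issue_drep(work->port, work->mad_recv_wc);
 return -EINVAL;
@@ -2140,7 +2140,7 @@ static int cm_dreq_handler(struct cm_wor
 case IB_CM_MRA_REP_RCVD:
 break;
 case IB_CM_TIMEWAIT:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_DREQ_COUNTER]);
 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
 goto unlock;
@@ -2154,7 +2154,7 @@ static int cm_dreq_handler(struct cm_wor
 cm_free_msg(msg);
 goto deref;
 case IB_CM_DREQ_RCVD:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_DREQ_COUNTER]);
 goto unlock;
 default:
@@ -2521,7 +2521,7 @@ static int cm_mra_handler(struct cm_work
 ib_modify_mad(cm_id_priv->av.port->mad_agent,
 cm_id_priv->msg, timeout)) {
 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
- atomic_long_inc(&work->port->
+ atomic_long_inc_unchecked(&work->port->
 counter_group[CM_RECV_DUPLICATES].
 counter[CM_MRA_COUNTER]);
 goto out;
@@ -2530,7 +2530,7 @@ static int cm_mra_handler(struct cm_work
 break;
 case IB_CM_MRA_REQ_RCVD:
 case IB_CM_MRA_REP_RCVD:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_MRA_COUNTER]);
 /* fall through */
 default:
@@ -2692,7 +2692,7 @@ static int cm_lap_handler(struct cm_work
 case IB_CM_LAP_IDLE:
 break;
 case IB_CM_MRA_LAP_SENT:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_LAP_COUNTER]);
 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
 goto unlock;
@@ -2708,7 +2708,7 @@ static int cm_lap_handler(struct cm_work
 cm_free_msg(msg);
 goto deref;
 case IB_CM_LAP_RCVD:
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_LAP_COUNTER]);
 goto unlock;
 default:
@@ -2992,7 +2992,7 @@ static int cm_sidr_req_handler(struct cm
 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
 if (cur_cm_id_priv) {
 spin_unlock_irq(&cm.lock);
- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
 counter[CM_SIDR_REQ_COUNTER]);
 goto out; /* Duplicate message. */
 }
@@ -3204,10 +3204,10 @@ static void cm_send_handler(struct ib_ma
 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
 msg->retries = 1;
 
- atomic_long_add(1 + msg->retries,
+ atomic_long_add_unchecked(1 + msg->retries,
 &port->counter_group[CM_XMIT].counter[attr_index]);
 if (msg->retries)
- atomic_long_add(msg->retries,
+ atomic_long_add_unchecked(msg->retries,
 &port->counter_group[CM_XMIT_RETRIES].
 counter[attr_index]);
 
@@ -3417,7 +3417,7 @@ static void cm_recv_handler(struct ib_ma
 }
 
 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
- atomic_long_inc(&port->counter_group[CM_RECV].
+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
 counter[attr_id - CM_ATTR_ID_OFFSET]);
 
 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
@@ -3615,7 +3615,7 @@ static ssize_t cm_show_counter(struct ko
 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
 
 return sprintf(buf, "%ld\n",
- atomic_long_read(&group->counter[cm_attr->index]));
+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
 }
 
 static const struct sysfs_ops cm_counter_ops = {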
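Review bot: The `atomic_long_unchecked_t` field in `struct cm_counter_group` carries no comment explaining why these counters are exempt from overflow detection, and the same question repeats at every `_unchecked` call site below it down to `atomic_long_read_unchecked` in cm_show_counter. A comment on the field would make the exemption auditable, e.g. `/* sysfs statistics, never a refcount: wrap is harmless, so opt out of overflow trapping */`. In cm_recv_handler the index `attr_id - CM_ATTR_ID_OFFSET` is taken from the received MAD header; the `}` that opens that hunk presumably closes a switch that rejects unknown attr_ids, which is what bounds this array access, but that code is outside the hunk and worth confirming. All of the enclosing functions start outside their hunks.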
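--- a/linux-3.1.1/drivers/infiniband/core/fmr_pool.c
+++ b/linux-3.1.1/drivers/infiniband/core/fmr_pool.c
@@ -97,8 +97,8 @@ struct ib_fmr_pool {
 
 struct task_struct *thread;
 
- atomic_t req_ser;
- atomic_t flush_ser;
+ atomic_unchecked_t req_ser;
+ atomic_unchecked_t flush_ser;
 
 wait_queue_head_t force_wait;
 };
@@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
 struct ib_fmr_pool *pool = pool_ptr;
 
 do {
- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
 ib_fmr_batch_release(pool);
 
- atomic_inc(&pool->flush_ser);
+ atomic_inc_unchecked(&pool->flush_ser);
 wake_up_interruptible(&pool->force_wait);
 
 if (pool->flush_function)
@@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
 }
 
 set_current_state(TASK_INTERRUPTIBLE);
- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
 !kthread_should_stop())
 schedule();
 __set_current_state(TASK_RUNNING);
@@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
 pool->dirty_watermark = params->dirty_watermark;
 pool->dirty_len = 0;
 spin_lock_init(&pool->pool_lock);
- atomic_set(&pool->req_ser, 0);
- atomic_set(&pool->flush_ser, 0);
+ atomic_set_unchecked(&pool->req_ser, 0);
+ atomic_set_unchecked(&pool->flush_ser, 0);
 init_waitqueue_head(&pool->force_wait);
 
 pool->thread = kthread_run(ib_fmr_cleanup_thread,
@@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
 }
 spin_unlock_irq(&pool->pool_lock);
 
- serial = atomic_inc_return(&pool->req_ser);
+ serial = atomic_inc_return_unchecked(&pool->req_ser);
 wake_up_process(pool->thread);
 
 if (wait_event_interruptible(pool->force_wait,
- atomic_read(&pool->flush_ser) - serial >= 0))
+ atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
 return -EINTR;
 
 return 0;
@@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
 } else {
 list_add_tail(&fmr->list, &pool->dirty_list);
 if (++pool->dirty_len >= pool->dirty_watermark) {
- atomic_inc(&pool->req_ser);
+ atomic_inc_unchecked(&pool->req_ser);
 wake_up_process(pool->thread);
 }
 }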
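Review bot: `req_ser` and `flush_ser` are compared by signed subtraction in ib_fmr_cleanup_thread and ib_flush_fmr_pool (`atomic_read_unchecked(&pool->flush_ser) - serial >= 0`), which makes them wrap-around sequence numbers rather than reference counts, so disabling overflow trapping on them is correct, but the hunk leaves that reasoning implicit. A comment on the two fields in `struct ib_fmr_pool` would capture it: `/* wrap-around serials compared by signed difference: overflow is by design, hence unchecked */`. The subtraction itself is still done on the plain `int` values returned by the reads, so the comparison is only well-defined while the two serials stay within INT_MAX of each other; that pre-exists this change. The enclosing functions continue outside the hunks.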
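--- a/linux-3.1.1/drivers/infiniband/hw/cxgb4/mem.c
+++ b/linux-3.1.1/drivers/infiniband/hw/cxgb4/mem.c
@@ -122,7 +122,7 @@ static int write_tpt_entry(struct c4iw_r
 int err;
 struct fw_ri_tpte tpt;
 u32 stag_idx;
- static atomic_t key;
+ static atomic_unchecked_t key;
 
 if (c4iw_fatal_error(rdev))
 return -EIO;
@@ -135,7 +135,7 @@ static int write_tpt_entry(struct c4iw_r
 &rdev->resource.tpt_fifo_lock);
 if (!stag_idx)
 return -ENOMEM;
- *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
+ *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
 }
 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
 __func__, stag_state, type, pdid, stag_idx);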
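Review bot: `key` in write_tpt_entry is consumed only as `atomic_inc_return_unchecked(&key) & 0xff`, so the counter is expected to wrap and the change to `atomic_unchecked_t` is the right one, but nothing at the declaration says so. A comment would keep it from being reverted to the checked type by a later cleanup: `/* rolling 8-bit stag key: only the low byte is used, so wrap is intended (unchecked) */`. The rest of write_tpt_entry, including where `stag_idx` is allocated, lies outside the hunks.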
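--- a/linux-3.1.1/drivers/infiniband/hw/ipath/ipath_fs.c
+++ b/linux-3.1.1/drivers/infiniband/hw/ipath/ipath_fs.c
@@ -113,6 +113,8 @@ static ssize_t atomic_counters_read(stru
 struct infinipath_counters counters;
 struct ipath_devdata *dd;
 
+ pax_track_stack();
+
 dd = file->f_path.dentry->d_inode->i_private;
 dd->ipath_f_read_counters(dd, &counters);
 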
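Review bot: The bare `pax_track_stack();` inserted into atomic_counters_read gives no hint of why this function needs it; the only visible candidate is the on-stack `struct infinipath_counters counters`, which is presumably large enough to matter for stack-depth tracking, though its size is not visible here. A comment would keep the next maintainer from treating it as a stray call, e.g. `/* large on-stack counters struct: update the tracked stack depth (STACKLEAK) */`. The same applies to the `pax_track_stack();` added to sw_read in drivers/input/joystick/sidewinder.c, where the on-stack object is `unsigned char buf[SW_LENGTH]` and the new `#include <linux/sched.h>` presumably supplies the declaration. Both enclosing functions continue outside their hunks.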
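--- a/linux-3.1.1/drivers/infiniband/hw/ipath/ipath_rc.c
+++ b/linux-3.1.1/drivers/infiniband/hw/ipath/ipath_rc.c
@@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *de
 struct ib_atomic_eth *ateth;
 struct ipath_ack_entry *e;
 u64 vaddr;
- atomic64_t *maddr;
+ atomic64_unchecked_t *maddr;
 u64 sdata;
 u32 rkey;
 u8 next;
@@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *de
 IB_ACCESS_REMOTE_ATOMIC)))
 goto nack_acc_unlck;
 /* Perform atomic OP and save result. */
- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
 sdata = be64_to_cpu(ateth->swap_data);
 e = &qp->s_ack_queue[qp->r_head_ack_queue];
 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
- (u64) atomic64_add_return(sdata, maddr) - sdata :
+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
 be64_to_cpu(ateth->compare_data),
 sdata);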
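Review bot: The `atomic64_unchecked_t` cast on `qp->r_sge.sge.vaddr` in ipath_rc_rcv targets memory a remote peer addressed through an sge that was just checked for `IB_ACCESS_REMOTE_ATOMIC`, and the fetch-and-add result is handed straight back in `e->atomic_data`, so the addition has to wrap rather than trap and the `_unchecked` variant is the correct choice; a comment at the cast would record that: `/* remote FETCH_ADD target: 64-bit wrap is the expected result, so overflow checking is off */`. The identical cast and `atomic64_add_return_unchecked` in ipath_ruc_loopback (drivers/infiniband/hw/ipath/ipath_ruc.c) deserves the same comment. The cmpxchg branch still goes through the raw `u64 *` alias of the same address, which this patch leaves as is. Both enclosing functions continue outside the hunks.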
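--- a/linux-3.1.1/drivers/infiniband/hw/ipath/ipath_ruc.c
+++ b/linux-3.1.1/drivers/infiniband/hw/ipath/ipath_ruc.c
@@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ip
 unsigned long flags;
 struct ib_wc wc;
 u64 sdata;
- atomic64_t *maddr;
+ atomic64_unchecked_t *maddr;
 enum ib_wc_status send_status;
 
 /*
@@ -382,11 +382,11 @@ again:
 IB_ACCESS_REMOTE_ATOMIC)))
 goto acc_err;
 /* Perform atomic OP and save result. */
- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
 sdata = wqe->wr.wr.atomic.compare_add;
 *(u64 *) sqp->s_sge.sge.vaddr =
 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
- (u64) atomic64_add_return(sdata, maddr) - sdata :
+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
 sdata, wqe->wr.wr.atomic.swap);
 goto send_comp;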
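--- a/linux-3.1.1/drivers/infiniband/hw/nes/nes.c
+++ b/linux-3.1.1/drivers/infiniband/hw/nes/nes.c
@@ -103,7 +103,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
 LIST_HEAD(nes_adapter_list);
 static LIST_HEAD(nes_dev_list);
 
-atomic_t qps_destroyed;
+atomic_unchecked_t qps_destroyed;
 
 static unsigned int ee_flsh_adapter;
 static unsigned int sysfs_nonidx_addr;
@@ -275,7 +275,7 @@ static void nes_cqp_rem_ref_callback(str
 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
 struct nes_adapter *nesadapter = nesdev->nesadapter;
 
- atomic_inc(&qps_destroyed);
+ atomic_inc_unchecked(&qps_destroyed);
 
 /* Free the control structures */
 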
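Review bot: `qps_destroyed` becomes `atomic_unchecked_t` here without a comment saying why, and the same silent conversion is repeated for the `cm_*` counters in nes_cm.c, for `mod_qp_timouts`/`qps_created`/`sw_qps_destroyed` in nes_verbs.c, for the `extern` declarations in nes.h and for the `atomic_read_unchecked` consumers in nes_netdev_get_ethtool_stats in nes_nic.c. Across the visible hunks the definitions, declarations and readers agree with each other, and every converted object is an ethtool statistic rather than a lifetime count; `atomic_dec(&cm_core->node_cnt)` in rem_ref_cm_node correctly stays checked. A one-line comment at the definitions would make that distinction visible to whoever adds the next counter, e.g. `/* ethtool statistics only: wrap is harmless, never used for lifetime decisions */`. The enclosing functions of the increment sites continue outside the hunks.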
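--- a/linux-3.1.1/drivers/infiniband/hw/nes/nes_cm.c
+++ b/linux-3.1.1/drivers/infiniband/hw/nes/nes_cm.c
@@ -68,14 +68,14 @@ u32 cm_packets_dropped;
 u32 cm_packets_retrans;
 u32 cm_packets_created;
 u32 cm_packets_received;
-atomic_t cm_listens_created;
-atomic_t cm_listens_destroyed;
+atomic_unchecked_t cm_listens_created;
+atomic_unchecked_t cm_listens_destroyed;
 u32 cm_backlog_drops;
-atomic_t cm_loopbacks;
-atomic_t cm_nodes_created;
-atomic_t cm_nodes_destroyed;
-atomic_t cm_accel_dropped_pkts;
-atomic_t cm_resets_recvd;
+atomic_unchecked_t cm_loopbacks;
+atomic_unchecked_t cm_nodes_created;
+atomic_unchecked_t cm_nodes_destroyed;
+atomic_unchecked_t cm_accel_dropped_pkts;
+atomic_unchecked_t cm_resets_recvd;
 
 static inline int mini_cm_accelerated(struct nes_cm_core *,
 struct nes_cm_node *);
@@ -151,13 +151,13 @@ static struct nes_cm_ops nes_cm_api = {
 
 static struct nes_cm_core *g_cm_core;
 
-atomic_t cm_connects;
-atomic_t cm_accepts;
-atomic_t cm_disconnects;
-atomic_t cm_closes;
-atomic_t cm_connecteds;
-atomic_t cm_connect_reqs;
-atomic_t cm_rejects;
+atomic_unchecked_t cm_connects;
+atomic_unchecked_t cm_accepts;
+atomic_unchecked_t cm_disconnects;
+atomic_unchecked_t cm_closes;
+atomic_unchecked_t cm_connecteds;
+atomic_unchecked_t cm_connect_reqs;
+atomic_unchecked_t cm_rejects;
 
 
 /**
@@ -1045,7 +1045,7 @@ static int mini_cm_dec_refcnt_listen(str
 kfree(listener);
 listener = NULL;
 ret = 0;
- atomic_inc(&cm_listens_destroyed);
+ atomic_inc_unchecked(&cm_listens_destroyed);
 } else {
 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
 }
@@ -1240,7 +1240,7 @@ static struct nes_cm_node *make_cm_node(
 cm_node->rem_mac);
 
 add_hte_node(cm_core, cm_node);
- atomic_inc(&cm_nodes_created);
+ atomic_inc_unchecked(&cm_nodes_created);
 
 return cm_node;
 }
@@ -1298,7 +1298,7 @@ static int rem_ref_cm_node(struct nes_cm
 }
 
 atomic_dec(&cm_core->node_cnt);
- atomic_inc(&cm_nodes_destroyed);
+ atomic_inc_unchecked(&cm_nodes_destroyed);
 nesqp = cm_node->nesqp;
 if (nesqp) {
 nesqp->cm_node = NULL;
@@ -1365,7 +1365,7 @@ static int process_options(struct nes_cm
 
 static void drop_packet(struct sk_buff *skb)
 {
- atomic_inc(&cm_accel_dropped_pkts);
+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
 dev_kfree_skb_any(skb);
 }
 
@@ -1428,7 +1428,7 @@ static void handle_rst_pkt(struct nes_cm
 {
 
 int reset = 0; /* whether to send reset in case of err.. */
- atomic_inc(&cm_resets_recvd);
+ atomic_inc_unchecked(&cm_resets_recvd);
 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
 " refcnt=%d\n", cm_node, cm_node->state,
 atomic_read(&cm_node->ref_count));
@@ -2057,7 +2057,7 @@ static struct nes_cm_node *mini_cm_conne
 rem_ref_cm_node(cm_node->cm_core, cm_node);
 return NULL;
 }
- atomic_inc(&cm_loopbacks);
+ atomic_inc_unchecked(&cm_loopbacks);
 loopbackremotenode->loopbackpartner = cm_node;
 loopbackremotenode->tcp_cntxt.rcv_wscale =
 NES_CM_DEFAULT_RCV_WND_SCALE;
@@ -2332,7 +2332,7 @@ static int mini_cm_recv_pkt(struct nes_c
 add_ref_cm_node(cm_node);
 } else if (cm_node->state == NES_CM_STATE_TSA) {
 rem_ref_cm_node(cm_core, cm_node);
- atomic_inc(&cm_accel_dropped_pkts);
+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
 dev_kfree_skb_any(skb);
 break;
 }
@@ -2638,7 +2638,7 @@ static int nes_cm_disconn_true(struct ne
 
 if ((cm_id) && (cm_id->event_handler)) {
 if (issue_disconn) {
- atomic_inc(&cm_disconnects);
+ atomic_inc_unchecked(&cm_disconnects);
 cm_event.event = IW_CM_EVENT_DISCONNECT;
 cm_event.status = disconn_status;
 cm_event.local_addr = cm_id->local_addr;
@@ -2660,7 +2660,7 @@ static int nes_cm_disconn_true(struct ne
 }
 
 if (issue_close) {
- atomic_inc(&cm_closes);
+ atomic_inc_unchecked(&cm_closes);
 nes_disconnect(nesqp, 1);
 
 cm_id->provider_data = nesqp;
@@ -2791,7 +2791,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
 
 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
- atomic_inc(&cm_accepts);
+ atomic_inc_unchecked(&cm_accepts);
 
 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
 netdev_refcnt_read(nesvnic->netdev));
@@ -3001,7 +3001,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
 
 struct nes_cm_core *cm_core;
 
- atomic_inc(&cm_rejects);
+ atomic_inc_unchecked(&cm_rejects);
 cm_node = (struct nes_cm_node *) cm_id->provider_data;
 loopback = cm_node->loopbackpartner;
 cm_core = cm_node->cm_core;
@@ -3067,7 +3067,7 @@ int nes_connect(struct iw_cm_id *cm_id,
 ntohl(cm_id->local_addr.sin_addr.s_addr),
 ntohs(cm_id->local_addr.sin_port));
 
- atomic_inc(&cm_connects);
+ atomic_inc_unchecked(&cm_connects);
 nesqp->active_conn = 1;
 
 /* cache the cm_id in the qp */
@@ -3173,7 +3173,7 @@ int nes_create_listen(struct iw_cm_id *c
 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
 return err;
 }
- atomic_inc(&cm_listens_created);
+ atomic_inc_unchecked(&cm_listens_created);
 }
 
 cm_id->add_ref(cm_id);
@@ -3278,7 +3278,7 @@ static void cm_event_connected(struct ne
 if (nesqp->destroyed) {
 return;
 }
- atomic_inc(&cm_connecteds);
+ atomic_inc_unchecked(&cm_connecteds);
 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
 " local port 0x%04X. jiffies = %lu.\n",
 nesqp->hwqp.qp_id,
@@ -3493,7 +3493,7 @@ static void cm_event_reset(struct nes_cm
 
 cm_id->add_ref(cm_id);
 ret = cm_id->event_handler(cm_id, &cm_event);
- atomic_inc(&cm_closes);
+ atomic_inc_unchecked(&cm_closes);
 cm_event.event = IW_CM_EVENT_CLOSE;
 cm_event.status = 0;
 cm_event.provider_data = cm_id->provider_data;
@@ -3529,7 +3529,7 @@ static void cm_event_mpa_req(struct nes_
 return;
 cm_id = cm_node->cm_id;
 
- atomic_inc(&cm_connect_reqs);
+ atomic_inc_unchecked(&cm_connect_reqs);
 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
 cm_node, cm_id, jiffies);
 
@@ -3567,7 +3567,7 @@ static void cm_event_mpa_reject(struct n
 return;
 cm_id = cm_node->cm_id;
 
- atomic_inc(&cm_connect_reqs);
+ atomic_inc_unchecked(&cm_connect_reqs);
 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
 cm_node, cm_id, jiffies);
 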
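--- a/linux-3.1.1/drivers/infiniband/hw/nes/nes.h
+++ b/linux-3.1.1/drivers/infiniband/hw/nes/nes.h
@@ -175,17 +175,17 @@ extern unsigned int nes_debug_level;
 extern unsigned int wqm_quanta;
 extern struct list_head nes_adapter_list;
 
-extern atomic_t cm_connects;
-extern atomic_t cm_accepts;
-extern atomic_t cm_disconnects;
-extern atomic_t cm_closes;
-extern atomic_t cm_connecteds;
-extern atomic_t cm_connect_reqs;
-extern atomic_t cm_rejects;
-extern atomic_t mod_qp_timouts;
-extern atomic_t qps_created;
-extern atomic_t qps_destroyed;
-extern atomic_t sw_qps_destroyed;
+extern atomic_unchecked_t cm_connects;
+extern atomic_unchecked_t cm_accepts;
+extern atomic_unchecked_t cm_disconnects;
+extern atomic_unchecked_t cm_closes;
+extern atomic_unchecked_t cm_connecteds;
+extern atomic_unchecked_t cm_connect_reqs;
+extern atomic_unchecked_t cm_rejects;
+extern atomic_unchecked_t mod_qp_timouts;
+extern atomic_unchecked_t qps_created;
+extern atomic_unchecked_t qps_destroyed;
+extern atomic_unchecked_t sw_qps_destroyed;
 extern u32 mh_detected;
 extern u32 mh_pauses_sent;
 extern u32 cm_packets_sent;
@@ -194,14 +194,14 @@ extern u32 cm_packets_created;
 extern u32 cm_packets_received;
 extern u32 cm_packets_dropped;
 extern u32 cm_packets_retrans;
-extern atomic_t cm_listens_created;
-extern atomic_t cm_listens_destroyed;
+extern atomic_unchecked_t cm_listens_created;
+extern atomic_unchecked_t cm_listens_destroyed;
 extern u32 cm_backlog_drops;
-extern atomic_t cm_loopbacks;
-extern atomic_t cm_nodes_created;
-extern atomic_t cm_nodes_destroyed;
-extern atomic_t cm_accel_dropped_pkts;
-extern atomic_t cm_resets_recvd;
+extern atomic_unchecked_t cm_loopbacks;
+extern atomic_unchecked_t cm_nodes_created;
+extern atomic_unchecked_t cm_nodes_destroyed;
+extern atomic_unchecked_t cm_accel_dropped_pkts;
+extern atomic_unchecked_t cm_resets_recvd;
 
 extern u32 int_mod_timer_init;
 extern u32 int_mod_cq_depth_256;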
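--- a/linux-3.1.1/drivers/infiniband/hw/nes/nes_nic.c
+++ b/linux-3.1.1/drivers/infiniband/hw/nes/nes_nic.c
@@ -1274,31 +1274,31 @@ static void nes_netdev_get_ethtool_stats
 target_stat_values[++index] = mh_detected;
 target_stat_values[++index] = mh_pauses_sent;
 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
- target_stat_values[++index] = atomic_read(&cm_connects);
- target_stat_values[++index] = atomic_read(&cm_accepts);
- target_stat_values[++index] = atomic_read(&cm_disconnects);
- target_stat_values[++index] = atomic_read(&cm_connecteds);
- target_stat_values[++index] = atomic_read(&cm_connect_reqs);
- target_stat_values[++index] = atomic_read(&cm_rejects);
- target_stat_values[++index] = atomic_read(&mod_qp_timouts);
- target_stat_values[++index] = atomic_read(&qps_created);
- target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
- target_stat_values[++index] = atomic_read(&qps_destroyed);
- target_stat_values[++index] = atomic_read(&cm_closes);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
+ target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
+ target_stat_values[++index] = atomic_read_unchecked(&qps_created);
+ target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
+ target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
 target_stat_values[++index] = cm_packets_sent;
 target_stat_values[++index] = cm_packets_bounced;
 target_stat_values[++index] = cm_packets_created;
 target_stat_values[++index] = cm_packets_received;
 target_stat_values[++index] = cm_packets_dropped;
 target_stat_values[++index] = cm_packets_retrans;
- target_stat_values[++index] = atomic_read(&cm_listens_created);
- target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
 target_stat_values[++index] = cm_backlog_drops;
- target_stat_values[++index] = atomic_read(&cm_loopbacks);
- target_stat_values[++index] = atomic_read(&cm_nodes_created);
- target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
- target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
- target_stat_values[++index] = atomic_read(&cm_resets_recvd);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
+ target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
 target_stat_values[++index] = nesadapter->free_4kpbl;
 target_stat_values[++index] = nesadapter->free_256pbl;
 target_stat_values[++index] = int_mod_timer_init;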
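--- a/linux-3.1.1/drivers/infiniband/hw/nes/nes_verbs.c
+++ b/linux-3.1.1/drivers/infiniband/hw/nes/nes_verbs.c
@@ -46,9 +46,9 @@
 
 #include <rdma/ib_umem.h>
 
-atomic_t mod_qp_timouts;
-atomic_t qps_created;
-atomic_t sw_qps_destroyed;
+atomic_unchecked_t mod_qp_timouts;
+atomic_unchecked_t qps_created;
+atomic_unchecked_t sw_qps_destroyed;
 
 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
 
@@ -1131,7 +1131,7 @@ static struct ib_qp *nes_create_qp(struc
 if (init_attr->create_flags)
 return ERR_PTR(-EINVAL);
 
- atomic_inc(&qps_created);
+ atomic_inc_unchecked(&qps_created);
 switch (init_attr->qp_type) {
 case IB_QPT_RC:
 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
@@ -1460,7 +1460,7 @@ static int nes_destroy_qp(struct ib_qp *
 struct iw_cm_event cm_event;
 int ret;
 
- atomic_inc(&sw_qps_destroyed);
+ atomic_inc_unchecked(&sw_qps_destroyed);
 nesqp->destroyed = 1;
 
 /* Blow away the connection if it exists. */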
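--- a/linux-3.1.1/drivers/infiniband/hw/qib/qib.h
+++ b/linux-3.1.1/drivers/infiniband/hw/qib/qib.h
@@ -51,6 +51,7 @@
 #include <linux/completion.h>
 #include <linux/kref.h>
 #include <linux/sched.h>
+#include <linux/slab.h>
 
 #include "qib_common.h"
 #include "qib_verbs.h"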
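--- a/linux-3.1.1/drivers/input/gameport/gameport.c
+++ b/linux-3.1.1/drivers/input/gameport/gameport.c
@@ -488,14 +488,14 @@ EXPORT_SYMBOL(gameport_set_phys);
 */
 static void gameport_init_port(struct gameport *gameport)
 {
- static atomic_t gameport_no = ATOMIC_INIT(0);
+ static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
 
 __module_get(THIS_MODULE);
 
 mutex_init(&gameport->drv_mutex);
 device_initialize(&gameport->dev);
 dev_set_name(&gameport->dev, "gameport%lu",
- (unsigned long)atomic_inc_return(&gameport_no) - 1);
+ (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
 gameport->dev.bus = &gameport_bus;
 gameport->dev.release = gameport_release_port;
 if (gameport->parent)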
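Review bot: `gameport_no` in gameport_init_port exists only to build the `gameport%lu` device name, so a wrapped value would at worst produce a duplicate name rather than a miscounted object, and the unchecked variant is acceptable; a comment on the declaration would record that reasoning: `/* naming sequence only: wrap yields a duplicate name, not a lifetime bug, hence unchecked */`. The same holds for `input_no` in input_register_device (drivers/input/input.c) and `led_seq` in xpad_led_probe (drivers/input/joystick/xpad.c), where the value likewise feeds only `dev_set_name` or `snprintf`. The enclosing functions continue outside the hunks.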
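--- a/linux-3.1.1/drivers/input/input.c
+++ b/linux-3.1.1/drivers/input/input.c
@@ -1814,7 +1814,7 @@ static void input_cleanse_bitmasks(struc
 */
 int input_register_device(struct input_dev *dev)
 {
- static atomic_t input_no = ATOMIC_INIT(0);
+ static atomic_unchecked_t input_no = ATOMIC_INIT(0);
 struct input_handler *handler;
 const char *path;
 int error;
@@ -1851,7 +1851,7 @@ int input_register_device(struct input_d
 dev->setkeycode = input_default_setkeycode;
 
 dev_set_name(&dev->dev, "input%ld",
- (unsigned long) atomic_inc_return(&input_no) - 1);
+ (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
 
 error = device_add(&dev->dev);
 if (error)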
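--- a/linux-3.1.1/drivers/input/joystick/sidewinder.c
+++ b/linux-3.1.1/drivers/input/joystick/sidewinder.c
@@ -30,6 +30,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/slab.h>
+#include <linux/sched.h>
 #include <linux/init.h>
 #include <linux/input.h>
 #include <linux/gameport.h>
@@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
 unsigned char buf[SW_LENGTH];
 int i;
 
+ pax_track_stack();
+
 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
 
 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */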
28847diff -urNp linux-3.1.1/drivers/input/joystick/xpad.c linux-3.1.1/drivers/input/joystick/xpad.c
28848--- linux-3.1.1/drivers/input/joystick/xpad.c 2011-11-11 15:19:27.000000000 -0500
28849+++ linux-3.1.1/drivers/input/joystick/xpad.c 2011-11-16 18:39:07.000000000 -0500
28850@@ -710,7 +710,7 @@ static void xpad_led_set(struct led_clas
28851
28852 static int xpad_led_probe(struct usb_xpad *xpad)
28853 {
28854- static atomic_t led_seq = ATOMIC_INIT(0);
28855+ static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
28856 long led_no;
28857 struct xpad_led *led;
28858 struct led_classdev *led_cdev;
28859@@ -723,7 +723,7 @@ static int xpad_led_probe(struct usb_xpa
28860 if (!led)
28861 return -ENOMEM;
28862
28863- led_no = (long)atomic_inc_return(&led_seq) - 1;
28864+ led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
28865
28866 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
28867 led->xpad = xpad;
28868diff -urNp linux-3.1.1/drivers/input/mousedev.c linux-3.1.1/drivers/input/mousedev.c
28869--- linux-3.1.1/drivers/input/mousedev.c 2011-11-11 15:19:27.000000000 -0500
28870+++ linux-3.1.1/drivers/input/mousedev.c 2011-11-16 18:39:07.000000000 -0500
28871@@ -763,7 +763,7 @@ static ssize_t mousedev_read(struct file
28872
28873 spin_unlock_irq(&client->packet_lock);
28874
28875- if (copy_to_user(buffer, data, count))
28876+ if (count > sizeof(data) || copy_to_user(buffer, data, count))
28877 return -EFAULT;
28878
28879 return count;
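Review bot: The new `count > sizeof(data)` guard returns -EFAULT, which blames user space for what can only be a kernel-side invariant violation: if, as in mainline, `count` was already clamped to `client->buffer` (itself bounded by the ps2 buffer) before the memcpy above this hunk, the check is unreachable, and should it ever fire the bytes just dequeued under packet_lock would be silently dropped. Make the intent explicit and non-lossy: `if (WARN_ON_ONCE(count > sizeof(data))) return -EINVAL;`, or move the bound to the point where count is clamped so nothing is consumed before it is validated. mousedev_read begins outside this hunk.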
28880diff -urNp linux-3.1.1/drivers/input/serio/serio.c linux-3.1.1/drivers/input/serio/serio.c
28881--- linux-3.1.1/drivers/input/serio/serio.c 2011-11-11 15:19:27.000000000 -0500
28882+++ linux-3.1.1/drivers/input/serio/serio.c 2011-11-16 18:39:07.000000000 -0500
28883@@ -497,7 +497,7 @@ static void serio_release_port(struct de
28884 */
28885 static void serio_init_port(struct serio *serio)
28886 {
28887- static atomic_t serio_no = ATOMIC_INIT(0);
28888+ static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
28889
28890 __module_get(THIS_MODULE);
28891
28892@@ -508,7 +508,7 @@ static void serio_init_port(struct serio
28893 mutex_init(&serio->drv_mutex);
28894 device_initialize(&serio->dev);
28895 dev_set_name(&serio->dev, "serio%ld",
28896- (long)atomic_inc_return(&serio_no) - 1);
28897+ (long)atomic_inc_return_unchecked(&serio_no) - 1);
28898 serio->dev.bus = &serio_bus;
28899 serio->dev.release = serio_release_port;
28900 serio->dev.groups = serio_device_attr_groups;
28901diff -urNp linux-3.1.1/drivers/isdn/capi/capi.c linux-3.1.1/drivers/isdn/capi/capi.c
28902--- linux-3.1.1/drivers/isdn/capi/capi.c 2011-11-11 15:19:27.000000000 -0500
28903+++ linux-3.1.1/drivers/isdn/capi/capi.c 2011-11-16 18:39:07.000000000 -0500
28904@@ -83,8 +83,8 @@ struct capiminor {
28905
28906 struct capi20_appl *ap;
28907 u32 ncci;
28908- atomic_t datahandle;
28909- atomic_t msgid;
28910+ atomic_unchecked_t datahandle;
28911+ atomic_unchecked_t msgid;
28912
28913 struct tty_port port;
28914 int ttyinstop;
28915@@ -397,7 +397,7 @@ gen_data_b3_resp_for(struct capiminor *m
28916 capimsg_setu16(s, 2, mp->ap->applid);
28917 capimsg_setu8 (s, 4, CAPI_DATA_B3);
28918 capimsg_setu8 (s, 5, CAPI_RESP);
28919- capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
28920+ capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
28921 capimsg_setu32(s, 8, mp->ncci);
28922 capimsg_setu16(s, 12, datahandle);
28923 }
28924@@ -518,14 +518,14 @@ static void handle_minor_send(struct cap
28925 mp->outbytes -= len;
28926 spin_unlock_bh(&mp->outlock);
28927
28928- datahandle = atomic_inc_return(&mp->datahandle);
28929+ datahandle = atomic_inc_return_unchecked(&mp->datahandle);
28930 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
28931 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
28932 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
28933 capimsg_setu16(skb->data, 2, mp->ap->applid);
28934 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
28935 capimsg_setu8 (skb->data, 5, CAPI_REQ);
28936- capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
28937+ capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
28938 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
28939 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
28940 capimsg_setu16(skb->data, 16, len); /* Data length */
28941diff -urNp linux-3.1.1/drivers/isdn/gigaset/common.c linux-3.1.1/drivers/isdn/gigaset/common.c
28942--- linux-3.1.1/drivers/isdn/gigaset/common.c 2011-11-11 15:19:27.000000000 -0500
28943+++ linux-3.1.1/drivers/isdn/gigaset/common.c 2011-11-16 18:39:07.000000000 -0500
28944@@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
28945 cs->commands_pending = 0;
28946 cs->cur_at_seq = 0;
28947 cs->gotfwver = -1;
28948- cs->open_count = 0;
28949+ local_set(&cs->open_count, 0);
28950 cs->dev = NULL;
28951 cs->tty = NULL;
28952 cs->tty_dev = NULL;
28953diff -urNp linux-3.1.1/drivers/isdn/gigaset/gigaset.h linux-3.1.1/drivers/isdn/gigaset/gigaset.h
28954--- linux-3.1.1/drivers/isdn/gigaset/gigaset.h 2011-11-11 15:19:27.000000000 -0500
28955+++ linux-3.1.1/drivers/isdn/gigaset/gigaset.h 2011-11-16 18:39:07.000000000 -0500
28956@@ -35,6 +35,7 @@
28957 #include <linux/tty_driver.h>
28958 #include <linux/list.h>
28959 #include <linux/atomic.h>
28960+#include <asm/local.h>
28961
28962 #define GIG_VERSION {0, 5, 0, 0}
28963 #define GIG_COMPAT {0, 4, 0, 0}
28964@@ -433,7 +434,7 @@ struct cardstate {
28965 spinlock_t cmdlock;
28966 unsigned curlen, cmdbytes;
28967
28968- unsigned open_count;
28969+ local_t open_count;
28970 struct tty_struct *tty;
28971 struct tasklet_struct if_wake_tasklet;
28972 unsigned control_state;
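Review bot: `local_t` is documented (Documentation/local_ops.txt) as safe only for per-CPU data — local_inc/dec are not guaranteed atomic across CPUs — whereas open_count is a per-device counter that any CPU's tty open/close path touches. The conversion is only sound because those paths stay serialized by cs->mutex (in mainline; the lock is outside this hunk), so the field should say so: `local_t open_count;	/* tty opens; serialized by cs->mutex - local_t is not a cross-CPU atomic */`. Without that note a later reader may drop the mutex believing the counter synchronizes itself.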
28973diff -urNp linux-3.1.1/drivers/isdn/gigaset/interface.c linux-3.1.1/drivers/isdn/gigaset/interface.c
28974--- linux-3.1.1/drivers/isdn/gigaset/interface.c 2011-11-11 15:19:27.000000000 -0500
28975+++ linux-3.1.1/drivers/isdn/gigaset/interface.c 2011-11-16 18:39:07.000000000 -0500
28976@@ -162,9 +162,7 @@ static int if_open(struct tty_struct *tt
28977 }
28978 tty->driver_data = cs;
28979
28980- ++cs->open_count;
28981-
28982- if (cs->open_count == 1) {
28983+ if (local_inc_return(&cs->open_count) == 1) {
28984 spin_lock_irqsave(&cs->lock, flags);
28985 cs->tty = tty;
28986 spin_unlock_irqrestore(&cs->lock, flags);
28987@@ -192,10 +190,10 @@ static void if_close(struct tty_struct *
28988
28989 if (!cs->connected)
28990 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
28991- else if (!cs->open_count)
28992+ else if (!local_read(&cs->open_count))
28993 dev_warn(cs->dev, "%s: device not opened\n", __func__);
28994 else {
28995- if (!--cs->open_count) {
28996+ if (!local_dec_return(&cs->open_count)) {
28997 spin_lock_irqsave(&cs->lock, flags);
28998 cs->tty = NULL;
28999 spin_unlock_irqrestore(&cs->lock, flags);
29000@@ -230,7 +228,7 @@ static int if_ioctl(struct tty_struct *t
29001 if (!cs->connected) {
29002 gig_dbg(DEBUG_IF, "not connected");
29003 retval = -ENODEV;
29004- } else if (!cs->open_count)
29005+ } else if (!local_read(&cs->open_count))
29006 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29007 else {
29008 retval = 0;
29009@@ -360,7 +358,7 @@ static int if_write(struct tty_struct *t
29010 retval = -ENODEV;
29011 goto done;
29012 }
29013- if (!cs->open_count) {
29014+ if (!local_read(&cs->open_count)) {
29015 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29016 retval = -ENODEV;
29017 goto done;
29018@@ -413,7 +411,7 @@ static int if_write_room(struct tty_stru
29019 if (!cs->connected) {
29020 gig_dbg(DEBUG_IF, "not connected");
29021 retval = -ENODEV;
29022- } else if (!cs->open_count)
29023+ } else if (!local_read(&cs->open_count))
29024 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29025 else if (cs->mstate != MS_LOCKED) {
29026 dev_warn(cs->dev, "can't write to unlocked device\n");
29027@@ -443,7 +441,7 @@ static int if_chars_in_buffer(struct tty
29028
29029 if (!cs->connected)
29030 gig_dbg(DEBUG_IF, "not connected");
29031- else if (!cs->open_count)
29032+ else if (!local_read(&cs->open_count))
29033 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29034 else if (cs->mstate != MS_LOCKED)
29035 dev_warn(cs->dev, "can't write to unlocked device\n");
29036@@ -471,7 +469,7 @@ static void if_throttle(struct tty_struc
29037
29038 if (!cs->connected)
29039 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
29040- else if (!cs->open_count)
29041+ else if (!local_read(&cs->open_count))
29042 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29043 else
29044 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
29045@@ -495,7 +493,7 @@ static void if_unthrottle(struct tty_str
29046
29047 if (!cs->connected)
29048 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
29049- else if (!cs->open_count)
29050+ else if (!local_read(&cs->open_count))
29051 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29052 else
29053 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
29054@@ -526,7 +524,7 @@ static void if_set_termios(struct tty_st
29055 goto out;
29056 }
29057
29058- if (!cs->open_count) {
29059+ if (!local_read(&cs->open_count)) {
29060 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29061 goto out;
29062 }
29063diff -urNp linux-3.1.1/drivers/isdn/hardware/avm/b1.c linux-3.1.1/drivers/isdn/hardware/avm/b1.c
29064--- linux-3.1.1/drivers/isdn/hardware/avm/b1.c 2011-11-11 15:19:27.000000000 -0500
29065+++ linux-3.1.1/drivers/isdn/hardware/avm/b1.c 2011-11-16 18:39:07.000000000 -0500
29066@@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
29067 }
29068 if (left) {
29069 if (t4file->user) {
29070- if (copy_from_user(buf, dp, left))
29071+ if (left > sizeof buf || copy_from_user(buf, dp, left))
29072 return -EFAULT;
29073 } else {
29074 memcpy(buf, dp, left);
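Review bot: The new bound covers only the user-copy branch; the `memcpy(buf, dp, left)` on the else path two lines below is still unbounded, so if `left` can exceed sizeof(buf) here the kernel-caller path overflows the same stack buffer. Hoist the check above the branch — `if (left > sizeof(buf)) return -EINVAL;` (or -EFAULT if that contract is preferred) — and let both branches rely on it. In mainline the `while (left > sizeof(buf))` loop above this hunk already drains the large chunks, so this is defence in depth, which is worth a one-line comment; `sizeof(buf)` rather than `sizeof buf` also keeps the spelling consistent with that loop and with checkpatch. The same applies to the b1_load_config hunk that follows, and b1_load_t4file begins outside this hunk.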
29075@@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
29076 }
29077 if (left) {
29078 if (config->user) {
29079- if (copy_from_user(buf, dp, left))
29080+ if (left > sizeof buf || copy_from_user(buf, dp, left))
29081 return -EFAULT;
29082 } else {
29083 memcpy(buf, dp, left);
29084diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/capidtmf.c linux-3.1.1/drivers/isdn/hardware/eicon/capidtmf.c
29085--- linux-3.1.1/drivers/isdn/hardware/eicon/capidtmf.c 2011-11-11 15:19:27.000000000 -0500
29086+++ linux-3.1.1/drivers/isdn/hardware/eicon/capidtmf.c 2011-11-16 18:40:10.000000000 -0500
29087@@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
29088 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
29089 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
29090
29091+ pax_track_stack();
29092
29093 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
29094 {
29095diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/capifunc.c linux-3.1.1/drivers/isdn/hardware/eicon/capifunc.c
29096--- linux-3.1.1/drivers/isdn/hardware/eicon/capifunc.c 2011-11-11 15:19:27.000000000 -0500
29097+++ linux-3.1.1/drivers/isdn/hardware/eicon/capifunc.c 2011-11-16 18:40:10.000000000 -0500
29098@@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
29099 IDI_SYNC_REQ req;
29100 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29101
29102+ pax_track_stack();
29103+
29104 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29105
29106 for (x = 0; x < MAX_DESCRIPTORS; x++) {
29107diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/diddfunc.c linux-3.1.1/drivers/isdn/hardware/eicon/diddfunc.c
29108--- linux-3.1.1/drivers/isdn/hardware/eicon/diddfunc.c 2011-11-11 15:19:27.000000000 -0500
29109+++ linux-3.1.1/drivers/isdn/hardware/eicon/diddfunc.c 2011-11-16 18:40:10.000000000 -0500
29110@@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
29111 IDI_SYNC_REQ req;
29112 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29113
29114+ pax_track_stack();
29115+
29116 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29117
29118 for (x = 0; x < MAX_DESCRIPTORS; x++) {
29119diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/divasfunc.c linux-3.1.1/drivers/isdn/hardware/eicon/divasfunc.c
29120--- linux-3.1.1/drivers/isdn/hardware/eicon/divasfunc.c 2011-11-11 15:19:27.000000000 -0500
29121+++ linux-3.1.1/drivers/isdn/hardware/eicon/divasfunc.c 2011-11-16 18:40:10.000000000 -0500
29122@@ -160,6 +160,8 @@ static int DIVA_INIT_FUNCTION connect_di
29123 IDI_SYNC_REQ req;
29124 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29125
29126+ pax_track_stack();
29127+
29128 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29129
29130 for (x = 0; x < MAX_DESCRIPTORS; x++) {
29131diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/divasync.h linux-3.1.1/drivers/isdn/hardware/eicon/divasync.h
29132--- linux-3.1.1/drivers/isdn/hardware/eicon/divasync.h 2011-11-11 15:19:27.000000000 -0500
29133+++ linux-3.1.1/drivers/isdn/hardware/eicon/divasync.h 2011-11-16 18:39:07.000000000 -0500
29134@@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter {
29135 } diva_didd_add_adapter_t;
29136 typedef struct _diva_didd_remove_adapter {
29137 IDI_CALL p_request;
29138-} diva_didd_remove_adapter_t;
29139+} __no_const diva_didd_remove_adapter_t;
29140 typedef struct _diva_didd_read_adapter_array {
29141 void * buffer;
29142 dword length;
29143diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/idifunc.c linux-3.1.1/drivers/isdn/hardware/eicon/idifunc.c
29144--- linux-3.1.1/drivers/isdn/hardware/eicon/idifunc.c 2011-11-11 15:19:27.000000000 -0500
29145+++ linux-3.1.1/drivers/isdn/hardware/eicon/idifunc.c 2011-11-16 18:40:10.000000000 -0500
29146@@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
29147 IDI_SYNC_REQ req;
29148 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29149
29150+ pax_track_stack();
29151+
29152 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29153
29154 for (x = 0; x < MAX_DESCRIPTORS; x++) {
29155diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/message.c linux-3.1.1/drivers/isdn/hardware/eicon/message.c
29156--- linux-3.1.1/drivers/isdn/hardware/eicon/message.c 2011-11-11 15:19:27.000000000 -0500
29157+++ linux-3.1.1/drivers/isdn/hardware/eicon/message.c 2011-11-16 18:40:10.000000000 -0500
29158@@ -4886,6 +4886,8 @@ static void sig_ind(PLCI *plci)
29159 dword d;
29160 word w;
29161
29162+ pax_track_stack();
29163+
29164 a = plci->adapter;
29165 Id = ((word)plci->Id<<8)|a->Id;
29166 PUT_WORD(&SS_Ind[4],0x0000);
29167@@ -7480,6 +7482,8 @@ static word add_b1(PLCI *plci, API_PARSE
29168 word j, n, w;
29169 dword d;
29170
29171+ pax_track_stack();
29172+
29173
29174 for(i=0;i<8;i++) bp_parms[i].length = 0;
29175 for(i=0;i<2;i++) global_config[i].length = 0;
29176@@ -7954,6 +7958,8 @@ static word add_b23(PLCI *plci, API_PARS
29177 const byte llc3[] = {4,3,2,2,6,6,0};
29178 const byte header[] = {0,2,3,3,0,0,0};
29179
29180+ pax_track_stack();
29181+
29182 for(i=0;i<8;i++) bp_parms[i].length = 0;
29183 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
29184 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
29185@@ -14741,6 +14747,8 @@ static void group_optimization(DIVA_CAPI
29186 word appl_number_group_type[MAX_APPL];
29187 PLCI *auxplci;
29188
29189+ pax_track_stack();
29190+
29191 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
29192
29193 if(!a->group_optimization_enabled)
29194diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/mntfunc.c linux-3.1.1/drivers/isdn/hardware/eicon/mntfunc.c
29195--- linux-3.1.1/drivers/isdn/hardware/eicon/mntfunc.c 2011-11-11 15:19:27.000000000 -0500
29196+++ linux-3.1.1/drivers/isdn/hardware/eicon/mntfunc.c 2011-11-16 18:40:10.000000000 -0500
29197@@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
29198 IDI_SYNC_REQ req;
29199 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
29200
29201+ pax_track_stack();
29202+
29203 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
29204
29205 for (x = 0; x < MAX_DESCRIPTORS; x++) {
29206diff -urNp linux-3.1.1/drivers/isdn/hardware/eicon/xdi_adapter.h linux-3.1.1/drivers/isdn/hardware/eicon/xdi_adapter.h
29207--- linux-3.1.1/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-11-11 15:19:27.000000000 -0500
29208+++ linux-3.1.1/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-11-16 18:39:07.000000000 -0500
29209@@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t {
29210 typedef struct _diva_os_idi_adapter_interface {
29211 diva_init_card_proc_t cleanup_adapter_proc;
29212 diva_cmd_card_proc_t cmd_proc;
29213-} diva_os_idi_adapter_interface_t;
29214+} __no_const diva_os_idi_adapter_interface_t;
29215
29216 typedef struct _diva_os_xdi_adapter {
29217 struct list_head link;
29218diff -urNp linux-3.1.1/drivers/isdn/i4l/isdn_common.c linux-3.1.1/drivers/isdn/i4l/isdn_common.c
29219--- linux-3.1.1/drivers/isdn/i4l/isdn_common.c 2011-11-11 15:19:27.000000000 -0500
29220+++ linux-3.1.1/drivers/isdn/i4l/isdn_common.c 2011-11-16 18:40:10.000000000 -0500
29221@@ -1286,6 +1286,8 @@ isdn_ioctl(struct file *file, uint cmd,
29222 } iocpar;
29223 void __user *argp = (void __user *)arg;
29224
29225+ pax_track_stack();
29226+
29227 #define name iocpar.name
29228 #define bname iocpar.bname
29229 #define iocts iocpar.iocts
29230diff -urNp linux-3.1.1/drivers/isdn/icn/icn.c linux-3.1.1/drivers/isdn/icn/icn.c
29231--- linux-3.1.1/drivers/isdn/icn/icn.c 2011-11-11 15:19:27.000000000 -0500
29232+++ linux-3.1.1/drivers/isdn/icn/icn.c 2011-11-16 18:39:07.000000000 -0500
29233@@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
29234 if (count > len)
29235 count = len;
29236 if (user) {
29237- if (copy_from_user(msg, buf, count))
29238+ if (count > sizeof msg || copy_from_user(msg, buf, count))
29239 return -EFAULT;
29240 } else
29241 memcpy(msg, buf, count);
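Review bot: The guard is applied to the user branch only; `memcpy(msg, buf, count)` on the else path remains unbounded, so a kernel caller with count > sizeof(msg) still overflows the stack buffer. Hoist it ahead of the branch: `if (count > sizeof(msg)) return -EINVAL;` immediately after the `if (count > len) count = len;` clamp. Because `count` is an int compared against a size_t, a negative value also trips the check — worth stating in a comment so nobody "fixes" the comparison to signed. icn_writecmd starts outside this hunk, and `sizeof(msg)` is the kernel's preferred spelling.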
29242diff -urNp linux-3.1.1/drivers/lguest/core.c linux-3.1.1/drivers/lguest/core.c
29243--- linux-3.1.1/drivers/lguest/core.c 2011-11-11 15:19:27.000000000 -0500
29244+++ linux-3.1.1/drivers/lguest/core.c 2011-11-16 18:39:07.000000000 -0500
29245@@ -92,9 +92,17 @@ static __init int map_switcher(void)
29246 * it's worked so far. The end address needs +1 because __get_vm_area
29247 * allocates an extra guard page, so we need space for that.
29248 */
29249+
29250+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29251+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
29252+ VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
29253+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
29254+#else
29255 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
29256 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
29257 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
29258+#endif
29259+
29260 if (!switcher_vma) {
29261 err = -ENOMEM;
29262 printk("lguest: could not map switcher pages high\n");
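Review bot: The #ifdef duplicates the entire three-line `__get_vm_area()` call just to differ in one flag bit, so any later change to the size or address arguments has to be made twice. Compute the flags into a local and keep a single call, as sketched below; the new local belongs with map_switcher's other declarations, which start outside this hunk. The `CONFIG_MODULES` term in the condition is not self-explanatory either — a comment saying why VM_KERNEXEC applies only with modules enabled would help.
```c
	/* … unchanged: map_switcher's declarations; add `unsigned long vm_flags = VM_ALLOC;` there … */
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	/* the copied switcher code must stay executable under KERNEXEC */
	vm_flags |= VM_KERNEXEC;
#endif
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     vm_flags, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
	/* … unchanged: !switcher_vma error path … */
```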
29263@@ -119,7 +127,7 @@ static __init int map_switcher(void)
29264 * Now the Switcher is mapped at the right address, we can't fail!
29265 * Copy in the compiled-in Switcher code (from x86/switcher_32.S).
29266 */
29267- memcpy(switcher_vma->addr, start_switcher_text,
29268+ memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
29269 end_switcher_text - start_switcher_text);
29270
29271 printk(KERN_INFO "lguest: mapped switcher at %p\n",
29272diff -urNp linux-3.1.1/drivers/lguest/x86/core.c linux-3.1.1/drivers/lguest/x86/core.c
29273--- linux-3.1.1/drivers/lguest/x86/core.c 2011-11-11 15:19:27.000000000 -0500
29274+++ linux-3.1.1/drivers/lguest/x86/core.c 2011-11-16 18:39:07.000000000 -0500
29275@@ -59,7 +59,7 @@ static struct {
29276 /* Offset from where switcher.S was compiled to where we've copied it */
29277 static unsigned long switcher_offset(void)
29278 {
29279- return SWITCHER_ADDR - (unsigned long)start_switcher_text;
29280+ return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
29281 }
29282
29283 /* This cpu's struct lguest_pages. */
29284@@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
29285 * These copies are pretty cheap, so we do them unconditionally: */
29286 /* Save the current Host top-level page directory.
29287 */
29288+
29289+#ifdef CONFIG_PAX_PER_CPU_PGD
29290+ pages->state.host_cr3 = read_cr3();
29291+#else
29292 pages->state.host_cr3 = __pa(current->mm->pgd);
29293+#endif
29294+
29295 /*
29296 * Set up the Guest's page tables to see this CPU's pages (and no
29297 * other CPU's pages).
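Review bot: The `read_cr3()` branch has no why-comment, and it carries an assumption: under PAX_PER_CPU_PGD the host's top-level directory is presumably per-CPU, so `current->mm->pgd` is no longer what is loaded in CR3, but reading CR3 is only correct if the task cannot migrate between this read and the switch. The lguest run path appears to reach copy_in_guest_info with interrupts disabled (outside this hunk), which is what makes it safe and should be stated: `/* PER_CPU_PGD: the live host pgd is per-CPU, not mm->pgd; caller runs with IRQs off, so we cannot migrate */`. copy_in_guest_info begins outside the hunk.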
29298@@ -472,7 +478,7 @@ void __init lguest_arch_host_init(void)
29299 * compiled-in switcher code and the high-mapped copy we just made.
29300 */
29301 for (i = 0; i < IDT_ENTRIES; i++)
29302- default_idt_entries[i] += switcher_offset();
29303+ default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
29304
29305 /*
29306 * Set up the Switcher's per-cpu areas.
29307@@ -555,7 +561,7 @@ void __init lguest_arch_host_init(void)
29308 * it will be undisturbed when we switch. To change %cs and jump we
29309 * need this structure to feed to Intel's "lcall" instruction.
29310 */
29311- lguest_entry.offset = (long)switch_to_guest + switcher_offset();
29312+ lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
29313 lguest_entry.segment = LGUEST_CS;
29314
29315 /*
29316diff -urNp linux-3.1.1/drivers/lguest/x86/switcher_32.S linux-3.1.1/drivers/lguest/x86/switcher_32.S
29317--- linux-3.1.1/drivers/lguest/x86/switcher_32.S 2011-11-11 15:19:27.000000000 -0500
29318+++ linux-3.1.1/drivers/lguest/x86/switcher_32.S 2011-11-16 18:39:07.000000000 -0500
29319@@ -87,6 +87,7 @@
29320 #include <asm/page.h>
29321 #include <asm/segment.h>
29322 #include <asm/lguest.h>
29323+#include <asm/processor-flags.h>
29324
29325 // We mark the start of the code to copy
29326 // It's placed in .text tho it's never run here
29327@@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
29328 // Changes type when we load it: damn Intel!
29329 // For after we switch over our page tables
29330 // That entry will be read-only: we'd crash.
29331+
29332+#ifdef CONFIG_PAX_KERNEXEC
29333+ mov %cr0, %edx
29334+ xor $X86_CR0_WP, %edx
29335+ mov %edx, %cr0
29336+#endif
29337+
29338 movl $(GDT_ENTRY_TSS*8), %edx
29339 ltr %dx
29340
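Review bot: The `xor $X86_CR0_WP, %edx` sequence toggles WP rather than clearing it, so it yields the intended state only if WP is set on entry to switch_to_guest; `andl $~X86_CR0_WP, %edx` here and `orl $X86_CR0_WP, %eax` in the matching restore block a few lines further down would make the intent explicit and survive an unexpected entry state. If the toggle is deliberate, a couplet in the file's style saying WP is assumed set at this point would do. The `ltr` below writes the busy bit into a GDT that KERNEXEC appears to keep read-only, which seems to be why WP must be dropped — worth stating too. switch_to_guest continues beyond this hunk.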
29341@@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
29342 // Let's clear it again for our return.
29343 // The GDT descriptor of the Host
29344 // Points to the table after two "size" bytes
29345- movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
29346+ movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
29347 // Clear "used" from type field (byte 5, bit 2)
29348- andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
29349+ andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
29350+
29351+#ifdef CONFIG_PAX_KERNEXEC
29352+ mov %cr0, %eax
29353+ xor $X86_CR0_WP, %eax
29354+ mov %eax, %cr0
29355+#endif
29356
29357 // Once our page table's switched, the Guest is live!
29358 // The Host fades as we run this final step.
29359@@ -295,13 +309,12 @@ deliver_to_host:
29360 // I consulted gcc, and it gave
29361 // These instructions, which I gladly credit:
29362 leal (%edx,%ebx,8), %eax
29363- movzwl (%eax),%edx
29364- movl 4(%eax), %eax
29365- xorw %ax, %ax
29366- orl %eax, %edx
29367+ movl 4(%eax), %edx
29368+ movw (%eax), %dx
29369 // Now the address of the handler's in %edx
29370 // We call it now: its "iret" drops us home.
29371- jmp *%edx
29372+ ljmp $__KERNEL_CS, $1f
29373+1: jmp *%edx
29374
29375 // Every interrupt can come to us here
29376 // But we must truly tell each apart.
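Review bot: The new `ljmp $__KERNEL_CS, $1f` before `jmp *%edx` has no comment explaining the far jump; presumably the host handler address in %edx must be executed through __KERNEL_CS because, with KERNEXEC on i386, the kernel code segment is what maps .text addresses (ktla/ktva), while the switcher is still running in LGUEST_CS at this point. A couplet in the file's style — `// Reload %cs: the Host's handlers live behind __KERNEL_CS` / `// (KERNEXEC); LGUEST_CS would land us in the wrong place` — would save the next reader a detour. The movl/movw rewrite of the handler-address load is equivalent to the old movzwl/orl sequence (upper half from offset 4, low 16 bits overwritten from offset 0), so that part needs no change.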
29377diff -urNp linux-3.1.1/drivers/macintosh/macio_asic.c linux-3.1.1/drivers/macintosh/macio_asic.c
29378--- linux-3.1.1/drivers/macintosh/macio_asic.c 2011-11-11 15:19:27.000000000 -0500
29379+++ linux-3.1.1/drivers/macintosh/macio_asic.c 2011-11-16 18:39:07.000000000 -0500
29380@@ -748,7 +748,7 @@ static void __devexit macio_pci_remove(s
29381 * MacIO is matched against any Apple ID, it's probe() function
29382 * will then decide wether it applies or not
29383 */
29384-static const struct pci_device_id __devinitdata pci_ids [] = { {
29385+static const struct pci_device_id __devinitconst pci_ids [] = { {
29386 .vendor = PCI_VENDOR_ID_APPLE,
29387 .device = PCI_ANY_ID,
29388 .subvendor = PCI_ANY_ID,
29389diff -urNp linux-3.1.1/drivers/md/dm.c linux-3.1.1/drivers/md/dm.c
29390--- linux-3.1.1/drivers/md/dm.c 2011-11-11 15:19:27.000000000 -0500
29391+++ linux-3.1.1/drivers/md/dm.c 2011-11-16 18:39:07.000000000 -0500
29392@@ -165,9 +165,9 @@ struct mapped_device {
29393 /*
29394 * Event handling.
29395 */
29396- atomic_t event_nr;
29397+ atomic_unchecked_t event_nr;
29398 wait_queue_head_t eventq;
29399- atomic_t uevent_seq;
29400+ atomic_unchecked_t uevent_seq;
29401 struct list_head uevent_list;
29402 spinlock_t uevent_lock; /* Protect access to uevent_list */
29403
29404@@ -1843,8 +1843,8 @@ static struct mapped_device *alloc_dev(i
29405 rwlock_init(&md->map_lock);
29406 atomic_set(&md->holders, 1);
29407 atomic_set(&md->open_count, 0);
29408- atomic_set(&md->event_nr, 0);
29409- atomic_set(&md->uevent_seq, 0);
29410+ atomic_set_unchecked(&md->event_nr, 0);
29411+ atomic_set_unchecked(&md->uevent_seq, 0);
29412 INIT_LIST_HEAD(&md->uevent_list);
29413 spin_lock_init(&md->uevent_lock);
29414
29415@@ -1978,7 +1978,7 @@ static void event_callback(void *context
29416
29417 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
29418
29419- atomic_inc(&md->event_nr);
29420+ atomic_inc_unchecked(&md->event_nr);
29421 wake_up(&md->eventq);
29422 }
29423
29424@@ -2614,18 +2614,18 @@ int dm_kobject_uevent(struct mapped_devi
29425
29426 uint32_t dm_next_uevent_seq(struct mapped_device *md)
29427 {
29428- return atomic_add_return(1, &md->uevent_seq);
29429+ return atomic_add_return_unchecked(1, &md->uevent_seq);
29430 }
29431
29432 uint32_t dm_get_event_nr(struct mapped_device *md)
29433 {
29434- return atomic_read(&md->event_nr);
29435+ return atomic_read_unchecked(&md->event_nr);
29436 }
29437
29438 int dm_wait_event(struct mapped_device *md, int event_nr)
29439 {
29440 return wait_event_interruptible(md->eventq,
29441- (event_nr != atomic_read(&md->event_nr)));
29442+ (event_nr != atomic_read_unchecked(&md->event_nr)));
29443 }
29444
29445 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
29446diff -urNp linux-3.1.1/drivers/md/dm-ioctl.c linux-3.1.1/drivers/md/dm-ioctl.c
29447--- linux-3.1.1/drivers/md/dm-ioctl.c 2011-11-11 15:19:27.000000000 -0500
29448+++ linux-3.1.1/drivers/md/dm-ioctl.c 2011-11-16 18:39:07.000000000 -0500
29449@@ -1578,7 +1578,7 @@ static int validate_params(uint cmd, str
29450 cmd == DM_LIST_VERSIONS_CMD)
29451 return 0;
29452
29453- if ((cmd == DM_DEV_CREATE_CMD)) {
29454+ if (cmd == DM_DEV_CREATE_CMD) {
29455 if (!*param->name) {
29456 DMWARN("name not supplied when creating device");
29457 return -EINVAL;
29458diff -urNp linux-3.1.1/drivers/md/dm-raid1.c linux-3.1.1/drivers/md/dm-raid1.c
29459--- linux-3.1.1/drivers/md/dm-raid1.c 2011-11-11 15:19:27.000000000 -0500
29460+++ linux-3.1.1/drivers/md/dm-raid1.c 2011-11-16 18:39:07.000000000 -0500
29461@@ -40,7 +40,7 @@ enum dm_raid1_error {
29462
29463 struct mirror {
29464 struct mirror_set *ms;
29465- atomic_t error_count;
29466+ atomic_unchecked_t error_count;
29467 unsigned long error_type;
29468 struct dm_dev *dev;
29469 sector_t offset;
29470@@ -185,7 +185,7 @@ static struct mirror *get_valid_mirror(s
29471 struct mirror *m;
29472
29473 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
29474- if (!atomic_read(&m->error_count))
29475+ if (!atomic_read_unchecked(&m->error_count))
29476 return m;
29477
29478 return NULL;
29479@@ -217,7 +217,7 @@ static void fail_mirror(struct mirror *m
29480 * simple way to tell if a device has encountered
29481 * errors.
29482 */
29483- atomic_inc(&m->error_count);
29484+ atomic_inc_unchecked(&m->error_count);
29485
29486 if (test_and_set_bit(error_type, &m->error_type))
29487 return;
29488@@ -408,7 +408,7 @@ static struct mirror *choose_mirror(stru
29489 struct mirror *m = get_default_mirror(ms);
29490
29491 do {
29492- if (likely(!atomic_read(&m->error_count)))
29493+ if (likely(!atomic_read_unchecked(&m->error_count)))
29494 return m;
29495
29496 if (m-- == ms->mirror)
29497@@ -422,7 +422,7 @@ static int default_ok(struct mirror *m)
29498 {
29499 struct mirror *default_mirror = get_default_mirror(m->ms);
29500
29501- return !atomic_read(&default_mirror->error_count);
29502+ return !atomic_read_unchecked(&default_mirror->error_count);
29503 }
29504
29505 static int mirror_available(struct mirror_set *ms, struct bio *bio)
29506@@ -559,7 +559,7 @@ static void do_reads(struct mirror_set *
29507 */
29508 if (likely(region_in_sync(ms, region, 1)))
29509 m = choose_mirror(ms, bio->bi_sector);
29510- else if (m && atomic_read(&m->error_count))
29511+ else if (m && atomic_read_unchecked(&m->error_count))
29512 m = NULL;
29513
29514 if (likely(m))
29515@@ -937,7 +937,7 @@ static int get_mirror(struct mirror_set
29516 }
29517
29518 ms->mirror[mirror].ms = ms;
29519- atomic_set(&(ms->mirror[mirror].error_count), 0);
29520+ atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
29521 ms->mirror[mirror].error_type = 0;
29522 ms->mirror[mirror].offset = offset;
29523
29524@@ -1347,7 +1347,7 @@ static void mirror_resume(struct dm_targ
29525 */
29526 static char device_status_char(struct mirror *m)
29527 {
29528- if (!atomic_read(&(m->error_count)))
29529+ if (!atomic_read_unchecked(&(m->error_count)))
29530 return 'A';
29531
29532 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
29533diff -urNp linux-3.1.1/drivers/md/dm-stripe.c linux-3.1.1/drivers/md/dm-stripe.c
29534--- linux-3.1.1/drivers/md/dm-stripe.c 2011-11-11 15:19:27.000000000 -0500
29535+++ linux-3.1.1/drivers/md/dm-stripe.c 2011-11-16 18:39:07.000000000 -0500
29536@@ -20,7 +20,7 @@ struct stripe {
29537 struct dm_dev *dev;
29538 sector_t physical_start;
29539
29540- atomic_t error_count;
29541+ atomic_unchecked_t error_count;
29542 };
29543
29544 struct stripe_c {
29545@@ -192,7 +192,7 @@ static int stripe_ctr(struct dm_target *
29546 kfree(sc);
29547 return r;
29548 }
29549- atomic_set(&(sc->stripe[i].error_count), 0);
29550+ atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
29551 }
29552
29553 ti->private = sc;
29554@@ -314,7 +314,7 @@ static int stripe_status(struct dm_targe
29555 DMEMIT("%d ", sc->stripes);
29556 for (i = 0; i < sc->stripes; i++) {
29557 DMEMIT("%s ", sc->stripe[i].dev->name);
29558- buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
29559+ buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
29560 'D' : 'A';
29561 }
29562 buffer[i] = '\0';
29563@@ -361,8 +361,8 @@ static int stripe_end_io(struct dm_targe
29564 */
29565 for (i = 0; i < sc->stripes; i++)
29566 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
29567- atomic_inc(&(sc->stripe[i].error_count));
29568- if (atomic_read(&(sc->stripe[i].error_count)) <
29569+ atomic_inc_unchecked(&(sc->stripe[i].error_count));
29570+ if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
29571 DM_IO_ERROR_THRESHOLD)
29572 schedule_work(&sc->trigger_event);
29573 }
29574diff -urNp linux-3.1.1/drivers/md/dm-table.c linux-3.1.1/drivers/md/dm-table.c
29575--- linux-3.1.1/drivers/md/dm-table.c 2011-11-11 15:19:27.000000000 -0500
29576+++ linux-3.1.1/drivers/md/dm-table.c 2011-11-16 18:39:07.000000000 -0500
29577@@ -389,7 +389,7 @@ static int device_area_is_invalid(struct
29578 if (!dev_size)
29579 return 0;
29580
29581- if ((start >= dev_size) || (start + len > dev_size)) {
29582+ if ((start >= dev_size) || (len > dev_size - start)) {
29583 DMWARN("%s: %s too small for target: "
29584 "start=%llu, len=%llu, dev_size=%llu",
29585 dm_device_name(ti->table->md), bdevname(bdev, b),
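Review bot: The rewritten condition `len > dev_size - start` is overflow-safe only because `start >= dev_size` has already been rejected in the same expression, which is exactly the property the old `start + len > dev_size` lacked; a one-line comment saying so would keep a future "simplification" from reintroducing the wrap: `/* start < dev_size here, so this subtraction cannot wrap (unlike start + len) */`. device_area_is_invalid begins outside this hunk.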
29586diff -urNp linux-3.1.1/drivers/md/md.c linux-3.1.1/drivers/md/md.c
29587--- linux-3.1.1/drivers/md/md.c 2011-11-11 15:19:27.000000000 -0500
29588+++ linux-3.1.1/drivers/md/md.c 2011-11-16 18:39:07.000000000 -0500
29589@@ -280,10 +280,10 @@ EXPORT_SYMBOL_GPL(md_trim_bio);
29590 * start build, activate spare
29591 */
29592 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
29593-static atomic_t md_event_count;
29594+static atomic_unchecked_t md_event_count;
29595 void md_new_event(mddev_t *mddev)
29596 {
29597- atomic_inc(&md_event_count);
29598+ atomic_inc_unchecked(&md_event_count);
29599 wake_up(&md_event_waiters);
29600 }
29601 EXPORT_SYMBOL_GPL(md_new_event);
29602@@ -293,7 +293,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
29603 */
29604 static void md_new_event_inintr(mddev_t *mddev)
29605 {
29606- atomic_inc(&md_event_count);
29607+ atomic_inc_unchecked(&md_event_count);
29608 wake_up(&md_event_waiters);
29609 }
29610
29611@@ -1531,7 +1531,7 @@ static int super_1_load(mdk_rdev_t *rdev
29612
29613 rdev->preferred_minor = 0xffff;
29614 rdev->data_offset = le64_to_cpu(sb->data_offset);
29615- atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
29616+ atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
29617
29618 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
29619 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
29620@@ -1748,7 +1748,7 @@ static void super_1_sync(mddev_t *mddev,
29621 else
29622 sb->resync_offset = cpu_to_le64(0);
29623
29624- sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
29625+ sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
29626
29627 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
29628 sb->size = cpu_to_le64(mddev->dev_sectors);
29629@@ -2643,7 +2643,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
29630 static ssize_t
29631 errors_show(mdk_rdev_t *rdev, char *page)
29632 {
29633- return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
29634+ return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
29635 }
29636
29637 static ssize_t
29638@@ -2652,7 +2652,7 @@ errors_store(mdk_rdev_t *rdev, const cha
29639 char *e;
29640 unsigned long n = simple_strtoul(buf, &e, 10);
29641 if (*buf && (*e == 0 || *e == '\n')) {
29642- atomic_set(&rdev->corrected_errors, n);
29643+ atomic_set_unchecked(&rdev->corrected_errors, n);
29644 return len;
29645 }
29646 return -EINVAL;
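Review bot: The changed `atomic_set_unchecked(&rdev->corrected_errors, n)` stores an `unsigned long` parsed by simple_strtoul into an int-sized counter, so a sysfs write above INT_MAX is silently wrapped rather than rejected; the type swap is the only change here, but it is a good moment to add the range check that was already missing. A one-line guard inside the existing condition would do: `if (n > INT_MAX) return -EINVAL;` before the set, or switch the parse to kstrtouint() if that helper is available in this tree. errors_store's signature and the declaration of `len` are outside the hunk.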
29647@@ -3042,8 +3042,8 @@ int md_rdev_init(mdk_rdev_t *rdev)
29648 rdev->sb_loaded = 0;
29649 rdev->bb_page = NULL;
29650 atomic_set(&rdev->nr_pending, 0);
29651- atomic_set(&rdev->read_errors, 0);
29652- atomic_set(&rdev->corrected_errors, 0);
29653+ atomic_set_unchecked(&rdev->read_errors, 0);
29654+ atomic_set_unchecked(&rdev->corrected_errors, 0);
29655
29656 INIT_LIST_HEAD(&rdev->same_set);
29657 init_waitqueue_head(&rdev->blocked_wait);
29658@@ -6667,7 +6667,7 @@ static int md_seq_show(struct seq_file *
29659
29660 spin_unlock(&pers_lock);
29661 seq_printf(seq, "\n");
29662- seq->poll_event = atomic_read(&md_event_count);
29663+ seq->poll_event = atomic_read_unchecked(&md_event_count);
29664 return 0;
29665 }
29666 if (v == (void*)2) {
29667@@ -6756,7 +6756,7 @@ static int md_seq_show(struct seq_file *
29668 chunk_kb ? "KB" : "B");
29669 if (bitmap->file) {
29670 seq_printf(seq, ", file: ");
29671- seq_path(seq, &bitmap->file->f_path, " \t\n");
29672+ seq_path(seq, &bitmap->file->f_path, " \t\n\\");
29673 }
29674
29675 seq_printf(seq, "\n");
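Review bot: Adding `\\` to the seq_path escape set changes what /proc/mdstat prints for a bitmap file whose path contains a backslash, and nothing in the hunk records that this is intentional, so a reader is likely to take the extra character for a typo. I would add `/* escape '\\' as well, so a literal backslash in the path cannot be mistaken for one of seq_path's own escape sequences */` on the line above the call. Whether userspace parsers of mdstat cope with the escaped form is not something the hunk shows; it is worth a check if any are known.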
29676@@ -6787,7 +6787,7 @@ static int md_seq_open(struct inode *ino
29677 return error;
29678
29679 seq = file->private_data;
29680- seq->poll_event = atomic_read(&md_event_count);
29681+ seq->poll_event = atomic_read_unchecked(&md_event_count);
29682 return error;
29683 }
29684
29685@@ -6801,7 +6801,7 @@ static unsigned int mdstat_poll(struct f
29686 /* always allow read */
29687 mask = POLLIN | POLLRDNORM;
29688
29689- if (seq->poll_event != atomic_read(&md_event_count))
29690+ if (seq->poll_event != atomic_read_unchecked(&md_event_count))
29691 mask |= POLLERR | POLLPRI;
29692 return mask;
29693 }
29694@@ -6845,7 +6845,7 @@ static int is_mddev_idle(mddev_t *mddev,
29695 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
29696 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
29697 (int)part_stat_read(&disk->part0, sectors[1]) -
29698- atomic_read(&disk->sync_io);
29699+ atomic_read_unchecked(&disk->sync_io);
29700 /* sync IO will cause sync_io to increase before the disk_stats
29701 * as sync_io is counted when a request starts, and
29702 * disk_stats is counted when it completes.
29703diff -urNp linux-3.1.1/drivers/md/md.h linux-3.1.1/drivers/md/md.h
29704--- linux-3.1.1/drivers/md/md.h 2011-11-11 15:19:27.000000000 -0500
29705+++ linux-3.1.1/drivers/md/md.h 2011-11-16 18:39:07.000000000 -0500
29706@@ -124,13 +124,13 @@ struct mdk_rdev_s
29707 * only maintained for arrays that
29708 * support hot removal
29709 */
29710- atomic_t read_errors; /* number of consecutive read errors that
29711+ atomic_unchecked_t read_errors; /* number of consecutive read errors that
29712 * we have tried to ignore.
29713 */
29714 struct timespec last_read_error; /* monotonic time since our
29715 * last read error
29716 */
29717- atomic_t corrected_errors; /* number of corrected read errors,
29718+ atomic_unchecked_t corrected_errors; /* number of corrected read errors,
29719 * for reporting to userspace and storing
29720 * in superblock.
29721 */
29722@@ -415,7 +415,7 @@ static inline void rdev_dec_pending(mdk_
29723
29724 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
29725 {
29726- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
29727+ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
29728 }
29729
29730 struct mdk_personality
29731diff -urNp linux-3.1.1/drivers/md/raid10.c linux-3.1.1/drivers/md/raid10.c
29732--- linux-3.1.1/drivers/md/raid10.c 2011-11-11 15:19:27.000000000 -0500
29733+++ linux-3.1.1/drivers/md/raid10.c 2011-11-16 18:39:07.000000000 -0500
29734@@ -1423,7 +1423,7 @@ static void end_sync_read(struct bio *bi
29735 /* The write handler will notice the lack of
29736 * R10BIO_Uptodate and record any errors etc
29737 */
29738- atomic_add(r10_bio->sectors,
29739+ atomic_add_unchecked(r10_bio->sectors,
29740 &conf->mirrors[d].rdev->corrected_errors);
29741
29742 /* for reconstruct, we always reschedule after a read.
29743@@ -1723,7 +1723,7 @@ static void check_decay_read_errors(mdde
29744 {
29745 struct timespec cur_time_mon;
29746 unsigned long hours_since_last;
29747- unsigned int read_errors = atomic_read(&rdev->read_errors);
29748+ unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
29749
29750 ktime_get_ts(&cur_time_mon);
29751
29752@@ -1745,9 +1745,9 @@ static void check_decay_read_errors(mdde
29753 * overflowing the shift of read_errors by hours_since_last.
29754 */
29755 if (hours_since_last >= 8 * sizeof(read_errors))
29756- atomic_set(&rdev->read_errors, 0);
29757+ atomic_set_unchecked(&rdev->read_errors, 0);
29758 else
29759- atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
29760+ atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
29761 }
29762
29763 static int r10_sync_page_io(mdk_rdev_t *rdev, sector_t sector,
29764@@ -1797,8 +1797,8 @@ static void fix_read_error(conf_t *conf,
29765 return;
29766
29767 check_decay_read_errors(mddev, rdev);
29768- atomic_inc(&rdev->read_errors);
29769- if (atomic_read(&rdev->read_errors) > max_read_errors) {
29770+ atomic_inc_unchecked(&rdev->read_errors);
29771+ if (atomic_read_unchecked(&rdev->read_errors) > max_read_errors) {
29772 char b[BDEVNAME_SIZE];
29773 bdevname(rdev->bdev, b);
29774
29775@@ -1806,7 +1806,7 @@ static void fix_read_error(conf_t *conf,
29776 "md/raid10:%s: %s: Raid device exceeded "
29777 "read_error threshold [cur %d:max %d]\n",
29778 mdname(mddev), b,
29779- atomic_read(&rdev->read_errors), max_read_errors);
29780+ atomic_read_unchecked(&rdev->read_errors), max_read_errors);
29781 printk(KERN_NOTICE
29782 "md/raid10:%s: %s: Failing raid device\n",
29783 mdname(mddev), b);
29784@@ -1951,7 +1951,7 @@ static void fix_read_error(conf_t *conf,
29785 (unsigned long long)(
29786 sect + rdev->data_offset),
29787 bdevname(rdev->bdev, b));
29788- atomic_add(s, &rdev->corrected_errors);
29789+ atomic_add_unchecked(s, &rdev->corrected_errors);
29790 }
29791
29792 rdev_dec_pending(rdev, mddev);
29793diff -urNp linux-3.1.1/drivers/md/raid1.c linux-3.1.1/drivers/md/raid1.c
29794--- linux-3.1.1/drivers/md/raid1.c 2011-11-11 15:19:27.000000000 -0500
29795+++ linux-3.1.1/drivers/md/raid1.c 2011-11-16 18:39:07.000000000 -0500
29796@@ -1541,7 +1541,7 @@ static int fix_sync_read_error(r1bio_t *
29797 if (r1_sync_page_io(rdev, sect, s,
29798 bio->bi_io_vec[idx].bv_page,
29799 READ) != 0)
29800- atomic_add(s, &rdev->corrected_errors);
29801+ atomic_add_unchecked(s, &rdev->corrected_errors);
29802 }
29803 sectors -= s;
29804 sect += s;
29805@@ -1754,7 +1754,7 @@ static void fix_read_error(conf_t *conf,
29806 test_bit(In_sync, &rdev->flags)) {
29807 if (r1_sync_page_io(rdev, sect, s,
29808 conf->tmppage, READ)) {
29809- atomic_add(s, &rdev->corrected_errors);
29810+ atomic_add_unchecked(s, &rdev->corrected_errors);
29811 printk(KERN_INFO
29812 "md/raid1:%s: read error corrected "
29813 "(%d sectors at %llu on %s)\n",
29814diff -urNp linux-3.1.1/drivers/md/raid5.c linux-3.1.1/drivers/md/raid5.c
29815--- linux-3.1.1/drivers/md/raid5.c 2011-11-11 15:19:27.000000000 -0500
29816+++ linux-3.1.1/drivers/md/raid5.c 2011-11-16 18:40:10.000000000 -0500
29817@@ -1616,19 +1616,19 @@ static void raid5_end_read_request(struc
29818 (unsigned long long)(sh->sector
29819 + rdev->data_offset),
29820 bdevname(rdev->bdev, b));
29821- atomic_add(STRIPE_SECTORS, &rdev->corrected_errors);
29822+ atomic_add_unchecked(STRIPE_SECTORS, &rdev->corrected_errors);
29823 clear_bit(R5_ReadError, &sh->dev[i].flags);
29824 clear_bit(R5_ReWrite, &sh->dev[i].flags);
29825 }
29826- if (atomic_read(&conf->disks[i].rdev->read_errors))
29827- atomic_set(&conf->disks[i].rdev->read_errors, 0);
29828+ if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
29829+ atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
29830 } else {
29831 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
29832 int retry = 0;
29833 rdev = conf->disks[i].rdev;
29834
29835 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
29836- atomic_inc(&rdev->read_errors);
29837+ atomic_inc_unchecked(&rdev->read_errors);
29838 if (conf->mddev->degraded >= conf->max_degraded)
29839 printk_ratelimited(
29840 KERN_WARNING
29841@@ -1648,7 +1648,7 @@ static void raid5_end_read_request(struc
29842 (unsigned long long)(sh->sector
29843 + rdev->data_offset),
29844 bdn);
29845- else if (atomic_read(&rdev->read_errors)
29846+ else if (atomic_read_unchecked(&rdev->read_errors)
29847 > conf->max_nr_stripes)
29848 printk(KERN_WARNING
29849 "md/raid:%s: Too many read errors, failing device %s.\n",
29850@@ -1978,6 +1978,7 @@ static sector_t compute_blocknr(struct s
29851 sector_t r_sector;
29852 struct stripe_head sh2;
29853
29854+ pax_track_stack();
29855
29856 chunk_offset = sector_div(new_sector, sectors_per_chunk);
29857 stripe = new_sector;
29858diff -urNp linux-3.1.1/drivers/media/common/saa7146_hlp.c linux-3.1.1/drivers/media/common/saa7146_hlp.c
29859--- linux-3.1.1/drivers/media/common/saa7146_hlp.c 2011-11-11 15:19:27.000000000 -0500
29860+++ linux-3.1.1/drivers/media/common/saa7146_hlp.c 2011-11-16 18:40:10.000000000 -0500
29861@@ -353,6 +353,8 @@ static void calculate_clipping_registers
29862
29863 int x[32], y[32], w[32], h[32];
29864
29865+ pax_track_stack();
29866+
29867 /* clear out memory */
29868 memset(&line_list[0], 0x00, sizeof(u32)*32);
29869 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
29870diff -urNp linux-3.1.1/drivers/media/dvb/ddbridge/ddbridge-core.c linux-3.1.1/drivers/media/dvb/ddbridge/ddbridge-core.c
29871--- linux-3.1.1/drivers/media/dvb/ddbridge/ddbridge-core.c 2011-11-11 15:19:27.000000000 -0500
29872+++ linux-3.1.1/drivers/media/dvb/ddbridge/ddbridge-core.c 2011-11-16 18:39:07.000000000 -0500
29873@@ -1675,7 +1675,7 @@ static struct ddb_info ddb_v6 = {
29874 .subvendor = _subvend, .subdevice = _subdev, \
29875 .driver_data = (unsigned long)&_driverdata }
29876
29877-static const struct pci_device_id ddb_id_tbl[] __devinitdata = {
29878+static const struct pci_device_id ddb_id_tbl[] __devinitconst = {
29879 DDB_ID(DDVID, 0x0002, DDVID, 0x0001, ddb_octopus),
29880 DDB_ID(DDVID, 0x0003, DDVID, 0x0001, ddb_octopus),
29881 DDB_ID(DDVID, 0x0003, DDVID, 0x0002, ddb_octopus_le),
29882diff -urNp linux-3.1.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-3.1.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
29883--- linux-3.1.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-11-11 15:19:27.000000000 -0500
29884+++ linux-3.1.1/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-11-16 18:40:10.000000000 -0500
29885@@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
29886 u8 buf[HOST_LINK_BUF_SIZE];
29887 int i;
29888
29889+ pax_track_stack();
29890+
29891 dprintk("%s\n", __func__);
29892
29893 /* check if we have space for a link buf in the rx_buffer */
29894@@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
29895 unsigned long timeout;
29896 int written;
29897
29898+ pax_track_stack();
29899+
29900 dprintk("%s\n", __func__);
29901
29902 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
29903diff -urNp linux-3.1.1/drivers/media/dvb/dvb-core/dvb_demux.h linux-3.1.1/drivers/media/dvb/dvb-core/dvb_demux.h
29904--- linux-3.1.1/drivers/media/dvb/dvb-core/dvb_demux.h 2011-11-11 15:19:27.000000000 -0500
29905+++ linux-3.1.1/drivers/media/dvb/dvb-core/dvb_demux.h 2011-11-17 18:34:32.000000000 -0500
29906@@ -73,7 +73,7 @@ struct dvb_demux_feed {
29907 union {
29908 dmx_ts_cb ts;
29909 dmx_section_cb sec;
29910- } cb;
29911+ } __no_const cb;
29912
29913 struct dvb_demux *demux;
29914 void *priv;
29915diff -urNp linux-3.1.1/drivers/media/dvb/dvb-core/dvbdev.c linux-3.1.1/drivers/media/dvb/dvb-core/dvbdev.c
29916--- linux-3.1.1/drivers/media/dvb/dvb-core/dvbdev.c 2011-11-11 15:19:27.000000000 -0500
29917+++ linux-3.1.1/drivers/media/dvb/dvb-core/dvbdev.c 2011-11-16 18:39:07.000000000 -0500
29918@@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
29919 const struct dvb_device *template, void *priv, int type)
29920 {
29921 struct dvb_device *dvbdev;
29922- struct file_operations *dvbdevfops;
29923+ file_operations_no_const *dvbdevfops;
29924 struct device *clsdev;
29925 int minor;
29926 int id;
29927diff -urNp linux-3.1.1/drivers/media/dvb/dvb-usb/cxusb.c linux-3.1.1/drivers/media/dvb/dvb-usb/cxusb.c
29928--- linux-3.1.1/drivers/media/dvb/dvb-usb/cxusb.c 2011-11-11 15:19:27.000000000 -0500
29929+++ linux-3.1.1/drivers/media/dvb/dvb-usb/cxusb.c 2011-11-16 18:39:07.000000000 -0500
29930@@ -1059,7 +1059,7 @@ static struct dib0070_config dib7070p_di
29931 struct dib0700_adapter_state {
29932 int (*set_param_save) (struct dvb_frontend *,
29933 struct dvb_frontend_parameters *);
29934-};
29935+} __no_const;
29936
29937 static int dib7070_set_param_override(struct dvb_frontend *fe,
29938 struct dvb_frontend_parameters *fep)
29939diff -urNp linux-3.1.1/drivers/media/dvb/dvb-usb/dib0700_core.c linux-3.1.1/drivers/media/dvb/dvb-usb/dib0700_core.c
29940--- linux-3.1.1/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-11-11 15:19:27.000000000 -0500
29941+++ linux-3.1.1/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-11-16 18:40:10.000000000 -0500
29942@@ -478,6 +478,8 @@ int dib0700_download_firmware(struct usb
29943 if (!buf)
29944 return -ENOMEM;
29945
29946+ pax_track_stack();
29947+
29948 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
29949 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",
29950 hx.addr, hx.len, hx.chk);
29951diff -urNp linux-3.1.1/drivers/media/dvb/dvb-usb/dw2102.c linux-3.1.1/drivers/media/dvb/dvb-usb/dw2102.c
29952--- linux-3.1.1/drivers/media/dvb/dvb-usb/dw2102.c 2011-11-11 15:19:27.000000000 -0500
29953+++ linux-3.1.1/drivers/media/dvb/dvb-usb/dw2102.c 2011-11-16 18:39:07.000000000 -0500
29954@@ -95,7 +95,7 @@ struct su3000_state {
29955
29956 struct s6x0_state {
29957 int (*old_set_voltage)(struct dvb_frontend *f, fe_sec_voltage_t v);
29958-};
29959+} __no_const;
29960
29961 /* debug */
29962 static int dvb_usb_dw2102_debug;
29963diff -urNp linux-3.1.1/drivers/media/dvb/dvb-usb/lmedm04.c linux-3.1.1/drivers/media/dvb/dvb-usb/lmedm04.c
29964--- linux-3.1.1/drivers/media/dvb/dvb-usb/lmedm04.c 2011-11-11 15:19:27.000000000 -0500
29965+++ linux-3.1.1/drivers/media/dvb/dvb-usb/lmedm04.c 2011-11-16 18:40:10.000000000 -0500
29966@@ -742,6 +742,7 @@ static int lme2510_download_firmware(str
29967 usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
29968 0x06, 0x80, 0x0200, 0x00, data, 0x0109, 1000);
29969
29970+ pax_track_stack();
29971
29972 data[0] = 0x8a;
29973 len_in = 1;
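Review bot: The `pax_track_stack()` call is dropped between two statements in the middle of lme2510_download_firmware, after the usb_control_msg() call, whereas every other insertion in this series sits directly after the local declarations and is followed by a blank line; this one also has no blank line separating it from the surrounding code. Moving it up to the declaration block, as the neighbouring lme_coldreset hunk does, keeps the pattern uniform and easy to grep for. The start of the function, with its declarations, is outside the hunk.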
29974@@ -764,6 +765,8 @@ static void lme_coldreset(struct usb_dev
29975 int ret = 0, len_in;
29976 u8 data[512] = {0};
29977
29978+ pax_track_stack();
29979+
29980 data[0] = 0x0a;
29981 len_in = 1;
29982 info("FRM Firmware Cold Reset");
29983diff -urNp linux-3.1.1/drivers/media/dvb/frontends/dib3000.h linux-3.1.1/drivers/media/dvb/frontends/dib3000.h
29984--- linux-3.1.1/drivers/media/dvb/frontends/dib3000.h 2011-11-11 15:19:27.000000000 -0500
29985+++ linux-3.1.1/drivers/media/dvb/frontends/dib3000.h 2011-11-17 18:38:05.000000000 -0500
29986@@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
29987 int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
29988 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
29989 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
29990-};
29991+} __no_const;
29992
29993 #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
29994 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
29995diff -urNp linux-3.1.1/drivers/media/dvb/frontends/mb86a16.c linux-3.1.1/drivers/media/dvb/frontends/mb86a16.c
29996--- linux-3.1.1/drivers/media/dvb/frontends/mb86a16.c 2011-11-11 15:19:27.000000000 -0500
29997+++ linux-3.1.1/drivers/media/dvb/frontends/mb86a16.c 2011-11-16 18:40:10.000000000 -0500
29998@@ -1060,6 +1060,8 @@ static int mb86a16_set_fe(struct mb86a16
29999 int ret = -1;
30000 int sync;
30001
30002+ pax_track_stack();
30003+
30004 dprintk(verbose, MB86A16_INFO, 1, "freq=%d Mhz, symbrt=%d Ksps", state->frequency, state->srate);
30005
30006 fcp = 3000;
30007diff -urNp linux-3.1.1/drivers/media/dvb/frontends/or51211.c linux-3.1.1/drivers/media/dvb/frontends/or51211.c
30008--- linux-3.1.1/drivers/media/dvb/frontends/or51211.c 2011-11-11 15:19:27.000000000 -0500
30009+++ linux-3.1.1/drivers/media/dvb/frontends/or51211.c 2011-11-16 18:40:10.000000000 -0500
30010@@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
30011 u8 tudata[585];
30012 int i;
30013
30014+ pax_track_stack();
30015+
30016 dprintk("Firmware is %zd bytes\n",fw->size);
30017
30018 /* Get eprom data */
30019diff -urNp linux-3.1.1/drivers/media/dvb/ngene/ngene-cards.c linux-3.1.1/drivers/media/dvb/ngene/ngene-cards.c
30020--- linux-3.1.1/drivers/media/dvb/ngene/ngene-cards.c 2011-11-11 15:19:27.000000000 -0500
30021+++ linux-3.1.1/drivers/media/dvb/ngene/ngene-cards.c 2011-11-16 18:39:07.000000000 -0500
30022@@ -477,7 +477,7 @@ static struct ngene_info ngene_info_m780
30023
30024 /****************************************************************************/
30025
30026-static const struct pci_device_id ngene_id_tbl[] __devinitdata = {
30027+static const struct pci_device_id ngene_id_tbl[] __devinitconst = {
30028 NGENE_ID(0x18c3, 0xabc3, ngene_info_cineS2),
30029 NGENE_ID(0x18c3, 0xabc4, ngene_info_cineS2),
30030 NGENE_ID(0x18c3, 0xdb01, ngene_info_satixS2),
30031diff -urNp linux-3.1.1/drivers/media/radio/radio-cadet.c linux-3.1.1/drivers/media/radio/radio-cadet.c
30032--- linux-3.1.1/drivers/media/radio/radio-cadet.c 2011-11-11 15:19:27.000000000 -0500
30033+++ linux-3.1.1/drivers/media/radio/radio-cadet.c 2011-11-16 18:39:07.000000000 -0500
30034@@ -326,6 +326,8 @@ static ssize_t cadet_read(struct file *f
30035 unsigned char readbuf[RDS_BUFFER];
30036 int i = 0;
30037
30038+ if (count > RDS_BUFFER)
30039+ return -EFAULT;
30040 mutex_lock(&dev->lock);
30041 if (dev->rdsstat == 0) {
30042 dev->rdsstat = 1;
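Review bot: The new check returns `-EFAULT` for an oversized `count`, but EFAULT means "bad user address" and a caller passing a large buffer has done nothing of the kind; read(2) semantics would be to clamp and return a short read, and a hard rejection should use -EINVAL. I would change the two added lines to `if (count > RDS_BUFFER) count = RDS_BUFFER;`, which presumably still bounds the later copy into `readbuf[RDS_BUFFER]` — that loop is outside the hunk, so I am inferring that is what the guard protects. Either way a one-line comment saying what the limit guards would help the next reader.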
30043diff -urNp linux-3.1.1/drivers/media/video/au0828/au0828.h linux-3.1.1/drivers/media/video/au0828/au0828.h
30044--- linux-3.1.1/drivers/media/video/au0828/au0828.h 2011-11-11 15:19:27.000000000 -0500
30045+++ linux-3.1.1/drivers/media/video/au0828/au0828.h 2011-11-16 18:39:07.000000000 -0500
30046@@ -191,7 +191,7 @@ struct au0828_dev {
30047
30048 /* I2C */
30049 struct i2c_adapter i2c_adap;
30050- struct i2c_algorithm i2c_algo;
30051+ i2c_algorithm_no_const i2c_algo;
30052 struct i2c_client i2c_client;
30053 u32 i2c_rc;
30054
30055diff -urNp linux-3.1.1/drivers/media/video/cx18/cx18-driver.c linux-3.1.1/drivers/media/video/cx18/cx18-driver.c
30056--- linux-3.1.1/drivers/media/video/cx18/cx18-driver.c 2011-11-11 15:19:27.000000000 -0500
30057+++ linux-3.1.1/drivers/media/video/cx18/cx18-driver.c 2011-11-16 18:40:10.000000000 -0500
30058@@ -327,6 +327,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
30059 struct i2c_client c;
30060 u8 eedata[256];
30061
30062+ pax_track_stack();
30063+
30064 memset(&c, 0, sizeof(c));
30065 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
30066 c.adapter = &cx->i2c_adap[0];
30067diff -urNp linux-3.1.1/drivers/media/video/cx23885/cx23885-input.c linux-3.1.1/drivers/media/video/cx23885/cx23885-input.c
30068--- linux-3.1.1/drivers/media/video/cx23885/cx23885-input.c 2011-11-11 15:19:27.000000000 -0500
30069+++ linux-3.1.1/drivers/media/video/cx23885/cx23885-input.c 2011-11-16 18:40:10.000000000 -0500
30070@@ -53,6 +53,8 @@ static void cx23885_input_process_measur
30071 bool handle = false;
30072 struct ir_raw_event ir_core_event[64];
30073
30074+ pax_track_stack();
30075+
30076 do {
30077 num = 0;
30078 v4l2_subdev_call(dev->sd_ir, ir, rx_read, (u8 *) ir_core_event,
30079diff -urNp linux-3.1.1/drivers/media/video/cx88/cx88-alsa.c linux-3.1.1/drivers/media/video/cx88/cx88-alsa.c
30080--- linux-3.1.1/drivers/media/video/cx88/cx88-alsa.c 2011-11-11 15:19:27.000000000 -0500
30081+++ linux-3.1.1/drivers/media/video/cx88/cx88-alsa.c 2011-11-16 18:39:07.000000000 -0500
30082@@ -766,7 +766,7 @@ static struct snd_kcontrol_new snd_cx88_
30083 * Only boards with eeprom and byte 1 at eeprom=1 have it
30084 */
30085
30086-static const struct pci_device_id const cx88_audio_pci_tbl[] __devinitdata = {
30087+static const struct pci_device_id const cx88_audio_pci_tbl[] __devinitconst = {
30088 {0x14f1,0x8801,PCI_ANY_ID,PCI_ANY_ID,0,0,0},
30089 {0x14f1,0x8811,PCI_ANY_ID,PCI_ANY_ID,0,0,0},
30090 {0, }
30091diff -urNp linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
30092--- linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-11-11 15:19:27.000000000 -0500
30093+++ linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-11-16 18:40:10.000000000 -0500
30094@@ -120,6 +120,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
30095 u8 *eeprom;
30096 struct tveeprom tvdata;
30097
30098+ pax_track_stack();
30099+
30100 memset(&tvdata,0,sizeof(tvdata));
30101
30102 eeprom = pvr2_eeprom_fetch(hdw);
30103diff -urNp linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h
30104--- linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-11-11 15:19:27.000000000 -0500
30105+++ linux-3.1.1/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-11-16 18:39:07.000000000 -0500
30106@@ -196,7 +196,7 @@ struct pvr2_hdw {
30107
30108 /* I2C stuff */
30109 struct i2c_adapter i2c_adap;
30110- struct i2c_algorithm i2c_algo;
30111+ i2c_algorithm_no_const i2c_algo;
30112 pvr2_i2c_func i2c_func[PVR2_I2C_FUNC_CNT];
30113 int i2c_cx25840_hack_state;
30114 int i2c_linked;
30115diff -urNp linux-3.1.1/drivers/media/video/saa7134/saa6752hs.c linux-3.1.1/drivers/media/video/saa7134/saa6752hs.c
30116--- linux-3.1.1/drivers/media/video/saa7134/saa6752hs.c 2011-11-11 15:19:27.000000000 -0500
30117+++ linux-3.1.1/drivers/media/video/saa7134/saa6752hs.c 2011-11-16 18:40:10.000000000 -0500
30118@@ -682,6 +682,8 @@ static int saa6752hs_init(struct v4l2_su
30119 unsigned char localPAT[256];
30120 unsigned char localPMT[256];
30121
30122+ pax_track_stack();
30123+
30124 /* Set video format - must be done first as it resets other settings */
30125 set_reg8(client, 0x41, h->video_format);
30126
30127diff -urNp linux-3.1.1/drivers/media/video/saa7164/saa7164-cmd.c linux-3.1.1/drivers/media/video/saa7164/saa7164-cmd.c
30128--- linux-3.1.1/drivers/media/video/saa7164/saa7164-cmd.c 2011-11-11 15:19:27.000000000 -0500
30129+++ linux-3.1.1/drivers/media/video/saa7164/saa7164-cmd.c 2011-11-16 18:40:10.000000000 -0500
30130@@ -88,6 +88,8 @@ int saa7164_irq_dequeue(struct saa7164_d
30131 u8 tmp[512];
30132 dprintk(DBGLVL_CMD, "%s()\n", __func__);
30133
30134+ pax_track_stack();
30135+
30136 /* While any outstand message on the bus exists... */
30137 do {
30138
30139@@ -141,6 +143,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
30140 u8 tmp[512];
30141 dprintk(DBGLVL_CMD, "%s()\n", __func__);
30142
30143+ pax_track_stack();
30144+
30145 while (loop) {
30146
30147 struct tmComResInfo tRsp = { 0, 0, 0, 0, 0, 0 };
30148diff -urNp linux-3.1.1/drivers/media/video/timblogiw.c linux-3.1.1/drivers/media/video/timblogiw.c
30149--- linux-3.1.1/drivers/media/video/timblogiw.c 2011-11-11 15:19:27.000000000 -0500
30150+++ linux-3.1.1/drivers/media/video/timblogiw.c 2011-11-17 18:36:32.000000000 -0500
30151@@ -744,7 +744,7 @@ static int timblogiw_mmap(struct file *f
30152
30153 /* Platform device functions */
30154
30155-static __devinitconst struct v4l2_ioctl_ops timblogiw_ioctl_ops = {
30156+static __devinitconst v4l2_ioctl_ops_no_const timblogiw_ioctl_ops = {
30157 .vidioc_querycap = timblogiw_querycap,
30158 .vidioc_enum_fmt_vid_cap = timblogiw_enum_fmt,
30159 .vidioc_g_fmt_vid_cap = timblogiw_g_fmt,
30160@@ -766,7 +766,7 @@ static __devinitconst struct v4l2_ioctl_
30161 .vidioc_enum_framesizes = timblogiw_enum_framesizes,
30162 };
30163
30164-static __devinitconst struct v4l2_file_operations timblogiw_fops = {
30165+static __devinitconst v4l2_file_operations_no_const timblogiw_fops = {
30166 .owner = THIS_MODULE,
30167 .open = timblogiw_open,
30168 .release = timblogiw_close,
30169diff -urNp linux-3.1.1/drivers/media/video/usbvision/usbvision-core.c linux-3.1.1/drivers/media/video/usbvision/usbvision-core.c
30170--- linux-3.1.1/drivers/media/video/usbvision/usbvision-core.c 2011-11-11 15:19:27.000000000 -0500
30171+++ linux-3.1.1/drivers/media/video/usbvision/usbvision-core.c 2011-11-16 18:40:10.000000000 -0500
30172@@ -707,6 +707,8 @@ static enum parse_state usbvision_parse_
30173 unsigned char rv, gv, bv;
30174 static unsigned char *Y, *U, *V;
30175
30176+ pax_track_stack();
30177+
30178 frame = usbvision->cur_frame;
30179 image_size = frame->frmwidth * frame->frmheight;
30180 if ((frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
30181diff -urNp linux-3.1.1/drivers/media/video/videobuf-dma-sg.c linux-3.1.1/drivers/media/video/videobuf-dma-sg.c
30182--- linux-3.1.1/drivers/media/video/videobuf-dma-sg.c 2011-11-11 15:19:27.000000000 -0500
30183+++ linux-3.1.1/drivers/media/video/videobuf-dma-sg.c 2011-11-16 18:40:10.000000000 -0500
30184@@ -607,6 +607,8 @@ void *videobuf_sg_alloc(size_t size)
30185 {
30186 struct videobuf_queue q;
30187
30188+ pax_track_stack();
30189+
30190 /* Required to make generic handler to call __videobuf_alloc */
30191 q.int_ops = &sg_ops;
30192
30193diff -urNp linux-3.1.1/drivers/message/fusion/mptbase.c linux-3.1.1/drivers/message/fusion/mptbase.c
30194--- linux-3.1.1/drivers/message/fusion/mptbase.c 2011-11-11 15:19:27.000000000 -0500
30195+++ linux-3.1.1/drivers/message/fusion/mptbase.c 2011-11-16 18:40:10.000000000 -0500
30196@@ -6681,8 +6681,13 @@ static int mpt_iocinfo_proc_show(struct
30197 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
30198 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
30199
30200+#ifdef CONFIG_GRKERNSEC_HIDESYM
30201+ seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
30202+#else
30203 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
30204 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
30205+#endif
30206+
30207 /*
30208 * Rounding UP to nearest 4-kB boundary here...
30209 */
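Review bot: In the CONFIG_GRKERNSEC_HIDESYM branch the format still carries a `0x` prefix while the arguments are NULL, and as far as I recall the kernel's `%p` renders a NULL pointer as `(null)`, so the line would read `RequestFrames @ 0x(null) (Dma @ 0x(null))`, which looks like a bug to anyone reading the proc file. Unless HIDESYM is meant to stay independent of kptr_restrict, the cleaner fix is a single unconditional call using `%pK`, which this kernel already supports: `seq_printf(m, " RequestFrames @ 0x%pK (Dma @ 0x%pK)\n", (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);`. If the ifdef is kept, drop the `0x` and print a fixed placeholder in the hidden branch rather than passing NULL through `%p`.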
30210diff -urNp linux-3.1.1/drivers/message/fusion/mptsas.c linux-3.1.1/drivers/message/fusion/mptsas.c
30211--- linux-3.1.1/drivers/message/fusion/mptsas.c 2011-11-11 15:19:27.000000000 -0500
30212+++ linux-3.1.1/drivers/message/fusion/mptsas.c 2011-11-16 18:39:07.000000000 -0500
30213@@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
30214 return 0;
30215 }
30216
30217+static inline void
30218+mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
30219+{
30220+ if (phy_info->port_details) {
30221+ phy_info->port_details->rphy = rphy;
30222+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
30223+ ioc->name, rphy));
30224+ }
30225+
30226+ if (rphy) {
30227+ dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
30228+ &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
30229+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
30230+ ioc->name, rphy, rphy->dev.release));
30231+ }
30232+}
30233+
30234 /* no mutex */
30235 static void
30236 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
30237@@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
30238 return NULL;
30239 }
30240
30241-static inline void
30242-mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
30243-{
30244- if (phy_info->port_details) {
30245- phy_info->port_details->rphy = rphy;
30246- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
30247- ioc->name, rphy));
30248- }
30249-
30250- if (rphy) {
30251- dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
30252- &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
30253- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
30254- ioc->name, rphy, rphy->dev.release));
30255- }
30256-}
30257-
30258 static inline struct sas_port *
30259 mptsas_get_port(struct mptsas_phyinfo *phy_info)
30260 {
30261diff -urNp linux-3.1.1/drivers/message/fusion/mptscsih.c linux-3.1.1/drivers/message/fusion/mptscsih.c
30262--- linux-3.1.1/drivers/message/fusion/mptscsih.c 2011-11-11 15:19:27.000000000 -0500
30263+++ linux-3.1.1/drivers/message/fusion/mptscsih.c 2011-11-16 18:39:07.000000000 -0500
30264@@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
30265
30266 h = shost_priv(SChost);
30267
30268- if (h) {
30269- if (h->info_kbuf == NULL)
30270- if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
30271- return h->info_kbuf;
30272- h->info_kbuf[0] = '\0';
30273+ if (!h)
30274+ return NULL;
30275
30276- mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
30277- h->info_kbuf[size-1] = '\0';
30278- }
30279+ if (h->info_kbuf == NULL)
30280+ if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
30281+ return h->info_kbuf;
30282+ h->info_kbuf[0] = '\0';
30283+
30284+ mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
30285+ h->info_kbuf[size-1] = '\0';
30286
30287 return h->info_kbuf;
30288 }
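Review bot: The restructured allocation keeps the old nested brace-less `if` inside an `if`, with an assignment in the condition and a `return h->info_kbuf` that is only ever returning NULL, which is harder to read than the early-return shape the hunk is otherwise introducing. I would write it as `if (!h->info_kbuf) h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL);` followed by `if (!h->info_kbuf) return NULL;`. The `size` variable written by mpt_print_ioc_summary() and indexed as `size-1` is declared outside the hunk; if it can come back as 0 that index underflows, which is pre-existing but worth a glance while here.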
30289diff -urNp linux-3.1.1/drivers/message/i2o/i2o_config.c linux-3.1.1/drivers/message/i2o/i2o_config.c
30290--- linux-3.1.1/drivers/message/i2o/i2o_config.c 2011-11-11 15:19:27.000000000 -0500
30291+++ linux-3.1.1/drivers/message/i2o/i2o_config.c 2011-11-16 18:40:10.000000000 -0500
30292@@ -781,6 +781,8 @@ static int i2o_cfg_passthru(unsigned lon
30293 struct i2o_message *msg;
30294 unsigned int iop;
30295
30296+ pax_track_stack();
30297+
30298 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
30299 return -EFAULT;
30300
30301diff -urNp linux-3.1.1/drivers/message/i2o/i2o_proc.c linux-3.1.1/drivers/message/i2o/i2o_proc.c
30302--- linux-3.1.1/drivers/message/i2o/i2o_proc.c 2011-11-11 15:19:27.000000000 -0500
30303+++ linux-3.1.1/drivers/message/i2o/i2o_proc.c 2011-11-16 18:39:07.000000000 -0500
30304@@ -255,13 +255,6 @@ static char *scsi_devices[] = {
30305 "Array Controller Device"
30306 };
30307
30308-static char *chtostr(u8 * chars, int n)
30309-{
30310- char tmp[256];
30311- tmp[0] = 0;
30312- return strncat(tmp, (char *)chars, n);
30313-}
30314-
30315 static int i2o_report_query_status(struct seq_file *seq, int block_status,
30316 char *group)
30317 {
30318@@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
30319
30320 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
30321 seq_printf(seq, "%-#8x", ddm_table.module_id);
30322- seq_printf(seq, "%-29s",
30323- chtostr(ddm_table.module_name_version, 28));
30324+ seq_printf(seq, "%-.28s", ddm_table.module_name_version);
30325 seq_printf(seq, "%9d ", ddm_table.data_size);
30326 seq_printf(seq, "%8d", ddm_table.code_size);
30327
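Review bot: The replacement format `%-.28s` drops the minimum field width that `%-29s` provided, so a module_name_version shorter than 28 bytes no longer pads its column and the `%9d` data_size field that follows shifts left, breaking the alignment of the ddm table in /proc. Width and precision can be combined to keep both the bound and the layout: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The precision itself is the right replacement for chtostr, since module_name_version comes from the controller and, as far as the hunk shows, is not guaranteed to be NUL-terminated. i2o_seq_show_ddm_table starts and ends outside the hunk.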
30328@@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
30329
30330 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
30331 seq_printf(seq, "%-#8x", dst->module_id);
30332- seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
30333- seq_printf(seq, "%-9s", chtostr(dst->date, 8));
30334+ seq_printf(seq, "%-.28s", dst->module_name_version);
30335+ seq_printf(seq, "%-.8s", dst->date);
30336 seq_printf(seq, "%8d ", dst->module_size);
30337 seq_printf(seq, "%8d ", dst->mpb_size);
30338 seq_printf(seq, "0x%04x", dst->module_flags);
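Review bot: Both new formats lose the column width the old ones had (`%-29s` and `%-9s` padded; `%-.28s` and `%-.8s` do not), so short names and dates shift the `%8d` module_size column that follows. Keeping the width alongside the precision preserves the table layout while still bounding the read: `seq_printf(seq, "%-29.28s", dst->module_name_version);` and `seq_printf(seq, "%-9.8s", dst->date);`. i2o_seq_show_drivers_stored starts and ends outside the hunk.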
30339@@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
30340 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
30341 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
30342 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
30343- seq_printf(seq, "Vendor info : %s\n",
30344- chtostr((u8 *) (work32 + 2), 16));
30345- seq_printf(seq, "Product info : %s\n",
30346- chtostr((u8 *) (work32 + 6), 16));
30347- seq_printf(seq, "Description : %s\n",
30348- chtostr((u8 *) (work32 + 10), 16));
30349- seq_printf(seq, "Product rev. : %s\n",
30350- chtostr((u8 *) (work32 + 14), 8));
30351+ seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
30352+ seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
30353+ seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
30354+ seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
30355
30356 seq_printf(seq, "Serial number : ");
30357 print_serial_number(seq, (u8 *) (work32 + 16),
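Review bot: The `(u8 *)` casts were there to satisfy chtostr's parameter type; now that the arguments feed `%.16s`/`%.8s`, which expect a `char *`, the cast is misleading and should be `(const char *)`, e.g. `seq_printf(seq, "Vendor info : %.16s\n", (const char *)(work32 + 2));`. The kernel build normally silences pointer-sign warnings, so this is a readability point rather than a build break. The offsets themselves (words 2, 6, 10, 14 with 16, 16, 16 and 8 bytes) are contiguous and end exactly where the serial number at `work32 + 16` begins, which matches the original. i2o_seq_show_dev_identity starts and ends outside the hunk.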
30358@@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
30359 }
30360
30361 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
30362- seq_printf(seq, "Module name : %s\n",
30363- chtostr(result.module_name, 24));
30364- seq_printf(seq, "Module revision : %s\n",
30365- chtostr(result.module_rev, 8));
30366+ seq_printf(seq, "Module name : %.24s\n", result.module_name);
30367+ seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
30368
30369 seq_printf(seq, "Serial number : ");
30370 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
30371@@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
30372 return 0;
30373 }
30374
30375- seq_printf(seq, "Device name : %s\n",
30376- chtostr(result.device_name, 64));
30377- seq_printf(seq, "Service name : %s\n",
30378- chtostr(result.service_name, 64));
30379- seq_printf(seq, "Physical name : %s\n",
30380- chtostr(result.physical_location, 64));
30381- seq_printf(seq, "Instance number : %s\n",
30382- chtostr(result.instance_number, 4));
30383+ seq_printf(seq, "Device name : %.64s\n", result.device_name);
30384+ seq_printf(seq, "Service name : %.64s\n", result.service_name);
30385+ seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
30386+ seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
30387
30388 return 0;
30389 }
30390diff -urNp linux-3.1.1/drivers/message/i2o/iop.c linux-3.1.1/drivers/message/i2o/iop.c
30391--- linux-3.1.1/drivers/message/i2o/iop.c 2011-11-11 15:19:27.000000000 -0500
30392+++ linux-3.1.1/drivers/message/i2o/iop.c 2011-11-16 18:39:07.000000000 -0500
30393@@ -111,10 +111,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
30394
30395 spin_lock_irqsave(&c->context_list_lock, flags);
30396
30397- if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
30398- atomic_inc(&c->context_list_counter);
30399+ if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
30400+ atomic_inc_unchecked(&c->context_list_counter);
30401
30402- entry->context = atomic_read(&c->context_list_counter);
30403+ entry->context = atomic_read_unchecked(&c->context_list_counter);
30404
30405 list_add(&entry->list, &c->context_list);
30406
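Review bot: Switching this counter to the `_unchecked` atomics exempts it from PaX refcount-overflow detection, which is correct here because the counter is meant to wrap (the `inc_and_test` followed by a second `inc` exists only to skip the value 0), but nothing in the code says so and the next reader may "fix" it back. A one-line comment above the test would record the intent: `/* context IDs deliberately wrap; 0 is reserved, so skip it (unchecked: this is an ID generator, not a refcount) */`. This also requires `context_list_counter` to be declared `atomic_unchecked_t` in the controller struct, which lives in a header outside this hunk. i2o_cntxt_list_add starts and ends outside the hunk.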
30407@@ -1077,7 +1077,7 @@ struct i2o_controller *i2o_iop_alloc(voi
30408
30409 #if BITS_PER_LONG == 64
30410 spin_lock_init(&c->context_list_lock);
30411- atomic_set(&c->context_list_counter, 0);
30412+ atomic_set_unchecked(&c->context_list_counter, 0);
30413 INIT_LIST_HEAD(&c->context_list);
30414 #endif
30415
30416diff -urNp linux-3.1.1/drivers/mfd/ab3100-core.c linux-3.1.1/drivers/mfd/ab3100-core.c
30417--- linux-3.1.1/drivers/mfd/ab3100-core.c 2011-11-11 15:19:27.000000000 -0500
30418+++ linux-3.1.1/drivers/mfd/ab3100-core.c 2011-11-16 18:39:07.000000000 -0500
30419@@ -809,7 +809,7 @@ struct ab_family_id {
30420 char *name;
30421 };
30422
30423-static const struct ab_family_id ids[] __devinitdata = {
30424+static const struct ab_family_id ids[] __devinitconst = {
30425 /* AB3100 */
30426 {
30427 .id = 0xc0,
30428diff -urNp linux-3.1.1/drivers/mfd/abx500-core.c linux-3.1.1/drivers/mfd/abx500-core.c
30429--- linux-3.1.1/drivers/mfd/abx500-core.c 2011-11-11 15:19:27.000000000 -0500
30430+++ linux-3.1.1/drivers/mfd/abx500-core.c 2011-11-16 18:39:07.000000000 -0500
30431@@ -14,7 +14,7 @@ static LIST_HEAD(abx500_list);
30432
30433 struct abx500_device_entry {
30434 struct list_head list;
30435- struct abx500_ops ops;
30436+ abx500_ops_no_const ops;
30437 struct device *dev;
30438 };
30439
30440diff -urNp linux-3.1.1/drivers/mfd/janz-cmodio.c linux-3.1.1/drivers/mfd/janz-cmodio.c
30441--- linux-3.1.1/drivers/mfd/janz-cmodio.c 2011-11-11 15:19:27.000000000 -0500
30442+++ linux-3.1.1/drivers/mfd/janz-cmodio.c 2011-11-16 18:39:07.000000000 -0500
30443@@ -13,6 +13,7 @@
30444
30445 #include <linux/kernel.h>
30446 #include <linux/module.h>
30447+#include <linux/slab.h>
30448 #include <linux/init.h>
30449 #include <linux/pci.h>
30450 #include <linux/interrupt.h>
30451diff -urNp linux-3.1.1/drivers/mfd/wm8350-i2c.c linux-3.1.1/drivers/mfd/wm8350-i2c.c
30452--- linux-3.1.1/drivers/mfd/wm8350-i2c.c 2011-11-11 15:19:27.000000000 -0500
30453+++ linux-3.1.1/drivers/mfd/wm8350-i2c.c 2011-11-16 18:40:10.000000000 -0500
30454@@ -44,6 +44,8 @@ static int wm8350_i2c_write_device(struc
30455 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
30456 int ret;
30457
30458+ pax_track_stack();
30459+
30460 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
30461 return -EINVAL;
30462
30463diff -urNp linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.c linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.c
30464--- linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.c 2011-11-11 15:19:27.000000000 -0500
30465+++ linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.c 2011-11-16 18:39:07.000000000 -0500
30466@@ -437,7 +437,7 @@ static irqreturn_t lis302dl_interrupt(in
30467 * the lid is closed. This leads to interrupts as soon as a little move
30468 * is done.
30469 */
30470- atomic_inc(&lis3_dev.count);
30471+ atomic_inc_unchecked(&lis3_dev.count);
30472
30473 wake_up_interruptible(&lis3_dev.misc_wait);
30474 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
30475@@ -520,7 +520,7 @@ static int lis3lv02d_misc_open(struct in
30476 if (lis3_dev.pm_dev)
30477 pm_runtime_get_sync(lis3_dev.pm_dev);
30478
30479- atomic_set(&lis3_dev.count, 0);
30480+ atomic_set_unchecked(&lis3_dev.count, 0);
30481 return 0;
30482 }
30483
30484@@ -547,7 +547,7 @@ static ssize_t lis3lv02d_misc_read(struc
30485 add_wait_queue(&lis3_dev.misc_wait, &wait);
30486 while (true) {
30487 set_current_state(TASK_INTERRUPTIBLE);
30488- data = atomic_xchg(&lis3_dev.count, 0);
30489+ data = atomic_xchg_unchecked(&lis3_dev.count, 0);
30490 if (data)
30491 break;
30492
30493@@ -585,7 +585,7 @@ out:
30494 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
30495 {
30496 poll_wait(file, &lis3_dev.misc_wait, wait);
30497- if (atomic_read(&lis3_dev.count))
30498+ if (atomic_read_unchecked(&lis3_dev.count))
30499 return POLLIN | POLLRDNORM;
30500 return 0;
30501 }
30502diff -urNp linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.h linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.h
30503--- linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.h 2011-11-11 15:19:27.000000000 -0500
30504+++ linux-3.1.1/drivers/misc/lis3lv02d/lis3lv02d.h 2011-11-16 18:39:07.000000000 -0500
30505@@ -265,7 +265,7 @@ struct lis3lv02d {
30506 struct input_polled_dev *idev; /* input device */
30507 struct platform_device *pdev; /* platform device */
30508 struct regulator_bulk_data regulators[2];
30509- atomic_t count; /* interrupt count after last read */
30510+ atomic_unchecked_t count; /* interrupt count after last read */
30511 union axis_conversion ac; /* hw -> logical axis */
30512 int mapped_btns[3];
30513
30514diff -urNp linux-3.1.1/drivers/misc/sgi-gru/gruhandles.c linux-3.1.1/drivers/misc/sgi-gru/gruhandles.c
30515--- linux-3.1.1/drivers/misc/sgi-gru/gruhandles.c 2011-11-11 15:19:27.000000000 -0500
30516+++ linux-3.1.1/drivers/misc/sgi-gru/gruhandles.c 2011-11-16 18:39:07.000000000 -0500
30517@@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
30518 unsigned long nsec;
30519
30520 nsec = CLKS2NSEC(clks);
30521- atomic_long_inc(&mcs_op_statistics[op].count);
30522- atomic_long_add(nsec, &mcs_op_statistics[op].total);
30523+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
30524+ atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
30525 if (mcs_op_statistics[op].max < nsec)
30526 mcs_op_statistics[op].max = nsec;
30527 }
30528diff -urNp linux-3.1.1/drivers/misc/sgi-gru/gruprocfs.c linux-3.1.1/drivers/misc/sgi-gru/gruprocfs.c
30529--- linux-3.1.1/drivers/misc/sgi-gru/gruprocfs.c 2011-11-11 15:19:27.000000000 -0500
30530+++ linux-3.1.1/drivers/misc/sgi-gru/gruprocfs.c 2011-11-16 18:39:07.000000000 -0500
30531@@ -32,9 +32,9 @@
30532
30533 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
30534
30535-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
30536+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
30537 {
30538- unsigned long val = atomic_long_read(v);
30539+ unsigned long val = atomic_long_read_unchecked(v);
30540
30541 seq_printf(s, "%16lu %s\n", val, id);
30542 }
30543@@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
30544
30545 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
30546 for (op = 0; op < mcsop_last; op++) {
30547- count = atomic_long_read(&mcs_op_statistics[op].count);
30548- total = atomic_long_read(&mcs_op_statistics[op].total);
30549+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
30550+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
30551 max = mcs_op_statistics[op].max;
30552 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
30553 count ? total / count : 0, max);
30554diff -urNp linux-3.1.1/drivers/misc/sgi-gru/grutables.h linux-3.1.1/drivers/misc/sgi-gru/grutables.h
30555--- linux-3.1.1/drivers/misc/sgi-gru/grutables.h 2011-11-11 15:19:27.000000000 -0500
30556+++ linux-3.1.1/drivers/misc/sgi-gru/grutables.h 2011-11-16 18:39:07.000000000 -0500
30557@@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
30558 * GRU statistics.
30559 */
30560 struct gru_stats_s {
30561- atomic_long_t vdata_alloc;
30562- atomic_long_t vdata_free;
30563- atomic_long_t gts_alloc;
30564- atomic_long_t gts_free;
30565- atomic_long_t gms_alloc;
30566- atomic_long_t gms_free;
30567- atomic_long_t gts_double_allocate;
30568- atomic_long_t assign_context;
30569- atomic_long_t assign_context_failed;
30570- atomic_long_t free_context;
30571- atomic_long_t load_user_context;
30572- atomic_long_t load_kernel_context;
30573- atomic_long_t lock_kernel_context;
30574- atomic_long_t unlock_kernel_context;
30575- atomic_long_t steal_user_context;
30576- atomic_long_t steal_kernel_context;
30577- atomic_long_t steal_context_failed;
30578- atomic_long_t nopfn;
30579- atomic_long_t asid_new;
30580- atomic_long_t asid_next;
30581- atomic_long_t asid_wrap;
30582- atomic_long_t asid_reuse;
30583- atomic_long_t intr;
30584- atomic_long_t intr_cbr;
30585- atomic_long_t intr_tfh;
30586- atomic_long_t intr_spurious;
30587- atomic_long_t intr_mm_lock_failed;
30588- atomic_long_t call_os;
30589- atomic_long_t call_os_wait_queue;
30590- atomic_long_t user_flush_tlb;
30591- atomic_long_t user_unload_context;
30592- atomic_long_t user_exception;
30593- atomic_long_t set_context_option;
30594- atomic_long_t check_context_retarget_intr;
30595- atomic_long_t check_context_unload;
30596- atomic_long_t tlb_dropin;
30597- atomic_long_t tlb_preload_page;
30598- atomic_long_t tlb_dropin_fail_no_asid;
30599- atomic_long_t tlb_dropin_fail_upm;
30600- atomic_long_t tlb_dropin_fail_invalid;
30601- atomic_long_t tlb_dropin_fail_range_active;
30602- atomic_long_t tlb_dropin_fail_idle;
30603- atomic_long_t tlb_dropin_fail_fmm;
30604- atomic_long_t tlb_dropin_fail_no_exception;
30605- atomic_long_t tfh_stale_on_fault;
30606- atomic_long_t mmu_invalidate_range;
30607- atomic_long_t mmu_invalidate_page;
30608- atomic_long_t flush_tlb;
30609- atomic_long_t flush_tlb_gru;
30610- atomic_long_t flush_tlb_gru_tgh;
30611- atomic_long_t flush_tlb_gru_zero_asid;
30612-
30613- atomic_long_t copy_gpa;
30614- atomic_long_t read_gpa;
30615-
30616- atomic_long_t mesq_receive;
30617- atomic_long_t mesq_receive_none;
30618- atomic_long_t mesq_send;
30619- atomic_long_t mesq_send_failed;
30620- atomic_long_t mesq_noop;
30621- atomic_long_t mesq_send_unexpected_error;
30622- atomic_long_t mesq_send_lb_overflow;
30623- atomic_long_t mesq_send_qlimit_reached;
30624- atomic_long_t mesq_send_amo_nacked;
30625- atomic_long_t mesq_send_put_nacked;
30626- atomic_long_t mesq_page_overflow;
30627- atomic_long_t mesq_qf_locked;
30628- atomic_long_t mesq_qf_noop_not_full;
30629- atomic_long_t mesq_qf_switch_head_failed;
30630- atomic_long_t mesq_qf_unexpected_error;
30631- atomic_long_t mesq_noop_unexpected_error;
30632- atomic_long_t mesq_noop_lb_overflow;
30633- atomic_long_t mesq_noop_qlimit_reached;
30634- atomic_long_t mesq_noop_amo_nacked;
30635- atomic_long_t mesq_noop_put_nacked;
30636- atomic_long_t mesq_noop_page_overflow;
30637+ atomic_long_unchecked_t vdata_alloc;
30638+ atomic_long_unchecked_t vdata_free;
30639+ atomic_long_unchecked_t gts_alloc;
30640+ atomic_long_unchecked_t gts_free;
30641+ atomic_long_unchecked_t gms_alloc;
30642+ atomic_long_unchecked_t gms_free;
30643+ atomic_long_unchecked_t gts_double_allocate;
30644+ atomic_long_unchecked_t assign_context;
30645+ atomic_long_unchecked_t assign_context_failed;
30646+ atomic_long_unchecked_t free_context;
30647+ atomic_long_unchecked_t load_user_context;
30648+ atomic_long_unchecked_t load_kernel_context;
30649+ atomic_long_unchecked_t lock_kernel_context;
30650+ atomic_long_unchecked_t unlock_kernel_context;
30651+ atomic_long_unchecked_t steal_user_context;
30652+ atomic_long_unchecked_t steal_kernel_context;
30653+ atomic_long_unchecked_t steal_context_failed;
30654+ atomic_long_unchecked_t nopfn;
30655+ atomic_long_unchecked_t asid_new;
30656+ atomic_long_unchecked_t asid_next;
30657+ atomic_long_unchecked_t asid_wrap;
30658+ atomic_long_unchecked_t asid_reuse;
30659+ atomic_long_unchecked_t intr;
30660+ atomic_long_unchecked_t intr_cbr;
30661+ atomic_long_unchecked_t intr_tfh;
30662+ atomic_long_unchecked_t intr_spurious;
30663+ atomic_long_unchecked_t intr_mm_lock_failed;
30664+ atomic_long_unchecked_t call_os;
30665+ atomic_long_unchecked_t call_os_wait_queue;
30666+ atomic_long_unchecked_t user_flush_tlb;
30667+ atomic_long_unchecked_t user_unload_context;
30668+ atomic_long_unchecked_t user_exception;
30669+ atomic_long_unchecked_t set_context_option;
30670+ atomic_long_unchecked_t check_context_retarget_intr;
30671+ atomic_long_unchecked_t check_context_unload;
30672+ atomic_long_unchecked_t tlb_dropin;
30673+ atomic_long_unchecked_t tlb_preload_page;
30674+ atomic_long_unchecked_t tlb_dropin_fail_no_asid;
30675+ atomic_long_unchecked_t tlb_dropin_fail_upm;
30676+ atomic_long_unchecked_t tlb_dropin_fail_invalid;
30677+ atomic_long_unchecked_t tlb_dropin_fail_range_active;
30678+ atomic_long_unchecked_t tlb_dropin_fail_idle;
30679+ atomic_long_unchecked_t tlb_dropin_fail_fmm;
30680+ atomic_long_unchecked_t tlb_dropin_fail_no_exception;
30681+ atomic_long_unchecked_t tfh_stale_on_fault;
30682+ atomic_long_unchecked_t mmu_invalidate_range;
30683+ atomic_long_unchecked_t mmu_invalidate_page;
30684+ atomic_long_unchecked_t flush_tlb;
30685+ atomic_long_unchecked_t flush_tlb_gru;
30686+ atomic_long_unchecked_t flush_tlb_gru_tgh;
30687+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
30688+
30689+ atomic_long_unchecked_t copy_gpa;
30690+ atomic_long_unchecked_t read_gpa;
30691+
30692+ atomic_long_unchecked_t mesq_receive;
30693+ atomic_long_unchecked_t mesq_receive_none;
30694+ atomic_long_unchecked_t mesq_send;
30695+ atomic_long_unchecked_t mesq_send_failed;
30696+ atomic_long_unchecked_t mesq_noop;
30697+ atomic_long_unchecked_t mesq_send_unexpected_error;
30698+ atomic_long_unchecked_t mesq_send_lb_overflow;
30699+ atomic_long_unchecked_t mesq_send_qlimit_reached;
30700+ atomic_long_unchecked_t mesq_send_amo_nacked;
30701+ atomic_long_unchecked_t mesq_send_put_nacked;
30702+ atomic_long_unchecked_t mesq_page_overflow;
30703+ atomic_long_unchecked_t mesq_qf_locked;
30704+ atomic_long_unchecked_t mesq_qf_noop_not_full;
30705+ atomic_long_unchecked_t mesq_qf_switch_head_failed;
30706+ atomic_long_unchecked_t mesq_qf_unexpected_error;
30707+ atomic_long_unchecked_t mesq_noop_unexpected_error;
30708+ atomic_long_unchecked_t mesq_noop_lb_overflow;
30709+ atomic_long_unchecked_t mesq_noop_qlimit_reached;
30710+ atomic_long_unchecked_t mesq_noop_amo_nacked;
30711+ atomic_long_unchecked_t mesq_noop_put_nacked;
30712+ atomic_long_unchecked_t mesq_noop_page_overflow;
30713
30714 };
30715
30716@@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
30717 tghop_invalidate, mcsop_last};
30718
30719 struct mcs_op_statistic {
30720- atomic_long_t count;
30721- atomic_long_t total;
30722+ atomic_long_unchecked_t count;
30723+ atomic_long_unchecked_t total;
30724 unsigned long max;
30725 };
30726
30727@@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
30728
30729 #define STAT(id) do { \
30730 if (gru_options & OPT_STATS) \
30731- atomic_long_inc(&gru_stats.id); \
30732+ atomic_long_inc_unchecked(&gru_stats.id); \
30733 } while (0)
30734
30735 #ifdef CONFIG_SGI_GRU_DEBUG
30736diff -urNp linux-3.1.1/drivers/misc/sgi-xp/xpc.h linux-3.1.1/drivers/misc/sgi-xp/xpc.h
30737--- linux-3.1.1/drivers/misc/sgi-xp/xpc.h 2011-11-11 15:19:27.000000000 -0500
30738+++ linux-3.1.1/drivers/misc/sgi-xp/xpc.h 2011-11-16 18:39:07.000000000 -0500
30739@@ -835,6 +835,7 @@ struct xpc_arch_operations {
30740 void (*received_payload) (struct xpc_channel *, void *);
30741 void (*notify_senders_of_disconnect) (struct xpc_channel *);
30742 };
30743+typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const;
30744
30745 /* struct xpc_partition act_state values (for XPC HB) */
30746
30747@@ -876,7 +877,7 @@ extern struct xpc_registration xpc_regis
30748 /* found in xpc_main.c */
30749 extern struct device *xpc_part;
30750 extern struct device *xpc_chan;
30751-extern struct xpc_arch_operations xpc_arch_ops;
30752+extern xpc_arch_operations_no_const xpc_arch_ops;
30753 extern int xpc_disengage_timelimit;
30754 extern int xpc_disengage_timedout;
30755 extern int xpc_activate_IRQ_rcvd;
30756diff -urNp linux-3.1.1/drivers/misc/sgi-xp/xpc_main.c linux-3.1.1/drivers/misc/sgi-xp/xpc_main.c
30757--- linux-3.1.1/drivers/misc/sgi-xp/xpc_main.c 2011-11-11 15:19:27.000000000 -0500
30758+++ linux-3.1.1/drivers/misc/sgi-xp/xpc_main.c 2011-11-16 18:39:07.000000000 -0500
30759@@ -162,7 +162,7 @@ static struct notifier_block xpc_die_not
30760 .notifier_call = xpc_system_die,
30761 };
30762
30763-struct xpc_arch_operations xpc_arch_ops;
30764+xpc_arch_operations_no_const xpc_arch_ops;
30765
30766 /*
30767 * Timer function to enforce the timelimit on the partition disengage.
30768diff -urNp linux-3.1.1/drivers/misc/sgi-xp/xp.h linux-3.1.1/drivers/misc/sgi-xp/xp.h
30769--- linux-3.1.1/drivers/misc/sgi-xp/xp.h 2011-11-11 15:19:27.000000000 -0500
30770+++ linux-3.1.1/drivers/misc/sgi-xp/xp.h 2011-11-16 18:39:07.000000000 -0500
30771@@ -289,7 +289,7 @@ struct xpc_interface {
30772 xpc_notify_func, void *);
30773 void (*received) (short, int, void *);
30774 enum xp_retval (*partid_to_nasids) (short, void *);
30775-};
30776+} __no_const;
30777
30778 extern struct xpc_interface xpc_interface;
30779
30780diff -urNp linux-3.1.1/drivers/mmc/host/sdhci-pci.c linux-3.1.1/drivers/mmc/host/sdhci-pci.c
30781--- linux-3.1.1/drivers/mmc/host/sdhci-pci.c 2011-11-11 15:19:27.000000000 -0500
30782+++ linux-3.1.1/drivers/mmc/host/sdhci-pci.c 2011-11-16 18:39:07.000000000 -0500
30783@@ -542,7 +542,7 @@ static const struct sdhci_pci_fixes sdhc
30784 .probe = via_probe,
30785 };
30786
30787-static const struct pci_device_id pci_ids[] __devinitdata = {
30788+static const struct pci_device_id pci_ids[] __devinitconst = {
30789 {
30790 .vendor = PCI_VENDOR_ID_RICOH,
30791 .device = PCI_DEVICE_ID_RICOH_R5C822,
30792diff -urNp linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0001.c linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0001.c
30793--- linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0001.c 2011-11-11 15:19:27.000000000 -0500
30794+++ linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0001.c 2011-11-16 18:40:10.000000000 -0500
30795@@ -757,6 +757,8 @@ static int chip_ready (struct map_info *
30796 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
30797 unsigned long timeo = jiffies + HZ;
30798
30799+ pax_track_stack();
30800+
30801 /* Prevent setting state FL_SYNCING for chip in suspended state. */
30802 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
30803 goto sleep;
30804@@ -1653,6 +1655,8 @@ static int __xipram do_write_buffer(stru
30805 unsigned long initial_adr;
30806 int initial_len = len;
30807
30808+ pax_track_stack();
30809+
30810 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
30811 adr += chip->start;
30812 initial_adr = adr;
30813@@ -1871,6 +1875,8 @@ static int __xipram do_erase_oneblock(st
30814 int retries = 3;
30815 int ret;
30816
30817+ pax_track_stack();
30818+
30819 adr += chip->start;
30820
30821 retry:
30822diff -urNp linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0020.c linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0020.c
30823--- linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0020.c 2011-11-11 15:19:27.000000000 -0500
30824+++ linux-3.1.1/drivers/mtd/chips/cfi_cmdset_0020.c 2011-11-16 18:40:10.000000000 -0500
30825@@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
30826 unsigned long cmd_addr;
30827 struct cfi_private *cfi = map->fldrv_priv;
30828
30829+ pax_track_stack();
30830+
30831 adr += chip->start;
30832
30833 /* Ensure cmd read/writes are aligned. */
30834@@ -429,6 +431,8 @@ static inline int do_write_buffer(struct
30835 DECLARE_WAITQUEUE(wait, current);
30836 int wbufsize, z;
30837
30838+ pax_track_stack();
30839+
30840 /* M58LW064A requires bus alignment for buffer wriets -- saw */
30841 if (adr & (map_bankwidth(map)-1))
30842 return -EINVAL;
30843@@ -743,6 +747,8 @@ static inline int do_erase_oneblock(stru
30844 DECLARE_WAITQUEUE(wait, current);
30845 int ret = 0;
30846
30847+ pax_track_stack();
30848+
30849 adr += chip->start;
30850
30851 /* Let's determine this according to the interleave only once */
30852@@ -1048,6 +1054,8 @@ static inline int do_lock_oneblock(struc
30853 unsigned long timeo = jiffies + HZ;
30854 DECLARE_WAITQUEUE(wait, current);
30855
30856+ pax_track_stack();
30857+
30858 adr += chip->start;
30859
30860 /* Let's determine this according to the interleave only once */
30861@@ -1197,6 +1205,8 @@ static inline int do_unlock_oneblock(str
30862 unsigned long timeo = jiffies + HZ;
30863 DECLARE_WAITQUEUE(wait, current);
30864
30865+ pax_track_stack();
30866+
30867 adr += chip->start;
30868
30869 /* Let's determine this according to the interleave only once */
30870diff -urNp linux-3.1.1/drivers/mtd/devices/doc2000.c linux-3.1.1/drivers/mtd/devices/doc2000.c
30871--- linux-3.1.1/drivers/mtd/devices/doc2000.c 2011-11-11 15:19:27.000000000 -0500
30872+++ linux-3.1.1/drivers/mtd/devices/doc2000.c 2011-11-16 18:39:07.000000000 -0500
30873@@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
30874
30875 /* The ECC will not be calculated correctly if less than 512 is written */
30876 /* DBB-
30877- if (len != 0x200 && eccbuf)
30878+ if (len != 0x200)
30879 printk(KERN_WARNING
30880 "ECC needs a full sector write (adr: %lx size %lx)\n",
30881 (long) to, (long) len);
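Review bot: The edited `if (len != 0x200)` line sits inside the `/* DBB-` comment opened two lines above it, so as far as the visible lines show this hunk changes commented-out code only and has no effect on the driver; the comment's closing `*/` is not in view, so this is inferred from the opener. If the intent was to drop the stale `eccbuf` reference, deleting the whole dead `/* DBB- ... */` block is the cleaner change; if the warning is meant to be live again, the comment markers need to go, not just the condition. doc_write starts and ends outside the hunk.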
30882diff -urNp linux-3.1.1/drivers/mtd/devices/doc2001.c linux-3.1.1/drivers/mtd/devices/doc2001.c
30883--- linux-3.1.1/drivers/mtd/devices/doc2001.c 2011-11-11 15:19:27.000000000 -0500
30884+++ linux-3.1.1/drivers/mtd/devices/doc2001.c 2011-11-16 18:39:07.000000000 -0500
30885@@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
30886 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
30887
30888 /* Don't allow read past end of device */
30889- if (from >= this->totlen)
30890+ if (from >= this->totlen || !len)
30891 return -EINVAL;
30892
30893 /* Don't allow a single read to cross a 512-byte block boundary */
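Review bot: The new `|| !len` guard rejects zero-length reads with -EINVAL without saying why, and the existing comment above it ("Don't allow read past end of device") no longer describes the whole condition. Presumably the read path further down, outside this hunk, computes on `len - 1` and would underflow for 0; if so, put that reason next to the check: `/* len == 0 would underflow the len - 1 arithmetic in the pipelined read below */`. Also worth confirming that no caller relies on a zero-length read succeeding with `*retlen = 0`, since this turns it into an error. doc_read's body continues outside the hunk.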
30894diff -urNp linux-3.1.1/drivers/mtd/ftl.c linux-3.1.1/drivers/mtd/ftl.c
30895--- linux-3.1.1/drivers/mtd/ftl.c 2011-11-11 15:19:27.000000000 -0500
30896+++ linux-3.1.1/drivers/mtd/ftl.c 2011-11-16 18:40:10.000000000 -0500
30897@@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
30898 loff_t offset;
30899 uint16_t srcunitswap = cpu_to_le16(srcunit);
30900
30901+ pax_track_stack();
30902+
30903 eun = &part->EUNInfo[srcunit];
30904 xfer = &part->XferInfo[xferunit];
30905 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
30906diff -urNp linux-3.1.1/drivers/mtd/inftlcore.c linux-3.1.1/drivers/mtd/inftlcore.c
30907--- linux-3.1.1/drivers/mtd/inftlcore.c 2011-11-11 15:19:27.000000000 -0500
30908+++ linux-3.1.1/drivers/mtd/inftlcore.c 2011-11-16 18:40:10.000000000 -0500
30909@@ -259,6 +259,8 @@ static u16 INFTL_foldchain(struct INFTLr
30910 struct inftl_oob oob;
30911 size_t retlen;
30912
30913+ pax_track_stack();
30914+
30915 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
30916 "pending=%d)\n", inftl, thisVUC, pendingblock);
30917
30918diff -urNp linux-3.1.1/drivers/mtd/inftlmount.c linux-3.1.1/drivers/mtd/inftlmount.c
30919--- linux-3.1.1/drivers/mtd/inftlmount.c 2011-11-11 15:19:27.000000000 -0500
30920+++ linux-3.1.1/drivers/mtd/inftlmount.c 2011-11-16 18:40:10.000000000 -0500
30921@@ -53,6 +53,8 @@ static int find_boot_record(struct INFTL
30922 struct INFTLPartition *ip;
30923 size_t retlen;
30924
30925+ pax_track_stack();
30926+
30927 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
30928
30929 /*
30930diff -urNp linux-3.1.1/drivers/mtd/lpddr/qinfo_probe.c linux-3.1.1/drivers/mtd/lpddr/qinfo_probe.c
30931--- linux-3.1.1/drivers/mtd/lpddr/qinfo_probe.c 2011-11-11 15:19:27.000000000 -0500
30932+++ linux-3.1.1/drivers/mtd/lpddr/qinfo_probe.c 2011-11-16 18:40:10.000000000 -0500
30933@@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
30934 {
30935 map_word pfow_val[4];
30936
30937+ pax_track_stack();
30938+
30939 /* Check identification string */
30940 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
30941 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
30942diff -urNp linux-3.1.1/drivers/mtd/mtdchar.c linux-3.1.1/drivers/mtd/mtdchar.c
30943--- linux-3.1.1/drivers/mtd/mtdchar.c 2011-11-11 15:19:27.000000000 -0500
30944+++ linux-3.1.1/drivers/mtd/mtdchar.c 2011-11-16 18:40:10.000000000 -0500
30945@@ -554,6 +554,8 @@ static int mtd_ioctl(struct file *file,
30946 u_long size;
30947 struct mtd_info_user info;
30948
30949+ pax_track_stack();
30950+
30951 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
30952
30953 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
30954diff -urNp linux-3.1.1/drivers/mtd/nand/denali.c linux-3.1.1/drivers/mtd/nand/denali.c
30955--- linux-3.1.1/drivers/mtd/nand/denali.c 2011-11-11 15:19:27.000000000 -0500
30956+++ linux-3.1.1/drivers/mtd/nand/denali.c 2011-11-16 18:39:07.000000000 -0500
30957@@ -26,6 +26,7 @@
30958 #include <linux/pci.h>
30959 #include <linux/mtd/mtd.h>
30960 #include <linux/module.h>
30961+#include <linux/slab.h>
30962
30963 #include "denali.h"
30964
30965diff -urNp linux-3.1.1/drivers/mtd/nftlcore.c linux-3.1.1/drivers/mtd/nftlcore.c
30966--- linux-3.1.1/drivers/mtd/nftlcore.c 2011-11-11 15:19:27.000000000 -0500
30967+++ linux-3.1.1/drivers/mtd/nftlcore.c 2011-11-16 18:40:10.000000000 -0500
30968@@ -264,6 +264,8 @@ static u16 NFTL_foldchain (struct NFTLre
30969 int inplace = 1;
30970 size_t retlen;
30971
30972+ pax_track_stack();
30973+
30974 memset(BlockMap, 0xff, sizeof(BlockMap));
30975 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
30976
30977diff -urNp linux-3.1.1/drivers/mtd/nftlmount.c linux-3.1.1/drivers/mtd/nftlmount.c
30978--- linux-3.1.1/drivers/mtd/nftlmount.c 2011-11-11 15:19:27.000000000 -0500
30979+++ linux-3.1.1/drivers/mtd/nftlmount.c 2011-11-16 18:40:10.000000000 -0500
30980@@ -24,6 +24,7 @@
30981 #include <asm/errno.h>
30982 #include <linux/delay.h>
30983 #include <linux/slab.h>
30984+#include <linux/sched.h>
30985 #include <linux/mtd/mtd.h>
30986 #include <linux/mtd/nand.h>
30987 #include <linux/mtd/nftl.h>
30988@@ -45,6 +46,8 @@ static int find_boot_record(struct NFTLr
30989 struct mtd_info *mtd = nftl->mbd.mtd;
30990 unsigned int i;
30991
30992+ pax_track_stack();
30993+
30994 /* Assume logical EraseSize == physical erasesize for starting the scan.
30995 We'll sort it out later if we find a MediaHeader which says otherwise */
30996 /* Actually, we won't. The new DiskOnChip driver has already scanned
30997diff -urNp linux-3.1.1/drivers/mtd/ubi/build.c linux-3.1.1/drivers/mtd/ubi/build.c
30998--- linux-3.1.1/drivers/mtd/ubi/build.c 2011-11-11 15:19:27.000000000 -0500
30999+++ linux-3.1.1/drivers/mtd/ubi/build.c 2011-11-16 18:39:07.000000000 -0500
31000@@ -1311,7 +1311,7 @@ module_exit(ubi_exit);
31001 static int __init bytes_str_to_int(const char *str)
31002 {
31003 char *endp;
31004- unsigned long result;
31005+ unsigned long result, scale = 1;
31006
31007 result = simple_strtoul(str, &endp, 0);
31008 if (str == endp || result >= INT_MAX) {
31009@@ -1322,11 +1322,11 @@ static int __init bytes_str_to_int(const
31010
31011 switch (*endp) {
31012 case 'G':
31013- result *= 1024;
31014+ scale *= 1024;
31015 case 'M':
31016- result *= 1024;
31017+ scale *= 1024;
31018 case 'K':
31019- result *= 1024;
31020+ scale *= 1024;
31021 if (endp[1] == 'i' && endp[2] == 'B')
31022 endp += 2;
31023 case '\0':
31024@@ -1337,7 +1337,13 @@ static int __init bytes_str_to_int(const
31025 return -EINVAL;
31026 }
31027
31028- return result;
31029+ if ((intoverflow_t)result*scale >= INT_MAX) {
31030+ printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
31031+ str);
31032+ return -EINVAL;
31033+ }
31034+
31035+ return result*scale;
31036 }
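Review bot: The overflow check `(intoverflow_t)result*scale >= INT_MAX` is only sound if `intoverflow_t` is at least 64 bits: `result` can be just under INT_MAX and `scale` up to 2^30, so the product needs about 61 bits, which a 32-bit `unsigned long` cannot hold; the typedef is not visible here, so a comment should record that assumption next to the check, e.g. `/* result < INT_MAX and scale <= 2^30: the product needs 64 bits, which intoverflow_t must provide even on 32-bit */`. The earlier `result >= INT_MAX` check in the first hunk and this one together bound the return so the implicit narrowing to `int` is safe. bytes_str_to_int's switch, with its deliberate fall-throughs, is in the preceding hunk.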
31037
31038 /**
31039diff -urNp linux-3.1.1/drivers/net/atlx/atl2.c linux-3.1.1/drivers/net/atlx/atl2.c
31040--- linux-3.1.1/drivers/net/atlx/atl2.c 2011-11-11 15:19:27.000000000 -0500
31041+++ linux-3.1.1/drivers/net/atlx/atl2.c 2011-11-16 18:39:07.000000000 -0500
31042@@ -2857,7 +2857,7 @@ static void atl2_force_ps(struct atl2_hw
31043 */
31044
31045 #define ATL2_PARAM(X, desc) \
31046- static const int __devinitdata X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
31047+ static const int __devinitconst X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
31048 MODULE_PARM(X, "1-" __MODULE_STRING(ATL2_MAX_NIC) "i"); \
31049 MODULE_PARM_DESC(X, desc);
31050 #else
31051diff -urNp linux-3.1.1/drivers/net/bna/bfa_ioc_ct.c linux-3.1.1/drivers/net/bna/bfa_ioc_ct.c
31052--- linux-3.1.1/drivers/net/bna/bfa_ioc_ct.c 2011-11-11 15:19:27.000000000 -0500
31053+++ linux-3.1.1/drivers/net/bna/bfa_ioc_ct.c 2011-11-16 18:39:07.000000000 -0500
31054@@ -48,7 +48,21 @@ static void bfa_ioc_ct_sync_ack(struct b
31055 static bool bfa_ioc_ct_sync_complete(struct bfa_ioc *ioc);
31056 static enum bfa_status bfa_ioc_ct_pll_init(void __iomem *rb, bool fcmode);
31057
31058-static struct bfa_ioc_hwif nw_hwif_ct;
31059+static struct bfa_ioc_hwif nw_hwif_ct = {
31060+ .ioc_pll_init = bfa_ioc_ct_pll_init,
31061+ .ioc_firmware_lock = bfa_ioc_ct_firmware_lock,
31062+ .ioc_firmware_unlock = bfa_ioc_ct_firmware_unlock,
31063+ .ioc_reg_init = bfa_ioc_ct_reg_init,
31064+ .ioc_map_port = bfa_ioc_ct_map_port,
31065+ .ioc_isr_mode_set = bfa_ioc_ct_isr_mode_set,
31066+ .ioc_notify_fail = bfa_ioc_ct_notify_fail,
31067+ .ioc_ownership_reset = bfa_ioc_ct_ownership_reset,
31068+ .ioc_sync_start = bfa_ioc_ct_sync_start,
31069+ .ioc_sync_join = bfa_ioc_ct_sync_join,
31070+ .ioc_sync_leave = bfa_ioc_ct_sync_leave,
31071+ .ioc_sync_ack = bfa_ioc_ct_sync_ack,
31072+ .ioc_sync_complete = bfa_ioc_ct_sync_complete
31073+};
31074
31075 /**
31076 * Called from bfa_ioc_attach() to map asic specific calls.
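Review bot: `nw_hwif_ct` is now fully populated at compile time and, with the runtime assignments removed from bfa_nw_ioc_set_ct_hwif in the following hunk, nothing in this file writes it any more, so it could be declared `static const struct bfa_ioc_hwif nw_hwif_ct = {` to move the function-pointer table into read-only memory. That depends on `ioc->ioc_hwif` being a pointer to const (or on `struct bfa_ioc_hwif` being constified elsewhere in the patch), which is not visible here. If it must remain writable, a comment such as `/* built at compile time; bfa_nw_ioc_set_ct_hwif() only takes its address */` would record that the initializer is the only writer.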
31077@@ -56,20 +70,6 @@ static struct bfa_ioc_hwif nw_hwif_ct;
31078 void
31079 bfa_nw_ioc_set_ct_hwif(struct bfa_ioc *ioc)
31080 {
31081- nw_hwif_ct.ioc_pll_init = bfa_ioc_ct_pll_init;
31082- nw_hwif_ct.ioc_firmware_lock = bfa_ioc_ct_firmware_lock;
31083- nw_hwif_ct.ioc_firmware_unlock = bfa_ioc_ct_firmware_unlock;
31084- nw_hwif_ct.ioc_reg_init = bfa_ioc_ct_reg_init;
31085- nw_hwif_ct.ioc_map_port = bfa_ioc_ct_map_port;
31086- nw_hwif_ct.ioc_isr_mode_set = bfa_ioc_ct_isr_mode_set;
31087- nw_hwif_ct.ioc_notify_fail = bfa_ioc_ct_notify_fail;
31088- nw_hwif_ct.ioc_ownership_reset = bfa_ioc_ct_ownership_reset;
31089- nw_hwif_ct.ioc_sync_start = bfa_ioc_ct_sync_start;
31090- nw_hwif_ct.ioc_sync_join = bfa_ioc_ct_sync_join;
31091- nw_hwif_ct.ioc_sync_leave = bfa_ioc_ct_sync_leave;
31092- nw_hwif_ct.ioc_sync_ack = bfa_ioc_ct_sync_ack;
31093- nw_hwif_ct.ioc_sync_complete = bfa_ioc_ct_sync_complete;
31094-
31095 ioc->ioc_hwif = &nw_hwif_ct;
31096 }
31097
31098diff -urNp linux-3.1.1/drivers/net/bna/bnad.c linux-3.1.1/drivers/net/bna/bnad.c
31099--- linux-3.1.1/drivers/net/bna/bnad.c 2011-11-11 15:19:27.000000000 -0500
31100+++ linux-3.1.1/drivers/net/bna/bnad.c 2011-11-16 18:39:07.000000000 -0500
31101@@ -1673,7 +1673,14 @@ bnad_setup_tx(struct bnad *bnad, uint tx
31102 struct bna_intr_info *intr_info =
31103 &res_info[BNA_TX_RES_INTR_T_TXCMPL].res_u.intr_info;
31104 struct bna_tx_config *tx_config = &bnad->tx_config[tx_id];
31105- struct bna_tx_event_cbfn tx_cbfn;
31106+ static struct bna_tx_event_cbfn tx_cbfn = {
31107+ /* Initialize the tx event handlers */
31108+ .tcb_setup_cbfn = bnad_cb_tcb_setup,
31109+ .tcb_destroy_cbfn = bnad_cb_tcb_destroy,
31110+ .tx_stall_cbfn = bnad_cb_tx_stall,
31111+ .tx_resume_cbfn = bnad_cb_tx_resume,
31112+ .tx_cleanup_cbfn = bnad_cb_tx_cleanup
31113+ };
31114 struct bna_tx *tx;
31115 unsigned long flags;
31116
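Review bot: Making `tx_cbfn` a function-local `static` moves the callback table out of the stack frame into writable static storage shared by every concurrent caller of bnad_setup_tx; since the runtime assignments are removed in the next hunk, nothing writes it after initialization, so `static const struct bna_tx_event_cbfn tx_cbfn = {` would make that guarantee compiler-enforced, provided the consumer the address is passed to accepts a pointer to const (not visible here). The same applies to `rx_cbfn` in the bnad_setup_rx hunk further down. The retained comment `/* Initialize the tx event handlers */` now sits inside an initializer and describes an action that no longer happens at runtime; `/* tx event handlers, fixed for the driver's lifetime */` would read better. bnad_setup_tx begins before this hunk and ends outside it.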
31117@@ -1682,13 +1689,6 @@ bnad_setup_tx(struct bnad *bnad, uint tx
31118 tx_config->txq_depth = bnad->txq_depth;
31119 tx_config->tx_type = BNA_TX_T_REGULAR;
31120
31121- /* Initialize the tx event handlers */
31122- tx_cbfn.tcb_setup_cbfn = bnad_cb_tcb_setup;
31123- tx_cbfn.tcb_destroy_cbfn = bnad_cb_tcb_destroy;
31124- tx_cbfn.tx_stall_cbfn = bnad_cb_tx_stall;
31125- tx_cbfn.tx_resume_cbfn = bnad_cb_tx_resume;
31126- tx_cbfn.tx_cleanup_cbfn = bnad_cb_tx_cleanup;
31127-
31128 /* Get BNA's resource requirement for one tx object */
31129 spin_lock_irqsave(&bnad->bna_lock, flags);
31130 bna_tx_res_req(bnad->num_txq_per_tx,
31131@@ -1819,21 +1819,21 @@ bnad_setup_rx(struct bnad *bnad, uint rx
31132 struct bna_intr_info *intr_info =
31133 &res_info[BNA_RX_RES_T_INTR].res_u.intr_info;
31134 struct bna_rx_config *rx_config = &bnad->rx_config[rx_id];
31135- struct bna_rx_event_cbfn rx_cbfn;
31136+ static struct bna_rx_event_cbfn rx_cbfn = {
31137+ /* Initialize the Rx event handlers */
31138+ .rcb_setup_cbfn = bnad_cb_rcb_setup,
31139+ .rcb_destroy_cbfn = bnad_cb_rcb_destroy,
31140+ .ccb_setup_cbfn = bnad_cb_ccb_setup,
31141+ .ccb_destroy_cbfn = bnad_cb_ccb_destroy,
31142+ .rx_cleanup_cbfn = bnad_cb_rx_cleanup,
31143+ .rx_post_cbfn = bnad_cb_rx_post
31144+ };
31145 struct bna_rx *rx;
31146 unsigned long flags;
31147
31148 /* Initialize the Rx object configuration */
31149 bnad_init_rx_config(bnad, rx_config);
31150
31151- /* Initialize the Rx event handlers */
31152- rx_cbfn.rcb_setup_cbfn = bnad_cb_rcb_setup;
31153- rx_cbfn.rcb_destroy_cbfn = bnad_cb_rcb_destroy;
31154- rx_cbfn.ccb_setup_cbfn = bnad_cb_ccb_setup;
31155- rx_cbfn.ccb_destroy_cbfn = bnad_cb_ccb_destroy;
31156- rx_cbfn.rx_cleanup_cbfn = bnad_cb_rx_cleanup;
31157- rx_cbfn.rx_post_cbfn = bnad_cb_rx_post;
31158-
31159 /* Get BNA's resource requirement for one Rx object */
31160 spin_lock_irqsave(&bnad->bna_lock, flags);
31161 bna_rx_res_req(rx_config, res_info);
31162diff -urNp linux-3.1.1/drivers/net/bnx2.c linux-3.1.1/drivers/net/bnx2.c
31163--- linux-3.1.1/drivers/net/bnx2.c 2011-11-11 15:19:27.000000000 -0500
31164+++ linux-3.1.1/drivers/net/bnx2.c 2011-11-16 18:40:11.000000000 -0500
31165@@ -5877,6 +5877,8 @@ bnx2_test_nvram(struct bnx2 *bp)
31166 int rc = 0;
31167 u32 magic, csum;
31168
31169+ pax_track_stack();
31170+
31171 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
31172 goto test_nvram_done;
31173
31174diff -urNp linux-3.1.1/drivers/net/bnx2x/bnx2x_ethtool.c linux-3.1.1/drivers/net/bnx2x/bnx2x_ethtool.c
31175--- linux-3.1.1/drivers/net/bnx2x/bnx2x_ethtool.c 2011-11-11 15:19:27.000000000 -0500
31176+++ linux-3.1.1/drivers/net/bnx2x/bnx2x_ethtool.c 2011-11-16 18:40:11.000000000 -0500
31177@@ -1943,6 +1943,8 @@ static int bnx2x_test_nvram(struct bnx2x
31178 int i, rc;
31179 u32 magic, crc;
31180
31181+ pax_track_stack();
31182+
31183 if (BP_NOMCP(bp))
31184 return 0;
31185
31186diff -urNp linux-3.1.1/drivers/net/bnx2x/bnx2x_sp.h linux-3.1.1/drivers/net/bnx2x/bnx2x_sp.h
31187--- linux-3.1.1/drivers/net/bnx2x/bnx2x_sp.h 2011-11-11 15:19:27.000000000 -0500
31188+++ linux-3.1.1/drivers/net/bnx2x/bnx2x_sp.h 2011-11-16 18:39:07.000000000 -0500
31189@@ -449,7 +449,7 @@ struct bnx2x_rx_mode_obj {
31190
31191 int (*wait_comp)(struct bnx2x *bp,
31192 struct bnx2x_rx_mode_ramrod_params *p);
31193-};
31194+} __no_const;
31195
31196 /********************** Set multicast group ***********************************/
31197
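Review bot: `__no_const` on `struct bnx2x_rx_mode_obj` exempts this function-pointer struct from being treated as read-only, but nothing records why the exemption is needed; a comment naming the code path that assigns `wait_comp` and the other members at runtime, e.g. `/* __no_const: members are assigned at runtime by <init function> */`, would stop a later cleanup from dropping it and would make it easy to remove once the writers are gone. The same applies to `struct l2t_skb_cb` in the cxgb3/l2t.h hunk that follows, where the annotation is presumably required because the struct is overlaid on `skb->cb` through `L2T_SKB_CB`. Both struct definitions begin before their hunks.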
31198diff -urNp linux-3.1.1/drivers/net/cxgb3/l2t.h linux-3.1.1/drivers/net/cxgb3/l2t.h
31199--- linux-3.1.1/drivers/net/cxgb3/l2t.h 2011-11-11 15:19:27.000000000 -0500
31200+++ linux-3.1.1/drivers/net/cxgb3/l2t.h 2011-11-16 18:39:07.000000000 -0500
31201@@ -87,7 +87,7 @@ typedef void (*arp_failure_handler_func)
31202 */
31203 struct l2t_skb_cb {
31204 arp_failure_handler_func arp_failure_handler;
31205-};
31206+} __no_const;
31207
31208 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
31209
31210diff -urNp linux-3.1.1/drivers/net/cxgb4/cxgb4_main.c linux-3.1.1/drivers/net/cxgb4/cxgb4_main.c
31211--- linux-3.1.1/drivers/net/cxgb4/cxgb4_main.c 2011-11-11 15:19:27.000000000 -0500
31212+++ linux-3.1.1/drivers/net/cxgb4/cxgb4_main.c 2011-11-16 18:40:22.000000000 -0500
31213@@ -3396,6 +3396,8 @@ static int __devinit enable_msix(struct
31214 unsigned int nchan = adap->params.nports;
31215 struct msix_entry entries[MAX_INGQ + 1];
31216
31217+ pax_track_stack();
31218+
31219 for (i = 0; i < ARRAY_SIZE(entries); ++i)
31220 entries[i].entry = i;
31221
31222diff -urNp linux-3.1.1/drivers/net/cxgb4/t4_hw.c linux-3.1.1/drivers/net/cxgb4/t4_hw.c
31223--- linux-3.1.1/drivers/net/cxgb4/t4_hw.c 2011-11-11 15:19:27.000000000 -0500
31224+++ linux-3.1.1/drivers/net/cxgb4/t4_hw.c 2011-11-16 18:40:22.000000000 -0500
31225@@ -362,6 +362,8 @@ static int get_vpd_params(struct adapter
31226 u8 vpd[VPD_LEN], csum;
31227 unsigned int vpdr_len, kw_offset, id_len;
31228
31229+ pax_track_stack();
31230+
31231 ret = pci_read_vpd(adapter->pdev, VPD_BASE, sizeof(vpd), vpd);
31232 if (ret < 0)
31233 return ret;
31234diff -urNp linux-3.1.1/drivers/net/e1000e/82571.c linux-3.1.1/drivers/net/e1000e/82571.c
31235--- linux-3.1.1/drivers/net/e1000e/82571.c 2011-11-11 15:19:27.000000000 -0500
31236+++ linux-3.1.1/drivers/net/e1000e/82571.c 2011-11-16 18:39:07.000000000 -0500
31237@@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
31238 {
31239 struct e1000_hw *hw = &adapter->hw;
31240 struct e1000_mac_info *mac = &hw->mac;
31241- struct e1000_mac_operations *func = &mac->ops;
31242+ e1000_mac_operations_no_const *func = &mac->ops;
31243 u32 swsm = 0;
31244 u32 swsm2 = 0;
31245 bool force_clear_smbi = false;
31246diff -urNp linux-3.1.1/drivers/net/e1000e/es2lan.c linux-3.1.1/drivers/net/e1000e/es2lan.c
31247--- linux-3.1.1/drivers/net/e1000e/es2lan.c 2011-11-11 15:19:27.000000000 -0500
31248+++ linux-3.1.1/drivers/net/e1000e/es2lan.c 2011-11-16 18:39:07.000000000 -0500
31249@@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
31250 {
31251 struct e1000_hw *hw = &adapter->hw;
31252 struct e1000_mac_info *mac = &hw->mac;
31253- struct e1000_mac_operations *func = &mac->ops;
31254+ e1000_mac_operations_no_const *func = &mac->ops;
31255
31256 /* Set media type */
31257 switch (adapter->pdev->device) {
31258diff -urNp linux-3.1.1/drivers/net/e1000e/hw.h linux-3.1.1/drivers/net/e1000e/hw.h
31259--- linux-3.1.1/drivers/net/e1000e/hw.h 2011-11-11 15:19:27.000000000 -0500
31260+++ linux-3.1.1/drivers/net/e1000e/hw.h 2011-11-16 18:39:07.000000000 -0500
31261@@ -778,6 +778,7 @@ struct e1000_mac_operations {
31262 void (*write_vfta)(struct e1000_hw *, u32, u32);
31263 s32 (*read_mac_addr)(struct e1000_hw *);
31264 };
31265+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31266
31267 /*
31268 * When to use various PHY register access functions:
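Review bot: The `*_no_const` typedefs introduced here (and repeated in igb/e1000_hw.h, igbvf/vf.h, ixgbe/ixgbe_type.h and ixgbevf/vf.h below) are the only hint that these ops structs are written after initialization, yet nothing says so; a comment above the first typedef, e.g. `/* ops are patched per chip type at init (see e1000_init_mac_params_*); must stay writable */`, would carry the intent. The 82571.c and es2lan.c hunks above show the writer: `func = &mac->ops` is modified inside the init_mac_params routines. An embedded ops struct of this kind remains in writable memory, so the exemption should be kept as narrow as the writers require. `struct e1000_mac_operations` begins before this hunk.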
31269@@ -818,6 +819,7 @@ struct e1000_phy_operations {
31270 void (*power_up)(struct e1000_hw *);
31271 void (*power_down)(struct e1000_hw *);
31272 };
31273+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
31274
31275 /* Function pointers for the NVM. */
31276 struct e1000_nvm_operations {
31277@@ -829,9 +831,10 @@ struct e1000_nvm_operations {
31278 s32 (*validate)(struct e1000_hw *);
31279 s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
31280 };
31281+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
31282
31283 struct e1000_mac_info {
31284- struct e1000_mac_operations ops;
31285+ e1000_mac_operations_no_const ops;
31286 u8 addr[ETH_ALEN];
31287 u8 perm_addr[ETH_ALEN];
31288
31289@@ -872,7 +875,7 @@ struct e1000_mac_info {
31290 };
31291
31292 struct e1000_phy_info {
31293- struct e1000_phy_operations ops;
31294+ e1000_phy_operations_no_const ops;
31295
31296 enum e1000_phy_type type;
31297
31298@@ -906,7 +909,7 @@ struct e1000_phy_info {
31299 };
31300
31301 struct e1000_nvm_info {
31302- struct e1000_nvm_operations ops;
31303+ e1000_nvm_operations_no_const ops;
31304
31305 enum e1000_nvm_type type;
31306 enum e1000_nvm_override override;
31307diff -urNp linux-3.1.1/drivers/net/fealnx.c linux-3.1.1/drivers/net/fealnx.c
31308--- linux-3.1.1/drivers/net/fealnx.c 2011-11-11 15:19:27.000000000 -0500
31309+++ linux-3.1.1/drivers/net/fealnx.c 2011-11-16 18:39:07.000000000 -0500
31310@@ -150,7 +150,7 @@ struct chip_info {
31311 int flags;
31312 };
31313
31314-static const struct chip_info skel_netdrv_tbl[] __devinitdata = {
31315+static const struct chip_info skel_netdrv_tbl[] __devinitconst = {
31316 { "100/10M Ethernet PCI Adapter", HAS_MII_XCVR },
31317 { "100/10M Ethernet PCI Adapter", HAS_CHIP_XCVR },
31318 { "1000/100/10M Ethernet PCI Adapter", HAS_MII_XCVR },
31319diff -urNp linux-3.1.1/drivers/net/hamradio/6pack.c linux-3.1.1/drivers/net/hamradio/6pack.c
31320--- linux-3.1.1/drivers/net/hamradio/6pack.c 2011-11-11 15:19:27.000000000 -0500
31321+++ linux-3.1.1/drivers/net/hamradio/6pack.c 2011-11-16 18:40:22.000000000 -0500
31322@@ -463,6 +463,8 @@ static void sixpack_receive_buf(struct t
31323 unsigned char buf[512];
31324 int count1;
31325
31326+ pax_track_stack();
31327+
31328 if (!count)
31329 return;
31330
31331diff -urNp linux-3.1.1/drivers/net/igb/e1000_hw.h linux-3.1.1/drivers/net/igb/e1000_hw.h
31332--- linux-3.1.1/drivers/net/igb/e1000_hw.h 2011-11-11 15:19:27.000000000 -0500
31333+++ linux-3.1.1/drivers/net/igb/e1000_hw.h 2011-11-16 18:39:07.000000000 -0500
31334@@ -314,6 +314,7 @@ struct e1000_mac_operations {
31335 s32 (*read_mac_addr)(struct e1000_hw *);
31336 s32 (*get_speed_and_duplex)(struct e1000_hw *, u16 *, u16 *);
31337 };
31338+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31339
31340 struct e1000_phy_operations {
31341 s32 (*acquire)(struct e1000_hw *);
31342@@ -330,6 +331,7 @@ struct e1000_phy_operations {
31343 s32 (*set_d3_lplu_state)(struct e1000_hw *, bool);
31344 s32 (*write_reg)(struct e1000_hw *, u32, u16);
31345 };
31346+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
31347
31348 struct e1000_nvm_operations {
31349 s32 (*acquire)(struct e1000_hw *);
31350@@ -339,6 +341,7 @@ struct e1000_nvm_operations {
31351 s32 (*update)(struct e1000_hw *);
31352 s32 (*validate)(struct e1000_hw *);
31353 };
31354+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
31355
31356 struct e1000_info {
31357 s32 (*get_invariants)(struct e1000_hw *);
31358@@ -350,7 +353,7 @@ struct e1000_info {
31359 extern const struct e1000_info e1000_82575_info;
31360
31361 struct e1000_mac_info {
31362- struct e1000_mac_operations ops;
31363+ e1000_mac_operations_no_const ops;
31364
31365 u8 addr[6];
31366 u8 perm_addr[6];
31367@@ -388,7 +391,7 @@ struct e1000_mac_info {
31368 };
31369
31370 struct e1000_phy_info {
31371- struct e1000_phy_operations ops;
31372+ e1000_phy_operations_no_const ops;
31373
31374 enum e1000_phy_type type;
31375
31376@@ -423,7 +426,7 @@ struct e1000_phy_info {
31377 };
31378
31379 struct e1000_nvm_info {
31380- struct e1000_nvm_operations ops;
31381+ e1000_nvm_operations_no_const ops;
31382 enum e1000_nvm_type type;
31383 enum e1000_nvm_override override;
31384
31385@@ -468,6 +471,7 @@ struct e1000_mbx_operations {
31386 s32 (*check_for_ack)(struct e1000_hw *, u16);
31387 s32 (*check_for_rst)(struct e1000_hw *, u16);
31388 };
31389+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
31390
31391 struct e1000_mbx_stats {
31392 u32 msgs_tx;
31393@@ -479,7 +483,7 @@ struct e1000_mbx_stats {
31394 };
31395
31396 struct e1000_mbx_info {
31397- struct e1000_mbx_operations ops;
31398+ e1000_mbx_operations_no_const ops;
31399 struct e1000_mbx_stats stats;
31400 u32 timeout;
31401 u32 usec_delay;
31402diff -urNp linux-3.1.1/drivers/net/igbvf/vf.h linux-3.1.1/drivers/net/igbvf/vf.h
31403--- linux-3.1.1/drivers/net/igbvf/vf.h 2011-11-11 15:19:27.000000000 -0500
31404+++ linux-3.1.1/drivers/net/igbvf/vf.h 2011-11-16 18:39:07.000000000 -0500
31405@@ -189,9 +189,10 @@ struct e1000_mac_operations {
31406 s32 (*read_mac_addr)(struct e1000_hw *);
31407 s32 (*set_vfta)(struct e1000_hw *, u16, bool);
31408 };
31409+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
31410
31411 struct e1000_mac_info {
31412- struct e1000_mac_operations ops;
31413+ e1000_mac_operations_no_const ops;
31414 u8 addr[6];
31415 u8 perm_addr[6];
31416
31417@@ -213,6 +214,7 @@ struct e1000_mbx_operations {
31418 s32 (*check_for_ack)(struct e1000_hw *);
31419 s32 (*check_for_rst)(struct e1000_hw *);
31420 };
31421+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
31422
31423 struct e1000_mbx_stats {
31424 u32 msgs_tx;
31425@@ -224,7 +226,7 @@ struct e1000_mbx_stats {
31426 };
31427
31428 struct e1000_mbx_info {
31429- struct e1000_mbx_operations ops;
31430+ e1000_mbx_operations_no_const ops;
31431 struct e1000_mbx_stats stats;
31432 u32 timeout;
31433 u32 usec_delay;
31434diff -urNp linux-3.1.1/drivers/net/ixgb/ixgb_main.c linux-3.1.1/drivers/net/ixgb/ixgb_main.c
31435--- linux-3.1.1/drivers/net/ixgb/ixgb_main.c 2011-11-11 15:19:27.000000000 -0500
31436+++ linux-3.1.1/drivers/net/ixgb/ixgb_main.c 2011-11-16 18:40:22.000000000 -0500
31437@@ -1070,6 +1070,8 @@ ixgb_set_multi(struct net_device *netdev
31438 u32 rctl;
31439 int i;
31440
31441+ pax_track_stack();
31442+
31443 /* Check for Promiscuous and All Multicast modes */
31444
31445 rctl = IXGB_READ_REG(hw, RCTL);
31446diff -urNp linux-3.1.1/drivers/net/ixgb/ixgb_param.c linux-3.1.1/drivers/net/ixgb/ixgb_param.c
31447--- linux-3.1.1/drivers/net/ixgb/ixgb_param.c 2011-11-11 15:19:27.000000000 -0500
31448+++ linux-3.1.1/drivers/net/ixgb/ixgb_param.c 2011-11-16 18:40:22.000000000 -0500
31449@@ -261,6 +261,9 @@ void __devinit
31450 ixgb_check_options(struct ixgb_adapter *adapter)
31451 {
31452 int bd = adapter->bd_number;
31453+
31454+ pax_track_stack();
31455+
31456 if (bd >= IXGB_MAX_NIC) {
31457 pr_notice("Warning: no configuration for board #%i\n", bd);
31458 pr_notice("Using defaults for all values\n");
31459diff -urNp linux-3.1.1/drivers/net/ixgbe/ixgbe_type.h linux-3.1.1/drivers/net/ixgbe/ixgbe_type.h
31460--- linux-3.1.1/drivers/net/ixgbe/ixgbe_type.h 2011-11-11 15:19:27.000000000 -0500
31461+++ linux-3.1.1/drivers/net/ixgbe/ixgbe_type.h 2011-11-16 18:39:07.000000000 -0500
31462@@ -2642,6 +2642,7 @@ struct ixgbe_eeprom_operations {
31463 s32 (*update_checksum)(struct ixgbe_hw *);
31464 u16 (*calc_checksum)(struct ixgbe_hw *);
31465 };
31466+typedef struct ixgbe_eeprom_operations __no_const ixgbe_eeprom_operations_no_const;
31467
31468 struct ixgbe_mac_operations {
31469 s32 (*init_hw)(struct ixgbe_hw *);
31470@@ -2703,6 +2704,7 @@ struct ixgbe_mac_operations {
31471 /* Manageability interface */
31472 s32 (*set_fw_drv_ver)(struct ixgbe_hw *, u8, u8, u8, u8);
31473 };
31474+typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
31475
31476 struct ixgbe_phy_operations {
31477 s32 (*identify)(struct ixgbe_hw *);
31478@@ -2722,9 +2724,10 @@ struct ixgbe_phy_operations {
31479 s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
31480 s32 (*check_overtemp)(struct ixgbe_hw *);
31481 };
31482+typedef struct ixgbe_phy_operations __no_const ixgbe_phy_operations_no_const;
31483
31484 struct ixgbe_eeprom_info {
31485- struct ixgbe_eeprom_operations ops;
31486+ ixgbe_eeprom_operations_no_const ops;
31487 enum ixgbe_eeprom_type type;
31488 u32 semaphore_delay;
31489 u16 word_size;
31490@@ -2734,7 +2737,7 @@ struct ixgbe_eeprom_info {
31491
31492 #define IXGBE_FLAGS_DOUBLE_RESET_REQUIRED 0x01
31493 struct ixgbe_mac_info {
31494- struct ixgbe_mac_operations ops;
31495+ ixgbe_mac_operations_no_const ops;
31496 enum ixgbe_mac_type type;
31497 u8 addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
31498 u8 perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
31499@@ -2762,7 +2765,7 @@ struct ixgbe_mac_info {
31500 };
31501
31502 struct ixgbe_phy_info {
31503- struct ixgbe_phy_operations ops;
31504+ ixgbe_phy_operations_no_const ops;
31505 struct mdio_if_info mdio;
31506 enum ixgbe_phy_type type;
31507 u32 id;
31508@@ -2790,6 +2793,7 @@ struct ixgbe_mbx_operations {
31509 s32 (*check_for_ack)(struct ixgbe_hw *, u16);
31510 s32 (*check_for_rst)(struct ixgbe_hw *, u16);
31511 };
31512+typedef struct ixgbe_mbx_operations __no_const ixgbe_mbx_operations_no_const;
31513
31514 struct ixgbe_mbx_stats {
31515 u32 msgs_tx;
31516@@ -2801,7 +2805,7 @@ struct ixgbe_mbx_stats {
31517 };
31518
31519 struct ixgbe_mbx_info {
31520- struct ixgbe_mbx_operations ops;
31521+ ixgbe_mbx_operations_no_const ops;
31522 struct ixgbe_mbx_stats stats;
31523 u32 timeout;
31524 u32 usec_delay;
31525diff -urNp linux-3.1.1/drivers/net/ixgbevf/vf.h linux-3.1.1/drivers/net/ixgbevf/vf.h
31526--- linux-3.1.1/drivers/net/ixgbevf/vf.h 2011-11-11 15:19:27.000000000 -0500
31527+++ linux-3.1.1/drivers/net/ixgbevf/vf.h 2011-11-16 18:39:07.000000000 -0500
31528@@ -70,6 +70,7 @@ struct ixgbe_mac_operations {
31529 s32 (*clear_vfta)(struct ixgbe_hw *);
31530 s32 (*set_vfta)(struct ixgbe_hw *, u32, u32, bool);
31531 };
31532+typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
31533
31534 enum ixgbe_mac_type {
31535 ixgbe_mac_unknown = 0,
31536@@ -79,7 +80,7 @@ enum ixgbe_mac_type {
31537 };
31538
31539 struct ixgbe_mac_info {
31540- struct ixgbe_mac_operations ops;
31541+ ixgbe_mac_operations_no_const ops;
31542 u8 addr[6];
31543 u8 perm_addr[6];
31544
31545@@ -103,6 +104,7 @@ struct ixgbe_mbx_operations {
31546 s32 (*check_for_ack)(struct ixgbe_hw *);
31547 s32 (*check_for_rst)(struct ixgbe_hw *);
31548 };
31549+typedef struct ixgbe_mbx_operations __no_const ixgbe_mbx_operations_no_const;
31550
31551 struct ixgbe_mbx_stats {
31552 u32 msgs_tx;
31553@@ -114,7 +116,7 @@ struct ixgbe_mbx_stats {
31554 };
31555
31556 struct ixgbe_mbx_info {
31557- struct ixgbe_mbx_operations ops;
31558+ ixgbe_mbx_operations_no_const ops;
31559 struct ixgbe_mbx_stats stats;
31560 u32 timeout;
31561 u32 udelay;
31562diff -urNp linux-3.1.1/drivers/net/ksz884x.c linux-3.1.1/drivers/net/ksz884x.c
31563--- linux-3.1.1/drivers/net/ksz884x.c 2011-11-11 15:19:27.000000000 -0500
31564+++ linux-3.1.1/drivers/net/ksz884x.c 2011-11-16 18:40:22.000000000 -0500
31565@@ -6533,6 +6533,8 @@ static void netdev_get_ethtool_stats(str
31566 int rc;
31567 u64 counter[TOTAL_PORT_COUNTER_NUM];
31568
31569+ pax_track_stack();
31570+
31571 mutex_lock(&hw_priv->lock);
31572 n = SWITCH_PORT_NUM;
31573 for (i = 0, p = port->first_port; i < port->mib_port_cnt; i++, p++) {
31574diff -urNp linux-3.1.1/drivers/net/mlx4/main.c linux-3.1.1/drivers/net/mlx4/main.c
31575--- linux-3.1.1/drivers/net/mlx4/main.c 2011-11-11 15:19:27.000000000 -0500
31576+++ linux-3.1.1/drivers/net/mlx4/main.c 2011-11-16 18:40:22.000000000 -0500
31577@@ -40,6 +40,7 @@
31578 #include <linux/dma-mapping.h>
31579 #include <linux/slab.h>
31580 #include <linux/io-mapping.h>
31581+#include <linux/sched.h>
31582
31583 #include <linux/mlx4/device.h>
31584 #include <linux/mlx4/doorbell.h>
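Review bot: The new `#include <linux/sched.h>` is presumably what declares `pax_track_stack()` for the call added in the hunk that follows; the other files in this patch that gain a `pax_track_stack()` call (bnx2.c, bnx2x_ethtool.c, cxgb4_main.c, t4_hw.c, 6pack.c, ixgb_main.c, ixgb_param.c, ksz884x.c, niu.c) add no include and so rely on picking the declaration up transitively. Including the declaring header explicitly in each of those files would keep the build from breaking when an unrelated header stops pulling it in. A comment on this include line, `/* pax_track_stack() */`, would document why it is here.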
31585@@ -762,6 +763,8 @@ static int mlx4_init_hca(struct mlx4_dev
31586 u64 icm_size;
31587 int err;
31588
31589+ pax_track_stack();
31590+
31591 err = mlx4_QUERY_FW(dev);
31592 if (err) {
31593 if (err == -EACCES)
31594diff -urNp linux-3.1.1/drivers/net/niu.c linux-3.1.1/drivers/net/niu.c
31595--- linux-3.1.1/drivers/net/niu.c 2011-11-11 15:19:27.000000000 -0500
31596+++ linux-3.1.1/drivers/net/niu.c 2011-11-16 18:40:22.000000000 -0500
31597@@ -9061,6 +9061,8 @@ static void __devinit niu_try_msix(struc
31598 int i, num_irqs, err;
31599 u8 first_ldg;
31600
31601+ pax_track_stack();
31602+
31603 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
31604 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
31605 ldg_num_map[i] = first_ldg + i;
31606diff -urNp linux-3.1.1/drivers/net/pcnet32.c linux-3.1.1/drivers/net/pcnet32.c
31607--- linux-3.1.1/drivers/net/pcnet32.c 2011-11-11 15:19:27.000000000 -0500
31608+++ linux-3.1.1/drivers/net/pcnet32.c 2011-11-16 18:39:07.000000000 -0500
31609@@ -270,7 +270,7 @@ struct pcnet32_private {
31610 struct sk_buff **rx_skbuff;
31611 dma_addr_t *tx_dma_addr;
31612 dma_addr_t *rx_dma_addr;
31613- struct pcnet32_access a;
31614+ struct pcnet32_access *a;
31615 spinlock_t lock; /* Guard lock */
31616 unsigned int cur_rx, cur_tx; /* The next free ring entry */
31617 unsigned int rx_ring_size; /* current rx ring size */
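Review bot: Changing `a` from an embedded copy to a pointer means `lp->a` now refers to an object whose lifetime must cover the whole life of the netdev; in the pcnet32_probe1 hunk below, `lp->a = a;` stores the caller's pointer, which is only safe if it points at a file-scope access table rather than a stack object (presumably the static `pcnet32_wio`/`pcnet32_dwio` tables, not visible here). None of the converted call sites write through `lp->a`, so declaring the member `const struct pcnet32_access *a;` would let the table itself be `const` and live in read-only memory, which is presumably the motivation for the change. A brief comment on the member, `/* points at a static register-access table; never freed */`, would document the ownership. `struct pcnet32_private` begins before this hunk.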
31618@@ -460,9 +460,9 @@ static void pcnet32_netif_start(struct n
31619 u16 val;
31620
31621 netif_wake_queue(dev);
31622- val = lp->a.read_csr(ioaddr, CSR3);
31623+ val = lp->a->read_csr(ioaddr, CSR3);
31624 val &= 0x00ff;
31625- lp->a.write_csr(ioaddr, CSR3, val);
31626+ lp->a->write_csr(ioaddr, CSR3, val);
31627 napi_enable(&lp->napi);
31628 }
31629
31630@@ -730,7 +730,7 @@ static u32 pcnet32_get_link(struct net_d
31631 r = mii_link_ok(&lp->mii_if);
31632 } else if (lp->chip_version >= PCNET32_79C970A) {
31633 ulong ioaddr = dev->base_addr; /* card base I/O address */
31634- r = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
31635+ r = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
31636 } else { /* can not detect link on really old chips */
31637 r = 1;
31638 }
31639@@ -792,7 +792,7 @@ static int pcnet32_set_ringparam(struct
31640 pcnet32_netif_stop(dev);
31641
31642 spin_lock_irqsave(&lp->lock, flags);
31643- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
31644+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
31645
31646 size = min(ering->tx_pending, (unsigned int)TX_MAX_RING_SIZE);
31647
31648@@ -868,7 +868,7 @@ static void pcnet32_ethtool_test(struct
31649 static int pcnet32_loopback_test(struct net_device *dev, uint64_t * data1)
31650 {
31651 struct pcnet32_private *lp = netdev_priv(dev);
31652- struct pcnet32_access *a = &lp->a; /* access to registers */
31653+ struct pcnet32_access *a = lp->a; /* access to registers */
31654 ulong ioaddr = dev->base_addr; /* card base I/O address */
31655 struct sk_buff *skb; /* sk buff */
31656 int x, i; /* counters */
31657@@ -888,21 +888,21 @@ static int pcnet32_loopback_test(struct
31658 pcnet32_netif_stop(dev);
31659
31660 spin_lock_irqsave(&lp->lock, flags);
31661- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
31662+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
31663
31664 numbuffs = min(numbuffs, (int)min(lp->rx_ring_size, lp->tx_ring_size));
31665
31666 /* Reset the PCNET32 */
31667- lp->a.reset(ioaddr);
31668- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31669+ lp->a->reset(ioaddr);
31670+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31671
31672 /* switch pcnet32 to 32bit mode */
31673- lp->a.write_bcr(ioaddr, 20, 2);
31674+ lp->a->write_bcr(ioaddr, 20, 2);
31675
31676 /* purge & init rings but don't actually restart */
31677 pcnet32_restart(dev, 0x0000);
31678
31679- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
31680+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
31681
31682 /* Initialize Transmit buffers. */
31683 size = data_len + 15;
31684@@ -947,10 +947,10 @@ static int pcnet32_loopback_test(struct
31685
31686 /* set int loopback in CSR15 */
31687 x = a->read_csr(ioaddr, CSR15) & 0xfffc;
31688- lp->a.write_csr(ioaddr, CSR15, x | 0x0044);
31689+ lp->a->write_csr(ioaddr, CSR15, x | 0x0044);
31690
31691 teststatus = cpu_to_le16(0x8000);
31692- lp->a.write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
31693+ lp->a->write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
31694
31695 /* Check status of descriptors */
31696 for (x = 0; x < numbuffs; x++) {
31697@@ -969,7 +969,7 @@ static int pcnet32_loopback_test(struct
31698 }
31699 }
31700
31701- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
31702+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
31703 wmb();
31704 if (netif_msg_hw(lp) && netif_msg_pktdata(lp)) {
31705 netdev_printk(KERN_DEBUG, dev, "RX loopback packets:\n");
31706@@ -1015,7 +1015,7 @@ clean_up:
31707 pcnet32_restart(dev, CSR0_NORMAL);
31708 } else {
31709 pcnet32_purge_rx_ring(dev);
31710- lp->a.write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
31711+ lp->a->write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
31712 }
31713 spin_unlock_irqrestore(&lp->lock, flags);
31714
31715@@ -1026,7 +1026,7 @@ static int pcnet32_set_phys_id(struct ne
31716 enum ethtool_phys_id_state state)
31717 {
31718 struct pcnet32_private *lp = netdev_priv(dev);
31719- struct pcnet32_access *a = &lp->a;
31720+ struct pcnet32_access *a = lp->a;
31721 ulong ioaddr = dev->base_addr;
31722 unsigned long flags;
31723 int i;
31724@@ -1067,7 +1067,7 @@ static int pcnet32_suspend(struct net_de
31725 {
31726 int csr5;
31727 struct pcnet32_private *lp = netdev_priv(dev);
31728- struct pcnet32_access *a = &lp->a;
31729+ struct pcnet32_access *a = lp->a;
31730 ulong ioaddr = dev->base_addr;
31731 int ticks;
31732
31733@@ -1324,8 +1324,8 @@ static int pcnet32_poll(struct napi_stru
31734 spin_lock_irqsave(&lp->lock, flags);
31735 if (pcnet32_tx(dev)) {
31736 /* reset the chip to clear the error condition, then restart */
31737- lp->a.reset(ioaddr);
31738- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31739+ lp->a->reset(ioaddr);
31740+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31741 pcnet32_restart(dev, CSR0_START);
31742 netif_wake_queue(dev);
31743 }
31744@@ -1337,12 +1337,12 @@ static int pcnet32_poll(struct napi_stru
31745 __napi_complete(napi);
31746
31747 /* clear interrupt masks */
31748- val = lp->a.read_csr(ioaddr, CSR3);
31749+ val = lp->a->read_csr(ioaddr, CSR3);
31750 val &= 0x00ff;
31751- lp->a.write_csr(ioaddr, CSR3, val);
31752+ lp->a->write_csr(ioaddr, CSR3, val);
31753
31754 /* Set interrupt enable. */
31755- lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN);
31756+ lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
31757
31758 spin_unlock_irqrestore(&lp->lock, flags);
31759 }
31760@@ -1365,7 +1365,7 @@ static void pcnet32_get_regs(struct net_
31761 int i, csr0;
31762 u16 *buff = ptr;
31763 struct pcnet32_private *lp = netdev_priv(dev);
31764- struct pcnet32_access *a = &lp->a;
31765+ struct pcnet32_access *a = lp->a;
31766 ulong ioaddr = dev->base_addr;
31767 unsigned long flags;
31768
31769@@ -1401,9 +1401,9 @@ static void pcnet32_get_regs(struct net_
31770 for (j = 0; j < PCNET32_MAX_PHYS; j++) {
31771 if (lp->phymask & (1 << j)) {
31772 for (i = 0; i < PCNET32_REGS_PER_PHY; i++) {
31773- lp->a.write_bcr(ioaddr, 33,
31774+ lp->a->write_bcr(ioaddr, 33,
31775 (j << 5) | i);
31776- *buff++ = lp->a.read_bcr(ioaddr, 34);
31777+ *buff++ = lp->a->read_bcr(ioaddr, 34);
31778 }
31779 }
31780 }
31781@@ -1785,7 +1785,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31782 ((cards_found >= MAX_UNITS) || full_duplex[cards_found]))
31783 lp->options |= PCNET32_PORT_FD;
31784
31785- lp->a = *a;
31786+ lp->a = a;
31787
31788 /* prior to register_netdev, dev->name is not yet correct */
31789 if (pcnet32_alloc_ring(dev, pci_name(lp->pci_dev))) {
31790@@ -1844,7 +1844,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31791 if (lp->mii) {
31792 /* lp->phycount and lp->phymask are set to 0 by memset above */
31793
31794- lp->mii_if.phy_id = ((lp->a.read_bcr(ioaddr, 33)) >> 5) & 0x1f;
31795+ lp->mii_if.phy_id = ((lp->a->read_bcr(ioaddr, 33)) >> 5) & 0x1f;
31796 /* scan for PHYs */
31797 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
31798 unsigned short id1, id2;
31799@@ -1864,7 +1864,7 @@ pcnet32_probe1(unsigned long ioaddr, int
31800 pr_info("Found PHY %04x:%04x at address %d\n",
31801 id1, id2, i);
31802 }
31803- lp->a.write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
31804+ lp->a->write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
31805 if (lp->phycount > 1)
31806 lp->options |= PCNET32_PORT_MII;
31807 }
31808@@ -2020,10 +2020,10 @@ static int pcnet32_open(struct net_devic
31809 }
31810
31811 /* Reset the PCNET32 */
31812- lp->a.reset(ioaddr);
31813+ lp->a->reset(ioaddr);
31814
31815 /* switch pcnet32 to 32bit mode */
31816- lp->a.write_bcr(ioaddr, 20, 2);
31817+ lp->a->write_bcr(ioaddr, 20, 2);
31818
31819 netif_printk(lp, ifup, KERN_DEBUG, dev,
31820 "%s() irq %d tx/rx rings %#x/%#x init %#x\n",
31821@@ -2032,14 +2032,14 @@ static int pcnet32_open(struct net_devic
31822 (u32) (lp->init_dma_addr));
31823
31824 /* set/reset autoselect bit */
31825- val = lp->a.read_bcr(ioaddr, 2) & ~2;
31826+ val = lp->a->read_bcr(ioaddr, 2) & ~2;
31827 if (lp->options & PCNET32_PORT_ASEL)
31828 val |= 2;
31829- lp->a.write_bcr(ioaddr, 2, val);
31830+ lp->a->write_bcr(ioaddr, 2, val);
31831
31832 /* handle full duplex setting */
31833 if (lp->mii_if.full_duplex) {
31834- val = lp->a.read_bcr(ioaddr, 9) & ~3;
31835+ val = lp->a->read_bcr(ioaddr, 9) & ~3;
31836 if (lp->options & PCNET32_PORT_FD) {
31837 val |= 1;
31838 if (lp->options == (PCNET32_PORT_FD | PCNET32_PORT_AUI))
31839@@ -2049,14 +2049,14 @@ static int pcnet32_open(struct net_devic
31840 if (lp->chip_version == 0x2627)
31841 val |= 3;
31842 }
31843- lp->a.write_bcr(ioaddr, 9, val);
31844+ lp->a->write_bcr(ioaddr, 9, val);
31845 }
31846
31847 /* set/reset GPSI bit in test register */
31848- val = lp->a.read_csr(ioaddr, 124) & ~0x10;
31849+ val = lp->a->read_csr(ioaddr, 124) & ~0x10;
31850 if ((lp->options & PCNET32_PORT_PORTSEL) == PCNET32_PORT_GPSI)
31851 val |= 0x10;
31852- lp->a.write_csr(ioaddr, 124, val);
31853+ lp->a->write_csr(ioaddr, 124, val);
31854
31855 /* Allied Telesyn AT 2700/2701 FX are 100Mbit only and do not negotiate */
31856 if (pdev && pdev->subsystem_vendor == PCI_VENDOR_ID_AT &&
31857@@ -2075,24 +2075,24 @@ static int pcnet32_open(struct net_devic
31858 * duplex, and/or enable auto negotiation, and clear DANAS
31859 */
31860 if (lp->mii && !(lp->options & PCNET32_PORT_ASEL)) {
31861- lp->a.write_bcr(ioaddr, 32,
31862- lp->a.read_bcr(ioaddr, 32) | 0x0080);
31863+ lp->a->write_bcr(ioaddr, 32,
31864+ lp->a->read_bcr(ioaddr, 32) | 0x0080);
31865 /* disable Auto Negotiation, set 10Mpbs, HD */
31866- val = lp->a.read_bcr(ioaddr, 32) & ~0xb8;
31867+ val = lp->a->read_bcr(ioaddr, 32) & ~0xb8;
31868 if (lp->options & PCNET32_PORT_FD)
31869 val |= 0x10;
31870 if (lp->options & PCNET32_PORT_100)
31871 val |= 0x08;
31872- lp->a.write_bcr(ioaddr, 32, val);
31873+ lp->a->write_bcr(ioaddr, 32, val);
31874 } else {
31875 if (lp->options & PCNET32_PORT_ASEL) {
31876- lp->a.write_bcr(ioaddr, 32,
31877- lp->a.read_bcr(ioaddr,
31878+ lp->a->write_bcr(ioaddr, 32,
31879+ lp->a->read_bcr(ioaddr,
31880 32) | 0x0080);
31881 /* enable auto negotiate, setup, disable fd */
31882- val = lp->a.read_bcr(ioaddr, 32) & ~0x98;
31883+ val = lp->a->read_bcr(ioaddr, 32) & ~0x98;
31884 val |= 0x20;
31885- lp->a.write_bcr(ioaddr, 32, val);
31886+ lp->a->write_bcr(ioaddr, 32, val);
31887 }
31888 }
31889 } else {
31890@@ -2105,10 +2105,10 @@ static int pcnet32_open(struct net_devic
31891 * There is really no good other way to handle multiple PHYs
31892 * other than turning off all automatics
31893 */
31894- val = lp->a.read_bcr(ioaddr, 2);
31895- lp->a.write_bcr(ioaddr, 2, val & ~2);
31896- val = lp->a.read_bcr(ioaddr, 32);
31897- lp->a.write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
31898+ val = lp->a->read_bcr(ioaddr, 2);
31899+ lp->a->write_bcr(ioaddr, 2, val & ~2);
31900+ val = lp->a->read_bcr(ioaddr, 32);
31901+ lp->a->write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
31902
31903 if (!(lp->options & PCNET32_PORT_ASEL)) {
31904 /* setup ecmd */
31905@@ -2118,7 +2118,7 @@ static int pcnet32_open(struct net_devic
31906 ethtool_cmd_speed_set(&ecmd,
31907 (lp->options & PCNET32_PORT_100) ?
31908 SPEED_100 : SPEED_10);
31909- bcr9 = lp->a.read_bcr(ioaddr, 9);
31910+ bcr9 = lp->a->read_bcr(ioaddr, 9);
31911
31912 if (lp->options & PCNET32_PORT_FD) {
31913 ecmd.duplex = DUPLEX_FULL;
31914@@ -2127,7 +2127,7 @@ static int pcnet32_open(struct net_devic
31915 ecmd.duplex = DUPLEX_HALF;
31916 bcr9 |= ~(1 << 0);
31917 }
31918- lp->a.write_bcr(ioaddr, 9, bcr9);
31919+ lp->a->write_bcr(ioaddr, 9, bcr9);
31920 }
31921
31922 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
31923@@ -2158,9 +2158,9 @@ static int pcnet32_open(struct net_devic
31924
31925 #ifdef DO_DXSUFLO
31926 if (lp->dxsuflo) { /* Disable transmit stop on underflow */
31927- val = lp->a.read_csr(ioaddr, CSR3);
31928+ val = lp->a->read_csr(ioaddr, CSR3);
31929 val |= 0x40;
31930- lp->a.write_csr(ioaddr, CSR3, val);
31931+ lp->a->write_csr(ioaddr, CSR3, val);
31932 }
31933 #endif
31934
31935@@ -2176,11 +2176,11 @@ static int pcnet32_open(struct net_devic
31936 napi_enable(&lp->napi);
31937
31938 /* Re-initialize the PCNET32, and start it when done. */
31939- lp->a.write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
31940- lp->a.write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
31941+ lp->a->write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
31942+ lp->a->write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
31943
31944- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31945- lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
31946+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
31947+ lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
31948
31949 netif_start_queue(dev);
31950
31951@@ -2192,19 +2192,19 @@ static int pcnet32_open(struct net_devic
31952
31953 i = 0;
31954 while (i++ < 100)
31955- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
31956+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
31957 break;
31958 /*
31959 * We used to clear the InitDone bit, 0x0100, here but Mark Stockton
31960 * reports that doing so triggers a bug in the '974.
31961 */
31962- lp->a.write_csr(ioaddr, CSR0, CSR0_NORMAL);
31963+ lp->a->write_csr(ioaddr, CSR0, CSR0_NORMAL);
31964
31965 netif_printk(lp, ifup, KERN_DEBUG, dev,
31966 "pcnet32 open after %d ticks, init block %#x csr0 %4.4x\n",
31967 i,
31968 (u32) (lp->init_dma_addr),
31969- lp->a.read_csr(ioaddr, CSR0));
31970+ lp->a->read_csr(ioaddr, CSR0));
31971
31972 spin_unlock_irqrestore(&lp->lock, flags);
31973
31974@@ -2218,7 +2218,7 @@ err_free_ring:
31975 * Switch back to 16bit mode to avoid problems with dumb
31976 * DOS packet driver after a warm reboot
31977 */
31978- lp->a.write_bcr(ioaddr, 20, 4);
31979+ lp->a->write_bcr(ioaddr, 20, 4);
31980
31981 err_free_irq:
31982 spin_unlock_irqrestore(&lp->lock, flags);
31983@@ -2323,7 +2323,7 @@ static void pcnet32_restart(struct net_d
31984
31985 /* wait for stop */
31986 for (i = 0; i < 100; i++)
31987- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_STOP)
31988+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_STOP)
31989 break;
31990
31991 if (i >= 100)
31992@@ -2335,13 +2335,13 @@ static void pcnet32_restart(struct net_d
31993 return;
31994
31995 /* ReInit Ring */
31996- lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
31997+ lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
31998 i = 0;
31999 while (i++ < 1000)
32000- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
32001+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
32002 break;
32003
32004- lp->a.write_csr(ioaddr, CSR0, csr0_bits);
32005+ lp->a->write_csr(ioaddr, CSR0, csr0_bits);
32006 }
32007
32008 static void pcnet32_tx_timeout(struct net_device *dev)
32009@@ -2353,8 +2353,8 @@ static void pcnet32_tx_timeout(struct ne
32010 /* Transmitter timeout, serious problems. */
32011 if (pcnet32_debug & NETIF_MSG_DRV)
32012 pr_err("%s: transmit timed out, status %4.4x, resetting\n",
32013- dev->name, lp->a.read_csr(ioaddr, CSR0));
32014- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
32015+ dev->name, lp->a->read_csr(ioaddr, CSR0));
32016+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
32017 dev->stats.tx_errors++;
32018 if (netif_msg_tx_err(lp)) {
32019 int i;
32020@@ -2397,7 +2397,7 @@ static netdev_tx_t pcnet32_start_xmit(st
32021
32022 netif_printk(lp, tx_queued, KERN_DEBUG, dev,
32023 "%s() called, csr0 %4.4x\n",
32024- __func__, lp->a.read_csr(ioaddr, CSR0));
32025+ __func__, lp->a->read_csr(ioaddr, CSR0));
32026
32027 /* Default status -- will not enable Successful-TxDone
32028 * interrupt when that option is available to us.
32029@@ -2427,7 +2427,7 @@ static netdev_tx_t pcnet32_start_xmit(st
32030 dev->stats.tx_bytes += skb->len;
32031
32032 /* Trigger an immediate send poll. */
32033- lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
32034+ lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
32035
32036 if (lp->tx_ring[(entry + 1) & lp->tx_mod_mask].base != 0) {
32037 lp->tx_full = 1;
32038@@ -2452,16 +2452,16 @@ pcnet32_interrupt(int irq, void *dev_id)
32039
32040 spin_lock(&lp->lock);
32041
32042- csr0 = lp->a.read_csr(ioaddr, CSR0);
32043+ csr0 = lp->a->read_csr(ioaddr, CSR0);
32044 while ((csr0 & 0x8f00) && --boguscnt >= 0) {
32045 if (csr0 == 0xffff)
32046 break; /* PCMCIA remove happened */
32047 /* Acknowledge all of the current interrupt sources ASAP. */
32048- lp->a.write_csr(ioaddr, CSR0, csr0 & ~0x004f);
32049+ lp->a->write_csr(ioaddr, CSR0, csr0 & ~0x004f);
32050
32051 netif_printk(lp, intr, KERN_DEBUG, dev,
32052 "interrupt csr0=%#2.2x new csr=%#2.2x\n",
32053- csr0, lp->a.read_csr(ioaddr, CSR0));
32054+ csr0, lp->a->read_csr(ioaddr, CSR0));
32055
32056 /* Log misc errors. */
32057 if (csr0 & 0x4000)
32058@@ -2488,19 +2488,19 @@ pcnet32_interrupt(int irq, void *dev_id)
32059 if (napi_schedule_prep(&lp->napi)) {
32060 u16 val;
32061 /* set interrupt masks */
32062- val = lp->a.read_csr(ioaddr, CSR3);
32063+ val = lp->a->read_csr(ioaddr, CSR3);
32064 val |= 0x5f00;
32065- lp->a.write_csr(ioaddr, CSR3, val);
32066+ lp->a->write_csr(ioaddr, CSR3, val);
32067
32068 __napi_schedule(&lp->napi);
32069 break;
32070 }
32071- csr0 = lp->a.read_csr(ioaddr, CSR0);
32072+ csr0 = lp->a->read_csr(ioaddr, CSR0);
32073 }
32074
32075 netif_printk(lp, intr, KERN_DEBUG, dev,
32076 "exiting interrupt, csr0=%#4.4x\n",
32077- lp->a.read_csr(ioaddr, CSR0));
32078+ lp->a->read_csr(ioaddr, CSR0));
32079
32080 spin_unlock(&lp->lock);
32081
32082@@ -2520,20 +2520,20 @@ static int pcnet32_close(struct net_devi
32083
32084 spin_lock_irqsave(&lp->lock, flags);
32085
32086- dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
32087+ dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
32088
32089 netif_printk(lp, ifdown, KERN_DEBUG, dev,
32090 "Shutting down ethercard, status was %2.2x\n",
32091- lp->a.read_csr(ioaddr, CSR0));
32092+ lp->a->read_csr(ioaddr, CSR0));
32093
32094 /* We stop the PCNET32 here -- it occasionally polls memory if we don't. */
32095- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
32096+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
32097
32098 /*
32099 * Switch back to 16bit mode to avoid problems with dumb
32100 * DOS packet driver after a warm reboot
32101 */
32102- lp->a.write_bcr(ioaddr, 20, 4);
32103+ lp->a->write_bcr(ioaddr, 20, 4);
32104
32105 spin_unlock_irqrestore(&lp->lock, flags);
32106
32107@@ -2556,7 +2556,7 @@ static struct net_device_stats *pcnet32_
32108 unsigned long flags;
32109
32110 spin_lock_irqsave(&lp->lock, flags);
32111- dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
32112+ dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
32113 spin_unlock_irqrestore(&lp->lock, flags);
32114
32115 return &dev->stats;
32116@@ -2577,10 +2577,10 @@ static void pcnet32_load_multicast(struc
32117 if (dev->flags & IFF_ALLMULTI) {
32118 ib->filter[0] = cpu_to_le32(~0U);
32119 ib->filter[1] = cpu_to_le32(~0U);
32120- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
32121- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
32122- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
32123- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
32124+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
32125+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
32126+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
32127+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
32128 return;
32129 }
32130 /* clear the multicast filter */
32131@@ -2594,7 +2594,7 @@ static void pcnet32_load_multicast(struc
32132 mcast_table[crc >> 4] |= cpu_to_le16(1 << (crc & 0xf));
32133 }
32134 for (i = 0; i < 4; i++)
32135- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER + i,
32136+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER + i,
32137 le16_to_cpu(mcast_table[i]));
32138 }
32139
32140@@ -2609,28 +2609,28 @@ static void pcnet32_set_multicast_list(s
32141
32142 spin_lock_irqsave(&lp->lock, flags);
32143 suspended = pcnet32_suspend(dev, &flags, 0);
32144- csr15 = lp->a.read_csr(ioaddr, CSR15);
32145+ csr15 = lp->a->read_csr(ioaddr, CSR15);
32146 if (dev->flags & IFF_PROMISC) {
32147 /* Log any net taps. */
32148 netif_info(lp, hw, dev, "Promiscuous mode enabled\n");
32149 lp->init_block->mode =
32150 cpu_to_le16(0x8000 | (lp->options & PCNET32_PORT_PORTSEL) <<
32151 7);
32152- lp->a.write_csr(ioaddr, CSR15, csr15 | 0x8000);
32153+ lp->a->write_csr(ioaddr, CSR15, csr15 | 0x8000);
32154 } else {
32155 lp->init_block->mode =
32156 cpu_to_le16((lp->options & PCNET32_PORT_PORTSEL) << 7);
32157- lp->a.write_csr(ioaddr, CSR15, csr15 & 0x7fff);
32158+ lp->a->write_csr(ioaddr, CSR15, csr15 & 0x7fff);
32159 pcnet32_load_multicast(dev);
32160 }
32161
32162 if (suspended) {
32163 int csr5;
32164 /* clear SUSPEND (SPND) - CSR5 bit 0 */
32165- csr5 = lp->a.read_csr(ioaddr, CSR5);
32166- lp->a.write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
32167+ csr5 = lp->a->read_csr(ioaddr, CSR5);
32168+ lp->a->write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
32169 } else {
32170- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
32171+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
32172 pcnet32_restart(dev, CSR0_NORMAL);
32173 netif_wake_queue(dev);
32174 }
32175@@ -2648,8 +2648,8 @@ static int mdio_read(struct net_device *
32176 if (!lp->mii)
32177 return 0;
32178
32179- lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32180- val_out = lp->a.read_bcr(ioaddr, 34);
32181+ lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32182+ val_out = lp->a->read_bcr(ioaddr, 34);
32183
32184 return val_out;
32185 }
32186@@ -2663,8 +2663,8 @@ static void mdio_write(struct net_device
32187 if (!lp->mii)
32188 return;
32189
32190- lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32191- lp->a.write_bcr(ioaddr, 34, val);
32192+ lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
32193+ lp->a->write_bcr(ioaddr, 34, val);
32194 }
32195
32196 static int pcnet32_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
32197@@ -2741,7 +2741,7 @@ static void pcnet32_check_media(struct n
32198 curr_link = mii_link_ok(&lp->mii_if);
32199 } else {
32200 ulong ioaddr = dev->base_addr; /* card base I/O address */
32201- curr_link = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
32202+ curr_link = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
32203 }
32204 if (!curr_link) {
32205 if (prev_link || verbose) {
32206@@ -2764,13 +2764,13 @@ static void pcnet32_check_media(struct n
32207 (ecmd.duplex == DUPLEX_FULL)
32208 ? "full" : "half");
32209 }
32210- bcr9 = lp->a.read_bcr(dev->base_addr, 9);
32211+ bcr9 = lp->a->read_bcr(dev->base_addr, 9);
32212 if ((bcr9 & (1 << 0)) != lp->mii_if.full_duplex) {
32213 if (lp->mii_if.full_duplex)
32214 bcr9 |= (1 << 0);
32215 else
32216 bcr9 &= ~(1 << 0);
32217- lp->a.write_bcr(dev->base_addr, 9, bcr9);
32218+ lp->a->write_bcr(dev->base_addr, 9, bcr9);
32219 }
32220 } else {
32221 netif_info(lp, link, dev, "link up\n");
32222diff -urNp linux-3.1.1/drivers/net/ppp_generic.c linux-3.1.1/drivers/net/ppp_generic.c
32223--- linux-3.1.1/drivers/net/ppp_generic.c 2011-11-11 15:19:27.000000000 -0500
32224+++ linux-3.1.1/drivers/net/ppp_generic.c 2011-11-16 18:39:07.000000000 -0500
32225@@ -987,7 +987,6 @@ ppp_net_ioctl(struct net_device *dev, st
32226 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
32227 struct ppp_stats stats;
32228 struct ppp_comp_stats cstats;
32229- char *vers;
32230
32231 switch (cmd) {
32232 case SIOCGPPPSTATS:
32233@@ -1009,8 +1008,7 @@ ppp_net_ioctl(struct net_device *dev, st
32234 break;
32235
32236 case SIOCGPPPVER:
32237- vers = PPP_VERSION;
32238- if (copy_to_user(addr, vers, strlen(vers) + 1))
32239+ if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
32240 break;
32241 err = 0;
32242 break;
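Review bot: The replacement `copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION))` is equivalent to the old `strlen(vers) + 1` only while PPP_VERSION expands to a string literal; should the macro ever become a `const char *`, sizeof would silently shrink to pointer size and truncate the version string sent to user space. A one-line comment such as `/* PPP_VERSION is a string literal: sizeof includes the NUL */` pins that assumption for the next maintainer. The SIOCGPPPVER case sits inside ppp_net_ioctl, whose body extends beyond the hunk.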
32243diff -urNp linux-3.1.1/drivers/net/r8169.c linux-3.1.1/drivers/net/r8169.c
32244--- linux-3.1.1/drivers/net/r8169.c 2011-11-11 15:19:27.000000000 -0500
32245+++ linux-3.1.1/drivers/net/r8169.c 2011-11-16 18:39:07.000000000 -0500
32246@@ -663,12 +663,12 @@ struct rtl8169_private {
32247 struct mdio_ops {
32248 void (*write)(void __iomem *, int, int);
32249 int (*read)(void __iomem *, int);
32250- } mdio_ops;
32251+ } __no_const mdio_ops;
32252
32253 struct pll_power_ops {
32254 void (*down)(struct rtl8169_private *);
32255 void (*up)(struct rtl8169_private *);
32256- } pll_power_ops;
32257+ } __no_const pll_power_ops;
32258
32259 int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
32260 int (*get_settings)(struct net_device *, struct ethtool_cmd *);
32261diff -urNp linux-3.1.1/drivers/net/sis190.c linux-3.1.1/drivers/net/sis190.c
32262--- linux-3.1.1/drivers/net/sis190.c 2011-11-11 15:19:27.000000000 -0500
32263+++ linux-3.1.1/drivers/net/sis190.c 2011-11-16 18:39:07.000000000 -0500
32264@@ -1624,7 +1624,7 @@ static int __devinit sis190_get_mac_addr
32265 static int __devinit sis190_get_mac_addr_from_apc(struct pci_dev *pdev,
32266 struct net_device *dev)
32267 {
32268- static const u16 __devinitdata ids[] = { 0x0965, 0x0966, 0x0968 };
32269+ static const u16 __devinitconst ids[] = { 0x0965, 0x0966, 0x0968 };
32270 struct sis190_private *tp = netdev_priv(dev);
32271 struct pci_dev *isa_bridge;
32272 u8 reg, tmp8;
32273diff -urNp linux-3.1.1/drivers/net/sundance.c linux-3.1.1/drivers/net/sundance.c
32274--- linux-3.1.1/drivers/net/sundance.c 2011-11-11 15:19:27.000000000 -0500
32275+++ linux-3.1.1/drivers/net/sundance.c 2011-11-16 18:39:07.000000000 -0500
32276@@ -218,7 +218,7 @@ enum {
32277 struct pci_id_info {
32278 const char *name;
32279 };
32280-static const struct pci_id_info pci_id_tbl[] __devinitdata = {
32281+static const struct pci_id_info pci_id_tbl[] __devinitconst = {
32282 {"D-Link DFE-550TX FAST Ethernet Adapter"},
32283 {"D-Link DFE-550FX 100Mbps Fiber-optics Adapter"},
32284 {"D-Link DFE-580TX 4 port Server Adapter"},
32285diff -urNp linux-3.1.1/drivers/net/tg3.h linux-3.1.1/drivers/net/tg3.h
32286--- linux-3.1.1/drivers/net/tg3.h 2011-11-11 15:19:27.000000000 -0500
32287+++ linux-3.1.1/drivers/net/tg3.h 2011-11-16 18:39:07.000000000 -0500
32288@@ -134,6 +134,7 @@
32289 #define CHIPREV_ID_5750_A0 0x4000
32290 #define CHIPREV_ID_5750_A1 0x4001
32291 #define CHIPREV_ID_5750_A3 0x4003
32292+#define CHIPREV_ID_5750_C1 0x4201
32293 #define CHIPREV_ID_5750_C2 0x4202
32294 #define CHIPREV_ID_5752_A0_HW 0x5000
32295 #define CHIPREV_ID_5752_A0 0x6000
32296diff -urNp linux-3.1.1/drivers/net/tokenring/abyss.c linux-3.1.1/drivers/net/tokenring/abyss.c
32297--- linux-3.1.1/drivers/net/tokenring/abyss.c 2011-11-11 15:19:27.000000000 -0500
32298+++ linux-3.1.1/drivers/net/tokenring/abyss.c 2011-11-16 18:39:07.000000000 -0500
32299@@ -451,10 +451,12 @@ static struct pci_driver abyss_driver =
32300
32301 static int __init abyss_init (void)
32302 {
32303- abyss_netdev_ops = tms380tr_netdev_ops;
32304+ pax_open_kernel();
32305+ memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32306
32307- abyss_netdev_ops.ndo_open = abyss_open;
32308- abyss_netdev_ops.ndo_stop = abyss_close;
32309+ *(void **)&abyss_netdev_ops.ndo_open = abyss_open;
32310+ *(void **)&abyss_netdev_ops.ndo_stop = abyss_close;
32311+ pax_close_kernel();
32312
32313 return pci_register_driver(&abyss_driver);
32314 }
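Review bot: The memcpy at the top of abyss_init sizes the copy by the source, `sizeof(tms380tr_netdev_ops)`, while the object being written is `abyss_netdev_ops`; sizing by the destination, `memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(abyss_netdev_ops))`, keeps the write bounded by the target even if the two declarations ever drift apart. The `*(void **)&abyss_netdev_ops.ndo_open = abyss_open;` stores cast away the const qualifier and presume a function pointer shares the representation of `void *`, which holds on the targets Linux supports but deserves a short comment saying why these writes are wrapped in pax_open_kernel()/pax_close_kernel(). The same pattern appears in madgemc_init, proteon_init and sk_isa_init in the following three files.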
32315diff -urNp linux-3.1.1/drivers/net/tokenring/madgemc.c linux-3.1.1/drivers/net/tokenring/madgemc.c
32316--- linux-3.1.1/drivers/net/tokenring/madgemc.c 2011-11-11 15:19:27.000000000 -0500
32317+++ linux-3.1.1/drivers/net/tokenring/madgemc.c 2011-11-16 18:39:07.000000000 -0500
32318@@ -744,9 +744,11 @@ static struct mca_driver madgemc_driver
32319
32320 static int __init madgemc_init (void)
32321 {
32322- madgemc_netdev_ops = tms380tr_netdev_ops;
32323- madgemc_netdev_ops.ndo_open = madgemc_open;
32324- madgemc_netdev_ops.ndo_stop = madgemc_close;
32325+ pax_open_kernel();
32326+ memcpy((void *)&madgemc_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32327+ *(void **)&madgemc_netdev_ops.ndo_open = madgemc_open;
32328+ *(void **)&madgemc_netdev_ops.ndo_stop = madgemc_close;
32329+ pax_close_kernel();
32330
32331 return mca_register_driver (&madgemc_driver);
32332 }
32333diff -urNp linux-3.1.1/drivers/net/tokenring/proteon.c linux-3.1.1/drivers/net/tokenring/proteon.c
32334--- linux-3.1.1/drivers/net/tokenring/proteon.c 2011-11-11 15:19:27.000000000 -0500
32335+++ linux-3.1.1/drivers/net/tokenring/proteon.c 2011-11-16 18:39:07.000000000 -0500
32336@@ -353,9 +353,11 @@ static int __init proteon_init(void)
32337 struct platform_device *pdev;
32338 int i, num = 0, err = 0;
32339
32340- proteon_netdev_ops = tms380tr_netdev_ops;
32341- proteon_netdev_ops.ndo_open = proteon_open;
32342- proteon_netdev_ops.ndo_stop = tms380tr_close;
32343+ pax_open_kernel();
32344+ memcpy((void *)&proteon_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32345+ *(void **)&proteon_netdev_ops.ndo_open = proteon_open;
32346+ *(void **)&proteon_netdev_ops.ndo_stop = tms380tr_close;
32347+ pax_close_kernel();
32348
32349 err = platform_driver_register(&proteon_driver);
32350 if (err)
32351diff -urNp linux-3.1.1/drivers/net/tokenring/skisa.c linux-3.1.1/drivers/net/tokenring/skisa.c
32352--- linux-3.1.1/drivers/net/tokenring/skisa.c 2011-11-11 15:19:27.000000000 -0500
32353+++ linux-3.1.1/drivers/net/tokenring/skisa.c 2011-11-16 18:39:07.000000000 -0500
32354@@ -363,9 +363,11 @@ static int __init sk_isa_init(void)
32355 struct platform_device *pdev;
32356 int i, num = 0, err = 0;
32357
32358- sk_isa_netdev_ops = tms380tr_netdev_ops;
32359- sk_isa_netdev_ops.ndo_open = sk_isa_open;
32360- sk_isa_netdev_ops.ndo_stop = tms380tr_close;
32361+ pax_open_kernel();
32362+ memcpy((void *)&sk_isa_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
32363+ *(void **)&sk_isa_netdev_ops.ndo_open = sk_isa_open;
32364+ *(void **)&sk_isa_netdev_ops.ndo_stop = tms380tr_close;
32365+ pax_close_kernel();
32366
32367 err = platform_driver_register(&sk_isa_driver);
32368 if (err)
32369diff -urNp linux-3.1.1/drivers/net/tulip/de2104x.c linux-3.1.1/drivers/net/tulip/de2104x.c
32370--- linux-3.1.1/drivers/net/tulip/de2104x.c 2011-11-11 15:19:27.000000000 -0500
32371+++ linux-3.1.1/drivers/net/tulip/de2104x.c 2011-11-16 18:40:22.000000000 -0500
32372@@ -1795,6 +1795,8 @@ static void __devinit de21041_get_srom_i
32373 struct de_srom_info_leaf *il;
32374 void *bufp;
32375
32376+ pax_track_stack();
32377+
32378 /* download entire eeprom */
32379 for (i = 0; i < DE_EEPROM_WORDS; i++)
32380 ((__le16 *)ee_data)[i] =
32381diff -urNp linux-3.1.1/drivers/net/tulip/de4x5.c linux-3.1.1/drivers/net/tulip/de4x5.c
32382--- linux-3.1.1/drivers/net/tulip/de4x5.c 2011-11-11 15:19:27.000000000 -0500
32383+++ linux-3.1.1/drivers/net/tulip/de4x5.c 2011-11-16 18:39:07.000000000 -0500
32384@@ -5397,7 +5397,7 @@ de4x5_ioctl(struct net_device *dev, stru
32385 for (i=0; i<ETH_ALEN; i++) {
32386 tmp.addr[i] = dev->dev_addr[i];
32387 }
32388- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
32389+ if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
32390 break;
32391
32392 case DE4X5_SET_HWADDR: /* Set the hardware address */
32393@@ -5437,7 +5437,7 @@ de4x5_ioctl(struct net_device *dev, stru
32394 spin_lock_irqsave(&lp->lock, flags);
32395 memcpy(&statbuf, &lp->pktStats, ioc->len);
32396 spin_unlock_irqrestore(&lp->lock, flags);
32397- if (copy_to_user(ioc->data, &statbuf, ioc->len))
32398+ if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
32399 return -EFAULT;
32400 break;
32401 }
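Review bot: The added bound on copy_to_user comes after `memcpy(&statbuf, &lp->pktStats, ioc->len);` two lines above it, so an oversized ioc->len would already have overrun the on-stack statbuf before the new check rejects it, unless ioc->len is clamped in the lines preceding the hunk (the start of the DE4X5_GET_STATS case is not visible here). Moving the bound ahead of the memcpy, `if (ioc->len > sizeof statbuf) return -EFAULT;` before taking the lock, makes the check independent of any earlier clamp; if such a clamp exists, a comment noting the new test is defensive would stop a reader hunting for the path it closes. The DE4X5_GET_HWADDR hunk above has the same shape, but there the fill of tmp.addr is a fixed ETH_ALEN loop, so only the user copy needed the bound.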
32402diff -urNp linux-3.1.1/drivers/net/tulip/eeprom.c linux-3.1.1/drivers/net/tulip/eeprom.c
32403--- linux-3.1.1/drivers/net/tulip/eeprom.c 2011-11-11 15:19:27.000000000 -0500
32404+++ linux-3.1.1/drivers/net/tulip/eeprom.c 2011-11-16 18:39:07.000000000 -0500
32405@@ -81,7 +81,7 @@ static struct eeprom_fixup eeprom_fixups
32406 {NULL}};
32407
32408
32409-static const char *block_name[] __devinitdata = {
32410+static const char *block_name[] __devinitconst = {
32411 "21140 non-MII",
32412 "21140 MII PHY",
32413 "21142 Serial PHY",
32414diff -urNp linux-3.1.1/drivers/net/tulip/winbond-840.c linux-3.1.1/drivers/net/tulip/winbond-840.c
32415--- linux-3.1.1/drivers/net/tulip/winbond-840.c 2011-11-11 15:19:27.000000000 -0500
32416+++ linux-3.1.1/drivers/net/tulip/winbond-840.c 2011-11-16 18:39:07.000000000 -0500
32417@@ -236,7 +236,7 @@ struct pci_id_info {
32418 int drv_flags; /* Driver use, intended as capability flags. */
32419 };
32420
32421-static const struct pci_id_info pci_id_tbl[] __devinitdata = {
32422+static const struct pci_id_info pci_id_tbl[] __devinitconst = {
32423 { /* Sometime a Level-One switch card. */
32424 "Winbond W89c840", CanHaveMII | HasBrokenTx | FDXOnNoMII},
32425 { "Winbond W89c840", CanHaveMII | HasBrokenTx},
32426diff -urNp linux-3.1.1/drivers/net/usb/hso.c linux-3.1.1/drivers/net/usb/hso.c
32427--- linux-3.1.1/drivers/net/usb/hso.c 2011-11-11 15:19:27.000000000 -0500
32428+++ linux-3.1.1/drivers/net/usb/hso.c 2011-11-16 18:39:07.000000000 -0500
32429@@ -71,7 +71,7 @@
32430 #include <asm/byteorder.h>
32431 #include <linux/serial_core.h>
32432 #include <linux/serial.h>
32433-
32434+#include <asm/local.h>
32435
32436 #define MOD_AUTHOR "Option Wireless"
32437 #define MOD_DESCRIPTION "USB High Speed Option driver"
32438@@ -257,7 +257,7 @@ struct hso_serial {
32439
32440 /* from usb_serial_port */
32441 struct tty_struct *tty;
32442- int open_count;
32443+ local_t open_count;
32444 spinlock_t serial_lock;
32445
32446 int (*write_data) (struct hso_serial *serial);
32447@@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
32448 struct urb *urb;
32449
32450 urb = serial->rx_urb[0];
32451- if (serial->open_count > 0) {
32452+ if (local_read(&serial->open_count) > 0) {
32453 count = put_rxbuf_data(urb, serial);
32454 if (count == -1)
32455 return;
32456@@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
32457 DUMP1(urb->transfer_buffer, urb->actual_length);
32458
32459 /* Anyone listening? */
32460- if (serial->open_count == 0)
32461+ if (local_read(&serial->open_count) == 0)
32462 return;
32463
32464 if (status == 0) {
32465@@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
32466 spin_unlock_irq(&serial->serial_lock);
32467
32468 /* check for port already opened, if not set the termios */
32469- serial->open_count++;
32470- if (serial->open_count == 1) {
32471+ if (local_inc_return(&serial->open_count) == 1) {
32472 serial->rx_state = RX_IDLE;
32473 /* Force default termio settings */
32474 _hso_serial_set_termios(tty, NULL);
32475@@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
32476 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
32477 if (result) {
32478 hso_stop_serial_device(serial->parent);
32479- serial->open_count--;
32480+ local_dec(&serial->open_count);
32481 kref_put(&serial->parent->ref, hso_serial_ref_free);
32482 }
32483 } else {
32484@@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
32485
32486 /* reset the rts and dtr */
32487 /* do the actual close */
32488- serial->open_count--;
32489+ local_dec(&serial->open_count);
32490
32491- if (serial->open_count <= 0) {
32492- serial->open_count = 0;
32493+ if (local_read(&serial->open_count) <= 0) {
32494+ local_set(&serial->open_count, 0);
32495 spin_lock_irq(&serial->serial_lock);
32496 if (serial->tty == tty) {
32497 serial->tty->driver_data = NULL;
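Review bot: The close path still splits the decrement from the read, `local_dec(&serial->open_count)` on one line and `local_read(&serial->open_count) <= 0` on the next, so two closers racing can both observe the underflow and both take the teardown branch. `if (local_dec_return(&serial->open_count) <= 0) {` captures the post-decrement value in a single operation and matches the `local_inc_return` already used in hso_serial_open. More broadly, local_t is documented for counters modified only by their owning CPU, while open_count is changed from tty open/close and read from URB completion callbacks that may run on any CPU; unless those paths are pinned to one CPU, atomic_t is the type with the required cross-CPU guarantees. hso_serial_close continues beyond the hunk.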
32498@@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
32499
32500 /* the actual setup */
32501 spin_lock_irqsave(&serial->serial_lock, flags);
32502- if (serial->open_count)
32503+ if (local_read(&serial->open_count))
32504 _hso_serial_set_termios(tty, old);
32505 else
32506 tty->termios = old;
32507@@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
32508 D1("Pending read interrupt on port %d\n", i);
32509 spin_lock(&serial->serial_lock);
32510 if (serial->rx_state == RX_IDLE &&
32511- serial->open_count > 0) {
32512+ local_read(&serial->open_count) > 0) {
32513 /* Setup and send a ctrl req read on
32514 * port i */
32515 if (!serial->rx_urb_filled[0]) {
32516@@ -3098,7 +3097,7 @@ static int hso_resume(struct usb_interfa
32517 /* Start all serial ports */
32518 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
32519 if (serial_table[i] && (serial_table[i]->interface == iface)) {
32520- if (dev2ser(serial_table[i])->open_count) {
32521+ if (local_read(&dev2ser(serial_table[i])->open_count)) {
32522 result =
32523 hso_start_serial_device(serial_table[i], GFP_NOIO);
32524 hso_kick_transmit(dev2ser(serial_table[i]));
32525diff -urNp linux-3.1.1/drivers/net/vmxnet3/vmxnet3_ethtool.c linux-3.1.1/drivers/net/vmxnet3/vmxnet3_ethtool.c
32526--- linux-3.1.1/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-11-11 15:19:27.000000000 -0500
32527+++ linux-3.1.1/drivers/net/vmxnet3/vmxnet3_ethtool.c 2011-11-16 18:39:07.000000000 -0500
32528@@ -601,8 +601,7 @@ vmxnet3_set_rss_indir(struct net_device
32529 * Return with error code if any of the queue indices
32530 * is out of range
32531 */
32532- if (p->ring_index[i] < 0 ||
32533- p->ring_index[i] >= adapter->num_rx_queues)
32534+ if (p->ring_index[i] >= adapter->num_rx_queues)
32535 return -EINVAL;
32536 }
32537
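Review bot: Dropping the `p->ring_index[i] < 0` test is correct only because ring_index holds an unsigned type, which the hunk does not show; a reader sees a range check lose its lower bound with no explanation. A comment on the remaining test, `/* ring_index is unsigned, so only the upper bound can be violated */`, records that reasoning, and if the field turns out to be signed the removed test must return. vmxnet3_set_rss_indir starts and ends outside the hunk.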
32538diff -urNp linux-3.1.1/drivers/net/vxge/vxge-config.h linux-3.1.1/drivers/net/vxge/vxge-config.h
32539--- linux-3.1.1/drivers/net/vxge/vxge-config.h 2011-11-11 15:19:27.000000000 -0500
32540+++ linux-3.1.1/drivers/net/vxge/vxge-config.h 2011-11-16 18:39:07.000000000 -0500
32541@@ -514,7 +514,7 @@ struct vxge_hw_uld_cbs {
32542 void (*link_down)(struct __vxge_hw_device *devh);
32543 void (*crit_err)(struct __vxge_hw_device *devh,
32544 enum vxge_hw_event type, u64 ext_data);
32545-};
32546+} __no_const;
32547
32548 /*
32549 * struct __vxge_hw_blockpool_entry - Block private data structure
32550diff -urNp linux-3.1.1/drivers/net/vxge/vxge-main.c linux-3.1.1/drivers/net/vxge/vxge-main.c
32551--- linux-3.1.1/drivers/net/vxge/vxge-main.c 2011-11-11 15:19:27.000000000 -0500
32552+++ linux-3.1.1/drivers/net/vxge/vxge-main.c 2011-11-16 18:40:22.000000000 -0500
32553@@ -100,6 +100,8 @@ static inline void VXGE_COMPLETE_VPATH_T
32554 struct sk_buff *completed[NR_SKB_COMPLETED];
32555 int more;
32556
32557+ pax_track_stack();
32558+
32559 do {
32560 more = 0;
32561 skb_ptr = completed;
32562@@ -1915,6 +1917,8 @@ static enum vxge_hw_status vxge_rth_conf
32563 u8 mtable[256] = {0}; /* CPU to vpath mapping */
32564 int index;
32565
32566+ pax_track_stack();
32567+
32568 /*
32569 * Filling
32570 * - itable with bucket numbers
32571diff -urNp linux-3.1.1/drivers/net/vxge/vxge-traffic.h linux-3.1.1/drivers/net/vxge/vxge-traffic.h
32572--- linux-3.1.1/drivers/net/vxge/vxge-traffic.h 2011-11-11 15:19:27.000000000 -0500
32573+++ linux-3.1.1/drivers/net/vxge/vxge-traffic.h 2011-11-16 18:39:07.000000000 -0500
32574@@ -2088,7 +2088,7 @@ struct vxge_hw_mempool_cbs {
32575 struct vxge_hw_mempool_dma *dma_object,
32576 u32 index,
32577 u32 is_last);
32578-};
32579+} __no_const;
32580
32581 #define VXGE_HW_VIRTUAL_PATH_HANDLE(vpath) \
32582 ((struct __vxge_hw_vpath_handle *)(vpath)->vpath_handles.next)
32583diff -urNp linux-3.1.1/drivers/net/wan/hdlc_x25.c linux-3.1.1/drivers/net/wan/hdlc_x25.c
32584--- linux-3.1.1/drivers/net/wan/hdlc_x25.c 2011-11-11 15:19:27.000000000 -0500
32585+++ linux-3.1.1/drivers/net/wan/hdlc_x25.c 2011-11-16 18:39:07.000000000 -0500
32586@@ -134,16 +134,16 @@ static netdev_tx_t x25_xmit(struct sk_bu
32587
32588 static int x25_open(struct net_device *dev)
32589 {
32590- struct lapb_register_struct cb;
32591+ static struct lapb_register_struct cb = {
32592+ .connect_confirmation = x25_connected,
32593+ .connect_indication = x25_connected,
32594+ .disconnect_confirmation = x25_disconnected,
32595+ .disconnect_indication = x25_disconnected,
32596+ .data_indication = x25_data_indication,
32597+ .data_transmit = x25_data_transmit
32598+ };
32599 int result;
32600
32601- cb.connect_confirmation = x25_connected;
32602- cb.connect_indication = x25_connected;
32603- cb.disconnect_confirmation = x25_disconnected;
32604- cb.disconnect_indication = x25_disconnected;
32605- cb.data_indication = x25_data_indication;
32606- cb.data_transmit = x25_data_transmit;
32607-
32608 result = lapb_register(dev, &cb);
32609 if (result != LAPB_OK)
32610 return result;
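Review bot: The callback table `cb` is now a function-lifetime `static` filled entirely by its initializer and never written afterwards within the hunk, so it could be `static const struct lapb_register_struct cb = {` provided lapb_register accepts a const pointer in this tree; if it does not, a comment stating that the table is shared by every x25_open call and must stay read-only would keep a later `cb.field = ...` from silently affecting all devices. The trailing initializer `.data_transmit = x25_data_transmit` lacks a terminating comma, which kernel style prefers so later additions produce one-line diffs. x25_open continues beyond the hunk.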
32611diff -urNp linux-3.1.1/drivers/net/wimax/i2400m/usb-fw.c linux-3.1.1/drivers/net/wimax/i2400m/usb-fw.c
32612--- linux-3.1.1/drivers/net/wimax/i2400m/usb-fw.c 2011-11-11 15:19:27.000000000 -0500
32613+++ linux-3.1.1/drivers/net/wimax/i2400m/usb-fw.c 2011-11-16 18:40:22.000000000 -0500
32614@@ -287,6 +287,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
32615 int do_autopm = 1;
32616 DECLARE_COMPLETION_ONSTACK(notif_completion);
32617
32618+ pax_track_stack();
32619+
32620 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
32621 i2400m, ack, ack_size);
32622 BUG_ON(_ack == i2400m->bm_ack_buf);
32623diff -urNp linux-3.1.1/drivers/net/wireless/airo.c linux-3.1.1/drivers/net/wireless/airo.c
32624--- linux-3.1.1/drivers/net/wireless/airo.c 2011-11-11 15:19:27.000000000 -0500
32625+++ linux-3.1.1/drivers/net/wireless/airo.c 2011-11-16 18:40:22.000000000 -0500
32626@@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
32627 BSSListElement * loop_net;
32628 BSSListElement * tmp_net;
32629
32630+ pax_track_stack();
32631+
32632 /* Blow away current list of scan results */
32633 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
32634 list_move_tail (&loop_net->list, &ai->network_free_list);
32635@@ -3794,6 +3796,8 @@ static u16 setup_card(struct airo_info *
32636 WepKeyRid wkr;
32637 int rc;
32638
32639+ pax_track_stack();
32640+
32641 memset( &mySsid, 0, sizeof( mySsid ) );
32642 kfree (ai->flash);
32643 ai->flash = NULL;
32644@@ -4753,6 +4757,8 @@ static int proc_stats_rid_open( struct i
32645 __le32 *vals = stats.vals;
32646 int len;
32647
32648+ pax_track_stack();
32649+
32650 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
32651 return -ENOMEM;
32652 data = file->private_data;
32653@@ -5476,6 +5482,8 @@ static int proc_BSSList_open( struct ino
32654 /* If doLoseSync is not 1, we won't do a Lose Sync */
32655 int doLoseSync = -1;
32656
32657+ pax_track_stack();
32658+
32659 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
32660 return -ENOMEM;
32661 data = file->private_data;
32662@@ -7181,6 +7189,8 @@ static int airo_get_aplist(struct net_de
32663 int i;
32664 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
32665
32666+ pax_track_stack();
32667+
32668 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
32669 if (!qual)
32670 return -ENOMEM;
32671@@ -7741,6 +7751,8 @@ static void airo_read_wireless_stats(str
32672 CapabilityRid cap_rid;
32673 __le32 *vals = stats_rid.vals;
32674
32675+ pax_track_stack();
32676+
32677 /* Get stats out of the card */
32678 clear_bit(JOB_WSTATS, &local->jobs);
32679 if (local->power.event) {
32680diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath5k/debug.c linux-3.1.1/drivers/net/wireless/ath/ath5k/debug.c
32681--- linux-3.1.1/drivers/net/wireless/ath/ath5k/debug.c 2011-11-11 15:19:27.000000000 -0500
32682+++ linux-3.1.1/drivers/net/wireless/ath/ath5k/debug.c 2011-11-16 19:08:21.000000000 -0500
32683@@ -203,6 +203,8 @@ static ssize_t read_file_beacon(struct f
32684 unsigned int v;
32685 u64 tsf;
32686
32687+ pax_track_stack();
32688+
32689 v = ath5k_hw_reg_read(ah, AR5K_BEACON);
32690 len += snprintf(buf + len, sizeof(buf) - len,
32691 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
32692@@ -321,6 +323,8 @@ static ssize_t read_file_debug(struct fi
32693 unsigned int len = 0;
32694 unsigned int i;
32695
32696+ pax_track_stack();
32697+
32698 len += snprintf(buf + len, sizeof(buf) - len,
32699 "DEBUG LEVEL: 0x%08x\n\n", ah->debug.level);
32700
32701@@ -492,6 +496,8 @@ static ssize_t read_file_misc(struct fil
32702 unsigned int len = 0;
32703 u32 filt = ath5k_hw_get_rx_filter(ah);
32704
32705+ pax_track_stack();
32706+
32707 len += snprintf(buf + len, sizeof(buf) - len, "bssid-mask: %pM\n",
32708 ah->bssidmask);
32709 len += snprintf(buf + len, sizeof(buf) - len, "filter-flags: 0x%x ",
32710@@ -548,6 +554,8 @@ static ssize_t read_file_frameerrors(str
32711 unsigned int len = 0;
32712 int i;
32713
32714+ pax_track_stack();
32715+
32716 len += snprintf(buf + len, sizeof(buf) - len,
32717 "RX\n---------------------\n");
32718 len += snprintf(buf + len, sizeof(buf) - len, "CRC\t%u\t(%u%%)\n",
32719@@ -665,6 +673,8 @@ static ssize_t read_file_ani(struct file
32720 char buf[700];
32721 unsigned int len = 0;
32722
32723+ pax_track_stack();
32724+
32725 len += snprintf(buf + len, sizeof(buf) - len,
32726 "HW has PHY error counters:\t%s\n",
32727 ah->ah_capabilities.cap_has_phyerr_counters ?
32728@@ -829,6 +839,8 @@ static ssize_t read_file_queue(struct fi
32729 struct ath5k_buf *bf, *bf0;
32730 int i, n;
32731
32732+ pax_track_stack();
32733+
32734 len += snprintf(buf + len, sizeof(buf) - len,
32735 "available txbuffers: %d\n", ah->txbuf_len);
32736
32737diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c
32738--- linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-11-11 15:19:27.000000000 -0500
32739+++ linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_calib.c 2011-11-16 18:40:22.000000000 -0500
32740@@ -758,6 +758,8 @@ static void ar9003_hw_tx_iq_cal_post_pro
32741 int i, im, j;
32742 int nmeasurement;
32743
32744+ pax_track_stack();
32745+
32746 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
32747 if (ah->txchainmask & (1 << i))
32748 num_chains++;
32749diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c
32750--- linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-11-11 15:19:27.000000000 -0500
32751+++ linux-3.1.1/drivers/net/wireless/ath/ath9k/ar9003_paprd.c 2011-11-16 18:40:22.000000000 -0500
32752@@ -406,6 +406,8 @@ static bool create_pa_curve(u32 *data_L,
32753 int theta_low_bin = 0;
32754 int i;
32755
32756+ pax_track_stack();
32757+
32758 /* disregard any bin that contains <= 16 samples */
32759 thresh_accum_cnt = 16;
32760 scale_factor = 5;
32761diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath9k/debug.c linux-3.1.1/drivers/net/wireless/ath/ath9k/debug.c
32762--- linux-3.1.1/drivers/net/wireless/ath/ath9k/debug.c 2011-11-11 15:19:27.000000000 -0500
32763+++ linux-3.1.1/drivers/net/wireless/ath/ath9k/debug.c 2011-11-16 18:40:22.000000000 -0500
32764@@ -387,6 +387,8 @@ static ssize_t read_file_interrupt(struc
32765 char buf[512];
32766 unsigned int len = 0;
32767
32768+ pax_track_stack();
32769+
32770 if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
32771 len += snprintf(buf + len, sizeof(buf) - len,
32772 "%8s: %10u\n", "RXLP", sc->debug.stats.istats.rxlp);
32773@@ -477,6 +479,8 @@ static ssize_t read_file_wiphy(struct fi
32774 u8 addr[ETH_ALEN];
32775 u32 tmp;
32776
32777+ pax_track_stack();
32778+
32779 len += snprintf(buf + len, sizeof(buf) - len,
32780 "%s (chan=%d center-freq: %d MHz channel-type: %d (%s))\n",
32781 wiphy_name(sc->hw->wiphy),
32782diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath9k/htc_drv_debug.c linux-3.1.1/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
32783--- linux-3.1.1/drivers/net/wireless/ath/ath9k/htc_drv_debug.c 2011-11-11 15:19:27.000000000 -0500
32784+++ linux-3.1.1/drivers/net/wireless/ath/ath9k/htc_drv_debug.c 2011-11-16 18:40:22.000000000 -0500
32785@@ -31,6 +31,8 @@ static ssize_t read_file_tgt_int_stats(s
32786 unsigned int len = 0;
32787 int ret = 0;
32788
32789+ pax_track_stack();
32790+
32791 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32792
32793 ath9k_htc_ps_wakeup(priv);
32794@@ -89,6 +91,8 @@ static ssize_t read_file_tgt_tx_stats(st
32795 unsigned int len = 0;
32796 int ret = 0;
32797
32798+ pax_track_stack();
32799+
32800 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32801
32802 ath9k_htc_ps_wakeup(priv);
32803@@ -159,6 +163,8 @@ static ssize_t read_file_tgt_rx_stats(st
32804 unsigned int len = 0;
32805 int ret = 0;
32806
32807+ pax_track_stack();
32808+
32809 memset(&cmd_rsp, 0, sizeof(cmd_rsp));
32810
32811 ath9k_htc_ps_wakeup(priv);
32812@@ -203,6 +209,8 @@ static ssize_t read_file_xmit(struct fil
32813 char buf[512];
32814 unsigned int len = 0;
32815
32816+ pax_track_stack();
32817+
32818 len += snprintf(buf + len, sizeof(buf) - len,
32819 "%20s : %10u\n", "Buffers queued",
32820 priv->debug.tx_stats.buf_queued);
32821@@ -376,6 +384,8 @@ static ssize_t read_file_slot(struct fil
32822 char buf[512];
32823 unsigned int len = 0;
32824
32825+ pax_track_stack();
32826+
32827 spin_lock_bh(&priv->tx.tx_lock);
32828
32829 len += snprintf(buf + len, sizeof(buf) - len, "TX slot bitmap : ");
32830@@ -411,6 +421,8 @@ static ssize_t read_file_queue(struct fi
32831 char buf[512];
32832 unsigned int len = 0;
32833
32834+ pax_track_stack();
32835+
32836 len += snprintf(buf + len, sizeof(buf) - len, "%20s : %10u\n",
32837 "Mgmt endpoint", skb_queue_len(&priv->tx.mgmt_ep_queue));
32838
32839diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath9k/hw.h linux-3.1.1/drivers/net/wireless/ath/ath9k/hw.h
32840--- linux-3.1.1/drivers/net/wireless/ath/ath9k/hw.h 2011-11-11 15:19:27.000000000 -0500
32841+++ linux-3.1.1/drivers/net/wireless/ath/ath9k/hw.h 2011-11-16 18:39:07.000000000 -0500
32842@@ -588,7 +588,7 @@ struct ath_hw_private_ops {
32843
32844 /* ANI */
32845 void (*ani_cache_ini_regs)(struct ath_hw *ah);
32846-};
32847+} __no_const;
32848
32849 /**
32850 * struct ath_hw_ops - callbacks used by hardware code and driver code
32851@@ -639,7 +639,7 @@ struct ath_hw_ops {
32852 void (*antdiv_comb_conf_set)(struct ath_hw *ah,
32853 struct ath_hw_antcomb_conf *antconf);
32854
32855-};
32856+} __no_const;
32857
32858 struct ath_nf_limits {
32859 s16 max;
32860@@ -652,7 +652,7 @@ struct ath_nf_limits {
32861 #define AH_UNPLUGGED 0x2 /* The card has been physically removed. */
32862
32863 struct ath_hw {
32864- struct ath_ops reg_ops;
32865+ ath_ops_no_const reg_ops;
32866
32867 struct ieee80211_hw *hw;
32868 struct ath_common common;
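Review bot: `reg_ops` is switched to the `ath_ops_no_const` typedef that this patch introduces in the next file section (ath.h), so hw.h now depends on that header being included before this struct; the include is outside the hunk and worth confirming. None of the three `__no_const` sites in this section say why these particular ops tables are exempt from const-ification — presumably because their members are filled in at runtime by chip-specific attach code; a comment such as `/* __no_const: members are assigned at runtime, not constant-initialised */` on each would keep the next maintainer from turning them back into plain structs. The same undocumented `__no_const` appears in the vxge-traffic.h, mwifiex/main.h, wl1251.h and cpci_hotplug.h sections.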
32869diff -urNp linux-3.1.1/drivers/net/wireless/ath/ath.h linux-3.1.1/drivers/net/wireless/ath/ath.h
32870--- linux-3.1.1/drivers/net/wireless/ath/ath.h 2011-11-11 15:19:27.000000000 -0500
32871+++ linux-3.1.1/drivers/net/wireless/ath/ath.h 2011-11-16 18:39:07.000000000 -0500
32872@@ -121,6 +121,7 @@ struct ath_ops {
32873 void (*write_flush) (void *);
32874 u32 (*rmw)(void *, u32 reg_offset, u32 set, u32 clr);
32875 };
32876+typedef struct ath_ops __no_const ath_ops_no_const;
32877
32878 struct ath_common;
32879 struct ath_bus_ops;
32880diff -urNp linux-3.1.1/drivers/net/wireless/ipw2x00/ipw2100.c linux-3.1.1/drivers/net/wireless/ipw2x00/ipw2100.c
32881--- linux-3.1.1/drivers/net/wireless/ipw2x00/ipw2100.c 2011-11-11 15:19:27.000000000 -0500
32882+++ linux-3.1.1/drivers/net/wireless/ipw2x00/ipw2100.c 2011-11-16 18:40:22.000000000 -0500
32883@@ -2102,6 +2102,8 @@ static int ipw2100_set_essid(struct ipw2
32884 int err;
32885 DECLARE_SSID_BUF(ssid);
32886
32887+ pax_track_stack();
32888+
32889 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
32890
32891 if (ssid_len)
32892@@ -5451,6 +5453,8 @@ static int ipw2100_set_key(struct ipw210
32893 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
32894 int err;
32895
32896+ pax_track_stack();
32897+
32898 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
32899 idx, keylen, len);
32900
32901diff -urNp linux-3.1.1/drivers/net/wireless/ipw2x00/libipw_rx.c linux-3.1.1/drivers/net/wireless/ipw2x00/libipw_rx.c
32902--- linux-3.1.1/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-11-11 15:19:27.000000000 -0500
32903+++ linux-3.1.1/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-11-16 18:40:22.000000000 -0500
32904@@ -1565,6 +1565,8 @@ static void libipw_process_probe_respons
32905 unsigned long flags;
32906 DECLARE_SSID_BUF(ssid);
32907
32908+ pax_track_stack();
32909+
32910 LIBIPW_DEBUG_SCAN("'%s' (%pM"
32911 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
32912 print_ssid(ssid, info_element->data, info_element->len),
32913diff -urNp linux-3.1.1/drivers/net/wireless/iwlegacy/iwl3945-base.c linux-3.1.1/drivers/net/wireless/iwlegacy/iwl3945-base.c
32914--- linux-3.1.1/drivers/net/wireless/iwlegacy/iwl3945-base.c 2011-11-11 15:19:27.000000000 -0500
32915+++ linux-3.1.1/drivers/net/wireless/iwlegacy/iwl3945-base.c 2011-11-16 18:39:07.000000000 -0500
32916@@ -3687,7 +3687,9 @@ static int iwl3945_pci_probe(struct pci_
32917 */
32918 if (iwl3945_mod_params.disable_hw_scan) {
32919 IWL_DEBUG_INFO(priv, "Disabling hw_scan\n");
32920- iwl3945_hw_ops.hw_scan = NULL;
32921+ pax_open_kernel();
32922+ *(void **)&iwl3945_hw_ops.hw_scan = NULL;
32923+ pax_close_kernel();
32924 }
32925
32926 IWL_DEBUG_INFO(priv, "*** LOAD DRIVER ***\n");
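Review bot: The `*(void **)&iwl3945_hw_ops.hw_scan = NULL;` store casts away the const that KERNEXEC places on the ops table, and nothing at the site says so; a reader unfamiliar with PaX sees a pointless cast around a plain assignment. Add `/* iwl3945_hw_ops is read-only under KERNEXEC; write it only inside pax_open_kernel()/pax_close_kernel() */` above the `pax_open_kernel();`, and keep the open/close window to the single store as it is here. The same pattern appears in the mac80211_hwsim.c section below and would take the same comment.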
32927diff -urNp linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
32928--- linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-11-11 15:19:27.000000000 -0500
32929+++ linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-11-16 18:40:22.000000000 -0500
32930@@ -920,6 +920,8 @@ static void rs_tx_status(void *priv_r, s
32931 struct iwl_station_priv *sta_priv = (void *)sta->drv_priv;
32932 struct iwl_rxon_context *ctx = sta_priv->common.ctx;
32933
32934+ pax_track_stack();
32935+
32936 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
32937
32938 /* Treat uninitialized rate scaling data same as non-existing. */
32939@@ -2931,6 +2933,8 @@ static void rs_fill_link_cmd(struct iwl_
32940 container_of(lq_sta, struct iwl_station_priv, lq_sta);
32941 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
32942
32943+ pax_track_stack();
32944+
32945 /* Override starting rate (index 0) if needed for debug purposes */
32946 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
32947
32948diff -urNp linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c
32949--- linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-11-11 15:19:27.000000000 -0500
32950+++ linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-11-16 18:40:22.000000000 -0500
32951@@ -561,6 +561,8 @@ static ssize_t iwl_dbgfs_status_read(str
32952 int pos = 0;
32953 const size_t bufsz = sizeof(buf);
32954
32955+ pax_track_stack();
32956+
32957 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
32958 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
32959 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_INT_ENABLED:\t %d\n",
32960@@ -693,6 +695,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
32961 char buf[256 * NUM_IWL_RXON_CTX];
32962 const size_t bufsz = sizeof(buf);
32963
32964+ pax_track_stack();
32965+
32966 for_each_context(priv, ctx) {
32967 pos += scnprintf(buf + pos, bufsz - pos, "context %d:\n",
32968 ctx->ctxid);
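--- a/linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debug.h
+++ b/linux-3.1.1/drivers/net/wireless/iwlwifi/iwl-debug.h
@@ -68,8 +68,8 @@ do {
 } while (0)
 
 #else
-#define IWL_DEBUG(__priv, level, fmt, args...)
-#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
+#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
+#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
 const void *p, u32 len)
 {}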
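Review bot: The empty-body macros are now safe after an unbraced `if`, but they still discard the format string and arguments entirely, so a mismatched format specifier in a non-debug build goes unchecked and variables used only for logging become unused-variable warnings. The kernel's `no_printk()` exists for exactly this: `#define IWL_DEBUG(__priv, level, fmt, args...) no_printk(fmt, ##args)` (and likewise for `IWL_DEBUG_LIMIT`) keeps the format type-checked while evaluating nothing at runtime. If the enabled variant (outside the hunk) wraps `fmt` with a prefix, the stub only has to accept the same argument shape.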
32983diff -urNp linux-3.1.1/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-3.1.1/drivers/net/wireless/iwmc3200wifi/debugfs.c
32984--- linux-3.1.1/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-11-11 15:19:27.000000000 -0500
32985+++ linux-3.1.1/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-11-16 18:40:22.000000000 -0500
32986@@ -327,6 +327,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
32987 int buf_len = 512;
32988 size_t len = 0;
32989
32990+ pax_track_stack();
32991+
32992 if (*ppos != 0)
32993 return 0;
32994 if (count < sizeof(buf))
32995diff -urNp linux-3.1.1/drivers/net/wireless/mac80211_hwsim.c linux-3.1.1/drivers/net/wireless/mac80211_hwsim.c
32996--- linux-3.1.1/drivers/net/wireless/mac80211_hwsim.c 2011-11-11 15:19:27.000000000 -0500
32997+++ linux-3.1.1/drivers/net/wireless/mac80211_hwsim.c 2011-11-16 18:39:07.000000000 -0500
32998@@ -1670,9 +1670,11 @@ static int __init init_mac80211_hwsim(vo
32999 return -EINVAL;
33000
33001 if (fake_hw_scan) {
33002- mac80211_hwsim_ops.hw_scan = mac80211_hwsim_hw_scan;
33003- mac80211_hwsim_ops.sw_scan_start = NULL;
33004- mac80211_hwsim_ops.sw_scan_complete = NULL;
33005+ pax_open_kernel();
33006+ *(void **)&mac80211_hwsim_ops.hw_scan = mac80211_hwsim_hw_scan;
33007+ *(void **)&mac80211_hwsim_ops.sw_scan_start = NULL;
33008+ *(void **)&mac80211_hwsim_ops.sw_scan_complete = NULL;
33009+ pax_close_kernel();
33010 }
33011
33012 spin_lock_init(&hwsim_radio_lock);
33013diff -urNp linux-3.1.1/drivers/net/wireless/mwifiex/main.h linux-3.1.1/drivers/net/wireless/mwifiex/main.h
33014--- linux-3.1.1/drivers/net/wireless/mwifiex/main.h 2011-11-11 15:19:27.000000000 -0500
33015+++ linux-3.1.1/drivers/net/wireless/mwifiex/main.h 2011-11-16 18:39:07.000000000 -0500
33016@@ -560,7 +560,7 @@ struct mwifiex_if_ops {
33017
33018 void (*update_mp_end_port) (struct mwifiex_adapter *, u16);
33019 void (*cleanup_mpa_buf) (struct mwifiex_adapter *);
33020-};
33021+} __no_const;
33022
33023 struct mwifiex_adapter {
33024 struct mwifiex_private *priv[MWIFIEX_MAX_BSS_NUM];
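--- a/linux-3.1.1/drivers/net/wireless/rndis_wlan.c
+++ b/linux-3.1.1/drivers/net/wireless/rndis_wlan.c
@@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
 
 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
 
-if (rts_threshold < 0 || rts_threshold > 2347)
+if (rts_threshold > 2347)
 rts_threshold = 2347;
 
 tmp = cpu_to_le32(rts_threshold);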
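Review bot: Dropping `rts_threshold < 0` is only a no-op if `rts_threshold` is an unsigned type; the function signature is outside the hunk, so confirm it is `u32` (a signed parameter would lose its negative-input clamp here). A short comment on the surviving test would stop someone from reinstating the check later: `/* unsigned: only the upper bound needs clamping */`. The literal 2347 appears twice and is the usual 802.11 RTS-threshold ceiling; giving it a name (a constructed example: `#define RTS_THRESHOLD_MAX 2347`) would make the clamp self-describing.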
33037diff -urNp linux-3.1.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c linux-3.1.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c
33038--- linux-3.1.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-11-11 15:19:27.000000000 -0500
33039+++ linux-3.1.1/drivers/net/wireless/rtlwifi/rtl8192c/phy_common.c 2011-11-16 18:40:22.000000000 -0500
33040@@ -837,6 +837,8 @@ bool _rtl92c_phy_sw_chnl_step_by_step(st
33041 u8 rfpath;
33042 u8 num_total_rfpath = rtlphy->num_total_rfpath;
33043
33044+ pax_track_stack();
33045+
33046 precommoncmdcnt = 0;
33047 _rtl92c_phy_set_sw_chnl_cmdarray(precommoncmd, precommoncmdcnt++,
33048 MAX_PRECMD_CNT,
33049diff -urNp linux-3.1.1/drivers/net/wireless/wl1251/wl1251.h linux-3.1.1/drivers/net/wireless/wl1251/wl1251.h
33050--- linux-3.1.1/drivers/net/wireless/wl1251/wl1251.h 2011-11-11 15:19:27.000000000 -0500
33051+++ linux-3.1.1/drivers/net/wireless/wl1251/wl1251.h 2011-11-16 18:39:07.000000000 -0500
33052@@ -266,7 +266,7 @@ struct wl1251_if_operations {
33053 void (*reset)(struct wl1251 *wl);
33054 void (*enable_irq)(struct wl1251 *wl);
33055 void (*disable_irq)(struct wl1251 *wl);
33056-};
33057+} __no_const;
33058
33059 struct wl1251 {
33060 struct ieee80211_hw *hw;
33061diff -urNp linux-3.1.1/drivers/net/wireless/wl12xx/spi.c linux-3.1.1/drivers/net/wireless/wl12xx/spi.c
33062--- linux-3.1.1/drivers/net/wireless/wl12xx/spi.c 2011-11-11 15:19:27.000000000 -0500
33063+++ linux-3.1.1/drivers/net/wireless/wl12xx/spi.c 2011-11-16 18:40:22.000000000 -0500
33064@@ -281,6 +281,8 @@ static void wl1271_spi_raw_write(struct
33065 u32 chunk_len;
33066 int i;
33067
33068+ pax_track_stack();
33069+
33070 WARN_ON(len > WL1271_AGGR_BUFFER_SIZE);
33071
33072 spi_message_init(&m);
33073diff -urNp linux-3.1.1/drivers/oprofile/buffer_sync.c linux-3.1.1/drivers/oprofile/buffer_sync.c
33074--- linux-3.1.1/drivers/oprofile/buffer_sync.c 2011-11-11 15:19:27.000000000 -0500
33075+++ linux-3.1.1/drivers/oprofile/buffer_sync.c 2011-11-16 18:39:07.000000000 -0500
33076@@ -343,7 +343,7 @@ static void add_data(struct op_entry *en
33077 if (cookie == NO_COOKIE)
33078 offset = pc;
33079 if (cookie == INVALID_COOKIE) {
33080- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
33081+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
33082 offset = pc;
33083 }
33084 if (cookie != last_cookie) {
33085@@ -387,14 +387,14 @@ add_sample(struct mm_struct *mm, struct
33086 /* add userspace sample */
33087
33088 if (!mm) {
33089- atomic_inc(&oprofile_stats.sample_lost_no_mm);
33090+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
33091 return 0;
33092 }
33093
33094 cookie = lookup_dcookie(mm, s->eip, &offset);
33095
33096 if (cookie == INVALID_COOKIE) {
33097- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
33098+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
33099 return 0;
33100 }
33101
33102@@ -563,7 +563,7 @@ void sync_buffer(int cpu)
33103 /* ignore backtraces if failed to add a sample */
33104 if (state == sb_bt_start) {
33105 state = sb_bt_ignore;
33106- atomic_inc(&oprofile_stats.bt_lost_no_mapping);
33107+ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
33108 }
33109 }
33110 release_mm(mm);
33111diff -urNp linux-3.1.1/drivers/oprofile/event_buffer.c linux-3.1.1/drivers/oprofile/event_buffer.c
33112--- linux-3.1.1/drivers/oprofile/event_buffer.c 2011-11-11 15:19:27.000000000 -0500
33113+++ linux-3.1.1/drivers/oprofile/event_buffer.c 2011-11-16 18:39:07.000000000 -0500
33114@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
33115 }
33116
33117 if (buffer_pos == buffer_size) {
33118- atomic_inc(&oprofile_stats.event_lost_overflow);
33119+ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
33120 return;
33121 }
33122
33123diff -urNp linux-3.1.1/drivers/oprofile/oprof.c linux-3.1.1/drivers/oprofile/oprof.c
33124--- linux-3.1.1/drivers/oprofile/oprof.c 2011-11-11 15:19:27.000000000 -0500
33125+++ linux-3.1.1/drivers/oprofile/oprof.c 2011-11-16 18:39:07.000000000 -0500
33126@@ -110,7 +110,7 @@ static void switch_worker(struct work_st
33127 if (oprofile_ops.switch_events())
33128 return;
33129
33130- atomic_inc(&oprofile_stats.multiplex_counter);
33131+ atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
33132 start_switch_worker();
33133 }
33134
33135diff -urNp linux-3.1.1/drivers/oprofile/oprofilefs.c linux-3.1.1/drivers/oprofile/oprofilefs.c
33136--- linux-3.1.1/drivers/oprofile/oprofilefs.c 2011-11-11 15:19:27.000000000 -0500
33137+++ linux-3.1.1/drivers/oprofile/oprofilefs.c 2011-11-16 18:39:07.000000000 -0500
33138@@ -186,7 +186,7 @@ static const struct file_operations atom
33139
33140
33141 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
33142- char const *name, atomic_t *val)
33143+ char const *name, atomic_unchecked_t *val)
33144 {
33145 return __oprofilefs_create_file(sb, root, name,
33146 &atomic_ro_fops, 0444, val);
33147diff -urNp linux-3.1.1/drivers/oprofile/oprofile_stats.c linux-3.1.1/drivers/oprofile/oprofile_stats.c
33148--- linux-3.1.1/drivers/oprofile/oprofile_stats.c 2011-11-11 15:19:27.000000000 -0500
33149+++ linux-3.1.1/drivers/oprofile/oprofile_stats.c 2011-11-16 18:39:07.000000000 -0500
33150@@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
33151 cpu_buf->sample_invalid_eip = 0;
33152 }
33153
33154- atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
33155- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
33156- atomic_set(&oprofile_stats.event_lost_overflow, 0);
33157- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
33158- atomic_set(&oprofile_stats.multiplex_counter, 0);
33159+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
33160+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
33161+ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
33162+ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
33163+ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
33164 }
33165
33166
33167diff -urNp linux-3.1.1/drivers/oprofile/oprofile_stats.h linux-3.1.1/drivers/oprofile/oprofile_stats.h
33168--- linux-3.1.1/drivers/oprofile/oprofile_stats.h 2011-11-11 15:19:27.000000000 -0500
33169+++ linux-3.1.1/drivers/oprofile/oprofile_stats.h 2011-11-16 18:39:07.000000000 -0500
33170@@ -13,11 +13,11 @@
33171 #include <linux/atomic.h>
33172
33173 struct oprofile_stat_struct {
33174- atomic_t sample_lost_no_mm;
33175- atomic_t sample_lost_no_mapping;
33176- atomic_t bt_lost_no_mapping;
33177- atomic_t event_lost_overflow;
33178- atomic_t multiplex_counter;
33179+ atomic_unchecked_t sample_lost_no_mm;
33180+ atomic_unchecked_t sample_lost_no_mapping;
33181+ atomic_unchecked_t bt_lost_no_mapping;
33182+ atomic_unchecked_t event_lost_overflow;
33183+ atomic_unchecked_t multiplex_counter;
33184 };
33185
33186 extern struct oprofile_stat_struct oprofile_stats;
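Review bot: The five counters change type to `atomic_unchecked_t` without a comment saying why, and the reason is not obvious from this header: these are lost-sample statistics whose wrap-around is harmless, so they are deliberately excluded from the overflow protection that `atomic_t` carries under this patch. Put that on the struct, e.g. `/* statistics only: wrap-around is benign, so the unchecked atomics are used */`. The matching `atomic_inc_unchecked`/`atomic_set_unchecked` conversions in the buffer_sync.c, event_buffer.c, oprof.c and oprofile_stats.c sections are consistent with this. In the oprofilefs.c section, `oprofilefs_create_ro_atomic()` now takes `atomic_unchecked_t *`, but the read side behind `atomic_ro_fops` is outside that hunk; if it still dereferences the `void *` private data as `atomic_t` it should be changed to read via `atomic_read_unchecked()`, and the prototype in the public header needs the same parameter change, presumably done elsewhere in the patch.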
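--- a/linux-3.1.1/drivers/parport/procfs.c
+++ b/linux-3.1.1/drivers/parport/procfs.c
@@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
 
 *ppos += len;
 
- return copy_to_user(result, buffer, len) ? -EFAULT : 0;
+ return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
 }
 
 #ifdef CONFIG_PARPORT_1284
@@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
 
 *ppos += len;
 
- return copy_to_user (result, buffer, len) ? -EFAULT : 0;
+ return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
 }
 #endif /* IEEE1284.3 support. */
 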
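Review bot: The new `len > sizeof buffer` guard in do_active_device() runs after `*ppos += len` and after `buffer` has already been filled (the formatting code is outside the hunk), so it detects an overrun that has already happened rather than preventing it, and it still advances the file position on the failure path. Bounding the write where the text is produced — `len = scnprintf(buffer, sizeof buffer, ...)` — would make the copy safe by construction; if the guard is kept, `-EFAULT` is a misleading status for an internal length error and `-EINVAL` would be clearer, with the `*ppos` update moved after the check. The do_autoprobe() hunk has the same shape and the same remarks apply.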
33208diff -urNp linux-3.1.1/drivers/pci/hotplug/cpci_hotplug.h linux-3.1.1/drivers/pci/hotplug/cpci_hotplug.h
33209--- linux-3.1.1/drivers/pci/hotplug/cpci_hotplug.h 2011-11-11 15:19:27.000000000 -0500
33210+++ linux-3.1.1/drivers/pci/hotplug/cpci_hotplug.h 2011-11-16 18:39:07.000000000 -0500
33211@@ -59,7 +59,7 @@ struct cpci_hp_controller_ops {
33212 int (*hardware_test) (struct slot* slot, u32 value);
33213 u8 (*get_power) (struct slot* slot);
33214 int (*set_power) (struct slot* slot, int value);
33215-};
33216+} __no_const;
33217
33218 struct cpci_hp_controller {
33219 unsigned int irq;
33220diff -urNp linux-3.1.1/drivers/pci/hotplug/cpqphp_nvram.c linux-3.1.1/drivers/pci/hotplug/cpqphp_nvram.c
33221--- linux-3.1.1/drivers/pci/hotplug/cpqphp_nvram.c 2011-11-11 15:19:27.000000000 -0500
33222+++ linux-3.1.1/drivers/pci/hotplug/cpqphp_nvram.c 2011-11-16 18:39:07.000000000 -0500
33223@@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
33224
33225 void compaq_nvram_init (void __iomem *rom_start)
33226 {
33227+
33228+#ifndef CONFIG_PAX_KERNEXEC
33229 if (rom_start) {
33230 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
33231 }
33232+#endif
33233+
33234 dbg("int15 entry = %p\n", compaq_int15_entry_point);
33235
33236 /* initialize our int15 lock */
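Review bot: With CONFIG_PAX_KERNEXEC the assignment to `compaq_int15_entry_point` is compiled out, so it keeps whatever initial value it has outside this hunk and the `dbg()` on the next line reports that value; the reason for skipping it is not stated anywhere. Add a comment on the `#ifndef`, e.g. `/* KERNEXEC: jumping into the option ROM's int15 handler is not permitted, so the entry point stays unset */` (my reading of the intent — confirm). Every user of the entry point must then cope with it being unset; those call sites are outside this hunk and worth checking. The two added blank lines inside the function body are stray whitespace.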
33237diff -urNp linux-3.1.1/drivers/pci/pcie/aspm.c linux-3.1.1/drivers/pci/pcie/aspm.c
33238--- linux-3.1.1/drivers/pci/pcie/aspm.c 2011-11-11 15:19:27.000000000 -0500
33239+++ linux-3.1.1/drivers/pci/pcie/aspm.c 2011-11-16 18:39:07.000000000 -0500
33240@@ -27,9 +27,9 @@
33241 #define MODULE_PARAM_PREFIX "pcie_aspm."
33242
33243 /* Note: those are not register definitions */
33244-#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
33245-#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
33246-#define ASPM_STATE_L1 (4) /* L1 state */
33247+#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
33248+#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
33249+#define ASPM_STATE_L1 (4U) /* L1 state */
33250 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
33251 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
33252
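--- a/linux-3.1.1/drivers/pci/probe.c
+++ b/linux-3.1.1/drivers/pci/probe.c
@@ -136,7 +136,7 @@ int __pci_read_base(struct pci_dev *dev,
 u32 l, sz, mask;
 u16 orig_cmd;
 
- mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
+ mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
 
 if (!dev->mmio_always_on) {
 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);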
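Review bot: The `(u32)` cast has no comment explaining what it fixes; as far as I recall `PCI_ROM_ADDRESS_MASK` is an unsigned long constant while `~0` is an int, so the two arms of the `?:` had different widths and the result was narrowed on assignment to `mask` — a reader will otherwise wonder whether the cast changes the value. A one-liner such as `/* cast: give both ?: arms the width of mask */` is enough, and `~0U` on the other arm would make the two arms symmetric. The rest of __pci_read_base() is outside the hunk.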
33265diff -urNp linux-3.1.1/drivers/pci/proc.c linux-3.1.1/drivers/pci/proc.c
33266--- linux-3.1.1/drivers/pci/proc.c 2011-11-11 15:19:27.000000000 -0500
33267+++ linux-3.1.1/drivers/pci/proc.c 2011-11-16 18:40:22.000000000 -0500
33268@@ -476,7 +476,16 @@ static const struct file_operations proc
33269 static int __init pci_proc_init(void)
33270 {
33271 struct pci_dev *dev = NULL;
33272+
33273+#ifdef CONFIG_GRKERNSEC_PROC_ADD
33274+#ifdef CONFIG_GRKERNSEC_PROC_USER
33275+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
33276+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33277+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
33278+#endif
33279+#else
33280 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
33281+#endif
33282 proc_create("devices", 0, proc_bus_pci_dir,
33283 &proc_bus_pci_dev_operations);
33284 proc_initialized = 1;
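Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, `proc_bus_pci_dir` is never assigned and the `proc_create("devices", ...)` that follows uses its initial value, placing the entry in the wrong directory; if Kconfig guarantees one of the two is always selected, say so in a comment, otherwise add an `#else` with `#error "GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` to the inner `#ifdef`. The USERGROUP variant grants `S_IRGRP | S_IXGRP`, but nothing here sets the directory's gid, so the restriction relies on procfs assigning the gid elsewhere in the patch — a one-line comment at the site would make that dependency visible.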
33285diff -urNp linux-3.1.1/drivers/pci/xen-pcifront.c linux-3.1.1/drivers/pci/xen-pcifront.c
33286--- linux-3.1.1/drivers/pci/xen-pcifront.c 2011-11-11 15:19:27.000000000 -0500
33287+++ linux-3.1.1/drivers/pci/xen-pcifront.c 2011-11-16 18:40:22.000000000 -0500
33288@@ -187,6 +187,8 @@ static int pcifront_bus_read(struct pci_
33289 struct pcifront_sd *sd = bus->sysdata;
33290 struct pcifront_device *pdev = pcifront_get_pdev(sd);
33291
33292+ pax_track_stack();
33293+
33294 if (verbose_request)
33295 dev_info(&pdev->xdev->dev,
33296 "read dev=%04x:%02x:%02x.%01x - offset %x size %d\n",
33297@@ -226,6 +228,8 @@ static int pcifront_bus_write(struct pci
33298 struct pcifront_sd *sd = bus->sysdata;
33299 struct pcifront_device *pdev = pcifront_get_pdev(sd);
33300
33301+ pax_track_stack();
33302+
33303 if (verbose_request)
33304 dev_info(&pdev->xdev->dev,
33305 "write dev=%04x:%02x:%02x.%01x - "
33306@@ -258,6 +262,8 @@ static int pci_frontend_enable_msix(stru
33307 struct pcifront_device *pdev = pcifront_get_pdev(sd);
33308 struct msi_desc *entry;
33309
33310+ pax_track_stack();
33311+
33312 if (nvec > SH_INFO_MAX_VEC) {
33313 dev_err(&dev->dev, "too much vector for pci frontend: %x."
33314 " Increase SH_INFO_MAX_VEC.\n", nvec);
33315@@ -309,6 +315,8 @@ static void pci_frontend_disable_msix(st
33316 struct pcifront_sd *sd = dev->bus->sysdata;
33317 struct pcifront_device *pdev = pcifront_get_pdev(sd);
33318
33319+ pax_track_stack();
33320+
33321 err = do_pci_op(pdev, &op);
33322
33323 /* What should do for error ? */
33324@@ -328,6 +336,8 @@ static int pci_frontend_enable_msi(struc
33325 struct pcifront_sd *sd = dev->bus->sysdata;
33326 struct pcifront_device *pdev = pcifront_get_pdev(sd);
33327
33328+ pax_track_stack();
33329+
33330 err = do_pci_op(pdev, &op);
33331 if (likely(!err)) {
33332 vector[0] = op.value;
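--- a/linux-3.1.1/drivers/platform/x86/thinkpad_acpi.c
+++ b/linux-3.1.1/drivers/platform/x86/thinkpad_acpi.c
@@ -2094,7 +2094,7 @@ static int hotkey_mask_get(void)
 return 0;
 }
 
-void static hotkey_mask_warn_incomplete_mask(void)
+static void hotkey_mask_warn_incomplete_mask(void)
 {
 /* log only what the user can fix... */
 const u32 wantedmask = hotkey_driver_mask &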
33345diff -urNp linux-3.1.1/drivers/pnp/pnpbios/bioscalls.c linux-3.1.1/drivers/pnp/pnpbios/bioscalls.c
33346--- linux-3.1.1/drivers/pnp/pnpbios/bioscalls.c 2011-11-11 15:19:27.000000000 -0500
33347+++ linux-3.1.1/drivers/pnp/pnpbios/bioscalls.c 2011-11-16 18:39:07.000000000 -0500
33348@@ -59,7 +59,7 @@ do { \
33349 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
33350 } while(0)
33351
33352-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
33353+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
33354 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
33355
33356 /*
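Review bot: The descriptor flags change from 0x4092 to 0x4093 on the `bad_bios_desc` line is undocumented; 0x93 differs from 0x92 only in the accessed bit of the type field. Since this descriptor is copied by value into the per-CPU GDT, which the following hunks make writable only between `pax_open_kernel()` and `pax_close_kernel()`, presetting the accessed bit presumably spares the CPU a write into a read-only GDT the first time that selector is loaded — worth confirming against the KERNEXEC GDT mapping. Suggest a comment above the definition: `/* accessed bit preset: the GDT is read-only outside pax_open_kernel(), so the CPU must not need to set it */`.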
33357@@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
33358
33359 cpu = get_cpu();
33360 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
33361+
33362+ pax_open_kernel();
33363 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
33364+ pax_close_kernel();
33365
33366 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
33367 spin_lock_irqsave(&pnp_bios_lock, flags);
33368@@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
33369 :"memory");
33370 spin_unlock_irqrestore(&pnp_bios_lock, flags);
33371
33372+ pax_open_kernel();
33373 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
33374+ pax_close_kernel();
33375+
33376 put_cpu();
33377
33378 /* If we get here and this is set then the PnP BIOS faulted on us. */
33379@@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
33380 return status;
33381 }
33382
33383-void pnpbios_calls_init(union pnp_bios_install_struct *header)
33384+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
33385 {
33386 int i;
33387
33388@@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
33389 pnp_bios_callpoint.offset = header->fields.pm16offset;
33390 pnp_bios_callpoint.segment = PNP_CS16;
33391
33392+ pax_open_kernel();
33393+
33394 for_each_possible_cpu(i) {
33395 struct desc_struct *gdt = get_cpu_gdt_table(i);
33396 if (!gdt)
33397@@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
33398 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
33399 (unsigned long)__va(header->fields.pm16dseg));
33400 }
33401+
33402+ pax_close_kernel();
33403 }
33404diff -urNp linux-3.1.1/drivers/pnp/resource.c linux-3.1.1/drivers/pnp/resource.c
33405--- linux-3.1.1/drivers/pnp/resource.c 2011-11-11 15:19:27.000000000 -0500
33406+++ linux-3.1.1/drivers/pnp/resource.c 2011-11-16 18:39:07.000000000 -0500
33407@@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
33408 return 1;
33409
33410 /* check if the resource is valid */
33411- if (*irq < 0 || *irq > 15)
33412+ if (*irq > 15)
33413 return 0;
33414
33415 /* check if the resource is reserved */
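Review bot: Dropping `*irq < 0` at the changed line is only sound if `*irq` has an unsigned type, and its declaration is outside the hunk (pnp_check_irq starts above it); if it is a `resource_size_t` the removed comparison was a tautology and the change is fine, otherwise negative values now pass the validity check. The same applies to the `*dma < 0` removal in the pnp_check_dma hunk below. A short comment on the remaining test, `/* irq is unsigned; only the upper bound needs checking */`, would record the assumption for the next reader.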
33416@@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
33417 return 1;
33418
33419 /* check if the resource is valid */
33420- if (*dma < 0 || *dma == 4 || *dma > 7)
33421+ if (*dma == 4 || *dma > 7)
33422 return 0;
33423
33424 /* check if the resource is reserved */
33425diff -urNp linux-3.1.1/drivers/power/bq27x00_battery.c linux-3.1.1/drivers/power/bq27x00_battery.c
33426--- linux-3.1.1/drivers/power/bq27x00_battery.c 2011-11-11 15:19:27.000000000 -0500
33427+++ linux-3.1.1/drivers/power/bq27x00_battery.c 2011-11-16 18:39:07.000000000 -0500
33428@@ -67,7 +67,7 @@
33429 struct bq27x00_device_info;
33430 struct bq27x00_access_methods {
33431 int (*read)(struct bq27x00_device_info *di, u8 reg, bool single);
33432-};
33433+} __no_const;
33434
33435 enum bq27x00_chip { BQ27000, BQ27500 };
33436
33437diff -urNp linux-3.1.1/drivers/regulator/max8660.c linux-3.1.1/drivers/regulator/max8660.c
33438--- linux-3.1.1/drivers/regulator/max8660.c 2011-11-11 15:19:27.000000000 -0500
33439+++ linux-3.1.1/drivers/regulator/max8660.c 2011-11-16 18:39:07.000000000 -0500
33440@@ -383,8 +383,10 @@ static int __devinit max8660_probe(struc
33441 max8660->shadow_regs[MAX8660_OVER1] = 5;
33442 } else {
33443 /* Otherwise devices can be toggled via software */
33444- max8660_dcdc_ops.enable = max8660_dcdc_enable;
33445- max8660_dcdc_ops.disable = max8660_dcdc_disable;
33446+ pax_open_kernel();
33447+ *(void **)&max8660_dcdc_ops.enable = max8660_dcdc_enable;
33448+ *(void **)&max8660_dcdc_ops.disable = max8660_dcdc_disable;
33449+ pax_close_kernel();
33450 }
33451
33452 /*
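Review bot: Storing function pointers through `*(void **)&max8660_dcdc_ops.enable` at the two added assignments bypasses type checking and assumes function and object pointers share a representation, and nothing in the hunk says why the plain member assignment had to go. The surrounding `pax_open_kernel()`/`pax_close_kernel()` pair suggests the ops struct is now read-only (constified), which is exactly the reason a reader needs. Suggest a comment above the pair: `/* ops struct is constified; write through void ** while the kernel is opened */`. The same uncommented pattern is in the mc13892_regulator_probe hunk below.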
33453diff -urNp linux-3.1.1/drivers/regulator/mc13892-regulator.c linux-3.1.1/drivers/regulator/mc13892-regulator.c
33454--- linux-3.1.1/drivers/regulator/mc13892-regulator.c 2011-11-11 15:19:27.000000000 -0500
33455+++ linux-3.1.1/drivers/regulator/mc13892-regulator.c 2011-11-16 18:39:07.000000000 -0500
33456@@ -564,10 +564,12 @@ static int __devinit mc13892_regulator_p
33457 }
33458 mc13xxx_unlock(mc13892);
33459
33460- mc13892_regulators[MC13892_VCAM].desc.ops->set_mode
33461+ pax_open_kernel();
33462+ *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->set_mode
33463 = mc13892_vcam_set_mode;
33464- mc13892_regulators[MC13892_VCAM].desc.ops->get_mode
33465+ *(void **)&mc13892_regulators[MC13892_VCAM].desc.ops->get_mode
33466 = mc13892_vcam_get_mode;
33467+ pax_close_kernel();
33468 for (i = 0; i < pdata->num_regulators; i++) {
33469 init_data = &pdata->regulators[i];
33470 priv->regulators[i] = regulator_register(
33471diff -urNp linux-3.1.1/drivers/rtc/rtc-dev.c linux-3.1.1/drivers/rtc/rtc-dev.c
33472--- linux-3.1.1/drivers/rtc/rtc-dev.c 2011-11-11 15:19:27.000000000 -0500
33473+++ linux-3.1.1/drivers/rtc/rtc-dev.c 2011-11-16 18:40:22.000000000 -0500
33474@@ -14,6 +14,7 @@
33475 #include <linux/module.h>
33476 #include <linux/rtc.h>
33477 #include <linux/sched.h>
33478+#include <linux/grsecurity.h>
33479 #include "rtc-core.h"
33480
33481 static dev_t rtc_devt;
33482@@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
33483 if (copy_from_user(&tm, uarg, sizeof(tm)))
33484 return -EFAULT;
33485
33486+ gr_log_timechange();
33487+
33488 return rtc_set_time(rtc, &tm);
33489
33490 case RTC_PIE_ON:
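Review bot: `gr_log_timechange()` at the added line runs before `rtc_set_time(rtc, &tm)`, so the audit record is emitted even when the set fails (for example when the driver rejects the time), which may or may not be intended. If logging attempts is the goal, say so with `/* audit the attempt regardless of outcome */`; if only successful changes should be recorded, capture the return value of `rtc_set_time()` and log only on success. The rest of rtc_dev_ioctl lies outside the hunk.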
33491diff -urNp linux-3.1.1/drivers/scsi/aacraid/aacraid.h linux-3.1.1/drivers/scsi/aacraid/aacraid.h
33492--- linux-3.1.1/drivers/scsi/aacraid/aacraid.h 2011-11-11 15:19:27.000000000 -0500
33493+++ linux-3.1.1/drivers/scsi/aacraid/aacraid.h 2011-11-16 18:39:07.000000000 -0500
33494@@ -492,7 +492,7 @@ struct adapter_ops
33495 int (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd);
33496 /* Administrative operations */
33497 int (*adapter_comm)(struct aac_dev * dev, int comm);
33498-};
33499+} __no_const;
33500
33501 /*
33502 * Define which interrupt handler needs to be installed
33503diff -urNp linux-3.1.1/drivers/scsi/aacraid/commctrl.c linux-3.1.1/drivers/scsi/aacraid/commctrl.c
33504--- linux-3.1.1/drivers/scsi/aacraid/commctrl.c 2011-11-11 15:19:27.000000000 -0500
33505+++ linux-3.1.1/drivers/scsi/aacraid/commctrl.c 2011-11-16 18:40:22.000000000 -0500
33506@@ -482,6 +482,7 @@ static int aac_send_raw_srb(struct aac_d
33507 u32 actual_fibsize64, actual_fibsize = 0;
33508 int i;
33509
33510+ pax_track_stack();
33511
33512 if (dev->in_reset) {
33513 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
33514diff -urNp linux-3.1.1/drivers/scsi/aacraid/linit.c linux-3.1.1/drivers/scsi/aacraid/linit.c
33515--- linux-3.1.1/drivers/scsi/aacraid/linit.c 2011-11-11 15:19:27.000000000 -0500
33516+++ linux-3.1.1/drivers/scsi/aacraid/linit.c 2011-11-16 18:39:07.000000000 -0500
33517@@ -92,7 +92,7 @@ static DECLARE_PCI_DEVICE_TABLE(aac_pci_
33518 #elif defined(__devinitconst)
33519 static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
33520 #else
33521-static const struct pci_device_id aac_pci_tbl[] __devinitdata = {
33522+static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
33523 #endif
33524 { 0x1028, 0x0001, 0x1028, 0x0001, 0, 0, 0 }, /* PERC 2/Si (Iguana/PERC2Si) */
33525 { 0x1028, 0x0002, 0x1028, 0x0002, 0, 0, 1 }, /* PERC 3/Di (Opal/PERC3Di) */
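Review bot: The `#else` branch now uses `__devinitconst` on the changed line, but that branch is only reached when the `#elif defined(__devinitconst)` test two lines above has failed, so on such a configuration the identifier is undefined and the declaration will not compile. On kernels where `__devinitconst` is always defined the branch is dead and the change is a no-op; either way the two branches are now textually identical. Collapsing the conditional to the `__devinitconst` declaration alone, or leaving the fallback as `__devinitdata`, would resolve it; the `#if` opening this conditional is outside the hunk.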
33526diff -urNp linux-3.1.1/drivers/scsi/aic94xx/aic94xx_init.c linux-3.1.1/drivers/scsi/aic94xx/aic94xx_init.c
33527--- linux-3.1.1/drivers/scsi/aic94xx/aic94xx_init.c 2011-11-11 15:19:27.000000000 -0500
33528+++ linux-3.1.1/drivers/scsi/aic94xx/aic94xx_init.c 2011-11-16 18:39:07.000000000 -0500
33529@@ -1012,7 +1012,7 @@ static struct sas_domain_function_templa
33530 .lldd_control_phy = asd_control_phy,
33531 };
33532
33533-static const struct pci_device_id aic94xx_pci_table[] __devinitdata = {
33534+static const struct pci_device_id aic94xx_pci_table[] __devinitconst = {
33535 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x410),0, 0, 1},
33536 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x412),0, 0, 1},
33537 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x416),0, 0, 1},
33538diff -urNp linux-3.1.1/drivers/scsi/bfa/bfad.c linux-3.1.1/drivers/scsi/bfa/bfad.c
33539--- linux-3.1.1/drivers/scsi/bfa/bfad.c 2011-11-11 15:19:27.000000000 -0500
33540+++ linux-3.1.1/drivers/scsi/bfa/bfad.c 2011-11-16 19:01:15.000000000 -0500
33541@@ -1019,6 +1019,8 @@ bfad_start_ops(struct bfad_s *bfad) {
33542 struct bfad_vport_s *vport, *vport_new;
33543 struct bfa_fcs_driver_info_s driver_info;
33544
33545+ pax_track_stack();
33546+
33547 /* Limit min/max. xfer size to [64k-32MB] */
33548 if (max_xfer_size < BFAD_MIN_SECTORS >> 1)
33549 max_xfer_size = BFAD_MIN_SECTORS >> 1;
33550diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.c linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.c
33551--- linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.c 2011-11-11 15:19:27.000000000 -0500
33552+++ linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.c 2011-11-16 18:39:07.000000000 -0500
33553@@ -4179,7 +4179,7 @@ bfa_itn_create(struct bfa_s *bfa, struct
33554 void (*isr)(struct bfa_s *bfa, struct bfi_msg_s *m))
33555 {
33556 struct bfa_fcp_mod_s *fcp = BFA_FCP_MOD(bfa);
33557- struct bfa_itn_s *itn;
33558+ bfa_itn_s_no_const *itn;
33559
33560 itn = BFA_ITN_FROM_TAG(fcp, rport->rport_tag);
33561 itn->isr = isr;
33562diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.h linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.h
33563--- linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.h 2011-11-11 15:19:27.000000000 -0500
33564+++ linux-3.1.1/drivers/scsi/bfa/bfa_fcpim.h 2011-11-16 18:39:07.000000000 -0500
33565@@ -37,6 +37,7 @@ struct bfa_iotag_s {
33566 struct bfa_itn_s {
33567 bfa_isr_func_t isr;
33568 };
33569+typedef struct bfa_itn_s __no_const bfa_itn_s_no_const;
33570
33571 void bfa_itn_create(struct bfa_s *bfa, struct bfa_rport_s *rport,
33572 void (*isr)(struct bfa_s *bfa, struct bfi_msg_s *m));
33573@@ -149,7 +150,7 @@ struct bfa_fcp_mod_s {
33574 struct list_head iotag_tio_free_q; /* free IO resources */
33575 struct list_head iotag_unused_q; /* unused IO resources*/
33576 struct bfa_iotag_s *iotag_arr;
33577- struct bfa_itn_s *itn_arr;
33578+ bfa_itn_s_no_const *itn_arr;
33579 int num_ioim_reqs;
33580 int num_fwtio_reqs;
33581 int num_itns;
33582diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa_fcs_lport.c linux-3.1.1/drivers/scsi/bfa/bfa_fcs_lport.c
33583--- linux-3.1.1/drivers/scsi/bfa/bfa_fcs_lport.c 2011-11-11 15:19:27.000000000 -0500
33584+++ linux-3.1.1/drivers/scsi/bfa/bfa_fcs_lport.c 2011-11-16 18:40:22.000000000 -0500
33585@@ -1700,6 +1700,8 @@ bfa_fcs_lport_fdmi_build_rhba_pyld(struc
33586 u16 len, count;
33587 u16 templen;
33588
33589+ pax_track_stack();
33590+
33591 /*
33592 * get hba attributes
33593 */
33594@@ -1977,6 +1979,8 @@ bfa_fcs_lport_fdmi_build_portattr_block(
33595 u8 count = 0;
33596 u16 templen;
33597
33598+ pax_track_stack();
33599+
33600 /*
33601 * get port attributes
33602 */
33603diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa_fcs_rport.c linux-3.1.1/drivers/scsi/bfa/bfa_fcs_rport.c
33604--- linux-3.1.1/drivers/scsi/bfa/bfa_fcs_rport.c 2011-11-11 15:19:27.000000000 -0500
33605+++ linux-3.1.1/drivers/scsi/bfa/bfa_fcs_rport.c 2011-11-16 18:40:22.000000000 -0500
33606@@ -1871,6 +1871,8 @@ bfa_fcs_rport_process_rpsc(struct bfa_fc
33607 struct fc_rpsc_speed_info_s speeds;
33608 struct bfa_port_attr_s pport_attr;
33609
33610+ pax_track_stack();
33611+
33612 bfa_trc(port->fcs, rx_fchs->s_id);
33613 bfa_trc(port->fcs, rx_fchs->d_id);
33614
33615diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa.h linux-3.1.1/drivers/scsi/bfa/bfa.h
33616--- linux-3.1.1/drivers/scsi/bfa/bfa.h 2011-11-11 15:19:27.000000000 -0500
33617+++ linux-3.1.1/drivers/scsi/bfa/bfa.h 2011-11-16 18:39:07.000000000 -0500
33618@@ -196,7 +196,7 @@ struct bfa_hwif_s {
33619 u32 *end);
33620 int cpe_vec_q0;
33621 int rme_vec_q0;
33622-};
33623+} __no_const;
33624 typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
33625
33626 struct bfa_faa_cbfn_s {
33627diff -urNp linux-3.1.1/drivers/scsi/bfa/bfa_ioc.h linux-3.1.1/drivers/scsi/bfa/bfa_ioc.h
33628--- linux-3.1.1/drivers/scsi/bfa/bfa_ioc.h 2011-11-11 15:19:27.000000000 -0500
33629+++ linux-3.1.1/drivers/scsi/bfa/bfa_ioc.h 2011-11-16 18:39:07.000000000 -0500
33630@@ -258,7 +258,7 @@ struct bfa_ioc_cbfn_s {
33631 bfa_ioc_disable_cbfn_t disable_cbfn;
33632 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
33633 bfa_ioc_reset_cbfn_t reset_cbfn;
33634-};
33635+} __no_const;
33636
33637 /*
33638 * IOC event notification mechanism.
33639@@ -346,7 +346,7 @@ struct bfa_ioc_hwif_s {
33640 void (*ioc_sync_ack) (struct bfa_ioc_s *ioc);
33641 bfa_boolean_t (*ioc_sync_complete) (struct bfa_ioc_s *ioc);
33642 bfa_boolean_t (*ioc_lpu_read_stat) (struct bfa_ioc_s *ioc);
33643-};
33644+} __no_const;
33645
33646 /*
33647 * Queue element to wait for room in request queue. FIFO order is
33648diff -urNp linux-3.1.1/drivers/scsi/BusLogic.c linux-3.1.1/drivers/scsi/BusLogic.c
33649--- linux-3.1.1/drivers/scsi/BusLogic.c 2011-11-11 15:19:27.000000000 -0500
33650+++ linux-3.1.1/drivers/scsi/BusLogic.c 2011-11-16 18:40:22.000000000 -0500
33651@@ -962,6 +962,8 @@ static int __init BusLogic_InitializeFla
33652 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
33653 *PrototypeHostAdapter)
33654 {
33655+ pax_track_stack();
33656+
33657 /*
33658 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
33659 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
33660diff -urNp linux-3.1.1/drivers/scsi/dpt_i2o.c linux-3.1.1/drivers/scsi/dpt_i2o.c
33661--- linux-3.1.1/drivers/scsi/dpt_i2o.c 2011-11-11 15:19:27.000000000 -0500
33662+++ linux-3.1.1/drivers/scsi/dpt_i2o.c 2011-11-16 18:40:22.000000000 -0500
33663@@ -1811,6 +1811,8 @@ static int adpt_i2o_passthru(adpt_hba* p
33664 dma_addr_t addr;
33665 ulong flags = 0;
33666
33667+ pax_track_stack();
33668+
33669 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
33670 // get user msg size in u32s
33671 if(get_user(size, &user_msg[0])){
33672@@ -2317,6 +2319,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
33673 s32 rcode;
33674 dma_addr_t addr;
33675
33676+ pax_track_stack();
33677+
33678 memset(msg, 0 , sizeof(msg));
33679 len = scsi_bufflen(cmd);
33680 direction = 0x00000000;
33681diff -urNp linux-3.1.1/drivers/scsi/eata.c linux-3.1.1/drivers/scsi/eata.c
33682--- linux-3.1.1/drivers/scsi/eata.c 2011-11-11 15:19:27.000000000 -0500
33683+++ linux-3.1.1/drivers/scsi/eata.c 2011-11-16 18:40:22.000000000 -0500
33684@@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
33685 struct hostdata *ha;
33686 char name[16];
33687
33688+ pax_track_stack();
33689+
33690 sprintf(name, "%s%d", driver_name, j);
33691
33692 if (!request_region(port_base, REGION_SIZE, driver_name)) {
33693diff -urNp linux-3.1.1/drivers/scsi/fcoe/fcoe_ctlr.c linux-3.1.1/drivers/scsi/fcoe/fcoe_ctlr.c
33694--- linux-3.1.1/drivers/scsi/fcoe/fcoe_ctlr.c 2011-11-11 15:19:27.000000000 -0500
33695+++ linux-3.1.1/drivers/scsi/fcoe/fcoe_ctlr.c 2011-11-16 18:40:22.000000000 -0500
33696@@ -2503,6 +2503,8 @@ static int fcoe_ctlr_vn_recv(struct fcoe
33697 } buf;
33698 int rc;
33699
33700+ pax_track_stack();
33701+
33702 fiph = (struct fip_header *)skb->data;
33703 sub = fiph->fip_subcode;
33704
33705diff -urNp linux-3.1.1/drivers/scsi/gdth.c linux-3.1.1/drivers/scsi/gdth.c
33706--- linux-3.1.1/drivers/scsi/gdth.c 2011-11-11 15:19:27.000000000 -0500
33707+++ linux-3.1.1/drivers/scsi/gdth.c 2011-11-16 18:40:22.000000000 -0500
33708@@ -4107,6 +4107,8 @@ static int ioc_lockdrv(void __user *arg)
33709 unsigned long flags;
33710 gdth_ha_str *ha;
33711
33712+ pax_track_stack();
33713+
33714 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
33715 return -EFAULT;
33716 ha = gdth_find_ha(ldrv.ionode);
33717@@ -4139,6 +4141,8 @@ static int ioc_resetdrv(void __user *arg
33718 gdth_ha_str *ha;
33719 int rval;
33720
33721+ pax_track_stack();
33722+
33723 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
33724 res.number >= MAX_HDRIVES)
33725 return -EFAULT;
33726@@ -4174,6 +4178,8 @@ static int ioc_general(void __user *arg,
33727 gdth_ha_str *ha;
33728 int rval;
33729
33730+ pax_track_stack();
33731+
33732 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
33733 return -EFAULT;
33734 ha = gdth_find_ha(gen.ionode);
33735@@ -4642,6 +4648,9 @@ static void gdth_flush(gdth_ha_str *ha)
33736 int i;
33737 gdth_cmd_str gdtcmd;
33738 char cmnd[MAX_COMMAND_SIZE];
33739+
33740+ pax_track_stack();
33741+
33742 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
33743
33744 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
33745diff -urNp linux-3.1.1/drivers/scsi/gdth_proc.c linux-3.1.1/drivers/scsi/gdth_proc.c
33746--- linux-3.1.1/drivers/scsi/gdth_proc.c 2011-11-11 15:19:27.000000000 -0500
33747+++ linux-3.1.1/drivers/scsi/gdth_proc.c 2011-11-16 18:40:22.000000000 -0500
33748@@ -47,6 +47,9 @@ static int gdth_set_asc_info(struct Scsi
33749 u64 paddr;
33750
33751 char cmnd[MAX_COMMAND_SIZE];
33752+
33753+ pax_track_stack();
33754+
33755 memset(cmnd, 0xff, 12);
33756 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
33757
33758@@ -175,6 +178,8 @@ static int gdth_get_info(char *buffer,ch
33759 gdth_hget_str *phg;
33760 char cmnd[MAX_COMMAND_SIZE];
33761
33762+ pax_track_stack();
33763+
33764 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
33765 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
33766 if (!gdtcmd || !estr)
33767diff -urNp linux-3.1.1/drivers/scsi/hosts.c linux-3.1.1/drivers/scsi/hosts.c
33768--- linux-3.1.1/drivers/scsi/hosts.c 2011-11-11 15:19:27.000000000 -0500
33769+++ linux-3.1.1/drivers/scsi/hosts.c 2011-11-16 18:39:07.000000000 -0500
33770@@ -42,7 +42,7 @@
33771 #include "scsi_logging.h"
33772
33773
33774-static atomic_t scsi_host_next_hn; /* host_no for next new host */
33775+static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
33776
33777
33778 static void scsi_host_cls_release(struct device *dev)
33779@@ -357,7 +357,7 @@ struct Scsi_Host *scsi_host_alloc(struct
33780 * subtract one because we increment first then return, but we need to
33781 * know what the next host number was before increment
33782 */
33783- shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
33784+ shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
33785 shost->dma_channel = 0xff;
33786
33787 /* These three are default values which can be overridden */
33788diff -urNp linux-3.1.1/drivers/scsi/hpsa.c linux-3.1.1/drivers/scsi/hpsa.c
33789--- linux-3.1.1/drivers/scsi/hpsa.c 2011-11-11 15:19:27.000000000 -0500
33790+++ linux-3.1.1/drivers/scsi/hpsa.c 2011-11-16 18:39:07.000000000 -0500
33791@@ -498,7 +498,7 @@ static inline u32 next_command(struct ct
33792 u32 a;
33793
33794 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
33795- return h->access.command_completed(h);
33796+ return h->access->command_completed(h);
33797
33798 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
33799 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
33800@@ -2955,7 +2955,7 @@ static void start_io(struct ctlr_info *h
33801 while (!list_empty(&h->reqQ)) {
33802 c = list_entry(h->reqQ.next, struct CommandList, list);
33803 /* can't do anything if fifo is full */
33804- if ((h->access.fifo_full(h))) {
33805+ if ((h->access->fifo_full(h))) {
33806 dev_warn(&h->pdev->dev, "fifo full\n");
33807 break;
33808 }
33809@@ -2965,7 +2965,7 @@ static void start_io(struct ctlr_info *h
33810 h->Qdepth--;
33811
33812 /* Tell the controller execute command */
33813- h->access.submit_command(h, c);
33814+ h->access->submit_command(h, c);
33815
33816 /* Put job onto the completed Q */
33817 addQ(&h->cmpQ, c);
33818@@ -2974,17 +2974,17 @@ static void start_io(struct ctlr_info *h
33819
33820 static inline unsigned long get_next_completion(struct ctlr_info *h)
33821 {
33822- return h->access.command_completed(h);
33823+ return h->access->command_completed(h);
33824 }
33825
33826 static inline bool interrupt_pending(struct ctlr_info *h)
33827 {
33828- return h->access.intr_pending(h);
33829+ return h->access->intr_pending(h);
33830 }
33831
33832 static inline long interrupt_not_for_us(struct ctlr_info *h)
33833 {
33834- return (h->access.intr_pending(h) == 0) ||
33835+ return (h->access->intr_pending(h) == 0) ||
33836 (h->interrupts_enabled == 0);
33837 }
33838
33839@@ -3881,7 +3881,7 @@ static int __devinit hpsa_pci_init(struc
33840 if (prod_index < 0)
33841 return -ENODEV;
33842 h->product_name = products[prod_index].product_name;
33843- h->access = *(products[prod_index].access);
33844+ h->access = products[prod_index].access;
33845
33846 if (hpsa_board_disabled(h->pdev)) {
33847 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
33848@@ -4158,7 +4158,7 @@ reinit_after_soft_reset:
33849 }
33850
33851 /* make sure the board interrupts are off */
33852- h->access.set_intr_mask(h, HPSA_INTR_OFF);
33853+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
33854
33855 if (hpsa_request_irq(h, do_hpsa_intr_msi, do_hpsa_intr_intx))
33856 goto clean2;
33857@@ -4192,7 +4192,7 @@ reinit_after_soft_reset:
33858 * fake ones to scoop up any residual completions.
33859 */
33860 spin_lock_irqsave(&h->lock, flags);
33861- h->access.set_intr_mask(h, HPSA_INTR_OFF);
33862+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
33863 spin_unlock_irqrestore(&h->lock, flags);
33864 free_irq(h->intr[h->intr_mode], h);
33865 rc = hpsa_request_irq(h, hpsa_msix_discard_completions,
33866@@ -4211,9 +4211,9 @@ reinit_after_soft_reset:
33867 dev_info(&h->pdev->dev, "Board READY.\n");
33868 dev_info(&h->pdev->dev,
33869 "Waiting for stale completions to drain.\n");
33870- h->access.set_intr_mask(h, HPSA_INTR_ON);
33871+ h->access->set_intr_mask(h, HPSA_INTR_ON);
33872 msleep(10000);
33873- h->access.set_intr_mask(h, HPSA_INTR_OFF);
33874+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
33875
33876 rc = controller_reset_failed(h->cfgtable);
33877 if (rc)
33878@@ -4234,7 +4234,7 @@ reinit_after_soft_reset:
33879 }
33880
33881 /* Turn the interrupts on so we can service requests */
33882- h->access.set_intr_mask(h, HPSA_INTR_ON);
33883+ h->access->set_intr_mask(h, HPSA_INTR_ON);
33884
33885 hpsa_hba_inquiry(h);
33886 hpsa_register_scsi(h); /* hook ourselves into SCSI subsystem */
33887@@ -4287,7 +4287,7 @@ static void hpsa_shutdown(struct pci_dev
33888 * To write all data in the battery backed cache to disks
33889 */
33890 hpsa_flush_cache(h);
33891- h->access.set_intr_mask(h, HPSA_INTR_OFF);
33892+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
33893 free_irq(h->intr[h->intr_mode], h);
33894 #ifdef CONFIG_PCI_MSI
33895 if (h->msix_vector)
33896@@ -4450,7 +4450,7 @@ static __devinit void hpsa_enter_perform
33897 return;
33898 }
33899 /* Change the access methods to the performant access methods */
33900- h->access = SA5_performant_access;
33901+ h->access = &SA5_performant_access;
33902 h->transMethod = CFGTBL_Trans_Performant;
33903 }
33904
33905diff -urNp linux-3.1.1/drivers/scsi/hpsa.h linux-3.1.1/drivers/scsi/hpsa.h
33906--- linux-3.1.1/drivers/scsi/hpsa.h 2011-11-11 15:19:27.000000000 -0500
33907+++ linux-3.1.1/drivers/scsi/hpsa.h 2011-11-16 18:39:07.000000000 -0500
33908@@ -73,7 +73,7 @@ struct ctlr_info {
33909 unsigned int msix_vector;
33910 unsigned int msi_vector;
33911 int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
33912- struct access_method access;
33913+ struct access_method *access;
33914
33915 /* queue and queue Info */
33916 struct list_head reqQ;
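Review bot: `struct access_method *access` on the added line is a non-const pointer, although every use in the hpsa.c hunks only calls through it and both assignments point it at `products[prod_index].access` or `&SA5_performant_access`. Declaring it `const struct access_method *access;` would state that the driver never mutates the shared method table and lets the compiler reject an accidental write. If those target objects are const-qualified (the ops-struct constification elsewhere in this patch suggests they may be), the const pointer also avoids discarding qualifiers at the assignment sites.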
33917diff -urNp linux-3.1.1/drivers/scsi/ips.h linux-3.1.1/drivers/scsi/ips.h
33918--- linux-3.1.1/drivers/scsi/ips.h 2011-11-11 15:19:27.000000000 -0500
33919+++ linux-3.1.1/drivers/scsi/ips.h 2011-11-16 18:39:07.000000000 -0500
33920@@ -1027,7 +1027,7 @@ typedef struct {
33921 int (*intr)(struct ips_ha *);
33922 void (*enableint)(struct ips_ha *);
33923 uint32_t (*statupd)(struct ips_ha *);
33924-} ips_hw_func_t;
33925+} __no_const ips_hw_func_t;
33926
33927 typedef struct ips_ha {
33928 uint8_t ha_id[IPS_MAX_CHANNELS+1];
33929diff -urNp linux-3.1.1/drivers/scsi/libfc/fc_exch.c linux-3.1.1/drivers/scsi/libfc/fc_exch.c
33930--- linux-3.1.1/drivers/scsi/libfc/fc_exch.c 2011-11-11 15:19:27.000000000 -0500
33931+++ linux-3.1.1/drivers/scsi/libfc/fc_exch.c 2011-11-16 18:39:07.000000000 -0500
33932@@ -105,12 +105,12 @@ struct fc_exch_mgr {
33933 * all together if not used XXX
33934 */
33935 struct {
33936- atomic_t no_free_exch;
33937- atomic_t no_free_exch_xid;
33938- atomic_t xid_not_found;
33939- atomic_t xid_busy;
33940- atomic_t seq_not_found;
33941- atomic_t non_bls_resp;
33942+ atomic_unchecked_t no_free_exch;
33943+ atomic_unchecked_t no_free_exch_xid;
33944+ atomic_unchecked_t xid_not_found;
33945+ atomic_unchecked_t xid_busy;
33946+ atomic_unchecked_t seq_not_found;
33947+ atomic_unchecked_t non_bls_resp;
33948 } stats;
33949 };
33950
33951@@ -718,7 +718,7 @@ static struct fc_exch *fc_exch_em_alloc(
33952 /* allocate memory for exchange */
33953 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
33954 if (!ep) {
33955- atomic_inc(&mp->stats.no_free_exch);
33956+ atomic_inc_unchecked(&mp->stats.no_free_exch);
33957 goto out;
33958 }
33959 memset(ep, 0, sizeof(*ep));
33960@@ -779,7 +779,7 @@ out:
33961 return ep;
33962 err:
33963 spin_unlock_bh(&pool->lock);
33964- atomic_inc(&mp->stats.no_free_exch_xid);
33965+ atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
33966 mempool_free(ep, mp->ep_pool);
33967 return NULL;
33968 }
33969@@ -922,7 +922,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33970 xid = ntohs(fh->fh_ox_id); /* we originated exch */
33971 ep = fc_exch_find(mp, xid);
33972 if (!ep) {
33973- atomic_inc(&mp->stats.xid_not_found);
33974+ atomic_inc_unchecked(&mp->stats.xid_not_found);
33975 reject = FC_RJT_OX_ID;
33976 goto out;
33977 }
33978@@ -952,7 +952,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33979 ep = fc_exch_find(mp, xid);
33980 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
33981 if (ep) {
33982- atomic_inc(&mp->stats.xid_busy);
33983+ atomic_inc_unchecked(&mp->stats.xid_busy);
33984 reject = FC_RJT_RX_ID;
33985 goto rel;
33986 }
33987@@ -963,7 +963,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33988 }
33989 xid = ep->xid; /* get our XID */
33990 } else if (!ep) {
33991- atomic_inc(&mp->stats.xid_not_found);
33992+ atomic_inc_unchecked(&mp->stats.xid_not_found);
33993 reject = FC_RJT_RX_ID; /* XID not found */
33994 goto out;
33995 }
33996@@ -980,7 +980,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33997 } else {
33998 sp = &ep->seq;
33999 if (sp->id != fh->fh_seq_id) {
34000- atomic_inc(&mp->stats.seq_not_found);
34001+ atomic_inc_unchecked(&mp->stats.seq_not_found);
34002 if (f_ctl & FC_FC_END_SEQ) {
34003 /*
34004 * Update sequence_id based on incoming last
34005@@ -1430,22 +1430,22 @@ static void fc_exch_recv_seq_resp(struct
34006
34007 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
34008 if (!ep) {
34009- atomic_inc(&mp->stats.xid_not_found);
34010+ atomic_inc_unchecked(&mp->stats.xid_not_found);
34011 goto out;
34012 }
34013 if (ep->esb_stat & ESB_ST_COMPLETE) {
34014- atomic_inc(&mp->stats.xid_not_found);
34015+ atomic_inc_unchecked(&mp->stats.xid_not_found);
34016 goto rel;
34017 }
34018 if (ep->rxid == FC_XID_UNKNOWN)
34019 ep->rxid = ntohs(fh->fh_rx_id);
34020 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
34021- atomic_inc(&mp->stats.xid_not_found);
34022+ atomic_inc_unchecked(&mp->stats.xid_not_found);
34023 goto rel;
34024 }
34025 if (ep->did != ntoh24(fh->fh_s_id) &&
34026 ep->did != FC_FID_FLOGI) {
34027- atomic_inc(&mp->stats.xid_not_found);
34028+ atomic_inc_unchecked(&mp->stats.xid_not_found);
34029 goto rel;
34030 }
34031 sof = fr_sof(fp);
34032@@ -1454,7 +1454,7 @@ static void fc_exch_recv_seq_resp(struct
34033 sp->ssb_stat |= SSB_ST_RESP;
34034 sp->id = fh->fh_seq_id;
34035 } else if (sp->id != fh->fh_seq_id) {
34036- atomic_inc(&mp->stats.seq_not_found);
34037+ atomic_inc_unchecked(&mp->stats.seq_not_found);
34038 goto rel;
34039 }
34040
34041@@ -1518,9 +1518,9 @@ static void fc_exch_recv_resp(struct fc_
34042 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
34043
34044 if (!sp)
34045- atomic_inc(&mp->stats.xid_not_found);
34046+ atomic_inc_unchecked(&mp->stats.xid_not_found);
34047 else
34048- atomic_inc(&mp->stats.non_bls_resp);
34049+ atomic_inc_unchecked(&mp->stats.non_bls_resp);
34050
34051 fc_frame_free(fp);
34052 }
34053diff -urNp linux-3.1.1/drivers/scsi/libsas/sas_ata.c linux-3.1.1/drivers/scsi/libsas/sas_ata.c
34054--- linux-3.1.1/drivers/scsi/libsas/sas_ata.c 2011-11-11 15:19:27.000000000 -0500
34055+++ linux-3.1.1/drivers/scsi/libsas/sas_ata.c 2011-11-16 18:39:07.000000000 -0500
34056@@ -368,7 +368,7 @@ static struct ata_port_operations sas_sa
34057 .postreset = ata_std_postreset,
34058 .error_handler = ata_std_error_handler,
34059 .post_internal_cmd = sas_ata_post_internal,
34060- .qc_defer = ata_std_qc_defer,
34061+ .qc_defer = ata_std_qc_defer,
34062 .qc_prep = ata_noop_qc_prep,
34063 .qc_issue = sas_ata_qc_issue,
34064 .qc_fill_rtf = sas_ata_qc_fill_rtf,
34065diff -urNp linux-3.1.1/drivers/scsi/lpfc/lpfc_debugfs.c linux-3.1.1/drivers/scsi/lpfc/lpfc_debugfs.c
34066--- linux-3.1.1/drivers/scsi/lpfc/lpfc_debugfs.c 2011-11-11 15:19:27.000000000 -0500
34067+++ linux-3.1.1/drivers/scsi/lpfc/lpfc_debugfs.c 2011-11-16 18:40:22.000000000 -0500
34068@@ -105,7 +105,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_
34069
34070 #include <linux/debugfs.h>
34071
34072-static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
34073+static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
34074 static unsigned long lpfc_debugfs_start_time = 0L;
34075
34076 /* iDiag */
34077@@ -146,7 +146,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
34078 lpfc_debugfs_enable = 0;
34079
34080 len = 0;
34081- index = (atomic_read(&vport->disc_trc_cnt) + 1) &
34082+ index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
34083 (lpfc_debugfs_max_disc_trc - 1);
34084 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
34085 dtp = vport->disc_trc + i;
34086@@ -212,7 +212,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
34087 lpfc_debugfs_enable = 0;
34088
34089 len = 0;
34090- index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
34091+ index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
34092 (lpfc_debugfs_max_slow_ring_trc - 1);
34093 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
34094 dtp = phba->slow_ring_trc + i;
34095@@ -635,14 +635,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
34096 !vport || !vport->disc_trc)
34097 return;
34098
34099- index = atomic_inc_return(&vport->disc_trc_cnt) &
34100+ index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
34101 (lpfc_debugfs_max_disc_trc - 1);
34102 dtp = vport->disc_trc + index;
34103 dtp->fmt = fmt;
34104 dtp->data1 = data1;
34105 dtp->data2 = data2;
34106 dtp->data3 = data3;
34107- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
34108+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
34109 dtp->jif = jiffies;
34110 #endif
34111 return;
34112@@ -673,14 +673,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
34113 !phba || !phba->slow_ring_trc)
34114 return;
34115
34116- index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
34117+ index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
34118 (lpfc_debugfs_max_slow_ring_trc - 1);
34119 dtp = phba->slow_ring_trc + index;
34120 dtp->fmt = fmt;
34121 dtp->data1 = data1;
34122 dtp->data2 = data2;
34123 dtp->data3 = data3;
34124- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
34125+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
34126 dtp->jif = jiffies;
34127 #endif
34128 return;
34129@@ -3828,7 +3828,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
34130 "slow_ring buffer\n");
34131 goto debug_failed;
34132 }
34133- atomic_set(&phba->slow_ring_trc_cnt, 0);
34134+ atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
34135 memset(phba->slow_ring_trc, 0,
34136 (sizeof(struct lpfc_debugfs_trc) *
34137 lpfc_debugfs_max_slow_ring_trc));
34138@@ -3874,7 +3874,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
34139 "buffer\n");
34140 goto debug_failed;
34141 }
34142- atomic_set(&vport->disc_trc_cnt, 0);
34143+ atomic_set_unchecked(&vport->disc_trc_cnt, 0);
34144
34145 snprintf(name, sizeof(name), "discovery_trace");
34146 vport->debug_disc_trc =
34147diff -urNp linux-3.1.1/drivers/scsi/lpfc/lpfc.h linux-3.1.1/drivers/scsi/lpfc/lpfc.h
34148--- linux-3.1.1/drivers/scsi/lpfc/lpfc.h 2011-11-11 15:19:27.000000000 -0500
34149+++ linux-3.1.1/drivers/scsi/lpfc/lpfc.h 2011-11-16 18:39:07.000000000 -0500
34150@@ -425,7 +425,7 @@ struct lpfc_vport {
34151 struct dentry *debug_nodelist;
34152 struct dentry *vport_debugfs_root;
34153 struct lpfc_debugfs_trc *disc_trc;
34154- atomic_t disc_trc_cnt;
34155+ atomic_unchecked_t disc_trc_cnt;
34156 #endif
34157 uint8_t stat_data_enabled;
34158 uint8_t stat_data_blocked;
34159@@ -835,8 +835,8 @@ struct lpfc_hba {
34160 struct timer_list fabric_block_timer;
34161 unsigned long bit_flags;
34162 #define FABRIC_COMANDS_BLOCKED 0
34163- atomic_t num_rsrc_err;
34164- atomic_t num_cmd_success;
34165+ atomic_unchecked_t num_rsrc_err;
34166+ atomic_unchecked_t num_cmd_success;
34167 unsigned long last_rsrc_error_time;
34168 unsigned long last_ramp_down_time;
34169 unsigned long last_ramp_up_time;
34170@@ -850,7 +850,7 @@ struct lpfc_hba {
34171 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
34172 struct dentry *debug_slow_ring_trc;
34173 struct lpfc_debugfs_trc *slow_ring_trc;
34174- atomic_t slow_ring_trc_cnt;
34175+ atomic_unchecked_t slow_ring_trc_cnt;
34176 /* iDiag debugfs sub-directory */
34177 struct dentry *idiag_root;
34178 struct dentry *idiag_pci_cfg;
34179diff -urNp linux-3.1.1/drivers/scsi/lpfc/lpfc_init.c linux-3.1.1/drivers/scsi/lpfc/lpfc_init.c
34180--- linux-3.1.1/drivers/scsi/lpfc/lpfc_init.c 2011-11-11 15:19:27.000000000 -0500
34181+++ linux-3.1.1/drivers/scsi/lpfc/lpfc_init.c 2011-11-16 18:39:07.000000000 -0500
34182@@ -9969,8 +9969,10 @@ lpfc_init(void)
34183 printk(LPFC_COPYRIGHT "\n");
34184
34185 if (lpfc_enable_npiv) {
34186- lpfc_transport_functions.vport_create = lpfc_vport_create;
34187- lpfc_transport_functions.vport_delete = lpfc_vport_delete;
34188+ pax_open_kernel();
34189+ *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
34190+ *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
34191+ pax_close_kernel();
34192 }
34193 lpfc_transport_template =
34194 fc_attach_transport(&lpfc_transport_functions);
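Review bot: The `*(void **)&lpfc_transport_functions.vport_create` stores and the pax_open_kernel()/pax_close_kernel() pair around them carry no comment saying why plain assignments no longer work, so a reader sees an unexplained cast that strips qualifiers from a file-scope struct. Presumably lpfc_transport_functions is constified elsewhere in this patch (its definition is not in the hunk); a one-line comment such as `/* lpfc_transport_functions is read-only after init; open the write window only for these two stores */` would record that and justify keeping the window this small. lpfc_init starts and ends outside the hunk.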
34195diff -urNp linux-3.1.1/drivers/scsi/lpfc/lpfc_scsi.c linux-3.1.1/drivers/scsi/lpfc/lpfc_scsi.c
34196--- linux-3.1.1/drivers/scsi/lpfc/lpfc_scsi.c 2011-11-11 15:19:27.000000000 -0500
34197+++ linux-3.1.1/drivers/scsi/lpfc/lpfc_scsi.c 2011-11-16 18:39:07.000000000 -0500
34198@@ -297,7 +297,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
34199 uint32_t evt_posted;
34200
34201 spin_lock_irqsave(&phba->hbalock, flags);
34202- atomic_inc(&phba->num_rsrc_err);
34203+ atomic_inc_unchecked(&phba->num_rsrc_err);
34204 phba->last_rsrc_error_time = jiffies;
34205
34206 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
34207@@ -338,7 +338,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
34208 unsigned long flags;
34209 struct lpfc_hba *phba = vport->phba;
34210 uint32_t evt_posted;
34211- atomic_inc(&phba->num_cmd_success);
34212+ atomic_inc_unchecked(&phba->num_cmd_success);
34213
34214 if (vport->cfg_lun_queue_depth <= queue_depth)
34215 return;
34216@@ -382,8 +382,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
34217 unsigned long num_rsrc_err, num_cmd_success;
34218 int i;
34219
34220- num_rsrc_err = atomic_read(&phba->num_rsrc_err);
34221- num_cmd_success = atomic_read(&phba->num_cmd_success);
34222+ num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
34223+ num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
34224
34225 vports = lpfc_create_vport_work_array(phba);
34226 if (vports != NULL)
34227@@ -403,8 +403,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
34228 }
34229 }
34230 lpfc_destroy_vport_work_array(phba, vports);
34231- atomic_set(&phba->num_rsrc_err, 0);
34232- atomic_set(&phba->num_cmd_success, 0);
34233+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
34234+ atomic_set_unchecked(&phba->num_cmd_success, 0);
34235 }
34236
34237 /**
34238@@ -438,8 +438,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
34239 }
34240 }
34241 lpfc_destroy_vport_work_array(phba, vports);
34242- atomic_set(&phba->num_rsrc_err, 0);
34243- atomic_set(&phba->num_cmd_success, 0);
34244+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
34245+ atomic_set_unchecked(&phba->num_cmd_success, 0);
34246 }
34247
34248 /**
34249diff -urNp linux-3.1.1/drivers/scsi/megaraid/megaraid_mbox.c linux-3.1.1/drivers/scsi/megaraid/megaraid_mbox.c
34250--- linux-3.1.1/drivers/scsi/megaraid/megaraid_mbox.c 2011-11-11 15:19:27.000000000 -0500
34251+++ linux-3.1.1/drivers/scsi/megaraid/megaraid_mbox.c 2011-11-16 18:40:22.000000000 -0500
34252@@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
34253 int rval;
34254 int i;
34255
34256+ pax_track_stack();
34257+
34258 // Allocate memory for the base list of scb for management module.
34259 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
34260
34261diff -urNp linux-3.1.1/drivers/scsi/osd/osd_initiator.c linux-3.1.1/drivers/scsi/osd/osd_initiator.c
34262--- linux-3.1.1/drivers/scsi/osd/osd_initiator.c 2011-11-11 15:19:27.000000000 -0500
34263+++ linux-3.1.1/drivers/scsi/osd/osd_initiator.c 2011-11-16 18:40:22.000000000 -0500
34264@@ -97,6 +97,8 @@ static int _osd_get_print_system_info(st
34265 int nelem = ARRAY_SIZE(get_attrs), a = 0;
34266 int ret;
34267
34268+ pax_track_stack();
34269+
34270 or = osd_start_request(od, GFP_KERNEL);
34271 if (!or)
34272 return -ENOMEM;
34273diff -urNp linux-3.1.1/drivers/scsi/pmcraid.c linux-3.1.1/drivers/scsi/pmcraid.c
34274--- linux-3.1.1/drivers/scsi/pmcraid.c 2011-11-11 15:19:27.000000000 -0500
34275+++ linux-3.1.1/drivers/scsi/pmcraid.c 2011-11-16 18:39:07.000000000 -0500
34276@@ -201,8 +201,8 @@ static int pmcraid_slave_alloc(struct sc
34277 res->scsi_dev = scsi_dev;
34278 scsi_dev->hostdata = res;
34279 res->change_detected = 0;
34280- atomic_set(&res->read_failures, 0);
34281- atomic_set(&res->write_failures, 0);
34282+ atomic_set_unchecked(&res->read_failures, 0);
34283+ atomic_set_unchecked(&res->write_failures, 0);
34284 rc = 0;
34285 }
34286 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
34287@@ -2677,9 +2677,9 @@ static int pmcraid_error_handler(struct
34288
34289 /* If this was a SCSI read/write command keep count of errors */
34290 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
34291- atomic_inc(&res->read_failures);
34292+ atomic_inc_unchecked(&res->read_failures);
34293 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
34294- atomic_inc(&res->write_failures);
34295+ atomic_inc_unchecked(&res->write_failures);
34296
34297 if (!RES_IS_GSCSI(res->cfg_entry) &&
34298 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
34299@@ -3535,7 +3535,7 @@ static int pmcraid_queuecommand_lck(
34300 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
34301 * hrrq_id assigned here in queuecommand
34302 */
34303- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
34304+ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
34305 pinstance->num_hrrq;
34306 cmd->cmd_done = pmcraid_io_done;
34307
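Review bot: `atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq` produces a negative remainder once the int counter wraps past INT_MAX, and choosing the unchecked variant here declares that wraparound expected rather than a fault; if hrrq_id is an unsigned field (its declaration is not in the hunk) the negative value is stored as an index far above num_hrrq. Converting before the modulo keeps the result in range: `ioarcb->hrrq_id = (unsigned int)atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq;`. The @@ -3860 hunk in pmcraid_ioctl_passthrough has the identical expression and needs the same change. pmcraid_queuecommand_lck starts and ends outside the hunk.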
34308@@ -3860,7 +3860,7 @@ static long pmcraid_ioctl_passthrough(
34309 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
34310 * hrrq_id assigned here in queuecommand
34311 */
34312- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
34313+ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
34314 pinstance->num_hrrq;
34315
34316 if (request_size) {
34317@@ -4498,7 +4498,7 @@ static void pmcraid_worker_function(stru
34318
34319 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
34320 /* add resources only after host is added into system */
34321- if (!atomic_read(&pinstance->expose_resources))
34322+ if (!atomic_read_unchecked(&pinstance->expose_resources))
34323 return;
34324
34325 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
34326@@ -5332,8 +5332,8 @@ static int __devinit pmcraid_init_instan
34327 init_waitqueue_head(&pinstance->reset_wait_q);
34328
34329 atomic_set(&pinstance->outstanding_cmds, 0);
34330- atomic_set(&pinstance->last_message_id, 0);
34331- atomic_set(&pinstance->expose_resources, 0);
34332+ atomic_set_unchecked(&pinstance->last_message_id, 0);
34333+ atomic_set_unchecked(&pinstance->expose_resources, 0);
34334
34335 INIT_LIST_HEAD(&pinstance->free_res_q);
34336 INIT_LIST_HEAD(&pinstance->used_res_q);
34337@@ -6048,7 +6048,7 @@ static int __devinit pmcraid_probe(
34338 /* Schedule worker thread to handle CCN and take care of adding and
34339 * removing devices to OS
34340 */
34341- atomic_set(&pinstance->expose_resources, 1);
34342+ atomic_set_unchecked(&pinstance->expose_resources, 1);
34343 schedule_work(&pinstance->worker_q);
34344 return rc;
34345
34346diff -urNp linux-3.1.1/drivers/scsi/pmcraid.h linux-3.1.1/drivers/scsi/pmcraid.h
34347--- linux-3.1.1/drivers/scsi/pmcraid.h 2011-11-11 15:19:27.000000000 -0500
34348+++ linux-3.1.1/drivers/scsi/pmcraid.h 2011-11-16 18:39:07.000000000 -0500
34349@@ -749,7 +749,7 @@ struct pmcraid_instance {
34350 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
34351
34352 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
34353- atomic_t last_message_id;
34354+ atomic_unchecked_t last_message_id;
34355
34356 /* configuration table */
34357 struct pmcraid_config_table *cfg_table;
34358@@ -778,7 +778,7 @@ struct pmcraid_instance {
34359 atomic_t outstanding_cmds;
34360
34361 /* should add/delete resources to mid-layer now ?*/
34362- atomic_t expose_resources;
34363+ atomic_unchecked_t expose_resources;
34364
34365
34366
34367@@ -814,8 +814,8 @@ struct pmcraid_resource_entry {
34368 struct pmcraid_config_table_entry_ext cfg_entry_ext;
34369 };
34370 struct scsi_device *scsi_dev; /* Link scsi_device structure */
34371- atomic_t read_failures; /* count of failed READ commands */
34372- atomic_t write_failures; /* count of failed WRITE commands */
34373+ atomic_unchecked_t read_failures; /* count of failed READ commands */
34374+ atomic_unchecked_t write_failures; /* count of failed WRITE commands */
34375
34376 /* To indicate add/delete/modify during CCN */
34377 u8 change_detected;
34378diff -urNp linux-3.1.1/drivers/scsi/qla2xxx/qla_def.h linux-3.1.1/drivers/scsi/qla2xxx/qla_def.h
34379--- linux-3.1.1/drivers/scsi/qla2xxx/qla_def.h 2011-11-11 15:19:27.000000000 -0500
34380+++ linux-3.1.1/drivers/scsi/qla2xxx/qla_def.h 2011-11-16 18:39:07.000000000 -0500
34381@@ -2244,7 +2244,7 @@ struct isp_operations {
34382 int (*get_flash_version) (struct scsi_qla_host *, void *);
34383 int (*start_scsi) (srb_t *);
34384 int (*abort_isp) (struct scsi_qla_host *);
34385-};
34386+} __no_const;
34387
34388 /* MSI-X Support *************************************************************/
34389
34390diff -urNp linux-3.1.1/drivers/scsi/qla4xxx/ql4_def.h linux-3.1.1/drivers/scsi/qla4xxx/ql4_def.h
34391--- linux-3.1.1/drivers/scsi/qla4xxx/ql4_def.h 2011-11-11 15:19:27.000000000 -0500
34392+++ linux-3.1.1/drivers/scsi/qla4xxx/ql4_def.h 2011-11-16 18:39:07.000000000 -0500
34393@@ -256,7 +256,7 @@ struct ddb_entry {
34394 atomic_t retry_relogin_timer; /* Min Time between relogins
34395 * (4000 only) */
34396 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
34397- atomic_t relogin_retry_count; /* Num of times relogin has been
34398+ atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
34399 * retried */
34400
34401 uint16_t port;
34402diff -urNp linux-3.1.1/drivers/scsi/qla4xxx/ql4_init.c linux-3.1.1/drivers/scsi/qla4xxx/ql4_init.c
34403--- linux-3.1.1/drivers/scsi/qla4xxx/ql4_init.c 2011-11-11 15:19:27.000000000 -0500
34404+++ linux-3.1.1/drivers/scsi/qla4xxx/ql4_init.c 2011-11-16 18:39:07.000000000 -0500
34405@@ -680,7 +680,7 @@ static struct ddb_entry * qla4xxx_alloc_
34406 ddb_entry->fw_ddb_index = fw_ddb_index;
34407 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
34408 atomic_set(&ddb_entry->relogin_timer, 0);
34409- atomic_set(&ddb_entry->relogin_retry_count, 0);
34410+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
34411 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
34412 list_add_tail(&ddb_entry->list, &ha->ddb_list);
34413 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
34414@@ -1433,7 +1433,7 @@ int qla4xxx_process_ddb_changed(struct s
34415 if ((ddb_entry->fw_ddb_device_state == DDB_DS_SESSION_ACTIVE) &&
34416 (atomic_read(&ddb_entry->state) != DDB_STATE_ONLINE)) {
34417 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
34418- atomic_set(&ddb_entry->relogin_retry_count, 0);
34419+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
34420 atomic_set(&ddb_entry->relogin_timer, 0);
34421 clear_bit(DF_RELOGIN, &ddb_entry->flags);
34422 iscsi_unblock_session(ddb_entry->sess);
34423diff -urNp linux-3.1.1/drivers/scsi/qla4xxx/ql4_os.c linux-3.1.1/drivers/scsi/qla4xxx/ql4_os.c
34424--- linux-3.1.1/drivers/scsi/qla4xxx/ql4_os.c 2011-11-11 15:19:27.000000000 -0500
34425+++ linux-3.1.1/drivers/scsi/qla4xxx/ql4_os.c 2011-11-16 18:39:07.000000000 -0500
34426@@ -811,13 +811,13 @@ static void qla4xxx_timer(struct scsi_ql
34427 ddb_entry->fw_ddb_device_state ==
34428 DDB_DS_SESSION_FAILED) {
34429 /* Reset retry relogin timer */
34430- atomic_inc(&ddb_entry->relogin_retry_count);
34431+ atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
34432 DEBUG2(printk("scsi%ld: ddb [%d] relogin"
34433 " timed out-retrying"
34434 " relogin (%d)\n",
34435 ha->host_no,
34436 ddb_entry->fw_ddb_index,
34437- atomic_read(&ddb_entry->
34438+ atomic_read_unchecked(&ddb_entry->
34439 relogin_retry_count))
34440 );
34441 start_dpc++;
34442diff -urNp linux-3.1.1/drivers/scsi/scsi.c linux-3.1.1/drivers/scsi/scsi.c
34443--- linux-3.1.1/drivers/scsi/scsi.c 2011-11-11 15:19:27.000000000 -0500
34444+++ linux-3.1.1/drivers/scsi/scsi.c 2011-11-16 18:39:07.000000000 -0500
34445@@ -655,7 +655,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
34446 unsigned long timeout;
34447 int rtn = 0;
34448
34449- atomic_inc(&cmd->device->iorequest_cnt);
34450+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
34451
34452 /* check if the device is still usable */
34453 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
34454diff -urNp linux-3.1.1/drivers/scsi/scsi_debug.c linux-3.1.1/drivers/scsi/scsi_debug.c
34455--- linux-3.1.1/drivers/scsi/scsi_debug.c 2011-11-11 15:19:27.000000000 -0500
34456+++ linux-3.1.1/drivers/scsi/scsi_debug.c 2011-11-16 18:40:22.000000000 -0500
34457@@ -1493,6 +1493,8 @@ static int resp_mode_select(struct scsi_
34458 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
34459 unsigned char *cmd = (unsigned char *)scp->cmnd;
34460
34461+ pax_track_stack();
34462+
34463 if ((errsts = check_readiness(scp, 1, devip)))
34464 return errsts;
34465 memset(arr, 0, sizeof(arr));
34466@@ -1590,6 +1592,8 @@ static int resp_log_sense(struct scsi_cm
34467 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
34468 unsigned char *cmd = (unsigned char *)scp->cmnd;
34469
34470+ pax_track_stack();
34471+
34472 if ((errsts = check_readiness(scp, 1, devip)))
34473 return errsts;
34474 memset(arr, 0, sizeof(arr));
34475diff -urNp linux-3.1.1/drivers/scsi/scsi_lib.c linux-3.1.1/drivers/scsi/scsi_lib.c
34476--- linux-3.1.1/drivers/scsi/scsi_lib.c 2011-11-11 15:19:27.000000000 -0500
34477+++ linux-3.1.1/drivers/scsi/scsi_lib.c 2011-11-16 18:39:07.000000000 -0500
34478@@ -1413,7 +1413,7 @@ static void scsi_kill_request(struct req
34479 shost = sdev->host;
34480 scsi_init_cmd_errh(cmd);
34481 cmd->result = DID_NO_CONNECT << 16;
34482- atomic_inc(&cmd->device->iorequest_cnt);
34483+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
34484
34485 /*
34486 * SCSI request completion path will do scsi_device_unbusy(),
34487@@ -1439,9 +1439,9 @@ static void scsi_softirq_done(struct req
34488
34489 INIT_LIST_HEAD(&cmd->eh_entry);
34490
34491- atomic_inc(&cmd->device->iodone_cnt);
34492+ atomic_inc_unchecked(&cmd->device->iodone_cnt);
34493 if (cmd->result)
34494- atomic_inc(&cmd->device->ioerr_cnt);
34495+ atomic_inc_unchecked(&cmd->device->ioerr_cnt);
34496
34497 disposition = scsi_decide_disposition(cmd);
34498 if (disposition != SUCCESS &&
34499diff -urNp linux-3.1.1/drivers/scsi/scsi_sysfs.c linux-3.1.1/drivers/scsi/scsi_sysfs.c
34500--- linux-3.1.1/drivers/scsi/scsi_sysfs.c 2011-11-11 15:19:27.000000000 -0500
34501+++ linux-3.1.1/drivers/scsi/scsi_sysfs.c 2011-11-16 18:39:07.000000000 -0500
34502@@ -622,7 +622,7 @@ show_iostat_##field(struct device *dev,
34503 char *buf) \
34504 { \
34505 struct scsi_device *sdev = to_scsi_device(dev); \
34506- unsigned long long count = atomic_read(&sdev->field); \
34507+ unsigned long long count = atomic_read_unchecked(&sdev->field); \
34508 return snprintf(buf, 20, "0x%llx\n", count); \
34509 } \
34510 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
34511diff -urNp linux-3.1.1/drivers/scsi/scsi_tgt_lib.c linux-3.1.1/drivers/scsi/scsi_tgt_lib.c
34512--- linux-3.1.1/drivers/scsi/scsi_tgt_lib.c 2011-11-11 15:19:27.000000000 -0500
34513+++ linux-3.1.1/drivers/scsi/scsi_tgt_lib.c 2011-11-16 18:39:07.000000000 -0500
34514@@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct sc
34515 int err;
34516
34517 dprintk("%lx %u\n", uaddr, len);
34518- err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
34519+ err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
34520 if (err) {
34521 /*
34522 * TODO: need to fixup sg_tablesize, max_segment_size,
34523diff -urNp linux-3.1.1/drivers/scsi/scsi_transport_fc.c linux-3.1.1/drivers/scsi/scsi_transport_fc.c
34524--- linux-3.1.1/drivers/scsi/scsi_transport_fc.c 2011-11-11 15:19:27.000000000 -0500
34525+++ linux-3.1.1/drivers/scsi/scsi_transport_fc.c 2011-11-16 18:39:07.000000000 -0500
34526@@ -484,7 +484,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_
34527 * Netlink Infrastructure
34528 */
34529
34530-static atomic_t fc_event_seq;
34531+static atomic_unchecked_t fc_event_seq;
34532
34533 /**
34534 * fc_get_event_number - Obtain the next sequential FC event number
34535@@ -497,7 +497,7 @@ static atomic_t fc_event_seq;
34536 u32
34537 fc_get_event_number(void)
34538 {
34539- return atomic_add_return(1, &fc_event_seq);
34540+ return atomic_add_return_unchecked(1, &fc_event_seq);
34541 }
34542 EXPORT_SYMBOL(fc_get_event_number);
34543
34544@@ -645,7 +645,7 @@ static __init int fc_transport_init(void
34545 {
34546 int error;
34547
34548- atomic_set(&fc_event_seq, 0);
34549+ atomic_set_unchecked(&fc_event_seq, 0);
34550
34551 error = transport_class_register(&fc_host_class);
34552 if (error)
34553@@ -835,7 +835,7 @@ static int fc_str_to_dev_loss(const char
34554 char *cp;
34555
34556 *val = simple_strtoul(buf, &cp, 0);
34557- if ((*cp && (*cp != '\n')) || (*val < 0))
34558+ if (*cp && (*cp != '\n'))
34559 return -EINVAL;
34560 /*
34561 * Check for overflow; dev_loss_tmo is u32
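Review bot: Dropping `(*val < 0)` is right, since simple_strtoul() stores an unsigned value and the test was always false, but the remaining validation still misses input that overflows unsigned long: simple_strtoul() ignores overflow and returns the wrapped result, so the u32 range check announced by the comment on the last line (its code is outside the hunk) only covers values between U32_MAX and ULONG_MAX. A single `kstrtou32(buf, 0, val)` (or kstrtoul(), depending on the type of val, which the hunk does not show) rejects trailing junk, a sign and overflow in one call while still accepting the trailing newline this code tolerates, and would replace both checks. fc_str_to_dev_loss starts and ends outside the hunk.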
34562diff -urNp linux-3.1.1/drivers/scsi/scsi_transport_iscsi.c linux-3.1.1/drivers/scsi/scsi_transport_iscsi.c
34563--- linux-3.1.1/drivers/scsi/scsi_transport_iscsi.c 2011-11-11 15:19:27.000000000 -0500
34564+++ linux-3.1.1/drivers/scsi/scsi_transport_iscsi.c 2011-11-16 18:39:07.000000000 -0500
34565@@ -83,7 +83,7 @@ struct iscsi_internal {
34566 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
34567 };
34568
34569-static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
34570+static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
34571 static struct workqueue_struct *iscsi_eh_timer_workq;
34572
34573 /*
34574@@ -761,7 +761,7 @@ int iscsi_add_session(struct iscsi_cls_s
34575 int err;
34576
34577 ihost = shost->shost_data;
34578- session->sid = atomic_add_return(1, &iscsi_session_nr);
34579+ session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
34580
34581 if (id == ISCSI_MAX_TARGET) {
34582 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
34583@@ -2200,7 +2200,7 @@ static __init int iscsi_transport_init(v
34584 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
34585 ISCSI_TRANSPORT_VERSION);
34586
34587- atomic_set(&iscsi_session_nr, 0);
34588+ atomic_set_unchecked(&iscsi_session_nr, 0);
34589
34590 err = class_register(&iscsi_transport_class);
34591 if (err)
34592diff -urNp linux-3.1.1/drivers/scsi/scsi_transport_srp.c linux-3.1.1/drivers/scsi/scsi_transport_srp.c
34593--- linux-3.1.1/drivers/scsi/scsi_transport_srp.c 2011-11-11 15:19:27.000000000 -0500
34594+++ linux-3.1.1/drivers/scsi/scsi_transport_srp.c 2011-11-16 18:39:07.000000000 -0500
34595@@ -33,7 +33,7 @@
34596 #include "scsi_transport_srp_internal.h"
34597
34598 struct srp_host_attrs {
34599- atomic_t next_port_id;
34600+ atomic_unchecked_t next_port_id;
34601 };
34602 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
34603
34604@@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
34605 struct Scsi_Host *shost = dev_to_shost(dev);
34606 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
34607
34608- atomic_set(&srp_host->next_port_id, 0);
34609+ atomic_set_unchecked(&srp_host->next_port_id, 0);
34610 return 0;
34611 }
34612
34613@@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
34614 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
34615 rport->roles = ids->roles;
34616
34617- id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
34618+ id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
34619 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
34620
34621 transport_setup_device(&rport->dev);
34622diff -urNp linux-3.1.1/drivers/scsi/sg.c linux-3.1.1/drivers/scsi/sg.c
34623--- linux-3.1.1/drivers/scsi/sg.c 2011-11-11 15:19:27.000000000 -0500
34624+++ linux-3.1.1/drivers/scsi/sg.c 2011-11-16 18:39:07.000000000 -0500
34625@@ -1075,7 +1075,7 @@ sg_ioctl(struct file *filp, unsigned int
34626 sdp->disk->disk_name,
34627 MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
34628 NULL,
34629- (char *)arg);
34630+ (char __user *)arg);
34631 case BLKTRACESTART:
34632 return blk_trace_startstop(sdp->device->request_queue, 1);
34633 case BLKTRACESTOP:
34634@@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
34635 const struct file_operations * fops;
34636 };
34637
34638-static struct sg_proc_leaf sg_proc_leaf_arr[] = {
34639+static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
34640 {"allow_dio", &adio_fops},
34641 {"debug", &debug_fops},
34642 {"def_reserved_size", &dressz_fops},
34643@@ -2325,7 +2325,7 @@ sg_proc_init(void)
34644 {
34645 int k, mask;
34646 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
34647- struct sg_proc_leaf * leaf;
34648+ const struct sg_proc_leaf * leaf;
34649
34650 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
34651 if (!sg_proc_sgp)
34652diff -urNp linux-3.1.1/drivers/scsi/sym53c8xx_2/sym_glue.c linux-3.1.1/drivers/scsi/sym53c8xx_2/sym_glue.c
34653--- linux-3.1.1/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-11-11 15:19:27.000000000 -0500
34654+++ linux-3.1.1/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-11-16 18:40:22.000000000 -0500
34655@@ -1756,6 +1756,8 @@ static int __devinit sym2_probe(struct p
34656 int do_iounmap = 0;
34657 int do_disable_device = 1;
34658
34659+ pax_track_stack();
34660+
34661 memset(&sym_dev, 0, sizeof(sym_dev));
34662 memset(&nvram, 0, sizeof(nvram));
34663 sym_dev.pdev = pdev;
34664diff -urNp linux-3.1.1/drivers/scsi/vmw_pvscsi.c linux-3.1.1/drivers/scsi/vmw_pvscsi.c
34665--- linux-3.1.1/drivers/scsi/vmw_pvscsi.c 2011-11-11 15:19:27.000000000 -0500
34666+++ linux-3.1.1/drivers/scsi/vmw_pvscsi.c 2011-11-16 18:40:22.000000000 -0500
34667@@ -447,6 +447,8 @@ static void pvscsi_setup_all_rings(const
34668 dma_addr_t base;
34669 unsigned i;
34670
34671+ pax_track_stack();
34672+
34673 cmd.ringsStatePPN = adapter->ringStatePA >> PAGE_SHIFT;
34674 cmd.reqRingNumPages = adapter->req_pages;
34675 cmd.cmpRingNumPages = adapter->cmp_pages;
34676diff -urNp linux-3.1.1/drivers/spi/spi.c linux-3.1.1/drivers/spi/spi.c
34677--- linux-3.1.1/drivers/spi/spi.c 2011-11-11 15:19:27.000000000 -0500
34678+++ linux-3.1.1/drivers/spi/spi.c 2011-11-16 18:39:07.000000000 -0500
34679@@ -1023,7 +1023,7 @@ int spi_bus_unlock(struct spi_master *ma
34680 EXPORT_SYMBOL_GPL(spi_bus_unlock);
34681
34682 /* portable code must never pass more than 32 bytes */
34683-#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
34684+#define SPI_BUFSIZ max(32UL,SMP_CACHE_BYTES)
34685
34686 static u8 *buf;
34687
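Review bot: Changing the literal to `32UL` only satisfies the operand type check in the kernel's max() macro if SMP_CACHE_BYTES is itself an unsigned long on every architecture; where L1_CACHE_BYTES expands to a plain int shift the mismatch warning just moves to the other operand (whether this patch retypes that constant for every arch is not visible here). `#define SPI_BUFSIZ max_t(size_t, 32, SMP_CACHE_BYTES)` resolves the mismatch independently of how the arch constant is typed, and size_t is the type the buffer allocation wants anyway.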
34688diff -urNp linux-3.1.1/drivers/spi/spi-dw-pci.c linux-3.1.1/drivers/spi/spi-dw-pci.c
34689--- linux-3.1.1/drivers/spi/spi-dw-pci.c 2011-11-11 15:19:27.000000000 -0500
34690+++ linux-3.1.1/drivers/spi/spi-dw-pci.c 2011-11-16 18:39:07.000000000 -0500
34691@@ -148,7 +148,7 @@ static int spi_resume(struct pci_dev *pd
34692 #define spi_resume NULL
34693 #endif
34694
34695-static const struct pci_device_id pci_ids[] __devinitdata = {
34696+static const struct pci_device_id pci_ids[] __devinitconst = {
34697 /* Intel MID platform SPI controller 0 */
34698 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0800) },
34699 {},
34700diff -urNp linux-3.1.1/drivers/staging/ath6kl/os/linux/ar6000_drv.c linux-3.1.1/drivers/staging/ath6kl/os/linux/ar6000_drv.c
34701--- linux-3.1.1/drivers/staging/ath6kl/os/linux/ar6000_drv.c 2011-11-11 15:19:27.000000000 -0500
34702+++ linux-3.1.1/drivers/staging/ath6kl/os/linux/ar6000_drv.c 2011-11-16 18:39:07.000000000 -0500
34703@@ -362,7 +362,7 @@ static struct ar_cookie s_ar_cookie_mem[
34704 (((ar)->arTargetType == TARGET_TYPE_AR6003) ? AR6003_HOST_INTEREST_ITEM_ADDRESS(item) : 0))
34705
34706
34707-static struct net_device_ops ar6000_netdev_ops = {
34708+static net_device_ops_no_const ar6000_netdev_ops = {
34709 .ndo_init = NULL,
34710 .ndo_open = ar6000_open,
34711 .ndo_stop = ar6000_close,
34712diff -urNp linux-3.1.1/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h linux-3.1.1/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h
34713--- linux-3.1.1/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h 2011-11-11 15:19:27.000000000 -0500
34714+++ linux-3.1.1/drivers/staging/ath6kl/os/linux/include/ar6k_pal.h 2011-11-16 18:39:07.000000000 -0500
34715@@ -30,7 +30,7 @@ typedef bool (*ar6k_pal_recv_pkt_t)(void
34716 typedef struct ar6k_pal_config_s
34717 {
34718 ar6k_pal_recv_pkt_t fpar6k_pal_recv_pkt;
34719-}ar6k_pal_config_t;
34720+} __no_const ar6k_pal_config_t;
34721
34722 void register_pal_cb(ar6k_pal_config_t *palConfig_p);
34723 #endif /* _AR6K_PAL_H_ */
34724diff -urNp linux-3.1.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-3.1.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
34725--- linux-3.1.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-11-11 15:19:27.000000000 -0500
34726+++ linux-3.1.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-11-16 18:39:07.000000000 -0500
34727@@ -451,14 +451,14 @@ static void brcmf_op_if(struct brcmf_if
34728 free_netdev(ifp->net);
34729 }
34730 /* Allocate etherdev, including space for private structure */
34731- ifp->net = alloc_etherdev(sizeof(drvr_priv));
34732+ ifp->net = alloc_etherdev(sizeof(*drvr_priv));
34733 if (!ifp->net) {
34734 BRCMF_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
34735 ret = -ENOMEM;
34736 }
34737 if (ret == 0) {
34738 strcpy(ifp->net->name, ifp->name);
34739- memcpy(netdev_priv(ifp->net), &drvr_priv, sizeof(drvr_priv));
34740+ memcpy(netdev_priv(ifp->net), &drvr_priv, sizeof(*drvr_priv));
34741 err = brcmf_net_attach(&drvr_priv->pub, ifp->idx);
34742 if (err != 0) {
34743 BRCMF_ERROR(("%s: brcmf_net_attach failed, "
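Review bot: The copy on the new `memcpy(netdev_priv(ifp->net), &drvr_priv, sizeof(*drvr_priv));` line reads `sizeof(*drvr_priv)` bytes starting at `&drvr_priv`, the address of a pointer-sized local (`drvr_priv->pub` two lines later shows drvr_priv is a pointer), so the read runs past the variable into whatever else is on the stack and copies that into the netdev private area. The original code deliberately stored the pointer itself in the private area, so `sizeof(drvr_priv)` was the intended size rather than the "sizeof a pointer" mistake it resembles; the matching alloc_etherdev() change now also sizes the private area to the whole struct although presumably only the leading pointer is ever read back. Either revert both sizes to `sizeof(drvr_priv)`, or state the intent without a memcpy: `*(typeof(drvr_priv) *)netdev_priv(ifp->net) = drvr_priv;`. The @@ -1279, @@ -1295 and @@ -1352 hunks in brcmf_attach make the same change and need the same fix; brcmf_op_if starts and ends outside the hunk.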
34744@@ -1279,7 +1279,7 @@ struct brcmf_pub *brcmf_attach(struct br
34745 BRCMF_TRACE(("%s: Enter\n", __func__));
34746
34747 /* Allocate etherdev, including space for private structure */
34748- net = alloc_etherdev(sizeof(drvr_priv));
34749+ net = alloc_etherdev(sizeof(*drvr_priv));
34750 if (!net) {
34751 BRCMF_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
34752 goto fail;
34753@@ -1295,7 +1295,7 @@ struct brcmf_pub *brcmf_attach(struct br
34754 /*
34755 * Save the brcmf_info into the priv
34756 */
34757- memcpy(netdev_priv(net), &drvr_priv, sizeof(drvr_priv));
34758+ memcpy(netdev_priv(net), &drvr_priv, sizeof(*drvr_priv));
34759
34760 /* Set network interface name if it was provided as module parameter */
34761 if (iface_name[0]) {
34762@@ -1352,7 +1352,7 @@ struct brcmf_pub *brcmf_attach(struct br
34763 /*
34764 * Save the brcmf_info into the priv
34765 */
34766- memcpy(netdev_priv(net), &drvr_priv, sizeof(drvr_priv));
34767+ memcpy(netdev_priv(net), &drvr_priv, sizeof(*drvr_priv));
34768
34769 #if defined(CONFIG_PM_SLEEP)
34770 atomic_set(&brcmf_mmc_suspend, false);
34771diff -urNp linux-3.1.1/drivers/staging/brcm80211/brcmfmac/sdio_host.h linux-3.1.1/drivers/staging/brcm80211/brcmfmac/sdio_host.h
34772--- linux-3.1.1/drivers/staging/brcm80211/brcmfmac/sdio_host.h 2011-11-11 15:19:27.000000000 -0500
34773+++ linux-3.1.1/drivers/staging/brcm80211/brcmfmac/sdio_host.h 2011-11-16 18:39:07.000000000 -0500
34774@@ -263,7 +263,7 @@ struct brcmf_sdioh_driver {
34775 u16 func, uint bustype, u32 regsva, void *param);
34776 /* detach from device */
34777 void (*detach) (void *ch);
34778-};
34779+} __no_const;
34780
34781 struct sdioh_info;
34782
34783diff -urNp linux-3.1.1/drivers/staging/brcm80211/brcmsmac/phy/phy_int.h linux-3.1.1/drivers/staging/brcm80211/brcmsmac/phy/phy_int.h
34784--- linux-3.1.1/drivers/staging/brcm80211/brcmsmac/phy/phy_int.h 2011-11-11 15:19:27.000000000 -0500
34785+++ linux-3.1.1/drivers/staging/brcm80211/brcmsmac/phy/phy_int.h 2011-11-16 18:39:07.000000000 -0500
34786@@ -591,7 +591,7 @@ struct phy_func_ptr {
34787 initfn_t carrsuppr;
34788 rxsigpwrfn_t rxsigpwr;
34789 detachfn_t detach;
34790-};
34791+} __no_const;
34792
34793 struct brcms_phy {
34794 struct brcms_phy_pub pubpi_ro;
34795diff -urNp linux-3.1.1/drivers/staging/et131x/et1310_tx.c linux-3.1.1/drivers/staging/et131x/et1310_tx.c
34796--- linux-3.1.1/drivers/staging/et131x/et1310_tx.c 2011-11-11 15:19:27.000000000 -0500
34797+++ linux-3.1.1/drivers/staging/et131x/et1310_tx.c 2011-11-16 18:39:07.000000000 -0500
34798@@ -635,11 +635,11 @@ inline void et131x_free_send_packet(stru
34799 struct net_device_stats *stats = &etdev->net_stats;
34800
34801 if (tcb->flags & fMP_DEST_BROAD)
34802- atomic_inc(&etdev->stats.brdcstxmt);
34803+ atomic_inc_unchecked(&etdev->stats.brdcstxmt);
34804 else if (tcb->flags & fMP_DEST_MULTI)
34805- atomic_inc(&etdev->stats.multixmt);
34806+ atomic_inc_unchecked(&etdev->stats.multixmt);
34807 else
34808- atomic_inc(&etdev->stats.unixmt);
34809+ atomic_inc_unchecked(&etdev->stats.unixmt);
34810
34811 if (tcb->skb) {
34812 stats->tx_bytes += tcb->skb->len;
34813diff -urNp linux-3.1.1/drivers/staging/et131x/et131x_adapter.h linux-3.1.1/drivers/staging/et131x/et131x_adapter.h
34814--- linux-3.1.1/drivers/staging/et131x/et131x_adapter.h 2011-11-11 15:19:27.000000000 -0500
34815+++ linux-3.1.1/drivers/staging/et131x/et131x_adapter.h 2011-11-16 18:39:07.000000000 -0500
34816@@ -106,11 +106,11 @@ struct ce_stats {
34817 * operations
34818 */
34819 u32 unircv; /* # multicast packets received */
34820- atomic_t unixmt; /* # multicast packets for Tx */
34821+ atomic_unchecked_t unixmt; /* # multicast packets for Tx */
34822 u32 multircv; /* # multicast packets received */
34823- atomic_t multixmt; /* # multicast packets for Tx */
34824+ atomic_unchecked_t multixmt; /* # multicast packets for Tx */
34825 u32 brdcstrcv; /* # broadcast packets received */
34826- atomic_t brdcstxmt; /* # broadcast packets for Tx */
34827+ atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
34828 u32 norcvbuf; /* # Rx packets discarded */
34829 u32 noxmtbuf; /* # Tx packets discarded */
34830
34831diff -urNp linux-3.1.1/drivers/staging/hv/channel.c linux-3.1.1/drivers/staging/hv/channel.c
34832--- linux-3.1.1/drivers/staging/hv/channel.c 2011-11-11 15:19:27.000000000 -0500
34833+++ linux-3.1.1/drivers/staging/hv/channel.c 2011-11-16 18:39:07.000000000 -0500
34834@@ -447,8 +447,8 @@ int vmbus_establish_gpadl(struct vmbus_c
34835 int ret = 0;
34836 int t;
34837
34838- next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle);
34839- atomic_inc(&vmbus_connection.next_gpadl_handle);
34840+ next_gpadl_handle = atomic_read_unchecked(&vmbus_connection.next_gpadl_handle);
34841+ atomic_inc_unchecked(&vmbus_connection.next_gpadl_handle);
34842
34843 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
34844 if (ret)
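Review bot: The handle allocation on the two new lines is still a separate read followed by an increment, so two callers entering vmbus_establish_gpadl concurrently can be issued the same next_gpadl_handle unless a lock outside this hunk serialises them. A single atomic step yields the same value sequence: `next_gpadl_handle = atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle) - 1;`. The body of vmbus_establish_gpadl continues beyond the hunk on both sides.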
34845diff -urNp linux-3.1.1/drivers/staging/hv/hv.c linux-3.1.1/drivers/staging/hv/hv.c
34846--- linux-3.1.1/drivers/staging/hv/hv.c 2011-11-11 15:19:27.000000000 -0500
34847+++ linux-3.1.1/drivers/staging/hv/hv.c 2011-11-16 18:39:07.000000000 -0500
34848@@ -132,7 +132,7 @@ static u64 do_hypercall(u64 control, voi
34849 u64 output_address = (output) ? virt_to_phys(output) : 0;
34850 u32 output_address_hi = output_address >> 32;
34851 u32 output_address_lo = output_address & 0xFFFFFFFF;
34852- volatile void *hypercall_page = hv_context.hypercall_page;
34853+ volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
34854
34855 __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
34856 "=a"(hv_status_lo) : "d" (control_hi),
34857diff -urNp linux-3.1.1/drivers/staging/hv/hv_mouse.c linux-3.1.1/drivers/staging/hv/hv_mouse.c
34858--- linux-3.1.1/drivers/staging/hv/hv_mouse.c 2011-11-11 15:19:27.000000000 -0500
34859+++ linux-3.1.1/drivers/staging/hv/hv_mouse.c 2011-11-16 18:39:07.000000000 -0500
34860@@ -878,8 +878,10 @@ static void reportdesc_callback(struct h
34861 if (hid_dev) {
34862 DPRINT_INFO(INPUTVSC_DRV, "hid_device created");
34863
34864- hid_dev->ll_driver->open = mousevsc_hid_open;
34865- hid_dev->ll_driver->close = mousevsc_hid_close;
34866+ pax_open_kernel();
34867+ *(void **)&hid_dev->ll_driver->open = mousevsc_hid_open;
34868+ *(void **)&hid_dev->ll_driver->close = mousevsc_hid_close;
34869+ pax_close_kernel();
34870
34871 hid_dev->bus = BUS_VIRTUAL;
34872 hid_dev->vendor = input_device_ctx->device_info.vendor;
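Review bot: The two writes through `*(void **)&hid_dev->ll_driver->open` strip the constness of the ll_driver table and nothing records why the pax_open_kernel()/pax_close_kernel() window is needed; a comment such as `/* ll_driver ops are kept read-only; unprotect briefly to patch in our open/close */` would spare the next reader a search. Storing a function pointer through a `void **` is also not portable C, and if ll_driver points at a driver-wide table the assignment affects every hid device using it (presumably as before, but worth stating in the same comment). reportdesc_callback starts outside the hunk.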
34873diff -urNp linux-3.1.1/drivers/staging/hv/hyperv_vmbus.h linux-3.1.1/drivers/staging/hv/hyperv_vmbus.h
34874--- linux-3.1.1/drivers/staging/hv/hyperv_vmbus.h 2011-11-11 15:19:27.000000000 -0500
34875+++ linux-3.1.1/drivers/staging/hv/hyperv_vmbus.h 2011-11-16 18:39:07.000000000 -0500
34876@@ -559,7 +559,7 @@ enum vmbus_connect_state {
34877 struct vmbus_connection {
34878 enum vmbus_connect_state conn_state;
34879
34880- atomic_t next_gpadl_handle;
34881+ atomic_unchecked_t next_gpadl_handle;
34882
34883 /*
34884 * Represents channel interrupts. Each bit position represents a
34885diff -urNp linux-3.1.1/drivers/staging/hv/rndis_filter.c linux-3.1.1/drivers/staging/hv/rndis_filter.c
34886--- linux-3.1.1/drivers/staging/hv/rndis_filter.c 2011-11-11 15:19:27.000000000 -0500
34887+++ linux-3.1.1/drivers/staging/hv/rndis_filter.c 2011-11-16 18:39:07.000000000 -0500
34888@@ -43,7 +43,7 @@ struct rndis_device {
34889
34890 enum rndis_device_state state;
34891 u32 link_stat;
34892- atomic_t new_req_id;
34893+ atomic_unchecked_t new_req_id;
34894
34895 spinlock_t request_lock;
34896 struct list_head req_list;
34897@@ -117,7 +117,7 @@ static struct rndis_request *get_rndis_r
34898 * template
34899 */
34900 set = &rndis_msg->msg.set_req;
34901- set->req_id = atomic_inc_return(&dev->new_req_id);
34902+ set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
34903
34904 /* Add to the request list */
34905 spin_lock_irqsave(&dev->request_lock, flags);
34906@@ -622,7 +622,7 @@ static void rndis_filter_halt_device(str
34907
34908 /* Setup the rndis set */
34909 halt = &request->request_msg.msg.halt_req;
34910- halt->req_id = atomic_inc_return(&dev->new_req_id);
34911+ halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
34912
34913 /* Ignore return since this msg is optional. */
34914 rndis_filter_send_request(dev, request);
34915diff -urNp linux-3.1.1/drivers/staging/hv/vmbus_drv.c linux-3.1.1/drivers/staging/hv/vmbus_drv.c
34916--- linux-3.1.1/drivers/staging/hv/vmbus_drv.c 2011-11-11 15:19:27.000000000 -0500
34917+++ linux-3.1.1/drivers/staging/hv/vmbus_drv.c 2011-11-16 18:39:07.000000000 -0500
34918@@ -660,11 +660,11 @@ int vmbus_child_device_register(struct h
34919 {
34920 int ret = 0;
34921
34922- static atomic_t device_num = ATOMIC_INIT(0);
34923+ static atomic_unchecked_t device_num = ATOMIC_INIT(0);
34924
34925 /* Set the device name. Otherwise, device_register() will fail. */
34926 dev_set_name(&child_device_obj->device, "vmbus_0_%d",
34927- atomic_inc_return(&device_num));
34928+ atomic_inc_return_unchecked(&device_num));
34929
34930 /* The new device belongs to this bus */
34931 child_device_obj->device.bus = &hv_bus; /* device->dev.bus; */
34932diff -urNp linux-3.1.1/drivers/staging/iio/ring_generic.h linux-3.1.1/drivers/staging/iio/ring_generic.h
34933--- linux-3.1.1/drivers/staging/iio/ring_generic.h 2011-11-11 15:19:27.000000000 -0500
34934+++ linux-3.1.1/drivers/staging/iio/ring_generic.h 2011-11-16 18:39:07.000000000 -0500
34935@@ -62,7 +62,7 @@ struct iio_ring_access_funcs {
34936
34937 int (*is_enabled)(struct iio_ring_buffer *ring);
34938 int (*enable)(struct iio_ring_buffer *ring);
34939-};
34940+} __no_const;
34941
34942 struct iio_ring_setup_ops {
34943 int (*preenable)(struct iio_dev *);
34944diff -urNp linux-3.1.1/drivers/staging/mei/interface.c linux-3.1.1/drivers/staging/mei/interface.c
34945--- linux-3.1.1/drivers/staging/mei/interface.c 2011-11-11 15:19:27.000000000 -0500
34946+++ linux-3.1.1/drivers/staging/mei/interface.c 2011-11-17 18:39:18.000000000 -0500
34947@@ -332,7 +332,7 @@ int mei_send_flow_control(struct mei_dev
34948 mei_hdr->reserved = 0;
34949
34950 mei_flow_control = (struct hbm_flow_control *) &dev->wr_msg_buf[1];
34951- memset(mei_flow_control, 0, sizeof(mei_flow_control));
34952+ memset(mei_flow_control, 0, sizeof(*mei_flow_control));
34953 mei_flow_control->host_addr = cl->host_client_id;
34954 mei_flow_control->me_addr = cl->me_client_id;
34955 mei_flow_control->cmd.cmd = MEI_FLOW_CONTROL_CMD;
34956@@ -396,7 +396,7 @@ int mei_disconnect(struct mei_device *de
34957
34958 mei_cli_disconnect =
34959 (struct hbm_client_disconnect_request *) &dev->wr_msg_buf[1];
34960- memset(mei_cli_disconnect, 0, sizeof(mei_cli_disconnect));
34961+ memset(mei_cli_disconnect, 0, sizeof(*mei_cli_disconnect));
34962 mei_cli_disconnect->host_addr = cl->host_client_id;
34963 mei_cli_disconnect->me_addr = cl->me_client_id;
34964 mei_cli_disconnect->cmd.cmd = CLIENT_DISCONNECT_REQ_CMD;
34965diff -urNp linux-3.1.1/drivers/staging/octeon/ethernet.c linux-3.1.1/drivers/staging/octeon/ethernet.c
34966--- linux-3.1.1/drivers/staging/octeon/ethernet.c 2011-11-11 15:19:27.000000000 -0500
34967+++ linux-3.1.1/drivers/staging/octeon/ethernet.c 2011-11-16 18:39:07.000000000 -0500
34968@@ -258,11 +258,11 @@ static struct net_device_stats *cvm_oct_
34969 * since the RX tasklet also increments it.
34970 */
34971 #ifdef CONFIG_64BIT
34972- atomic64_add(rx_status.dropped_packets,
34973- (atomic64_t *)&priv->stats.rx_dropped);
34974+ atomic64_add_unchecked(rx_status.dropped_packets,
34975+ (atomic64_unchecked_t *)&priv->stats.rx_dropped);
34976 #else
34977- atomic_add(rx_status.dropped_packets,
34978- (atomic_t *)&priv->stats.rx_dropped);
34979+ atomic_add_unchecked(rx_status.dropped_packets,
34980+ (atomic_unchecked_t *)&priv->stats.rx_dropped);
34981 #endif
34982 }
34983
34984diff -urNp linux-3.1.1/drivers/staging/octeon/ethernet-rx.c linux-3.1.1/drivers/staging/octeon/ethernet-rx.c
34985--- linux-3.1.1/drivers/staging/octeon/ethernet-rx.c 2011-11-11 15:19:27.000000000 -0500
34986+++ linux-3.1.1/drivers/staging/octeon/ethernet-rx.c 2011-11-16 18:39:07.000000000 -0500
34987@@ -420,11 +420,11 @@ static int cvm_oct_napi_poll(struct napi
34988 /* Increment RX stats for virtual ports */
34989 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
34990 #ifdef CONFIG_64BIT
34991- atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
34992- atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
34993+ atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
34994+ atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
34995 #else
34996- atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
34997- atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
34998+ atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
34999+ atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
35000 #endif
35001 }
35002 netif_receive_skb(skb);
35003@@ -436,9 +436,9 @@ static int cvm_oct_napi_poll(struct napi
35004 dev->name);
35005 */
35006 #ifdef CONFIG_64BIT
35007- atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
35008+ atomic64_unchecked_add(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);
35009 #else
35010- atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
35011+ atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);
35012 #endif
35013 dev_kfree_skb_irq(skb);
35014 }
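Review bot: `atomic64_unchecked_add(1, ...)` on the CONFIG_64BIT branch does not match the helper name used everywhere else in this patch (`atomic64_add_unchecked`, as in the preceding hunk of this file and in ethernet.c); unless a helper with that exact name exists, the 64-bit build of this file fails to compile. It should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);`. cvm_oct_napi_poll's body continues on both sides of the hunk.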
35015diff -urNp linux-3.1.1/drivers/staging/pohmelfs/inode.c linux-3.1.1/drivers/staging/pohmelfs/inode.c
35016--- linux-3.1.1/drivers/staging/pohmelfs/inode.c 2011-11-11 15:19:27.000000000 -0500
35017+++ linux-3.1.1/drivers/staging/pohmelfs/inode.c 2011-11-16 18:39:07.000000000 -0500
35018@@ -1861,7 +1861,7 @@ static int pohmelfs_fill_super(struct su
35019 mutex_init(&psb->mcache_lock);
35020 psb->mcache_root = RB_ROOT;
35021 psb->mcache_timeout = msecs_to_jiffies(5000);
35022- atomic_long_set(&psb->mcache_gen, 0);
35023+ atomic_long_set_unchecked(&psb->mcache_gen, 0);
35024
35025 psb->trans_max_pages = 100;
35026
35027@@ -1876,7 +1876,7 @@ static int pohmelfs_fill_super(struct su
35028 INIT_LIST_HEAD(&psb->crypto_ready_list);
35029 INIT_LIST_HEAD(&psb->crypto_active_list);
35030
35031- atomic_set(&psb->trans_gen, 1);
35032+ atomic_set_unchecked(&psb->trans_gen, 1);
35033 atomic_long_set(&psb->total_inodes, 0);
35034
35035 mutex_init(&psb->state_lock);
35036diff -urNp linux-3.1.1/drivers/staging/pohmelfs/mcache.c linux-3.1.1/drivers/staging/pohmelfs/mcache.c
35037--- linux-3.1.1/drivers/staging/pohmelfs/mcache.c 2011-11-11 15:19:27.000000000 -0500
35038+++ linux-3.1.1/drivers/staging/pohmelfs/mcache.c 2011-11-16 18:39:07.000000000 -0500
35039@@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
35040 m->data = data;
35041 m->start = start;
35042 m->size = size;
35043- m->gen = atomic_long_inc_return(&psb->mcache_gen);
35044+ m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
35045
35046 mutex_lock(&psb->mcache_lock);
35047 err = pohmelfs_mcache_insert(psb, m);
35048diff -urNp linux-3.1.1/drivers/staging/pohmelfs/netfs.h linux-3.1.1/drivers/staging/pohmelfs/netfs.h
35049--- linux-3.1.1/drivers/staging/pohmelfs/netfs.h 2011-11-11 15:19:27.000000000 -0500
35050+++ linux-3.1.1/drivers/staging/pohmelfs/netfs.h 2011-11-16 18:39:07.000000000 -0500
35051@@ -571,14 +571,14 @@ struct pohmelfs_config;
35052 struct pohmelfs_sb {
35053 struct rb_root mcache_root;
35054 struct mutex mcache_lock;
35055- atomic_long_t mcache_gen;
35056+ atomic_long_unchecked_t mcache_gen;
35057 unsigned long mcache_timeout;
35058
35059 unsigned int idx;
35060
35061 unsigned int trans_retries;
35062
35063- atomic_t trans_gen;
35064+ atomic_unchecked_t trans_gen;
35065
35066 unsigned int crypto_attached_size;
35067 unsigned int crypto_align_size;
35068diff -urNp linux-3.1.1/drivers/staging/pohmelfs/trans.c linux-3.1.1/drivers/staging/pohmelfs/trans.c
35069--- linux-3.1.1/drivers/staging/pohmelfs/trans.c 2011-11-11 15:19:27.000000000 -0500
35070+++ linux-3.1.1/drivers/staging/pohmelfs/trans.c 2011-11-16 18:39:07.000000000 -0500
35071@@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
35072 int err;
35073 struct netfs_cmd *cmd = t->iovec.iov_base;
35074
35075- t->gen = atomic_inc_return(&psb->trans_gen);
35076+ t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
35077
35078 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
35079 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
35080diff -urNp linux-3.1.1/drivers/staging/rtl8712/rtl871x_io.h linux-3.1.1/drivers/staging/rtl8712/rtl871x_io.h
35081--- linux-3.1.1/drivers/staging/rtl8712/rtl871x_io.h 2011-11-11 15:19:27.000000000 -0500
35082+++ linux-3.1.1/drivers/staging/rtl8712/rtl871x_io.h 2011-11-16 18:39:07.000000000 -0500
35083@@ -83,7 +83,7 @@ struct _io_ops {
35084 u8 *pmem);
35085 u32 (*_write_port)(struct intf_hdl *pintfhdl, u32 addr, u32 cnt,
35086 u8 *pmem);
35087-};
35088+} __no_const;
35089
35090 struct io_req {
35091 struct list_head list;
35092diff -urNp linux-3.1.1/drivers/staging/sbe-2t3e3/netdev.c linux-3.1.1/drivers/staging/sbe-2t3e3/netdev.c
35093--- linux-3.1.1/drivers/staging/sbe-2t3e3/netdev.c 2011-11-11 15:19:27.000000000 -0500
35094+++ linux-3.1.1/drivers/staging/sbe-2t3e3/netdev.c 2011-11-16 18:39:08.000000000 -0500
35095@@ -51,7 +51,7 @@ int t3e3_ioctl(struct net_device *dev, s
35096 t3e3_if_config(sc, cmd_2t3e3, (char *)&param, &resp, &rlen);
35097
35098 if (rlen)
35099- if (copy_to_user(data, &resp, rlen))
35100+ if (rlen > sizeof resp || copy_to_user(data, &resp, rlen))
35101 return -EFAULT;
35102
35103 return 0;
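Review bot: The new `rlen > sizeof resp` guard returns -EFAULT for an rlen larger than the local buffer, but that case is a driver-internal inconsistency produced by the t3e3_if_config() call two lines above, not a bad user pointer; returning -EINVAL (or adding a WARN_ON_ONCE) would keep it distinguishable from a genuine copy failure. A one-line comment, e.g. `/* rlen is filled in by t3e3_if_config; never copy more than resp holds */`, would also explain the bound. t3e3_ioctl begins outside the hunk.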
35104diff -urNp linux-3.1.1/drivers/staging/usbip/usbip_common.h linux-3.1.1/drivers/staging/usbip/usbip_common.h
35105--- linux-3.1.1/drivers/staging/usbip/usbip_common.h 2011-11-11 15:19:27.000000000 -0500
35106+++ linux-3.1.1/drivers/staging/usbip/usbip_common.h 2011-11-16 18:39:08.000000000 -0500
35107@@ -289,7 +289,7 @@ struct usbip_device {
35108 void (*shutdown)(struct usbip_device *);
35109 void (*reset)(struct usbip_device *);
35110 void (*unusable)(struct usbip_device *);
35111- } eh_ops;
35112+ } __no_const eh_ops;
35113 };
35114
35115 #if 0
35116diff -urNp linux-3.1.1/drivers/staging/usbip/vhci.h linux-3.1.1/drivers/staging/usbip/vhci.h
35117--- linux-3.1.1/drivers/staging/usbip/vhci.h 2011-11-11 15:19:27.000000000 -0500
35118+++ linux-3.1.1/drivers/staging/usbip/vhci.h 2011-11-16 18:39:08.000000000 -0500
35119@@ -85,7 +85,7 @@ struct vhci_hcd {
35120 unsigned resuming:1;
35121 unsigned long re_timeout;
35122
35123- atomic_t seqnum;
35124+ atomic_unchecked_t seqnum;
35125
35126 /*
35127 * NOTE:
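Review bot: The change to atomic_unchecked_t opts seqnum out of overflow detection without recording why; since vhci_hcd.c compares the value against 0xffff and only logs "seqnum max", the field is a wrapping sequence id rather than a reference count, and that is the justification worth keeping next to the declaration. Suggested: `atomic_unchecked_t seqnum; /* wrapping sequence id, not a refcount: overflow is benign */`.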
35128diff -urNp linux-3.1.1/drivers/staging/usbip/vhci_hcd.c linux-3.1.1/drivers/staging/usbip/vhci_hcd.c
35129--- linux-3.1.1/drivers/staging/usbip/vhci_hcd.c 2011-11-11 15:19:27.000000000 -0500
35130+++ linux-3.1.1/drivers/staging/usbip/vhci_hcd.c 2011-11-16 18:39:08.000000000 -0500
35131@@ -527,7 +527,7 @@ static void vhci_tx_urb(struct urb *urb)
35132 return;
35133 }
35134
35135- priv->seqnum = atomic_inc_return(&the_controller->seqnum);
35136+ priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
35137 if (priv->seqnum == 0xffff)
35138 dev_info(&urb->dev->dev, "seqnum max\n");
35139
35140@@ -779,7 +779,7 @@ static int vhci_urb_dequeue(struct usb_h
35141 return -ENOMEM;
35142 }
35143
35144- unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
35145+ unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
35146 if (unlink->seqnum == 0xffff)
35147 pr_info("seqnum max\n");
35148
35149@@ -969,7 +969,7 @@ static int vhci_start(struct usb_hcd *hc
35150 vdev->rhport = rhport;
35151 }
35152
35153- atomic_set(&vhci->seqnum, 0);
35154+ atomic_set_unchecked(&vhci->seqnum, 0);
35155 spin_lock_init(&vhci->lock);
35156
35157 hcd->power_budget = 0; /* no limit */
35158diff -urNp linux-3.1.1/drivers/staging/usbip/vhci_rx.c linux-3.1.1/drivers/staging/usbip/vhci_rx.c
35159--- linux-3.1.1/drivers/staging/usbip/vhci_rx.c 2011-11-11 15:19:27.000000000 -0500
35160+++ linux-3.1.1/drivers/staging/usbip/vhci_rx.c 2011-11-16 18:39:08.000000000 -0500
35161@@ -76,7 +76,7 @@ static void vhci_recv_ret_submit(struct
35162 if (!urb) {
35163 pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
35164 pr_info("max seqnum %d\n",
35165- atomic_read(&the_controller->seqnum));
35166+ atomic_read_unchecked(&the_controller->seqnum));
35167 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
35168 return;
35169 }
35170diff -urNp linux-3.1.1/drivers/staging/vt6655/hostap.c linux-3.1.1/drivers/staging/vt6655/hostap.c
35171--- linux-3.1.1/drivers/staging/vt6655/hostap.c 2011-11-11 15:19:27.000000000 -0500
35172+++ linux-3.1.1/drivers/staging/vt6655/hostap.c 2011-11-16 18:39:08.000000000 -0500
35173@@ -79,14 +79,13 @@ static int msglevel
35174 *
35175 */
35176
35177+static net_device_ops_no_const apdev_netdev_ops;
35178+
35179 static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked)
35180 {
35181 PSDevice apdev_priv;
35182 struct net_device *dev = pDevice->dev;
35183 int ret;
35184- const struct net_device_ops apdev_netdev_ops = {
35185- .ndo_start_xmit = pDevice->tx_80211,
35186- };
35187
35188 DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name);
35189
35190@@ -98,6 +97,8 @@ static int hostap_enable_hostapd(PSDevic
35191 *apdev_priv = *pDevice;
35192 memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN);
35193
35194+ /* only half broken now */
35195+ apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;
35196 pDevice->apdev->netdev_ops = &apdev_netdev_ops;
35197
35198 pDevice->apdev->type = ARPHRD_IEEE80211;
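Review bot: The `/* only half broken now */` comment does not say what is still broken: apdev_netdev_ops is now a single file-scope object, so the ndo_start_xmit assigned here is shared by every device this driver handles and the last hostap_enable_hostapd() call wins, whereas the previous stack-local const struct left pDevice->apdev->netdev_ops pointing at a dead frame after return. Replace the comment with one that states this, e.g. `/* Shared file-scope ops table: fixes the old dangling stack pointer, but with several devices each call overwrites the others' ndo_start_xmit. */`. The same code and comment appear in drivers/staging/vt6656/hostap.c. hostap_enable_hostapd continues beyond the hunk.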
35199diff -urNp linux-3.1.1/drivers/staging/vt6656/hostap.c linux-3.1.1/drivers/staging/vt6656/hostap.c
35200--- linux-3.1.1/drivers/staging/vt6656/hostap.c 2011-11-11 15:19:27.000000000 -0500
35201+++ linux-3.1.1/drivers/staging/vt6656/hostap.c 2011-11-16 18:39:08.000000000 -0500
35202@@ -80,14 +80,13 @@ static int msglevel
35203 *
35204 */
35205
35206+static net_device_ops_no_const apdev_netdev_ops;
35207+
35208 static int hostap_enable_hostapd(PSDevice pDevice, int rtnl_locked)
35209 {
35210 PSDevice apdev_priv;
35211 struct net_device *dev = pDevice->dev;
35212 int ret;
35213- const struct net_device_ops apdev_netdev_ops = {
35214- .ndo_start_xmit = pDevice->tx_80211,
35215- };
35216
35217 DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "%s: Enabling hostapd mode\n", dev->name);
35218
35219@@ -99,6 +98,8 @@ static int hostap_enable_hostapd(PSDevic
35220 *apdev_priv = *pDevice;
35221 memcpy(pDevice->apdev->dev_addr, dev->dev_addr, ETH_ALEN);
35222
35223+ /* only half broken now */
35224+ apdev_netdev_ops.ndo_start_xmit = pDevice->tx_80211;
35225 pDevice->apdev->netdev_ops = &apdev_netdev_ops;
35226
35227 pDevice->apdev->type = ARPHRD_IEEE80211;
35228diff -urNp linux-3.1.1/drivers/staging/wlan-ng/hfa384x_usb.c linux-3.1.1/drivers/staging/wlan-ng/hfa384x_usb.c
35229--- linux-3.1.1/drivers/staging/wlan-ng/hfa384x_usb.c 2011-11-11 15:19:27.000000000 -0500
35230+++ linux-3.1.1/drivers/staging/wlan-ng/hfa384x_usb.c 2011-11-16 18:39:08.000000000 -0500
35231@@ -204,7 +204,7 @@ static void unlocked_usbctlx_complete(hf
35232
35233 struct usbctlx_completor {
35234 int (*complete) (struct usbctlx_completor *);
35235-};
35236+} __no_const;
35237
35238 static int
35239 hfa384x_usbctlx_complete_sync(hfa384x_t *hw,
35240diff -urNp linux-3.1.1/drivers/staging/zcache/tmem.c linux-3.1.1/drivers/staging/zcache/tmem.c
35241--- linux-3.1.1/drivers/staging/zcache/tmem.c 2011-11-11 15:19:27.000000000 -0500
35242+++ linux-3.1.1/drivers/staging/zcache/tmem.c 2011-11-16 18:39:08.000000000 -0500
35243@@ -39,7 +39,7 @@
35244 * A tmem host implementation must use this function to register callbacks
35245 * for memory allocation.
35246 */
35247-static struct tmem_hostops tmem_hostops;
35248+static tmem_hostops_no_const tmem_hostops;
35249
35250 static void tmem_objnode_tree_init(void);
35251
35252@@ -53,7 +53,7 @@ void tmem_register_hostops(struct tmem_h
35253 * A tmem host implementation must use this function to register
35254 * callbacks for a page-accessible memory (PAM) implementation
35255 */
35256-static struct tmem_pamops tmem_pamops;
35257+static tmem_pamops_no_const tmem_pamops;
35258
35259 void tmem_register_pamops(struct tmem_pamops *m)
35260 {
35261diff -urNp linux-3.1.1/drivers/staging/zcache/tmem.h linux-3.1.1/drivers/staging/zcache/tmem.h
35262--- linux-3.1.1/drivers/staging/zcache/tmem.h 2011-11-11 15:19:27.000000000 -0500
35263+++ linux-3.1.1/drivers/staging/zcache/tmem.h 2011-11-16 18:39:08.000000000 -0500
35264@@ -180,6 +180,7 @@ struct tmem_pamops {
35265 void (*new_obj)(struct tmem_obj *);
35266 int (*replace_in_obj)(void *, struct tmem_obj *);
35267 };
35268+typedef struct tmem_pamops __no_const tmem_pamops_no_const;
35269 extern void tmem_register_pamops(struct tmem_pamops *m);
35270
35271 /* memory allocation methods provided by the host implementation */
35272@@ -189,6 +190,7 @@ struct tmem_hostops {
35273 struct tmem_objnode *(*objnode_alloc)(struct tmem_pool *);
35274 void (*objnode_free)(struct tmem_objnode *, struct tmem_pool *);
35275 };
35276+typedef struct tmem_hostops __no_const tmem_hostops_no_const;
35277 extern void tmem_register_hostops(struct tmem_hostops *m);
35278
35279 /* core tmem accessor functions */
35280diff -urNp linux-3.1.1/drivers/target/iscsi/iscsi_target.c linux-3.1.1/drivers/target/iscsi/iscsi_target.c
35281--- linux-3.1.1/drivers/target/iscsi/iscsi_target.c 2011-11-11 15:19:27.000000000 -0500
35282+++ linux-3.1.1/drivers/target/iscsi/iscsi_target.c 2011-11-16 18:39:08.000000000 -0500
35283@@ -1368,7 +1368,7 @@ static int iscsit_handle_data_out(struct
35284 * outstanding_r2ts reaches zero, go ahead and send the delayed
35285 * TASK_ABORTED status.
35286 */
35287- if (atomic_read(&se_cmd->t_transport_aborted) != 0) {
35288+ if (atomic_read_unchecked(&se_cmd->t_transport_aborted) != 0) {
35289 if (hdr->flags & ISCSI_FLAG_CMD_FINAL)
35290 if (--cmd->outstanding_r2ts < 1) {
35291 iscsit_stop_dataout_timer(cmd);
35292diff -urNp linux-3.1.1/drivers/target/target_core_alua.c linux-3.1.1/drivers/target/target_core_alua.c
35293--- linux-3.1.1/drivers/target/target_core_alua.c 2011-11-11 15:19:27.000000000 -0500
35294+++ linux-3.1.1/drivers/target/target_core_alua.c 2011-11-16 18:40:29.000000000 -0500
35295@@ -723,6 +723,8 @@ static int core_alua_update_tpg_primary_
35296 char path[ALUA_METADATA_PATH_LEN];
35297 int len;
35298
35299+ pax_track_stack();
35300+
35301 memset(path, 0, ALUA_METADATA_PATH_LEN);
35302
35303 len = snprintf(md_buf, tg_pt_gp->tg_pt_gp_md_buf_len,
35304@@ -986,6 +988,8 @@ static int core_alua_update_tpg_secondar
35305 char path[ALUA_METADATA_PATH_LEN], wwn[ALUA_SECONDARY_METADATA_WWN_LEN];
35306 int len;
35307
35308+ pax_track_stack();
35309+
35310 memset(path, 0, ALUA_METADATA_PATH_LEN);
35311 memset(wwn, 0, ALUA_SECONDARY_METADATA_WWN_LEN);
35312
35313diff -urNp linux-3.1.1/drivers/target/target_core_cdb.c linux-3.1.1/drivers/target/target_core_cdb.c
35314--- linux-3.1.1/drivers/target/target_core_cdb.c 2011-11-11 15:19:27.000000000 -0500
35315+++ linux-3.1.1/drivers/target/target_core_cdb.c 2011-11-16 18:40:29.000000000 -0500
35316@@ -933,6 +933,8 @@ target_emulate_modesense(struct se_cmd *
35317 int length = 0;
35318 unsigned char buf[SE_MODE_PAGE_BUF];
35319
35320+ pax_track_stack();
35321+
35322 memset(buf, 0, SE_MODE_PAGE_BUF);
35323
35324 switch (cdb[2] & 0x3f) {
35325diff -urNp linux-3.1.1/drivers/target/target_core_configfs.c linux-3.1.1/drivers/target/target_core_configfs.c
35326--- linux-3.1.1/drivers/target/target_core_configfs.c 2011-11-11 15:19:27.000000000 -0500
35327+++ linux-3.1.1/drivers/target/target_core_configfs.c 2011-11-16 19:04:37.000000000 -0500
35328@@ -1267,6 +1267,8 @@ static ssize_t target_core_dev_pr_show_a
35329 ssize_t len = 0;
35330 int reg_count = 0, prf_isid;
35331
35332+ pax_track_stack();
35333+
35334 if (!su_dev->se_dev_ptr)
35335 return -ENODEV;
35336
35337diff -urNp linux-3.1.1/drivers/target/target_core_pr.c linux-3.1.1/drivers/target/target_core_pr.c
35338--- linux-3.1.1/drivers/target/target_core_pr.c 2011-11-11 15:19:27.000000000 -0500
35339+++ linux-3.1.1/drivers/target/target_core_pr.c 2011-11-16 18:40:29.000000000 -0500
35340@@ -918,6 +918,8 @@ static int __core_scsi3_check_aptpl_regi
35341 unsigned char t_port[PR_APTPL_MAX_TPORT_LEN];
35342 u16 tpgt;
35343
35344+ pax_track_stack();
35345+
35346 memset(i_port, 0, PR_APTPL_MAX_IPORT_LEN);
35347 memset(t_port, 0, PR_APTPL_MAX_TPORT_LEN);
35348 /*
35349@@ -1867,6 +1869,8 @@ static int __core_scsi3_update_aptpl_buf
35350 ssize_t len = 0;
35351 int reg_count = 0;
35352
35353+ pax_track_stack();
35354+
35355 memset(buf, 0, pr_aptpl_buf_len);
35356 /*
35357 * Called to clear metadata once APTPL has been deactivated.
35358@@ -1989,6 +1993,8 @@ static int __core_scsi3_write_aptpl_to_f
35359 char path[512];
35360 int ret;
35361
35362+ pax_track_stack();
35363+
35364 memset(iov, 0, sizeof(struct iovec));
35365 memset(path, 0, 512);
35366
35367diff -urNp linux-3.1.1/drivers/target/target_core_tmr.c linux-3.1.1/drivers/target/target_core_tmr.c
35368--- linux-3.1.1/drivers/target/target_core_tmr.c 2011-11-11 15:19:27.000000000 -0500
35369+++ linux-3.1.1/drivers/target/target_core_tmr.c 2011-11-16 18:39:08.000000000 -0500
35370@@ -255,7 +255,7 @@ static void core_tmr_drain_task_list(
35371 cmd->se_tfo->get_task_tag(cmd), cmd->pr_res_key,
35372 cmd->t_task_list_num,
35373 atomic_read(&cmd->t_task_cdbs_left),
35374- atomic_read(&cmd->t_task_cdbs_sent),
35375+ atomic_read_unchecked(&cmd->t_task_cdbs_sent),
35376 atomic_read(&cmd->t_transport_active),
35377 atomic_read(&cmd->t_transport_stop),
35378 atomic_read(&cmd->t_transport_sent));
35379@@ -291,7 +291,7 @@ static void core_tmr_drain_task_list(
35380 pr_debug("LUN_RESET: got t_transport_active = 1 for"
35381 " task: %p, t_fe_count: %d dev: %p\n", task,
35382 fe_count, dev);
35383- atomic_set(&cmd->t_transport_aborted, 1);
35384+ atomic_set_unchecked(&cmd->t_transport_aborted, 1);
35385 spin_unlock_irqrestore(&cmd->t_state_lock, flags);
35386
35387 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
35388@@ -299,7 +299,7 @@ static void core_tmr_drain_task_list(
35389 }
35390 pr_debug("LUN_RESET: Got t_transport_active = 0 for task: %p,"
35391 " t_fe_count: %d dev: %p\n", task, fe_count, dev);
35392- atomic_set(&cmd->t_transport_aborted, 1);
35393+ atomic_set_unchecked(&cmd->t_transport_aborted, 1);
35394 spin_unlock_irqrestore(&cmd->t_state_lock, flags);
35395
35396 core_tmr_handle_tas_abort(tmr_nacl, cmd, tas, fe_count);
35397diff -urNp linux-3.1.1/drivers/target/target_core_transport.c linux-3.1.1/drivers/target/target_core_transport.c
35398--- linux-3.1.1/drivers/target/target_core_transport.c 2011-11-11 15:19:27.000000000 -0500
35399+++ linux-3.1.1/drivers/target/target_core_transport.c 2011-11-16 18:39:08.000000000 -0500
35400@@ -1445,7 +1445,7 @@ struct se_device *transport_add_device_t
35401
35402 dev->queue_depth = dev_limits->queue_depth;
35403 atomic_set(&dev->depth_left, dev->queue_depth);
35404- atomic_set(&dev->dev_ordered_id, 0);
35405+ atomic_set_unchecked(&dev->dev_ordered_id, 0);
35406
35407 se_dev_set_default_attribs(dev, dev_limits);
35408
35409@@ -1633,7 +1633,7 @@ static int transport_check_alloc_task_at
35410 * Used to determine when ORDERED commands should go from
35411 * Dormant to Active status.
35412 */
35413- cmd->se_ordered_id = atomic_inc_return(&cmd->se_dev->dev_ordered_id);
35414+ cmd->se_ordered_id = atomic_inc_return_unchecked(&cmd->se_dev->dev_ordered_id);
35415 smp_mb__after_atomic_inc();
35416 pr_debug("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
35417 cmd->se_ordered_id, cmd->sam_task_attr,
35418@@ -1960,7 +1960,7 @@ static void transport_generic_request_fa
35419 " t_transport_active: %d t_transport_stop: %d"
35420 " t_transport_sent: %d\n", cmd->t_task_list_num,
35421 atomic_read(&cmd->t_task_cdbs_left),
35422- atomic_read(&cmd->t_task_cdbs_sent),
35423+ atomic_read_unchecked(&cmd->t_task_cdbs_sent),
35424 atomic_read(&cmd->t_task_cdbs_ex_left),
35425 atomic_read(&cmd->t_transport_active),
35426 atomic_read(&cmd->t_transport_stop),
35427@@ -2460,9 +2460,9 @@ check_depth:
35428 spin_lock_irqsave(&cmd->t_state_lock, flags);
35429 atomic_set(&task->task_active, 1);
35430 atomic_set(&task->task_sent, 1);
35431- atomic_inc(&cmd->t_task_cdbs_sent);
35432+ atomic_inc_unchecked(&cmd->t_task_cdbs_sent);
35433
35434- if (atomic_read(&cmd->t_task_cdbs_sent) ==
35435+ if (atomic_read_unchecked(&cmd->t_task_cdbs_sent) ==
35436 cmd->t_task_list_num)
35437 atomic_set(&cmd->transport_sent, 1);
35438
35439@@ -4665,7 +4665,7 @@ static void transport_generic_wait_for_t
35440 atomic_set(&cmd->transport_lun_stop, 0);
35441 }
35442 if (!atomic_read(&cmd->t_transport_active) ||
35443- atomic_read(&cmd->t_transport_aborted))
35444+ atomic_read_unchecked(&cmd->t_transport_aborted))
35445 goto remove;
35446
35447 atomic_set(&cmd->t_transport_stop, 1);
35448@@ -4900,7 +4900,7 @@ int transport_check_aborted_status(struc
35449 {
35450 int ret = 0;
35451
35452- if (atomic_read(&cmd->t_transport_aborted) != 0) {
35453+ if (atomic_read_unchecked(&cmd->t_transport_aborted) != 0) {
35454 if (!send_status ||
35455 (cmd->se_cmd_flags & SCF_SENT_DELAYED_TAS))
35456 return 1;
35457@@ -4937,7 +4937,7 @@ void transport_send_task_abort(struct se
35458 */
35459 if (cmd->data_direction == DMA_TO_DEVICE) {
35460 if (cmd->se_tfo->write_pending_status(cmd) != 0) {
35461- atomic_inc(&cmd->t_transport_aborted);
35462+ atomic_inc_unchecked(&cmd->t_transport_aborted);
35463 smp_mb__after_atomic_inc();
35464 cmd->scsi_status = SAM_STAT_TASK_ABORTED;
35465 transport_new_cmd_failure(cmd);
35466@@ -5051,7 +5051,7 @@ static void transport_processing_shutdow
35467 cmd->se_tfo->get_task_tag(cmd),
35468 cmd->t_task_list_num,
35469 atomic_read(&cmd->t_task_cdbs_left),
35470- atomic_read(&cmd->t_task_cdbs_sent),
35471+ atomic_read_unchecked(&cmd->t_task_cdbs_sent),
35472 atomic_read(&cmd->t_transport_active),
35473 atomic_read(&cmd->t_transport_stop),
35474 atomic_read(&cmd->t_transport_sent));
35475diff -urNp linux-3.1.1/drivers/telephony/ixj.c linux-3.1.1/drivers/telephony/ixj.c
35476--- linux-3.1.1/drivers/telephony/ixj.c 2011-11-11 15:19:27.000000000 -0500
35477+++ linux-3.1.1/drivers/telephony/ixj.c 2011-11-16 18:40:29.000000000 -0500
35478@@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
35479 bool mContinue;
35480 char *pIn, *pOut;
35481
35482+ pax_track_stack();
35483+
35484 if (!SCI_Prepare(j))
35485 return 0;
35486
35487diff -urNp linux-3.1.1/drivers/tty/hvc/hvcs.c linux-3.1.1/drivers/tty/hvc/hvcs.c
35488--- linux-3.1.1/drivers/tty/hvc/hvcs.c 2011-11-11 15:19:27.000000000 -0500
35489+++ linux-3.1.1/drivers/tty/hvc/hvcs.c 2011-11-16 18:39:08.000000000 -0500
35490@@ -83,6 +83,7 @@
35491 #include <asm/hvcserver.h>
35492 #include <asm/uaccess.h>
35493 #include <asm/vio.h>
35494+#include <asm/local.h>
35495
35496 /*
35497 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
35498@@ -270,7 +271,7 @@ struct hvcs_struct {
35499 unsigned int index;
35500
35501 struct tty_struct *tty;
35502- int open_count;
35503+ local_t open_count;
35504
35505 /*
35506 * Used to tell the driver kernel_thread what operations need to take
35507@@ -422,7 +423,7 @@ static ssize_t hvcs_vterm_state_store(st
35508
35509 spin_lock_irqsave(&hvcsd->lock, flags);
35510
35511- if (hvcsd->open_count > 0) {
35512+ if (local_read(&hvcsd->open_count) > 0) {
35513 spin_unlock_irqrestore(&hvcsd->lock, flags);
35514 printk(KERN_INFO "HVCS: vterm state unchanged. "
35515 "The hvcs device node is still in use.\n");
35516@@ -1145,7 +1146,7 @@ static int hvcs_open(struct tty_struct *
35517 if ((retval = hvcs_partner_connect(hvcsd)))
35518 goto error_release;
35519
35520- hvcsd->open_count = 1;
35521+ local_set(&hvcsd->open_count, 1);
35522 hvcsd->tty = tty;
35523 tty->driver_data = hvcsd;
35524
35525@@ -1179,7 +1180,7 @@ fast_open:
35526
35527 spin_lock_irqsave(&hvcsd->lock, flags);
35528 kref_get(&hvcsd->kref);
35529- hvcsd->open_count++;
35530+ local_inc(&hvcsd->open_count);
35531 hvcsd->todo_mask |= HVCS_SCHED_READ;
35532 spin_unlock_irqrestore(&hvcsd->lock, flags);
35533
35534@@ -1223,7 +1224,7 @@ static void hvcs_close(struct tty_struct
35535 hvcsd = tty->driver_data;
35536
35537 spin_lock_irqsave(&hvcsd->lock, flags);
35538- if (--hvcsd->open_count == 0) {
35539+ if (local_dec_and_test(&hvcsd->open_count)) {
35540
35541 vio_disable_interrupts(hvcsd->vdev);
35542
35543@@ -1249,10 +1250,10 @@ static void hvcs_close(struct tty_struct
35544 free_irq(irq, hvcsd);
35545 kref_put(&hvcsd->kref, destroy_hvcs_struct);
35546 return;
35547- } else if (hvcsd->open_count < 0) {
35548+ } else if (local_read(&hvcsd->open_count) < 0) {
35549 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
35550 " is missmanaged.\n",
35551- hvcsd->vdev->unit_address, hvcsd->open_count);
35552+ hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
35553 }
35554
35555 spin_unlock_irqrestore(&hvcsd->lock, flags);
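Review bot: The printk at the end of the hunk now passes `local_read(&hvcsd->open_count)`, which returns long (it wraps atomic_long_read), to a `%d` conversion; the argument it replaces was an int, so the format was correct before this change and mismatched after it. hvcs is a pSeries driver, where long is 64 bits, and gcc's -Wformat will flag the call. Change the format to match the new type: `printk(KERN_ERR "HVCS: vty-server@%X open_count: %ld"` with the rest of the call unchanged. hvcs_close continues past the end of the hunk.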
35556@@ -1268,7 +1269,7 @@ static void hvcs_hangup(struct tty_struc
35557
35558 spin_lock_irqsave(&hvcsd->lock, flags);
35559 /* Preserve this so that we know how many kref refs to put */
35560- temp_open_count = hvcsd->open_count;
35561+ temp_open_count = local_read(&hvcsd->open_count);
35562
35563 /*
35564 * Don't kref put inside the spinlock because the destruction
35565@@ -1283,7 +1284,7 @@ static void hvcs_hangup(struct tty_struc
35566 hvcsd->tty->driver_data = NULL;
35567 hvcsd->tty = NULL;
35568
35569- hvcsd->open_count = 0;
35570+ local_set(&hvcsd->open_count, 0);
35571
35572 /* This will drop any buffered data on the floor which is OK in a hangup
35573 * scenario. */
35574@@ -1354,7 +1355,7 @@ static int hvcs_write(struct tty_struct
35575 * the middle of a write operation? This is a crummy place to do this
35576 * but we want to keep it all in the spinlock.
35577 */
35578- if (hvcsd->open_count <= 0) {
35579+ if (local_read(&hvcsd->open_count) <= 0) {
35580 spin_unlock_irqrestore(&hvcsd->lock, flags);
35581 return -ENODEV;
35582 }
35583@@ -1428,7 +1429,7 @@ static int hvcs_write_room(struct tty_st
35584 {
35585 struct hvcs_struct *hvcsd = tty->driver_data;
35586
35587- if (!hvcsd || hvcsd->open_count <= 0)
35588+ if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
35589 return 0;
35590
35591 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
35592diff -urNp linux-3.1.1/drivers/tty/ipwireless/tty.c linux-3.1.1/drivers/tty/ipwireless/tty.c
35593--- linux-3.1.1/drivers/tty/ipwireless/tty.c 2011-11-11 15:19:27.000000000 -0500
35594+++ linux-3.1.1/drivers/tty/ipwireless/tty.c 2011-11-16 18:39:08.000000000 -0500
35595@@ -29,6 +29,7 @@
35596 #include <linux/tty_driver.h>
35597 #include <linux/tty_flip.h>
35598 #include <linux/uaccess.h>
35599+#include <asm/local.h>
35600
35601 #include "tty.h"
35602 #include "network.h"
35603@@ -51,7 +52,7 @@ struct ipw_tty {
35604 int tty_type;
35605 struct ipw_network *network;
35606 struct tty_struct *linux_tty;
35607- int open_count;
35608+ local_t open_count;
35609 unsigned int control_lines;
35610 struct mutex ipw_tty_mutex;
35611 int tx_bytes_queued;
35612@@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
35613 mutex_unlock(&tty->ipw_tty_mutex);
35614 return -ENODEV;
35615 }
35616- if (tty->open_count == 0)
35617+ if (local_read(&tty->open_count) == 0)
35618 tty->tx_bytes_queued = 0;
35619
35620- tty->open_count++;
35621+ local_inc(&tty->open_count);
35622
35623 tty->linux_tty = linux_tty;
35624 linux_tty->driver_data = tty;
35625@@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
35626
35627 static void do_ipw_close(struct ipw_tty *tty)
35628 {
35629- tty->open_count--;
35630-
35631- if (tty->open_count == 0) {
35632+ if (local_dec_return(&tty->open_count) == 0) {
35633 struct tty_struct *linux_tty = tty->linux_tty;
35634
35635 if (linux_tty != NULL) {
35636@@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
35637 return;
35638
35639 mutex_lock(&tty->ipw_tty_mutex);
35640- if (tty->open_count == 0) {
35641+ if (local_read(&tty->open_count) == 0) {
35642 mutex_unlock(&tty->ipw_tty_mutex);
35643 return;
35644 }
35645@@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
35646 return;
35647 }
35648
35649- if (!tty->open_count) {
35650+ if (!local_read(&tty->open_count)) {
35651 mutex_unlock(&tty->ipw_tty_mutex);
35652 return;
35653 }
35654@@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
35655 return -ENODEV;
35656
35657 mutex_lock(&tty->ipw_tty_mutex);
35658- if (!tty->open_count) {
35659+ if (!local_read(&tty->open_count)) {
35660 mutex_unlock(&tty->ipw_tty_mutex);
35661 return -EINVAL;
35662 }
35663@@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
35664 if (!tty)
35665 return -ENODEV;
35666
35667- if (!tty->open_count)
35668+ if (!local_read(&tty->open_count))
35669 return -EINVAL;
35670
35671 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
35672@@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
35673 if (!tty)
35674 return 0;
35675
35676- if (!tty->open_count)
35677+ if (!local_read(&tty->open_count))
35678 return 0;
35679
35680 return tty->tx_bytes_queued;
35681@@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
35682 if (!tty)
35683 return -ENODEV;
35684
35685- if (!tty->open_count)
35686+ if (!local_read(&tty->open_count))
35687 return -EINVAL;
35688
35689 return get_control_lines(tty);
35690@@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
35691 if (!tty)
35692 return -ENODEV;
35693
35694- if (!tty->open_count)
35695+ if (!local_read(&tty->open_count))
35696 return -EINVAL;
35697
35698 return set_control_lines(tty, set, clear);
35699@@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
35700 if (!tty)
35701 return -ENODEV;
35702
35703- if (!tty->open_count)
35704+ if (!local_read(&tty->open_count))
35705 return -EINVAL;
35706
35707 /* FIXME: Exactly how is the tty object locked here .. */
35708@@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
35709 against a parallel ioctl etc */
35710 mutex_lock(&ttyj->ipw_tty_mutex);
35711 }
35712- while (ttyj->open_count)
35713+ while (local_read(&ttyj->open_count))
35714 do_ipw_close(ttyj);
35715 ipwireless_disassociate_network_ttys(network,
35716 ttyj->channel_idx);
35717diff -urNp linux-3.1.1/drivers/tty/n_gsm.c linux-3.1.1/drivers/tty/n_gsm.c
35718--- linux-3.1.1/drivers/tty/n_gsm.c 2011-11-11 15:19:27.000000000 -0500
35719+++ linux-3.1.1/drivers/tty/n_gsm.c 2011-11-16 18:39:08.000000000 -0500
35720@@ -1625,7 +1625,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
35721 kref_init(&dlci->ref);
35722 mutex_init(&dlci->mutex);
35723 dlci->fifo = &dlci->_fifo;
35724- if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
35725+ if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
35726 kfree(dlci);
35727 return NULL;
35728 }
35729diff -urNp linux-3.1.1/drivers/tty/n_tty.c linux-3.1.1/drivers/tty/n_tty.c
35730--- linux-3.1.1/drivers/tty/n_tty.c 2011-11-11 15:19:27.000000000 -0500
35731+++ linux-3.1.1/drivers/tty/n_tty.c 2011-11-16 18:39:08.000000000 -0500
35732@@ -2123,6 +2123,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
35733 {
35734 *ops = tty_ldisc_N_TTY;
35735 ops->owner = NULL;
35736- ops->refcount = ops->flags = 0;
35737+ atomic_set(&ops->refcount, 0);
35738+ ops->flags = 0;
35739 }
35740 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
35741diff -urNp linux-3.1.1/drivers/tty/pty.c linux-3.1.1/drivers/tty/pty.c
35742--- linux-3.1.1/drivers/tty/pty.c 2011-11-11 15:19:27.000000000 -0500
35743+++ linux-3.1.1/drivers/tty/pty.c 2011-11-16 18:39:08.000000000 -0500
35744@@ -773,8 +773,10 @@ static void __init unix98_pty_init(void)
35745 register_sysctl_table(pty_root_table);
35746
35747 /* Now create the /dev/ptmx special device */
35748+ pax_open_kernel();
35749 tty_default_fops(&ptmx_fops);
35750- ptmx_fops.open = ptmx_open;
35751+ *(void **)&ptmx_fops.open = ptmx_open;
35752+ pax_close_kernel();
35753
35754 cdev_init(&ptmx_cdev, &ptmx_fops);
35755 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
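Review bot: The store `*(void **)&ptmx_fops.open = ptmx_open;` discards the member's function-pointer type, so a handler with the wrong prototype would now compile silently where the plain assignment it replaces was type-checked. The cast is presumably required because ptmx_fops is placed in read-only memory elsewhere in the patch (its declaration is outside the hunk), which is also why the pax_open_kernel()/pax_close_kernel() window surrounds both stores. If the cast has to stay, say why at the site: `/* ptmx_fops is read-only after init: both stores must sit inside the pax_open_kernel() window; the cast is what lets .open be written */`. Keep the window as tight as it is here, with nothing but the two stores inside it.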
35756diff -urNp linux-3.1.1/drivers/tty/rocket.c linux-3.1.1/drivers/tty/rocket.c
35757--- linux-3.1.1/drivers/tty/rocket.c 2011-11-11 15:19:27.000000000 -0500
35758+++ linux-3.1.1/drivers/tty/rocket.c 2011-11-16 18:40:29.000000000 -0500
35759@@ -1277,6 +1277,8 @@ static int get_ports(struct r_port *info
35760 struct rocket_ports tmp;
35761 int board;
35762
35763+ pax_track_stack();
35764+
35765 if (!retports)
35766 return -EFAULT;
35767 memset(&tmp, 0, sizeof (tmp));
35768diff -urNp linux-3.1.1/drivers/tty/serial/kgdboc.c linux-3.1.1/drivers/tty/serial/kgdboc.c
35769--- linux-3.1.1/drivers/tty/serial/kgdboc.c 2011-11-11 15:19:27.000000000 -0500
35770+++ linux-3.1.1/drivers/tty/serial/kgdboc.c 2011-11-16 18:39:08.000000000 -0500
35771@@ -23,8 +23,9 @@
35772 #define MAX_CONFIG_LEN 40
35773
35774 static struct kgdb_io kgdboc_io_ops;
35775+static struct kgdb_io kgdboc_io_ops_console;
35776
35777-/* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
35778+/* -1 = init not run yet, 0 = unconfigured, 1/2 = configured. */
35779 static int configured = -1;
35780
35781 static char config[MAX_CONFIG_LEN];
35782@@ -147,6 +148,8 @@ static void cleanup_kgdboc(void)
35783 kgdboc_unregister_kbd();
35784 if (configured == 1)
35785 kgdb_unregister_io_module(&kgdboc_io_ops);
35786+ else if (configured == 2)
35787+ kgdb_unregister_io_module(&kgdboc_io_ops_console);
35788 }
35789
35790 static int configure_kgdboc(void)
35791@@ -156,13 +159,13 @@ static int configure_kgdboc(void)
35792 int err;
35793 char *cptr = config;
35794 struct console *cons;
35795+ int is_console = 0;
35796
35797 err = kgdboc_option_setup(config);
35798 if (err || !strlen(config) || isspace(config[0]))
35799 goto noconfig;
35800
35801 err = -ENODEV;
35802- kgdboc_io_ops.is_console = 0;
35803 kgdb_tty_driver = NULL;
35804
35805 kgdboc_use_kms = 0;
35806@@ -183,7 +186,7 @@ static int configure_kgdboc(void)
35807 int idx;
35808 if (cons->device && cons->device(cons, &idx) == p &&
35809 idx == tty_line) {
35810- kgdboc_io_ops.is_console = 1;
35811+ is_console = 1;
35812 break;
35813 }
35814 cons = cons->next;
35815@@ -193,12 +196,16 @@ static int configure_kgdboc(void)
35816 kgdb_tty_line = tty_line;
35817
35818 do_register:
35819- err = kgdb_register_io_module(&kgdboc_io_ops);
35820+ if (is_console) {
35821+ err = kgdb_register_io_module(&kgdboc_io_ops_console);
35822+ configured = 2;
35823+ } else {
35824+ err = kgdb_register_io_module(&kgdboc_io_ops);
35825+ configured = 1;
35826+ }
35827 if (err)
35828 goto noconfig;
35829
35830- configured = 1;
35831-
35832 return 0;
35833
35834 noconfig:
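Review bot: `configured` is now assigned 1 or 2 before the result of kgdb_register_io_module() is examined, so on failure the function jumps to noconfig with configured claiming that an io module is registered; that is harmless only if the noconfig label, which is outside the hunk, resets configured to 0 as it does upstream, and cleanup_kgdboc() would otherwise unregister a module that was never registered. Keeping the invariant inside the function is cheaper than depending on the label: `err = kgdb_register_io_module(is_console ? &kgdboc_io_ops_console : &kgdboc_io_ops);` `if (err) goto noconfig;` `configured = is_console ? 2 : 1;`. configure_kgdboc continues past the end of the hunk.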
35835@@ -212,7 +219,7 @@ noconfig:
35836 static int __init init_kgdboc(void)
35837 {
35838 /* Already configured? */
35839- if (configured == 1)
35840+ if (configured >= 1)
35841 return 0;
35842
35843 return configure_kgdboc();
35844@@ -261,7 +268,7 @@ static int param_set_kgdboc_var(const ch
35845 if (config[len - 1] == '\n')
35846 config[len - 1] = '\0';
35847
35848- if (configured == 1)
35849+ if (configured >= 1)
35850 cleanup_kgdboc();
35851
35852 /* Go and configure with the new params. */
35853@@ -301,6 +308,15 @@ static struct kgdb_io kgdboc_io_ops = {
35854 .post_exception = kgdboc_post_exp_handler,
35855 };
35856
35857+static struct kgdb_io kgdboc_io_ops_console = {
35858+ .name = "kgdboc",
35859+ .read_char = kgdboc_get_char,
35860+ .write_char = kgdboc_put_char,
35861+ .pre_exception = kgdboc_pre_exp_handler,
35862+ .post_exception = kgdboc_post_exp_handler,
35863+ .is_console = 1
35864+};
35865+
35866 #ifdef CONFIG_KGDB_SERIAL_CONSOLE
35867 /* This is only available if kgdboc is a built in for early debugging */
35868 static int __init kgdboc_early_init(char *opt)
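Review bot: kgdboc_io_ops_console repeats every member of kgdboc_io_ops and differs only in `.is_console = 1`, so any callback later added to one of them (an `.init` hook, say) has to be added to the other by hand, or the console and non-console paths diverge silently. Presumably two objects are needed because struct kgdb_io is made read-only elsewhere in the patch and is_console can no longer be flipped at runtime, which is a good reason for two objects but not for two copies of the member list. Sharing the common members through one initializer macro keeps them in lockstep; the definition of kgdboc_io_ops begins outside this hunk.
```c
/* members shared by the console and non-console variants; keep them in one place */
#define KGDBOC_IO_OPS_COMMON \
	.name		= "kgdboc", \
	.read_char	= kgdboc_get_char, \
	.write_char	= kgdboc_put_char, \
	.pre_exception	= kgdboc_pre_exp_handler, \
	.post_exception	= kgdboc_post_exp_handler

static struct kgdb_io kgdboc_io_ops = {
	KGDBOC_IO_OPS_COMMON,
};

static struct kgdb_io kgdboc_io_ops_console = {
	KGDBOC_IO_OPS_COMMON,
	.is_console	= 1,
};
```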
35869diff -urNp linux-3.1.1/drivers/tty/serial/mfd.c linux-3.1.1/drivers/tty/serial/mfd.c
35870--- linux-3.1.1/drivers/tty/serial/mfd.c 2011-11-11 15:19:27.000000000 -0500
35871+++ linux-3.1.1/drivers/tty/serial/mfd.c 2011-11-16 18:39:08.000000000 -0500
35872@@ -1423,7 +1423,7 @@ static void serial_hsu_remove(struct pci
35873 }
35874
35875 /* First 3 are UART ports, and the 4th is the DMA */
35876-static const struct pci_device_id pci_ids[] __devinitdata = {
35877+static const struct pci_device_id pci_ids[] __devinitconst = {
35878 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081B) },
35879 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081C) },
35880 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x081D) },
35881diff -urNp linux-3.1.1/drivers/tty/serial/mrst_max3110.c linux-3.1.1/drivers/tty/serial/mrst_max3110.c
35882--- linux-3.1.1/drivers/tty/serial/mrst_max3110.c 2011-11-11 15:19:27.000000000 -0500
35883+++ linux-3.1.1/drivers/tty/serial/mrst_max3110.c 2011-11-16 18:40:29.000000000 -0500
35884@@ -393,6 +393,8 @@ static void max3110_con_receive(struct u
35885 int loop = 1, num, total = 0;
35886 u8 recv_buf[512], *pbuf;
35887
35888+ pax_track_stack();
35889+
35890 pbuf = recv_buf;
35891 do {
35892 num = max3110_read_multi(max, pbuf);
35893diff -urNp linux-3.1.1/drivers/tty/tty_io.c linux-3.1.1/drivers/tty/tty_io.c
35894--- linux-3.1.1/drivers/tty/tty_io.c 2011-11-11 15:19:27.000000000 -0500
35895+++ linux-3.1.1/drivers/tty/tty_io.c 2011-11-16 18:39:08.000000000 -0500
35896@@ -3238,7 +3238,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
35897
35898 void tty_default_fops(struct file_operations *fops)
35899 {
35900- *fops = tty_fops;
35901+ memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
35902 }
35903
35904 /*
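Review bot: tty_default_fops() now copies through a `(void *)` cast, which hides from the reader that the destination may be a file_operations object the caller keeps in read-only memory; pty.c in this same patch has to wrap its call in pax_open_kernel()/pax_close_kernel() for exactly that reason. That requirement belongs on the function, since future callers will not look at pty.c: add above it `/* Callers whose fops object is read-only after init must call this inside a pax_open_kernel() window. */`. As a point of style, `sizeof(*fops)` ties the copied length to the object being written rather than to the source.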
35905diff -urNp linux-3.1.1/drivers/tty/tty_ldisc.c linux-3.1.1/drivers/tty/tty_ldisc.c
35906--- linux-3.1.1/drivers/tty/tty_ldisc.c 2011-11-11 15:19:27.000000000 -0500
35907+++ linux-3.1.1/drivers/tty/tty_ldisc.c 2011-11-16 18:39:08.000000000 -0500
35908@@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
35909 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
35910 struct tty_ldisc_ops *ldo = ld->ops;
35911
35912- ldo->refcount--;
35913+ atomic_dec(&ldo->refcount);
35914 module_put(ldo->owner);
35915 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35916
35917@@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
35918 spin_lock_irqsave(&tty_ldisc_lock, flags);
35919 tty_ldiscs[disc] = new_ldisc;
35920 new_ldisc->num = disc;
35921- new_ldisc->refcount = 0;
35922+ atomic_set(&new_ldisc->refcount, 0);
35923 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35924
35925 return ret;
35926@@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
35927 return -EINVAL;
35928
35929 spin_lock_irqsave(&tty_ldisc_lock, flags);
35930- if (tty_ldiscs[disc]->refcount)
35931+ if (atomic_read(&tty_ldiscs[disc]->refcount))
35932 ret = -EBUSY;
35933 else
35934 tty_ldiscs[disc] = NULL;
35935@@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
35936 if (ldops) {
35937 ret = ERR_PTR(-EAGAIN);
35938 if (try_module_get(ldops->owner)) {
35939- ldops->refcount++;
35940+ atomic_inc(&ldops->refcount);
35941 ret = ldops;
35942 }
35943 }
35944@@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
35945 unsigned long flags;
35946
35947 spin_lock_irqsave(&tty_ldisc_lock, flags);
35948- ldops->refcount--;
35949+ atomic_dec(&ldops->refcount);
35950 module_put(ldops->owner);
35951 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
35952 }
35953diff -urNp linux-3.1.1/drivers/tty/vt/keyboard.c linux-3.1.1/drivers/tty/vt/keyboard.c
35954--- linux-3.1.1/drivers/tty/vt/keyboard.c 2011-11-11 15:19:27.000000000 -0500
35955+++ linux-3.1.1/drivers/tty/vt/keyboard.c 2011-11-16 18:40:29.000000000 -0500
35956@@ -656,6 +656,16 @@ static void k_spec(struct vc_data *vc, u
35957 kbd->kbdmode == VC_OFF) &&
35958 value != KVAL(K_SAK))
35959 return; /* SAK is allowed even in raw mode */
35960+
35961+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
35962+ {
35963+ void *func = fn_handler[value];
35964+ if (func == fn_show_state || func == fn_show_ptregs ||
35965+ func == fn_show_mem)
35966+ return;
35967+ }
35968+#endif
35969+
35970 fn_handler[value](vc);
35971 }
35972
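Review bot: The added block returns silently for fn_show_state, fn_show_ptregs and fn_show_mem without saying why, and the guard is compile-time (`#if defined(CONFIG_GRKERNSEC_PROC) ...`) where other grsecurity restrictions are toggled at runtime, so a reader cannot tell whether the lack of a sysctl check is deliberate. Assuming the handlers do what their names suggest, a short comment would carry the rationale: `/* these handlers dump task, register and memory state to the console; a user at the keyboard must not get what GRKERNSEC_PROC hides from /proc */`. If the restriction is meant to follow a runtime flag, the test should include it. `value` is presumably range-checked against fn_handler before this point; that check is outside the hunk.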
35973diff -urNp linux-3.1.1/drivers/tty/vt/vt.c linux-3.1.1/drivers/tty/vt/vt.c
35974--- linux-3.1.1/drivers/tty/vt/vt.c 2011-11-11 15:19:27.000000000 -0500
35975+++ linux-3.1.1/drivers/tty/vt/vt.c 2011-11-16 18:39:08.000000000 -0500
35976@@ -259,7 +259,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
35977
35978 static void notify_write(struct vc_data *vc, unsigned int unicode)
35979 {
35980- struct vt_notifier_param param = { .vc = vc, unicode = unicode };
35981+ struct vt_notifier_param param = { .vc = vc, .c = unicode };
35982 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
35983 }
35984
35985diff -urNp linux-3.1.1/drivers/tty/vt/vt_ioctl.c linux-3.1.1/drivers/tty/vt/vt_ioctl.c
35986--- linux-3.1.1/drivers/tty/vt/vt_ioctl.c 2011-11-11 15:19:27.000000000 -0500
35987+++ linux-3.1.1/drivers/tty/vt/vt_ioctl.c 2011-11-16 18:40:29.000000000 -0500
35988@@ -207,9 +207,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
35989 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
35990 return -EFAULT;
35991
35992- if (!capable(CAP_SYS_TTY_CONFIG))
35993- perm = 0;
35994-
35995 switch (cmd) {
35996 case KDGKBENT:
35997 key_map = key_maps[s];
35998@@ -221,6 +218,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
35999 val = (i ? K_HOLE : K_NOSUCHMAP);
36000 return put_user(val, &user_kbe->kb_value);
36001 case KDSKBENT:
36002+ if (!capable(CAP_SYS_TTY_CONFIG))
36003+ perm = 0;
36004+
36005 if (!perm)
36006 return -EPERM;
36007 if (!i && v == K_NOSUCHMAP) {
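Review bot: Moving the `capable(CAP_SYS_TTY_CONFIG)` test into the KDSKBENT case means the KDGKBENT read path no longer calls capable() at all; as far as the visible lines show the permission outcome is unchanged, since only the set path tests `perm`, but a read now raises neither a capability check nor the audit event that goes with it. Presumably that is the point, because a failed capable() on a mere lookup would log a spurious denial, yet a security patch that relocates a capability check should state it: `/* only KDSKBENT needs CAP_SYS_TTY_CONFIG; testing it on the read path only produced spurious capability denials */`. The same relocation is made in do_kdgkb_ioctl below. The switch continues outside the hunk.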
36008@@ -322,9 +322,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
36009 int i, j, k;
36010 int ret;
36011
36012- if (!capable(CAP_SYS_TTY_CONFIG))
36013- perm = 0;
36014-
36015 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
36016 if (!kbs) {
36017 ret = -ENOMEM;
36018@@ -358,6 +355,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
36019 kfree(kbs);
36020 return ((p && *p) ? -EOVERFLOW : 0);
36021 case KDSKBSENT:
36022+ if (!capable(CAP_SYS_TTY_CONFIG))
36023+ perm = 0;
36024+
36025 if (!perm) {
36026 ret = -EPERM;
36027 goto reterr;
36028diff -urNp linux-3.1.1/drivers/uio/uio.c linux-3.1.1/drivers/uio/uio.c
36029--- linux-3.1.1/drivers/uio/uio.c 2011-11-11 15:19:27.000000000 -0500
36030+++ linux-3.1.1/drivers/uio/uio.c 2011-11-16 18:39:08.000000000 -0500
36031@@ -25,6 +25,7 @@
36032 #include <linux/kobject.h>
36033 #include <linux/cdev.h>
36034 #include <linux/uio_driver.h>
36035+#include <asm/local.h>
36036
36037 #define UIO_MAX_DEVICES (1U << MINORBITS)
36038
36039@@ -32,10 +33,10 @@ struct uio_device {
36040 struct module *owner;
36041 struct device *dev;
36042 int minor;
36043- atomic_t event;
36044+ atomic_unchecked_t event;
36045 struct fasync_struct *async_queue;
36046 wait_queue_head_t wait;
36047- int vma_count;
36048+ local_t vma_count;
36049 struct uio_info *info;
36050 struct kobject *map_dir;
36051 struct kobject *portio_dir;
36052@@ -242,7 +243,7 @@ static ssize_t show_event(struct device
36053 struct device_attribute *attr, char *buf)
36054 {
36055 struct uio_device *idev = dev_get_drvdata(dev);
36056- return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
36057+ return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
36058 }
36059
36060 static struct device_attribute uio_class_attributes[] = {
36061@@ -408,7 +409,7 @@ void uio_event_notify(struct uio_info *i
36062 {
36063 struct uio_device *idev = info->uio_dev;
36064
36065- atomic_inc(&idev->event);
36066+ atomic_inc_unchecked(&idev->event);
36067 wake_up_interruptible(&idev->wait);
36068 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
36069 }
36070@@ -461,7 +462,7 @@ static int uio_open(struct inode *inode,
36071 }
36072
36073 listener->dev = idev;
36074- listener->event_count = atomic_read(&idev->event);
36075+ listener->event_count = atomic_read_unchecked(&idev->event);
36076 filep->private_data = listener;
36077
36078 if (idev->info->open) {
36079@@ -512,7 +513,7 @@ static unsigned int uio_poll(struct file
36080 return -EIO;
36081
36082 poll_wait(filep, &idev->wait, wait);
36083- if (listener->event_count != atomic_read(&idev->event))
36084+ if (listener->event_count != atomic_read_unchecked(&idev->event))
36085 return POLLIN | POLLRDNORM;
36086 return 0;
36087 }
36088@@ -537,7 +538,7 @@ static ssize_t uio_read(struct file *fil
36089 do {
36090 set_current_state(TASK_INTERRUPTIBLE);
36091
36092- event_count = atomic_read(&idev->event);
36093+ event_count = atomic_read_unchecked(&idev->event);
36094 if (event_count != listener->event_count) {
36095 if (copy_to_user(buf, &event_count, count))
36096 retval = -EFAULT;
36097@@ -606,13 +607,13 @@ static int uio_find_mem_index(struct vm_
36098 static void uio_vma_open(struct vm_area_struct *vma)
36099 {
36100 struct uio_device *idev = vma->vm_private_data;
36101- idev->vma_count++;
36102+ local_inc(&idev->vma_count);
36103 }
36104
36105 static void uio_vma_close(struct vm_area_struct *vma)
36106 {
36107 struct uio_device *idev = vma->vm_private_data;
36108- idev->vma_count--;
36109+ local_dec(&idev->vma_count);
36110 }
36111
36112 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
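Review bot: local_t does not make vma_count safe here: uio_vma_open()/uio_vma_close() run in the context of whichever process maps or unmaps the device, on any CPU, with no lock visible around the counter, and local_* operations are only atomic with respect to the local CPU (no LOCK prefix on x86). The original `int` increment was racy for the same reason, so the hunk neither fixes nor worsens that, but the new type reads as if it did. If vma_count is ever consumed (nothing in the hunk reads it), make it `atomic_t` and use atomic_inc()/atomic_dec(); otherwise a comment that it is a best-effort statistic would avoid the false sense of safety.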
36113@@ -823,7 +824,7 @@ int __uio_register_device(struct module
36114 idev->owner = owner;
36115 idev->info = info;
36116 init_waitqueue_head(&idev->wait);
36117- atomic_set(&idev->event, 0);
36118+ atomic_set_unchecked(&idev->event, 0);
36119
36120 ret = uio_get_minor(idev);
36121 if (ret)
36122diff -urNp linux-3.1.1/drivers/usb/atm/cxacru.c linux-3.1.1/drivers/usb/atm/cxacru.c
36123--- linux-3.1.1/drivers/usb/atm/cxacru.c 2011-11-11 15:19:27.000000000 -0500
36124+++ linux-3.1.1/drivers/usb/atm/cxacru.c 2011-11-16 18:39:08.000000000 -0500
36125@@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
36126 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
36127 if (ret < 2)
36128 return -EINVAL;
36129- if (index < 0 || index > 0x7f)
36130+ if (index > 0x7f)
36131 return -EINVAL;
36132 pos += tmp;
36133
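Review bot: Dropping `index < 0` is only dead-code removal if `index` has an unsigned type, and its declaration is outside the hunk. With `%x`, sscanf stores a value with the top bit set without complaint; for a signed int that is negative, would now pass the remaining `index > 0x7f` test, and would reach whatever uses index as an offset further down. Confirm the declaration (if it is u32 the hunk is fine), or write the check so it is right for either type: `if ((unsigned int)index > 0x7f)`.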
36134diff -urNp linux-3.1.1/drivers/usb/atm/usbatm.c linux-3.1.1/drivers/usb/atm/usbatm.c
36135--- linux-3.1.1/drivers/usb/atm/usbatm.c 2011-11-11 15:19:27.000000000 -0500
36136+++ linux-3.1.1/drivers/usb/atm/usbatm.c 2011-11-16 18:39:08.000000000 -0500
36137@@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
36138 if (printk_ratelimit())
36139 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
36140 __func__, vpi, vci);
36141- atomic_inc(&vcc->stats->rx_err);
36142+ atomic_inc_unchecked(&vcc->stats->rx_err);
36143 return;
36144 }
36145
36146@@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
36147 if (length > ATM_MAX_AAL5_PDU) {
36148 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
36149 __func__, length, vcc);
36150- atomic_inc(&vcc->stats->rx_err);
36151+ atomic_inc_unchecked(&vcc->stats->rx_err);
36152 goto out;
36153 }
36154
36155@@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
36156 if (sarb->len < pdu_length) {
36157 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
36158 __func__, pdu_length, sarb->len, vcc);
36159- atomic_inc(&vcc->stats->rx_err);
36160+ atomic_inc_unchecked(&vcc->stats->rx_err);
36161 goto out;
36162 }
36163
36164 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
36165 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
36166 __func__, vcc);
36167- atomic_inc(&vcc->stats->rx_err);
36168+ atomic_inc_unchecked(&vcc->stats->rx_err);
36169 goto out;
36170 }
36171
36172@@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
36173 if (printk_ratelimit())
36174 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
36175 __func__, length);
36176- atomic_inc(&vcc->stats->rx_drop);
36177+ atomic_inc_unchecked(&vcc->stats->rx_drop);
36178 goto out;
36179 }
36180
36181@@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
36182
36183 vcc->push(vcc, skb);
36184
36185- atomic_inc(&vcc->stats->rx);
36186+ atomic_inc_unchecked(&vcc->stats->rx);
36187 out:
36188 skb_trim(sarb, 0);
36189 }
36190@@ -615,7 +615,7 @@ static void usbatm_tx_process(unsigned l
36191 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
36192
36193 usbatm_pop(vcc, skb);
36194- atomic_inc(&vcc->stats->tx);
36195+ atomic_inc_unchecked(&vcc->stats->tx);
36196
36197 skb = skb_dequeue(&instance->sndqueue);
36198 }
36199@@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
36200 if (!left--)
36201 return sprintf(page,
36202 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
36203- atomic_read(&atm_dev->stats.aal5.tx),
36204- atomic_read(&atm_dev->stats.aal5.tx_err),
36205- atomic_read(&atm_dev->stats.aal5.rx),
36206- atomic_read(&atm_dev->stats.aal5.rx_err),
36207- atomic_read(&atm_dev->stats.aal5.rx_drop));
36208+ atomic_read_unchecked(&atm_dev->stats.aal5.tx),
36209+ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
36210+ atomic_read_unchecked(&atm_dev->stats.aal5.rx),
36211+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
36212+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
36213
36214 if (!left--) {
36215 if (instance->disconnected)
36216diff -urNp linux-3.1.1/drivers/usb/core/devices.c linux-3.1.1/drivers/usb/core/devices.c
36217--- linux-3.1.1/drivers/usb/core/devices.c 2011-11-11 15:19:27.000000000 -0500
36218+++ linux-3.1.1/drivers/usb/core/devices.c 2011-11-16 18:39:08.000000000 -0500
36219@@ -126,7 +126,7 @@ static const char format_endpt[] =
36220 * time it gets called.
36221 */
36222 static struct device_connect_event {
36223- atomic_t count;
36224+ atomic_unchecked_t count;
36225 wait_queue_head_t wait;
36226 } device_event = {
36227 .count = ATOMIC_INIT(1),
36228@@ -164,7 +164,7 @@ static const struct class_info clas_info
36229
36230 void usbfs_conn_disc_event(void)
36231 {
36232- atomic_add(2, &device_event.count);
36233+ atomic_add_unchecked(2, &device_event.count);
36234 wake_up(&device_event.wait);
36235 }
36236
36237@@ -648,7 +648,7 @@ static unsigned int usb_device_poll(stru
36238
36239 poll_wait(file, &device_event.wait, wait);
36240
36241- event_count = atomic_read(&device_event.count);
36242+ event_count = atomic_read_unchecked(&device_event.count);
36243 if (file->f_version != event_count) {
36244 file->f_version = event_count;
36245 return POLLIN | POLLRDNORM;
36246diff -urNp linux-3.1.1/drivers/usb/core/message.c linux-3.1.1/drivers/usb/core/message.c
36247--- linux-3.1.1/drivers/usb/core/message.c 2011-11-11 15:19:27.000000000 -0500
36248+++ linux-3.1.1/drivers/usb/core/message.c 2011-11-16 18:39:08.000000000 -0500
36249@@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
36250 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
36251 if (buf) {
36252 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
36253- if (len > 0) {
36254- smallbuf = kmalloc(++len, GFP_NOIO);
36255+ if (len++ > 0) {
36256+ smallbuf = kmalloc(len, GFP_NOIO);
36257 if (!smallbuf)
36258 return buf;
36259 memcpy(smallbuf, buf, len);
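Review bot: `if (len++ > 0)` puts the increment inside the condition, so the reader has to work out that len is bumped even on the error path (where it then goes unused) and that the kmalloc() and memcpy() below depend on the post-increment value. The behaviour is the same as the `kmalloc(++len, ...)` it replaces, and the rewrite presumably exists to keep the size argument free of side effects for a size-checking plugin, but the same result reads more plainly as: `if (len > 0) {` `len++;	/* room for the terminating NUL */` `smallbuf = kmalloc(len, GFP_NOIO);`. usb_cache_string continues outside the hunk.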
36260diff -urNp linux-3.1.1/drivers/usb/early/ehci-dbgp.c linux-3.1.1/drivers/usb/early/ehci-dbgp.c
36261--- linux-3.1.1/drivers/usb/early/ehci-dbgp.c 2011-11-11 15:19:27.000000000 -0500
36262+++ linux-3.1.1/drivers/usb/early/ehci-dbgp.c 2011-11-16 18:39:08.000000000 -0500
36263@@ -97,7 +97,8 @@ static inline u32 dbgp_len_update(u32 x,
36264
36265 #ifdef CONFIG_KGDB
36266 static struct kgdb_io kgdbdbgp_io_ops;
36267-#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
36268+static struct kgdb_io kgdbdbgp_io_ops_console;
36269+#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops || dbg_io_ops == &kgdbdbgp_io_ops_console)
36270 #else
36271 #define dbgp_kgdb_mode (0)
36272 #endif
36273@@ -1035,6 +1036,13 @@ static struct kgdb_io kgdbdbgp_io_ops =
36274 .write_char = kgdbdbgp_write_char,
36275 };
36276
36277+static struct kgdb_io kgdbdbgp_io_ops_console = {
36278+ .name = "kgdbdbgp",
36279+ .read_char = kgdbdbgp_read_char,
36280+ .write_char = kgdbdbgp_write_char,
36281+ .is_console = 1
36282+};
36283+
36284 static int kgdbdbgp_wait_time;
36285
36286 static int __init kgdbdbgp_parse_config(char *str)
36287@@ -1050,8 +1058,10 @@ static int __init kgdbdbgp_parse_config(
36288 ptr++;
36289 kgdbdbgp_wait_time = simple_strtoul(ptr, &ptr, 10);
36290 }
36291- kgdb_register_io_module(&kgdbdbgp_io_ops);
36292- kgdbdbgp_io_ops.is_console = early_dbgp_console.index != -1;
36293+ if (early_dbgp_console.index != -1)
36294+ kgdb_register_io_module(&kgdbdbgp_io_ops_console);
36295+ else
36296+ kgdb_register_io_module(&kgdbdbgp_io_ops);
36297
36298 return 0;
36299 }
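Review bot: Both new branches discard the int returned by kgdb_register_io_module(), so a failed registration is silent and `dbgp_kgdb_mode` simply never becomes true. The original line ignored it as well, so this is pre-existing, but since the call is being rewritten anyway it is the moment to keep the result: `err = kgdb_register_io_module(early_dbgp_console.index != -1 ? &kgdbdbgp_io_ops_console : &kgdbdbgp_io_ops);` followed by `if (err) pr_warn("kgdbdbgp: registration failed (%d)\n", err);` before the return. The `err` local would need declaring at the top of kgdbdbgp_parse_config, which is outside the hunk.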
36300diff -urNp linux-3.1.1/drivers/usb/host/xhci-mem.c linux-3.1.1/drivers/usb/host/xhci-mem.c
36301--- linux-3.1.1/drivers/usb/host/xhci-mem.c 2011-11-11 15:19:27.000000000 -0500
36302+++ linux-3.1.1/drivers/usb/host/xhci-mem.c 2011-11-16 18:40:29.000000000 -0500
36303@@ -1690,6 +1690,8 @@ static int xhci_check_trb_in_td_math(str
36304 unsigned int num_tests;
36305 int i, ret;
36306
36307+ pax_track_stack();
36308+
36309 num_tests = ARRAY_SIZE(simple_test_vector);
36310 for (i = 0; i < num_tests; i++) {
36311 ret = xhci_test_trb_in_td(xhci,
36312diff -urNp linux-3.1.1/drivers/usb/wusbcore/wa-hc.h linux-3.1.1/drivers/usb/wusbcore/wa-hc.h
36313--- linux-3.1.1/drivers/usb/wusbcore/wa-hc.h 2011-11-11 15:19:27.000000000 -0500
36314+++ linux-3.1.1/drivers/usb/wusbcore/wa-hc.h 2011-11-16 18:39:08.000000000 -0500
36315@@ -192,7 +192,7 @@ struct wahc {
36316 struct list_head xfer_delayed_list;
36317 spinlock_t xfer_list_lock;
36318 struct work_struct xfer_work;
36319- atomic_t xfer_id_count;
36320+ atomic_unchecked_t xfer_id_count;
36321 };
36322
36323
36324@@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
36325 INIT_LIST_HEAD(&wa->xfer_delayed_list);
36326 spin_lock_init(&wa->xfer_list_lock);
36327 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
36328- atomic_set(&wa->xfer_id_count, 1);
36329+ atomic_set_unchecked(&wa->xfer_id_count, 1);
36330 }
36331
36332 /**
36333diff -urNp linux-3.1.1/drivers/usb/wusbcore/wa-xfer.c linux-3.1.1/drivers/usb/wusbcore/wa-xfer.c
36334--- linux-3.1.1/drivers/usb/wusbcore/wa-xfer.c 2011-11-11 15:19:27.000000000 -0500
36335+++ linux-3.1.1/drivers/usb/wusbcore/wa-xfer.c 2011-11-16 18:39:08.000000000 -0500
36336@@ -295,7 +295,7 @@ out:
36337 */
36338 static void wa_xfer_id_init(struct wa_xfer *xfer)
36339 {
36340- xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
36341+ xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
36342 }
36343
36344 /*
36345diff -urNp linux-3.1.1/drivers/vhost/vhost.c linux-3.1.1/drivers/vhost/vhost.c
36346--- linux-3.1.1/drivers/vhost/vhost.c 2011-11-11 15:19:27.000000000 -0500
36347+++ linux-3.1.1/drivers/vhost/vhost.c 2011-11-16 18:39:08.000000000 -0500
36348@@ -629,7 +629,7 @@ static long vhost_set_memory(struct vhos
36349 return 0;
36350 }
36351
36352-static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
36353+static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
36354 {
36355 struct file *eventfp, *filep = NULL,
36356 *pollstart = NULL, *pollstop = NULL;
36357diff -urNp linux-3.1.1/drivers/video/aty/aty128fb.c linux-3.1.1/drivers/video/aty/aty128fb.c
36358--- linux-3.1.1/drivers/video/aty/aty128fb.c 2011-11-11 15:19:27.000000000 -0500
36359+++ linux-3.1.1/drivers/video/aty/aty128fb.c 2011-11-16 18:39:08.000000000 -0500
36360@@ -148,7 +148,7 @@ enum {
36361 };
36362
36363 /* Must match above enum */
36364-static const char *r128_family[] __devinitdata = {
36365+static const char *r128_family[] __devinitconst = {
36366 "AGP",
36367 "PCI",
36368 "PRO AGP",
36369diff -urNp linux-3.1.1/drivers/video/fbcmap.c linux-3.1.1/drivers/video/fbcmap.c
36370--- linux-3.1.1/drivers/video/fbcmap.c 2011-11-11 15:19:27.000000000 -0500
36371+++ linux-3.1.1/drivers/video/fbcmap.c 2011-11-16 18:39:08.000000000 -0500
36372@@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
36373 rc = -ENODEV;
36374 goto out;
36375 }
36376- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
36377- !info->fbops->fb_setcmap)) {
36378+ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
36379 rc = -EINVAL;
36380 goto out1;
36381 }
36382diff -urNp linux-3.1.1/drivers/video/fbmem.c linux-3.1.1/drivers/video/fbmem.c
36383--- linux-3.1.1/drivers/video/fbmem.c 2011-11-11 15:19:27.000000000 -0500
36384+++ linux-3.1.1/drivers/video/fbmem.c 2011-11-16 18:40:29.000000000 -0500
36385@@ -428,7 +428,7 @@ static void fb_do_show_logo(struct fb_in
36386 image->dx += image->width + 8;
36387 }
36388 } else if (rotate == FB_ROTATE_UD) {
36389- for (x = 0; x < num && image->dx >= 0; x++) {
36390+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
36391 info->fbops->fb_imageblit(info, image);
36392 image->dx -= image->width + 8;
36393 }
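Review bot: The `(__s32)` cast on `image->dx` (and on `image->dy` in the following hunk at `@@ -440,7 +440,7 @@`) changes the loop's termination condition and deserves a comment, because the intent is not visible from the line itself: the field is presumably unsigned, `image->dx -= image->width + 8` wraps past zero, and the cast reinterprets the wrapped value as negative so the loop stops. Without that comment a later cleanup could drop the cast and make `>= 0` always true again, so the loop would keep blitting at wrapped offsets until `x < num` fails. Suggested: `/* dx is unsigned: the decrement below wraps, compare as signed to stop after the last logo */`. fb_do_show_logo starts and ends outside both hunks.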
36394@@ -440,7 +440,7 @@ static void fb_do_show_logo(struct fb_in
36395 image->dy += image->height + 8;
36396 }
36397 } else if (rotate == FB_ROTATE_CCW) {
36398- for (x = 0; x < num && image->dy >= 0; x++) {
36399+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
36400 info->fbops->fb_imageblit(info, image);
36401 image->dy -= image->height + 8;
36402 }
36403@@ -939,6 +939,8 @@ fb_set_var(struct fb_info *info, struct
36404 int flags = info->flags;
36405 int ret = 0;
36406
36407+ pax_track_stack();
36408+
36409 if (var->activate & FB_ACTIVATE_INV_MODE) {
36410 struct fb_videomode mode1, mode2;
36411
36412@@ -1064,6 +1066,8 @@ static long do_fb_ioctl(struct fb_info *
36413 void __user *argp = (void __user *)arg;
36414 long ret = 0;
36415
36416+ pax_track_stack();
36417+
36418 switch (cmd) {
36419 case FBIOGET_VSCREENINFO:
36420 if (!lock_fb_info(info))
36421@@ -1143,7 +1147,7 @@ static long do_fb_ioctl(struct fb_info *
36422 return -EFAULT;
36423 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
36424 return -EINVAL;
36425- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
36426+ if (con2fb.framebuffer >= FB_MAX)
36427 return -EINVAL;
36428 if (!registered_fb[con2fb.framebuffer])
36429 request_module("fb%d", con2fb.framebuffer);
36430diff -urNp linux-3.1.1/drivers/video/geode/gx1fb_core.c linux-3.1.1/drivers/video/geode/gx1fb_core.c
36431--- linux-3.1.1/drivers/video/geode/gx1fb_core.c 2011-11-11 15:19:27.000000000 -0500
36432+++ linux-3.1.1/drivers/video/geode/gx1fb_core.c 2011-11-16 18:39:08.000000000 -0500
36433@@ -29,7 +29,7 @@ static int crt_option = 1;
36434 static char panel_option[32] = "";
36435
36436 /* Modes relevant to the GX1 (taken from modedb.c) */
36437-static const struct fb_videomode __devinitdata gx1_modedb[] = {
36438+static const struct fb_videomode __devinitconst gx1_modedb[] = {
36439 /* 640x480-60 VESA */
36440 { NULL, 60, 640, 480, 39682, 48, 16, 33, 10, 96, 2,
36441 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_VESA },
36442diff -urNp linux-3.1.1/drivers/video/gxt4500.c linux-3.1.1/drivers/video/gxt4500.c
36443--- linux-3.1.1/drivers/video/gxt4500.c 2011-11-11 15:19:27.000000000 -0500
36444+++ linux-3.1.1/drivers/video/gxt4500.c 2011-11-16 18:39:08.000000000 -0500
36445@@ -156,7 +156,7 @@ struct gxt4500_par {
36446 static char *mode_option;
36447
36448 /* default mode: 1280x1024 @ 60 Hz, 8 bpp */
36449-static const struct fb_videomode defaultmode __devinitdata = {
36450+static const struct fb_videomode defaultmode __devinitconst = {
36451 .refresh = 60,
36452 .xres = 1280,
36453 .yres = 1024,
36454@@ -581,7 +581,7 @@ static int gxt4500_blank(int blank, stru
36455 return 0;
36456 }
36457
36458-static const struct fb_fix_screeninfo gxt4500_fix __devinitdata = {
36459+static const struct fb_fix_screeninfo gxt4500_fix __devinitconst = {
36460 .id = "IBM GXT4500P",
36461 .type = FB_TYPE_PACKED_PIXELS,
36462 .visual = FB_VISUAL_PSEUDOCOLOR,
36463diff -urNp linux-3.1.1/drivers/video/i810/i810_accel.c linux-3.1.1/drivers/video/i810/i810_accel.c
36464--- linux-3.1.1/drivers/video/i810/i810_accel.c 2011-11-11 15:19:27.000000000 -0500
36465+++ linux-3.1.1/drivers/video/i810/i810_accel.c 2011-11-16 18:39:08.000000000 -0500
36466@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
36467 }
36468 }
36469 printk("ringbuffer lockup!!!\n");
36470+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
36471 i810_report_error(mmio);
36472 par->dev_flags |= LOCKUP;
36473 info->pixmap.scan_align = 1;
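Review bot: The added `printk` on the `+` line carries no log level, so it is emitted at the default level rather than as an error next to the lockup diagnosis; kernel style is to give every printk a `KERN_*` prefix, e.g. `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The `%u` specifiers also assume `head`, `tail`, `par->iring.size` and `space` are all unsigned int; their declarations are outside the hunk, so that should be confirmed (`-Wformat` flags a mismatch). The existing `ringbuffer lockup!!!` message lacks a level too, but that is pre-existing. wait_for_space continues outside the hunk.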
36474diff -urNp linux-3.1.1/drivers/video/i810/i810_main.c linux-3.1.1/drivers/video/i810/i810_main.c
36475--- linux-3.1.1/drivers/video/i810/i810_main.c 2011-11-11 15:19:27.000000000 -0500
36476+++ linux-3.1.1/drivers/video/i810/i810_main.c 2011-11-16 18:39:08.000000000 -0500
36477@@ -97,7 +97,7 @@ static int i810fb_blank (int blank_
36478 static void i810fb_release_resource (struct fb_info *info, struct i810fb_par *par);
36479
36480 /* PCI */
36481-static const char *i810_pci_list[] __devinitdata = {
36482+static const char *i810_pci_list[] __devinitconst = {
36483 "Intel(R) 810 Framebuffer Device" ,
36484 "Intel(R) 810-DC100 Framebuffer Device" ,
36485 "Intel(R) 810E Framebuffer Device" ,
36486diff -urNp linux-3.1.1/drivers/video/jz4740_fb.c linux-3.1.1/drivers/video/jz4740_fb.c
36487--- linux-3.1.1/drivers/video/jz4740_fb.c 2011-11-11 15:19:27.000000000 -0500
36488+++ linux-3.1.1/drivers/video/jz4740_fb.c 2011-11-16 18:39:08.000000000 -0500
36489@@ -136,7 +136,7 @@ struct jzfb {
36490 uint32_t pseudo_palette[16];
36491 };
36492
36493-static const struct fb_fix_screeninfo jzfb_fix __devinitdata = {
36494+static const struct fb_fix_screeninfo jzfb_fix __devinitconst = {
36495 .id = "JZ4740 FB",
36496 .type = FB_TYPE_PACKED_PIXELS,
36497 .visual = FB_VISUAL_TRUECOLOR,
36498diff -urNp linux-3.1.1/drivers/video/logo/logo_linux_clut224.ppm linux-3.1.1/drivers/video/logo/logo_linux_clut224.ppm
36499--- linux-3.1.1/drivers/video/logo/logo_linux_clut224.ppm 2011-11-11 15:19:27.000000000 -0500
36500+++ linux-3.1.1/drivers/video/logo/logo_linux_clut224.ppm 2011-11-16 18:40:29.000000000 -0500
36501@@ -1,1604 +1,1123 @@
36502 P3
36503-# Standard 224-color Linux logo
36504 80 80
36505 255
36506- 0 0 0 0 0 0 0 0 0 0 0 0
36507- 0 0 0 0 0 0 0 0 0 0 0 0
36508- 0 0 0 0 0 0 0 0 0 0 0 0
36509- 0 0 0 0 0 0 0 0 0 0 0 0
36510- 0 0 0 0 0 0 0 0 0 0 0 0
36511- 0 0 0 0 0 0 0 0 0 0 0 0
36512- 0 0 0 0 0 0 0 0 0 0 0 0
36513- 0 0 0 0 0 0 0 0 0 0 0 0
36514- 0 0 0 0 0 0 0 0 0 0 0 0
36515- 6 6 6 6 6 6 10 10 10 10 10 10
36516- 10 10 10 6 6 6 6 6 6 6 6 6
36517- 0 0 0 0 0 0 0 0 0 0 0 0
36518- 0 0 0 0 0 0 0 0 0 0 0 0
36519- 0 0 0 0 0 0 0 0 0 0 0 0
36520- 0 0 0 0 0 0 0 0 0 0 0 0
36521- 0 0 0 0 0 0 0 0 0 0 0 0
36522- 0 0 0 0 0 0 0 0 0 0 0 0
36523- 0 0 0 0 0 0 0 0 0 0 0 0
36524- 0 0 0 0 0 0 0 0 0 0 0 0
36525- 0 0 0 0 0 0 0 0 0 0 0 0
36526- 0 0 0 0 0 0 0 0 0 0 0 0
36527- 0 0 0 0 0 0 0 0 0 0 0 0
36528- 0 0 0 0 0 0 0 0 0 0 0 0
36529- 0 0 0 0 0 0 0 0 0 0 0 0
36530- 0 0 0 0 0 0 0 0 0 0 0 0
36531- 0 0 0 0 0 0 0 0 0 0 0 0
36532- 0 0 0 0 0 0 0 0 0 0 0 0
36533- 0 0 0 0 0 0 0 0 0 0 0 0
36534- 0 0 0 6 6 6 10 10 10 14 14 14
36535- 22 22 22 26 26 26 30 30 30 34 34 34
36536- 30 30 30 30 30 30 26 26 26 18 18 18
36537- 14 14 14 10 10 10 6 6 6 0 0 0
36538- 0 0 0 0 0 0 0 0 0 0 0 0
36539- 0 0 0 0 0 0 0 0 0 0 0 0
36540- 0 0 0 0 0 0 0 0 0 0 0 0
36541- 0 0 0 0 0 0 0 0 0 0 0 0
36542- 0 0 0 0 0 0 0 0 0 0 0 0
36543- 0 0 0 0 0 0 0 0 0 0 0 0
36544- 0 0 0 0 0 0 0 0 0 0 0 0
36545- 0 0 0 0 0 0 0 0 0 0 0 0
36546- 0 0 0 0 0 0 0 0 0 0 0 0
36547- 0 0 0 0 0 1 0 0 1 0 0 0
36548- 0 0 0 0 0 0 0 0 0 0 0 0
36549- 0 0 0 0 0 0 0 0 0 0 0 0
36550- 0 0 0 0 0 0 0 0 0 0 0 0
36551- 0 0 0 0 0 0 0 0 0 0 0 0
36552- 0 0 0 0 0 0 0 0 0 0 0 0
36553- 0 0 0 0 0 0 0 0 0 0 0 0
36554- 6 6 6 14 14 14 26 26 26 42 42 42
36555- 54 54 54 66 66 66 78 78 78 78 78 78
36556- 78 78 78 74 74 74 66 66 66 54 54 54
36557- 42 42 42 26 26 26 18 18 18 10 10 10
36558- 6 6 6 0 0 0 0 0 0 0 0 0
36559- 0 0 0 0 0 0 0 0 0 0 0 0
36560- 0 0 0 0 0 0 0 0 0 0 0 0
36561- 0 0 0 0 0 0 0 0 0 0 0 0
36562- 0 0 0 0 0 0 0 0 0 0 0 0
36563- 0 0 0 0 0 0 0 0 0 0 0 0
36564- 0 0 0 0 0 0 0 0 0 0 0 0
36565- 0 0 0 0 0 0 0 0 0 0 0 0
36566- 0 0 0 0 0 0 0 0 0 0 0 0
36567- 0 0 1 0 0 0 0 0 0 0 0 0
36568- 0 0 0 0 0 0 0 0 0 0 0 0
36569- 0 0 0 0 0 0 0 0 0 0 0 0
36570- 0 0 0 0 0 0 0 0 0 0 0 0
36571- 0 0 0 0 0 0 0 0 0 0 0 0
36572- 0 0 0 0 0 0 0 0 0 0 0 0
36573- 0 0 0 0 0 0 0 0 0 10 10 10
36574- 22 22 22 42 42 42 66 66 66 86 86 86
36575- 66 66 66 38 38 38 38 38 38 22 22 22
36576- 26 26 26 34 34 34 54 54 54 66 66 66
36577- 86 86 86 70 70 70 46 46 46 26 26 26
36578- 14 14 14 6 6 6 0 0 0 0 0 0
36579- 0 0 0 0 0 0 0 0 0 0 0 0
36580- 0 0 0 0 0 0 0 0 0 0 0 0
36581- 0 0 0 0 0 0 0 0 0 0 0 0
36582- 0 0 0 0 0 0 0 0 0 0 0 0
36583- 0 0 0 0 0 0 0 0 0 0 0 0
36584- 0 0 0 0 0 0 0 0 0 0 0 0
36585- 0 0 0 0 0 0 0 0 0 0 0 0
36586- 0 0 0 0 0 0 0 0 0 0 0 0
36587- 0 0 1 0 0 1 0 0 1 0 0 0
36588- 0 0 0 0 0 0 0 0 0 0 0 0
36589- 0 0 0 0 0 0 0 0 0 0 0 0
36590- 0 0 0 0 0 0 0 0 0 0 0 0
36591- 0 0 0 0 0 0 0 0 0 0 0 0
36592- 0 0 0 0 0 0 0 0 0 0 0 0
36593- 0 0 0 0 0 0 10 10 10 26 26 26
36594- 50 50 50 82 82 82 58 58 58 6 6 6
36595- 2 2 6 2 2 6 2 2 6 2 2 6
36596- 2 2 6 2 2 6 2 2 6 2 2 6
36597- 6 6 6 54 54 54 86 86 86 66 66 66
36598- 38 38 38 18 18 18 6 6 6 0 0 0
36599- 0 0 0 0 0 0 0 0 0 0 0 0
36600- 0 0 0 0 0 0 0 0 0 0 0 0
36601- 0 0 0 0 0 0 0 0 0 0 0 0
36602- 0 0 0 0 0 0 0 0 0 0 0 0
36603- 0 0 0 0 0 0 0 0 0 0 0 0
36604- 0 0 0 0 0 0 0 0 0 0 0 0
36605- 0 0 0 0 0 0 0 0 0 0 0 0
36606- 0 0 0 0 0 0 0 0 0 0 0 0
36607- 0 0 0 0 0 0 0 0 0 0 0 0
36608- 0 0 0 0 0 0 0 0 0 0 0 0
36609- 0 0 0 0 0 0 0 0 0 0 0 0
36610- 0 0 0 0 0 0 0 0 0 0 0 0
36611- 0 0 0 0 0 0 0 0 0 0 0 0
36612- 0 0 0 0 0 0 0 0 0 0 0 0
36613- 0 0 0 6 6 6 22 22 22 50 50 50
36614- 78 78 78 34 34 34 2 2 6 2 2 6
36615- 2 2 6 2 2 6 2 2 6 2 2 6
36616- 2 2 6 2 2 6 2 2 6 2 2 6
36617- 2 2 6 2 2 6 6 6 6 70 70 70
36618- 78 78 78 46 46 46 22 22 22 6 6 6
36619- 0 0 0 0 0 0 0 0 0 0 0 0
36620- 0 0 0 0 0 0 0 0 0 0 0 0
36621- 0 0 0 0 0 0 0 0 0 0 0 0
36622- 0 0 0 0 0 0 0 0 0 0 0 0
36623- 0 0 0 0 0 0 0 0 0 0 0 0
36624- 0 0 0 0 0 0 0 0 0 0 0 0
36625- 0 0 0 0 0 0 0 0 0 0 0 0
36626- 0 0 0 0 0 0 0 0 0 0 0 0
36627- 0 0 1 0 0 1 0 0 1 0 0 0
36628- 0 0 0 0 0 0 0 0 0 0 0 0
36629- 0 0 0 0 0 0 0 0 0 0 0 0
36630- 0 0 0 0 0 0 0 0 0 0 0 0
36631- 0 0 0 0 0 0 0 0 0 0 0 0
36632- 0 0 0 0 0 0 0 0 0 0 0 0
36633- 6 6 6 18 18 18 42 42 42 82 82 82
36634- 26 26 26 2 2 6 2 2 6 2 2 6
36635- 2 2 6 2 2 6 2 2 6 2 2 6
36636- 2 2 6 2 2 6 2 2 6 14 14 14
36637- 46 46 46 34 34 34 6 6 6 2 2 6
36638- 42 42 42 78 78 78 42 42 42 18 18 18
36639- 6 6 6 0 0 0 0 0 0 0 0 0
36640- 0 0 0 0 0 0 0 0 0 0 0 0
36641- 0 0 0 0 0 0 0 0 0 0 0 0
36642- 0 0 0 0 0 0 0 0 0 0 0 0
36643- 0 0 0 0 0 0 0 0 0 0 0 0
36644- 0 0 0 0 0 0 0 0 0 0 0 0
36645- 0 0 0 0 0 0 0 0 0 0 0 0
36646- 0 0 0 0 0 0 0 0 0 0 0 0
36647- 0 0 1 0 0 0 0 0 1 0 0 0
36648- 0 0 0 0 0 0 0 0 0 0 0 0
36649- 0 0 0 0 0 0 0 0 0 0 0 0
36650- 0 0 0 0 0 0 0 0 0 0 0 0
36651- 0 0 0 0 0 0 0 0 0 0 0 0
36652- 0 0 0 0 0 0 0 0 0 0 0 0
36653- 10 10 10 30 30 30 66 66 66 58 58 58
36654- 2 2 6 2 2 6 2 2 6 2 2 6
36655- 2 2 6 2 2 6 2 2 6 2 2 6
36656- 2 2 6 2 2 6 2 2 6 26 26 26
36657- 86 86 86 101 101 101 46 46 46 10 10 10
36658- 2 2 6 58 58 58 70 70 70 34 34 34
36659- 10 10 10 0 0 0 0 0 0 0 0 0
36660- 0 0 0 0 0 0 0 0 0 0 0 0
36661- 0 0 0 0 0 0 0 0 0 0 0 0
36662- 0 0 0 0 0 0 0 0 0 0 0 0
36663- 0 0 0 0 0 0 0 0 0 0 0 0
36664- 0 0 0 0 0 0 0 0 0 0 0 0
36665- 0 0 0 0 0 0 0 0 0 0 0 0
36666- 0 0 0 0 0 0 0 0 0 0 0 0
36667- 0 0 1 0 0 1 0 0 1 0 0 0
36668- 0 0 0 0 0 0 0 0 0 0 0 0
36669- 0 0 0 0 0 0 0 0 0 0 0 0
36670- 0 0 0 0 0 0 0 0 0 0 0 0
36671- 0 0 0 0 0 0 0 0 0 0 0 0
36672- 0 0 0 0 0 0 0 0 0 0 0 0
36673- 14 14 14 42 42 42 86 86 86 10 10 10
36674- 2 2 6 2 2 6 2 2 6 2 2 6
36675- 2 2 6 2 2 6 2 2 6 2 2 6
36676- 2 2 6 2 2 6 2 2 6 30 30 30
36677- 94 94 94 94 94 94 58 58 58 26 26 26
36678- 2 2 6 6 6 6 78 78 78 54 54 54
36679- 22 22 22 6 6 6 0 0 0 0 0 0
36680- 0 0 0 0 0 0 0 0 0 0 0 0
36681- 0 0 0 0 0 0 0 0 0 0 0 0
36682- 0 0 0 0 0 0 0 0 0 0 0 0
36683- 0 0 0 0 0 0 0 0 0 0 0 0
36684- 0 0 0 0 0 0 0 0 0 0 0 0
36685- 0 0 0 0 0 0 0 0 0 0 0 0
36686- 0 0 0 0 0 0 0 0 0 0 0 0
36687- 0 0 0 0 0 0 0 0 0 0 0 0
36688- 0 0 0 0 0 0 0 0 0 0 0 0
36689- 0 0 0 0 0 0 0 0 0 0 0 0
36690- 0 0 0 0 0 0 0 0 0 0 0 0
36691- 0 0 0 0 0 0 0 0 0 0 0 0
36692- 0 0 0 0 0 0 0 0 0 6 6 6
36693- 22 22 22 62 62 62 62 62 62 2 2 6
36694- 2 2 6 2 2 6 2 2 6 2 2 6
36695- 2 2 6 2 2 6 2 2 6 2 2 6
36696- 2 2 6 2 2 6 2 2 6 26 26 26
36697- 54 54 54 38 38 38 18 18 18 10 10 10
36698- 2 2 6 2 2 6 34 34 34 82 82 82
36699- 38 38 38 14 14 14 0 0 0 0 0 0
36700- 0 0 0 0 0 0 0 0 0 0 0 0
36701- 0 0 0 0 0 0 0 0 0 0 0 0
36702- 0 0 0 0 0 0 0 0 0 0 0 0
36703- 0 0 0 0 0 0 0 0 0 0 0 0
36704- 0 0 0 0 0 0 0 0 0 0 0 0
36705- 0 0 0 0 0 0 0 0 0 0 0 0
36706- 0 0 0 0 0 0 0 0 0 0 0 0
36707- 0 0 0 0 0 1 0 0 1 0 0 0
36708- 0 0 0 0 0 0 0 0 0 0 0 0
36709- 0 0 0 0 0 0 0 0 0 0 0 0
36710- 0 0 0 0 0 0 0 0 0 0 0 0
36711- 0 0 0 0 0 0 0 0 0 0 0 0
36712- 0 0 0 0 0 0 0 0 0 6 6 6
36713- 30 30 30 78 78 78 30 30 30 2 2 6
36714- 2 2 6 2 2 6 2 2 6 2 2 6
36715- 2 2 6 2 2 6 2 2 6 2 2 6
36716- 2 2 6 2 2 6 2 2 6 10 10 10
36717- 10 10 10 2 2 6 2 2 6 2 2 6
36718- 2 2 6 2 2 6 2 2 6 78 78 78
36719- 50 50 50 18 18 18 6 6 6 0 0 0
36720- 0 0 0 0 0 0 0 0 0 0 0 0
36721- 0 0 0 0 0 0 0 0 0 0 0 0
36722- 0 0 0 0 0 0 0 0 0 0 0 0
36723- 0 0 0 0 0 0 0 0 0 0 0 0
36724- 0 0 0 0 0 0 0 0 0 0 0 0
36725- 0 0 0 0 0 0 0 0 0 0 0 0
36726- 0 0 0 0 0 0 0 0 0 0 0 0
36727- 0 0 1 0 0 0 0 0 0 0 0 0
36728- 0 0 0 0 0 0 0 0 0 0 0 0
36729- 0 0 0 0 0 0 0 0 0 0 0 0
36730- 0 0 0 0 0 0 0 0 0 0 0 0
36731- 0 0 0 0 0 0 0 0 0 0 0 0
36732- 0 0 0 0 0 0 0 0 0 10 10 10
36733- 38 38 38 86 86 86 14 14 14 2 2 6
36734- 2 2 6 2 2 6 2 2 6 2 2 6
36735- 2 2 6 2 2 6 2 2 6 2 2 6
36736- 2 2 6 2 2 6 2 2 6 2 2 6
36737- 2 2 6 2 2 6 2 2 6 2 2 6
36738- 2 2 6 2 2 6 2 2 6 54 54 54
36739- 66 66 66 26 26 26 6 6 6 0 0 0
36740- 0 0 0 0 0 0 0 0 0 0 0 0
36741- 0 0 0 0 0 0 0 0 0 0 0 0
36742- 0 0 0 0 0 0 0 0 0 0 0 0
36743- 0 0 0 0 0 0 0 0 0 0 0 0
36744- 0 0 0 0 0 0 0 0 0 0 0 0
36745- 0 0 0 0 0 0 0 0 0 0 0 0
36746- 0 0 0 0 0 0 0 0 0 0 0 0
36747- 0 0 0 0 0 1 0 0 1 0 0 0
36748- 0 0 0 0 0 0 0 0 0 0 0 0
36749- 0 0 0 0 0 0 0 0 0 0 0 0
36750- 0 0 0 0 0 0 0 0 0 0 0 0
36751- 0 0 0 0 0 0 0 0 0 0 0 0
36752- 0 0 0 0 0 0 0 0 0 14 14 14
36753- 42 42 42 82 82 82 2 2 6 2 2 6
36754- 2 2 6 6 6 6 10 10 10 2 2 6
36755- 2 2 6 2 2 6 2 2 6 2 2 6
36756- 2 2 6 2 2 6 2 2 6 6 6 6
36757- 14 14 14 10 10 10 2 2 6 2 2 6
36758- 2 2 6 2 2 6 2 2 6 18 18 18
36759- 82 82 82 34 34 34 10 10 10 0 0 0
36760- 0 0 0 0 0 0 0 0 0 0 0 0
36761- 0 0 0 0 0 0 0 0 0 0 0 0
36762- 0 0 0 0 0 0 0 0 0 0 0 0
36763- 0 0 0 0 0 0 0 0 0 0 0 0
36764- 0 0 0 0 0 0 0 0 0 0 0 0
36765- 0 0 0 0 0 0 0 0 0 0 0 0
36766- 0 0 0 0 0 0 0 0 0 0 0 0
36767- 0 0 1 0 0 0 0 0 0 0 0 0
36768- 0 0 0 0 0 0 0 0 0 0 0 0
36769- 0 0 0 0 0 0 0 0 0 0 0 0
36770- 0 0 0 0 0 0 0 0 0 0 0 0
36771- 0 0 0 0 0 0 0 0 0 0 0 0
36772- 0 0 0 0 0 0 0 0 0 14 14 14
36773- 46 46 46 86 86 86 2 2 6 2 2 6
36774- 6 6 6 6 6 6 22 22 22 34 34 34
36775- 6 6 6 2 2 6 2 2 6 2 2 6
36776- 2 2 6 2 2 6 18 18 18 34 34 34
36777- 10 10 10 50 50 50 22 22 22 2 2 6
36778- 2 2 6 2 2 6 2 2 6 10 10 10
36779- 86 86 86 42 42 42 14 14 14 0 0 0
36780- 0 0 0 0 0 0 0 0 0 0 0 0
36781- 0 0 0 0 0 0 0 0 0 0 0 0
36782- 0 0 0 0 0 0 0 0 0 0 0 0
36783- 0 0 0 0 0 0 0 0 0 0 0 0
36784- 0 0 0 0 0 0 0 0 0 0 0 0
36785- 0 0 0 0 0 0 0 0 0 0 0 0
36786- 0 0 0 0 0 0 0 0 0 0 0 0
36787- 0 0 1 0 0 1 0 0 1 0 0 0
36788- 0 0 0 0 0 0 0 0 0 0 0 0
36789- 0 0 0 0 0 0 0 0 0 0 0 0
36790- 0 0 0 0 0 0 0 0 0 0 0 0
36791- 0 0 0 0 0 0 0 0 0 0 0 0
36792- 0 0 0 0 0 0 0 0 0 14 14 14
36793- 46 46 46 86 86 86 2 2 6 2 2 6
36794- 38 38 38 116 116 116 94 94 94 22 22 22
36795- 22 22 22 2 2 6 2 2 6 2 2 6
36796- 14 14 14 86 86 86 138 138 138 162 162 162
36797-154 154 154 38 38 38 26 26 26 6 6 6
36798- 2 2 6 2 2 6 2 2 6 2 2 6
36799- 86 86 86 46 46 46 14 14 14 0 0 0
36800- 0 0 0 0 0 0 0 0 0 0 0 0
36801- 0 0 0 0 0 0 0 0 0 0 0 0
36802- 0 0 0 0 0 0 0 0 0 0 0 0
36803- 0 0 0 0 0 0 0 0 0 0 0 0
36804- 0 0 0 0 0 0 0 0 0 0 0 0
36805- 0 0 0 0 0 0 0 0 0 0 0 0
36806- 0 0 0 0 0 0 0 0 0 0 0 0
36807- 0 0 0 0 0 0 0 0 0 0 0 0
36808- 0 0 0 0 0 0 0 0 0 0 0 0
36809- 0 0 0 0 0 0 0 0 0 0 0 0
36810- 0 0 0 0 0 0 0 0 0 0 0 0
36811- 0 0 0 0 0 0 0 0 0 0 0 0
36812- 0 0 0 0 0 0 0 0 0 14 14 14
36813- 46 46 46 86 86 86 2 2 6 14 14 14
36814-134 134 134 198 198 198 195 195 195 116 116 116
36815- 10 10 10 2 2 6 2 2 6 6 6 6
36816-101 98 89 187 187 187 210 210 210 218 218 218
36817-214 214 214 134 134 134 14 14 14 6 6 6
36818- 2 2 6 2 2 6 2 2 6 2 2 6
36819- 86 86 86 50 50 50 18 18 18 6 6 6
36820- 0 0 0 0 0 0 0 0 0 0 0 0
36821- 0 0 0 0 0 0 0 0 0 0 0 0
36822- 0 0 0 0 0 0 0 0 0 0 0 0
36823- 0 0 0 0 0 0 0 0 0 0 0 0
36824- 0 0 0 0 0 0 0 0 0 0 0 0
36825- 0 0 0 0 0 0 0 0 0 0 0 0
36826- 0 0 0 0 0 0 0 0 1 0 0 0
36827- 0 0 1 0 0 1 0 0 1 0 0 0
36828- 0 0 0 0 0 0 0 0 0 0 0 0
36829- 0 0 0 0 0 0 0 0 0 0 0 0
36830- 0 0 0 0 0 0 0 0 0 0 0 0
36831- 0 0 0 0 0 0 0 0 0 0 0 0
36832- 0 0 0 0 0 0 0 0 0 14 14 14
36833- 46 46 46 86 86 86 2 2 6 54 54 54
36834-218 218 218 195 195 195 226 226 226 246 246 246
36835- 58 58 58 2 2 6 2 2 6 30 30 30
36836-210 210 210 253 253 253 174 174 174 123 123 123
36837-221 221 221 234 234 234 74 74 74 2 2 6
36838- 2 2 6 2 2 6 2 2 6 2 2 6
36839- 70 70 70 58 58 58 22 22 22 6 6 6
36840- 0 0 0 0 0 0 0 0 0 0 0 0
36841- 0 0 0 0 0 0 0 0 0 0 0 0
36842- 0 0 0 0 0 0 0 0 0 0 0 0
36843- 0 0 0 0 0 0 0 0 0 0 0 0
36844- 0 0 0 0 0 0 0 0 0 0 0 0
36845- 0 0 0 0 0 0 0 0 0 0 0 0
36846- 0 0 0 0 0 0 0 0 0 0 0 0
36847- 0 0 0 0 0 0 0 0 0 0 0 0
36848- 0 0 0 0 0 0 0 0 0 0 0 0
36849- 0 0 0 0 0 0 0 0 0 0 0 0
36850- 0 0 0 0 0 0 0 0 0 0 0 0
36851- 0 0 0 0 0 0 0 0 0 0 0 0
36852- 0 0 0 0 0 0 0 0 0 14 14 14
36853- 46 46 46 82 82 82 2 2 6 106 106 106
36854-170 170 170 26 26 26 86 86 86 226 226 226
36855-123 123 123 10 10 10 14 14 14 46 46 46
36856-231 231 231 190 190 190 6 6 6 70 70 70
36857- 90 90 90 238 238 238 158 158 158 2 2 6
36858- 2 2 6 2 2 6 2 2 6 2 2 6
36859- 70 70 70 58 58 58 22 22 22 6 6 6
36860- 0 0 0 0 0 0 0 0 0 0 0 0
36861- 0 0 0 0 0 0 0 0 0 0 0 0
36862- 0 0 0 0 0 0 0 0 0 0 0 0
36863- 0 0 0 0 0 0 0 0 0 0 0 0
36864- 0 0 0 0 0 0 0 0 0 0 0 0
36865- 0 0 0 0 0 0 0 0 0 0 0 0
36866- 0 0 0 0 0 0 0 0 1 0 0 0
36867- 0 0 1 0 0 1 0 0 1 0 0 0
36868- 0 0 0 0 0 0 0 0 0 0 0 0
36869- 0 0 0 0 0 0 0 0 0 0 0 0
36870- 0 0 0 0 0 0 0 0 0 0 0 0
36871- 0 0 0 0 0 0 0 0 0 0 0 0
36872- 0 0 0 0 0 0 0 0 0 14 14 14
36873- 42 42 42 86 86 86 6 6 6 116 116 116
36874-106 106 106 6 6 6 70 70 70 149 149 149
36875-128 128 128 18 18 18 38 38 38 54 54 54
36876-221 221 221 106 106 106 2 2 6 14 14 14
36877- 46 46 46 190 190 190 198 198 198 2 2 6
36878- 2 2 6 2 2 6 2 2 6 2 2 6
36879- 74 74 74 62 62 62 22 22 22 6 6 6
36880- 0 0 0 0 0 0 0 0 0 0 0 0
36881- 0 0 0 0 0 0 0 0 0 0 0 0
36882- 0 0 0 0 0 0 0 0 0 0 0 0
36883- 0 0 0 0 0 0 0 0 0 0 0 0
36884- 0 0 0 0 0 0 0 0 0 0 0 0
36885- 0 0 0 0 0 0 0 0 0 0 0 0
36886- 0 0 0 0 0 0 0 0 1 0 0 0
36887- 0 0 1 0 0 0 0 0 1 0 0 0
36888- 0 0 0 0 0 0 0 0 0 0 0 0
36889- 0 0 0 0 0 0 0 0 0 0 0 0
36890- 0 0 0 0 0 0 0 0 0 0 0 0
36891- 0 0 0 0 0 0 0 0 0 0 0 0
36892- 0 0 0 0 0 0 0 0 0 14 14 14
36893- 42 42 42 94 94 94 14 14 14 101 101 101
36894-128 128 128 2 2 6 18 18 18 116 116 116
36895-118 98 46 121 92 8 121 92 8 98 78 10
36896-162 162 162 106 106 106 2 2 6 2 2 6
36897- 2 2 6 195 195 195 195 195 195 6 6 6
36898- 2 2 6 2 2 6 2 2 6 2 2 6
36899- 74 74 74 62 62 62 22 22 22 6 6 6
36900- 0 0 0 0 0 0 0 0 0 0 0 0
36901- 0 0 0 0 0 0 0 0 0 0 0 0
36902- 0 0 0 0 0 0 0 0 0 0 0 0
36903- 0 0 0 0 0 0 0 0 0 0 0 0
36904- 0 0 0 0 0 0 0 0 0 0 0 0
36905- 0 0 0 0 0 0 0 0 0 0 0 0
36906- 0 0 0 0 0 0 0 0 1 0 0 1
36907- 0 0 1 0 0 0 0 0 1 0 0 0
36908- 0 0 0 0 0 0 0 0 0 0 0 0
36909- 0 0 0 0 0 0 0 0 0 0 0 0
36910- 0 0 0 0 0 0 0 0 0 0 0 0
36911- 0 0 0 0 0 0 0 0 0 0 0 0
36912- 0 0 0 0 0 0 0 0 0 10 10 10
36913- 38 38 38 90 90 90 14 14 14 58 58 58
36914-210 210 210 26 26 26 54 38 6 154 114 10
36915-226 170 11 236 186 11 225 175 15 184 144 12
36916-215 174 15 175 146 61 37 26 9 2 2 6
36917- 70 70 70 246 246 246 138 138 138 2 2 6
36918- 2 2 6 2 2 6 2 2 6 2 2 6
36919- 70 70 70 66 66 66 26 26 26 6 6 6
36920- 0 0 0 0 0 0 0 0 0 0 0 0
36921- 0 0 0 0 0 0 0 0 0 0 0 0
36922- 0 0 0 0 0 0 0 0 0 0 0 0
36923- 0 0 0 0 0 0 0 0 0 0 0 0
36924- 0 0 0 0 0 0 0 0 0 0 0 0
36925- 0 0 0 0 0 0 0 0 0 0 0 0
36926- 0 0 0 0 0 0 0 0 0 0 0 0
36927- 0 0 0 0 0 0 0 0 0 0 0 0
36928- 0 0 0 0 0 0 0 0 0 0 0 0
36929- 0 0 0 0 0 0 0 0 0 0 0 0
36930- 0 0 0 0 0 0 0 0 0 0 0 0
36931- 0 0 0 0 0 0 0 0 0 0 0 0
36932- 0 0 0 0 0 0 0 0 0 10 10 10
36933- 38 38 38 86 86 86 14 14 14 10 10 10
36934-195 195 195 188 164 115 192 133 9 225 175 15
36935-239 182 13 234 190 10 232 195 16 232 200 30
36936-245 207 45 241 208 19 232 195 16 184 144 12
36937-218 194 134 211 206 186 42 42 42 2 2 6
36938- 2 2 6 2 2 6 2 2 6 2 2 6
36939- 50 50 50 74 74 74 30 30 30 6 6 6
36940- 0 0 0 0 0 0 0 0 0 0 0 0
36941- 0 0 0 0 0 0 0 0 0 0 0 0
36942- 0 0 0 0 0 0 0 0 0 0 0 0
36943- 0 0 0 0 0 0 0 0 0 0 0 0
36944- 0 0 0 0 0 0 0 0 0 0 0 0
36945- 0 0 0 0 0 0 0 0 0 0 0 0
36946- 0 0 0 0 0 0 0 0 0 0 0 0
36947- 0 0 0 0 0 0 0 0 0 0 0 0
36948- 0 0 0 0 0 0 0 0 0 0 0 0
36949- 0 0 0 0 0 0 0 0 0 0 0 0
36950- 0 0 0 0 0 0 0 0 0 0 0 0
36951- 0 0 0 0 0 0 0 0 0 0 0 0
36952- 0 0 0 0 0 0 0 0 0 10 10 10
36953- 34 34 34 86 86 86 14 14 14 2 2 6
36954-121 87 25 192 133 9 219 162 10 239 182 13
36955-236 186 11 232 195 16 241 208 19 244 214 54
36956-246 218 60 246 218 38 246 215 20 241 208 19
36957-241 208 19 226 184 13 121 87 25 2 2 6
36958- 2 2 6 2 2 6 2 2 6 2 2 6
36959- 50 50 50 82 82 82 34 34 34 10 10 10
36960- 0 0 0 0 0 0 0 0 0 0 0 0
36961- 0 0 0 0 0 0 0 0 0 0 0 0
36962- 0 0 0 0 0 0 0 0 0 0 0 0
36963- 0 0 0 0 0 0 0 0 0 0 0 0
36964- 0 0 0 0 0 0 0 0 0 0 0 0
36965- 0 0 0 0 0 0 0 0 0 0 0 0
36966- 0 0 0 0 0 0 0 0 0 0 0 0
36967- 0 0 0 0 0 0 0 0 0 0 0 0
36968- 0 0 0 0 0 0 0 0 0 0 0 0
36969- 0 0 0 0 0 0 0 0 0 0 0 0
36970- 0 0 0 0 0 0 0 0 0 0 0 0
36971- 0 0 0 0 0 0 0 0 0 0 0 0
36972- 0 0 0 0 0 0 0 0 0 10 10 10
36973- 34 34 34 82 82 82 30 30 30 61 42 6
36974-180 123 7 206 145 10 230 174 11 239 182 13
36975-234 190 10 238 202 15 241 208 19 246 218 74
36976-246 218 38 246 215 20 246 215 20 246 215 20
36977-226 184 13 215 174 15 184 144 12 6 6 6
36978- 2 2 6 2 2 6 2 2 6 2 2 6
36979- 26 26 26 94 94 94 42 42 42 14 14 14
36980- 0 0 0 0 0 0 0 0 0 0 0 0
36981- 0 0 0 0 0 0 0 0 0 0 0 0
36982- 0 0 0 0 0 0 0 0 0 0 0 0
36983- 0 0 0 0 0 0 0 0 0 0 0 0
36984- 0 0 0 0 0 0 0 0 0 0 0 0
36985- 0 0 0 0 0 0 0 0 0 0 0 0
36986- 0 0 0 0 0 0 0 0 0 0 0 0
36987- 0 0 0 0 0 0 0 0 0 0 0 0
36988- 0 0 0 0 0 0 0 0 0 0 0 0
36989- 0 0 0 0 0 0 0 0 0 0 0 0
36990- 0 0 0 0 0 0 0 0 0 0 0 0
36991- 0 0 0 0 0 0 0 0 0 0 0 0
36992- 0 0 0 0 0 0 0 0 0 10 10 10
36993- 30 30 30 78 78 78 50 50 50 104 69 6
36994-192 133 9 216 158 10 236 178 12 236 186 11
36995-232 195 16 241 208 19 244 214 54 245 215 43
36996-246 215 20 246 215 20 241 208 19 198 155 10
36997-200 144 11 216 158 10 156 118 10 2 2 6
36998- 2 2 6 2 2 6 2 2 6 2 2 6
36999- 6 6 6 90 90 90 54 54 54 18 18 18
37000- 6 6 6 0 0 0 0 0 0 0 0 0
37001- 0 0 0 0 0 0 0 0 0 0 0 0
37002- 0 0 0 0 0 0 0 0 0 0 0 0
37003- 0 0 0 0 0 0 0 0 0 0 0 0
37004- 0 0 0 0 0 0 0 0 0 0 0 0
37005- 0 0 0 0 0 0 0 0 0 0 0 0
37006- 0 0 0 0 0 0 0 0 0 0 0 0
37007- 0 0 0 0 0 0 0 0 0 0 0 0
37008- 0 0 0 0 0 0 0 0 0 0 0 0
37009- 0 0 0 0 0 0 0 0 0 0 0 0
37010- 0 0 0 0 0 0 0 0 0 0 0 0
37011- 0 0 0 0 0 0 0 0 0 0 0 0
37012- 0 0 0 0 0 0 0 0 0 10 10 10
37013- 30 30 30 78 78 78 46 46 46 22 22 22
37014-137 92 6 210 162 10 239 182 13 238 190 10
37015-238 202 15 241 208 19 246 215 20 246 215 20
37016-241 208 19 203 166 17 185 133 11 210 150 10
37017-216 158 10 210 150 10 102 78 10 2 2 6
37018- 6 6 6 54 54 54 14 14 14 2 2 6
37019- 2 2 6 62 62 62 74 74 74 30 30 30
37020- 10 10 10 0 0 0 0 0 0 0 0 0
37021- 0 0 0 0 0 0 0 0 0 0 0 0
37022- 0 0 0 0 0 0 0 0 0 0 0 0
37023- 0 0 0 0 0 0 0 0 0 0 0 0
37024- 0 0 0 0 0 0 0 0 0 0 0 0
37025- 0 0 0 0 0 0 0 0 0 0 0 0
37026- 0 0 0 0 0 0 0 0 0 0 0 0
37027- 0 0 0 0 0 0 0 0 0 0 0 0
37028- 0 0 0 0 0 0 0 0 0 0 0 0
37029- 0 0 0 0 0 0 0 0 0 0 0 0
37030- 0 0 0 0 0 0 0 0 0 0 0 0
37031- 0 0 0 0 0 0 0 0 0 0 0 0
37032- 0 0 0 0 0 0 0 0 0 10 10 10
37033- 34 34 34 78 78 78 50 50 50 6 6 6
37034- 94 70 30 139 102 15 190 146 13 226 184 13
37035-232 200 30 232 195 16 215 174 15 190 146 13
37036-168 122 10 192 133 9 210 150 10 213 154 11
37037-202 150 34 182 157 106 101 98 89 2 2 6
37038- 2 2 6 78 78 78 116 116 116 58 58 58
37039- 2 2 6 22 22 22 90 90 90 46 46 46
37040- 18 18 18 6 6 6 0 0 0 0 0 0
37041- 0 0 0 0 0 0 0 0 0 0 0 0
37042- 0 0 0 0 0 0 0 0 0 0 0 0
37043- 0 0 0 0 0 0 0 0 0 0 0 0
37044- 0 0 0 0 0 0 0 0 0 0 0 0
37045- 0 0 0 0 0 0 0 0 0 0 0 0
37046- 0 0 0 0 0 0 0 0 0 0 0 0
37047- 0 0 0 0 0 0 0 0 0 0 0 0
37048- 0 0 0 0 0 0 0 0 0 0 0 0
37049- 0 0 0 0 0 0 0 0 0 0 0 0
37050- 0 0 0 0 0 0 0 0 0 0 0 0
37051- 0 0 0 0 0 0 0 0 0 0 0 0
37052- 0 0 0 0 0 0 0 0 0 10 10 10
37053- 38 38 38 86 86 86 50 50 50 6 6 6
37054-128 128 128 174 154 114 156 107 11 168 122 10
37055-198 155 10 184 144 12 197 138 11 200 144 11
37056-206 145 10 206 145 10 197 138 11 188 164 115
37057-195 195 195 198 198 198 174 174 174 14 14 14
37058- 2 2 6 22 22 22 116 116 116 116 116 116
37059- 22 22 22 2 2 6 74 74 74 70 70 70
37060- 30 30 30 10 10 10 0 0 0 0 0 0
37061- 0 0 0 0 0 0 0 0 0 0 0 0
37062- 0 0 0 0 0 0 0 0 0 0 0 0
37063- 0 0 0 0 0 0 0 0 0 0 0 0
37064- 0 0 0 0 0 0 0 0 0 0 0 0
37065- 0 0 0 0 0 0 0 0 0 0 0 0
37066- 0 0 0 0 0 0 0 0 0 0 0 0
37067- 0 0 0 0 0 0 0 0 0 0 0 0
37068- 0 0 0 0 0 0 0 0 0 0 0 0
37069- 0 0 0 0 0 0 0 0 0 0 0 0
37070- 0 0 0 0 0 0 0 0 0 0 0 0
37071- 0 0 0 0 0 0 0 0 0 0 0 0
37072- 0 0 0 0 0 0 6 6 6 18 18 18
37073- 50 50 50 101 101 101 26 26 26 10 10 10
37074-138 138 138 190 190 190 174 154 114 156 107 11
37075-197 138 11 200 144 11 197 138 11 192 133 9
37076-180 123 7 190 142 34 190 178 144 187 187 187
37077-202 202 202 221 221 221 214 214 214 66 66 66
37078- 2 2 6 2 2 6 50 50 50 62 62 62
37079- 6 6 6 2 2 6 10 10 10 90 90 90
37080- 50 50 50 18 18 18 6 6 6 0 0 0
37081- 0 0 0 0 0 0 0 0 0 0 0 0
37082- 0 0 0 0 0 0 0 0 0 0 0 0
37083- 0 0 0 0 0 0 0 0 0 0 0 0
37084- 0 0 0 0 0 0 0 0 0 0 0 0
37085- 0 0 0 0 0 0 0 0 0 0 0 0
37086- 0 0 0 0 0 0 0 0 0 0 0 0
37087- 0 0 0 0 0 0 0 0 0 0 0 0
37088- 0 0 0 0 0 0 0 0 0 0 0 0
37089- 0 0 0 0 0 0 0 0 0 0 0 0
37090- 0 0 0 0 0 0 0 0 0 0 0 0
37091- 0 0 0 0 0 0 0 0 0 0 0 0
37092- 0 0 0 0 0 0 10 10 10 34 34 34
37093- 74 74 74 74 74 74 2 2 6 6 6 6
37094-144 144 144 198 198 198 190 190 190 178 166 146
37095-154 121 60 156 107 11 156 107 11 168 124 44
37096-174 154 114 187 187 187 190 190 190 210 210 210
37097-246 246 246 253 253 253 253 253 253 182 182 182
37098- 6 6 6 2 2 6 2 2 6 2 2 6
37099- 2 2 6 2 2 6 2 2 6 62 62 62
37100- 74 74 74 34 34 34 14 14 14 0 0 0
37101- 0 0 0 0 0 0 0 0 0 0 0 0
37102- 0 0 0 0 0 0 0 0 0 0 0 0
37103- 0 0 0 0 0 0 0 0 0 0 0 0
37104- 0 0 0 0 0 0 0 0 0 0 0 0
37105- 0 0 0 0 0 0 0 0 0 0 0 0
37106- 0 0 0 0 0 0 0 0 0 0 0 0
37107- 0 0 0 0 0 0 0 0 0 0 0 0
37108- 0 0 0 0 0 0 0 0 0 0 0 0
37109- 0 0 0 0 0 0 0 0 0 0 0 0
37110- 0 0 0 0 0 0 0 0 0 0 0 0
37111- 0 0 0 0 0 0 0 0 0 0 0 0
37112- 0 0 0 10 10 10 22 22 22 54 54 54
37113- 94 94 94 18 18 18 2 2 6 46 46 46
37114-234 234 234 221 221 221 190 190 190 190 190 190
37115-190 190 190 187 187 187 187 187 187 190 190 190
37116-190 190 190 195 195 195 214 214 214 242 242 242
37117-253 253 253 253 253 253 253 253 253 253 253 253
37118- 82 82 82 2 2 6 2 2 6 2 2 6
37119- 2 2 6 2 2 6 2 2 6 14 14 14
37120- 86 86 86 54 54 54 22 22 22 6 6 6
37121- 0 0 0 0 0 0 0 0 0 0 0 0
37122- 0 0 0 0 0 0 0 0 0 0 0 0
37123- 0 0 0 0 0 0 0 0 0 0 0 0
37124- 0 0 0 0 0 0 0 0 0 0 0 0
37125- 0 0 0 0 0 0 0 0 0 0 0 0
37126- 0 0 0 0 0 0 0 0 0 0 0 0
37127- 0 0 0 0 0 0 0 0 0 0 0 0
37128- 0 0 0 0 0 0 0 0 0 0 0 0
37129- 0 0 0 0 0 0 0 0 0 0 0 0
37130- 0 0 0 0 0 0 0 0 0 0 0 0
37131- 0 0 0 0 0 0 0 0 0 0 0 0
37132- 6 6 6 18 18 18 46 46 46 90 90 90
37133- 46 46 46 18 18 18 6 6 6 182 182 182
37134-253 253 253 246 246 246 206 206 206 190 190 190
37135-190 190 190 190 190 190 190 190 190 190 190 190
37136-206 206 206 231 231 231 250 250 250 253 253 253
37137-253 253 253 253 253 253 253 253 253 253 253 253
37138-202 202 202 14 14 14 2 2 6 2 2 6
37139- 2 2 6 2 2 6 2 2 6 2 2 6
37140- 42 42 42 86 86 86 42 42 42 18 18 18
37141- 6 6 6 0 0 0 0 0 0 0 0 0
37142- 0 0 0 0 0 0 0 0 0 0 0 0
37143- 0 0 0 0 0 0 0 0 0 0 0 0
37144- 0 0 0 0 0 0 0 0 0 0 0 0
37145- 0 0 0 0 0 0 0 0 0 0 0 0
37146- 0 0 0 0 0 0 0 0 0 0 0 0
37147- 0 0 0 0 0 0 0 0 0 0 0 0
37148- 0 0 0 0 0 0 0 0 0 0 0 0
37149- 0 0 0 0 0 0 0 0 0 0 0 0
37150- 0 0 0 0 0 0 0 0 0 0 0 0
37151- 0 0 0 0 0 0 0 0 0 6 6 6
37152- 14 14 14 38 38 38 74 74 74 66 66 66
37153- 2 2 6 6 6 6 90 90 90 250 250 250
37154-253 253 253 253 253 253 238 238 238 198 198 198
37155-190 190 190 190 190 190 195 195 195 221 221 221
37156-246 246 246 253 253 253 253 253 253 253 253 253
37157-253 253 253 253 253 253 253 253 253 253 253 253
37158-253 253 253 82 82 82 2 2 6 2 2 6
37159- 2 2 6 2 2 6 2 2 6 2 2 6
37160- 2 2 6 78 78 78 70 70 70 34 34 34
37161- 14 14 14 6 6 6 0 0 0 0 0 0
37162- 0 0 0 0 0 0 0 0 0 0 0 0
37163- 0 0 0 0 0 0 0 0 0 0 0 0
37164- 0 0 0 0 0 0 0 0 0 0 0 0
37165- 0 0 0 0 0 0 0 0 0 0 0 0
37166- 0 0 0 0 0 0 0 0 0 0 0 0
37167- 0 0 0 0 0 0 0 0 0 0 0 0
37168- 0 0 0 0 0 0 0 0 0 0 0 0
37169- 0 0 0 0 0 0 0 0 0 0 0 0
37170- 0 0 0 0 0 0 0 0 0 0 0 0
37171- 0 0 0 0 0 0 0 0 0 14 14 14
37172- 34 34 34 66 66 66 78 78 78 6 6 6
37173- 2 2 6 18 18 18 218 218 218 253 253 253
37174-253 253 253 253 253 253 253 253 253 246 246 246
37175-226 226 226 231 231 231 246 246 246 253 253 253
37176-253 253 253 253 253 253 253 253 253 253 253 253
37177-253 253 253 253 253 253 253 253 253 253 253 253
37178-253 253 253 178 178 178 2 2 6 2 2 6
37179- 2 2 6 2 2 6 2 2 6 2 2 6
37180- 2 2 6 18 18 18 90 90 90 62 62 62
37181- 30 30 30 10 10 10 0 0 0 0 0 0
37182- 0 0 0 0 0 0 0 0 0 0 0 0
37183- 0 0 0 0 0 0 0 0 0 0 0 0
37184- 0 0 0 0 0 0 0 0 0 0 0 0
37185- 0 0 0 0 0 0 0 0 0 0 0 0
37186- 0 0 0 0 0 0 0 0 0 0 0 0
37187- 0 0 0 0 0 0 0 0 0 0 0 0
37188- 0 0 0 0 0 0 0 0 0 0 0 0
37189- 0 0 0 0 0 0 0 0 0 0 0 0
37190- 0 0 0 0 0 0 0 0 0 0 0 0
37191- 0 0 0 0 0 0 10 10 10 26 26 26
37192- 58 58 58 90 90 90 18 18 18 2 2 6
37193- 2 2 6 110 110 110 253 253 253 253 253 253
37194-253 253 253 253 253 253 253 253 253 253 253 253
37195-250 250 250 253 253 253 253 253 253 253 253 253
37196-253 253 253 253 253 253 253 253 253 253 253 253
37197-253 253 253 253 253 253 253 253 253 253 253 253
37198-253 253 253 231 231 231 18 18 18 2 2 6
37199- 2 2 6 2 2 6 2 2 6 2 2 6
37200- 2 2 6 2 2 6 18 18 18 94 94 94
37201- 54 54 54 26 26 26 10 10 10 0 0 0
37202- 0 0 0 0 0 0 0 0 0 0 0 0
37203- 0 0 0 0 0 0 0 0 0 0 0 0
37204- 0 0 0 0 0 0 0 0 0 0 0 0
37205- 0 0 0 0 0 0 0 0 0 0 0 0
37206- 0 0 0 0 0 0 0 0 0 0 0 0
37207- 0 0 0 0 0 0 0 0 0 0 0 0
37208- 0 0 0 0 0 0 0 0 0 0 0 0
37209- 0 0 0 0 0 0 0 0 0 0 0 0
37210- 0 0 0 0 0 0 0 0 0 0 0 0
37211- 0 0 0 6 6 6 22 22 22 50 50 50
37212- 90 90 90 26 26 26 2 2 6 2 2 6
37213- 14 14 14 195 195 195 250 250 250 253 253 253
37214-253 253 253 253 253 253 253 253 253 253 253 253
37215-253 253 253 253 253 253 253 253 253 253 253 253
37216-253 253 253 253 253 253 253 253 253 253 253 253
37217-253 253 253 253 253 253 253 253 253 253 253 253
37218-250 250 250 242 242 242 54 54 54 2 2 6
37219- 2 2 6 2 2 6 2 2 6 2 2 6
37220- 2 2 6 2 2 6 2 2 6 38 38 38
37221- 86 86 86 50 50 50 22 22 22 6 6 6
37222- 0 0 0 0 0 0 0 0 0 0 0 0
37223- 0 0 0 0 0 0 0 0 0 0 0 0
37224- 0 0 0 0 0 0 0 0 0 0 0 0
37225- 0 0 0 0 0 0 0 0 0 0 0 0
37226- 0 0 0 0 0 0 0 0 0 0 0 0
37227- 0 0 0 0 0 0 0 0 0 0 0 0
37228- 0 0 0 0 0 0 0 0 0 0 0 0
37229- 0 0 0 0 0 0 0 0 0 0 0 0
37230- 0 0 0 0 0 0 0 0 0 0 0 0
37231- 6 6 6 14 14 14 38 38 38 82 82 82
37232- 34 34 34 2 2 6 2 2 6 2 2 6
37233- 42 42 42 195 195 195 246 246 246 253 253 253
37234-253 253 253 253 253 253 253 253 253 250 250 250
37235-242 242 242 242 242 242 250 250 250 253 253 253
37236-253 253 253 253 253 253 253 253 253 253 253 253
37237-253 253 253 250 250 250 246 246 246 238 238 238
37238-226 226 226 231 231 231 101 101 101 6 6 6
37239- 2 2 6 2 2 6 2 2 6 2 2 6
37240- 2 2 6 2 2 6 2 2 6 2 2 6
37241- 38 38 38 82 82 82 42 42 42 14 14 14
37242- 6 6 6 0 0 0 0 0 0 0 0 0
37243- 0 0 0 0 0 0 0 0 0 0 0 0
37244- 0 0 0 0 0 0 0 0 0 0 0 0
37245- 0 0 0 0 0 0 0 0 0 0 0 0
37246- 0 0 0 0 0 0 0 0 0 0 0 0
37247- 0 0 0 0 0 0 0 0 0 0 0 0
37248- 0 0 0 0 0 0 0 0 0 0 0 0
37249- 0 0 0 0 0 0 0 0 0 0 0 0
37250- 0 0 0 0 0 0 0 0 0 0 0 0
37251- 10 10 10 26 26 26 62 62 62 66 66 66
37252- 2 2 6 2 2 6 2 2 6 6 6 6
37253- 70 70 70 170 170 170 206 206 206 234 234 234
37254-246 246 246 250 250 250 250 250 250 238 238 238
37255-226 226 226 231 231 231 238 238 238 250 250 250
37256-250 250 250 250 250 250 246 246 246 231 231 231
37257-214 214 214 206 206 206 202 202 202 202 202 202
37258-198 198 198 202 202 202 182 182 182 18 18 18
37259- 2 2 6 2 2 6 2 2 6 2 2 6
37260- 2 2 6 2 2 6 2 2 6 2 2 6
37261- 2 2 6 62 62 62 66 66 66 30 30 30
37262- 10 10 10 0 0 0 0 0 0 0 0 0
37263- 0 0 0 0 0 0 0 0 0 0 0 0
37264- 0 0 0 0 0 0 0 0 0 0 0 0
37265- 0 0 0 0 0 0 0 0 0 0 0 0
37266- 0 0 0 0 0 0 0 0 0 0 0 0
37267- 0 0 0 0 0 0 0 0 0 0 0 0
37268- 0 0 0 0 0 0 0 0 0 0 0 0
37269- 0 0 0 0 0 0 0 0 0 0 0 0
37270- 0 0 0 0 0 0 0 0 0 0 0 0
37271- 14 14 14 42 42 42 82 82 82 18 18 18
37272- 2 2 6 2 2 6 2 2 6 10 10 10
37273- 94 94 94 182 182 182 218 218 218 242 242 242
37274-250 250 250 253 253 253 253 253 253 250 250 250
37275-234 234 234 253 253 253 253 253 253 253 253 253
37276-253 253 253 253 253 253 253 253 253 246 246 246
37277-238 238 238 226 226 226 210 210 210 202 202 202
37278-195 195 195 195 195 195 210 210 210 158 158 158
37279- 6 6 6 14 14 14 50 50 50 14 14 14
37280- 2 2 6 2 2 6 2 2 6 2 2 6
37281- 2 2 6 6 6 6 86 86 86 46 46 46
37282- 18 18 18 6 6 6 0 0 0 0 0 0
37283- 0 0 0 0 0 0 0 0 0 0 0 0
37284- 0 0 0 0 0 0 0 0 0 0 0 0
37285- 0 0 0 0 0 0 0 0 0 0 0 0
37286- 0 0 0 0 0 0 0 0 0 0 0 0
37287- 0 0 0 0 0 0 0 0 0 0 0 0
37288- 0 0 0 0 0 0 0 0 0 0 0 0
37289- 0 0 0 0 0 0 0 0 0 0 0 0
37290- 0 0 0 0 0 0 0 0 0 6 6 6
37291- 22 22 22 54 54 54 70 70 70 2 2 6
37292- 2 2 6 10 10 10 2 2 6 22 22 22
37293-166 166 166 231 231 231 250 250 250 253 253 253
37294-253 253 253 253 253 253 253 253 253 250 250 250
37295-242 242 242 253 253 253 253 253 253 253 253 253
37296-253 253 253 253 253 253 253 253 253 253 253 253
37297-253 253 253 253 253 253 253 253 253 246 246 246
37298-231 231 231 206 206 206 198 198 198 226 226 226
37299- 94 94 94 2 2 6 6 6 6 38 38 38
37300- 30 30 30 2 2 6 2 2 6 2 2 6
37301- 2 2 6 2 2 6 62 62 62 66 66 66
37302- 26 26 26 10 10 10 0 0 0 0 0 0
37303- 0 0 0 0 0 0 0 0 0 0 0 0
37304- 0 0 0 0 0 0 0 0 0 0 0 0
37305- 0 0 0 0 0 0 0 0 0 0 0 0
37306- 0 0 0 0 0 0 0 0 0 0 0 0
37307- 0 0 0 0 0 0 0 0 0 0 0 0
37308- 0 0 0 0 0 0 0 0 0 0 0 0
37309- 0 0 0 0 0 0 0 0 0 0 0 0
37310- 0 0 0 0 0 0 0 0 0 10 10 10
37311- 30 30 30 74 74 74 50 50 50 2 2 6
37312- 26 26 26 26 26 26 2 2 6 106 106 106
37313-238 238 238 253 253 253 253 253 253 253 253 253
37314-253 253 253 253 253 253 253 253 253 253 253 253
37315-253 253 253 253 253 253 253 253 253 253 253 253
37316-253 253 253 253 253 253 253 253 253 253 253 253
37317-253 253 253 253 253 253 253 253 253 253 253 253
37318-253 253 253 246 246 246 218 218 218 202 202 202
37319-210 210 210 14 14 14 2 2 6 2 2 6
37320- 30 30 30 22 22 22 2 2 6 2 2 6
37321- 2 2 6 2 2 6 18 18 18 86 86 86
37322- 42 42 42 14 14 14 0 0 0 0 0 0
37323- 0 0 0 0 0 0 0 0 0 0 0 0
37324- 0 0 0 0 0 0 0 0 0 0 0 0
37325- 0 0 0 0 0 0 0 0 0 0 0 0
37326- 0 0 0 0 0 0 0 0 0 0 0 0
37327- 0 0 0 0 0 0 0 0 0 0 0 0
37328- 0 0 0 0 0 0 0 0 0 0 0 0
37329- 0 0 0 0 0 0 0 0 0 0 0 0
37330- 0 0 0 0 0 0 0 0 0 14 14 14
37331- 42 42 42 90 90 90 22 22 22 2 2 6
37332- 42 42 42 2 2 6 18 18 18 218 218 218
37333-253 253 253 253 253 253 253 253 253 253 253 253
37334-253 253 253 253 253 253 253 253 253 253 253 253
37335-253 253 253 253 253 253 253 253 253 253 253 253
37336-253 253 253 253 253 253 253 253 253 253 253 253
37337-253 253 253 253 253 253 253 253 253 253 253 253
37338-253 253 253 253 253 253 250 250 250 221 221 221
37339-218 218 218 101 101 101 2 2 6 14 14 14
37340- 18 18 18 38 38 38 10 10 10 2 2 6
37341- 2 2 6 2 2 6 2 2 6 78 78 78
37342- 58 58 58 22 22 22 6 6 6 0 0 0
37343- 0 0 0 0 0 0 0 0 0 0 0 0
37344- 0 0 0 0 0 0 0 0 0 0 0 0
37345- 0 0 0 0 0 0 0 0 0 0 0 0
37346- 0 0 0 0 0 0 0 0 0 0 0 0
37347- 0 0 0 0 0 0 0 0 0 0 0 0
37348- 0 0 0 0 0 0 0 0 0 0 0 0
37349- 0 0 0 0 0 0 0 0 0 0 0 0
37350- 0 0 0 0 0 0 6 6 6 18 18 18
37351- 54 54 54 82 82 82 2 2 6 26 26 26
37352- 22 22 22 2 2 6 123 123 123 253 253 253
37353-253 253 253 253 253 253 253 253 253 253 253 253
37354-253 253 253 253 253 253 253 253 253 253 253 253
37355-253 253 253 253 253 253 253 253 253 253 253 253
37356-253 253 253 253 253 253 253 253 253 253 253 253
37357-253 253 253 253 253 253 253 253 253 253 253 253
37358-253 253 253 253 253 253 253 253 253 250 250 250
37359-238 238 238 198 198 198 6 6 6 38 38 38
37360- 58 58 58 26 26 26 38 38 38 2 2 6
37361- 2 2 6 2 2 6 2 2 6 46 46 46
37362- 78 78 78 30 30 30 10 10 10 0 0 0
37363- 0 0 0 0 0 0 0 0 0 0 0 0
37364- 0 0 0 0 0 0 0 0 0 0 0 0
37365- 0 0 0 0 0 0 0 0 0 0 0 0
37366- 0 0 0 0 0 0 0 0 0 0 0 0
37367- 0 0 0 0 0 0 0 0 0 0 0 0
37368- 0 0 0 0 0 0 0 0 0 0 0 0
37369- 0 0 0 0 0 0 0 0 0 0 0 0
37370- 0 0 0 0 0 0 10 10 10 30 30 30
37371- 74 74 74 58 58 58 2 2 6 42 42 42
37372- 2 2 6 22 22 22 231 231 231 253 253 253
37373-253 253 253 253 253 253 253 253 253 253 253 253
37374-253 253 253 253 253 253 253 253 253 250 250 250
37375-253 253 253 253 253 253 253 253 253 253 253 253
37376-253 253 253 253 253 253 253 253 253 253 253 253
37377-253 253 253 253 253 253 253 253 253 253 253 253
37378-253 253 253 253 253 253 253 253 253 253 253 253
37379-253 253 253 246 246 246 46 46 46 38 38 38
37380- 42 42 42 14 14 14 38 38 38 14 14 14
37381- 2 2 6 2 2 6 2 2 6 6 6 6
37382- 86 86 86 46 46 46 14 14 14 0 0 0
37383- 0 0 0 0 0 0 0 0 0 0 0 0
37384- 0 0 0 0 0 0 0 0 0 0 0 0
37385- 0 0 0 0 0 0 0 0 0 0 0 0
37386- 0 0 0 0 0 0 0 0 0 0 0 0
37387- 0 0 0 0 0 0 0 0 0 0 0 0
37388- 0 0 0 0 0 0 0 0 0 0 0 0
37389- 0 0 0 0 0 0 0 0 0 0 0 0
37390- 0 0 0 6 6 6 14 14 14 42 42 42
37391- 90 90 90 18 18 18 18 18 18 26 26 26
37392- 2 2 6 116 116 116 253 253 253 253 253 253
37393-253 253 253 253 253 253 253 253 253 253 253 253
37394-253 253 253 253 253 253 250 250 250 238 238 238
37395-253 253 253 253 253 253 253 253 253 253 253 253
37396-253 253 253 253 253 253 253 253 253 253 253 253
37397-253 253 253 253 253 253 253 253 253 253 253 253
37398-253 253 253 253 253 253 253 253 253 253 253 253
37399-253 253 253 253 253 253 94 94 94 6 6 6
37400- 2 2 6 2 2 6 10 10 10 34 34 34
37401- 2 2 6 2 2 6 2 2 6 2 2 6
37402- 74 74 74 58 58 58 22 22 22 6 6 6
37403- 0 0 0 0 0 0 0 0 0 0 0 0
37404- 0 0 0 0 0 0 0 0 0 0 0 0
37405- 0 0 0 0 0 0 0 0 0 0 0 0
37406- 0 0 0 0 0 0 0 0 0 0 0 0
37407- 0 0 0 0 0 0 0 0 0 0 0 0
37408- 0 0 0 0 0 0 0 0 0 0 0 0
37409- 0 0 0 0 0 0 0 0 0 0 0 0
37410- 0 0 0 10 10 10 26 26 26 66 66 66
37411- 82 82 82 2 2 6 38 38 38 6 6 6
37412- 14 14 14 210 210 210 253 253 253 253 253 253
37413-253 253 253 253 253 253 253 253 253 253 253 253
37414-253 253 253 253 253 253 246 246 246 242 242 242
37415-253 253 253 253 253 253 253 253 253 253 253 253
37416-253 253 253 253 253 253 253 253 253 253 253 253
37417-253 253 253 253 253 253 253 253 253 253 253 253
37418-253 253 253 253 253 253 253 253 253 253 253 253
37419-253 253 253 253 253 253 144 144 144 2 2 6
37420- 2 2 6 2 2 6 2 2 6 46 46 46
37421- 2 2 6 2 2 6 2 2 6 2 2 6
37422- 42 42 42 74 74 74 30 30 30 10 10 10
37423- 0 0 0 0 0 0 0 0 0 0 0 0
37424- 0 0 0 0 0 0 0 0 0 0 0 0
37425- 0 0 0 0 0 0 0 0 0 0 0 0
37426- 0 0 0 0 0 0 0 0 0 0 0 0
37427- 0 0 0 0 0 0 0 0 0 0 0 0
37428- 0 0 0 0 0 0 0 0 0 0 0 0
37429- 0 0 0 0 0 0 0 0 0 0 0 0
37430- 6 6 6 14 14 14 42 42 42 90 90 90
37431- 26 26 26 6 6 6 42 42 42 2 2 6
37432- 74 74 74 250 250 250 253 253 253 253 253 253
37433-253 253 253 253 253 253 253 253 253 253 253 253
37434-253 253 253 253 253 253 242 242 242 242 242 242
37435-253 253 253 253 253 253 253 253 253 253 253 253
37436-253 253 253 253 253 253 253 253 253 253 253 253
37437-253 253 253 253 253 253 253 253 253 253 253 253
37438-253 253 253 253 253 253 253 253 253 253 253 253
37439-253 253 253 253 253 253 182 182 182 2 2 6
37440- 2 2 6 2 2 6 2 2 6 46 46 46
37441- 2 2 6 2 2 6 2 2 6 2 2 6
37442- 10 10 10 86 86 86 38 38 38 10 10 10
37443- 0 0 0 0 0 0 0 0 0 0 0 0
37444- 0 0 0 0 0 0 0 0 0 0 0 0
37445- 0 0 0 0 0 0 0 0 0 0 0 0
37446- 0 0 0 0 0 0 0 0 0 0 0 0
37447- 0 0 0 0 0 0 0 0 0 0 0 0
37448- 0 0 0 0 0 0 0 0 0 0 0 0
37449- 0 0 0 0 0 0 0 0 0 0 0 0
37450- 10 10 10 26 26 26 66 66 66 82 82 82
37451- 2 2 6 22 22 22 18 18 18 2 2 6
37452-149 149 149 253 253 253 253 253 253 253 253 253
37453-253 253 253 253 253 253 253 253 253 253 253 253
37454-253 253 253 253 253 253 234 234 234 242 242 242
37455-253 253 253 253 253 253 253 253 253 253 253 253
37456-253 253 253 253 253 253 253 253 253 253 253 253
37457-253 253 253 253 253 253 253 253 253 253 253 253
37458-253 253 253 253 253 253 253 253 253 253 253 253
37459-253 253 253 253 253 253 206 206 206 2 2 6
37460- 2 2 6 2 2 6 2 2 6 38 38 38
37461- 2 2 6 2 2 6 2 2 6 2 2 6
37462- 6 6 6 86 86 86 46 46 46 14 14 14
37463- 0 0 0 0 0 0 0 0 0 0 0 0
37464- 0 0 0 0 0 0 0 0 0 0 0 0
37465- 0 0 0 0 0 0 0 0 0 0 0 0
37466- 0 0 0 0 0 0 0 0 0 0 0 0
37467- 0 0 0 0 0 0 0 0 0 0 0 0
37468- 0 0 0 0 0 0 0 0 0 0 0 0
37469- 0 0 0 0 0 0 0 0 0 6 6 6
37470- 18 18 18 46 46 46 86 86 86 18 18 18
37471- 2 2 6 34 34 34 10 10 10 6 6 6
37472-210 210 210 253 253 253 253 253 253 253 253 253
37473-253 253 253 253 253 253 253 253 253 253 253 253
37474-253 253 253 253 253 253 234 234 234 242 242 242
37475-253 253 253 253 253 253 253 253 253 253 253 253
37476-253 253 253 253 253 253 253 253 253 253 253 253
37477-253 253 253 253 253 253 253 253 253 253 253 253
37478-253 253 253 253 253 253 253 253 253 253 253 253
37479-253 253 253 253 253 253 221 221 221 6 6 6
37480- 2 2 6 2 2 6 6 6 6 30 30 30
37481- 2 2 6 2 2 6 2 2 6 2 2 6
37482- 2 2 6 82 82 82 54 54 54 18 18 18
37483- 6 6 6 0 0 0 0 0 0 0 0 0
37484- 0 0 0 0 0 0 0 0 0 0 0 0
37485- 0 0 0 0 0 0 0 0 0 0 0 0
37486- 0 0 0 0 0 0 0 0 0 0 0 0
37487- 0 0 0 0 0 0 0 0 0 0 0 0
37488- 0 0 0 0 0 0 0 0 0 0 0 0
37489- 0 0 0 0 0 0 0 0 0 10 10 10
37490- 26 26 26 66 66 66 62 62 62 2 2 6
37491- 2 2 6 38 38 38 10 10 10 26 26 26
37492-238 238 238 253 253 253 253 253 253 253 253 253
37493-253 253 253 253 253 253 253 253 253 253 253 253
37494-253 253 253 253 253 253 231 231 231 238 238 238
37495-253 253 253 253 253 253 253 253 253 253 253 253
37496-253 253 253 253 253 253 253 253 253 253 253 253
37497-253 253 253 253 253 253 253 253 253 253 253 253
37498-253 253 253 253 253 253 253 253 253 253 253 253
37499-253 253 253 253 253 253 231 231 231 6 6 6
37500- 2 2 6 2 2 6 10 10 10 30 30 30
37501- 2 2 6 2 2 6 2 2 6 2 2 6
37502- 2 2 6 66 66 66 58 58 58 22 22 22
37503- 6 6 6 0 0 0 0 0 0 0 0 0
37504- 0 0 0 0 0 0 0 0 0 0 0 0
37505- 0 0 0 0 0 0 0 0 0 0 0 0
37506- 0 0 0 0 0 0 0 0 0 0 0 0
37507- 0 0 0 0 0 0 0 0 0 0 0 0
37508- 0 0 0 0 0 0 0 0 0 0 0 0
37509- 0 0 0 0 0 0 0 0 0 10 10 10
37510- 38 38 38 78 78 78 6 6 6 2 2 6
37511- 2 2 6 46 46 46 14 14 14 42 42 42
37512-246 246 246 253 253 253 253 253 253 253 253 253
37513-253 253 253 253 253 253 253 253 253 253 253 253
37514-253 253 253 253 253 253 231 231 231 242 242 242
37515-253 253 253 253 253 253 253 253 253 253 253 253
37516-253 253 253 253 253 253 253 253 253 253 253 253
37517-253 253 253 253 253 253 253 253 253 253 253 253
37518-253 253 253 253 253 253 253 253 253 253 253 253
37519-253 253 253 253 253 253 234 234 234 10 10 10
37520- 2 2 6 2 2 6 22 22 22 14 14 14
37521- 2 2 6 2 2 6 2 2 6 2 2 6
37522- 2 2 6 66 66 66 62 62 62 22 22 22
37523- 6 6 6 0 0 0 0 0 0 0 0 0
37524- 0 0 0 0 0 0 0 0 0 0 0 0
37525- 0 0 0 0 0 0 0 0 0 0 0 0
37526- 0 0 0 0 0 0 0 0 0 0 0 0
37527- 0 0 0 0 0 0 0 0 0 0 0 0
37528- 0 0 0 0 0 0 0 0 0 0 0 0
37529- 0 0 0 0 0 0 6 6 6 18 18 18
37530- 50 50 50 74 74 74 2 2 6 2 2 6
37531- 14 14 14 70 70 70 34 34 34 62 62 62
37532-250 250 250 253 253 253 253 253 253 253 253 253
37533-253 253 253 253 253 253 253 253 253 253 253 253
37534-253 253 253 253 253 253 231 231 231 246 246 246
37535-253 253 253 253 253 253 253 253 253 253 253 253
37536-253 253 253 253 253 253 253 253 253 253 253 253
37537-253 253 253 253 253 253 253 253 253 253 253 253
37538-253 253 253 253 253 253 253 253 253 253 253 253
37539-253 253 253 253 253 253 234 234 234 14 14 14
37540- 2 2 6 2 2 6 30 30 30 2 2 6
37541- 2 2 6 2 2 6 2 2 6 2 2 6
37542- 2 2 6 66 66 66 62 62 62 22 22 22
37543- 6 6 6 0 0 0 0 0 0 0 0 0
37544- 0 0 0 0 0 0 0 0 0 0 0 0
37545- 0 0 0 0 0 0 0 0 0 0 0 0
37546- 0 0 0 0 0 0 0 0 0 0 0 0
37547- 0 0 0 0 0 0 0 0 0 0 0 0
37548- 0 0 0 0 0 0 0 0 0 0 0 0
37549- 0 0 0 0 0 0 6 6 6 18 18 18
37550- 54 54 54 62 62 62 2 2 6 2 2 6
37551- 2 2 6 30 30 30 46 46 46 70 70 70
37552-250 250 250 253 253 253 253 253 253 253 253 253
37553-253 253 253 253 253 253 253 253 253 253 253 253
37554-253 253 253 253 253 253 231 231 231 246 246 246
37555-253 253 253 253 253 253 253 253 253 253 253 253
37556-253 253 253 253 253 253 253 253 253 253 253 253
37557-253 253 253 253 253 253 253 253 253 253 253 253
37558-253 253 253 253 253 253 253 253 253 253 253 253
37559-253 253 253 253 253 253 226 226 226 10 10 10
37560- 2 2 6 6 6 6 30 30 30 2 2 6
37561- 2 2 6 2 2 6 2 2 6 2 2 6
37562- 2 2 6 66 66 66 58 58 58 22 22 22
37563- 6 6 6 0 0 0 0 0 0 0 0 0
37564- 0 0 0 0 0 0 0 0 0 0 0 0
37565- 0 0 0 0 0 0 0 0 0 0 0 0
37566- 0 0 0 0 0 0 0 0 0 0 0 0
37567- 0 0 0 0 0 0 0 0 0 0 0 0
37568- 0 0 0 0 0 0 0 0 0 0 0 0
37569- 0 0 0 0 0 0 6 6 6 22 22 22
37570- 58 58 58 62 62 62 2 2 6 2 2 6
37571- 2 2 6 2 2 6 30 30 30 78 78 78
37572-250 250 250 253 253 253 253 253 253 253 253 253
37573-253 253 253 253 253 253 253 253 253 253 253 253
37574-253 253 253 253 253 253 231 231 231 246 246 246
37575-253 253 253 253 253 253 253 253 253 253 253 253
37576-253 253 253 253 253 253 253 253 253 253 253 253
37577-253 253 253 253 253 253 253 253 253 253 253 253
37578-253 253 253 253 253 253 253 253 253 253 253 253
37579-253 253 253 253 253 253 206 206 206 2 2 6
37580- 22 22 22 34 34 34 18 14 6 22 22 22
37581- 26 26 26 18 18 18 6 6 6 2 2 6
37582- 2 2 6 82 82 82 54 54 54 18 18 18
37583- 6 6 6 0 0 0 0 0 0 0 0 0
37584- 0 0 0 0 0 0 0 0 0 0 0 0
37585- 0 0 0 0 0 0 0 0 0 0 0 0
37586- 0 0 0 0 0 0 0 0 0 0 0 0
37587- 0 0 0 0 0 0 0 0 0 0 0 0
37588- 0 0 0 0 0 0 0 0 0 0 0 0
37589- 0 0 0 0 0 0 6 6 6 26 26 26
37590- 62 62 62 106 106 106 74 54 14 185 133 11
37591-210 162 10 121 92 8 6 6 6 62 62 62
37592-238 238 238 253 253 253 253 253 253 253 253 253
37593-253 253 253 253 253 253 253 253 253 253 253 253
37594-253 253 253 253 253 253 231 231 231 246 246 246
37595-253 253 253 253 253 253 253 253 253 253 253 253
37596-253 253 253 253 253 253 253 253 253 253 253 253
37597-253 253 253 253 253 253 253 253 253 253 253 253
37598-253 253 253 253 253 253 253 253 253 253 253 253
37599-253 253 253 253 253 253 158 158 158 18 18 18
37600- 14 14 14 2 2 6 2 2 6 2 2 6
37601- 6 6 6 18 18 18 66 66 66 38 38 38
37602- 6 6 6 94 94 94 50 50 50 18 18 18
37603- 6 6 6 0 0 0 0 0 0 0 0 0
37604- 0 0 0 0 0 0 0 0 0 0 0 0
37605- 0 0 0 0 0 0 0 0 0 0 0 0
37606- 0 0 0 0 0 0 0 0 0 0 0 0
37607- 0 0 0 0 0 0 0 0 0 0 0 0
37608- 0 0 0 0 0 0 0 0 0 6 6 6
37609- 10 10 10 10 10 10 18 18 18 38 38 38
37610- 78 78 78 142 134 106 216 158 10 242 186 14
37611-246 190 14 246 190 14 156 118 10 10 10 10
37612- 90 90 90 238 238 238 253 253 253 253 253 253
37613-253 253 253 253 253 253 253 253 253 253 253 253
37614-253 253 253 253 253 253 231 231 231 250 250 250
37615-253 253 253 253 253 253 253 253 253 253 253 253
37616-253 253 253 253 253 253 253 253 253 253 253 253
37617-253 253 253 253 253 253 253 253 253 253 253 253
37618-253 253 253 253 253 253 253 253 253 246 230 190
37619-238 204 91 238 204 91 181 142 44 37 26 9
37620- 2 2 6 2 2 6 2 2 6 2 2 6
37621- 2 2 6 2 2 6 38 38 38 46 46 46
37622- 26 26 26 106 106 106 54 54 54 18 18 18
37623- 6 6 6 0 0 0 0 0 0 0 0 0
37624- 0 0 0 0 0 0 0 0 0 0 0 0
37625- 0 0 0 0 0 0 0 0 0 0 0 0
37626- 0 0 0 0 0 0 0 0 0 0 0 0
37627- 0 0 0 0 0 0 0 0 0 0 0 0
37628- 0 0 0 6 6 6 14 14 14 22 22 22
37629- 30 30 30 38 38 38 50 50 50 70 70 70
37630-106 106 106 190 142 34 226 170 11 242 186 14
37631-246 190 14 246 190 14 246 190 14 154 114 10
37632- 6 6 6 74 74 74 226 226 226 253 253 253
37633-253 253 253 253 253 253 253 253 253 253 253 253
37634-253 253 253 253 253 253 231 231 231 250 250 250
37635-253 253 253 253 253 253 253 253 253 253 253 253
37636-253 253 253 253 253 253 253 253 253 253 253 253
37637-253 253 253 253 253 253 253 253 253 253 253 253
37638-253 253 253 253 253 253 253 253 253 228 184 62
37639-241 196 14 241 208 19 232 195 16 38 30 10
37640- 2 2 6 2 2 6 2 2 6 2 2 6
37641- 2 2 6 6 6 6 30 30 30 26 26 26
37642-203 166 17 154 142 90 66 66 66 26 26 26
37643- 6 6 6 0 0 0 0 0 0 0 0 0
37644- 0 0 0 0 0 0 0 0 0 0 0 0
37645- 0 0 0 0 0 0 0 0 0 0 0 0
37646- 0 0 0 0 0 0 0 0 0 0 0 0
37647- 0 0 0 0 0 0 0 0 0 0 0 0
37648- 6 6 6 18 18 18 38 38 38 58 58 58
37649- 78 78 78 86 86 86 101 101 101 123 123 123
37650-175 146 61 210 150 10 234 174 13 246 186 14
37651-246 190 14 246 190 14 246 190 14 238 190 10
37652-102 78 10 2 2 6 46 46 46 198 198 198
37653-253 253 253 253 253 253 253 253 253 253 253 253
37654-253 253 253 253 253 253 234 234 234 242 242 242
37655-253 253 253 253 253 253 253 253 253 253 253 253
37656-253 253 253 253 253 253 253 253 253 253 253 253
37657-253 253 253 253 253 253 253 253 253 253 253 253
37658-253 253 253 253 253 253 253 253 253 224 178 62
37659-242 186 14 241 196 14 210 166 10 22 18 6
37660- 2 2 6 2 2 6 2 2 6 2 2 6
37661- 2 2 6 2 2 6 6 6 6 121 92 8
37662-238 202 15 232 195 16 82 82 82 34 34 34
37663- 10 10 10 0 0 0 0 0 0 0 0 0
37664- 0 0 0 0 0 0 0 0 0 0 0 0
37665- 0 0 0 0 0 0 0 0 0 0 0 0
37666- 0 0 0 0 0 0 0 0 0 0 0 0
37667- 0 0 0 0 0 0 0 0 0 0 0 0
37668- 14 14 14 38 38 38 70 70 70 154 122 46
37669-190 142 34 200 144 11 197 138 11 197 138 11
37670-213 154 11 226 170 11 242 186 14 246 190 14
37671-246 190 14 246 190 14 246 190 14 246 190 14
37672-225 175 15 46 32 6 2 2 6 22 22 22
37673-158 158 158 250 250 250 253 253 253 253 253 253
37674-253 253 253 253 253 253 253 253 253 253 253 253
37675-253 253 253 253 253 253 253 253 253 253 253 253
37676-253 253 253 253 253 253 253 253 253 253 253 253
37677-253 253 253 253 253 253 253 253 253 253 253 253
37678-253 253 253 250 250 250 242 242 242 224 178 62
37679-239 182 13 236 186 11 213 154 11 46 32 6
37680- 2 2 6 2 2 6 2 2 6 2 2 6
37681- 2 2 6 2 2 6 61 42 6 225 175 15
37682-238 190 10 236 186 11 112 100 78 42 42 42
37683- 14 14 14 0 0 0 0 0 0 0 0 0
37684- 0 0 0 0 0 0 0 0 0 0 0 0
37685- 0 0 0 0 0 0 0 0 0 0 0 0
37686- 0 0 0 0 0 0 0 0 0 0 0 0
37687- 0 0 0 0 0 0 0 0 0 6 6 6
37688- 22 22 22 54 54 54 154 122 46 213 154 11
37689-226 170 11 230 174 11 226 170 11 226 170 11
37690-236 178 12 242 186 14 246 190 14 246 190 14
37691-246 190 14 246 190 14 246 190 14 246 190 14
37692-241 196 14 184 144 12 10 10 10 2 2 6
37693- 6 6 6 116 116 116 242 242 242 253 253 253
37694-253 253 253 253 253 253 253 253 253 253 253 253
37695-253 253 253 253 253 253 253 253 253 253 253 253
37696-253 253 253 253 253 253 253 253 253 253 253 253
37697-253 253 253 253 253 253 253 253 253 253 253 253
37698-253 253 253 231 231 231 198 198 198 214 170 54
37699-236 178 12 236 178 12 210 150 10 137 92 6
37700- 18 14 6 2 2 6 2 2 6 2 2 6
37701- 6 6 6 70 47 6 200 144 11 236 178 12
37702-239 182 13 239 182 13 124 112 88 58 58 58
37703- 22 22 22 6 6 6 0 0 0 0 0 0
37704- 0 0 0 0 0 0 0 0 0 0 0 0
37705- 0 0 0 0 0 0 0 0 0 0 0 0
37706- 0 0 0 0 0 0 0 0 0 0 0 0
37707- 0 0 0 0 0 0 0 0 0 10 10 10
37708- 30 30 30 70 70 70 180 133 36 226 170 11
37709-239 182 13 242 186 14 242 186 14 246 186 14
37710-246 190 14 246 190 14 246 190 14 246 190 14
37711-246 190 14 246 190 14 246 190 14 246 190 14
37712-246 190 14 232 195 16 98 70 6 2 2 6
37713- 2 2 6 2 2 6 66 66 66 221 221 221
37714-253 253 253 253 253 253 253 253 253 253 253 253
37715-253 253 253 253 253 253 253 253 253 253 253 253
37716-253 253 253 253 253 253 253 253 253 253 253 253
37717-253 253 253 253 253 253 253 253 253 253 253 253
37718-253 253 253 206 206 206 198 198 198 214 166 58
37719-230 174 11 230 174 11 216 158 10 192 133 9
37720-163 110 8 116 81 8 102 78 10 116 81 8
37721-167 114 7 197 138 11 226 170 11 239 182 13
37722-242 186 14 242 186 14 162 146 94 78 78 78
37723- 34 34 34 14 14 14 6 6 6 0 0 0
37724- 0 0 0 0 0 0 0 0 0 0 0 0
37725- 0 0 0 0 0 0 0 0 0 0 0 0
37726- 0 0 0 0 0 0 0 0 0 0 0 0
37727- 0 0 0 0 0 0 0 0 0 6 6 6
37728- 30 30 30 78 78 78 190 142 34 226 170 11
37729-239 182 13 246 190 14 246 190 14 246 190 14
37730-246 190 14 246 190 14 246 190 14 246 190 14
37731-246 190 14 246 190 14 246 190 14 246 190 14
37732-246 190 14 241 196 14 203 166 17 22 18 6
37733- 2 2 6 2 2 6 2 2 6 38 38 38
37734-218 218 218 253 253 253 253 253 253 253 253 253
37735-253 253 253 253 253 253 253 253 253 253 253 253
37736-253 253 253 253 253 253 253 253 253 253 253 253
37737-253 253 253 253 253 253 253 253 253 253 253 253
37738-250 250 250 206 206 206 198 198 198 202 162 69
37739-226 170 11 236 178 12 224 166 10 210 150 10
37740-200 144 11 197 138 11 192 133 9 197 138 11
37741-210 150 10 226 170 11 242 186 14 246 190 14
37742-246 190 14 246 186 14 225 175 15 124 112 88
37743- 62 62 62 30 30 30 14 14 14 6 6 6
37744- 0 0 0 0 0 0 0 0 0 0 0 0
37745- 0 0 0 0 0 0 0 0 0 0 0 0
37746- 0 0 0 0 0 0 0 0 0 0 0 0
37747- 0 0 0 0 0 0 0 0 0 10 10 10
37748- 30 30 30 78 78 78 174 135 50 224 166 10
37749-239 182 13 246 190 14 246 190 14 246 190 14
37750-246 190 14 246 190 14 246 190 14 246 190 14
37751-246 190 14 246 190 14 246 190 14 246 190 14
37752-246 190 14 246 190 14 241 196 14 139 102 15
37753- 2 2 6 2 2 6 2 2 6 2 2 6
37754- 78 78 78 250 250 250 253 253 253 253 253 253
37755-253 253 253 253 253 253 253 253 253 253 253 253
37756-253 253 253 253 253 253 253 253 253 253 253 253
37757-253 253 253 253 253 253 253 253 253 253 253 253
37758-250 250 250 214 214 214 198 198 198 190 150 46
37759-219 162 10 236 178 12 234 174 13 224 166 10
37760-216 158 10 213 154 11 213 154 11 216 158 10
37761-226 170 11 239 182 13 246 190 14 246 190 14
37762-246 190 14 246 190 14 242 186 14 206 162 42
37763-101 101 101 58 58 58 30 30 30 14 14 14
37764- 6 6 6 0 0 0 0 0 0 0 0 0
37765- 0 0 0 0 0 0 0 0 0 0 0 0
37766- 0 0 0 0 0 0 0 0 0 0 0 0
37767- 0 0 0 0 0 0 0 0 0 10 10 10
37768- 30 30 30 74 74 74 174 135 50 216 158 10
37769-236 178 12 246 190 14 246 190 14 246 190 14
37770-246 190 14 246 190 14 246 190 14 246 190 14
37771-246 190 14 246 190 14 246 190 14 246 190 14
37772-246 190 14 246 190 14 241 196 14 226 184 13
37773- 61 42 6 2 2 6 2 2 6 2 2 6
37774- 22 22 22 238 238 238 253 253 253 253 253 253
37775-253 253 253 253 253 253 253 253 253 253 253 253
37776-253 253 253 253 253 253 253 253 253 253 253 253
37777-253 253 253 253 253 253 253 253 253 253 253 253
37778-253 253 253 226 226 226 187 187 187 180 133 36
37779-216 158 10 236 178 12 239 182 13 236 178 12
37780-230 174 11 226 170 11 226 170 11 230 174 11
37781-236 178 12 242 186 14 246 190 14 246 190 14
37782-246 190 14 246 190 14 246 186 14 239 182 13
37783-206 162 42 106 106 106 66 66 66 34 34 34
37784- 14 14 14 6 6 6 0 0 0 0 0 0
37785- 0 0 0 0 0 0 0 0 0 0 0 0
37786- 0 0 0 0 0 0 0 0 0 0 0 0
37787- 0 0 0 0 0 0 0 0 0 6 6 6
37788- 26 26 26 70 70 70 163 133 67 213 154 11
37789-236 178 12 246 190 14 246 190 14 246 190 14
37790-246 190 14 246 190 14 246 190 14 246 190 14
37791-246 190 14 246 190 14 246 190 14 246 190 14
37792-246 190 14 246 190 14 246 190 14 241 196 14
37793-190 146 13 18 14 6 2 2 6 2 2 6
37794- 46 46 46 246 246 246 253 253 253 253 253 253
37795-253 253 253 253 253 253 253 253 253 253 253 253
37796-253 253 253 253 253 253 253 253 253 253 253 253
37797-253 253 253 253 253 253 253 253 253 253 253 253
37798-253 253 253 221 221 221 86 86 86 156 107 11
37799-216 158 10 236 178 12 242 186 14 246 186 14
37800-242 186 14 239 182 13 239 182 13 242 186 14
37801-242 186 14 246 186 14 246 190 14 246 190 14
37802-246 190 14 246 190 14 246 190 14 246 190 14
37803-242 186 14 225 175 15 142 122 72 66 66 66
37804- 30 30 30 10 10 10 0 0 0 0 0 0
37805- 0 0 0 0 0 0 0 0 0 0 0 0
37806- 0 0 0 0 0 0 0 0 0 0 0 0
37807- 0 0 0 0 0 0 0 0 0 6 6 6
37808- 26 26 26 70 70 70 163 133 67 210 150 10
37809-236 178 12 246 190 14 246 190 14 246 190 14
37810-246 190 14 246 190 14 246 190 14 246 190 14
37811-246 190 14 246 190 14 246 190 14 246 190 14
37812-246 190 14 246 190 14 246 190 14 246 190 14
37813-232 195 16 121 92 8 34 34 34 106 106 106
37814-221 221 221 253 253 253 253 253 253 253 253 253
37815-253 253 253 253 253 253 253 253 253 253 253 253
37816-253 253 253 253 253 253 253 253 253 253 253 253
37817-253 253 253 253 253 253 253 253 253 253 253 253
37818-242 242 242 82 82 82 18 14 6 163 110 8
37819-216 158 10 236 178 12 242 186 14 246 190 14
37820-246 190 14 246 190 14 246 190 14 246 190 14
37821-246 190 14 246 190 14 246 190 14 246 190 14
37822-246 190 14 246 190 14 246 190 14 246 190 14
37823-246 190 14 246 190 14 242 186 14 163 133 67
37824- 46 46 46 18 18 18 6 6 6 0 0 0
37825- 0 0 0 0 0 0 0 0 0 0 0 0
37826- 0 0 0 0 0 0 0 0 0 0 0 0
37827- 0 0 0 0 0 0 0 0 0 10 10 10
37828- 30 30 30 78 78 78 163 133 67 210 150 10
37829-236 178 12 246 186 14 246 190 14 246 190 14
37830-246 190 14 246 190 14 246 190 14 246 190 14
37831-246 190 14 246 190 14 246 190 14 246 190 14
37832-246 190 14 246 190 14 246 190 14 246 190 14
37833-241 196 14 215 174 15 190 178 144 253 253 253
37834-253 253 253 253 253 253 253 253 253 253 253 253
37835-253 253 253 253 253 253 253 253 253 253 253 253
37836-253 253 253 253 253 253 253 253 253 253 253 253
37837-253 253 253 253 253 253 253 253 253 218 218 218
37838- 58 58 58 2 2 6 22 18 6 167 114 7
37839-216 158 10 236 178 12 246 186 14 246 190 14
37840-246 190 14 246 190 14 246 190 14 246 190 14
37841-246 190 14 246 190 14 246 190 14 246 190 14
37842-246 190 14 246 190 14 246 190 14 246 190 14
37843-246 190 14 246 186 14 242 186 14 190 150 46
37844- 54 54 54 22 22 22 6 6 6 0 0 0
37845- 0 0 0 0 0 0 0 0 0 0 0 0
37846- 0 0 0 0 0 0 0 0 0 0 0 0
37847- 0 0 0 0 0 0 0 0 0 14 14 14
37848- 38 38 38 86 86 86 180 133 36 213 154 11
37849-236 178 12 246 186 14 246 190 14 246 190 14
37850-246 190 14 246 190 14 246 190 14 246 190 14
37851-246 190 14 246 190 14 246 190 14 246 190 14
37852-246 190 14 246 190 14 246 190 14 246 190 14
37853-246 190 14 232 195 16 190 146 13 214 214 214
37854-253 253 253 253 253 253 253 253 253 253 253 253
37855-253 253 253 253 253 253 253 253 253 253 253 253
37856-253 253 253 253 253 253 253 253 253 253 253 253
37857-253 253 253 250 250 250 170 170 170 26 26 26
37858- 2 2 6 2 2 6 37 26 9 163 110 8
37859-219 162 10 239 182 13 246 186 14 246 190 14
37860-246 190 14 246 190 14 246 190 14 246 190 14
37861-246 190 14 246 190 14 246 190 14 246 190 14
37862-246 190 14 246 190 14 246 190 14 246 190 14
37863-246 186 14 236 178 12 224 166 10 142 122 72
37864- 46 46 46 18 18 18 6 6 6 0 0 0
37865- 0 0 0 0 0 0 0 0 0 0 0 0
37866- 0 0 0 0 0 0 0 0 0 0 0 0
37867- 0 0 0 0 0 0 6 6 6 18 18 18
37868- 50 50 50 109 106 95 192 133 9 224 166 10
37869-242 186 14 246 190 14 246 190 14 246 190 14
37870-246 190 14 246 190 14 246 190 14 246 190 14
37871-246 190 14 246 190 14 246 190 14 246 190 14
37872-246 190 14 246 190 14 246 190 14 246 190 14
37873-242 186 14 226 184 13 210 162 10 142 110 46
37874-226 226 226 253 253 253 253 253 253 253 253 253
37875-253 253 253 253 253 253 253 253 253 253 253 253
37876-253 253 253 253 253 253 253 253 253 253 253 253
37877-198 198 198 66 66 66 2 2 6 2 2 6
37878- 2 2 6 2 2 6 50 34 6 156 107 11
37879-219 162 10 239 182 13 246 186 14 246 190 14
37880-246 190 14 246 190 14 246 190 14 246 190 14
37881-246 190 14 246 190 14 246 190 14 246 190 14
37882-246 190 14 246 190 14 246 190 14 242 186 14
37883-234 174 13 213 154 11 154 122 46 66 66 66
37884- 30 30 30 10 10 10 0 0 0 0 0 0
37885- 0 0 0 0 0 0 0 0 0 0 0 0
37886- 0 0 0 0 0 0 0 0 0 0 0 0
37887- 0 0 0 0 0 0 6 6 6 22 22 22
37888- 58 58 58 154 121 60 206 145 10 234 174 13
37889-242 186 14 246 186 14 246 190 14 246 190 14
37890-246 190 14 246 190 14 246 190 14 246 190 14
37891-246 190 14 246 190 14 246 190 14 246 190 14
37892-246 190 14 246 190 14 246 190 14 246 190 14
37893-246 186 14 236 178 12 210 162 10 163 110 8
37894- 61 42 6 138 138 138 218 218 218 250 250 250
37895-253 253 253 253 253 253 253 253 253 250 250 250
37896-242 242 242 210 210 210 144 144 144 66 66 66
37897- 6 6 6 2 2 6 2 2 6 2 2 6
37898- 2 2 6 2 2 6 61 42 6 163 110 8
37899-216 158 10 236 178 12 246 190 14 246 190 14
37900-246 190 14 246 190 14 246 190 14 246 190 14
37901-246 190 14 246 190 14 246 190 14 246 190 14
37902-246 190 14 239 182 13 230 174 11 216 158 10
37903-190 142 34 124 112 88 70 70 70 38 38 38
37904- 18 18 18 6 6 6 0 0 0 0 0 0
37905- 0 0 0 0 0 0 0 0 0 0 0 0
37906- 0 0 0 0 0 0 0 0 0 0 0 0
37907- 0 0 0 0 0 0 6 6 6 22 22 22
37908- 62 62 62 168 124 44 206 145 10 224 166 10
37909-236 178 12 239 182 13 242 186 14 242 186 14
37910-246 186 14 246 190 14 246 190 14 246 190 14
37911-246 190 14 246 190 14 246 190 14 246 190 14
37912-246 190 14 246 190 14 246 190 14 246 190 14
37913-246 190 14 236 178 12 216 158 10 175 118 6
37914- 80 54 7 2 2 6 6 6 6 30 30 30
37915- 54 54 54 62 62 62 50 50 50 38 38 38
37916- 14 14 14 2 2 6 2 2 6 2 2 6
37917- 2 2 6 2 2 6 2 2 6 2 2 6
37918- 2 2 6 6 6 6 80 54 7 167 114 7
37919-213 154 11 236 178 12 246 190 14 246 190 14
37920-246 190 14 246 190 14 246 190 14 246 190 14
37921-246 190 14 242 186 14 239 182 13 239 182 13
37922-230 174 11 210 150 10 174 135 50 124 112 88
37923- 82 82 82 54 54 54 34 34 34 18 18 18
37924- 6 6 6 0 0 0 0 0 0 0 0 0
37925- 0 0 0 0 0 0 0 0 0 0 0 0
37926- 0 0 0 0 0 0 0 0 0 0 0 0
37927- 0 0 0 0 0 0 6 6 6 18 18 18
37928- 50 50 50 158 118 36 192 133 9 200 144 11
37929-216 158 10 219 162 10 224 166 10 226 170 11
37930-230 174 11 236 178 12 239 182 13 239 182 13
37931-242 186 14 246 186 14 246 190 14 246 190 14
37932-246 190 14 246 190 14 246 190 14 246 190 14
37933-246 186 14 230 174 11 210 150 10 163 110 8
37934-104 69 6 10 10 10 2 2 6 2 2 6
37935- 2 2 6 2 2 6 2 2 6 2 2 6
37936- 2 2 6 2 2 6 2 2 6 2 2 6
37937- 2 2 6 2 2 6 2 2 6 2 2 6
37938- 2 2 6 6 6 6 91 60 6 167 114 7
37939-206 145 10 230 174 11 242 186 14 246 190 14
37940-246 190 14 246 190 14 246 186 14 242 186 14
37941-239 182 13 230 174 11 224 166 10 213 154 11
37942-180 133 36 124 112 88 86 86 86 58 58 58
37943- 38 38 38 22 22 22 10 10 10 6 6 6
37944- 0 0 0 0 0 0 0 0 0 0 0 0
37945- 0 0 0 0 0 0 0 0 0 0 0 0
37946- 0 0 0 0 0 0 0 0 0 0 0 0
37947- 0 0 0 0 0 0 0 0 0 14 14 14
37948- 34 34 34 70 70 70 138 110 50 158 118 36
37949-167 114 7 180 123 7 192 133 9 197 138 11
37950-200 144 11 206 145 10 213 154 11 219 162 10
37951-224 166 10 230 174 11 239 182 13 242 186 14
37952-246 186 14 246 186 14 246 186 14 246 186 14
37953-239 182 13 216 158 10 185 133 11 152 99 6
37954-104 69 6 18 14 6 2 2 6 2 2 6
37955- 2 2 6 2 2 6 2 2 6 2 2 6
37956- 2 2 6 2 2 6 2 2 6 2 2 6
37957- 2 2 6 2 2 6 2 2 6 2 2 6
37958- 2 2 6 6 6 6 80 54 7 152 99 6
37959-192 133 9 219 162 10 236 178 12 239 182 13
37960-246 186 14 242 186 14 239 182 13 236 178 12
37961-224 166 10 206 145 10 192 133 9 154 121 60
37962- 94 94 94 62 62 62 42 42 42 22 22 22
37963- 14 14 14 6 6 6 0 0 0 0 0 0
37964- 0 0 0 0 0 0 0 0 0 0 0 0
37965- 0 0 0 0 0 0 0 0 0 0 0 0
37966- 0 0 0 0 0 0 0 0 0 0 0 0
37967- 0 0 0 0 0 0 0 0 0 6 6 6
37968- 18 18 18 34 34 34 58 58 58 78 78 78
37969-101 98 89 124 112 88 142 110 46 156 107 11
37970-163 110 8 167 114 7 175 118 6 180 123 7
37971-185 133 11 197 138 11 210 150 10 219 162 10
37972-226 170 11 236 178 12 236 178 12 234 174 13
37973-219 162 10 197 138 11 163 110 8 130 83 6
37974- 91 60 6 10 10 10 2 2 6 2 2 6
37975- 18 18 18 38 38 38 38 38 38 38 38 38
37976- 38 38 38 38 38 38 38 38 38 38 38 38
37977- 38 38 38 38 38 38 26 26 26 2 2 6
37978- 2 2 6 6 6 6 70 47 6 137 92 6
37979-175 118 6 200 144 11 219 162 10 230 174 11
37980-234 174 13 230 174 11 219 162 10 210 150 10
37981-192 133 9 163 110 8 124 112 88 82 82 82
37982- 50 50 50 30 30 30 14 14 14 6 6 6
37983- 0 0 0 0 0 0 0 0 0 0 0 0
37984- 0 0 0 0 0 0 0 0 0 0 0 0
37985- 0 0 0 0 0 0 0 0 0 0 0 0
37986- 0 0 0 0 0 0 0 0 0 0 0 0
37987- 0 0 0 0 0 0 0 0 0 0 0 0
37988- 6 6 6 14 14 14 22 22 22 34 34 34
37989- 42 42 42 58 58 58 74 74 74 86 86 86
37990-101 98 89 122 102 70 130 98 46 121 87 25
37991-137 92 6 152 99 6 163 110 8 180 123 7
37992-185 133 11 197 138 11 206 145 10 200 144 11
37993-180 123 7 156 107 11 130 83 6 104 69 6
37994- 50 34 6 54 54 54 110 110 110 101 98 89
37995- 86 86 86 82 82 82 78 78 78 78 78 78
37996- 78 78 78 78 78 78 78 78 78 78 78 78
37997- 78 78 78 82 82 82 86 86 86 94 94 94
37998-106 106 106 101 101 101 86 66 34 124 80 6
37999-156 107 11 180 123 7 192 133 9 200 144 11
38000-206 145 10 200 144 11 192 133 9 175 118 6
38001-139 102 15 109 106 95 70 70 70 42 42 42
38002- 22 22 22 10 10 10 0 0 0 0 0 0
38003- 0 0 0 0 0 0 0 0 0 0 0 0
38004- 0 0 0 0 0 0 0 0 0 0 0 0
38005- 0 0 0 0 0 0 0 0 0 0 0 0
38006- 0 0 0 0 0 0 0 0 0 0 0 0
38007- 0 0 0 0 0 0 0 0 0 0 0 0
38008- 0 0 0 0 0 0 6 6 6 10 10 10
38009- 14 14 14 22 22 22 30 30 30 38 38 38
38010- 50 50 50 62 62 62 74 74 74 90 90 90
38011-101 98 89 112 100 78 121 87 25 124 80 6
38012-137 92 6 152 99 6 152 99 6 152 99 6
38013-138 86 6 124 80 6 98 70 6 86 66 30
38014-101 98 89 82 82 82 58 58 58 46 46 46
38015- 38 38 38 34 34 34 34 34 34 34 34 34
38016- 34 34 34 34 34 34 34 34 34 34 34 34
38017- 34 34 34 34 34 34 38 38 38 42 42 42
38018- 54 54 54 82 82 82 94 86 76 91 60 6
38019-134 86 6 156 107 11 167 114 7 175 118 6
38020-175 118 6 167 114 7 152 99 6 121 87 25
38021-101 98 89 62 62 62 34 34 34 18 18 18
38022- 6 6 6 0 0 0 0 0 0 0 0 0
38023- 0 0 0 0 0 0 0 0 0 0 0 0
38024- 0 0 0 0 0 0 0 0 0 0 0 0
38025- 0 0 0 0 0 0 0 0 0 0 0 0
38026- 0 0 0 0 0 0 0 0 0 0 0 0
38027- 0 0 0 0 0 0 0 0 0 0 0 0
38028- 0 0 0 0 0 0 0 0 0 0 0 0
38029- 0 0 0 6 6 6 6 6 6 10 10 10
38030- 18 18 18 22 22 22 30 30 30 42 42 42
38031- 50 50 50 66 66 66 86 86 86 101 98 89
38032-106 86 58 98 70 6 104 69 6 104 69 6
38033-104 69 6 91 60 6 82 62 34 90 90 90
38034- 62 62 62 38 38 38 22 22 22 14 14 14
38035- 10 10 10 10 10 10 10 10 10 10 10 10
38036- 10 10 10 10 10 10 6 6 6 10 10 10
38037- 10 10 10 10 10 10 10 10 10 14 14 14
38038- 22 22 22 42 42 42 70 70 70 89 81 66
38039- 80 54 7 104 69 6 124 80 6 137 92 6
38040-134 86 6 116 81 8 100 82 52 86 86 86
38041- 58 58 58 30 30 30 14 14 14 6 6 6
38042- 0 0 0 0 0 0 0 0 0 0 0 0
38043- 0 0 0 0 0 0 0 0 0 0 0 0
38044- 0 0 0 0 0 0 0 0 0 0 0 0
38045- 0 0 0 0 0 0 0 0 0 0 0 0
38046- 0 0 0 0 0 0 0 0 0 0 0 0
38047- 0 0 0 0 0 0 0 0 0 0 0 0
38048- 0 0 0 0 0 0 0 0 0 0 0 0
38049- 0 0 0 0 0 0 0 0 0 0 0 0
38050- 0 0 0 6 6 6 10 10 10 14 14 14
38051- 18 18 18 26 26 26 38 38 38 54 54 54
38052- 70 70 70 86 86 86 94 86 76 89 81 66
38053- 89 81 66 86 86 86 74 74 74 50 50 50
38054- 30 30 30 14 14 14 6 6 6 0 0 0
38055- 0 0 0 0 0 0 0 0 0 0 0 0
38056- 0 0 0 0 0 0 0 0 0 0 0 0
38057- 0 0 0 0 0 0 0 0 0 0 0 0
38058- 6 6 6 18 18 18 34 34 34 58 58 58
38059- 82 82 82 89 81 66 89 81 66 89 81 66
38060- 94 86 66 94 86 76 74 74 74 50 50 50
38061- 26 26 26 14 14 14 6 6 6 0 0 0
38062- 0 0 0 0 0 0 0 0 0 0 0 0
38063- 0 0 0 0 0 0 0 0 0 0 0 0
38064- 0 0 0 0 0 0 0 0 0 0 0 0
38065- 0 0 0 0 0 0 0 0 0 0 0 0
38066- 0 0 0 0 0 0 0 0 0 0 0 0
38067- 0 0 0 0 0 0 0 0 0 0 0 0
38068- 0 0 0 0 0 0 0 0 0 0 0 0
38069- 0 0 0 0 0 0 0 0 0 0 0 0
38070- 0 0 0 0 0 0 0 0 0 0 0 0
38071- 6 6 6 6 6 6 14 14 14 18 18 18
38072- 30 30 30 38 38 38 46 46 46 54 54 54
38073- 50 50 50 42 42 42 30 30 30 18 18 18
38074- 10 10 10 0 0 0 0 0 0 0 0 0
38075- 0 0 0 0 0 0 0 0 0 0 0 0
38076- 0 0 0 0 0 0 0 0 0 0 0 0
38077- 0 0 0 0 0 0 0 0 0 0 0 0
38078- 0 0 0 6 6 6 14 14 14 26 26 26
38079- 38 38 38 50 50 50 58 58 58 58 58 58
38080- 54 54 54 42 42 42 30 30 30 18 18 18
38081- 10 10 10 0 0 0 0 0 0 0 0 0
38082- 0 0 0 0 0 0 0 0 0 0 0 0
38083- 0 0 0 0 0 0 0 0 0 0 0 0
38084- 0 0 0 0 0 0 0 0 0 0 0 0
38085- 0 0 0 0 0 0 0 0 0 0 0 0
38086- 0 0 0 0 0 0 0 0 0 0 0 0
38087- 0 0 0 0 0 0 0 0 0 0 0 0
38088- 0 0 0 0 0 0 0 0 0 0 0 0
38089- 0 0 0 0 0 0 0 0 0 0 0 0
38090- 0 0 0 0 0 0 0 0 0 0 0 0
38091- 0 0 0 0 0 0 0 0 0 6 6 6
38092- 6 6 6 10 10 10 14 14 14 18 18 18
38093- 18 18 18 14 14 14 10 10 10 6 6 6
38094- 0 0 0 0 0 0 0 0 0 0 0 0
38095- 0 0 0 0 0 0 0 0 0 0 0 0
38096- 0 0 0 0 0 0 0 0 0 0 0 0
38097- 0 0 0 0 0 0 0 0 0 0 0 0
38098- 0 0 0 0 0 0 0 0 0 6 6 6
38099- 14 14 14 18 18 18 22 22 22 22 22 22
38100- 18 18 18 14 14 14 10 10 10 6 6 6
38101- 0 0 0 0 0 0 0 0 0 0 0 0
38102- 0 0 0 0 0 0 0 0 0 0 0 0
38103- 0 0 0 0 0 0 0 0 0 0 0 0
38104- 0 0 0 0 0 0 0 0 0 0 0 0
38105- 0 0 0 0 0 0 0 0 0 0 0 0
38106+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38107+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38108+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38109+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38110+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38111+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38112+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38113+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38114+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38115+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38116+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38117+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38118+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38119+4 4 4 4 4 4
38120+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38121+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38122+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38123+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38124+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38125+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38126+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38127+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38128+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38129+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38130+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38131+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38132+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38133+4 4 4 4 4 4
38134+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38135+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38136+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38137+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38138+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38139+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38140+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38141+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38142+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38143+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38144+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38145+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38146+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38147+4 4 4 4 4 4
38148+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38149+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38150+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38151+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38152+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38153+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38154+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38155+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38156+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38157+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38158+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38159+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38160+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38161+4 4 4 4 4 4
38162+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38163+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38164+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38165+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38166+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38167+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38168+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38169+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38170+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38171+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38172+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38173+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38174+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38175+4 4 4 4 4 4
38176+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38177+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38178+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38179+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38180+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38181+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38182+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38183+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38184+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38185+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38186+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38187+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38188+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38189+4 4 4 4 4 4
38190+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38191+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38192+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38193+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38194+4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
38195+0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
38196+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38197+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38198+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38199+4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
38200+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
38201+4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
38202+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38203+4 4 4 4 4 4
38204+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38205+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38206+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38207+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38208+4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
38209+37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
38210+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38211+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38212+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38213+4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
38214+2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
38215+4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
38216+1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38217+4 4 4 4 4 4
38218+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38219+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38220+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38221+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38222+2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
38223+153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
38224+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
38225+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38226+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38227+4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
38228+60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
38229+4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
38230+2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
38231+4 4 4 4 4 4
38232+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38233+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38234+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38235+4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
38236+4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
38237+165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
38238+1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
38239+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38240+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
38241+3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
38242+163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
38243+0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
38244+37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
38245+4 4 4 4 4 4
38246+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38247+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38248+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38249+4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
38250+37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
38251+156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
38252+125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
38253+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
38254+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
38255+0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
38256+174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
38257+0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
38258+64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
38259+4 4 4 4 4 4
38260+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38261+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38262+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
38263+5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
38264+156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
38265+156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
38266+174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
38267+1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
38268+4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
38269+13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
38270+174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
38271+22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
38272+90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
38273+4 4 4 4 4 4
38274+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38275+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38276+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
38277+0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
38278+174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
38279+156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
38280+163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
38281+4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
38282+5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
38283+131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
38284+190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
38285+90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
38286+31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
38287+4 4 4 4 4 4
38288+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38289+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38290+4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
38291+4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
38292+155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
38293+167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
38294+153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
38295+41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
38296+1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
38297+177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
38298+125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
38299+136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
38300+7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
38301+4 4 4 4 4 4
38302+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38303+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38304+4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
38305+125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
38306+156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
38307+137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
38308+156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
38309+167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
38310+0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
38311+166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
38312+6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
38313+90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
38314+1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
38315+4 4 4 4 4 4
38316+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38317+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38318+1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
38319+167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
38320+157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
38321+26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
38322+158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
38323+165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
38324+60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
38325+137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
38326+52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
38327+13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
38328+4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
38329+4 4 4 4 4 4
38330+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38331+4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
38332+0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
38333+158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
38334+167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
38335+4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
38336+174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
38337+155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
38338+137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
38339+16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
38340+136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
38341+2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
38342+4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
38343+4 4 4 4 4 4
38344+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38345+4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
38346+37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
38347+157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
38348+153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
38349+4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
38350+125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
38351+156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
38352+174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
38353+4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
38354+136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
38355+1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
38356+2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
38357+0 0 0 4 4 4
38358+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
38359+4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
38360+158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
38361+153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
38362+37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
38363+4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
38364+4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
38365+154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
38366+174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
38367+32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
38368+28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
38369+50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
38370+0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
38371+2 0 0 0 0 0
38372+4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
38373+0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
38374+174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
38375+165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
38376+4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
38377+4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
38378+4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
38379+174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
38380+60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
38381+136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
38382+22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
38383+136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
38384+26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
38385+37 38 37 0 0 0
38386+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
38387+13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
38388+153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
38389+177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
38390+4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
38391+5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
38392+6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
38393+166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
38394+4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
38395+146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
38396+71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
38397+90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
38398+125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
38399+85 115 134 4 0 0
38400+4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
38401+125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
38402+155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
38403+125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
38404+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
38405+0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
38406+5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
38407+37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
38408+4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
38409+90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
38410+2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
38411+13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
38412+166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
38413+60 73 81 4 0 0
38414+4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
38415+174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
38416+156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
38417+4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
38418+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
38419+10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
38420+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
38421+4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
38422+80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
38423+28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
38424+50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
38425+1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
38426+167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
38427+16 19 21 4 0 0
38428+4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
38429+158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
38430+167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
38431+4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
38432+4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
38433+80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
38434+4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
38435+3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
38436+146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
38437+68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
38438+136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
38439+24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
38440+163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
38441+4 0 0 4 3 3
38442+3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
38443+156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
38444+155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
38445+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
38446+2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
38447+136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
38448+0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
38449+0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
38450+136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
38451+28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
38452+22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
38453+137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
38454+60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
38455+3 2 2 4 4 4
38456+3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
38457+157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
38458+37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
38459+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
38460+0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
38461+101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
38462+14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
38463+22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
38464+136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
38465+17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
38466+2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
38467+166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
38468+13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
38469+4 4 4 4 4 4
38470+1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
38471+163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
38472+4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
38473+4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
38474+40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
38475+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
38476+101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
38477+136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
38478+136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
38479+136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
38480+3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
38481+174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
38482+4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
38483+4 4 4 4 4 4
38484+4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
38485+155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
38486+4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
38487+4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
38488+101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
38489+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
38490+136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
38491+136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
38492+136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
38493+90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
38494+85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
38495+167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
38496+6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
38497+5 5 5 5 5 5
38498+1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
38499+131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
38500+6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
38501+0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
38502+101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
38503+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
38504+101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
38505+136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
38506+101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
38507+7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
38508+174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
38509+24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
38510+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
38511+5 5 5 4 4 4
38512+4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
38513+131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
38514+6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
38515+13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
38516+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
38517+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
38518+101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
38519+136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
38520+136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
38521+2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
38522+174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
38523+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
38524+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38525+4 4 4 4 4 4
38526+1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
38527+137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
38528+4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
38529+64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
38530+90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
38531+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
38532+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
38533+136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
38534+101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
38535+37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
38536+167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
38537+3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
38538+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38539+4 4 4 4 4 4
38540+4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
38541+153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
38542+4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
38543+90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
38544+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
38545+90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
38546+101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
38547+101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
38548+35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
38549+154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
38550+60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
38551+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38552+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38553+4 4 4 4 4 4
38554+1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
38555+153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
38556+4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
38557+64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
38558+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
38559+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
38560+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
38561+136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
38562+13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
38563+174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
38564+6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
38565+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38566+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38567+4 4 4 4 4 4
38568+4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
38569+156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
38570+4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
38571+90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
38572+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
38573+90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
38574+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
38575+101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
38576+2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
38577+174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
38578+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38579+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38580+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38581+4 4 4 4 4 4
38582+3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
38583+158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
38584+4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
38585+37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
38586+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
38587+90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
38588+101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
38589+90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
38590+5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
38591+167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
38592+6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
38593+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38594+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38595+4 4 4 4 4 4
38596+4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
38597+163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
38598+4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
38599+18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
38600+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
38601+90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
38602+101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
38603+13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
38604+3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
38605+174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
38606+4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
38607+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38608+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38609+4 4 4 4 4 4
38610+1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
38611+167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
38612+4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
38613+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
38614+26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
38615+90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
38616+101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
38617+7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
38618+4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
38619+174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
38620+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38621+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38622+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38623+4 4 4 4 4 4
38624+4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
38625+174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
38626+5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
38627+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
38628+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38629+90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
38630+101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
38631+2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
38632+3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
38633+153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
38634+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38635+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38636+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38637+4 4 4 4 4 4
38638+1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
38639+174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
38640+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
38641+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
38642+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38643+26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
38644+35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
38645+2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
38646+3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
38647+131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
38648+4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38649+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38650+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38651+4 4 4 4 4 4
38652+3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
38653+174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
38654+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
38655+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
38656+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38657+26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
38658+7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
38659+4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
38660+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
38661+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38662+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38663+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38664+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38665+4 4 4 4 4 4
38666+1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
38667+174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
38668+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
38669+18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
38670+18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
38671+26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
38672+28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
38673+3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
38674+4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
38675+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38676+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38677+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38678+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38679+4 4 4 4 4 4
38680+4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
38681+174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
38682+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
38683+10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
38684+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38685+18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
38686+90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
38687+3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
38688+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
38689+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38690+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38691+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38692+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38693+4 4 4 4 4 4
38694+1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
38695+177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
38696+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
38697+10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
38698+26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
38699+6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
38700+10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
38701+2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
38702+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
38703+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38704+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38705+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38706+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38707+4 4 4 4 4 4
38708+4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
38709+177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
38710+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
38711+10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
38712+26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
38713+7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
38714+3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
38715+21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
38716+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
38717+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38718+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38719+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38720+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38721+4 4 4 4 4 4
38722+3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
38723+190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
38724+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
38725+10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
38726+24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
38727+18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
38728+28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
38729+26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
38730+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
38731+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38732+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38733+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38734+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38735+4 4 4 4 4 4
38736+4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
38737+190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
38738+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
38739+10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
38740+0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
38741+26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
38742+37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
38743+90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
38744+4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
38745+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38746+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38747+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38748+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38749+4 4 4 4 4 4
38750+4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
38751+193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
38752+5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
38753+10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
38754+1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
38755+26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
38756+22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
38757+26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
38758+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
38759+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38760+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38761+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38762+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38763+4 4 4 4 4 4
38764+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
38765+190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
38766+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
38767+10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
38768+2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
38769+26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
38770+10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
38771+26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
38772+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
38773+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38774+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38775+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38776+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38777+4 4 4 4 4 4
38778+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
38779+193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
38780+5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
38781+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
38782+13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
38783+10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
38784+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38785+26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
38786+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
38787+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38788+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38789+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38790+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38791+4 4 4 4 4 4
38792+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
38793+190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
38794+5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
38795+28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
38796+10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
38797+28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
38798+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
38799+26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
38800+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
38801+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38802+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38803+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38804+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38805+4 4 4 4 4 4
38806+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
38807+193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
38808+5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
38809+4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
38810+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
38811+10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
38812+18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
38813+22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
38814+4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
38815+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38816+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38817+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38818+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38819+4 4 4 4 4 4
38820+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
38821+190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
38822+6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
38823+1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
38824+18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
38825+10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
38826+26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
38827+1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
38828+5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
38829+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38830+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38831+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38832+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38833+4 4 4 4 4 4
38834+4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
38835+193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
38836+2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
38837+4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
38838+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
38839+10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
38840+26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
38841+2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
38842+3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
38843+131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38844+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38845+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38846+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38847+4 4 4 4 4 4
38848+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
38849+193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
38850+0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
38851+4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
38852+13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
38853+10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
38854+28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
38855+4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
38856+0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
38857+125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
38858+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38859+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38860+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38861+4 4 4 4 4 4
38862+4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
38863+193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
38864+120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
38865+4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
38866+4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
38867+10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
38868+4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
38869+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
38870+24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
38871+125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
38872+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
38873+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38874+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38875+4 4 4 4 4 4
38876+4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
38877+174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
38878+220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
38879+3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
38880+4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
38881+10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
38882+1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
38883+5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
38884+137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
38885+125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
38886+0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38887+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38888+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38889+4 4 4 4 4 4
38890+5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
38891+193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
38892+220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
38893+4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
38894+4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
38895+22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
38896+4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38897+1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
38898+166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
38899+125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
38900+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
38901+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38902+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38903+4 4 4 4 4 4
38904+4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
38905+220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
38906+205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
38907+24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
38908+4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
38909+4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
38910+4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
38911+2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
38912+156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
38913+137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
38914+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38915+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38916+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38917+4 4 4 4 4 4
38918+5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
38919+125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
38920+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
38921+193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
38922+5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
38923+1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
38924+5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
38925+60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
38926+153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
38927+125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
38928+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38929+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38930+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38931+4 4 4 4 4 4
38932+4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
38933+6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
38934+193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
38935+244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
38936+0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
38937+4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
38938+3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
38939+220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
38940+153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
38941+13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
38942+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38943+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38944+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38945+4 4 4 4 4 4
38946+5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
38947+6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
38948+244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
38949+220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
38950+3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
38951+4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
38952+0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
38953+177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
38954+158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
38955+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
38956+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38957+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38958+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38959+4 4 4 4 4 4
38960+5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
38961+6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
38962+177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
38963+220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
38964+125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
38965+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
38966+37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
38967+174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
38968+158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
38969+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
38970+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38971+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38972+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38973+4 4 4 4 4 4
38974+4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
38975+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
38976+26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
38977+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
38978+244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
38979+0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
38980+177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
38981+174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
38982+60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
38983+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38984+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38985+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38986+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38987+4 4 4 4 4 4
38988+5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
38989+6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
38990+6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
38991+220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
38992+220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
38993+0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
38994+220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
38995+174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
38996+4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
38997+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38998+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
38999+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39000+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39001+4 4 4 4 4 4
39002+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
39003+6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
39004+4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
39005+220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
39006+205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
39007+60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
39008+177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
39009+190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
39010+4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39011+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39012+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39013+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39014+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39015+4 4 4 4 4 4
39016+4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
39017+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
39018+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
39019+125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
39020+205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
39021+193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
39022+190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
39023+153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
39024+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39025+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39026+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39027+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39028+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39029+4 4 4 4 4 4
39030+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
39031+6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
39032+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
39033+4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
39034+205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
39035+220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
39036+174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
39037+6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
39038+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39039+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39040+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39041+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39042+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39043+4 4 4 4 4 4
39044+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
39045+5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
39046+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
39047+4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
39048+220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
39049+190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
39050+193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
39051+4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
39052+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39053+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39054+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39055+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39056+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39057+4 4 4 4 4 4
39058+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39059+4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
39060+4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
39061+6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
39062+174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
39063+193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
39064+193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
39065+6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
39066+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39067+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39068+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39069+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39070+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39071+4 4 4 4 4 4
39072+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39073+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
39074+5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
39075+5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
39076+6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
39077+193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
39078+60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6
39079+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
39080+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39081+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39082+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39083+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39084+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39085+4 4 4 4 4 4
39086+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39087+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39088+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
39089+5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0
39090+4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203
39091+193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6
39092+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5
39093+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
39094+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39095+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39096+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39097+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39098+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39099+4 4 4 4 4 4
39100+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39101+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39102+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
39103+4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
39104+6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125
39105+153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6
39106+6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5
39107+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39108+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39109+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39110+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39111+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39112+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39113+4 4 4 4 4 4
39114+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39115+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39116+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39117+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
39118+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
39119+24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0
39120+6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3
39121+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39122+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39123+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39124+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39125+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39126+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39127+4 4 4 4 4 4
39128+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39129+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39130+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39131+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
39132+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
39133+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
39134+4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4
39135+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39136+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39137+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39138+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39139+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39140+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39141+4 4 4 4 4 4
39142+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39143+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39144+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39145+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5
39146+5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6
39147+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0
39148+6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4
39149+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39150+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39151+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39152+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39153+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39154+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39155+4 4 4 4 4 4
39156+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39157+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39158+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39159+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
39160+4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6
39161+4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
39162+6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
39163+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39164+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39165+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39166+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39167+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39168+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39169+4 4 4 4 4 4
39170+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39171+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39172+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39173+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39174+4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6
39175+6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6
39176+4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
39177+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39178+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39179+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39180+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39181+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39182+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39183+4 4 4 4 4 4
39184+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39185+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39186+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39187+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39188+4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3
39189+4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3
39190+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39191+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39192+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39193+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39194+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39195+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39196+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39197+4 4 4 4 4 4
39198+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39199+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39200+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39201+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39202+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6
39203+5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5
39204+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39205+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39206+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39207+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39208+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39209+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39210+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39211+4 4 4 4 4 4
39212+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39213+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39214+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39215+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39216+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
39217+5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4
39218+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39219+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39220+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39221+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39222+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39223+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39224+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
39225+4 4 4 4 4 4
39226diff -urNp linux-3.1.1/drivers/video/udlfb.c linux-3.1.1/drivers/video/udlfb.c
39227--- linux-3.1.1/drivers/video/udlfb.c 2011-11-11 15:19:27.000000000 -0500
39228+++ linux-3.1.1/drivers/video/udlfb.c 2011-11-16 18:39:08.000000000 -0500
39229@@ -585,11 +585,11 @@ int dlfb_handle_damage(struct dlfb_data
39230 dlfb_urb_completion(urb);
39231
39232 error:
39233- atomic_add(bytes_sent, &dev->bytes_sent);
39234- atomic_add(bytes_identical, &dev->bytes_identical);
39235- atomic_add(width*height*2, &dev->bytes_rendered);
39236+ atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
39237+ atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
39238+ atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
39239 end_cycles = get_cycles();
39240- atomic_add(((unsigned int) ((end_cycles - start_cycles)
39241+ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
39242 >> 10)), /* Kcycles */
39243 &dev->cpu_kcycles_used);
39244
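Review bot: The switch to atomic_add_unchecked() on bytes_sent, bytes_identical, bytes_rendered and cpu_kcycles_used records nowhere why these counters are allowed to wrap, which is the only justification for opting them out of PaX refcount overflow detection; a short comment at the `error:` label, `/* statistics only: wrap-around is harmless, so bypass refcount overflow checks */`, would stop a later maintainer from "fixing" them back to atomic_add() and re-enabling the overflow trap on a hot path. The matching change of the four fields in struct dlfb_data to atomic_unchecked_t is presumably in udlfb.h and is not in this chunk, so it cannot be confirmed here. The body of dlfb_handle_damage begins before the hunk.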
39245@@ -710,11 +710,11 @@ static void dlfb_dpy_deferred_io(struct
39246 dlfb_urb_completion(urb);
39247
39248 error:
39249- atomic_add(bytes_sent, &dev->bytes_sent);
39250- atomic_add(bytes_identical, &dev->bytes_identical);
39251- atomic_add(bytes_rendered, &dev->bytes_rendered);
39252+ atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
39253+ atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
39254+ atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
39255 end_cycles = get_cycles();
39256- atomic_add(((unsigned int) ((end_cycles - start_cycles)
39257+ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
39258 >> 10)), /* Kcycles */
39259 &dev->cpu_kcycles_used);
39260 }
39261@@ -1306,7 +1306,7 @@ static ssize_t metrics_bytes_rendered_sh
39262 struct fb_info *fb_info = dev_get_drvdata(fbdev);
39263 struct dlfb_data *dev = fb_info->par;
39264 return snprintf(buf, PAGE_SIZE, "%u\n",
39265- atomic_read(&dev->bytes_rendered));
39266+ atomic_read_unchecked(&dev->bytes_rendered));
39267 }
39268
39269 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
39270@@ -1314,7 +1314,7 @@ static ssize_t metrics_bytes_identical_s
39271 struct fb_info *fb_info = dev_get_drvdata(fbdev);
39272 struct dlfb_data *dev = fb_info->par;
39273 return snprintf(buf, PAGE_SIZE, "%u\n",
39274- atomic_read(&dev->bytes_identical));
39275+ atomic_read_unchecked(&dev->bytes_identical));
39276 }
39277
39278 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
39279@@ -1322,7 +1322,7 @@ static ssize_t metrics_bytes_sent_show(s
39280 struct fb_info *fb_info = dev_get_drvdata(fbdev);
39281 struct dlfb_data *dev = fb_info->par;
39282 return snprintf(buf, PAGE_SIZE, "%u\n",
39283- atomic_read(&dev->bytes_sent));
39284+ atomic_read_unchecked(&dev->bytes_sent));
39285 }
39286
39287 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
39288@@ -1330,7 +1330,7 @@ static ssize_t metrics_cpu_kcycles_used_
39289 struct fb_info *fb_info = dev_get_drvdata(fbdev);
39290 struct dlfb_data *dev = fb_info->par;
39291 return snprintf(buf, PAGE_SIZE, "%u\n",
39292- atomic_read(&dev->cpu_kcycles_used));
39293+ atomic_read_unchecked(&dev->cpu_kcycles_used));
39294 }
39295
39296 static ssize_t edid_show(
39297@@ -1387,10 +1387,10 @@ static ssize_t metrics_reset_store(struc
39298 struct fb_info *fb_info = dev_get_drvdata(fbdev);
39299 struct dlfb_data *dev = fb_info->par;
39300
39301- atomic_set(&dev->bytes_rendered, 0);
39302- atomic_set(&dev->bytes_identical, 0);
39303- atomic_set(&dev->bytes_sent, 0);
39304- atomic_set(&dev->cpu_kcycles_used, 0);
39305+ atomic_set_unchecked(&dev->bytes_rendered, 0);
39306+ atomic_set_unchecked(&dev->bytes_identical, 0);
39307+ atomic_set_unchecked(&dev->bytes_sent, 0);
39308+ atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
39309
39310 return count;
39311 }
39312diff -urNp linux-3.1.1/drivers/video/uvesafb.c linux-3.1.1/drivers/video/uvesafb.c
39313--- linux-3.1.1/drivers/video/uvesafb.c 2011-11-11 15:19:27.000000000 -0500
39314+++ linux-3.1.1/drivers/video/uvesafb.c 2011-11-16 18:39:08.000000000 -0500
39315@@ -19,6 +19,7 @@
39316 #include <linux/io.h>
39317 #include <linux/mutex.h>
39318 #include <linux/slab.h>
39319+#include <linux/moduleloader.h>
39320 #include <video/edid.h>
39321 #include <video/uvesafb.h>
39322 #ifdef CONFIG_X86
39323@@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
39324 NULL,
39325 };
39326
39327- return call_usermodehelper(v86d_path, argv, envp, 1);
39328+ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
39329 }
39330
39331 /*
39332@@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
39333 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
39334 par->pmi_setpal = par->ypan = 0;
39335 } else {
39336+
39337+#ifdef CONFIG_PAX_KERNEXEC
39338+#ifdef CONFIG_MODULES
39339+ par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
39340+#endif
39341+ if (!par->pmi_code) {
39342+ par->pmi_setpal = par->ypan = 0;
39343+ return 0;
39344+ }
39345+#endif
39346+
39347 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
39348 + task->t.regs.edi);
39349+
39350+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39351+ pax_open_kernel();
39352+ memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
39353+ pax_close_kernel();
39354+
39355+ par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
39356+ par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
39357+#else
39358 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
39359 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
39360+#endif
39361+
39362 printk(KERN_INFO "uvesafb: protected mode interface info at "
39363 "%04x:%04x\n",
39364 (u16)task->t.regs.es, (u16)task->t.regs.edi);
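Review bot: `par->pmi_base[1]` and `par->pmi_base[2]` are used as offsets into the freshly copied `pmi_code` buffer without any check against the copied length `(u16)task->t.regs.ecx`, so a PMI table whose entry offsets lie beyond its declared size yields `pmi_start`/`pmi_pal` pointing past the executable allocation; the in-place `#else` branch and the vesafb_probe hunk (offsets against `screen_info.vesapm_size`) have the same gap. The table comes from the v86d helper rather than from an unprivileged caller as far as this chunk shows, so exposure is limited, but the check is cheap: after `par->pmi_base` is assigned, `if ((u16)task->t.regs.ecx < 3 * sizeof(u16) || par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx) { par->pmi_setpal = par->ypan = 0; return 0; }`, mirroring the failure handling at the top of the hunk (the allocation is still released by the remove/error hunks below). A failed `module_alloc_exec()` also disables PMI silently while the success path logs the interface location; a `printk(KERN_WARNING ...)` on that branch would aid diagnosis. uvesafb_vbe_getpmi starts and ends outside the hunk.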
39365@@ -1821,6 +1844,11 @@ out:
39366 if (par->vbe_modes)
39367 kfree(par->vbe_modes);
39368
39369+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39370+ if (par->pmi_code)
39371+ module_free_exec(NULL, par->pmi_code);
39372+#endif
39373+
39374 framebuffer_release(info);
39375 return err;
39376 }
39377@@ -1847,6 +1875,12 @@ static int uvesafb_remove(struct platfor
39378 kfree(par->vbe_state_orig);
39379 if (par->vbe_state_saved)
39380 kfree(par->vbe_state_saved);
39381+
39382+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39383+ if (par->pmi_code)
39384+ module_free_exec(NULL, par->pmi_code);
39385+#endif
39386+
39387 }
39388
39389 framebuffer_release(info);
39390diff -urNp linux-3.1.1/drivers/video/vesafb.c linux-3.1.1/drivers/video/vesafb.c
39391--- linux-3.1.1/drivers/video/vesafb.c 2011-11-11 15:19:27.000000000 -0500
39392+++ linux-3.1.1/drivers/video/vesafb.c 2011-11-16 18:39:08.000000000 -0500
39393@@ -9,6 +9,7 @@
39394 */
39395
39396 #include <linux/module.h>
39397+#include <linux/moduleloader.h>
39398 #include <linux/kernel.h>
39399 #include <linux/errno.h>
39400 #include <linux/string.h>
39401@@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
39402 static int vram_total __initdata; /* Set total amount of memory */
39403 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
39404 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
39405-static void (*pmi_start)(void) __read_mostly;
39406-static void (*pmi_pal) (void) __read_mostly;
39407+static void (*pmi_start)(void) __read_only;
39408+static void (*pmi_pal) (void) __read_only;
39409 static int depth __read_mostly;
39410 static int vga_compat __read_mostly;
39411 /* --------------------------------------------------------------------- */
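Review bot: `pmi_start` and `pmi_pal` now live in the read-only data section, so every later store to them has to sit between `pax_open_kernel()` and `pax_close_kernel()`, and nothing at the declarations records that obligation. In the vesafb_probe hunk the two stores are bracketed only under `CONFIG_MODULES && CONFIG_PAX_KERNEXEC`; with KERNEXEC but no module allocator they would hit the read-only section, and the code avoids that only because the earlier probe hunk zeroes `screen_info.vesapm_seg` in that configuration so that, presumably via the `< 0xc000` check whose body is outside the hunk, the block is never entered. Suggest `/* written once in vesafb_probe under pax_open_kernel(); with KERNEXEC and no module allocator PMI is disabled before they would be touched */` next to the declarations.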
39412@@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
39413 unsigned int size_vmode;
39414 unsigned int size_remap;
39415 unsigned int size_total;
39416+ void *pmi_code = NULL;
39417
39418 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
39419 return -ENODEV;
39420@@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
39421 size_remap = size_total;
39422 vesafb_fix.smem_len = size_remap;
39423
39424-#ifndef __i386__
39425- screen_info.vesapm_seg = 0;
39426-#endif
39427-
39428 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
39429 printk(KERN_WARNING
39430 "vesafb: cannot reserve video memory at 0x%lx\n",
39431@@ -307,9 +305,21 @@ static int __init vesafb_probe(struct pl
39432 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
39433 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
39434
39435+#ifdef __i386__
39436+
39437+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39438+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
39439+ if (!pmi_code)
39440+#elif !defined(CONFIG_PAX_KERNEXEC)
39441+ if (0)
39442+#endif
39443+
39444+#endif
39445+ screen_info.vesapm_seg = 0;
39446+
39447 if (screen_info.vesapm_seg) {
39448- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
39449- screen_info.vesapm_seg,screen_info.vesapm_off);
39450+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
39451+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
39452 }
39453
39454 if (screen_info.vesapm_seg < 0xc000)
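Review bot: The `if (!pmi_code)` / `if (0)` guards are spliced onto the `screen_info.vesapm_seg = 0;` statement across two nested `#if` blocks, so which configuration executes the assignment can only be worked out by expanding all four cases by hand, and any statement added after the assignment would silently attach to the wrong branch. The logic itself is sound as far as I can trace it (i386 with MODULES+KERNEXEC: disable PMI only on allocation failure; i386 with KERNEXEC but no module allocator: always disable; i386 without KERNEXEC: never disable; non-i386: always disable, as the removed `#ifndef __i386__` block did), but a flat `#if/#elif/#else` with a braced body expresses the same thing directly. A `printk` on the allocation-failure path would also tell the user why PMI went missing. vesafb_probe starts and ends outside the hunk.

```c
#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
	pmi_code = module_alloc_exec(screen_info.vesapm_size);
	if (!pmi_code) {
		printk(KERN_WARNING "vesafb: cannot allocate executable memory for the PMI code, disabling PMI\n");
		screen_info.vesapm_seg = 0;
	}
#elif defined(__i386__) && !defined(CONFIG_PAX_KERNEXEC)
	/* PMI code is executed in place; nothing to set up here */
#else
	/* no executable allocator in this configuration (or not i386): PMI unavailable */
	screen_info.vesapm_seg = 0;
#endif
	/* … unchanged: "protected mode interface info" printk … */
```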
39455@@ -317,9 +327,25 @@ static int __init vesafb_probe(struct pl
39456
39457 if (ypan || pmi_setpal) {
39458 unsigned short *pmi_base;
39459+
39460 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
39461- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
39462- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
39463+
39464+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39465+ pax_open_kernel();
39466+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
39467+#else
39468+ pmi_code = pmi_base;
39469+#endif
39470+
39471+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
39472+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
39473+
39474+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39475+ pmi_start = ktva_ktla(pmi_start);
39476+ pmi_pal = ktva_ktla(pmi_pal);
39477+ pax_close_kernel();
39478+#endif
39479+
39480 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
39481 if (pmi_base[3]) {
39482 printk(KERN_INFO "vesafb: pmi: ports = ");
39483@@ -488,6 +514,11 @@ static int __init vesafb_probe(struct pl
39484 info->node, info->fix.id);
39485 return 0;
39486 err:
39487+
39488+#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
39489+ module_free_exec(NULL, pmi_code);
39490+#endif
39491+
39492 if (info->screen_base)
39493 iounmap(info->screen_base);
39494 framebuffer_release(info);
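Review bot: The executable buffer allocated into `pmi_code` earlier in vesafb_probe is released only on the `err:` path, so when the probe succeeds but PMI is not used — `vesapm_seg` below 0xc000 (the body of that check is outside the hunk), or neither `ypan` nor `pmi_setpal`, so the `if (ypan || pmi_setpal)` block that copies into it never runs — the allocation is kept for the lifetime of the system with no reference left to it. Since `pmi_start` is assigned inside that block in every configuration, `if (!pmi_start) module_free_exec(NULL, pmi_code);` under the same `#if` as the `err:` free, placed just before `return 0;`, releases it in exactly those cases. The `err:` free itself passes a possibly-NULL `pmi_code` when allocation failed; that is fine only if `module_free_exec()` tolerates NULL the way `vfree()` does, which is worth confirming or guarding with `if (pmi_code)` as the uvesafb hunks do. vesafb_probe starts outside the hunk.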
39495diff -urNp linux-3.1.1/drivers/video/via/via_clock.h linux-3.1.1/drivers/video/via/via_clock.h
39496--- linux-3.1.1/drivers/video/via/via_clock.h 2011-11-11 15:19:27.000000000 -0500
39497+++ linux-3.1.1/drivers/video/via/via_clock.h 2011-11-16 18:39:08.000000000 -0500
39498@@ -56,7 +56,7 @@ struct via_clock {
39499
39500 void (*set_engine_pll_state)(u8 state);
39501 void (*set_engine_pll)(struct via_pll_config config);
39502-};
39503+} __no_const;
39504
39505
39506 static inline u32 get_pll_internal_frequency(u32 ref_freq,
39507diff -urNp linux-3.1.1/drivers/virtio/virtio_balloon.c linux-3.1.1/drivers/virtio/virtio_balloon.c
39508--- linux-3.1.1/drivers/virtio/virtio_balloon.c 2011-11-11 15:19:27.000000000 -0500
39509+++ linux-3.1.1/drivers/virtio/virtio_balloon.c 2011-11-16 18:40:29.000000000 -0500
39510@@ -174,6 +174,8 @@ static void update_balloon_stats(struct
39511 struct sysinfo i;
39512 int idx = 0;
39513
39514+ pax_track_stack();
39515+
39516 all_vm_events(events);
39517 si_meminfo(&i);
39518
39519diff -urNp linux-3.1.1/drivers/xen/xen-pciback/conf_space.h linux-3.1.1/drivers/xen/xen-pciback/conf_space.h
39520--- linux-3.1.1/drivers/xen/xen-pciback/conf_space.h 2011-11-11 15:19:27.000000000 -0500
39521+++ linux-3.1.1/drivers/xen/xen-pciback/conf_space.h 2011-11-16 18:39:08.000000000 -0500
39522@@ -44,15 +44,15 @@ struct config_field {
39523 struct {
39524 conf_dword_write write;
39525 conf_dword_read read;
39526- } dw;
39527+ } __no_const dw;
39528 struct {
39529 conf_word_write write;
39530 conf_word_read read;
39531- } w;
39532+ } __no_const w;
39533 struct {
39534 conf_byte_write write;
39535 conf_byte_read read;
39536- } b;
39537+ } __no_const b;
39538 } u;
39539 struct list_head list;
39540 };
39541diff -urNp linux-3.1.1/fs/9p/vfs_inode.c linux-3.1.1/fs/9p/vfs_inode.c
39542--- linux-3.1.1/fs/9p/vfs_inode.c 2011-11-11 15:19:27.000000000 -0500
39543+++ linux-3.1.1/fs/9p/vfs_inode.c 2011-11-16 18:39:08.000000000 -0500
39544@@ -1288,7 +1288,7 @@ static void *v9fs_vfs_follow_link(struct
39545 void
39546 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
39547 {
39548- char *s = nd_get_link(nd);
39549+ const char *s = nd_get_link(nd);
39550
39551 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
39552 IS_ERR(s) ? "<error>" : s);
39553diff -urNp linux-3.1.1/fs/aio.c linux-3.1.1/fs/aio.c
39554--- linux-3.1.1/fs/aio.c 2011-11-11 15:19:27.000000000 -0500
39555+++ linux-3.1.1/fs/aio.c 2011-11-16 18:40:29.000000000 -0500
39556@@ -119,7 +119,7 @@ static int aio_setup_ring(struct kioctx
39557 size += sizeof(struct io_event) * nr_events;
39558 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
39559
39560- if (nr_pages < 0)
39561+ if (nr_pages <= 0)
39562 return -EINVAL;
39563
39564 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
39565@@ -1088,6 +1088,8 @@ static int read_events(struct kioctx *ct
39566 struct aio_timeout to;
39567 int retry = 0;
39568
39569+ pax_track_stack();
39570+
39571 /* needed to zero any padding within an entry (there shouldn't be
39572 * any, but C is fun!
39573 */
39574@@ -1381,22 +1383,27 @@ static ssize_t aio_fsync(struct kiocb *i
39575 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb, bool compat)
39576 {
39577 ssize_t ret;
39578+ struct iovec iovstack;
39579
39580 #ifdef CONFIG_COMPAT
39581 if (compat)
39582 ret = compat_rw_copy_check_uvector(type,
39583 (struct compat_iovec __user *)kiocb->ki_buf,
39584- kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
39585+ kiocb->ki_nbytes, 1, &iovstack,
39586 &kiocb->ki_iovec);
39587 else
39588 #endif
39589 ret = rw_copy_check_uvector(type,
39590 (struct iovec __user *)kiocb->ki_buf,
39591- kiocb->ki_nbytes, 1, &kiocb->ki_inline_vec,
39592+ kiocb->ki_nbytes, 1, &iovstack,
39593 &kiocb->ki_iovec);
39594 if (ret < 0)
39595 goto out;
39596
39597+ if (kiocb->ki_iovec == &iovstack) {
39598+ kiocb->ki_inline_vec = iovstack;
39599+ kiocb->ki_iovec = &kiocb->ki_inline_vec;
39600+ }
39601 kiocb->ki_nr_segs = kiocb->ki_nbytes;
39602 kiocb->ki_cur_seg = 0;
39603 /* ki_nbytes/left now reflect bytes instead of segs */
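Review bot: On the `if (ret < 0) goto out;` path `kiocb->ki_iovec` can still be `&iovstack` if the uvector helpers assign `*ret_pointer` before returning an error (their bodies are outside this file), because the fix-up that redirects it to `ki_inline_vec` sits below the error check; the kiocb then leaves this function holding a pointer into a dead stack frame, and if the kiocb teardown elsewhere in this file frees `ki_iovec` whenever it differs from `&ki_inline_vec` (outside the hunk — please confirm), that becomes a kfree of a stack address. Moving the `if (kiocb->ki_iovec == &iovstack) { … }` block above `if (ret < 0) goto out;` fixes it regardless of what the helper does on failure. The reason for the detour through `iovstack` is also undocumented; presumably the kiocb is a slab object that the usercopy checks will not accept as a `copy_from_user` destination while a stack iovec is fine, and that deserves a comment such as `/* copy into a stack iovec first: the kiocb slab object is not a permitted usercopy target; move to ki_inline_vec afterwards */`. aio_setup_vectored_rw's `out:` label is outside the hunk.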
39604diff -urNp linux-3.1.1/fs/attr.c linux-3.1.1/fs/attr.c
39605--- linux-3.1.1/fs/attr.c 2011-11-11 15:19:27.000000000 -0500
39606+++ linux-3.1.1/fs/attr.c 2011-11-16 18:40:29.000000000 -0500
39607@@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
39608 unsigned long limit;
39609
39610 limit = rlimit(RLIMIT_FSIZE);
39611+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
39612 if (limit != RLIM_INFINITY && offset > limit)
39613 goto out_sig;
39614 if (offset > inode->i_sb->s_maxbytes)
39615diff -urNp linux-3.1.1/fs/autofs4/waitq.c linux-3.1.1/fs/autofs4/waitq.c
39616--- linux-3.1.1/fs/autofs4/waitq.c 2011-11-11 15:19:27.000000000 -0500
39617+++ linux-3.1.1/fs/autofs4/waitq.c 2011-11-16 18:39:08.000000000 -0500
39618@@ -60,7 +60,7 @@ static int autofs4_write(struct file *fi
39619 {
39620 unsigned long sigpipe, flags;
39621 mm_segment_t fs;
39622- const char *data = (const char *)addr;
39623+ const char __user *data = (const char __force_user *)addr;
39624 ssize_t wr = 0;
39625
39626 /** WARNING: this is not safe for writing more than PIPE_BUF bytes! **/
39627diff -urNp linux-3.1.1/fs/befs/linuxvfs.c linux-3.1.1/fs/befs/linuxvfs.c
39628--- linux-3.1.1/fs/befs/linuxvfs.c 2011-11-11 15:19:27.000000000 -0500
39629+++ linux-3.1.1/fs/befs/linuxvfs.c 2011-11-16 18:39:08.000000000 -0500
39630@@ -503,7 +503,7 @@ static void befs_put_link(struct dentry
39631 {
39632 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
39633 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
39634- char *link = nd_get_link(nd);
39635+ const char *link = nd_get_link(nd);
39636 if (!IS_ERR(link))
39637 kfree(link);
39638 }
39639diff -urNp linux-3.1.1/fs/binfmt_aout.c linux-3.1.1/fs/binfmt_aout.c
39640--- linux-3.1.1/fs/binfmt_aout.c 2011-11-11 15:19:27.000000000 -0500
39641+++ linux-3.1.1/fs/binfmt_aout.c 2011-11-16 18:40:29.000000000 -0500
39642@@ -16,6 +16,7 @@
39643 #include <linux/string.h>
39644 #include <linux/fs.h>
39645 #include <linux/file.h>
39646+#include <linux/security.h>
39647 #include <linux/stat.h>
39648 #include <linux/fcntl.h>
39649 #include <linux/ptrace.h>
39650@@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
39651 #endif
39652 # define START_STACK(u) ((void __user *)u.start_stack)
39653
39654+ memset(&dump, 0, sizeof(dump));
39655+
39656 fs = get_fs();
39657 set_fs(KERNEL_DS);
39658 has_dumped = 1;
39659@@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
39660
39661 /* If the size of the dump file exceeds the rlimit, then see what would happen
39662 if we wrote the stack, but not the data area. */
39663+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
39664 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
39665 dump.u_dsize = 0;
39666
39667 /* Make sure we have enough room to write the stack and data areas. */
39668+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
39669 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
39670 dump.u_ssize = 0;
39671
39672@@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
39673 rlim = rlimit(RLIMIT_DATA);
39674 if (rlim >= RLIM_INFINITY)
39675 rlim = ~0;
39676+
39677+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
39678 if (ex.a_data + ex.a_bss > rlim)
39679 return -ENOMEM;
39680
39681@@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
39682 install_exec_creds(bprm);
39683 current->flags &= ~PF_FORKNOEXEC;
39684
39685+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
39686+ current->mm->pax_flags = 0UL;
39687+#endif
39688+
39689+#ifdef CONFIG_PAX_PAGEEXEC
39690+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
39691+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
39692+
39693+#ifdef CONFIG_PAX_EMUTRAMP
39694+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
39695+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
39696+#endif
39697+
39698+#ifdef CONFIG_PAX_MPROTECT
39699+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
39700+ current->mm->pax_flags |= MF_PAX_MPROTECT;
39701+#endif
39702+
39703+ }
39704+#endif
39705+
39706 if (N_MAGIC(ex) == OMAGIC) {
39707 unsigned long text_addr, map_size;
39708 loff_t pos;
39709@@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
39710
39711 down_write(&current->mm->mmap_sem);
39712 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
39713- PROT_READ | PROT_WRITE | PROT_EXEC,
39714+ PROT_READ | PROT_WRITE,
39715 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
39716 fd_offset + ex.a_text);
39717 up_write(&current->mm->mmap_sem);
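Review bot: Dropping `PROT_EXEC` from the data mapping is unconditional, while the earlier load_aout_binary hunk lets a binary opt out of PAGEEXEC through `F_PAX_PAGEEXEC`; such a binary therefore still gets a non-executable data segment on NX-capable hardware even though `MF_PAX_PAGEEXEC` is not set for it. If that is the intent — a.out data is never executable under this tree regardless of the per-binary flag — a comment on the `do_mmap()` call should say so, e.g. `/* PaX: the data segment is never mapped executable, independent of MF_PAX_PAGEEXEC */`; otherwise the protection bits could be derived from `current->mm->pax_flags`. load_aout_binary starts and ends outside the hunk.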
39718diff -urNp linux-3.1.1/fs/binfmt_elf.c linux-3.1.1/fs/binfmt_elf.c
39719--- linux-3.1.1/fs/binfmt_elf.c 2011-11-11 15:19:27.000000000 -0500
39720+++ linux-3.1.1/fs/binfmt_elf.c 2011-11-16 18:40:29.000000000 -0500
39721@@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
39722 #define elf_core_dump NULL
39723 #endif
39724
39725+#ifdef CONFIG_PAX_MPROTECT
39726+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
39727+#endif
39728+
39729 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
39730 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
39731 #else
39732@@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
39733 .load_binary = load_elf_binary,
39734 .load_shlib = load_elf_library,
39735 .core_dump = elf_core_dump,
39736+
39737+#ifdef CONFIG_PAX_MPROTECT
39738+ .handle_mprotect= elf_handle_mprotect,
39739+#endif
39740+
39741 .min_coredump = ELF_EXEC_PAGESIZE,
39742 };
39743
39744@@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
39745
39746 static int set_brk(unsigned long start, unsigned long end)
39747 {
39748+ unsigned long e = end;
39749+
39750 start = ELF_PAGEALIGN(start);
39751 end = ELF_PAGEALIGN(end);
39752 if (end > start) {
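Review bot: The new local `e` preserves the caller's unaligned `end` so that `mm->brk` is no longer page-aligned, but nothing in set_brk says why. The reason appears to be the sub-page offset that the `CONFIG_PAX_RANDMMAP` hunk further down adds to `elf_brk` before set_brk is reached, which `ELF_PAGEALIGN()` would otherwise round away; suggest `/* keep the unaligned end: PaX RANDMMAP adds a sub-page offset to elf_brk and brk must start exactly there */` at the declaration of `e`. The assignment that uses `e` is in the next hunk; set_brk's body spans both.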
39753@@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
39754 if (BAD_ADDR(addr))
39755 return addr;
39756 }
39757- current->mm->start_brk = current->mm->brk = end;
39758+ current->mm->start_brk = current->mm->brk = e;
39759 return 0;
39760 }
39761
39762@@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
39763 elf_addr_t __user *u_rand_bytes;
39764 const char *k_platform = ELF_PLATFORM;
39765 const char *k_base_platform = ELF_BASE_PLATFORM;
39766- unsigned char k_rand_bytes[16];
39767+ u32 k_rand_bytes[4];
39768 int items;
39769 elf_addr_t *elf_info;
39770 int ei_index = 0;
39771 const struct cred *cred = current_cred();
39772 struct vm_area_struct *vma;
39773+ unsigned long saved_auxv[AT_VECTOR_SIZE];
39774+
39775+ pax_track_stack();
39776
39777 /*
39778 * In some cases (e.g. Hyper-Threading), we want to avoid L1
39779@@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
39780 * Generate 16 random bytes for userspace PRNG seeding.
39781 */
39782 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
39783- u_rand_bytes = (elf_addr_t __user *)
39784- STACK_ALLOC(p, sizeof(k_rand_bytes));
39785+ srandom32(k_rand_bytes[0] ^ random32());
39786+ srandom32(k_rand_bytes[1] ^ random32());
39787+ srandom32(k_rand_bytes[2] ^ random32());
39788+ srandom32(k_rand_bytes[3] ^ random32());
39789+ p = STACK_ROUND(p, sizeof(k_rand_bytes));
39790+ u_rand_bytes = (elf_addr_t __user *) p;
39791 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
39792 return -EFAULT;
39793
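Review bot: Reseeding `random32()` four times per exec from the AT_RANDOM bytes is a side effect unrelated to building the ELF tables and is not explained; suggest `/* PaX: fold fresh entropy into the random32() state on every exec; AT_RANDOM itself is unaffected */` above the `srandom32()` calls. `k_rand_bytes` keeps `sizeof == 16` as `u32[4]`, so the 16-byte AT_RANDOM contract toward userspace is preserved — worth one more clause in that comment, since the declaration change in the previous hunk looks like a size change at first glance. The `saved_auxv` copy in the last create_elf_tables hunk is equally undocumented; presumably it keeps the `copy_to_user()` source out of the mm_struct slab object for the usercopy checks, and it is safe only while `ei_index` stays within `AT_VECTOR_SIZE`, which the existing code is assumed to enforce outside these hunks. create_elf_tables starts and ends outside the hunk.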
39794@@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
39795 return -EFAULT;
39796 current->mm->env_end = p;
39797
39798+ memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
39799+
39800 /* Put the elf_info on the stack in the right place. */
39801 sp = (elf_addr_t __user *)envp + 1;
39802- if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
39803+ if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
39804 return -EFAULT;
39805 return 0;
39806 }
39807@@ -381,10 +401,10 @@ static unsigned long load_elf_interp(str
39808 {
39809 struct elf_phdr *elf_phdata;
39810 struct elf_phdr *eppnt;
39811- unsigned long load_addr = 0;
39812+ unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
39813 int load_addr_set = 0;
39814 unsigned long last_bss = 0, elf_bss = 0;
39815- unsigned long error = ~0UL;
39816+ unsigned long error = -EINVAL;
39817 unsigned long total_size;
39818 int retval, i, size;
39819
39820@@ -430,6 +450,11 @@ static unsigned long load_elf_interp(str
39821 goto out_close;
39822 }
39823
39824+#ifdef CONFIG_PAX_SEGMEXEC
39825+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
39826+ pax_task_size = SEGMEXEC_TASK_SIZE;
39827+#endif
39828+
39829 eppnt = elf_phdata;
39830 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
39831 if (eppnt->p_type == PT_LOAD) {
39832@@ -473,8 +498,8 @@ static unsigned long load_elf_interp(str
39833 k = load_addr + eppnt->p_vaddr;
39834 if (BAD_ADDR(k) ||
39835 eppnt->p_filesz > eppnt->p_memsz ||
39836- eppnt->p_memsz > TASK_SIZE ||
39837- TASK_SIZE - eppnt->p_memsz < k) {
39838+ eppnt->p_memsz > pax_task_size ||
39839+ pax_task_size - eppnt->p_memsz < k) {
39840 error = -ENOMEM;
39841 goto out_close;
39842 }
39843@@ -528,6 +553,193 @@ out:
39844 return error;
39845 }
39846
39847+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
39848+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
39849+{
39850+ unsigned long pax_flags = 0UL;
39851+
39852+#ifdef CONFIG_PAX_PAGEEXEC
39853+ if (elf_phdata->p_flags & PF_PAGEEXEC)
39854+ pax_flags |= MF_PAX_PAGEEXEC;
39855+#endif
39856+
39857+#ifdef CONFIG_PAX_SEGMEXEC
39858+ if (elf_phdata->p_flags & PF_SEGMEXEC)
39859+ pax_flags |= MF_PAX_SEGMEXEC;
39860+#endif
39861+
39862+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39863+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39864+ if ((__supported_pte_mask & _PAGE_NX))
39865+ pax_flags &= ~MF_PAX_SEGMEXEC;
39866+ else
39867+ pax_flags &= ~MF_PAX_PAGEEXEC;
39868+ }
39869+#endif
39870+
39871+#ifdef CONFIG_PAX_EMUTRAMP
39872+ if (elf_phdata->p_flags & PF_EMUTRAMP)
39873+ pax_flags |= MF_PAX_EMUTRAMP;
39874+#endif
39875+
39876+#ifdef CONFIG_PAX_MPROTECT
39877+ if (elf_phdata->p_flags & PF_MPROTECT)
39878+ pax_flags |= MF_PAX_MPROTECT;
39879+#endif
39880+
39881+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
39882+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
39883+ pax_flags |= MF_PAX_RANDMMAP;
39884+#endif
39885+
39886+ return pax_flags;
39887+}
39888+#endif
39889+
39890+#ifdef CONFIG_PAX_PT_PAX_FLAGS
39891+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
39892+{
39893+ unsigned long pax_flags = 0UL;
39894+
39895+#ifdef CONFIG_PAX_PAGEEXEC
39896+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
39897+ pax_flags |= MF_PAX_PAGEEXEC;
39898+#endif
39899+
39900+#ifdef CONFIG_PAX_SEGMEXEC
39901+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
39902+ pax_flags |= MF_PAX_SEGMEXEC;
39903+#endif
39904+
39905+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39906+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39907+ if ((__supported_pte_mask & _PAGE_NX))
39908+ pax_flags &= ~MF_PAX_SEGMEXEC;
39909+ else
39910+ pax_flags &= ~MF_PAX_PAGEEXEC;
39911+ }
39912+#endif
39913+
39914+#ifdef CONFIG_PAX_EMUTRAMP
39915+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
39916+ pax_flags |= MF_PAX_EMUTRAMP;
39917+#endif
39918+
39919+#ifdef CONFIG_PAX_MPROTECT
39920+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
39921+ pax_flags |= MF_PAX_MPROTECT;
39922+#endif
39923+
39924+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
39925+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
39926+ pax_flags |= MF_PAX_RANDMMAP;
39927+#endif
39928+
39929+ return pax_flags;
39930+}
39931+#endif
39932+
39933+#ifdef CONFIG_PAX_EI_PAX
39934+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
39935+{
39936+ unsigned long pax_flags = 0UL;
39937+
39938+#ifdef CONFIG_PAX_PAGEEXEC
39939+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
39940+ pax_flags |= MF_PAX_PAGEEXEC;
39941+#endif
39942+
39943+#ifdef CONFIG_PAX_SEGMEXEC
39944+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
39945+ pax_flags |= MF_PAX_SEGMEXEC;
39946+#endif
39947+
39948+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39949+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39950+ if ((__supported_pte_mask & _PAGE_NX))
39951+ pax_flags &= ~MF_PAX_SEGMEXEC;
39952+ else
39953+ pax_flags &= ~MF_PAX_PAGEEXEC;
39954+ }
39955+#endif
39956+
39957+#ifdef CONFIG_PAX_EMUTRAMP
39958+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
39959+ pax_flags |= MF_PAX_EMUTRAMP;
39960+#endif
39961+
39962+#ifdef CONFIG_PAX_MPROTECT
39963+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
39964+ pax_flags |= MF_PAX_MPROTECT;
39965+#endif
39966+
39967+#ifdef CONFIG_PAX_ASLR
39968+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
39969+ pax_flags |= MF_PAX_RANDMMAP;
39970+#endif
39971+
39972+ return pax_flags;
39973+}
39974+#endif
39975+
39976+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
39977+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
39978+{
39979+ unsigned long pax_flags = 0UL;
39980+
39981+#ifdef CONFIG_PAX_PT_PAX_FLAGS
39982+ unsigned long i;
39983+ int found_flags = 0;
39984+#endif
39985+
39986+#ifdef CONFIG_PAX_EI_PAX
39987+ pax_flags = pax_parse_ei_pax(elf_ex);
39988+#endif
39989+
39990+#ifdef CONFIG_PAX_PT_PAX_FLAGS
39991+ for (i = 0UL; i < elf_ex->e_phnum; i++)
39992+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
39993+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
39994+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
39995+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
39996+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
39997+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
39998+ return -EINVAL;
39999+
40000+#ifdef CONFIG_PAX_SOFTMODE
40001+ if (pax_softmode)
40002+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
40003+ else
40004+#endif
40005+
40006+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
40007+ found_flags = 1;
40008+ break;
40009+ }
40010+#endif
40011+
40012+#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
40013+ if (found_flags == 0) {
40014+ struct elf_phdr phdr;
40015+ memset(&phdr, 0, sizeof(phdr));
40016+ phdr.p_flags = PF_NOEMUTRAMP;
40017+#ifdef CONFIG_PAX_SOFTMODE
40018+ if (pax_softmode)
40019+ pax_flags = pax_parse_softmode(&phdr);
40020+ else
40021+#endif
40022+ pax_flags = pax_parse_hardmode(&phdr);
40023+ }
40024+#endif
40025+
40026+ if (0 > pax_check_flags(&pax_flags))
40027+ return -EINVAL;
40028+
40029+ current->mm->pax_flags = pax_flags;
40030+ return 0;
40031+}
40032+#endif
40033+
40034 /*
40035 * These are the functions used to load ELF style executables and shared
40036 * libraries. There is no binary dependent code anywhere else.
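Review bot: The PAGEEXEC/SEGMEXEC conflict resolution — keep SEGMEXEC only when the CPU has no NX bit, otherwise keep PAGEEXEC — is written out three times, in `pax_parse_softmode`, `pax_parse_hardmode` and `pax_parse_ei_pax`, and a fourth flag source would copy it again; hoisting it into one static helper keeps the policy in a single place. Worth documenting on `pax_parse_elf_flags` as well: when both EI_PAX and PT_PAX_FLAGS are enabled, a PT_PAX_FLAGS header replaces the EI_PAX result wholesale rather than merging with it (the assignment `pax_flags = pax_parse_hardmode(&elf_phdata[i])` discards the earlier value), contradictory PT_PAX_FLAGS bits are rejected with -EINVAL, and with PT_PAX_FLAGS alone and no header present the flags come from parsing a synthetic header carrying only `PF_NOEMUTRAMP`. A short comment above the function stating that precedence would save the next reader the derivation.

```c
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
/* PAGEEXEC and SEGMEXEC are mutually exclusive: prefer the hardware NX
 * bit when the CPU has it, otherwise fall back to segmentation. */
static inline unsigned long pax_pick_exec_mode(unsigned long pax_flags)
{
	if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
		if (__supported_pte_mask & _PAGE_NX)
			pax_flags &= ~MF_PAX_SEGMEXEC;
		else
			pax_flags &= ~MF_PAX_PAGEEXEC;
	}
	return pax_flags;
}
#else
static inline unsigned long pax_pick_exec_mode(unsigned long pax_flags)
{
	return pax_flags;
}
#endif

/* … in pax_parse_softmode, pax_parse_hardmode and pax_parse_ei_pax the
 * duplicated #if block is replaced by: … */
	pax_flags = pax_pick_exec_mode(pax_flags);
```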
40037@@ -544,6 +756,11 @@ static unsigned long randomize_stack_top
40038 {
40039 unsigned int random_variable = 0;
40040
40041+#ifdef CONFIG_PAX_RANDUSTACK
40042+ if (randomize_va_space)
40043+ return stack_top - current->mm->delta_stack;
40044+#endif
40045+
40046 if ((current->flags & PF_RANDOMIZE) &&
40047 !(current->personality & ADDR_NO_RANDOMIZE)) {
40048 random_variable = get_random_int() & STACK_RND_MASK;
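Review bot: The `CONFIG_PAX_RANDUSTACK` early return bypasses the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` personality checks that the rest of the function applies, so with `randomize_va_space` set the result depends solely on `current->mm->delta_stack`; that is presumably intended, since delta_stack is reset to 0 and recomputed from `MF_PAX_RANDMMAP` in the load_elf_binary hunk below, but the function does not say so. Suggest `/* PaX: delta_stack (0 unless MF_PAX_RANDMMAP, set per exec in load_elf_binary) replaces the personality-based randomisation */` above the `if`. randomize_stack_top's signature and tail are outside the hunk.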
40049@@ -562,7 +779,7 @@ static int load_elf_binary(struct linux_
40050 unsigned long load_addr = 0, load_bias = 0;
40051 int load_addr_set = 0;
40052 char * elf_interpreter = NULL;
40053- unsigned long error;
40054+ unsigned long error = 0;
40055 struct elf_phdr *elf_ppnt, *elf_phdata;
40056 unsigned long elf_bss, elf_brk;
40057 int retval, i;
40058@@ -572,11 +789,11 @@ static int load_elf_binary(struct linux_
40059 unsigned long start_code, end_code, start_data, end_data;
40060 unsigned long reloc_func_desc __maybe_unused = 0;
40061 int executable_stack = EXSTACK_DEFAULT;
40062- unsigned long def_flags = 0;
40063 struct {
40064 struct elfhdr elf_ex;
40065 struct elfhdr interp_elf_ex;
40066 } *loc;
40067+ unsigned long pax_task_size = TASK_SIZE;
40068
40069 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
40070 if (!loc) {
40071@@ -713,11 +930,81 @@ static int load_elf_binary(struct linux_
40072
40073 /* OK, This is the point of no return */
40074 current->flags &= ~PF_FORKNOEXEC;
40075- current->mm->def_flags = def_flags;
40076+
40077+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
40078+ current->mm->pax_flags = 0UL;
40079+#endif
40080+
40081+#ifdef CONFIG_PAX_DLRESOLVE
40082+ current->mm->call_dl_resolve = 0UL;
40083+#endif
40084+
40085+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
40086+ current->mm->call_syscall = 0UL;
40087+#endif
40088+
40089+#ifdef CONFIG_PAX_ASLR
40090+ current->mm->delta_mmap = 0UL;
40091+ current->mm->delta_stack = 0UL;
40092+#endif
40093+
40094+ current->mm->def_flags = 0;
40095+
40096+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
40097+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
40098+ send_sig(SIGKILL, current, 0);
40099+ goto out_free_dentry;
40100+ }
40101+#endif
40102+
40103+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
40104+ pax_set_initial_flags(bprm);
40105+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
40106+ if (pax_set_initial_flags_func)
40107+ (pax_set_initial_flags_func)(bprm);
40108+#endif
40109+
40110+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
40111+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
40112+ current->mm->context.user_cs_limit = PAGE_SIZE;
40113+ current->mm->def_flags |= VM_PAGEEXEC;
40114+ }
40115+#endif
40116+
40117+#ifdef CONFIG_PAX_SEGMEXEC
40118+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
40119+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
40120+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
40121+ pax_task_size = SEGMEXEC_TASK_SIZE;
40122+ current->mm->def_flags |= VM_NOHUGEPAGE;
40123+ }
40124+#endif
40125+
40126+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
40127+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
40128+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
40129+ put_cpu();
40130+ }
40131+#endif
40132
40133 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
40134 may depend on the personality. */
40135 SET_PERSONALITY(loc->elf_ex);
40136+
40137+#ifdef CONFIG_PAX_ASLR
40138+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
40139+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
40140+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
40141+ }
40142+#endif
40143+
40144+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
40145+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
40146+ executable_stack = EXSTACK_DISABLE_X;
40147+ current->personality &= ~READ_IMPLIES_EXEC;
40148+ } else
40149+#endif
40150+
40151 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
40152 current->personality |= READ_IMPLIES_EXEC;
40153
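Review bot: When `pax_parse_elf_flags()` fails the code sends SIGKILL and jumps to `out_free_dentry` without setting `retval`; at that point, just after the point of no return, `retval` is presumably still the 0 returned by the preceding `flush_old_exec()` (outside the hunk), so load_elf_binary would report success for a binary it has just killed. The comparable check later in this function (`k >= pax_task_size ...`) sets `retval = -EINVAL;` before the jump; this site should do the same: `send_sig(SIGKILL, current, 0); retval = -EINVAL; goto out_free_dentry;`. load_elf_binary starts and ends outside the hunk.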
40154@@ -808,6 +1095,20 @@ static int load_elf_binary(struct linux_
40155 #else
40156 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
40157 #endif
40158+
40159+#ifdef CONFIG_PAX_RANDMMAP
40160+ /* PaX: randomize base address at the default exe base if requested */
40161+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
40162+#ifdef CONFIG_SPARC64
40163+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
40164+#else
40165+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
40166+#endif
40167+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
40168+ elf_flags |= MAP_FIXED;
40169+ }
40170+#endif
40171+
40172 }
40173
40174 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
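Review bot: The randomized base at `if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter)` is applied only when a PT_INTERP is present, so an ET_DYN object executed without an interpreter (ld.so run directly, or a static PIE) keeps whatever the unrandomized branch above chose, and this code adds no entropy for it. If that is deliberate (the no-interpreter case being left to the mmap-base randomization), the comment should say so: `/* PaX: randomize the base only when an interpreter is present; an ET_DYN without PT_INTERP keeps the default base */`. The `elf_flags |= MAP_FIXED` also makes the first segment's mapping unconditional at the chosen address, so the range reachable from PAX_ELF_ET_DYN_BASE plus up to 2^PAX_DELTA_MMAP_LEN pages must stay disjoint from the stack set up earlier; that invariant lives in the per-arch constants and is worth stating next to the MAP_FIXED. The enclosing segment loop of load_elf_binary continues outside the hunk.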
40175@@ -840,9 +1141,9 @@ static int load_elf_binary(struct linux_
40176 * allowed task size. Note that p_filesz must always be
40177 * <= p_memsz so it is only necessary to check p_memsz.
40178 */
40179- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
40180- elf_ppnt->p_memsz > TASK_SIZE ||
40181- TASK_SIZE - elf_ppnt->p_memsz < k) {
40182+ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
40183+ elf_ppnt->p_memsz > pax_task_size ||
40184+ pax_task_size - elf_ppnt->p_memsz < k) {
40185 /* set_brk can never work. Avoid overflows. */
40186 send_sig(SIGKILL, current, 0);
40187 retval = -EINVAL;
40188@@ -870,6 +1171,11 @@ static int load_elf_binary(struct linux_
40189 start_data += load_bias;
40190 end_data += load_bias;
40191
40192+#ifdef CONFIG_PAX_RANDMMAP
40193+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
40194+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
40195+#endif
40196+
40197 /* Calling set_brk effectively mmaps the pages that we need
40198 * for the bss and break sections. We must do this before
40199 * mapping in the interpreter, to make sure it doesn't wind
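Review bot: The brk padding `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4)` adds at most about sixteen pages of slack, and because set_brk page-aligns both ends the sub-page bits are discarded, so the effective entropy is roughly four bits; that is fine as a gap between bss and the heap but should not be read as heap ASLR, so I would say so: `/* PaX: insert 1..17 pages of zero-filled slack between bss and the start of brk (about 4 bits of entropy after page alignment) */`. The slack is charged as bss since it falls inside the set_brk range, which is presumably intended but worth a word. How this composes with the later brk randomization in load_elf_binary is outside the hunk.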
40200@@ -881,9 +1187,11 @@ static int load_elf_binary(struct linux_
40201 goto out_free_dentry;
40202 }
40203 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
40204- send_sig(SIGSEGV, current, 0);
40205- retval = -EFAULT; /* Nobody gets to see this, but.. */
40206- goto out_free_dentry;
40207+ /*
40208+ * This bss-zeroing can fail if the ELF
40209+ * file specifies odd protections. So
40210+ * we don't check the return value
40211+ */
40212 }
40213
40214 if (elf_interpreter) {
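Review bot: The `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` now has an empty body, so padzero() survives only as a side effect of the condition; that reads like a leftover and trips empty-body warnings. If the failure is intentionally ignored, spell it out: `if (likely(elf_bss != elf_brk)) (void)padzero(elf_bss); /* may fail on odd segment protections; deliberately ignored */`. A silently failed padzero leaves the tail of the last file-backed page non-zero, so a binary whose bss begins in a non-writable segment now sees stale file bytes where it expects zeros instead of the SIGSEGV it got before; the comment should state that consequence, not only that the return value is unchecked.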
40215@@ -1098,7 +1406,7 @@ out:
40216 * Decide what to dump of a segment, part, all or none.
40217 */
40218 static unsigned long vma_dump_size(struct vm_area_struct *vma,
40219- unsigned long mm_flags)
40220+ unsigned long mm_flags, long signr)
40221 {
40222 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
40223
40224@@ -1132,7 +1440,7 @@ static unsigned long vma_dump_size(struc
40225 if (vma->vm_file == NULL)
40226 return 0;
40227
40228- if (FILTER(MAPPED_PRIVATE))
40229+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
40230 goto whole;
40231
40232 /*
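Review bot: `if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))` dumps every file-backed private mapping in full whenever the core is for SIGKILL, overriding the user's coredump_filter for those mappings, and the hunk does not say why. Presumably this serves cores that grsecurity forces on a kill so that the mapped code is available for analysis, but that intent and the cost (the core grows by the size of every mapped library and file) should be recorded: `/* grsec: for SIGKILL cores ignore the MAPPED_PRIVATE filter and dump file-backed private mappings in full */`. Whether a SIGKILL can reach elf_core_dump at all depends on do_coredump changes outside this hunk.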
40233@@ -1354,9 +1662,9 @@ static void fill_auxv_note(struct memelf
40234 {
40235 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
40236 int i = 0;
40237- do
40238+ do {
40239 i += 2;
40240- while (auxv[i - 2] != AT_NULL);
40241+ } while (auxv[i - 2] != AT_NULL);
40242 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
40243 }
40244
40245@@ -1862,14 +2170,14 @@ static void fill_extnum_info(struct elfh
40246 }
40247
40248 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
40249- unsigned long mm_flags)
40250+ struct coredump_params *cprm)
40251 {
40252 struct vm_area_struct *vma;
40253 size_t size = 0;
40254
40255 for (vma = first_vma(current, gate_vma); vma != NULL;
40256 vma = next_vma(vma, gate_vma))
40257- size += vma_dump_size(vma, mm_flags);
40258+ size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
40259 return size;
40260 }
40261
40262@@ -1963,7 +2271,7 @@ static int elf_core_dump(struct coredump
40263
40264 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
40265
40266- offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
40267+ offset += elf_core_vma_data_size(gate_vma, cprm);
40268 offset += elf_core_extra_data_size();
40269 e_shoff = offset;
40270
40271@@ -1977,10 +2285,12 @@ static int elf_core_dump(struct coredump
40272 offset = dataoff;
40273
40274 size += sizeof(*elf);
40275+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
40276 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
40277 goto end_coredump;
40278
40279 size += sizeof(*phdr4note);
40280+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
40281 if (size > cprm->limit
40282 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
40283 goto end_coredump;
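Review bot: `gr_learn_resource(current, RLIMIT_CORE, size, 1)` is repeated before each `size > cprm->limit` test in this and the following hunks with identical arguments apart from the size; a tiny helper such as `static inline void gr_core_learn(size_t size) { gr_learn_resource(current, RLIMIT_CORE, size, 1); }` would keep the accounting in one place and make the next write site harder to miss. The call deliberately precedes the limit check so the learner records the size a dump would have needed even when the write is then refused; a one-line comment at the first call would stop a reader from taking the order for a mistake.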
40284@@ -1994,7 +2304,7 @@ static int elf_core_dump(struct coredump
40285 phdr.p_offset = offset;
40286 phdr.p_vaddr = vma->vm_start;
40287 phdr.p_paddr = 0;
40288- phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
40289+ phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
40290 phdr.p_memsz = vma->vm_end - vma->vm_start;
40291 offset += phdr.p_filesz;
40292 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
40293@@ -2005,6 +2315,7 @@ static int elf_core_dump(struct coredump
40294 phdr.p_align = ELF_EXEC_PAGESIZE;
40295
40296 size += sizeof(phdr);
40297+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
40298 if (size > cprm->limit
40299 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
40300 goto end_coredump;
40301@@ -2029,7 +2340,7 @@ static int elf_core_dump(struct coredump
40302 unsigned long addr;
40303 unsigned long end;
40304
40305- end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
40306+ end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
40307
40308 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
40309 struct page *page;
40310@@ -2038,6 +2349,7 @@ static int elf_core_dump(struct coredump
40311 page = get_dump_page(addr);
40312 if (page) {
40313 void *kaddr = kmap(page);
40314+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
40315 stop = ((size += PAGE_SIZE) > cprm->limit) ||
40316 !dump_write(cprm->file, kaddr,
40317 PAGE_SIZE);
40318@@ -2055,6 +2367,7 @@ static int elf_core_dump(struct coredump
40319
40320 if (e_phnum == PN_XNUM) {
40321 size += sizeof(*shdr4extnum);
40322+ gr_learn_resource(current, RLIMIT_CORE, size, 1);
40323 if (size > cprm->limit
40324 || !dump_write(cprm->file, shdr4extnum,
40325 sizeof(*shdr4extnum)))
40326@@ -2075,6 +2388,97 @@ out:
40327
40328 #endif /* CONFIG_ELF_CORE */
40329
40330+#ifdef CONFIG_PAX_MPROTECT
40331+/* PaX: non-PIC ELF libraries need relocations on their executable segments
40332+ * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
40333+ * we'll remove VM_MAYWRITE for good on RELRO segments.
40334+ *
40335+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
40336+ * basis because we want to allow the common case and not the special ones.
40337+ */
40338+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
40339+{
40340+ struct elfhdr elf_h;
40341+ struct elf_phdr elf_p;
40342+ unsigned long i;
40343+ unsigned long oldflags;
40344+ bool is_textrel_rw, is_textrel_rx, is_relro;
40345+
40346+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
40347+ return;
40348+
40349+ oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
40350+ newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
40351+
40352+#ifdef CONFIG_PAX_ELFRELOCS
40353+ /* possible TEXTREL */
40354+ is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
40355+ is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
40356+#else
40357+ is_textrel_rw = false;
40358+ is_textrel_rx = false;
40359+#endif
40360+
40361+ /* possible RELRO */
40362+ is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
40363+
40364+ if (!is_textrel_rw && !is_textrel_rx && !is_relro)
40365+ return;
40366+
40367+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
40368+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
40369+
40370+#ifdef CONFIG_PAX_ETEXECRELOCS
40371+ ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
40372+#else
40373+ ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
40374+#endif
40375+
40376+ (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
40377+ !elf_check_arch(&elf_h) ||
40378+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
40379+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
40380+ return;
40381+
40382+ for (i = 0UL; i < elf_h.e_phnum; i++) {
40383+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
40384+ return;
40385+ switch (elf_p.p_type) {
40386+ case PT_DYNAMIC:
40387+ if (!is_textrel_rw && !is_textrel_rx)
40388+ continue;
40389+ i = 0UL;
40390+ while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
40391+ elf_dyn dyn;
40392+
40393+ if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
40394+ return;
40395+ if (dyn.d_tag == DT_NULL)
40396+ return;
40397+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
40398+ gr_log_textrel(vma);
40399+ if (is_textrel_rw)
40400+ vma->vm_flags |= VM_MAYWRITE;
40401+ else
40402+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
40403+ vma->vm_flags &= ~VM_MAYWRITE;
40404+ return;
40405+ }
40406+ i++;
40407+ }
40408+ return;
40409+
40410+ case PT_GNU_RELRO:
40411+ if (!is_relro)
40412+ continue;
40413+ if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
40414+ vma->vm_flags &= ~VM_MAYWRITE;
40415+ return;
40416+ }
40417+ }
40418+}
40419+#endif
40420+
40421 static int __init init_elf_binfmt(void)
40422 {
40423 return register_binfmt(&elf_format);
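Review bot: The one-time VM_MAYWRITE grant for TEXTREL objects is revoked only by the exact transition matched by `is_textrel_rx` (RW with an anon_vma going to RX), so a sequence such as RW, then R, then RX never hits that test and the segment keeps VM_MAYWRITE for the life of the mapping; as far as the flag tests show, the "once during their life" promise in the header comment holds only for ld.so's relocate-then-reprotect pattern. I would either record that as a known limitation in the comment or widen the revocation to any transition that re-adds VM_EXEC on a file-backed vma that has VM_MAYWRITE but no VM_EXEC. Two smaller points: the PT_DYNAMIC case reuses the outer loop index `i` for the dynamic-entry walk, which is correct only because every path out of that case returns (a separate `j` would make that obvious), and that walk is bounded only by `elf_p.p_filesz` and EOF, so a crafted object with a huge PT_DYNAMIC and no DT_NULL costs one small `kernel_read` per entry at mprotect time. Everything here re-reads the on-disk file rather than the mapped pages, so for a library rewritten after it was mapped the two can disagree.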
40424diff -urNp linux-3.1.1/fs/binfmt_flat.c linux-3.1.1/fs/binfmt_flat.c
40425--- linux-3.1.1/fs/binfmt_flat.c 2011-11-11 15:19:27.000000000 -0500
40426+++ linux-3.1.1/fs/binfmt_flat.c 2011-11-16 18:39:08.000000000 -0500
40427@@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
40428 realdatastart = (unsigned long) -ENOMEM;
40429 printk("Unable to allocate RAM for process data, errno %d\n",
40430 (int)-realdatastart);
40431+ down_write(&current->mm->mmap_sem);
40432 do_munmap(current->mm, textpos, text_len);
40433+ up_write(&current->mm->mmap_sem);
40434 ret = realdatastart;
40435 goto err;
40436 }
40437@@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
40438 }
40439 if (IS_ERR_VALUE(result)) {
40440 printk("Unable to read data+bss, errno %d\n", (int)-result);
40441+ down_write(&current->mm->mmap_sem);
40442 do_munmap(current->mm, textpos, text_len);
40443 do_munmap(current->mm, realdatastart, len);
40444+ up_write(&current->mm->mmap_sem);
40445 ret = result;
40446 goto err;
40447 }
40448@@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
40449 }
40450 if (IS_ERR_VALUE(result)) {
40451 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
40452+ down_write(&current->mm->mmap_sem);
40453 do_munmap(current->mm, textpos, text_len + data_len + extra +
40454 MAX_SHARED_LIBS * sizeof(unsigned long));
40455+ up_write(&current->mm->mmap_sem);
40456 ret = result;
40457 goto err;
40458 }
40459diff -urNp linux-3.1.1/fs/bio.c linux-3.1.1/fs/bio.c
40460--- linux-3.1.1/fs/bio.c 2011-11-11 15:19:27.000000000 -0500
40461+++ linux-3.1.1/fs/bio.c 2011-11-16 18:39:08.000000000 -0500
40462@@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
40463 const int read = bio_data_dir(bio) == READ;
40464 struct bio_map_data *bmd = bio->bi_private;
40465 int i;
40466- char *p = bmd->sgvecs[0].iov_base;
40467+ char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
40468
40469 __bio_for_each_segment(bvec, bio, i, 0) {
40470 char *addr = page_address(bvec->bv_page);
40471diff -urNp linux-3.1.1/fs/block_dev.c linux-3.1.1/fs/block_dev.c
40472--- linux-3.1.1/fs/block_dev.c 2011-11-11 15:19:27.000000000 -0500
40473+++ linux-3.1.1/fs/block_dev.c 2011-11-16 18:39:08.000000000 -0500
40474@@ -681,7 +681,7 @@ static bool bd_may_claim(struct block_de
40475 else if (bdev->bd_contains == bdev)
40476 return true; /* is a whole device which isn't held */
40477
40478- else if (whole->bd_holder == bd_may_claim)
40479+ else if (whole->bd_holder == (void *)bd_may_claim)
40480 return true; /* is a partition of a device that is being partitioned */
40481 else if (whole->bd_holder != NULL)
40482 return false; /* is a partition of a held device */
40483diff -urNp linux-3.1.1/fs/btrfs/ctree.c linux-3.1.1/fs/btrfs/ctree.c
40484--- linux-3.1.1/fs/btrfs/ctree.c 2011-11-11 15:19:27.000000000 -0500
40485+++ linux-3.1.1/fs/btrfs/ctree.c 2011-11-16 18:39:08.000000000 -0500
40486@@ -488,9 +488,12 @@ static noinline int __btrfs_cow_block(st
40487 free_extent_buffer(buf);
40488 add_root_to_dirty_list(root);
40489 } else {
40490- if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
40491- parent_start = parent->start;
40492- else
40493+ if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
40494+ if (parent)
40495+ parent_start = parent->start;
40496+ else
40497+ parent_start = 0;
40498+ } else
40499 parent_start = 0;
40500
40501 WARN_ON(trans->transid != btrfs_header_generation(parent));
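Review bot: The added `if (parent)` guard protects only the `parent->start` read; the unchanged `WARN_ON(trans->transid != btrfs_header_generation(parent));` immediately after it still dereferences `parent` unconditionally, so a NULL parent on the reloc-root path now reaches the WARN_ON instead of the assignment and faults there anyway. Either parent cannot be NULL here and the guard is dead, or the WARN_ON needs the same guard; as written the nested if/else also collapses to `parent_start = (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID && parent) ? parent->start : 0;`. __btrfs_cow_block continues outside the hunk.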
40502diff -urNp linux-3.1.1/fs/btrfs/inode.c linux-3.1.1/fs/btrfs/inode.c
40503--- linux-3.1.1/fs/btrfs/inode.c 2011-11-11 15:19:27.000000000 -0500
40504+++ linux-3.1.1/fs/btrfs/inode.c 2011-11-17 18:12:11.000000000 -0500
40505@@ -6922,7 +6922,7 @@ fail:
40506 return -ENOMEM;
40507 }
40508
40509-static int btrfs_getattr(struct vfsmount *mnt,
40510+int btrfs_getattr(struct vfsmount *mnt,
40511 struct dentry *dentry, struct kstat *stat)
40512 {
40513 struct inode *inode = dentry->d_inode;
40514@@ -6934,6 +6934,14 @@ static int btrfs_getattr(struct vfsmount
40515 return 0;
40516 }
40517
40518+EXPORT_SYMBOL(btrfs_getattr);
40519+
40520+dev_t get_btrfs_dev_from_inode(struct inode *inode)
40521+{
40522+ return BTRFS_I(inode)->root->anon_dev;
40523+}
40524+EXPORT_SYMBOL(get_btrfs_dev_from_inode);
40525+
40526 /*
40527 * If a file is moved, it will inherit the cow and compression flags of the new
40528 * directory.
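Review bot: `get_btrfs_dev_from_inode()` is a new exported entry point with no comment and no prototype visible here; it applies `BTRFS_I()` (a container_of) to whatever inode it is handed, so a caller passing a non-btrfs inode reads garbage rather than getting an error. A comment pinning the contract would help it and the newly non-static `btrfs_getattr` alike: `/* Returns the per-subvolume anonymous dev_t of a btrfs inode; the caller must have checked that inode->i_sb is a btrfs superblock. Exported for out-of-tree callers. */`. Both exports also need declarations in a header the callers include, which is outside this hunk.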
40529diff -urNp linux-3.1.1/fs/btrfs/ioctl.c linux-3.1.1/fs/btrfs/ioctl.c
40530--- linux-3.1.1/fs/btrfs/ioctl.c 2011-11-11 15:19:27.000000000 -0500
40531+++ linux-3.1.1/fs/btrfs/ioctl.c 2011-11-16 18:40:29.000000000 -0500
40532@@ -2704,9 +2704,12 @@ long btrfs_ioctl_space_info(struct btrfs
40533 for (i = 0; i < num_types; i++) {
40534 struct btrfs_space_info *tmp;
40535
40536+ /* Don't copy in more than we allocated */
40537 if (!slot_count)
40538 break;
40539
40540+ slot_count--;
40541+
40542 info = NULL;
40543 rcu_read_lock();
40544 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
40545@@ -2728,15 +2731,12 @@ long btrfs_ioctl_space_info(struct btrfs
40546 memcpy(dest, &space, sizeof(space));
40547 dest++;
40548 space_args.total_spaces++;
40549- slot_count--;
40550 }
40551- if (!slot_count)
40552- break;
40553 }
40554 up_read(&info->groups_sem);
40555 }
40556
40557- user_dest = (struct btrfs_ioctl_space_info *)
40558+ user_dest = (struct btrfs_ioctl_space_info __user *)
40559 (arg + sizeof(struct btrfs_ioctl_space_args));
40560
40561 if (copy_to_user(user_dest, dest_orig, alloc_size))
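Review bot: With the per-entry `slot_count--` and `if (!slot_count) break;` removed from the inner loop, nothing inside that loop bounds `dest++` any more; the preceding hunk decrements `slot_count` once per type instead, while the inner loop (outside the hunk) can emit one entry per RAID profile for a single space_info. Whether that can push `dest` past the kzalloc'd `alloc_size` depends on whether `slot_count` was counted per space_info or per (space_info, RAID type) earlier in the function, which is not visible here; that should be confirmed before relying on this as the overflow fix the comment announces, since an overrun here is a kernel heap write. The `__user` annotation on `user_dest` is fine.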
40562diff -urNp linux-3.1.1/fs/btrfs/relocation.c linux-3.1.1/fs/btrfs/relocation.c
40563--- linux-3.1.1/fs/btrfs/relocation.c 2011-11-11 15:19:27.000000000 -0500
40564+++ linux-3.1.1/fs/btrfs/relocation.c 2011-11-16 18:39:08.000000000 -0500
40565@@ -1242,7 +1242,7 @@ static int __update_reloc_root(struct bt
40566 }
40567 spin_unlock(&rc->reloc_root_tree.lock);
40568
40569- BUG_ON((struct btrfs_root *)node->data != root);
40570+ BUG_ON(!node || (struct btrfs_root *)node->data != root);
40571
40572 if (!del) {
40573 spin_lock(&rc->reloc_root_tree.lock);
40574diff -urNp linux-3.1.1/fs/cachefiles/bind.c linux-3.1.1/fs/cachefiles/bind.c
40575--- linux-3.1.1/fs/cachefiles/bind.c 2011-11-11 15:19:27.000000000 -0500
40576+++ linux-3.1.1/fs/cachefiles/bind.c 2011-11-16 18:39:08.000000000 -0500
40577@@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
40578 args);
40579
40580 /* start by checking things over */
40581- ASSERT(cache->fstop_percent >= 0 &&
40582- cache->fstop_percent < cache->fcull_percent &&
40583+ ASSERT(cache->fstop_percent < cache->fcull_percent &&
40584 cache->fcull_percent < cache->frun_percent &&
40585 cache->frun_percent < 100);
40586
40587- ASSERT(cache->bstop_percent >= 0 &&
40588- cache->bstop_percent < cache->bcull_percent &&
40589+ ASSERT(cache->bstop_percent < cache->bcull_percent &&
40590 cache->bcull_percent < cache->brun_percent &&
40591 cache->brun_percent < 100);
40592
40593diff -urNp linux-3.1.1/fs/cachefiles/daemon.c linux-3.1.1/fs/cachefiles/daemon.c
40594--- linux-3.1.1/fs/cachefiles/daemon.c 2011-11-11 15:19:27.000000000 -0500
40595+++ linux-3.1.1/fs/cachefiles/daemon.c 2011-11-16 18:39:08.000000000 -0500
40596@@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
40597 if (n > buflen)
40598 return -EMSGSIZE;
40599
40600- if (copy_to_user(_buffer, buffer, n) != 0)
40601+ if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
40602 return -EFAULT;
40603
40604 return n;
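Review bot: The new `n > sizeof(buffer)` test covers the case where the snprintf that produced `n` truncated, in which case `copy_to_user` would otherwise read past the stack buffer; good, but returning -EFAULT for that reports a kernel-side formatting bug as a bad user pointer. Since the earlier `n > buflen` check already returns -EMSGSIZE, I would mirror it on its own line, `if (n > sizeof(buffer)) return -EMSGSIZE;`, and leave -EFAULT to a genuine copy failure. With the format presumably used here the truncation may be unreachable, but the guard costs nothing.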
40605@@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
40606 if (test_bit(CACHEFILES_DEAD, &cache->flags))
40607 return -EIO;
40608
40609- if (datalen < 0 || datalen > PAGE_SIZE - 1)
40610+ if (datalen > PAGE_SIZE - 1)
40611 return -EOPNOTSUPP;
40612
40613 /* drag the command string into the kernel so we can parse it */
40614@@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
40615 if (args[0] != '%' || args[1] != '\0')
40616 return -EINVAL;
40617
40618- if (fstop < 0 || fstop >= cache->fcull_percent)
40619+ if (fstop >= cache->fcull_percent)
40620 return cachefiles_daemon_range_error(cache, args);
40621
40622 cache->fstop_percent = fstop;
40623@@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
40624 if (args[0] != '%' || args[1] != '\0')
40625 return -EINVAL;
40626
40627- if (bstop < 0 || bstop >= cache->bcull_percent)
40628+ if (bstop >= cache->bcull_percent)
40629 return cachefiles_daemon_range_error(cache, args);
40630
40631 cache->bstop_percent = bstop;
40632diff -urNp linux-3.1.1/fs/cachefiles/internal.h linux-3.1.1/fs/cachefiles/internal.h
40633--- linux-3.1.1/fs/cachefiles/internal.h 2011-11-11 15:19:27.000000000 -0500
40634+++ linux-3.1.1/fs/cachefiles/internal.h 2011-11-16 18:39:08.000000000 -0500
40635@@ -57,7 +57,7 @@ struct cachefiles_cache {
40636 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
40637 struct rb_root active_nodes; /* active nodes (can't be culled) */
40638 rwlock_t active_lock; /* lock for active_nodes */
40639- atomic_t gravecounter; /* graveyard uniquifier */
40640+ atomic_unchecked_t gravecounter; /* graveyard uniquifier */
40641 unsigned frun_percent; /* when to stop culling (% files) */
40642 unsigned fcull_percent; /* when to start culling (% files) */
40643 unsigned fstop_percent; /* when to stop allocating (% files) */
40644@@ -169,19 +169,19 @@ extern int cachefiles_check_in_use(struc
40645 * proc.c
40646 */
40647 #ifdef CONFIG_CACHEFILES_HISTOGRAM
40648-extern atomic_t cachefiles_lookup_histogram[HZ];
40649-extern atomic_t cachefiles_mkdir_histogram[HZ];
40650-extern atomic_t cachefiles_create_histogram[HZ];
40651+extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
40652+extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
40653+extern atomic_unchecked_t cachefiles_create_histogram[HZ];
40654
40655 extern int __init cachefiles_proc_init(void);
40656 extern void cachefiles_proc_cleanup(void);
40657 static inline
40658-void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
40659+void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
40660 {
40661 unsigned long jif = jiffies - start_jif;
40662 if (jif >= HZ)
40663 jif = HZ - 1;
40664- atomic_inc(&histogram[jif]);
40665+ atomic_inc_unchecked(&histogram[jif]);
40666 }
40667
40668 #else
40669diff -urNp linux-3.1.1/fs/cachefiles/namei.c linux-3.1.1/fs/cachefiles/namei.c
40670--- linux-3.1.1/fs/cachefiles/namei.c 2011-11-11 15:19:27.000000000 -0500
40671+++ linux-3.1.1/fs/cachefiles/namei.c 2011-11-16 18:39:08.000000000 -0500
40672@@ -318,7 +318,7 @@ try_again:
40673 /* first step is to make up a grave dentry in the graveyard */
40674 sprintf(nbuffer, "%08x%08x",
40675 (uint32_t) get_seconds(),
40676- (uint32_t) atomic_inc_return(&cache->gravecounter));
40677+ (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
40678
40679 /* do the multiway lock magic */
40680 trap = lock_rename(cache->graveyard, dir);
40681diff -urNp linux-3.1.1/fs/cachefiles/proc.c linux-3.1.1/fs/cachefiles/proc.c
40682--- linux-3.1.1/fs/cachefiles/proc.c 2011-11-11 15:19:27.000000000 -0500
40683+++ linux-3.1.1/fs/cachefiles/proc.c 2011-11-16 18:39:08.000000000 -0500
40684@@ -14,9 +14,9 @@
40685 #include <linux/seq_file.h>
40686 #include "internal.h"
40687
40688-atomic_t cachefiles_lookup_histogram[HZ];
40689-atomic_t cachefiles_mkdir_histogram[HZ];
40690-atomic_t cachefiles_create_histogram[HZ];
40691+atomic_unchecked_t cachefiles_lookup_histogram[HZ];
40692+atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
40693+atomic_unchecked_t cachefiles_create_histogram[HZ];
40694
40695 /*
40696 * display the latency histogram
40697@@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
40698 return 0;
40699 default:
40700 index = (unsigned long) v - 3;
40701- x = atomic_read(&cachefiles_lookup_histogram[index]);
40702- y = atomic_read(&cachefiles_mkdir_histogram[index]);
40703- z = atomic_read(&cachefiles_create_histogram[index]);
40704+ x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
40705+ y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
40706+ z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
40707 if (x == 0 && y == 0 && z == 0)
40708 return 0;
40709
40710diff -urNp linux-3.1.1/fs/cachefiles/rdwr.c linux-3.1.1/fs/cachefiles/rdwr.c
40711--- linux-3.1.1/fs/cachefiles/rdwr.c 2011-11-11 15:19:27.000000000 -0500
40712+++ linux-3.1.1/fs/cachefiles/rdwr.c 2011-11-16 18:39:08.000000000 -0500
40713@@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
40714 old_fs = get_fs();
40715 set_fs(KERNEL_DS);
40716 ret = file->f_op->write(
40717- file, (const void __user *) data, len, &pos);
40718+ file, (const void __force_user *) data, len, &pos);
40719 set_fs(old_fs);
40720 kunmap(page);
40721 if (ret != len)
40722diff -urNp linux-3.1.1/fs/ceph/dir.c linux-3.1.1/fs/ceph/dir.c
40723--- linux-3.1.1/fs/ceph/dir.c 2011-11-11 15:19:27.000000000 -0500
40724+++ linux-3.1.1/fs/ceph/dir.c 2011-11-16 18:39:08.000000000 -0500
40725@@ -244,7 +244,7 @@ static int ceph_readdir(struct file *fil
40726 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
40727 struct ceph_mds_client *mdsc = fsc->mdsc;
40728 unsigned frag = fpos_frag(filp->f_pos);
40729- int off = fpos_off(filp->f_pos);
40730+ unsigned int off = fpos_off(filp->f_pos);
40731 int err;
40732 u32 ftype;
40733 struct ceph_mds_reply_info_parsed *rinfo;
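Review bot: Changing `off` to `unsigned int` removes the negative-index hazard when fpos_off() yields a value with the top bit set, but every use of `off` in ceph_readdir is outside this hunk: any `off < 0` test there becomes dead, and any `off - N` or comparison against a signed `int` now wraps or promotes to unsigned instead of going negative. Those uses should be checked in the same change, and a short note at the declaration, `/* unsigned: fpos_off() may return values >= 2^31, never treat as signed */`, would record why this local differs from the surrounding `int`s.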
40734diff -urNp linux-3.1.1/fs/cifs/cifs_debug.c linux-3.1.1/fs/cifs/cifs_debug.c
40735--- linux-3.1.1/fs/cifs/cifs_debug.c 2011-11-11 15:19:27.000000000 -0500
40736+++ linux-3.1.1/fs/cifs/cifs_debug.c 2011-11-16 18:39:08.000000000 -0500
40737@@ -265,8 +265,8 @@ static ssize_t cifs_stats_proc_write(str
40738
40739 if (c == '1' || c == 'y' || c == 'Y' || c == '0') {
40740 #ifdef CONFIG_CIFS_STATS2
40741- atomic_set(&totBufAllocCount, 0);
40742- atomic_set(&totSmBufAllocCount, 0);
40743+ atomic_set_unchecked(&totBufAllocCount, 0);
40744+ atomic_set_unchecked(&totSmBufAllocCount, 0);
40745 #endif /* CONFIG_CIFS_STATS2 */
40746 spin_lock(&cifs_tcp_ses_lock);
40747 list_for_each(tmp1, &cifs_tcp_ses_list) {
40748@@ -279,25 +279,25 @@ static ssize_t cifs_stats_proc_write(str
40749 tcon = list_entry(tmp3,
40750 struct cifs_tcon,
40751 tcon_list);
40752- atomic_set(&tcon->num_smbs_sent, 0);
40753- atomic_set(&tcon->num_writes, 0);
40754- atomic_set(&tcon->num_reads, 0);
40755- atomic_set(&tcon->num_oplock_brks, 0);
40756- atomic_set(&tcon->num_opens, 0);
40757- atomic_set(&tcon->num_posixopens, 0);
40758- atomic_set(&tcon->num_posixmkdirs, 0);
40759- atomic_set(&tcon->num_closes, 0);
40760- atomic_set(&tcon->num_deletes, 0);
40761- atomic_set(&tcon->num_mkdirs, 0);
40762- atomic_set(&tcon->num_rmdirs, 0);
40763- atomic_set(&tcon->num_renames, 0);
40764- atomic_set(&tcon->num_t2renames, 0);
40765- atomic_set(&tcon->num_ffirst, 0);
40766- atomic_set(&tcon->num_fnext, 0);
40767- atomic_set(&tcon->num_fclose, 0);
40768- atomic_set(&tcon->num_hardlinks, 0);
40769- atomic_set(&tcon->num_symlinks, 0);
40770- atomic_set(&tcon->num_locks, 0);
40771+ atomic_set_unchecked(&tcon->num_smbs_sent, 0);
40772+ atomic_set_unchecked(&tcon->num_writes, 0);
40773+ atomic_set_unchecked(&tcon->num_reads, 0);
40774+ atomic_set_unchecked(&tcon->num_oplock_brks, 0);
40775+ atomic_set_unchecked(&tcon->num_opens, 0);
40776+ atomic_set_unchecked(&tcon->num_posixopens, 0);
40777+ atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
40778+ atomic_set_unchecked(&tcon->num_closes, 0);
40779+ atomic_set_unchecked(&tcon->num_deletes, 0);
40780+ atomic_set_unchecked(&tcon->num_mkdirs, 0);
40781+ atomic_set_unchecked(&tcon->num_rmdirs, 0);
40782+ atomic_set_unchecked(&tcon->num_renames, 0);
40783+ atomic_set_unchecked(&tcon->num_t2renames, 0);
40784+ atomic_set_unchecked(&tcon->num_ffirst, 0);
40785+ atomic_set_unchecked(&tcon->num_fnext, 0);
40786+ atomic_set_unchecked(&tcon->num_fclose, 0);
40787+ atomic_set_unchecked(&tcon->num_hardlinks, 0);
40788+ atomic_set_unchecked(&tcon->num_symlinks, 0);
40789+ atomic_set_unchecked(&tcon->num_locks, 0);
40790 }
40791 }
40792 }
40793@@ -327,8 +327,8 @@ static int cifs_stats_proc_show(struct s
40794 smBufAllocCount.counter, cifs_min_small);
40795 #ifdef CONFIG_CIFS_STATS2
40796 seq_printf(m, "Total Large %d Small %d Allocations\n",
40797- atomic_read(&totBufAllocCount),
40798- atomic_read(&totSmBufAllocCount));
40799+ atomic_read_unchecked(&totBufAllocCount),
40800+ atomic_read_unchecked(&totSmBufAllocCount));
40801 #endif /* CONFIG_CIFS_STATS2 */
40802
40803 seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
40804@@ -357,41 +357,41 @@ static int cifs_stats_proc_show(struct s
40805 if (tcon->need_reconnect)
40806 seq_puts(m, "\tDISCONNECTED ");
40807 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
40808- atomic_read(&tcon->num_smbs_sent),
40809- atomic_read(&tcon->num_oplock_brks));
40810+ atomic_read_unchecked(&tcon->num_smbs_sent),
40811+ atomic_read_unchecked(&tcon->num_oplock_brks));
40812 seq_printf(m, "\nReads: %d Bytes: %lld",
40813- atomic_read(&tcon->num_reads),
40814+ atomic_read_unchecked(&tcon->num_reads),
40815 (long long)(tcon->bytes_read));
40816 seq_printf(m, "\nWrites: %d Bytes: %lld",
40817- atomic_read(&tcon->num_writes),
40818+ atomic_read_unchecked(&tcon->num_writes),
40819 (long long)(tcon->bytes_written));
40820 seq_printf(m, "\nFlushes: %d",
40821- atomic_read(&tcon->num_flushes));
40822+ atomic_read_unchecked(&tcon->num_flushes));
40823 seq_printf(m, "\nLocks: %d HardLinks: %d "
40824 "Symlinks: %d",
40825- atomic_read(&tcon->num_locks),
40826- atomic_read(&tcon->num_hardlinks),
40827- atomic_read(&tcon->num_symlinks));
40828+ atomic_read_unchecked(&tcon->num_locks),
40829+ atomic_read_unchecked(&tcon->num_hardlinks),
40830+ atomic_read_unchecked(&tcon->num_symlinks));
40831 seq_printf(m, "\nOpens: %d Closes: %d "
40832 "Deletes: %d",
40833- atomic_read(&tcon->num_opens),
40834- atomic_read(&tcon->num_closes),
40835- atomic_read(&tcon->num_deletes));
40836+ atomic_read_unchecked(&tcon->num_opens),
40837+ atomic_read_unchecked(&tcon->num_closes),
40838+ atomic_read_unchecked(&tcon->num_deletes));
40839 seq_printf(m, "\nPosix Opens: %d "
40840 "Posix Mkdirs: %d",
40841- atomic_read(&tcon->num_posixopens),
40842- atomic_read(&tcon->num_posixmkdirs));
40843+ atomic_read_unchecked(&tcon->num_posixopens),
40844+ atomic_read_unchecked(&tcon->num_posixmkdirs));
40845 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
40846- atomic_read(&tcon->num_mkdirs),
40847- atomic_read(&tcon->num_rmdirs));
40848+ atomic_read_unchecked(&tcon->num_mkdirs),
40849+ atomic_read_unchecked(&tcon->num_rmdirs));
40850 seq_printf(m, "\nRenames: %d T2 Renames %d",
40851- atomic_read(&tcon->num_renames),
40852- atomic_read(&tcon->num_t2renames));
40853+ atomic_read_unchecked(&tcon->num_renames),
40854+ atomic_read_unchecked(&tcon->num_t2renames));
40855 seq_printf(m, "\nFindFirst: %d FNext %d "
40856 "FClose %d",
40857- atomic_read(&tcon->num_ffirst),
40858- atomic_read(&tcon->num_fnext),
40859- atomic_read(&tcon->num_fclose));
40860+ atomic_read_unchecked(&tcon->num_ffirst),
40861+ atomic_read_unchecked(&tcon->num_fnext),
40862+ atomic_read_unchecked(&tcon->num_fclose));
40863 }
40864 }
40865 }
40866diff -urNp linux-3.1.1/fs/cifs/cifsfs.c linux-3.1.1/fs/cifs/cifsfs.c
40867--- linux-3.1.1/fs/cifs/cifsfs.c 2011-11-11 15:19:27.000000000 -0500
40868+++ linux-3.1.1/fs/cifs/cifsfs.c 2011-11-16 18:39:08.000000000 -0500
40869@@ -981,7 +981,7 @@ cifs_init_request_bufs(void)
40870 cifs_req_cachep = kmem_cache_create("cifs_request",
40871 CIFSMaxBufSize +
40872 MAX_CIFS_HDR_SIZE, 0,
40873- SLAB_HWCACHE_ALIGN, NULL);
40874+ SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
40875 if (cifs_req_cachep == NULL)
40876 return -ENOMEM;
40877
40878@@ -1008,7 +1008,7 @@ cifs_init_request_bufs(void)
40879 efficient to alloc 1 per page off the slab compared to 17K (5page)
40880 alloc of large cifs buffers even when page debugging is on */
40881 cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
40882- MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
40883+ MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
40884 NULL);
40885 if (cifs_sm_req_cachep == NULL) {
40886 mempool_destroy(cifs_req_poolp);
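Review bot: `SLAB_USERCOPY` on `cifs_small_rq` (and on `cifs_request` in the previous hunk) whitelists every object of these caches as a source or destination for copy_{to,from}_user under PAX_USERCOPY, but the flag alone does not say why, so someone hardening this later cannot tell which copy paths depend on it. Record the reason at the allocation: `/* PaX USERCOPY: SMB request/response buffers are copied to and from user space directly, so the whole cache must be whitelisted */`. Only the caches are flagged here; the copy sites that need the whitelist are elsewhere in fs/cifs and are presumably what motivated the change.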
40887@@ -1093,8 +1093,8 @@ init_cifs(void)
40888 atomic_set(&bufAllocCount, 0);
40889 atomic_set(&smBufAllocCount, 0);
40890 #ifdef CONFIG_CIFS_STATS2
40891- atomic_set(&totBufAllocCount, 0);
40892- atomic_set(&totSmBufAllocCount, 0);
40893+ atomic_set_unchecked(&totBufAllocCount, 0);
40894+ atomic_set_unchecked(&totSmBufAllocCount, 0);
40895 #endif /* CONFIG_CIFS_STATS2 */
40896
40897 atomic_set(&midCount, 0);
40898diff -urNp linux-3.1.1/fs/cifs/cifsglob.h linux-3.1.1/fs/cifs/cifsglob.h
40899--- linux-3.1.1/fs/cifs/cifsglob.h 2011-11-11 15:19:27.000000000 -0500
40900+++ linux-3.1.1/fs/cifs/cifsglob.h 2011-11-16 18:39:08.000000000 -0500
40901@@ -381,28 +381,28 @@ struct cifs_tcon {
40902 __u16 Flags; /* optional support bits */
40903 enum statusEnum tidStatus;
40904 #ifdef CONFIG_CIFS_STATS
40905- atomic_t num_smbs_sent;
40906- atomic_t num_writes;
40907- atomic_t num_reads;
40908- atomic_t num_flushes;
40909- atomic_t num_oplock_brks;
40910- atomic_t num_opens;
40911- atomic_t num_closes;
40912- atomic_t num_deletes;
40913- atomic_t num_mkdirs;
40914- atomic_t num_posixopens;
40915- atomic_t num_posixmkdirs;
40916- atomic_t num_rmdirs;
40917- atomic_t num_renames;
40918- atomic_t num_t2renames;
40919- atomic_t num_ffirst;
40920- atomic_t num_fnext;
40921- atomic_t num_fclose;
40922- atomic_t num_hardlinks;
40923- atomic_t num_symlinks;
40924- atomic_t num_locks;
40925- atomic_t num_acl_get;
40926- atomic_t num_acl_set;
40927+ atomic_unchecked_t num_smbs_sent;
40928+ atomic_unchecked_t num_writes;
40929+ atomic_unchecked_t num_reads;
40930+ atomic_unchecked_t num_flushes;
40931+ atomic_unchecked_t num_oplock_brks;
40932+ atomic_unchecked_t num_opens;
40933+ atomic_unchecked_t num_closes;
40934+ atomic_unchecked_t num_deletes;
40935+ atomic_unchecked_t num_mkdirs;
40936+ atomic_unchecked_t num_posixopens;
40937+ atomic_unchecked_t num_posixmkdirs;
40938+ atomic_unchecked_t num_rmdirs;
40939+ atomic_unchecked_t num_renames;
40940+ atomic_unchecked_t num_t2renames;
40941+ atomic_unchecked_t num_ffirst;
40942+ atomic_unchecked_t num_fnext;
40943+ atomic_unchecked_t num_fclose;
40944+ atomic_unchecked_t num_hardlinks;
40945+ atomic_unchecked_t num_symlinks;
40946+ atomic_unchecked_t num_locks;
40947+ atomic_unchecked_t num_acl_get;
40948+ atomic_unchecked_t num_acl_set;
40949 #ifdef CONFIG_CIFS_STATS2
40950 unsigned long long time_writes;
40951 unsigned long long time_reads;
40952@@ -613,7 +613,7 @@ convert_delimiter(char *path, char delim
40953 }
40954
40955 #ifdef CONFIG_CIFS_STATS
40956-#define cifs_stats_inc atomic_inc
40957+#define cifs_stats_inc atomic_inc_unchecked
40958
40959 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
40960 unsigned int bytes)
40961@@ -953,8 +953,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
40962 /* Various Debug counters */
40963 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
40964 #ifdef CONFIG_CIFS_STATS2
40965-GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
40966-GLOBAL_EXTERN atomic_t totSmBufAllocCount;
40967+GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
40968+GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
40969 #endif
40970 GLOBAL_EXTERN atomic_t smBufAllocCount;
40971 GLOBAL_EXTERN atomic_t midCount;
40972diff -urNp linux-3.1.1/fs/cifs/link.c linux-3.1.1/fs/cifs/link.c
40973--- linux-3.1.1/fs/cifs/link.c 2011-11-11 15:19:27.000000000 -0500
40974+++ linux-3.1.1/fs/cifs/link.c 2011-11-16 18:39:08.000000000 -0500
40975@@ -593,7 +593,7 @@ symlink_exit:
40976
40977 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
40978 {
40979- char *p = nd_get_link(nd);
40980+ const char *p = nd_get_link(nd);
40981 if (!IS_ERR(p))
40982 kfree(p);
40983 }
40984diff -urNp linux-3.1.1/fs/cifs/misc.c linux-3.1.1/fs/cifs/misc.c
40985--- linux-3.1.1/fs/cifs/misc.c 2011-11-11 15:19:27.000000000 -0500
40986+++ linux-3.1.1/fs/cifs/misc.c 2011-11-16 18:39:08.000000000 -0500
40987@@ -156,7 +156,7 @@ cifs_buf_get(void)
40988 memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
40989 atomic_inc(&bufAllocCount);
40990 #ifdef CONFIG_CIFS_STATS2
40991- atomic_inc(&totBufAllocCount);
40992+ atomic_inc_unchecked(&totBufAllocCount);
40993 #endif /* CONFIG_CIFS_STATS2 */
40994 }
40995
40996@@ -191,7 +191,7 @@ cifs_small_buf_get(void)
40997 /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
40998 atomic_inc(&smBufAllocCount);
40999 #ifdef CONFIG_CIFS_STATS2
41000- atomic_inc(&totSmBufAllocCount);
41001+ atomic_inc_unchecked(&totSmBufAllocCount);
41002 #endif /* CONFIG_CIFS_STATS2 */
41003
41004 }
41005diff -urNp linux-3.1.1/fs/coda/cache.c linux-3.1.1/fs/coda/cache.c
41006--- linux-3.1.1/fs/coda/cache.c 2011-11-11 15:19:27.000000000 -0500
41007+++ linux-3.1.1/fs/coda/cache.c 2011-11-16 18:39:08.000000000 -0500
41008@@ -24,7 +24,7 @@
41009 #include "coda_linux.h"
41010 #include "coda_cache.h"
41011
41012-static atomic_t permission_epoch = ATOMIC_INIT(0);
41013+static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
41014
41015 /* replace or extend an acl cache hit */
41016 void coda_cache_enter(struct inode *inode, int mask)
41017@@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inod
41018 struct coda_inode_info *cii = ITOC(inode);
41019
41020 spin_lock(&cii->c_lock);
41021- cii->c_cached_epoch = atomic_read(&permission_epoch);
41022+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
41023 if (cii->c_uid != current_fsuid()) {
41024 cii->c_uid = current_fsuid();
41025 cii->c_cached_perm = mask;
41026@@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode
41027 {
41028 struct coda_inode_info *cii = ITOC(inode);
41029 spin_lock(&cii->c_lock);
41030- cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
41031+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
41032 spin_unlock(&cii->c_lock);
41033 }
41034
41035 /* remove all acl caches */
41036 void coda_cache_clear_all(struct super_block *sb)
41037 {
41038- atomic_inc(&permission_epoch);
41039+ atomic_inc_unchecked(&permission_epoch);
41040 }
41041
41042
41043@@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode
41044 spin_lock(&cii->c_lock);
41045 hit = (mask & cii->c_cached_perm) == mask &&
41046 cii->c_uid == current_fsuid() &&
41047- cii->c_cached_epoch == atomic_read(&permission_epoch);
41048+ cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
41049 spin_unlock(&cii->c_lock);
41050
41051 return hit;
41052diff -urNp linux-3.1.1/fs/compat_binfmt_elf.c linux-3.1.1/fs/compat_binfmt_elf.c
41053--- linux-3.1.1/fs/compat_binfmt_elf.c 2011-11-11 15:19:27.000000000 -0500
41054+++ linux-3.1.1/fs/compat_binfmt_elf.c 2011-11-16 18:39:08.000000000 -0500
41055@@ -30,11 +30,13 @@
41056 #undef elf_phdr
41057 #undef elf_shdr
41058 #undef elf_note
41059+#undef elf_dyn
41060 #undef elf_addr_t
41061 #define elfhdr elf32_hdr
41062 #define elf_phdr elf32_phdr
41063 #define elf_shdr elf32_shdr
41064 #define elf_note elf32_note
41065+#define elf_dyn Elf32_Dyn
41066 #define elf_addr_t Elf32_Addr
41067
41068 /*
41069diff -urNp linux-3.1.1/fs/compat.c linux-3.1.1/fs/compat.c
41070--- linux-3.1.1/fs/compat.c 2011-11-11 15:19:27.000000000 -0500
41071+++ linux-3.1.1/fs/compat.c 2011-11-16 18:40:29.000000000 -0500
41072@@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(const
41073 static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
41074 {
41075 compat_ino_t ino = stat->ino;
41076- typeof(ubuf->st_uid) uid = 0;
41077- typeof(ubuf->st_gid) gid = 0;
41078+ typeof(((struct compat_stat *)0)->st_uid) uid = 0;
41079+ typeof(((struct compat_stat *)0)->st_gid) gid = 0;
41080 int err;
41081
41082 SET_UID(uid, stat->uid);
41083@@ -508,7 +508,7 @@ compat_sys_io_setup(unsigned nr_reqs, u3
41084
41085 set_fs(KERNEL_DS);
41086 /* The __user pointer cast is valid because of the set_fs() */
41087- ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
41088+ ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
41089 set_fs(oldfs);
41090 /* truncating is ok because it's a user address */
41091 if (!ret)
41092@@ -566,7 +566,7 @@ ssize_t compat_rw_copy_check_uvector(int
41093 goto out;
41094
41095 ret = -EINVAL;
41096- if (nr_segs > UIO_MAXIOV || nr_segs < 0)
41097+ if (nr_segs > UIO_MAXIOV)
41098 goto out;
41099 if (nr_segs > fast_segs) {
41100 ret = -ENOMEM;
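Review bot: Dropping `nr_segs < 0` is only correct if nr_segs is an unsigned type, in which case the comparison was dead code; the parameter's declaration is outside the hunk (in mainline 3.1 it is `unsigned long`), so the reason should be recorded at the remaining check, e.g. `/* nr_segs is unsigned: only the upper bound can fail */`. If nr_segs were signed here, a negative value would now fall through into the `nr_segs > fast_segs` allocation path below. The enclosing function starts outside the hunk.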
41101@@ -848,6 +848,7 @@ struct compat_old_linux_dirent {
41102
41103 struct compat_readdir_callback {
41104 struct compat_old_linux_dirent __user *dirent;
41105+ struct file * file;
41106 int result;
41107 };
41108
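Review bot: The new member is written `struct file * file;` with spaces on both sides of the asterisk, whereas the surrounding kernel code binds the pointer declarator to the name; `struct file *file;` is the form Documentation/CodingStyle asks for. The same spelling recurs in the compat_getdents_callback and compat_getdents_callback64 hunks further down in this file.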
41109@@ -865,6 +866,10 @@ static int compat_fillonedir(void *__buf
41110 buf->result = -EOVERFLOW;
41111 return -EOVERFLOW;
41112 }
41113+
41114+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
41115+ return 0;
41116+
41117 buf->result++;
41118 dirent = buf->dirent;
41119 if (!access_ok(VERIFY_WRITE, dirent,
41120@@ -897,6 +902,7 @@ asmlinkage long compat_sys_old_readdir(u
41121
41122 buf.result = 0;
41123 buf.dirent = dirent;
41124+ buf.file = file;
41125
41126 error = vfs_readdir(file, compat_fillonedir, &buf);
41127 if (buf.result)
41128@@ -917,6 +923,7 @@ struct compat_linux_dirent {
41129 struct compat_getdents_callback {
41130 struct compat_linux_dirent __user *current_dir;
41131 struct compat_linux_dirent __user *previous;
41132+ struct file * file;
41133 int count;
41134 int error;
41135 };
41136@@ -938,6 +945,10 @@ static int compat_filldir(void *__buf, c
41137 buf->error = -EOVERFLOW;
41138 return -EOVERFLOW;
41139 }
41140+
41141+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
41142+ return 0;
41143+
41144 dirent = buf->previous;
41145 if (dirent) {
41146 if (__put_user(offset, &dirent->d_off))
41147@@ -985,6 +996,7 @@ asmlinkage long compat_sys_getdents(unsi
41148 buf.previous = NULL;
41149 buf.count = count;
41150 buf.error = 0;
41151+ buf.file = file;
41152
41153 error = vfs_readdir(file, compat_filldir, &buf);
41154 if (error >= 0)
41155@@ -1006,6 +1018,7 @@ out:
41156 struct compat_getdents_callback64 {
41157 struct linux_dirent64 __user *current_dir;
41158 struct linux_dirent64 __user *previous;
41159+ struct file * file;
41160 int count;
41161 int error;
41162 };
41163@@ -1022,6 +1035,10 @@ static int compat_filldir64(void * __buf
41164 buf->error = -EINVAL; /* only used if we fail.. */
41165 if (reclen > buf->count)
41166 return -EINVAL;
41167+
41168+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
41169+ return 0;
41170+
41171 dirent = buf->previous;
41172
41173 if (dirent) {
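Review bot: The new early `return 0` sits after `buf->error = -EINVAL; /* only used if we fail.. */` has already been stored, so when gr_acl_handle_filldir hides every remaining entry buf->error stays -EINVAL while buf->previous stays NULL, and compat_sys_getdents64 (`if (error >= 0) error = buf.error;` in the next hunk) would presumably report -EINVAL instead of end-of-directory. Clearing the status when an entry is deliberately skipped avoids that: `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) { buf->error = 0; return 0; }`. The compat_filldir hunk above has the same structure; its `buf->error = -EINVAL` line lies outside that hunk, so confirm it there as well. compat_fillonedir does not pre-set an error before the check and is unaffected.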
41174@@ -1073,13 +1090,14 @@ asmlinkage long compat_sys_getdents64(un
41175 buf.previous = NULL;
41176 buf.count = count;
41177 buf.error = 0;
41178+ buf.file = file;
41179
41180 error = vfs_readdir(file, compat_filldir64, &buf);
41181 if (error >= 0)
41182 error = buf.error;
41183 lastdirent = buf.previous;
41184 if (lastdirent) {
41185- typeof(lastdirent->d_off) d_off = file->f_pos;
41186+ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
41187 if (__put_user_unaligned(d_off, &lastdirent->d_off))
41188 error = -EFAULT;
41189 else
41190@@ -1446,6 +1464,8 @@ int compat_core_sys_select(int n, compat
41191 struct fdtable *fdt;
41192 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
41193
41194+ pax_track_stack();
41195+
41196 if (n < 0)
41197 goto out_nofds;
41198
41199diff -urNp linux-3.1.1/fs/compat_ioctl.c linux-3.1.1/fs/compat_ioctl.c
41200--- linux-3.1.1/fs/compat_ioctl.c 2011-11-11 15:19:27.000000000 -0500
41201+++ linux-3.1.1/fs/compat_ioctl.c 2011-11-16 18:39:08.000000000 -0500
41202@@ -210,6 +210,8 @@ static int do_video_set_spu_palette(unsi
41203
41204 err = get_user(palp, &up->palette);
41205 err |= get_user(length, &up->length);
41206+ if (err)
41207+ return -EFAULT;
41208
41209 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
41210 err = put_user(compat_ptr(palp), &up_native->palette);
41211@@ -621,7 +623,7 @@ static int serial_struct_ioctl(unsigned
41212 return -EFAULT;
41213 if (__get_user(udata, &ss32->iomem_base))
41214 return -EFAULT;
41215- ss.iomem_base = compat_ptr(udata);
41216+ ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
41217 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
41218 __get_user(ss.port_high, &ss32->port_high))
41219 return -EFAULT;
41220@@ -796,7 +798,7 @@ static int compat_ioctl_preallocate(stru
41221 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
41222 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
41223 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
41224- copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
41225+ copy_in_user(p->l_pad, &p32->l_pad, 4*sizeof(u32)))
41226 return -EFAULT;
41227
41228 return ioctl_preallocate(file, p);
41229@@ -1644,8 +1646,8 @@ asmlinkage long compat_sys_ioctl(unsigne
41230 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
41231 {
41232 unsigned int a, b;
41233- a = *(unsigned int *)p;
41234- b = *(unsigned int *)q;
41235+ a = *(const unsigned int *)p;
41236+ b = *(const unsigned int *)q;
41237 if (a > b)
41238 return 1;
41239 if (a < b)
41240diff -urNp linux-3.1.1/fs/configfs/dir.c linux-3.1.1/fs/configfs/dir.c
41241--- linux-3.1.1/fs/configfs/dir.c 2011-11-11 15:19:27.000000000 -0500
41242+++ linux-3.1.1/fs/configfs/dir.c 2011-11-16 18:39:08.000000000 -0500
41243@@ -1575,7 +1575,8 @@ static int configfs_readdir(struct file
41244 }
41245 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
41246 struct configfs_dirent *next;
41247- const char * name;
41248+ const unsigned char * name;
41249+ char d_name[sizeof(next->s_dentry->d_iname)];
41250 int len;
41251 struct inode *inode = NULL;
41252
41253@@ -1585,7 +1586,12 @@ static int configfs_readdir(struct file
41254 continue;
41255
41256 name = configfs_get_name(next);
41257- len = strlen(name);
41258+ if (next->s_dentry && name == next->s_dentry->d_iname) {
41259+ len = next->s_dentry->d_name.len;
41260+ memcpy(d_name, name, len);
41261+ name = d_name;
41262+ } else
41263+ len = strlen(name);
41264
41265 /*
41266 * We'll have a dentry and an inode for
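Review bot: `memcpy(d_name, name, len)` copies `next->s_dentry->d_name.len` bytes into a buffer sized `sizeof(next->s_dentry->d_iname)` without comparing the two. The branch is only taken when `name == next->s_dentry->d_iname`, which presumably means the name is stored inline and len is below the inline limit, but that invariant is not stated, and no lock covering d_name is visible in the hunk. An assertion or comment before the copy makes the assumption explicit, e.g. `BUG_ON(len > sizeof(d_name)); /* inline names are bounded by d_iname */`. The enclosing loop body begins in the previous hunk.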
41267diff -urNp linux-3.1.1/fs/dcache.c linux-3.1.1/fs/dcache.c
41268--- linux-3.1.1/fs/dcache.c 2011-11-11 15:19:27.000000000 -0500
41269+++ linux-3.1.1/fs/dcache.c 2011-11-16 18:39:08.000000000 -0500
41270@@ -2998,7 +2998,7 @@ void __init vfs_caches_init(unsigned lon
41271 mempages -= reserve;
41272
41273 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
41274- SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
41275+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
41276
41277 dcache_init();
41278 inode_init();
41279diff -urNp linux-3.1.1/fs/ecryptfs/inode.c linux-3.1.1/fs/ecryptfs/inode.c
41280--- linux-3.1.1/fs/ecryptfs/inode.c 2011-11-11 15:19:27.000000000 -0500
41281+++ linux-3.1.1/fs/ecryptfs/inode.c 2011-11-16 18:39:08.000000000 -0500
41282@@ -681,7 +681,7 @@ static int ecryptfs_readlink_lower(struc
41283 old_fs = get_fs();
41284 set_fs(get_ds());
41285 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
41286- (char __user *)lower_buf,
41287+ (char __force_user *)lower_buf,
41288 lower_bufsiz);
41289 set_fs(old_fs);
41290 if (rc < 0)
41291@@ -727,7 +727,7 @@ static void *ecryptfs_follow_link(struct
41292 }
41293 old_fs = get_fs();
41294 set_fs(get_ds());
41295- rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
41296+ rc = dentry->d_inode->i_op->readlink(dentry, (char __force_user *)buf, len);
41297 set_fs(old_fs);
41298 if (rc < 0) {
41299 kfree(buf);
41300@@ -742,7 +742,7 @@ out:
41301 static void
41302 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
41303 {
41304- char *buf = nd_get_link(nd);
41305+ const char *buf = nd_get_link(nd);
41306 if (!IS_ERR(buf)) {
41307 /* Free the char* */
41308 kfree(buf);
41309diff -urNp linux-3.1.1/fs/ecryptfs/miscdev.c linux-3.1.1/fs/ecryptfs/miscdev.c
41310--- linux-3.1.1/fs/ecryptfs/miscdev.c 2011-11-11 15:19:27.000000000 -0500
41311+++ linux-3.1.1/fs/ecryptfs/miscdev.c 2011-11-16 18:39:08.000000000 -0500
41312@@ -328,7 +328,7 @@ check_list:
41313 goto out_unlock_msg_ctx;
41314 i = 5;
41315 if (msg_ctx->msg) {
41316- if (copy_to_user(&buf[i], packet_length, packet_length_size))
41317+ if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
41318 goto out_unlock_msg_ctx;
41319 i += packet_length_size;
41320 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
41321diff -urNp linux-3.1.1/fs/ecryptfs/read_write.c linux-3.1.1/fs/ecryptfs/read_write.c
41322--- linux-3.1.1/fs/ecryptfs/read_write.c 2011-11-11 15:19:27.000000000 -0500
41323+++ linux-3.1.1/fs/ecryptfs/read_write.c 2011-11-16 18:39:08.000000000 -0500
41324@@ -48,7 +48,7 @@ int ecryptfs_write_lower(struct inode *e
41325 return -EIO;
41326 fs_save = get_fs();
41327 set_fs(get_ds());
41328- rc = vfs_write(lower_file, data, size, &offset);
41329+ rc = vfs_write(lower_file, (const char __force_user *)data, size, &offset);
41330 set_fs(fs_save);
41331 mark_inode_dirty_sync(ecryptfs_inode);
41332 return rc;
41333@@ -235,7 +235,7 @@ int ecryptfs_read_lower(char *data, loff
41334 return -EIO;
41335 fs_save = get_fs();
41336 set_fs(get_ds());
41337- rc = vfs_read(lower_file, data, size, &offset);
41338+ rc = vfs_read(lower_file, (char __force_user *)data, size, &offset);
41339 set_fs(fs_save);
41340 return rc;
41341 }
41342diff -urNp linux-3.1.1/fs/exec.c linux-3.1.1/fs/exec.c
41343--- linux-3.1.1/fs/exec.c 2011-11-11 15:19:27.000000000 -0500
41344+++ linux-3.1.1/fs/exec.c 2011-11-17 18:40:47.000000000 -0500
41345@@ -55,12 +55,24 @@
41346 #include <linux/pipe_fs_i.h>
41347 #include <linux/oom.h>
41348 #include <linux/compat.h>
41349+#include <linux/random.h>
41350+#include <linux/seq_file.h>
41351+
41352+#ifdef CONFIG_PAX_REFCOUNT
41353+#include <linux/kallsyms.h>
41354+#include <linux/kdebug.h>
41355+#endif
41356
41357 #include <asm/uaccess.h>
41358 #include <asm/mmu_context.h>
41359 #include <asm/tlb.h>
41360 #include "internal.h"
41361
41362+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
41363+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
41364+EXPORT_SYMBOL(pax_set_initial_flags_func);
41365+#endif
41366+
41367 int core_uses_pid;
41368 char core_pattern[CORENAME_MAX_SIZE] = "core";
41369 unsigned int core_pipe_limit;
41370@@ -70,7 +82,7 @@ struct core_name {
41371 char *corename;
41372 int used, size;
41373 };
41374-static atomic_t call_count = ATOMIC_INIT(1);
41375+static atomic_unchecked_t call_count = ATOMIC_INIT(1);
41376
41377 /* The maximal length of core_pattern is also specified in sysctl.c */
41378
41379@@ -188,18 +200,10 @@ static struct page *get_arg_page(struct
41380 int write)
41381 {
41382 struct page *page;
41383- int ret;
41384
41385-#ifdef CONFIG_STACK_GROWSUP
41386- if (write) {
41387- ret = expand_downwards(bprm->vma, pos);
41388- if (ret < 0)
41389- return NULL;
41390- }
41391-#endif
41392- ret = get_user_pages(current, bprm->mm, pos,
41393- 1, write, 1, &page, NULL);
41394- if (ret <= 0)
41395+ if (0 > expand_downwards(bprm->vma, pos))
41396+ return NULL;
41397+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
41398 return NULL;
41399
41400 if (write) {
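Review bot: The rewrite calls `expand_downwards(bprm->vma, pos)` on every access, including `write == 0` lookups and on every configuration, where the removed code did so only for writes under CONFIG_STACK_GROWSUP; when pos is already inside the vma this is presumably a no-op, but the reason the guard was dropped should be stated in a comment so a reader comparing against mainline does not take it for an oversight. Stylistically, `0 > expand_downwards(...)` and `0 >= get_user_pages(...)` read backwards relative to the kernel's usual `ret < 0` form, and discarding the return value loses the error code that the original kept in `ret`. The function continues outside the hunk.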
41401@@ -274,6 +278,11 @@ static int __bprm_mm_init(struct linux_b
41402 vma->vm_end = STACK_TOP_MAX;
41403 vma->vm_start = vma->vm_end - PAGE_SIZE;
41404 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
41405+
41406+#ifdef CONFIG_PAX_SEGMEXEC
41407+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
41408+#endif
41409+
41410 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
41411 INIT_LIST_HEAD(&vma->anon_vma_chain);
41412
41413@@ -288,6 +297,12 @@ static int __bprm_mm_init(struct linux_b
41414 mm->stack_vm = mm->total_vm = 1;
41415 up_write(&mm->mmap_sem);
41416 bprm->p = vma->vm_end - sizeof(void *);
41417+
41418+#ifdef CONFIG_PAX_RANDUSTACK
41419+ if (randomize_va_space)
41420+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
41421+#endif
41422+
41423 return 0;
41424 err:
41425 up_write(&mm->mmap_sem);
41426@@ -396,19 +411,7 @@ err:
41427 return err;
41428 }
41429
41430-struct user_arg_ptr {
41431-#ifdef CONFIG_COMPAT
41432- bool is_compat;
41433-#endif
41434- union {
41435- const char __user *const __user *native;
41436-#ifdef CONFIG_COMPAT
41437- compat_uptr_t __user *compat;
41438-#endif
41439- } ptr;
41440-};
41441-
41442-static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
41443+const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
41444 {
41445 const char __user *native;
41446
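Review bot: `struct user_arg_ptr` is deleted here while get_user_arg_ptr still takes it by value and becomes non-static, so the definition and a prototype must now come from a header included by fs/exec.c that is not visible in this hunk; please confirm that header change is part of the same patch, otherwise this file no longer compiles. A newly external function also warrants a kerneldoc line stating that the returned user pointer may encode an error via ERR_PTR and must be tested with IS_ERR after a `__force_kernel` cast, as the following hunks do. The function body continues past the hunk.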
41447@@ -417,14 +420,14 @@ static const char __user *get_user_arg_p
41448 compat_uptr_t compat;
41449
41450 if (get_user(compat, argv.ptr.compat + nr))
41451- return ERR_PTR(-EFAULT);
41452+ return (const char __force_user *)ERR_PTR(-EFAULT);
41453
41454 return compat_ptr(compat);
41455 }
41456 #endif
41457
41458 if (get_user(native, argv.ptr.native + nr))
41459- return ERR_PTR(-EFAULT);
41460+ return (const char __force_user *)ERR_PTR(-EFAULT);
41461
41462 return native;
41463 }
41464@@ -443,7 +446,7 @@ static int count(struct user_arg_ptr arg
41465 if (!p)
41466 break;
41467
41468- if (IS_ERR(p))
41469+ if (IS_ERR((const char __force_kernel *)p))
41470 return -EFAULT;
41471
41472 if (i++ >= max)
41473@@ -477,7 +480,7 @@ static int copy_strings(int argc, struct
41474
41475 ret = -EFAULT;
41476 str = get_user_arg_ptr(argv, argc);
41477- if (IS_ERR(str))
41478+ if (IS_ERR((const char __force_kernel *)str))
41479 goto out;
41480
41481 len = strnlen_user(str, MAX_ARG_STRLEN);
41482@@ -559,7 +562,7 @@ int copy_strings_kernel(int argc, const
41483 int r;
41484 mm_segment_t oldfs = get_fs();
41485 struct user_arg_ptr argv = {
41486- .ptr.native = (const char __user *const __user *)__argv,
41487+ .ptr.native = (const char __force_user *const __force_user *)__argv,
41488 };
41489
41490 set_fs(KERNEL_DS);
41491@@ -594,7 +597,8 @@ static int shift_arg_pages(struct vm_are
41492 unsigned long new_end = old_end - shift;
41493 struct mmu_gather tlb;
41494
41495- BUG_ON(new_start > new_end);
41496+ if (new_start >= new_end || new_start < mmap_min_addr)
41497+ return -ENOMEM;
41498
41499 /*
41500 * ensure there are no vmas between where we want to go
41501@@ -603,6 +607,10 @@ static int shift_arg_pages(struct vm_are
41502 if (vma != find_vma(mm, new_start))
41503 return -EFAULT;
41504
41505+#ifdef CONFIG_PAX_SEGMEXEC
41506+ BUG_ON(pax_find_mirror_vma(vma));
41507+#endif
41508+
41509 /*
41510 * cover the whole range: [new_start, old_end)
41511 */
41512@@ -683,10 +691,6 @@ int setup_arg_pages(struct linux_binprm
41513 stack_top = arch_align_stack(stack_top);
41514 stack_top = PAGE_ALIGN(stack_top);
41515
41516- if (unlikely(stack_top < mmap_min_addr) ||
41517- unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
41518- return -ENOMEM;
41519-
41520 stack_shift = vma->vm_end - stack_top;
41521
41522 bprm->p -= stack_shift;
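Review bot: The removed mmap_min_addr guard is re-expressed inside shift_arg_pages (`new_start < mmap_min_addr`, earlier hunk), but the next hunk shows setup_arg_pages calling shift_arg_pages only when `stack_shift` is non-zero, so the `stack_top < mmap_min_addr` comparison is no longer made in the no-shift case. There stack_top equals the existing vma->vm_end, which presumably cannot lie below mmap_min_addr, but the reasoning is now implicit; a one-line comment at the removal site would preserve it: `/* mmap_min_addr is enforced in shift_arg_pages(); with no shift the vma stays where __bprm_mm_init placed it */`. setup_arg_pages begins and ends outside this hunk.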
41523@@ -698,8 +702,28 @@ int setup_arg_pages(struct linux_binprm
41524 bprm->exec -= stack_shift;
41525
41526 down_write(&mm->mmap_sem);
41527+
41528+ /* Move stack pages down in memory. */
41529+ if (stack_shift) {
41530+ ret = shift_arg_pages(vma, stack_shift);
41531+ if (ret)
41532+ goto out_unlock;
41533+ }
41534+
41535 vm_flags = VM_STACK_FLAGS;
41536
41537+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
41538+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
41539+ vm_flags &= ~VM_EXEC;
41540+
41541+#ifdef CONFIG_PAX_MPROTECT
41542+ if (mm->pax_flags & MF_PAX_MPROTECT)
41543+ vm_flags &= ~VM_MAYEXEC;
41544+#endif
41545+
41546+ }
41547+#endif
41548+
41549 /*
41550 * Adjust stack execute permissions; explicitly enable for
41551 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
41552@@ -718,13 +742,6 @@ int setup_arg_pages(struct linux_binprm
41553 goto out_unlock;
41554 BUG_ON(prev != vma);
41555
41556- /* Move stack pages down in memory. */
41557- if (stack_shift) {
41558- ret = shift_arg_pages(vma, stack_shift);
41559- if (ret)
41560- goto out_unlock;
41561- }
41562-
41563 /* mprotect_fixup is overkill to remove the temporary stack flags */
41564 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
41565
41566@@ -805,7 +822,7 @@ int kernel_read(struct file *file, loff_
41567 old_fs = get_fs();
41568 set_fs(get_ds());
41569 /* The cast to a user pointer is valid due to the set_fs() */
41570- result = vfs_read(file, (void __user *)addr, count, &pos);
41571+ result = vfs_read(file, (void __force_user *)addr, count, &pos);
41572 set_fs(old_fs);
41573 return result;
41574 }
41575@@ -1251,7 +1268,7 @@ int check_unsafe_exec(struct linux_binpr
41576 }
41577 rcu_read_unlock();
41578
41579- if (p->fs->users > n_fs) {
41580+ if (atomic_read(&p->fs->users) > n_fs) {
41581 bprm->unsafe |= LSM_UNSAFE_SHARE;
41582 } else {
41583 res = -EAGAIN;
41584@@ -1454,6 +1471,11 @@ static int do_execve_common(const char *
41585 struct user_arg_ptr envp,
41586 struct pt_regs *regs)
41587 {
41588+#ifdef CONFIG_GRKERNSEC
41589+ struct file *old_exec_file;
41590+ struct acl_subject_label *old_acl;
41591+ struct rlimit old_rlim[RLIM_NLIMITS];
41592+#endif
41593 struct linux_binprm *bprm;
41594 struct file *file;
41595 struct files_struct *displaced;
41596@@ -1461,6 +1483,8 @@ static int do_execve_common(const char *
41597 int retval;
41598 const struct cred *cred = current_cred();
41599
41600+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
41601+
41602 /*
41603 * We move the actual failure in case of RLIMIT_NPROC excess from
41604 * set*uid() to execve() because too many poorly written programs
41605@@ -1507,6 +1531,16 @@ static int do_execve_common(const char *
41606 bprm->filename = filename;
41607 bprm->interp = filename;
41608
41609+ if (gr_process_user_ban()) {
41610+ retval = -EPERM;
41611+ goto out_file;
41612+ }
41613+
41614+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
41615+ retval = -EACCES;
41616+ goto out_file;
41617+ }
41618+
41619 retval = bprm_mm_init(bprm);
41620 if (retval)
41621 goto out_file;
41622@@ -1536,9 +1570,40 @@ static int do_execve_common(const char *
41623 if (retval < 0)
41624 goto out;
41625
41626+ if (!gr_tpe_allow(file)) {
41627+ retval = -EACCES;
41628+ goto out;
41629+ }
41630+
41631+ if (gr_check_crash_exec(file)) {
41632+ retval = -EACCES;
41633+ goto out;
41634+ }
41635+
41636+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
41637+
41638+ gr_handle_exec_args(bprm, argv);
41639+
41640+#ifdef CONFIG_GRKERNSEC
41641+ old_acl = current->acl;
41642+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
41643+ old_exec_file = current->exec_file;
41644+ get_file(file);
41645+ current->exec_file = file;
41646+#endif
41647+
41648+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
41649+ bprm->unsafe & LSM_UNSAFE_SHARE);
41650+ if (retval < 0)
41651+ goto out_fail;
41652+
41653 retval = search_binary_handler(bprm,regs);
41654 if (retval < 0)
41655- goto out;
41656+ goto out_fail;
41657+#ifdef CONFIG_GRKERNSEC
41658+ if (old_exec_file)
41659+ fput(old_exec_file);
41660+#endif
41661
41662 /* execve succeeded */
41663 current->fs->in_exec = 0;
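Review bot: The CONFIG_GRKERNSEC snapshot of `current->acl`, the rlim array and `current->exec_file` taken before gr_set_proc_label, and its rollback under `out_fail` in the following hunk, are connected only by the labels; a comment above the save would tie them together, e.g. `/* speculatively switch label, limits and exec_file to the new image; out_fail undoes this if labelling or the binary handler fails */`. `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim))` reads the rlimit array without the lock that updates to it ordinarily take, so the snapshot can interleave with a concurrent setrlimit; whether that is acceptable here is worth stating. The `get_file(file)` reference is released by `fput(current->exec_file)` on out_fail and the old reference by `fput(old_exec_file)` on success, which balances as far as the hunk shows.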
41664@@ -1549,6 +1614,14 @@ static int do_execve_common(const char *
41665 put_files_struct(displaced);
41666 return retval;
41667
41668+out_fail:
41669+#ifdef CONFIG_GRKERNSEC
41670+ current->acl = old_acl;
41671+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
41672+ fput(current->exec_file);
41673+ current->exec_file = old_exec_file;
41674+#endif
41675+
41676 out:
41677 if (bprm->mm) {
41678 acct_arg_size(bprm, 0);
41679@@ -1622,7 +1695,7 @@ static int expand_corename(struct core_n
41680 {
41681 char *old_corename = cn->corename;
41682
41683- cn->size = CORENAME_MAX_SIZE * atomic_inc_return(&call_count);
41684+ cn->size = CORENAME_MAX_SIZE * atomic_inc_return_unchecked(&call_count);
41685 cn->corename = krealloc(old_corename, cn->size, GFP_KERNEL);
41686
41687 if (!cn->corename) {
41688@@ -1719,7 +1792,7 @@ static int format_corename(struct core_n
41689 int pid_in_pattern = 0;
41690 int err = 0;
41691
41692- cn->size = CORENAME_MAX_SIZE * atomic_read(&call_count);
41693+ cn->size = CORENAME_MAX_SIZE * atomic_read_unchecked(&call_count);
41694 cn->corename = kmalloc(cn->size, GFP_KERNEL);
41695 cn->used = 0;
41696
41697@@ -1816,6 +1889,218 @@ out:
41698 return ispipe;
41699 }
41700
41701+int pax_check_flags(unsigned long *flags)
41702+{
41703+ int retval = 0;
41704+
41705+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
41706+ if (*flags & MF_PAX_SEGMEXEC)
41707+ {
41708+ *flags &= ~MF_PAX_SEGMEXEC;
41709+ retval = -EINVAL;
41710+ }
41711+#endif
41712+
41713+ if ((*flags & MF_PAX_PAGEEXEC)
41714+
41715+#ifdef CONFIG_PAX_PAGEEXEC
41716+ && (*flags & MF_PAX_SEGMEXEC)
41717+#endif
41718+
41719+ )
41720+ {
41721+ *flags &= ~MF_PAX_PAGEEXEC;
41722+ retval = -EINVAL;
41723+ }
41724+
41725+ if ((*flags & MF_PAX_MPROTECT)
41726+
41727+#ifdef CONFIG_PAX_MPROTECT
41728+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
41729+#endif
41730+
41731+ )
41732+ {
41733+ *flags &= ~MF_PAX_MPROTECT;
41734+ retval = -EINVAL;
41735+ }
41736+
41737+ if ((*flags & MF_PAX_EMUTRAMP)
41738+
41739+#ifdef CONFIG_PAX_EMUTRAMP
41740+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
41741+#endif
41742+
41743+ )
41744+ {
41745+ *flags &= ~MF_PAX_EMUTRAMP;
41746+ retval = -EINVAL;
41747+ }
41748+
41749+ return retval;
41750+}
41751+
41752+EXPORT_SYMBOL(pax_check_flags);
41753+
41754+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
41755+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
41756+{
41757+ struct task_struct *tsk = current;
41758+ struct mm_struct *mm = current->mm;
41759+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
41760+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
41761+ char *path_exec = NULL;
41762+ char *path_fault = NULL;
41763+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
41764+
41765+ if (buffer_exec && buffer_fault) {
41766+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
41767+
41768+ down_read(&mm->mmap_sem);
41769+ vma = mm->mmap;
41770+ while (vma && (!vma_exec || !vma_fault)) {
41771+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
41772+ vma_exec = vma;
41773+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
41774+ vma_fault = vma;
41775+ vma = vma->vm_next;
41776+ }
41777+ if (vma_exec) {
41778+ path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
41779+ if (IS_ERR(path_exec))
41780+ path_exec = "<path too long>";
41781+ else {
41782+ path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
41783+ if (path_exec) {
41784+ *path_exec = 0;
41785+ path_exec = buffer_exec;
41786+ } else
41787+ path_exec = "<path too long>";
41788+ }
41789+ }
41790+ if (vma_fault) {
41791+ start = vma_fault->vm_start;
41792+ end = vma_fault->vm_end;
41793+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
41794+ if (vma_fault->vm_file) {
41795+ path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
41796+ if (IS_ERR(path_fault))
41797+ path_fault = "<path too long>";
41798+ else {
41799+ path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
41800+ if (path_fault) {
41801+ *path_fault = 0;
41802+ path_fault = buffer_fault;
41803+ } else
41804+ path_fault = "<path too long>";
41805+ }
41806+ } else
41807+ path_fault = "<anonymous mapping>";
41808+ }
41809+ up_read(&mm->mmap_sem);
41810+ }
41811+ if (tsk->signal->curr_ip)
41812+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
41813+ else
41814+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
41815+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
41816+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
41817+ task_uid(tsk), task_euid(tsk), pc, sp);
41818+ free_page((unsigned long)buffer_exec);
41819+ free_page((unsigned long)buffer_fault);
41820+ pax_report_insns(regs, pc, sp);
41821+ do_coredump(SIGKILL, SIGKILL, regs);
41822+}
41823+#endif
41824+
41825+#ifdef CONFIG_PAX_REFCOUNT
41826+void pax_report_refcount_overflow(struct pt_regs *regs)
41827+{
41828+ if (current->signal->curr_ip)
41829+ printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
41830+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
41831+ else
41832+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
41833+ current->comm, task_pid_nr(current), current_uid(), current_euid());
41834+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
41835+ show_regs(regs);
41836+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
41837+}
41838+#endif
41839+
41840+#ifdef CONFIG_PAX_USERCOPY
41841+/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
41842+int object_is_on_stack(const void *obj, unsigned long len)
41843+{
41844+ const void * const stack = task_stack_page(current);
41845+ const void * const stackend = stack + THREAD_SIZE;
41846+
41847+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
41848+ const void *frame = NULL;
41849+ const void *oldframe;
41850+#endif
41851+
41852+ if (obj + len < obj)
41853+ return -1;
41854+
41855+ if (obj + len <= stack || stackend <= obj)
41856+ return 0;
41857+
41858+ if (obj < stack || stackend < obj + len)
41859+ return -1;
41860+
41861+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
41862+ oldframe = __builtin_frame_address(1);
41863+ if (oldframe)
41864+ frame = __builtin_frame_address(2);
41865+ /*
41866+ low ----------------------------------------------> high
41867+ [saved bp][saved ip][args][local vars][saved bp][saved ip]
41868+ ^----------------^
41869+ allow copies only within here
41870+ */
41871+ while (stack <= frame && frame < stackend) {
41872+ /* if obj + len extends past the last frame, this
41873+ check won't pass and the next frame will be 0,
41874+ causing us to bail out and correctly report
41875+ the copy as invalid
41876+ */
41877+ if (obj + len <= frame)
41878+ return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
41879+ oldframe = frame;
41880+ frame = *(const void * const *)frame;
41881+ }
41882+ return -1;
41883+#else
41884+ return 1;
41885+#endif
41886+}
41887+
41888+NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
41889+{
41890+ if (current->signal->curr_ip)
41891+ printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
41892+ &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
41893+ else
41894+ printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
41895+ to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
41896+ dump_stack();
41897+ gr_handle_kernel_exploit();
41898+ do_group_exit(SIGKILL);
41899+}
41900+#endif
41901+
41902+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
41903+void pax_track_stack(void)
41904+{
41905+ unsigned long sp = (unsigned long)&sp;
41906+ if (sp < current_thread_info()->lowest_stack &&
41907+ sp > (unsigned long)task_stack_page(current))
41908+ current_thread_info()->lowest_stack = sp;
41909+}
41910+EXPORT_SYMBOL(pax_track_stack);
41911+#endif
41912+
41913 static int zap_process(struct task_struct *start, int exit_code)
41914 {
41915 struct task_struct *t;
41916@@ -2027,17 +2312,17 @@ static void wait_for_dump_helpers(struct
41917 pipe = file->f_path.dentry->d_inode->i_pipe;
41918
41919 pipe_lock(pipe);
41920- pipe->readers++;
41921- pipe->writers--;
41922+ atomic_inc(&pipe->readers);
41923+ atomic_dec(&pipe->writers);
41924
41925- while ((pipe->readers > 1) && (!signal_pending(current))) {
41926+ while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
41927 wake_up_interruptible_sync(&pipe->wait);
41928 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
41929 pipe_wait(pipe);
41930 }
41931
41932- pipe->readers--;
41933- pipe->writers++;
41934+ atomic_dec(&pipe->readers);
41935+ atomic_inc(&pipe->writers);
41936 pipe_unlock(pipe);
41937
41938 }
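Review bot: The readers/writers updates in wait_for_dump_helpers still run with pipe_lock held (taken a few lines above), so the switch to atomic_inc/atomic_dec/atomic_read is not what makes this path safe; presumably the field type was changed elsewhere in the patch so these counters go through the overflow-checked atomic_t, and a comment at the first atomic op should say so, e.g. `/* readers/writers are atomic_t for the refcount-overflow check, not for lockless use; pipe_lock still serializes them */`. The same applies to the fifo_open hunks in fs/fifo.c, where r_counter/w_counter remain plain ints next to the now-atomic readers/writers, so a reader could wrongly conclude the atomics alone make dropping the lock safe. The enclosing function starts outside this hunk.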
41939@@ -2098,7 +2383,7 @@ void do_coredump(long signr, int exit_co
41940 int retval = 0;
41941 int flag = 0;
41942 int ispipe;
41943- static atomic_t core_dump_count = ATOMIC_INIT(0);
41944+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
41945 struct coredump_params cprm = {
41946 .signr = signr,
41947 .regs = regs,
41948@@ -2113,6 +2398,9 @@ void do_coredump(long signr, int exit_co
41949
41950 audit_core_dumps(signr);
41951
41952+ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
41953+ gr_handle_brute_attach(current, cprm.mm_flags);
41954+
41955 binfmt = mm->binfmt;
41956 if (!binfmt || !binfmt->core_dump)
41957 goto fail;
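Review bot: The new gr_handle_brute_attach() call keys off a hard-coded list of four signals (SIGSEGV, SIGBUS, SIGKILL, SIGILL) with no comment explaining the selection; SIGABRT, which glibc raises on a failed stack-protector or FORTIFY check, and SIGFPE are absent, and a reader cannot tell whether that is deliberate. A one-line comment above the condition would settle it, e.g. `/* crash signals treated as a possible brute-force attempt; see gr_handle_brute_attach() */`, hedged here since the hook's semantics are not visible in the hunk. do_coredump's body starts and ends outside this hunk.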
41958@@ -2180,7 +2468,7 @@ void do_coredump(long signr, int exit_co
41959 }
41960 cprm.limit = RLIM_INFINITY;
41961
41962- dump_count = atomic_inc_return(&core_dump_count);
41963+ dump_count = atomic_inc_return_unchecked(&core_dump_count);
41964 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
41965 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
41966 task_tgid_vnr(current), current->comm);
41967@@ -2207,6 +2495,8 @@ void do_coredump(long signr, int exit_co
41968 } else {
41969 struct inode *inode;
41970
41971+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
41972+
41973 if (cprm.limit < binfmt->min_coredump)
41974 goto fail_unlock;
41975
41976@@ -2250,7 +2540,7 @@ close_fail:
41977 filp_close(cprm.file, NULL);
41978 fail_dropcount:
41979 if (ispipe)
41980- atomic_dec(&core_dump_count);
41981+ atomic_dec_unchecked(&core_dump_count);
41982 fail_unlock:
41983 kfree(cn.corename);
41984 fail_corename:
41985@@ -2269,7 +2559,7 @@ fail:
41986 */
41987 int dump_write(struct file *file, const void *addr, int nr)
41988 {
41989- return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, addr, nr, &file->f_pos) == nr;
41990+ return access_ok(VERIFY_READ, addr, nr) && file->f_op->write(file, (const char __force_user *)addr, nr, &file->f_pos) == nr;
41991 }
41992 EXPORT_SYMBOL(dump_write);
41993
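Review bot: The `(const char __force_user *)addr` cast in dump_write silences the address-space check without saying why it is legitimate: the function hands a kernel pointer to f_op->write, which only works because the core-dump path runs with set_fs(KERNEL_DS), and none of that is visible from this one-liner. Add `/* core_dump runs under set_fs(KERNEL_DS); addr is a kernel pointer deliberately passed as user memory */` above the return so the next person hardening usercopy does not "fix" the cast away.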
41994diff -urNp linux-3.1.1/fs/ext2/balloc.c linux-3.1.1/fs/ext2/balloc.c
41995--- linux-3.1.1/fs/ext2/balloc.c 2011-11-11 15:19:27.000000000 -0500
41996+++ linux-3.1.1/fs/ext2/balloc.c 2011-11-16 18:40:29.000000000 -0500
41997@@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
41998
41999 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
42000 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
42001- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
42002+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
42003 sbi->s_resuid != current_fsuid() &&
42004 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
42005 return 0;
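Review bot: Replacing capable() with capable_nolog() in ext2_has_free_blocks presumably suppresses the capability-denial log entry that an unprivileged task would otherwise generate each time it hits the reserved-blocks path, and nothing in the hunk records that this is intentional. A comment such as `/* capable_nolog: routine low-space probe, not a privilege violation; avoid flooding the log */` above the condition would document the trade-off for anyone tuning auditing on this kernel. The same substitution appears in the ext3_has_free_blocks and ext4_has_free_blocks hunks below; in ext4 the check is additionally moved last so the EXT4_MB_USE_ROOT_BLOCKS test short-circuits before any capability lookup, which deserves a sentence in the commit message rather than being left for the reader to infer.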
42006diff -urNp linux-3.1.1/fs/ext3/balloc.c linux-3.1.1/fs/ext3/balloc.c
42007--- linux-3.1.1/fs/ext3/balloc.c 2011-11-11 15:19:27.000000000 -0500
42008+++ linux-3.1.1/fs/ext3/balloc.c 2011-11-16 18:40:29.000000000 -0500
42009@@ -1446,7 +1446,7 @@ static int ext3_has_free_blocks(struct e
42010
42011 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
42012 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
42013- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
42014+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
42015 sbi->s_resuid != current_fsuid() &&
42016 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
42017 return 0;
42018diff -urNp linux-3.1.1/fs/ext4/balloc.c linux-3.1.1/fs/ext4/balloc.c
42019--- linux-3.1.1/fs/ext4/balloc.c 2011-11-11 15:19:27.000000000 -0500
42020+++ linux-3.1.1/fs/ext4/balloc.c 2011-11-16 18:40:29.000000000 -0500
42021@@ -394,8 +394,8 @@ static int ext4_has_free_blocks(struct e
42022 /* Hm, nope. Are (enough) root reserved blocks available? */
42023 if (sbi->s_resuid == current_fsuid() ||
42024 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
42025- capable(CAP_SYS_RESOURCE) ||
42026- (flags & EXT4_MB_USE_ROOT_BLOCKS)) {
42027+ (flags & EXT4_MB_USE_ROOT_BLOCKS) ||
42028+ capable_nolog(CAP_SYS_RESOURCE)) {
42029
42030 if (free_blocks >= (nblocks + dirty_blocks))
42031 return 1;
42032diff -urNp linux-3.1.1/fs/ext4/ext4.h linux-3.1.1/fs/ext4/ext4.h
42033--- linux-3.1.1/fs/ext4/ext4.h 2011-11-11 15:19:27.000000000 -0500
42034+++ linux-3.1.1/fs/ext4/ext4.h 2011-11-16 18:39:08.000000000 -0500
42035@@ -1180,19 +1180,19 @@ struct ext4_sb_info {
42036 unsigned long s_mb_last_start;
42037
42038 /* stats for buddy allocator */
42039- atomic_t s_bal_reqs; /* number of reqs with len > 1 */
42040- atomic_t s_bal_success; /* we found long enough chunks */
42041- atomic_t s_bal_allocated; /* in blocks */
42042- atomic_t s_bal_ex_scanned; /* total extents scanned */
42043- atomic_t s_bal_goals; /* goal hits */
42044- atomic_t s_bal_breaks; /* too long searches */
42045- atomic_t s_bal_2orders; /* 2^order hits */
42046+ atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
42047+ atomic_unchecked_t s_bal_success; /* we found long enough chunks */
42048+ atomic_unchecked_t s_bal_allocated; /* in blocks */
42049+ atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
42050+ atomic_unchecked_t s_bal_goals; /* goal hits */
42051+ atomic_unchecked_t s_bal_breaks; /* too long searches */
42052+ atomic_unchecked_t s_bal_2orders; /* 2^order hits */
42053 spinlock_t s_bal_lock;
42054 unsigned long s_mb_buddies_generated;
42055 unsigned long long s_mb_generation_time;
42056- atomic_t s_mb_lost_chunks;
42057- atomic_t s_mb_preallocated;
42058- atomic_t s_mb_discarded;
42059+ atomic_unchecked_t s_mb_lost_chunks;
42060+ atomic_unchecked_t s_mb_preallocated;
42061+ atomic_unchecked_t s_mb_discarded;
42062 atomic_t s_lock_busy;
42063
42064 /* locality groups */
42065diff -urNp linux-3.1.1/fs/ext4/file.c linux-3.1.1/fs/ext4/file.c
42066--- linux-3.1.1/fs/ext4/file.c 2011-11-11 15:19:27.000000000 -0500
42067+++ linux-3.1.1/fs/ext4/file.c 2011-11-16 18:40:29.000000000 -0500
42068@@ -181,8 +181,8 @@ static int ext4_file_open(struct inode *
42069 path.dentry = mnt->mnt_root;
42070 cp = d_path(&path, buf, sizeof(buf));
42071 if (!IS_ERR(cp)) {
42072- memcpy(sbi->s_es->s_last_mounted, cp,
42073- sizeof(sbi->s_es->s_last_mounted));
42074+ strlcpy(sbi->s_es->s_last_mounted, cp,
42075+ sizeof(sbi->s_es->s_last_mounted));
42076 ext4_mark_super_dirty(sb);
42077 }
42078 }
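Review bot: strlcpy() terminates the copy but leaves the bytes after the terminator in s_last_mounted untouched, so when a shorter mount point replaces a longer one the tail of the old path stays in the on-disk superblock; the old memcpy overwrote the whole field, but copied sizeof(s_last_mounted) bytes starting at cp rather than at buf, so it presumably read past buf, which looks like the motivation for this change. If the goal is to avoid leaving stray bytes in on-disk metadata, clear the field first, `memset(sbi->s_es->s_last_mounted, 0, sizeof(sbi->s_es->s_last_mounted));`, then do the strlcpy. ext4_file_open's body starts outside this hunk, so buf's declaration and initial contents are not visible here.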
42079diff -urNp linux-3.1.1/fs/ext4/ioctl.c linux-3.1.1/fs/ext4/ioctl.c
42080--- linux-3.1.1/fs/ext4/ioctl.c 2011-11-11 15:19:27.000000000 -0500
42081+++ linux-3.1.1/fs/ext4/ioctl.c 2011-11-16 18:39:08.000000000 -0500
42082@@ -348,7 +348,7 @@ mext_out:
42083 if (!blk_queue_discard(q))
42084 return -EOPNOTSUPP;
42085
42086- if (copy_from_user(&range, (struct fstrim_range *)arg,
42087+ if (copy_from_user(&range, (struct fstrim_range __user *)arg,
42088 sizeof(range)))
42089 return -EFAULT;
42090
42091@@ -358,7 +358,7 @@ mext_out:
42092 if (ret < 0)
42093 return ret;
42094
42095- if (copy_to_user((struct fstrim_range *)arg, &range,
42096+ if (copy_to_user((struct fstrim_range __user *)arg, &range,
42097 sizeof(range)))
42098 return -EFAULT;
42099
42100diff -urNp linux-3.1.1/fs/ext4/mballoc.c linux-3.1.1/fs/ext4/mballoc.c
42101--- linux-3.1.1/fs/ext4/mballoc.c 2011-11-11 15:19:27.000000000 -0500
42102+++ linux-3.1.1/fs/ext4/mballoc.c 2011-11-16 18:40:29.000000000 -0500
42103@@ -1795,7 +1795,7 @@ void ext4_mb_simple_scan_group(struct ex
42104 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
42105
42106 if (EXT4_SB(sb)->s_mb_stats)
42107- atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
42108+ atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
42109
42110 break;
42111 }
42112@@ -2089,7 +2089,7 @@ repeat:
42113 ac->ac_status = AC_STATUS_CONTINUE;
42114 ac->ac_flags |= EXT4_MB_HINT_FIRST;
42115 cr = 3;
42116- atomic_inc(&sbi->s_mb_lost_chunks);
42117+ atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
42118 goto repeat;
42119 }
42120 }
42121@@ -2132,6 +2132,8 @@ static int ext4_mb_seq_groups_show(struc
42122 ext4_grpblk_t counters[16];
42123 } sg;
42124
42125+ pax_track_stack();
42126+
42127 group--;
42128 if (group == 0)
42129 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
42130@@ -2573,25 +2575,25 @@ int ext4_mb_release(struct super_block *
42131 if (sbi->s_mb_stats) {
42132 ext4_msg(sb, KERN_INFO,
42133 "mballoc: %u blocks %u reqs (%u success)",
42134- atomic_read(&sbi->s_bal_allocated),
42135- atomic_read(&sbi->s_bal_reqs),
42136- atomic_read(&sbi->s_bal_success));
42137+ atomic_read_unchecked(&sbi->s_bal_allocated),
42138+ atomic_read_unchecked(&sbi->s_bal_reqs),
42139+ atomic_read_unchecked(&sbi->s_bal_success));
42140 ext4_msg(sb, KERN_INFO,
42141 "mballoc: %u extents scanned, %u goal hits, "
42142 "%u 2^N hits, %u breaks, %u lost",
42143- atomic_read(&sbi->s_bal_ex_scanned),
42144- atomic_read(&sbi->s_bal_goals),
42145- atomic_read(&sbi->s_bal_2orders),
42146- atomic_read(&sbi->s_bal_breaks),
42147- atomic_read(&sbi->s_mb_lost_chunks));
42148+ atomic_read_unchecked(&sbi->s_bal_ex_scanned),
42149+ atomic_read_unchecked(&sbi->s_bal_goals),
42150+ atomic_read_unchecked(&sbi->s_bal_2orders),
42151+ atomic_read_unchecked(&sbi->s_bal_breaks),
42152+ atomic_read_unchecked(&sbi->s_mb_lost_chunks));
42153 ext4_msg(sb, KERN_INFO,
42154 "mballoc: %lu generated and it took %Lu",
42155 sbi->s_mb_buddies_generated,
42156 sbi->s_mb_generation_time);
42157 ext4_msg(sb, KERN_INFO,
42158 "mballoc: %u preallocated, %u discarded",
42159- atomic_read(&sbi->s_mb_preallocated),
42160- atomic_read(&sbi->s_mb_discarded));
42161+ atomic_read_unchecked(&sbi->s_mb_preallocated),
42162+ atomic_read_unchecked(&sbi->s_mb_discarded));
42163 }
42164
42165 free_percpu(sbi->s_locality_groups);
42166@@ -3070,16 +3072,16 @@ static void ext4_mb_collect_stats(struct
42167 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
42168
42169 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
42170- atomic_inc(&sbi->s_bal_reqs);
42171- atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
42172+ atomic_inc_unchecked(&sbi->s_bal_reqs);
42173+ atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
42174 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
42175- atomic_inc(&sbi->s_bal_success);
42176- atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
42177+ atomic_inc_unchecked(&sbi->s_bal_success);
42178+ atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
42179 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
42180 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
42181- atomic_inc(&sbi->s_bal_goals);
42182+ atomic_inc_unchecked(&sbi->s_bal_goals);
42183 if (ac->ac_found > sbi->s_mb_max_to_scan)
42184- atomic_inc(&sbi->s_bal_breaks);
42185+ atomic_inc_unchecked(&sbi->s_bal_breaks);
42186 }
42187
42188 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
42189@@ -3477,7 +3479,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
42190 trace_ext4_mb_new_inode_pa(ac, pa);
42191
42192 ext4_mb_use_inode_pa(ac, pa);
42193- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42194+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42195
42196 ei = EXT4_I(ac->ac_inode);
42197 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
42198@@ -3537,7 +3539,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
42199 trace_ext4_mb_new_group_pa(ac, pa);
42200
42201 ext4_mb_use_group_pa(ac, pa);
42202- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42203+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
42204
42205 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
42206 lg = ac->ac_lg;
42207@@ -3625,7 +3627,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
42208 * from the bitmap and continue.
42209 */
42210 }
42211- atomic_add(free, &sbi->s_mb_discarded);
42212+ atomic_add_unchecked(free, &sbi->s_mb_discarded);
42213
42214 return err;
42215 }
42216@@ -3643,7 +3645,7 @@ ext4_mb_release_group_pa(struct ext4_bud
42217 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
42218 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
42219 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
42220- atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
42221+ atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
42222 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
42223
42224 return 0;
42225diff -urNp linux-3.1.1/fs/fcntl.c linux-3.1.1/fs/fcntl.c
42226--- linux-3.1.1/fs/fcntl.c 2011-11-11 15:19:27.000000000 -0500
42227+++ linux-3.1.1/fs/fcntl.c 2011-11-16 23:40:25.000000000 -0500
42228@@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
42229 if (err)
42230 return err;
42231
42232+ if (gr_handle_chroot_fowner(pid, type))
42233+ return -ENOENT;
42234+ if (gr_check_protected_task_fowner(pid, type))
42235+ return -EACCES;
42236+
42237 f_modown(filp, pid, type, force);
42238 return 0;
42239 }
42240@@ -266,7 +271,7 @@ pid_t f_getown(struct file *filp)
42241
42242 static int f_setown_ex(struct file *filp, unsigned long arg)
42243 {
42244- struct f_owner_ex * __user owner_p = (void * __user)arg;
42245+ struct f_owner_ex __user *owner_p = (void __user *)arg;
42246 struct f_owner_ex owner;
42247 struct pid *pid;
42248 int type;
42249@@ -306,7 +311,7 @@ static int f_setown_ex(struct file *filp
42250
42251 static int f_getown_ex(struct file *filp, unsigned long arg)
42252 {
42253- struct f_owner_ex * __user owner_p = (void * __user)arg;
42254+ struct f_owner_ex __user *owner_p = (void __user *)arg;
42255 struct f_owner_ex owner;
42256 int ret = 0;
42257
42258@@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
42259 switch (cmd) {
42260 case F_DUPFD:
42261 case F_DUPFD_CLOEXEC:
42262+ gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
42263 if (arg >= rlimit(RLIMIT_NOFILE))
42264 break;
42265 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
42266diff -urNp linux-3.1.1/fs/fifo.c linux-3.1.1/fs/fifo.c
42267--- linux-3.1.1/fs/fifo.c 2011-11-11 15:19:27.000000000 -0500
42268+++ linux-3.1.1/fs/fifo.c 2011-11-16 18:39:08.000000000 -0500
42269@@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
42270 */
42271 filp->f_op = &read_pipefifo_fops;
42272 pipe->r_counter++;
42273- if (pipe->readers++ == 0)
42274+ if (atomic_inc_return(&pipe->readers) == 1)
42275 wake_up_partner(inode);
42276
42277- if (!pipe->writers) {
42278+ if (!atomic_read(&pipe->writers)) {
42279 if ((filp->f_flags & O_NONBLOCK)) {
42280 /* suppress POLLHUP until we have
42281 * seen a writer */
42282@@ -81,15 +81,15 @@ static int fifo_open(struct inode *inode
42283 * errno=ENXIO when there is no process reading the FIFO.
42284 */
42285 ret = -ENXIO;
42286- if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
42287+ if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
42288 goto err;
42289
42290 filp->f_op = &write_pipefifo_fops;
42291 pipe->w_counter++;
42292- if (!pipe->writers++)
42293+ if (atomic_inc_return(&pipe->writers) == 1)
42294 wake_up_partner(inode);
42295
42296- if (!pipe->readers) {
42297+ if (!atomic_read(&pipe->readers)) {
42298 wait_for_partner(inode, &pipe->r_counter);
42299 if (signal_pending(current))
42300 goto err_wr;
42301@@ -105,11 +105,11 @@ static int fifo_open(struct inode *inode
42302 */
42303 filp->f_op = &rdwr_pipefifo_fops;
42304
42305- pipe->readers++;
42306- pipe->writers++;
42307+ atomic_inc(&pipe->readers);
42308+ atomic_inc(&pipe->writers);
42309 pipe->r_counter++;
42310 pipe->w_counter++;
42311- if (pipe->readers == 1 || pipe->writers == 1)
42312+ if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
42313 wake_up_partner(inode);
42314 break;
42315
42316@@ -123,19 +123,19 @@ static int fifo_open(struct inode *inode
42317 return 0;
42318
42319 err_rd:
42320- if (!--pipe->readers)
42321+ if (atomic_dec_and_test(&pipe->readers))
42322 wake_up_interruptible(&pipe->wait);
42323 ret = -ERESTARTSYS;
42324 goto err;
42325
42326 err_wr:
42327- if (!--pipe->writers)
42328+ if (atomic_dec_and_test(&pipe->writers))
42329 wake_up_interruptible(&pipe->wait);
42330 ret = -ERESTARTSYS;
42331 goto err;
42332
42333 err:
42334- if (!pipe->readers && !pipe->writers)
42335+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
42336 free_pipe_info(inode);
42337
42338 err_nocleanup:
42339diff -urNp linux-3.1.1/fs/file.c linux-3.1.1/fs/file.c
42340--- linux-3.1.1/fs/file.c 2011-11-11 15:19:27.000000000 -0500
42341+++ linux-3.1.1/fs/file.c 2011-11-16 18:40:29.000000000 -0500
42342@@ -15,6 +15,7 @@
42343 #include <linux/slab.h>
42344 #include <linux/vmalloc.h>
42345 #include <linux/file.h>
42346+#include <linux/security.h>
42347 #include <linux/fdtable.h>
42348 #include <linux/bitops.h>
42349 #include <linux/interrupt.h>
42350@@ -254,6 +255,7 @@ int expand_files(struct files_struct *fi
42351 * N.B. For clone tasks sharing a files structure, this test
42352 * will limit the total number of files that can be opened.
42353 */
42354+ gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
42355 if (nr >= rlimit(RLIMIT_NOFILE))
42356 return -EMFILE;
42357
42358diff -urNp linux-3.1.1/fs/filesystems.c linux-3.1.1/fs/filesystems.c
42359--- linux-3.1.1/fs/filesystems.c 2011-11-11 15:19:27.000000000 -0500
42360+++ linux-3.1.1/fs/filesystems.c 2011-11-16 18:40:29.000000000 -0500
42361@@ -274,7 +274,12 @@ struct file_system_type *get_fs_type(con
42362 int len = dot ? dot - name : strlen(name);
42363
42364 fs = __get_fs_type(name, len);
42365+
42366+#ifdef CONFIG_GRKERNSEC_MODHARDEN
42367+ if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
42368+#else
42369 if (!fs && (request_module("%.*s", len, name) == 0))
42370+#endif
42371 fs = __get_fs_type(name, len);
42372
42373 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
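Review bot: Switching the `if` header between two preprocessor branches while the body `fs = __get_fs_type(name, len);` is shared is brittle: the two conditions must stay textually aligned forever, and a later edit that braces the body or adds an else will compile in one configuration only. Move the configuration choice into a small helper and keep a single `if`, as below; the behaviour is unchanged, the module request still happens only when the first lookup fails. get_fs_type's body starts outside this hunk.
```c
/* Request the module for a filesystem name. MODHARDEN substitutes the
 * ___request_module() entry point tagged "grsec_modharden_fs". */
static int fs_request_module(int len, const char *name)
{
#ifdef CONFIG_GRKERNSEC_MODHARDEN
	return ___request_module(true, "grsec_modharden_fs", "%.*s", len, name);
#else
	return request_module("%.*s", len, name);
#endif
}

/* … unchanged: get_fs_type up to the first lookup … */
	fs = __get_fs_type(name, len);
	if (!fs && fs_request_module(len, name) == 0)
		fs = __get_fs_type(name, len);
```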
42374diff -urNp linux-3.1.1/fs/fscache/cookie.c linux-3.1.1/fs/fscache/cookie.c
42375--- linux-3.1.1/fs/fscache/cookie.c 2011-11-11 15:19:27.000000000 -0500
42376+++ linux-3.1.1/fs/fscache/cookie.c 2011-11-16 18:39:08.000000000 -0500
42377@@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
42378 parent ? (char *) parent->def->name : "<no-parent>",
42379 def->name, netfs_data);
42380
42381- fscache_stat(&fscache_n_acquires);
42382+ fscache_stat_unchecked(&fscache_n_acquires);
42383
42384 /* if there's no parent cookie, then we don't create one here either */
42385 if (!parent) {
42386- fscache_stat(&fscache_n_acquires_null);
42387+ fscache_stat_unchecked(&fscache_n_acquires_null);
42388 _leave(" [no parent]");
42389 return NULL;
42390 }
42391@@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
42392 /* allocate and initialise a cookie */
42393 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
42394 if (!cookie) {
42395- fscache_stat(&fscache_n_acquires_oom);
42396+ fscache_stat_unchecked(&fscache_n_acquires_oom);
42397 _leave(" [ENOMEM]");
42398 return NULL;
42399 }
42400@@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
42401
42402 switch (cookie->def->type) {
42403 case FSCACHE_COOKIE_TYPE_INDEX:
42404- fscache_stat(&fscache_n_cookie_index);
42405+ fscache_stat_unchecked(&fscache_n_cookie_index);
42406 break;
42407 case FSCACHE_COOKIE_TYPE_DATAFILE:
42408- fscache_stat(&fscache_n_cookie_data);
42409+ fscache_stat_unchecked(&fscache_n_cookie_data);
42410 break;
42411 default:
42412- fscache_stat(&fscache_n_cookie_special);
42413+ fscache_stat_unchecked(&fscache_n_cookie_special);
42414 break;
42415 }
42416
42417@@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
42418 if (fscache_acquire_non_index_cookie(cookie) < 0) {
42419 atomic_dec(&parent->n_children);
42420 __fscache_cookie_put(cookie);
42421- fscache_stat(&fscache_n_acquires_nobufs);
42422+ fscache_stat_unchecked(&fscache_n_acquires_nobufs);
42423 _leave(" = NULL");
42424 return NULL;
42425 }
42426 }
42427
42428- fscache_stat(&fscache_n_acquires_ok);
42429+ fscache_stat_unchecked(&fscache_n_acquires_ok);
42430 _leave(" = %p", cookie);
42431 return cookie;
42432 }
42433@@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
42434 cache = fscache_select_cache_for_object(cookie->parent);
42435 if (!cache) {
42436 up_read(&fscache_addremove_sem);
42437- fscache_stat(&fscache_n_acquires_no_cache);
42438+ fscache_stat_unchecked(&fscache_n_acquires_no_cache);
42439 _leave(" = -ENOMEDIUM [no cache]");
42440 return -ENOMEDIUM;
42441 }
42442@@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
42443 object = cache->ops->alloc_object(cache, cookie);
42444 fscache_stat_d(&fscache_n_cop_alloc_object);
42445 if (IS_ERR(object)) {
42446- fscache_stat(&fscache_n_object_no_alloc);
42447+ fscache_stat_unchecked(&fscache_n_object_no_alloc);
42448 ret = PTR_ERR(object);
42449 goto error;
42450 }
42451
42452- fscache_stat(&fscache_n_object_alloc);
42453+ fscache_stat_unchecked(&fscache_n_object_alloc);
42454
42455 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
42456
42457@@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
42458 struct fscache_object *object;
42459 struct hlist_node *_p;
42460
42461- fscache_stat(&fscache_n_updates);
42462+ fscache_stat_unchecked(&fscache_n_updates);
42463
42464 if (!cookie) {
42465- fscache_stat(&fscache_n_updates_null);
42466+ fscache_stat_unchecked(&fscache_n_updates_null);
42467 _leave(" [no cookie]");
42468 return;
42469 }
42470@@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
42471 struct fscache_object *object;
42472 unsigned long event;
42473
42474- fscache_stat(&fscache_n_relinquishes);
42475+ fscache_stat_unchecked(&fscache_n_relinquishes);
42476 if (retire)
42477- fscache_stat(&fscache_n_relinquishes_retire);
42478+ fscache_stat_unchecked(&fscache_n_relinquishes_retire);
42479
42480 if (!cookie) {
42481- fscache_stat(&fscache_n_relinquishes_null);
42482+ fscache_stat_unchecked(&fscache_n_relinquishes_null);
42483 _leave(" [no cookie]");
42484 return;
42485 }
42486@@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
42487
42488 /* wait for the cookie to finish being instantiated (or to fail) */
42489 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
42490- fscache_stat(&fscache_n_relinquishes_waitcrt);
42491+ fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
42492 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
42493 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
42494 }
42495diff -urNp linux-3.1.1/fs/fscache/internal.h linux-3.1.1/fs/fscache/internal.h
42496--- linux-3.1.1/fs/fscache/internal.h 2011-11-11 15:19:27.000000000 -0500
42497+++ linux-3.1.1/fs/fscache/internal.h 2011-11-16 18:39:08.000000000 -0500
42498@@ -144,94 +144,94 @@ extern void fscache_proc_cleanup(void);
42499 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
42500 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
42501
42502-extern atomic_t fscache_n_op_pend;
42503-extern atomic_t fscache_n_op_run;
42504-extern atomic_t fscache_n_op_enqueue;
42505-extern atomic_t fscache_n_op_deferred_release;
42506-extern atomic_t fscache_n_op_release;
42507-extern atomic_t fscache_n_op_gc;
42508-extern atomic_t fscache_n_op_cancelled;
42509-extern atomic_t fscache_n_op_rejected;
42510-
42511-extern atomic_t fscache_n_attr_changed;
42512-extern atomic_t fscache_n_attr_changed_ok;
42513-extern atomic_t fscache_n_attr_changed_nobufs;
42514-extern atomic_t fscache_n_attr_changed_nomem;
42515-extern atomic_t fscache_n_attr_changed_calls;
42516-
42517-extern atomic_t fscache_n_allocs;
42518-extern atomic_t fscache_n_allocs_ok;
42519-extern atomic_t fscache_n_allocs_wait;
42520-extern atomic_t fscache_n_allocs_nobufs;
42521-extern atomic_t fscache_n_allocs_intr;
42522-extern atomic_t fscache_n_allocs_object_dead;
42523-extern atomic_t fscache_n_alloc_ops;
42524-extern atomic_t fscache_n_alloc_op_waits;
42525-
42526-extern atomic_t fscache_n_retrievals;
42527-extern atomic_t fscache_n_retrievals_ok;
42528-extern atomic_t fscache_n_retrievals_wait;
42529-extern atomic_t fscache_n_retrievals_nodata;
42530-extern atomic_t fscache_n_retrievals_nobufs;
42531-extern atomic_t fscache_n_retrievals_intr;
42532-extern atomic_t fscache_n_retrievals_nomem;
42533-extern atomic_t fscache_n_retrievals_object_dead;
42534-extern atomic_t fscache_n_retrieval_ops;
42535-extern atomic_t fscache_n_retrieval_op_waits;
42536-
42537-extern atomic_t fscache_n_stores;
42538-extern atomic_t fscache_n_stores_ok;
42539-extern atomic_t fscache_n_stores_again;
42540-extern atomic_t fscache_n_stores_nobufs;
42541-extern atomic_t fscache_n_stores_oom;
42542-extern atomic_t fscache_n_store_ops;
42543-extern atomic_t fscache_n_store_calls;
42544-extern atomic_t fscache_n_store_pages;
42545-extern atomic_t fscache_n_store_radix_deletes;
42546-extern atomic_t fscache_n_store_pages_over_limit;
42547-
42548-extern atomic_t fscache_n_store_vmscan_not_storing;
42549-extern atomic_t fscache_n_store_vmscan_gone;
42550-extern atomic_t fscache_n_store_vmscan_busy;
42551-extern atomic_t fscache_n_store_vmscan_cancelled;
42552-
42553-extern atomic_t fscache_n_marks;
42554-extern atomic_t fscache_n_uncaches;
42555-
42556-extern atomic_t fscache_n_acquires;
42557-extern atomic_t fscache_n_acquires_null;
42558-extern atomic_t fscache_n_acquires_no_cache;
42559-extern atomic_t fscache_n_acquires_ok;
42560-extern atomic_t fscache_n_acquires_nobufs;
42561-extern atomic_t fscache_n_acquires_oom;
42562-
42563-extern atomic_t fscache_n_updates;
42564-extern atomic_t fscache_n_updates_null;
42565-extern atomic_t fscache_n_updates_run;
42566-
42567-extern atomic_t fscache_n_relinquishes;
42568-extern atomic_t fscache_n_relinquishes_null;
42569-extern atomic_t fscache_n_relinquishes_waitcrt;
42570-extern atomic_t fscache_n_relinquishes_retire;
42571-
42572-extern atomic_t fscache_n_cookie_index;
42573-extern atomic_t fscache_n_cookie_data;
42574-extern atomic_t fscache_n_cookie_special;
42575-
42576-extern atomic_t fscache_n_object_alloc;
42577-extern atomic_t fscache_n_object_no_alloc;
42578-extern atomic_t fscache_n_object_lookups;
42579-extern atomic_t fscache_n_object_lookups_negative;
42580-extern atomic_t fscache_n_object_lookups_positive;
42581-extern atomic_t fscache_n_object_lookups_timed_out;
42582-extern atomic_t fscache_n_object_created;
42583-extern atomic_t fscache_n_object_avail;
42584-extern atomic_t fscache_n_object_dead;
42585-
42586-extern atomic_t fscache_n_checkaux_none;
42587-extern atomic_t fscache_n_checkaux_okay;
42588-extern atomic_t fscache_n_checkaux_update;
42589-extern atomic_t fscache_n_checkaux_obsolete;
42590+extern atomic_unchecked_t fscache_n_op_pend;
42591+extern atomic_unchecked_t fscache_n_op_run;
42592+extern atomic_unchecked_t fscache_n_op_enqueue;
42593+extern atomic_unchecked_t fscache_n_op_deferred_release;
42594+extern atomic_unchecked_t fscache_n_op_release;
42595+extern atomic_unchecked_t fscache_n_op_gc;
42596+extern atomic_unchecked_t fscache_n_op_cancelled;
42597+extern atomic_unchecked_t fscache_n_op_rejected;
42598+
42599+extern atomic_unchecked_t fscache_n_attr_changed;
42600+extern atomic_unchecked_t fscache_n_attr_changed_ok;
42601+extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
42602+extern atomic_unchecked_t fscache_n_attr_changed_nomem;
42603+extern atomic_unchecked_t fscache_n_attr_changed_calls;
42604+
42605+extern atomic_unchecked_t fscache_n_allocs;
42606+extern atomic_unchecked_t fscache_n_allocs_ok;
42607+extern atomic_unchecked_t fscache_n_allocs_wait;
42608+extern atomic_unchecked_t fscache_n_allocs_nobufs;
42609+extern atomic_unchecked_t fscache_n_allocs_intr;
42610+extern atomic_unchecked_t fscache_n_allocs_object_dead;
42611+extern atomic_unchecked_t fscache_n_alloc_ops;
42612+extern atomic_unchecked_t fscache_n_alloc_op_waits;
42613+
42614+extern atomic_unchecked_t fscache_n_retrievals;
42615+extern atomic_unchecked_t fscache_n_retrievals_ok;
42616+extern atomic_unchecked_t fscache_n_retrievals_wait;
42617+extern atomic_unchecked_t fscache_n_retrievals_nodata;
42618+extern atomic_unchecked_t fscache_n_retrievals_nobufs;
42619+extern atomic_unchecked_t fscache_n_retrievals_intr;
42620+extern atomic_unchecked_t fscache_n_retrievals_nomem;
42621+extern atomic_unchecked_t fscache_n_retrievals_object_dead;
42622+extern atomic_unchecked_t fscache_n_retrieval_ops;
42623+extern atomic_unchecked_t fscache_n_retrieval_op_waits;
42624+
42625+extern atomic_unchecked_t fscache_n_stores;
42626+extern atomic_unchecked_t fscache_n_stores_ok;
42627+extern atomic_unchecked_t fscache_n_stores_again;
42628+extern atomic_unchecked_t fscache_n_stores_nobufs;
42629+extern atomic_unchecked_t fscache_n_stores_oom;
42630+extern atomic_unchecked_t fscache_n_store_ops;
42631+extern atomic_unchecked_t fscache_n_store_calls;
42632+extern atomic_unchecked_t fscache_n_store_pages;
42633+extern atomic_unchecked_t fscache_n_store_radix_deletes;
42634+extern atomic_unchecked_t fscache_n_store_pages_over_limit;
42635+
42636+extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
42637+extern atomic_unchecked_t fscache_n_store_vmscan_gone;
42638+extern atomic_unchecked_t fscache_n_store_vmscan_busy;
42639+extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
42640+
42641+extern atomic_unchecked_t fscache_n_marks;
42642+extern atomic_unchecked_t fscache_n_uncaches;
42643+
42644+extern atomic_unchecked_t fscache_n_acquires;
42645+extern atomic_unchecked_t fscache_n_acquires_null;
42646+extern atomic_unchecked_t fscache_n_acquires_no_cache;
42647+extern atomic_unchecked_t fscache_n_acquires_ok;
42648+extern atomic_unchecked_t fscache_n_acquires_nobufs;
42649+extern atomic_unchecked_t fscache_n_acquires_oom;
42650+
42651+extern atomic_unchecked_t fscache_n_updates;
42652+extern atomic_unchecked_t fscache_n_updates_null;
42653+extern atomic_unchecked_t fscache_n_updates_run;
42654+
42655+extern atomic_unchecked_t fscache_n_relinquishes;
42656+extern atomic_unchecked_t fscache_n_relinquishes_null;
42657+extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
42658+extern atomic_unchecked_t fscache_n_relinquishes_retire;
42659+
42660+extern atomic_unchecked_t fscache_n_cookie_index;
42661+extern atomic_unchecked_t fscache_n_cookie_data;
42662+extern atomic_unchecked_t fscache_n_cookie_special;
42663+
42664+extern atomic_unchecked_t fscache_n_object_alloc;
42665+extern atomic_unchecked_t fscache_n_object_no_alloc;
42666+extern atomic_unchecked_t fscache_n_object_lookups;
42667+extern atomic_unchecked_t fscache_n_object_lookups_negative;
42668+extern atomic_unchecked_t fscache_n_object_lookups_positive;
42669+extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
42670+extern atomic_unchecked_t fscache_n_object_created;
42671+extern atomic_unchecked_t fscache_n_object_avail;
42672+extern atomic_unchecked_t fscache_n_object_dead;
42673+
42674+extern atomic_unchecked_t fscache_n_checkaux_none;
42675+extern atomic_unchecked_t fscache_n_checkaux_okay;
42676+extern atomic_unchecked_t fscache_n_checkaux_update;
42677+extern atomic_unchecked_t fscache_n_checkaux_obsolete;
42678
42679 extern atomic_t fscache_n_cop_alloc_object;
42680 extern atomic_t fscache_n_cop_lookup_object;
42681@@ -255,6 +255,11 @@ static inline void fscache_stat(atomic_t
42682 atomic_inc(stat);
42683 }
42684
42685+static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
42686+{
42687+ atomic_inc_unchecked(stat);
42688+}
42689+
42690 static inline void fscache_stat_d(atomic_t *stat)
42691 {
42692 atomic_dec(stat);
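Review bot: The new fscache_stat_unchecked() inline at the top of the hunk carries no comment saying why a second, unchecked increment helper exists, and that is exactly what a later maintainer needs before choosing between the two. Under PaX's refcount-overflow protection (CONFIG_PAX_REFCOUNT) an atomic_t that wraps is treated as a refcount bug, so statistics that may legitimately wrap are moved to atomic_unchecked_t; the fscache_n_cop_* counters left as atomic_t just above this hunk are the ones paired with fscache_stat_d() decrements, and no unchecked decrement is introduced, which is the right split. A comment above the helper such as `/* Statistics-only counters that may wrap: never use for anything that guards an object's lifetime, since overflow detection is deliberately off. */` would pin that down; the same note applies to the definitions hunk in fs/fscache/stats.c, which converts the same list. The per-call-site hunks in object.c, operation.c and page.c are mechanical substitutions and need nothing further.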
42693@@ -267,6 +272,7 @@ extern const struct file_operations fsca
42694
42695 #define __fscache_stat(stat) (NULL)
42696 #define fscache_stat(stat) do {} while (0)
42697+#define fscache_stat_unchecked(stat) do {} while (0)
42698 #define fscache_stat_d(stat) do {} while (0)
42699 #endif
42700
42701diff -urNp linux-3.1.1/fs/fscache/object.c linux-3.1.1/fs/fscache/object.c
42702--- linux-3.1.1/fs/fscache/object.c 2011-11-11 15:19:27.000000000 -0500
42703+++ linux-3.1.1/fs/fscache/object.c 2011-11-16 18:39:08.000000000 -0500
42704@@ -128,7 +128,7 @@ static void fscache_object_state_machine
42705 /* update the object metadata on disk */
42706 case FSCACHE_OBJECT_UPDATING:
42707 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
42708- fscache_stat(&fscache_n_updates_run);
42709+ fscache_stat_unchecked(&fscache_n_updates_run);
42710 fscache_stat(&fscache_n_cop_update_object);
42711 object->cache->ops->update_object(object);
42712 fscache_stat_d(&fscache_n_cop_update_object);
42713@@ -217,7 +217,7 @@ static void fscache_object_state_machine
42714 spin_lock(&object->lock);
42715 object->state = FSCACHE_OBJECT_DEAD;
42716 spin_unlock(&object->lock);
42717- fscache_stat(&fscache_n_object_dead);
42718+ fscache_stat_unchecked(&fscache_n_object_dead);
42719 goto terminal_transit;
42720
42721 /* handle the parent cache of this object being withdrawn from
42722@@ -232,7 +232,7 @@ static void fscache_object_state_machine
42723 spin_lock(&object->lock);
42724 object->state = FSCACHE_OBJECT_DEAD;
42725 spin_unlock(&object->lock);
42726- fscache_stat(&fscache_n_object_dead);
42727+ fscache_stat_unchecked(&fscache_n_object_dead);
42728 goto terminal_transit;
42729
42730 /* complain about the object being woken up once it is
42731@@ -461,7 +461,7 @@ static void fscache_lookup_object(struct
42732 parent->cookie->def->name, cookie->def->name,
42733 object->cache->tag->name);
42734
42735- fscache_stat(&fscache_n_object_lookups);
42736+ fscache_stat_unchecked(&fscache_n_object_lookups);
42737 fscache_stat(&fscache_n_cop_lookup_object);
42738 ret = object->cache->ops->lookup_object(object);
42739 fscache_stat_d(&fscache_n_cop_lookup_object);
42740@@ -472,7 +472,7 @@ static void fscache_lookup_object(struct
42741 if (ret == -ETIMEDOUT) {
42742 /* probably stuck behind another object, so move this one to
42743 * the back of the queue */
42744- fscache_stat(&fscache_n_object_lookups_timed_out);
42745+ fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
42746 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
42747 }
42748
42749@@ -495,7 +495,7 @@ void fscache_object_lookup_negative(stru
42750
42751 spin_lock(&object->lock);
42752 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
42753- fscache_stat(&fscache_n_object_lookups_negative);
42754+ fscache_stat_unchecked(&fscache_n_object_lookups_negative);
42755
42756 /* transit here to allow write requests to begin stacking up
42757 * and read requests to begin returning ENODATA */
42758@@ -541,7 +541,7 @@ void fscache_obtained_object(struct fsca
42759 * result, in which case there may be data available */
42760 spin_lock(&object->lock);
42761 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
42762- fscache_stat(&fscache_n_object_lookups_positive);
42763+ fscache_stat_unchecked(&fscache_n_object_lookups_positive);
42764
42765 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
42766
42767@@ -555,7 +555,7 @@ void fscache_obtained_object(struct fsca
42768 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
42769 } else {
42770 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
42771- fscache_stat(&fscache_n_object_created);
42772+ fscache_stat_unchecked(&fscache_n_object_created);
42773
42774 object->state = FSCACHE_OBJECT_AVAILABLE;
42775 spin_unlock(&object->lock);
42776@@ -602,7 +602,7 @@ static void fscache_object_available(str
42777 fscache_enqueue_dependents(object);
42778
42779 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
42780- fscache_stat(&fscache_n_object_avail);
42781+ fscache_stat_unchecked(&fscache_n_object_avail);
42782
42783 _leave("");
42784 }
42785@@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
42786 enum fscache_checkaux result;
42787
42788 if (!object->cookie->def->check_aux) {
42789- fscache_stat(&fscache_n_checkaux_none);
42790+ fscache_stat_unchecked(&fscache_n_checkaux_none);
42791 return FSCACHE_CHECKAUX_OKAY;
42792 }
42793
42794@@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
42795 switch (result) {
42796 /* entry okay as is */
42797 case FSCACHE_CHECKAUX_OKAY:
42798- fscache_stat(&fscache_n_checkaux_okay);
42799+ fscache_stat_unchecked(&fscache_n_checkaux_okay);
42800 break;
42801
42802 /* entry requires update */
42803 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
42804- fscache_stat(&fscache_n_checkaux_update);
42805+ fscache_stat_unchecked(&fscache_n_checkaux_update);
42806 break;
42807
42808 /* entry requires deletion */
42809 case FSCACHE_CHECKAUX_OBSOLETE:
42810- fscache_stat(&fscache_n_checkaux_obsolete);
42811+ fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
42812 break;
42813
42814 default:
42815diff -urNp linux-3.1.1/fs/fscache/operation.c linux-3.1.1/fs/fscache/operation.c
42816--- linux-3.1.1/fs/fscache/operation.c 2011-11-11 15:19:27.000000000 -0500
42817+++ linux-3.1.1/fs/fscache/operation.c 2011-11-16 18:39:08.000000000 -0500
42818@@ -17,7 +17,7 @@
42819 #include <linux/slab.h>
42820 #include "internal.h"
42821
42822-atomic_t fscache_op_debug_id;
42823+atomic_unchecked_t fscache_op_debug_id;
42824 EXPORT_SYMBOL(fscache_op_debug_id);
42825
42826 /**
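Review bot: fscache_op_debug_id changes type on the hunk's fourth line, but the extern declaration it is exported against lives in a header outside this chunk, so it is not visible here; that declaration and any other incrementer in that header (presumably the operation-init helper) must switch to atomic_inc_return_unchecked() in the same commit, though a mismatch would fail to compile rather than misbehave. The one incrementer in this chunk, in __fscache_write_page in page.c, is already converted. The id is only formatted into debug messages such as `_debug("GC DEFERRED REL OBJ%x OP%x", ...)` later in this file, so wrap-around is harmless and the unchecked type is appropriate; a one-line `/* debug-only id; may wrap, hence unchecked */` next to the definition would record that.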
42827@@ -38,7 +38,7 @@ void fscache_enqueue_operation(struct fs
42828 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
42829 ASSERTCMP(atomic_read(&op->usage), >, 0);
42830
42831- fscache_stat(&fscache_n_op_enqueue);
42832+ fscache_stat_unchecked(&fscache_n_op_enqueue);
42833 switch (op->flags & FSCACHE_OP_TYPE) {
42834 case FSCACHE_OP_ASYNC:
42835 _debug("queue async");
42836@@ -69,7 +69,7 @@ static void fscache_run_op(struct fscach
42837 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
42838 if (op->processor)
42839 fscache_enqueue_operation(op);
42840- fscache_stat(&fscache_n_op_run);
42841+ fscache_stat_unchecked(&fscache_n_op_run);
42842 }
42843
42844 /*
42845@@ -98,11 +98,11 @@ int fscache_submit_exclusive_op(struct f
42846 if (object->n_ops > 1) {
42847 atomic_inc(&op->usage);
42848 list_add_tail(&op->pend_link, &object->pending_ops);
42849- fscache_stat(&fscache_n_op_pend);
42850+ fscache_stat_unchecked(&fscache_n_op_pend);
42851 } else if (!list_empty(&object->pending_ops)) {
42852 atomic_inc(&op->usage);
42853 list_add_tail(&op->pend_link, &object->pending_ops);
42854- fscache_stat(&fscache_n_op_pend);
42855+ fscache_stat_unchecked(&fscache_n_op_pend);
42856 fscache_start_operations(object);
42857 } else {
42858 ASSERTCMP(object->n_in_progress, ==, 0);
42859@@ -118,7 +118,7 @@ int fscache_submit_exclusive_op(struct f
42860 object->n_exclusive++; /* reads and writes must wait */
42861 atomic_inc(&op->usage);
42862 list_add_tail(&op->pend_link, &object->pending_ops);
42863- fscache_stat(&fscache_n_op_pend);
42864+ fscache_stat_unchecked(&fscache_n_op_pend);
42865 ret = 0;
42866 } else {
42867 /* not allowed to submit ops in any other state */
42868@@ -203,11 +203,11 @@ int fscache_submit_op(struct fscache_obj
42869 if (object->n_exclusive > 0) {
42870 atomic_inc(&op->usage);
42871 list_add_tail(&op->pend_link, &object->pending_ops);
42872- fscache_stat(&fscache_n_op_pend);
42873+ fscache_stat_unchecked(&fscache_n_op_pend);
42874 } else if (!list_empty(&object->pending_ops)) {
42875 atomic_inc(&op->usage);
42876 list_add_tail(&op->pend_link, &object->pending_ops);
42877- fscache_stat(&fscache_n_op_pend);
42878+ fscache_stat_unchecked(&fscache_n_op_pend);
42879 fscache_start_operations(object);
42880 } else {
42881 ASSERTCMP(object->n_exclusive, ==, 0);
42882@@ -219,12 +219,12 @@ int fscache_submit_op(struct fscache_obj
42883 object->n_ops++;
42884 atomic_inc(&op->usage);
42885 list_add_tail(&op->pend_link, &object->pending_ops);
42886- fscache_stat(&fscache_n_op_pend);
42887+ fscache_stat_unchecked(&fscache_n_op_pend);
42888 ret = 0;
42889 } else if (object->state == FSCACHE_OBJECT_DYING ||
42890 object->state == FSCACHE_OBJECT_LC_DYING ||
42891 object->state == FSCACHE_OBJECT_WITHDRAWING) {
42892- fscache_stat(&fscache_n_op_rejected);
42893+ fscache_stat_unchecked(&fscache_n_op_rejected);
42894 ret = -ENOBUFS;
42895 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
42896 fscache_report_unexpected_submission(object, op, ostate);
42897@@ -294,7 +294,7 @@ int fscache_cancel_op(struct fscache_ope
42898
42899 ret = -EBUSY;
42900 if (!list_empty(&op->pend_link)) {
42901- fscache_stat(&fscache_n_op_cancelled);
42902+ fscache_stat_unchecked(&fscache_n_op_cancelled);
42903 list_del_init(&op->pend_link);
42904 object->n_ops--;
42905 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
42906@@ -331,7 +331,7 @@ void fscache_put_operation(struct fscach
42907 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
42908 BUG();
42909
42910- fscache_stat(&fscache_n_op_release);
42911+ fscache_stat_unchecked(&fscache_n_op_release);
42912
42913 if (op->release) {
42914 op->release(op);
42915@@ -348,7 +348,7 @@ void fscache_put_operation(struct fscach
42916 * lock, and defer it otherwise */
42917 if (!spin_trylock(&object->lock)) {
42918 _debug("defer put");
42919- fscache_stat(&fscache_n_op_deferred_release);
42920+ fscache_stat_unchecked(&fscache_n_op_deferred_release);
42921
42922 cache = object->cache;
42923 spin_lock(&cache->op_gc_list_lock);
42924@@ -410,7 +410,7 @@ void fscache_operation_gc(struct work_st
42925
42926 _debug("GC DEFERRED REL OBJ%x OP%x",
42927 object->debug_id, op->debug_id);
42928- fscache_stat(&fscache_n_op_gc);
42929+ fscache_stat_unchecked(&fscache_n_op_gc);
42930
42931 ASSERTCMP(atomic_read(&op->usage), ==, 0);
42932
42933diff -urNp linux-3.1.1/fs/fscache/page.c linux-3.1.1/fs/fscache/page.c
42934--- linux-3.1.1/fs/fscache/page.c 2011-11-11 15:19:27.000000000 -0500
42935+++ linux-3.1.1/fs/fscache/page.c 2011-11-16 18:39:08.000000000 -0500
42936@@ -60,7 +60,7 @@ bool __fscache_maybe_release_page(struct
42937 val = radix_tree_lookup(&cookie->stores, page->index);
42938 if (!val) {
42939 rcu_read_unlock();
42940- fscache_stat(&fscache_n_store_vmscan_not_storing);
42941+ fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
42942 __fscache_uncache_page(cookie, page);
42943 return true;
42944 }
42945@@ -90,11 +90,11 @@ bool __fscache_maybe_release_page(struct
42946 spin_unlock(&cookie->stores_lock);
42947
42948 if (xpage) {
42949- fscache_stat(&fscache_n_store_vmscan_cancelled);
42950- fscache_stat(&fscache_n_store_radix_deletes);
42951+ fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
42952+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
42953 ASSERTCMP(xpage, ==, page);
42954 } else {
42955- fscache_stat(&fscache_n_store_vmscan_gone);
42956+ fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
42957 }
42958
42959 wake_up_bit(&cookie->flags, 0);
42960@@ -107,7 +107,7 @@ page_busy:
42961 /* we might want to wait here, but that could deadlock the allocator as
42962 * the work threads writing to the cache may all end up sleeping
42963 * on memory allocation */
42964- fscache_stat(&fscache_n_store_vmscan_busy);
42965+ fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
42966 return false;
42967 }
42968 EXPORT_SYMBOL(__fscache_maybe_release_page);
42969@@ -131,7 +131,7 @@ static void fscache_end_page_write(struc
42970 FSCACHE_COOKIE_STORING_TAG);
42971 if (!radix_tree_tag_get(&cookie->stores, page->index,
42972 FSCACHE_COOKIE_PENDING_TAG)) {
42973- fscache_stat(&fscache_n_store_radix_deletes);
42974+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
42975 xpage = radix_tree_delete(&cookie->stores, page->index);
42976 }
42977 spin_unlock(&cookie->stores_lock);
42978@@ -152,7 +152,7 @@ static void fscache_attr_changed_op(stru
42979
42980 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
42981
42982- fscache_stat(&fscache_n_attr_changed_calls);
42983+ fscache_stat_unchecked(&fscache_n_attr_changed_calls);
42984
42985 if (fscache_object_is_active(object)) {
42986 fscache_stat(&fscache_n_cop_attr_changed);
42987@@ -177,11 +177,11 @@ int __fscache_attr_changed(struct fscach
42988
42989 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
42990
42991- fscache_stat(&fscache_n_attr_changed);
42992+ fscache_stat_unchecked(&fscache_n_attr_changed);
42993
42994 op = kzalloc(sizeof(*op), GFP_KERNEL);
42995 if (!op) {
42996- fscache_stat(&fscache_n_attr_changed_nomem);
42997+ fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
42998 _leave(" = -ENOMEM");
42999 return -ENOMEM;
43000 }
43001@@ -199,7 +199,7 @@ int __fscache_attr_changed(struct fscach
43002 if (fscache_submit_exclusive_op(object, op) < 0)
43003 goto nobufs;
43004 spin_unlock(&cookie->lock);
43005- fscache_stat(&fscache_n_attr_changed_ok);
43006+ fscache_stat_unchecked(&fscache_n_attr_changed_ok);
43007 fscache_put_operation(op);
43008 _leave(" = 0");
43009 return 0;
43010@@ -207,7 +207,7 @@ int __fscache_attr_changed(struct fscach
43011 nobufs:
43012 spin_unlock(&cookie->lock);
43013 kfree(op);
43014- fscache_stat(&fscache_n_attr_changed_nobufs);
43015+ fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
43016 _leave(" = %d", -ENOBUFS);
43017 return -ENOBUFS;
43018 }
43019@@ -243,7 +243,7 @@ static struct fscache_retrieval *fscache
43020 /* allocate a retrieval operation and attempt to submit it */
43021 op = kzalloc(sizeof(*op), GFP_NOIO);
43022 if (!op) {
43023- fscache_stat(&fscache_n_retrievals_nomem);
43024+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
43025 return NULL;
43026 }
43027
43028@@ -271,13 +271,13 @@ static int fscache_wait_for_deferred_loo
43029 return 0;
43030 }
43031
43032- fscache_stat(&fscache_n_retrievals_wait);
43033+ fscache_stat_unchecked(&fscache_n_retrievals_wait);
43034
43035 jif = jiffies;
43036 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
43037 fscache_wait_bit_interruptible,
43038 TASK_INTERRUPTIBLE) != 0) {
43039- fscache_stat(&fscache_n_retrievals_intr);
43040+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
43041 _leave(" = -ERESTARTSYS");
43042 return -ERESTARTSYS;
43043 }
43044@@ -295,8 +295,8 @@ static int fscache_wait_for_deferred_loo
43045 */
43046 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
43047 struct fscache_retrieval *op,
43048- atomic_t *stat_op_waits,
43049- atomic_t *stat_object_dead)
43050+ atomic_unchecked_t *stat_op_waits,
43051+ atomic_unchecked_t *stat_object_dead)
43052 {
43053 int ret;
43054
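Review bot: The parameter type change on stat_op_waits and stat_object_dead narrows what fscache_wait_for_retrieval_activation() accepts to statistics counters, and the comment block that closes on the hunk's first line (its text is outside the hunk) should say so; a line such as `stat_op_waits/stat_object_dead: statistics counters (atomic_unchecked_t), only ever incremented, never used for lifetime decisions` would fit the existing block. Callers such as __fscache_alloc_page pass their counter arguments on lines outside their hunks, and the counters they name are converted in the stats.c hunk, so this looks consistent but is worth a compile-time confirmation. The function body continues past the hunk.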
43055@@ -304,7 +304,7 @@ static int fscache_wait_for_retrieval_ac
43056 goto check_if_dead;
43057
43058 _debug(">>> WT");
43059- fscache_stat(stat_op_waits);
43060+ fscache_stat_unchecked(stat_op_waits);
43061 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
43062 fscache_wait_bit_interruptible,
43063 TASK_INTERRUPTIBLE) < 0) {
43064@@ -321,7 +321,7 @@ static int fscache_wait_for_retrieval_ac
43065
43066 check_if_dead:
43067 if (unlikely(fscache_object_is_dead(object))) {
43068- fscache_stat(stat_object_dead);
43069+ fscache_stat_unchecked(stat_object_dead);
43070 return -ENOBUFS;
43071 }
43072 return 0;
43073@@ -348,7 +348,7 @@ int __fscache_read_or_alloc_page(struct
43074
43075 _enter("%p,%p,,,", cookie, page);
43076
43077- fscache_stat(&fscache_n_retrievals);
43078+ fscache_stat_unchecked(&fscache_n_retrievals);
43079
43080 if (hlist_empty(&cookie->backing_objects))
43081 goto nobufs;
43082@@ -381,7 +381,7 @@ int __fscache_read_or_alloc_page(struct
43083 goto nobufs_unlock;
43084 spin_unlock(&cookie->lock);
43085
43086- fscache_stat(&fscache_n_retrieval_ops);
43087+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
43088
43089 /* pin the netfs read context in case we need to do the actual netfs
43090 * read because we've encountered a cache read failure */
43091@@ -411,15 +411,15 @@ int __fscache_read_or_alloc_page(struct
43092
43093 error:
43094 if (ret == -ENOMEM)
43095- fscache_stat(&fscache_n_retrievals_nomem);
43096+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
43097 else if (ret == -ERESTARTSYS)
43098- fscache_stat(&fscache_n_retrievals_intr);
43099+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
43100 else if (ret == -ENODATA)
43101- fscache_stat(&fscache_n_retrievals_nodata);
43102+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
43103 else if (ret < 0)
43104- fscache_stat(&fscache_n_retrievals_nobufs);
43105+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43106 else
43107- fscache_stat(&fscache_n_retrievals_ok);
43108+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
43109
43110 fscache_put_retrieval(op);
43111 _leave(" = %d", ret);
43112@@ -429,7 +429,7 @@ nobufs_unlock:
43113 spin_unlock(&cookie->lock);
43114 kfree(op);
43115 nobufs:
43116- fscache_stat(&fscache_n_retrievals_nobufs);
43117+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43118 _leave(" = -ENOBUFS");
43119 return -ENOBUFS;
43120 }
43121@@ -467,7 +467,7 @@ int __fscache_read_or_alloc_pages(struct
43122
43123 _enter("%p,,%d,,,", cookie, *nr_pages);
43124
43125- fscache_stat(&fscache_n_retrievals);
43126+ fscache_stat_unchecked(&fscache_n_retrievals);
43127
43128 if (hlist_empty(&cookie->backing_objects))
43129 goto nobufs;
43130@@ -497,7 +497,7 @@ int __fscache_read_or_alloc_pages(struct
43131 goto nobufs_unlock;
43132 spin_unlock(&cookie->lock);
43133
43134- fscache_stat(&fscache_n_retrieval_ops);
43135+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
43136
43137 /* pin the netfs read context in case we need to do the actual netfs
43138 * read because we've encountered a cache read failure */
43139@@ -527,15 +527,15 @@ int __fscache_read_or_alloc_pages(struct
43140
43141 error:
43142 if (ret == -ENOMEM)
43143- fscache_stat(&fscache_n_retrievals_nomem);
43144+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
43145 else if (ret == -ERESTARTSYS)
43146- fscache_stat(&fscache_n_retrievals_intr);
43147+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
43148 else if (ret == -ENODATA)
43149- fscache_stat(&fscache_n_retrievals_nodata);
43150+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
43151 else if (ret < 0)
43152- fscache_stat(&fscache_n_retrievals_nobufs);
43153+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43154 else
43155- fscache_stat(&fscache_n_retrievals_ok);
43156+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
43157
43158 fscache_put_retrieval(op);
43159 _leave(" = %d", ret);
43160@@ -545,7 +545,7 @@ nobufs_unlock:
43161 spin_unlock(&cookie->lock);
43162 kfree(op);
43163 nobufs:
43164- fscache_stat(&fscache_n_retrievals_nobufs);
43165+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
43166 _leave(" = -ENOBUFS");
43167 return -ENOBUFS;
43168 }
43169@@ -569,7 +569,7 @@ int __fscache_alloc_page(struct fscache_
43170
43171 _enter("%p,%p,,,", cookie, page);
43172
43173- fscache_stat(&fscache_n_allocs);
43174+ fscache_stat_unchecked(&fscache_n_allocs);
43175
43176 if (hlist_empty(&cookie->backing_objects))
43177 goto nobufs;
43178@@ -595,7 +595,7 @@ int __fscache_alloc_page(struct fscache_
43179 goto nobufs_unlock;
43180 spin_unlock(&cookie->lock);
43181
43182- fscache_stat(&fscache_n_alloc_ops);
43183+ fscache_stat_unchecked(&fscache_n_alloc_ops);
43184
43185 ret = fscache_wait_for_retrieval_activation(
43186 object, op,
43187@@ -611,11 +611,11 @@ int __fscache_alloc_page(struct fscache_
43188
43189 error:
43190 if (ret == -ERESTARTSYS)
43191- fscache_stat(&fscache_n_allocs_intr);
43192+ fscache_stat_unchecked(&fscache_n_allocs_intr);
43193 else if (ret < 0)
43194- fscache_stat(&fscache_n_allocs_nobufs);
43195+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
43196 else
43197- fscache_stat(&fscache_n_allocs_ok);
43198+ fscache_stat_unchecked(&fscache_n_allocs_ok);
43199
43200 fscache_put_retrieval(op);
43201 _leave(" = %d", ret);
43202@@ -625,7 +625,7 @@ nobufs_unlock:
43203 spin_unlock(&cookie->lock);
43204 kfree(op);
43205 nobufs:
43206- fscache_stat(&fscache_n_allocs_nobufs);
43207+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
43208 _leave(" = -ENOBUFS");
43209 return -ENOBUFS;
43210 }
43211@@ -666,7 +666,7 @@ static void fscache_write_op(struct fsca
43212
43213 spin_lock(&cookie->stores_lock);
43214
43215- fscache_stat(&fscache_n_store_calls);
43216+ fscache_stat_unchecked(&fscache_n_store_calls);
43217
43218 /* find a page to store */
43219 page = NULL;
43220@@ -677,7 +677,7 @@ static void fscache_write_op(struct fsca
43221 page = results[0];
43222 _debug("gang %d [%lx]", n, page->index);
43223 if (page->index > op->store_limit) {
43224- fscache_stat(&fscache_n_store_pages_over_limit);
43225+ fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
43226 goto superseded;
43227 }
43228
43229@@ -689,7 +689,7 @@ static void fscache_write_op(struct fsca
43230 spin_unlock(&cookie->stores_lock);
43231 spin_unlock(&object->lock);
43232
43233- fscache_stat(&fscache_n_store_pages);
43234+ fscache_stat_unchecked(&fscache_n_store_pages);
43235 fscache_stat(&fscache_n_cop_write_page);
43236 ret = object->cache->ops->write_page(op, page);
43237 fscache_stat_d(&fscache_n_cop_write_page);
43238@@ -757,7 +757,7 @@ int __fscache_write_page(struct fscache_
43239 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
43240 ASSERT(PageFsCache(page));
43241
43242- fscache_stat(&fscache_n_stores);
43243+ fscache_stat_unchecked(&fscache_n_stores);
43244
43245 op = kzalloc(sizeof(*op), GFP_NOIO);
43246 if (!op)
43247@@ -808,7 +808,7 @@ int __fscache_write_page(struct fscache_
43248 spin_unlock(&cookie->stores_lock);
43249 spin_unlock(&object->lock);
43250
43251- op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
43252+ op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
43253 op->store_limit = object->store_limit;
43254
43255 if (fscache_submit_op(object, &op->op) < 0)
43256@@ -816,8 +816,8 @@ int __fscache_write_page(struct fscache_
43257
43258 spin_unlock(&cookie->lock);
43259 radix_tree_preload_end();
43260- fscache_stat(&fscache_n_store_ops);
43261- fscache_stat(&fscache_n_stores_ok);
43262+ fscache_stat_unchecked(&fscache_n_store_ops);
43263+ fscache_stat_unchecked(&fscache_n_stores_ok);
43264
43265 /* the work queue now carries its own ref on the object */
43266 fscache_put_operation(&op->op);
43267@@ -825,14 +825,14 @@ int __fscache_write_page(struct fscache_
43268 return 0;
43269
43270 already_queued:
43271- fscache_stat(&fscache_n_stores_again);
43272+ fscache_stat_unchecked(&fscache_n_stores_again);
43273 already_pending:
43274 spin_unlock(&cookie->stores_lock);
43275 spin_unlock(&object->lock);
43276 spin_unlock(&cookie->lock);
43277 radix_tree_preload_end();
43278 kfree(op);
43279- fscache_stat(&fscache_n_stores_ok);
43280+ fscache_stat_unchecked(&fscache_n_stores_ok);
43281 _leave(" = 0");
43282 return 0;
43283
43284@@ -851,14 +851,14 @@ nobufs:
43285 spin_unlock(&cookie->lock);
43286 radix_tree_preload_end();
43287 kfree(op);
43288- fscache_stat(&fscache_n_stores_nobufs);
43289+ fscache_stat_unchecked(&fscache_n_stores_nobufs);
43290 _leave(" = -ENOBUFS");
43291 return -ENOBUFS;
43292
43293 nomem_free:
43294 kfree(op);
43295 nomem:
43296- fscache_stat(&fscache_n_stores_oom);
43297+ fscache_stat_unchecked(&fscache_n_stores_oom);
43298 _leave(" = -ENOMEM");
43299 return -ENOMEM;
43300 }
43301@@ -876,7 +876,7 @@ void __fscache_uncache_page(struct fscac
43302 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
43303 ASSERTCMP(page, !=, NULL);
43304
43305- fscache_stat(&fscache_n_uncaches);
43306+ fscache_stat_unchecked(&fscache_n_uncaches);
43307
43308 /* cache withdrawal may beat us to it */
43309 if (!PageFsCache(page))
43310@@ -929,7 +929,7 @@ void fscache_mark_pages_cached(struct fs
43311 unsigned long loop;
43312
43313 #ifdef CONFIG_FSCACHE_STATS
43314- atomic_add(pagevec->nr, &fscache_n_marks);
43315+ atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
43316 #endif
43317
43318 for (loop = 0; loop < pagevec->nr; loop++) {
43319diff -urNp linux-3.1.1/fs/fscache/stats.c linux-3.1.1/fs/fscache/stats.c
43320--- linux-3.1.1/fs/fscache/stats.c 2011-11-11 15:19:27.000000000 -0500
43321+++ linux-3.1.1/fs/fscache/stats.c 2011-11-16 18:39:08.000000000 -0500
43322@@ -18,95 +18,95 @@
43323 /*
43324 * operation counters
43325 */
43326-atomic_t fscache_n_op_pend;
43327-atomic_t fscache_n_op_run;
43328-atomic_t fscache_n_op_enqueue;
43329-atomic_t fscache_n_op_requeue;
43330-atomic_t fscache_n_op_deferred_release;
43331-atomic_t fscache_n_op_release;
43332-atomic_t fscache_n_op_gc;
43333-atomic_t fscache_n_op_cancelled;
43334-atomic_t fscache_n_op_rejected;
43335-
43336-atomic_t fscache_n_attr_changed;
43337-atomic_t fscache_n_attr_changed_ok;
43338-atomic_t fscache_n_attr_changed_nobufs;
43339-atomic_t fscache_n_attr_changed_nomem;
43340-atomic_t fscache_n_attr_changed_calls;
43341-
43342-atomic_t fscache_n_allocs;
43343-atomic_t fscache_n_allocs_ok;
43344-atomic_t fscache_n_allocs_wait;
43345-atomic_t fscache_n_allocs_nobufs;
43346-atomic_t fscache_n_allocs_intr;
43347-atomic_t fscache_n_allocs_object_dead;
43348-atomic_t fscache_n_alloc_ops;
43349-atomic_t fscache_n_alloc_op_waits;
43350-
43351-atomic_t fscache_n_retrievals;
43352-atomic_t fscache_n_retrievals_ok;
43353-atomic_t fscache_n_retrievals_wait;
43354-atomic_t fscache_n_retrievals_nodata;
43355-atomic_t fscache_n_retrievals_nobufs;
43356-atomic_t fscache_n_retrievals_intr;
43357-atomic_t fscache_n_retrievals_nomem;
43358-atomic_t fscache_n_retrievals_object_dead;
43359-atomic_t fscache_n_retrieval_ops;
43360-atomic_t fscache_n_retrieval_op_waits;
43361-
43362-atomic_t fscache_n_stores;
43363-atomic_t fscache_n_stores_ok;
43364-atomic_t fscache_n_stores_again;
43365-atomic_t fscache_n_stores_nobufs;
43366-atomic_t fscache_n_stores_oom;
43367-atomic_t fscache_n_store_ops;
43368-atomic_t fscache_n_store_calls;
43369-atomic_t fscache_n_store_pages;
43370-atomic_t fscache_n_store_radix_deletes;
43371-atomic_t fscache_n_store_pages_over_limit;
43372-
43373-atomic_t fscache_n_store_vmscan_not_storing;
43374-atomic_t fscache_n_store_vmscan_gone;
43375-atomic_t fscache_n_store_vmscan_busy;
43376-atomic_t fscache_n_store_vmscan_cancelled;
43377-
43378-atomic_t fscache_n_marks;
43379-atomic_t fscache_n_uncaches;
43380-
43381-atomic_t fscache_n_acquires;
43382-atomic_t fscache_n_acquires_null;
43383-atomic_t fscache_n_acquires_no_cache;
43384-atomic_t fscache_n_acquires_ok;
43385-atomic_t fscache_n_acquires_nobufs;
43386-atomic_t fscache_n_acquires_oom;
43387-
43388-atomic_t fscache_n_updates;
43389-atomic_t fscache_n_updates_null;
43390-atomic_t fscache_n_updates_run;
43391-
43392-atomic_t fscache_n_relinquishes;
43393-atomic_t fscache_n_relinquishes_null;
43394-atomic_t fscache_n_relinquishes_waitcrt;
43395-atomic_t fscache_n_relinquishes_retire;
43396-
43397-atomic_t fscache_n_cookie_index;
43398-atomic_t fscache_n_cookie_data;
43399-atomic_t fscache_n_cookie_special;
43400-
43401-atomic_t fscache_n_object_alloc;
43402-atomic_t fscache_n_object_no_alloc;
43403-atomic_t fscache_n_object_lookups;
43404-atomic_t fscache_n_object_lookups_negative;
43405-atomic_t fscache_n_object_lookups_positive;
43406-atomic_t fscache_n_object_lookups_timed_out;
43407-atomic_t fscache_n_object_created;
43408-atomic_t fscache_n_object_avail;
43409-atomic_t fscache_n_object_dead;
43410-
43411-atomic_t fscache_n_checkaux_none;
43412-atomic_t fscache_n_checkaux_okay;
43413-atomic_t fscache_n_checkaux_update;
43414-atomic_t fscache_n_checkaux_obsolete;
43415+atomic_unchecked_t fscache_n_op_pend;
43416+atomic_unchecked_t fscache_n_op_run;
43417+atomic_unchecked_t fscache_n_op_enqueue;
43418+atomic_unchecked_t fscache_n_op_requeue;
43419+atomic_unchecked_t fscache_n_op_deferred_release;
43420+atomic_unchecked_t fscache_n_op_release;
43421+atomic_unchecked_t fscache_n_op_gc;
43422+atomic_unchecked_t fscache_n_op_cancelled;
43423+atomic_unchecked_t fscache_n_op_rejected;
43424+
43425+atomic_unchecked_t fscache_n_attr_changed;
43426+atomic_unchecked_t fscache_n_attr_changed_ok;
43427+atomic_unchecked_t fscache_n_attr_changed_nobufs;
43428+atomic_unchecked_t fscache_n_attr_changed_nomem;
43429+atomic_unchecked_t fscache_n_attr_changed_calls;
43430+
43431+atomic_unchecked_t fscache_n_allocs;
43432+atomic_unchecked_t fscache_n_allocs_ok;
43433+atomic_unchecked_t fscache_n_allocs_wait;
43434+atomic_unchecked_t fscache_n_allocs_nobufs;
43435+atomic_unchecked_t fscache_n_allocs_intr;
43436+atomic_unchecked_t fscache_n_allocs_object_dead;
43437+atomic_unchecked_t fscache_n_alloc_ops;
43438+atomic_unchecked_t fscache_n_alloc_op_waits;
43439+
43440+atomic_unchecked_t fscache_n_retrievals;
43441+atomic_unchecked_t fscache_n_retrievals_ok;
43442+atomic_unchecked_t fscache_n_retrievals_wait;
43443+atomic_unchecked_t fscache_n_retrievals_nodata;
43444+atomic_unchecked_t fscache_n_retrievals_nobufs;
43445+atomic_unchecked_t fscache_n_retrievals_intr;
43446+atomic_unchecked_t fscache_n_retrievals_nomem;
43447+atomic_unchecked_t fscache_n_retrievals_object_dead;
43448+atomic_unchecked_t fscache_n_retrieval_ops;
43449+atomic_unchecked_t fscache_n_retrieval_op_waits;
43450+
43451+atomic_unchecked_t fscache_n_stores;
43452+atomic_unchecked_t fscache_n_stores_ok;
43453+atomic_unchecked_t fscache_n_stores_again;
43454+atomic_unchecked_t fscache_n_stores_nobufs;
43455+atomic_unchecked_t fscache_n_stores_oom;
43456+atomic_unchecked_t fscache_n_store_ops;
43457+atomic_unchecked_t fscache_n_store_calls;
43458+atomic_unchecked_t fscache_n_store_pages;
43459+atomic_unchecked_t fscache_n_store_radix_deletes;
43460+atomic_unchecked_t fscache_n_store_pages_over_limit;
43461+
43462+atomic_unchecked_t fscache_n_store_vmscan_not_storing;
43463+atomic_unchecked_t fscache_n_store_vmscan_gone;
43464+atomic_unchecked_t fscache_n_store_vmscan_busy;
43465+atomic_unchecked_t fscache_n_store_vmscan_cancelled;
43466+
43467+atomic_unchecked_t fscache_n_marks;
43468+atomic_unchecked_t fscache_n_uncaches;
43469+
43470+atomic_unchecked_t fscache_n_acquires;
43471+atomic_unchecked_t fscache_n_acquires_null;
43472+atomic_unchecked_t fscache_n_acquires_no_cache;
43473+atomic_unchecked_t fscache_n_acquires_ok;
43474+atomic_unchecked_t fscache_n_acquires_nobufs;
43475+atomic_unchecked_t fscache_n_acquires_oom;
43476+
43477+atomic_unchecked_t fscache_n_updates;
43478+atomic_unchecked_t fscache_n_updates_null;
43479+atomic_unchecked_t fscache_n_updates_run;
43480+
43481+atomic_unchecked_t fscache_n_relinquishes;
43482+atomic_unchecked_t fscache_n_relinquishes_null;
43483+atomic_unchecked_t fscache_n_relinquishes_waitcrt;
43484+atomic_unchecked_t fscache_n_relinquishes_retire;
43485+
43486+atomic_unchecked_t fscache_n_cookie_index;
43487+atomic_unchecked_t fscache_n_cookie_data;
43488+atomic_unchecked_t fscache_n_cookie_special;
43489+
43490+atomic_unchecked_t fscache_n_object_alloc;
43491+atomic_unchecked_t fscache_n_object_no_alloc;
43492+atomic_unchecked_t fscache_n_object_lookups;
43493+atomic_unchecked_t fscache_n_object_lookups_negative;
43494+atomic_unchecked_t fscache_n_object_lookups_positive;
43495+atomic_unchecked_t fscache_n_object_lookups_timed_out;
43496+atomic_unchecked_t fscache_n_object_created;
43497+atomic_unchecked_t fscache_n_object_avail;
43498+atomic_unchecked_t fscache_n_object_dead;
43499+
43500+atomic_unchecked_t fscache_n_checkaux_none;
43501+atomic_unchecked_t fscache_n_checkaux_okay;
43502+atomic_unchecked_t fscache_n_checkaux_update;
43503+atomic_unchecked_t fscache_n_checkaux_obsolete;
43504
43505 atomic_t fscache_n_cop_alloc_object;
43506 atomic_t fscache_n_cop_lookup_object;
43507@@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
43508 seq_puts(m, "FS-Cache statistics\n");
43509
43510 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
43511- atomic_read(&fscache_n_cookie_index),
43512- atomic_read(&fscache_n_cookie_data),
43513- atomic_read(&fscache_n_cookie_special));
43514+ atomic_read_unchecked(&fscache_n_cookie_index),
43515+ atomic_read_unchecked(&fscache_n_cookie_data),
43516+ atomic_read_unchecked(&fscache_n_cookie_special));
43517
43518 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
43519- atomic_read(&fscache_n_object_alloc),
43520- atomic_read(&fscache_n_object_no_alloc),
43521- atomic_read(&fscache_n_object_avail),
43522- atomic_read(&fscache_n_object_dead));
43523+ atomic_read_unchecked(&fscache_n_object_alloc),
43524+ atomic_read_unchecked(&fscache_n_object_no_alloc),
43525+ atomic_read_unchecked(&fscache_n_object_avail),
43526+ atomic_read_unchecked(&fscache_n_object_dead));
43527 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
43528- atomic_read(&fscache_n_checkaux_none),
43529- atomic_read(&fscache_n_checkaux_okay),
43530- atomic_read(&fscache_n_checkaux_update),
43531- atomic_read(&fscache_n_checkaux_obsolete));
43532+ atomic_read_unchecked(&fscache_n_checkaux_none),
43533+ atomic_read_unchecked(&fscache_n_checkaux_okay),
43534+ atomic_read_unchecked(&fscache_n_checkaux_update),
43535+ atomic_read_unchecked(&fscache_n_checkaux_obsolete));
43536
43537 seq_printf(m, "Pages : mrk=%u unc=%u\n",
43538- atomic_read(&fscache_n_marks),
43539- atomic_read(&fscache_n_uncaches));
43540+ atomic_read_unchecked(&fscache_n_marks),
43541+ atomic_read_unchecked(&fscache_n_uncaches));
43542
43543 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
43544 " oom=%u\n",
43545- atomic_read(&fscache_n_acquires),
43546- atomic_read(&fscache_n_acquires_null),
43547- atomic_read(&fscache_n_acquires_no_cache),
43548- atomic_read(&fscache_n_acquires_ok),
43549- atomic_read(&fscache_n_acquires_nobufs),
43550- atomic_read(&fscache_n_acquires_oom));
43551+ atomic_read_unchecked(&fscache_n_acquires),
43552+ atomic_read_unchecked(&fscache_n_acquires_null),
43553+ atomic_read_unchecked(&fscache_n_acquires_no_cache),
43554+ atomic_read_unchecked(&fscache_n_acquires_ok),
43555+ atomic_read_unchecked(&fscache_n_acquires_nobufs),
43556+ atomic_read_unchecked(&fscache_n_acquires_oom));
43557
43558 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
43559- atomic_read(&fscache_n_object_lookups),
43560- atomic_read(&fscache_n_object_lookups_negative),
43561- atomic_read(&fscache_n_object_lookups_positive),
43562- atomic_read(&fscache_n_object_created),
43563- atomic_read(&fscache_n_object_lookups_timed_out));
43564+ atomic_read_unchecked(&fscache_n_object_lookups),
43565+ atomic_read_unchecked(&fscache_n_object_lookups_negative),
43566+ atomic_read_unchecked(&fscache_n_object_lookups_positive),
43567+ atomic_read_unchecked(&fscache_n_object_created),
43568+ atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
43569
43570 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
43571- atomic_read(&fscache_n_updates),
43572- atomic_read(&fscache_n_updates_null),
43573- atomic_read(&fscache_n_updates_run));
43574+ atomic_read_unchecked(&fscache_n_updates),
43575+ atomic_read_unchecked(&fscache_n_updates_null),
43576+ atomic_read_unchecked(&fscache_n_updates_run));
43577
43578 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
43579- atomic_read(&fscache_n_relinquishes),
43580- atomic_read(&fscache_n_relinquishes_null),
43581- atomic_read(&fscache_n_relinquishes_waitcrt),
43582- atomic_read(&fscache_n_relinquishes_retire));
43583+ atomic_read_unchecked(&fscache_n_relinquishes),
43584+ atomic_read_unchecked(&fscache_n_relinquishes_null),
43585+ atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
43586+ atomic_read_unchecked(&fscache_n_relinquishes_retire));
43587
43588 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
43589- atomic_read(&fscache_n_attr_changed),
43590- atomic_read(&fscache_n_attr_changed_ok),
43591- atomic_read(&fscache_n_attr_changed_nobufs),
43592- atomic_read(&fscache_n_attr_changed_nomem),
43593- atomic_read(&fscache_n_attr_changed_calls));
43594+ atomic_read_unchecked(&fscache_n_attr_changed),
43595+ atomic_read_unchecked(&fscache_n_attr_changed_ok),
43596+ atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
43597+ atomic_read_unchecked(&fscache_n_attr_changed_nomem),
43598+ atomic_read_unchecked(&fscache_n_attr_changed_calls));
43599
43600 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
43601- atomic_read(&fscache_n_allocs),
43602- atomic_read(&fscache_n_allocs_ok),
43603- atomic_read(&fscache_n_allocs_wait),
43604- atomic_read(&fscache_n_allocs_nobufs),
43605- atomic_read(&fscache_n_allocs_intr));
43606+ atomic_read_unchecked(&fscache_n_allocs),
43607+ atomic_read_unchecked(&fscache_n_allocs_ok),
43608+ atomic_read_unchecked(&fscache_n_allocs_wait),
43609+ atomic_read_unchecked(&fscache_n_allocs_nobufs),
43610+ atomic_read_unchecked(&fscache_n_allocs_intr));
43611 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
43612- atomic_read(&fscache_n_alloc_ops),
43613- atomic_read(&fscache_n_alloc_op_waits),
43614- atomic_read(&fscache_n_allocs_object_dead));
43615+ atomic_read_unchecked(&fscache_n_alloc_ops),
43616+ atomic_read_unchecked(&fscache_n_alloc_op_waits),
43617+ atomic_read_unchecked(&fscache_n_allocs_object_dead));
43618
43619 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
43620 " int=%u oom=%u\n",
43621- atomic_read(&fscache_n_retrievals),
43622- atomic_read(&fscache_n_retrievals_ok),
43623- atomic_read(&fscache_n_retrievals_wait),
43624- atomic_read(&fscache_n_retrievals_nodata),
43625- atomic_read(&fscache_n_retrievals_nobufs),
43626- atomic_read(&fscache_n_retrievals_intr),
43627- atomic_read(&fscache_n_retrievals_nomem));
43628+ atomic_read_unchecked(&fscache_n_retrievals),
43629+ atomic_read_unchecked(&fscache_n_retrievals_ok),
43630+ atomic_read_unchecked(&fscache_n_retrievals_wait),
43631+ atomic_read_unchecked(&fscache_n_retrievals_nodata),
43632+ atomic_read_unchecked(&fscache_n_retrievals_nobufs),
43633+ atomic_read_unchecked(&fscache_n_retrievals_intr),
43634+ atomic_read_unchecked(&fscache_n_retrievals_nomem));
43635 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
43636- atomic_read(&fscache_n_retrieval_ops),
43637- atomic_read(&fscache_n_retrieval_op_waits),
43638- atomic_read(&fscache_n_retrievals_object_dead));
43639+ atomic_read_unchecked(&fscache_n_retrieval_ops),
43640+ atomic_read_unchecked(&fscache_n_retrieval_op_waits),
43641+ atomic_read_unchecked(&fscache_n_retrievals_object_dead));
43642
43643 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
43644- atomic_read(&fscache_n_stores),
43645- atomic_read(&fscache_n_stores_ok),
43646- atomic_read(&fscache_n_stores_again),
43647- atomic_read(&fscache_n_stores_nobufs),
43648- atomic_read(&fscache_n_stores_oom));
43649+ atomic_read_unchecked(&fscache_n_stores),
43650+ atomic_read_unchecked(&fscache_n_stores_ok),
43651+ atomic_read_unchecked(&fscache_n_stores_again),
43652+ atomic_read_unchecked(&fscache_n_stores_nobufs),
43653+ atomic_read_unchecked(&fscache_n_stores_oom));
43654 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
43655- atomic_read(&fscache_n_store_ops),
43656- atomic_read(&fscache_n_store_calls),
43657- atomic_read(&fscache_n_store_pages),
43658- atomic_read(&fscache_n_store_radix_deletes),
43659- atomic_read(&fscache_n_store_pages_over_limit));
43660+ atomic_read_unchecked(&fscache_n_store_ops),
43661+ atomic_read_unchecked(&fscache_n_store_calls),
43662+ atomic_read_unchecked(&fscache_n_store_pages),
43663+ atomic_read_unchecked(&fscache_n_store_radix_deletes),
43664+ atomic_read_unchecked(&fscache_n_store_pages_over_limit));
43665
43666 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
43667- atomic_read(&fscache_n_store_vmscan_not_storing),
43668- atomic_read(&fscache_n_store_vmscan_gone),
43669- atomic_read(&fscache_n_store_vmscan_busy),
43670- atomic_read(&fscache_n_store_vmscan_cancelled));
43671+ atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
43672+ atomic_read_unchecked(&fscache_n_store_vmscan_gone),
43673+ atomic_read_unchecked(&fscache_n_store_vmscan_busy),
43674+ atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
43675
43676 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
43677- atomic_read(&fscache_n_op_pend),
43678- atomic_read(&fscache_n_op_run),
43679- atomic_read(&fscache_n_op_enqueue),
43680- atomic_read(&fscache_n_op_cancelled),
43681- atomic_read(&fscache_n_op_rejected));
43682+ atomic_read_unchecked(&fscache_n_op_pend),
43683+ atomic_read_unchecked(&fscache_n_op_run),
43684+ atomic_read_unchecked(&fscache_n_op_enqueue),
43685+ atomic_read_unchecked(&fscache_n_op_cancelled),
43686+ atomic_read_unchecked(&fscache_n_op_rejected));
43687 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
43688- atomic_read(&fscache_n_op_deferred_release),
43689- atomic_read(&fscache_n_op_release),
43690- atomic_read(&fscache_n_op_gc));
43691+ atomic_read_unchecked(&fscache_n_op_deferred_release),
43692+ atomic_read_unchecked(&fscache_n_op_release),
43693+ atomic_read_unchecked(&fscache_n_op_gc));
43694
43695 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
43696 atomic_read(&fscache_n_cop_alloc_object),
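Review bot: Nothing in this hunk records why the FS-Cache event counters are exempted from reference-count overflow checking, which is what the `atomic_read_unchecked()` reads (paired with the `atomic_unchecked_t` declarations above) express. These are monotonically increasing statistics, so wrapping is presumably harmless and is the point of the opt-out; a one-line comment at the top of the declaration block, e.g. `/* plain event counters: may wrap, so kept out of refcount overflow detection */`, would save the next reader from checking each one. fscache_stats_show() continues outside the hunk.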
43697diff -urNp linux-3.1.1/fs/fs_struct.c linux-3.1.1/fs/fs_struct.c
43698--- linux-3.1.1/fs/fs_struct.c 2011-11-11 15:19:27.000000000 -0500
43699+++ linux-3.1.1/fs/fs_struct.c 2011-11-16 18:40:29.000000000 -0500
43700@@ -4,6 +4,7 @@
43701 #include <linux/path.h>
43702 #include <linux/slab.h>
43703 #include <linux/fs_struct.h>
43704+#include <linux/grsecurity.h>
43705 #include "internal.h"
43706
43707 static inline void path_get_longterm(struct path *path)
43708@@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
43709 old_root = fs->root;
43710 fs->root = *path;
43711 path_get_longterm(path);
43712+ gr_set_chroot_entries(current, path);
43713 write_seqcount_end(&fs->seq);
43714 spin_unlock(&fs->lock);
43715 if (old_root.dentry)
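Review bot: `gr_set_chroot_entries(current, path)` is invoked with `fs->lock` held and inside the `write_seqcount_begin/end` section, so it must not sleep and must not take `fs->lock` or the seqcount read side itself, and nothing in the hunk states that constraint. The same hook is called under different locking in chroot_fs_refs(), unshare_fs_struct() and daemonize_fs_struct() below, with a different task argument (`current` vs the iterated `p`), so a short comment at this first call site, e.g. `/* called under fs->lock + seqcount write side: must not sleep or re-take fs->lock */`, would document the contract once. set_fs_root() starts and ends outside the hunk.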
43716@@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
43717 && fs->root.mnt == old_root->mnt) {
43718 path_get_longterm(new_root);
43719 fs->root = *new_root;
43720+ gr_set_chroot_entries(p, new_root);
43721 count++;
43722 }
43723 if (fs->pwd.dentry == old_root->dentry
43724@@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
43725 spin_lock(&fs->lock);
43726 write_seqcount_begin(&fs->seq);
43727 tsk->fs = NULL;
43728- kill = !--fs->users;
43729+ gr_clear_chroot_entries(tsk);
43730+ kill = !atomic_dec_return(&fs->users);
43731 write_seqcount_end(&fs->seq);
43732 spin_unlock(&fs->lock);
43733 task_unlock(tsk);
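Review bot: `fs->users` is now decremented with `atomic_dec_return()` while every access in this file (here and in unshare_fs_struct(), daemonize_fs_struct() and copy_fs_struct()) still sits under `fs->lock`, so the hunk neither says which lockless reader the atomic conversion serves nor shows the `struct fs_struct` change it depends on, which is outside this view. If the atomic type is there only for overflow detection and the spinlock remains the synchronisation, a comment next to the decrement saying so, e.g. `/* users is atomic for overflow detection only; fs->lock still serialises it */`, would keep a future maintainer from dropping the lock on the assumption that the counter alone is safe. exit_fs() starts and ends outside the hunk.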
43734@@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
43735 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
43736 /* We don't need to lock fs - think why ;-) */
43737 if (fs) {
43738- fs->users = 1;
43739+ atomic_set(&fs->users, 1);
43740 fs->in_exec = 0;
43741 spin_lock_init(&fs->lock);
43742 seqcount_init(&fs->seq);
43743@@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
43744 spin_lock(&old->lock);
43745 fs->root = old->root;
43746 path_get_longterm(&fs->root);
43747+ /* instead of calling gr_set_chroot_entries here,
43748+ we call it from every caller of this function
43749+ */
43750 fs->pwd = old->pwd;
43751 path_get_longterm(&fs->pwd);
43752 spin_unlock(&old->lock);
43753@@ -150,8 +157,9 @@ int unshare_fs_struct(void)
43754
43755 task_lock(current);
43756 spin_lock(&fs->lock);
43757- kill = !--fs->users;
43758+ kill = !atomic_dec_return(&fs->users);
43759 current->fs = new_fs;
43760+ gr_set_chroot_entries(current, &new_fs->root);
43761 spin_unlock(&fs->lock);
43762 task_unlock(current);
43763
43764@@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
43765
43766 /* to be mentioned only in INIT_TASK */
43767 struct fs_struct init_fs = {
43768- .users = 1,
43769+ .users = ATOMIC_INIT(1),
43770 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
43771 .seq = SEQCNT_ZERO,
43772 .umask = 0022,
43773@@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
43774 task_lock(current);
43775
43776 spin_lock(&init_fs.lock);
43777- init_fs.users++;
43778+ atomic_inc(&init_fs.users);
43779 spin_unlock(&init_fs.lock);
43780
43781 spin_lock(&fs->lock);
43782 current->fs = &init_fs;
43783- kill = !--fs->users;
43784+ gr_set_chroot_entries(current, &current->fs->root);
43785+ kill = !atomic_dec_return(&fs->users);
43786 spin_unlock(&fs->lock);
43787
43788 task_unlock(current);
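Review bot: `gr_set_chroot_entries(current, &current->fs->root)` is evaluated right after `current->fs = &init_fs`, so the argument is simply `&init_fs.root`; writing it as `gr_set_chroot_entries(current, &init_fs.root);` makes that explicit and avoids re-reading `current->fs` under the old fs's lock. `init_fs.lock` was released a few lines above, so the root path is read without init_fs's own lock; if that is acceptable because init_fs's root is never changed after boot, a comment stating that assumption would help. daemonize_fs_struct() starts and ends outside the hunk.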
43789diff -urNp linux-3.1.1/fs/fuse/cuse.c linux-3.1.1/fs/fuse/cuse.c
43790--- linux-3.1.1/fs/fuse/cuse.c 2011-11-11 15:19:27.000000000 -0500
43791+++ linux-3.1.1/fs/fuse/cuse.c 2011-11-16 18:39:08.000000000 -0500
43792@@ -586,10 +586,12 @@ static int __init cuse_init(void)
43793 INIT_LIST_HEAD(&cuse_conntbl[i]);
43794
43795 /* inherit and extend fuse_dev_operations */
43796- cuse_channel_fops = fuse_dev_operations;
43797- cuse_channel_fops.owner = THIS_MODULE;
43798- cuse_channel_fops.open = cuse_channel_open;
43799- cuse_channel_fops.release = cuse_channel_release;
43800+ pax_open_kernel();
43801+ memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
43802+ *(void **)&cuse_channel_fops.owner = THIS_MODULE;
43803+ *(void **)&cuse_channel_fops.open = cuse_channel_open;
43804+ *(void **)&cuse_channel_fops.release = cuse_channel_release;
43805+ pax_close_kernel();
43806
43807 cuse_class = class_create(THIS_MODULE, "cuse");
43808 if (IS_ERR(cuse_class))
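Review bot: The four writes between `pax_open_kernel()` and `pax_close_kernel()` cast away the constness of `cuse_channel_fops` through `(void *)` and `(void **)`, and the function-pointer stores go through an object-pointer type; that works on the targets Linux supports, but the compiler can no longer check the member types, so a wrong member name or a signature mismatch is silent. Passing `sizeof(cuse_channel_fops)` instead of `sizeof(fuse_dev_operations)` would tie the copy to the destination, and a comment such as `/* fops is read-only under KERNEXEC/constify: patch it through the open-kernel window */` would explain the ceremony to readers unfamiliar with the PaX convention. cuse_init() starts and ends outside the hunk.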
43809diff -urNp linux-3.1.1/fs/fuse/dev.c linux-3.1.1/fs/fuse/dev.c
43810--- linux-3.1.1/fs/fuse/dev.c 2011-11-11 15:19:27.000000000 -0500
43811+++ linux-3.1.1/fs/fuse/dev.c 2011-11-16 18:39:08.000000000 -0500
43812@@ -1242,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(stru
43813 ret = 0;
43814 pipe_lock(pipe);
43815
43816- if (!pipe->readers) {
43817+ if (!atomic_read(&pipe->readers)) {
43818 send_sig(SIGPIPE, current, 0);
43819 if (!ret)
43820 ret = -EPIPE;
43821diff -urNp linux-3.1.1/fs/fuse/dir.c linux-3.1.1/fs/fuse/dir.c
43822--- linux-3.1.1/fs/fuse/dir.c 2011-11-11 15:19:27.000000000 -0500
43823+++ linux-3.1.1/fs/fuse/dir.c 2011-11-16 18:39:08.000000000 -0500
43824@@ -1147,7 +1147,7 @@ static char *read_link(struct dentry *de
43825 return link;
43826 }
43827
43828-static void free_link(char *link)
43829+static void free_link(const char *link)
43830 {
43831 if (!IS_ERR(link))
43832 free_page((unsigned long) link);
43833diff -urNp linux-3.1.1/fs/gfs2/inode.c linux-3.1.1/fs/gfs2/inode.c
43834--- linux-3.1.1/fs/gfs2/inode.c 2011-11-11 15:19:27.000000000 -0500
43835+++ linux-3.1.1/fs/gfs2/inode.c 2011-11-16 18:39:08.000000000 -0500
43836@@ -1517,7 +1517,7 @@ out:
43837
43838 static void gfs2_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43839 {
43840- char *s = nd_get_link(nd);
43841+ const char *s = nd_get_link(nd);
43842 if (!IS_ERR(s))
43843 kfree(s);
43844 }
43845diff -urNp linux-3.1.1/fs/hfs/btree.c linux-3.1.1/fs/hfs/btree.c
43846--- linux-3.1.1/fs/hfs/btree.c 2011-11-11 15:19:27.000000000 -0500
43847+++ linux-3.1.1/fs/hfs/btree.c 2011-11-18 18:48:11.000000000 -0500
43848@@ -46,11 +46,27 @@ struct hfs_btree *hfs_btree_open(struct
43849 case HFS_EXT_CNID:
43850 hfs_inode_read_fork(tree->inode, mdb->drXTExtRec, mdb->drXTFlSize,
43851 mdb->drXTFlSize, be32_to_cpu(mdb->drXTClpSiz));
43852+
43853+ if (HFS_I(tree->inode)->alloc_blocks >
43854+ HFS_I(tree->inode)->first_blocks) {
43855+ printk(KERN_ERR "hfs: invalid btree extent records\n");
43856+ unlock_new_inode(tree->inode);
43857+ goto free_inode;
43858+ }
43859+
43860 tree->inode->i_mapping->a_ops = &hfs_btree_aops;
43861 break;
43862 case HFS_CAT_CNID:
43863 hfs_inode_read_fork(tree->inode, mdb->drCTExtRec, mdb->drCTFlSize,
43864 mdb->drCTFlSize, be32_to_cpu(mdb->drCTClpSiz));
43865+
43866+ if (!HFS_I(tree->inode)->first_blocks) {
43867+ printk(KERN_ERR "hfs: invalid btree extent records "
43868+ "(0 size).\n");
43869+ unlock_new_inode(tree->inode);
43870+ goto free_inode;
43871+ }
43872+
43873 tree->inode->i_mapping->a_ops = &hfs_btree_aops;
43874 break;
43875 default:
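Review bot: After this hunk the extents tree (`HFS_EXT_CNID` case) is no longer rejected when `first_blocks` is zero: the post-switch check that covered both trees is removed in the following hunk, only the `HFS_CAT_CNID` case gets it back, and the extents case gains the `alloc_blocks > first_blocks` test instead. If dropping the zero-size check for the extents tree is deliberate, a comment in that case explaining why would stop someone from "restoring" it; if not, the same `if (!HFS_I(tree->inode)->first_blocks)` block belongs in the `HFS_EXT_CNID` case too. Both new error paths call `unlock_new_inode()` before `goto free_inode`, which matches the inode still being locked inside the switch, and a one-line comment at the first of them would make that visible. hfs_btree_open() starts and ends outside the hunk.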
43876@@ -59,11 +75,6 @@ struct hfs_btree *hfs_btree_open(struct
43877 }
43878 unlock_new_inode(tree->inode);
43879
43880- if (!HFS_I(tree->inode)->first_blocks) {
43881- printk(KERN_ERR "hfs: invalid btree extent records (0 size).\n");
43882- goto free_inode;
43883- }
43884-
43885 mapping = tree->inode->i_mapping;
43886 page = read_mapping_page(mapping, 0, NULL);
43887 if (IS_ERR(page))
43888diff -urNp linux-3.1.1/fs/hfs/trans.c linux-3.1.1/fs/hfs/trans.c
43889--- linux-3.1.1/fs/hfs/trans.c 2011-11-11 15:19:27.000000000 -0500
43890+++ linux-3.1.1/fs/hfs/trans.c 2011-11-18 18:37:38.000000000 -0500
43891@@ -40,6 +40,8 @@ int hfs_mac2asc(struct super_block *sb,
43892
43893 src = in->name;
43894 srclen = in->len;
43895+ if (srclen > HFS_NAMELEN)
43896+ srclen = HFS_NAMELEN;
43897 dst = out;
43898 dstlen = HFS_MAX_NAMELEN;
43899 if (nls_io) {
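Review bot: The clamp `srclen = HFS_NAMELEN` silently truncates instead of reporting a corrupt record, and nothing says where an oversized length can come from; since `in->len` presumably comes from an on-disk name record, a comment such as `/* in->len is untrusted on-disk data: cap it so the copy cannot run past the fixed-size in->name */` would record that this is input validation rather than a cosmetic limit. Truncating is reasonable for a name conversion routine, but the reader should not have to reconstruct that. hfs_mac2asc() starts and ends outside the hunk.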
43900diff -urNp linux-3.1.1/fs/hfsplus/catalog.c linux-3.1.1/fs/hfsplus/catalog.c
43901--- linux-3.1.1/fs/hfsplus/catalog.c 2011-11-11 15:19:27.000000000 -0500
43902+++ linux-3.1.1/fs/hfsplus/catalog.c 2011-11-16 19:23:09.000000000 -0500
43903@@ -179,6 +179,8 @@ int hfsplus_find_cat(struct super_block
43904 int err;
43905 u16 type;
43906
43907+ pax_track_stack();
43908+
43909 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
43910 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
43911 if (err)
43912@@ -210,6 +212,8 @@ int hfsplus_create_cat(u32 cnid, struct
43913 int entry_size;
43914 int err;
43915
43916+ pax_track_stack();
43917+
43918 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n",
43919 str->name, cnid, inode->i_nlink);
43920 err = hfs_find_init(HFSPLUS_SB(sb)->cat_tree, &fd);
43921@@ -353,6 +357,8 @@ int hfsplus_rename_cat(u32 cnid,
43922 int entry_size, type;
43923 int err;
43924
43925+ pax_track_stack();
43926+
43927 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n",
43928 cnid, src_dir->i_ino, src_name->name,
43929 dst_dir->i_ino, dst_name->name);
43930diff -urNp linux-3.1.1/fs/hfsplus/dir.c linux-3.1.1/fs/hfsplus/dir.c
43931--- linux-3.1.1/fs/hfsplus/dir.c 2011-11-11 15:19:27.000000000 -0500
43932+++ linux-3.1.1/fs/hfsplus/dir.c 2011-11-16 18:40:29.000000000 -0500
43933@@ -131,6 +131,8 @@ static int hfsplus_readdir(struct file *
43934 struct hfsplus_readdir_data *rd;
43935 u16 type;
43936
43937+ pax_track_stack();
43938+
43939 if (filp->f_pos >= inode->i_size)
43940 return 0;
43941
43942diff -urNp linux-3.1.1/fs/hfsplus/inode.c linux-3.1.1/fs/hfsplus/inode.c
43943--- linux-3.1.1/fs/hfsplus/inode.c 2011-11-11 15:19:27.000000000 -0500
43944+++ linux-3.1.1/fs/hfsplus/inode.c 2011-11-16 18:40:29.000000000 -0500
43945@@ -501,6 +501,8 @@ int hfsplus_cat_read_inode(struct inode
43946 int res = 0;
43947 u16 type;
43948
43949+ pax_track_stack();
43950+
43951 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
43952
43953 HFSPLUS_I(inode)->linkid = 0;
43954@@ -564,6 +566,8 @@ int hfsplus_cat_write_inode(struct inode
43955 struct hfs_find_data fd;
43956 hfsplus_cat_entry entry;
43957
43958+ pax_track_stack();
43959+
43960 if (HFSPLUS_IS_RSRC(inode))
43961 main_inode = HFSPLUS_I(inode)->rsrc_inode;
43962
43963diff -urNp linux-3.1.1/fs/hfsplus/ioctl.c linux-3.1.1/fs/hfsplus/ioctl.c
43964--- linux-3.1.1/fs/hfsplus/ioctl.c 2011-11-11 15:19:27.000000000 -0500
43965+++ linux-3.1.1/fs/hfsplus/ioctl.c 2011-11-16 18:40:29.000000000 -0500
43966@@ -122,6 +122,8 @@ int hfsplus_setxattr(struct dentry *dent
43967 struct hfsplus_cat_file *file;
43968 int res;
43969
43970+ pax_track_stack();
43971+
43972 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
43973 return -EOPNOTSUPP;
43974
43975@@ -166,6 +168,8 @@ ssize_t hfsplus_getxattr(struct dentry *
43976 struct hfsplus_cat_file *file;
43977 ssize_t res = 0;
43978
43979+ pax_track_stack();
43980+
43981 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
43982 return -EOPNOTSUPP;
43983
43984diff -urNp linux-3.1.1/fs/hfsplus/super.c linux-3.1.1/fs/hfsplus/super.c
43985--- linux-3.1.1/fs/hfsplus/super.c 2011-11-11 15:19:27.000000000 -0500
43986+++ linux-3.1.1/fs/hfsplus/super.c 2011-11-16 19:23:30.000000000 -0500
43987@@ -347,6 +347,8 @@ static int hfsplus_fill_super(struct sup
43988 u64 last_fs_block, last_fs_page;
43989 int err;
43990
43991+ pax_track_stack();
43992+
43993 err = -EINVAL;
43994 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
43995 if (!sbi)
43996diff -urNp linux-3.1.1/fs/hugetlbfs/inode.c linux-3.1.1/fs/hugetlbfs/inode.c
43997--- linux-3.1.1/fs/hugetlbfs/inode.c 2011-11-11 15:19:27.000000000 -0500
43998+++ linux-3.1.1/fs/hugetlbfs/inode.c 2011-11-16 18:40:29.000000000 -0500
43999@@ -915,7 +915,7 @@ static struct file_system_type hugetlbfs
44000 .kill_sb = kill_litter_super,
44001 };
44002
44003-static struct vfsmount *hugetlbfs_vfsmount;
44004+struct vfsmount *hugetlbfs_vfsmount;
44005
44006 static int can_do_hugetlb_shm(void)
44007 {
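Review bot: Dropping `static` from `hugetlbfs_vfsmount` makes a mount pointer visible to every other translation unit, but the hunk carries no `extern` declaration and no comment naming the external user; presumably another part of this patch references it. A declaration in a header next to the other hugetlbfs exports, or at least a comment `/* not static: also used outside this file */`, would keep a future cleanup from making it static again.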
44008diff -urNp linux-3.1.1/fs/inode.c linux-3.1.1/fs/inode.c
44009--- linux-3.1.1/fs/inode.c 2011-11-11 15:19:27.000000000 -0500
44010+++ linux-3.1.1/fs/inode.c 2011-11-16 18:39:08.000000000 -0500
44011@@ -787,8 +787,8 @@ unsigned int get_next_ino(void)
44012
44013 #ifdef CONFIG_SMP
44014 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
44015- static atomic_t shared_last_ino;
44016- int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
44017+ static atomic_unchecked_t shared_last_ino;
44018+ int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
44019
44020 res = next - LAST_INO_BATCH;
44021 }
44022diff -urNp linux-3.1.1/fs/jbd/checkpoint.c linux-3.1.1/fs/jbd/checkpoint.c
44023--- linux-3.1.1/fs/jbd/checkpoint.c 2011-11-11 15:19:27.000000000 -0500
44024+++ linux-3.1.1/fs/jbd/checkpoint.c 2011-11-16 18:40:29.000000000 -0500
44025@@ -358,6 +358,8 @@ int log_do_checkpoint(journal_t *journal
44026 tid_t this_tid;
44027 int result;
44028
44029+ pax_track_stack();
44030+
44031 jbd_debug(1, "Start checkpoint\n");
44032
44033 /*
44034diff -urNp linux-3.1.1/fs/jffs2/compr_rtime.c linux-3.1.1/fs/jffs2/compr_rtime.c
44035--- linux-3.1.1/fs/jffs2/compr_rtime.c 2011-11-11 15:19:27.000000000 -0500
44036+++ linux-3.1.1/fs/jffs2/compr_rtime.c 2011-11-16 18:40:29.000000000 -0500
44037@@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
44038 int outpos = 0;
44039 int pos=0;
44040
44041+ pax_track_stack();
44042+
44043 memset(positions,0,sizeof(positions));
44044
44045 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
44046@@ -78,6 +80,8 @@ static int jffs2_rtime_decompress(unsign
44047 int outpos = 0;
44048 int pos=0;
44049
44050+ pax_track_stack();
44051+
44052 memset(positions,0,sizeof(positions));
44053
44054 while (outpos<destlen) {
44055diff -urNp linux-3.1.1/fs/jffs2/compr_rubin.c linux-3.1.1/fs/jffs2/compr_rubin.c
44056--- linux-3.1.1/fs/jffs2/compr_rubin.c 2011-11-11 15:19:27.000000000 -0500
44057+++ linux-3.1.1/fs/jffs2/compr_rubin.c 2011-11-16 18:40:29.000000000 -0500
44058@@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
44059 int ret;
44060 uint32_t mysrclen, mydstlen;
44061
44062+ pax_track_stack();
44063+
44064 mysrclen = *sourcelen;
44065 mydstlen = *dstlen - 8;
44066
44067diff -urNp linux-3.1.1/fs/jffs2/erase.c linux-3.1.1/fs/jffs2/erase.c
44068--- linux-3.1.1/fs/jffs2/erase.c 2011-11-11 15:19:27.000000000 -0500
44069+++ linux-3.1.1/fs/jffs2/erase.c 2011-11-16 18:39:08.000000000 -0500
44070@@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
44071 struct jffs2_unknown_node marker = {
44072 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
44073 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
44074- .totlen = cpu_to_je32(c->cleanmarker_size)
44075+ .totlen = cpu_to_je32(c->cleanmarker_size),
44076+ .hdr_crc = cpu_to_je32(0)
44077 };
44078
44079 jffs2_prealloc_raw_node_refs(c, jeb, 1);
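Review bot: The explicit `.hdr_crc = cpu_to_je32(0)` does not change the object, since the remaining members of a designated initializer are already zero-initialised, so the hunk changes nothing at runtime and its reason is not stated; the same applies to the `constant_cpu_to_je32(0)` added in fs/jffs2/wbuf.c below. If the motive is a missing-field-initializer warning or a plugin that flags partially initialised on-disk structures, a comment such as `/* explicit zero: keeps initializer-coverage checks quiet on the on-disk node header */` at the first site would justify keeping it. jffs2_mark_erased_block() starts and ends outside the hunk.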
44080diff -urNp linux-3.1.1/fs/jffs2/wbuf.c linux-3.1.1/fs/jffs2/wbuf.c
44081--- linux-3.1.1/fs/jffs2/wbuf.c 2011-11-11 15:19:27.000000000 -0500
44082+++ linux-3.1.1/fs/jffs2/wbuf.c 2011-11-16 18:39:08.000000000 -0500
44083@@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
44084 {
44085 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
44086 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
44087- .totlen = constant_cpu_to_je32(8)
44088+ .totlen = constant_cpu_to_je32(8),
44089+ .hdr_crc = constant_cpu_to_je32(0)
44090 };
44091
44092 /*
44093diff -urNp linux-3.1.1/fs/jffs2/xattr.c linux-3.1.1/fs/jffs2/xattr.c
44094--- linux-3.1.1/fs/jffs2/xattr.c 2011-11-11 15:19:27.000000000 -0500
44095+++ linux-3.1.1/fs/jffs2/xattr.c 2011-11-16 18:40:29.000000000 -0500
44096@@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
44097
44098 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
44099
44100+ pax_track_stack();
44101+
44102 /* Phase.1 : Merge same xref */
44103 for (i=0; i < XREF_TMPHASH_SIZE; i++)
44104 xref_tmphash[i] = NULL;
44105diff -urNp linux-3.1.1/fs/jfs/super.c linux-3.1.1/fs/jfs/super.c
44106--- linux-3.1.1/fs/jfs/super.c 2011-11-11 15:19:27.000000000 -0500
44107+++ linux-3.1.1/fs/jfs/super.c 2011-11-16 18:39:08.000000000 -0500
44108@@ -803,7 +803,7 @@ static int __init init_jfs_fs(void)
44109
44110 jfs_inode_cachep =
44111 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
44112- SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
44113+ SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
44114 init_once);
44115 if (jfs_inode_cachep == NULL)
44116 return -ENOMEM;
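Review bot: Adding `SLAB_USERCOPY` whitelists the whole `jfs_ip` cache for copies to and from user space, yet the hunk does not name the field that needs it; since the flag widens what the usercopy checker accepts for every `struct jfs_inode_info`, the justification should sit next to the flag, e.g. `/* SLAB_USERCOPY: inline data (i_inline) is copied to user space straight from the inode */` if that is indeed the consumer. A field-granular whitelist is not available here, so documenting the consumer is the only way to notice when the whitelist becomes unnecessary. init_jfs_fs() starts and ends outside the hunk.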
44117diff -urNp linux-3.1.1/fs/Kconfig.binfmt linux-3.1.1/fs/Kconfig.binfmt
44118--- linux-3.1.1/fs/Kconfig.binfmt 2011-11-11 15:19:27.000000000 -0500
44119+++ linux-3.1.1/fs/Kconfig.binfmt 2011-11-16 18:39:08.000000000 -0500
44120@@ -86,7 +86,7 @@ config HAVE_AOUT
44121
44122 config BINFMT_AOUT
44123 tristate "Kernel support for a.out and ECOFF binaries"
44124- depends on HAVE_AOUT
44125+ depends on HAVE_AOUT && BROKEN
44126 ---help---
44127 A.out (Assembler.OUTput) is a set of formats for libraries and
44128 executables used in the earliest versions of UNIX. Linux used
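Review bot: `depends on HAVE_AOUT && BROKEN` hides BINFMT_AOUT from every normal configuration, but the help text that follows still describes it as an available format and gives no hint why it is now gated on BROKEN. A sentence in the help text, or a `# gated behind BROKEN by this patch: the a.out loader is not supported here` comment above the `depends` line, would tell someone reading the option why it has disappeared from their configuration.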
44129diff -urNp linux-3.1.1/fs/libfs.c linux-3.1.1/fs/libfs.c
44130--- linux-3.1.1/fs/libfs.c 2011-11-11 15:19:27.000000000 -0500
44131+++ linux-3.1.1/fs/libfs.c 2011-11-16 18:39:08.000000000 -0500
44132@@ -165,6 +165,9 @@ int dcache_readdir(struct file * filp, v
44133
44134 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
44135 struct dentry *next;
44136+ char d_name[sizeof(next->d_iname)];
44137+ const unsigned char *name;
44138+
44139 next = list_entry(p, struct dentry, d_u.d_child);
44140 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
44141 if (!simple_positive(next)) {
44142@@ -174,7 +177,12 @@ int dcache_readdir(struct file * filp, v
44143
44144 spin_unlock(&next->d_lock);
44145 spin_unlock(&dentry->d_lock);
44146- if (filldir(dirent, next->d_name.name,
44147+ name = next->d_name.name;
44148+ if (name == next->d_iname) {
44149+ memcpy(d_name, name, next->d_name.len);
44150+ name = d_name;
44151+ }
44152+ if (filldir(dirent, name,
44153 next->d_name.len, filp->f_pos,
44154 next->d_inode->i_ino,
44155 dt_type(next->d_inode)) < 0)
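Review bot: The staging copy into `d_name` reads `next->d_name.name` and `next->d_name.len` after `spin_unlock(&next->d_lock)`, so the `name == next->d_iname` test and the `memcpy` length come from separate unlocked loads and a concurrent rename could change one before the other. The original code had the same unlocked read but only passed the pointer on, whereas the new code uses the length to bound a write into a fixed-size stack buffer, so the window matters more now. Taking the snapshot (`name = next->d_name.name;` and the `if (name == next->d_iname)` block) before the `spin_unlock(&next->d_lock)` in the lines just above this hunk would make name and length consistent; the purpose of the copy (presumably so the later copy to user space sources from the stack rather than from the dentry slab object) also deserves a comment. dcache_readdir() starts and ends outside the hunk.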
44156diff -urNp linux-3.1.1/fs/lockd/clntproc.c linux-3.1.1/fs/lockd/clntproc.c
44157--- linux-3.1.1/fs/lockd/clntproc.c 2011-11-11 15:19:27.000000000 -0500
44158+++ linux-3.1.1/fs/lockd/clntproc.c 2011-11-16 18:40:29.000000000 -0500
44159@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
44160 /*
44161 * Cookie counter for NLM requests
44162 */
44163-static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
44164+static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
44165
44166 void nlmclnt_next_cookie(struct nlm_cookie *c)
44167 {
44168- u32 cookie = atomic_inc_return(&nlm_cookie);
44169+ u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
44170
44171 memcpy(c->data, &cookie, 4);
44172 c->len=4;
44173@@ -621,6 +621,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
44174 struct nlm_rqst reqst, *req;
44175 int status;
44176
44177+ pax_track_stack();
44178+
44179 req = &reqst;
44180 memset(req, 0, sizeof(*req));
44181 locks_init_lock(&req->a_args.lock.fl);
44182diff -urNp linux-3.1.1/fs/locks.c linux-3.1.1/fs/locks.c
44183--- linux-3.1.1/fs/locks.c 2011-11-11 15:19:27.000000000 -0500
44184+++ linux-3.1.1/fs/locks.c 2011-11-16 18:39:08.000000000 -0500
44185@@ -2022,16 +2022,16 @@ void locks_remove_flock(struct file *fil
44186 return;
44187
44188 if (filp->f_op && filp->f_op->flock) {
44189- struct file_lock fl = {
44190+ struct file_lock flock = {
44191 .fl_pid = current->tgid,
44192 .fl_file = filp,
44193 .fl_flags = FL_FLOCK,
44194 .fl_type = F_UNLCK,
44195 .fl_end = OFFSET_MAX,
44196 };
44197- filp->f_op->flock(filp, F_SETLKW, &fl);
44198- if (fl.fl_ops && fl.fl_ops->fl_release_private)
44199- fl.fl_ops->fl_release_private(&fl);
44200+ filp->f_op->flock(filp, F_SETLKW, &flock);
44201+ if (flock.fl_ops && flock.fl_ops->fl_release_private)
44202+ flock.fl_ops->fl_release_private(&flock);
44203 }
44204
44205 lock_flocks();
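Review bot: The rename `fl` → `flock` is the entire change and nothing says why; the new name is also the same word as the `filp->f_op->flock` callback invoked two lines later, so `filp->f_op->flock(filp, F_SETLKW, &flock);` now reads as an operation and its argument sharing a name. If the rename exists to avoid a clash with a macro or plugin rule on the identifier `fl`, a comment saying so would keep it from being reverted as noise; otherwise a name such as `unlck` describing the F_UNLCK request would read better. locks_remove_flock() starts and ends outside the hunk.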
44206diff -urNp linux-3.1.1/fs/logfs/super.c linux-3.1.1/fs/logfs/super.c
44207--- linux-3.1.1/fs/logfs/super.c 2011-11-11 15:19:27.000000000 -0500
44208+++ linux-3.1.1/fs/logfs/super.c 2011-11-16 18:40:29.000000000 -0500
44209@@ -266,6 +266,8 @@ static int logfs_recover_sb(struct super
44210 struct logfs_disk_super _ds1, *ds1 = &_ds1;
44211 int err, valid0, valid1;
44212
44213+ pax_track_stack();
44214+
44215 /* read first superblock */
44216 err = wbuf_read(sb, super->s_sb_ofs[0], sizeof(*ds0), ds0);
44217 if (err)
44218diff -urNp linux-3.1.1/fs/namei.c linux-3.1.1/fs/namei.c
44219--- linux-3.1.1/fs/namei.c 2011-11-11 15:19:27.000000000 -0500
44220+++ linux-3.1.1/fs/namei.c 2011-11-17 00:36:54.000000000 -0500
44221@@ -283,14 +283,22 @@ int generic_permission(struct inode *ino
44222
44223 if (S_ISDIR(inode->i_mode)) {
44224 /* DACs are overridable for directories */
44225- if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
44226- return 0;
44227 if (!(mask & MAY_WRITE))
44228 if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
44229 return 0;
44230+ if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
44231+ return 0;
44232 return -EACCES;
44233 }
44234 /*
44235+ * Searching includes executable on directories, else just read.
44236+ */
44237+ mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
44238+ if (mask == MAY_READ)
44239+ if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
44240+ return 0;
44241+
44242+ /*
44243 * Read/write DACs are always overridable.
44244 * Executable DACs are overridable when there is
44245 * at least one exec bit set.
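Review bot: The reorder makes `CAP_DAC_READ_SEARCH` be consulted before `CAP_DAC_OVERRIDE` for directories and for read-only access, and moves the `mask &=` normalisation ahead of the read/write override block, but nothing in the hunk records why; the observable effect is which capability `ns_capable()` exercises (and therefore what gets audited) when a caller holds both, not whether access is granted. A comment at the first reordered check, e.g. `/* try the narrower capability first so CAP_DAC_OVERRIDE is not exercised when CAP_DAC_READ_SEARCH suffices */`, would make the intent survive the next merge with upstream, which has the checks in the removed order. The following hunk only removes the old position of the same block, so it needs no separate note; generic_permission() starts and ends outside the hunk.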
44246@@ -299,14 +307,6 @@ int generic_permission(struct inode *ino
44247 if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
44248 return 0;
44249
44250- /*
44251- * Searching includes executable on directories, else just read.
44252- */
44253- mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
44254- if (mask == MAY_READ)
44255- if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
44256- return 0;
44257-
44258 return -EACCES;
44259 }
44260
44261@@ -653,11 +653,19 @@ follow_link(struct path *link, struct na
44262 return error;
44263 }
44264
44265+ if (gr_handle_follow_link(dentry->d_parent->d_inode,
44266+ dentry->d_inode, dentry, nd->path.mnt)) {
44267+ error = -EACCES;
44268+ *p = ERR_PTR(error); /* no ->put_link(), please */
44269+ path_put(&nd->path);
44270+ return error;
44271+ }
44272+
44273 nd->last_type = LAST_BIND;
44274 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
44275 error = PTR_ERR(*p);
44276 if (!IS_ERR(*p)) {
44277- char *s = nd_get_link(nd);
44278+ const char *s = nd_get_link(nd);
44279 error = 0;
44280 if (s)
44281 error = __vfs_follow_link(nd, s);
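Review bot: The new gr_handle_follow_link() call pairs `dentry` (which is link->dentry, assigned above the hunk) with `nd->path.mnt`, yet nd->path at this point is the directory being walked rather than the link itself; elsewhere the function addresses the link through `link`. If those two mounts can differ — for instance when the final step crossed onto a bind mount of the symlink — the vfsmount that belongs to `dentry` is `link->mnt`, so unless the hook only needs the parent's mount it should be `gr_handle_follow_link(dentry->d_parent->d_inode, dentry->d_inode, dentry, link->mnt)`. follow_link's start is outside this hunk.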
44282@@ -1622,6 +1630,12 @@ static int path_lookupat(int dfd, const
44283 if (!err)
44284 err = complete_walk(nd);
44285
44286+ if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44287+ if (!err)
44288+ path_put(&nd->path);
44289+ err = -ENOENT;
44290+ }
44291+
44292 if (!err && nd->flags & LOOKUP_DIRECTORY) {
44293 if (!nd->inode->i_op->lookup) {
44294 path_put(&nd->path);
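Review bot: The hidden-file check runs even when `err` is already non-zero, i.e. after the walk or complete_walk() has failed and, as far as I recall, already released nd->path, so it dereferences a dentry/mount the walk no longer holds and then replaces the original error with -ENOENT; turning a -ECHILD from the RCU walk into -ENOENT would also defeat do_path_lookup's ref-walk retry. Gate it on success and drop the inner `if (!err)`: `if (!err && !(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {` followed by `path_put(&nd->path); err = -ENOENT;`. path_lookupat begins before this hunk.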
44295@@ -1649,6 +1663,9 @@ static int do_path_lookup(int dfd, const
44296 retval = path_lookupat(dfd, name, flags | LOOKUP_REVAL, nd);
44297
44298 if (likely(!retval)) {
44299+ if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
44300+ return -ENOENT;
44301+
44302 if (unlikely(!audit_dummy_context())) {
44303 if (nd->path.dentry && nd->inode)
44304 audit_inode(name, nd->path.dentry);
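Review bot: The early `return -ENOENT` leaks the dentry and mount references that path_lookupat() left in nd->path on success, because the caller sees a failure and will not path_put() them. Release them first: `if (...) { path_put(&nd->path); return -ENOENT; }`. Note also that the fchdir hunk in fs/open.c later in this patch reports the same gr_chroot_fchdir() refusal as -EPERM, so the two paths disagree on the errno for one condition. do_path_lookup continues past this hunk.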
44305@@ -2049,7 +2066,27 @@ static int may_open(struct path *path, i
44306 /*
44307 * Ensure there are no outstanding leases on the file.
44308 */
44309- return break_lease(inode, flag);
44310+ error = break_lease(inode, flag);
44311+
44312+ if (error)
44313+ return error;
44314+
44315+ if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
44316+ error = -EPERM;
44317+ goto exit;
44318+ }
44319+
44320+ if (gr_handle_rawio(inode)) {
44321+ error = -EPERM;
44322+ goto exit;
44323+ }
44324+
44325+ if (!gr_acl_handle_open(dentry, path->mnt, acc_mode)) {
44326+ error = -EACCES;
44327+ goto exit;
44328+ }
44329+exit:
44330+ return error;
44331 }
44332
44333 static int handle_truncate(struct file *filp)
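Review bot: The new tail of may_open() jumps to an `exit:` label that does nothing but `return error;`, so each `error = -EPERM; goto exit;` pair is a roundabout `return -EPERM;`. Returning directly from the three checks (`return -EPERM;`, `return -EPERM;`, `return -EACCES;`) and ending with `return 0;` — break_lease() has already returned 0 by then — keeps the function free of a label with nothing to unwind. may_open starts outside this hunk.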
44334@@ -2110,6 +2147,10 @@ static struct file *do_last(struct namei
44335 error = complete_walk(nd);
44336 if (error)
44337 return ERR_PTR(error);
44338+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44339+ error = -ENOENT;
44340+ goto exit;
44341+ }
44342 audit_inode(pathname, nd->path.dentry);
44343 if (open_flag & O_CREAT) {
44344 error = -EISDIR;
44345@@ -2120,6 +2161,10 @@ static struct file *do_last(struct namei
44346 error = complete_walk(nd);
44347 if (error)
44348 return ERR_PTR(error);
44349+ if (!gr_acl_handle_hidden_file(dir, nd->path.mnt)) {
44350+ error = -ENOENT;
44351+ goto exit;
44352+ }
44353 audit_inode(pathname, dir);
44354 goto ok;
44355 }
44356@@ -2142,6 +2187,11 @@ static struct file *do_last(struct namei
44357 if (error)
44358 return ERR_PTR(-ECHILD);
44359
44360+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
44361+ error = -ENOENT;
44362+ goto exit;
44363+ }
44364+
44365 error = -ENOTDIR;
44366 if (nd->flags & LOOKUP_DIRECTORY) {
44367 if (!nd->inode->i_op->lookup)
44368@@ -2181,6 +2231,12 @@ static struct file *do_last(struct namei
44369 /* Negative dentry, just create the file */
44370 if (!dentry->d_inode) {
44371 int mode = op->mode;
44372+
44373+ if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, path->mnt, open_flag, acc_mode, mode)) {
44374+ error = -EACCES;
44375+ goto exit_mutex_unlock;
44376+ }
44377+
44378 if (!IS_POSIXACL(dir->d_inode))
44379 mode &= ~current_umask();
44380 /*
44381@@ -2204,6 +2260,8 @@ static struct file *do_last(struct namei
44382 error = vfs_create(dir->d_inode, dentry, mode, nd);
44383 if (error)
44384 goto exit_mutex_unlock;
44385+ else
44386+ gr_handle_create(path->dentry, path->mnt);
44387 mutex_unlock(&dir->d_inode->i_mutex);
44388 dput(nd->path.dentry);
44389 nd->path.dentry = dentry;
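Review bot: The `else` in front of gr_handle_create() is dead syntax: the preceding `if (error) goto exit_mutex_unlock;` leaves the function, so the next statement only runs when error is zero anyway. Write it as a plain statement after the goto, `gr_handle_create(path->dentry, path->mnt);`, which also matches how the mknodat/mkdirat/symlinkat hunks in this patch call the same hook after their vfs_* call. do_last continues on both sides of this hunk.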
44390@@ -2213,6 +2271,19 @@ static struct file *do_last(struct namei
44391 /*
44392 * It already exists.
44393 */
44394+
44395+ if (!gr_acl_handle_hidden_file(dentry, nd->path.mnt)) {
44396+ error = -ENOENT;
44397+ goto exit_mutex_unlock;
44398+ }
44399+
44400+ /* only check if O_CREAT is specified, all other checks need to go
44401+ into may_open */
44402+ if (gr_handle_fifo(path->dentry, path->mnt, dir, open_flag, acc_mode)) {
44403+ error = -EACCES;
44404+ goto exit_mutex_unlock;
44405+ }
44406+
44407 mutex_unlock(&dir->d_inode->i_mutex);
44408 audit_inode(pathname, path->dentry);
44409
44410@@ -2425,6 +2496,11 @@ struct dentry *kern_path_create(int dfd,
44411 *path = nd.path;
44412 return dentry;
44413 eexist:
44414+ if (!gr_acl_handle_hidden_file(dentry, nd.path.mnt)) {
44415+ dput(dentry);
44416+ dentry = ERR_PTR(-ENOENT);
44417+ goto fail;
44418+ }
44419 dput(dentry);
44420 dentry = ERR_PTR(-EEXIST);
44421 fail:
44422@@ -2447,6 +2523,20 @@ struct dentry *user_path_create(int dfd,
44423 }
44424 EXPORT_SYMBOL(user_path_create);
44425
44426+static struct dentry *user_path_create_with_name(int dfd, const char __user *pathname, struct path *path, char **to, int is_dir)
44427+{
44428+ char *tmp = getname(pathname);
44429+ struct dentry *res;
44430+ if (IS_ERR(tmp))
44431+ return ERR_CAST(tmp);
44432+ res = kern_path_create(dfd, tmp, path, is_dir);
44433+ if (IS_ERR(res))
44434+ putname(tmp);
44435+ else
44436+ *to = tmp;
44437+ return res;
44438+}
44439+
44440 int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
44441 {
44442 int error = may_create(dir, dentry);
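Review bot: user_path_create_with_name() has no comment stating its ownership contract: `*to` is written only when kern_path_create() succeeds and the caller then owns the getname()'d string (linkat's out_dput path further down this patch does the putname()), while on failure the name is released here and `*to` is left untouched. Add above the function: `/* Like user_path_create(), but on success also hands the getname()'d name back in *to; the caller must putname(*to). *to is not written on error. */`. A second sentence noting that linkat is its only user would warn a future caller about that asymmetry.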
44443@@ -2514,6 +2604,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
44444 error = mnt_want_write(path.mnt);
44445 if (error)
44446 goto out_dput;
44447+
44448+ if (gr_handle_chroot_mknod(dentry, path.mnt, mode)) {
44449+ error = -EPERM;
44450+ goto out_drop_write;
44451+ }
44452+
44453+ if (!gr_acl_handle_mknod(dentry, path.dentry, path.mnt, mode)) {
44454+ error = -EACCES;
44455+ goto out_drop_write;
44456+ }
44457+
44458 error = security_path_mknod(&path, dentry, mode, dev);
44459 if (error)
44460 goto out_drop_write;
44461@@ -2531,6 +2632,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
44462 }
44463 out_drop_write:
44464 mnt_drop_write(path.mnt);
44465+
44466+ if (!error)
44467+ gr_handle_create(dentry, path.mnt);
44468 out_dput:
44469 dput(dentry);
44470 mutex_unlock(&path.dentry->d_inode->i_mutex);
44471@@ -2580,12 +2684,21 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
44472 error = mnt_want_write(path.mnt);
44473 if (error)
44474 goto out_dput;
44475+
44476+ if (!gr_acl_handle_mkdir(dentry, path.dentry, path.mnt)) {
44477+ error = -EACCES;
44478+ goto out_drop_write;
44479+ }
44480+
44481 error = security_path_mkdir(&path, dentry, mode);
44482 if (error)
44483 goto out_drop_write;
44484 error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
44485 out_drop_write:
44486 mnt_drop_write(path.mnt);
44487+
44488+ if (!error)
44489+ gr_handle_create(dentry, path.mnt);
44490 out_dput:
44491 dput(dentry);
44492 mutex_unlock(&path.dentry->d_inode->i_mutex);
44493@@ -2665,6 +2778,8 @@ static long do_rmdir(int dfd, const char
44494 char * name;
44495 struct dentry *dentry;
44496 struct nameidata nd;
44497+ ino_t saved_ino = 0;
44498+ dev_t saved_dev = 0;
44499
44500 error = user_path_parent(dfd, pathname, &nd, &name);
44501 if (error)
44502@@ -2693,6 +2808,15 @@ static long do_rmdir(int dfd, const char
44503 error = -ENOENT;
44504 goto exit3;
44505 }
44506+
44507+ saved_ino = dentry->d_inode->i_ino;
44508+ saved_dev = gr_get_dev_from_dentry(dentry);
44509+
44510+ if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
44511+ error = -EACCES;
44512+ goto exit3;
44513+ }
44514+
44515 error = mnt_want_write(nd.path.mnt);
44516 if (error)
44517 goto exit3;
44518@@ -2700,6 +2824,8 @@ static long do_rmdir(int dfd, const char
44519 if (error)
44520 goto exit4;
44521 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
44522+ if (!error && (saved_dev || saved_ino))
44523+ gr_handle_delete(saved_ino, saved_dev);
44524 exit4:
44525 mnt_drop_write(nd.path.mnt);
44526 exit3:
44527@@ -2762,6 +2888,8 @@ static long do_unlinkat(int dfd, const c
44528 struct dentry *dentry;
44529 struct nameidata nd;
44530 struct inode *inode = NULL;
44531+ ino_t saved_ino = 0;
44532+ dev_t saved_dev = 0;
44533
44534 error = user_path_parent(dfd, pathname, &nd, &name);
44535 if (error)
44536@@ -2784,6 +2912,16 @@ static long do_unlinkat(int dfd, const c
44537 if (!inode)
44538 goto slashes;
44539 ihold(inode);
44540+
44541+ if (inode->i_nlink <= 1) {
44542+ saved_ino = inode->i_ino;
44543+ saved_dev = gr_get_dev_from_dentry(dentry);
44544+ }
44545+ if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
44546+ error = -EACCES;
44547+ goto exit2;
44548+ }
44549+
44550 error = mnt_want_write(nd.path.mnt);
44551 if (error)
44552 goto exit2;
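Review bot: The `inode->i_nlink <= 1` snapshot is taken under the parent's i_mutex only, so a concurrent link() to the same inode from another directory can change i_nlink between this test and vfs_unlink(), leaving saved_ino/saved_dev recorded for an inode that still has links, or not recorded when this unlink really removed the last one. Since `ihold(inode)` keeps the inode alive across vfs_unlink(), the post-unlink value is the reliable one: capture `saved_ino`/`saved_dev` unconditionally here and, in the later hunk, call the hook as `if (!error && inode->i_nlink == 0) gr_handle_delete(saved_ino, saved_dev);` — assuming gr_handle_delete only needs the numbers, which I cannot see from here. do_unlinkat continues outside this hunk.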
44553@@ -2791,6 +2929,8 @@ static long do_unlinkat(int dfd, const c
44554 if (error)
44555 goto exit3;
44556 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
44557+ if (!error && (saved_ino || saved_dev))
44558+ gr_handle_delete(saved_ino, saved_dev);
44559 exit3:
44560 mnt_drop_write(nd.path.mnt);
44561 exit2:
44562@@ -2866,10 +3006,18 @@ SYSCALL_DEFINE3(symlinkat, const char __
44563 error = mnt_want_write(path.mnt);
44564 if (error)
44565 goto out_dput;
44566+
44567+ if (!gr_acl_handle_symlink(dentry, path.dentry, path.mnt, from)) {
44568+ error = -EACCES;
44569+ goto out_drop_write;
44570+ }
44571+
44572 error = security_path_symlink(&path, dentry, from);
44573 if (error)
44574 goto out_drop_write;
44575 error = vfs_symlink(path.dentry->d_inode, dentry, from);
44576+ if (!error)
44577+ gr_handle_create(dentry, path.mnt);
44578 out_drop_write:
44579 mnt_drop_write(path.mnt);
44580 out_dput:
44581@@ -2941,6 +3089,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44582 {
44583 struct dentry *new_dentry;
44584 struct path old_path, new_path;
44585+ char *to;
44586 int how = 0;
44587 int error;
44588
44589@@ -2964,7 +3113,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44590 if (error)
44591 return error;
44592
44593- new_dentry = user_path_create(newdfd, newname, &new_path, 0);
44594+ new_dentry = user_path_create_with_name(newdfd, newname, &new_path, &to, 0);
44595 error = PTR_ERR(new_dentry);
44596 if (IS_ERR(new_dentry))
44597 goto out;
44598@@ -2975,13 +3124,30 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44599 error = mnt_want_write(new_path.mnt);
44600 if (error)
44601 goto out_dput;
44602+
44603+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
44604+ old_path.dentry->d_inode,
44605+ old_path.dentry->d_inode->i_mode, to)) {
44606+ error = -EACCES;
44607+ goto out_drop_write;
44608+ }
44609+
44610+ if (!gr_acl_handle_link(new_dentry, new_path.dentry, new_path.mnt,
44611+ old_path.dentry, old_path.mnt, to)) {
44612+ error = -EACCES;
44613+ goto out_drop_write;
44614+ }
44615+
44616 error = security_path_link(old_path.dentry, &new_path, new_dentry);
44617 if (error)
44618 goto out_drop_write;
44619 error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry);
44620+ if (!error)
44621+ gr_handle_create(new_dentry, new_path.mnt);
44622 out_drop_write:
44623 mnt_drop_write(new_path.mnt);
44624 out_dput:
44625+ putname(to);
44626 dput(new_dentry);
44627 mutex_unlock(&new_path.dentry->d_inode->i_mutex);
44628 path_put(&new_path);
44629@@ -3153,6 +3319,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44630 char *to;
44631 int error;
44632
44633+ pax_track_stack();
44634+
44635 error = user_path_parent(olddfd, oldname, &oldnd, &from);
44636 if (error)
44637 goto exit;
44638@@ -3209,6 +3377,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44639 if (new_dentry == trap)
44640 goto exit5;
44641
44642+ error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
44643+ old_dentry, old_dir->d_inode, oldnd.path.mnt,
44644+ to);
44645+ if (error)
44646+ goto exit5;
44647+
44648 error = mnt_want_write(oldnd.path.mnt);
44649 if (error)
44650 goto exit5;
44651@@ -3218,6 +3392,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44652 goto exit6;
44653 error = vfs_rename(old_dir->d_inode, old_dentry,
44654 new_dir->d_inode, new_dentry);
44655+ if (!error)
44656+ gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
44657+ new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
44658 exit6:
44659 mnt_drop_write(oldnd.path.mnt);
44660 exit5:
44661@@ -3243,6 +3420,8 @@ SYSCALL_DEFINE2(rename, const char __use
44662
44663 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
44664 {
44665+ char tmpbuf[64];
44666+ const char *newlink;
44667 int len;
44668
44669 len = PTR_ERR(link);
44670@@ -3252,7 +3431,14 @@ int vfs_readlink(struct dentry *dentry,
44671 len = strlen(link);
44672 if (len > (unsigned) buflen)
44673 len = buflen;
44674- if (copy_to_user(buffer, link, len))
44675+
44676+ if (len < sizeof(tmpbuf)) {
44677+ memcpy(tmpbuf, link, len);
44678+ newlink = tmpbuf;
44679+ } else
44680+ newlink = link;
44681+
44682+ if (copy_to_user(buffer, newlink, len))
44683 len = -EFAULT;
44684 out:
44685 return len;
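Review bot: The stack bounce buffer has no comment explaining why a target shorter than 64 bytes is first memcpy()'d into `tmpbuf` before copy_to_user(), so it reads as a pointless extra copy. Presumably the point is to hand copy_to_user() a stack object instead of a pointer into whatever filesystem-private allocation `link` lives in (PAX_USERCOPY-style source checking) — confirm and say so: `/* bounce short targets through the stack: link may point into a filesystem-private buffer that copy_to_user() source checks would reject */`. The `len < sizeof(tmpbuf)` test also compares int with size_t; len is non-negative here (it came from strlen() and was only clamped downward), but an explicit `(size_t)len` would make that visible. vfs_readlink's head is outside this hunk.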
44686diff -urNp linux-3.1.1/fs/namespace.c linux-3.1.1/fs/namespace.c
44687--- linux-3.1.1/fs/namespace.c 2011-11-11 15:19:27.000000000 -0500
44688+++ linux-3.1.1/fs/namespace.c 2011-11-16 18:40:29.000000000 -0500
44689@@ -1329,6 +1329,9 @@ static int do_umount(struct vfsmount *mn
44690 if (!(sb->s_flags & MS_RDONLY))
44691 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
44692 up_write(&sb->s_umount);
44693+
44694+ gr_log_remount(mnt->mnt_devname, retval);
44695+
44696 return retval;
44697 }
44698
44699@@ -1348,6 +1351,9 @@ static int do_umount(struct vfsmount *mn
44700 br_write_unlock(vfsmount_lock);
44701 up_write(&namespace_sem);
44702 release_mounts(&umount_list);
44703+
44704+ gr_log_unmount(mnt->mnt_devname, retval);
44705+
44706 return retval;
44707 }
44708
44709@@ -2339,6 +2345,16 @@ long do_mount(char *dev_name, char *dir_
44710 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
44711 MS_STRICTATIME);
44712
44713+ if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
44714+ retval = -EPERM;
44715+ goto dput_out;
44716+ }
44717+
44718+ if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
44719+ retval = -EPERM;
44720+ goto dput_out;
44721+ }
44722+
44723 if (flags & MS_REMOUNT)
44724 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
44725 data_page);
44726@@ -2353,6 +2369,9 @@ long do_mount(char *dev_name, char *dir_
44727 dev_name, data_page);
44728 dput_out:
44729 path_put(&path);
44730+
44731+ gr_log_mount(dev_name, dir_name, retval);
44732+
44733 return retval;
44734 }
44735
44736@@ -2576,6 +2595,11 @@ SYSCALL_DEFINE2(pivot_root, const char _
44737 if (error)
44738 goto out2;
44739
44740+ if (gr_handle_chroot_pivot()) {
44741+ error = -EPERM;
44742+ goto out2;
44743+ }
44744+
44745 get_fs_root(current->fs, &root);
44746 error = lock_mount(&old);
44747 if (error)
44748diff -urNp linux-3.1.1/fs/ncpfs/dir.c linux-3.1.1/fs/ncpfs/dir.c
44749--- linux-3.1.1/fs/ncpfs/dir.c 2011-11-11 15:19:27.000000000 -0500
44750+++ linux-3.1.1/fs/ncpfs/dir.c 2011-11-16 18:40:29.000000000 -0500
44751@@ -299,6 +299,8 @@ ncp_lookup_validate(struct dentry *dentr
44752 int res, val = 0, len;
44753 __u8 __name[NCP_MAXPATHLEN + 1];
44754
44755+ pax_track_stack();
44756+
44757 if (dentry == dentry->d_sb->s_root)
44758 return 1;
44759
44760@@ -844,6 +846,8 @@ static struct dentry *ncp_lookup(struct
44761 int error, res, len;
44762 __u8 __name[NCP_MAXPATHLEN + 1];
44763
44764+ pax_track_stack();
44765+
44766 error = -EIO;
44767 if (!ncp_conn_valid(server))
44768 goto finished;
44769@@ -931,6 +935,8 @@ int ncp_create_new(struct inode *dir, st
44770 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
44771 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
44772
44773+ pax_track_stack();
44774+
44775 ncp_age_dentry(server, dentry);
44776 len = sizeof(__name);
44777 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
44778@@ -992,6 +998,8 @@ static int ncp_mkdir(struct inode *dir,
44779 int error, len;
44780 __u8 __name[NCP_MAXPATHLEN + 1];
44781
44782+ pax_track_stack();
44783+
44784 DPRINTK("ncp_mkdir: making %s/%s\n",
44785 dentry->d_parent->d_name.name, dentry->d_name.name);
44786
44787@@ -1140,6 +1148,8 @@ static int ncp_rename(struct inode *old_
44788 int old_len, new_len;
44789 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
44790
44791+ pax_track_stack();
44792+
44793 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
44794 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
44795 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
44796diff -urNp linux-3.1.1/fs/ncpfs/inode.c linux-3.1.1/fs/ncpfs/inode.c
44797--- linux-3.1.1/fs/ncpfs/inode.c 2011-11-11 15:19:27.000000000 -0500
44798+++ linux-3.1.1/fs/ncpfs/inode.c 2011-11-16 18:40:29.000000000 -0500
44799@@ -461,6 +461,8 @@ static int ncp_fill_super(struct super_b
44800 #endif
44801 struct ncp_entry_info finfo;
44802
44803+ pax_track_stack();
44804+
44805 memset(&data, 0, sizeof(data));
44806 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
44807 if (!server)
44808diff -urNp linux-3.1.1/fs/nfs/blocklayout/blocklayout.c linux-3.1.1/fs/nfs/blocklayout/blocklayout.c
44809--- linux-3.1.1/fs/nfs/blocklayout/blocklayout.c 2011-11-11 15:19:27.000000000 -0500
44810+++ linux-3.1.1/fs/nfs/blocklayout/blocklayout.c 2011-11-16 18:39:08.000000000 -0500
44811@@ -90,7 +90,7 @@ static int is_writable(struct pnfs_block
44812 */
44813 struct parallel_io {
44814 struct kref refcnt;
44815- struct rpc_call_ops call_ops;
44816+ rpc_call_ops_no_const call_ops;
44817 void (*pnfs_callback) (void *data);
44818 void *data;
44819 };
44820diff -urNp linux-3.1.1/fs/nfs/inode.c linux-3.1.1/fs/nfs/inode.c
44821--- linux-3.1.1/fs/nfs/inode.c 2011-11-11 15:19:27.000000000 -0500
44822+++ linux-3.1.1/fs/nfs/inode.c 2011-11-16 18:39:08.000000000 -0500
44823@@ -150,7 +150,7 @@ static void nfs_zap_caches_locked(struct
44824 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
44825 nfsi->attrtimeo_timestamp = jiffies;
44826
44827- memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
44828+ memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
44829 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
44830 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
44831 else
44832@@ -1002,16 +1002,16 @@ static int nfs_size_need_update(const st
44833 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
44834 }
44835
44836-static atomic_long_t nfs_attr_generation_counter;
44837+static atomic_long_unchecked_t nfs_attr_generation_counter;
44838
44839 static unsigned long nfs_read_attr_generation_counter(void)
44840 {
44841- return atomic_long_read(&nfs_attr_generation_counter);
44842+ return atomic_long_read_unchecked(&nfs_attr_generation_counter);
44843 }
44844
44845 unsigned long nfs_inc_attr_generation_counter(void)
44846 {
44847- return atomic_long_inc_return(&nfs_attr_generation_counter);
44848+ return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
44849 }
44850
44851 void nfs_fattr_init(struct nfs_fattr *fattr)
44852diff -urNp linux-3.1.1/fs/nfsd/nfs4state.c linux-3.1.1/fs/nfsd/nfs4state.c
44853--- linux-3.1.1/fs/nfsd/nfs4state.c 2011-11-11 15:19:27.000000000 -0500
44854+++ linux-3.1.1/fs/nfsd/nfs4state.c 2011-11-16 18:40:29.000000000 -0500
44855@@ -3999,6 +3999,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
44856 unsigned int strhashval;
44857 int err;
44858
44859+ pax_track_stack();
44860+
44861 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
44862 (long long) lock->lk_offset,
44863 (long long) lock->lk_length);
44864diff -urNp linux-3.1.1/fs/nfsd/nfs4xdr.c linux-3.1.1/fs/nfsd/nfs4xdr.c
44865--- linux-3.1.1/fs/nfsd/nfs4xdr.c 2011-11-11 15:19:27.000000000 -0500
44866+++ linux-3.1.1/fs/nfsd/nfs4xdr.c 2011-11-16 18:40:29.000000000 -0500
44867@@ -1875,6 +1875,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
44868 .dentry = dentry,
44869 };
44870
44871+ pax_track_stack();
44872+
44873 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
44874 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
44875 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
44876diff -urNp linux-3.1.1/fs/nfsd/vfs.c linux-3.1.1/fs/nfsd/vfs.c
44877--- linux-3.1.1/fs/nfsd/vfs.c 2011-11-11 15:19:27.000000000 -0500
44878+++ linux-3.1.1/fs/nfsd/vfs.c 2011-11-16 18:39:08.000000000 -0500
44879@@ -896,7 +896,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
44880 } else {
44881 oldfs = get_fs();
44882 set_fs(KERNEL_DS);
44883- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
44884+ host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
44885 set_fs(oldfs);
44886 }
44887
44888@@ -1000,7 +1000,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
44889
44890 /* Write the data. */
44891 oldfs = get_fs(); set_fs(KERNEL_DS);
44892- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
44893+ host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &offset);
44894 set_fs(oldfs);
44895 if (host_err < 0)
44896 goto out_nfserr;
44897@@ -1535,7 +1535,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
44898 */
44899
44900 oldfs = get_fs(); set_fs(KERNEL_DS);
44901- host_err = inode->i_op->readlink(dentry, buf, *lenp);
44902+ host_err = inode->i_op->readlink(dentry, (char __force_user *)buf, *lenp);
44903 set_fs(oldfs);
44904
44905 if (host_err < 0)
44906diff -urNp linux-3.1.1/fs/notify/fanotify/fanotify_user.c linux-3.1.1/fs/notify/fanotify/fanotify_user.c
44907--- linux-3.1.1/fs/notify/fanotify/fanotify_user.c 2011-11-11 15:19:27.000000000 -0500
44908+++ linux-3.1.1/fs/notify/fanotify/fanotify_user.c 2011-11-16 18:39:08.000000000 -0500
44909@@ -276,7 +276,8 @@ static ssize_t copy_event_to_user(struct
44910 goto out_close_fd;
44911
44912 ret = -EFAULT;
44913- if (copy_to_user(buf, &fanotify_event_metadata,
44914+ if (fanotify_event_metadata.event_len > sizeof fanotify_event_metadata ||
44915+ copy_to_user(buf, &fanotify_event_metadata,
44916 fanotify_event_metadata.event_len))
44917 goto out_kill_access_response;
44918
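Review bot: The added length guard shares the `ret = -EFAULT` set on the line above it, so if event_len ever exceeds the struct the caller is told its buffer was bad rather than that the kernel produced an inconsistent event. event_len is filled in by the kernel (presumably to FAN_EVENT_METADATA_LEN by fill_event_metadata(), outside this hunk), so a violation is an internal invariant failure and deserves its own code: `if (fanotify_event_metadata.event_len > sizeof fanotify_event_metadata) { ret = -EINVAL; goto out_kill_access_response; }` ahead of the existing EFAULT block, or a WARN_ON_ONCE() so it gets noticed. copy_event_to_user continues on both sides of this hunk.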
44919diff -urNp linux-3.1.1/fs/notify/notification.c linux-3.1.1/fs/notify/notification.c
44920--- linux-3.1.1/fs/notify/notification.c 2011-11-11 15:19:27.000000000 -0500
44921+++ linux-3.1.1/fs/notify/notification.c 2011-11-16 18:39:08.000000000 -0500
44922@@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
44923 * get set to 0 so it will never get 'freed'
44924 */
44925 static struct fsnotify_event *q_overflow_event;
44926-static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
44927+static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
44928
44929 /**
44930 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
44931@@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
44932 */
44933 u32 fsnotify_get_cookie(void)
44934 {
44935- return atomic_inc_return(&fsnotify_sync_cookie);
44936+ return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
44937 }
44938 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
44939
44940diff -urNp linux-3.1.1/fs/ntfs/dir.c linux-3.1.1/fs/ntfs/dir.c
44941--- linux-3.1.1/fs/ntfs/dir.c 2011-11-11 15:19:27.000000000 -0500
44942+++ linux-3.1.1/fs/ntfs/dir.c 2011-11-16 18:39:08.000000000 -0500
44943@@ -1329,7 +1329,7 @@ find_next_index_buffer:
44944 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
44945 ~(s64)(ndir->itype.index.block_size - 1)));
44946 /* Bounds checks. */
44947- if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
44948+ if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
44949 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
44950 "inode 0x%lx or driver bug.", vdir->i_ino);
44951 goto err_out;
44952diff -urNp linux-3.1.1/fs/ntfs/file.c linux-3.1.1/fs/ntfs/file.c
44953--- linux-3.1.1/fs/ntfs/file.c 2011-11-11 15:19:27.000000000 -0500
44954+++ linux-3.1.1/fs/ntfs/file.c 2011-11-16 18:39:08.000000000 -0500
44955@@ -2229,6 +2229,6 @@ const struct inode_operations ntfs_file_
44956 #endif /* NTFS_RW */
44957 };
44958
44959-const struct file_operations ntfs_empty_file_ops = {};
44960+const struct file_operations ntfs_empty_file_ops __read_only;
44961
44962-const struct inode_operations ntfs_empty_inode_ops = {};
44963+const struct inode_operations ntfs_empty_inode_ops __read_only;
44964diff -urNp linux-3.1.1/fs/ocfs2/localalloc.c linux-3.1.1/fs/ocfs2/localalloc.c
44965--- linux-3.1.1/fs/ocfs2/localalloc.c 2011-11-11 15:19:27.000000000 -0500
44966+++ linux-3.1.1/fs/ocfs2/localalloc.c 2011-11-16 18:39:08.000000000 -0500
44967@@ -1283,7 +1283,7 @@ static int ocfs2_local_alloc_slide_windo
44968 goto bail;
44969 }
44970
44971- atomic_inc(&osb->alloc_stats.moves);
44972+ atomic_inc_unchecked(&osb->alloc_stats.moves);
44973
44974 bail:
44975 if (handle)
44976diff -urNp linux-3.1.1/fs/ocfs2/namei.c linux-3.1.1/fs/ocfs2/namei.c
44977--- linux-3.1.1/fs/ocfs2/namei.c 2011-11-11 15:19:27.000000000 -0500
44978+++ linux-3.1.1/fs/ocfs2/namei.c 2011-11-16 18:40:29.000000000 -0500
44979@@ -1063,6 +1063,8 @@ static int ocfs2_rename(struct inode *ol
44980 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
44981 struct ocfs2_dir_lookup_result target_insert = { NULL, };
44982
44983+ pax_track_stack();
44984+
44985 /* At some point it might be nice to break this function up a
44986 * bit. */
44987
44988diff -urNp linux-3.1.1/fs/ocfs2/ocfs2.h linux-3.1.1/fs/ocfs2/ocfs2.h
44989--- linux-3.1.1/fs/ocfs2/ocfs2.h 2011-11-11 15:19:27.000000000 -0500
44990+++ linux-3.1.1/fs/ocfs2/ocfs2.h 2011-11-16 18:39:08.000000000 -0500
44991@@ -235,11 +235,11 @@ enum ocfs2_vol_state
44992
44993 struct ocfs2_alloc_stats
44994 {
44995- atomic_t moves;
44996- atomic_t local_data;
44997- atomic_t bitmap_data;
44998- atomic_t bg_allocs;
44999- atomic_t bg_extends;
45000+ atomic_unchecked_t moves;
45001+ atomic_unchecked_t local_data;
45002+ atomic_unchecked_t bitmap_data;
45003+ atomic_unchecked_t bg_allocs;
45004+ atomic_unchecked_t bg_extends;
45005 };
45006
45007 enum ocfs2_local_alloc_state
45008diff -urNp linux-3.1.1/fs/ocfs2/suballoc.c linux-3.1.1/fs/ocfs2/suballoc.c
45009--- linux-3.1.1/fs/ocfs2/suballoc.c 2011-11-11 15:19:27.000000000 -0500
45010+++ linux-3.1.1/fs/ocfs2/suballoc.c 2011-11-16 18:39:08.000000000 -0500
45011@@ -872,7 +872,7 @@ static int ocfs2_reserve_suballoc_bits(s
45012 mlog_errno(status);
45013 goto bail;
45014 }
45015- atomic_inc(&osb->alloc_stats.bg_extends);
45016+ atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
45017
45018 /* You should never ask for this much metadata */
45019 BUG_ON(bits_wanted >
45020@@ -2008,7 +2008,7 @@ int ocfs2_claim_metadata(handle_t *handl
45021 mlog_errno(status);
45022 goto bail;
45023 }
45024- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45025+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45026
45027 *suballoc_loc = res.sr_bg_blkno;
45028 *suballoc_bit_start = res.sr_bit_offset;
45029@@ -2172,7 +2172,7 @@ int ocfs2_claim_new_inode_at_loc(handle_
45030 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
45031 res->sr_bits);
45032
45033- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45034+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45035
45036 BUG_ON(res->sr_bits != 1);
45037
45038@@ -2214,7 +2214,7 @@ int ocfs2_claim_new_inode(handle_t *hand
45039 mlog_errno(status);
45040 goto bail;
45041 }
45042- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45043+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
45044
45045 BUG_ON(res.sr_bits != 1);
45046
45047@@ -2318,7 +2318,7 @@ int __ocfs2_claim_clusters(handle_t *han
45048 cluster_start,
45049 num_clusters);
45050 if (!status)
45051- atomic_inc(&osb->alloc_stats.local_data);
45052+ atomic_inc_unchecked(&osb->alloc_stats.local_data);
45053 } else {
45054 if (min_clusters > (osb->bitmap_cpg - 1)) {
45055 /* The only paths asking for contiguousness
45056@@ -2344,7 +2344,7 @@ int __ocfs2_claim_clusters(handle_t *han
45057 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
45058 res.sr_bg_blkno,
45059 res.sr_bit_offset);
45060- atomic_inc(&osb->alloc_stats.bitmap_data);
45061+ atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
45062 *num_clusters = res.sr_bits;
45063 }
45064 }
45065diff -urNp linux-3.1.1/fs/ocfs2/super.c linux-3.1.1/fs/ocfs2/super.c
45066--- linux-3.1.1/fs/ocfs2/super.c 2011-11-11 15:19:27.000000000 -0500
45067+++ linux-3.1.1/fs/ocfs2/super.c 2011-11-16 18:39:08.000000000 -0500
45068@@ -300,11 +300,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
45069 "%10s => GlobalAllocs: %d LocalAllocs: %d "
45070 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
45071 "Stats",
45072- atomic_read(&osb->alloc_stats.bitmap_data),
45073- atomic_read(&osb->alloc_stats.local_data),
45074- atomic_read(&osb->alloc_stats.bg_allocs),
45075- atomic_read(&osb->alloc_stats.moves),
45076- atomic_read(&osb->alloc_stats.bg_extends));
45077+ atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
45078+ atomic_read_unchecked(&osb->alloc_stats.local_data),
45079+ atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
45080+ atomic_read_unchecked(&osb->alloc_stats.moves),
45081+ atomic_read_unchecked(&osb->alloc_stats.bg_extends));
45082
45083 out += snprintf(buf + out, len - out,
45084 "%10s => State: %u Descriptor: %llu Size: %u bits "
45085@@ -2112,11 +2112,11 @@ static int ocfs2_initialize_super(struct
45086 spin_lock_init(&osb->osb_xattr_lock);
45087 ocfs2_init_steal_slots(osb);
45088
45089- atomic_set(&osb->alloc_stats.moves, 0);
45090- atomic_set(&osb->alloc_stats.local_data, 0);
45091- atomic_set(&osb->alloc_stats.bitmap_data, 0);
45092- atomic_set(&osb->alloc_stats.bg_allocs, 0);
45093- atomic_set(&osb->alloc_stats.bg_extends, 0);
45094+ atomic_set_unchecked(&osb->alloc_stats.moves, 0);
45095+ atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
45096+ atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
45097+ atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
45098+ atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
45099
45100 /* Copy the blockcheck stats from the superblock probe */
45101 osb->osb_ecc_stats = *stats;
45102diff -urNp linux-3.1.1/fs/ocfs2/symlink.c linux-3.1.1/fs/ocfs2/symlink.c
45103--- linux-3.1.1/fs/ocfs2/symlink.c 2011-11-11 15:19:27.000000000 -0500
45104+++ linux-3.1.1/fs/ocfs2/symlink.c 2011-11-16 18:39:08.000000000 -0500
45105@@ -142,7 +142,7 @@ bail:
45106
45107 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
45108 {
45109- char *link = nd_get_link(nd);
45110+ const char *link = nd_get_link(nd);
45111 if (!IS_ERR(link))
45112 kfree(link);
45113 }
45114diff -urNp linux-3.1.1/fs/open.c linux-3.1.1/fs/open.c
45115--- linux-3.1.1/fs/open.c 2011-11-11 15:19:27.000000000 -0500
45116+++ linux-3.1.1/fs/open.c 2011-11-17 19:07:55.000000000 -0500
45117@@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
45118 error = locks_verify_truncate(inode, NULL, length);
45119 if (!error)
45120 error = security_path_truncate(&path);
45121+
45122+ if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
45123+ error = -EACCES;
45124+
45125 if (!error)
45126 error = do_truncate(path.dentry, length, 0, NULL);
45127
45128@@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
45129 if (__mnt_is_readonly(path.mnt))
45130 res = -EROFS;
45131
45132+ if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
45133+ res = -EACCES;
45134+
45135 out_path_release:
45136 path_put(&path);
45137 out:
45138@@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
45139 if (error)
45140 goto dput_and_out;
45141
45142+ gr_log_chdir(path.dentry, path.mnt);
45143+
45144 set_fs_pwd(current->fs, &path);
45145
45146 dput_and_out:
45147@@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
45148 goto out_putf;
45149
45150 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
45151+
45152+ if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
45153+ error = -EPERM;
45154+
45155+ if (!error)
45156+ gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
45157+
45158 if (!error)
45159 set_fs_pwd(current->fs, &file->f_path);
45160 out_putf:
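Review bot: The two consecutive `if (!error)` blocks can be folded into one, `if (!error) { gr_log_chdir(file->f_path.dentry, file->f_path.mnt); set_fs_pwd(current->fs, &file->f_path); }`, which also makes it obvious that the log line is only emitted for a chdir that actually happens. The `-EPERM` chosen for a `gr_chroot_fchdir()` refusal differs from the `-EACCES` the `gr_acl_*` hooks return elsewhere in this file; if that is deliberate (chroot confinement versus ACL denial) a one-line comment at the check would save the next reader from guessing. The SYSCALL_DEFINE1(fchdir) body starts before the hunk.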
45161@@ -438,7 +454,13 @@ SYSCALL_DEFINE1(chroot, const char __use
45162 if (error)
45163 goto dput_and_out;
45164
45165+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
45166+ goto dput_and_out;
45167+
45168 set_fs_root(current->fs, &path);
45169+
45170+ gr_handle_chroot_chdir(&path);
45171+
45172 error = 0;
45173 dput_and_out:
45174 path_put(&path);
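Review bot: A chroot refused by `gr_handle_chroot_chroot()` is reported to userspace as success: the new check jumps to `dput_and_out` directly after `if (error) goto dput_and_out;`, so `error` is still 0 there and the syscall returns 0 without `set_fs_root()` having run. Set an explicit status on the line before the check, `error = -EPERM;`, so a denied chroot fails visibly like the capability check above it does. If the hook is expected to report the refusal through some other channel, that should be stated in a comment here, because nothing in the hunk shows it. The enclosing SYSCALL_DEFINE1(chroot) starts outside the hunk.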
45175@@ -456,6 +478,16 @@ static int chmod_common(struct path *pat
45176 if (error)
45177 return error;
45178 mutex_lock(&inode->i_mutex);
45179+
45180+ if (!gr_acl_handle_fchmod(path->dentry, path->mnt, mode)) {
45181+ error = -EACCES;
45182+ goto out_unlock;
45183+ }
45184+ if (gr_handle_chroot_chmod(path->dentry, path->mnt, mode)) {
45185+ error = -EACCES;
45186+ goto out_unlock;
45187+ }
45188+
45189 error = security_path_chmod(path->dentry, path->mnt, mode);
45190 if (error)
45191 goto out_unlock;
45192@@ -506,6 +538,9 @@ static int chown_common(struct path *pat
45193 int error;
45194 struct iattr newattrs;
45195
45196+ if (!gr_acl_handle_chown(path->dentry, path->mnt))
45197+ return -EACCES;
45198+
45199 newattrs.ia_valid = ATTR_CTIME;
45200 if (user != (uid_t) -1) {
45201 newattrs.ia_valid |= ATTR_UID;
45202diff -urNp linux-3.1.1/fs/partitions/ldm.c linux-3.1.1/fs/partitions/ldm.c
45203--- linux-3.1.1/fs/partitions/ldm.c 2011-11-11 15:19:27.000000000 -0500
45204+++ linux-3.1.1/fs/partitions/ldm.c 2011-11-17 19:08:15.000000000 -0500
45205@@ -1322,7 +1322,7 @@ static bool ldm_frag_add (const u8 *data
45206 goto found;
45207 }
45208
45209- f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
45210+ f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
45211 if (!f) {
45212 ldm_crit ("Out of memory.");
45213 return false;
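Review bot: Swapping the operands of `sizeof (*f) + size*num` changes nothing in standard C, so the reason for the reorder is invisible to the next maintainer; if it exists so that a build-time overflow checker instruments `size*num` before the constant is added, say so on the kmalloc line, e.g. `/* product first: the overflow checker instruments size*num before the header is added */`. Whatever the intent, the product itself is still not bounds-checked here; if `size` and `num` derive from on-disk LDM metadata, an explicit limit before the multiplication would not depend on tooling. ldm_frag_add() starts and ends outside the hunk.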
45214diff -urNp linux-3.1.1/fs/pipe.c linux-3.1.1/fs/pipe.c
45215--- linux-3.1.1/fs/pipe.c 2011-11-11 15:19:27.000000000 -0500
45216+++ linux-3.1.1/fs/pipe.c 2011-11-16 18:40:29.000000000 -0500
45217@@ -420,9 +420,9 @@ redo:
45218 }
45219 if (bufs) /* More to do? */
45220 continue;
45221- if (!pipe->writers)
45222+ if (!atomic_read(&pipe->writers))
45223 break;
45224- if (!pipe->waiting_writers) {
45225+ if (!atomic_read(&pipe->waiting_writers)) {
45226 /* syscall merging: Usually we must not sleep
45227 * if O_NONBLOCK is set, or if we got some data.
45228 * But if a writer sleeps in kernel space, then
45229@@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
45230 mutex_lock(&inode->i_mutex);
45231 pipe = inode->i_pipe;
45232
45233- if (!pipe->readers) {
45234+ if (!atomic_read(&pipe->readers)) {
45235 send_sig(SIGPIPE, current, 0);
45236 ret = -EPIPE;
45237 goto out;
45238@@ -530,7 +530,7 @@ redo1:
45239 for (;;) {
45240 int bufs;
45241
45242- if (!pipe->readers) {
45243+ if (!atomic_read(&pipe->readers)) {
45244 send_sig(SIGPIPE, current, 0);
45245 if (!ret)
45246 ret = -EPIPE;
45247@@ -616,9 +616,9 @@ redo2:
45248 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
45249 do_wakeup = 0;
45250 }
45251- pipe->waiting_writers++;
45252+ atomic_inc(&pipe->waiting_writers);
45253 pipe_wait(pipe);
45254- pipe->waiting_writers--;
45255+ atomic_dec(&pipe->waiting_writers);
45256 }
45257 out:
45258 mutex_unlock(&inode->i_mutex);
45259@@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
45260 mask = 0;
45261 if (filp->f_mode & FMODE_READ) {
45262 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
45263- if (!pipe->writers && filp->f_version != pipe->w_counter)
45264+ if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
45265 mask |= POLLHUP;
45266 }
45267
45268@@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
45269 * Most Unices do not set POLLERR for FIFOs but on Linux they
45270 * behave exactly like pipes for poll().
45271 */
45272- if (!pipe->readers)
45273+ if (!atomic_read(&pipe->readers))
45274 mask |= POLLERR;
45275 }
45276
45277@@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
45278
45279 mutex_lock(&inode->i_mutex);
45280 pipe = inode->i_pipe;
45281- pipe->readers -= decr;
45282- pipe->writers -= decw;
45283+ atomic_sub(decr, &pipe->readers);
45284+ atomic_sub(decw, &pipe->writers);
45285
45286- if (!pipe->readers && !pipe->writers) {
45287+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
45288 free_pipe_info(inode);
45289 } else {
45290 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
45291@@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
45292
45293 if (inode->i_pipe) {
45294 ret = 0;
45295- inode->i_pipe->readers++;
45296+ atomic_inc(&inode->i_pipe->readers);
45297 }
45298
45299 mutex_unlock(&inode->i_mutex);
45300@@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
45301
45302 if (inode->i_pipe) {
45303 ret = 0;
45304- inode->i_pipe->writers++;
45305+ atomic_inc(&inode->i_pipe->writers);
45306 }
45307
45308 mutex_unlock(&inode->i_mutex);
45309@@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
45310 if (inode->i_pipe) {
45311 ret = 0;
45312 if (filp->f_mode & FMODE_READ)
45313- inode->i_pipe->readers++;
45314+ atomic_inc(&inode->i_pipe->readers);
45315 if (filp->f_mode & FMODE_WRITE)
45316- inode->i_pipe->writers++;
45317+ atomic_inc(&inode->i_pipe->writers);
45318 }
45319
45320 mutex_unlock(&inode->i_mutex);
45321@@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
45322 inode->i_pipe = NULL;
45323 }
45324
45325-static struct vfsmount *pipe_mnt __read_mostly;
45326+struct vfsmount *pipe_mnt __read_mostly;
45327
45328 /*
45329 * pipefs_dname() is called from d_path().
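Review bot: Dropping `static` from `pipe_mnt` turns it into a global symbol, but no matching declaration appears in this excerpt of the patch; whichever file now uses it should pick the declaration up from a header, e.g. `extern struct vfsmount *pipe_mnt;` in include/linux/pipe_fs_i.h, rather than a local `extern` in a .c file, so the type is checked in one place. If the only consumer is grsecurity code that already declares it in its own header, a short comment at the definition naming that consumer would explain why the symbol is exported.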
45330@@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
45331 goto fail_iput;
45332 inode->i_pipe = pipe;
45333
45334- pipe->readers = pipe->writers = 1;
45335+ atomic_set(&pipe->readers, 1);
45336+ atomic_set(&pipe->writers, 1);
45337 inode->i_fop = &rdwr_pipefifo_fops;
45338
45339 /*
45340diff -urNp linux-3.1.1/fs/proc/array.c linux-3.1.1/fs/proc/array.c
45341--- linux-3.1.1/fs/proc/array.c 2011-11-11 15:19:27.000000000 -0500
45342+++ linux-3.1.1/fs/proc/array.c 2011-11-17 18:42:02.000000000 -0500
45343@@ -60,6 +60,7 @@
45344 #include <linux/tty.h>
45345 #include <linux/string.h>
45346 #include <linux/mman.h>
45347+#include <linux/grsecurity.h>
45348 #include <linux/proc_fs.h>
45349 #include <linux/ioport.h>
45350 #include <linux/uaccess.h>
45351@@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
45352 seq_putc(m, '\n');
45353 }
45354
45355+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45356+static inline void task_pax(struct seq_file *m, struct task_struct *p)
45357+{
45358+ if (p->mm)
45359+ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
45360+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
45361+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
45362+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
45363+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
45364+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
45365+ else
45366+ seq_printf(m, "PaX:\t-----\n");
45367+}
45368+#endif
45369+
45370 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
45371 struct pid *pid, struct task_struct *task)
45372 {
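Review bot: `task_pax()` dereferences `p->mm` five times with nothing visible holding it: the hunk takes neither `task_lock(p)` nor a reference via `get_task_mm()`, so for a task exiting concurrently `p->mm` can be cleared between the `if (p->mm)` test and the `pax_flags` reads, and the mm may already be freed by the time the flags are read. Taking a reference once and reading the flags through the local pointer closes that window; if the caller guarantees the mm cannot go away here, that guarantee should be stated in a comment instead. proc_pid_status() continues outside the hunk.
```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	/* hold a reference: p->mm can be cleared and freed while we print */
	struct mm_struct *mm = get_task_mm(p);

	if (mm) {
		seq_printf(m, "PaX:\t%c%c%c%c%c\n",
			mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
			mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
			mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
			mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
			mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
		mmput(mm);
	} else
		seq_printf(m, "PaX:\t-----\n");
}
```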
45373@@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
45374 task_cpus_allowed(m, task);
45375 cpuset_task_status_allowed(m, task);
45376 task_context_switch_counts(m, task);
45377+
45378+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45379+ task_pax(m, task);
45380+#endif
45381+
45382+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
45383+ task_grsec_rbac(m, task);
45384+#endif
45385+
45386 return 0;
45387 }
45388
45389+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45390+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
45391+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
45392+ _mm->pax_flags & MF_PAX_SEGMEXEC))
45393+#endif
45394+
45395 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
45396 struct pid *pid, struct task_struct *task, int whole)
45397 {
45398@@ -378,6 +409,8 @@ static int do_task_stat(struct seq_file
45399 char tcomm[sizeof(task->comm)];
45400 unsigned long flags;
45401
45402+ pax_track_stack();
45403+
45404 state = *get_task_state(task);
45405 vsize = eip = esp = 0;
45406 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
45407@@ -449,6 +482,19 @@ static int do_task_stat(struct seq_file
45408 gtime = task->gtime;
45409 }
45410
45411+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45412+ if (PAX_RAND_FLAGS(mm)) {
45413+ eip = 0;
45414+ esp = 0;
45415+ wchan = 0;
45416+ }
45417+#endif
45418+#ifdef CONFIG_GRKERNSEC_HIDESYM
45419+ wchan = 0;
45420+ eip =0;
45421+ esp =0;
45422+#endif
45423+
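Review bot: `eip =0;` and `esp =0;` deviate from the `a = b` spacing used two lines earlier in the MEMMAP block; `eip = 0;` and `esp = 0;` keep checkpatch quiet. With both options enabled the MEMMAP assignments to these three variables are fully shadowed by the unconditional HIDESYM ones, so putting the HIDESYM block first and making the MEMMAP block an `#elif defined(CONFIG_GRKERNSEC_PROC_MEMMAP)` would make that redundancy explicit without changing the result. do_task_stat() starts before the hunk and ends after it.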
45424 /* scale priority and nice values from timeslices to -20..20 */
45425 /* to make it look like a "normal" Unix priority/nice value */
45426 priority = task_prio(task);
45427@@ -489,9 +535,15 @@ static int do_task_stat(struct seq_file
45428 vsize,
45429 mm ? get_mm_rss(mm) : 0,
45430 rsslim,
45431+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45432+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
45433+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
45434+ PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
45435+#else
45436 mm ? (permitted ? mm->start_code : 1) : 0,
45437 mm ? (permitted ? mm->end_code : 1) : 0,
45438 (permitted && mm) ? mm->start_stack : 0,
45439+#endif
45440 esp,
45441 eip,
45442 /* The signal information here is obsolete.
45443@@ -544,3 +596,18 @@ int proc_pid_statm(struct seq_file *m, s
45444
45445 return 0;
45446 }
45447+
45448+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45449+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
45450+{
45451+ u32 curr_ip = 0;
45452+ unsigned long flags;
45453+
45454+ if (lock_task_sighand(task, &flags)) {
45455+ curr_ip = task->signal->curr_ip;
45456+ unlock_task_sighand(task, &flags);
45457+ }
45458+
45459+ return sprintf(buffer, "%pI4\n", &curr_ip);
45460+}
45461+#endif
45462diff -urNp linux-3.1.1/fs/proc/base.c linux-3.1.1/fs/proc/base.c
45463--- linux-3.1.1/fs/proc/base.c 2011-11-11 15:19:27.000000000 -0500
45464+++ linux-3.1.1/fs/proc/base.c 2011-11-17 18:43:19.000000000 -0500
45465@@ -107,6 +107,22 @@ struct pid_entry {
45466 union proc_op op;
45467 };
45468
45469+struct getdents_callback {
45470+ struct linux_dirent __user * current_dir;
45471+ struct linux_dirent __user * previous;
45472+ struct file * file;
45473+ int count;
45474+ int error;
45475+};
45476+
45477+static int gr_fake_filldir(void * __buf, const char *name, int namlen,
45478+ loff_t offset, u64 ino, unsigned int d_type)
45479+{
45480+ struct getdents_callback * buf = (struct getdents_callback *) __buf;
45481+ buf->error = -EINVAL;
45482+ return 0;
45483+}
45484+
45485 #define NOD(NAME, MODE, IOP, FOP, OP) { \
45486 .name = (NAME), \
45487 .len = sizeof(NAME) - 1, \
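Review bot: `gr_fake_filldir()` casts the opaque `__buf` to a private copy of `struct getdents_callback` and writes `buf->error`, which is only correct if this copy is layout-identical to the one in fs/readdir.c and to whatever callback struct the getdents64 and compat paths hand to `proc_pid_readdir()`; nothing in the hunk checks that, and any drift silently corrupts a different field of the real struct. Since the helper's job is to drop an entry, it can do so without touching the buffer at all: `return 0;` alone tells the iterator to keep going, and the struct copy can be deleted. If recording -EINVAL is intentional, please add a comment saying which caller consumes it, because `filldir_t` gives no portable way to know what `__buf` points to.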
45488@@ -209,6 +225,9 @@ static struct mm_struct *__check_mem_per
45489 if (task == current)
45490 return mm;
45491
45492+ if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
45493+ return ERR_PTR(-EPERM);
45494+
45495 /*
45496 * If current is actively ptrace'ing, and would also be
45497 * permitted to freshly attach with ptrace now, permit it.
45498@@ -282,6 +301,9 @@ static int proc_pid_cmdline(struct task_
45499 if (!mm->arg_end)
45500 goto out_mm; /* Shh! No looking before we're done */
45501
45502+ if (gr_acl_handle_procpidmem(task))
45503+ goto out_mm;
45504+
45505 len = mm->arg_end - mm->arg_start;
45506
45507 if (len > PAGE_SIZE)
45508@@ -309,12 +331,28 @@ out:
45509 return res;
45510 }
45511
45512+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45513+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
45514+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
45515+ _mm->pax_flags & MF_PAX_SEGMEXEC))
45516+#endif
45517+
45518 static int proc_pid_auxv(struct task_struct *task, char *buffer)
45519 {
45520 struct mm_struct *mm = mm_for_maps(task);
45521 int res = PTR_ERR(mm);
45522 if (mm && !IS_ERR(mm)) {
45523 unsigned int nwords = 0;
45524+
45525+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45526+ /* allow if we're currently ptracing this task */
45527+ if (PAX_RAND_FLAGS(mm) &&
45528+ (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
45529+ mmput(mm);
45530+ return 0;
45531+ }
45532+#endif
45533+
45534 do {
45535 nwords += 2;
45536 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
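Review bot: `PAX_RAND_FLAGS()` is defined here a second time, verbatim, with an unparenthesized `_mm` argument (the first copy is in fs/proc/array.c in this same patch), so the two can drift and a non-trivial argument would expand wrongly; define it once in fs/proc/internal.h as `#define PAX_RAND_FLAGS(mm) ((mm) != NULL && (mm) != current->mm && ((mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. The ptrace test that follows reads `task->ptrace` and `task->parent` with no lock visible in the hunk; `task->parent` is normally read under `rcu_read_lock()` or tasklist_lock, so either wrap the comparison or state in a comment which lock the caller is assumed to hold. proc_pid_auxv() continues outside the hunk.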
45537@@ -328,7 +366,7 @@ static int proc_pid_auxv(struct task_str
45538 }
45539
45540
45541-#ifdef CONFIG_KALLSYMS
45542+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45543 /*
45544 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
45545 * Returns the resolved symbol. If that fails, simply return the address.
45546@@ -367,7 +405,7 @@ static void unlock_trace(struct task_str
45547 mutex_unlock(&task->signal->cred_guard_mutex);
45548 }
45549
45550-#ifdef CONFIG_STACKTRACE
45551+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45552
45553 #define MAX_STACK_TRACE_DEPTH 64
45554
45555@@ -558,7 +596,7 @@ static int proc_pid_limits(struct task_s
45556 return count;
45557 }
45558
45559-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45560+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45561 static int proc_pid_syscall(struct task_struct *task, char *buffer)
45562 {
45563 long nr;
45564@@ -587,7 +625,7 @@ static int proc_pid_syscall(struct task_
45565 /************************************************************************/
45566
45567 /* permission checks */
45568-static int proc_fd_access_allowed(struct inode *inode)
45569+static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
45570 {
45571 struct task_struct *task;
45572 int allowed = 0;
45573@@ -597,7 +635,10 @@ static int proc_fd_access_allowed(struct
45574 */
45575 task = get_proc_task(inode);
45576 if (task) {
45577- allowed = ptrace_may_access(task, PTRACE_MODE_READ);
45578+ if (log)
45579+ allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
45580+ else
45581+ allowed = ptrace_may_access(task, PTRACE_MODE_READ);
45582 put_task_struct(task);
45583 }
45584 return allowed;
45585@@ -978,6 +1019,9 @@ static ssize_t environ_read(struct file
45586 if (!task)
45587 goto out_no_task;
45588
45589+ if (gr_acl_handle_procpidmem(task))
45590+ goto out;
45591+
45592 ret = -ENOMEM;
45593 page = (char *)__get_free_page(GFP_TEMPORARY);
45594 if (!page)
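Review bot: The new `gr_acl_handle_procpidmem()` denial jumps to `out` without assigning `ret`, so the value returned is whatever `ret` was initialised to at the top of environ_read(), outside the hunk; the surrounding code only sets `ret = -ENOMEM` on the next line, so the refusal will surface as an unrelated errno rather than a permission error. Make it explicit with `ret = -EPERM;` before `goto out;`, matching the `-EPERM` the same hook produces in `__check_mem_permission()` earlier in this patch.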
45595@@ -1613,7 +1657,7 @@ static void *proc_pid_follow_link(struct
45596 path_put(&nd->path);
45597
45598 /* Are we allowed to snoop on the tasks file descriptors? */
45599- if (!proc_fd_access_allowed(inode))
45600+ if (!proc_fd_access_allowed(inode,0))
45601 goto out;
45602
45603 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
45604@@ -1652,8 +1696,18 @@ static int proc_pid_readlink(struct dent
45605 struct path path;
45606
45607 /* Are we allowed to snoop on the tasks file descriptors? */
45608- if (!proc_fd_access_allowed(inode))
45609- goto out;
45610+ /* logging this is needed for learning on chromium to work properly,
45611+ but we don't want to flood the logs from 'ps' which does a readlink
45612+ on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
45613+ CAP_SYS_PTRACE as it's not necessary for its basic functionality
45614+ */
45615+ if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
45616+ if (!proc_fd_access_allowed(inode,0))
45617+ goto out;
45618+ } else {
45619+ if (!proc_fd_access_allowed(inode,1))
45620+ goto out;
45621+ }
45622
45623 error = PROC_I(inode)->op.proc_get_link(inode, &path);
45624 if (error)
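Review bot: The fd-2 exemption compares the dentry name byte by byte (`d_name.name[0] == '2' && d_name.name[1] == '\0'`) although this file already derives the descriptor number from the inode (`int fd = proc_fd(inode);` in proc_fd_info later in the patch); `if (!proc_fd_access_allowed(inode, proc_fd(inode) != 2)) goto out;` expresses the intent in one line and drops the duplicated branch. The comment is helpful but describes a learning-mode heuristic, so it should also say that the exemption only affects logging and never the access decision, which the code shows is still enforced on both branches. proc_pid_readlink() begins before the hunk.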
45625@@ -1718,7 +1772,11 @@ struct inode *proc_pid_make_inode(struct
45626 rcu_read_lock();
45627 cred = __task_cred(task);
45628 inode->i_uid = cred->euid;
45629+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45630+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45631+#else
45632 inode->i_gid = cred->egid;
45633+#endif
45634 rcu_read_unlock();
45635 }
45636 security_task_to_inode(task, inode);
45637@@ -1736,6 +1794,9 @@ int pid_getattr(struct vfsmount *mnt, st
45638 struct inode *inode = dentry->d_inode;
45639 struct task_struct *task;
45640 const struct cred *cred;
45641+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45642+ const struct cred *tmpcred = current_cred();
45643+#endif
45644
45645 generic_fillattr(inode, stat);
45646
45647@@ -1743,13 +1804,41 @@ int pid_getattr(struct vfsmount *mnt, st
45648 stat->uid = 0;
45649 stat->gid = 0;
45650 task = pid_task(proc_pid(inode), PIDTYPE_PID);
45651+
45652+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
45653+ rcu_read_unlock();
45654+ return -ENOENT;
45655+ }
45656+
45657 if (task) {
45658+ cred = __task_cred(task);
45659+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45660+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
45661+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45662+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
45663+#endif
45664+ ) {
45665+#endif
45666 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
45667+#ifdef CONFIG_GRKERNSEC_PROC_USER
45668+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
45669+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45670+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
45671+#endif
45672 task_dumpable(task)) {
45673- cred = __task_cred(task);
45674 stat->uid = cred->euid;
45675+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45676+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
45677+#else
45678 stat->gid = cred->egid;
45679+#endif
45680 }
45681+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45682+ } else {
45683+ rcu_read_unlock();
45684+ return -ENOENT;
45685+ }
45686+#endif
45687 }
45688 rcu_read_unlock();
45689 return 0;
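Review bot: The viewer-may-see-target predicate (`!tmpcred->uid || tmpcred->uid == cred->uid || in_group_p(CONFIG_GRKERNSEC_PROC_GID)`) is spelled out here and again, negated, in proc_pid_readdir() and get_proc_task_net() later in this patch, each inside its own nest of `#if`; a single `static inline bool` helper in fs/proc/internal.h taking the two creds would keep the three sites in step and shrink the preprocessor nesting. Note also that this test uses the real `uid` while `stat->uid` a few lines below is filled from `euid`; if that asymmetry is intended (ownership by real uid, display of effective uid) a comment should say so. pid_getattr() starts before the hunk.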
45690@@ -1786,11 +1875,20 @@ int pid_revalidate(struct dentry *dentry
45691
45692 if (task) {
45693 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
45694+#ifdef CONFIG_GRKERNSEC_PROC_USER
45695+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
45696+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45697+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
45698+#endif
45699 task_dumpable(task)) {
45700 rcu_read_lock();
45701 cred = __task_cred(task);
45702 inode->i_uid = cred->euid;
45703+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45704+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45705+#else
45706 inode->i_gid = cred->egid;
45707+#endif
45708 rcu_read_unlock();
45709 } else {
45710 inode->i_uid = 0;
45711@@ -1908,7 +2006,8 @@ static int proc_fd_info(struct inode *in
45712 int fd = proc_fd(inode);
45713
45714 if (task) {
45715- files = get_files_struct(task);
45716+ if (!gr_acl_handle_procpidmem(task))
45717+ files = get_files_struct(task);
45718 put_task_struct(task);
45719 }
45720 if (files) {
45721@@ -2176,11 +2275,21 @@ static const struct file_operations proc
45722 */
45723 static int proc_fd_permission(struct inode *inode, int mask)
45724 {
45725+ struct task_struct *task;
45726 int rv = generic_permission(inode, mask);
45727- if (rv == 0)
45728- return 0;
45729+
45730 if (task_pid(current) == proc_pid(inode))
45731 rv = 0;
45732+
45733+ task = get_proc_task(inode);
45734+ if (task == NULL)
45735+ return rv;
45736+
45737+ if (gr_acl_handle_procpidmem(task))
45738+ rv = -EACCES;
45739+
45740+ put_task_struct(task);
45741+
45742 return rv;
45743 }
45744
45745@@ -2290,6 +2399,9 @@ static struct dentry *proc_pident_lookup
45746 if (!task)
45747 goto out_no_task;
45748
45749+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45750+ goto out;
45751+
45752 /*
45753 * Yes, it does not scale. And it should not. Don't add
45754 * new entries into /proc/<tgid>/ without very good reasons.
45755@@ -2334,6 +2446,9 @@ static int proc_pident_readdir(struct fi
45756 if (!task)
45757 goto out_no_task;
45758
45759+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45760+ goto out;
45761+
45762 ret = 0;
45763 i = filp->f_pos;
45764 switch (i) {
45765@@ -2604,7 +2719,7 @@ static void *proc_self_follow_link(struc
45766 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
45767 void *cookie)
45768 {
45769- char *s = nd_get_link(nd);
45770+ const char *s = nd_get_link(nd);
45771 if (!IS_ERR(s))
45772 __putname(s);
45773 }
45774@@ -2802,7 +2917,7 @@ static const struct pid_entry tgid_base_
45775 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
45776 #endif
45777 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
45778-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45779+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45780 INF("syscall", S_IRUGO, proc_pid_syscall),
45781 #endif
45782 INF("cmdline", S_IRUGO, proc_pid_cmdline),
45783@@ -2827,10 +2942,10 @@ static const struct pid_entry tgid_base_
45784 #ifdef CONFIG_SECURITY
45785 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
45786 #endif
45787-#ifdef CONFIG_KALLSYMS
45788+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45789 INF("wchan", S_IRUGO, proc_pid_wchan),
45790 #endif
45791-#ifdef CONFIG_STACKTRACE
45792+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45793 ONE("stack", S_IRUGO, proc_pid_stack),
45794 #endif
45795 #ifdef CONFIG_SCHEDSTATS
45796@@ -2864,6 +2979,9 @@ static const struct pid_entry tgid_base_
45797 #ifdef CONFIG_HARDWALL
45798 INF("hardwall", S_IRUGO, proc_pid_hardwall),
45799 #endif
45800+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45801+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
45802+#endif
45803 };
45804
45805 static int proc_tgid_base_readdir(struct file * filp,
45806@@ -2989,7 +3107,14 @@ static struct dentry *proc_pid_instantia
45807 if (!inode)
45808 goto out;
45809
45810+#ifdef CONFIG_GRKERNSEC_PROC_USER
45811+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
45812+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45813+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45814+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
45815+#else
45816 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
45817+#endif
45818 inode->i_op = &proc_tgid_base_inode_operations;
45819 inode->i_fop = &proc_tgid_base_operations;
45820 inode->i_flags|=S_IMMUTABLE;
45821@@ -3031,7 +3156,14 @@ struct dentry *proc_pid_lookup(struct in
45822 if (!task)
45823 goto out;
45824
45825+ if (!has_group_leader_pid(task))
45826+ goto out_put_task;
45827+
45828+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45829+ goto out_put_task;
45830+
45831 result = proc_pid_instantiate(dir, dentry, task, NULL);
45832+out_put_task:
45833 put_task_struct(task);
45834 out:
45835 return result;
45836@@ -3096,6 +3228,11 @@ int proc_pid_readdir(struct file * filp,
45837 {
45838 unsigned int nr;
45839 struct task_struct *reaper;
45840+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45841+ const struct cred *tmpcred = current_cred();
45842+ const struct cred *itercred;
45843+#endif
45844+ filldir_t __filldir = filldir;
45845 struct tgid_iter iter;
45846 struct pid_namespace *ns;
45847
45848@@ -3119,8 +3256,27 @@ int proc_pid_readdir(struct file * filp,
45849 for (iter = next_tgid(ns, iter);
45850 iter.task;
45851 iter.tgid += 1, iter = next_tgid(ns, iter)) {
45852+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45853+ rcu_read_lock();
45854+ itercred = __task_cred(iter.task);
45855+#endif
45856+ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
45857+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45858+ || (tmpcred->uid && (itercred->uid != tmpcred->uid)
45859+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45860+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
45861+#endif
45862+ )
45863+#endif
45864+ )
45865+ __filldir = &gr_fake_filldir;
45866+ else
45867+ __filldir = filldir;
45868+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45869+ rcu_read_unlock();
45870+#endif
45871 filp->f_pos = iter.tgid + TGID_OFFSET;
45872- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
45873+ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
45874 put_task_struct(iter.task);
45875 goto out;
45876 }
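Review bot: Hidden tasks are filtered by swapping in `gr_fake_filldir`, which means `proc_pid_fill_cache()` still instantiates the dentry and inode for every task the caller may not see, only to discard the entry; a `continue;` placed after the `filp->f_pos = ...` assignment skips that work and removes the need to know the layout of the getdents callback struct. From the loop's shape the increment's `next_tgid()` call appears to drop the previous task reference, so `continue` should not leak it, but that is outside the hunk and worth confirming. proc_pid_readdir() continues outside the hunk.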
45877@@ -3148,7 +3304,7 @@ static const struct pid_entry tid_base_s
45878 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
45879 #endif
45880 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
45881-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45882+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45883 INF("syscall", S_IRUGO, proc_pid_syscall),
45884 #endif
45885 INF("cmdline", S_IRUGO, proc_pid_cmdline),
45886@@ -3172,10 +3328,10 @@ static const struct pid_entry tid_base_s
45887 #ifdef CONFIG_SECURITY
45888 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
45889 #endif
45890-#ifdef CONFIG_KALLSYMS
45891+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45892 INF("wchan", S_IRUGO, proc_pid_wchan),
45893 #endif
45894-#ifdef CONFIG_STACKTRACE
45895+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45896 ONE("stack", S_IRUGO, proc_pid_stack),
45897 #endif
45898 #ifdef CONFIG_SCHEDSTATS
45899diff -urNp linux-3.1.1/fs/proc/cmdline.c linux-3.1.1/fs/proc/cmdline.c
45900--- linux-3.1.1/fs/proc/cmdline.c 2011-11-11 15:19:27.000000000 -0500
45901+++ linux-3.1.1/fs/proc/cmdline.c 2011-11-16 18:40:29.000000000 -0500
45902@@ -23,7 +23,11 @@ static const struct file_operations cmdl
45903
45904 static int __init proc_cmdline_init(void)
45905 {
45906+#ifdef CONFIG_GRKERNSEC_PROC_ADD
45907+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
45908+#else
45909 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
45910+#endif
45911 return 0;
45912 }
45913 module_init(proc_cmdline_init);
45914diff -urNp linux-3.1.1/fs/proc/devices.c linux-3.1.1/fs/proc/devices.c
45915--- linux-3.1.1/fs/proc/devices.c 2011-11-11 15:19:27.000000000 -0500
45916+++ linux-3.1.1/fs/proc/devices.c 2011-11-16 18:40:29.000000000 -0500
45917@@ -64,7 +64,11 @@ static const struct file_operations proc
45918
45919 static int __init proc_devices_init(void)
45920 {
45921+#ifdef CONFIG_GRKERNSEC_PROC_ADD
45922+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
45923+#else
45924 proc_create("devices", 0, NULL, &proc_devinfo_operations);
45925+#endif
45926 return 0;
45927 }
45928 module_init(proc_devices_init);
45929diff -urNp linux-3.1.1/fs/proc/inode.c linux-3.1.1/fs/proc/inode.c
45930--- linux-3.1.1/fs/proc/inode.c 2011-11-11 15:19:27.000000000 -0500
45931+++ linux-3.1.1/fs/proc/inode.c 2011-11-16 18:40:29.000000000 -0500
45932@@ -18,12 +18,18 @@
45933 #include <linux/module.h>
45934 #include <linux/sysctl.h>
45935 #include <linux/slab.h>
45936+#include <linux/grsecurity.h>
45937
45938 #include <asm/system.h>
45939 #include <asm/uaccess.h>
45940
45941 #include "internal.h"
45942
45943+#ifdef CONFIG_PROC_SYSCTL
45944+extern const struct inode_operations proc_sys_inode_operations;
45945+extern const struct inode_operations proc_sys_dir_operations;
45946+#endif
45947+
45948 static void proc_evict_inode(struct inode *inode)
45949 {
45950 struct proc_dir_entry *de;
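Review bot: The two `extern const struct inode_operations proc_sys_*` declarations are added to a .c file, while this same patch already edits fs/proc/internal.h; declaring them there, where the definitions in proc_sys.c can be checked against them, avoids a second unverified prototype living in inode.c. The `#ifdef CONFIG_PROC_SYSCTL` guard would move along with them.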
45951@@ -49,6 +55,13 @@ static void proc_evict_inode(struct inod
45952 ns_ops = PROC_I(inode)->ns_ops;
45953 if (ns_ops && ns_ops->put)
45954 ns_ops->put(PROC_I(inode)->ns);
45955+
45956+#ifdef CONFIG_PROC_SYSCTL
45957+ if (inode->i_op == &proc_sys_inode_operations ||
45958+ inode->i_op == &proc_sys_dir_operations)
45959+ gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
45960+#endif
45961+
45962 }
45963
45964 static struct kmem_cache * proc_inode_cachep;
45965@@ -440,7 +453,11 @@ struct inode *proc_get_inode(struct supe
45966 if (de->mode) {
45967 inode->i_mode = de->mode;
45968 inode->i_uid = de->uid;
45969+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45970+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45971+#else
45972 inode->i_gid = de->gid;
45973+#endif
45974 }
45975 if (de->size)
45976 inode->i_size = de->size;
45977diff -urNp linux-3.1.1/fs/proc/internal.h linux-3.1.1/fs/proc/internal.h
45978--- linux-3.1.1/fs/proc/internal.h 2011-11-11 15:19:27.000000000 -0500
45979+++ linux-3.1.1/fs/proc/internal.h 2011-11-16 18:40:29.000000000 -0500
45980@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
45981 struct pid *pid, struct task_struct *task);
45982 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
45983 struct pid *pid, struct task_struct *task);
45984+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45985+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
45986+#endif
45987 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
45988
45989 extern const struct file_operations proc_maps_operations;
45990diff -urNp linux-3.1.1/fs/proc/Kconfig linux-3.1.1/fs/proc/Kconfig
45991--- linux-3.1.1/fs/proc/Kconfig 2011-11-11 15:19:27.000000000 -0500
45992+++ linux-3.1.1/fs/proc/Kconfig 2011-11-16 18:40:29.000000000 -0500
45993@@ -30,12 +30,12 @@ config PROC_FS
45994
45995 config PROC_KCORE
45996 bool "/proc/kcore support" if !ARM
45997- depends on PROC_FS && MMU
45998+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
45999
46000 config PROC_VMCORE
46001 bool "/proc/vmcore support"
46002- depends on PROC_FS && CRASH_DUMP
46003- default y
46004+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
46005+ default n
46006 help
46007 Exports the dump image of crashed kernel in ELF format.
46008
46009@@ -59,8 +59,8 @@ config PROC_SYSCTL
46010 limited in memory.
46011
46012 config PROC_PAGE_MONITOR
46013- default y
46014- depends on PROC_FS && MMU
46015+ default n
46016+ depends on PROC_FS && MMU && !GRKERNSEC
46017 bool "Enable /proc page monitoring" if EXPERT
46018 help
46019 Various /proc files exist to monitor process memory utilization:
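Review bot: Changing `default y` to `default n` for PROC_VMCORE and PROC_PAGE_MONITOR alters the default for kernels built without grsecurity too, since the new `!GRKERNSEC` dependency already removes both options when GRKERNSEC is set; if the intent is only to drop them under grsecurity, the `depends on` lines are sufficient and the defaults can stay as they were. If the new default is meant for every configuration, that is a behaviour change for existing configs and deserves a line in the help text. PROC_KCORE gets only a dependency and no default change, so the three options are treated inconsistently.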
46020diff -urNp linux-3.1.1/fs/proc/kcore.c linux-3.1.1/fs/proc/kcore.c
46021--- linux-3.1.1/fs/proc/kcore.c 2011-11-11 15:19:27.000000000 -0500
46022+++ linux-3.1.1/fs/proc/kcore.c 2011-11-16 18:40:29.000000000 -0500
46023@@ -321,6 +321,8 @@ static void elf_kcore_store_hdr(char *bu
46024 off_t offset = 0;
46025 struct kcore_list *m;
46026
46027+ pax_track_stack();
46028+
46029 /* setup ELF header */
46030 elf = (struct elfhdr *) bufp;
46031 bufp += sizeof(struct elfhdr);
46032@@ -478,9 +480,10 @@ read_kcore(struct file *file, char __use
46033 * the addresses in the elf_phdr on our list.
46034 */
46035 start = kc_offset_to_vaddr(*fpos - elf_buflen);
46036- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
46037+ tsz = PAGE_SIZE - (start & ~PAGE_MASK);
46038+ if (tsz > buflen)
46039 tsz = buflen;
46040-
46041+
46042 while (buflen) {
46043 struct kcore_list *m;
46044
46045@@ -509,20 +512,23 @@ read_kcore(struct file *file, char __use
46046 kfree(elf_buf);
46047 } else {
46048 if (kern_addr_valid(start)) {
46049- unsigned long n;
46050+ char *elf_buf;
46051+ mm_segment_t oldfs;
46052
46053- n = copy_to_user(buffer, (char *)start, tsz);
46054- /*
46055- * We cannot distingush between fault on source
46056- * and fault on destination. When this happens
46057- * we clear too and hope it will trigger the
46058- * EFAULT again.
46059- */
46060- if (n) {
46061- if (clear_user(buffer + tsz - n,
46062- n))
46063+ elf_buf = kmalloc(tsz, GFP_KERNEL);
46064+ if (!elf_buf)
46065+ return -ENOMEM;
46066+ oldfs = get_fs();
46067+ set_fs(KERNEL_DS);
46068+ if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
46069+ set_fs(oldfs);
46070+ if (copy_to_user(buffer, elf_buf, tsz)) {
46071+ kfree(elf_buf);
46072 return -EFAULT;
46073+ }
46074 }
46075+ set_fs(oldfs);
46076+ kfree(elf_buf);
46077 } else {
46078 if (clear_user(buffer, tsz))
46079 return -EFAULT;
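Review bot: When `__copy_from_user()` fails on the kernel source address, the new code copies nothing to the user buffer and neither clears it nor returns an error, so the caller gets `tsz` bytes of whatever its buffer already held and no indication that the range was unreadable; the removed code at least cleared the tail and returned -EFAULT. A `clear_user()` on the failure path restores that, and `probe_kernel_read()` already wraps the `set_fs(KERNEL_DS)`/`__copy_from_user()` sequence with page faults disabled, which removes the hand-rolled `oldfs` handling. The per-chunk `kmalloc(tsz)` inside the loop could also be hoisted since `tsz` never exceeds PAGE_SIZE; read_kcore() starts before the hunk.
```c
		if (kern_addr_valid(start)) {
			char *elf_buf = kmalloc(tsz, GFP_KERNEL);

			if (!elf_buf)
				return -ENOMEM;
			/* probe_kernel_read() switches to KERNEL_DS and tolerates a fault on the source */
			if (probe_kernel_read(elf_buf, (void *)start, tsz) == 0) {
				if (copy_to_user(buffer, elf_buf, tsz)) {
					kfree(elf_buf);
					return -EFAULT;
				}
			} else if (clear_user(buffer, tsz)) {
				/* unreadable range: hand back zeros, like the invalid-address branch below */
				kfree(elf_buf);
				return -EFAULT;
			}
			kfree(elf_buf);
		/* … unchanged: else branch clearing the user buffer for invalid kernel addresses … */
```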
46080@@ -542,6 +548,9 @@ read_kcore(struct file *file, char __use
46081
46082 static int open_kcore(struct inode *inode, struct file *filp)
46083 {
46084+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
46085+ return -EPERM;
46086+#endif
46087 if (!capable(CAP_SYS_RAWIO))
46088 return -EPERM;
46089 if (kcore_need_update)
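Review bot: The unconditional `return -EPERM;` under CONFIG_GRKERNSEC_PROC_ADD or CONFIG_GRKERNSEC_HIDESYM leaves the `capable(CAP_SYS_RAWIO)` test and the `kcore_need_update` refresh below it as dead code with no `#else`, so the function keeps two paths of which only one can ever run for a given config. Wrapping the remainder in `#else … #endif`, or not registering /proc/kcore at all in proc_kcore_init when these options are set (outside this hunk, so I cannot tell whether that is already done), would make the intent explicit and avoid a file that exists but can never be opened. open_kcore's body continues past the hunk.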
46090diff -urNp linux-3.1.1/fs/proc/meminfo.c linux-3.1.1/fs/proc/meminfo.c
46091--- linux-3.1.1/fs/proc/meminfo.c 2011-11-11 15:19:27.000000000 -0500
46092+++ linux-3.1.1/fs/proc/meminfo.c 2011-11-16 18:40:29.000000000 -0500
46093@@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
46094 unsigned long pages[NR_LRU_LISTS];
46095 int lru;
46096
46097+ pax_track_stack();
46098+
46099 /*
46100 * display in kilobytes.
46101 */
46102@@ -157,7 +159,7 @@ static int meminfo_proc_show(struct seq_
46103 vmi.used >> 10,
46104 vmi.largest_chunk >> 10
46105 #ifdef CONFIG_MEMORY_FAILURE
46106- ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
46107+ ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
46108 #endif
46109 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
46110 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
46111diff -urNp linux-3.1.1/fs/proc/nommu.c linux-3.1.1/fs/proc/nommu.c
46112--- linux-3.1.1/fs/proc/nommu.c 2011-11-11 15:19:27.000000000 -0500
46113+++ linux-3.1.1/fs/proc/nommu.c 2011-11-16 18:39:08.000000000 -0500
46114@@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
46115 if (len < 1)
46116 len = 1;
46117 seq_printf(m, "%*c", len, ' ');
46118- seq_path(m, &file->f_path, "");
46119+ seq_path(m, &file->f_path, "\n\\");
46120 }
46121
46122 seq_putc(m, '\n');
46123diff -urNp linux-3.1.1/fs/proc/proc_net.c linux-3.1.1/fs/proc/proc_net.c
46124--- linux-3.1.1/fs/proc/proc_net.c 2011-11-11 15:19:27.000000000 -0500
46125+++ linux-3.1.1/fs/proc/proc_net.c 2011-11-16 18:40:29.000000000 -0500
46126@@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
46127 struct task_struct *task;
46128 struct nsproxy *ns;
46129 struct net *net = NULL;
46130+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46131+ const struct cred *cred = current_cred();
46132+#endif
46133+
46134+#ifdef CONFIG_GRKERNSEC_PROC_USER
46135+ if (cred->fsuid)
46136+ return net;
46137+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46138+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
46139+ return net;
46140+#endif
46141
46142 rcu_read_lock();
46143 task = pid_task(proc_pid(dir), PIDTYPE_PID);
46144diff -urNp linux-3.1.1/fs/proc/proc_sysctl.c linux-3.1.1/fs/proc/proc_sysctl.c
46145--- linux-3.1.1/fs/proc/proc_sysctl.c 2011-11-11 15:19:27.000000000 -0500
46146+++ linux-3.1.1/fs/proc/proc_sysctl.c 2011-11-18 18:45:33.000000000 -0500
46147@@ -8,11 +8,13 @@
46148 #include <linux/namei.h>
46149 #include "internal.h"
46150
46151+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
46152+
46153 static const struct dentry_operations proc_sys_dentry_operations;
46154 static const struct file_operations proc_sys_file_operations;
46155-static const struct inode_operations proc_sys_inode_operations;
46156+const struct inode_operations proc_sys_inode_operations;
46157 static const struct file_operations proc_sys_dir_file_operations;
46158-static const struct inode_operations proc_sys_dir_operations;
46159+const struct inode_operations proc_sys_dir_operations;
46160
46161 static struct inode *proc_sys_make_inode(struct super_block *sb,
46162 struct ctl_table_header *head, struct ctl_table *table)
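Review bot: The `extern __u32 gr_handle_sysctl(...)` prototype is placed directly in a .c file, and `proc_sys_inode_operations` / `proc_sys_dir_operations` lose their `static` without a declaration in any header visible here, so sparse will report "symbol was not declared. Should it be static?" for both tables and a future signature change to gr_handle_sysctl will not be caught at its call sites. Move the prototype and `extern const struct inode_operations proc_sys_inode_operations;` / `extern const struct inode_operations proc_sys_dir_operations;` into the grsecurity header that the consumer of these tables includes (the consumer is not visible in this chunk, so I am inferring one exists from the dropped `static`).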
46163@@ -121,8 +123,14 @@ static struct dentry *proc_sys_lookup(st
46164
46165 err = NULL;
46166 d_set_d_op(dentry, &proc_sys_dentry_operations);
46167+
46168+ gr_handle_proc_create(dentry, inode);
46169+
46170 d_add(dentry, inode);
46171
46172+ if (gr_handle_sysctl(p, MAY_EXEC))
46173+ err = ERR_PTR(-ENOENT);
46174+
46175 out:
46176 sysctl_head_finish(head);
46177 return err;
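Review bot: The `gr_handle_sysctl(p, MAY_EXEC)` denial is evaluated after `d_add(dentry, inode)`, so the dentry is already hashed and positive when `ERR_PTR(-ENOENT)` is returned; the VFS will only dput() it, and since proc_sys_dentry_operations keeps such dentries (its d_revalidate/d_delete are outside this hunk, so this is inferred from upstream), the next lookup of the same name is served from the dcache and never reaches this check, leaving enforcement to whatever proc_sys_permission/proc_sys_getattr do. Deny before the dentry is instantiated, dropping the inode reference the lookup took; if gr_handle_proc_create must see the dentry/inode pair first, the minimal alternative is a `d_drop(dentry);` next to the `err = ERR_PTR(-ENOENT);` line. proc_sys_lookup starts outside this hunk.
```c
	err = NULL;
	if (gr_handle_sysctl(p, MAY_EXEC)) {
		/* deny before the dentry is hashed so the next lookup re-checks */
		iput(inode);
		err = ERR_PTR(-ENOENT);
		goto out;
	}
	d_set_d_op(dentry, &proc_sys_dentry_operations);
	gr_handle_proc_create(dentry, inode);
	d_add(dentry, inode);
```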
46178@@ -202,6 +210,9 @@ static int proc_sys_fill_cache(struct fi
46179 return -ENOMEM;
46180 } else {
46181 d_set_d_op(child, &proc_sys_dentry_operations);
46182+
46183+ gr_handle_proc_create(child, inode);
46184+
46185 d_add(child, inode);
46186 }
46187 } else {
46188@@ -230,6 +241,9 @@ static int scan(struct ctl_table_header
46189 if (*pos < file->f_pos)
46190 continue;
46191
46192+ if (gr_handle_sysctl(table, 0))
46193+ continue;
46194+
46195 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
46196 if (res)
46197 return res;
46198@@ -355,6 +369,9 @@ static int proc_sys_getattr(struct vfsmo
46199 if (IS_ERR(head))
46200 return PTR_ERR(head);
46201
46202+ if (table && gr_handle_sysctl(table, MAY_EXEC))
46203+ return -ENOENT;
46204+
46205 generic_fillattr(inode, stat);
46206 if (table)
46207 stat->mode = (stat->mode & S_IFMT) | table->mode;
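Review bot: The new early `return -ENOENT;` exits after `head` has been obtained and validated but before the `sysctl_head_finish(head)` that the normal path below the hunk performs (the grab is above the hunk, so this is inferred from the surrounding upstream function), which leaks the header's use count and can stall unregister_sysctl_table for that table indefinitely once a denied stat() has happened. Release it on the denial path: `if (table && gr_handle_sysctl(table, MAY_EXEC)) { sysctl_head_finish(head); return -ENOENT; }`. proc_sys_getattr starts and ends outside this hunk.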
46208@@ -370,17 +387,18 @@ static const struct file_operations proc
46209 };
46210
46211 static const struct file_operations proc_sys_dir_file_operations = {
46212+ .read = generic_read_dir,
46213 .readdir = proc_sys_readdir,
46214 .llseek = generic_file_llseek,
46215 };
46216
46217-static const struct inode_operations proc_sys_inode_operations = {
46218+const struct inode_operations proc_sys_inode_operations = {
46219 .permission = proc_sys_permission,
46220 .setattr = proc_sys_setattr,
46221 .getattr = proc_sys_getattr,
46222 };
46223
46224-static const struct inode_operations proc_sys_dir_operations = {
46225+const struct inode_operations proc_sys_dir_operations = {
46226 .lookup = proc_sys_lookup,
46227 .permission = proc_sys_permission,
46228 .setattr = proc_sys_setattr,
46229diff -urNp linux-3.1.1/fs/proc/root.c linux-3.1.1/fs/proc/root.c
46230--- linux-3.1.1/fs/proc/root.c 2011-11-11 15:19:27.000000000 -0500
46231+++ linux-3.1.1/fs/proc/root.c 2011-11-16 18:40:29.000000000 -0500
46232@@ -123,7 +123,15 @@ void __init proc_root_init(void)
46233 #ifdef CONFIG_PROC_DEVICETREE
46234 proc_device_tree_init();
46235 #endif
46236+#ifdef CONFIG_GRKERNSEC_PROC_ADD
46237+#ifdef CONFIG_GRKERNSEC_PROC_USER
46238+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
46239+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46240+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
46241+#endif
46242+#else
46243 proc_mkdir("bus", NULL);
46244+#endif
46245 proc_sys_init();
46246 }
46247
46248diff -urNp linux-3.1.1/fs/proc/task_mmu.c linux-3.1.1/fs/proc/task_mmu.c
46249--- linux-3.1.1/fs/proc/task_mmu.c 2011-11-11 15:19:27.000000000 -0500
46250+++ linux-3.1.1/fs/proc/task_mmu.c 2011-11-16 18:40:29.000000000 -0500
46251@@ -51,8 +51,13 @@ void task_mem(struct seq_file *m, struct
46252 "VmExe:\t%8lu kB\n"
46253 "VmLib:\t%8lu kB\n"
46254 "VmPTE:\t%8lu kB\n"
46255- "VmSwap:\t%8lu kB\n",
46256- hiwater_vm << (PAGE_SHIFT-10),
46257+ "VmSwap:\t%8lu kB\n"
46258+
46259+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46260+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
46261+#endif
46262+
46263+ ,hiwater_vm << (PAGE_SHIFT-10),
46264 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
46265 mm->locked_vm << (PAGE_SHIFT-10),
46266 hiwater_rss << (PAGE_SHIFT-10),
46267@@ -60,7 +65,13 @@ void task_mem(struct seq_file *m, struct
46268 data << (PAGE_SHIFT-10),
46269 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
46270 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
46271- swap << (PAGE_SHIFT-10));
46272+ swap << (PAGE_SHIFT-10)
46273+
46274+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46275+ , mm->context.user_cs_base, mm->context.user_cs_limit
46276+#endif
46277+
46278+ );
46279 }
46280
46281 unsigned long task_vsize(struct mm_struct *mm)
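Review bot: Under CONFIG_ARCH_TRACK_EXEC_LIMIT the new `CsBase`/`CsLim` fields print `mm->context.user_cs_base` and `user_cs_limit` for whichever task's status is being read, with none of the `mm != current->mm` / CONFIG_GRKERNSEC_PROC_MEMMAP gating that the maps and smaps hunks later in this file apply to address data. If user_cs_limit tracks the top of the task's executable mappings (not visible here), a world-readable /proc/<pid>/status would reveal a layout detail of other users' processes that the rest of the patch deliberately hides. Consider emitting the raw values only for the caller's own mm, e.g. `mm == current->mm ? mm->context.user_cs_limit : 0UL`, and a one-line comment stating why the fields are shown at all. task_mem's body also spans the preceding hunk.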
46282@@ -207,6 +218,12 @@ static int do_maps_open(struct inode *in
46283 return ret;
46284 }
46285
46286+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46287+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
46288+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
46289+ _mm->pax_flags & MF_PAX_SEGMEXEC))
46290+#endif
46291+
46292 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
46293 {
46294 struct mm_struct *mm = vma->vm_mm;
46295@@ -225,13 +242,13 @@ static void show_map_vma(struct seq_file
46296 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
46297 }
46298
46299- /* We don't show the stack guard page in /proc/maps */
46300+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46301+ start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
46302+ end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
46303+#else
46304 start = vma->vm_start;
46305- if (stack_guard_page_start(vma, start))
46306- start += PAGE_SIZE;
46307 end = vma->vm_end;
46308- if (stack_guard_page_end(vma, end))
46309- end -= PAGE_SIZE;
46310+#endif
46311
46312 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
46313 start,
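Review bot: The `#else` branch drops the `stack_guard_page_start`/`stack_guard_page_end` adjustment along with the removed comment, so even with CONFIG_GRKERNSEC_PROC_MEMMAP disabled the stack VMA is now reported one page larger than upstream 3.1 does, which changes /proc/<pid>/maps output for tools that compare it against mmap ranges. If this is intentional because the guard page is handled differently elsewhere in the patch (not visible here), say so in a one-line comment in place of the removed one, e.g. `/* the stack guard page is not hidden here: see <where it is handled> */`; otherwise the two calls belong back in the `#else` branch. show_map_vma starts and ends outside this hunk.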
46314@@ -240,7 +257,11 @@ static void show_map_vma(struct seq_file
46315 flags & VM_WRITE ? 'w' : '-',
46316 flags & VM_EXEC ? 'x' : '-',
46317 flags & VM_MAYSHARE ? 's' : 'p',
46318+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46319+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
46320+#else
46321 pgoff,
46322+#endif
46323 MAJOR(dev), MINOR(dev), ino, &len);
46324
46325 /*
46326@@ -249,7 +270,7 @@ static void show_map_vma(struct seq_file
46327 */
46328 if (file) {
46329 pad_len_spaces(m, len);
46330- seq_path(m, &file->f_path, "\n");
46331+ seq_path(m, &file->f_path, "\n\\");
46332 } else {
46333 const char *name = arch_vma_name(vma);
46334 if (!name) {
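Review bot: The reason for adding `\\` to the seq_path escape set is not recorded, and it is a real correctness point: if seq_path rewrites each character of the set as a `\ooo` octal escape, as upstream mangle_path does, then without escaping the backslash itself a file name literally containing `\012` is indistinguishable in the output from an escaped newline, and a crafted name can forge an extra maps line for any parser that unescapes. Add `/* escape '\\' as well: a literal "\012" in a name must not read as an escaped newline */` above the call; the same change is made in nommu.c, task_nommu.c and show_numa_map and would benefit from the same comment.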
46335@@ -257,8 +278,9 @@ static void show_map_vma(struct seq_file
46336 if (vma->vm_start <= mm->brk &&
46337 vma->vm_end >= mm->start_brk) {
46338 name = "[heap]";
46339- } else if (vma->vm_start <= mm->start_stack &&
46340- vma->vm_end >= mm->start_stack) {
46341+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
46342+ (vma->vm_start <= mm->start_stack &&
46343+ vma->vm_end >= mm->start_stack)) {
46344 name = "[stack]";
46345 }
46346 } else {
46347@@ -433,11 +455,16 @@ static int show_smap(struct seq_file *m,
46348 };
46349
46350 memset(&mss, 0, sizeof mss);
46351- mss.vma = vma;
46352- /* mmap_sem is held in m_start */
46353- if (vma->vm_mm && !is_vm_hugetlb_page(vma))
46354- walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
46355-
46356+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46357+ if (!PAX_RAND_FLAGS(vma->vm_mm)) {
46358+#endif
46359+ mss.vma = vma;
46360+ /* mmap_sem is held in m_start */
46361+ if (vma->vm_mm && !is_vm_hugetlb_page(vma))
46362+ walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
46363+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46364+ }
46365+#endif
46366 show_map_vma(m, vma);
46367
46368 seq_printf(m,
46369@@ -455,7 +482,11 @@ static int show_smap(struct seq_file *m,
46370 "KernelPageSize: %8lu kB\n"
46371 "MMUPageSize: %8lu kB\n"
46372 "Locked: %8lu kB\n",
46373+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
46374+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
46375+#else
46376 (vma->vm_end - vma->vm_start) >> 10,
46377+#endif
46378 mss.resident >> 10,
46379 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
46380 mss.shared_clean >> 10,
46381@@ -1031,7 +1062,7 @@ static int show_numa_map(struct seq_file
46382
46383 if (file) {
46384 seq_printf(m, " file=");
46385- seq_path(m, &file->f_path, "\n\t= ");
46386+ seq_path(m, &file->f_path, "\n\t\\= ");
46387 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
46388 seq_printf(m, " heap");
46389 } else if (vma->vm_start <= mm->start_stack &&
46390diff -urNp linux-3.1.1/fs/proc/task_nommu.c linux-3.1.1/fs/proc/task_nommu.c
46391--- linux-3.1.1/fs/proc/task_nommu.c 2011-11-11 15:19:27.000000000 -0500
46392+++ linux-3.1.1/fs/proc/task_nommu.c 2011-11-16 18:39:08.000000000 -0500
46393@@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
46394 else
46395 bytes += kobjsize(mm);
46396
46397- if (current->fs && current->fs->users > 1)
46398+ if (current->fs && atomic_read(&current->fs->users) > 1)
46399 sbytes += kobjsize(current->fs);
46400 else
46401 bytes += kobjsize(current->fs);
46402@@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
46403
46404 if (file) {
46405 pad_len_spaces(m, len);
46406- seq_path(m, &file->f_path, "");
46407+ seq_path(m, &file->f_path, "\n\\");
46408 } else if (mm) {
46409 if (vma->vm_start <= mm->start_stack &&
46410 vma->vm_end >= mm->start_stack) {
46411diff -urNp linux-3.1.1/fs/quota/netlink.c linux-3.1.1/fs/quota/netlink.c
46412--- linux-3.1.1/fs/quota/netlink.c 2011-11-11 15:19:27.000000000 -0500
46413+++ linux-3.1.1/fs/quota/netlink.c 2011-11-16 18:39:08.000000000 -0500
46414@@ -33,7 +33,7 @@ static struct genl_family quota_genl_fam
46415 void quota_send_warning(short type, unsigned int id, dev_t dev,
46416 const char warntype)
46417 {
46418- static atomic_t seq;
46419+ static atomic_unchecked_t seq;
46420 struct sk_buff *skb;
46421 void *msg_head;
46422 int ret;
46423@@ -49,7 +49,7 @@ void quota_send_warning(short type, unsi
46424 "VFS: Not enough memory to send quota warning.\n");
46425 return;
46426 }
46427- msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
46428+ msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
46429 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
46430 if (!msg_head) {
46431 printk(KERN_ERR
46432diff -urNp linux-3.1.1/fs/readdir.c linux-3.1.1/fs/readdir.c
46433--- linux-3.1.1/fs/readdir.c 2011-11-11 15:19:27.000000000 -0500
46434+++ linux-3.1.1/fs/readdir.c 2011-11-16 18:40:29.000000000 -0500
46435@@ -17,6 +17,7 @@
46436 #include <linux/security.h>
46437 #include <linux/syscalls.h>
46438 #include <linux/unistd.h>
46439+#include <linux/namei.h>
46440
46441 #include <asm/uaccess.h>
46442
46443@@ -67,6 +68,7 @@ struct old_linux_dirent {
46444
46445 struct readdir_callback {
46446 struct old_linux_dirent __user * dirent;
46447+ struct file * file;
46448 int result;
46449 };
46450
46451@@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
46452 buf->result = -EOVERFLOW;
46453 return -EOVERFLOW;
46454 }
46455+
46456+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46457+ return 0;
46458+
46459 buf->result++;
46460 dirent = buf->dirent;
46461 if (!access_ok(VERIFY_WRITE, dirent,
46462@@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
46463
46464 buf.result = 0;
46465 buf.dirent = dirent;
46466+ buf.file = file;
46467
46468 error = vfs_readdir(file, fillonedir, &buf);
46469 if (buf.result)
46470@@ -142,6 +149,7 @@ struct linux_dirent {
46471 struct getdents_callback {
46472 struct linux_dirent __user * current_dir;
46473 struct linux_dirent __user * previous;
46474+ struct file * file;
46475 int count;
46476 int error;
46477 };
46478@@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
46479 buf->error = -EOVERFLOW;
46480 return -EOVERFLOW;
46481 }
46482+
46483+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46484+ return 0;
46485+
46486 dirent = buf->previous;
46487 if (dirent) {
46488 if (__put_user(offset, &dirent->d_off))
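Review bot: Returning 0 for a hidden entry here happens after the `buf->error = -EINVAL;` that upstream filldir sets at its top (above this hunk, so inferred from the surrounding function), so when every entry the filesystem offers in one getdents() call is hidden, `buf->previous` stays NULL and sys_getdents reports -EINVAL instead of end-of-directory. The check should be the first thing in the function, before `buf->error` is set, or reset it with `buf->error = 0;` before the `return 0;`. filldir starts outside this hunk.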
46489@@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
46490 buf.previous = NULL;
46491 buf.count = count;
46492 buf.error = 0;
46493+ buf.file = file;
46494
46495 error = vfs_readdir(file, filldir, &buf);
46496 if (error >= 0)
46497@@ -229,6 +242,7 @@ out:
46498 struct getdents_callback64 {
46499 struct linux_dirent64 __user * current_dir;
46500 struct linux_dirent64 __user * previous;
46501+ struct file *file;
46502 int count;
46503 int error;
46504 };
46505@@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
46506 buf->error = -EINVAL; /* only used if we fail.. */
46507 if (reclen > buf->count)
46508 return -EINVAL;
46509+
46510+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
46511+ return 0;
46512+
46513 dirent = buf->previous;
46514 if (dirent) {
46515 if (__put_user(offset, &dirent->d_off))
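Review bot: The `return 0;` for a hidden entry leaves `buf->error` at the `-EINVAL` assigned two lines earlier (comment: "only used if we fail"), and since nothing resets it, a getdents64() call in which every offered entry is hidden ends with `buf->previous == NULL` and the caller sees -EINVAL rather than the 0 that means end-of-directory; this is reachable whenever the previous call's buffer filled up just before a run of hidden names. Move the check above the `buf->error = -EINVAL;` line, i.e. `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) return 0;` as the first statement after the `reclen` computation, so a skipped entry does not alter the error state. filldir64 starts outside this hunk.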
46516@@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
46517
46518 buf.current_dir = dirent;
46519 buf.previous = NULL;
46520+ buf.file = file;
46521 buf.count = count;
46522 buf.error = 0;
46523
46524@@ -299,7 +318,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
46525 error = buf.error;
46526 lastdirent = buf.previous;
46527 if (lastdirent) {
46528- typeof(lastdirent->d_off) d_off = file->f_pos;
46529+ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
46530 if (__put_user(d_off, &lastdirent->d_off))
46531 error = -EFAULT;
46532 else
46533diff -urNp linux-3.1.1/fs/reiserfs/dir.c linux-3.1.1/fs/reiserfs/dir.c
46534--- linux-3.1.1/fs/reiserfs/dir.c 2011-11-11 15:19:27.000000000 -0500
46535+++ linux-3.1.1/fs/reiserfs/dir.c 2011-11-16 18:40:29.000000000 -0500
46536@@ -75,6 +75,8 @@ int reiserfs_readdir_dentry(struct dentr
46537 struct reiserfs_dir_entry de;
46538 int ret = 0;
46539
46540+ pax_track_stack();
46541+
46542 reiserfs_write_lock(inode->i_sb);
46543
46544 reiserfs_check_lock_depth(inode->i_sb, "readdir");
46545diff -urNp linux-3.1.1/fs/reiserfs/do_balan.c linux-3.1.1/fs/reiserfs/do_balan.c
46546--- linux-3.1.1/fs/reiserfs/do_balan.c 2011-11-11 15:19:27.000000000 -0500
46547+++ linux-3.1.1/fs/reiserfs/do_balan.c 2011-11-16 18:39:08.000000000 -0500
46548@@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
46549 return;
46550 }
46551
46552- atomic_inc(&(fs_generation(tb->tb_sb)));
46553+ atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
46554 do_balance_starts(tb);
46555
46556 /* balance leaf returns 0 except if combining L R and S into
46557diff -urNp linux-3.1.1/fs/reiserfs/journal.c linux-3.1.1/fs/reiserfs/journal.c
46558--- linux-3.1.1/fs/reiserfs/journal.c 2011-11-11 15:19:27.000000000 -0500
46559+++ linux-3.1.1/fs/reiserfs/journal.c 2011-11-16 18:40:29.000000000 -0500
46560@@ -2289,6 +2289,8 @@ static struct buffer_head *reiserfs_brea
46561 struct buffer_head *bh;
46562 int i, j;
46563
46564+ pax_track_stack();
46565+
46566 bh = __getblk(dev, block, bufsize);
46567 if (buffer_uptodate(bh))
46568 return (bh);
46569diff -urNp linux-3.1.1/fs/reiserfs/namei.c linux-3.1.1/fs/reiserfs/namei.c
46570--- linux-3.1.1/fs/reiserfs/namei.c 2011-11-11 15:19:27.000000000 -0500
46571+++ linux-3.1.1/fs/reiserfs/namei.c 2011-11-16 18:40:29.000000000 -0500
46572@@ -1225,6 +1225,8 @@ static int reiserfs_rename(struct inode
46573 unsigned long savelink = 1;
46574 struct timespec ctime;
46575
46576+ pax_track_stack();
46577+
46578 /* three balancings: (1) old name removal, (2) new name insertion
46579 and (3) maybe "save" link insertion
46580 stat data updates: (1) old directory,
46581diff -urNp linux-3.1.1/fs/reiserfs/procfs.c linux-3.1.1/fs/reiserfs/procfs.c
46582--- linux-3.1.1/fs/reiserfs/procfs.c 2011-11-11 15:19:27.000000000 -0500
46583+++ linux-3.1.1/fs/reiserfs/procfs.c 2011-11-16 18:40:29.000000000 -0500
46584@@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
46585 "SMALL_TAILS " : "NO_TAILS ",
46586 replay_only(sb) ? "REPLAY_ONLY " : "",
46587 convert_reiserfs(sb) ? "CONV " : "",
46588- atomic_read(&r->s_generation_counter),
46589+ atomic_read_unchecked(&r->s_generation_counter),
46590 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
46591 SF(s_do_balance), SF(s_unneeded_left_neighbor),
46592 SF(s_good_search_by_key_reada), SF(s_bmaps),
46593@@ -299,6 +299,8 @@ static int show_journal(struct seq_file
46594 struct journal_params *jp = &rs->s_v1.s_journal;
46595 char b[BDEVNAME_SIZE];
46596
46597+ pax_track_stack();
46598+
46599 seq_printf(m, /* on-disk fields */
46600 "jp_journal_1st_block: \t%i\n"
46601 "jp_journal_dev: \t%s[%x]\n"
46602diff -urNp linux-3.1.1/fs/reiserfs/stree.c linux-3.1.1/fs/reiserfs/stree.c
46603--- linux-3.1.1/fs/reiserfs/stree.c 2011-11-11 15:19:27.000000000 -0500
46604+++ linux-3.1.1/fs/reiserfs/stree.c 2011-11-16 18:40:29.000000000 -0500
46605@@ -1196,6 +1196,8 @@ int reiserfs_delete_item(struct reiserfs
46606 int iter = 0;
46607 #endif
46608
46609+ pax_track_stack();
46610+
46611 BUG_ON(!th->t_trans_id);
46612
46613 init_tb_struct(th, &s_del_balance, sb, path,
46614@@ -1333,6 +1335,8 @@ void reiserfs_delete_solid_item(struct r
46615 int retval;
46616 int quota_cut_bytes = 0;
46617
46618+ pax_track_stack();
46619+
46620 BUG_ON(!th->t_trans_id);
46621
46622 le_key2cpu_key(&cpu_key, key);
46623@@ -1562,6 +1566,8 @@ int reiserfs_cut_from_item(struct reiser
46624 int quota_cut_bytes;
46625 loff_t tail_pos = 0;
46626
46627+ pax_track_stack();
46628+
46629 BUG_ON(!th->t_trans_id);
46630
46631 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
46632@@ -1957,6 +1963,8 @@ int reiserfs_paste_into_item(struct reis
46633 int retval;
46634 int fs_gen;
46635
46636+ pax_track_stack();
46637+
46638 BUG_ON(!th->t_trans_id);
46639
46640 fs_gen = get_generation(inode->i_sb);
46641@@ -2045,6 +2053,8 @@ int reiserfs_insert_item(struct reiserfs
46642 int fs_gen = 0;
46643 int quota_bytes = 0;
46644
46645+ pax_track_stack();
46646+
46647 BUG_ON(!th->t_trans_id);
46648
46649 if (inode) { /* Do we count quotas for item? */
46650diff -urNp linux-3.1.1/fs/reiserfs/super.c linux-3.1.1/fs/reiserfs/super.c
46651--- linux-3.1.1/fs/reiserfs/super.c 2011-11-11 15:19:27.000000000 -0500
46652+++ linux-3.1.1/fs/reiserfs/super.c 2011-11-16 18:40:29.000000000 -0500
46653@@ -927,6 +927,8 @@ static int reiserfs_parse_options(struct
46654 {.option_name = NULL}
46655 };
46656
46657+ pax_track_stack();
46658+
46659 *blocks = 0;
46660 if (!options || !*options)
46661 /* use default configuration: create tails, journaling on, no
46662diff -urNp linux-3.1.1/fs/select.c linux-3.1.1/fs/select.c
46663--- linux-3.1.1/fs/select.c 2011-11-11 15:19:27.000000000 -0500
46664+++ linux-3.1.1/fs/select.c 2011-11-16 18:40:29.000000000 -0500
46665@@ -20,6 +20,7 @@
46666 #include <linux/module.h>
46667 #include <linux/slab.h>
46668 #include <linux/poll.h>
46669+#include <linux/security.h>
46670 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
46671 #include <linux/file.h>
46672 #include <linux/fdtable.h>
46673@@ -403,6 +404,8 @@ int do_select(int n, fd_set_bits *fds, s
46674 int retval, i, timed_out = 0;
46675 unsigned long slack = 0;
46676
46677+ pax_track_stack();
46678+
46679 rcu_read_lock();
46680 retval = max_select_fd(n, fds);
46681 rcu_read_unlock();
46682@@ -528,6 +531,8 @@ int core_sys_select(int n, fd_set __user
46683 /* Allocate small arguments on the stack to save memory and be faster */
46684 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
46685
46686+ pax_track_stack();
46687+
46688 ret = -EINVAL;
46689 if (n < 0)
46690 goto out_nofds;
46691@@ -837,6 +842,9 @@ int do_sys_poll(struct pollfd __user *uf
46692 struct poll_list *walk = head;
46693 unsigned long todo = nfds;
46694
46695+ pax_track_stack();
46696+
46697+ gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
46698 if (nfds > rlimit(RLIMIT_NOFILE))
46699 return -EINVAL;
46700
46701diff -urNp linux-3.1.1/fs/seq_file.c linux-3.1.1/fs/seq_file.c
46702--- linux-3.1.1/fs/seq_file.c 2011-11-11 15:19:27.000000000 -0500
46703+++ linux-3.1.1/fs/seq_file.c 2011-11-16 18:39:08.000000000 -0500
46704@@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
46705 return 0;
46706 }
46707 if (!m->buf) {
46708- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
46709+ m->size = PAGE_SIZE;
46710+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
46711 if (!m->buf)
46712 return -ENOMEM;
46713 }
46714@@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
46715 Eoverflow:
46716 m->op->stop(m, p);
46717 kfree(m->buf);
46718- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
46719+ m->size <<= 1;
46720+ m->buf = kmalloc(m->size, GFP_KERNEL);
46721 return !m->buf ? -ENOMEM : -EAGAIN;
46722 }
46723
46724@@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
46725 m->version = file->f_version;
46726 /* grab buffer if we didn't have one */
46727 if (!m->buf) {
46728- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
46729+ m->size = PAGE_SIZE;
46730+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
46731 if (!m->buf)
46732 goto Enomem;
46733 }
46734@@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
46735 goto Fill;
46736 m->op->stop(m, p);
46737 kfree(m->buf);
46738- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
46739+ m->size <<= 1;
46740+ m->buf = kmalloc(m->size, GFP_KERNEL);
46741 if (!m->buf)
46742 goto Enomem;
46743 m->count = 0;
46744@@ -549,7 +553,7 @@ static void single_stop(struct seq_file
46745 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
46746 void *data)
46747 {
46748- struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
46749+ seq_operations_no_const *op = kmalloc(sizeof(*op), GFP_KERNEL);
46750 int res = -ENOMEM;
46751
46752 if (op) {
46753diff -urNp linux-3.1.1/fs/splice.c linux-3.1.1/fs/splice.c
46754--- linux-3.1.1/fs/splice.c 2011-11-11 15:19:27.000000000 -0500
46755+++ linux-3.1.1/fs/splice.c 2011-11-16 18:40:29.000000000 -0500
46756@@ -194,7 +194,7 @@ ssize_t splice_to_pipe(struct pipe_inode
46757 pipe_lock(pipe);
46758
46759 for (;;) {
46760- if (!pipe->readers) {
46761+ if (!atomic_read(&pipe->readers)) {
46762 send_sig(SIGPIPE, current, 0);
46763 if (!ret)
46764 ret = -EPIPE;
46765@@ -248,9 +248,9 @@ ssize_t splice_to_pipe(struct pipe_inode
46766 do_wakeup = 0;
46767 }
46768
46769- pipe->waiting_writers++;
46770+ atomic_inc(&pipe->waiting_writers);
46771 pipe_wait(pipe);
46772- pipe->waiting_writers--;
46773+ atomic_dec(&pipe->waiting_writers);
46774 }
46775
46776 pipe_unlock(pipe);
46777@@ -320,6 +320,8 @@ __generic_file_splice_read(struct file *
46778 .spd_release = spd_release_page,
46779 };
46780
46781+ pax_track_stack();
46782+
46783 if (splice_grow_spd(pipe, &spd))
46784 return -ENOMEM;
46785
46786@@ -560,7 +562,7 @@ static ssize_t kernel_readv(struct file
46787 old_fs = get_fs();
46788 set_fs(get_ds());
46789 /* The cast to a user pointer is valid due to the set_fs() */
46790- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
46791+ res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
46792 set_fs(old_fs);
46793
46794 return res;
46795@@ -575,7 +577,7 @@ static ssize_t kernel_write(struct file
46796 old_fs = get_fs();
46797 set_fs(get_ds());
46798 /* The cast to a user pointer is valid due to the set_fs() */
46799- res = vfs_write(file, (const char __user *)buf, count, &pos);
46800+ res = vfs_write(file, (const char __force_user *)buf, count, &pos);
46801 set_fs(old_fs);
46802
46803 return res;
46804@@ -603,6 +605,8 @@ ssize_t default_file_splice_read(struct
46805 .spd_release = spd_release_page,
46806 };
46807
46808+ pax_track_stack();
46809+
46810 if (splice_grow_spd(pipe, &spd))
46811 return -ENOMEM;
46812
46813@@ -626,7 +630,7 @@ ssize_t default_file_splice_read(struct
46814 goto err;
46815
46816 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
46817- vec[i].iov_base = (void __user *) page_address(page);
46818+ vec[i].iov_base = (void __force_user *) page_address(page);
46819 vec[i].iov_len = this_len;
46820 spd.pages[i] = page;
46821 spd.nr_pages++;
46822@@ -846,10 +850,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
46823 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
46824 {
46825 while (!pipe->nrbufs) {
46826- if (!pipe->writers)
46827+ if (!atomic_read(&pipe->writers))
46828 return 0;
46829
46830- if (!pipe->waiting_writers && sd->num_spliced)
46831+ if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
46832 return 0;
46833
46834 if (sd->flags & SPLICE_F_NONBLOCK)
46835@@ -1182,7 +1186,7 @@ ssize_t splice_direct_to_actor(struct fi
46836 * out of the pipe right after the splice_to_pipe(). So set
46837 * PIPE_READERS appropriately.
46838 */
46839- pipe->readers = 1;
46840+ atomic_set(&pipe->readers, 1);
46841
46842 current->splice_pipe = pipe;
46843 }
46844@@ -1619,6 +1623,8 @@ static long vmsplice_to_pipe(struct file
46845 };
46846 long ret;
46847
46848+ pax_track_stack();
46849+
46850 pipe = get_pipe_info(file);
46851 if (!pipe)
46852 return -EBADF;
46853@@ -1734,9 +1740,9 @@ static int ipipe_prep(struct pipe_inode_
46854 ret = -ERESTARTSYS;
46855 break;
46856 }
46857- if (!pipe->writers)
46858+ if (!atomic_read(&pipe->writers))
46859 break;
46860- if (!pipe->waiting_writers) {
46861+ if (!atomic_read(&pipe->waiting_writers)) {
46862 if (flags & SPLICE_F_NONBLOCK) {
46863 ret = -EAGAIN;
46864 break;
46865@@ -1768,7 +1774,7 @@ static int opipe_prep(struct pipe_inode_
46866 pipe_lock(pipe);
46867
46868 while (pipe->nrbufs >= pipe->buffers) {
46869- if (!pipe->readers) {
46870+ if (!atomic_read(&pipe->readers)) {
46871 send_sig(SIGPIPE, current, 0);
46872 ret = -EPIPE;
46873 break;
46874@@ -1781,9 +1787,9 @@ static int opipe_prep(struct pipe_inode_
46875 ret = -ERESTARTSYS;
46876 break;
46877 }
46878- pipe->waiting_writers++;
46879+ atomic_inc(&pipe->waiting_writers);
46880 pipe_wait(pipe);
46881- pipe->waiting_writers--;
46882+ atomic_dec(&pipe->waiting_writers);
46883 }
46884
46885 pipe_unlock(pipe);
46886@@ -1819,14 +1825,14 @@ retry:
46887 pipe_double_lock(ipipe, opipe);
46888
46889 do {
46890- if (!opipe->readers) {
46891+ if (!atomic_read(&opipe->readers)) {
46892 send_sig(SIGPIPE, current, 0);
46893 if (!ret)
46894 ret = -EPIPE;
46895 break;
46896 }
46897
46898- if (!ipipe->nrbufs && !ipipe->writers)
46899+ if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
46900 break;
46901
46902 /*
46903@@ -1923,7 +1929,7 @@ static int link_pipe(struct pipe_inode_i
46904 pipe_double_lock(ipipe, opipe);
46905
46906 do {
46907- if (!opipe->readers) {
46908+ if (!atomic_read(&opipe->readers)) {
46909 send_sig(SIGPIPE, current, 0);
46910 if (!ret)
46911 ret = -EPIPE;
46912@@ -1968,7 +1974,7 @@ static int link_pipe(struct pipe_inode_i
46913 * return EAGAIN if we have the potential of some data in the
46914 * future, otherwise just return 0
46915 */
46916- if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
46917+ if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
46918 ret = -EAGAIN;
46919
46920 pipe_unlock(ipipe);
46921diff -urNp linux-3.1.1/fs/sysfs/file.c linux-3.1.1/fs/sysfs/file.c
46922--- linux-3.1.1/fs/sysfs/file.c 2011-11-11 15:19:27.000000000 -0500
46923+++ linux-3.1.1/fs/sysfs/file.c 2011-11-16 18:39:08.000000000 -0500
46924@@ -37,7 +37,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
46925
46926 struct sysfs_open_dirent {
46927 atomic_t refcnt;
46928- atomic_t event;
46929+ atomic_unchecked_t event;
46930 wait_queue_head_t poll;
46931 struct list_head buffers; /* goes through sysfs_buffer.list */
46932 };
46933@@ -81,7 +81,7 @@ static int fill_read_buffer(struct dentr
46934 if (!sysfs_get_active(attr_sd))
46935 return -ENODEV;
46936
46937- buffer->event = atomic_read(&attr_sd->s_attr.open->event);
46938+ buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
46939 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
46940
46941 sysfs_put_active(attr_sd);
46942@@ -287,7 +287,7 @@ static int sysfs_get_open_dirent(struct
46943 return -ENOMEM;
46944
46945 atomic_set(&new_od->refcnt, 0);
46946- atomic_set(&new_od->event, 1);
46947+ atomic_set_unchecked(&new_od->event, 1);
46948 init_waitqueue_head(&new_od->poll);
46949 INIT_LIST_HEAD(&new_od->buffers);
46950 goto retry;
46951@@ -432,7 +432,7 @@ static unsigned int sysfs_poll(struct fi
46952
46953 sysfs_put_active(attr_sd);
46954
46955- if (buffer->event != atomic_read(&od->event))
46956+ if (buffer->event != atomic_read_unchecked(&od->event))
46957 goto trigger;
46958
46959 return DEFAULT_POLLMASK;
46960@@ -451,7 +451,7 @@ void sysfs_notify_dirent(struct sysfs_di
46961
46962 od = sd->s_attr.open;
46963 if (od) {
46964- atomic_inc(&od->event);
46965+ atomic_inc_unchecked(&od->event);
46966 wake_up_interruptible(&od->poll);
46967 }
46968
46969diff -urNp linux-3.1.1/fs/sysfs/mount.c linux-3.1.1/fs/sysfs/mount.c
46970--- linux-3.1.1/fs/sysfs/mount.c 2011-11-11 15:19:27.000000000 -0500
46971+++ linux-3.1.1/fs/sysfs/mount.c 2011-11-16 18:40:29.000000000 -0500
46972@@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
46973 .s_name = "",
46974 .s_count = ATOMIC_INIT(1),
46975 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
46976+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
46977+ .s_mode = S_IFDIR | S_IRWXU,
46978+#else
46979 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
46980+#endif
46981 .s_ino = 1,
46982 };
46983
46984diff -urNp linux-3.1.1/fs/sysfs/symlink.c linux-3.1.1/fs/sysfs/symlink.c
46985--- linux-3.1.1/fs/sysfs/symlink.c 2011-11-11 15:19:27.000000000 -0500
46986+++ linux-3.1.1/fs/sysfs/symlink.c 2011-11-16 18:39:08.000000000 -0500
46987@@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
46988
46989 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
46990 {
46991- char *page = nd_get_link(nd);
46992+ const char *page = nd_get_link(nd);
46993 if (!IS_ERR(page))
46994 free_page((unsigned long)page);
46995 }
46996diff -urNp linux-3.1.1/fs/udf/inode.c linux-3.1.1/fs/udf/inode.c
46997--- linux-3.1.1/fs/udf/inode.c 2011-11-11 15:19:27.000000000 -0500
46998+++ linux-3.1.1/fs/udf/inode.c 2011-11-16 18:40:29.000000000 -0500
46999@@ -560,6 +560,8 @@ static struct buffer_head *inode_getblk(
47000 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
47001 int lastblock = 0;
47002
47003+ pax_track_stack();
47004+
47005 prev_epos.offset = udf_file_entry_alloc_offset(inode);
47006 prev_epos.block = iinfo->i_location;
47007 prev_epos.bh = NULL;
47008diff -urNp linux-3.1.1/fs/udf/misc.c linux-3.1.1/fs/udf/misc.c
47009--- linux-3.1.1/fs/udf/misc.c 2011-11-11 15:19:27.000000000 -0500
47010+++ linux-3.1.1/fs/udf/misc.c 2011-11-16 18:39:08.000000000 -0500
47011@@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
47012
47013 u8 udf_tag_checksum(const struct tag *t)
47014 {
47015- u8 *data = (u8 *)t;
47016+ const u8 *data = (const u8 *)t;
47017 u8 checksum = 0;
47018 int i;
47019 for (i = 0; i < sizeof(struct tag); ++i)
47020diff -urNp linux-3.1.1/fs/utimes.c linux-3.1.1/fs/utimes.c
47021--- linux-3.1.1/fs/utimes.c 2011-11-11 15:19:27.000000000 -0500
47022+++ linux-3.1.1/fs/utimes.c 2011-11-16 18:40:29.000000000 -0500
47023@@ -1,6 +1,7 @@
47024 #include <linux/compiler.h>
47025 #include <linux/file.h>
47026 #include <linux/fs.h>
47027+#include <linux/security.h>
47028 #include <linux/linkage.h>
47029 #include <linux/mount.h>
47030 #include <linux/namei.h>
47031@@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
47032 goto mnt_drop_write_and_out;
47033 }
47034 }
47035+
47036+ if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
47037+ error = -EACCES;
47038+ goto mnt_drop_write_and_out;
47039+ }
47040+
47041 mutex_lock(&inode->i_mutex);
47042 error = notify_change(path->dentry, &newattrs);
47043 mutex_unlock(&inode->i_mutex);
47044diff -urNp linux-3.1.1/fs/xattr_acl.c linux-3.1.1/fs/xattr_acl.c
47045--- linux-3.1.1/fs/xattr_acl.c 2011-11-11 15:19:27.000000000 -0500
47046+++ linux-3.1.1/fs/xattr_acl.c 2011-11-16 18:39:08.000000000 -0500
47047@@ -17,8 +17,8 @@
47048 struct posix_acl *
47049 posix_acl_from_xattr(const void *value, size_t size)
47050 {
47051- posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
47052- posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
47053+ const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
47054+ const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
47055 int count;
47056 struct posix_acl *acl;
47057 struct posix_acl_entry *acl_e;
47058diff -urNp linux-3.1.1/fs/xattr.c linux-3.1.1/fs/xattr.c
47059--- linux-3.1.1/fs/xattr.c 2011-11-11 15:19:27.000000000 -0500
47060+++ linux-3.1.1/fs/xattr.c 2011-11-16 18:40:29.000000000 -0500
47061@@ -254,7 +254,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
47062 * Extended attribute SET operations
47063 */
47064 static long
47065-setxattr(struct dentry *d, const char __user *name, const void __user *value,
47066+setxattr(struct path *path, const char __user *name, const void __user *value,
47067 size_t size, int flags)
47068 {
47069 int error;
47070@@ -278,7 +278,13 @@ setxattr(struct dentry *d, const char __
47071 return PTR_ERR(kvalue);
47072 }
47073
47074- error = vfs_setxattr(d, kname, kvalue, size, flags);
47075+ if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
47076+ error = -EACCES;
47077+ goto out;
47078+ }
47079+
47080+ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
47081+out:
47082 kfree(kvalue);
47083 return error;
47084 }
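Review bot: The RBAC check `gr_acl_handle_setxattr` runs only after the user value has already been copied into `kvalue` (the `return PTR_ERR(kvalue)` context and the `kfree(kvalue)` at `out:` show the allocation precedes it), so a denied caller still makes the kernel allocate and copy up to the maximum xattr size before receiving -EACCES. Moving the check ahead of the name and value copies, as soon as the path is available, would avoid that work and remove the need for the new `out:` label, since nothing would be held yet. The start of setxattr, where those copies happen, is outside this hunk.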
47085@@ -295,7 +301,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
47086 return error;
47087 error = mnt_want_write(path.mnt);
47088 if (!error) {
47089- error = setxattr(path.dentry, name, value, size, flags);
47090+ error = setxattr(&path, name, value, size, flags);
47091 mnt_drop_write(path.mnt);
47092 }
47093 path_put(&path);
47094@@ -314,7 +320,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
47095 return error;
47096 error = mnt_want_write(path.mnt);
47097 if (!error) {
47098- error = setxattr(path.dentry, name, value, size, flags);
47099+ error = setxattr(&path, name, value, size, flags);
47100 mnt_drop_write(path.mnt);
47101 }
47102 path_put(&path);
47103@@ -325,17 +331,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
47104 const void __user *,value, size_t, size, int, flags)
47105 {
47106 struct file *f;
47107- struct dentry *dentry;
47108 int error = -EBADF;
47109
47110 f = fget(fd);
47111 if (!f)
47112 return error;
47113- dentry = f->f_path.dentry;
47114- audit_inode(NULL, dentry);
47115+ audit_inode(NULL, f->f_path.dentry);
47116 error = mnt_want_write_file(f);
47117 if (!error) {
47118- error = setxattr(dentry, name, value, size, flags);
47119+ error = setxattr(&f->f_path, name, value, size, flags);
47120 mnt_drop_write(f->f_path.mnt);
47121 }
47122 fput(f);
47123diff -urNp linux-3.1.1/fs/xfs/xfs_bmap.c linux-3.1.1/fs/xfs/xfs_bmap.c
47124--- linux-3.1.1/fs/xfs/xfs_bmap.c 2011-11-11 15:19:27.000000000 -0500
47125+++ linux-3.1.1/fs/xfs/xfs_bmap.c 2011-11-16 18:39:08.000000000 -0500
47126@@ -250,7 +250,7 @@ xfs_bmap_validate_ret(
47127 int nmap,
47128 int ret_nmap);
47129 #else
47130-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
47131+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
47132 #endif /* DEBUG */
47133
47134 STATIC int
47135diff -urNp linux-3.1.1/fs/xfs/xfs_dir2_sf.c linux-3.1.1/fs/xfs/xfs_dir2_sf.c
47136--- linux-3.1.1/fs/xfs/xfs_dir2_sf.c 2011-11-11 15:19:27.000000000 -0500
47137+++ linux-3.1.1/fs/xfs/xfs_dir2_sf.c 2011-11-16 18:39:08.000000000 -0500
47138@@ -852,7 +852,15 @@ xfs_dir2_sf_getdents(
47139 }
47140
47141 ino = xfs_dir2_sfe_get_ino(sfp, sfep);
47142- if (filldir(dirent, (char *)sfep->name, sfep->namelen,
47143+ if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
47144+ char name[sfep->namelen];
47145+ memcpy(name, sfep->name, sfep->namelen);
47146+ if (filldir(dirent, name, sfep->namelen,
47147+ off & 0x7fffffff, ino, DT_UNKNOWN)) {
47148+ *offset = off & 0x7fffffff;
47149+ return 0;
47150+ }
47151+ } else if (filldir(dirent, (char *)sfep->name, sfep->namelen,
47152 off & 0x7fffffff, ino, DT_UNKNOWN)) {
47153 *offset = off & 0x7fffffff;
47154 return 0;
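Review bot: `char name[sfep->namelen]` is a variable-length array sized by an on-disk byte, so a corrupt entry with namelen 0 yields a zero-length VLA, which is undefined behaviour, and the `filldir` call with its offset handling is now written out twice. Since namelen is an 8-bit field (verify against the shortform entry definition), a fixed `char name[256]` declared with the function's locals plus a `const char *namep` selecting either the copy or `sfep->name` avoids the VLA and lets one filldir call serve both cases. The reason for the copy is also undocumented; presumably it keeps filldir's copy to userspace from reading straight out of the inode object when the entry data is inline, and a comment saying so would help. The enclosing loop and the locals are outside the hunk.
```c
		ino = xfs_dir2_sfe_get_ino(sfp, sfep);
		namep = (char *)sfep->name;
		if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
			/* the name lives inside the inode; hand filldir a copy */
			memcpy(name, sfep->name, sfep->namelen);
			namep = name;
		}
		if (filldir(dirent, namep, sfep->namelen,
			    off & 0x7fffffff, ino, DT_UNKNOWN)) {
			*offset = off & 0x7fffffff;
			return 0;
		}
```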
47155diff -urNp linux-3.1.1/fs/xfs/xfs_ioctl.c linux-3.1.1/fs/xfs/xfs_ioctl.c
47156--- linux-3.1.1/fs/xfs/xfs_ioctl.c 2011-11-11 15:19:27.000000000 -0500
47157+++ linux-3.1.1/fs/xfs/xfs_ioctl.c 2011-11-16 18:39:08.000000000 -0500
47158@@ -128,7 +128,7 @@ xfs_find_handle(
47159 }
47160
47161 error = -EFAULT;
47162- if (copy_to_user(hreq->ohandle, &handle, hsize) ||
47163+ if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
47164 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
47165 goto out_put;
47166
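Review bot: Folding `hsize > sizeof handle` into the existing `error = -EFAULT` path reports a bad length as a fault rather than an invalid argument; if hsize can only be miscomputed by the kernel itself this is a defensive assertion and an ASSERT-style message would make that clearer, but if it can come from the request it deserves its own `error = -EINVAL` branch before the copy. Either way a comment on the new condition, `/* never copy more than the on-stack handle holds */`, would document why the length is checked against the local. The computation of hsize in xfs_find_handle is outside the hunk.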
47167diff -urNp linux-3.1.1/fs/xfs/xfs_iops.c linux-3.1.1/fs/xfs/xfs_iops.c
47168--- linux-3.1.1/fs/xfs/xfs_iops.c 2011-11-11 15:19:27.000000000 -0500
47169+++ linux-3.1.1/fs/xfs/xfs_iops.c 2011-11-16 18:39:08.000000000 -0500
47170@@ -446,7 +446,7 @@ xfs_vn_put_link(
47171 struct nameidata *nd,
47172 void *p)
47173 {
47174- char *s = nd_get_link(nd);
47175+ const char *s = nd_get_link(nd);
47176
47177 if (!IS_ERR(s))
47178 kfree(s);
47179diff -urNp linux-3.1.1/fs/xfs/xfs_vnodeops.c linux-3.1.1/fs/xfs/xfs_vnodeops.c
47180--- linux-3.1.1/fs/xfs/xfs_vnodeops.c 2011-11-11 15:19:27.000000000 -0500
47181+++ linux-3.1.1/fs/xfs/xfs_vnodeops.c 2011-11-18 18:54:56.000000000 -0500
47182@@ -123,13 +123,17 @@ xfs_readlink(
47183
47184 xfs_ilock(ip, XFS_ILOCK_SHARED);
47185
47186- ASSERT(S_ISLNK(ip->i_d.di_mode));
47187- ASSERT(ip->i_d.di_size <= MAXPATHLEN);
47188-
47189 pathlen = ip->i_d.di_size;
47190 if (!pathlen)
47191 goto out;
47192
47193+ if (pathlen > MAXPATHLEN) {
47194+ xfs_alert(mp, "%s: inode (%llu) symlink length (%d) too long",
47195+ __func__, (unsigned long long)ip->i_ino, pathlen);
47196+ ASSERT(0);
47197+ return XFS_ERROR(EFSCORRUPTED);
47198+ }
47199+
47200 if (ip->i_df.if_flags & XFS_IFINLINE) {
47201 memcpy(link, ip->i_df.if_u1.if_data, pathlen);
47202 link[pathlen] = '\0';
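Review bot: The new `return XFS_ERROR(EFSCORRUPTED);` leaves the inode locked: `xfs_ilock(ip, XFS_ILOCK_SHARED)` is taken a few lines above, and the only other early exit (`goto out` for an empty symlink) goes through the `out:` label, which presumably drops that lock, so the corrupt-length path must do the same. Set the error and jump there instead, e.g. `error = XFS_ERROR(EFSCORRUPTED); goto out;` (assuming the function's `error` local and the unlock at `out:`, both outside the hunk). The `ASSERT(0)` is fine for debug builds, but the unlock is what production builds need. The rest of xfs_readlink lies outside the hunk.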
47203diff -urNp linux-3.1.1/grsecurity/gracl_alloc.c linux-3.1.1/grsecurity/gracl_alloc.c
47204--- linux-3.1.1/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
47205+++ linux-3.1.1/grsecurity/gracl_alloc.c 2011-11-16 18:40:31.000000000 -0500
47206@@ -0,0 +1,105 @@
47207+#include <linux/kernel.h>
47208+#include <linux/mm.h>
47209+#include <linux/slab.h>
47210+#include <linux/vmalloc.h>
47211+#include <linux/gracl.h>
47212+#include <linux/grsecurity.h>
47213+
47214+static unsigned long alloc_stack_next = 1;
47215+static unsigned long alloc_stack_size = 1;
47216+static void **alloc_stack;
47217+
47218+static __inline__ int
47219+alloc_pop(void)
47220+{
47221+ if (alloc_stack_next == 1)
47222+ return 0;
47223+
47224+ kfree(alloc_stack[alloc_stack_next - 2]);
47225+
47226+ alloc_stack_next--;
47227+
47228+ return 1;
47229+}
47230+
47231+static __inline__ int
47232+alloc_push(void *buf)
47233+{
47234+ if (alloc_stack_next >= alloc_stack_size)
47235+ return 1;
47236+
47237+ alloc_stack[alloc_stack_next - 1] = buf;
47238+
47239+ alloc_stack_next++;
47240+
47241+ return 0;
47242+}
47243+
47244+void *
47245+acl_alloc(unsigned long len)
47246+{
47247+ void *ret = NULL;
47248+
47249+ if (!len || len > PAGE_SIZE)
47250+ goto out;
47251+
47252+ ret = kmalloc(len, GFP_KERNEL);
47253+
47254+ if (ret) {
47255+ if (alloc_push(ret)) {
47256+ kfree(ret);
47257+ ret = NULL;
47258+ }
47259+ }
47260+
47261+out:
47262+ return ret;
47263+}
47264+
47265+void *
47266+acl_alloc_num(unsigned long num, unsigned long len)
47267+{
47268+ if (!len || (num > (PAGE_SIZE / len)))
47269+ return NULL;
47270+
47271+ return acl_alloc(num * len);
47272+}
47273+
47274+void
47275+acl_free_all(void)
47276+{
47277+ if (gr_acl_is_enabled() || !alloc_stack)
47278+ return;
47279+
47280+ while (alloc_pop()) ;
47281+
47282+ if (alloc_stack) {
47283+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
47284+ kfree(alloc_stack);
47285+ else
47286+ vfree(alloc_stack);
47287+ }
47288+
47289+ alloc_stack = NULL;
47290+ alloc_stack_size = 1;
47291+ alloc_stack_next = 1;
47292+
47293+ return;
47294+}
47295+
47296+int
47297+acl_alloc_stack_init(unsigned long size)
47298+{
47299+ if ((size * sizeof (void *)) <= PAGE_SIZE)
47300+ alloc_stack =
47301+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
47302+ else
47303+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
47304+
47305+ alloc_stack_size = size;
47306+
47307+ if (!alloc_stack)
47308+ return 0;
47309+ else
47310+ return 1;
47311+}
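Review bot: `acl_alloc_stack_init` multiplies the caller-supplied `size` by `sizeof(void *)` without an overflow check, so a large count wraps to a small allocation whose bounds `alloc_push` then trusts through `alloc_stack_size`; it also stores `alloc_stack_size = size` even when the allocation fails, leaving a NULL `alloc_stack` with a non-zero size until `acl_free_all` resets it. Reject counts whose byte size would wrap before allocating, and record the size only once the table exists; the casts on the `kmalloc`/`vmalloc` results are also unnecessary in C. Where `size` comes from is outside this file; if it is taken from the policy loaded from userspace, the overflow check is the part that matters most.
```c
int
acl_alloc_stack_init(unsigned long size)
{
	unsigned long bytes;

	/* size is presumably taken from the loaded policy; refuse counts whose
	   byte size would wrap before sizing the table */
	if (size > ULONG_MAX / sizeof(void *))
		return 0;
	bytes = size * sizeof(void *);

	if (bytes <= PAGE_SIZE)
		alloc_stack = kmalloc(bytes, GFP_KERNEL);
	else
		alloc_stack = vmalloc(bytes);

	if (!alloc_stack)
		return 0;

	/* recorded only on success so acl_free_all never sees a size without a table */
	alloc_stack_size = size;
	return 1;
}
```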
47312diff -urNp linux-3.1.1/grsecurity/gracl.c linux-3.1.1/grsecurity/gracl.c
47313--- linux-3.1.1/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
47314+++ linux-3.1.1/grsecurity/gracl.c 2011-11-16 19:31:00.000000000 -0500
47315@@ -0,0 +1,4156 @@
47316+#include <linux/kernel.h>
47317+#include <linux/module.h>
47318+#include <linux/sched.h>
47319+#include <linux/mm.h>
47320+#include <linux/file.h>
47321+#include <linux/fs.h>
47322+#include <linux/namei.h>
47323+#include <linux/mount.h>
47324+#include <linux/tty.h>
47325+#include <linux/proc_fs.h>
47326+#include <linux/lglock.h>
47327+#include <linux/slab.h>
47328+#include <linux/vmalloc.h>
47329+#include <linux/types.h>
47330+#include <linux/sysctl.h>
47331+#include <linux/netdevice.h>
47332+#include <linux/ptrace.h>
47333+#include <linux/gracl.h>
47334+#include <linux/gralloc.h>
47335+#include <linux/grsecurity.h>
47336+#include <linux/grinternal.h>
47337+#include <linux/pid_namespace.h>
47338+#include <linux/fdtable.h>
47339+#include <linux/percpu.h>
47340+
47341+#include <asm/uaccess.h>
47342+#include <asm/errno.h>
47343+#include <asm/mman.h>
47344+
47345+static struct acl_role_db acl_role_set;
47346+static struct name_db name_set;
47347+static struct inodev_db inodev_set;
47348+
47349+/* for keeping track of userspace pointers used for subjects, so we
47350+ can share references in the kernel as well
47351+*/
47352+
47353+static struct path real_root;
47354+
47355+static struct acl_subj_map_db subj_map_set;
47356+
47357+static struct acl_role_label *default_role;
47358+
47359+static struct acl_role_label *role_list;
47360+
47361+static u16 acl_sp_role_value;
47362+
47363+extern char *gr_shared_page[4];
47364+static DEFINE_MUTEX(gr_dev_mutex);
47365+DEFINE_RWLOCK(gr_inode_lock);
47366+
47367+struct gr_arg *gr_usermode;
47368+
47369+static unsigned int gr_status __read_only = GR_STATUS_INIT;
47370+
47371+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
47372+extern void gr_clear_learn_entries(void);
47373+
47374+#ifdef CONFIG_GRKERNSEC_RESLOG
47375+extern void gr_log_resource(const struct task_struct *task,
47376+ const int res, const unsigned long wanted, const int gt);
47377+#endif
47378+
47379+unsigned char *gr_system_salt;
47380+unsigned char *gr_system_sum;
47381+
47382+static struct sprole_pw **acl_special_roles = NULL;
47383+static __u16 num_sprole_pws = 0;
47384+
47385+static struct acl_role_label *kernel_role = NULL;
47386+
47387+static unsigned int gr_auth_attempts = 0;
47388+static unsigned long gr_auth_expires = 0UL;
47389+
47390+#ifdef CONFIG_NET
47391+extern struct vfsmount *sock_mnt;
47392+#endif
47393+
47394+extern struct vfsmount *pipe_mnt;
47395+extern struct vfsmount *shm_mnt;
47396+#ifdef CONFIG_HUGETLBFS
47397+extern struct vfsmount *hugetlbfs_vfsmount;
47398+#endif
47399+
47400+static struct acl_object_label *fakefs_obj_rw;
47401+static struct acl_object_label *fakefs_obj_rwx;
47402+
47403+extern int gr_init_uidset(void);
47404+extern void gr_free_uidset(void);
47405+extern void gr_remove_uid(uid_t uid);
47406+extern int gr_find_uid(uid_t uid);
47407+
47408+DECLARE_BRLOCK(vfsmount_lock);
47409+
47410+__inline__ int
47411+gr_acl_is_enabled(void)
47412+{
47413+ return (gr_status & GR_READY);
47414+}
47415+
47416+#ifdef CONFIG_BTRFS_FS
47417+extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
47418+extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
47419+#endif
47420+
47421+static inline dev_t __get_dev(const struct dentry *dentry)
47422+{
47423+#ifdef CONFIG_BTRFS_FS
47424+ if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
47425+ return get_btrfs_dev_from_inode(dentry->d_inode);
47426+ else
47427+#endif
47428+ return dentry->d_inode->i_sb->s_dev;
47429+}
47430+
47431+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
47432+{
47433+ return __get_dev(dentry);
47434+}
47435+
47436+static char gr_task_roletype_to_char(struct task_struct *task)
47437+{
47438+ switch (task->role->roletype &
47439+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
47440+ GR_ROLE_SPECIAL)) {
47441+ case GR_ROLE_DEFAULT:
47442+ return 'D';
47443+ case GR_ROLE_USER:
47444+ return 'U';
47445+ case GR_ROLE_GROUP:
47446+ return 'G';
47447+ case GR_ROLE_SPECIAL:
47448+ return 'S';
47449+ }
47450+
47451+ return 'X';
47452+}
47453+
47454+char gr_roletype_to_char(void)
47455+{
47456+ return gr_task_roletype_to_char(current);
47457+}
47458+
47459+__inline__ int
47460+gr_acl_tpe_check(void)
47461+{
47462+ if (unlikely(!(gr_status & GR_READY)))
47463+ return 0;
47464+ if (current->role->roletype & GR_ROLE_TPE)
47465+ return 1;
47466+ else
47467+ return 0;
47468+}
47469+
47470+int
47471+gr_handle_rawio(const struct inode *inode)
47472+{
47473+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
47474+ if (inode && S_ISBLK(inode->i_mode) &&
47475+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
47476+ !capable(CAP_SYS_RAWIO))
47477+ return 1;
47478+#endif
47479+ return 0;
47480+}
47481+
47482+static int
47483+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
47484+{
47485+ if (likely(lena != lenb))
47486+ return 0;
47487+
47488+ return !memcmp(a, b, lena);
47489+}
47490+
47491+static int prepend(char **buffer, int *buflen, const char *str, int namelen)
47492+{
47493+ *buflen -= namelen;
47494+ if (*buflen < 0)
47495+ return -ENAMETOOLONG;
47496+ *buffer -= namelen;
47497+ memcpy(*buffer, str, namelen);
47498+ return 0;
47499+}
47500+
47501+static int prepend_name(char **buffer, int *buflen, struct qstr *name)
47502+{
47503+ return prepend(buffer, buflen, name->name, name->len);
47504+}
47505+
47506+static int prepend_path(const struct path *path, struct path *root,
47507+ char **buffer, int *buflen)
47508+{
47509+ struct dentry *dentry = path->dentry;
47510+ struct vfsmount *vfsmnt = path->mnt;
47511+ bool slash = false;
47512+ int error = 0;
47513+
47514+ while (dentry != root->dentry || vfsmnt != root->mnt) {
47515+ struct dentry * parent;
47516+
47517+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
47518+ /* Global root? */
47519+ if (vfsmnt->mnt_parent == vfsmnt) {
47520+ goto out;
47521+ }
47522+ dentry = vfsmnt->mnt_mountpoint;
47523+ vfsmnt = vfsmnt->mnt_parent;
47524+ continue;
47525+ }
47526+ parent = dentry->d_parent;
47527+ prefetch(parent);
47528+ spin_lock(&dentry->d_lock);
47529+ error = prepend_name(buffer, buflen, &dentry->d_name);
47530+ spin_unlock(&dentry->d_lock);
47531+ if (!error)
47532+ error = prepend(buffer, buflen, "/", 1);
47533+ if (error)
47534+ break;
47535+
47536+ slash = true;
47537+ dentry = parent;
47538+ }
47539+
47540+out:
47541+ if (!error && !slash)
47542+ error = prepend(buffer, buflen, "/", 1);
47543+
47544+ return error;
47545+}
47546+
47547+/* this must be called with vfsmount_lock and rename_lock held */
47548+
47549+static char *__our_d_path(const struct path *path, struct path *root,
47550+ char *buf, int buflen)
47551+{
47552+ char *res = buf + buflen;
47553+ int error;
47554+
47555+ prepend(&res, &buflen, "\0", 1);
47556+ error = prepend_path(path, root, &res, &buflen);
47557+ if (error)
47558+ return ERR_PTR(error);
47559+
47560+ return res;
47561+}
47562+
47563+static char *
47564+gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
47565+{
47566+ char *retval;
47567+
47568+ retval = __our_d_path(path, root, buf, buflen);
47569+ if (unlikely(IS_ERR(retval)))
47570+ retval = strcpy(buf, "<path too long>");
47571+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
47572+ retval[1] = '\0';
47573+
47574+ return retval;
47575+}
47576+
47577+static char *
47578+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
47579+ char *buf, int buflen)
47580+{
47581+ struct path path;
47582+ char *res;
47583+
47584+ path.dentry = (struct dentry *)dentry;
47585+ path.mnt = (struct vfsmount *)vfsmnt;
47586+
47587+ /* we can use real_root.dentry, real_root.mnt, because this is only called
47588+ by the RBAC system */
47589+ res = gen_full_path(&path, &real_root, buf, buflen);
47590+
47591+ return res;
47592+}
47593+
47594+static char *
47595+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
47596+ char *buf, int buflen)
47597+{
47598+ char *res;
47599+ struct path path;
47600+ struct path root;
47601+ struct task_struct *reaper = &init_task;
47602+
47603+ path.dentry = (struct dentry *)dentry;
47604+ path.mnt = (struct vfsmount *)vfsmnt;
47605+
47606+ /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
47607+ get_fs_root(reaper->fs, &root);
47608+
47609+ write_seqlock(&rename_lock);
47610+ br_read_lock(vfsmount_lock);
47611+ res = gen_full_path(&path, &root, buf, buflen);
47612+ br_read_unlock(vfsmount_lock);
47613+ write_sequnlock(&rename_lock);
47614+
47615+ path_put(&root);
47616+ return res;
47617+}
47618+
47619+static char *
47620+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
47621+{
47622+ char *ret;
47623+ write_seqlock(&rename_lock);
47624+ br_read_lock(vfsmount_lock);
47625+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
47626+ PAGE_SIZE);
47627+ br_read_unlock(vfsmount_lock);
47628+ write_sequnlock(&rename_lock);
47629+ return ret;
47630+}
47631+
47632+static char *
47633+gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
47634+{
47635+ char *ret;
47636+ char *buf;
47637+ int buflen;
47638+
47639+ write_seqlock(&rename_lock);
47640+ br_read_lock(vfsmount_lock);
47641+ buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
47642+ ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
47643+ buflen = (int)(ret - buf);
47644+ if (buflen >= 5)
47645+ prepend(&ret, &buflen, "/proc", 5);
47646+ else
47647+ ret = strcpy(buf, "<path too long>");
47648+ br_read_unlock(vfsmount_lock);
47649+ write_sequnlock(&rename_lock);
47650+ return ret;
47651+}
47652+
47653+char *
47654+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
47655+{
47656+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
47657+ PAGE_SIZE);
47658+}
47659+
47660+char *
47661+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
47662+{
47663+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
47664+ PAGE_SIZE);
47665+}
47666+
47667+char *
47668+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
47669+{
47670+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
47671+ PAGE_SIZE);
47672+}
47673+
47674+char *
47675+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
47676+{
47677+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
47678+ PAGE_SIZE);
47679+}
47680+
47681+char *
47682+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
47683+{
47684+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
47685+ PAGE_SIZE);
47686+}
47687+
47688+__inline__ __u32
47689+to_gr_audit(const __u32 reqmode)
47690+{
47691+ /* masks off auditable permission flags, then shifts them to create
47692+ auditing flags, and adds the special case of append auditing if
47693+ we're requesting write */
47694+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
47695+}
47696+
47697+struct acl_subject_label *
47698+lookup_subject_map(const struct acl_subject_label *userp)
47699+{
47700+ unsigned int index = shash(userp, subj_map_set.s_size);
47701+ struct subject_map *match;
47702+
47703+ match = subj_map_set.s_hash[index];
47704+
47705+ while (match && match->user != userp)
47706+ match = match->next;
47707+
47708+ if (match != NULL)
47709+ return match->kernel;
47710+ else
47711+ return NULL;
47712+}
47713+
47714+static void
47715+insert_subj_map_entry(struct subject_map *subjmap)
47716+{
47717+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
47718+ struct subject_map **curr;
47719+
47720+ subjmap->prev = NULL;
47721+
47722+ curr = &subj_map_set.s_hash[index];
47723+ if (*curr != NULL)
47724+ (*curr)->prev = subjmap;
47725+
47726+ subjmap->next = *curr;
47727+ *curr = subjmap;
47728+
47729+ return;
47730+}
47731+
47732+static struct acl_role_label *
47733+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
47734+ const gid_t gid)
47735+{
47736+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
47737+ struct acl_role_label *match;
47738+ struct role_allowed_ip *ipp;
47739+ unsigned int x;
47740+ u32 curr_ip = task->signal->curr_ip;
47741+
47742+ task->signal->saved_ip = curr_ip;
47743+
47744+ match = acl_role_set.r_hash[index];
47745+
47746+ while (match) {
47747+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
47748+ for (x = 0; x < match->domain_child_num; x++) {
47749+ if (match->domain_children[x] == uid)
47750+ goto found;
47751+ }
47752+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
47753+ break;
47754+ match = match->next;
47755+ }
47756+found:
47757+ if (match == NULL) {
47758+ try_group:
47759+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
47760+ match = acl_role_set.r_hash[index];
47761+
47762+ while (match) {
47763+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
47764+ for (x = 0; x < match->domain_child_num; x++) {
47765+ if (match->domain_children[x] == gid)
47766+ goto found2;
47767+ }
47768+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
47769+ break;
47770+ match = match->next;
47771+ }
47772+found2:
47773+ if (match == NULL)
47774+ match = default_role;
47775+ if (match->allowed_ips == NULL)
47776+ return match;
47777+ else {
47778+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
47779+ if (likely
47780+ ((ntohl(curr_ip) & ipp->netmask) ==
47781+ (ntohl(ipp->addr) & ipp->netmask)))
47782+ return match;
47783+ }
47784+ match = default_role;
47785+ }
47786+ } else if (match->allowed_ips == NULL) {
47787+ return match;
47788+ } else {
47789+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
47790+ if (likely
47791+ ((ntohl(curr_ip) & ipp->netmask) ==
47792+ (ntohl(ipp->addr) & ipp->netmask)))
47793+ return match;
47794+ }
47795+ goto try_group;
47796+ }
47797+
47798+ return match;
47799+}
47800+
47801+struct acl_subject_label *
47802+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
47803+ const struct acl_role_label *role)
47804+{
47805+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
47806+ struct acl_subject_label *match;
47807+
47808+ match = role->subj_hash[index];
47809+
47810+ while (match && (match->inode != ino || match->device != dev ||
47811+ (match->mode & GR_DELETED))) {
47812+ match = match->next;
47813+ }
47814+
47815+ if (match && !(match->mode & GR_DELETED))
47816+ return match;
47817+ else
47818+ return NULL;
47819+}
47820+
47821+struct acl_subject_label *
47822+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
47823+ const struct acl_role_label *role)
47824+{
47825+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
47826+ struct acl_subject_label *match;
47827+
47828+ match = role->subj_hash[index];
47829+
47830+ while (match && (match->inode != ino || match->device != dev ||
47831+ !(match->mode & GR_DELETED))) {
47832+ match = match->next;
47833+ }
47834+
47835+ if (match && (match->mode & GR_DELETED))
47836+ return match;
47837+ else
47838+ return NULL;
47839+}
47840+
47841+static struct acl_object_label *
47842+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
47843+ const struct acl_subject_label *subj)
47844+{
47845+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
47846+ struct acl_object_label *match;
47847+
47848+ match = subj->obj_hash[index];
47849+
47850+ while (match && (match->inode != ino || match->device != dev ||
47851+ (match->mode & GR_DELETED))) {
47852+ match = match->next;
47853+ }
47854+
47855+ if (match && !(match->mode & GR_DELETED))
47856+ return match;
47857+ else
47858+ return NULL;
47859+}
47860+
47861+static struct acl_object_label *
47862+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
47863+ const struct acl_subject_label *subj)
47864+{
47865+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
47866+ struct acl_object_label *match;
47867+
47868+ match = subj->obj_hash[index];
47869+
47870+ while (match && (match->inode != ino || match->device != dev ||
47871+ !(match->mode & GR_DELETED))) {
47872+ match = match->next;
47873+ }
47874+
47875+ if (match && (match->mode & GR_DELETED))
47876+ return match;
47877+
47878+ match = subj->obj_hash[index];
47879+
47880+ while (match && (match->inode != ino || match->device != dev ||
47881+ (match->mode & GR_DELETED))) {
47882+ match = match->next;
47883+ }
47884+
47885+ if (match && !(match->mode & GR_DELETED))
47886+ return match;
47887+ else
47888+ return NULL;
47889+}
47890+
47891+static struct name_entry *
47892+lookup_name_entry(const char *name)
47893+{
47894+ unsigned int len = strlen(name);
47895+ unsigned int key = full_name_hash(name, len);
47896+ unsigned int index = key % name_set.n_size;
47897+ struct name_entry *match;
47898+
47899+ match = name_set.n_hash[index];
47900+
47901+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
47902+ match = match->next;
47903+
47904+ return match;
47905+}
47906+
47907+static struct name_entry *
47908+lookup_name_entry_create(const char *name)
47909+{
47910+ unsigned int len = strlen(name);
47911+ unsigned int key = full_name_hash(name, len);
47912+ unsigned int index = key % name_set.n_size;
47913+ struct name_entry *match;
47914+
47915+ match = name_set.n_hash[index];
47916+
47917+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
47918+ !match->deleted))
47919+ match = match->next;
47920+
47921+ if (match && match->deleted)
47922+ return match;
47923+
47924+ match = name_set.n_hash[index];
47925+
47926+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
47927+ match->deleted))
47928+ match = match->next;
47929+
47930+ if (match && !match->deleted)
47931+ return match;
47932+ else
47933+ return NULL;
47934+}
47935+
47936+static struct inodev_entry *
47937+lookup_inodev_entry(const ino_t ino, const dev_t dev)
47938+{
47939+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
47940+ struct inodev_entry *match;
47941+
47942+ match = inodev_set.i_hash[index];
47943+
47944+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
47945+ match = match->next;
47946+
47947+ return match;
47948+}
47949+
47950+static void
47951+insert_inodev_entry(struct inodev_entry *entry)
47952+{
47953+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
47954+ inodev_set.i_size);
47955+ struct inodev_entry **curr;
47956+
47957+ entry->prev = NULL;
47958+
47959+ curr = &inodev_set.i_hash[index];
47960+ if (*curr != NULL)
47961+ (*curr)->prev = entry;
47962+
47963+ entry->next = *curr;
47964+ *curr = entry;
47965+
47966+ return;
47967+}
47968+
47969+static void
47970+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
47971+{
47972+ unsigned int index =
47973+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
47974+ struct acl_role_label **curr;
47975+ struct acl_role_label *tmp;
47976+
47977+ curr = &acl_role_set.r_hash[index];
47978+
47979+ /* if role was already inserted due to domains and already has
47980+ a role in the same bucket as it attached, then we need to
47981+ combine these two buckets
47982+ */
47983+ if (role->next) {
47984+ tmp = role->next;
47985+ while (tmp->next)
47986+ tmp = tmp->next;
47987+ tmp->next = *curr;
47988+ } else
47989+ role->next = *curr;
47990+ *curr = role;
47991+
47992+ return;
47993+}
47994+
47995+static void
47996+insert_acl_role_label(struct acl_role_label *role)
47997+{
47998+ int i;
47999+
48000+ if (role_list == NULL) {
48001+ role_list = role;
48002+ role->prev = NULL;
48003+ } else {
48004+ role->prev = role_list;
48005+ role_list = role;
48006+ }
48007+
48008+ /* used for hash chains */
48009+ role->next = NULL;
48010+
48011+ if (role->roletype & GR_ROLE_DOMAIN) {
48012+ for (i = 0; i < role->domain_child_num; i++)
48013+ __insert_acl_role_label(role, role->domain_children[i]);
48014+ } else
48015+ __insert_acl_role_label(role, role->uidgid);
48016+}
48017+
48018+static int
48019+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
48020+{
48021+ struct name_entry **curr, *nentry;
48022+ struct inodev_entry *ientry;
48023+ unsigned int len = strlen(name);
48024+ unsigned int key = full_name_hash(name, len);
48025+ unsigned int index = key % name_set.n_size;
48026+
48027+ curr = &name_set.n_hash[index];
48028+
48029+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
48030+ curr = &((*curr)->next);
48031+
48032+ if (*curr != NULL)
48033+ return 1;
48034+
48035+ nentry = acl_alloc(sizeof (struct name_entry));
48036+ if (nentry == NULL)
48037+ return 0;
48038+ ientry = acl_alloc(sizeof (struct inodev_entry));
48039+ if (ientry == NULL)
48040+ return 0;
48041+ ientry->nentry = nentry;
48042+
48043+ nentry->key = key;
48044+ nentry->name = name;
48045+ nentry->inode = inode;
48046+ nentry->device = device;
48047+ nentry->len = len;
48048+ nentry->deleted = deleted;
48049+
48050+ nentry->prev = NULL;
48051+ curr = &name_set.n_hash[index];
48052+ if (*curr != NULL)
48053+ (*curr)->prev = nentry;
48054+ nentry->next = *curr;
48055+ *curr = nentry;
48056+
48057+ /* insert us into the table searchable by inode/dev */
48058+ insert_inodev_entry(ientry);
48059+
48060+ return 1;
48061+}
48062+
48063+static void
48064+insert_acl_obj_label(struct acl_object_label *obj,
48065+ struct acl_subject_label *subj)
48066+{
48067+ unsigned int index =
48068+ fhash(obj->inode, obj->device, subj->obj_hash_size);
48069+ struct acl_object_label **curr;
48070+
48071+
48072+ obj->prev = NULL;
48073+
48074+ curr = &subj->obj_hash[index];
48075+ if (*curr != NULL)
48076+ (*curr)->prev = obj;
48077+
48078+ obj->next = *curr;
48079+ *curr = obj;
48080+
48081+ return;
48082+}
48083+
48084+static void
48085+insert_acl_subj_label(struct acl_subject_label *obj,
48086+ struct acl_role_label *role)
48087+{
48088+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
48089+ struct acl_subject_label **curr;
48090+
48091+ obj->prev = NULL;
48092+
48093+ curr = &role->subj_hash[index];
48094+ if (*curr != NULL)
48095+ (*curr)->prev = obj;
48096+
48097+ obj->next = *curr;
48098+ *curr = obj;
48099+
48100+ return;
48101+}
48102+
48103+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
48104+
48105+static void *
48106+create_table(__u32 * len, int elementsize)
48107+{
48108+ unsigned int table_sizes[] = {
48109+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
48110+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
48111+ 4194301, 8388593, 16777213, 33554393, 67108859
48112+ };
48113+ void *newtable = NULL;
48114+ unsigned int pwr = 0;
48115+
48116+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
48117+ table_sizes[pwr] <= *len)
48118+ pwr++;
48119+
48120+ if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
48121+ return newtable;
48122+
48123+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
48124+ newtable =
48125+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
48126+ else
48127+ newtable = vmalloc(table_sizes[pwr] * elementsize);
48128+
48129+ *len = table_sizes[pwr];
48130+
48131+ return newtable;
48132+}
48133+
48134+static int
48135+init_variables(const struct gr_arg *arg)
48136+{
48137+ struct task_struct *reaper = &init_task;
48138+ unsigned int stacksize;
48139+
48140+ subj_map_set.s_size = arg->role_db.num_subjects;
48141+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
48142+ name_set.n_size = arg->role_db.num_objects;
48143+ inodev_set.i_size = arg->role_db.num_objects;
48144+
48145+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
48146+ !name_set.n_size || !inodev_set.i_size)
48147+ return 1;
48148+
48149+ if (!gr_init_uidset())
48150+ return 1;
48151+
48152+ /* set up the stack that holds allocation info */
48153+
48154+ stacksize = arg->role_db.num_pointers + 5;
48155+
48156+ if (!acl_alloc_stack_init(stacksize))
48157+ return 1;
48158+
48159+ /* grab reference for the real root dentry and vfsmount */
48160+ get_fs_root(reaper->fs, &real_root);
48161+
48162+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
48163+ printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
48164+#endif
48165+
48166+ fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
48167+ if (fakefs_obj_rw == NULL)
48168+ return 1;
48169+ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
48170+
48171+ fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
48172+ if (fakefs_obj_rwx == NULL)
48173+ return 1;
48174+ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
48175+
48176+ subj_map_set.s_hash =
48177+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
48178+ acl_role_set.r_hash =
48179+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
48180+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
48181+ inodev_set.i_hash =
48182+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
48183+
48184+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
48185+ !name_set.n_hash || !inodev_set.i_hash)
48186+ return 1;
48187+
48188+ memset(subj_map_set.s_hash, 0,
48189+ sizeof(struct subject_map *) * subj_map_set.s_size);
48190+ memset(acl_role_set.r_hash, 0,
48191+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
48192+ memset(name_set.n_hash, 0,
48193+ sizeof (struct name_entry *) * name_set.n_size);
48194+ memset(inodev_set.i_hash, 0,
48195+ sizeof (struct inodev_entry *) * inodev_set.i_size);
48196+
48197+ return 0;
48198+}
48199+
48200+/* free information not needed after startup
48201+ currently contains user->kernel pointer mappings for subjects
48202+*/
48203+
48204+static void
48205+free_init_variables(void)
48206+{
48207+ __u32 i;
48208+
48209+ if (subj_map_set.s_hash) {
48210+ for (i = 0; i < subj_map_set.s_size; i++) {
48211+ if (subj_map_set.s_hash[i]) {
48212+ kfree(subj_map_set.s_hash[i]);
48213+ subj_map_set.s_hash[i] = NULL;
48214+ }
48215+ }
48216+
48217+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
48218+ PAGE_SIZE)
48219+ kfree(subj_map_set.s_hash);
48220+ else
48221+ vfree(subj_map_set.s_hash);
48222+ }
48223+
48224+ return;
48225+}
48226+
48227+static void
48228+free_variables(void)
48229+{
48230+ struct acl_subject_label *s;
48231+ struct acl_role_label *r;
48232+ struct task_struct *task, *task2;
48233+ unsigned int x;
48234+
48235+ gr_clear_learn_entries();
48236+
48237+ read_lock(&tasklist_lock);
48238+ do_each_thread(task2, task) {
48239+ task->acl_sp_role = 0;
48240+ task->acl_role_id = 0;
48241+ task->acl = NULL;
48242+ task->role = NULL;
48243+ } while_each_thread(task2, task);
48244+ read_unlock(&tasklist_lock);
48245+
48246+ /* release the reference to the real root dentry and vfsmount */
48247+ path_put(&real_root);
48248+
48249+ /* free all object hash tables */
48250+
48251+ FOR_EACH_ROLE_START(r)
48252+ if (r->subj_hash == NULL)
48253+ goto next_role;
48254+ FOR_EACH_SUBJECT_START(r, s, x)
48255+ if (s->obj_hash == NULL)
48256+ break;
48257+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
48258+ kfree(s->obj_hash);
48259+ else
48260+ vfree(s->obj_hash);
48261+ FOR_EACH_SUBJECT_END(s, x)
48262+ FOR_EACH_NESTED_SUBJECT_START(r, s)
48263+ if (s->obj_hash == NULL)
48264+ break;
48265+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
48266+ kfree(s->obj_hash);
48267+ else
48268+ vfree(s->obj_hash);
48269+ FOR_EACH_NESTED_SUBJECT_END(s)
48270+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
48271+ kfree(r->subj_hash);
48272+ else
48273+ vfree(r->subj_hash);
48274+ r->subj_hash = NULL;
48275+next_role:
48276+ FOR_EACH_ROLE_END(r)
48277+
48278+ acl_free_all();
48279+
48280+ if (acl_role_set.r_hash) {
48281+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
48282+ PAGE_SIZE)
48283+ kfree(acl_role_set.r_hash);
48284+ else
48285+ vfree(acl_role_set.r_hash);
48286+ }
48287+ if (name_set.n_hash) {
48288+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
48289+ PAGE_SIZE)
48290+ kfree(name_set.n_hash);
48291+ else
48292+ vfree(name_set.n_hash);
48293+ }
48294+
48295+ if (inodev_set.i_hash) {
48296+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
48297+ PAGE_SIZE)
48298+ kfree(inodev_set.i_hash);
48299+ else
48300+ vfree(inodev_set.i_hash);
48301+ }
48302+
48303+ gr_free_uidset();
48304+
48305+ memset(&name_set, 0, sizeof (struct name_db));
48306+ memset(&inodev_set, 0, sizeof (struct inodev_db));
48307+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
48308+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
48309+
48310+ default_role = NULL;
48311+ role_list = NULL;
48312+
48313+ return;
48314+}
48315+
48316+static __u32
48317+count_user_objs(struct acl_object_label *userp)
48318+{
48319+ struct acl_object_label o_tmp;
48320+ __u32 num = 0;
48321+
48322+ while (userp) {
48323+ if (copy_from_user(&o_tmp, userp,
48324+ sizeof (struct acl_object_label)))
48325+ break;
48326+
48327+ userp = o_tmp.prev;
48328+ num++;
48329+ }
48330+
48331+ return num;
48332+}
48333+
48334+static struct acl_subject_label *
48335+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
48336+
48337+static int
48338+copy_user_glob(struct acl_object_label *obj)
48339+{
48340+ struct acl_object_label *g_tmp, **guser;
48341+ unsigned int len;
48342+ char *tmp;
48343+
48344+ if (obj->globbed == NULL)
48345+ return 0;
48346+
48347+ guser = &obj->globbed;
48348+ while (*guser) {
48349+ g_tmp = (struct acl_object_label *)
48350+ acl_alloc(sizeof (struct acl_object_label));
48351+ if (g_tmp == NULL)
48352+ return -ENOMEM;
48353+
48354+ if (copy_from_user(g_tmp, *guser,
48355+ sizeof (struct acl_object_label)))
48356+ return -EFAULT;
48357+
48358+ len = strnlen_user(g_tmp->filename, PATH_MAX);
48359+
48360+ if (!len || len >= PATH_MAX)
48361+ return -EINVAL;
48362+
48363+ if ((tmp = (char *) acl_alloc(len)) == NULL)
48364+ return -ENOMEM;
48365+
48366+ if (copy_from_user(tmp, g_tmp->filename, len))
48367+ return -EFAULT;
48368+ tmp[len-1] = '\0';
48369+ g_tmp->filename = tmp;
48370+
48371+ *guser = g_tmp;
48372+ guser = &(g_tmp->next);
48373+ }
48374+
48375+ return 0;
48376+}
48377+
48378+static int
48379+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
48380+ struct acl_role_label *role)
48381+{
48382+ struct acl_object_label *o_tmp;
48383+ unsigned int len;
48384+ int ret;
48385+ char *tmp;
48386+
48387+ while (userp) {
48388+ if ((o_tmp = (struct acl_object_label *)
48389+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
48390+ return -ENOMEM;
48391+
48392+ if (copy_from_user(o_tmp, userp,
48393+ sizeof (struct acl_object_label)))
48394+ return -EFAULT;
48395+
48396+ userp = o_tmp->prev;
48397+
48398+ len = strnlen_user(o_tmp->filename, PATH_MAX);
48399+
48400+ if (!len || len >= PATH_MAX)
48401+ return -EINVAL;
48402+
48403+ if ((tmp = (char *) acl_alloc(len)) == NULL)
48404+ return -ENOMEM;
48405+
48406+ if (copy_from_user(tmp, o_tmp->filename, len))
48407+ return -EFAULT;
48408+ tmp[len-1] = '\0';
48409+ o_tmp->filename = tmp;
48410+
48411+ insert_acl_obj_label(o_tmp, subj);
48412+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
48413+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
48414+ return -ENOMEM;
48415+
48416+ ret = copy_user_glob(o_tmp);
48417+ if (ret)
48418+ return ret;
48419+
48420+ if (o_tmp->nested) {
48421+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
48422+ if (IS_ERR(o_tmp->nested))
48423+ return PTR_ERR(o_tmp->nested);
48424+
48425+ /* insert into nested subject list */
48426+ o_tmp->nested->next = role->hash->first;
48427+ role->hash->first = o_tmp->nested;
48428+ }
48429+ }
48430+
48431+ return 0;
48432+}
48433+
48434+static __u32
48435+count_user_subjs(struct acl_subject_label *userp)
48436+{
48437+ struct acl_subject_label s_tmp;
48438+ __u32 num = 0;
48439+
48440+ while (userp) {
48441+ if (copy_from_user(&s_tmp, userp,
48442+ sizeof (struct acl_subject_label)))
48443+ break;
48444+
48445+ userp = s_tmp.prev;
48446+ /* do not count nested subjects against this count, since
48447+ they are not included in the hash table, but are
48448+ attached to objects. We have already counted
48449+ the subjects in userspace for the allocation
48450+ stack
48451+ */
48452+ if (!(s_tmp.mode & GR_NESTED))
48453+ num++;
48454+ }
48455+
48456+ return num;
48457+}
48458+
48459+static int
48460+copy_user_allowedips(struct acl_role_label *rolep)
48461+{
48462+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
48463+
48464+ ruserip = rolep->allowed_ips;
48465+
48466+ while (ruserip) {
48467+ rlast = rtmp;
48468+
48469+ if ((rtmp = (struct role_allowed_ip *)
48470+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
48471+ return -ENOMEM;
48472+
48473+ if (copy_from_user(rtmp, ruserip,
48474+ sizeof (struct role_allowed_ip)))
48475+ return -EFAULT;
48476+
48477+ ruserip = rtmp->prev;
48478+
48479+ if (!rlast) {
48480+ rtmp->prev = NULL;
48481+ rolep->allowed_ips = rtmp;
48482+ } else {
48483+ rlast->next = rtmp;
48484+ rtmp->prev = rlast;
48485+ }
48486+
48487+ if (!ruserip)
48488+ rtmp->next = NULL;
48489+ }
48490+
48491+ return 0;
48492+}
48493+
48494+static int
48495+copy_user_transitions(struct acl_role_label *rolep)
48496+{
48497+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
48498+
48499+ unsigned int len;
48500+ char *tmp;
48501+
48502+ rusertp = rolep->transitions;
48503+
48504+ while (rusertp) {
48505+ rlast = rtmp;
48506+
48507+ if ((rtmp = (struct role_transition *)
48508+ acl_alloc(sizeof (struct role_transition))) == NULL)
48509+ return -ENOMEM;
48510+
48511+ if (copy_from_user(rtmp, rusertp,
48512+ sizeof (struct role_transition)))
48513+ return -EFAULT;
48514+
48515+ rusertp = rtmp->prev;
48516+
48517+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
48518+
48519+ if (!len || len >= GR_SPROLE_LEN)
48520+ return -EINVAL;
48521+
48522+ if ((tmp = (char *) acl_alloc(len)) == NULL)
48523+ return -ENOMEM;
48524+
48525+ if (copy_from_user(tmp, rtmp->rolename, len))
48526+ return -EFAULT;
48527+ tmp[len-1] = '\0';
48528+ rtmp->rolename = tmp;
48529+
48530+ if (!rlast) {
48531+ rtmp->prev = NULL;
48532+ rolep->transitions = rtmp;
48533+ } else {
48534+ rlast->next = rtmp;
48535+ rtmp->prev = rlast;
48536+ }
48537+
48538+ if (!rusertp)
48539+ rtmp->next = NULL;
48540+ }
48541+
48542+ return 0;
48543+}
48544+
48545+static struct acl_subject_label *
48546+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
48547+{
48548+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
48549+ unsigned int len;
48550+ char *tmp;
48551+ __u32 num_objs;
48552+ struct acl_ip_label **i_tmp, *i_utmp2;
48553+ struct gr_hash_struct ghash;
48554+ struct subject_map *subjmap;
48555+ unsigned int i_num;
48556+ int err;
48557+
48558+ s_tmp = lookup_subject_map(userp);
48559+
48560+ /* we've already copied this subject into the kernel, just return
48561+ the reference to it, and don't copy it over again
48562+ */
48563+ if (s_tmp)
48564+ return(s_tmp);
48565+
48566+ if ((s_tmp = (struct acl_subject_label *)
48567+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
48568+ return ERR_PTR(-ENOMEM);
48569+
48570+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
48571+ if (subjmap == NULL)
48572+ return ERR_PTR(-ENOMEM);
48573+
48574+ subjmap->user = userp;
48575+ subjmap->kernel = s_tmp;
48576+ insert_subj_map_entry(subjmap);
48577+
48578+ if (copy_from_user(s_tmp, userp,
48579+ sizeof (struct acl_subject_label)))
48580+ return ERR_PTR(-EFAULT);
48581+
48582+ len = strnlen_user(s_tmp->filename, PATH_MAX);
48583+
48584+ if (!len || len >= PATH_MAX)
48585+ return ERR_PTR(-EINVAL);
48586+
48587+ if ((tmp = (char *) acl_alloc(len)) == NULL)
48588+ return ERR_PTR(-ENOMEM);
48589+
48590+ if (copy_from_user(tmp, s_tmp->filename, len))
48591+ return ERR_PTR(-EFAULT);
48592+ tmp[len-1] = '\0';
48593+ s_tmp->filename = tmp;
48594+
48595+ if (!strcmp(s_tmp->filename, "/"))
48596+ role->root_label = s_tmp;
48597+
48598+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
48599+ return ERR_PTR(-EFAULT);
48600+
48601+ /* copy user and group transition tables */
48602+
48603+ if (s_tmp->user_trans_num) {
48604+ uid_t *uidlist;
48605+
48606+ uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
48607+ if (uidlist == NULL)
48608+ return ERR_PTR(-ENOMEM);
48609+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
48610+ return ERR_PTR(-EFAULT);
48611+
48612+ s_tmp->user_transitions = uidlist;
48613+ }
48614+
48615+ if (s_tmp->group_trans_num) {
48616+ gid_t *gidlist;
48617+
48618+ gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
48619+ if (gidlist == NULL)
48620+ return ERR_PTR(-ENOMEM);
48621+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
48622+ return ERR_PTR(-EFAULT);
48623+
48624+ s_tmp->group_transitions = gidlist;
48625+ }
48626+
48627+ /* set up object hash table */
48628+ num_objs = count_user_objs(ghash.first);
48629+
48630+ s_tmp->obj_hash_size = num_objs;
48631+ s_tmp->obj_hash =
48632+ (struct acl_object_label **)
48633+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
48634+
48635+ if (!s_tmp->obj_hash)
48636+ return ERR_PTR(-ENOMEM);
48637+
48638+ memset(s_tmp->obj_hash, 0,
48639+ s_tmp->obj_hash_size *
48640+ sizeof (struct acl_object_label *));
48641+
48642+ /* add in objects */
48643+ err = copy_user_objs(ghash.first, s_tmp, role);
48644+
48645+ if (err)
48646+ return ERR_PTR(err);
48647+
48648+ /* set pointer for parent subject */
48649+ if (s_tmp->parent_subject) {
48650+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
48651+
48652+ if (IS_ERR(s_tmp2))
48653+ return s_tmp2;
48654+
48655+ s_tmp->parent_subject = s_tmp2;
48656+ }
48657+
48658+ /* add in ip acls */
48659+
48660+ if (!s_tmp->ip_num) {
48661+ s_tmp->ips = NULL;
48662+ goto insert;
48663+ }
48664+
48665+ i_tmp =
48666+ (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
48667+ sizeof (struct acl_ip_label *));
48668+
48669+ if (!i_tmp)
48670+ return ERR_PTR(-ENOMEM);
48671+
48672+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
48673+ *(i_tmp + i_num) =
48674+ (struct acl_ip_label *)
48675+ acl_alloc(sizeof (struct acl_ip_label));
48676+ if (!*(i_tmp + i_num))
48677+ return ERR_PTR(-ENOMEM);
48678+
48679+ if (copy_from_user
48680+ (&i_utmp2, s_tmp->ips + i_num,
48681+ sizeof (struct acl_ip_label *)))
48682+ return ERR_PTR(-EFAULT);
48683+
48684+ if (copy_from_user
48685+ (*(i_tmp + i_num), i_utmp2,
48686+ sizeof (struct acl_ip_label)))
48687+ return ERR_PTR(-EFAULT);
48688+
48689+ if ((*(i_tmp + i_num))->iface == NULL)
48690+ continue;
48691+
48692+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
48693+ if (!len || len >= IFNAMSIZ)
48694+ return ERR_PTR(-EINVAL);
48695+ tmp = acl_alloc(len);
48696+ if (tmp == NULL)
48697+ return ERR_PTR(-ENOMEM);
48698+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
48699+ return ERR_PTR(-EFAULT);
48700+ (*(i_tmp + i_num))->iface = tmp;
48701+ }
48702+
48703+ s_tmp->ips = i_tmp;
48704+
48705+insert:
48706+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
48707+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
48708+ return ERR_PTR(-ENOMEM);
48709+
48710+ return s_tmp;
48711+}
48712+
48713+static int
48714+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
48715+{
48716+ struct acl_subject_label s_pre;
48717+ struct acl_subject_label * ret;
48718+ int err;
48719+
48720+ while (userp) {
48721+ if (copy_from_user(&s_pre, userp,
48722+ sizeof (struct acl_subject_label)))
48723+ return -EFAULT;
48724+
48725+ /* do not add nested subjects here, add
48726+ while parsing objects
48727+ */
48728+
48729+ if (s_pre.mode & GR_NESTED) {
48730+ userp = s_pre.prev;
48731+ continue;
48732+ }
48733+
48734+ ret = do_copy_user_subj(userp, role);
48735+
48736+ err = PTR_ERR(ret);
48737+ if (IS_ERR(ret))
48738+ return err;
48739+
48740+ insert_acl_subj_label(ret, role);
48741+
48742+ userp = s_pre.prev;
48743+ }
48744+
48745+ return 0;
48746+}
48747+
48748+static int
48749+copy_user_acl(struct gr_arg *arg)
48750+{
48751+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
48752+ struct sprole_pw *sptmp;
48753+ struct gr_hash_struct *ghash;
48754+ uid_t *domainlist;
48755+ unsigned int r_num;
48756+ unsigned int len;
48757+ char *tmp;
48758+ int err = 0;
48759+ __u16 i;
48760+ __u32 num_subjs;
48761+
48762+ /* we need a default and kernel role */
48763+ if (arg->role_db.num_roles < 2)
48764+ return -EINVAL;
48765+
48766+ /* copy special role authentication info from userspace */
48767+
48768+ num_sprole_pws = arg->num_sprole_pws;
48769+ acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
48770+
48771+ if (!acl_special_roles) {
48772+ err = -ENOMEM;
48773+ goto cleanup;
48774+ }
48775+
48776+ for (i = 0; i < num_sprole_pws; i++) {
48777+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
48778+ if (!sptmp) {
48779+ err = -ENOMEM;
48780+ goto cleanup;
48781+ }
48782+ if (copy_from_user(sptmp, arg->sprole_pws + i,
48783+ sizeof (struct sprole_pw))) {
48784+ err = -EFAULT;
48785+ goto cleanup;
48786+ }
48787+
48788+ len =
48789+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
48790+
48791+ if (!len || len >= GR_SPROLE_LEN) {
48792+ err = -EINVAL;
48793+ goto cleanup;
48794+ }
48795+
48796+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
48797+ err = -ENOMEM;
48798+ goto cleanup;
48799+ }
48800+
48801+ if (copy_from_user(tmp, sptmp->rolename, len)) {
48802+ err = -EFAULT;
48803+ goto cleanup;
48804+ }
48805+ tmp[len-1] = '\0';
48806+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
48807+ printk(KERN_ALERT "Copying special role %s\n", tmp);
48808+#endif
48809+ sptmp->rolename = tmp;
48810+ acl_special_roles[i] = sptmp;
48811+ }
48812+
48813+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
48814+
48815+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
48816+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
48817+
48818+ if (!r_tmp) {
48819+ err = -ENOMEM;
48820+ goto cleanup;
48821+ }
48822+
48823+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
48824+ sizeof (struct acl_role_label *))) {
48825+ err = -EFAULT;
48826+ goto cleanup;
48827+ }
48828+
48829+ if (copy_from_user(r_tmp, r_utmp2,
48830+ sizeof (struct acl_role_label))) {
48831+ err = -EFAULT;
48832+ goto cleanup;
48833+ }
48834+
48835+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
48836+
48837+ if (!len || len >= PATH_MAX) {
48838+ err = -EINVAL;
48839+ goto cleanup;
48840+ }
48841+
48842+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
48843+ err = -ENOMEM;
48844+ goto cleanup;
48845+ }
48846+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
48847+ err = -EFAULT;
48848+ goto cleanup;
48849+ }
48850+ tmp[len-1] = '\0';
48851+ r_tmp->rolename = tmp;
48852+
48853+ if (!strcmp(r_tmp->rolename, "default")
48854+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
48855+ default_role = r_tmp;
48856+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
48857+ kernel_role = r_tmp;
48858+ }
48859+
48860+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
48861+ err = -ENOMEM;
48862+ goto cleanup;
48863+ }
48864+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
48865+ err = -EFAULT;
48866+ goto cleanup;
48867+ }
48868+
48869+ r_tmp->hash = ghash;
48870+
48871+ num_subjs = count_user_subjs(r_tmp->hash->first);
48872+
48873+ r_tmp->subj_hash_size = num_subjs;
48874+ r_tmp->subj_hash =
48875+ (struct acl_subject_label **)
48876+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
48877+
48878+ if (!r_tmp->subj_hash) {
48879+ err = -ENOMEM;
48880+ goto cleanup;
48881+ }
48882+
48883+ err = copy_user_allowedips(r_tmp);
48884+ if (err)
48885+ goto cleanup;
48886+
48887+ /* copy domain info */
48888+ if (r_tmp->domain_children != NULL) {
48889+ domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
48890+ if (domainlist == NULL) {
48891+ err = -ENOMEM;
48892+ goto cleanup;
48893+ }
48894+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
48895+ err = -EFAULT;
48896+ goto cleanup;
48897+ }
48898+ r_tmp->domain_children = domainlist;
48899+ }
48900+
48901+ err = copy_user_transitions(r_tmp);
48902+ if (err)
48903+ goto cleanup;
48904+
48905+ memset(r_tmp->subj_hash, 0,
48906+ r_tmp->subj_hash_size *
48907+ sizeof (struct acl_subject_label *));
48908+
48909+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
48910+
48911+ if (err)
48912+ goto cleanup;
48913+
48914+ /* set nested subject list to null */
48915+ r_tmp->hash->first = NULL;
48916+
48917+ insert_acl_role_label(r_tmp);
48918+ }
48919+
48920+ goto return_err;
48921+ cleanup:
48922+ free_variables();
48923+ return_err:
48924+ return err;
48925+
48926+}
48927+
48928+static int
48929+gracl_init(struct gr_arg *args)
48930+{
48931+ int error = 0;
48932+
48933+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
48934+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
48935+
48936+ if (init_variables(args)) {
48937+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
48938+ error = -ENOMEM;
48939+ free_variables();
48940+ goto out;
48941+ }
48942+
48943+ error = copy_user_acl(args);
48944+ free_init_variables();
48945+ if (error) {
48946+ free_variables();
48947+ goto out;
48948+ }
48949+
48950+ if ((error = gr_set_acls(0))) {
48951+ free_variables();
48952+ goto out;
48953+ }
48954+
48955+ pax_open_kernel();
48956+ gr_status |= GR_READY;
48957+ pax_close_kernel();
48958+
48959+ out:
48960+ return error;
48961+}
48962+
48963+/* derived from glibc fnmatch() 0: match, 1: no match*/
48964+
48965+static int
48966+glob_match(const char *p, const char *n)
48967+{
48968+ char c;
48969+
48970+ while ((c = *p++) != '\0') {
48971+ switch (c) {
48972+ case '?':
48973+ if (*n == '\0')
48974+ return 1;
48975+ else if (*n == '/')
48976+ return 1;
48977+ break;
48978+ case '\\':
48979+ if (*n != c)
48980+ return 1;
48981+ break;
48982+ case '*':
48983+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
48984+ if (*n == '/')
48985+ return 1;
48986+ else if (c == '?') {
48987+ if (*n == '\0')
48988+ return 1;
48989+ else
48990+ ++n;
48991+ }
48992+ }
48993+ if (c == '\0') {
48994+ return 0;
48995+ } else {
48996+ const char *endp;
48997+
48998+ if ((endp = strchr(n, '/')) == NULL)
48999+ endp = n + strlen(n);
49000+
49001+ if (c == '[') {
49002+ for (--p; n < endp; ++n)
49003+ if (!glob_match(p, n))
49004+ return 0;
49005+ } else if (c == '/') {
49006+ while (*n != '\0' && *n != '/')
49007+ ++n;
49008+ if (*n == '/' && !glob_match(p, n + 1))
49009+ return 0;
49010+ } else {
49011+ for (--p; n < endp; ++n)
49012+ if (*n == c && !glob_match(p, n))
49013+ return 0;
49014+ }
49015+
49016+ return 1;
49017+ }
49018+ case '[':
49019+ {
49020+ int not;
49021+ char cold;
49022+
49023+ if (*n == '\0' || *n == '/')
49024+ return 1;
49025+
49026+ not = (*p == '!' || *p == '^');
49027+ if (not)
49028+ ++p;
49029+
49030+ c = *p++;
49031+ for (;;) {
49032+ unsigned char fn = (unsigned char)*n;
49033+
49034+ if (c == '\0')
49035+ return 1;
49036+ else {
49037+ if (c == fn)
49038+ goto matched;
49039+ cold = c;
49040+ c = *p++;
49041+
49042+ if (c == '-' && *p != ']') {
49043+ unsigned char cend = *p++;
49044+
49045+ if (cend == '\0')
49046+ return 1;
49047+
49048+ if (cold <= fn && fn <= cend)
49049+ goto matched;
49050+
49051+ c = *p++;
49052+ }
49053+ }
49054+
49055+ if (c == ']')
49056+ break;
49057+ }
49058+ if (!not)
49059+ return 1;
49060+ break;
49061+ matched:
49062+ while (c != ']') {
49063+ if (c == '\0')
49064+ return 1;
49065+
49066+ c = *p++;
49067+ }
49068+ if (not)
49069+ return 1;
49070+ }
49071+ break;
49072+ default:
49073+ if (c != *n)
49074+ return 1;
49075+ }
49076+
49077+ ++n;
49078+ }
49079+
49080+ if (*n == '\0')
49081+ return 0;
49082+
49083+ if (*n == '/')
49084+ return 0;
49085+
49086+ return 1;
49087+}
49088+
49089+static struct acl_object_label *
49090+chk_glob_label(struct acl_object_label *globbed,
49091+ struct dentry *dentry, struct vfsmount *mnt, char **path)
49092+{
49093+ struct acl_object_label *tmp;
49094+
49095+ if (*path == NULL)
49096+ *path = gr_to_filename_nolock(dentry, mnt);
49097+
49098+ tmp = globbed;
49099+
49100+ while (tmp) {
49101+ if (!glob_match(tmp->filename, *path))
49102+ return tmp;
49103+ tmp = tmp->next;
49104+ }
49105+
49106+ return NULL;
49107+}
49108+
49109+static struct acl_object_label *
49110+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
49111+ const ino_t curr_ino, const dev_t curr_dev,
49112+ const struct acl_subject_label *subj, char **path, const int checkglob)
49113+{
49114+ struct acl_subject_label *tmpsubj;
49115+ struct acl_object_label *retval;
49116+ struct acl_object_label *retval2;
49117+
49118+ tmpsubj = (struct acl_subject_label *) subj;
49119+ read_lock(&gr_inode_lock);
49120+ do {
49121+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
49122+ if (retval) {
49123+ if (checkglob && retval->globbed) {
49124+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
49125+ (struct vfsmount *)orig_mnt, path);
49126+ if (retval2)
49127+ retval = retval2;
49128+ }
49129+ break;
49130+ }
49131+ } while ((tmpsubj = tmpsubj->parent_subject));
49132+ read_unlock(&gr_inode_lock);
49133+
49134+ return retval;
49135+}
49136+
49137+static __inline__ struct acl_object_label *
49138+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
49139+ struct dentry *curr_dentry,
49140+ const struct acl_subject_label *subj, char **path, const int checkglob)
49141+{
49142+ int newglob = checkglob;
49143+ ino_t inode;
49144+ dev_t device;
49145+
49146+ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
49147+ as we don't want a / * rule to match instead of the / object
49148+ don't do this for create lookups that call this function though, since they're looking up
49149+ on the parent and thus need globbing checks on all paths
49150+ */
49151+ if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
49152+ newglob = GR_NO_GLOB;
49153+
49154+ spin_lock(&curr_dentry->d_lock);
49155+ inode = curr_dentry->d_inode->i_ino;
49156+ device = __get_dev(curr_dentry);
49157+ spin_unlock(&curr_dentry->d_lock);
49158+
49159+ return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
49160+}
49161+
49162+static struct acl_object_label *
49163+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49164+ const struct acl_subject_label *subj, char *path, const int checkglob)
49165+{
49166+ struct dentry *dentry = (struct dentry *) l_dentry;
49167+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
49168+ struct acl_object_label *retval;
49169+ struct dentry *parent;
49170+
49171+ write_seqlock(&rename_lock);
49172+ br_read_lock(vfsmount_lock);
49173+
49174+ if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
49175+#ifdef CONFIG_NET
49176+ mnt == sock_mnt ||
49177+#endif
49178+#ifdef CONFIG_HUGETLBFS
49179+ (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
49180+#endif
49181+ /* ignore Eric Biederman */
49182+ IS_PRIVATE(l_dentry->d_inode))) {
49183+ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
49184+ goto out;
49185+ }
49186+
49187+ for (;;) {
49188+ if (dentry == real_root.dentry && mnt == real_root.mnt)
49189+ break;
49190+
49191+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
49192+ if (mnt->mnt_parent == mnt)
49193+ break;
49194+
49195+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49196+ if (retval != NULL)
49197+ goto out;
49198+
49199+ dentry = mnt->mnt_mountpoint;
49200+ mnt = mnt->mnt_parent;
49201+ continue;
49202+ }
49203+
49204+ parent = dentry->d_parent;
49205+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49206+ if (retval != NULL)
49207+ goto out;
49208+
49209+ dentry = parent;
49210+ }
49211+
49212+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
49213+
49214+ /* real_root is pinned so we don't have to hold a reference */
49215+ if (retval == NULL)
49216+ retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
49217+out:
49218+ br_read_unlock(vfsmount_lock);
49219+ write_sequnlock(&rename_lock);
49220+
49221+ BUG_ON(retval == NULL);
49222+
49223+ return retval;
49224+}
49225+
49226+static __inline__ struct acl_object_label *
49227+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49228+ const struct acl_subject_label *subj)
49229+{
49230+ char *path = NULL;
49231+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
49232+}
49233+
49234+static __inline__ struct acl_object_label *
49235+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49236+ const struct acl_subject_label *subj)
49237+{
49238+ char *path = NULL;
49239+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
49240+}
49241+
49242+static __inline__ struct acl_object_label *
49243+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49244+ const struct acl_subject_label *subj, char *path)
49245+{
49246+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
49247+}
49248+
49249+static struct acl_subject_label *
49250+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
49251+ const struct acl_role_label *role)
49252+{
49253+ struct dentry *dentry = (struct dentry *) l_dentry;
49254+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
49255+ struct acl_subject_label *retval;
49256+ struct dentry *parent;
49257+
49258+ write_seqlock(&rename_lock);
49259+ br_read_lock(vfsmount_lock);
49260+
49261+ for (;;) {
49262+ if (dentry == real_root.dentry && mnt == real_root.mnt)
49263+ break;
49264+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
49265+ if (mnt->mnt_parent == mnt)
49266+ break;
49267+
49268+ spin_lock(&dentry->d_lock);
49269+ read_lock(&gr_inode_lock);
49270+ retval =
49271+ lookup_acl_subj_label(dentry->d_inode->i_ino,
49272+ __get_dev(dentry), role);
49273+ read_unlock(&gr_inode_lock);
49274+ spin_unlock(&dentry->d_lock);
49275+ if (retval != NULL)
49276+ goto out;
49277+
49278+ dentry = mnt->mnt_mountpoint;
49279+ mnt = mnt->mnt_parent;
49280+ continue;
49281+ }
49282+
49283+ spin_lock(&dentry->d_lock);
49284+ read_lock(&gr_inode_lock);
49285+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
49286+ __get_dev(dentry), role);
49287+ read_unlock(&gr_inode_lock);
49288+ parent = dentry->d_parent;
49289+ spin_unlock(&dentry->d_lock);
49290+
49291+ if (retval != NULL)
49292+ goto out;
49293+
49294+ dentry = parent;
49295+ }
49296+
49297+ spin_lock(&dentry->d_lock);
49298+ read_lock(&gr_inode_lock);
49299+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
49300+ __get_dev(dentry), role);
49301+ read_unlock(&gr_inode_lock);
49302+ spin_unlock(&dentry->d_lock);
49303+
49304+ if (unlikely(retval == NULL)) {
49305+ /* real_root is pinned, we don't need to hold a reference */
49306+ read_lock(&gr_inode_lock);
49307+ retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
49308+ __get_dev(real_root.dentry), role);
49309+ read_unlock(&gr_inode_lock);
49310+ }
49311+out:
49312+ br_read_unlock(vfsmount_lock);
49313+ write_sequnlock(&rename_lock);
49314+
49315+ BUG_ON(retval == NULL);
49316+
49317+ return retval;
49318+}
49319+
49320+static void
49321+gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
49322+{
49323+ struct task_struct *task = current;
49324+ const struct cred *cred = current_cred();
49325+
49326+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
49327+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
49328+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
49329+ 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
49330+
49331+ return;
49332+}
49333+
49334+static void
49335+gr_log_learn_sysctl(const char *path, const __u32 mode)
49336+{
49337+ struct task_struct *task = current;
49338+ const struct cred *cred = current_cred();
49339+
49340+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
49341+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
49342+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
49343+ 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
49344+
49345+ return;
49346+}
49347+
49348+static void
49349+gr_log_learn_id_change(const char type, const unsigned int real,
49350+ const unsigned int effective, const unsigned int fs)
49351+{
49352+ struct task_struct *task = current;
49353+ const struct cred *cred = current_cred();
49354+
49355+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
49356+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
49357+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
49358+ type, real, effective, fs, &task->signal->saved_ip);
49359+
49360+ return;
49361+}
49362+
49363+__u32
49364+gr_search_file(const struct dentry * dentry, const __u32 mode,
49365+ const struct vfsmount * mnt)
49366+{
49367+ __u32 retval = mode;
49368+ struct acl_subject_label *curracl;
49369+ struct acl_object_label *currobj;
49370+
49371+ if (unlikely(!(gr_status & GR_READY)))
49372+ return (mode & ~GR_AUDITS);
49373+
49374+ curracl = current->acl;
49375+
49376+ currobj = chk_obj_label(dentry, mnt, curracl);
49377+ retval = currobj->mode & mode;
49378+
49379+ /* if we're opening a specified transfer file for writing
49380+ (e.g. /dev/initctl), then transfer our role to init
49381+ */
49382+ if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
49383+ current->role->roletype & GR_ROLE_PERSIST)) {
49384+ struct task_struct *task = init_pid_ns.child_reaper;
49385+
49386+ if (task->role != current->role) {
49387+ task->acl_sp_role = 0;
49388+ task->acl_role_id = current->acl_role_id;
49389+ task->role = current->role;
49390+ rcu_read_lock();
49391+ read_lock(&grsec_exec_file_lock);
49392+ gr_apply_subject_to_task(task);
49393+ read_unlock(&grsec_exec_file_lock);
49394+ rcu_read_unlock();
49395+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
49396+ }
49397+ }
49398+
49399+ if (unlikely
49400+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
49401+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
49402+ __u32 new_mode = mode;
49403+
49404+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
49405+
49406+ retval = new_mode;
49407+
49408+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
49409+ new_mode |= GR_INHERIT;
49410+
49411+ if (!(mode & GR_NOLEARN))
49412+ gr_log_learn(dentry, mnt, new_mode);
49413+ }
49414+
49415+ return retval;
49416+}
49417+
49418+struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
49419+ const struct dentry *parent,
49420+ const struct vfsmount *mnt)
49421+{
49422+ struct name_entry *match;
49423+ struct acl_object_label *matchpo;
49424+ struct acl_subject_label *curracl;
49425+ char *path;
49426+
49427+ if (unlikely(!(gr_status & GR_READY)))
49428+ return NULL;
49429+
49430+ preempt_disable();
49431+ path = gr_to_filename_rbac(new_dentry, mnt);
49432+ match = lookup_name_entry_create(path);
49433+
49434+ curracl = current->acl;
49435+
49436+ if (match) {
49437+ read_lock(&gr_inode_lock);
49438+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
49439+ read_unlock(&gr_inode_lock);
49440+
49441+ if (matchpo) {
49442+ preempt_enable();
49443+ return matchpo;
49444+ }
49445+ }
49446+
49447+ // lookup parent
49448+
49449+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
49450+
49451+ preempt_enable();
49452+ return matchpo;
49453+}
49454+
49455+__u32
49456+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
49457+ const struct vfsmount * mnt, const __u32 mode)
49458+{
49459+ struct acl_object_label *matchpo;
49460+ __u32 retval;
49461+
49462+ if (unlikely(!(gr_status & GR_READY)))
49463+ return (mode & ~GR_AUDITS);
49464+
49465+ matchpo = gr_get_create_object(new_dentry, parent, mnt);
49466+
49467+ retval = matchpo->mode & mode;
49468+
49469+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
49470+ && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
49471+ __u32 new_mode = mode;
49472+
49473+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
49474+
49475+ gr_log_learn(new_dentry, mnt, new_mode);
49476+ return new_mode;
49477+ }
49478+
49479+ return retval;
49480+}
49481+
49482+__u32
49483+gr_check_link(const struct dentry * new_dentry,
49484+ const struct dentry * parent_dentry,
49485+ const struct vfsmount * parent_mnt,
49486+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
49487+{
49488+ struct acl_object_label *obj;
49489+ __u32 oldmode, newmode;
49490+ __u32 needmode;
49491+ __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
49492+ GR_DELETE | GR_INHERIT;
49493+
49494+ if (unlikely(!(gr_status & GR_READY)))
49495+ return (GR_CREATE | GR_LINK);
49496+
49497+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
49498+ oldmode = obj->mode;
49499+
49500+ obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
49501+ newmode = obj->mode;
49502+
49503+ needmode = newmode & checkmodes;
49504+
49505+ // old name for hardlink must have at least the permissions of the new name
49506+ if ((oldmode & needmode) != needmode)
49507+ goto bad;
49508+
49509+ // if old name had restrictions/auditing, make sure the new name does as well
49510+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
49511+
49512+ // don't allow hardlinking of suid/sgid files without permission
49513+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
49514+ needmode |= GR_SETID;
49515+
49516+ if ((newmode & needmode) != needmode)
49517+ goto bad;
49518+
49519+ // enforce minimum permissions
49520+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
49521+ return newmode;
49522+bad:
49523+ needmode = oldmode;
49524+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
49525+ needmode |= GR_SETID;
49526+
49527+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
49528+ gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
49529+ return (GR_CREATE | GR_LINK);
49530+ } else if (newmode & GR_SUPPRESS)
49531+ return GR_SUPPRESS;
49532+ else
49533+ return 0;
49534+}
49535+
49536+int
49537+gr_check_hidden_task(const struct task_struct *task)
49538+{
49539+ if (unlikely(!(gr_status & GR_READY)))
49540+ return 0;
49541+
49542+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
49543+ return 1;
49544+
49545+ return 0;
49546+}
49547+
49548+int
49549+gr_check_protected_task(const struct task_struct *task)
49550+{
49551+ if (unlikely(!(gr_status & GR_READY) || !task))
49552+ return 0;
49553+
49554+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
49555+ task->acl != current->acl)
49556+ return 1;
49557+
49558+ return 0;
49559+}
49560+
49561+int
49562+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
49563+{
49564+ struct task_struct *p;
49565+ int ret = 0;
49566+
49567+ if (unlikely(!(gr_status & GR_READY) || !pid))
49568+ return ret;
49569+
49570+ read_lock(&tasklist_lock);
49571+ do_each_pid_task(pid, type, p) {
49572+ if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
49573+ p->acl != current->acl) {
49574+ ret = 1;
49575+ goto out;
49576+ }
49577+ } while_each_pid_task(pid, type, p);
49578+out:
49579+ read_unlock(&tasklist_lock);
49580+
49581+ return ret;
49582+}
49583+
49584+void
49585+gr_copy_label(struct task_struct *tsk)
49586+{
49587+ tsk->signal->used_accept = 0;
49588+ tsk->acl_sp_role = 0;
49589+ tsk->acl_role_id = current->acl_role_id;
49590+ tsk->acl = current->acl;
49591+ tsk->role = current->role;
49592+ tsk->signal->curr_ip = current->signal->curr_ip;
49593+ tsk->signal->saved_ip = current->signal->saved_ip;
49594+ if (current->exec_file)
49595+ get_file(current->exec_file);
49596+ tsk->exec_file = current->exec_file;
49597+ tsk->is_writable = current->is_writable;
49598+ if (unlikely(current->signal->used_accept)) {
49599+ current->signal->curr_ip = 0;
49600+ current->signal->saved_ip = 0;
49601+ }
49602+
49603+ return;
49604+}
49605+
49606+static void
49607+gr_set_proc_res(struct task_struct *task)
49608+{
49609+ struct acl_subject_label *proc;
49610+ unsigned short i;
49611+
49612+ proc = task->acl;
49613+
49614+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
49615+ return;
49616+
49617+ for (i = 0; i < RLIM_NLIMITS; i++) {
49618+ if (!(proc->resmask & (1 << i)))
49619+ continue;
49620+
49621+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
49622+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
49623+ }
49624+
49625+ return;
49626+}
49627+
49628+extern int __gr_process_user_ban(struct user_struct *user);
49629+
49630+int
49631+gr_check_user_change(int real, int effective, int fs)
49632+{
49633+ unsigned int i;
49634+ __u16 num;
49635+ uid_t *uidlist;
49636+ int curuid;
49637+ int realok = 0;
49638+ int effectiveok = 0;
49639+ int fsok = 0;
49640+
49641+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
49642+ struct user_struct *user;
49643+
49644+ if (real == -1)
49645+ goto skipit;
49646+
49647+ user = find_user(real);
49648+ if (user == NULL)
49649+ goto skipit;
49650+
49651+ if (__gr_process_user_ban(user)) {
49652+ /* for find_user */
49653+ free_uid(user);
49654+ return 1;
49655+ }
49656+
49657+ /* for find_user */
49658+ free_uid(user);
49659+
49660+skipit:
49661+#endif
49662+
49663+ if (unlikely(!(gr_status & GR_READY)))
49664+ return 0;
49665+
49666+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
49667+ gr_log_learn_id_change('u', real, effective, fs);
49668+
49669+ num = current->acl->user_trans_num;
49670+ uidlist = current->acl->user_transitions;
49671+
49672+ if (uidlist == NULL)
49673+ return 0;
49674+
49675+ if (real == -1)
49676+ realok = 1;
49677+ if (effective == -1)
49678+ effectiveok = 1;
49679+ if (fs == -1)
49680+ fsok = 1;
49681+
49682+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
49683+ for (i = 0; i < num; i++) {
49684+ curuid = (int)uidlist[i];
49685+ if (real == curuid)
49686+ realok = 1;
49687+ if (effective == curuid)
49688+ effectiveok = 1;
49689+ if (fs == curuid)
49690+ fsok = 1;
49691+ }
49692+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
49693+ for (i = 0; i < num; i++) {
49694+ curuid = (int)uidlist[i];
49695+ if (real == curuid)
49696+ break;
49697+ if (effective == curuid)
49698+ break;
49699+ if (fs == curuid)
49700+ break;
49701+ }
49702+ /* not in deny list */
49703+ if (i == num) {
49704+ realok = 1;
49705+ effectiveok = 1;
49706+ fsok = 1;
49707+ }
49708+ }
49709+
49710+ if (realok && effectiveok && fsok)
49711+ return 0;
49712+ else {
49713+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
49714+ return 1;
49715+ }
49716+}
49717+
49718+int
49719+gr_check_group_change(int real, int effective, int fs)
49720+{
49721+ unsigned int i;
49722+ __u16 num;
49723+ gid_t *gidlist;
49724+ int curgid;
49725+ int realok = 0;
49726+ int effectiveok = 0;
49727+ int fsok = 0;
49728+
49729+ if (unlikely(!(gr_status & GR_READY)))
49730+ return 0;
49731+
49732+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
49733+ gr_log_learn_id_change('g', real, effective, fs);
49734+
49735+ num = current->acl->group_trans_num;
49736+ gidlist = current->acl->group_transitions;
49737+
49738+ if (gidlist == NULL)
49739+ return 0;
49740+
49741+ if (real == -1)
49742+ realok = 1;
49743+ if (effective == -1)
49744+ effectiveok = 1;
49745+ if (fs == -1)
49746+ fsok = 1;
49747+
49748+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
49749+ for (i = 0; i < num; i++) {
49750+ curgid = (int)gidlist[i];
49751+ if (real == curgid)
49752+ realok = 1;
49753+ if (effective == curgid)
49754+ effectiveok = 1;
49755+ if (fs == curgid)
49756+ fsok = 1;
49757+ }
49758+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
49759+ for (i = 0; i < num; i++) {
49760+ curgid = (int)gidlist[i];
49761+ if (real == curgid)
49762+ break;
49763+ if (effective == curgid)
49764+ break;
49765+ if (fs == curgid)
49766+ break;
49767+ }
49768+ /* not in deny list */
49769+ if (i == num) {
49770+ realok = 1;
49771+ effectiveok = 1;
49772+ fsok = 1;
49773+ }
49774+ }
49775+
49776+ if (realok && effectiveok && fsok)
49777+ return 0;
49778+ else {
49779+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
49780+ return 1;
49781+ }
49782+}
49783+
49784+void
49785+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
49786+{
49787+ struct acl_role_label *role = task->role;
49788+ struct acl_subject_label *subj = NULL;
49789+ struct acl_object_label *obj;
49790+ struct file *filp;
49791+
49792+ if (unlikely(!(gr_status & GR_READY)))
49793+ return;
49794+
49795+ filp = task->exec_file;
49796+
49797+ /* kernel process, we'll give them the kernel role */
49798+ if (unlikely(!filp)) {
49799+ task->role = kernel_role;
49800+ task->acl = kernel_role->root_label;
49801+ return;
49802+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
49803+ role = lookup_acl_role_label(task, uid, gid);
49804+
49805+ /* perform subject lookup in possibly new role
49806+ we can use this result below in the case where role == task->role
49807+ */
49808+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
49809+
49810+ /* if we changed uid/gid, but result in the same role
49811+ and are using inheritance, don't lose the inherited subject
49812+ if current subject is other than what normal lookup
49813+ would result in, we arrived via inheritance, don't
49814+ lose subject
49815+ */
49816+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
49817+ (subj == task->acl)))
49818+ task->acl = subj;
49819+
49820+ task->role = role;
49821+
49822+ task->is_writable = 0;
49823+
49824+ /* ignore additional mmap checks for processes that are writable
49825+ by the default ACL */
49826+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
49827+ if (unlikely(obj->mode & GR_WRITE))
49828+ task->is_writable = 1;
49829+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
49830+ if (unlikely(obj->mode & GR_WRITE))
49831+ task->is_writable = 1;
49832+
49833+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
49834+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
49835+#endif
49836+
49837+ gr_set_proc_res(task);
49838+
49839+ return;
49840+}
49841+
49842+int
49843+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
49844+ const int unsafe_share)
49845+{
49846+ struct task_struct *task = current;
49847+ struct acl_subject_label *newacl;
49848+ struct acl_object_label *obj;
49849+ __u32 retmode;
49850+
49851+ if (unlikely(!(gr_status & GR_READY)))
49852+ return 0;
49853+
49854+ newacl = chk_subj_label(dentry, mnt, task->role);
49855+
49856+ task_lock(task);
49857+ if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
49858+ !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
49859+ !(task->role->roletype & GR_ROLE_GOD) &&
49860+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
49861+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
49862+ task_unlock(task);
49863+ if (unsafe_share)
49864+ gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
49865+ else
49866+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
49867+ return -EACCES;
49868+ }
49869+ task_unlock(task);
49870+
49871+ obj = chk_obj_label(dentry, mnt, task->acl);
49872+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
49873+
49874+ if (!(task->acl->mode & GR_INHERITLEARN) &&
49875+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
49876+ if (obj->nested)
49877+ task->acl = obj->nested;
49878+ else
49879+ task->acl = newacl;
49880+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
49881+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
49882+
49883+ task->is_writable = 0;
49884+
49885+ /* ignore additional mmap checks for processes that are writable
49886+ by the default ACL */
49887+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
49888+ if (unlikely(obj->mode & GR_WRITE))
49889+ task->is_writable = 1;
49890+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
49891+ if (unlikely(obj->mode & GR_WRITE))
49892+ task->is_writable = 1;
49893+
49894+ gr_set_proc_res(task);
49895+
49896+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
49897+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
49898+#endif
49899+ return 0;
49900+}
49901+
49902+/* always called with valid inodev ptr */
49903+static void
49904+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
49905+{
49906+ struct acl_object_label *matchpo;
49907+ struct acl_subject_label *matchps;
49908+ struct acl_subject_label *subj;
49909+ struct acl_role_label *role;
49910+ unsigned int x;
49911+
49912+ FOR_EACH_ROLE_START(role)
49913+ FOR_EACH_SUBJECT_START(role, subj, x)
49914+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
49915+ matchpo->mode |= GR_DELETED;
49916+ FOR_EACH_SUBJECT_END(subj,x)
49917+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
49918+ if (subj->inode == ino && subj->device == dev)
49919+ subj->mode |= GR_DELETED;
49920+ FOR_EACH_NESTED_SUBJECT_END(subj)
49921+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
49922+ matchps->mode |= GR_DELETED;
49923+ FOR_EACH_ROLE_END(role)
49924+
49925+ inodev->nentry->deleted = 1;
49926+
49927+ return;
49928+}
49929+
49930+void
49931+gr_handle_delete(const ino_t ino, const dev_t dev)
49932+{
49933+ struct inodev_entry *inodev;
49934+
49935+ if (unlikely(!(gr_status & GR_READY)))
49936+ return;
49937+
49938+ write_lock(&gr_inode_lock);
49939+ inodev = lookup_inodev_entry(ino, dev);
49940+ if (inodev != NULL)
49941+ do_handle_delete(inodev, ino, dev);
49942+ write_unlock(&gr_inode_lock);
49943+
49944+ return;
49945+}
49946+
49947+static void
49948+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
49949+ const ino_t newinode, const dev_t newdevice,
49950+ struct acl_subject_label *subj)
49951+{
49952+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
49953+ struct acl_object_label *match;
49954+
49955+ match = subj->obj_hash[index];
49956+
49957+ while (match && (match->inode != oldinode ||
49958+ match->device != olddevice ||
49959+ !(match->mode & GR_DELETED)))
49960+ match = match->next;
49961+
49962+ if (match && (match->inode == oldinode)
49963+ && (match->device == olddevice)
49964+ && (match->mode & GR_DELETED)) {
49965+ if (match->prev == NULL) {
49966+ subj->obj_hash[index] = match->next;
49967+ if (match->next != NULL)
49968+ match->next->prev = NULL;
49969+ } else {
49970+ match->prev->next = match->next;
49971+ if (match->next != NULL)
49972+ match->next->prev = match->prev;
49973+ }
49974+ match->prev = NULL;
49975+ match->next = NULL;
49976+ match->inode = newinode;
49977+ match->device = newdevice;
49978+ match->mode &= ~GR_DELETED;
49979+
49980+ insert_acl_obj_label(match, subj);
49981+ }
49982+
49983+ return;
49984+}
49985+
49986+static void
49987+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
49988+ const ino_t newinode, const dev_t newdevice,
49989+ struct acl_role_label *role)
49990+{
49991+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
49992+ struct acl_subject_label *match;
49993+
49994+ match = role->subj_hash[index];
49995+
49996+ while (match && (match->inode != oldinode ||
49997+ match->device != olddevice ||
49998+ !(match->mode & GR_DELETED)))
49999+ match = match->next;
50000+
50001+ if (match && (match->inode == oldinode)
50002+ && (match->device == olddevice)
50003+ && (match->mode & GR_DELETED)) {
50004+ if (match->prev == NULL) {
50005+ role->subj_hash[index] = match->next;
50006+ if (match->next != NULL)
50007+ match->next->prev = NULL;
50008+ } else {
50009+ match->prev->next = match->next;
50010+ if (match->next != NULL)
50011+ match->next->prev = match->prev;
50012+ }
50013+ match->prev = NULL;
50014+ match->next = NULL;
50015+ match->inode = newinode;
50016+ match->device = newdevice;
50017+ match->mode &= ~GR_DELETED;
50018+
50019+ insert_acl_subj_label(match, role);
50020+ }
50021+
50022+ return;
50023+}
50024+
50025+static void
50026+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
50027+ const ino_t newinode, const dev_t newdevice)
50028+{
50029+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
50030+ struct inodev_entry *match;
50031+
50032+ match = inodev_set.i_hash[index];
50033+
50034+ while (match && (match->nentry->inode != oldinode ||
50035+ match->nentry->device != olddevice || !match->nentry->deleted))
50036+ match = match->next;
50037+
50038+ if (match && (match->nentry->inode == oldinode)
50039+ && (match->nentry->device == olddevice) &&
50040+ match->nentry->deleted) {
50041+ if (match->prev == NULL) {
50042+ inodev_set.i_hash[index] = match->next;
50043+ if (match->next != NULL)
50044+ match->next->prev = NULL;
50045+ } else {
50046+ match->prev->next = match->next;
50047+ if (match->next != NULL)
50048+ match->next->prev = match->prev;
50049+ }
50050+ match->prev = NULL;
50051+ match->next = NULL;
50052+ match->nentry->inode = newinode;
50053+ match->nentry->device = newdevice;
50054+ match->nentry->deleted = 0;
50055+
50056+ insert_inodev_entry(match);
50057+ }
50058+
50059+ return;
50060+}
50061+
50062+static void
50063+__do_handle_create(const struct name_entry *matchn, ino_t ino, dev_t dev)
50064+{
50065+ struct acl_subject_label *subj;
50066+ struct acl_role_label *role;
50067+ unsigned int x;
50068+
50069+ FOR_EACH_ROLE_START(role)
50070+ update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
50071+
50072+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
50073+ if ((subj->inode == ino) && (subj->device == dev)) {
50074+ subj->inode = ino;
50075+ subj->device = dev;
50076+ }
50077+ FOR_EACH_NESTED_SUBJECT_END(subj)
50078+ FOR_EACH_SUBJECT_START(role, subj, x)
50079+ update_acl_obj_label(matchn->inode, matchn->device,
50080+ ino, dev, subj);
50081+ FOR_EACH_SUBJECT_END(subj,x)
50082+ FOR_EACH_ROLE_END(role)
50083+
50084+ update_inodev_entry(matchn->inode, matchn->device, ino, dev);
50085+
50086+ return;
50087+}
50088+
50089+static void
50090+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
50091+ const struct vfsmount *mnt)
50092+{
50093+ ino_t ino = dentry->d_inode->i_ino;
50094+ dev_t dev = __get_dev(dentry);
50095+
50096+ __do_handle_create(matchn, ino, dev);
50097+
50098+ return;
50099+}
50100+
50101+void
50102+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
50103+{
50104+ struct name_entry *matchn;
50105+
50106+ if (unlikely(!(gr_status & GR_READY)))
50107+ return;
50108+
50109+ preempt_disable();
50110+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
50111+
50112+ if (unlikely((unsigned long)matchn)) {
50113+ write_lock(&gr_inode_lock);
50114+ do_handle_create(matchn, dentry, mnt);
50115+ write_unlock(&gr_inode_lock);
50116+ }
50117+ preempt_enable();
50118+
50119+ return;
50120+}
50121+
50122+void
50123+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
50124+{
50125+ struct name_entry *matchn;
50126+
50127+ if (unlikely(!(gr_status & GR_READY)))
50128+ return;
50129+
50130+ preempt_disable();
50131+ matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
50132+
50133+ if (unlikely((unsigned long)matchn)) {
50134+ write_lock(&gr_inode_lock);
50135+ __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
50136+ write_unlock(&gr_inode_lock);
50137+ }
50138+ preempt_enable();
50139+
50140+ return;
50141+}
50142+
50143+void
50144+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
50145+ struct dentry *old_dentry,
50146+ struct dentry *new_dentry,
50147+ struct vfsmount *mnt, const __u8 replace)
50148+{
50149+ struct name_entry *matchn;
50150+ struct inodev_entry *inodev;
50151+ struct inode *inode = new_dentry->d_inode;
50152+ ino_t old_ino = old_dentry->d_inode->i_ino;
50153+ dev_t old_dev = __get_dev(old_dentry);
50154+
50155+ /* vfs_rename swaps the name and parent link for old_dentry and
50156+ new_dentry
50157+ at this point, old_dentry has the new name, parent link, and inode
50158+ for the renamed file
50159+ if a file is being replaced by a rename, new_dentry has the inode
50160+ and name for the replaced file
50161+ */
50162+
50163+ if (unlikely(!(gr_status & GR_READY)))
50164+ return;
50165+
50166+ preempt_disable();
50167+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
50168+
50169+ /* we wouldn't have to check d_inode if it weren't for
50170+ NFS silly-renaming
50171+ */
50172+
50173+ write_lock(&gr_inode_lock);
50174+ if (unlikely(replace && inode)) {
50175+ ino_t new_ino = inode->i_ino;
50176+ dev_t new_dev = __get_dev(new_dentry);
50177+
50178+ inodev = lookup_inodev_entry(new_ino, new_dev);
50179+ if (inodev != NULL && ((inode->i_nlink <= 1) || S_ISDIR(inode->i_mode)))
50180+ do_handle_delete(inodev, new_ino, new_dev);
50181+ }
50182+
50183+ inodev = lookup_inodev_entry(old_ino, old_dev);
50184+ if (inodev != NULL && ((old_dentry->d_inode->i_nlink <= 1) || S_ISDIR(old_dentry->d_inode->i_mode)))
50185+ do_handle_delete(inodev, old_ino, old_dev);
50186+
50187+ if (unlikely((unsigned long)matchn))
50188+ do_handle_create(matchn, old_dentry, mnt);
50189+
50190+ write_unlock(&gr_inode_lock);
50191+ preempt_enable();
50192+
50193+ return;
50194+}
50195+
50196+static int
50197+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
50198+ unsigned char **sum)
50199+{
50200+ struct acl_role_label *r;
50201+ struct role_allowed_ip *ipp;
50202+ struct role_transition *trans;
50203+ unsigned int i;
50204+ int found = 0;
50205+ u32 curr_ip = current->signal->curr_ip;
50206+
50207+ current->signal->saved_ip = curr_ip;
50208+
50209+ /* check transition table */
50210+
50211+ for (trans = current->role->transitions; trans; trans = trans->next) {
50212+ if (!strcmp(rolename, trans->rolename)) {
50213+ found = 1;
50214+ break;
50215+ }
50216+ }
50217+
50218+ if (!found)
50219+ return 0;
50220+
50221+ /* handle special roles that do not require authentication
50222+ and check ip */
50223+
50224+ FOR_EACH_ROLE_START(r)
50225+ if (!strcmp(rolename, r->rolename) &&
50226+ (r->roletype & GR_ROLE_SPECIAL)) {
50227+ found = 0;
50228+ if (r->allowed_ips != NULL) {
50229+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
50230+ if ((ntohl(curr_ip) & ipp->netmask) ==
50231+ (ntohl(ipp->addr) & ipp->netmask))
50232+ found = 1;
50233+ }
50234+ } else
50235+ found = 2;
50236+ if (!found)
50237+ return 0;
50238+
50239+ if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
50240+ ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
50241+ *salt = NULL;
50242+ *sum = NULL;
50243+ return 1;
50244+ }
50245+ }
50246+ FOR_EACH_ROLE_END(r)
50247+
50248+ for (i = 0; i < num_sprole_pws; i++) {
50249+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
50250+ *salt = acl_special_roles[i]->salt;
50251+ *sum = acl_special_roles[i]->sum;
50252+ return 1;
50253+ }
50254+ }
50255+
50256+ return 0;
50257+}
50258+
50259+static void
50260+assign_special_role(char *rolename)
50261+{
50262+ struct acl_object_label *obj;
50263+ struct acl_role_label *r;
50264+ struct acl_role_label *assigned = NULL;
50265+ struct task_struct *tsk;
50266+ struct file *filp;
50267+
50268+ FOR_EACH_ROLE_START(r)
50269+ if (!strcmp(rolename, r->rolename) &&
50270+ (r->roletype & GR_ROLE_SPECIAL)) {
50271+ assigned = r;
50272+ break;
50273+ }
50274+ FOR_EACH_ROLE_END(r)
50275+
50276+ if (!assigned)
50277+ return;
50278+
50279+ read_lock(&tasklist_lock);
50280+ read_lock(&grsec_exec_file_lock);
50281+
50282+ tsk = current->real_parent;
50283+ if (tsk == NULL)
50284+ goto out_unlock;
50285+
50286+ filp = tsk->exec_file;
50287+ if (filp == NULL)
50288+ goto out_unlock;
50289+
50290+ tsk->is_writable = 0;
50291+
50292+ tsk->acl_sp_role = 1;
50293+ tsk->acl_role_id = ++acl_sp_role_value;
50294+ tsk->role = assigned;
50295+ tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
50296+
50297+ /* ignore additional mmap checks for processes that are writable
50298+ by the default ACL */
50299+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
50300+ if (unlikely(obj->mode & GR_WRITE))
50301+ tsk->is_writable = 1;
50302+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
50303+ if (unlikely(obj->mode & GR_WRITE))
50304+ tsk->is_writable = 1;
50305+
50306+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50307+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
50308+#endif
50309+
50310+out_unlock:
50311+ read_unlock(&grsec_exec_file_lock);
50312+ read_unlock(&tasklist_lock);
50313+ return;
50314+}
50315+
50316+int gr_check_secure_terminal(struct task_struct *task)
50317+{
50318+ struct task_struct *p, *p2, *p3;
50319+ struct files_struct *files;
50320+ struct fdtable *fdt;
50321+ struct file *our_file = NULL, *file;
50322+ int i;
50323+
50324+ if (task->signal->tty == NULL)
50325+ return 1;
50326+
50327+ files = get_files_struct(task);
50328+ if (files != NULL) {
50329+ rcu_read_lock();
50330+ fdt = files_fdtable(files);
50331+ for (i=0; i < fdt->max_fds; i++) {
50332+ file = fcheck_files(files, i);
50333+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
50334+ get_file(file);
50335+ our_file = file;
50336+ }
50337+ }
50338+ rcu_read_unlock();
50339+ put_files_struct(files);
50340+ }
50341+
50342+ if (our_file == NULL)
50343+ return 1;
50344+
50345+ read_lock(&tasklist_lock);
50346+ do_each_thread(p2, p) {
50347+ files = get_files_struct(p);
50348+ if (files == NULL ||
50349+ (p->signal && p->signal->tty == task->signal->tty)) {
50350+ if (files != NULL)
50351+ put_files_struct(files);
50352+ continue;
50353+ }
50354+ rcu_read_lock();
50355+ fdt = files_fdtable(files);
50356+ for (i=0; i < fdt->max_fds; i++) {
50357+ file = fcheck_files(files, i);
50358+ if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
50359+ file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
50360+ p3 = task;
50361+ while (p3->pid > 0) {
50362+ if (p3 == p)
50363+ break;
50364+ p3 = p3->real_parent;
50365+ }
50366+ if (p3 == p)
50367+ break;
50368+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
50369+ gr_handle_alertkill(p);
50370+ rcu_read_unlock();
50371+ put_files_struct(files);
50372+ read_unlock(&tasklist_lock);
50373+ fput(our_file);
50374+ return 0;
50375+ }
50376+ }
50377+ rcu_read_unlock();
50378+ put_files_struct(files);
50379+ } while_each_thread(p2, p);
50380+ read_unlock(&tasklist_lock);
50381+
50382+ fput(our_file);
50383+ return 1;
50384+}
50385+
50386+ssize_t
50387+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
50388+{
50389+ struct gr_arg_wrapper uwrap;
50390+ unsigned char *sprole_salt = NULL;
50391+ unsigned char *sprole_sum = NULL;
50392+ int error = sizeof (struct gr_arg_wrapper);
50393+ int error2 = 0;
50394+
50395+ mutex_lock(&gr_dev_mutex);
50396+
50397+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
50398+ error = -EPERM;
50399+ goto out;
50400+ }
50401+
50402+ if (count != sizeof (struct gr_arg_wrapper)) {
50403+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
50404+ error = -EINVAL;
50405+ goto out;
50406+ }
50407+
50408+
50409+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
50410+ gr_auth_expires = 0;
50411+ gr_auth_attempts = 0;
50412+ }
50413+
50414+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
50415+ error = -EFAULT;
50416+ goto out;
50417+ }
50418+
50419+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
50420+ error = -EINVAL;
50421+ goto out;
50422+ }
50423+
50424+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
50425+ error = -EFAULT;
50426+ goto out;
50427+ }
50428+
50429+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
50430+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
50431+ time_after(gr_auth_expires, get_seconds())) {
50432+ error = -EBUSY;
50433+ goto out;
50434+ }
50435+
50436+ /* if non-root trying to do anything other than use a special role,
50437+ do not attempt authentication, do not count towards authentication
50438+ locking
50439+ */
50440+
50441+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
50442+ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
50443+ current_uid()) {
50444+ error = -EPERM;
50445+ goto out;
50446+ }
50447+
50448+ /* ensure pw and special role name are null terminated */
50449+
50450+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
50451+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
50452+
50453+ /* Okay.
50454+ * We have our enough of the argument structure..(we have yet
50455+ * to copy_from_user the tables themselves) . Copy the tables
50456+ * only if we need them, i.e. for loading operations. */
50457+
50458+ switch (gr_usermode->mode) {
50459+ case GR_STATUS:
50460+ if (gr_status & GR_READY) {
50461+ error = 1;
50462+ if (!gr_check_secure_terminal(current))
50463+ error = 3;
50464+ } else
50465+ error = 2;
50466+ goto out;
50467+ case GR_SHUTDOWN:
50468+ if ((gr_status & GR_READY)
50469+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50470+ pax_open_kernel();
50471+ gr_status &= ~GR_READY;
50472+ pax_close_kernel();
50473+
50474+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
50475+ free_variables();
50476+ memset(gr_usermode, 0, sizeof (struct gr_arg));
50477+ memset(gr_system_salt, 0, GR_SALT_LEN);
50478+ memset(gr_system_sum, 0, GR_SHA_LEN);
50479+ } else if (gr_status & GR_READY) {
50480+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
50481+ error = -EPERM;
50482+ } else {
50483+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
50484+ error = -EAGAIN;
50485+ }
50486+ break;
50487+ case GR_ENABLE:
50488+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
50489+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
50490+ else {
50491+ if (gr_status & GR_READY)
50492+ error = -EAGAIN;
50493+ else
50494+ error = error2;
50495+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
50496+ }
50497+ break;
50498+ case GR_RELOAD:
50499+ if (!(gr_status & GR_READY)) {
50500+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
50501+ error = -EAGAIN;
50502+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50503+ preempt_disable();
50504+
50505+ pax_open_kernel();
50506+ gr_status &= ~GR_READY;
50507+ pax_close_kernel();
50508+
50509+ free_variables();
50510+ if (!(error2 = gracl_init(gr_usermode))) {
50511+ preempt_enable();
50512+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
50513+ } else {
50514+ preempt_enable();
50515+ error = error2;
50516+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
50517+ }
50518+ } else {
50519+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
50520+ error = -EPERM;
50521+ }
50522+ break;
50523+ case GR_SEGVMOD:
50524+ if (unlikely(!(gr_status & GR_READY))) {
50525+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
50526+ error = -EAGAIN;
50527+ break;
50528+ }
50529+
50530+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50531+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
50532+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
50533+ struct acl_subject_label *segvacl;
50534+ segvacl =
50535+ lookup_acl_subj_label(gr_usermode->segv_inode,
50536+ gr_usermode->segv_device,
50537+ current->role);
50538+ if (segvacl) {
50539+ segvacl->crashes = 0;
50540+ segvacl->expires = 0;
50541+ }
50542+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
50543+ gr_remove_uid(gr_usermode->segv_uid);
50544+ }
50545+ } else {
50546+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
50547+ error = -EPERM;
50548+ }
50549+ break;
50550+ case GR_SPROLE:
50551+ case GR_SPROLEPAM:
50552+ if (unlikely(!(gr_status & GR_READY))) {
50553+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
50554+ error = -EAGAIN;
50555+ break;
50556+ }
50557+
50558+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
50559+ current->role->expires = 0;
50560+ current->role->auth_attempts = 0;
50561+ }
50562+
50563+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
50564+ time_after(current->role->expires, get_seconds())) {
50565+ error = -EBUSY;
50566+ goto out;
50567+ }
50568+
50569+ if (lookup_special_role_auth
50570+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
50571+ && ((!sprole_salt && !sprole_sum)
50572+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
50573+ char *p = "";
50574+ assign_special_role(gr_usermode->sp_role);
50575+ read_lock(&tasklist_lock);
50576+ if (current->real_parent)
50577+ p = current->real_parent->role->rolename;
50578+ read_unlock(&tasklist_lock);
50579+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
50580+ p, acl_sp_role_value);
50581+ } else {
50582+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
50583+ error = -EPERM;
50584+ if(!(current->role->auth_attempts++))
50585+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
50586+
50587+ goto out;
50588+ }
50589+ break;
50590+ case GR_UNSPROLE:
50591+ if (unlikely(!(gr_status & GR_READY))) {
50592+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
50593+ error = -EAGAIN;
50594+ break;
50595+ }
50596+
50597+ if (current->role->roletype & GR_ROLE_SPECIAL) {
50598+ char *p = "";
50599+ int i = 0;
50600+
50601+ read_lock(&tasklist_lock);
50602+ if (current->real_parent) {
50603+ p = current->real_parent->role->rolename;
50604+ i = current->real_parent->acl_role_id;
50605+ }
50606+ read_unlock(&tasklist_lock);
50607+
50608+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
50609+ gr_set_acls(1);
50610+ } else {
50611+ error = -EPERM;
50612+ goto out;
50613+ }
50614+ break;
50615+ default:
50616+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
50617+ error = -EINVAL;
50618+ break;
50619+ }
50620+
50621+ if (error != -EPERM)
50622+ goto out;
50623+
50624+ if(!(gr_auth_attempts++))
50625+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
50626+
50627+ out:
50628+ mutex_unlock(&gr_dev_mutex);
50629+ return error;
50630+}
50631+
50632+/* must be called with
50633+ rcu_read_lock();
50634+ read_lock(&tasklist_lock);
50635+ read_lock(&grsec_exec_file_lock);
50636+*/
50637+int gr_apply_subject_to_task(struct task_struct *task)
50638+{
50639+ struct acl_object_label *obj;
50640+ char *tmpname;
50641+ struct acl_subject_label *tmpsubj;
50642+ struct file *filp;
50643+ struct name_entry *nmatch;
50644+
50645+ filp = task->exec_file;
50646+ if (filp == NULL)
50647+ return 0;
50648+
50649+ /* the following is to apply the correct subject
50650+ on binaries running when the RBAC system
50651+ is enabled, when the binaries have been
50652+ replaced or deleted since their execution
50653+ -----
50654+ when the RBAC system starts, the inode/dev
50655+ from exec_file will be one the RBAC system
50656+ is unaware of. It only knows the inode/dev
50657+ of the present file on disk, or the absence
50658+ of it.
50659+ */
50660+ preempt_disable();
50661+ tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
50662+
50663+ nmatch = lookup_name_entry(tmpname);
50664+ preempt_enable();
50665+ tmpsubj = NULL;
50666+ if (nmatch) {
50667+ if (nmatch->deleted)
50668+ tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
50669+ else
50670+ tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
50671+ if (tmpsubj != NULL)
50672+ task->acl = tmpsubj;
50673+ }
50674+ if (tmpsubj == NULL)
50675+ task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
50676+ task->role);
50677+ if (task->acl) {
50678+ task->is_writable = 0;
50679+ /* ignore additional mmap checks for processes that are writable
50680+ by the default ACL */
50681+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
50682+ if (unlikely(obj->mode & GR_WRITE))
50683+ task->is_writable = 1;
50684+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
50685+ if (unlikely(obj->mode & GR_WRITE))
50686+ task->is_writable = 1;
50687+
50688+ gr_set_proc_res(task);
50689+
50690+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50691+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
50692+#endif
50693+ } else {
50694+ return 1;
50695+ }
50696+
50697+ return 0;
50698+}
50699+
50700+int
50701+gr_set_acls(const int type)
50702+{
50703+ struct task_struct *task, *task2;
50704+ struct acl_role_label *role = current->role;
50705+ __u16 acl_role_id = current->acl_role_id;
50706+ const struct cred *cred;
50707+ int ret;
50708+
50709+ rcu_read_lock();
50710+ read_lock(&tasklist_lock);
50711+ read_lock(&grsec_exec_file_lock);
50712+ do_each_thread(task2, task) {
50713+ /* check to see if we're called from the exit handler,
50714+ if so, only replace ACLs that have inherited the admin
50715+ ACL */
50716+
50717+ if (type && (task->role != role ||
50718+ task->acl_role_id != acl_role_id))
50719+ continue;
50720+
50721+ task->acl_role_id = 0;
50722+ task->acl_sp_role = 0;
50723+
50724+ if (task->exec_file) {
50725+ cred = __task_cred(task);
50726+ task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
50727+ ret = gr_apply_subject_to_task(task);
50728+ if (ret) {
50729+ read_unlock(&grsec_exec_file_lock);
50730+ read_unlock(&tasklist_lock);
50731+ rcu_read_unlock();
50732+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
50733+ return ret;
50734+ }
50735+ } else {
50736+ // it's a kernel process
50737+ task->role = kernel_role;
50738+ task->acl = kernel_role->root_label;
50739+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
50740+ task->acl->mode &= ~GR_PROCFIND;
50741+#endif
50742+ }
50743+ } while_each_thread(task2, task);
50744+ read_unlock(&grsec_exec_file_lock);
50745+ read_unlock(&tasklist_lock);
50746+ rcu_read_unlock();
50747+
50748+ return 0;
50749+}
50750+
50751+void
50752+gr_learn_resource(const struct task_struct *task,
50753+ const int res, const unsigned long wanted, const int gt)
50754+{
50755+ struct acl_subject_label *acl;
50756+ const struct cred *cred;
50757+
50758+ if (unlikely((gr_status & GR_READY) &&
50759+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
50760+ goto skip_reslog;
50761+
50762+#ifdef CONFIG_GRKERNSEC_RESLOG
50763+ gr_log_resource(task, res, wanted, gt);
50764+#endif
50765+ skip_reslog:
50766+
50767+ if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
50768+ return;
50769+
50770+ acl = task->acl;
50771+
50772+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
50773+ !(acl->resmask & (1 << (unsigned short) res))))
50774+ return;
50775+
50776+ if (wanted >= acl->res[res].rlim_cur) {
50777+ unsigned long res_add;
50778+
50779+ res_add = wanted;
50780+ switch (res) {
50781+ case RLIMIT_CPU:
50782+ res_add += GR_RLIM_CPU_BUMP;
50783+ break;
50784+ case RLIMIT_FSIZE:
50785+ res_add += GR_RLIM_FSIZE_BUMP;
50786+ break;
50787+ case RLIMIT_DATA:
50788+ res_add += GR_RLIM_DATA_BUMP;
50789+ break;
50790+ case RLIMIT_STACK:
50791+ res_add += GR_RLIM_STACK_BUMP;
50792+ break;
50793+ case RLIMIT_CORE:
50794+ res_add += GR_RLIM_CORE_BUMP;
50795+ break;
50796+ case RLIMIT_RSS:
50797+ res_add += GR_RLIM_RSS_BUMP;
50798+ break;
50799+ case RLIMIT_NPROC:
50800+ res_add += GR_RLIM_NPROC_BUMP;
50801+ break;
50802+ case RLIMIT_NOFILE:
50803+ res_add += GR_RLIM_NOFILE_BUMP;
50804+ break;
50805+ case RLIMIT_MEMLOCK:
50806+ res_add += GR_RLIM_MEMLOCK_BUMP;
50807+ break;
50808+ case RLIMIT_AS:
50809+ res_add += GR_RLIM_AS_BUMP;
50810+ break;
50811+ case RLIMIT_LOCKS:
50812+ res_add += GR_RLIM_LOCKS_BUMP;
50813+ break;
50814+ case RLIMIT_SIGPENDING:
50815+ res_add += GR_RLIM_SIGPENDING_BUMP;
50816+ break;
50817+ case RLIMIT_MSGQUEUE:
50818+ res_add += GR_RLIM_MSGQUEUE_BUMP;
50819+ break;
50820+ case RLIMIT_NICE:
50821+ res_add += GR_RLIM_NICE_BUMP;
50822+ break;
50823+ case RLIMIT_RTPRIO:
50824+ res_add += GR_RLIM_RTPRIO_BUMP;
50825+ break;
50826+ case RLIMIT_RTTIME:
50827+ res_add += GR_RLIM_RTTIME_BUMP;
50828+ break;
50829+ }
50830+
50831+ acl->res[res].rlim_cur = res_add;
50832+
50833+ if (wanted > acl->res[res].rlim_max)
50834+ acl->res[res].rlim_max = res_add;
50835+
50836+ /* only log the subject filename, since resource logging is supported for
50837+ single-subject learning only */
50838+ rcu_read_lock();
50839+ cred = __task_cred(task);
50840+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
50841+ task->role->roletype, cred->uid, cred->gid, acl->filename,
50842+ acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
50843+ "", (unsigned long) res, &task->signal->saved_ip);
50844+ rcu_read_unlock();
50845+ }
50846+
50847+ return;
50848+}
50849+
50850+#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
50851+void
50852+pax_set_initial_flags(struct linux_binprm *bprm)
50853+{
50854+ struct task_struct *task = current;
50855+ struct acl_subject_label *proc;
50856+ unsigned long flags;
50857+
50858+ if (unlikely(!(gr_status & GR_READY)))
50859+ return;
50860+
50861+ flags = pax_get_flags(task);
50862+
50863+ proc = task->acl;
50864+
50865+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
50866+ flags &= ~MF_PAX_PAGEEXEC;
50867+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
50868+ flags &= ~MF_PAX_SEGMEXEC;
50869+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
50870+ flags &= ~MF_PAX_RANDMMAP;
50871+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
50872+ flags &= ~MF_PAX_EMUTRAMP;
50873+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
50874+ flags &= ~MF_PAX_MPROTECT;
50875+
50876+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
50877+ flags |= MF_PAX_PAGEEXEC;
50878+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
50879+ flags |= MF_PAX_SEGMEXEC;
50880+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
50881+ flags |= MF_PAX_RANDMMAP;
50882+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
50883+ flags |= MF_PAX_EMUTRAMP;
50884+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
50885+ flags |= MF_PAX_MPROTECT;
50886+
50887+ pax_set_flags(task, flags);
50888+
50889+ return;
50890+}
50891+#endif
50892+
50893+#ifdef CONFIG_SYSCTL
50894+/* Eric Biederman likes breaking userland ABI and every inode-based security
50895+ system to save 35kb of memory */
50896+
50897+/* we modify the passed in filename, but adjust it back before returning */
50898+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
50899+{
50900+ struct name_entry *nmatch;
50901+ char *p, *lastp = NULL;
50902+ struct acl_object_label *obj = NULL, *tmp;
50903+ struct acl_subject_label *tmpsubj;
50904+ char c = '\0';
50905+
50906+ read_lock(&gr_inode_lock);
50907+
50908+ p = name + len - 1;
50909+ do {
50910+ nmatch = lookup_name_entry(name);
50911+ if (lastp != NULL)
50912+ *lastp = c;
50913+
50914+ if (nmatch == NULL)
50915+ goto next_component;
50916+ tmpsubj = current->acl;
50917+ do {
50918+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
50919+ if (obj != NULL) {
50920+ tmp = obj->globbed;
50921+ while (tmp) {
50922+ if (!glob_match(tmp->filename, name)) {
50923+ obj = tmp;
50924+ goto found_obj;
50925+ }
50926+ tmp = tmp->next;
50927+ }
50928+ goto found_obj;
50929+ }
50930+ } while ((tmpsubj = tmpsubj->parent_subject));
50931+next_component:
50932+ /* end case */
50933+ if (p == name)
50934+ break;
50935+
50936+ while (*p != '/')
50937+ p--;
50938+ if (p == name)
50939+ lastp = p + 1;
50940+ else {
50941+ lastp = p;
50942+ p--;
50943+ }
50944+ c = *lastp;
50945+ *lastp = '\0';
50946+ } while (1);
50947+found_obj:
50948+ read_unlock(&gr_inode_lock);
50949+ /* obj returned will always be non-null */
50950+ return obj;
50951+}
50952+
50953+/* returns 0 when allowing, non-zero on error
50954+ op of 0 is used for readdir, so we don't log the names of hidden files
50955+*/
50956+__u32
50957+gr_handle_sysctl(const struct ctl_table *table, const int op)
50958+{
50959+ struct ctl_table *tmp;
50960+ const char *proc_sys = "/proc/sys";
50961+ char *path;
50962+ struct acl_object_label *obj;
50963+ unsigned short len = 0, pos = 0, depth = 0, i;
50964+ __u32 err = 0;
50965+ __u32 mode = 0;
50966+
50967+ if (unlikely(!(gr_status & GR_READY)))
50968+ return 0;
50969+
50970+ /* for now, ignore operations on non-sysctl entries if it's not a
50971+ readdir*/
50972+ if (table->child != NULL && op != 0)
50973+ return 0;
50974+
50975+ mode |= GR_FIND;
50976+ /* it's only a read if it's an entry, read on dirs is for readdir */
50977+ if (op & MAY_READ)
50978+ mode |= GR_READ;
50979+ if (op & MAY_WRITE)
50980+ mode |= GR_WRITE;
50981+
50982+ preempt_disable();
50983+
50984+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
50985+
50986+ /* it's only a read/write if it's an actual entry, not a dir
50987+ (which are opened for readdir)
50988+ */
50989+
50990+ /* convert the requested sysctl entry into a pathname */
50991+
50992+ for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
50993+ len += strlen(tmp->procname);
50994+ len++;
50995+ depth++;
50996+ }
50997+
50998+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
50999+ /* deny */
51000+ goto out;
51001+ }
51002+
51003+ memset(path, 0, PAGE_SIZE);
51004+
51005+ memcpy(path, proc_sys, strlen(proc_sys));
51006+
51007+ pos += strlen(proc_sys);
51008+
51009+ for (; depth > 0; depth--) {
51010+ path[pos] = '/';
51011+ pos++;
51012+ for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
51013+ if (depth == i) {
51014+ memcpy(path + pos, tmp->procname,
51015+ strlen(tmp->procname));
51016+ pos += strlen(tmp->procname);
51017+ }
51018+ i++;
51019+ }
51020+ }
51021+
51022+ obj = gr_lookup_by_name(path, pos);
51023+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
51024+
51025+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
51026+ ((err & mode) != mode))) {
51027+ __u32 new_mode = mode;
51028+
51029+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
51030+
51031+ err = 0;
51032+ gr_log_learn_sysctl(path, new_mode);
51033+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
51034+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
51035+ err = -ENOENT;
51036+ } else if (!(err & GR_FIND)) {
51037+ err = -ENOENT;
51038+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
51039+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
51040+ path, (mode & GR_READ) ? " reading" : "",
51041+ (mode & GR_WRITE) ? " writing" : "");
51042+ err = -EACCES;
51043+ } else if ((err & mode) != mode) {
51044+ err = -EACCES;
51045+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
51046+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
51047+ path, (mode & GR_READ) ? " reading" : "",
51048+ (mode & GR_WRITE) ? " writing" : "");
51049+ err = 0;
51050+ } else
51051+ err = 0;
51052+
51053+ out:
51054+ preempt_enable();
51055+
51056+ return err;
51057+}
51058+#endif
51059+
51060+int
51061+gr_handle_proc_ptrace(struct task_struct *task)
51062+{
51063+ struct file *filp;
51064+ struct task_struct *tmp = task;
51065+ struct task_struct *curtemp = current;
51066+ __u32 retmode;
51067+
51068+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
51069+ if (unlikely(!(gr_status & GR_READY)))
51070+ return 0;
51071+#endif
51072+
51073+ read_lock(&tasklist_lock);
51074+ read_lock(&grsec_exec_file_lock);
51075+ filp = task->exec_file;
51076+
51077+ while (tmp->pid > 0) {
51078+ if (tmp == curtemp)
51079+ break;
51080+ tmp = tmp->real_parent;
51081+ }
51082+
51083+ if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
51084+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
51085+ read_unlock(&grsec_exec_file_lock);
51086+ read_unlock(&tasklist_lock);
51087+ return 1;
51088+ }
51089+
51090+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
51091+ if (!(gr_status & GR_READY)) {
51092+ read_unlock(&grsec_exec_file_lock);
51093+ read_unlock(&tasklist_lock);
51094+ return 0;
51095+ }
51096+#endif
51097+
51098+ retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
51099+ read_unlock(&grsec_exec_file_lock);
51100+ read_unlock(&tasklist_lock);
51101+
51102+ if (retmode & GR_NOPTRACE)
51103+ return 1;
51104+
51105+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
51106+ && (current->acl != task->acl || (current->acl != current->role->root_label
51107+ && current->pid != task->pid)))
51108+ return 1;
51109+
51110+ return 0;
51111+}
51112+
51113+void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
51114+{
51115+ if (unlikely(!(gr_status & GR_READY)))
51116+ return;
51117+
51118+ if (!(current->role->roletype & GR_ROLE_GOD))
51119+ return;
51120+
51121+ seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
51122+ p->role->rolename, gr_task_roletype_to_char(p),
51123+ p->acl->filename);
51124+}
51125+
51126+int
51127+gr_handle_ptrace(struct task_struct *task, const long request)
51128+{
51129+ struct task_struct *tmp = task;
51130+ struct task_struct *curtemp = current;
51131+ __u32 retmode;
51132+
51133+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
51134+ if (unlikely(!(gr_status & GR_READY)))
51135+ return 0;
51136+#endif
51137+
51138+ read_lock(&tasklist_lock);
51139+ while (tmp->pid > 0) {
51140+ if (tmp == curtemp)
51141+ break;
51142+ tmp = tmp->real_parent;
51143+ }
51144+
51145+ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
51146+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
51147+ read_unlock(&tasklist_lock);
51148+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51149+ return 1;
51150+ }
51151+ read_unlock(&tasklist_lock);
51152+
51153+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
51154+ if (!(gr_status & GR_READY))
51155+ return 0;
51156+#endif
51157+
51158+ read_lock(&grsec_exec_file_lock);
51159+ if (unlikely(!task->exec_file)) {
51160+ read_unlock(&grsec_exec_file_lock);
51161+ return 0;
51162+ }
51163+
51164+ retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
51165+ read_unlock(&grsec_exec_file_lock);
51166+
51167+ if (retmode & GR_NOPTRACE) {
51168+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51169+ return 1;
51170+ }
51171+
51172+ if (retmode & GR_PTRACERD) {
51173+ switch (request) {
51174+ case PTRACE_SEIZE:
51175+ case PTRACE_POKETEXT:
51176+ case PTRACE_POKEDATA:
51177+ case PTRACE_POKEUSR:
51178+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
51179+ case PTRACE_SETREGS:
51180+ case PTRACE_SETFPREGS:
51181+#endif
51182+#ifdef CONFIG_X86
51183+ case PTRACE_SETFPXREGS:
51184+#endif
51185+#ifdef CONFIG_ALTIVEC
51186+ case PTRACE_SETVRREGS:
51187+#endif
51188+ return 1;
51189+ default:
51190+ return 0;
51191+ }
51192+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
51193+ !(current->role->roletype & GR_ROLE_GOD) &&
51194+ (current->acl != task->acl)) {
51195+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
51196+ return 1;
51197+ }
51198+
51199+ return 0;
51200+}
51201+
51202+static int is_writable_mmap(const struct file *filp)
51203+{
51204+ struct task_struct *task = current;
51205+ struct acl_object_label *obj, *obj2;
51206+
51207+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
51208+ !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
51209+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
51210+ obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
51211+ task->role->root_label);
51212+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
51213+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
51214+ return 1;
51215+ }
51216+ }
51217+ return 0;
51218+}
51219+
51220+int
51221+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
51222+{
51223+ __u32 mode;
51224+
51225+ if (unlikely(!file || !(prot & PROT_EXEC)))
51226+ return 1;
51227+
51228+ if (is_writable_mmap(file))
51229+ return 0;
51230+
51231+ mode =
51232+ gr_search_file(file->f_path.dentry,
51233+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
51234+ file->f_path.mnt);
51235+
51236+ if (!gr_tpe_allow(file))
51237+ return 0;
51238+
51239+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
51240+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51241+ return 0;
51242+ } else if (unlikely(!(mode & GR_EXEC))) {
51243+ return 0;
51244+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
51245+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51246+ return 1;
51247+ }
51248+
51249+ return 1;
51250+}
51251+
51252+int
51253+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
51254+{
51255+ __u32 mode;
51256+
51257+ if (unlikely(!file || !(prot & PROT_EXEC)))
51258+ return 1;
51259+
51260+ if (is_writable_mmap(file))
51261+ return 0;
51262+
51263+ mode =
51264+ gr_search_file(file->f_path.dentry,
51265+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
51266+ file->f_path.mnt);
51267+
51268+ if (!gr_tpe_allow(file))
51269+ return 0;
51270+
51271+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
51272+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51273+ return 0;
51274+ } else if (unlikely(!(mode & GR_EXEC))) {
51275+ return 0;
51276+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
51277+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
51278+ return 1;
51279+ }
51280+
51281+ return 1;
51282+}
51283+
51284+void
51285+gr_acl_handle_psacct(struct task_struct *task, const long code)
51286+{
51287+ unsigned long runtime;
51288+ unsigned long cputime;
51289+ unsigned int wday, cday;
51290+ __u8 whr, chr;
51291+ __u8 wmin, cmin;
51292+ __u8 wsec, csec;
51293+ struct timespec timeval;
51294+
51295+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
51296+ !(task->acl->mode & GR_PROCACCT)))
51297+ return;
51298+
51299+ do_posix_clock_monotonic_gettime(&timeval);
51300+ runtime = timeval.tv_sec - task->start_time.tv_sec;
51301+ wday = runtime / (3600 * 24);
51302+ runtime -= wday * (3600 * 24);
51303+ whr = runtime / 3600;
51304+ runtime -= whr * 3600;
51305+ wmin = runtime / 60;
51306+ runtime -= wmin * 60;
51307+ wsec = runtime;
51308+
51309+ cputime = (task->utime + task->stime) / HZ;
51310+ cday = cputime / (3600 * 24);
51311+ cputime -= cday * (3600 * 24);
51312+ chr = cputime / 3600;
51313+ cputime -= chr * 3600;
51314+ cmin = cputime / 60;
51315+ cputime -= cmin * 60;
51316+ csec = cputime;
51317+
51318+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
51319+
51320+ return;
51321+}
51322+
51323+void gr_set_kernel_label(struct task_struct *task)
51324+{
51325+ if (gr_status & GR_READY) {
51326+ task->role = kernel_role;
51327+ task->acl = kernel_role->root_label;
51328+ }
51329+ return;
51330+}
51331+
51332+#ifdef CONFIG_TASKSTATS
51333+int gr_is_taskstats_denied(int pid)
51334+{
51335+ struct task_struct *task;
51336+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51337+ const struct cred *cred;
51338+#endif
51339+ int ret = 0;
51340+
51341+ /* restrict taskstats viewing to un-chrooted root users
51342+ who have the 'view' subject flag if the RBAC system is enabled
51343+ */
51344+
51345+ rcu_read_lock();
51346+ read_lock(&tasklist_lock);
51347+ task = find_task_by_vpid(pid);
51348+ if (task) {
51349+#ifdef CONFIG_GRKERNSEC_CHROOT
51350+ if (proc_is_chrooted(task))
51351+ ret = -EACCES;
51352+#endif
51353+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51354+ cred = __task_cred(task);
51355+#ifdef CONFIG_GRKERNSEC_PROC_USER
51356+ if (cred->uid != 0)
51357+ ret = -EACCES;
51358+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51359+ if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
51360+ ret = -EACCES;
51361+#endif
51362+#endif
51363+ if (gr_status & GR_READY) {
51364+ if (!(task->acl->mode & GR_VIEW))
51365+ ret = -EACCES;
51366+ }
51367+ } else
51368+ ret = -ENOENT;
51369+
51370+ read_unlock(&tasklist_lock);
51371+ rcu_read_unlock();
51372+
51373+ return ret;
51374+}
51375+#endif
51376+
51377+/* AUXV entries are filled via a descendant of search_binary_handler
51378+ after we've already applied the subject for the target
51379+*/
51380+int gr_acl_enable_at_secure(void)
51381+{
51382+ if (unlikely(!(gr_status & GR_READY)))
51383+ return 0;
51384+
51385+ if (current->acl->mode & GR_ATSECURE)
51386+ return 1;
51387+
51388+ return 0;
51389+}
51390+
51391+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
51392+{
51393+ struct task_struct *task = current;
51394+ struct dentry *dentry = file->f_path.dentry;
51395+ struct vfsmount *mnt = file->f_path.mnt;
51396+ struct acl_object_label *obj, *tmp;
51397+ struct acl_subject_label *subj;
51398+ unsigned int bufsize;
51399+ int is_not_root;
51400+ char *path;
51401+ dev_t dev = __get_dev(dentry);
51402+
51403+ if (unlikely(!(gr_status & GR_READY)))
51404+ return 1;
51405+
51406+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
51407+ return 1;
51408+
51409+ /* ignore Eric Biederman */
51410+ if (IS_PRIVATE(dentry->d_inode))
51411+ return 1;
51412+
51413+ subj = task->acl;
51414+ do {
51415+ obj = lookup_acl_obj_label(ino, dev, subj);
51416+ if (obj != NULL)
51417+ return (obj->mode & GR_FIND) ? 1 : 0;
51418+ } while ((subj = subj->parent_subject));
51419+
51420+ /* this is purely an optimization since we're looking for an object
51421+ for the directory we're doing a readdir on
51422+ if it's possible for any globbed object to match the entry we're
51423+ filling into the directory, then the object we find here will be
51424+ an anchor point with attached globbed objects
51425+ */
51426+ obj = chk_obj_label_noglob(dentry, mnt, task->acl);
51427+ if (obj->globbed == NULL)
51428+ return (obj->mode & GR_FIND) ? 1 : 0;
51429+
51430+ is_not_root = ((obj->filename[0] == '/') &&
51431+ (obj->filename[1] == '\0')) ? 0 : 1;
51432+ bufsize = PAGE_SIZE - namelen - is_not_root;
51433+
51434+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
51435+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
51436+ return 1;
51437+
51438+ preempt_disable();
51439+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
51440+ bufsize);
51441+
51442+ bufsize = strlen(path);
51443+
51444+ /* if base is "/", don't append an additional slash */
51445+ if (is_not_root)
51446+ *(path + bufsize) = '/';
51447+ memcpy(path + bufsize + is_not_root, name, namelen);
51448+ *(path + bufsize + namelen + is_not_root) = '\0';
51449+
51450+ tmp = obj->globbed;
51451+ while (tmp) {
51452+ if (!glob_match(tmp->filename, path)) {
51453+ preempt_enable();
51454+ return (tmp->mode & GR_FIND) ? 1 : 0;
51455+ }
51456+ tmp = tmp->next;
51457+ }
51458+ preempt_enable();
51459+ return (obj->mode & GR_FIND) ? 1 : 0;
51460+}
51461+
51462+#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
51463+EXPORT_SYMBOL(gr_acl_is_enabled);
51464+#endif
51465+EXPORT_SYMBOL(gr_learn_resource);
51466+EXPORT_SYMBOL(gr_set_kernel_label);
51467+#ifdef CONFIG_SECURITY
51468+EXPORT_SYMBOL(gr_check_user_change);
51469+EXPORT_SYMBOL(gr_check_group_change);
51470+#endif
51471+
51472diff -urNp linux-3.1.1/grsecurity/gracl_cap.c linux-3.1.1/grsecurity/gracl_cap.c
51473--- linux-3.1.1/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
51474+++ linux-3.1.1/grsecurity/gracl_cap.c 2011-11-16 18:40:31.000000000 -0500
51475@@ -0,0 +1,101 @@
51476+#include <linux/kernel.h>
51477+#include <linux/module.h>
51478+#include <linux/sched.h>
51479+#include <linux/gracl.h>
51480+#include <linux/grsecurity.h>
51481+#include <linux/grinternal.h>
51482+
51483+extern const char *captab_log[];
51484+extern int captab_log_entries;
51485+
51486+int
51487+gr_acl_is_capable(const int cap)
51488+{
51489+ struct task_struct *task = current;
51490+ const struct cred *cred = current_cred();
51491+ struct acl_subject_label *curracl;
51492+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
51493+ kernel_cap_t cap_audit = __cap_empty_set;
51494+
51495+ if (!gr_acl_is_enabled())
51496+ return 1;
51497+
51498+ curracl = task->acl;
51499+
51500+ cap_drop = curracl->cap_lower;
51501+ cap_mask = curracl->cap_mask;
51502+ cap_audit = curracl->cap_invert_audit;
51503+
51504+ while ((curracl = curracl->parent_subject)) {
51505+ /* if the cap isn't specified in the current computed mask but is specified in the
51506+ current level subject, and is lowered in the current level subject, then add
51507+ it to the set of dropped capabilities
51508+ otherwise, add the current level subject's mask to the current computed mask
51509+ */
51510+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
51511+ cap_raise(cap_mask, cap);
51512+ if (cap_raised(curracl->cap_lower, cap))
51513+ cap_raise(cap_drop, cap);
51514+ if (cap_raised(curracl->cap_invert_audit, cap))
51515+ cap_raise(cap_audit, cap);
51516+ }
51517+ }
51518+
51519+ if (!cap_raised(cap_drop, cap)) {
51520+ if (cap_raised(cap_audit, cap))
51521+ gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
51522+ return 1;
51523+ }
51524+
51525+ curracl = task->acl;
51526+
51527+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
51528+ && cap_raised(cred->cap_effective, cap)) {
51529+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
51530+ task->role->roletype, cred->uid,
51531+ cred->gid, task->exec_file ?
51532+ gr_to_filename(task->exec_file->f_path.dentry,
51533+ task->exec_file->f_path.mnt) : curracl->filename,
51534+ curracl->filename, 0UL,
51535+ 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
51536+ return 1;
51537+ }
51538+
51539+ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
51540+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
51541+ return 0;
51542+}
51543+
51544+int
51545+gr_acl_is_capable_nolog(const int cap)
51546+{
51547+ struct acl_subject_label *curracl;
51548+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
51549+
51550+ if (!gr_acl_is_enabled())
51551+ return 1;
51552+
51553+ curracl = current->acl;
51554+
51555+ cap_drop = curracl->cap_lower;
51556+ cap_mask = curracl->cap_mask;
51557+
51558+ while ((curracl = curracl->parent_subject)) {
51559+ /* if the cap isn't specified in the current computed mask but is specified in the
51560+ current level subject, and is lowered in the current level subject, then add
51561+ it to the set of dropped capabilities
51562+ otherwise, add the current level subject's mask to the current computed mask
51563+ */
51564+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
51565+ cap_raise(cap_mask, cap);
51566+ if (cap_raised(curracl->cap_lower, cap))
51567+ cap_raise(cap_drop, cap);
51568+ }
51569+ }
51570+
51571+ if (!cap_raised(cap_drop, cap))
51572+ return 1;
51573+
51574+ return 0;
51575+}
51576+
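Review bot: The bound `(cap >= 0) && (cap < captab_log_entries)` guards only the deny-path log at the end of gr_acl_is_capable; the audit path a few lines earlier, `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);`, indexes captab_log with an unchecked `cap`. Callers presumably pass compile-time CAP_* constants, but the later check shows the author does not rely on that, so the two paths should agree: `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < captab_log_entries)`. The parent-subject walk that accumulates cap_mask and cap_drop is duplicated verbatim in gr_acl_is_capable_nolog (minus the audit set); a static helper taking the subject and an optional audit set would keep the two in step. The `= __cap_empty_set` initializers of cap_drop, cap_mask and cap_audit are dead, since each is assigned from curracl before first use.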
51577diff -urNp linux-3.1.1/grsecurity/gracl_fs.c linux-3.1.1/grsecurity/gracl_fs.c
51578--- linux-3.1.1/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
51579+++ linux-3.1.1/grsecurity/gracl_fs.c 2011-11-17 00:25:32.000000000 -0500
51580@@ -0,0 +1,433 @@
51581+#include <linux/kernel.h>
51582+#include <linux/sched.h>
51583+#include <linux/types.h>
51584+#include <linux/fs.h>
51585+#include <linux/file.h>
51586+#include <linux/stat.h>
51587+#include <linux/grsecurity.h>
51588+#include <linux/grinternal.h>
51589+#include <linux/gracl.h>
51590+
51591+__u32
51592+gr_acl_handle_hidden_file(const struct dentry * dentry,
51593+ const struct vfsmount * mnt)
51594+{
51595+ __u32 mode;
51596+
51597+ if (unlikely(!dentry->d_inode))
51598+ return GR_FIND;
51599+
51600+ mode =
51601+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
51602+
51603+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
51604+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
51605+ return mode;
51606+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
51607+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
51608+ return 0;
51609+ } else if (unlikely(!(mode & GR_FIND)))
51610+ return 0;
51611+
51612+ return GR_FIND;
51613+}
51614+
51615+__u32
51616+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
51617+ int acc_mode)
51618+{
51619+ __u32 reqmode = GR_FIND;
51620+ __u32 mode;
51621+
51622+ if (unlikely(!dentry->d_inode))
51623+ return reqmode;
51624+
51625+ if (acc_mode & MAY_APPEND)
51626+ reqmode |= GR_APPEND;
51627+ else if (acc_mode & MAY_WRITE)
51628+ reqmode |= GR_WRITE;
51629+ if ((acc_mode & MAY_READ) && !S_ISDIR(dentry->d_inode->i_mode))
51630+ reqmode |= GR_READ;
51631+
51632+ mode =
51633+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
51634+ mnt);
51635+
51636+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51637+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
51638+ reqmode & GR_READ ? " reading" : "",
51639+ reqmode & GR_WRITE ? " writing" : reqmode &
51640+ GR_APPEND ? " appending" : "");
51641+ return reqmode;
51642+ } else
51643+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51644+ {
51645+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
51646+ reqmode & GR_READ ? " reading" : "",
51647+ reqmode & GR_WRITE ? " writing" : reqmode &
51648+ GR_APPEND ? " appending" : "");
51649+ return 0;
51650+ } else if (unlikely((mode & reqmode) != reqmode))
51651+ return 0;
51652+
51653+ return reqmode;
51654+}
51655+
51656+__u32
51657+gr_acl_handle_creat(const struct dentry * dentry,
51658+ const struct dentry * p_dentry,
51659+ const struct vfsmount * p_mnt, int open_flags, int acc_mode,
51660+ const int imode)
51661+{
51662+ __u32 reqmode = GR_WRITE | GR_CREATE;
51663+ __u32 mode;
51664+
51665+ if (acc_mode & MAY_APPEND)
51666+ reqmode |= GR_APPEND;
51667+ // if a directory was required or the directory already exists, then
51668+ // don't count this open as a read
51669+ if ((acc_mode & MAY_READ) &&
51670+ !((open_flags & O_DIRECTORY) || (dentry->d_inode && S_ISDIR(dentry->d_inode->i_mode))))
51671+ reqmode |= GR_READ;
51672+ if ((open_flags & O_CREAT) && (imode & (S_ISUID | S_ISGID)))
51673+ reqmode |= GR_SETID;
51674+
51675+ mode =
51676+ gr_check_create(dentry, p_dentry, p_mnt,
51677+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
51678+
51679+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51680+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
51681+ reqmode & GR_READ ? " reading" : "",
51682+ reqmode & GR_WRITE ? " writing" : reqmode &
51683+ GR_APPEND ? " appending" : "");
51684+ return reqmode;
51685+ } else
51686+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51687+ {
51688+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
51689+ reqmode & GR_READ ? " reading" : "",
51690+ reqmode & GR_WRITE ? " writing" : reqmode &
51691+ GR_APPEND ? " appending" : "");
51692+ return 0;
51693+ } else if (unlikely((mode & reqmode) != reqmode))
51694+ return 0;
51695+
51696+ return reqmode;
51697+}
51698+
51699+__u32
51700+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
51701+ const int fmode)
51702+{
51703+ __u32 mode, reqmode = GR_FIND;
51704+
51705+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
51706+ reqmode |= GR_EXEC;
51707+ if (fmode & S_IWOTH)
51708+ reqmode |= GR_WRITE;
51709+ if (fmode & S_IROTH)
51710+ reqmode |= GR_READ;
51711+
51712+ mode =
51713+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
51714+ mnt);
51715+
51716+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51717+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
51718+ reqmode & GR_READ ? " reading" : "",
51719+ reqmode & GR_WRITE ? " writing" : "",
51720+ reqmode & GR_EXEC ? " executing" : "");
51721+ return reqmode;
51722+ } else
51723+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51724+ {
51725+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
51726+ reqmode & GR_READ ? " reading" : "",
51727+ reqmode & GR_WRITE ? " writing" : "",
51728+ reqmode & GR_EXEC ? " executing" : "");
51729+ return 0;
51730+ } else if (unlikely((mode & reqmode) != reqmode))
51731+ return 0;
51732+
51733+ return reqmode;
51734+}
51735+
51736+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
51737+{
51738+ __u32 mode;
51739+
51740+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
51741+
51742+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
51743+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
51744+ return mode;
51745+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
51746+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
51747+ return 0;
51748+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
51749+ return 0;
51750+
51751+ return (reqmode);
51752+}
51753+
51754+__u32
51755+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
51756+{
51757+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
51758+}
51759+
51760+__u32
51761+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
51762+{
51763+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
51764+}
51765+
51766+__u32
51767+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
51768+{
51769+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
51770+}
51771+
51772+__u32
51773+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
51774+{
51775+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
51776+}
51777+
51778+__u32
51779+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
51780+ mode_t mode)
51781+{
51782+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
51783+ return 1;
51784+
51785+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
51786+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
51787+ GR_FCHMOD_ACL_MSG);
51788+ } else {
51789+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
51790+ }
51791+}
51792+
51793+__u32
51794+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
51795+ mode_t mode)
51796+{
51797+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
51798+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
51799+ GR_CHMOD_ACL_MSG);
51800+ } else {
51801+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
51802+ }
51803+}
51804+
51805+__u32
51806+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
51807+{
51808+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
51809+}
51810+
51811+__u32
51812+gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
51813+{
51814+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
51815+}
51816+
51817+__u32
51818+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
51819+{
51820+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
51821+}
51822+
51823+__u32
51824+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
51825+{
51826+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
51827+ GR_UNIXCONNECT_ACL_MSG);
51828+}
51829+
51830+/* hardlinks require at minimum create and link permission,
51831+ any additional privilege required is based on the
51832+ privilege of the file being linked to
51833+*/
51834+__u32
51835+gr_acl_handle_link(const struct dentry * new_dentry,
51836+ const struct dentry * parent_dentry,
51837+ const struct vfsmount * parent_mnt,
51838+ const struct dentry * old_dentry,
51839+ const struct vfsmount * old_mnt, const char *to)
51840+{
51841+ __u32 mode;
51842+ __u32 needmode = GR_CREATE | GR_LINK;
51843+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
51844+
51845+ mode =
51846+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
51847+ old_mnt);
51848+
51849+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
51850+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
51851+ return mode;
51852+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
51853+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
51854+ return 0;
51855+ } else if (unlikely((mode & needmode) != needmode))
51856+ return 0;
51857+
51858+ return 1;
51859+}
51860+
51861+__u32
51862+gr_acl_handle_symlink(const struct dentry * new_dentry,
51863+ const struct dentry * parent_dentry,
51864+ const struct vfsmount * parent_mnt, const char *from)
51865+{
51866+ __u32 needmode = GR_WRITE | GR_CREATE;
51867+ __u32 mode;
51868+
51869+ mode =
51870+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
51871+ GR_CREATE | GR_AUDIT_CREATE |
51872+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
51873+
51874+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
51875+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
51876+ return mode;
51877+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
51878+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
51879+ return 0;
51880+ } else if (unlikely((mode & needmode) != needmode))
51881+ return 0;
51882+
51883+ return (GR_WRITE | GR_CREATE);
51884+}
51885+
51886+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
51887+{
51888+ __u32 mode;
51889+
51890+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
51891+
51892+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
51893+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
51894+ return mode;
51895+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
51896+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
51897+ return 0;
51898+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
51899+ return 0;
51900+
51901+ return (reqmode);
51902+}
51903+
51904+__u32
51905+gr_acl_handle_mknod(const struct dentry * new_dentry,
51906+ const struct dentry * parent_dentry,
51907+ const struct vfsmount * parent_mnt,
51908+ const int mode)
51909+{
51910+ __u32 reqmode = GR_WRITE | GR_CREATE;
51911+ if (unlikely(mode & (S_ISUID | S_ISGID)))
51912+ reqmode |= GR_SETID;
51913+
51914+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
51915+ reqmode, GR_MKNOD_ACL_MSG);
51916+}
51917+
51918+__u32
51919+gr_acl_handle_mkdir(const struct dentry *new_dentry,
51920+ const struct dentry *parent_dentry,
51921+ const struct vfsmount *parent_mnt)
51922+{
51923+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
51924+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
51925+}
51926+
51927+#define RENAME_CHECK_SUCCESS(old, new) \
51928+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
51929+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
51930+
51931+int
51932+gr_acl_handle_rename(struct dentry *new_dentry,
51933+ struct dentry *parent_dentry,
51934+ const struct vfsmount *parent_mnt,
51935+ struct dentry *old_dentry,
51936+ struct inode *old_parent_inode,
51937+ struct vfsmount *old_mnt, const char *newname)
51938+{
51939+ __u32 comp1, comp2;
51940+ int error = 0;
51941+
51942+ if (unlikely(!gr_acl_is_enabled()))
51943+ return 0;
51944+
51945+ if (!new_dentry->d_inode) {
51946+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
51947+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
51948+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
51949+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
51950+ GR_DELETE | GR_AUDIT_DELETE |
51951+ GR_AUDIT_READ | GR_AUDIT_WRITE |
51952+ GR_SUPPRESS, old_mnt);
51953+ } else {
51954+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
51955+ GR_CREATE | GR_DELETE |
51956+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
51957+ GR_AUDIT_READ | GR_AUDIT_WRITE |
51958+ GR_SUPPRESS, parent_mnt);
51959+ comp2 =
51960+ gr_search_file(old_dentry,
51961+ GR_READ | GR_WRITE | GR_AUDIT_READ |
51962+ GR_DELETE | GR_AUDIT_DELETE |
51963+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
51964+ }
51965+
51966+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
51967+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
51968+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
51969+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
51970+ && !(comp2 & GR_SUPPRESS)) {
51971+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
51972+ error = -EACCES;
51973+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
51974+ error = -EACCES;
51975+
51976+ return error;
51977+}
51978+
51979+void
51980+gr_acl_handle_exit(void)
51981+{
51982+ u16 id;
51983+ char *rolename;
51984+ struct file *exec_file;
51985+
51986+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
51987+ !(current->role->roletype & GR_ROLE_PERSIST))) {
51988+ id = current->acl_role_id;
51989+ rolename = current->role->rolename;
51990+ gr_set_acls(1);
51991+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
51992+ }
51993+
51994+ write_lock(&grsec_exec_file_lock);
51995+ exec_file = current->exec_file;
51996+ current->exec_file = NULL;
51997+ write_unlock(&grsec_exec_file_lock);
51998+
51999+ if (exec_file)
52000+ fput(exec_file);
52001+}
52002+
52003+int
52004+gr_acl_handle_procpidmem(const struct task_struct *task)
52005+{
52006+ if (unlikely(!gr_acl_is_enabled()))
52007+ return 0;
52008+
52009+ if (task != current && task->acl->mode & GR_PROTPROCFD)
52010+ return -EACCES;
52011+
52012+ return 0;
52013+}
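Review bot: In gr_acl_handle_symlink the audit branch tests `mode & GR_WRITE && mode & GR_AUDITS` rather than the full needmode, so a subject granted GR_WRITE with an audit bit but lacking GR_CREATE takes that branch and the function returns the nonzero mode; if callers treat any nonzero return as allow, as the sibling handlers' return of reqmode suggests, that permits a symlink the non-audited path on the next branch would deny. gr_acl_handle_link in the same file already uses the stricter form, so the first condition should read `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS))) {`. Separately, gr_acl_handle_access dereferences `dentry->d_inode->i_mode` without the `!dentry->d_inode` guard that gr_acl_handle_hidden_file, gr_acl_handle_open and gr_acl_handle_fchmod apply; if the access(2) hook can only reach it with a positive dentry, a one-line comment stating that assumption would spare the next reader the check.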
52014diff -urNp linux-3.1.1/grsecurity/gracl_ip.c linux-3.1.1/grsecurity/gracl_ip.c
52015--- linux-3.1.1/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
52016+++ linux-3.1.1/grsecurity/gracl_ip.c 2011-11-16 18:40:31.000000000 -0500
52017@@ -0,0 +1,381 @@
52018+#include <linux/kernel.h>
52019+#include <asm/uaccess.h>
52020+#include <asm/errno.h>
52021+#include <net/sock.h>
52022+#include <linux/file.h>
52023+#include <linux/fs.h>
52024+#include <linux/net.h>
52025+#include <linux/in.h>
52026+#include <linux/skbuff.h>
52027+#include <linux/ip.h>
52028+#include <linux/udp.h>
52029+#include <linux/types.h>
52030+#include <linux/sched.h>
52031+#include <linux/netdevice.h>
52032+#include <linux/inetdevice.h>
52033+#include <linux/gracl.h>
52034+#include <linux/grsecurity.h>
52035+#include <linux/grinternal.h>
52036+
52037+#define GR_BIND 0x01
52038+#define GR_CONNECT 0x02
52039+#define GR_INVERT 0x04
52040+#define GR_BINDOVERRIDE 0x08
52041+#define GR_CONNECTOVERRIDE 0x10
52042+#define GR_SOCK_FAMILY 0x20
52043+
52044+static const char * gr_protocols[IPPROTO_MAX] = {
52045+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
52046+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
52047+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
52048+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
52049+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
52050+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
52051+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
52052+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
52053+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
52054+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
52055+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
52056+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
52057+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
52058+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
52059+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
52060+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
52061+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
52062+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
52063+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
52064+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
52065+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
52066+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
52067+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
52068+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
52069+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
52070+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
52071+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
52072+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
52073+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
52074+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
52075+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
52076+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
52077+ };
52078+
52079+static const char * gr_socktypes[SOCK_MAX] = {
52080+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
52081+ "unknown:7", "unknown:8", "unknown:9", "packet"
52082+ };
52083+
52084+static const char * gr_sockfamilies[AF_MAX+1] = {
52085+ "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
52086+ "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
52087+ "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
52088+ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
52089+ };
52090+
52091+const char *
52092+gr_proto_to_name(unsigned char proto)
52093+{
52094+ return gr_protocols[proto];
52095+}
52096+
52097+const char *
52098+gr_socktype_to_name(unsigned char type)
52099+{
52100+ return gr_socktypes[type];
52101+}
52102+
52103+const char *
52104+gr_sockfamily_to_name(unsigned char family)
52105+{
52106+ return gr_sockfamilies[family];
52107+}
52108+
52109+int
52110+gr_search_socket(const int domain, const int type, const int protocol)
52111+{
52112+ struct acl_subject_label *curr;
52113+ const struct cred *cred = current_cred();
52114+
52115+ if (unlikely(!gr_acl_is_enabled()))
52116+ goto exit;
52117+
52118+ if ((domain < 0) || (type < 0) || (protocol < 0) ||
52119+ (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
52120+ goto exit; // let the kernel handle it
52121+
52122+ curr = current->acl;
52123+
52124+ if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
52125+ /* the family is allowed, if this is PF_INET allow it only if
52126+ the extra sock type/protocol checks pass */
52127+ if (domain == PF_INET)
52128+ goto inet_check;
52129+ goto exit;
52130+ } else {
52131+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52132+ __u32 fakeip = 0;
52133+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52134+ current->role->roletype, cred->uid,
52135+ cred->gid, current->exec_file ?
52136+ gr_to_filename(current->exec_file->f_path.dentry,
52137+ current->exec_file->f_path.mnt) :
52138+ curr->filename, curr->filename,
52139+ &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
52140+ &current->signal->saved_ip);
52141+ goto exit;
52142+ }
52143+ goto exit_fail;
52144+ }
52145+
52146+inet_check:
52147+ /* the rest of this checking is for IPv4 only */
52148+ if (!curr->ips)
52149+ goto exit;
52150+
52151+ if ((curr->ip_type & (1 << type)) &&
52152+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
52153+ goto exit;
52154+
52155+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52156+ /* we don't place acls on raw sockets , and sometimes
52157+ dgram/ip sockets are opened for ioctl and not
52158+ bind/connect, so we'll fake a bind learn log */
52159+ if (type == SOCK_RAW || type == SOCK_PACKET) {
52160+ __u32 fakeip = 0;
52161+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52162+ current->role->roletype, cred->uid,
52163+ cred->gid, current->exec_file ?
52164+ gr_to_filename(current->exec_file->f_path.dentry,
52165+ current->exec_file->f_path.mnt) :
52166+ curr->filename, curr->filename,
52167+ &fakeip, 0, type,
52168+ protocol, GR_CONNECT, &current->signal->saved_ip);
52169+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
52170+ __u32 fakeip = 0;
52171+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52172+ current->role->roletype, cred->uid,
52173+ cred->gid, current->exec_file ?
52174+ gr_to_filename(current->exec_file->f_path.dentry,
52175+ current->exec_file->f_path.mnt) :
52176+ curr->filename, curr->filename,
52177+ &fakeip, 0, type,
52178+ protocol, GR_BIND, &current->signal->saved_ip);
52179+ }
52180+ /* we'll log when they use connect or bind */
52181+ goto exit;
52182+ }
52183+
52184+exit_fail:
52185+ if (domain == PF_INET)
52186+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
52187+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
52188+ else
52189+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
52190+ gr_socktype_to_name(type), protocol);
52191+
52192+ return 0;
52193+exit:
52194+ return 1;
52195+}
52196+
52197+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
52198+{
52199+ if ((ip->mode & mode) &&
52200+ (ip_port >= ip->low) &&
52201+ (ip_port <= ip->high) &&
52202+ ((ntohl(ip_addr) & our_netmask) ==
52203+ (ntohl(our_addr) & our_netmask))
52204+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
52205+ && (ip->type & (1 << type))) {
52206+ if (ip->mode & GR_INVERT)
52207+ return 2; // specifically denied
52208+ else
52209+ return 1; // allowed
52210+ }
52211+
52212+ return 0; // not specifically allowed, may continue parsing
52213+}
52214+
52215+static int
52216+gr_search_connectbind(const int full_mode, struct sock *sk,
52217+ struct sockaddr_in *addr, const int type)
52218+{
52219+ char iface[IFNAMSIZ] = {0};
52220+ struct acl_subject_label *curr;
52221+ struct acl_ip_label *ip;
52222+ struct inet_sock *isk;
52223+ struct net_device *dev;
52224+ struct in_device *idev;
52225+ unsigned long i;
52226+ int ret;
52227+ int mode = full_mode & (GR_BIND | GR_CONNECT);
52228+ __u32 ip_addr = 0;
52229+ __u32 our_addr;
52230+ __u32 our_netmask;
52231+ char *p;
52232+ __u16 ip_port = 0;
52233+ const struct cred *cred = current_cred();
52234+
52235+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
52236+ return 0;
52237+
52238+ curr = current->acl;
52239+ isk = inet_sk(sk);
52240+
52241+ /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
52242+ if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
52243+ addr->sin_addr.s_addr = curr->inaddr_any_override;
52244+ if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
52245+ struct sockaddr_in saddr;
52246+ int err;
52247+
52248+ saddr.sin_family = AF_INET;
52249+ saddr.sin_addr.s_addr = curr->inaddr_any_override;
52250+ saddr.sin_port = isk->inet_sport;
52251+
52252+ err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
52253+ if (err)
52254+ return err;
52255+
52256+ err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
52257+ if (err)
52258+ return err;
52259+ }
52260+
52261+ if (!curr->ips)
52262+ return 0;
52263+
52264+ ip_addr = addr->sin_addr.s_addr;
52265+ ip_port = ntohs(addr->sin_port);
52266+
52267+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
52268+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
52269+ current->role->roletype, cred->uid,
52270+ cred->gid, current->exec_file ?
52271+ gr_to_filename(current->exec_file->f_path.dentry,
52272+ current->exec_file->f_path.mnt) :
52273+ curr->filename, curr->filename,
52274+ &ip_addr, ip_port, type,
52275+ sk->sk_protocol, mode, &current->signal->saved_ip);
52276+ return 0;
52277+ }
52278+
52279+ for (i = 0; i < curr->ip_num; i++) {
52280+ ip = *(curr->ips + i);
52281+ if (ip->iface != NULL) {
52282+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
52283+ p = strchr(iface, ':');
52284+ if (p != NULL)
52285+ *p = '\0';
52286+ dev = dev_get_by_name(sock_net(sk), iface);
52287+ if (dev == NULL)
52288+ continue;
52289+ idev = in_dev_get(dev);
52290+ if (idev == NULL) {
52291+ dev_put(dev);
52292+ continue;
52293+ }
52294+ rcu_read_lock();
52295+ for_ifa(idev) {
52296+ if (!strcmp(ip->iface, ifa->ifa_label)) {
52297+ our_addr = ifa->ifa_address;
52298+ our_netmask = 0xffffffff;
52299+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
52300+ if (ret == 1) {
52301+ rcu_read_unlock();
52302+ in_dev_put(idev);
52303+ dev_put(dev);
52304+ return 0;
52305+ } else if (ret == 2) {
52306+ rcu_read_unlock();
52307+ in_dev_put(idev);
52308+ dev_put(dev);
52309+ goto denied;
52310+ }
52311+ }
52312+ } endfor_ifa(idev);
52313+ rcu_read_unlock();
52314+ in_dev_put(idev);
52315+ dev_put(dev);
52316+ } else {
52317+ our_addr = ip->addr;
52318+ our_netmask = ip->netmask;
52319+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
52320+ if (ret == 1)
52321+ return 0;
52322+ else if (ret == 2)
52323+ goto denied;
52324+ }
52325+ }
52326+
52327+denied:
52328+ if (mode == GR_BIND)
52329+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
52330+ else if (mode == GR_CONNECT)
52331+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
52332+
52333+ return -EACCES;
52334+}
52335+
52336+int
52337+gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
52338+{
52339+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
52340+}
52341+
52342+int
52343+gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
52344+{
52345+ return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
52346+}
52347+
52348+int gr_search_listen(struct socket *sock)
52349+{
52350+ struct sock *sk = sock->sk;
52351+ struct sockaddr_in addr;
52352+
52353+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
52354+ addr.sin_port = inet_sk(sk)->inet_sport;
52355+
52356+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
52357+}
52358+
52359+int gr_search_accept(struct socket *sock)
52360+{
52361+ struct sock *sk = sock->sk;
52362+ struct sockaddr_in addr;
52363+
52364+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
52365+ addr.sin_port = inet_sk(sk)->inet_sport;
52366+
52367+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
52368+}
52369+
52370+int
52371+gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
52372+{
52373+ if (addr)
52374+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
52375+ else {
52376+ struct sockaddr_in sin;
52377+ const struct inet_sock *inet = inet_sk(sk);
52378+
52379+ sin.sin_addr.s_addr = inet->inet_daddr;
52380+ sin.sin_port = inet->inet_dport;
52381+
52382+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
52383+ }
52384+}
52385+
52386+int
52387+gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
52388+{
52389+ struct sockaddr_in sin;
52390+
52391+ if (unlikely(skb->len < sizeof (struct udphdr)))
52392+ return 0; // skip this packet
52393+
52394+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
52395+ sin.sin_port = udp_hdr(skb)->source;
52396+
52397+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
52398+}
52399diff -urNp linux-3.1.1/grsecurity/gracl_learn.c linux-3.1.1/grsecurity/gracl_learn.c
52400--- linux-3.1.1/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
52401+++ linux-3.1.1/grsecurity/gracl_learn.c 2011-11-16 18:40:31.000000000 -0500
52402@@ -0,0 +1,207 @@
52403+#include <linux/kernel.h>
52404+#include <linux/mm.h>
52405+#include <linux/sched.h>
52406+#include <linux/poll.h>
52407+#include <linux/string.h>
52408+#include <linux/file.h>
52409+#include <linux/types.h>
52410+#include <linux/vmalloc.h>
52411+#include <linux/grinternal.h>
52412+
52413+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
52414+ size_t count, loff_t *ppos);
52415+extern int gr_acl_is_enabled(void);
52416+
52417+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
52418+static int gr_learn_attached;
52419+
52420+/* use a 512k buffer */
52421+#define LEARN_BUFFER_SIZE (512 * 1024)
52422+
52423+static DEFINE_SPINLOCK(gr_learn_lock);
52424+static DEFINE_MUTEX(gr_learn_user_mutex);
52425+
52426+/* we need to maintain two buffers, so that the kernel context of grlearn
52427+ uses a semaphore around the userspace copying, and the other kernel contexts
52428+ use a spinlock when copying into the buffer, since they cannot sleep
52429+*/
52430+static char *learn_buffer;
52431+static char *learn_buffer_user;
52432+static int learn_buffer_len;
52433+static int learn_buffer_user_len;
52434+
52435+static ssize_t
52436+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
52437+{
52438+ DECLARE_WAITQUEUE(wait, current);
52439+ ssize_t retval = 0;
52440+
52441+ add_wait_queue(&learn_wait, &wait);
52442+ set_current_state(TASK_INTERRUPTIBLE);
52443+ do {
52444+ mutex_lock(&gr_learn_user_mutex);
52445+ spin_lock(&gr_learn_lock);
52446+ if (learn_buffer_len)
52447+ break;
52448+ spin_unlock(&gr_learn_lock);
52449+ mutex_unlock(&gr_learn_user_mutex);
52450+ if (file->f_flags & O_NONBLOCK) {
52451+ retval = -EAGAIN;
52452+ goto out;
52453+ }
52454+ if (signal_pending(current)) {
52455+ retval = -ERESTARTSYS;
52456+ goto out;
52457+ }
52458+
52459+ schedule();
52460+ } while (1);
52461+
52462+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
52463+ learn_buffer_user_len = learn_buffer_len;
52464+ retval = learn_buffer_len;
52465+ learn_buffer_len = 0;
52466+
52467+ spin_unlock(&gr_learn_lock);
52468+
52469+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
52470+ retval = -EFAULT;
52471+
52472+ mutex_unlock(&gr_learn_user_mutex);
52473+out:
52474+ set_current_state(TASK_RUNNING);
52475+ remove_wait_queue(&learn_wait, &wait);
52476+ return retval;
52477+}
52478+
52479+static unsigned int
52480+poll_learn(struct file * file, poll_table * wait)
52481+{
52482+ poll_wait(file, &learn_wait, wait);
52483+
52484+ if (learn_buffer_len)
52485+ return (POLLIN | POLLRDNORM);
52486+
52487+ return 0;
52488+}
52489+
52490+void
52491+gr_clear_learn_entries(void)
52492+{
52493+ char *tmp;
52494+
52495+ mutex_lock(&gr_learn_user_mutex);
52496+ spin_lock(&gr_learn_lock);
52497+ tmp = learn_buffer;
52498+ learn_buffer = NULL;
52499+ spin_unlock(&gr_learn_lock);
52500+ if (tmp)
52501+ vfree(tmp);
52502+ if (learn_buffer_user != NULL) {
52503+ vfree(learn_buffer_user);
52504+ learn_buffer_user = NULL;
52505+ }
52506+ learn_buffer_len = 0;
52507+ mutex_unlock(&gr_learn_user_mutex);
52508+
52509+ return;
52510+}
52511+
52512+void
52513+gr_add_learn_entry(const char *fmt, ...)
52514+{
52515+ va_list args;
52516+ unsigned int len;
52517+
52518+ if (!gr_learn_attached)
52519+ return;
52520+
52521+ spin_lock(&gr_learn_lock);
52522+
52523+ /* leave a gap at the end so we know when it's "full" but don't have to
52524+ compute the exact length of the string we're trying to append
52525+ */
52526+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
52527+ spin_unlock(&gr_learn_lock);
52528+ wake_up_interruptible(&learn_wait);
52529+ return;
52530+ }
52531+ if (learn_buffer == NULL) {
52532+ spin_unlock(&gr_learn_lock);
52533+ return;
52534+ }
52535+
52536+ va_start(args, fmt);
52537+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
52538+ va_end(args);
52539+
52540+ learn_buffer_len += len + 1;
52541+
52542+ spin_unlock(&gr_learn_lock);
52543+ wake_up_interruptible(&learn_wait);
52544+
52545+ return;
52546+}
52547+
52548+static int
52549+open_learn(struct inode *inode, struct file *file)
52550+{
52551+ if (file->f_mode & FMODE_READ && gr_learn_attached)
52552+ return -EBUSY;
52553+ if (file->f_mode & FMODE_READ) {
52554+ int retval = 0;
52555+ mutex_lock(&gr_learn_user_mutex);
52556+ if (learn_buffer == NULL)
52557+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
52558+ if (learn_buffer_user == NULL)
52559+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
52560+ if (learn_buffer == NULL) {
52561+ retval = -ENOMEM;
52562+ goto out_error;
52563+ }
52564+ if (learn_buffer_user == NULL) {
52565+ retval = -ENOMEM;
52566+ goto out_error;
52567+ }
52568+ learn_buffer_len = 0;
52569+ learn_buffer_user_len = 0;
52570+ gr_learn_attached = 1;
52571+out_error:
52572+ mutex_unlock(&gr_learn_user_mutex);
52573+ return retval;
52574+ }
52575+ return 0;
52576+}
52577+
52578+static int
52579+close_learn(struct inode *inode, struct file *file)
52580+{
52581+ if (file->f_mode & FMODE_READ) {
52582+ char *tmp = NULL;
52583+ mutex_lock(&gr_learn_user_mutex);
52584+ spin_lock(&gr_learn_lock);
52585+ tmp = learn_buffer;
52586+ learn_buffer = NULL;
52587+ spin_unlock(&gr_learn_lock);
52588+ if (tmp)
52589+ vfree(tmp);
52590+ if (learn_buffer_user != NULL) {
52591+ vfree(learn_buffer_user);
52592+ learn_buffer_user = NULL;
52593+ }
52594+ learn_buffer_len = 0;
52595+ learn_buffer_user_len = 0;
52596+ gr_learn_attached = 0;
52597+ mutex_unlock(&gr_learn_user_mutex);
52598+ }
52599+
52600+ return 0;
52601+}
52602+
52603+const struct file_operations grsec_fops = {
52604+ .read = read_learn,
52605+ .write = write_grsec_handler,
52606+ .open = open_learn,
52607+ .release = close_learn,
52608+ .poll = poll_learn,
52609+};
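Review bot: In gr_add_learn_entry the vsnprintf return value is added to learn_buffer_len unclamped, so when one entry does not fit in the remaining space (the 16384-byte gap only covers the common case) learn_buffer_len grows past LEARN_BUFFER_SIZE, and the next read_learn then memcpys that many bytes out of learn_buffer and into learn_buffer_user. Clamp before the bookkeeping: `if (len >= LEARN_BUFFER_SIZE - learn_buffer_len) len = LEARN_BUFFER_SIZE - learn_buffer_len - 1;` ahead of `learn_buffer_len += len + 1;`. read_learn also ignores its count argument and copies learn_buffer_user_len bytes to the user buffer; it should copy `min_t(size_t, count, learn_buffer_user_len)` and return that, or -EINVAL when the entry does not fit. A smaller window: open_learn tests gr_learn_attached before taking gr_learn_user_mutex, so two concurrent readers can both pass the -EBUSY check; moving the test under the mutex closes it.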
52610diff -urNp linux-3.1.1/grsecurity/gracl_res.c linux-3.1.1/grsecurity/gracl_res.c
52611--- linux-3.1.1/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
52612+++ linux-3.1.1/grsecurity/gracl_res.c 2011-11-16 18:40:31.000000000 -0500
52613@@ -0,0 +1,68 @@
52614+#include <linux/kernel.h>
52615+#include <linux/sched.h>
52616+#include <linux/gracl.h>
52617+#include <linux/grinternal.h>
52618+
52619+static const char *restab_log[] = {
52620+ [RLIMIT_CPU] = "RLIMIT_CPU",
52621+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
52622+ [RLIMIT_DATA] = "RLIMIT_DATA",
52623+ [RLIMIT_STACK] = "RLIMIT_STACK",
52624+ [RLIMIT_CORE] = "RLIMIT_CORE",
52625+ [RLIMIT_RSS] = "RLIMIT_RSS",
52626+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
52627+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
52628+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
52629+ [RLIMIT_AS] = "RLIMIT_AS",
52630+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
52631+ [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
52632+ [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
52633+ [RLIMIT_NICE] = "RLIMIT_NICE",
52634+ [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
52635+ [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
52636+ [GR_CRASH_RES] = "RLIMIT_CRASH"
52637+};
52638+
52639+void
52640+gr_log_resource(const struct task_struct *task,
52641+ const int res, const unsigned long wanted, const int gt)
52642+{
52643+ const struct cred *cred;
52644+ unsigned long rlim;
52645+
52646+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
52647+ return;
52648+
52649+ // not yet supported resource
52650+ if (unlikely(!restab_log[res]))
52651+ return;
52652+
52653+ if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
52654+ rlim = task_rlimit_max(task, res);
52655+ else
52656+ rlim = task_rlimit(task, res);
52657+
52658+ if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
52659+ return;
52660+
52661+ rcu_read_lock();
52662+ cred = __task_cred(task);
52663+
52664+ if (res == RLIMIT_NPROC &&
52665+ (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
52666+ cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
52667+ goto out_rcu_unlock;
52668+ else if (res == RLIMIT_MEMLOCK &&
52669+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
52670+ goto out_rcu_unlock;
52671+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
52672+ goto out_rcu_unlock;
52673+ rcu_read_unlock();
52674+
52675+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
52676+
52677+ return;
52678+out_rcu_unlock:
52679+ rcu_read_unlock();
52680+ return;
52681+}
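Review bot: gr_log_resource indexes restab_log[res] with the caller-supplied int before any range check, so a res value at or beyond the end of the table (which stops at GR_CRASH_RES) reads past the array; the NULL test covers only holes inside it. Folding the range into the existing early exit, `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res]))`, makes the "not yet supported" path cover out-of-range values too. Whether any current caller can pass such a value is not visible here, but the check costs nothing on this slow path.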
52682diff -urNp linux-3.1.1/grsecurity/gracl_segv.c linux-3.1.1/grsecurity/gracl_segv.c
52683--- linux-3.1.1/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
52684+++ linux-3.1.1/grsecurity/gracl_segv.c 2011-11-16 18:40:31.000000000 -0500
52685@@ -0,0 +1,299 @@
52686+#include <linux/kernel.h>
52687+#include <linux/mm.h>
52688+#include <asm/uaccess.h>
52689+#include <asm/errno.h>
52690+#include <asm/mman.h>
52691+#include <net/sock.h>
52692+#include <linux/file.h>
52693+#include <linux/fs.h>
52694+#include <linux/net.h>
52695+#include <linux/in.h>
52696+#include <linux/slab.h>
52697+#include <linux/types.h>
52698+#include <linux/sched.h>
52699+#include <linux/timer.h>
52700+#include <linux/gracl.h>
52701+#include <linux/grsecurity.h>
52702+#include <linux/grinternal.h>
52703+
52704+static struct crash_uid *uid_set;
52705+static unsigned short uid_used;
52706+static DEFINE_SPINLOCK(gr_uid_lock);
52707+extern rwlock_t gr_inode_lock;
52708+extern struct acl_subject_label *
52709+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
52710+ struct acl_role_label *role);
52711+
52712+#ifdef CONFIG_BTRFS_FS
52713+extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
52714+extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
52715+#endif
52716+
52717+static inline dev_t __get_dev(const struct dentry *dentry)
52718+{
52719+#ifdef CONFIG_BTRFS_FS
52720+ if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
52721+ return get_btrfs_dev_from_inode(dentry->d_inode);
52722+ else
52723+#endif
52724+ return dentry->d_inode->i_sb->s_dev;
52725+}
52726+
52727+int
52728+gr_init_uidset(void)
52729+{
52730+ uid_set =
52731+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
52732+ uid_used = 0;
52733+
52734+ return uid_set ? 1 : 0;
52735+}
52736+
52737+void
52738+gr_free_uidset(void)
52739+{
52740+ if (uid_set)
52741+ kfree(uid_set);
52742+
52743+ return;
52744+}
52745+
52746+int
52747+gr_find_uid(const uid_t uid)
52748+{
52749+ struct crash_uid *tmp = uid_set;
52750+ uid_t buid;
52751+ int low = 0, high = uid_used - 1, mid;
52752+
52753+ while (high >= low) {
52754+ mid = (low + high) >> 1;
52755+ buid = tmp[mid].uid;
52756+ if (buid == uid)
52757+ return mid;
52758+ if (buid > uid)
52759+ high = mid - 1;
52760+ if (buid < uid)
52761+ low = mid + 1;
52762+ }
52763+
52764+ return -1;
52765+}
52766+
52767+static __inline__ void
52768+gr_insertsort(void)
52769+{
52770+ unsigned short i, j;
52771+ struct crash_uid index;
52772+
52773+ for (i = 1; i < uid_used; i++) {
52774+ index = uid_set[i];
52775+ j = i;
52776+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
52777+ uid_set[j] = uid_set[j - 1];
52778+ j--;
52779+ }
52780+ uid_set[j] = index;
52781+ }
52782+
52783+ return;
52784+}
52785+
52786+static __inline__ void
52787+gr_insert_uid(const uid_t uid, const unsigned long expires)
52788+{
52789+ int loc;
52790+
52791+ if (uid_used == GR_UIDTABLE_MAX)
52792+ return;
52793+
52794+ loc = gr_find_uid(uid);
52795+
52796+ if (loc >= 0) {
52797+ uid_set[loc].expires = expires;
52798+ return;
52799+ }
52800+
52801+ uid_set[uid_used].uid = uid;
52802+ uid_set[uid_used].expires = expires;
52803+ uid_used++;
52804+
52805+ gr_insertsort();
52806+
52807+ return;
52808+}
52809+
52810+void
52811+gr_remove_uid(const unsigned short loc)
52812+{
52813+ unsigned short i;
52814+
52815+ for (i = loc + 1; i < uid_used; i++)
52816+ uid_set[i - 1] = uid_set[i];
52817+
52818+ uid_used--;
52819+
52820+ return;
52821+}
52822+
52823+int
52824+gr_check_crash_uid(const uid_t uid)
52825+{
52826+ int loc;
52827+ int ret = 0;
52828+
52829+ if (unlikely(!gr_acl_is_enabled()))
52830+ return 0;
52831+
52832+ spin_lock(&gr_uid_lock);
52833+ loc = gr_find_uid(uid);
52834+
52835+ if (loc < 0)
52836+ goto out_unlock;
52837+
52838+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
52839+ gr_remove_uid(loc);
52840+ else
52841+ ret = 1;
52842+
52843+out_unlock:
52844+ spin_unlock(&gr_uid_lock);
52845+ return ret;
52846+}
52847+
52848+static __inline__ int
52849+proc_is_setxid(const struct cred *cred)
52850+{
52851+ if (cred->uid != cred->euid || cred->uid != cred->suid ||
52852+ cred->uid != cred->fsuid)
52853+ return 1;
52854+ if (cred->gid != cred->egid || cred->gid != cred->sgid ||
52855+ cred->gid != cred->fsgid)
52856+ return 1;
52857+
52858+ return 0;
52859+}
52860+
52861+extern int gr_fake_force_sig(int sig, struct task_struct *t);
52862+
52863+void
52864+gr_handle_crash(struct task_struct *task, const int sig)
52865+{
52866+ struct acl_subject_label *curr;
52867+ struct task_struct *tsk, *tsk2;
52868+ const struct cred *cred;
52869+ const struct cred *cred2;
52870+
52871+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
52872+ return;
52873+
52874+ if (unlikely(!gr_acl_is_enabled()))
52875+ return;
52876+
52877+ curr = task->acl;
52878+
52879+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
52880+ return;
52881+
52882+ if (time_before_eq(curr->expires, get_seconds())) {
52883+ curr->expires = 0;
52884+ curr->crashes = 0;
52885+ }
52886+
52887+ curr->crashes++;
52888+
52889+ if (!curr->expires)
52890+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
52891+
52892+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
52893+ time_after(curr->expires, get_seconds())) {
52894+ rcu_read_lock();
52895+ cred = __task_cred(task);
52896+ if (cred->uid && proc_is_setxid(cred)) {
52897+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
52898+ spin_lock(&gr_uid_lock);
52899+ gr_insert_uid(cred->uid, curr->expires);
52900+ spin_unlock(&gr_uid_lock);
52901+ curr->expires = 0;
52902+ curr->crashes = 0;
52903+ read_lock(&tasklist_lock);
52904+ do_each_thread(tsk2, tsk) {
52905+ cred2 = __task_cred(tsk);
52906+ if (tsk != task && cred2->uid == cred->uid)
52907+ gr_fake_force_sig(SIGKILL, tsk);
52908+ } while_each_thread(tsk2, tsk);
52909+ read_unlock(&tasklist_lock);
52910+ } else {
52911+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
52912+ read_lock(&tasklist_lock);
52913+ read_lock(&grsec_exec_file_lock);
52914+ do_each_thread(tsk2, tsk) {
52915+ if (likely(tsk != task)) {
52916+ // if this thread has the same subject as the one that triggered
52917+ // RES_CRASH and it's the same binary, kill it
52918+ if (tsk->acl == task->acl && tsk->exec_file == task->exec_file)
52919+ gr_fake_force_sig(SIGKILL, tsk);
52920+ }
52921+ } while_each_thread(tsk2, tsk);
52922+ read_unlock(&grsec_exec_file_lock);
52923+ read_unlock(&tasklist_lock);
52924+ }
52925+ rcu_read_unlock();
52926+ }
52927+
52928+ return;
52929+}
52930+
52931+int
52932+gr_check_crash_exec(const struct file *filp)
52933+{
52934+ struct acl_subject_label *curr;
52935+
52936+ if (unlikely(!gr_acl_is_enabled()))
52937+ return 0;
52938+
52939+ read_lock(&gr_inode_lock);
52940+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
52941+ __get_dev(filp->f_path.dentry),
52942+ current->role);
52943+ read_unlock(&gr_inode_lock);
52944+
52945+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
52946+ (!curr->crashes && !curr->expires))
52947+ return 0;
52948+
52949+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
52950+ time_after(curr->expires, get_seconds()))
52951+ return 1;
52952+ else if (time_before_eq(curr->expires, get_seconds())) {
52953+ curr->crashes = 0;
52954+ curr->expires = 0;
52955+ }
52956+
52957+ return 0;
52958+}
52959+
52960+void
52961+gr_handle_alertkill(struct task_struct *task)
52962+{
52963+ struct acl_subject_label *curracl;
52964+ __u32 curr_ip;
52965+ struct task_struct *p, *p2;
52966+
52967+ if (unlikely(!gr_acl_is_enabled()))
52968+ return;
52969+
52970+ curracl = task->acl;
52971+ curr_ip = task->signal->curr_ip;
52972+
52973+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
52974+ read_lock(&tasklist_lock);
52975+ do_each_thread(p2, p) {
52976+ if (p->signal->curr_ip == curr_ip)
52977+ gr_fake_force_sig(SIGKILL, p);
52978+ } while_each_thread(p2, p);
52979+ read_unlock(&tasklist_lock);
52980+ } else if (curracl->mode & GR_KILLPROC)
52981+ gr_fake_force_sig(SIGKILL, task);
52982+
52983+ return;
52984+}
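Review bot: gr_handle_crash and gr_check_crash_exec read and modify curr->crashes and curr->expires on the shared acl_subject_label without any lock visible in this file; gr_uid_lock only covers the uid table, so two threads of the same subject crashing at once can race on the counter and on the expiry reset. If the subject label is not serialized elsewhere (its locking is outside this hunk), the counter updates should sit under a lock, or the best-effort nature should be stated in a comment above `curr->crashes++;`. A smaller point in gr_init_uidset: `uid_set = kcalloc(GR_UIDTABLE_MAX, sizeof(*uid_set), GFP_KERNEL);` avoids the open-coded multiply and zero-fills the table.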
52985diff -urNp linux-3.1.1/grsecurity/gracl_shm.c linux-3.1.1/grsecurity/gracl_shm.c
52986--- linux-3.1.1/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
52987+++ linux-3.1.1/grsecurity/gracl_shm.c 2011-11-16 18:40:31.000000000 -0500
52988@@ -0,0 +1,40 @@
52989+#include <linux/kernel.h>
52990+#include <linux/mm.h>
52991+#include <linux/sched.h>
52992+#include <linux/file.h>
52993+#include <linux/ipc.h>
52994+#include <linux/gracl.h>
52995+#include <linux/grsecurity.h>
52996+#include <linux/grinternal.h>
52997+
52998+int
52999+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
53000+ const time_t shm_createtime, const uid_t cuid, const int shmid)
53001+{
53002+ struct task_struct *task;
53003+
53004+ if (!gr_acl_is_enabled())
53005+ return 1;
53006+
53007+ rcu_read_lock();
53008+ read_lock(&tasklist_lock);
53009+
53010+ task = find_task_by_vpid(shm_cprid);
53011+
53012+ if (unlikely(!task))
53013+ task = find_task_by_vpid(shm_lapid);
53014+
53015+ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
53016+ (task->pid == shm_lapid)) &&
53017+ (task->acl->mode & GR_PROTSHM) &&
53018+ (task->acl != current->acl))) {
53019+ read_unlock(&tasklist_lock);
53020+ rcu_read_unlock();
53021+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
53022+ return 0;
53023+ }
53024+ read_unlock(&tasklist_lock);
53025+ rcu_read_unlock();
53026+
53027+ return 1;
53028+}
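Review bot: The creator check compares task->start_time.tv_sec with shm_createtime after casting both to unsigned long; if start_time is the monotonic clock while shm_createtime is the wall-clock seconds recorded at segment creation, the two values come from different clocks and the pid-reuse guard does not reliably detect a recycled pid — confirm which clock the caller stores. A comment next to the comparison naming the intended clock, e.g. `/* start_time and shm_createtime must come from the same clock for this pid-reuse check */`, would make the assumption checkable. Also, find_task_by_vpid resolves shm_cprid and shm_lapid in the caller's pid namespace while the pids were presumably recorded in the creator's, so cross-namespace attaches may compare unrelated tasks; worth a comment if that is accepted.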
53029diff -urNp linux-3.1.1/grsecurity/grsec_chdir.c linux-3.1.1/grsecurity/grsec_chdir.c
53030--- linux-3.1.1/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
53031+++ linux-3.1.1/grsecurity/grsec_chdir.c 2011-11-16 18:40:31.000000000 -0500
53032@@ -0,0 +1,19 @@
53033+#include <linux/kernel.h>
53034+#include <linux/sched.h>
53035+#include <linux/fs.h>
53036+#include <linux/file.h>
53037+#include <linux/grsecurity.h>
53038+#include <linux/grinternal.h>
53039+
53040+void
53041+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
53042+{
53043+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
53044+ if ((grsec_enable_chdir && grsec_enable_group &&
53045+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
53046+ !grsec_enable_group)) {
53047+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
53048+ }
53049+#endif
53050+ return;
53051+}
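Review bot: The audit condition in gr_log_chdir repeats grsec_enable_chdir in both disjuncts; `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` states the same rule more readably and tests the flag once. A one-line comment above the test, such as `/* audit every chdir, or only those by the audit group when group filtering is on */`, would also help the next reader.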
53052diff -urNp linux-3.1.1/grsecurity/grsec_chroot.c linux-3.1.1/grsecurity/grsec_chroot.c
53053--- linux-3.1.1/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
53054+++ linux-3.1.1/grsecurity/grsec_chroot.c 2011-11-16 18:40:31.000000000 -0500
53055@@ -0,0 +1,351 @@
53056+#include <linux/kernel.h>
53057+#include <linux/module.h>
53058+#include <linux/sched.h>
53059+#include <linux/file.h>
53060+#include <linux/fs.h>
53061+#include <linux/mount.h>
53062+#include <linux/types.h>
53063+#include <linux/pid_namespace.h>
53064+#include <linux/grsecurity.h>
53065+#include <linux/grinternal.h>
53066+
53067+void gr_set_chroot_entries(struct task_struct *task, struct path *path)
53068+{
53069+#ifdef CONFIG_GRKERNSEC
53070+ if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
53071+ path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
53072+ task->gr_is_chrooted = 1;
53073+ else
53074+ task->gr_is_chrooted = 0;
53075+
53076+ task->gr_chroot_dentry = path->dentry;
53077+#endif
53078+ return;
53079+}
53080+
53081+void gr_clear_chroot_entries(struct task_struct *task)
53082+{
53083+#ifdef CONFIG_GRKERNSEC
53084+ task->gr_is_chrooted = 0;
53085+ task->gr_chroot_dentry = NULL;
53086+#endif
53087+ return;
53088+}
53089+
53090+int
53091+gr_handle_chroot_unix(const pid_t pid)
53092+{
53093+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
53094+ struct task_struct *p;
53095+
53096+ if (unlikely(!grsec_enable_chroot_unix))
53097+ return 1;
53098+
53099+ if (likely(!proc_is_chrooted(current)))
53100+ return 1;
53101+
53102+ rcu_read_lock();
53103+ read_lock(&tasklist_lock);
53104+ p = find_task_by_vpid_unrestricted(pid);
53105+ if (unlikely(p && !have_same_root(current, p))) {
53106+ read_unlock(&tasklist_lock);
53107+ rcu_read_unlock();
53108+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
53109+ return 0;
53110+ }
53111+ read_unlock(&tasklist_lock);
53112+ rcu_read_unlock();
53113+#endif
53114+ return 1;
53115+}
53116+
53117+int
53118+gr_handle_chroot_nice(void)
53119+{
53120+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
53121+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
53122+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
53123+ return -EPERM;
53124+ }
53125+#endif
53126+ return 0;
53127+}
53128+
53129+int
53130+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
53131+{
53132+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
53133+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
53134+ && proc_is_chrooted(current)) {
53135+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
53136+ return -EACCES;
53137+ }
53138+#endif
53139+ return 0;
53140+}
53141+
53142+int
53143+gr_handle_chroot_rawio(const struct inode *inode)
53144+{
53145+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53146+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
53147+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
53148+ return 1;
53149+#endif
53150+ return 0;
53151+}
53152+
53153+int
53154+gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
53155+{
53156+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
53157+ struct task_struct *p;
53158+ int ret = 0;
53159+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
53160+ return ret;
53161+
53162+ read_lock(&tasklist_lock);
53163+ do_each_pid_task(pid, type, p) {
53164+ if (!have_same_root(current, p)) {
53165+ ret = 1;
53166+ goto out;
53167+ }
53168+ } while_each_pid_task(pid, type, p);
53169+out:
53170+ read_unlock(&tasklist_lock);
53171+ return ret;
53172+#endif
53173+ return 0;
53174+}
53175+
53176+int
53177+gr_pid_is_chrooted(struct task_struct *p)
53178+{
53179+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
53180+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
53181+ return 0;
53182+
53183+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
53184+ !have_same_root(current, p)) {
53185+ return 1;
53186+ }
53187+#endif
53188+ return 0;
53189+}
53190+
53191+EXPORT_SYMBOL(gr_pid_is_chrooted);
53192+
53193+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
53194+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
53195+{
53196+ struct path path, currentroot;
53197+ int ret = 0;
53198+
53199+ path.dentry = (struct dentry *)u_dentry;
53200+ path.mnt = (struct vfsmount *)u_mnt;
53201+ get_fs_root(current->fs, &currentroot);
53202+ if (path_is_under(&path, &currentroot))
53203+ ret = 1;
53204+ path_put(&currentroot);
53205+
53206+ return ret;
53207+}
53208+#endif
53209+
53210+int
53211+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
53212+{
53213+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
53214+ if (!grsec_enable_chroot_fchdir)
53215+ return 1;
53216+
53217+ if (!proc_is_chrooted(current))
53218+ return 1;
53219+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
53220+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
53221+ return 0;
53222+ }
53223+#endif
53224+ return 1;
53225+}
53226+
53227+int
53228+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
53229+ const time_t shm_createtime)
53230+{
53231+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
53232+ struct task_struct *p;
53233+ time_t starttime;
53234+
53235+ if (unlikely(!grsec_enable_chroot_shmat))
53236+ return 1;
53237+
53238+ if (likely(!proc_is_chrooted(current)))
53239+ return 1;
53240+
53241+ rcu_read_lock();
53242+ read_lock(&tasklist_lock);
53243+
53244+ if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
53245+ starttime = p->start_time.tv_sec;
53246+ if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
53247+ if (have_same_root(current, p)) {
53248+ goto allow;
53249+ } else {
53250+ read_unlock(&tasklist_lock);
53251+ rcu_read_unlock();
53252+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
53253+ return 0;
53254+ }
53255+ }
53256+ /* creator exited, pid reuse, fall through to next check */
53257+ }
53258+ if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
53259+ if (unlikely(!have_same_root(current, p))) {
53260+ read_unlock(&tasklist_lock);
53261+ rcu_read_unlock();
53262+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
53263+ return 0;
53264+ }
53265+ }
53266+
53267+allow:
53268+ read_unlock(&tasklist_lock);
53269+ rcu_read_unlock();
53270+#endif
53271+ return 1;
53272+}
53273+
53274+void
53275+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
53276+{
53277+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
53278+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
53279+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
53280+#endif
53281+ return;
53282+}
53283+
53284+int
53285+gr_handle_chroot_mknod(const struct dentry *dentry,
53286+ const struct vfsmount *mnt, const int mode)
53287+{
53288+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
53289+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
53290+ proc_is_chrooted(current)) {
53291+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
53292+ return -EPERM;
53293+ }
53294+#endif
53295+ return 0;
53296+}
53297+
53298+int
53299+gr_handle_chroot_mount(const struct dentry *dentry,
53300+ const struct vfsmount *mnt, const char *dev_name)
53301+{
53302+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
53303+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
53304+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
53305+ return -EPERM;
53306+ }
53307+#endif
53308+ return 0;
53309+}
53310+
53311+int
53312+gr_handle_chroot_pivot(void)
53313+{
53314+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
53315+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
53316+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
53317+ return -EPERM;
53318+ }
53319+#endif
53320+ return 0;
53321+}
53322+
53323+int
53324+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
53325+{
53326+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
53327+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
53328+ !gr_is_outside_chroot(dentry, mnt)) {
53329+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
53330+ return -EPERM;
53331+ }
53332+#endif
53333+ return 0;
53334+}
53335+
53336+extern const char *captab_log[];
53337+extern int captab_log_entries;
53338+
53339+int
53340+gr_chroot_is_capable(const int cap)
53341+{
53342+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53343+ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
53344+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
53345+ if (cap_raised(chroot_caps, cap)) {
53346+ const struct cred *creds = current_cred();
53347+ if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) {
53348+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]);
53349+ }
53350+ return 0;
53351+ }
53352+ }
53353+#endif
53354+ return 1;
53355+}
53356+
53357+int
53358+gr_chroot_is_capable_nolog(const int cap)
53359+{
53360+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53361+ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
53362+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
53363+ if (cap_raised(chroot_caps, cap)) {
53364+ return 0;
53365+ }
53366+ }
53367+#endif
53368+ return 1;
53369+}
53370+
53371+int
53372+gr_handle_chroot_sysctl(const int op)
53373+{
53374+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
53375+ if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
53376+ proc_is_chrooted(current))
53377+ return -EACCES;
53378+#endif
53379+ return 0;
53380+}
53381+
53382+void
53383+gr_handle_chroot_chdir(struct path *path)
53384+{
53385+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
53386+ if (grsec_enable_chroot_chdir)
53387+ set_fs_pwd(current->fs, path);
53388+#endif
53389+ return;
53390+}
53391+
53392+int
53393+gr_handle_chroot_chmod(const struct dentry *dentry,
53394+ const struct vfsmount *mnt, const int mode)
53395+{
53396+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
53397+ /* allow chmod +s on directories, but not files */
53398+ if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
53399+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
53400+ proc_is_chrooted(current)) {
53401+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
53402+ return -EPERM;
53403+ }
53404+#endif
53405+ return 0;
53406+}
53407diff -urNp linux-3.1.1/grsecurity/grsec_disabled.c linux-3.1.1/grsecurity/grsec_disabled.c
53408--- linux-3.1.1/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
53409+++ linux-3.1.1/grsecurity/grsec_disabled.c 2011-11-17 00:16:25.000000000 -0500
53410@@ -0,0 +1,439 @@
53411+#include <linux/kernel.h>
53412+#include <linux/module.h>
53413+#include <linux/sched.h>
53414+#include <linux/file.h>
53415+#include <linux/fs.h>
53416+#include <linux/kdev_t.h>
53417+#include <linux/net.h>
53418+#include <linux/in.h>
53419+#include <linux/ip.h>
53420+#include <linux/skbuff.h>
53421+#include <linux/sysctl.h>
53422+
53423+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
53424+void
53425+pax_set_initial_flags(struct linux_binprm *bprm)
53426+{
53427+ return;
53428+}
53429+#endif
53430+
53431+#ifdef CONFIG_SYSCTL
53432+__u32
53433+gr_handle_sysctl(const struct ctl_table * table, const int op)
53434+{
53435+ return 0;
53436+}
53437+#endif
53438+
53439+#ifdef CONFIG_TASKSTATS
53440+int gr_is_taskstats_denied(int pid)
53441+{
53442+ return 0;
53443+}
53444+#endif
53445+
53446+int
53447+gr_acl_is_enabled(void)
53448+{
53449+ return 0;
53450+}
53451+
53452+void
53453+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
53454+{
53455+ return;
53456+}
53457+
53458+int
53459+gr_handle_rawio(const struct inode *inode)
53460+{
53461+ return 0;
53462+}
53463+
53464+void
53465+gr_acl_handle_psacct(struct task_struct *task, const long code)
53466+{
53467+ return;
53468+}
53469+
53470+int
53471+gr_handle_ptrace(struct task_struct *task, const long request)
53472+{
53473+ return 0;
53474+}
53475+
53476+int
53477+gr_handle_proc_ptrace(struct task_struct *task)
53478+{
53479+ return 0;
53480+}
53481+
53482+void
53483+gr_learn_resource(const struct task_struct *task,
53484+ const int res, const unsigned long wanted, const int gt)
53485+{
53486+ return;
53487+}
53488+
53489+int
53490+gr_set_acls(const int type)
53491+{
53492+ return 0;
53493+}
53494+
53495+int
53496+gr_check_hidden_task(const struct task_struct *tsk)
53497+{
53498+ return 0;
53499+}
53500+
53501+int
53502+gr_check_protected_task(const struct task_struct *task)
53503+{
53504+ return 0;
53505+}
53506+
53507+int
53508+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
53509+{
53510+ return 0;
53511+}
53512+
53513+void
53514+gr_copy_label(struct task_struct *tsk)
53515+{
53516+ return;
53517+}
53518+
53519+void
53520+gr_set_pax_flags(struct task_struct *task)
53521+{
53522+ return;
53523+}
53524+
53525+int
53526+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
53527+ const int unsafe_share)
53528+{
53529+ return 0;
53530+}
53531+
53532+void
53533+gr_handle_delete(const ino_t ino, const dev_t dev)
53534+{
53535+ return;
53536+}
53537+
53538+void
53539+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
53540+{
53541+ return;
53542+}
53543+
53544+void
53545+gr_handle_crash(struct task_struct *task, const int sig)
53546+{
53547+ return;
53548+}
53549+
53550+int
53551+gr_check_crash_exec(const struct file *filp)
53552+{
53553+ return 0;
53554+}
53555+
53556+int
53557+gr_check_crash_uid(const uid_t uid)
53558+{
53559+ return 0;
53560+}
53561+
53562+void
53563+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
53564+ struct dentry *old_dentry,
53565+ struct dentry *new_dentry,
53566+ struct vfsmount *mnt, const __u8 replace)
53567+{
53568+ return;
53569+}
53570+
53571+int
53572+gr_search_socket(const int family, const int type, const int protocol)
53573+{
53574+ return 1;
53575+}
53576+
53577+int
53578+gr_search_connectbind(const int mode, const struct socket *sock,
53579+ const struct sockaddr_in *addr)
53580+{
53581+ return 0;
53582+}
53583+
53584+void
53585+gr_handle_alertkill(struct task_struct *task)
53586+{
53587+ return;
53588+}
53589+
53590+__u32
53591+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
53592+{
53593+ return 1;
53594+}
53595+
53596+__u32
53597+gr_acl_handle_hidden_file(const struct dentry * dentry,
53598+ const struct vfsmount * mnt)
53599+{
53600+ return 1;
53601+}
53602+
53603+__u32
53604+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
53605+ int acc_mode)
53606+{
53607+ return 1;
53608+}
53609+
53610+__u32
53611+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
53612+{
53613+ return 1;
53614+}
53615+
53616+__u32
53617+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
53618+{
53619+ return 1;
53620+}
53621+
53622+int
53623+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
53624+ unsigned int *vm_flags)
53625+{
53626+ return 1;
53627+}
53628+
53629+__u32
53630+gr_acl_handle_truncate(const struct dentry * dentry,
53631+ const struct vfsmount * mnt)
53632+{
53633+ return 1;
53634+}
53635+
53636+__u32
53637+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
53638+{
53639+ return 1;
53640+}
53641+
53642+__u32
53643+gr_acl_handle_access(const struct dentry * dentry,
53644+ const struct vfsmount * mnt, const int fmode)
53645+{
53646+ return 1;
53647+}
53648+
53649+__u32
53650+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
53651+ mode_t mode)
53652+{
53653+ return 1;
53654+}
53655+
53656+__u32
53657+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
53658+ mode_t mode)
53659+{
53660+ return 1;
53661+}
53662+
53663+__u32
53664+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
53665+{
53666+ return 1;
53667+}
53668+
53669+__u32
53670+gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
53671+{
53672+ return 1;
53673+}
53674+
53675+void
53676+grsecurity_init(void)
53677+{
53678+ return;
53679+}
53680+
53681+__u32
53682+gr_acl_handle_mknod(const struct dentry * new_dentry,
53683+ const struct dentry * parent_dentry,
53684+ const struct vfsmount * parent_mnt,
53685+ const int mode)
53686+{
53687+ return 1;
53688+}
53689+
53690+__u32
53691+gr_acl_handle_mkdir(const struct dentry * new_dentry,
53692+ const struct dentry * parent_dentry,
53693+ const struct vfsmount * parent_mnt)
53694+{
53695+ return 1;
53696+}
53697+
53698+__u32
53699+gr_acl_handle_symlink(const struct dentry * new_dentry,
53700+ const struct dentry * parent_dentry,
53701+ const struct vfsmount * parent_mnt, const char *from)
53702+{
53703+ return 1;
53704+}
53705+
53706+__u32
53707+gr_acl_handle_link(const struct dentry * new_dentry,
53708+ const struct dentry * parent_dentry,
53709+ const struct vfsmount * parent_mnt,
53710+ const struct dentry * old_dentry,
53711+ const struct vfsmount * old_mnt, const char *to)
53712+{
53713+ return 1;
53714+}
53715+
53716+int
53717+gr_acl_handle_rename(const struct dentry *new_dentry,
53718+ const struct dentry *parent_dentry,
53719+ const struct vfsmount *parent_mnt,
53720+ const struct dentry *old_dentry,
53721+ const struct inode *old_parent_inode,
53722+ const struct vfsmount *old_mnt, const char *newname)
53723+{
53724+ return 0;
53725+}
53726+
53727+int
53728+gr_acl_handle_filldir(const struct file *file, const char *name,
53729+ const int namelen, const ino_t ino)
53730+{
53731+ return 1;
53732+}
53733+
53734+int
53735+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
53736+ const time_t shm_createtime, const uid_t cuid, const int shmid)
53737+{
53738+ return 1;
53739+}
53740+
53741+int
53742+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
53743+{
53744+ return 0;
53745+}
53746+
53747+int
53748+gr_search_accept(const struct socket *sock)
53749+{
53750+ return 0;
53751+}
53752+
53753+int
53754+gr_search_listen(const struct socket *sock)
53755+{
53756+ return 0;
53757+}
53758+
53759+int
53760+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
53761+{
53762+ return 0;
53763+}
53764+
53765+__u32
53766+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
53767+{
53768+ return 1;
53769+}
53770+
53771+__u32
53772+gr_acl_handle_creat(const struct dentry * dentry,
53773+ const struct dentry * p_dentry,
53774+ const struct vfsmount * p_mnt, int open_flags, int acc_mode,
53775+ const int imode)
53776+{
53777+ return 1;
53778+}
53779+
53780+void
53781+gr_acl_handle_exit(void)
53782+{
53783+ return;
53784+}
53785+
53786+int
53787+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
53788+{
53789+ return 1;
53790+}
53791+
53792+void
53793+gr_set_role_label(const uid_t uid, const gid_t gid)
53794+{
53795+ return;
53796+}
53797+
53798+int
53799+gr_acl_handle_procpidmem(const struct task_struct *task)
53800+{
53801+ return 0;
53802+}
53803+
53804+int
53805+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
53806+{
53807+ return 0;
53808+}
53809+
53810+int
53811+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
53812+{
53813+ return 0;
53814+}
53815+
53816+void
53817+gr_set_kernel_label(struct task_struct *task)
53818+{
53819+ return;
53820+}
53821+
53822+int
53823+gr_check_user_change(int real, int effective, int fs)
53824+{
53825+ return 0;
53826+}
53827+
53828+int
53829+gr_check_group_change(int real, int effective, int fs)
53830+{
53831+ return 0;
53832+}
53833+
53834+int gr_acl_enable_at_secure(void)
53835+{
53836+ return 0;
53837+}
53838+
53839+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
53840+{
53841+ return dentry->d_inode->i_sb->s_dev;
53842+}
53843+
53844+EXPORT_SYMBOL(gr_learn_resource);
53845+EXPORT_SYMBOL(gr_set_kernel_label);
53846+#ifdef CONFIG_SECURITY
53847+EXPORT_SYMBOL(gr_check_user_change);
53848+EXPORT_SYMBOL(gr_check_group_change);
53849+#endif
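Review bot: The stubs in this file follow two opposite success conventions and nothing says which applies where: `gr_search_socket`, the `gr_acl_handle_*` family and `gr_handle_shmat` return 1 to allow, while `gr_search_bind`, `gr_search_connect`, `gr_search_udp_*`, `gr_handle_ptrace` and the `gr_check_*` family return 0 to allow. A stub that copies the wrong convention would presumably turn a hook into deny-everything or allow-everything on builds without CONFIG_GRKERNSEC, so a file-header comment listing the two families, e.g. `/* stubs for CONFIG_GRKERNSEC=n; gr_acl_handle_*/gr_search_socket return 1 = permitted, gr_search_bind/connect/accept/listen and gr_check_* return 0 = permitted */`, would help keep them in step with the real implementations. `gr_get_dev_from_dentry` is the only stub with real logic and dereferences `dentry->d_inode` unconditionally; a one-line comment that callers must pass a positive dentry would be worthwhile.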
53850diff -urNp linux-3.1.1/grsecurity/grsec_exec.c linux-3.1.1/grsecurity/grsec_exec.c
53851--- linux-3.1.1/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
53852+++ linux-3.1.1/grsecurity/grsec_exec.c 2011-11-16 18:40:31.000000000 -0500
53853@@ -0,0 +1,146 @@
53854+#include <linux/kernel.h>
53855+#include <linux/sched.h>
53856+#include <linux/file.h>
53857+#include <linux/binfmts.h>
53858+#include <linux/fs.h>
53859+#include <linux/types.h>
53860+#include <linux/grdefs.h>
53861+#include <linux/grsecurity.h>
53862+#include <linux/grinternal.h>
53863+#include <linux/capability.h>
53864+#include <linux/module.h>
53865+
53866+#include <asm/uaccess.h>
53867+
53868+#ifdef CONFIG_GRKERNSEC_EXECLOG
53869+static char gr_exec_arg_buf[132];
53870+static DEFINE_MUTEX(gr_exec_arg_mutex);
53871+#endif
53872+
53873+extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
53874+
53875+void
53876+gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv)
53877+{
53878+#ifdef CONFIG_GRKERNSEC_EXECLOG
53879+ char *grarg = gr_exec_arg_buf;
53880+ unsigned int i, x, execlen = 0;
53881+ char c;
53882+
53883+ if (!((grsec_enable_execlog && grsec_enable_group &&
53884+ in_group_p(grsec_audit_gid))
53885+ || (grsec_enable_execlog && !grsec_enable_group)))
53886+ return;
53887+
53888+ mutex_lock(&gr_exec_arg_mutex);
53889+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
53890+
53891+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
53892+ const char __user *p;
53893+ unsigned int len;
53894+
53895+ p = get_user_arg_ptr(argv, i);
53896+ if (IS_ERR(p))
53897+ goto log;
53898+
53899+ len = strnlen_user(p, 128 - execlen);
53900+ if (len > 128 - execlen)
53901+ len = 128 - execlen;
53902+ else if (len > 0)
53903+ len--;
53904+ if (copy_from_user(grarg + execlen, p, len))
53905+ goto log;
53906+
53907+ /* rewrite unprintable characters */
53908+ for (x = 0; x < len; x++) {
53909+ c = *(grarg + execlen + x);
53910+ if (c < 32 || c > 126)
53911+ *(grarg + execlen + x) = ' ';
53912+ }
53913+
53914+ execlen += len;
53915+ *(grarg + execlen) = ' ';
53916+ *(grarg + execlen + 1) = '\0';
53917+ execlen++;
53918+ }
53919+
53920+ log:
53921+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
53922+ bprm->file->f_path.mnt, grarg);
53923+ mutex_unlock(&gr_exec_arg_mutex);
53924+#endif
53925+ return;
53926+}
53927+
53928+#ifdef CONFIG_GRKERNSEC
53929+extern int gr_acl_is_capable(const int cap);
53930+extern int gr_acl_is_capable_nolog(const int cap);
53931+extern int gr_chroot_is_capable(const int cap);
53932+extern int gr_chroot_is_capable_nolog(const int cap);
53933+#endif
53934+
53935+const char *captab_log[] = {
53936+ "CAP_CHOWN",
53937+ "CAP_DAC_OVERRIDE",
53938+ "CAP_DAC_READ_SEARCH",
53939+ "CAP_FOWNER",
53940+ "CAP_FSETID",
53941+ "CAP_KILL",
53942+ "CAP_SETGID",
53943+ "CAP_SETUID",
53944+ "CAP_SETPCAP",
53945+ "CAP_LINUX_IMMUTABLE",
53946+ "CAP_NET_BIND_SERVICE",
53947+ "CAP_NET_BROADCAST",
53948+ "CAP_NET_ADMIN",
53949+ "CAP_NET_RAW",
53950+ "CAP_IPC_LOCK",
53951+ "CAP_IPC_OWNER",
53952+ "CAP_SYS_MODULE",
53953+ "CAP_SYS_RAWIO",
53954+ "CAP_SYS_CHROOT",
53955+ "CAP_SYS_PTRACE",
53956+ "CAP_SYS_PACCT",
53957+ "CAP_SYS_ADMIN",
53958+ "CAP_SYS_BOOT",
53959+ "CAP_SYS_NICE",
53960+ "CAP_SYS_RESOURCE",
53961+ "CAP_SYS_TIME",
53962+ "CAP_SYS_TTY_CONFIG",
53963+ "CAP_MKNOD",
53964+ "CAP_LEASE",
53965+ "CAP_AUDIT_WRITE",
53966+ "CAP_AUDIT_CONTROL",
53967+ "CAP_SETFCAP",
53968+ "CAP_MAC_OVERRIDE",
53969+ "CAP_MAC_ADMIN",
53970+ "CAP_SYSLOG",
53971+ "CAP_WAKE_ALARM"
53972+};
53973+
53974+int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
53975+
53976+int gr_is_capable(const int cap)
53977+{
53978+#ifdef CONFIG_GRKERNSEC
53979+ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
53980+ return 1;
53981+ return 0;
53982+#else
53983+ return 1;
53984+#endif
53985+}
53986+
53987+int gr_is_capable_nolog(const int cap)
53988+{
53989+#ifdef CONFIG_GRKERNSEC
53990+ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
53991+ return 1;
53992+ return 0;
53993+#else
53994+ return 1;
53995+#endif
53996+}
53997+
53998+EXPORT_SYMBOL(gr_is_capable);
53999+EXPORT_SYMBOL(gr_is_capable_nolog);
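Review bot: `captab_log` maps capability numbers to names purely by position, so every `GR_CAP_CHROOT_MSG` audit line depends on this list staying in exactly the kernel's CAP_* order and length; a capability added upstream is silently dropped from logging by the `cap < captab_log_entries` check in the chroot hunk above, and a misordered entry would name the wrong capability in the audit trail. Designated initializers make the mapping explicit and order-independent, e.g. `[CAP_CHOWN] = "CAP_CHOWN",` through `[CAP_WAKE_ALARM] = "CAP_WAKE_ALARM"`, with `int captab_log_entries = ARRAY_SIZE(captab_log);` and a `BUILD_BUG_ON(ARRAY_SIZE(captab_log) != CAP_LAST_CAP + 1);` in `gr_is_capable` to catch a stale table at build time. In `gr_handle_exec_args` the 132-byte buffer, the `execlen < 128` loop bound, the `128 - execlen` clamp and the two trailing writes do fit together, but that arithmetic deserves a comment such as `/* execlen <= 128 after the loop; the separator and NUL land at most at index 129 of the 132-byte buffer */` so the next edit to any of the constants is checked against the others.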
54000diff -urNp linux-3.1.1/grsecurity/grsec_fifo.c linux-3.1.1/grsecurity/grsec_fifo.c
54001--- linux-3.1.1/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
54002+++ linux-3.1.1/grsecurity/grsec_fifo.c 2011-11-16 18:40:31.000000000 -0500
54003@@ -0,0 +1,24 @@
54004+#include <linux/kernel.h>
54005+#include <linux/sched.h>
54006+#include <linux/fs.h>
54007+#include <linux/file.h>
54008+#include <linux/grinternal.h>
54009+
54010+int
54011+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
54012+ const struct dentry *dir, const int flag, const int acc_mode)
54013+{
54014+#ifdef CONFIG_GRKERNSEC_FIFO
54015+ const struct cred *cred = current_cred();
54016+
54017+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
54018+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
54019+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
54020+ (cred->fsuid != dentry->d_inode->i_uid)) {
54021+ if (!inode_permission(dentry->d_inode, acc_mode))
54022+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
54023+ return -EACCES;
54024+ }
54025+#endif
54026+ return 0;
54027+}
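Review bot: The `inode_permission()` call in `gr_handle_fifo` only gates the log line while the return value is `-EACCES` either way, and nothing says why; a comment such as `/* log only when DAC would have allowed the open, so an ordinary permission failure is not reported twice */` would record the intent (that reading is inferred from the code, so confirm it against the original design). The rule itself — a FIFO in a sticky directory, owned by neither the directory owner nor the caller, opened without O_EXCL — is also worth stating in a short header comment so it can be compared with the sticky-directory symlink check in grsec_link.c.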
54028diff -urNp linux-3.1.1/grsecurity/grsec_fork.c linux-3.1.1/grsecurity/grsec_fork.c
54029--- linux-3.1.1/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
54030+++ linux-3.1.1/grsecurity/grsec_fork.c 2011-11-16 18:40:31.000000000 -0500
54031@@ -0,0 +1,23 @@
54032+#include <linux/kernel.h>
54033+#include <linux/sched.h>
54034+#include <linux/grsecurity.h>
54035+#include <linux/grinternal.h>
54036+#include <linux/errno.h>
54037+
54038+void
54039+gr_log_forkfail(const int retval)
54040+{
54041+#ifdef CONFIG_GRKERNSEC_FORKFAIL
54042+ if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
54043+ switch (retval) {
54044+ case -EAGAIN:
54045+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
54046+ break;
54047+ case -ENOMEM:
54048+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
54049+ break;
54050+ }
54051+ }
54052+#endif
54053+ return;
54054+}
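Review bot: The outer `if` in `gr_log_forkfail` repeats the two cases the `switch` already selects, and the switch has no `default` arm. A guard clause `if (!grsec_enable_forkfail) return;` followed by the switch with a `default: break;` arm states the rule once and keeps adding a third errno value a one-place change.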
54055diff -urNp linux-3.1.1/grsecurity/grsec_init.c linux-3.1.1/grsecurity/grsec_init.c
54056--- linux-3.1.1/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
54057+++ linux-3.1.1/grsecurity/grsec_init.c 2011-11-16 18:40:31.000000000 -0500
54058@@ -0,0 +1,269 @@
54059+#include <linux/kernel.h>
54060+#include <linux/sched.h>
54061+#include <linux/mm.h>
54062+#include <linux/gracl.h>
54063+#include <linux/slab.h>
54064+#include <linux/vmalloc.h>
54065+#include <linux/percpu.h>
54066+#include <linux/module.h>
54067+
54068+int grsec_enable_brute;
54069+int grsec_enable_link;
54070+int grsec_enable_dmesg;
54071+int grsec_enable_harden_ptrace;
54072+int grsec_enable_fifo;
54073+int grsec_enable_execlog;
54074+int grsec_enable_signal;
54075+int grsec_enable_forkfail;
54076+int grsec_enable_audit_ptrace;
54077+int grsec_enable_time;
54078+int grsec_enable_audit_textrel;
54079+int grsec_enable_group;
54080+int grsec_audit_gid;
54081+int grsec_enable_chdir;
54082+int grsec_enable_mount;
54083+int grsec_enable_rofs;
54084+int grsec_enable_chroot_findtask;
54085+int grsec_enable_chroot_mount;
54086+int grsec_enable_chroot_shmat;
54087+int grsec_enable_chroot_fchdir;
54088+int grsec_enable_chroot_double;
54089+int grsec_enable_chroot_pivot;
54090+int grsec_enable_chroot_chdir;
54091+int grsec_enable_chroot_chmod;
54092+int grsec_enable_chroot_mknod;
54093+int grsec_enable_chroot_nice;
54094+int grsec_enable_chroot_execlog;
54095+int grsec_enable_chroot_caps;
54096+int grsec_enable_chroot_sysctl;
54097+int grsec_enable_chroot_unix;
54098+int grsec_enable_tpe;
54099+int grsec_tpe_gid;
54100+int grsec_enable_blackhole;
54101+#ifdef CONFIG_IPV6_MODULE
54102+EXPORT_SYMBOL(grsec_enable_blackhole);
54103+#endif
54104+int grsec_lastack_retries;
54105+int grsec_enable_tpe_all;
54106+int grsec_enable_tpe_invert;
54107+int grsec_enable_socket_all;
54108+int grsec_socket_all_gid;
54109+int grsec_enable_socket_client;
54110+int grsec_socket_client_gid;
54111+int grsec_enable_socket_server;
54112+int grsec_socket_server_gid;
54113+int grsec_resource_logging;
54114+int grsec_disable_privio;
54115+int grsec_enable_log_rwxmaps;
54116+int grsec_lock;
54117+
54118+DEFINE_SPINLOCK(grsec_alert_lock);
54119+unsigned long grsec_alert_wtime = 0;
54120+unsigned long grsec_alert_fyet = 0;
54121+
54122+DEFINE_SPINLOCK(grsec_audit_lock);
54123+
54124+DEFINE_RWLOCK(grsec_exec_file_lock);
54125+
54126+char *gr_shared_page[4];
54127+
54128+char *gr_alert_log_fmt;
54129+char *gr_audit_log_fmt;
54130+char *gr_alert_log_buf;
54131+char *gr_audit_log_buf;
54132+
54133+extern struct gr_arg *gr_usermode;
54134+extern unsigned char *gr_system_salt;
54135+extern unsigned char *gr_system_sum;
54136+
54137+void __init
54138+grsecurity_init(void)
54139+{
54140+ int j;
54141+ /* create the per-cpu shared pages */
54142+
54143+#ifdef CONFIG_X86
54144+ memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
54145+#endif
54146+
54147+ for (j = 0; j < 4; j++) {
54148+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
54149+ if (gr_shared_page[j] == NULL) {
54150+ panic("Unable to allocate grsecurity shared page");
54151+ return;
54152+ }
54153+ }
54154+
54155+ /* allocate log buffers */
54156+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
54157+ if (!gr_alert_log_fmt) {
54158+ panic("Unable to allocate grsecurity alert log format buffer");
54159+ return;
54160+ }
54161+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
54162+ if (!gr_audit_log_fmt) {
54163+ panic("Unable to allocate grsecurity audit log format buffer");
54164+ return;
54165+ }
54166+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
54167+ if (!gr_alert_log_buf) {
54168+ panic("Unable to allocate grsecurity alert log buffer");
54169+ return;
54170+ }
54171+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
54172+ if (!gr_audit_log_buf) {
54173+ panic("Unable to allocate grsecurity audit log buffer");
54174+ return;
54175+ }
54176+
54177+ /* allocate memory for authentication structure */
54178+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
54179+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
54180+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
54181+
54182+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
54183+ panic("Unable to allocate grsecurity authentication structure");
54184+ return;
54185+ }
54186+
54187+
54188+#ifdef CONFIG_GRKERNSEC_IO
54189+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
54190+ grsec_disable_privio = 1;
54191+#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
54192+ grsec_disable_privio = 1;
54193+#else
54194+ grsec_disable_privio = 0;
54195+#endif
54196+#endif
54197+
54198+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
54199+ /* for backward compatibility, tpe_invert always defaults to on if
54200+ enabled in the kernel
54201+ */
54202+ grsec_enable_tpe_invert = 1;
54203+#endif
54204+
54205+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
54206+#ifndef CONFIG_GRKERNSEC_SYSCTL
54207+ grsec_lock = 1;
54208+#endif
54209+
54210+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
54211+ grsec_enable_audit_textrel = 1;
54212+#endif
54213+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54214+ grsec_enable_log_rwxmaps = 1;
54215+#endif
54216+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
54217+ grsec_enable_group = 1;
54218+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
54219+#endif
54220+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
54221+ grsec_enable_chdir = 1;
54222+#endif
54223+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
54224+ grsec_enable_harden_ptrace = 1;
54225+#endif
54226+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54227+ grsec_enable_mount = 1;
54228+#endif
54229+#ifdef CONFIG_GRKERNSEC_LINK
54230+ grsec_enable_link = 1;
54231+#endif
54232+#ifdef CONFIG_GRKERNSEC_BRUTE
54233+ grsec_enable_brute = 1;
54234+#endif
54235+#ifdef CONFIG_GRKERNSEC_DMESG
54236+ grsec_enable_dmesg = 1;
54237+#endif
54238+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54239+ grsec_enable_blackhole = 1;
54240+ grsec_lastack_retries = 4;
54241+#endif
54242+#ifdef CONFIG_GRKERNSEC_FIFO
54243+ grsec_enable_fifo = 1;
54244+#endif
54245+#ifdef CONFIG_GRKERNSEC_EXECLOG
54246+ grsec_enable_execlog = 1;
54247+#endif
54248+#ifdef CONFIG_GRKERNSEC_SIGNAL
54249+ grsec_enable_signal = 1;
54250+#endif
54251+#ifdef CONFIG_GRKERNSEC_FORKFAIL
54252+ grsec_enable_forkfail = 1;
54253+#endif
54254+#ifdef CONFIG_GRKERNSEC_TIME
54255+ grsec_enable_time = 1;
54256+#endif
54257+#ifdef CONFIG_GRKERNSEC_RESLOG
54258+ grsec_resource_logging = 1;
54259+#endif
54260+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
54261+ grsec_enable_chroot_findtask = 1;
54262+#endif
54263+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
54264+ grsec_enable_chroot_unix = 1;
54265+#endif
54266+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
54267+ grsec_enable_chroot_mount = 1;
54268+#endif
54269+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
54270+ grsec_enable_chroot_fchdir = 1;
54271+#endif
54272+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
54273+ grsec_enable_chroot_shmat = 1;
54274+#endif
54275+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
54276+ grsec_enable_audit_ptrace = 1;
54277+#endif
54278+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
54279+ grsec_enable_chroot_double = 1;
54280+#endif
54281+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
54282+ grsec_enable_chroot_pivot = 1;
54283+#endif
54284+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
54285+ grsec_enable_chroot_chdir = 1;
54286+#endif
54287+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
54288+ grsec_enable_chroot_chmod = 1;
54289+#endif
54290+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
54291+ grsec_enable_chroot_mknod = 1;
54292+#endif
54293+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
54294+ grsec_enable_chroot_nice = 1;
54295+#endif
54296+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
54297+ grsec_enable_chroot_execlog = 1;
54298+#endif
54299+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
54300+ grsec_enable_chroot_caps = 1;
54301+#endif
54302+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
54303+ grsec_enable_chroot_sysctl = 1;
54304+#endif
54305+#ifdef CONFIG_GRKERNSEC_TPE
54306+ grsec_enable_tpe = 1;
54307+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
54308+#ifdef CONFIG_GRKERNSEC_TPE_ALL
54309+ grsec_enable_tpe_all = 1;
54310+#endif
54311+#endif
54312+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
54313+ grsec_enable_socket_all = 1;
54314+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
54315+#endif
54316+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
54317+ grsec_enable_socket_client = 1;
54318+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
54319+#endif
54320+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
54321+ grsec_enable_socket_server = 1;
54322+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
54323+#endif
54324+#endif
54325+
54326+ return;
54327+}
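Review bot: The `memset((char *)(0x41a + PAGE_OFFSET), 0, 36)` at the top of `grsecurity_init` carries no comment and the two magic numbers are the only hint of what it does; the range 0x41a–0x43d matches the real-mode BIOS data area's keyboard-buffer head/tail pointers and 32-byte ring buffer, so this looks like a wipe of keystrokes (for example a passphrase typed to a boot loader) left in low memory — confirm that intent and record it, e.g. `/* zero the BIOS keyboard buffer (BDA 0x41a-0x43d) so keystrokes typed before the kernel started do not linger in low memory */`, ideally with the offset and length as named constants. Each `panic(...)` is followed by a `return;` that is unreachable since `panic()` does not return; dropping those lines avoids suggesting a recovery path that does not exist. The `__alloc_percpu()` result is cast to `char *`, which discards the `__percpu` address-space annotation; declaring `gr_shared_page` as `char __percpu *` would let sparse check wherever the pages are later dereferenced.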
54328diff -urNp linux-3.1.1/grsecurity/grsec_link.c linux-3.1.1/grsecurity/grsec_link.c
54329--- linux-3.1.1/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
54330+++ linux-3.1.1/grsecurity/grsec_link.c 2011-11-16 18:40:31.000000000 -0500
54331@@ -0,0 +1,43 @@
54332+#include <linux/kernel.h>
54333+#include <linux/sched.h>
54334+#include <linux/fs.h>
54335+#include <linux/file.h>
54336+#include <linux/grinternal.h>
54337+
54338+int
54339+gr_handle_follow_link(const struct inode *parent,
54340+ const struct inode *inode,
54341+ const struct dentry *dentry, const struct vfsmount *mnt)
54342+{
54343+#ifdef CONFIG_GRKERNSEC_LINK
54344+ const struct cred *cred = current_cred();
54345+
54346+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
54347+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
54348+ (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
54349+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
54350+ return -EACCES;
54351+ }
54352+#endif
54353+ return 0;
54354+}
54355+
54356+int
54357+gr_handle_hardlink(const struct dentry *dentry,
54358+ const struct vfsmount *mnt,
54359+ struct inode *inode, const int mode, const char *to)
54360+{
54361+#ifdef CONFIG_GRKERNSEC_LINK
54362+ const struct cred *cred = current_cred();
54363+
54364+ if (grsec_enable_link && cred->fsuid != inode->i_uid &&
54365+ (!S_ISREG(mode) || (mode & S_ISUID) ||
54366+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
54367+ (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
54368+ !capable(CAP_FOWNER) && cred->uid) {
54369+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
54370+ return -EPERM;
54371+ }
54372+#endif
54373+ return 0;
54374+}
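Review bot: The deny condition in `gr_handle_hardlink` packs five tests into one expression with no explanation, including an `inode_permission(inode, MAY_READ | MAY_WRITE)` term whose nonzero result means "no access", which is easy to misread as the opposite. A comment above the `if` such as `/* refuse a hardlink to a file the caller does not own when the target is not a regular file, is setuid or setgid-executable, or the caller lacks read+write access to it; CAP_FOWNER and uid 0 are exempt */` would make the rule auditable, and the sticky-directory symlink rule in `gr_handle_follow_link` deserves the same. Note that `gr_handle_follow_link` exempts nobody (no `capable()` check) while `gr_handle_hardlink` does; if that asymmetry is deliberate, a comment saying so would stop a later reviewer from "fixing" it.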
54375diff -urNp linux-3.1.1/grsecurity/grsec_log.c linux-3.1.1/grsecurity/grsec_log.c
54376--- linux-3.1.1/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
54377+++ linux-3.1.1/grsecurity/grsec_log.c 2011-11-16 18:40:31.000000000 -0500
54378@@ -0,0 +1,322 @@
54379+#include <linux/kernel.h>
54380+#include <linux/sched.h>
54381+#include <linux/file.h>
54382+#include <linux/tty.h>
54383+#include <linux/fs.h>
54384+#include <linux/grinternal.h>
54385+
54386+#ifdef CONFIG_TREE_PREEMPT_RCU
54387+#define DISABLE_PREEMPT() preempt_disable()
54388+#define ENABLE_PREEMPT() preempt_enable()
54389+#else
54390+#define DISABLE_PREEMPT()
54391+#define ENABLE_PREEMPT()
54392+#endif
54393+
54394+#define BEGIN_LOCKS(x) \
54395+ DISABLE_PREEMPT(); \
54396+ rcu_read_lock(); \
54397+ read_lock(&tasklist_lock); \
54398+ read_lock(&grsec_exec_file_lock); \
54399+ if (x != GR_DO_AUDIT) \
54400+ spin_lock(&grsec_alert_lock); \
54401+ else \
54402+ spin_lock(&grsec_audit_lock)
54403+
54404+#define END_LOCKS(x) \
54405+ if (x != GR_DO_AUDIT) \
54406+ spin_unlock(&grsec_alert_lock); \
54407+ else \
54408+ spin_unlock(&grsec_audit_lock); \
54409+ read_unlock(&grsec_exec_file_lock); \
54410+ read_unlock(&tasklist_lock); \
54411+ rcu_read_unlock(); \
54412+ ENABLE_PREEMPT(); \
54413+ if (x == GR_DONT_AUDIT) \
54414+ gr_handle_alertkill(current)
54415+
54416+enum {
54417+ FLOODING,
54418+ NO_FLOODING
54419+};
54420+
54421+extern char *gr_alert_log_fmt;
54422+extern char *gr_audit_log_fmt;
54423+extern char *gr_alert_log_buf;
54424+extern char *gr_audit_log_buf;
54425+
54426+static int gr_log_start(int audit)
54427+{
54428+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
54429+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
54430+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54431+#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
54432+ unsigned long curr_secs = get_seconds();
54433+
54434+ if (audit == GR_DO_AUDIT)
54435+ goto set_fmt;
54436+
54437+ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
54438+ grsec_alert_wtime = curr_secs;
54439+ grsec_alert_fyet = 0;
54440+ } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
54441+ && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
54442+ grsec_alert_fyet++;
54443+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
54444+ grsec_alert_wtime = curr_secs;
54445+ grsec_alert_fyet++;
54446+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
54447+ return FLOODING;
54448+ }
54449+ else return FLOODING;
54450+
54451+set_fmt:
54452+#endif
54453+ memset(buf, 0, PAGE_SIZE);
54454+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
54455+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
54456+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
54457+ } else if (current->signal->curr_ip) {
54458+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
54459+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
54460+ } else if (gr_acl_is_enabled()) {
54461+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
54462+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
54463+ } else {
54464+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
54465+ strcpy(buf, fmt);
54466+ }
54467+
54468+ return NO_FLOODING;
54469+}
54470+
54471+static void gr_log_middle(int audit, const char *msg, va_list ap)
54472+ __attribute__ ((format (printf, 2, 0)));
54473+
54474+static void gr_log_middle(int audit, const char *msg, va_list ap)
54475+{
54476+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54477+ unsigned int len = strlen(buf);
54478+
54479+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
54480+
54481+ return;
54482+}
54483+
54484+static void gr_log_middle_varargs(int audit, const char *msg, ...)
54485+ __attribute__ ((format (printf, 2, 3)));
54486+
54487+static void gr_log_middle_varargs(int audit, const char *msg, ...)
54488+{
54489+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54490+ unsigned int len = strlen(buf);
54491+ va_list ap;
54492+
54493+ va_start(ap, msg);
54494+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
54495+ va_end(ap);
54496+
54497+ return;
54498+}
54499+
54500+static void gr_log_end(int audit, int append_default)
54501+{
54502+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54503+
54504+ if (append_default) {
54505+ unsigned int len = strlen(buf);
54506+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
54507+ }
54508+
54509+ printk("%s\n", buf);
54510+
54511+ return;
54512+}
54513+
54514+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
54515+{
54516+ int logtype;
54517+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
54518+ char *str1 = NULL, *str2 = NULL, *str3 = NULL;
54519+ void *voidptr = NULL;
54520+ int num1 = 0, num2 = 0;
54521+ unsigned long ulong1 = 0, ulong2 = 0;
54522+ struct dentry *dentry = NULL;
54523+ struct vfsmount *mnt = NULL;
54524+ struct file *file = NULL;
54525+ struct task_struct *task = NULL;
54526+ const struct cred *cred, *pcred;
54527+ va_list ap;
54528+
54529+ BEGIN_LOCKS(audit);
54530+ logtype = gr_log_start(audit);
54531+ if (logtype == FLOODING) {
54532+ END_LOCKS(audit);
54533+ return;
54534+ }
54535+ va_start(ap, argtypes);
54536+ switch (argtypes) {
54537+ case GR_TTYSNIFF:
54538+ task = va_arg(ap, struct task_struct *);
54539+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
54540+ break;
54541+ case GR_SYSCTL_HIDDEN:
54542+ str1 = va_arg(ap, char *);
54543+ gr_log_middle_varargs(audit, msg, result, str1);
54544+ break;
54545+ case GR_RBAC:
54546+ dentry = va_arg(ap, struct dentry *);
54547+ mnt = va_arg(ap, struct vfsmount *);
54548+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
54549+ break;
54550+ case GR_RBAC_STR:
54551+ dentry = va_arg(ap, struct dentry *);
54552+ mnt = va_arg(ap, struct vfsmount *);
54553+ str1 = va_arg(ap, char *);
54554+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
54555+ break;
54556+ case GR_STR_RBAC:
54557+ str1 = va_arg(ap, char *);
54558+ dentry = va_arg(ap, struct dentry *);
54559+ mnt = va_arg(ap, struct vfsmount *);
54560+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
54561+ break;
54562+ case GR_RBAC_MODE2:
54563+ dentry = va_arg(ap, struct dentry *);
54564+ mnt = va_arg(ap, struct vfsmount *);
54565+ str1 = va_arg(ap, char *);
54566+ str2 = va_arg(ap, char *);
54567+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
54568+ break;
54569+ case GR_RBAC_MODE3:
54570+ dentry = va_arg(ap, struct dentry *);
54571+ mnt = va_arg(ap, struct vfsmount *);
54572+ str1 = va_arg(ap, char *);
54573+ str2 = va_arg(ap, char *);
54574+ str3 = va_arg(ap, char *);
54575+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
54576+ break;
54577+ case GR_FILENAME:
54578+ dentry = va_arg(ap, struct dentry *);
54579+ mnt = va_arg(ap, struct vfsmount *);
54580+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
54581+ break;
54582+ case GR_STR_FILENAME:
54583+ str1 = va_arg(ap, char *);
54584+ dentry = va_arg(ap, struct dentry *);
54585+ mnt = va_arg(ap, struct vfsmount *);
54586+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
54587+ break;
54588+ case GR_FILENAME_STR:
54589+ dentry = va_arg(ap, struct dentry *);
54590+ mnt = va_arg(ap, struct vfsmount *);
54591+ str1 = va_arg(ap, char *);
54592+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
54593+ break;
54594+ case GR_FILENAME_TWO_INT:
54595+ dentry = va_arg(ap, struct dentry *);
54596+ mnt = va_arg(ap, struct vfsmount *);
54597+ num1 = va_arg(ap, int);
54598+ num2 = va_arg(ap, int);
54599+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
54600+ break;
54601+ case GR_FILENAME_TWO_INT_STR:
54602+ dentry = va_arg(ap, struct dentry *);
54603+ mnt = va_arg(ap, struct vfsmount *);
54604+ num1 = va_arg(ap, int);
54605+ num2 = va_arg(ap, int);
54606+ str1 = va_arg(ap, char *);
54607+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
54608+ break;
54609+ case GR_TEXTREL:
54610+ file = va_arg(ap, struct file *);
54611+ ulong1 = va_arg(ap, unsigned long);
54612+ ulong2 = va_arg(ap, unsigned long);
54613+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
54614+ break;
54615+ case GR_PTRACE:
54616+ task = va_arg(ap, struct task_struct *);
54617+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
54618+ break;
54619+ case GR_RESOURCE:
54620+ task = va_arg(ap, struct task_struct *);
54621+ cred = __task_cred(task);
54622+ pcred = __task_cred(task->real_parent);
54623+ ulong1 = va_arg(ap, unsigned long);
54624+ str1 = va_arg(ap, char *);
54625+ ulong2 = va_arg(ap, unsigned long);
54626+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54627+ break;
54628+ case GR_CAP:
54629+ task = va_arg(ap, struct task_struct *);
54630+ cred = __task_cred(task);
54631+ pcred = __task_cred(task->real_parent);
54632+ str1 = va_arg(ap, char *);
54633+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54634+ break;
54635+ case GR_SIG:
54636+ str1 = va_arg(ap, char *);
54637+ voidptr = va_arg(ap, void *);
54638+ gr_log_middle_varargs(audit, msg, str1, voidptr);
54639+ break;
54640+ case GR_SIG2:
54641+ task = va_arg(ap, struct task_struct *);
54642+ cred = __task_cred(task);
54643+ pcred = __task_cred(task->real_parent);
54644+ num1 = va_arg(ap, int);
54645+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54646+ break;
54647+ case GR_CRASH1:
54648+ task = va_arg(ap, struct task_struct *);
54649+ cred = __task_cred(task);
54650+ pcred = __task_cred(task->real_parent);
54651+ ulong1 = va_arg(ap, unsigned long);
54652+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
54653+ break;
54654+ case GR_CRASH2:
54655+ task = va_arg(ap, struct task_struct *);
54656+ cred = __task_cred(task);
54657+ pcred = __task_cred(task->real_parent);
54658+ ulong1 = va_arg(ap, unsigned long);
54659+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
54660+ break;
54661+ case GR_RWXMAP:
54662+ file = va_arg(ap, struct file *);
54663+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
54664+ break;
54665+ case GR_PSACCT:
54666+ {
54667+ unsigned int wday, cday;
54668+ __u8 whr, chr;
54669+ __u8 wmin, cmin;
54670+ __u8 wsec, csec;
54671+ char cur_tty[64] = { 0 };
54672+ char parent_tty[64] = { 0 };
54673+
54674+ task = va_arg(ap, struct task_struct *);
54675+ wday = va_arg(ap, unsigned int);
54676+ cday = va_arg(ap, unsigned int);
54677+ whr = va_arg(ap, int);
54678+ chr = va_arg(ap, int);
54679+ wmin = va_arg(ap, int);
54680+ cmin = va_arg(ap, int);
54681+ wsec = va_arg(ap, int);
54682+ csec = va_arg(ap, int);
54683+ ulong1 = va_arg(ap, unsigned long);
54684+ cred = __task_cred(task);
54685+ pcred = __task_cred(task->real_parent);
54686+
54687+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54688+ }
54689+ break;
54690+ default:
54691+ gr_log_middle(audit, msg, ap);
54692+ }
54693+ va_end(ap);
54694+ // these don't need DEFAULTSECARGS printed on the end
54695+ if (argtypes == GR_CRASH1 || argtypes == GR_CRASH2)
54696+ gr_log_end(audit, 0);
54697+ else
54698+ gr_log_end(audit, 1);
54699+ END_LOCKS(audit);
54700+}
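Review bot: Audit-class messages bypass the flood limiter entirely — gr_log_start jumps to set_fmt for GR_DO_AUDIT before the grsec_alert_wtime/grsec_alert_fyet window is consulted, and gr_log_end then issues an unconditional printk — so any GR_DO_AUDIT event an unprivileged user can trigger repeatedly can fill the kernel log at will, with only the alert path being throttled. If the exemption is intentional (audit trails should be complete), it deserves a comment at the goto, e.g. `/* audit messages are deliberately not rate-limited: never log at GR_DO_AUDIT for an event an unprivileged user can trigger at will */`; otherwise give the audit path its own wtime/fyet pair and run it through the same burst window. A smaller point: gr_log_end relies on the KERN_* level being embedded at the start of buf (placed there by gr_log_start's sprintf into fmt) rather than in printk's own format string, which only works as long as printk parses the level out of the formatted output, so a one-line comment there would stop a later kernel bump from silently demoting every grsec message to the default level.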
54701diff -urNp linux-3.1.1/grsecurity/grsec_mem.c linux-3.1.1/grsecurity/grsec_mem.c
54702--- linux-3.1.1/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
54703+++ linux-3.1.1/grsecurity/grsec_mem.c 2011-11-16 18:40:31.000000000 -0500
54704@@ -0,0 +1,33 @@
54705+#include <linux/kernel.h>
54706+#include <linux/sched.h>
54707+#include <linux/mm.h>
54708+#include <linux/mman.h>
54709+#include <linux/grinternal.h>
54710+
54711+void
54712+gr_handle_ioperm(void)
54713+{
54714+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
54715+ return;
54716+}
54717+
54718+void
54719+gr_handle_iopl(void)
54720+{
54721+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
54722+ return;
54723+}
54724+
54725+void
54726+gr_handle_mem_readwrite(u64 from, u64 to)
54727+{
54728+ gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
54729+ return;
54730+}
54731+
54732+void
54733+gr_handle_vm86(void)
54734+{
54735+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
54736+ return;
54737+}
54738diff -urNp linux-3.1.1/grsecurity/grsec_mount.c linux-3.1.1/grsecurity/grsec_mount.c
54739--- linux-3.1.1/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
54740+++ linux-3.1.1/grsecurity/grsec_mount.c 2011-11-16 18:40:31.000000000 -0500
54741@@ -0,0 +1,62 @@
54742+#include <linux/kernel.h>
54743+#include <linux/sched.h>
54744+#include <linux/mount.h>
54745+#include <linux/grsecurity.h>
54746+#include <linux/grinternal.h>
54747+
54748+void
54749+gr_log_remount(const char *devname, const int retval)
54750+{
54751+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54752+ if (grsec_enable_mount && (retval >= 0))
54753+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
54754+#endif
54755+ return;
54756+}
54757+
54758+void
54759+gr_log_unmount(const char *devname, const int retval)
54760+{
54761+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54762+ if (grsec_enable_mount && (retval >= 0))
54763+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
54764+#endif
54765+ return;
54766+}
54767+
54768+void
54769+gr_log_mount(const char *from, const char *to, const int retval)
54770+{
54771+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54772+ if (grsec_enable_mount && (retval >= 0))
54773+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
54774+#endif
54775+ return;
54776+}
54777+
54778+int
54779+gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
54780+{
54781+#ifdef CONFIG_GRKERNSEC_ROFS
54782+ if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
54783+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
54784+ return -EPERM;
54785+ } else
54786+ return 0;
54787+#endif
54788+ return 0;
54789+}
54790+
54791+int
54792+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
54793+{
54794+#ifdef CONFIG_GRKERNSEC_ROFS
54795+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
54796+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
54797+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
54798+ return -EPERM;
54799+ } else
54800+ return 0;
54801+#endif
54802+ return 0;
54803+}
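Review bot: gr_log_mount guards `from` against NULL but passes `to` straight into a `%s` conversion via gr_log_str_str, so the two arguments are handled inconsistently; unless every caller is known to pass a non-NULL target (the do_mount call site is outside this hunk), make it `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to ? to : "none");`. Style: in gr_handle_rofs_mount and gr_handle_rofs_blockwrite the `} else return 0;` inside the #ifdef duplicates the `return 0;` after the #endif and can be dropped. Note also that both ROFS denials are logged at GR_DO_AUDIT rather than GR_DONT_AUDIT like the other denials in this patch, which means they never reach the gr_handle_alertkill call in END_LOCKS; if that is intentional, a short comment saying so would help the next reader.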
54804diff -urNp linux-3.1.1/grsecurity/grsec_pax.c linux-3.1.1/grsecurity/grsec_pax.c
54805--- linux-3.1.1/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
54806+++ linux-3.1.1/grsecurity/grsec_pax.c 2011-11-16 18:40:31.000000000 -0500
54807@@ -0,0 +1,36 @@
54808+#include <linux/kernel.h>
54809+#include <linux/sched.h>
54810+#include <linux/mm.h>
54811+#include <linux/file.h>
54812+#include <linux/grinternal.h>
54813+#include <linux/grsecurity.h>
54814+
54815+void
54816+gr_log_textrel(struct vm_area_struct * vma)
54817+{
54818+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
54819+ if (grsec_enable_audit_textrel)
54820+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
54821+#endif
54822+ return;
54823+}
54824+
54825+void
54826+gr_log_rwxmmap(struct file *file)
54827+{
54828+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54829+ if (grsec_enable_log_rwxmaps)
54830+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
54831+#endif
54832+ return;
54833+}
54834+
54835+void
54836+gr_log_rwxmprotect(struct file *file)
54837+{
54838+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54839+ if (grsec_enable_log_rwxmaps)
54840+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
54841+#endif
54842+ return;
54843+}
54844diff -urNp linux-3.1.1/grsecurity/grsec_ptrace.c linux-3.1.1/grsecurity/grsec_ptrace.c
54845--- linux-3.1.1/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
54846+++ linux-3.1.1/grsecurity/grsec_ptrace.c 2011-11-16 18:40:31.000000000 -0500
54847@@ -0,0 +1,14 @@
54848+#include <linux/kernel.h>
54849+#include <linux/sched.h>
54850+#include <linux/grinternal.h>
54851+#include <linux/grsecurity.h>
54852+
54853+void
54854+gr_audit_ptrace(struct task_struct *task)
54855+{
54856+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
54857+ if (grsec_enable_audit_ptrace)
54858+ gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
54859+#endif
54860+ return;
54861+}
54862diff -urNp linux-3.1.1/grsecurity/grsec_sig.c linux-3.1.1/grsecurity/grsec_sig.c
54863--- linux-3.1.1/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
54864+++ linux-3.1.1/grsecurity/grsec_sig.c 2011-11-16 18:40:31.000000000 -0500
54865@@ -0,0 +1,206 @@
54866+#include <linux/kernel.h>
54867+#include <linux/sched.h>
54868+#include <linux/delay.h>
54869+#include <linux/grsecurity.h>
54870+#include <linux/grinternal.h>
54871+#include <linux/hardirq.h>
54872+
54873+char *signames[] = {
54874+ [SIGSEGV] = "Segmentation fault",
54875+ [SIGILL] = "Illegal instruction",
54876+ [SIGABRT] = "Abort",
54877+ [SIGBUS] = "Invalid alignment/Bus error"
54878+};
54879+
54880+void
54881+gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
54882+{
54883+#ifdef CONFIG_GRKERNSEC_SIGNAL
54884+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
54885+ (sig == SIGABRT) || (sig == SIGBUS))) {
54886+ if (t->pid == current->pid) {
54887+ gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
54888+ } else {
54889+ gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
54890+ }
54891+ }
54892+#endif
54893+ return;
54894+}
54895+
54896+int
54897+gr_handle_signal(const struct task_struct *p, const int sig)
54898+{
54899+#ifdef CONFIG_GRKERNSEC
54900+ if (current->pid > 1 && gr_check_protected_task(p)) {
54901+ gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
54902+ return -EPERM;
54903+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
54904+ return -EPERM;
54905+ }
54906+#endif
54907+ return 0;
54908+}
54909+
54910+#ifdef CONFIG_GRKERNSEC
54911+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
54912+
54913+int gr_fake_force_sig(int sig, struct task_struct *t)
54914+{
54915+ unsigned long int flags;
54916+ int ret, blocked, ignored;
54917+ struct k_sigaction *action;
54918+
54919+ spin_lock_irqsave(&t->sighand->siglock, flags);
54920+ action = &t->sighand->action[sig-1];
54921+ ignored = action->sa.sa_handler == SIG_IGN;
54922+ blocked = sigismember(&t->blocked, sig);
54923+ if (blocked || ignored) {
54924+ action->sa.sa_handler = SIG_DFL;
54925+ if (blocked) {
54926+ sigdelset(&t->blocked, sig);
54927+ recalc_sigpending_and_wake(t);
54928+ }
54929+ }
54930+ if (action->sa.sa_handler == SIG_DFL)
54931+ t->signal->flags &= ~SIGNAL_UNKILLABLE;
54932+ ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
54933+
54934+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
54935+
54936+ return ret;
54937+}
54938+#endif
54939+
54940+#ifdef CONFIG_GRKERNSEC_BRUTE
54941+#define GR_USER_BAN_TIME (15 * 60)
54942+
54943+static int __get_dumpable(unsigned long mm_flags)
54944+{
54945+ int ret;
54946+
54947+ ret = mm_flags & MMF_DUMPABLE_MASK;
54948+ return (ret >= 2) ? 2 : ret;
54949+}
54950+#endif
54951+
54952+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
54953+{
54954+#ifdef CONFIG_GRKERNSEC_BRUTE
54955+ uid_t uid = 0;
54956+
54957+ if (!grsec_enable_brute)
54958+ return;
54959+
54960+ rcu_read_lock();
54961+ read_lock(&tasklist_lock);
54962+ read_lock(&grsec_exec_file_lock);
54963+ if (p->real_parent && p->real_parent->exec_file == p->exec_file)
54964+ p->real_parent->brute = 1;
54965+ else {
54966+ const struct cred *cred = __task_cred(p), *cred2;
54967+ struct task_struct *tsk, *tsk2;
54968+
54969+ if (!__get_dumpable(mm_flags) && cred->uid) {
54970+ struct user_struct *user;
54971+
54972+ uid = cred->uid;
54973+
54974+ /* this is put upon execution past expiration */
54975+ user = find_user(uid);
54976+ if (user == NULL)
54977+ goto unlock;
54978+ user->banned = 1;
54979+ user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
54980+ if (user->ban_expires == ~0UL)
54981+ user->ban_expires--;
54982+
54983+ do_each_thread(tsk2, tsk) {
54984+ cred2 = __task_cred(tsk);
54985+ if (tsk != p && cred2->uid == uid)
54986+ gr_fake_force_sig(SIGKILL, tsk);
54987+ } while_each_thread(tsk2, tsk);
54988+ }
54989+ }
54990+unlock:
54991+ read_unlock(&grsec_exec_file_lock);
54992+ read_unlock(&tasklist_lock);
54993+ rcu_read_unlock();
54994+
54995+ if (uid)
54996+ printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
54997+
54998+#endif
54999+ return;
55000+}
55001+
55002+void gr_handle_brute_check(void)
55003+{
55004+#ifdef CONFIG_GRKERNSEC_BRUTE
55005+ if (current->brute)
55006+ msleep(30 * 1000);
55007+#endif
55008+ return;
55009+}
55010+
55011+void gr_handle_kernel_exploit(void)
55012+{
55013+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
55014+ const struct cred *cred;
55015+ struct task_struct *tsk, *tsk2;
55016+ struct user_struct *user;
55017+ uid_t uid;
55018+
55019+ if (in_irq() || in_serving_softirq() || in_nmi())
55020+ panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
55021+
55022+ uid = current_uid();
55023+
55024+ if (uid == 0)
55025+ panic("grsec: halting the system due to suspicious kernel crash caused by root");
55026+ else {
55027+ /* kill all the processes of this user, hold a reference
55028+ to their creds struct, and prevent them from creating
55029+ another process until system reset
55030+ */
55031+ printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
55032+ /* we intentionally leak this ref */
55033+ user = get_uid(current->cred->user);
55034+ if (user) {
55035+ user->banned = 1;
55036+ user->ban_expires = ~0UL;
55037+ }
55038+
55039+ read_lock(&tasklist_lock);
55040+ do_each_thread(tsk2, tsk) {
55041+ cred = __task_cred(tsk);
55042+ if (cred->uid == uid)
55043+ gr_fake_force_sig(SIGKILL, tsk);
55044+ } while_each_thread(tsk2, tsk);
55045+ read_unlock(&tasklist_lock);
55046+ }
55047+#endif
55048+}
55049+
55050+int __gr_process_user_ban(struct user_struct *user)
55051+{
55052+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
55053+ if (unlikely(user->banned)) {
55054+ if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
55055+ user->banned = 0;
55056+ user->ban_expires = 0;
55057+ free_uid(user);
55058+ } else
55059+ return -EPERM;
55060+ }
55061+#endif
55062+ return 0;
55063+}
55064+
55065+int gr_process_user_ban(void)
55066+{
55067+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
55068+ return __gr_process_user_ban(current->cred->user);
55069+#endif
55070+ return 0;
55071+}
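Review bot: user->banned and user->ban_expires are written in gr_handle_brute_attach under only a read-held tasklist_lock and read-then-cleared in __gr_process_user_ban with no lock or atomic, so two tasks of the same uid that exec after the ban lapses can both see banned set, both pass the time check, and both call free_uid() for the single reference find_user() took, while a reader racing the ban can observe banned=1 before ban_expires is stored, pass `time_after_eq(get_seconds(), 0)`, and lift the ban (and drop that reference) immediately. Make the clear a test-and-clear so exactly one task releases the reference, and in gr_handle_brute_attach store ban_expires before banned with an smp_wmb() between them, paired with the smp_rmb() below; the cmpxchg assumes `banned` is an int-sized field, which its declaration outside this hunk would confirm. Separately, a second brute event against an already-banned uid takes another find_user() reference that nothing ever releases and overwrites ban_expires — which would shorten a permanent (~0UL) kernel-lockout ban to 15 minutes if the two paths race — so gr_handle_brute_attach should `free_uid(user); goto unlock;` when `user->banned` is already set.
```c
int __gr_process_user_ban(struct user_struct *user)
{
#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
	if (unlikely(user->banned)) {
		unsigned long expires;

		smp_rmb();	/* pairs with smp_wmb() in gr_handle_brute_attach */
		expires = user->ban_expires;
		if (expires == ~0UL || time_before(get_seconds(), expires))
			return -EPERM;
		/* only the task that wins the clear drops find_user()'s reference */
		if (cmpxchg(&user->banned, 1, 0) == 1) {
			user->ban_expires = 0;
			free_uid(user);
		}
	}
#endif
	return 0;
}
```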
55072diff -urNp linux-3.1.1/grsecurity/grsec_sock.c linux-3.1.1/grsecurity/grsec_sock.c
55073--- linux-3.1.1/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
55074+++ linux-3.1.1/grsecurity/grsec_sock.c 2011-11-16 18:40:31.000000000 -0500
55075@@ -0,0 +1,244 @@
55076+#include <linux/kernel.h>
55077+#include <linux/module.h>
55078+#include <linux/sched.h>
55079+#include <linux/file.h>
55080+#include <linux/net.h>
55081+#include <linux/in.h>
55082+#include <linux/ip.h>
55083+#include <net/sock.h>
55084+#include <net/inet_sock.h>
55085+#include <linux/grsecurity.h>
55086+#include <linux/grinternal.h>
55087+#include <linux/gracl.h>
55088+
55089+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
55090+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
55091+
55092+EXPORT_SYMBOL(gr_search_udp_recvmsg);
55093+EXPORT_SYMBOL(gr_search_udp_sendmsg);
55094+
55095+#ifdef CONFIG_UNIX_MODULE
55096+EXPORT_SYMBOL(gr_acl_handle_unix);
55097+EXPORT_SYMBOL(gr_acl_handle_mknod);
55098+EXPORT_SYMBOL(gr_handle_chroot_unix);
55099+EXPORT_SYMBOL(gr_handle_create);
55100+#endif
55101+
55102+#ifdef CONFIG_GRKERNSEC
55103+#define gr_conn_table_size 32749
55104+struct conn_table_entry {
55105+ struct conn_table_entry *next;
55106+ struct signal_struct *sig;
55107+};
55108+
55109+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
55110+DEFINE_SPINLOCK(gr_conn_table_lock);
55111+
55112+extern const char * gr_socktype_to_name(unsigned char type);
55113+extern const char * gr_proto_to_name(unsigned char proto);
55114+extern const char * gr_sockfamily_to_name(unsigned char family);
55115+
55116+static __inline__ int
55117+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
55118+{
55119+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
55120+}
55121+
55122+static __inline__ int
55123+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
55124+ __u16 sport, __u16 dport)
55125+{
55126+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
55127+ sig->gr_sport == sport && sig->gr_dport == dport))
55128+ return 1;
55129+ else
55130+ return 0;
55131+}
55132+
55133+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
55134+{
55135+ struct conn_table_entry **match;
55136+ unsigned int index;
55137+
55138+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
55139+ sig->gr_sport, sig->gr_dport,
55140+ gr_conn_table_size);
55141+
55142+ newent->sig = sig;
55143+
55144+ match = &gr_conn_table[index];
55145+ newent->next = *match;
55146+ *match = newent;
55147+
55148+ return;
55149+}
55150+
55151+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
55152+{
55153+ struct conn_table_entry *match, *last = NULL;
55154+ unsigned int index;
55155+
55156+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
55157+ sig->gr_sport, sig->gr_dport,
55158+ gr_conn_table_size);
55159+
55160+ match = gr_conn_table[index];
55161+ while (match && !conn_match(match->sig,
55162+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
55163+ sig->gr_dport)) {
55164+ last = match;
55165+ match = match->next;
55166+ }
55167+
55168+ if (match) {
55169+ if (last)
55170+ last->next = match->next;
55171+ else
55172+ gr_conn_table[index] = NULL;
55173+ kfree(match);
55174+ }
55175+
55176+ return;
55177+}
55178+
55179+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
55180+ __u16 sport, __u16 dport)
55181+{
55182+ struct conn_table_entry *match;
55183+ unsigned int index;
55184+
55185+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
55186+
55187+ match = gr_conn_table[index];
55188+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
55189+ match = match->next;
55190+
55191+ if (match)
55192+ return match->sig;
55193+ else
55194+ return NULL;
55195+}
55196+
55197+#endif
55198+
55199+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
55200+{
55201+#ifdef CONFIG_GRKERNSEC
55202+ struct signal_struct *sig = task->signal;
55203+ struct conn_table_entry *newent;
55204+
55205+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
55206+ if (newent == NULL)
55207+ return;
55208+ /* no bh lock needed since we are called with bh disabled */
55209+ spin_lock(&gr_conn_table_lock);
55210+ gr_del_task_from_ip_table_nolock(sig);
55211+ sig->gr_saddr = inet->inet_rcv_saddr;
55212+ sig->gr_daddr = inet->inet_daddr;
55213+ sig->gr_sport = inet->inet_sport;
55214+ sig->gr_dport = inet->inet_dport;
55215+ gr_add_to_task_ip_table_nolock(sig, newent);
55216+ spin_unlock(&gr_conn_table_lock);
55217+#endif
55218+ return;
55219+}
55220+
55221+void gr_del_task_from_ip_table(struct task_struct *task)
55222+{
55223+#ifdef CONFIG_GRKERNSEC
55224+ spin_lock_bh(&gr_conn_table_lock);
55225+ gr_del_task_from_ip_table_nolock(task->signal);
55226+ spin_unlock_bh(&gr_conn_table_lock);
55227+#endif
55228+ return;
55229+}
55230+
55231+void
55232+gr_attach_curr_ip(const struct sock *sk)
55233+{
55234+#ifdef CONFIG_GRKERNSEC
55235+ struct signal_struct *p, *set;
55236+ const struct inet_sock *inet = inet_sk(sk);
55237+
55238+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
55239+ return;
55240+
55241+ set = current->signal;
55242+
55243+ spin_lock_bh(&gr_conn_table_lock);
55244+ p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
55245+ inet->inet_dport, inet->inet_sport);
55246+ if (unlikely(p != NULL)) {
55247+ set->curr_ip = p->curr_ip;
55248+ set->used_accept = 1;
55249+ gr_del_task_from_ip_table_nolock(p);
55250+ spin_unlock_bh(&gr_conn_table_lock);
55251+ return;
55252+ }
55253+ spin_unlock_bh(&gr_conn_table_lock);
55254+
55255+ set->curr_ip = inet->inet_daddr;
55256+ set->used_accept = 1;
55257+#endif
55258+ return;
55259+}
55260+
55261+int
55262+gr_handle_sock_all(const int family, const int type, const int protocol)
55263+{
55264+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
55265+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
55266+ (family != AF_UNIX)) {
55267+ if (family == AF_INET)
55268+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
55269+ else
55270+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
55271+ return -EACCES;
55272+ }
55273+#endif
55274+ return 0;
55275+}
55276+
55277+int
55278+gr_handle_sock_server(const struct sockaddr *sck)
55279+{
55280+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55281+ if (grsec_enable_socket_server &&
55282+ in_group_p(grsec_socket_server_gid) &&
55283+ sck && (sck->sa_family != AF_UNIX) &&
55284+ (sck->sa_family != AF_LOCAL)) {
55285+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
55286+ return -EACCES;
55287+ }
55288+#endif
55289+ return 0;
55290+}
55291+
55292+int
55293+gr_handle_sock_server_other(const struct sock *sck)
55294+{
55295+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55296+ if (grsec_enable_socket_server &&
55297+ in_group_p(grsec_socket_server_gid) &&
55298+ sck && (sck->sk_family != AF_UNIX) &&
55299+ (sck->sk_family != AF_LOCAL)) {
55300+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
55301+ return -EACCES;
55302+ }
55303+#endif
55304+ return 0;
55305+}
55306+
55307+int
55308+gr_handle_sock_client(const struct sockaddr *sck)
55309+{
55310+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
55311+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
55312+ sck && (sck->sa_family != AF_UNIX) &&
55313+ (sck->sa_family != AF_LOCAL)) {
55314+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
55315+ return -EACCES;
55316+ }
55317+#endif
55318+ return 0;
55319+}
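Review bot: gr_del_task_from_ip_table_nolock truncates the bucket chain when the matching entry is its head: the `gr_conn_table[index] = NULL;` branch discards every entry that followed `match`, leaking those conn_table_entry allocations and making the connections they described unfindable by gr_lookup_task_ip_table, so gr_attach_curr_ip falls back to the peer address and the forwarded curr_ip for those sessions is lost. It should unlink only the head: `gr_conn_table[index] = match->next;`. Style: gr_conn_table and gr_conn_table_lock are referenced only inside this file and could be declared `static`, and a one-line comment on gr_attach_curr_ip explaining that the swapped (daddr, rcv_saddr, dport, sport) lookup is how the original remote address is carried across a local hop would save the next reader some time.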
55320diff -urNp linux-3.1.1/grsecurity/grsec_sysctl.c linux-3.1.1/grsecurity/grsec_sysctl.c
55321--- linux-3.1.1/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
55322+++ linux-3.1.1/grsecurity/grsec_sysctl.c 2011-11-16 18:40:31.000000000 -0500
55323@@ -0,0 +1,433 @@
55324+#include <linux/kernel.h>
55325+#include <linux/sched.h>
55326+#include <linux/sysctl.h>
55327+#include <linux/grsecurity.h>
55328+#include <linux/grinternal.h>
55329+
55330+int
55331+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
55332+{
55333+#ifdef CONFIG_GRKERNSEC_SYSCTL
55334+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
55335+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
55336+ return -EACCES;
55337+ }
55338+#endif
55339+ return 0;
55340+}
55341+
55342+#ifdef CONFIG_GRKERNSEC_ROFS
55343+static int __maybe_unused one = 1;
55344+#endif
55345+
55346+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
55347+struct ctl_table grsecurity_table[] = {
55348+#ifdef CONFIG_GRKERNSEC_SYSCTL
55349+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
55350+#ifdef CONFIG_GRKERNSEC_IO
55351+ {
55352+ .procname = "disable_priv_io",
55353+ .data = &grsec_disable_privio,
55354+ .maxlen = sizeof(int),
55355+ .mode = 0600,
55356+ .proc_handler = &proc_dointvec,
55357+ },
55358+#endif
55359+#endif
55360+#ifdef CONFIG_GRKERNSEC_LINK
55361+ {
55362+ .procname = "linking_restrictions",
55363+ .data = &grsec_enable_link,
55364+ .maxlen = sizeof(int),
55365+ .mode = 0600,
55366+ .proc_handler = &proc_dointvec,
55367+ },
55368+#endif
55369+#ifdef CONFIG_GRKERNSEC_BRUTE
55370+ {
55371+ .procname = "deter_bruteforce",
55372+ .data = &grsec_enable_brute,
55373+ .maxlen = sizeof(int),
55374+ .mode = 0600,
55375+ .proc_handler = &proc_dointvec,
55376+ },
55377+#endif
55378+#ifdef CONFIG_GRKERNSEC_FIFO
55379+ {
55380+ .procname = "fifo_restrictions",
55381+ .data = &grsec_enable_fifo,
55382+ .maxlen = sizeof(int),
55383+ .mode = 0600,
55384+ .proc_handler = &proc_dointvec,
55385+ },
55386+#endif
55387+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55388+ {
55389+ .procname = "ip_blackhole",
55390+ .data = &grsec_enable_blackhole,
55391+ .maxlen = sizeof(int),
55392+ .mode = 0600,
55393+ .proc_handler = &proc_dointvec,
55394+ },
55395+ {
55396+ .procname = "lastack_retries",
55397+ .data = &grsec_lastack_retries,
55398+ .maxlen = sizeof(int),
55399+ .mode = 0600,
55400+ .proc_handler = &proc_dointvec,
55401+ },
55402+#endif
55403+#ifdef CONFIG_GRKERNSEC_EXECLOG
55404+ {
55405+ .procname = "exec_logging",
55406+ .data = &grsec_enable_execlog,
55407+ .maxlen = sizeof(int),
55408+ .mode = 0600,
55409+ .proc_handler = &proc_dointvec,
55410+ },
55411+#endif
55412+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
55413+ {
55414+ .procname = "rwxmap_logging",
55415+ .data = &grsec_enable_log_rwxmaps,
55416+ .maxlen = sizeof(int),
55417+ .mode = 0600,
55418+ .proc_handler = &proc_dointvec,
55419+ },
55420+#endif
55421+#ifdef CONFIG_GRKERNSEC_SIGNAL
55422+ {
55423+ .procname = "signal_logging",
55424+ .data = &grsec_enable_signal,
55425+ .maxlen = sizeof(int),
55426+ .mode = 0600,
55427+ .proc_handler = &proc_dointvec,
55428+ },
55429+#endif
55430+#ifdef CONFIG_GRKERNSEC_FORKFAIL
55431+ {
55432+ .procname = "forkfail_logging",
55433+ .data = &grsec_enable_forkfail,
55434+ .maxlen = sizeof(int),
55435+ .mode = 0600,
55436+ .proc_handler = &proc_dointvec,
55437+ },
55438+#endif
55439+#ifdef CONFIG_GRKERNSEC_TIME
55440+ {
55441+ .procname = "timechange_logging",
55442+ .data = &grsec_enable_time,
55443+ .maxlen = sizeof(int),
55444+ .mode = 0600,
55445+ .proc_handler = &proc_dointvec,
55446+ },
55447+#endif
55448+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
55449+ {
55450+ .procname = "chroot_deny_shmat",
55451+ .data = &grsec_enable_chroot_shmat,
55452+ .maxlen = sizeof(int),
55453+ .mode = 0600,
55454+ .proc_handler = &proc_dointvec,
55455+ },
55456+#endif
55457+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
55458+ {
55459+ .procname = "chroot_deny_unix",
55460+ .data = &grsec_enable_chroot_unix,
55461+ .maxlen = sizeof(int),
55462+ .mode = 0600,
55463+ .proc_handler = &proc_dointvec,
55464+ },
55465+#endif
55466+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
55467+ {
55468+ .procname = "chroot_deny_mount",
55469+ .data = &grsec_enable_chroot_mount,
55470+ .maxlen = sizeof(int),
55471+ .mode = 0600,
55472+ .proc_handler = &proc_dointvec,
55473+ },
55474+#endif
55475+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
55476+ {
55477+ .procname = "chroot_deny_fchdir",
55478+ .data = &grsec_enable_chroot_fchdir,
55479+ .maxlen = sizeof(int),
55480+ .mode = 0600,
55481+ .proc_handler = &proc_dointvec,
55482+ },
55483+#endif
55484+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
55485+ {
55486+ .procname = "chroot_deny_chroot",
55487+ .data = &grsec_enable_chroot_double,
55488+ .maxlen = sizeof(int),
55489+ .mode = 0600,
55490+ .proc_handler = &proc_dointvec,
55491+ },
55492+#endif
55493+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
55494+ {
55495+ .procname = "chroot_deny_pivot",
55496+ .data = &grsec_enable_chroot_pivot,
55497+ .maxlen = sizeof(int),
55498+ .mode = 0600,
55499+ .proc_handler = &proc_dointvec,
55500+ },
55501+#endif
55502+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
55503+ {
55504+ .procname = "chroot_enforce_chdir",
55505+ .data = &grsec_enable_chroot_chdir,
55506+ .maxlen = sizeof(int),
55507+ .mode = 0600,
55508+ .proc_handler = &proc_dointvec,
55509+ },
55510+#endif
55511+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
55512+ {
55513+ .procname = "chroot_deny_chmod",
55514+ .data = &grsec_enable_chroot_chmod,
55515+ .maxlen = sizeof(int),
55516+ .mode = 0600,
55517+ .proc_handler = &proc_dointvec,
55518+ },
55519+#endif
55520+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
55521+ {
55522+ .procname = "chroot_deny_mknod",
55523+ .data = &grsec_enable_chroot_mknod,
55524+ .maxlen = sizeof(int),
55525+ .mode = 0600,
55526+ .proc_handler = &proc_dointvec,
55527+ },
55528+#endif
55529+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
55530+ {
55531+ .procname = "chroot_restrict_nice",
55532+ .data = &grsec_enable_chroot_nice,
55533+ .maxlen = sizeof(int),
55534+ .mode = 0600,
55535+ .proc_handler = &proc_dointvec,
55536+ },
55537+#endif
55538+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
55539+ {
55540+ .procname = "chroot_execlog",
55541+ .data = &grsec_enable_chroot_execlog,
55542+ .maxlen = sizeof(int),
55543+ .mode = 0600,
55544+ .proc_handler = &proc_dointvec,
55545+ },
55546+#endif
55547+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
55548+ {
55549+ .procname = "chroot_caps",
55550+ .data = &grsec_enable_chroot_caps,
55551+ .maxlen = sizeof(int),
55552+ .mode = 0600,
55553+ .proc_handler = &proc_dointvec,
55554+ },
55555+#endif
55556+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
55557+ {
55558+ .procname = "chroot_deny_sysctl",
55559+ .data = &grsec_enable_chroot_sysctl,
55560+ .maxlen = sizeof(int),
55561+ .mode = 0600,
55562+ .proc_handler = &proc_dointvec,
55563+ },
55564+#endif
55565+#ifdef CONFIG_GRKERNSEC_TPE
55566+ {
55567+ .procname = "tpe",
55568+ .data = &grsec_enable_tpe,
55569+ .maxlen = sizeof(int),
55570+ .mode = 0600,
55571+ .proc_handler = &proc_dointvec,
55572+ },
55573+ {
55574+ .procname = "tpe_gid",
55575+ .data = &grsec_tpe_gid,
55576+ .maxlen = sizeof(int),
55577+ .mode = 0600,
55578+ .proc_handler = &proc_dointvec,
55579+ },
55580+#endif
55581+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
55582+ {
55583+ .procname = "tpe_invert",
55584+ .data = &grsec_enable_tpe_invert,
55585+ .maxlen = sizeof(int),
55586+ .mode = 0600,
55587+ .proc_handler = &proc_dointvec,
55588+ },
55589+#endif
55590+#ifdef CONFIG_GRKERNSEC_TPE_ALL
55591+ {
55592+ .procname = "tpe_restrict_all",
55593+ .data = &grsec_enable_tpe_all,
55594+ .maxlen = sizeof(int),
55595+ .mode = 0600,
55596+ .proc_handler = &proc_dointvec,
55597+ },
55598+#endif
55599+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
55600+ {
55601+ .procname = "socket_all",
55602+ .data = &grsec_enable_socket_all,
55603+ .maxlen = sizeof(int),
55604+ .mode = 0600,
55605+ .proc_handler = &proc_dointvec,
55606+ },
55607+ {
55608+ .procname = "socket_all_gid",
55609+ .data = &grsec_socket_all_gid,
55610+ .maxlen = sizeof(int),
55611+ .mode = 0600,
55612+ .proc_handler = &proc_dointvec,
55613+ },
55614+#endif
55615+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
55616+ {
55617+ .procname = "socket_client",
55618+ .data = &grsec_enable_socket_client,
55619+ .maxlen = sizeof(int),
55620+ .mode = 0600,
55621+ .proc_handler = &proc_dointvec,
55622+ },
55623+ {
55624+ .procname = "socket_client_gid",
55625+ .data = &grsec_socket_client_gid,
55626+ .maxlen = sizeof(int),
55627+ .mode = 0600,
55628+ .proc_handler = &proc_dointvec,
55629+ },
55630+#endif
55631+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55632+ {
55633+ .procname = "socket_server",
55634+ .data = &grsec_enable_socket_server,
55635+ .maxlen = sizeof(int),
55636+ .mode = 0600,
55637+ .proc_handler = &proc_dointvec,
55638+ },
55639+ {
55640+ .procname = "socket_server_gid",
55641+ .data = &grsec_socket_server_gid,
55642+ .maxlen = sizeof(int),
55643+ .mode = 0600,
55644+ .proc_handler = &proc_dointvec,
55645+ },
55646+#endif
55647+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
55648+ {
55649+ .procname = "audit_group",
55650+ .data = &grsec_enable_group,
55651+ .maxlen = sizeof(int),
55652+ .mode = 0600,
55653+ .proc_handler = &proc_dointvec,
55654+ },
55655+ {
55656+ .procname = "audit_gid",
55657+ .data = &grsec_audit_gid,
55658+ .maxlen = sizeof(int),
55659+ .mode = 0600,
55660+ .proc_handler = &proc_dointvec,
55661+ },
55662+#endif
55663+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
55664+ {
55665+ .procname = "audit_chdir",
55666+ .data = &grsec_enable_chdir,
55667+ .maxlen = sizeof(int),
55668+ .mode = 0600,
55669+ .proc_handler = &proc_dointvec,
55670+ },
55671+#endif
55672+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
55673+ {
55674+ .procname = "audit_mount",
55675+ .data = &grsec_enable_mount,
55676+ .maxlen = sizeof(int),
55677+ .mode = 0600,
55678+ .proc_handler = &proc_dointvec,
55679+ },
55680+#endif
55681+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
55682+ {
55683+ .procname = "audit_textrel",
55684+ .data = &grsec_enable_audit_textrel,
55685+ .maxlen = sizeof(int),
55686+ .mode = 0600,
55687+ .proc_handler = &proc_dointvec,
55688+ },
55689+#endif
55690+#ifdef CONFIG_GRKERNSEC_DMESG
55691+ {
55692+ .procname = "dmesg",
55693+ .data = &grsec_enable_dmesg,
55694+ .maxlen = sizeof(int),
55695+ .mode = 0600,
55696+ .proc_handler = &proc_dointvec,
55697+ },
55698+#endif
55699+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
55700+ {
55701+ .procname = "chroot_findtask",
55702+ .data = &grsec_enable_chroot_findtask,
55703+ .maxlen = sizeof(int),
55704+ .mode = 0600,
55705+ .proc_handler = &proc_dointvec,
55706+ },
55707+#endif
55708+#ifdef CONFIG_GRKERNSEC_RESLOG
55709+ {
55710+ .procname = "resource_logging",
55711+ .data = &grsec_resource_logging,
55712+ .maxlen = sizeof(int),
55713+ .mode = 0600,
55714+ .proc_handler = &proc_dointvec,
55715+ },
55716+#endif
55717+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
55718+ {
55719+ .procname = "audit_ptrace",
55720+ .data = &grsec_enable_audit_ptrace,
55721+ .maxlen = sizeof(int),
55722+ .mode = 0600,
55723+ .proc_handler = &proc_dointvec,
55724+ },
55725+#endif
55726+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55727+ {
55728+ .procname = "harden_ptrace",
55729+ .data = &grsec_enable_harden_ptrace,
55730+ .maxlen = sizeof(int),
55731+ .mode = 0600,
55732+ .proc_handler = &proc_dointvec,
55733+ },
55734+#endif
55735+ {
55736+ .procname = "grsec_lock",
55737+ .data = &grsec_lock,
55738+ .maxlen = sizeof(int),
55739+ .mode = 0600,
55740+ .proc_handler = &proc_dointvec,
55741+ },
55742+#endif
55743+#ifdef CONFIG_GRKERNSEC_ROFS
55744+ {
55745+ .procname = "romount_protect",
55746+ .data = &grsec_enable_rofs,
55747+ .maxlen = sizeof(int),
55748+ .mode = 0600,
55749+ .proc_handler = &proc_dointvec_minmax,
55750+ .extra1 = &one,
55751+ .extra2 = &one,
55752+ },
55753+#endif
55754+ { }
55755+};
55756+#endif
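Review bot: Every toggle and gid entry in grsecurity_table is wired to plain `proc_dointvec`, so a write of any integer is accepted — `echo -1 > tpe_gid` stores -1, which in_group_p() then sees as a very large gid_t, and the on/off knobs accept values other than 0/1 that the `if (grsec_enable_*)` checks elsewhere silently treat as "on". The `romount_protect` entry at the end already shows the intended pattern (`proc_dointvec_minmax` with `.extra1`/`.extra2`); the boolean entries could use the same handler with `.extra1 = &zero, .extra2 = &one,` and the gid entries a `zero` lower bound, which needs `static int zero = 0;` next to `one` and `one` hoisted out of the `CONFIG_GRKERNSEC_ROFS` guard. Note that `gr_handle_sysctl_mod` compares only the immediate directory name against "grsecurity", so the lock presumably does not cover entries that a later hunk might place in a subdirectory — worth a comment such as `/* grsec_lock only protects the top-level grsecurity directory */` if that is intended.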
55757diff -urNp linux-3.1.1/grsecurity/grsec_time.c linux-3.1.1/grsecurity/grsec_time.c
55758--- linux-3.1.1/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
55759+++ linux-3.1.1/grsecurity/grsec_time.c 2011-11-16 18:40:31.000000000 -0500
55760@@ -0,0 +1,16 @@
55761+#include <linux/kernel.h>
55762+#include <linux/sched.h>
55763+#include <linux/grinternal.h>
55764+#include <linux/module.h>
55765+
55766+void
55767+gr_log_timechange(void)
55768+{
55769+#ifdef CONFIG_GRKERNSEC_TIME
55770+ if (grsec_enable_time)
55771+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
55772+#endif
55773+ return;
55774+}
55775+
55776+EXPORT_SYMBOL(gr_log_timechange);
55777diff -urNp linux-3.1.1/grsecurity/grsec_tpe.c linux-3.1.1/grsecurity/grsec_tpe.c
55778--- linux-3.1.1/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
55779+++ linux-3.1.1/grsecurity/grsec_tpe.c 2011-11-16 18:40:31.000000000 -0500
55780@@ -0,0 +1,39 @@
55781+#include <linux/kernel.h>
55782+#include <linux/sched.h>
55783+#include <linux/file.h>
55784+#include <linux/fs.h>
55785+#include <linux/grinternal.h>
55786+
55787+extern int gr_acl_tpe_check(void);
55788+
55789+int
55790+gr_tpe_allow(const struct file *file)
55791+{
55792+#ifdef CONFIG_GRKERNSEC
55793+ struct inode *inode = file->f_path.dentry->d_parent->d_inode;
55794+ const struct cred *cred = current_cred();
55795+
55796+ if (cred->uid && ((grsec_enable_tpe &&
55797+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
55798+ ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
55799+ (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
55800+#else
55801+ in_group_p(grsec_tpe_gid)
55802+#endif
55803+ ) || gr_acl_tpe_check()) &&
55804+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
55805+ (inode->i_mode & S_IWOTH))))) {
55806+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
55807+ return 0;
55808+ }
55809+#ifdef CONFIG_GRKERNSEC_TPE_ALL
55810+ if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
55811+ ((inode->i_uid && (inode->i_uid != cred->uid)) ||
55812+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
55813+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
55814+ return 0;
55815+ }
55816+#endif
55817+#endif
55818+ return 1;
55819+}
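Review bot: `file->f_path.dentry->d_parent->d_inode` on the first line of gr_tpe_allow reads d_parent without `dget_parent()`, so under a concurrent rename of the binary out of its directory the parent dentry examined here can differ from the one the open file will end up under; the open file pins its own dentry, but the `d_parent` pointer is only stable under rename_lock, so this appears to be a race window rather than a guaranteed-safe read. Taking a reference and releasing it on every exit path closes it, and at the same time documents that TPE inspects only the immediate parent directory (ownership and group/world writability), not the full path. Also note that the `i_uid`/`i_mode` reads are unlocked snapshots; a `/* snapshot of the parent dir's owner/mode; TPE does not walk the full path */` comment would help the next reader.
```c
int
gr_tpe_allow(const struct file *file)
{
#ifdef CONFIG_GRKERNSEC
	struct dentry *parent = dget_parent(file->f_path.dentry);
	struct inode *inode = parent->d_inode;
	const struct cred *cred = current_cred();
	int ret = 1;

	/* … unchanged: TPE gid / invert / RBAC check, logs and sets ret = 0 … */
	/* … unchanged: CONFIG_GRKERNSEC_TPE_ALL check, logs and sets ret = 0 … */

	dput(parent);
	return ret;
#else
	return 1;
#endif
}
```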
55820diff -urNp linux-3.1.1/grsecurity/grsum.c linux-3.1.1/grsecurity/grsum.c
55821--- linux-3.1.1/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
55822+++ linux-3.1.1/grsecurity/grsum.c 2011-11-16 18:40:31.000000000 -0500
55823@@ -0,0 +1,61 @@
55824+#include <linux/err.h>
55825+#include <linux/kernel.h>
55826+#include <linux/sched.h>
55827+#include <linux/mm.h>
55828+#include <linux/scatterlist.h>
55829+#include <linux/crypto.h>
55830+#include <linux/gracl.h>
55831+
55832+
55833+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
55834+#error "crypto and sha256 must be built into the kernel"
55835+#endif
55836+
55837+int
55838+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
55839+{
55840+ char *p;
55841+ struct crypto_hash *tfm;
55842+ struct hash_desc desc;
55843+ struct scatterlist sg;
55844+ unsigned char temp_sum[GR_SHA_LEN];
55845+ volatile int retval = 0;
55846+ volatile int dummy = 0;
55847+ unsigned int i;
55848+
55849+ sg_init_table(&sg, 1);
55850+
55851+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
55852+ if (IS_ERR(tfm)) {
55853+ /* should never happen, since sha256 should be built in */
55854+ return 1;
55855+ }
55856+
55857+ desc.tfm = tfm;
55858+ desc.flags = 0;
55859+
55860+ crypto_hash_init(&desc);
55861+
55862+ p = salt;
55863+ sg_set_buf(&sg, p, GR_SALT_LEN);
55864+ crypto_hash_update(&desc, &sg, sg.length);
55865+
55866+ p = entry->pw;
55867+ sg_set_buf(&sg, p, strlen(p));
55868+
55869+ crypto_hash_update(&desc, &sg, sg.length);
55870+
55871+ crypto_hash_final(&desc, temp_sum);
55872+
55873+ memset(entry->pw, 0, GR_PW_LEN);
55874+
55875+ for (i = 0; i < GR_SHA_LEN; i++)
55876+ if (sum[i] != temp_sum[i])
55877+ retval = 1;
55878+ else
55879+ dummy = 1; // waste a cycle
55880+
55881+ crypto_free_hash(tfm);
55882+
55883+ return retval;
55884+}
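Review bot: The comparison loop in chkpw is clearly meant to be constant-time (volatile `retval`, the `dummy = 1; // waste a cycle` else-branch), but it still branches on each byte and the two arms are not equivalent work, so the intent is better served by a branch-free OR of the XOR differences. Separately, the return values of `crypto_hash_init`/`crypto_hash_update`/`crypto_hash_final` are ignored; if any of them fails, `temp_sum` is compared while uninitialized, so failure should be treated as a mismatch (return 1) the same way the `IS_ERR(tfm)` path does. `temp_sum` is also left in stack memory after the compare while `entry->pw` is wiped — zero it too.
```c
	unsigned char diff = 0;
	unsigned int i;
	/* … unchanged: sg_init_table, tfm allocation, desc setup … */
	if (crypto_hash_init(&desc))
		goto out_fail;
	/* … unchanged: sg_set_buf salt … */
	if (crypto_hash_update(&desc, &sg, sg.length))
		goto out_fail;
	/* … unchanged: sg_set_buf password … */
	if (crypto_hash_update(&desc, &sg, sg.length) ||
	    crypto_hash_final(&desc, temp_sum))
		goto out_fail;

	memset(entry->pw, 0, GR_PW_LEN);

	/* branch-free compare: timing must not depend on the first mismatching byte */
	for (i = 0; i < GR_SHA_LEN; i++)
		diff |= sum[i] ^ temp_sum[i];
	memset(temp_sum, 0, sizeof(temp_sum));

	crypto_free_hash(tfm);
	return diff != 0;

out_fail:
	memset(entry->pw, 0, GR_PW_LEN);
	crypto_free_hash(tfm);
	return 1;
```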
55885diff -urNp linux-3.1.1/grsecurity/Kconfig linux-3.1.1/grsecurity/Kconfig
55886--- linux-3.1.1/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
55887+++ linux-3.1.1/grsecurity/Kconfig 2011-11-16 18:40:31.000000000 -0500
55888@@ -0,0 +1,1037 @@
55889+#
55890+# grecurity configuration
55891+#
55892+
55893+menu "Grsecurity"
55894+
55895+config GRKERNSEC
55896+ bool "Grsecurity"
55897+ select CRYPTO
55898+ select CRYPTO_SHA256
55899+ help
55900+ If you say Y here, you will be able to configure many features
55901+ that will enhance the security of your system. It is highly
55902+ recommended that you say Y here and read through the help
55903+ for each option so that you fully understand the features and
55904+ can evaluate their usefulness for your machine.
55905+
55906+choice
55907+ prompt "Security Level"
55908+ depends on GRKERNSEC
55909+ default GRKERNSEC_CUSTOM
55910+
55911+config GRKERNSEC_LOW
55912+ bool "Low"
55913+ select GRKERNSEC_LINK
55914+ select GRKERNSEC_FIFO
55915+ select GRKERNSEC_RANDNET
55916+ select GRKERNSEC_DMESG
55917+ select GRKERNSEC_CHROOT
55918+ select GRKERNSEC_CHROOT_CHDIR
55919+
55920+ help
55921+ If you choose this option, several of the grsecurity options will
55922+ be enabled that will give you greater protection against a number
55923+ of attacks, while assuring that none of your software will have any
55924+ conflicts with the additional security measures. If you run a lot
55925+ of unusual software, or you are having problems with the higher
55926+ security levels, you should say Y here. With this option, the
55927+ following features are enabled:
55928+
55929+ - Linking restrictions
55930+ - FIFO restrictions
55931+ - Restricted dmesg
55932+ - Enforced chdir("/") on chroot
55933+ - Runtime module disabling
55934+
55935+config GRKERNSEC_MEDIUM
55936+ bool "Medium"
55937+ select PAX
55938+ select PAX_EI_PAX
55939+ select PAX_PT_PAX_FLAGS
55940+ select PAX_HAVE_ACL_FLAGS
55941+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
55942+ select GRKERNSEC_CHROOT
55943+ select GRKERNSEC_CHROOT_SYSCTL
55944+ select GRKERNSEC_LINK
55945+ select GRKERNSEC_FIFO
55946+ select GRKERNSEC_DMESG
55947+ select GRKERNSEC_RANDNET
55948+ select GRKERNSEC_FORKFAIL
55949+ select GRKERNSEC_TIME
55950+ select GRKERNSEC_SIGNAL
55951+ select GRKERNSEC_CHROOT
55952+ select GRKERNSEC_CHROOT_UNIX
55953+ select GRKERNSEC_CHROOT_MOUNT
55954+ select GRKERNSEC_CHROOT_PIVOT
55955+ select GRKERNSEC_CHROOT_DOUBLE
55956+ select GRKERNSEC_CHROOT_CHDIR
55957+ select GRKERNSEC_CHROOT_MKNOD
55958+ select GRKERNSEC_PROC
55959+ select GRKERNSEC_PROC_USERGROUP
55960+ select PAX_RANDUSTACK
55961+ select PAX_ASLR
55962+ select PAX_RANDMMAP
55963+ select PAX_REFCOUNT if (X86 || SPARC64)
55964+ select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
55965+
55966+ help
55967+ If you say Y here, several features in addition to those included
55968+ in the low additional security level will be enabled. These
55969+ features provide even more security to your system, though in rare
55970+ cases they may be incompatible with very old or poorly written
55971+ software. If you enable this option, make sure that your auth
55972+ service (identd) is running as gid 1001. With this option,
55973+ the following features (in addition to those provided in the
55974+ low additional security level) will be enabled:
55975+
55976+ - Failed fork logging
55977+ - Time change logging
55978+ - Signal logging
55979+ - Deny mounts in chroot
55980+ - Deny double chrooting
55981+ - Deny sysctl writes in chroot
55982+ - Deny mknod in chroot
55983+ - Deny access to abstract AF_UNIX sockets out of chroot
55984+ - Deny pivot_root in chroot
55985+ - Denied reads/writes of /dev/kmem, /dev/mem, and /dev/port
55986+ - /proc restrictions with special GID set to 10 (usually wheel)
55987+ - Address Space Layout Randomization (ASLR)
55988+ - Prevent exploitation of most refcount overflows
55989+ - Bounds checking of copying between the kernel and userland
55990+
55991+config GRKERNSEC_HIGH
55992+ bool "High"
55993+ select GRKERNSEC_LINK
55994+ select GRKERNSEC_FIFO
55995+ select GRKERNSEC_DMESG
55996+ select GRKERNSEC_FORKFAIL
55997+ select GRKERNSEC_TIME
55998+ select GRKERNSEC_SIGNAL
55999+ select GRKERNSEC_CHROOT
56000+ select GRKERNSEC_CHROOT_SHMAT
56001+ select GRKERNSEC_CHROOT_UNIX
56002+ select GRKERNSEC_CHROOT_MOUNT
56003+ select GRKERNSEC_CHROOT_FCHDIR
56004+ select GRKERNSEC_CHROOT_PIVOT
56005+ select GRKERNSEC_CHROOT_DOUBLE
56006+ select GRKERNSEC_CHROOT_CHDIR
56007+ select GRKERNSEC_CHROOT_MKNOD
56008+ select GRKERNSEC_CHROOT_CAPS
56009+ select GRKERNSEC_CHROOT_SYSCTL
56010+ select GRKERNSEC_CHROOT_FINDTASK
56011+ select GRKERNSEC_SYSFS_RESTRICT
56012+ select GRKERNSEC_PROC
56013+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
56014+ select GRKERNSEC_HIDESYM
56015+ select GRKERNSEC_BRUTE
56016+ select GRKERNSEC_PROC_USERGROUP
56017+ select GRKERNSEC_KMEM
56018+ select GRKERNSEC_RESLOG
56019+ select GRKERNSEC_RANDNET
56020+ select GRKERNSEC_PROC_ADD
56021+ select GRKERNSEC_CHROOT_CHMOD
56022+ select GRKERNSEC_CHROOT_NICE
56023+ select GRKERNSEC_AUDIT_MOUNT
56024+ select GRKERNSEC_MODHARDEN if (MODULES)
56025+ select GRKERNSEC_HARDEN_PTRACE
56026+ select GRKERNSEC_VM86 if (X86_32)
56027+ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
56028+ select PAX
56029+ select PAX_RANDUSTACK
56030+ select PAX_ASLR
56031+ select PAX_RANDMMAP
56032+ select PAX_NOEXEC
56033+ select PAX_MPROTECT
56034+ select PAX_EI_PAX
56035+ select PAX_PT_PAX_FLAGS
56036+ select PAX_HAVE_ACL_FLAGS
56037+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
56038+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
56039+ select PAX_RANDKSTACK if (X86_TSC && X86)
56040+ select PAX_SEGMEXEC if (X86_32)
56041+ select PAX_PAGEEXEC
56042+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
56043+ select PAX_EMUTRAMP if (PARISC)
56044+ select PAX_EMUSIGRT if (PARISC)
56045+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
56046+ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
56047+ select PAX_REFCOUNT if (X86 || SPARC64)
56048+ select PAX_USERCOPY if ((X86 || PPC || SPARC || ARM) && (SLAB || SLUB || SLOB))
56049+ help
56050+ If you say Y here, many of the features of grsecurity will be
56051+ enabled, which will protect you against many kinds of attacks
56052+ against your system. The heightened security comes at a cost
56053+ of an increased chance of incompatibilities with rare software
56054+ on your machine. Since this security level enables PaX, you should
56055+ view <http://pax.grsecurity.net> and read about the PaX
56056+ project. While you are there, download chpax and run it on
56057+ binaries that cause problems with PaX. Also remember that
56058+ since the /proc restrictions are enabled, you must run your
56059+ identd as gid 1001. This security level enables the following
56060+ features in addition to those listed in the low and medium
56061+ security levels:
56062+
56063+ - Additional /proc restrictions
56064+ - Chmod restrictions in chroot
56065+ - No signals, ptrace, or viewing of processes outside of chroot
56066+ - Capability restrictions in chroot
56067+ - Deny fchdir out of chroot
56068+ - Priority restrictions in chroot
56069+ - Segmentation-based implementation of PaX
56070+ - Mprotect restrictions
56071+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
56072+ - Kernel stack randomization
56073+ - Mount/unmount/remount logging
56074+ - Kernel symbol hiding
56075+ - Hardening of module auto-loading
56076+ - Ptrace restrictions
56077+ - Restricted vm86 mode
56078+ - Restricted sysfs/debugfs
56079+ - Active kernel exploit response
56080+
56081+config GRKERNSEC_CUSTOM
56082+ bool "Custom"
56083+ help
56084+ If you say Y here, you will be able to configure every grsecurity
56085+ option, which allows you to enable many more features that aren't
56086+ covered in the basic security levels. These additional features
56087+ include TPE, socket restrictions, and the sysctl system for
56088+ grsecurity. It is advised that you read through the help for
56089+ each option to determine its usefulness in your situation.
56090+
56091+endchoice
56092+
56093+menu "Address Space Protection"
56094+depends on GRKERNSEC
56095+
56096+config GRKERNSEC_KMEM
56097+ bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
56098+ select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
56099+ help
56100+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
56101+ be written to or read from to modify or leak the contents of the running
56102+ kernel. /dev/port will also not be allowed to be opened. If you have module
56103+ support disabled, enabling this will close up four ways that are
56104+ currently used to insert malicious code into the running kernel.
56105+ Even with all these features enabled, we still highly recommend that
56106+ you use the RBAC system, as it is still possible for an attacker to
56107+ modify the running kernel through privileged I/O granted by ioperm/iopl.
56108+ If you are not using XFree86, you may be able to stop this additional
56109+ case by enabling the 'Disable privileged I/O' option. Though nothing
56110+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
56111+ but only to video memory, which is the only writing we allow in this
56112+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
56113+ not be allowed to mprotect it with PROT_WRITE later.
56114+ It is highly recommended that you say Y here if you meet all the
56115+ conditions above.
56116+
56117+config GRKERNSEC_VM86
56118+ bool "Restrict VM86 mode"
56119+ depends on X86_32
56120+
56121+ help
56122+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
56123+ make use of a special execution mode on 32bit x86 processors called
56124+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
56125+ video cards and will still work with this option enabled. The purpose
56126+ of the option is to prevent exploitation of emulation errors in
56127+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
56128+ Nearly all users should be able to enable this option.
56129+
56130+config GRKERNSEC_IO
56131+ bool "Disable privileged I/O"
56132+ depends on X86
56133+ select RTC_CLASS
56134+ select RTC_INTF_DEV
56135+ select RTC_DRV_CMOS
56136+
56137+ help
56138+ If you say Y here, all ioperm and iopl calls will return an error.
56139+ Ioperm and iopl can be used to modify the running kernel.
56140+ Unfortunately, some programs need this access to operate properly,
56141+ the most notable of which are XFree86 and hwclock. hwclock can be
56142+ remedied by having RTC support in the kernel, so real-time
56143+ clock support is enabled if this option is enabled, to ensure
56144+ that hwclock operates correctly. XFree86 still will not
56145+ operate correctly with this option enabled, so DO NOT CHOOSE Y
56146+ IF YOU USE XFree86. If you use XFree86 and you still want to
56147+ protect your kernel against modification, use the RBAC system.
56148+
56149+config GRKERNSEC_PROC_MEMMAP
56150+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
56151+ default y if (PAX_NOEXEC || PAX_ASLR)
56152+ depends on PAX_NOEXEC || PAX_ASLR
56153+ help
56154+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
56155+ give no information about the addresses of its mappings if
56156+ PaX features that rely on random addresses are enabled on the task.
56157+ If you use PaX it is greatly recommended that you say Y here as it
56158+ closes up a hole that makes the full ASLR useless for suid
56159+ binaries.
56160+
56161+config GRKERNSEC_BRUTE
56162+ bool "Deter exploit bruteforcing"
56163+ help
56164+ If you say Y here, attempts to bruteforce exploits against forking
56165+ daemons such as apache or sshd, as well as against suid/sgid binaries
56166+ will be deterred. When a child of a forking daemon is killed by PaX
56167+ or crashes due to an illegal instruction or other suspicious signal,
56168+ the parent process will be delayed 30 seconds upon every subsequent
56169+ fork until the administrator is able to assess the situation and
56170+ restart the daemon.
56171+ In the suid/sgid case, the attempt is logged, the user has all their
56172+ processes terminated, and they are prevented from executing any further
56173+ processes for 15 minutes.
56174+ It is recommended that you also enable signal logging in the auditing
56175+ section so that logs are generated when a process triggers a suspicious
56176+ signal.
56177+ If the sysctl option is enabled, a sysctl option with name
56178+ "deter_bruteforce" is created.
56179+
56180+
56181+config GRKERNSEC_MODHARDEN
56182+ bool "Harden module auto-loading"
56183+ depends on MODULES
56184+ help
56185+ If you say Y here, module auto-loading in response to use of some
56186+ feature implemented by an unloaded module will be restricted to
56187+ root users. Enabling this option helps defend against attacks
56188+ by unprivileged users who abuse the auto-loading behavior to
56189+ cause a vulnerable module to load that is then exploited.
56190+
56191+ If this option prevents a legitimate use of auto-loading for a
56192+ non-root user, the administrator can execute modprobe manually
56193+ with the exact name of the module mentioned in the alert log.
56194+ Alternatively, the administrator can add the module to the list
56195+ of modules loaded at boot by modifying init scripts.
56196+
56197+ Modification of init scripts will most likely be needed on
56198+ Ubuntu servers with encrypted home directory support enabled,
56199+ as the first non-root user logging in will cause the ecb(aes),
56200+ ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
56201+
56202+config GRKERNSEC_HIDESYM
56203+ bool "Hide kernel symbols"
56204+ help
56205+ If you say Y here, getting information on loaded modules, and
56206+ displaying all kernel symbols through a syscall will be restricted
56207+ to users with CAP_SYS_MODULE. For software compatibility reasons,
56208+ /proc/kallsyms will be restricted to the root user. The RBAC
56209+ system can hide that entry even from root.
56210+
56211+ This option also prevents leaking of kernel addresses through
56212+ several /proc entries.
56213+
56214+ Note that this option is only effective provided the following
56215+ conditions are met:
56216+ 1) The kernel using grsecurity is not precompiled by some distribution
56217+ 2) You have also enabled GRKERNSEC_DMESG
56218+ 3) You are using the RBAC system and hiding other files such as your
56219+ kernel image and System.map. Alternatively, enabling this option
56220+ causes the permissions on /boot, /lib/modules, and the kernel
56221+ source directory to change at compile time to prevent
56222+ reading by non-root users.
56223+ If the above conditions are met, this option will aid in providing a
56224+ useful protection against local kernel exploitation of overflows
56225+ and arbitrary read/write vulnerabilities.
56226+
56227+config GRKERNSEC_KERN_LOCKOUT
56228+ bool "Active kernel exploit response"
56229+ depends on X86 || ARM || PPC || SPARC
56230+ help
56231+ If you say Y here, when a PaX alert is triggered due to suspicious
56232+ activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
56233+ or an OOPs occurs due to bad memory accesses, instead of just
56234+ terminating the offending process (and potentially allowing
56235+ a subsequent exploit from the same user), we will take one of two
56236+ actions:
56237+ If the user was root, we will panic the system
56238+ If the user was non-root, we will log the attempt, terminate
56239+ all processes owned by the user, then prevent them from creating
56240+ any new processes until the system is restarted
56241+ This deters repeated kernel exploitation/bruteforcing attempts
56242+ and is useful for later forensics.
56243+
56244+endmenu
56245+menu "Role Based Access Control Options"
56246+depends on GRKERNSEC
56247+
56248+config GRKERNSEC_RBAC_DEBUG
56249+ bool
56250+
56251+config GRKERNSEC_NO_RBAC
56252+ bool "Disable RBAC system"
56253+ help
56254+ If you say Y here, the /dev/grsec device will be removed from the kernel,
56255+ preventing the RBAC system from being enabled. You should only say Y
56256+ here if you have no intention of using the RBAC system, so as to prevent
56257+ an attacker with root access from misusing the RBAC system to hide files
56258+ and processes when loadable module support and /dev/[k]mem have been
56259+ locked down.
56260+
56261+config GRKERNSEC_ACL_HIDEKERN
56262+ bool "Hide kernel processes"
56263+ help
56264+ If you say Y here, all kernel threads will be hidden to all
56265+ processes but those whose subject has the "view hidden processes"
56266+ flag.
56267+
56268+config GRKERNSEC_ACL_MAXTRIES
56269+ int "Maximum tries before password lockout"
56270+ default 3
56271+ help
56272+ This option enforces the maximum number of times a user can attempt
56273+ to authorize themselves with the grsecurity RBAC system before being
56274+ denied the ability to attempt authorization again for a specified time.
56275+ The lower the number, the harder it will be to brute-force a password.
56276+
56277+config GRKERNSEC_ACL_TIMEOUT
56278+ int "Time to wait after max password tries, in seconds"
56279+ default 30
56280+ help
56281+ This option specifies the time the user must wait after attempting to
56282+ authorize to the RBAC system with the maximum number of invalid
56283+ passwords. The higher the number, the harder it will be to brute-force
56284+ a password.
56285+
56286+endmenu
56287+menu "Filesystem Protections"
56288+depends on GRKERNSEC
56289+
56290+config GRKERNSEC_PROC
56291+ bool "Proc restrictions"
56292+ help
56293+ If you say Y here, the permissions of the /proc filesystem
56294+ will be altered to enhance system security and privacy. You MUST
56295+ choose either a user only restriction or a user and group restriction.
56296+ Depending upon the option you choose, you can either restrict users to
56297+ see only the processes they themselves run, or choose a group that can
56298+ view all processes and files normally restricted to root if you choose
56299+ the "restrict to user only" option. NOTE: If you're running identd as
56300+ a non-root user, you will have to run it as the group you specify here.
56301+
56302+config GRKERNSEC_PROC_USER
56303+ bool "Restrict /proc to user only"
56304+ depends on GRKERNSEC_PROC
56305+ help
56306+ If you say Y here, non-root users will only be able to view their own
56307+ processes, and restricts them from viewing network-related information,
56308+ and viewing kernel symbol and module information.
56309+
56310+config GRKERNSEC_PROC_USERGROUP
56311+ bool "Allow special group"
56312+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
56313+ help
56314+ If you say Y here, you will be able to select a group that will be
56315+ able to view all processes and network-related information. If you've
56316+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
56317+ remain hidden. This option is useful if you want to run identd as
56318+ a non-root user.
56319+
56320+config GRKERNSEC_PROC_GID
56321+ int "GID for special group"
56322+ depends on GRKERNSEC_PROC_USERGROUP
56323+ default 1001
56324+
56325+config GRKERNSEC_PROC_ADD
56326+ bool "Additional restrictions"
56327+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
56328+ help
56329+ If you say Y here, additional restrictions will be placed on
56330+ /proc that keep normal users from viewing device information and
56331+ slabinfo information that could be useful for exploits.
56332+
56333+config GRKERNSEC_LINK
56334+ bool "Linking restrictions"
56335+ help
56336+ If you say Y here, /tmp race exploits will be prevented, since users
56337+ will no longer be able to follow symlinks owned by other users in
56338+ world-writable +t directories (e.g. /tmp), unless the owner of the
56339+ symlink is the owner of the directory. users will also not be
56340+ able to hardlink to files they do not own. If the sysctl option is
56341+ enabled, a sysctl option with name "linking_restrictions" is created.
56342+
56343+config GRKERNSEC_FIFO
56344+ bool "FIFO restrictions"
56345+ help
56346+ If you say Y here, users will not be able to write to FIFOs they don't
56347+ own in world-writable +t directories (e.g. /tmp), unless the owner of
56348+ the FIFO is the same owner of the directory it's held in. If the sysctl
56349+ option is enabled, a sysctl option with name "fifo_restrictions" is
56350+ created.
56351+
56352+config GRKERNSEC_SYSFS_RESTRICT
56353+ bool "Sysfs/debugfs restriction"
56354+ depends on SYSFS
56355+ help
56356+ If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
56357+ any filesystem normally mounted under it (e.g. debugfs) will only
56358+ be accessible by root. These filesystems generally provide access
56359+ to hardware and debug information that isn't appropriate for unprivileged
56360+ users of the system. Sysfs and debugfs have also become a large source
56361+ of new vulnerabilities, ranging from infoleaks to local compromise.
56362+ There has been very little oversight with an eye toward security involved
56363+ in adding new exporters of information to these filesystems, so their
56364+ use is discouraged.
56365+ This option is equivalent to a chmod 0700 of the mount paths.
56366+
56367+config GRKERNSEC_ROFS
56368+ bool "Runtime read-only mount protection"
56369+ help
56370+ If you say Y here, a sysctl option with name "romount_protect" will
56371+ be created. By setting this option to 1 at runtime, filesystems
56372+ will be protected in the following ways:
56373+ * No new writable mounts will be allowed
56374+ * Existing read-only mounts won't be able to be remounted read/write
56375+ * Write operations will be denied on all block devices
56376+ This option acts independently of grsec_lock: once it is set to 1,
56377+ it cannot be turned off. Therefore, please be mindful of the resulting
56378+ behavior if this option is enabled in an init script on a read-only
56379+ filesystem. This feature is mainly intended for secure embedded systems.
56380+
56381+config GRKERNSEC_CHROOT
56382+ bool "Chroot jail restrictions"
56383+ help
56384+ If you say Y here, you will be able to choose several options that will
56385+ make breaking out of a chrooted jail much more difficult. If you
56386+ encounter no software incompatibilities with the following options, it
56387+ is recommended that you enable each one.
56388+
56389+config GRKERNSEC_CHROOT_MOUNT
56390+ bool "Deny mounts"
56391+ depends on GRKERNSEC_CHROOT
56392+ help
56393+ If you say Y here, processes inside a chroot will not be able to
56394+ mount or remount filesystems. If the sysctl option is enabled, a
56395+ sysctl option with name "chroot_deny_mount" is created.
56396+
56397+config GRKERNSEC_CHROOT_DOUBLE
56398+ bool "Deny double-chroots"
56399+ depends on GRKERNSEC_CHROOT
56400+ help
56401+ If you say Y here, processes inside a chroot will not be able to chroot
56402+ again outside the chroot. This is a widely used method of breaking
56403+ out of a chroot jail and should not be allowed. If the sysctl
56404+ option is enabled, a sysctl option with name
56405+ "chroot_deny_chroot" is created.
56406+
56407+config GRKERNSEC_CHROOT_PIVOT
56408+ bool "Deny pivot_root in chroot"
56409+ depends on GRKERNSEC_CHROOT
56410+ help
56411+ If you say Y here, processes inside a chroot will not be able to use
56412+ a function called pivot_root() that was introduced in Linux 2.3.41. It
56413+ works similar to chroot in that it changes the root filesystem. This
56414+ function could be misused in a chrooted process to attempt to break out
56415+ of the chroot, and therefore should not be allowed. If the sysctl
56416+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
56417+ created.
56418+
56419+config GRKERNSEC_CHROOT_CHDIR
56420+ bool "Enforce chdir(\"/\") on all chroots"
56421+ depends on GRKERNSEC_CHROOT
56422+ help
56423+ If you say Y here, the current working directory of all newly-chrooted
56424+ applications will be set to the the root directory of the chroot.
56425+ The man page on chroot(2) states:
56426+ Note that this call does not change the current working
56427+ directory, so that `.' can be outside the tree rooted at
56428+ `/'. In particular, the super-user can escape from a
56429+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
56430+
56431+ It is recommended that you say Y here, since it's not known to break
56432+ any software. If the sysctl option is enabled, a sysctl option with
56433+ name "chroot_enforce_chdir" is created.
56434+
56435+config GRKERNSEC_CHROOT_CHMOD
56436+ bool "Deny (f)chmod +s"
56437+ depends on GRKERNSEC_CHROOT
56438+ help
56439+ If you say Y here, processes inside a chroot will not be able to chmod
56440+ or fchmod files to make them have suid or sgid bits. This protects
56441+ against another published method of breaking a chroot. If the sysctl
56442+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
56443+ created.
56444+
56445+config GRKERNSEC_CHROOT_FCHDIR
56446+ bool "Deny fchdir out of chroot"
56447+ depends on GRKERNSEC_CHROOT
56448+ help
56449+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
56450+ to a file descriptor of the chrooting process that points to a directory
56451+ outside the filesystem will be stopped. If the sysctl option
56452+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
56453+
56454+config GRKERNSEC_CHROOT_MKNOD
56455+ bool "Deny mknod"
56456+ depends on GRKERNSEC_CHROOT
56457+ help
56458+ If you say Y here, processes inside a chroot will not be allowed to
56459+ mknod. The problem with using mknod inside a chroot is that it
56460+ would allow an attacker to create a device entry that is the same
56461+ as one on the physical root of your system, which could range from
56462+ anything from the console device to a device for your harddrive (which
56463+ they could then use to wipe the drive or steal data). It is recommended
56464+ that you say Y here, unless you run into software incompatibilities.
56465+ If the sysctl option is enabled, a sysctl option with name
56466+ "chroot_deny_mknod" is created.
56467+
56468+config GRKERNSEC_CHROOT_SHMAT
56469+ bool "Deny shmat() out of chroot"
56470+ depends on GRKERNSEC_CHROOT
56471+ help
56472+ If you say Y here, processes inside a chroot will not be able to attach
56473+ to shared memory segments that were created outside of the chroot jail.
56474+ It is recommended that you say Y here. If the sysctl option is enabled,
56475+ a sysctl option with name "chroot_deny_shmat" is created.
56476+
56477+config GRKERNSEC_CHROOT_UNIX
56478+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
56479+ depends on GRKERNSEC_CHROOT
56480+ help
56481+ If you say Y here, processes inside a chroot will not be able to
56482+ connect to abstract (meaning not belonging to a filesystem) Unix
56483+ domain sockets that were bound outside of a chroot. It is recommended
56484+ that you say Y here. If the sysctl option is enabled, a sysctl option
56485+ with name "chroot_deny_unix" is created.
56486+
56487+config GRKERNSEC_CHROOT_FINDTASK
56488+ bool "Protect outside processes"
56489+ depends on GRKERNSEC_CHROOT
56490+ help
56491+ If you say Y here, processes inside a chroot will not be able to
56492+ kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
56493+ getsid, or view any process outside of the chroot. If the sysctl
56494+ option is enabled, a sysctl option with name "chroot_findtask" is
56495+ created.
56496+
56497+config GRKERNSEC_CHROOT_NICE
56498+ bool "Restrict priority changes"
56499+ depends on GRKERNSEC_CHROOT
56500+ help
56501+ If you say Y here, processes inside a chroot will not be able to raise
56502+ the priority of processes in the chroot, or alter the priority of
56503+ processes outside the chroot. This provides more security than simply
56504+ removing CAP_SYS_NICE from the process' capability set. If the
56505+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
56506+ is created.
56507+
56508+config GRKERNSEC_CHROOT_SYSCTL
56509+ bool "Deny sysctl writes"
56510+ depends on GRKERNSEC_CHROOT
56511+ help
56512+ If you say Y here, an attacker in a chroot will not be able to
56513+ write to sysctl entries, either by sysctl(2) or through a /proc
56514+ interface. It is strongly recommended that you say Y here. If the
56515+ sysctl option is enabled, a sysctl option with name
56516+ "chroot_deny_sysctl" is created.
56517+
56518+config GRKERNSEC_CHROOT_CAPS
56519+ bool "Capability restrictions"
56520+ depends on GRKERNSEC_CHROOT
56521+ help
56522+ If you say Y here, the capabilities on all processes within a
56523+ chroot jail will be lowered to stop module insertion, raw i/o,
56524+ system and net admin tasks, rebooting the system, modifying immutable
56525+ files, modifying IPC owned by another, and changing the system time.
56526+ This is left an option because it can break some apps. Disable this
56527+ if your chrooted apps are having problems performing those kinds of
56528+ tasks. If the sysctl option is enabled, a sysctl option with
56529+ name "chroot_caps" is created.
56530+
56531+endmenu
56532+menu "Kernel Auditing"
56533+depends on GRKERNSEC
56534+
56535+config GRKERNSEC_AUDIT_GROUP
56536+ bool "Single group for auditing"
56537+ help
56538+ If you say Y here, the exec, chdir, and (un)mount logging features
56539+ will only operate on a group you specify. This option is recommended
56540+ if you only want to watch certain users instead of having a large
56541+ amount of logs from the entire system. If the sysctl option is enabled,
56542+ a sysctl option with name "audit_group" is created.
56543+
56544+config GRKERNSEC_AUDIT_GID
56545+ int "GID for auditing"
56546+ depends on GRKERNSEC_AUDIT_GROUP
56547+ default 1007
56548+
56549+config GRKERNSEC_EXECLOG
56550+ bool "Exec logging"
56551+ help
56552+ If you say Y here, all execve() calls will be logged (since the
56553+ other exec*() calls are frontends to execve(), all execution
56554+ will be logged). Useful for shell-servers that like to keep track
56555+ of their users. If the sysctl option is enabled, a sysctl option with
56556+ name "exec_logging" is created.
56557+ WARNING: This option when enabled will produce a LOT of logs, especially
56558+ on an active system.
56559+
56560+config GRKERNSEC_RESLOG
56561+ bool "Resource logging"
56562+ help
56563+ If you say Y here, all attempts to overstep resource limits will
56564+ be logged with the resource name, the requested size, and the current
56565+ limit. It is highly recommended that you say Y here. If the sysctl
56566+ option is enabled, a sysctl option with name "resource_logging" is
56567+ created. If the RBAC system is enabled, the sysctl value is ignored.
56568+
56569+config GRKERNSEC_CHROOT_EXECLOG
56570+ bool "Log execs within chroot"
56571+ help
56572+ If you say Y here, all executions inside a chroot jail will be logged
56573+ to syslog. This can cause a large amount of logs if certain
56574+ applications (eg. djb's daemontools) are installed on the system, and
56575+ is therefore left as an option. If the sysctl option is enabled, a
56576+ sysctl option with name "chroot_execlog" is created.
56577+
56578+config GRKERNSEC_AUDIT_PTRACE
56579+ bool "Ptrace logging"
56580+ help
56581+ If you say Y here, all attempts to attach to a process via ptrace
56582+ will be logged. If the sysctl option is enabled, a sysctl option
56583+ with name "audit_ptrace" is created.
56584+
56585+config GRKERNSEC_AUDIT_CHDIR
56586+ bool "Chdir logging"
56587+ help
56588+ If you say Y here, all chdir() calls will be logged. If the sysctl
56589+ option is enabled, a sysctl option with name "audit_chdir" is created.
56590+
56591+config GRKERNSEC_AUDIT_MOUNT
56592+ bool "(Un)Mount logging"
56593+ help
56594+ If you say Y here, all mounts and unmounts will be logged. If the
56595+ sysctl option is enabled, a sysctl option with name "audit_mount" is
56596+ created.
56597+
56598+config GRKERNSEC_SIGNAL
56599+ bool "Signal logging"
56600+ help
56601+ If you say Y here, certain important signals will be logged, such as
56602+ SIGSEGV, which will as a result inform you of when a error in a program
56603+ occurred, which in some cases could mean a possible exploit attempt.
56604+ If the sysctl option is enabled, a sysctl option with name
56605+ "signal_logging" is created.
56606+
56607+config GRKERNSEC_FORKFAIL
56608+ bool "Fork failure logging"
56609+ help
56610+ If you say Y here, all failed fork() attempts will be logged.
56611+ This could suggest a fork bomb, or someone attempting to overstep
56612+ their process limit. If the sysctl option is enabled, a sysctl option
56613+ with name "forkfail_logging" is created.
56614+
56615+config GRKERNSEC_TIME
56616+ bool "Time change logging"
56617+ help
56618+ If you say Y here, any changes of the system clock will be logged.
56619+ If the sysctl option is enabled, a sysctl option with name
56620+ "timechange_logging" is created.
56621+
56622+config GRKERNSEC_PROC_IPADDR
56623+ bool "/proc/<pid>/ipaddr support"
56624+ help
56625+ If you say Y here, a new entry will be added to each /proc/<pid>
56626+ directory that contains the IP address of the person using the task.
56627+ The IP is carried across local TCP and AF_UNIX stream sockets.
56628+ This information can be useful for IDS/IPSes to perform remote response
56629+ to a local attack. The entry is readable by only the owner of the
56630+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
56631+ the RBAC system), and thus does not create privacy concerns.
56632+
56633+config GRKERNSEC_RWXMAP_LOG
56634+ bool 'Denied RWX mmap/mprotect logging'
56635+ depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
56636+ help
56637+ If you say Y here, calls to mmap() and mprotect() with explicit
56638+ usage of PROT_WRITE and PROT_EXEC together will be logged when
56639+ denied by the PAX_MPROTECT feature. If the sysctl option is
56640+ enabled, a sysctl option with name "rwxmap_logging" is created.
56641+
56642+config GRKERNSEC_AUDIT_TEXTREL
56643+ bool 'ELF text relocations logging (READ HELP)'
56644+ depends on PAX_MPROTECT
56645+ help
56646+ If you say Y here, text relocations will be logged with the filename
56647+ of the offending library or binary. The purpose of the feature is
56648+ to help Linux distribution developers get rid of libraries and
56649+ binaries that need text relocations which hinder the future progress
56650+ of PaX. Only Linux distribution developers should say Y here, and
56651+ never on a production machine, as this option creates an information
56652+ leak that could aid an attacker in defeating the randomization of
56653+ a single memory region. If the sysctl option is enabled, a sysctl
56654+ option with name "audit_textrel" is created.
56655+
56656+endmenu
56657+
56658+menu "Executable Protections"
56659+depends on GRKERNSEC
56660+
56661+config GRKERNSEC_DMESG
56662+ bool "Dmesg(8) restriction"
56663+ help
56664+ If you say Y here, non-root users will not be able to use dmesg(8)
56665+ to view up to the last 4kb of messages in the kernel's log buffer.
56666+ The kernel's log buffer often contains kernel addresses and other
56667+ identifying information useful to an attacker in fingerprinting a
56668+ system for a targeted exploit.
56669+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
56670+ created.
56671+
56672+config GRKERNSEC_HARDEN_PTRACE
56673+ bool "Deter ptrace-based process snooping"
56674+ help
56675+ If you say Y here, TTY sniffers and other malicious monitoring
56676+ programs implemented through ptrace will be defeated. If you
56677+ have been using the RBAC system, this option has already been
56678+ enabled for several years for all users, with the ability to make
56679+ fine-grained exceptions.
56680+
56681+ This option only affects the ability of non-root users to ptrace
56682+ processes that are not a descendent of the ptracing process.
56683+ This means that strace ./binary and gdb ./binary will still work,
56684+ but attaching to arbitrary processes will not. If the sysctl
56685+ option is enabled, a sysctl option with name "harden_ptrace" is
56686+ created.
56687+
56688+config GRKERNSEC_TPE
56689+ bool "Trusted Path Execution (TPE)"
56690+ help
56691+ If you say Y here, you will be able to choose a gid to add to the
56692+ supplementary groups of users you want to mark as "untrusted."
56693+ These users will not be able to execute any files that are not in
56694+ root-owned directories writable only by root. If the sysctl option
56695+ is enabled, a sysctl option with name "tpe" is created.
56696+
56697+config GRKERNSEC_TPE_ALL
56698+ bool "Partially restrict all non-root users"
56699+ depends on GRKERNSEC_TPE
56700+ help
56701+ If you say Y here, all non-root users will be covered under
56702+ a weaker TPE restriction. This is separate from, and in addition to,
56703+ the main TPE options that you have selected elsewhere. Thus, if a
56704+ "trusted" GID is chosen, this restriction applies to even that GID.
56705+ Under this restriction, all non-root users will only be allowed to
56706+ execute files in directories they own that are not group or
56707+ world-writable, or in directories owned by root and writable only by
56708+ root. If the sysctl option is enabled, a sysctl option with name
56709+ "tpe_restrict_all" is created.
56710+
56711+config GRKERNSEC_TPE_INVERT
56712+ bool "Invert GID option"
56713+ depends on GRKERNSEC_TPE
56714+ help
56715+ If you say Y here, the group you specify in the TPE configuration will
56716+ decide what group TPE restrictions will be *disabled* for. This
56717+ option is useful if you want TPE restrictions to be applied to most
56718+ users on the system. If the sysctl option is enabled, a sysctl option
56719+ with name "tpe_invert" is created. Unlike other sysctl options, this
56720+ entry will default to on for backward-compatibility.
56721+
56722+config GRKERNSEC_TPE_GID
56723+ int "GID for untrusted users"
56724+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
56725+ default 1005
56726+ help
56727+ Setting this GID determines what group TPE restrictions will be
56728+ *enabled* for. If the sysctl option is enabled, a sysctl option
56729+ with name "tpe_gid" is created.
56730+
56731+config GRKERNSEC_TPE_GID
56732+ int "GID for trusted users"
56733+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
56734+ default 1005
56735+ help
56736+ Setting this GID determines what group TPE restrictions will be
56737+ *disabled* for. If the sysctl option is enabled, a sysctl option
56738+ with name "tpe_gid" is created.
56739+
56740+endmenu
56741+menu "Network Protections"
56742+depends on GRKERNSEC
56743+
56744+config GRKERNSEC_RANDNET
56745+ bool "Larger entropy pools"
56746+ help
56747+ If you say Y here, the entropy pools used for many features of Linux
56748+ and grsecurity will be doubled in size. Since several grsecurity
56749+ features use additional randomness, it is recommended that you say Y
56750+ here. Saying Y here has a similar effect as modifying
56751+ /proc/sys/kernel/random/poolsize.
56752+
56753+config GRKERNSEC_BLACKHOLE
56754+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
56755+ depends on NET
56756+ help
56757+ If you say Y here, neither TCP resets nor ICMP
56758+ destination-unreachable packets will be sent in response to packets
56759+ sent to ports for which no associated listening process exists.
56760+ This feature supports both IPV4 and IPV6 and exempts the
56761+ loopback interface from blackholing. Enabling this feature
56762+ makes a host more resilient to DoS attacks and reduces network
56763+ visibility against scanners.
56764+
56765+ The blackhole feature as-implemented is equivalent to the FreeBSD
56766+ blackhole feature, as it prevents RST responses to all packets, not
56767+ just SYNs. Under most application behavior this causes no
56768+ problems, but applications (like haproxy) may not close certain
56769+ connections in a way that cleanly terminates them on the remote
56770+ end, leaving the remote host in LAST_ACK state. Because of this
56771+ side-effect and to prevent intentional LAST_ACK DoSes, this
56772+ feature also adds automatic mitigation against such attacks.
56773+ The mitigation drastically reduces the amount of time a socket
56774+ can spend in LAST_ACK state. If you're using haproxy and not
56775+ all servers it connects to have this option enabled, consider
56776+ disabling this feature on the haproxy host.
56777+
56778+ If the sysctl option is enabled, two sysctl options with names
56779+ "ip_blackhole" and "lastack_retries" will be created.
56780+ While "ip_blackhole" takes the standard zero/non-zero on/off
56781+ toggle, "lastack_retries" uses the same kinds of values as
56782+ "tcp_retries1" and "tcp_retries2". The default value of 4
56783+ prevents a socket from lasting more than 45 seconds in LAST_ACK
56784+ state.
56785+
56786+config GRKERNSEC_SOCKET
56787+ bool "Socket restrictions"
56788+ depends on NET
56789+ help
56790+ If you say Y here, you will be able to choose from several options.
56791+ If you assign a GID on your system and add it to the supplementary
56792+ groups of users you want to restrict socket access to, this patch
56793+ will perform up to three things, based on the option(s) you choose.
56794+
56795+config GRKERNSEC_SOCKET_ALL
56796+ bool "Deny any sockets to group"
56797+ depends on GRKERNSEC_SOCKET
56798+ help
56799+ If you say Y here, you will be able to choose a GID of whose users will
56800+ be unable to connect to other hosts from your machine or run server
56801+ applications from your machine. If the sysctl option is enabled, a
56802+ sysctl option with name "socket_all" is created.
56803+
56804+config GRKERNSEC_SOCKET_ALL_GID
56805+ int "GID to deny all sockets for"
56806+ depends on GRKERNSEC_SOCKET_ALL
56807+ default 1004
56808+ help
56809+ Here you can choose the GID to disable socket access for. Remember to
56810+ add the users you want socket access disabled for to the GID
56811+ specified here. If the sysctl option is enabled, a sysctl option
56812+ with name "socket_all_gid" is created.
56813+
56814+config GRKERNSEC_SOCKET_CLIENT
56815+ bool "Deny client sockets to group"
56816+ depends on GRKERNSEC_SOCKET
56817+ help
56818+ If you say Y here, you will be able to choose a GID of whose users will
56819+ be unable to connect to other hosts from your machine, but will be
56820+ able to run servers. If this option is enabled, all users in the group
56821+ you specify will have to use passive mode when initiating ftp transfers
56822+ from the shell on your machine. If the sysctl option is enabled, a
56823+ sysctl option with name "socket_client" is created.
56824+
56825+config GRKERNSEC_SOCKET_CLIENT_GID
56826+ int "GID to deny client sockets for"
56827+ depends on GRKERNSEC_SOCKET_CLIENT
56828+ default 1003
56829+ help
56830+ Here you can choose the GID to disable client socket access for.
56831+ Remember to add the users you want client socket access disabled for to
56832+ the GID specified here. If the sysctl option is enabled, a sysctl
56833+ option with name "socket_client_gid" is created.
56834+
56835+config GRKERNSEC_SOCKET_SERVER
56836+ bool "Deny server sockets to group"
56837+ depends on GRKERNSEC_SOCKET
56838+ help
56839+ If you say Y here, you will be able to choose a GID of whose users will
56840+ be unable to run server applications from your machine. If the sysctl
56841+ option is enabled, a sysctl option with name "socket_server" is created.
56842+
56843+config GRKERNSEC_SOCKET_SERVER_GID
56844+ int "GID to deny server sockets for"
56845+ depends on GRKERNSEC_SOCKET_SERVER
56846+ default 1002
56847+ help
56848+ Here you can choose the GID to disable server socket access for.
56849+ Remember to add the users you want server socket access disabled for to
56850+ the GID specified here. If the sysctl option is enabled, a sysctl
56851+ option with name "socket_server_gid" is created.
56852+
56853+endmenu
56854+menu "Sysctl support"
56855+depends on GRKERNSEC && SYSCTL
56856+
56857+config GRKERNSEC_SYSCTL
56858+ bool "Sysctl support"
56859+ help
56860+ If you say Y here, you will be able to change the options that
56861+ grsecurity runs with at bootup, without having to recompile your
56862+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
56863+ to enable (1) or disable (0) various features. All the sysctl entries
56864+ are mutable until the "grsec_lock" entry is set to a non-zero value.
56865+ All features enabled in the kernel configuration are disabled at boot
56866+ if you do not say Y to the "Turn on features by default" option.
56867+ All options should be set at startup, and the grsec_lock entry should
56868+ be set to a non-zero value after all the options are set.
56869+ *THIS IS EXTREMELY IMPORTANT*
56870+
56871+config GRKERNSEC_SYSCTL_DISTRO
56872+ bool "Extra sysctl support for distro makers (READ HELP)"
56873+ depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
56874+ help
56875+ If you say Y here, additional sysctl options will be created
56876+ for features that affect processes running as root. Therefore,
56877+ it is critical when using this option that the grsec_lock entry be
56878+ enabled after boot. Only distros with prebuilt kernel packages
56879+ with this option enabled that can ensure grsec_lock is enabled
56880+ after boot should use this option.
56881+ *Failure to set grsec_lock after boot makes all grsec features
56882+ this option covers useless*
56883+
56884+ Currently this option creates the following sysctl entries:
56885+ "Disable Privileged I/O": "disable_priv_io"
56886+
56887+config GRKERNSEC_SYSCTL_ON
56888+ bool "Turn on features by default"
56889+ depends on GRKERNSEC_SYSCTL
56890+ help
56891+ If you say Y here, instead of having all features enabled in the
56892+ kernel configuration disabled at boot time, the features will be
56893+ enabled at boot time. It is recommended you say Y here unless
56894+ there is some reason you would want all sysctl-tunable features to
56895+ be disabled by default. As mentioned elsewhere, it is important
56896+ to enable the grsec_lock entry once you have finished modifying
56897+ the sysctl entries.
56898+
56899+endmenu
56900+menu "Logging Options"
56901+depends on GRKERNSEC
56902+
56903+config GRKERNSEC_FLOODTIME
56904+ int "Seconds in between log messages (minimum)"
56905+ default 10
56906+ help
56907+ This option allows you to enforce the number of seconds between
56908+ grsecurity log messages. The default should be suitable for most
56909+ people, however, if you choose to change it, choose a value small enough
56910+ to allow informative logs to be produced, but large enough to
56911+ prevent flooding.
56912+
56913+config GRKERNSEC_FLOODBURST
56914+ int "Number of messages in a burst (maximum)"
56915+ default 6
56916+ help
56917+ This option allows you to choose the maximum number of messages allowed
56918+ within the flood time interval you chose in a separate option. The
56919+ default should be suitable for most people, however if you find that
56920+ many of your logs are being interpreted as flooding, you may want to
56921+ raise this value.
56922+
56923+endmenu
56924+
56925+endmenu
56926diff -urNp linux-3.1.1/grsecurity/Makefile linux-3.1.1/grsecurity/Makefile
56927--- linux-3.1.1/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
56928+++ linux-3.1.1/grsecurity/Makefile 2011-11-16 18:40:31.000000000 -0500
56929@@ -0,0 +1,36 @@
56930+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
56931+# during 2001-2009 it has been completely redesigned by Brad Spengler
56932+# into an RBAC system
56933+#
56934+# All code in this directory and various hooks inserted throughout the kernel
56935+# are copyright Brad Spengler - Open Source Security, Inc., and released
56936+# under the GPL v2 or higher
56937+
56938+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
56939+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
56940+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
56941+
56942+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
56943+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
56944+ gracl_learn.o grsec_log.o
56945+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
56946+
56947+ifdef CONFIG_NET
56948+obj-y += grsec_sock.o
56949+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
56950+endif
56951+
56952+ifndef CONFIG_GRKERNSEC
56953+obj-y += grsec_disabled.o
56954+endif
56955+
56956+ifdef CONFIG_GRKERNSEC_HIDESYM
56957+extra-y := grsec_hidesym.o
56958+$(obj)/grsec_hidesym.o:
56959+ @-chmod -f 500 /boot
56960+ @-chmod -f 500 /lib/modules
56961+ @-chmod -f 500 /lib64/modules
56962+ @-chmod -f 500 /lib32/modules
56963+ @-chmod -f 700 .
56964+ @echo ' grsec: protected kernel image paths'
56965+endif
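Review bot: The `$(obj)/grsec_hidesym.o` recipe changes permissions on the build host's /boot, /lib/modules, /lib64/modules and /lib32/modules and on the build directory itself, and because every command carries the `@-` prefix a failed chmod is ignored while the ' grsec: protected kernel image paths' message is still printed. A build target that mutates host filesystem state outside the object tree is unexpected in a kernel Makefile and deserves a comment such as `# Build-time side effect: tightens permissions on the host's kernel image and module paths; chmod failures (cross-builds, non-root) are ignored.`; ideally the echo would only run when the chmod calls succeeded. Since the recipe never creates the file it is named after, make also appears to re-run it on every build.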
56966diff -urNp linux-3.1.1/include/acpi/acpi_bus.h linux-3.1.1/include/acpi/acpi_bus.h
56967--- linux-3.1.1/include/acpi/acpi_bus.h 2011-11-11 15:19:27.000000000 -0500
56968+++ linux-3.1.1/include/acpi/acpi_bus.h 2011-11-16 18:39:08.000000000 -0500
56969@@ -107,7 +107,7 @@ struct acpi_device_ops {
56970 acpi_op_bind bind;
56971 acpi_op_unbind unbind;
56972 acpi_op_notify notify;
56973-};
56974+} __no_const;
56975
56976 #define ACPI_DRIVER_ALL_NOTIFY_EVENTS 0x1 /* system AND device events */
56977
56978diff -urNp linux-3.1.1/include/asm-generic/atomic-long.h linux-3.1.1/include/asm-generic/atomic-long.h
56979--- linux-3.1.1/include/asm-generic/atomic-long.h 2011-11-11 15:19:27.000000000 -0500
56980+++ linux-3.1.1/include/asm-generic/atomic-long.h 2011-11-16 18:39:08.000000000 -0500
56981@@ -22,6 +22,12 @@
56982
56983 typedef atomic64_t atomic_long_t;
56984
56985+#ifdef CONFIG_PAX_REFCOUNT
56986+typedef atomic64_unchecked_t atomic_long_unchecked_t;
56987+#else
56988+typedef atomic64_t atomic_long_unchecked_t;
56989+#endif
56990+
56991 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
56992
56993 static inline long atomic_long_read(atomic_long_t *l)
56994@@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
56995 return (long)atomic64_read(v);
56996 }
56997
56998+#ifdef CONFIG_PAX_REFCOUNT
56999+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
57000+{
57001+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57002+
57003+ return (long)atomic64_read_unchecked(v);
57004+}
57005+#endif
57006+
57007 static inline void atomic_long_set(atomic_long_t *l, long i)
57008 {
57009 atomic64_t *v = (atomic64_t *)l;
57010@@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
57011 atomic64_set(v, i);
57012 }
57013
57014+#ifdef CONFIG_PAX_REFCOUNT
57015+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
57016+{
57017+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57018+
57019+ atomic64_set_unchecked(v, i);
57020+}
57021+#endif
57022+
57023 static inline void atomic_long_inc(atomic_long_t *l)
57024 {
57025 atomic64_t *v = (atomic64_t *)l;
57026@@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
57027 atomic64_inc(v);
57028 }
57029
57030+#ifdef CONFIG_PAX_REFCOUNT
57031+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
57032+{
57033+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57034+
57035+ atomic64_inc_unchecked(v);
57036+}
57037+#endif
57038+
57039 static inline void atomic_long_dec(atomic_long_t *l)
57040 {
57041 atomic64_t *v = (atomic64_t *)l;
57042@@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
57043 atomic64_dec(v);
57044 }
57045
57046+#ifdef CONFIG_PAX_REFCOUNT
57047+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
57048+{
57049+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57050+
57051+ atomic64_dec_unchecked(v);
57052+}
57053+#endif
57054+
57055 static inline void atomic_long_add(long i, atomic_long_t *l)
57056 {
57057 atomic64_t *v = (atomic64_t *)l;
57058@@ -59,6 +101,15 @@ static inline void atomic_long_add(long
57059 atomic64_add(i, v);
57060 }
57061
57062+#ifdef CONFIG_PAX_REFCOUNT
57063+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
57064+{
57065+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57066+
57067+ atomic64_add_unchecked(i, v);
57068+}
57069+#endif
57070+
57071 static inline void atomic_long_sub(long i, atomic_long_t *l)
57072 {
57073 atomic64_t *v = (atomic64_t *)l;
57074@@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
57075 atomic64_sub(i, v);
57076 }
57077
57078+#ifdef CONFIG_PAX_REFCOUNT
57079+static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
57080+{
57081+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57082+
57083+ atomic64_sub_unchecked(i, v);
57084+}
57085+#endif
57086+
57087 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
57088 {
57089 atomic64_t *v = (atomic64_t *)l;
57090@@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
57091 return (long)atomic64_inc_return(v);
57092 }
57093
57094+#ifdef CONFIG_PAX_REFCOUNT
57095+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
57096+{
57097+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
57098+
57099+ return (long)atomic64_inc_return_unchecked(v);
57100+}
57101+#endif
57102+
57103 static inline long atomic_long_dec_return(atomic_long_t *l)
57104 {
57105 atomic64_t *v = (atomic64_t *)l;
57106@@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
57107
57108 typedef atomic_t atomic_long_t;
57109
57110+#ifdef CONFIG_PAX_REFCOUNT
57111+typedef atomic_unchecked_t atomic_long_unchecked_t;
57112+#else
57113+typedef atomic_t atomic_long_unchecked_t;
57114+#endif
57115+
57116 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
57117 static inline long atomic_long_read(atomic_long_t *l)
57118 {
57119@@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
57120 return (long)atomic_read(v);
57121 }
57122
57123+#ifdef CONFIG_PAX_REFCOUNT
57124+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
57125+{
57126+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57127+
57128+ return (long)atomic_read_unchecked(v);
57129+}
57130+#endif
57131+
57132 static inline void atomic_long_set(atomic_long_t *l, long i)
57133 {
57134 atomic_t *v = (atomic_t *)l;
57135@@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
57136 atomic_set(v, i);
57137 }
57138
57139+#ifdef CONFIG_PAX_REFCOUNT
57140+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
57141+{
57142+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57143+
57144+ atomic_set_unchecked(v, i);
57145+}
57146+#endif
57147+
57148 static inline void atomic_long_inc(atomic_long_t *l)
57149 {
57150 atomic_t *v = (atomic_t *)l;
57151@@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
57152 atomic_inc(v);
57153 }
57154
57155+#ifdef CONFIG_PAX_REFCOUNT
57156+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
57157+{
57158+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57159+
57160+ atomic_inc_unchecked(v);
57161+}
57162+#endif
57163+
57164 static inline void atomic_long_dec(atomic_long_t *l)
57165 {
57166 atomic_t *v = (atomic_t *)l;
57167@@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
57168 atomic_dec(v);
57169 }
57170
57171+#ifdef CONFIG_PAX_REFCOUNT
57172+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
57173+{
57174+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57175+
57176+ atomic_dec_unchecked(v);
57177+}
57178+#endif
57179+
57180 static inline void atomic_long_add(long i, atomic_long_t *l)
57181 {
57182 atomic_t *v = (atomic_t *)l;
57183@@ -176,6 +287,15 @@ static inline void atomic_long_add(long
57184 atomic_add(i, v);
57185 }
57186
57187+#ifdef CONFIG_PAX_REFCOUNT
57188+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
57189+{
57190+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57191+
57192+ atomic_add_unchecked(i, v);
57193+}
57194+#endif
57195+
57196 static inline void atomic_long_sub(long i, atomic_long_t *l)
57197 {
57198 atomic_t *v = (atomic_t *)l;
57199@@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
57200 atomic_sub(i, v);
57201 }
57202
57203+#ifdef CONFIG_PAX_REFCOUNT
57204+static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
57205+{
57206+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57207+
57208+ atomic_sub_unchecked(i, v);
57209+}
57210+#endif
57211+
57212 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
57213 {
57214 atomic_t *v = (atomic_t *)l;
57215@@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
57216 return (long)atomic_inc_return(v);
57217 }
57218
57219+#ifdef CONFIG_PAX_REFCOUNT
57220+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
57221+{
57222+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
57223+
57224+ return (long)atomic_inc_return_unchecked(v);
57225+}
57226+#endif
57227+
57228 static inline long atomic_long_dec_return(atomic_long_t *l)
57229 {
57230 atomic_t *v = (atomic_t *)l;
57231@@ -255,4 +393,49 @@ static inline long atomic_long_add_unles
57232
57233 #endif /* BITS_PER_LONG == 64 */
57234
57235+#ifdef CONFIG_PAX_REFCOUNT
57236+static inline void pax_refcount_needs_these_functions(void)
57237+{
57238+ atomic_read_unchecked((atomic_unchecked_t *)NULL);
57239+ atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
57240+ atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
57241+ atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
57242+ atomic_inc_unchecked((atomic_unchecked_t *)NULL);
57243+ (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
57244+ atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
57245+ atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
57246+ atomic_dec_unchecked((atomic_unchecked_t *)NULL);
57247+ atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
57248+ (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
57249+
57250+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
57251+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
57252+ atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
57253+ atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
57254+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
57255+ atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
57256+ atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
57257+}
57258+#else
57259+#define atomic_read_unchecked(v) atomic_read(v)
57260+#define atomic_set_unchecked(v, i) atomic_set((v), (i))
57261+#define atomic_add_unchecked(i, v) atomic_add((i), (v))
57262+#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
57263+#define atomic_inc_unchecked(v) atomic_inc(v)
57264+#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
57265+#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
57266+#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
57267+#define atomic_dec_unchecked(v) atomic_dec(v)
57268+#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
57269+#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
57270+
57271+#define atomic_long_read_unchecked(v) atomic_long_read(v)
57272+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
57273+#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
57274+#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
57275+#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
57276+#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
57277+#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
57278+#endif
57279+
57280 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
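Review bot: `pax_refcount_needs_these_functions()` calls every `_unchecked` helper on a NULL pointer, so it would fault if it were ever executed, yet nothing in the hunk says that it reads as a compile-time presence check rather than callable code. Add a comment above it, e.g. `/* Never called: exists only so that a missing *_unchecked helper fails at compile time. */`, so nobody later wires it into init code. The `#else` fallback block should likewise state that without CONFIG_PAX_REFCOUNT the `_unchecked` names are plain aliases and carry no overflow detection.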
57281diff -urNp linux-3.1.1/include/asm-generic/cache.h linux-3.1.1/include/asm-generic/cache.h
57282--- linux-3.1.1/include/asm-generic/cache.h 2011-11-11 15:19:27.000000000 -0500
57283+++ linux-3.1.1/include/asm-generic/cache.h 2011-11-16 18:39:08.000000000 -0500
57284@@ -6,7 +6,7 @@
57285 * cache lines need to provide their own cache.h.
57286 */
57287
57288-#define L1_CACHE_SHIFT 5
57289-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
57290+#define L1_CACHE_SHIFT 5UL
57291+#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
57292
57293 #endif /* __ASM_GENERIC_CACHE_H */
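Review bot: The switch to `5UL`/`1UL` only affects the generic fallback; per the header comment directly above, architectures that provide their own cache.h keep whatever type they define there, so code elsewhere cannot portably assume `L1_CACHE_BYTES` is `unsigned long`. A one-line comment recording the intent, e.g. `/* UL so size arithmetic built on L1_CACHE_BYTES stays unsigned long */`, would make the purpose of the change visible to whoever next touches the arch headers.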
57294diff -urNp linux-3.1.1/include/asm-generic/int-l64.h linux-3.1.1/include/asm-generic/int-l64.h
57295--- linux-3.1.1/include/asm-generic/int-l64.h 2011-11-11 15:19:27.000000000 -0500
57296+++ linux-3.1.1/include/asm-generic/int-l64.h 2011-11-16 18:39:08.000000000 -0500
57297@@ -46,6 +46,8 @@ typedef unsigned int u32;
57298 typedef signed long s64;
57299 typedef unsigned long u64;
57300
57301+typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
57302+
57303 #define S8_C(x) x
57304 #define U8_C(x) x ## U
57305 #define S16_C(x) x
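Review bot: `intoverflow_t` is introduced with no comment on what it is for; with `mode(TI)` here and `unsigned long long` in the int-ll64.h hunk below it is in both cases twice the width of `unsigned long`, which suggests it is meant to hold a product of two `unsigned long` operands without wrapping, but that contract should be written down, e.g. `/* unsigned type twice the width of unsigned long; holds a*b of two unsigned longs without wrapping */`. `mode(TI)` also presumes a compiler with 128-bit integer support for the target, which holds for 64-bit GCC targets but is worth stating next to the typedef.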
57306diff -urNp linux-3.1.1/include/asm-generic/int-ll64.h linux-3.1.1/include/asm-generic/int-ll64.h
57307--- linux-3.1.1/include/asm-generic/int-ll64.h 2011-11-11 15:19:27.000000000 -0500
57308+++ linux-3.1.1/include/asm-generic/int-ll64.h 2011-11-16 18:39:08.000000000 -0500
57309@@ -51,6 +51,8 @@ typedef unsigned int u32;
57310 typedef signed long long s64;
57311 typedef unsigned long long u64;
57312
57313+typedef unsigned long long intoverflow_t;
57314+
57315 #define S8_C(x) x
57316 #define U8_C(x) x ## U
57317 #define S16_C(x) x
57318diff -urNp linux-3.1.1/include/asm-generic/kmap_types.h linux-3.1.1/include/asm-generic/kmap_types.h
57319--- linux-3.1.1/include/asm-generic/kmap_types.h 2011-11-11 15:19:27.000000000 -0500
57320+++ linux-3.1.1/include/asm-generic/kmap_types.h 2011-11-16 18:39:08.000000000 -0500
57321@@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
57322 KMAP_D(17) KM_NMI,
57323 KMAP_D(18) KM_NMI_PTE,
57324 KMAP_D(19) KM_KDB,
57325+KMAP_D(20) KM_CLEARPAGE,
57326 /*
57327 * Remember to update debug_kmap_atomic() when adding new kmap types!
57328 */
57329-KMAP_D(20) KM_TYPE_NR
57330+KMAP_D(21) KM_TYPE_NR
57331 };
57332
57333 #undef KMAP_D
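Review bot: The new `KM_CLEARPAGE` slot is inserted directly above the comment reminding to update `debug_kmap_atomic()` when adding kmap types, and this hunk does not touch that function; if the corresponding change is not elsewhere in the patch, the debug check will have a stale type table. Worth confirming, and the new line would benefit from a trailing comment naming the code path that uses it, as the other PaX additions in this patch generally do.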
57334diff -urNp linux-3.1.1/include/asm-generic/pgtable.h linux-3.1.1/include/asm-generic/pgtable.h
57335--- linux-3.1.1/include/asm-generic/pgtable.h 2011-11-11 15:19:27.000000000 -0500
57336+++ linux-3.1.1/include/asm-generic/pgtable.h 2011-11-16 18:39:08.000000000 -0500
57337@@ -443,6 +443,14 @@ static inline int pmd_write(pmd_t pmd)
57338 #endif /* __HAVE_ARCH_PMD_WRITE */
57339 #endif
57340
57341+#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
57342+static inline unsigned long pax_open_kernel(void) { return 0; }
57343+#endif
57344+
57345+#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
57346+static inline unsigned long pax_close_kernel(void) { return 0; }
57347+#endif
57348+
57349 #endif /* !__ASSEMBLY__ */
57350
57351 #endif /* _ASM_GENERIC_PGTABLE_H */
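Review bot: The default `pax_open_kernel()`/`pax_close_kernel()` stubs carry no documentation of the contract an architecture takes on when it defines `__HAVE_ARCH_PAX_OPEN_KERNEL`/`__HAVE_ARCH_PAX_CLOSE_KERNEL`: what the returned `unsigned long` means, whether the two calls must be paired, and that the generic versions are no-ops. A short comment block above the first `#ifndef` spelling this out would save every arch implementer from guessing; the return-value semantics in particular cannot be recovered from these two one-liners.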
57352diff -urNp linux-3.1.1/include/asm-generic/pgtable-nopmd.h linux-3.1.1/include/asm-generic/pgtable-nopmd.h
57353--- linux-3.1.1/include/asm-generic/pgtable-nopmd.h 2011-11-11 15:19:27.000000000 -0500
57354+++ linux-3.1.1/include/asm-generic/pgtable-nopmd.h 2011-11-16 18:39:08.000000000 -0500
57355@@ -1,14 +1,19 @@
57356 #ifndef _PGTABLE_NOPMD_H
57357 #define _PGTABLE_NOPMD_H
57358
57359-#ifndef __ASSEMBLY__
57360-
57361 #include <asm-generic/pgtable-nopud.h>
57362
57363-struct mm_struct;
57364-
57365 #define __PAGETABLE_PMD_FOLDED
57366
57367+#define PMD_SHIFT PUD_SHIFT
57368+#define PTRS_PER_PMD 1
57369+#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
57370+#define PMD_MASK (~(PMD_SIZE-1))
57371+
57372+#ifndef __ASSEMBLY__
57373+
57374+struct mm_struct;
57375+
57376 /*
57377 * Having the pmd type consist of a pud gets the size right, and allows
57378 * us to conceptually access the pud entry that this pmd is folded into
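Review bot: The relocated `PMD_SIZE` definition now uses `_AC(1,UL)`, which comes from <linux/const.h>, but this header only includes <asm-generic/pgtable-nopud.h> and nothing in the hunk adds that include; unless it is already reached transitively, the macro is undefined in exactly the `__ASSEMBLY__` case the defines were moved up to serve. Add `#include <linux/const.h>` beside the existing include, or confirm the transitive path. The same applies to `PUD_SIZE` in the pgtable-nopud.h hunk below.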
57379@@ -16,11 +21,6 @@ struct mm_struct;
57380 */
57381 typedef struct { pud_t pud; } pmd_t;
57382
57383-#define PMD_SHIFT PUD_SHIFT
57384-#define PTRS_PER_PMD 1
57385-#define PMD_SIZE (1UL << PMD_SHIFT)
57386-#define PMD_MASK (~(PMD_SIZE-1))
57387-
57388 /*
57389 * The "pud_xxx()" functions here are trivial for a folded two-level
57390 * setup: the pmd is never bad, and a pmd always exists (as it's folded
57391diff -urNp linux-3.1.1/include/asm-generic/pgtable-nopud.h linux-3.1.1/include/asm-generic/pgtable-nopud.h
57392--- linux-3.1.1/include/asm-generic/pgtable-nopud.h 2011-11-11 15:19:27.000000000 -0500
57393+++ linux-3.1.1/include/asm-generic/pgtable-nopud.h 2011-11-16 18:39:08.000000000 -0500
57394@@ -1,10 +1,15 @@
57395 #ifndef _PGTABLE_NOPUD_H
57396 #define _PGTABLE_NOPUD_H
57397
57398-#ifndef __ASSEMBLY__
57399-
57400 #define __PAGETABLE_PUD_FOLDED
57401
57402+#define PUD_SHIFT PGDIR_SHIFT
57403+#define PTRS_PER_PUD 1
57404+#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
57405+#define PUD_MASK (~(PUD_SIZE-1))
57406+
57407+#ifndef __ASSEMBLY__
57408+
57409 /*
57410 * Having the pud type consist of a pgd gets the size right, and allows
57411 * us to conceptually access the pgd entry that this pud is folded into
57412@@ -12,11 +17,6 @@
57413 */
57414 typedef struct { pgd_t pgd; } pud_t;
57415
57416-#define PUD_SHIFT PGDIR_SHIFT
57417-#define PTRS_PER_PUD 1
57418-#define PUD_SIZE (1UL << PUD_SHIFT)
57419-#define PUD_MASK (~(PUD_SIZE-1))
57420-
57421 /*
57422 * The "pgd_xxx()" functions here are trivial for a folded two-level
57423 * setup: the pud is never bad, and a pud always exists (as it's folded
57424diff -urNp linux-3.1.1/include/asm-generic/vmlinux.lds.h linux-3.1.1/include/asm-generic/vmlinux.lds.h
57425--- linux-3.1.1/include/asm-generic/vmlinux.lds.h 2011-11-11 15:19:27.000000000 -0500
57426+++ linux-3.1.1/include/asm-generic/vmlinux.lds.h 2011-11-16 18:39:08.000000000 -0500
57427@@ -217,6 +217,7 @@
57428 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
57429 VMLINUX_SYMBOL(__start_rodata) = .; \
57430 *(.rodata) *(.rodata.*) \
57431+ *(.data..read_only) \
57432 *(__vermagic) /* Kernel version magic */ \
57433 . = ALIGN(8); \
57434 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
57435@@ -723,17 +724,18 @@
57436 * section in the linker script will go there too. @phdr should have
57437 * a leading colon.
57438 *
57439- * Note that this macros defines __per_cpu_load as an absolute symbol.
57440+ * Note that this macros defines per_cpu_load as an absolute symbol.
57441 * If there is no need to put the percpu section at a predetermined
57442 * address, use PERCPU_SECTION.
57443 */
57444 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
57445- VMLINUX_SYMBOL(__per_cpu_load) = .; \
57446- .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
57447+ per_cpu_load = .; \
57448+ .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
57449 - LOAD_OFFSET) { \
57450+ VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
57451 PERCPU_INPUT(cacheline) \
57452 } phdr \
57453- . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
57454+ . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
57455
57456 /**
57457 * PERCPU_SECTION - define output section for percpu area, simple version
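Review bot: `per_cpu_load` is defined as a bare linker symbol (`per_cpu_load = .;`) but referenced through `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the final `. =` assignment; on any architecture whose `VMLINUX_SYMBOL()` adds a symbol prefix, the definition and the references name different symbols and the link fails. Either define it as `VMLINUX_SYMBOL(per_cpu_load) = .;` or reference it bare in both places. The edited comment line above also keeps the pre-existing "this macros" typo.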
57458diff -urNp linux-3.1.1/include/drm/drm_crtc_helper.h linux-3.1.1/include/drm/drm_crtc_helper.h
57459--- linux-3.1.1/include/drm/drm_crtc_helper.h 2011-11-11 15:19:27.000000000 -0500
57460+++ linux-3.1.1/include/drm/drm_crtc_helper.h 2011-11-16 18:39:08.000000000 -0500
57461@@ -74,7 +74,7 @@ struct drm_crtc_helper_funcs {
57462
57463 /* disable crtc when not in use - more explicit than dpms off */
57464 void (*disable)(struct drm_crtc *crtc);
57465-};
57466+} __no_const;
57467
57468 struct drm_encoder_helper_funcs {
57469 void (*dpms)(struct drm_encoder *encoder, int mode);
57470@@ -95,7 +95,7 @@ struct drm_encoder_helper_funcs {
57471 struct drm_connector *connector);
57472 /* disable encoder when not in use - more explicit than dpms off */
57473 void (*disable)(struct drm_encoder *encoder);
57474-};
57475+} __no_const;
57476
57477 struct drm_connector_helper_funcs {
57478 int (*get_modes)(struct drm_connector *connector);
57479diff -urNp linux-3.1.1/include/drm/drmP.h linux-3.1.1/include/drm/drmP.h
57480--- linux-3.1.1/include/drm/drmP.h 2011-11-11 15:19:27.000000000 -0500
57481+++ linux-3.1.1/include/drm/drmP.h 2011-11-16 18:39:08.000000000 -0500
57482@@ -73,6 +73,7 @@
57483 #include <linux/workqueue.h>
57484 #include <linux/poll.h>
57485 #include <asm/pgalloc.h>
57486+#include <asm/local.h>
57487 #include "drm.h"
57488
57489 #include <linux/idr.h>
57490@@ -1035,7 +1036,7 @@ struct drm_device {
57491
57492 /** \name Usage Counters */
57493 /*@{ */
57494- int open_count; /**< Outstanding files open */
57495+ local_t open_count; /**< Outstanding files open */
57496 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
57497 atomic_t vma_count; /**< Outstanding vma areas open */
57498 int buf_use; /**< Buffers in use -- cannot alloc */
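Review bot: Changing `open_count` from `int` to `local_t` only makes it safe against interrupts on the same CPU, not against concurrent updates from different CPUs, and `drm_device` is shared by every process that opens the device. If the field is still serialized by a mutex (as the mainline code does) a comment should say that is why `local_t` suffices here; if it is not, an `atomic_t` would be the appropriate type. The doc comment `/**< Outstanding files open */` is a natural place to record that constraint.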
57499@@ -1046,7 +1047,7 @@ struct drm_device {
57500 /*@{ */
57501 unsigned long counters;
57502 enum drm_stat_type types[15];
57503- atomic_t counts[15];
57504+ atomic_unchecked_t counts[15];
57505 /*@} */
57506
57507 struct list_head filelist;
57508diff -urNp linux-3.1.1/include/drm/ttm/ttm_memory.h linux-3.1.1/include/drm/ttm/ttm_memory.h
57509--- linux-3.1.1/include/drm/ttm/ttm_memory.h 2011-11-11 15:19:27.000000000 -0500
57510+++ linux-3.1.1/include/drm/ttm/ttm_memory.h 2011-11-16 18:39:08.000000000 -0500
57511@@ -47,7 +47,7 @@
57512
57513 struct ttm_mem_shrink {
57514 int (*do_shrink) (struct ttm_mem_shrink *);
57515-};
57516+} __no_const;
57517
57518 /**
57519 * struct ttm_mem_global - Global memory accounting structure.
57520diff -urNp linux-3.1.1/include/linux/a.out.h linux-3.1.1/include/linux/a.out.h
57521--- linux-3.1.1/include/linux/a.out.h 2011-11-11 15:19:27.000000000 -0500
57522+++ linux-3.1.1/include/linux/a.out.h 2011-11-16 18:39:08.000000000 -0500
57523@@ -39,6 +39,14 @@ enum machine_type {
57524 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
57525 };
57526
57527+/* Constants for the N_FLAGS field */
57528+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
57529+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
57530+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
57531+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
57532+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
57533+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
57534+
57535 #if !defined (N_MAGIC)
57536 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
57537 #endif
57538diff -urNp linux-3.1.1/include/linux/atmdev.h linux-3.1.1/include/linux/atmdev.h
57539--- linux-3.1.1/include/linux/atmdev.h 2011-11-11 15:19:27.000000000 -0500
57540+++ linux-3.1.1/include/linux/atmdev.h 2011-11-16 18:39:08.000000000 -0500
57541@@ -237,7 +237,7 @@ struct compat_atm_iobuf {
57542 #endif
57543
57544 struct k_atm_aal_stats {
57545-#define __HANDLE_ITEM(i) atomic_t i
57546+#define __HANDLE_ITEM(i) atomic_unchecked_t i
57547 __AAL_STAT_ITEMS
57548 #undef __HANDLE_ITEM
57549 };
57550diff -urNp linux-3.1.1/include/linux/binfmts.h linux-3.1.1/include/linux/binfmts.h
57551--- linux-3.1.1/include/linux/binfmts.h 2011-11-11 15:19:27.000000000 -0500
57552+++ linux-3.1.1/include/linux/binfmts.h 2011-11-16 18:39:08.000000000 -0500
57553@@ -88,6 +88,7 @@ struct linux_binfmt {
57554 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
57555 int (*load_shlib)(struct file *);
57556 int (*core_dump)(struct coredump_params *cprm);
57557+ void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
57558 unsigned long min_coredump; /* minimal dump size */
57559 };
57560
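Review bot: The new `handle_mprotect` callback in `struct linux_binfmt` has no comment, unlike `min_coredump` beside it; binfmt implementations that do not set it leave it NULL (static initializers zero the field), so every caller must test for NULL and the field should say when it is invoked and what `newflags` carries. Suggest `void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags); /* optional; called on mprotect() of a vma, may be NULL */`, adjusting the wording to whatever the call site actually guarantees, which I cannot see from this hunk.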
57561diff -urNp linux-3.1.1/include/linux/blkdev.h linux-3.1.1/include/linux/blkdev.h
57562--- linux-3.1.1/include/linux/blkdev.h 2011-11-11 15:19:27.000000000 -0500
57563+++ linux-3.1.1/include/linux/blkdev.h 2011-11-16 18:39:08.000000000 -0500
57564@@ -1321,7 +1321,7 @@ struct block_device_operations {
57565 /* this callback is with swap_lock and sometimes page table lock held */
57566 void (*swap_slot_free_notify) (struct block_device *, unsigned long);
57567 struct module *owner;
57568-};
57569+} __do_const;
57570
57571 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
57572 unsigned long);
57573diff -urNp linux-3.1.1/include/linux/blktrace_api.h linux-3.1.1/include/linux/blktrace_api.h
57574--- linux-3.1.1/include/linux/blktrace_api.h 2011-11-11 15:19:27.000000000 -0500
57575+++ linux-3.1.1/include/linux/blktrace_api.h 2011-11-16 18:39:08.000000000 -0500
57576@@ -162,7 +162,7 @@ struct blk_trace {
57577 struct dentry *dir;
57578 struct dentry *dropped_file;
57579 struct dentry *msg_file;
57580- atomic_t dropped;
57581+ atomic_unchecked_t dropped;
57582 };
57583
57584 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
57585diff -urNp linux-3.1.1/include/linux/byteorder/little_endian.h linux-3.1.1/include/linux/byteorder/little_endian.h
57586--- linux-3.1.1/include/linux/byteorder/little_endian.h 2011-11-11 15:19:27.000000000 -0500
57587+++ linux-3.1.1/include/linux/byteorder/little_endian.h 2011-11-16 18:39:08.000000000 -0500
57588@@ -42,51 +42,51 @@
57589
57590 static inline __le64 __cpu_to_le64p(const __u64 *p)
57591 {
57592- return (__force __le64)*p;
57593+ return (__force const __le64)*p;
57594 }
57595 static inline __u64 __le64_to_cpup(const __le64 *p)
57596 {
57597- return (__force __u64)*p;
57598+ return (__force const __u64)*p;
57599 }
57600 static inline __le32 __cpu_to_le32p(const __u32 *p)
57601 {
57602- return (__force __le32)*p;
57603+ return (__force const __le32)*p;
57604 }
57605 static inline __u32 __le32_to_cpup(const __le32 *p)
57606 {
57607- return (__force __u32)*p;
57608+ return (__force const __u32)*p;
57609 }
57610 static inline __le16 __cpu_to_le16p(const __u16 *p)
57611 {
57612- return (__force __le16)*p;
57613+ return (__force const __le16)*p;
57614 }
57615 static inline __u16 __le16_to_cpup(const __le16 *p)
57616 {
57617- return (__force __u16)*p;
57618+ return (__force const __u16)*p;
57619 }
57620 static inline __be64 __cpu_to_be64p(const __u64 *p)
57621 {
57622- return (__force __be64)__swab64p(p);
57623+ return (__force const __be64)__swab64p(p);
57624 }
57625 static inline __u64 __be64_to_cpup(const __be64 *p)
57626 {
57627- return __swab64p((__u64 *)p);
57628+ return __swab64p((const __u64 *)p);
57629 }
57630 static inline __be32 __cpu_to_be32p(const __u32 *p)
57631 {
57632- return (__force __be32)__swab32p(p);
57633+ return (__force const __be32)__swab32p(p);
57634 }
57635 static inline __u32 __be32_to_cpup(const __be32 *p)
57636 {
57637- return __swab32p((__u32 *)p);
57638+ return __swab32p((const __u32 *)p);
57639 }
57640 static inline __be16 __cpu_to_be16p(const __u16 *p)
57641 {
57642- return (__force __be16)__swab16p(p);
57643+ return (__force const __be16)__swab16p(p);
57644 }
57645 static inline __u16 __be16_to_cpup(const __be16 *p)
57646 {
57647- return __swab16p((__u16 *)p);
57648+ return __swab16p((const __u16 *)p);
57649 }
57650 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
57651 #define __le64_to_cpus(x) do { (void)(x); } while (0)
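Review bot: Adding `const` to the scalar casts such as `(__force const __le64)*p` has no effect — a cast yields an rvalue and C drops qualifiers from the cast result type (C11 6.5.4) — so nine of the twelve edited lines are no-ops. The only substantive changes are the three `__swab*p((const __u* *)p)` pointer casts, which stop discarding the caller's `const` and rely on `__swab64p()` and friends accepting a const pointer (mainline's prototypes do). I would drop the scalar-cast edits, or add a one-line comment explaining which checker the qualifier is there to satisfy.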
57652diff -urNp linux-3.1.1/include/linux/cache.h linux-3.1.1/include/linux/cache.h
57653--- linux-3.1.1/include/linux/cache.h 2011-11-11 15:19:27.000000000 -0500
57654+++ linux-3.1.1/include/linux/cache.h 2011-11-16 18:39:08.000000000 -0500
57655@@ -16,6 +16,10 @@
57656 #define __read_mostly
57657 #endif
57658
57659+#ifndef __read_only
57660+#define __read_only __read_mostly
57661+#endif
57662+
57663 #ifndef ____cacheline_aligned
57664 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
57665 #endif
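Review bot: The `__read_only` fallback to `__read_mostly` silently degrades the annotation: when no architecture or plugin defines `__read_only`, data marked with it stays writable and is merely placed in the read-mostly section. A comment at the `#ifndef` should make that explicit, e.g. `/* fallback: no write protection, only read-mostly placement */`, so that code relying on the annotation for hardening is not misled by the name.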
57666diff -urNp linux-3.1.1/include/linux/capability.h linux-3.1.1/include/linux/capability.h
57667--- linux-3.1.1/include/linux/capability.h 2011-11-11 15:19:27.000000000 -0500
57668+++ linux-3.1.1/include/linux/capability.h 2011-11-16 18:40:31.000000000 -0500
57669@@ -547,6 +547,9 @@ extern bool capable(int cap);
57670 extern bool ns_capable(struct user_namespace *ns, int cap);
57671 extern bool task_ns_capable(struct task_struct *t, int cap);
57672 extern bool nsown_capable(int cap);
57673+extern bool task_ns_capable_nolog(struct task_struct *t, int cap);
57674+extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
57675+extern bool capable_nolog(int cap);
57676
57677 /* audit system wants to get cap info from files as well */
57678 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
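Review bot: The three new `*_nolog` prototypes are undocumented, and the suffix is the only hint of how they differ from `capable()`, `ns_capable()` and `task_ns_capable()` declared directly above. A one-line comment stating what they skip (presumably the grsecurity log record for a denied check) and when a caller is expected to use them instead of the logging variants would prevent the silent forms from being picked by default.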
57679diff -urNp linux-3.1.1/include/linux/cleancache.h linux-3.1.1/include/linux/cleancache.h
57680--- linux-3.1.1/include/linux/cleancache.h 2011-11-11 15:19:27.000000000 -0500
57681+++ linux-3.1.1/include/linux/cleancache.h 2011-11-16 18:39:08.000000000 -0500
57682@@ -31,7 +31,7 @@ struct cleancache_ops {
57683 void (*flush_page)(int, struct cleancache_filekey, pgoff_t);
57684 void (*flush_inode)(int, struct cleancache_filekey);
57685 void (*flush_fs)(int);
57686-};
57687+} __no_const;
57688
57689 extern struct cleancache_ops
57690 cleancache_register_ops(struct cleancache_ops *ops);
57691diff -urNp linux-3.1.1/include/linux/compiler-gcc4.h linux-3.1.1/include/linux/compiler-gcc4.h
57692--- linux-3.1.1/include/linux/compiler-gcc4.h 2011-11-11 15:19:27.000000000 -0500
57693+++ linux-3.1.1/include/linux/compiler-gcc4.h 2011-11-16 18:39:08.000000000 -0500
57694@@ -31,6 +31,12 @@
57695
57696
57697 #if __GNUC_MINOR__ >= 5
57698+
57699+#ifdef CONSTIFY_PLUGIN
57700+#define __no_const __attribute__((no_const))
57701+#define __do_const __attribute__((do_const))
57702+#endif
57703+
57704 /*
57705 * Mark a position in code as unreachable. This can be used to
57706 * suppress control flow warnings after asm blocks that transfer
57707@@ -46,6 +52,11 @@
57708 #define __noclone __attribute__((__noclone__))
57709
57710 #endif
57711+
57712+#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
57713+#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
57714+#define __bos0(ptr) __bos((ptr), 0)
57715+#define __bos1(ptr) __bos((ptr), 1)
57716 #endif
57717
57718 #if __GNUC_MINOR__ > 0
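Review bot: `__alloc_size` is written with `__attribute(...)` while every other macro in this file, including the `__no_const`/`__do_const` lines added in the hunk above, uses `__attribute__(...)`; GCC accepts both spellings, but the short form is inconsistent and reads like a typo. Change it to `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))`; following the file's convention the attribute name itself could also be spelled `__alloc_size__`.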
57719diff -urNp linux-3.1.1/include/linux/compiler.h linux-3.1.1/include/linux/compiler.h
57720--- linux-3.1.1/include/linux/compiler.h 2011-11-11 15:19:27.000000000 -0500
57721+++ linux-3.1.1/include/linux/compiler.h 2011-11-16 18:39:08.000000000 -0500
57722@@ -5,31 +5,62 @@
57723
57724 #ifdef __CHECKER__
57725 # define __user __attribute__((noderef, address_space(1)))
57726+# define __force_user __force __user
57727 # define __kernel __attribute__((address_space(0)))
57728+# define __force_kernel __force __kernel
57729 # define __safe __attribute__((safe))
57730 # define __force __attribute__((force))
57731 # define __nocast __attribute__((nocast))
57732 # define __iomem __attribute__((noderef, address_space(2)))
57733+# define __force_iomem __force __iomem
57734 # define __acquires(x) __attribute__((context(x,0,1)))
57735 # define __releases(x) __attribute__((context(x,1,0)))
57736 # define __acquire(x) __context__(x,1)
57737 # define __release(x) __context__(x,-1)
57738 # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
57739 # define __percpu __attribute__((noderef, address_space(3)))
57740+# define __force_percpu __force __percpu
57741 #ifdef CONFIG_SPARSE_RCU_POINTER
57742 # define __rcu __attribute__((noderef, address_space(4)))
57743+# define __force_rcu __force __rcu
57744 #else
57745 # define __rcu
57746+# define __force_rcu
57747 #endif
57748 extern void __chk_user_ptr(const volatile void __user *);
57749 extern void __chk_io_ptr(const volatile void __iomem *);
57750+#elif defined(CHECKER_PLUGIN)
57751+//# define __user
57752+//# define __force_user
57753+//# define __kernel
57754+//# define __force_kernel
57755+# define __safe
57756+# define __force
57757+# define __nocast
57758+# define __iomem
57759+# define __force_iomem
57760+# define __chk_user_ptr(x) (void)0
57761+# define __chk_io_ptr(x) (void)0
57762+# define __builtin_warning(x, y...) (1)
57763+# define __acquires(x)
57764+# define __releases(x)
57765+# define __acquire(x) (void)0
57766+# define __release(x) (void)0
57767+# define __cond_lock(x,c) (c)
57768+# define __percpu
57769+# define __force_percpu
57770+# define __rcu
57771+# define __force_rcu
57772 #else
57773 # define __user
57774+# define __force_user
57775 # define __kernel
57776+# define __force_kernel
57777 # define __safe
57778 # define __force
57779 # define __nocast
57780 # define __iomem
57781+# define __force_iomem
57782 # define __chk_user_ptr(x) (void)0
57783 # define __chk_io_ptr(x) (void)0
57784 # define __builtin_warning(x, y...) (1)
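Review bot: The `#elif defined(CHECKER_PLUGIN)` branch leaves `__user`, `__kernel`, `__force_user` and `__force_kernel` as commented-out `//# define` lines, so under the plugin those four annotations are only usable if something else defines them, and a reader cannot tell whether that is intended. Commented-out directives should either be deleted or replaced by a comment stating where the definitions come from, e.g. `/* __user/__kernel/__force_user/__force_kernel are supplied by the checker plugin itself */` — hedged, since the plugin is not on this page. The `__force_*` aliases are otherwise consistent across the three branches; `__force_user` and `__force_kernel` are the only ones without a fallback in the plugin branch.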
57785@@ -39,7 +70,9 @@ extern void __chk_io_ptr(const volatile
57786 # define __release(x) (void)0
57787 # define __cond_lock(x,c) (c)
57788 # define __percpu
57789+# define __force_percpu
57790 # define __rcu
57791+# define __force_rcu
57792 #endif
57793
57794 #ifdef __KERNEL__
57795@@ -264,6 +297,14 @@ void ftrace_likely_update(struct ftrace_
57796 # define __attribute_const__ /* unimplemented */
57797 #endif
57798
57799+#ifndef __no_const
57800+# define __no_const
57801+#endif
57802+
57803+#ifndef __do_const
57804+# define __do_const
57805+#endif
57806+
57807 /*
57808 * Tell gcc if a function is cold. The compiler will assume any path
57809 * directly leading to the call is unlikely.
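Review bot: `__no_const` and `__do_const` are introduced with no comment saying what they mean, and later hunks of this patch apply them to structs (`} __do_const;` on dma_map_ops and file_operations, `} __no_const;` on the crypto tfm structs) without explaining the difference. A short comment above the fallbacks would make the header self-describing, e.g. `/* constification annotations: __do_const marks a struct whose instances are meant to be treated as read-only, __no_const exempts one that must stay writable; both expand to nothing unless a plugin defines them */` — the plugin is not on this page, so the wording should be confirmed against it. The same applies to the `__alloc_size`, `__bos`, `__bos0` and `__bos1` fallbacks in the next hunk (`@@ -273,6 +314,22 @@`), where a one-line note tying them to the object-size builtins they presumably wrap would help.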
57810@@ -273,6 +314,22 @@ void ftrace_likely_update(struct ftrace_
57811 #define __cold
57812 #endif
57813
57814+#ifndef __alloc_size
57815+#define __alloc_size(...)
57816+#endif
57817+
57818+#ifndef __bos
57819+#define __bos(ptr, arg)
57820+#endif
57821+
57822+#ifndef __bos0
57823+#define __bos0(ptr)
57824+#endif
57825+
57826+#ifndef __bos1
57827+#define __bos1(ptr)
57828+#endif
57829+
57830 /* Simple shorthand for a section definition */
57831 #ifndef __section
57832 # define __section(S) __attribute__ ((__section__(#S)))
57833@@ -306,6 +363,7 @@ void ftrace_likely_update(struct ftrace_
57834 * use is to mediate communication between process-level code and irq/NMI
57835 * handlers, all running on the same CPU.
57836 */
57837-#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
57838+#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
57839+#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
57840
57841 #endif /* __LINUX_COMPILER_H */
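Review bot: Making `ACCESS_ONCE()` yield a `const` lvalue changes the contract for every existing caller that writes through it, yet the explanatory comment ending just above the macro (`handlers, all running on the same CPU.`) is left unchanged and never mentions the new `ACCESS_ONCE_RW()`. A missed store site now fails to compile rather than misbehaving, which is the safer failure mode, but the comment should say so: `/* ACCESS_ONCE() is read-only; use ACCESS_ONCE_RW() for stores through the volatile access. */`. The cpuset.h hunk below (`--ACCESS_ONCE_RW(current->mems_allowed_change_disable)`) is one such converted store.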
57842diff -urNp linux-3.1.1/include/linux/cpuset.h linux-3.1.1/include/linux/cpuset.h
57843--- linux-3.1.1/include/linux/cpuset.h 2011-11-11 15:19:27.000000000 -0500
57844+++ linux-3.1.1/include/linux/cpuset.h 2011-11-16 18:39:08.000000000 -0500
57845@@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
57846 * nodemask.
57847 */
57848 smp_mb();
57849- --ACCESS_ONCE(current->mems_allowed_change_disable);
57850+ --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
57851 }
57852
57853 static inline void set_mems_allowed(nodemask_t nodemask)
57854diff -urNp linux-3.1.1/include/linux/crypto.h linux-3.1.1/include/linux/crypto.h
57855--- linux-3.1.1/include/linux/crypto.h 2011-11-11 15:19:27.000000000 -0500
57856+++ linux-3.1.1/include/linux/crypto.h 2011-11-16 18:39:08.000000000 -0500
57857@@ -361,7 +361,7 @@ struct cipher_tfm {
57858 const u8 *key, unsigned int keylen);
57859 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
57860 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
57861-};
57862+} __no_const;
57863
57864 struct hash_tfm {
57865 int (*init)(struct hash_desc *desc);
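Review bot: `struct hash_tfm`, whose opening line is visible at the bottom of the hunk (`int (*init)(struct hash_desc *desc);`), has the same function-pointer-table shape as the three structs that receive `} __no_const;` in this file, but its closing brace is outside the hunk, so this excerpt cannot show whether it was annotated too. If it was intentionally skipped, a one-line comment on it would stop the next reader from asking the same question. The three annotated structs are consistent with each other.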
57866@@ -382,13 +382,13 @@ struct compress_tfm {
57867 int (*cot_decompress)(struct crypto_tfm *tfm,
57868 const u8 *src, unsigned int slen,
57869 u8 *dst, unsigned int *dlen);
57870-};
57871+} __no_const;
57872
57873 struct rng_tfm {
57874 int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
57875 unsigned int dlen);
57876 int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
57877-};
57878+} __no_const;
57879
57880 #define crt_ablkcipher crt_u.ablkcipher
57881 #define crt_aead crt_u.aead
57882diff -urNp linux-3.1.1/include/linux/decompress/mm.h linux-3.1.1/include/linux/decompress/mm.h
57883--- linux-3.1.1/include/linux/decompress/mm.h 2011-11-11 15:19:27.000000000 -0500
57884+++ linux-3.1.1/include/linux/decompress/mm.h 2011-11-16 18:39:08.000000000 -0500
57885@@ -77,7 +77,7 @@ static void free(void *where)
57886 * warnings when not needed (indeed large_malloc / large_free are not
57887 * needed by inflate */
57888
57889-#define malloc(a) kmalloc(a, GFP_KERNEL)
57890+#define malloc(a) kmalloc((a), GFP_KERNEL)
57891 #define free(a) kfree(a)
57892
57893 #define large_malloc(a) vmalloc(a)
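Review bot: The parenthesisation is applied to `malloc(a)` only, while the adjacent `#define free(a) kfree(a)` and `#define large_malloc(a) vmalloc(a)` keep the bare argument, which is inconsistent within the same block of macros. Since the argument is passed as a single function parameter in every case, the extra parentheses change nothing unless `a` contains a top-level comma, so either all three should get them or none: `#define free(a) kfree((a))`. A purely cosmetic point.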
57894diff -urNp linux-3.1.1/include/linux/dma-mapping.h linux-3.1.1/include/linux/dma-mapping.h
57895--- linux-3.1.1/include/linux/dma-mapping.h 2011-11-11 15:19:27.000000000 -0500
57896+++ linux-3.1.1/include/linux/dma-mapping.h 2011-11-16 18:39:08.000000000 -0500
57897@@ -42,7 +42,7 @@ struct dma_map_ops {
57898 int (*dma_supported)(struct device *dev, u64 mask);
57899 int (*set_dma_mask)(struct device *dev, u64 mask);
57900 int is_phys;
57901-};
57902+} __do_const;
57903
57904 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
57905
57906diff -urNp linux-3.1.1/include/linux/efi.h linux-3.1.1/include/linux/efi.h
57907--- linux-3.1.1/include/linux/efi.h 2011-11-11 15:19:27.000000000 -0500
57908+++ linux-3.1.1/include/linux/efi.h 2011-11-16 18:39:08.000000000 -0500
57909@@ -446,7 +446,7 @@ struct efivar_operations {
57910 efi_get_variable_t *get_variable;
57911 efi_get_next_variable_t *get_next_variable;
57912 efi_set_variable_t *set_variable;
57913-};
57914+} __no_const;
57915
57916 struct efivars {
57917 /*
57918diff -urNp linux-3.1.1/include/linux/elf.h linux-3.1.1/include/linux/elf.h
57919--- linux-3.1.1/include/linux/elf.h 2011-11-11 15:19:27.000000000 -0500
57920+++ linux-3.1.1/include/linux/elf.h 2011-11-16 18:39:08.000000000 -0500
57921@@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
57922 #define PT_GNU_EH_FRAME 0x6474e550
57923
57924 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
57925+#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
57926+
57927+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
57928+
57929+/* Constants for the e_flags field */
57930+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
57931+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
57932+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
57933+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
57934+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
57935+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
57936
57937 /*
57938 * Extended Numbering
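Review bot: The commented-out `/*#define EF_PAX_RANDEXEC 16*/` leaves the meaning of bit 16 to guesswork; a reserved bit is better expressed as a comment than as dead preprocessor text, e.g. `/* bit 16 (EF_PAX_RANDEXEC) is presumably retired; keep it unused */`. The same pattern recurs in the third hunk of this file (`/*#define PF_RANDEXEC (1U << 10)*/` and `/*#define PF_NORANDEXEC (1U << 11)*/`). `PT_PAX_FLAGS` also deserves a one-line comment relating it to the `PF_*` bits that later hunk defines, since the two halves of the same mechanism end up far apart in the header.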
57939@@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
57940 #define DT_DEBUG 21
57941 #define DT_TEXTREL 22
57942 #define DT_JMPREL 23
57943+#define DT_FLAGS 30
57944+ #define DF_TEXTREL 0x00000004
57945 #define DT_ENCODING 32
57946 #define OLD_DT_LOOS 0x60000000
57947 #define DT_LOOS 0x6000000d
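Review bot: The added `DF_TEXTREL` line carries a leading space before `#define`, unlike every other directive in the header, which reads like an accident; `#define DF_TEXTREL 0x00000004` flush with the margin matches the surrounding `DT_*` lines. If the indentation was meant to show that DF_TEXTREL is a bit value for the DT_FLAGS entry rather than a tag, a comment says that more clearly than whitespace: `/* bit values for the DT_FLAGS entry */`.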
57948@@ -252,6 +265,19 @@ typedef struct elf64_hdr {
57949 #define PF_W 0x2
57950 #define PF_X 0x1
57951
57952+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
57953+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
57954+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
57955+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
57956+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
57957+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
57958+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
57959+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
57960+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
57961+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
57962+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
57963+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
57964+
57965 typedef struct elf32_phdr{
57966 Elf32_Word p_type;
57967 Elf32_Off p_offset;
57968@@ -344,6 +370,8 @@ typedef struct elf64_shdr {
57969 #define EI_OSABI 7
57970 #define EI_PAD 8
57971
57972+#define EI_PAX 14
57973+
57974 #define ELFMAG0 0x7f /* EI_MAG */
57975 #define ELFMAG1 'E'
57976 #define ELFMAG2 'L'
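Review bot: `EI_PAX 14` is introduced without a comment, and nothing here says what the byte at that `e_ident[]` index holds or why index 14 was chosen. It sits after `EI_PAD 8`, so presumably it occupies part of the padding area; a note such as `/* index into e_ident[] of the PaX flags byte (inside the EI_PAD region) — confirm */` would document the reserved slot.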
57977@@ -422,6 +450,7 @@ extern Elf32_Dyn _DYNAMIC [];
57978 #define elf_note elf32_note
57979 #define elf_addr_t Elf32_Off
57980 #define Elf_Half Elf32_Half
57981+#define elf_dyn Elf32_Dyn
57982
57983 #else
57984
57985@@ -432,6 +461,7 @@ extern Elf64_Dyn _DYNAMIC [];
57986 #define elf_note elf64_note
57987 #define elf_addr_t Elf64_Off
57988 #define Elf_Half Elf64_Half
57989+#define elf_dyn Elf64_Dyn
57990
57991 #endif
57992
57993diff -urNp linux-3.1.1/include/linux/firewire.h linux-3.1.1/include/linux/firewire.h
57994--- linux-3.1.1/include/linux/firewire.h 2011-11-11 15:19:27.000000000 -0500
57995+++ linux-3.1.1/include/linux/firewire.h 2011-11-16 18:39:08.000000000 -0500
57996@@ -428,7 +428,7 @@ struct fw_iso_context {
57997 union {
57998 fw_iso_callback_t sc;
57999 fw_iso_mc_callback_t mc;
58000- } callback;
58001+ } __no_const callback;
58002 void *callback_data;
58003 };
58004
58005diff -urNp linux-3.1.1/include/linux/fscache-cache.h linux-3.1.1/include/linux/fscache-cache.h
58006--- linux-3.1.1/include/linux/fscache-cache.h 2011-11-11 15:19:27.000000000 -0500
58007+++ linux-3.1.1/include/linux/fscache-cache.h 2011-11-16 18:39:08.000000000 -0500
58008@@ -102,7 +102,7 @@ struct fscache_operation {
58009 fscache_operation_release_t release;
58010 };
58011
58012-extern atomic_t fscache_op_debug_id;
58013+extern atomic_unchecked_t fscache_op_debug_id;
58014 extern void fscache_op_work_func(struct work_struct *work);
58015
58016 extern void fscache_enqueue_operation(struct fscache_operation *);
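Review bot: Switching `fscache_op_debug_id` to `atomic_unchecked_t` (and to `atomic_inc_return_unchecked` in the next hunk) opts this counter out of whatever overflow checking `atomic_t` carries in this tree, and the header gives no reason. The name suggests a diagnostic-only id for which wraparound is harmless, so a comment on the declaration would record that judgement: `/* diagnostic id only; wraparound is harmless, so overflow checking is deliberately bypassed */`. The same undocumented opt-out appears on `sync_io` in the genhd.h hunk below.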
58017@@ -122,7 +122,7 @@ static inline void fscache_operation_ini
58018 {
58019 INIT_WORK(&op->work, fscache_op_work_func);
58020 atomic_set(&op->usage, 1);
58021- op->debug_id = atomic_inc_return(&fscache_op_debug_id);
58022+ op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
58023 op->processor = processor;
58024 op->release = release;
58025 INIT_LIST_HEAD(&op->pend_link);
58026diff -urNp linux-3.1.1/include/linux/fs.h linux-3.1.1/include/linux/fs.h
58027--- linux-3.1.1/include/linux/fs.h 2011-11-11 15:19:27.000000000 -0500
58028+++ linux-3.1.1/include/linux/fs.h 2011-11-16 23:39:39.000000000 -0500
58029@@ -1588,7 +1588,8 @@ struct file_operations {
58030 int (*setlease)(struct file *, long, struct file_lock **);
58031 long (*fallocate)(struct file *file, int mode, loff_t offset,
58032 loff_t len);
58033-};
58034+} __do_const;
58035+typedef struct file_operations __no_const file_operations_no_const;
58036
58037 struct inode_operations {
58038 struct dentry * (*lookup) (struct inode *,struct dentry *, struct nameidata *);
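Review bot: `file_operations_no_const` is introduced as a typedef of a struct without any comment on when a user should pick it over `struct file_operations`, which now carries `__do_const`. Since a struct typedef goes against the header's own convention, a one-line comment would keep it from being taken as a general alias, e.g. `/* for the rare file_operations instance that must be modified at runtime; prefer the read-only struct */`. The `struct inode_operations` definition that follows opens inside the hunk but closes outside it.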
58039diff -urNp linux-3.1.1/include/linux/fsnotify.h linux-3.1.1/include/linux/fsnotify.h
58040--- linux-3.1.1/include/linux/fsnotify.h 2011-11-11 15:19:27.000000000 -0500
58041+++ linux-3.1.1/include/linux/fsnotify.h 2011-11-16 18:39:08.000000000 -0500
58042@@ -314,7 +314,7 @@ static inline void fsnotify_change(struc
58043 */
58044 static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
58045 {
58046- return kstrdup(name, GFP_KERNEL);
58047+ return (const unsigned char *)kstrdup((const char *)name, GFP_KERNEL);
58048 }
58049
58050 /*
58051diff -urNp linux-3.1.1/include/linux/fs_struct.h linux-3.1.1/include/linux/fs_struct.h
58052--- linux-3.1.1/include/linux/fs_struct.h 2011-11-11 15:19:27.000000000 -0500
58053+++ linux-3.1.1/include/linux/fs_struct.h 2011-11-16 18:39:08.000000000 -0500
58054@@ -6,7 +6,7 @@
58055 #include <linux/seqlock.h>
58056
58057 struct fs_struct {
58058- int users;
58059+ atomic_t users;
58060 spinlock_t lock;
58061 seqcount_t seq;
58062 int umask;
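Review bot: `users` becomes `atomic_t`, but the structure gives no hint why this refcount stays a checked `atomic_t` while other counters in this patch (`sync_io`, `fscache_op_debug_id`) are moved to `atomic_unchecked_t`. A comment such as `/* refcount: kept as a checked atomic_t so an overflow is detected rather than wrapping */` would record the distinction — hedged, since the checking semantics live outside this header. Every read and write of the former `int` is outside this hunk and must have been converted to the `atomic_*` accessors.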
58063diff -urNp linux-3.1.1/include/linux/ftrace_event.h linux-3.1.1/include/linux/ftrace_event.h
58064--- linux-3.1.1/include/linux/ftrace_event.h 2011-11-11 15:19:27.000000000 -0500
58065+++ linux-3.1.1/include/linux/ftrace_event.h 2011-11-16 18:39:08.000000000 -0500
58066@@ -97,7 +97,7 @@ struct trace_event_functions {
58067 trace_print_func raw;
58068 trace_print_func hex;
58069 trace_print_func binary;
58070-};
58071+} __no_const;
58072
58073 struct trace_event {
58074 struct hlist_node node;
58075@@ -252,7 +252,7 @@ extern int trace_define_field(struct ftr
58076 extern int trace_add_event_call(struct ftrace_event_call *call);
58077 extern void trace_remove_event_call(struct ftrace_event_call *call);
58078
58079-#define is_signed_type(type) (((type)(-1)) < 0)
58080+#define is_signed_type(type) (((type)(-1)) < (type)1)
58081
58082 int trace_set_clr_event(const char *system, const char *event, int set);
58083
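Review bot: The new `is_signed_type(type)` compares `(type)(-1)` against `(type)1` instead of `0`, and no comment says why. For an unsigned `type` the old form compares an unsigned value with `< 0`, which compilers warn is always false; the new form keeps both operands in `type` and avoids that warning while giving the same answer for integer types. A comment preserves that reasoning: `/* compare against (type)1 rather than 0 so unsigned types do not trigger an always-false comparison warning */`.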
58084diff -urNp linux-3.1.1/include/linux/genhd.h linux-3.1.1/include/linux/genhd.h
58085--- linux-3.1.1/include/linux/genhd.h 2011-11-11 15:19:27.000000000 -0500
58086+++ linux-3.1.1/include/linux/genhd.h 2011-11-16 18:39:08.000000000 -0500
58087@@ -184,7 +184,7 @@ struct gendisk {
58088 struct kobject *slave_dir;
58089
58090 struct timer_rand_state *random;
58091- atomic_t sync_io; /* RAID */
58092+ atomic_unchecked_t sync_io; /* RAID */
58093 struct disk_events *ev;
58094 #ifdef CONFIG_BLK_DEV_INTEGRITY
58095 struct blk_integrity *integrity;
58096diff -urNp linux-3.1.1/include/linux/gracl.h linux-3.1.1/include/linux/gracl.h
58097--- linux-3.1.1/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
58098+++ linux-3.1.1/include/linux/gracl.h 2011-11-16 18:40:31.000000000 -0500
58099@@ -0,0 +1,317 @@
58100+#ifndef GR_ACL_H
58101+#define GR_ACL_H
58102+
58103+#include <linux/grdefs.h>
58104+#include <linux/resource.h>
58105+#include <linux/capability.h>
58106+#include <linux/dcache.h>
58107+#include <asm/resource.h>
58108+
58109+/* Major status information */
58110+
58111+#define GR_VERSION "grsecurity 2.2.2"
58112+#define GRSECURITY_VERSION 0x2202
58113+
58114+enum {
58115+ GR_SHUTDOWN = 0,
58116+ GR_ENABLE = 1,
58117+ GR_SPROLE = 2,
58118+ GR_RELOAD = 3,
58119+ GR_SEGVMOD = 4,
58120+ GR_STATUS = 5,
58121+ GR_UNSPROLE = 6,
58122+ GR_PASSSET = 7,
58123+ GR_SPROLEPAM = 8,
58124+};
58125+
58126+/* Password setup definitions
58127+ * kernel/grhash.c */
58128+enum {
58129+ GR_PW_LEN = 128,
58130+ GR_SALT_LEN = 16,
58131+ GR_SHA_LEN = 32,
58132+};
58133+
58134+enum {
58135+ GR_SPROLE_LEN = 64,
58136+};
58137+
58138+enum {
58139+ GR_NO_GLOB = 0,
58140+ GR_REG_GLOB,
58141+ GR_CREATE_GLOB
58142+};
58143+
58144+#define GR_NLIMITS 32
58145+
58146+/* Begin Data Structures */
58147+
58148+struct sprole_pw {
58149+ unsigned char *rolename;
58150+ unsigned char salt[GR_SALT_LEN];
58151+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
58152+};
58153+
58154+struct name_entry {
58155+ __u32 key;
58156+ ino_t inode;
58157+ dev_t device;
58158+ char *name;
58159+ __u16 len;
58160+ __u8 deleted;
58161+ struct name_entry *prev;
58162+ struct name_entry *next;
58163+};
58164+
58165+struct inodev_entry {
58166+ struct name_entry *nentry;
58167+ struct inodev_entry *prev;
58168+ struct inodev_entry *next;
58169+};
58170+
58171+struct acl_role_db {
58172+ struct acl_role_label **r_hash;
58173+ __u32 r_size;
58174+};
58175+
58176+struct inodev_db {
58177+ struct inodev_entry **i_hash;
58178+ __u32 i_size;
58179+};
58180+
58181+struct name_db {
58182+ struct name_entry **n_hash;
58183+ __u32 n_size;
58184+};
58185+
58186+struct crash_uid {
58187+ uid_t uid;
58188+ unsigned long expires;
58189+};
58190+
58191+struct gr_hash_struct {
58192+ void **table;
58193+ void **nametable;
58194+ void *first;
58195+ __u32 table_size;
58196+ __u32 used_size;
58197+ int type;
58198+};
58199+
58200+/* Userspace Grsecurity ACL data structures */
58201+
58202+struct acl_subject_label {
58203+ char *filename;
58204+ ino_t inode;
58205+ dev_t device;
58206+ __u32 mode;
58207+ kernel_cap_t cap_mask;
58208+ kernel_cap_t cap_lower;
58209+ kernel_cap_t cap_invert_audit;
58210+
58211+ struct rlimit res[GR_NLIMITS];
58212+ __u32 resmask;
58213+
58214+ __u8 user_trans_type;
58215+ __u8 group_trans_type;
58216+ uid_t *user_transitions;
58217+ gid_t *group_transitions;
58218+ __u16 user_trans_num;
58219+ __u16 group_trans_num;
58220+
58221+ __u32 sock_families[2];
58222+ __u32 ip_proto[8];
58223+ __u32 ip_type;
58224+ struct acl_ip_label **ips;
58225+ __u32 ip_num;
58226+ __u32 inaddr_any_override;
58227+
58228+ __u32 crashes;
58229+ unsigned long expires;
58230+
58231+ struct acl_subject_label *parent_subject;
58232+ struct gr_hash_struct *hash;
58233+ struct acl_subject_label *prev;
58234+ struct acl_subject_label *next;
58235+
58236+ struct acl_object_label **obj_hash;
58237+ __u32 obj_hash_size;
58238+ __u16 pax_flags;
58239+};
58240+
58241+struct role_allowed_ip {
58242+ __u32 addr;
58243+ __u32 netmask;
58244+
58245+ struct role_allowed_ip *prev;
58246+ struct role_allowed_ip *next;
58247+};
58248+
58249+struct role_transition {
58250+ char *rolename;
58251+
58252+ struct role_transition *prev;
58253+ struct role_transition *next;
58254+};
58255+
58256+struct acl_role_label {
58257+ char *rolename;
58258+ uid_t uidgid;
58259+ __u16 roletype;
58260+
58261+ __u16 auth_attempts;
58262+ unsigned long expires;
58263+
58264+ struct acl_subject_label *root_label;
58265+ struct gr_hash_struct *hash;
58266+
58267+ struct acl_role_label *prev;
58268+ struct acl_role_label *next;
58269+
58270+ struct role_transition *transitions;
58271+ struct role_allowed_ip *allowed_ips;
58272+ uid_t *domain_children;
58273+ __u16 domain_child_num;
58274+
58275+ struct acl_subject_label **subj_hash;
58276+ __u32 subj_hash_size;
58277+};
58278+
58279+struct user_acl_role_db {
58280+ struct acl_role_label **r_table;
58281+ __u32 num_pointers; /* Number of allocations to track */
58282+ __u32 num_roles; /* Number of roles */
58283+ __u32 num_domain_children; /* Number of domain children */
58284+ __u32 num_subjects; /* Number of subjects */
58285+ __u32 num_objects; /* Number of objects */
58286+};
58287+
58288+struct acl_object_label {
58289+ char *filename;
58290+ ino_t inode;
58291+ dev_t device;
58292+ __u32 mode;
58293+
58294+ struct acl_subject_label *nested;
58295+ struct acl_object_label *globbed;
58296+
58297+ /* next two structures not used */
58298+
58299+ struct acl_object_label *prev;
58300+ struct acl_object_label *next;
58301+};
58302+
58303+struct acl_ip_label {
58304+ char *iface;
58305+ __u32 addr;
58306+ __u32 netmask;
58307+ __u16 low, high;
58308+ __u8 mode;
58309+ __u32 type;
58310+ __u32 proto[8];
58311+
58312+ /* next two structures not used */
58313+
58314+ struct acl_ip_label *prev;
58315+ struct acl_ip_label *next;
58316+};
58317+
58318+struct gr_arg {
58319+ struct user_acl_role_db role_db;
58320+ unsigned char pw[GR_PW_LEN];
58321+ unsigned char salt[GR_SALT_LEN];
58322+ unsigned char sum[GR_SHA_LEN];
58323+ unsigned char sp_role[GR_SPROLE_LEN];
58324+ struct sprole_pw *sprole_pws;
58325+ dev_t segv_device;
58326+ ino_t segv_inode;
58327+ uid_t segv_uid;
58328+ __u16 num_sprole_pws;
58329+ __u16 mode;
58330+};
58331+
58332+struct gr_arg_wrapper {
58333+ struct gr_arg *arg;
58334+ __u32 version;
58335+ __u32 size;
58336+};
58337+
58338+struct subject_map {
58339+ struct acl_subject_label *user;
58340+ struct acl_subject_label *kernel;
58341+ struct subject_map *prev;
58342+ struct subject_map *next;
58343+};
58344+
58345+struct acl_subj_map_db {
58346+ struct subject_map **s_hash;
58347+ __u32 s_size;
58348+};
58349+
58350+/* End Data Structures Section */
58351+
58352+/* Hash functions generated by empirical testing by Brad Spengler
58353+ Makes good use of the low bits of the inode. Generally 0-1 times
58354+ in loop for successful match. 0-3 for unsuccessful match.
58355+ Shift/add algorithm with modulus of table size and an XOR*/
58356+
58357+static __inline__ unsigned int
58358+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
58359+{
58360+ return ((((uid + type) << (16 + type)) ^ uid) % sz);
58361+}
58362+
58363+ static __inline__ unsigned int
58364+shash(const struct acl_subject_label *userp, const unsigned int sz)
58365+{
58366+ return ((const unsigned long)userp % sz);
58367+}
58368+
58369+static __inline__ unsigned int
58370+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
58371+{
58372+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
58373+}
58374+
58375+static __inline__ unsigned int
58376+nhash(const char *name, const __u16 len, const unsigned int sz)
58377+{
58378+ return full_name_hash((const unsigned char *)name, len) % sz;
58379+}
58380+
58381+#define FOR_EACH_ROLE_START(role) \
58382+ role = role_list; \
58383+ while (role) {
58384+
58385+#define FOR_EACH_ROLE_END(role) \
58386+ role = role->prev; \
58387+ }
58388+
58389+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
58390+ subj = NULL; \
58391+ iter = 0; \
58392+ while (iter < role->subj_hash_size) { \
58393+ if (subj == NULL) \
58394+ subj = role->subj_hash[iter]; \
58395+ if (subj == NULL) { \
58396+ iter++; \
58397+ continue; \
58398+ }
58399+
58400+#define FOR_EACH_SUBJECT_END(subj,iter) \
58401+ subj = subj->next; \
58402+ if (subj == NULL) \
58403+ iter++; \
58404+ }
58405+
58406+
58407+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
58408+ subj = role->hash->first; \
58409+ while (subj != NULL) {
58410+
58411+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
58412+ subj = subj->next; \
58413+ }
58414+
58415+#endif
58416+
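Review bot: `rhash()` shifts by `16 + type`, so any `type` value of 16 or more yields a shift of at least 32 bits on the promoted `unsigned int` operand, which is undefined behaviour; the callers are not on this page, and if they pass only the small `GR_ROLE_*`/`GR_ID_*` bits this cannot happen, but nothing in the header states that precondition. A comment on the function, `/* type must be < 16: the shift width is 16 + type */`, would pin it down. `shash()` also has a stray leading space before `static __inline__` that the other three hash helpers do not. Separately, `struct gr_arg` carries a plaintext `pw[GR_PW_LEN]` that is presumably copied in from userspace; the consuming code is outside this hunk, so it is worth confirming there that the buffer is wiped once the hash comparison is done.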
58417diff -urNp linux-3.1.1/include/linux/gralloc.h linux-3.1.1/include/linux/gralloc.h
58418--- linux-3.1.1/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
58419+++ linux-3.1.1/include/linux/gralloc.h 2011-11-16 18:40:31.000000000 -0500
58420@@ -0,0 +1,9 @@
58421+#ifndef __GRALLOC_H
58422+#define __GRALLOC_H
58423+
58424+void acl_free_all(void);
58425+int acl_alloc_stack_init(unsigned long size);
58426+void *acl_alloc(unsigned long len);
58427+void *acl_alloc_num(unsigned long num, unsigned long len);
58428+
58429+#endif
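Review bot: The four prototypes come with no ownership or error contract: nothing states whether memory from `acl_alloc()`/`acl_alloc_num()` is released only by `acl_free_all()` (the naming suggests so), what the functions return on failure, or whether `acl_alloc_num()` guards the `num * len` product against overflow. Since the implementations are not on this page, the header should at least document the intended contract, e.g. `/* returns NULL on failure; all acl_alloc* memory is released as a unit by acl_free_all() */` and `/* num * len is checked for overflow — confirm in the implementation */`.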
58430diff -urNp linux-3.1.1/include/linux/grdefs.h linux-3.1.1/include/linux/grdefs.h
58431--- linux-3.1.1/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
58432+++ linux-3.1.1/include/linux/grdefs.h 2011-11-16 18:40:31.000000000 -0500
58433@@ -0,0 +1,140 @@
58434+#ifndef GRDEFS_H
58435+#define GRDEFS_H
58436+
58437+/* Begin grsecurity status declarations */
58438+
58439+enum {
58440+ GR_READY = 0x01,
58441+ GR_STATUS_INIT = 0x00 // disabled state
58442+};
58443+
58444+/* Begin ACL declarations */
58445+
58446+/* Role flags */
58447+
58448+enum {
58449+ GR_ROLE_USER = 0x0001,
58450+ GR_ROLE_GROUP = 0x0002,
58451+ GR_ROLE_DEFAULT = 0x0004,
58452+ GR_ROLE_SPECIAL = 0x0008,
58453+ GR_ROLE_AUTH = 0x0010,
58454+ GR_ROLE_NOPW = 0x0020,
58455+ GR_ROLE_GOD = 0x0040,
58456+ GR_ROLE_LEARN = 0x0080,
58457+ GR_ROLE_TPE = 0x0100,
58458+ GR_ROLE_DOMAIN = 0x0200,
58459+ GR_ROLE_PAM = 0x0400,
58460+ GR_ROLE_PERSIST = 0x0800
58461+};
58462+
58463+/* ACL Subject and Object mode flags */
58464+enum {
58465+ GR_DELETED = 0x80000000
58466+};
58467+
58468+/* ACL Object-only mode flags */
58469+enum {
58470+ GR_READ = 0x00000001,
58471+ GR_APPEND = 0x00000002,
58472+ GR_WRITE = 0x00000004,
58473+ GR_EXEC = 0x00000008,
58474+ GR_FIND = 0x00000010,
58475+ GR_INHERIT = 0x00000020,
58476+ GR_SETID = 0x00000040,
58477+ GR_CREATE = 0x00000080,
58478+ GR_DELETE = 0x00000100,
58479+ GR_LINK = 0x00000200,
58480+ GR_AUDIT_READ = 0x00000400,
58481+ GR_AUDIT_APPEND = 0x00000800,
58482+ GR_AUDIT_WRITE = 0x00001000,
58483+ GR_AUDIT_EXEC = 0x00002000,
58484+ GR_AUDIT_FIND = 0x00004000,
58485+ GR_AUDIT_INHERIT= 0x00008000,
58486+ GR_AUDIT_SETID = 0x00010000,
58487+ GR_AUDIT_CREATE = 0x00020000,
58488+ GR_AUDIT_DELETE = 0x00040000,
58489+ GR_AUDIT_LINK = 0x00080000,
58490+ GR_PTRACERD = 0x00100000,
58491+ GR_NOPTRACE = 0x00200000,
58492+ GR_SUPPRESS = 0x00400000,
58493+ GR_NOLEARN = 0x00800000,
58494+ GR_INIT_TRANSFER= 0x01000000
58495+};
58496+
58497+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
58498+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
58499+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
58500+
58501+/* ACL subject-only mode flags */
58502+enum {
58503+ GR_KILL = 0x00000001,
58504+ GR_VIEW = 0x00000002,
58505+ GR_PROTECTED = 0x00000004,
58506+ GR_LEARN = 0x00000008,
58507+ GR_OVERRIDE = 0x00000010,
58508+ /* just a placeholder, this mode is only used in userspace */
58509+ GR_DUMMY = 0x00000020,
58510+ GR_PROTSHM = 0x00000040,
58511+ GR_KILLPROC = 0x00000080,
58512+ GR_KILLIPPROC = 0x00000100,
58513+ /* just a placeholder, this mode is only used in userspace */
58514+ GR_NOTROJAN = 0x00000200,
58515+ GR_PROTPROCFD = 0x00000400,
58516+ GR_PROCACCT = 0x00000800,
58517+ GR_RELAXPTRACE = 0x00001000,
58518+ GR_NESTED = 0x00002000,
58519+ GR_INHERITLEARN = 0x00004000,
58520+ GR_PROCFIND = 0x00008000,
58521+ GR_POVERRIDE = 0x00010000,
58522+ GR_KERNELAUTH = 0x00020000,
58523+ GR_ATSECURE = 0x00040000,
58524+ GR_SHMEXEC = 0x00080000
58525+};
58526+
58527+enum {
58528+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
58529+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
58530+ GR_PAX_ENABLE_MPROTECT = 0x0004,
58531+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
58532+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
58533+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
58534+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
58535+ GR_PAX_DISABLE_MPROTECT = 0x0400,
58536+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
58537+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
58538+};
58539+
58540+enum {
58541+ GR_ID_USER = 0x01,
58542+ GR_ID_GROUP = 0x02,
58543+};
58544+
58545+enum {
58546+ GR_ID_ALLOW = 0x01,
58547+ GR_ID_DENY = 0x02,
58548+};
58549+
58550+#define GR_CRASH_RES 31
58551+#define GR_UIDTABLE_MAX 500
58552+
58553+/* begin resource learning section */
58554+enum {
58555+ GR_RLIM_CPU_BUMP = 60,
58556+ GR_RLIM_FSIZE_BUMP = 50000,
58557+ GR_RLIM_DATA_BUMP = 10000,
58558+ GR_RLIM_STACK_BUMP = 1000,
58559+ GR_RLIM_CORE_BUMP = 10000,
58560+ GR_RLIM_RSS_BUMP = 500000,
58561+ GR_RLIM_NPROC_BUMP = 1,
58562+ GR_RLIM_NOFILE_BUMP = 5,
58563+ GR_RLIM_MEMLOCK_BUMP = 50000,
58564+ GR_RLIM_AS_BUMP = 500000,
58565+ GR_RLIM_LOCKS_BUMP = 2,
58566+ GR_RLIM_SIGPENDING_BUMP = 5,
58567+ GR_RLIM_MSGQUEUE_BUMP = 10000,
58568+ GR_RLIM_NICE_BUMP = 1,
58569+ GR_RLIM_RTPRIO_BUMP = 1,
58570+ GR_RLIM_RTTIME_BUMP = 1000000
58571+};
58572+
58573+#endif
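Review bot: `GR_CRASH_RES 31` and `GR_UIDTABLE_MAX 500` are bare magic numbers with no comment, unlike the neighbouring enums that at least carry a section heading. `GR_CRASH_RES` presumably indexes `res[GR_NLIMITS]` in gracl.h (where `GR_NLIMITS` is 32, making 31 the last slot), but that is an inference; a comment such as `/* slot in acl_subject_label.res[] reserved for crash tracking — confirm */` and one stating what the UID table bounds would make the header self-describing. The `GR_STATUS_INIT = 0x00 // disabled state` entry is also the only `//` comment in the file, a minor style inconsistency with the `/* */` used everywhere else.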
58574diff -urNp linux-3.1.1/include/linux/grinternal.h linux-3.1.1/include/linux/grinternal.h
58575--- linux-3.1.1/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
58576+++ linux-3.1.1/include/linux/grinternal.h 2011-11-16 18:40:31.000000000 -0500
58577@@ -0,0 +1,220 @@
58578+#ifndef __GRINTERNAL_H
58579+#define __GRINTERNAL_H
58580+
58581+#ifdef CONFIG_GRKERNSEC
58582+
58583+#include <linux/fs.h>
58584+#include <linux/mnt_namespace.h>
58585+#include <linux/nsproxy.h>
58586+#include <linux/gracl.h>
58587+#include <linux/grdefs.h>
58588+#include <linux/grmsg.h>
58589+
58590+void gr_add_learn_entry(const char *fmt, ...)
58591+ __attribute__ ((format (printf, 1, 2)));
58592+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
58593+ const struct vfsmount *mnt);
58594+__u32 gr_check_create(const struct dentry *new_dentry,
58595+ const struct dentry *parent,
58596+ const struct vfsmount *mnt, const __u32 mode);
58597+int gr_check_protected_task(const struct task_struct *task);
58598+__u32 to_gr_audit(const __u32 reqmode);
58599+int gr_set_acls(const int type);
58600+int gr_apply_subject_to_task(struct task_struct *task);
58601+int gr_acl_is_enabled(void);
58602+char gr_roletype_to_char(void);
58603+
58604+void gr_handle_alertkill(struct task_struct *task);
58605+char *gr_to_filename(const struct dentry *dentry,
58606+ const struct vfsmount *mnt);
58607+char *gr_to_filename1(const struct dentry *dentry,
58608+ const struct vfsmount *mnt);
58609+char *gr_to_filename2(const struct dentry *dentry,
58610+ const struct vfsmount *mnt);
58611+char *gr_to_filename3(const struct dentry *dentry,
58612+ const struct vfsmount *mnt);
58613+
58614+extern int grsec_enable_harden_ptrace;
58615+extern int grsec_enable_link;
58616+extern int grsec_enable_fifo;
58617+extern int grsec_enable_execve;
58618+extern int grsec_enable_shm;
58619+extern int grsec_enable_execlog;
58620+extern int grsec_enable_signal;
58621+extern int grsec_enable_audit_ptrace;
58622+extern int grsec_enable_forkfail;
58623+extern int grsec_enable_time;
58624+extern int grsec_enable_rofs;
58625+extern int grsec_enable_chroot_shmat;
58626+extern int grsec_enable_chroot_mount;
58627+extern int grsec_enable_chroot_double;
58628+extern int grsec_enable_chroot_pivot;
58629+extern int grsec_enable_chroot_chdir;
58630+extern int grsec_enable_chroot_chmod;
58631+extern int grsec_enable_chroot_mknod;
58632+extern int grsec_enable_chroot_fchdir;
58633+extern int grsec_enable_chroot_nice;
58634+extern int grsec_enable_chroot_execlog;
58635+extern int grsec_enable_chroot_caps;
58636+extern int grsec_enable_chroot_sysctl;
58637+extern int grsec_enable_chroot_unix;
58638+extern int grsec_enable_tpe;
58639+extern int grsec_tpe_gid;
58640+extern int grsec_enable_tpe_all;
58641+extern int grsec_enable_tpe_invert;
58642+extern int grsec_enable_socket_all;
58643+extern int grsec_socket_all_gid;
58644+extern int grsec_enable_socket_client;
58645+extern int grsec_socket_client_gid;
58646+extern int grsec_enable_socket_server;
58647+extern int grsec_socket_server_gid;
58648+extern int grsec_audit_gid;
58649+extern int grsec_enable_group;
58650+extern int grsec_enable_audit_textrel;
58651+extern int grsec_enable_log_rwxmaps;
58652+extern int grsec_enable_mount;
58653+extern int grsec_enable_chdir;
58654+extern int grsec_resource_logging;
58655+extern int grsec_enable_blackhole;
58656+extern int grsec_lastack_retries;
58657+extern int grsec_enable_brute;
58658+extern int grsec_lock;
58659+
58660+extern spinlock_t grsec_alert_lock;
58661+extern unsigned long grsec_alert_wtime;
58662+extern unsigned long grsec_alert_fyet;
58663+
58664+extern spinlock_t grsec_audit_lock;
58665+
58666+extern rwlock_t grsec_exec_file_lock;
58667+
58668+#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
58669+ gr_to_filename2((tsk)->exec_file->f_path.dentry, \
58670+ (tsk)->exec_file->f_vfsmnt) : "/")
58671+
58672+#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
58673+ gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
58674+ (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
58675+
58676+#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
58677+ gr_to_filename((tsk)->exec_file->f_path.dentry, \
58678+ (tsk)->exec_file->f_vfsmnt) : "/")
58679+
58680+#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
58681+ gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
58682+ (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
58683+
58684+#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
58685+
58686+#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
58687+
58688+#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
58689+ (task)->pid, (cred)->uid, \
58690+ (cred)->euid, (cred)->gid, (cred)->egid, \
58691+ gr_parent_task_fullpath(task), \
58692+ (task)->real_parent->comm, (task)->real_parent->pid, \
58693+ (pcred)->uid, (pcred)->euid, \
58694+ (pcred)->gid, (pcred)->egid
58695+
58696+#define GR_CHROOT_CAPS {{ \
58697+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
58698+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
58699+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
58700+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
58701+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
58702+ CAP_TO_MASK(CAP_IPC_OWNER) | CAP_TO_MASK(CAP_SETFCAP), \
58703+ CAP_TO_MASK(CAP_SYSLOG) | CAP_TO_MASK(CAP_MAC_ADMIN) }}
58704+
58705+#define security_learn(normal_msg,args...) \
58706+({ \
58707+ read_lock(&grsec_exec_file_lock); \
58708+ gr_add_learn_entry(normal_msg "\n", ## args); \
58709+ read_unlock(&grsec_exec_file_lock); \
58710+})
58711+
58712+enum {
58713+ GR_DO_AUDIT,
58714+ GR_DONT_AUDIT,
58715+ /* used for non-audit messages that we shouldn't kill the task on */
58716+ GR_DONT_AUDIT_GOOD
58717+};
58718+
58719+enum {
58720+ GR_TTYSNIFF,
58721+ GR_RBAC,
58722+ GR_RBAC_STR,
58723+ GR_STR_RBAC,
58724+ GR_RBAC_MODE2,
58725+ GR_RBAC_MODE3,
58726+ GR_FILENAME,
58727+ GR_SYSCTL_HIDDEN,
58728+ GR_NOARGS,
58729+ GR_ONE_INT,
58730+ GR_ONE_INT_TWO_STR,
58731+ GR_ONE_STR,
58732+ GR_STR_INT,
58733+ GR_TWO_STR_INT,
58734+ GR_TWO_INT,
58735+ GR_TWO_U64,
58736+ GR_THREE_INT,
58737+ GR_FIVE_INT_TWO_STR,
58738+ GR_TWO_STR,
58739+ GR_THREE_STR,
58740+ GR_FOUR_STR,
58741+ GR_STR_FILENAME,
58742+ GR_FILENAME_STR,
58743+ GR_FILENAME_TWO_INT,
58744+ GR_FILENAME_TWO_INT_STR,
58745+ GR_TEXTREL,
58746+ GR_PTRACE,
58747+ GR_RESOURCE,
58748+ GR_CAP,
58749+ GR_SIG,
58750+ GR_SIG2,
58751+ GR_CRASH1,
58752+ GR_CRASH2,
58753+ GR_PSACCT,
58754+ GR_RWXMAP
58755+};
58756+
58757+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
58758+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
58759+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
58760+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
58761+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
58762+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
58763+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
58764+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
58765+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
58766+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
58767+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
58768+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
58769+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
58770+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
58771+#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
58772+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
58773+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
58774+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
58775+#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
58776+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
58777+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
58778+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
58779+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
58780+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
58781+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
58782+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
58783+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
58784+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
58785+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
58786+#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
58787+#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
58788+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
58789+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
58790+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
58791+#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
58792+
58793+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
58794+
58795+#endif
58796+
58797+#endif
58798diff -urNp linux-3.1.1/include/linux/grmsg.h linux-3.1.1/include/linux/grmsg.h
58799--- linux-3.1.1/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
58800+++ linux-3.1.1/include/linux/grmsg.h 2011-11-16 18:40:31.000000000 -0500
58801@@ -0,0 +1,108 @@
58802+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
58803+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
58804+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
58805+#define GR_STOPMOD_MSG "denied modification of module state by "
58806+#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
58807+#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
58808+#define GR_IOPERM_MSG "denied use of ioperm() by "
58809+#define GR_IOPL_MSG "denied use of iopl() by "
58810+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
58811+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
58812+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
58813+#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
58814+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
58815+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
58816+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
58817+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
58818+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
58819+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
58820+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
58821+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
58822+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
58823+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
58824+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
58825+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
58826+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
58827+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
58828+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
58829+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
58830+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
58831+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
58832+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
58833+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
58834+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
58835+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
58836+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
58837+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
58838+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
58839+#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
58840+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
58841+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
58842+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
58843+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
58844+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
58845+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
58846+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
58847+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
58848+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
58849+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
58850+#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
58851+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
58852+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
58853+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
58854+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
58855+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
58856+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
58857+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
58858+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
58859+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
58860+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
58861+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
58862+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
58863+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
58864+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
58865+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
58866+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
58867+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
58868+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
58869+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
58870+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
58871+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
58872+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
58873+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
58874+#define GR_FAILFORK_MSG "failed fork with errno %s by "
58875+#define GR_NICE_CHROOT_MSG "denied priority change by "
58876+#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
58877+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
58878+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
58879+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
58880+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
58881+#define GR_TIME_MSG "time set by "
58882+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
58883+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
58884+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
58885+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
58886+#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
58887+#define GR_BIND_MSG "denied bind() by "
58888+#define GR_CONNECT_MSG "denied connect() by "
58889+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
58890+#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
58891+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
58892+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
58893+#define GR_CAP_ACL_MSG "use of %s denied for "
58894+#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
58895+#define GR_CAP_ACL_MSG2 "use of %s permitted for "
58896+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
58897+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
58898+#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
58899+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
58900+#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
58901+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
58902+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
58903+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
58904+#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
58905+#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
58906+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
58907+#define GR_VM86_MSG "denied use of vm86 by "
58908+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
58909+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
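Review bot: GR_TEXTREL_AUDIT_MSG is the only filename-bearing message in this header with an unbounded `%s`, where every sibling caps the path (`%.950s`, `%.930s`, `%.980s`); if the argument is a path from the same buffers as the others, `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "` keeps the precision consistent and bounds the log line like the rest of the file. The header also has no include guard although grsecurity.h and grsock.h in the same patch have one; repeated inclusion only works because each definition is an identical object-like macro, so a guard (or a one-line comment stating that) would make the intent explicit. GR_MEM_READWRITE_MSG formats its u64 arguments with `%Lx`; the kernel's vsnprintf accepts `L` as a long-long qualifier, but `%llx` is the conventional spelling. Minor wording: "being fed garbaged by" in GR_DEV_ACL_MSG reads like a typo for "garbage".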
58910diff -urNp linux-3.1.1/include/linux/grsecurity.h linux-3.1.1/include/linux/grsecurity.h
58911--- linux-3.1.1/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
58912+++ linux-3.1.1/include/linux/grsecurity.h 2011-11-17 00:16:10.000000000 -0500
58913@@ -0,0 +1,228 @@
58914+#ifndef GR_SECURITY_H
58915+#define GR_SECURITY_H
58916+#include <linux/fs.h>
58917+#include <linux/fs_struct.h>
58918+#include <linux/binfmts.h>
58919+#include <linux/gracl.h>
58920+
58921+/* notify of brain-dead configs */
58922+#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
58923+#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
58924+#endif
58925+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
58926+#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
58927+#endif
58928+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
58929+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
58930+#endif
58931+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
58932+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
58933+#endif
58934+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
58935+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
58936+#endif
58937+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
58938+#error "CONFIG_PAX enabled, but no PaX options are enabled."
58939+#endif
58940+
58941+#include <linux/compat.h>
58942+
58943+struct user_arg_ptr {
58944+#ifdef CONFIG_COMPAT
58945+ bool is_compat;
58946+#endif
58947+ union {
58948+ const char __user *const __user *native;
58949+#ifdef CONFIG_COMPAT
58950+ compat_uptr_t __user *compat;
58951+#endif
58952+ } ptr;
58953+};
58954+
58955+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
58956+void gr_handle_brute_check(void);
58957+void gr_handle_kernel_exploit(void);
58958+int gr_process_user_ban(void);
58959+
58960+char gr_roletype_to_char(void);
58961+
58962+int gr_acl_enable_at_secure(void);
58963+
58964+int gr_check_user_change(int real, int effective, int fs);
58965+int gr_check_group_change(int real, int effective, int fs);
58966+
58967+void gr_del_task_from_ip_table(struct task_struct *p);
58968+
58969+int gr_pid_is_chrooted(struct task_struct *p);
58970+int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
58971+int gr_handle_chroot_nice(void);
58972+int gr_handle_chroot_sysctl(const int op);
58973+int gr_handle_chroot_setpriority(struct task_struct *p,
58974+ const int niceval);
58975+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
58976+int gr_handle_chroot_chroot(const struct dentry *dentry,
58977+ const struct vfsmount *mnt);
58978+void gr_handle_chroot_chdir(struct path *path);
58979+int gr_handle_chroot_chmod(const struct dentry *dentry,
58980+ const struct vfsmount *mnt, const int mode);
58981+int gr_handle_chroot_mknod(const struct dentry *dentry,
58982+ const struct vfsmount *mnt, const int mode);
58983+int gr_handle_chroot_mount(const struct dentry *dentry,
58984+ const struct vfsmount *mnt,
58985+ const char *dev_name);
58986+int gr_handle_chroot_pivot(void);
58987+int gr_handle_chroot_unix(const pid_t pid);
58988+
58989+int gr_handle_rawio(const struct inode *inode);
58990+
58991+void gr_handle_ioperm(void);
58992+void gr_handle_iopl(void);
58993+
58994+int gr_tpe_allow(const struct file *file);
58995+
58996+void gr_set_chroot_entries(struct task_struct *task, struct path *path);
58997+void gr_clear_chroot_entries(struct task_struct *task);
58998+
58999+void gr_log_forkfail(const int retval);
59000+void gr_log_timechange(void);
59001+void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
59002+void gr_log_chdir(const struct dentry *dentry,
59003+ const struct vfsmount *mnt);
59004+void gr_log_chroot_exec(const struct dentry *dentry,
59005+ const struct vfsmount *mnt);
59006+void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv);
59007+void gr_log_remount(const char *devname, const int retval);
59008+void gr_log_unmount(const char *devname, const int retval);
59009+void gr_log_mount(const char *from, const char *to, const int retval);
59010+void gr_log_textrel(struct vm_area_struct *vma);
59011+void gr_log_rwxmmap(struct file *file);
59012+void gr_log_rwxmprotect(struct file *file);
59013+
59014+int gr_handle_follow_link(const struct inode *parent,
59015+ const struct inode *inode,
59016+ const struct dentry *dentry,
59017+ const struct vfsmount *mnt);
59018+int gr_handle_fifo(const struct dentry *dentry,
59019+ const struct vfsmount *mnt,
59020+ const struct dentry *dir, const int flag,
59021+ const int acc_mode);
59022+int gr_handle_hardlink(const struct dentry *dentry,
59023+ const struct vfsmount *mnt,
59024+ struct inode *inode,
59025+ const int mode, const char *to);
59026+
59027+int gr_is_capable(const int cap);
59028+int gr_is_capable_nolog(const int cap);
59029+void gr_learn_resource(const struct task_struct *task, const int limit,
59030+ const unsigned long wanted, const int gt);
59031+void gr_copy_label(struct task_struct *tsk);
59032+void gr_handle_crash(struct task_struct *task, const int sig);
59033+int gr_handle_signal(const struct task_struct *p, const int sig);
59034+int gr_check_crash_uid(const uid_t uid);
59035+int gr_check_protected_task(const struct task_struct *task);
59036+int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
59037+int gr_acl_handle_mmap(const struct file *file,
59038+ const unsigned long prot);
59039+int gr_acl_handle_mprotect(const struct file *file,
59040+ const unsigned long prot);
59041+int gr_check_hidden_task(const struct task_struct *tsk);
59042+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
59043+ const struct vfsmount *mnt);
59044+__u32 gr_acl_handle_utime(const struct dentry *dentry,
59045+ const struct vfsmount *mnt);
59046+__u32 gr_acl_handle_access(const struct dentry *dentry,
59047+ const struct vfsmount *mnt, const int fmode);
59048+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
59049+ const struct vfsmount *mnt, mode_t mode);
59050+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
59051+ const struct vfsmount *mnt, mode_t mode);
59052+__u32 gr_acl_handle_chown(const struct dentry *dentry,
59053+ const struct vfsmount *mnt);
59054+__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
59055+ const struct vfsmount *mnt);
59056+int gr_handle_ptrace(struct task_struct *task, const long request);
59057+int gr_handle_proc_ptrace(struct task_struct *task);
59058+__u32 gr_acl_handle_execve(const struct dentry *dentry,
59059+ const struct vfsmount *mnt);
59060+int gr_check_crash_exec(const struct file *filp);
59061+int gr_acl_is_enabled(void);
59062+void gr_set_kernel_label(struct task_struct *task);
59063+void gr_set_role_label(struct task_struct *task, const uid_t uid,
59064+ const gid_t gid);
59065+int gr_set_proc_label(const struct dentry *dentry,
59066+ const struct vfsmount *mnt,
59067+ const int unsafe_share);
59068+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
59069+ const struct vfsmount *mnt);
59070+__u32 gr_acl_handle_open(const struct dentry *dentry,
59071+ const struct vfsmount *mnt, int acc_mode);
59072+__u32 gr_acl_handle_creat(const struct dentry *dentry,
59073+ const struct dentry *p_dentry,
59074+ const struct vfsmount *p_mnt,
59075+ int open_flags, int acc_mode, const int imode);
59076+void gr_handle_create(const struct dentry *dentry,
59077+ const struct vfsmount *mnt);
59078+void gr_handle_proc_create(const struct dentry *dentry,
59079+ const struct inode *inode);
59080+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
59081+ const struct dentry *parent_dentry,
59082+ const struct vfsmount *parent_mnt,
59083+ const int mode);
59084+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
59085+ const struct dentry *parent_dentry,
59086+ const struct vfsmount *parent_mnt);
59087+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
59088+ const struct vfsmount *mnt);
59089+void gr_handle_delete(const ino_t ino, const dev_t dev);
59090+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
59091+ const struct vfsmount *mnt);
59092+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
59093+ const struct dentry *parent_dentry,
59094+ const struct vfsmount *parent_mnt,
59095+ const char *from);
59096+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
59097+ const struct dentry *parent_dentry,
59098+ const struct vfsmount *parent_mnt,
59099+ const struct dentry *old_dentry,
59100+ const struct vfsmount *old_mnt, const char *to);
59101+int gr_acl_handle_rename(struct dentry *new_dentry,
59102+ struct dentry *parent_dentry,
59103+ const struct vfsmount *parent_mnt,
59104+ struct dentry *old_dentry,
59105+ struct inode *old_parent_inode,
59106+ struct vfsmount *old_mnt, const char *newname);
59107+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
59108+ struct dentry *old_dentry,
59109+ struct dentry *new_dentry,
59110+ struct vfsmount *mnt, const __u8 replace);
59111+__u32 gr_check_link(const struct dentry *new_dentry,
59112+ const struct dentry *parent_dentry,
59113+ const struct vfsmount *parent_mnt,
59114+ const struct dentry *old_dentry,
59115+ const struct vfsmount *old_mnt);
59116+int gr_acl_handle_filldir(const struct file *file, const char *name,
59117+ const unsigned int namelen, const ino_t ino);
59118+
59119+__u32 gr_acl_handle_unix(const struct dentry *dentry,
59120+ const struct vfsmount *mnt);
59121+void gr_acl_handle_exit(void);
59122+void gr_acl_handle_psacct(struct task_struct *task, const long code);
59123+int gr_acl_handle_procpidmem(const struct task_struct *task);
59124+int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
59125+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
59126+void gr_audit_ptrace(struct task_struct *task);
59127+dev_t gr_get_dev_from_dentry(struct dentry *dentry);
59128+
59129+#ifdef CONFIG_GRKERNSEC
59130+void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
59131+void gr_handle_vm86(void);
59132+void gr_handle_mem_readwrite(u64 from, u64 to);
59133+
59134+extern int grsec_enable_dmesg;
59135+extern int grsec_disable_privio;
59136+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59137+extern int grsec_enable_chroot_findtask;
59138+#endif
59139+#endif
59140+
59141+#endif
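Review bot: The return conventions in this header are undocumented: the `__u32 gr_acl_handle_*` functions and the `int gr_handle_*` / `gr_check_*` functions evidently follow different contracts, and nothing says what a zero or non-zero result means to a caller that has to turn it into allow/deny. A short comment above the first `__u32` prototype, e.g. `/* __u32 gr_acl_handle_*(): returns the granted access mode mask, 0 meaning denied — TODO confirm against the gracl implementation */`, plus a matching line for the `int` family, would let callers be written without reading the implementation. Separately, gr_check_user_change and gr_check_group_change take plain `int` for real/effective/fs ids while gr_check_crash_uid and gr_set_role_label use `uid_t`/`gid_t`; declaring them `uid_t`/`gid_t` would match the rest of the header and avoid a signed/unsigned mismatch if callers pass the `(uid_t)-1` "unchanged" sentinel that setresuid-style callers use — the implementation is outside this hunk, so whether it relies on the sign needs checking.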
59142diff -urNp linux-3.1.1/include/linux/grsock.h linux-3.1.1/include/linux/grsock.h
59143--- linux-3.1.1/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
59144+++ linux-3.1.1/include/linux/grsock.h 2011-11-16 18:40:31.000000000 -0500
59145@@ -0,0 +1,19 @@
59146+#ifndef __GRSOCK_H
59147+#define __GRSOCK_H
59148+
59149+extern void gr_attach_curr_ip(const struct sock *sk);
59150+extern int gr_handle_sock_all(const int family, const int type,
59151+ const int protocol);
59152+extern int gr_handle_sock_server(const struct sockaddr *sck);
59153+extern int gr_handle_sock_server_other(const struct sock *sck);
59154+extern int gr_handle_sock_client(const struct sockaddr *sck);
59155+extern int gr_search_connect(struct socket * sock,
59156+ struct sockaddr_in * addr);
59157+extern int gr_search_bind(struct socket * sock,
59158+ struct sockaddr_in * addr);
59159+extern int gr_search_listen(struct socket * sock);
59160+extern int gr_search_accept(struct socket * sock);
59161+extern int gr_search_socket(const int domain, const int type,
59162+ const int protocol);
59163+
59164+#endif
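Review bot: The prototypes use `struct sock`, `struct socket`, `struct sockaddr` and `struct sockaddr_in` but the header neither includes nor forward-declares them, so it only compiles when the including file has already pulled in the net headers; adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` after the guard makes it self-contained. The `struct socket * sock` / `struct sockaddr_in * addr` spacing in gr_search_connect, gr_search_bind, gr_search_listen and gr_search_accept departs from kernel style (`struct socket *sock`), unlike the other prototypes in this hunk. A one-line comment on the return convention (what a non-zero result from gr_handle_sock_* and gr_search_* means) would also help, since callers presumably decide allow/deny from it.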
59165diff -urNp linux-3.1.1/include/linux/hid.h linux-3.1.1/include/linux/hid.h
59166--- linux-3.1.1/include/linux/hid.h 2011-11-11 15:19:27.000000000 -0500
59167+++ linux-3.1.1/include/linux/hid.h 2011-11-16 18:39:08.000000000 -0500
59168@@ -676,7 +676,7 @@ struct hid_ll_driver {
59169 unsigned int code, int value);
59170
59171 int (*parse)(struct hid_device *hdev);
59172-};
59173+} __no_const;
59174
59175 #define PM_HINT_FULLON 1<<5
59176 #define PM_HINT_NORMAL 1<<1
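Review bot: `__no_const` on struct hid_ll_driver carries no explanation of why this ops struct must stay writable; the same applies to the `__no_const`/`__do_const` annotations in the intel-iommu.h and kgdb.h hunks and to the `i2c_algorithm_no_const` typedef in i2c.h. These attributes presumably steer a compiler plugin that makes function-pointer-only structs read-only (the hardening that keeps ops tables out of writable memory), so a struct that opts out is exactly the case a reviewer wants justified. A comment at each site, e.g. `/* __no_const: instances are assembled at runtime, so the constify plugin must leave this writable */`, would record the reason and make later audits of the remaining writable ops structs tractable.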
59177diff -urNp linux-3.1.1/include/linux/highmem.h linux-3.1.1/include/linux/highmem.h
59178--- linux-3.1.1/include/linux/highmem.h 2011-11-11 15:19:27.000000000 -0500
59179+++ linux-3.1.1/include/linux/highmem.h 2011-11-16 18:39:08.000000000 -0500
59180@@ -185,6 +185,18 @@ static inline void clear_highpage(struct
59181 kunmap_atomic(kaddr, KM_USER0);
59182 }
59183
59184+static inline void sanitize_highpage(struct page *page)
59185+{
59186+ void *kaddr;
59187+ unsigned long flags;
59188+
59189+ local_irq_save(flags);
59190+ kaddr = kmap_atomic(page, KM_CLEARPAGE);
59191+ clear_page(kaddr);
59192+ kunmap_atomic(kaddr, KM_CLEARPAGE);
59193+ local_irq_restore(flags);
59194+}
59195+
59196 static inline void zero_user_segments(struct page *page,
59197 unsigned start1, unsigned end1,
59198 unsigned start2, unsigned end2)
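Review bot: sanitize_highpage is undocumented and differs from the adjacent clear_highpage only in wrapping the clear in local_irq_save/local_irq_restore and using the KM_CLEARPAGE slot, so a reader cannot tell what "sanitize" adds or why interrupts must be off. Presumably this is the page-free scrubbing path (zeroing freed pages so stale contents cannot reach a later owner), called from contexts where an interrupt could itself take a kmap_atomic slot; a header comment stating that contract would help, e.g. `/* Zero a page being freed so its old contents cannot leak to the next user; irqs are disabled because callers may be on free paths where an interrupt can nest another kmap_atomic — TODO confirm the caller set */`. If the stack-based kmap_atomic in this tree already tolerates nesting, the irq disable may be unnecessary and the comment should say what it really guards.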
59199diff -urNp linux-3.1.1/include/linux/i2c.h linux-3.1.1/include/linux/i2c.h
59200--- linux-3.1.1/include/linux/i2c.h 2011-11-11 15:19:27.000000000 -0500
59201+++ linux-3.1.1/include/linux/i2c.h 2011-11-16 18:39:08.000000000 -0500
59202@@ -346,6 +346,7 @@ struct i2c_algorithm {
59203 /* To determine what the adapter supports */
59204 u32 (*functionality) (struct i2c_adapter *);
59205 };
59206+typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
59207
59208 /*
59209 * i2c_adapter is the structure used to identify a physical i2c bus along
59210diff -urNp linux-3.1.1/include/linux/i2o.h linux-3.1.1/include/linux/i2o.h
59211--- linux-3.1.1/include/linux/i2o.h 2011-11-11 15:19:27.000000000 -0500
59212+++ linux-3.1.1/include/linux/i2o.h 2011-11-16 18:39:08.000000000 -0500
59213@@ -564,7 +564,7 @@ struct i2o_controller {
59214 struct i2o_device *exec; /* Executive */
59215 #if BITS_PER_LONG == 64
59216 spinlock_t context_list_lock; /* lock for context_list */
59217- atomic_t context_list_counter; /* needed for unique contexts */
59218+ atomic_unchecked_t context_list_counter; /* needed for unique contexts */
59219 struct list_head context_list; /* list of context id's
59220 and pointers */
59221 #endif
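Review bot: The switch of context_list_counter to atomic_unchecked_t, like kgdb_cpu_doing_single_step in the kgdb.h hunk, is unexplained at the use site. The existing comment says the counter only needs to yield unique contexts, so wraparound is presumably harmless and the change opts it out of the overflow detection that atomic_t apparently gains in this patch; extending the comment to `/* needed for unique contexts; plain counter, wrap is fine: unchecked */` records why this one is exempt so a later audit does not re-examine it. Any atomic that does track object lifetime should stay atomic_t, which is why a per-site justification is worth having.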
59222diff -urNp linux-3.1.1/include/linux/init.h linux-3.1.1/include/linux/init.h
59223--- linux-3.1.1/include/linux/init.h 2011-11-11 15:19:27.000000000 -0500
59224+++ linux-3.1.1/include/linux/init.h 2011-11-16 18:39:08.000000000 -0500
59225@@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
59226
59227 /* Each module must use one module_init(). */
59228 #define module_init(initfn) \
59229- static inline initcall_t __inittest(void) \
59230+ static inline __used initcall_t __inittest(void) \
59231 { return initfn; } \
59232 int init_module(void) __attribute__((alias(#initfn)));
59233
59234 /* This is only required if you want to be unloadable. */
59235 #define module_exit(exitfn) \
59236- static inline exitcall_t __exittest(void) \
59237+ static inline __used exitcall_t __exittest(void) \
59238 { return exitfn; } \
59239 void cleanup_module(void) __attribute__((alias(#exitfn)));
59240
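Review bot: The `__used` added to `__inittest` and `__exittest` has no comment explaining why a static inline helper that exists purely to type-check `initfn`/`exitfn` must now be kept. Presumably stricter build flags or a compiler plugin in this tree would otherwise warn about or drop the uncalled function; a one-line comment inside the macro, e.g. `/* __used: keep the type-check helper although it is never called — TODO name the flag/plugin that needs it */`, would stop the attribute from being removed as a cleanup.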
59241diff -urNp linux-3.1.1/include/linux/init_task.h linux-3.1.1/include/linux/init_task.h
59242--- linux-3.1.1/include/linux/init_task.h 2011-11-11 15:19:27.000000000 -0500
59243+++ linux-3.1.1/include/linux/init_task.h 2011-11-16 18:39:08.000000000 -0500
59244@@ -126,6 +126,12 @@ extern struct cred init_cred;
59245 # define INIT_PERF_EVENTS(tsk)
59246 #endif
59247
59248+#ifdef CONFIG_X86
59249+#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
59250+#else
59251+#define INIT_TASK_THREAD_INFO
59252+#endif
59253+
59254 /*
59255 * INIT_TASK is used to set up the first task table, touch at
59256 * your own risk!. Base=0, limit=0x1fffff (=2MB)
59257@@ -164,6 +170,7 @@ extern struct cred init_cred;
59258 RCU_INIT_POINTER(.cred, &init_cred), \
59259 .comm = "swapper", \
59260 .thread = INIT_THREAD, \
59261+ INIT_TASK_THREAD_INFO \
59262 .fs = &init_fs, \
59263 .files = &init_files, \
59264 .signal = &init_signals, \
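Review bot: INIT_TASK_THREAD_INFO hides a trailing comma inside the macro, so its use in the INIT_TASK initializer (second hunk) is written without one; that is correct but easy to break when someone adds a comma at the use site on the non-x86 path, where the macro expands to nothing. A comment at the definition, `/* carries its own trailing comma; expands to nothing when !CONFIG_X86 */`, would make the contract visible. `.tinfo = INIT_THREAD_INFO,` also invokes INIT_THREAD_INFO without the task argument the mainline macro takes, so this hunk presumably depends on an arch header change elsewhere in the patch.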
59265diff -urNp linux-3.1.1/include/linux/intel-iommu.h linux-3.1.1/include/linux/intel-iommu.h
59266--- linux-3.1.1/include/linux/intel-iommu.h 2011-11-11 15:19:27.000000000 -0500
59267+++ linux-3.1.1/include/linux/intel-iommu.h 2011-11-16 18:39:08.000000000 -0500
59268@@ -296,7 +296,7 @@ struct iommu_flush {
59269 u8 fm, u64 type);
59270 void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr,
59271 unsigned int size_order, u64 type);
59272-};
59273+} __no_const;
59274
59275 enum {
59276 SR_DMAR_FECTL_REG,
59277diff -urNp linux-3.1.1/include/linux/interrupt.h linux-3.1.1/include/linux/interrupt.h
59278--- linux-3.1.1/include/linux/interrupt.h 2011-11-11 15:19:27.000000000 -0500
59279+++ linux-3.1.1/include/linux/interrupt.h 2011-11-16 18:39:08.000000000 -0500
59280@@ -425,7 +425,7 @@ enum
59281 /* map softirq index to softirq name. update 'softirq_to_name' in
59282 * kernel/softirq.c when adding a new softirq.
59283 */
59284-extern char *softirq_to_name[NR_SOFTIRQS];
59285+extern const char * const softirq_to_name[NR_SOFTIRQS];
59286
59287 /* softirq mask and active fields moved to irq_cpustat_t in
59288 * asm/hardirq.h to get better cache usage. KAO
59289@@ -433,12 +433,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
59290
59291 struct softirq_action
59292 {
59293- void (*action)(struct softirq_action *);
59294+ void (*action)(void);
59295 };
59296
59297 asmlinkage void do_softirq(void);
59298 asmlinkage void __do_softirq(void);
59299-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
59300+extern void open_softirq(int nr, void (*action)(void));
59301 extern void softirq_init(void);
59302 static inline void __raise_softirq_irqoff(unsigned int nr)
59303 {
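Review bot: Dropping the `struct softirq_action *` parameter from `action` and from open_softirq changes the signature every registered softirq handler must have, and the const-qualification of `softirq_to_name` requires its definition to become `const char * const` as well, or declaration and definition will conflict; the existing comment above the declaration already points at kernel/softirq.c as the place that must change in lockstep. A comment in struct softirq_action noting that the argument was removed on purpose (handlers never used it — TODO confirm) would stop a later merge from reintroducing it. Making the name table const is a sound hardening step, since it moves the pointer array out of writable data.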
59304diff -urNp linux-3.1.1/include/linux/kallsyms.h linux-3.1.1/include/linux/kallsyms.h
59305--- linux-3.1.1/include/linux/kallsyms.h 2011-11-11 15:19:27.000000000 -0500
59306+++ linux-3.1.1/include/linux/kallsyms.h 2011-11-16 18:40:31.000000000 -0500
59307@@ -15,7 +15,8 @@
59308
59309 struct module;
59310
59311-#ifdef CONFIG_KALLSYMS
59312+#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
59313+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
59314 /* Lookup the address for a symbol. Returns 0 if not found. */
59315 unsigned long kallsyms_lookup_name(const char *name);
59316
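Review bot: The comment on the new `#else` branch in the second kallsyms.h hunk (`when included by kallsyms.c, vsnprintf.c, or arch/x86/kernel/dumpstack.c, with HIDESYM enabled`) does not match the condition that selects it: the outer `#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)` added here reaches `#else` whenever `__INCLUDED_BY_HIDESYM` is defined and CONFIG_KALLSYMS is on, whether or not CONFIG_GRKERNSEC_HIDESYM is set; only the inner `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` tests HIDESYM. Either add `defined(CONFIG_GRKERNSEC_HIDESYM)` to the outer condition or reword the comment to say the branch is for the files that implement symbol printing and must see the real prototypes regardless of the option. The inner block's closing `#endif /*CONFIG_KALLSYMS*/` label is now stale and could read `/* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */`. In that `#else` branch `kallsyms_lookup` is the only declaration written without `extern`, unlike its three neighbours. The preprocessor block spans both hunks and its middle is outside this view.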
59317@@ -99,6 +100,16 @@ static inline int lookup_symbol_attrs(un
59318 /* Stupid that this does nothing, but I didn't create this mess. */
59319 #define __print_symbol(fmt, addr)
59320 #endif /*CONFIG_KALLSYMS*/
59321+#else /* when included by kallsyms.c, vsnprintf.c, or
59322+ arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
59323+extern void __print_symbol(const char *fmt, unsigned long address);
59324+extern int sprint_backtrace(char *buffer, unsigned long address);
59325+extern int sprint_symbol(char *buffer, unsigned long address);
59326+const char *kallsyms_lookup(unsigned long addr,
59327+ unsigned long *symbolsize,
59328+ unsigned long *offset,
59329+ char **modname, char *namebuf);
59330+#endif
59331
59332 /* This macro allows us to keep printk typechecking */
59333 static void __check_printsym_format(const char *fmt, ...)
59334diff -urNp linux-3.1.1/include/linux/kgdb.h linux-3.1.1/include/linux/kgdb.h
59335--- linux-3.1.1/include/linux/kgdb.h 2011-11-11 15:19:27.000000000 -0500
59336+++ linux-3.1.1/include/linux/kgdb.h 2011-11-16 18:39:08.000000000 -0500
59337@@ -53,7 +53,7 @@ extern int kgdb_connected;
59338 extern int kgdb_io_module_registered;
59339
59340 extern atomic_t kgdb_setting_breakpoint;
59341-extern atomic_t kgdb_cpu_doing_single_step;
59342+extern atomic_unchecked_t kgdb_cpu_doing_single_step;
59343
59344 extern struct task_struct *kgdb_usethread;
59345 extern struct task_struct *kgdb_contthread;
59346@@ -251,7 +251,7 @@ struct kgdb_arch {
59347 void (*disable_hw_break)(struct pt_regs *regs);
59348 void (*remove_all_hw_break)(void);
59349 void (*correct_hw_break)(void);
59350-};
59351+} __do_const;
59352
59353 /**
59354 * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
59355@@ -276,7 +276,7 @@ struct kgdb_io {
59356 void (*pre_exception) (void);
59357 void (*post_exception) (void);
59358 int is_console;
59359-};
59360+} __do_const;
59361
59362 extern struct kgdb_arch arch_kgdb_ops;
59363
59364diff -urNp linux-3.1.1/include/linux/kmod.h linux-3.1.1/include/linux/kmod.h
59365--- linux-3.1.1/include/linux/kmod.h 2011-11-11 15:19:27.000000000 -0500
59366+++ linux-3.1.1/include/linux/kmod.h 2011-11-16 18:40:31.000000000 -0500
59367@@ -34,6 +34,8 @@ extern char modprobe_path[]; /* for sysc
59368 * usually useless though. */
59369 extern int __request_module(bool wait, const char *name, ...) \
59370 __attribute__((format(printf, 2, 3)));
59371+extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
59372+ __attribute__((format(printf, 3, 4)));
59373 #define request_module(mod...) __request_module(true, mod)
59374 #define request_module_nowait(mod...) __request_module(false, mod)
59375 #define try_then_request_module(x, mod...) \
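Review bot: `___request_module()` takes `char *param_name` while the adjacent `name` argument is `const char *`; unless the implementation writes through `param_name`, it should be `const char *` so callers can pass string literals and so the prototype follows the const-correctness this patch applies elsewhere (for example `kvm_init(const void *opaque, ...)`). A one-line comment above the prototype saying what `param_name` is and how the call differs from `__request_module()` would also help, since the triple-underscore name alone gives no hint and such identifiers are reserved for the implementation. The definition is not in this hunk, so whether `param_name` is modified cannot be confirmed here.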
59376diff -urNp linux-3.1.1/include/linux/kvm_host.h linux-3.1.1/include/linux/kvm_host.h
59377--- linux-3.1.1/include/linux/kvm_host.h 2011-11-11 15:19:27.000000000 -0500
59378+++ linux-3.1.1/include/linux/kvm_host.h 2011-11-16 18:39:08.000000000 -0500
59379@@ -308,7 +308,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
59380 void vcpu_load(struct kvm_vcpu *vcpu);
59381 void vcpu_put(struct kvm_vcpu *vcpu);
59382
59383-int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59384+int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59385 struct module *module);
59386 void kvm_exit(void);
59387
59388@@ -454,7 +454,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
59389 struct kvm_guest_debug *dbg);
59390 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
59391
59392-int kvm_arch_init(void *opaque);
59393+int kvm_arch_init(const void *opaque);
59394 void kvm_arch_exit(void);
59395
59396 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
59397diff -urNp linux-3.1.1/include/linux/libata.h linux-3.1.1/include/linux/libata.h
59398--- linux-3.1.1/include/linux/libata.h 2011-11-11 15:19:27.000000000 -0500
59399+++ linux-3.1.1/include/linux/libata.h 2011-11-16 18:39:08.000000000 -0500
59400@@ -909,7 +909,7 @@ struct ata_port_operations {
59401 * fields must be pointers.
59402 */
59403 const struct ata_port_operations *inherits;
59404-};
59405+} __do_const;
59406
59407 struct ata_port_info {
59408 unsigned long flags;
59409diff -urNp linux-3.1.1/include/linux/mca.h linux-3.1.1/include/linux/mca.h
59410--- linux-3.1.1/include/linux/mca.h 2011-11-11 15:19:27.000000000 -0500
59411+++ linux-3.1.1/include/linux/mca.h 2011-11-16 18:39:08.000000000 -0500
59412@@ -80,7 +80,7 @@ struct mca_bus_accessor_functions {
59413 int region);
59414 void * (*mca_transform_memory)(struct mca_device *,
59415 void *memory);
59416-};
59417+} __no_const;
59418
59419 struct mca_bus {
59420 u64 default_dma_mask;
59421diff -urNp linux-3.1.1/include/linux/memory.h linux-3.1.1/include/linux/memory.h
59422--- linux-3.1.1/include/linux/memory.h 2011-11-11 15:19:27.000000000 -0500
59423+++ linux-3.1.1/include/linux/memory.h 2011-11-16 18:39:08.000000000 -0500
59424@@ -144,7 +144,7 @@ struct memory_accessor {
59425 size_t count);
59426 ssize_t (*write)(struct memory_accessor *, const char *buf,
59427 off_t offset, size_t count);
59428-};
59429+} __no_const;
59430
59431 /*
59432 * Kernel text modification mutex, used for code patching. Users of this lock
59433diff -urNp linux-3.1.1/include/linux/mfd/abx500.h linux-3.1.1/include/linux/mfd/abx500.h
59434--- linux-3.1.1/include/linux/mfd/abx500.h 2011-11-11 15:19:27.000000000 -0500
59435+++ linux-3.1.1/include/linux/mfd/abx500.h 2011-11-16 18:39:08.000000000 -0500
59436@@ -234,6 +234,7 @@ struct abx500_ops {
59437 int (*event_registers_startup_state_get) (struct device *, u8 *);
59438 int (*startup_irq_enabled) (struct device *, unsigned int);
59439 };
59440+typedef struct abx500_ops __no_const abx500_ops_no_const;
59441
59442 int abx500_register_ops(struct device *core_dev, struct abx500_ops *ops);
59443 void abx500_remove_ops(struct device *dev);
59444diff -urNp linux-3.1.1/include/linux/mm.h linux-3.1.1/include/linux/mm.h
59445--- linux-3.1.1/include/linux/mm.h 2011-11-11 15:19:27.000000000 -0500
59446+++ linux-3.1.1/include/linux/mm.h 2011-11-16 18:39:08.000000000 -0500
59447@@ -114,7 +114,14 @@ extern unsigned int kobjsize(const void
59448
59449 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
59450 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
59451+
59452+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
59453+#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
59454+#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
59455+#else
59456 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
59457+#endif
59458+
59459 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
59460 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
59461
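Review bot: Redefining `VM_SAO` as `0x00000000` on x86-32 with PAGEEXEC turns every `vm_flags & VM_SAO` test into a constant false and hands the bit to `VM_PAGEEXEC`, but nothing at the definition explains the trade, so a later maintainer may "fix" the zero value. A comment such as `/* x86-32 has no free vm_flags bit: reuse VM_SAO (powerpc-only) for VM_PAGEEXEC */` would record the reasoning. Note also that `VM_PAGEEXEC` is only defined under `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32`, so any user guarded by `CONFIG_PAX_PAGEEXEC` alone would fail to build on other architectures; presumably all users carry the same compound guard, which is worth stating in the comment as well.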
59462@@ -1011,34 +1018,6 @@ int set_page_dirty(struct page *page);
59463 int set_page_dirty_lock(struct page *page);
59464 int clear_page_dirty_for_io(struct page *page);
59465
59466-/* Is the vma a continuation of the stack vma above it? */
59467-static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
59468-{
59469- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
59470-}
59471-
59472-static inline int stack_guard_page_start(struct vm_area_struct *vma,
59473- unsigned long addr)
59474-{
59475- return (vma->vm_flags & VM_GROWSDOWN) &&
59476- (vma->vm_start == addr) &&
59477- !vma_growsdown(vma->vm_prev, addr);
59478-}
59479-
59480-/* Is the vma a continuation of the stack vma below it? */
59481-static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
59482-{
59483- return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
59484-}
59485-
59486-static inline int stack_guard_page_end(struct vm_area_struct *vma,
59487- unsigned long addr)
59488-{
59489- return (vma->vm_flags & VM_GROWSUP) &&
59490- (vma->vm_end == addr) &&
59491- !vma_growsup(vma->vm_next, addr);
59492-}
59493-
59494 extern unsigned long move_page_tables(struct vm_area_struct *vma,
59495 unsigned long old_addr, struct vm_area_struct *new_vma,
59496 unsigned long new_addr, unsigned long len);
59497@@ -1133,6 +1112,15 @@ static inline void sync_mm_rss(struct ta
59498 }
59499 #endif
59500
59501+#ifdef CONFIG_MMU
59502+pgprot_t vm_get_page_prot(vm_flags_t vm_flags);
59503+#else
59504+static inline pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
59505+{
59506+ return __pgprot(0);
59507+}
59508+#endif
59509+
59510 int vma_wants_writenotify(struct vm_area_struct *vma);
59511
59512 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
59513@@ -1417,6 +1405,7 @@ out:
59514 }
59515
59516 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
59517+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
59518
59519 extern unsigned long do_brk(unsigned long, unsigned long);
59520
59521@@ -1474,6 +1463,10 @@ extern struct vm_area_struct * find_vma(
59522 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
59523 struct vm_area_struct **pprev);
59524
59525+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
59526+extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
59527+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
59528+
59529 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
59530 NULL if none. Assume start_addr < end_addr. */
59531 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
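Review bot: The three new `pax_*` prototypes carry no documentation, unlike the neighbouring `find_vma_prev()` and `find_vma_intersection()`, each of which has a comment. `pax_mirror_vma()` is `__must_check` and returns `long`, so its error convention (presumably a negative errno) and what a "mirror" VMA is should be stated, and `pax_mirror_file_pte()` takes a `spinlock_t *ptl`, which suggests the caller must already hold the PTE lock — a `/* caller holds ptl */` style remark would pin that contract. If, as the names suggest, these back the PaX mirror-VMA scheme, a short header comment naming that and the `vma_m`/`vma` pairing would suffice; the definitions are not in this hunk.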
59532@@ -1490,15 +1483,6 @@ static inline unsigned long vma_pages(st
59533 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
59534 }
59535
59536-#ifdef CONFIG_MMU
59537-pgprot_t vm_get_page_prot(unsigned long vm_flags);
59538-#else
59539-static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
59540-{
59541- return __pgprot(0);
59542-}
59543-#endif
59544-
59545 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
59546 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
59547 unsigned long pfn, unsigned long size, pgprot_t);
59548@@ -1612,7 +1596,7 @@ extern int unpoison_memory(unsigned long
59549 extern int sysctl_memory_failure_early_kill;
59550 extern int sysctl_memory_failure_recovery;
59551 extern void shake_page(struct page *p, int access);
59552-extern atomic_long_t mce_bad_pages;
59553+extern atomic_long_unchecked_t mce_bad_pages;
59554 extern int soft_offline_page(struct page *page, int flags);
59555
59556 extern void dump_page(struct page *page);
59557@@ -1626,5 +1610,11 @@ extern void copy_user_huge_page(struct p
59558 unsigned int pages_per_huge_page);
59559 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
59560
59561+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
59562+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
59563+#else
59564+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
59565+#endif
59566+
59567 #endif /* __KERNEL__ */
59568 #endif /* _LINUX_MM_H */
59569diff -urNp linux-3.1.1/include/linux/mm_types.h linux-3.1.1/include/linux/mm_types.h
59570--- linux-3.1.1/include/linux/mm_types.h 2011-11-11 15:19:27.000000000 -0500
59571+++ linux-3.1.1/include/linux/mm_types.h 2011-11-16 18:39:08.000000000 -0500
59572@@ -230,6 +230,8 @@ struct vm_area_struct {
59573 #ifdef CONFIG_NUMA
59574 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
59575 #endif
59576+
59577+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
59578 };
59579
59580 struct core_thread {
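Review bot: `vm_mirror` is added to `struct vm_area_struct` unconditionally, whereas every new `struct mm_struct` field in the next hunk is wrapped in its `CONFIG_PAX_*` guard; unless the field is read on non-PaX configurations it should get the same treatment so that vanilla builds do not grow every VMA by a pointer that is always NULL. The comment `/* PaX: mirror vma or NULL */` should also say who maintains the field — every site that allocates or duplicates a VMA must initialise it, otherwise a copied VMA carries a stale pointer; those sites are outside this hunk. For the mm_struct hunk, `delta_mmap`/`delta_stack` are the per-process ASLR offsets, so a note that they must never be exposed through /proc or debug interfaces would document the secrecy requirement next to the data.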
59581@@ -362,6 +364,24 @@ struct mm_struct {
59582 #ifdef CONFIG_CPUMASK_OFFSTACK
59583 struct cpumask cpumask_allocation;
59584 #endif
59585+
59586+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
59587+ unsigned long pax_flags;
59588+#endif
59589+
59590+#ifdef CONFIG_PAX_DLRESOLVE
59591+ unsigned long call_dl_resolve;
59592+#endif
59593+
59594+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
59595+ unsigned long call_syscall;
59596+#endif
59597+
59598+#ifdef CONFIG_PAX_ASLR
59599+ unsigned long delta_mmap; /* randomized offset */
59600+ unsigned long delta_stack; /* randomized offset */
59601+#endif
59602+
59603 };
59604
59605 static inline void mm_init_cpumask(struct mm_struct *mm)
59606diff -urNp linux-3.1.1/include/linux/mmu_notifier.h linux-3.1.1/include/linux/mmu_notifier.h
59607--- linux-3.1.1/include/linux/mmu_notifier.h 2011-11-11 15:19:27.000000000 -0500
59608+++ linux-3.1.1/include/linux/mmu_notifier.h 2011-11-16 18:39:08.000000000 -0500
59609@@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
59610 */
59611 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
59612 ({ \
59613- pte_t __pte; \
59614+ pte_t ___pte; \
59615 struct vm_area_struct *___vma = __vma; \
59616 unsigned long ___address = __address; \
59617- __pte = ptep_clear_flush(___vma, ___address, __ptep); \
59618+ ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
59619 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
59620- __pte; \
59621+ ___pte; \
59622 })
59623
59624 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
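Review bot: Renaming the statement-expression local from `__pte` to `___pte` brings it in line with the other locals in the macro (`___vma`, `___address`), presumably because `__pte` is also the name of the architecture pte constructor (a function or function-like macro on most arches) which the local would shadow; nothing records that reason, so the next person may rename it back for tidiness. A comment on the macro such as `/* ___pte: the double-underscore form collides with the arch __pte() helper */` would preserve the reasoning. The sibling `pmdp_clear_flush_notify` macro starting right after the hunk should be checked for the same pattern; its body is outside this view.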
59625diff -urNp linux-3.1.1/include/linux/mmzone.h linux-3.1.1/include/linux/mmzone.h
59626--- linux-3.1.1/include/linux/mmzone.h 2011-11-11 15:19:27.000000000 -0500
59627+++ linux-3.1.1/include/linux/mmzone.h 2011-11-16 18:39:08.000000000 -0500
59628@@ -356,7 +356,7 @@ struct zone {
59629 unsigned long flags; /* zone flags, see below */
59630
59631 /* Zone statistics */
59632- atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
59633+ atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
59634
59635 /*
59636 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
59637diff -urNp linux-3.1.1/include/linux/mod_devicetable.h linux-3.1.1/include/linux/mod_devicetable.h
59638--- linux-3.1.1/include/linux/mod_devicetable.h 2011-11-11 15:19:27.000000000 -0500
59639+++ linux-3.1.1/include/linux/mod_devicetable.h 2011-11-16 18:39:08.000000000 -0500
59640@@ -12,7 +12,7 @@
59641 typedef unsigned long kernel_ulong_t;
59642 #endif
59643
59644-#define PCI_ANY_ID (~0)
59645+#define PCI_ANY_ID ((__u16)~0)
59646
59647 struct pci_device_id {
59648 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
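Review bot: `PCI_ANY_ID` changes value, not just type: `struct pci_device_id` stores `vendor`/`device` as `__u32`, so id tables built from the macro now hold `0x0000ffff` instead of `0xffffffff`. Every comparison that goes through the macro keeps working, but any code — match helpers, `scripts/mod/file2alias.c`, or out-of-tree drivers built against the old value — that compares the field with `~0`/`0xffffffff` or writes the wildcard as a literal silently stops matching; I cannot verify those sites from this hunk. `HID_ANY_ID` in the next hunk becomes `(~0U)`, which keeps its 32-bit value, so if the goal for `PCI_ANY_ID` is only an unsigned type, the same form `(~0U)` achieves that without altering the stored wildcard.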
59649@@ -131,7 +131,7 @@ struct usb_device_id {
59650 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
59651 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
59652
59653-#define HID_ANY_ID (~0)
59654+#define HID_ANY_ID (~0U)
59655
59656 struct hid_device_id {
59657 __u16 bus;
59658diff -urNp linux-3.1.1/include/linux/module.h linux-3.1.1/include/linux/module.h
59659--- linux-3.1.1/include/linux/module.h 2011-11-11 15:19:27.000000000 -0500
59660+++ linux-3.1.1/include/linux/module.h 2011-11-16 18:39:08.000000000 -0500
59661@@ -16,6 +16,7 @@
59662 #include <linux/kobject.h>
59663 #include <linux/moduleparam.h>
59664 #include <linux/tracepoint.h>
59665+#include <linux/fs.h>
59666
59667 #include <linux/percpu.h>
59668 #include <asm/module.h>
59669@@ -327,19 +328,16 @@ struct module
59670 int (*init)(void);
59671
59672 /* If this is non-NULL, vfree after init() returns */
59673- void *module_init;
59674+ void *module_init_rx, *module_init_rw;
59675
59676 /* Here is the actual code + data, vfree'd on unload. */
59677- void *module_core;
59678+ void *module_core_rx, *module_core_rw;
59679
59680 /* Here are the sizes of the init and core sections */
59681- unsigned int init_size, core_size;
59682+ unsigned int init_size_rw, core_size_rw;
59683
59684 /* The size of the executable code in each section. */
59685- unsigned int init_text_size, core_text_size;
59686-
59687- /* Size of RO sections of the module (text+rodata) */
59688- unsigned int init_ro_size, core_ro_size;
59689+ unsigned int init_size_rx, core_size_rx;
59690
59691 /* Arch-specific module values */
59692 struct mod_arch_specific arch;
59693@@ -395,6 +393,10 @@ struct module
59694 #ifdef CONFIG_EVENT_TRACING
59695 struct ftrace_event_call **trace_events;
59696 unsigned int num_trace_events;
59697+ struct file_operations trace_id;
59698+ struct file_operations trace_enable;
59699+ struct file_operations trace_format;
59700+ struct file_operations trace_filter;
59701 #endif
59702 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
59703 unsigned int num_ftrace_callsites;
59704@@ -445,16 +447,46 @@ bool is_module_address(unsigned long add
59705 bool is_module_percpu_address(unsigned long addr);
59706 bool is_module_text_address(unsigned long addr);
59707
59708+static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
59709+{
59710+
59711+#ifdef CONFIG_PAX_KERNEXEC
59712+ if (ktla_ktva(addr) >= (unsigned long)start &&
59713+ ktla_ktva(addr) < (unsigned long)start + size)
59714+ return 1;
59715+#endif
59716+
59717+ return ((void *)addr >= start && (void *)addr < start + size);
59718+}
59719+
59720+static inline int within_module_core_rx(unsigned long addr, struct module *mod)
59721+{
59722+ return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
59723+}
59724+
59725+static inline int within_module_core_rw(unsigned long addr, struct module *mod)
59726+{
59727+ return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
59728+}
59729+
59730+static inline int within_module_init_rx(unsigned long addr, struct module *mod)
59731+{
59732+ return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
59733+}
59734+
59735+static inline int within_module_init_rw(unsigned long addr, struct module *mod)
59736+{
59737+ return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
59738+}
59739+
59740 static inline int within_module_core(unsigned long addr, struct module *mod)
59741 {
59742- return (unsigned long)mod->module_core <= addr &&
59743- addr < (unsigned long)mod->module_core + mod->core_size;
59744+ return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
59745 }
59746
59747 static inline int within_module_init(unsigned long addr, struct module *mod)
59748 {
59749- return (unsigned long)mod->module_init <= addr &&
59750- addr < (unsigned long)mod->module_init + mod->init_size;
59751+ return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
59752 }
59753
59754 /* Search for module by name: must hold module_mutex. */
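Review bot: `within_module_range()` only reads through `start` but takes it as `void *`, and has a stray blank line after the opening brace; `const void *start` would match the const-correctness applied elsewhere in this patch and let callers pass const sections. The KERNEXEC branch compares `ktla_ktva(addr)` against the same range, which I read as testing the address under both views of kernel text; a comment stating that intent, e.g. `/* KERNEXEC: text is also reachable through its alternate mapping, so test that view too */`, would make the `#ifdef` self-explanatory. Note that `start + size` relies on the GNU `void *` arithmetic extension, which is normal in the kernel but means the helper is not portable C.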
59755diff -urNp linux-3.1.1/include/linux/moduleloader.h linux-3.1.1/include/linux/moduleloader.h
59756--- linux-3.1.1/include/linux/moduleloader.h 2011-11-11 15:19:27.000000000 -0500
59757+++ linux-3.1.1/include/linux/moduleloader.h 2011-11-16 18:39:08.000000000 -0500
59758@@ -25,9 +25,21 @@ unsigned int arch_mod_section_prepend(st
59759 sections. Returns NULL on failure. */
59760 void *module_alloc(unsigned long size);
59761
59762+#ifdef CONFIG_PAX_KERNEXEC
59763+void *module_alloc_exec(unsigned long size);
59764+#else
59765+#define module_alloc_exec(x) module_alloc(x)
59766+#endif
59767+
59768 /* Free memory returned from module_alloc. */
59769 void module_free(struct module *mod, void *module_region);
59770
59771+#ifdef CONFIG_PAX_KERNEXEC
59772+void module_free_exec(struct module *mod, void *module_region);
59773+#else
59774+#define module_free_exec(x, y) module_free((x), (y))
59775+#endif
59776+
59777 /* Apply the given relocation to the (simplified) ELF. Return -error
59778 or 0. */
59779 int apply_relocate(Elf_Shdr *sechdrs,
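Review bot: `module_free_exec()` gets no counterpart to the `/* Free memory returned from module_alloc. */` comment above `module_free()`, so nothing says that memory from `module_alloc_exec()` must be released with `module_free_exec()` and not `module_free()`; on a KERNEXEC kernel those presumably come from different allocators, so mixing them would be a bug that the non-KERNEXEC fallback macros hide. A comment such as `/* Free memory returned from module_alloc_exec(); never pass it to module_free(). */` above the second `#ifdef` would fix that. The `#define` fallbacks also lose argument type checking compared with a `static inline` wrapper, which this header could use since `module_alloc()` and `module_free()` are declared right above.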
59780diff -urNp linux-3.1.1/include/linux/moduleparam.h linux-3.1.1/include/linux/moduleparam.h
59781--- linux-3.1.1/include/linux/moduleparam.h 2011-11-11 15:19:27.000000000 -0500
59782+++ linux-3.1.1/include/linux/moduleparam.h 2011-11-16 18:39:08.000000000 -0500
59783@@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
59784 * @len is usually just sizeof(string).
59785 */
59786 #define module_param_string(name, string, len, perm) \
59787- static const struct kparam_string __param_string_##name \
59788+ static const struct kparam_string __param_string_##name __used \
59789 = { len, string }; \
59790 __module_param_call(MODULE_PARAM_PREFIX, name, \
59791 &param_ops_string, \
59792@@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
59793 * module_param_named() for why this might be necessary.
59794 */
59795 #define module_param_array_named(name, array, type, nump, perm) \
59796- static const struct kparam_array __param_arr_##name \
59797+ static const struct kparam_array __param_arr_##name __used \
59798 = { .max = ARRAY_SIZE(array), .num = nump, \
59799 .ops = &param_ops_##type, \
59800 .elemsize = sizeof(array[0]), .elem = array }; \
59801diff -urNp linux-3.1.1/include/linux/namei.h linux-3.1.1/include/linux/namei.h
59802--- linux-3.1.1/include/linux/namei.h 2011-11-11 15:19:27.000000000 -0500
59803+++ linux-3.1.1/include/linux/namei.h 2011-11-16 18:39:08.000000000 -0500
59804@@ -24,7 +24,7 @@ struct nameidata {
59805 unsigned seq;
59806 int last_type;
59807 unsigned depth;
59808- char *saved_names[MAX_NESTED_LINKS + 1];
59809+ const char *saved_names[MAX_NESTED_LINKS + 1];
59810
59811 /* Intent data */
59812 union {
59813@@ -94,12 +94,12 @@ extern int follow_up(struct path *);
59814 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
59815 extern void unlock_rename(struct dentry *, struct dentry *);
59816
59817-static inline void nd_set_link(struct nameidata *nd, char *path)
59818+static inline void nd_set_link(struct nameidata *nd, const char *path)
59819 {
59820 nd->saved_names[nd->depth] = path;
59821 }
59822
59823-static inline char *nd_get_link(struct nameidata *nd)
59824+static inline const char *nd_get_link(const struct nameidata *nd)
59825 {
59826 return nd->saved_names[nd->depth];
59827 }
59828diff -urNp linux-3.1.1/include/linux/netdevice.h linux-3.1.1/include/linux/netdevice.h
59829--- linux-3.1.1/include/linux/netdevice.h 2011-11-11 15:19:27.000000000 -0500
59830+++ linux-3.1.1/include/linux/netdevice.h 2011-11-16 18:39:08.000000000 -0500
59831@@ -944,6 +944,7 @@ struct net_device_ops {
59832 int (*ndo_set_features)(struct net_device *dev,
59833 u32 features);
59834 };
59835+typedef struct net_device_ops __no_const net_device_ops_no_const;
59836
59837 /*
59838 * The DEVICE structure.
59839diff -urNp linux-3.1.1/include/linux/netfilter/xt_gradm.h linux-3.1.1/include/linux/netfilter/xt_gradm.h
59840--- linux-3.1.1/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
59841+++ linux-3.1.1/include/linux/netfilter/xt_gradm.h 2011-11-16 18:40:31.000000000 -0500
59842@@ -0,0 +1,9 @@
59843+#ifndef _LINUX_NETFILTER_XT_GRADM_H
59844+#define _LINUX_NETFILTER_XT_GRADM_H 1
59845+
59846+struct xt_gradm_mtinfo {
59847+ __u16 flags;
59848+ __u16 invflags;
59849+};
59850+
59851+#endif
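Review bot: The new header uses `__u16` but includes nothing, so it is not self-contained and only compiles when the includer has already pulled in `<linux/types.h>`; add `#include <linux/types.h>` after the guard. If the struct is meant to be shared with a userspace xtables match (its `flags`/`invflags` layout looks like a match-info structure), that include is also what makes it usable from there.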
59852diff -urNp linux-3.1.1/include/linux/of_pdt.h linux-3.1.1/include/linux/of_pdt.h
59853--- linux-3.1.1/include/linux/of_pdt.h 2011-11-11 15:19:27.000000000 -0500
59854+++ linux-3.1.1/include/linux/of_pdt.h 2011-11-16 18:39:08.000000000 -0500
59855@@ -32,7 +32,7 @@ struct of_pdt_ops {
59856
59857 /* return 0 on success; fill in 'len' with number of bytes in path */
59858 int (*pkg2path)(phandle node, char *buf, const int buflen, int *len);
59859-};
59860+} __no_const;
59861
59862 extern void *prom_early_alloc(unsigned long size);
59863
59864diff -urNp linux-3.1.1/include/linux/oprofile.h linux-3.1.1/include/linux/oprofile.h
59865--- linux-3.1.1/include/linux/oprofile.h 2011-11-11 15:19:27.000000000 -0500
59866+++ linux-3.1.1/include/linux/oprofile.h 2011-11-16 18:39:08.000000000 -0500
59867@@ -139,9 +139,9 @@ int oprofilefs_create_ulong(struct super
59868 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
59869 char const * name, ulong * val);
59870
59871-/** Create a file for read-only access to an atomic_t. */
59872+/** Create a file for read-only access to an atomic_unchecked_t. */
59873 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
59874- char const * name, atomic_t * val);
59875+ char const * name, atomic_unchecked_t * val);
59876
59877 /** create a directory */
59878 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
59879diff -urNp linux-3.1.1/include/linux/padata.h linux-3.1.1/include/linux/padata.h
59880--- linux-3.1.1/include/linux/padata.h 2011-11-11 15:19:27.000000000 -0500
59881+++ linux-3.1.1/include/linux/padata.h 2011-11-16 18:39:08.000000000 -0500
59882@@ -129,7 +129,7 @@ struct parallel_data {
59883 struct padata_instance *pinst;
59884 struct padata_parallel_queue __percpu *pqueue;
59885 struct padata_serial_queue __percpu *squeue;
59886- atomic_t seq_nr;
59887+ atomic_unchecked_t seq_nr;
59888 atomic_t reorder_objects;
59889 atomic_t refcnt;
59890 unsigned int max_seq_nr;
59891diff -urNp linux-3.1.1/include/linux/perf_event.h linux-3.1.1/include/linux/perf_event.h
59892--- linux-3.1.1/include/linux/perf_event.h 2011-11-11 15:19:27.000000000 -0500
59893+++ linux-3.1.1/include/linux/perf_event.h 2011-11-16 18:39:08.000000000 -0500
59894@@ -745,8 +745,8 @@ struct perf_event {
59895
59896 enum perf_event_active_state state;
59897 unsigned int attach_state;
59898- local64_t count;
59899- atomic64_t child_count;
59900+ local64_t count; /* PaX: fix it one day */
59901+ atomic64_unchecked_t child_count;
59902
59903 /*
59904 * These are the total time in nanoseconds that the event
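Review bot: The new comment `/* PaX: fix it one day */` on `count` says neither what is wrong nor what the fix would be, so it will be unreadable in a year; from context the issue appears to be that `local64_t` has no `_unchecked` variant, leaving `count` outside the REFCOUNT overflow-checking scheme while `child_count` and the two totals in the next hunk opt out of it explicitly. Something like `/* PaX: no local64_unchecked_t yet, so this stays unannotated */` would carry that information, if that is indeed the reason.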
59905@@ -797,8 +797,8 @@ struct perf_event {
59906 * These accumulate total time (in nanoseconds) that children
59907 * events have been enabled and running, respectively.
59908 */
59909- atomic64_t child_total_time_enabled;
59910- atomic64_t child_total_time_running;
59911+ atomic64_unchecked_t child_total_time_enabled;
59912+ atomic64_unchecked_t child_total_time_running;
59913
59914 /*
59915 * Protect attach/detach and child_list:
59916diff -urNp linux-3.1.1/include/linux/pipe_fs_i.h linux-3.1.1/include/linux/pipe_fs_i.h
59917--- linux-3.1.1/include/linux/pipe_fs_i.h 2011-11-11 15:19:27.000000000 -0500
59918+++ linux-3.1.1/include/linux/pipe_fs_i.h 2011-11-16 18:39:08.000000000 -0500
59919@@ -46,9 +46,9 @@ struct pipe_buffer {
59920 struct pipe_inode_info {
59921 wait_queue_head_t wait;
59922 unsigned int nrbufs, curbuf, buffers;
59923- unsigned int readers;
59924- unsigned int writers;
59925- unsigned int waiting_writers;
59926+ atomic_t readers;
59927+ atomic_t writers;
59928+ atomic_t waiting_writers;
59929 unsigned int r_counter;
59930 unsigned int w_counter;
59931 struct page *tmp_page;
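Review bot: Switching `readers`/`writers`/`waiting_writers` to `atomic_t` gives these counters overflow detection under PAX_REFCOUNT, but it does not by itself make the read-then-act sequences in fs/pipe.c and fs/fifo.c (wait until a writer appears, wake when the last reader leaves) race-free — those still depend on the pipe mutex, and every `++`/`--`/compare on the three fields must now go through `atomic_inc`/`atomic_dec`/`atomic_read`, which this hunk cannot show. A comment on the struct recording which lock still serialises them, e.g. `/* protected by the pipe mutex; atomic_t only for overflow detection */`, would keep a later reader from assuming the lock became optional.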
59932diff -urNp linux-3.1.1/include/linux/pm_runtime.h linux-3.1.1/include/linux/pm_runtime.h
59933--- linux-3.1.1/include/linux/pm_runtime.h 2011-11-11 15:19:27.000000000 -0500
59934+++ linux-3.1.1/include/linux/pm_runtime.h 2011-11-16 18:39:08.000000000 -0500
59935@@ -99,7 +99,7 @@ static inline bool pm_runtime_callbacks_
59936
59937 static inline void pm_runtime_mark_last_busy(struct device *dev)
59938 {
59939- ACCESS_ONCE(dev->power.last_busy) = jiffies;
59940+ ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
59941 }
59942
59943 #else /* !CONFIG_PM_RUNTIME */
59944diff -urNp linux-3.1.1/include/linux/poison.h linux-3.1.1/include/linux/poison.h
59945--- linux-3.1.1/include/linux/poison.h 2011-11-11 15:19:27.000000000 -0500
59946+++ linux-3.1.1/include/linux/poison.h 2011-11-16 18:39:08.000000000 -0500
59947@@ -19,8 +19,8 @@
59948 * under normal circumstances, used to verify that nobody uses
59949 * non-initialized list entries.
59950 */
59951-#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
59952-#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
59953+#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
59954+#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
59955
59956 /********** include/linux/timer.h **********/
59957 /*
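Review bot: On LP64 targets `0xFFFFFF01` has type `unsigned int`, so `(void *)(long)0xFFFFFF01` is `0x00000000ffffff01` — an address in the low 4 GiB that unprivileged user space can map — whereas the replaced `0x00100100 + POISON_POINTER_DELTA` form exists precisely to put the list poison where no mapping can cover it. These values are what list_del() leaves in freed nodes, so a poison that user space can back with a page turns a dereference of a stale list pointer from a guaranteed fault into a controllable access, unless the kernel also forbids kernel-mode access to user addresses (PaX UDEREF would, but it is a separate option). Casting through `int` first, `((void *)(long)(int)0xFFFFFF01)`, sign-extends to the very top of the kernel range on 64-bit, which is not normally mapped, and leaves the 32-bit value unchanged; a comment stating the intended address on each word size would let a reviewer verify it.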
59958diff -urNp linux-3.1.1/include/linux/preempt.h linux-3.1.1/include/linux/preempt.h
59959--- linux-3.1.1/include/linux/preempt.h 2011-11-11 15:19:27.000000000 -0500
59960+++ linux-3.1.1/include/linux/preempt.h 2011-11-16 18:39:08.000000000 -0500
59961@@ -123,7 +123,7 @@ struct preempt_ops {
59962 void (*sched_in)(struct preempt_notifier *notifier, int cpu);
59963 void (*sched_out)(struct preempt_notifier *notifier,
59964 struct task_struct *next);
59965-};
59966+} __no_const;
59967
59968 /**
59969 * preempt_notifier - key for installing preemption notifiers
59970diff -urNp linux-3.1.1/include/linux/proc_fs.h linux-3.1.1/include/linux/proc_fs.h
59971--- linux-3.1.1/include/linux/proc_fs.h 2011-11-11 15:19:27.000000000 -0500
59972+++ linux-3.1.1/include/linux/proc_fs.h 2011-11-16 18:40:31.000000000 -0500
59973@@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
59974 return proc_create_data(name, mode, parent, proc_fops, NULL);
59975 }
59976
59977+static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
59978+ struct proc_dir_entry *parent, const struct file_operations *proc_fops)
59979+{
59980+#ifdef CONFIG_GRKERNSEC_PROC_USER
59981+ return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
59982+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
59983+ return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
59984+#else
59985+ return proc_create_data(name, mode, parent, proc_fops, NULL);
59986+#endif
59987+}
59988+
59989+
59990 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
59991 mode_t mode, struct proc_dir_entry *base,
59992 read_proc_t *read_proc, void * data)
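Review bot: `proc_create_grsec()` discards its `mode` argument entirely under `CONFIG_GRKERNSEC_PROC_USER` and `CONFIG_GRKERNSEC_PROC_USERGROUP`, including any write bits the caller asked for, so an entry meant to be writable becomes read-only on those configs; that is probably the intended restriction, but the function has no comment saying so and a caller reading the signature would expect `mode` to be honoured. A comment such as `/* mode is overridden to owner-only (or owner+group) read access when GRKERNSEC_PROC_USER[GROUP] is set; use only for read-only entries */` above the definition would make the contract explicit. The double blank line before `create_proc_read_entry()` can be collapsed to one.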
59993@@ -258,7 +271,7 @@ union proc_op {
59994 int (*proc_show)(struct seq_file *m,
59995 struct pid_namespace *ns, struct pid *pid,
59996 struct task_struct *task);
59997-};
59998+} __no_const;
59999
60000 struct ctl_table_header;
60001 struct ctl_table;
60002diff -urNp linux-3.1.1/include/linux/ptrace.h linux-3.1.1/include/linux/ptrace.h
60003--- linux-3.1.1/include/linux/ptrace.h 2011-11-11 15:19:27.000000000 -0500
60004+++ linux-3.1.1/include/linux/ptrace.h 2011-11-16 18:40:31.000000000 -0500
60005@@ -129,10 +129,10 @@ extern void __ptrace_unlink(struct task_
60006 extern void exit_ptrace(struct task_struct *tracer);
60007 #define PTRACE_MODE_READ 1
60008 #define PTRACE_MODE_ATTACH 2
60009-/* Returns 0 on success, -errno on denial. */
60010-extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
60011 /* Returns true on success, false on denial. */
60012 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
60013+/* Returns true on success, false on denial. */
60014+extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
60015
60016 static inline int ptrace_reparented(struct task_struct *child)
60017 {
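Review bot: `ptrace_may_access_log()` is introduced with a comment that is a verbatim copy of the one on `ptrace_may_access()`, so nothing states how the two differ — presumably the `_log` variant reports denials through the grsecurity audit path, and callers need to know when that is appropriate so routine denials do not flood the log. Reword the new comment to say what is logged and when to prefer it, e.g. `/* As ptrace_may_access(), but logs a denied request; use where denial is security-relevant rather than routine. */`. The hunk also drops the `__ptrace_may_access()` prototype, so any remaining caller of the errno-returning form, in tree or out of tree, will fail to build; fine if intended, but worth a line in the patch description.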
60018diff -urNp linux-3.1.1/include/linux/random.h linux-3.1.1/include/linux/random.h
60019--- linux-3.1.1/include/linux/random.h 2011-11-11 15:19:27.000000000 -0500
60020+++ linux-3.1.1/include/linux/random.h 2011-11-16 18:39:08.000000000 -0500
60021@@ -69,12 +69,17 @@ void srandom32(u32 seed);
60022
60023 u32 prandom32(struct rnd_state *);
60024
60025+static inline unsigned long pax_get_random_long(void)
60026+{
60027+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
60028+}
60029+
60030 /*
60031 * Handle minimum values for seeds
60032 */
60033 static inline u32 __seed(u32 x, u32 m)
60034 {
60035- return (x < m) ? x + m : x;
60036+ return (x <= m) ? x + m + 1 : x;
60037 }
60038
60039 /**
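Review bot: `pax_get_random_long()` is built on `random32()`, the Tausworthe PRNG declared in this same header, which is not designed to be unpredictable; if, as the name and the new `delta_mmap`/`delta_stack` fields in mm_types.h suggest, it supplies the ASLR offsets, layout secrecy is only as strong as that generator's state, whereas mainline's mmap randomisation at this version draws from `get_random_int()`. Either switch the source or document why prandom is judged adequate here. On 32-bit `long` the `(unsigned long)random32() << 32` in the constant-false branch is a shift by the full type width, which GCC still warns about and which is undefined if ever evaluated; `#if BITS_PER_LONG == 64` around the high-word part, or `<< 16 << 16`, avoids it. The `__seed()` change looks like a genuine fix — the old form returned exactly `m` for `x == 0`, and the generator needs seeds strictly above the minimum — but the `+ 1` deserves a one-line comment such as `/* seeds must be > m, not >= m */` so it is not "simplified" away.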
60040diff -urNp linux-3.1.1/include/linux/reboot.h linux-3.1.1/include/linux/reboot.h
60041--- linux-3.1.1/include/linux/reboot.h 2011-11-11 15:19:27.000000000 -0500
60042+++ linux-3.1.1/include/linux/reboot.h 2011-11-16 18:39:08.000000000 -0500
60043@@ -52,9 +52,9 @@ extern int unregister_reboot_notifier(st
60044 * Architecture-specific implementations of sys_reboot commands.
60045 */
60046
60047-extern void machine_restart(char *cmd);
60048-extern void machine_halt(void);
60049-extern void machine_power_off(void);
60050+extern void machine_restart(char *cmd) __noreturn;
60051+extern void machine_halt(void) __noreturn;
60052+extern void machine_power_off(void) __noreturn;
60053
60054 extern void machine_shutdown(void);
60055 struct pt_regs;
60056@@ -65,9 +65,9 @@ extern void machine_crash_shutdown(struc
60057 */
60058
60059 extern void kernel_restart_prepare(char *cmd);
60060-extern void kernel_restart(char *cmd);
60061-extern void kernel_halt(void);
60062-extern void kernel_power_off(void);
60063+extern void kernel_restart(char *cmd) __noreturn;
60064+extern void kernel_halt(void) __noreturn;
60065+extern void kernel_power_off(void) __noreturn;
60066
60067 extern int C_A_D; /* for sysctl */
60068 void ctrl_alt_del(void);
60069@@ -81,7 +81,7 @@ extern int orderly_poweroff(bool force);
60070 * Emergency restart, callable from an interrupt handler.
60071 */
60072
60073-extern void emergency_restart(void);
60074+extern void emergency_restart(void) __noreturn;
60075 #include <asm/emergency-restart.h>
60076
60077 #endif
60078diff -urNp linux-3.1.1/include/linux/reiserfs_fs.h linux-3.1.1/include/linux/reiserfs_fs.h
60079--- linux-3.1.1/include/linux/reiserfs_fs.h 2011-11-11 15:19:27.000000000 -0500
60080+++ linux-3.1.1/include/linux/reiserfs_fs.h 2011-11-16 18:39:08.000000000 -0500
60081@@ -1406,7 +1406,7 @@ static inline loff_t max_reiserfs_offset
60082 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
60083
60084 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
60085-#define get_generation(s) atomic_read (&fs_generation(s))
60086+#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
60087 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
60088 #define __fs_changed(gen,s) (gen != get_generation (s))
60089 #define fs_changed(gen,s) \
60090diff -urNp linux-3.1.1/include/linux/reiserfs_fs_sb.h linux-3.1.1/include/linux/reiserfs_fs_sb.h
60091--- linux-3.1.1/include/linux/reiserfs_fs_sb.h 2011-11-11 15:19:27.000000000 -0500
60092+++ linux-3.1.1/include/linux/reiserfs_fs_sb.h 2011-11-16 18:39:08.000000000 -0500
60093@@ -386,7 +386,7 @@ struct reiserfs_sb_info {
60094 /* Comment? -Hans */
60095 wait_queue_head_t s_wait;
60096 /* To be obsoleted soon by per buffer seals.. -Hans */
60097- atomic_t s_generation_counter; // increased by one every time the
60098+ atomic_unchecked_t s_generation_counter; // increased by one every time the
60099 // tree gets re-balanced
60100 unsigned long s_properties; /* File system properties. Currently holds
60101 on-disk FS format */
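Review bot: Switching `s_generation_counter` to `atomic_unchecked_t` opts it out of the refcount-overflow detection, and the surviving comment only says it is bumped on every rebalance, so a later reader may well "fix" the type back. The reason it is safe belongs in the comment: the reiserfs_fs.h hunk above shows the value is only ever compared for equality (`FILESYSTEM_CHANGED_TB`, `__fs_changed`), so wrapping is harmless. I would extend the line to `atomic_unchecked_t s_generation_counter; // generation number, compared for equality only: wrapping is harmless, so deliberately not refcount-checked`.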
60102diff -urNp linux-3.1.1/include/linux/relay.h linux-3.1.1/include/linux/relay.h
60103--- linux-3.1.1/include/linux/relay.h 2011-11-11 15:19:27.000000000 -0500
60104+++ linux-3.1.1/include/linux/relay.h 2011-11-16 18:39:08.000000000 -0500
60105@@ -159,7 +159,7 @@ struct rchan_callbacks
60106 * The callback should return 0 if successful, negative if not.
60107 */
60108 int (*remove_buf_file)(struct dentry *dentry);
60109-};
60110+} __no_const;
60111
60112 /*
60113 * CONFIG_RELAY kernel API, kernel/relay.c
60114diff -urNp linux-3.1.1/include/linux/rfkill.h linux-3.1.1/include/linux/rfkill.h
60115--- linux-3.1.1/include/linux/rfkill.h 2011-11-11 15:19:27.000000000 -0500
60116+++ linux-3.1.1/include/linux/rfkill.h 2011-11-16 18:39:08.000000000 -0500
60117@@ -147,6 +147,7 @@ struct rfkill_ops {
60118 void (*query)(struct rfkill *rfkill, void *data);
60119 int (*set_block)(void *data, bool blocked);
60120 };
60121+typedef struct rfkill_ops __no_const rfkill_ops_no_const;
60122
60123 #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
60124 /**
60125diff -urNp linux-3.1.1/include/linux/rmap.h linux-3.1.1/include/linux/rmap.h
60126--- linux-3.1.1/include/linux/rmap.h 2011-11-11 15:19:27.000000000 -0500
60127+++ linux-3.1.1/include/linux/rmap.h 2011-11-16 18:39:08.000000000 -0500
60128@@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
60129 void anon_vma_init(void); /* create anon_vma_cachep */
60130 int anon_vma_prepare(struct vm_area_struct *);
60131 void unlink_anon_vmas(struct vm_area_struct *);
60132-int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
60133-int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
60134+int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
60135+int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
60136 void __anon_vma_link(struct vm_area_struct *);
60137
60138 static inline void anon_vma_merge(struct vm_area_struct *vma,
60139diff -urNp linux-3.1.1/include/linux/sched.h linux-3.1.1/include/linux/sched.h
60140--- linux-3.1.1/include/linux/sched.h 2011-11-11 15:19:27.000000000 -0500
60141+++ linux-3.1.1/include/linux/sched.h 2011-11-16 18:40:31.000000000 -0500
60142@@ -100,6 +100,7 @@ struct bio_list;
60143 struct fs_struct;
60144 struct perf_event_context;
60145 struct blk_plug;
60146+struct linux_binprm;
60147
60148 /*
60149 * List of flags we want to share for kernel threads,
60150@@ -380,10 +381,13 @@ struct user_namespace;
60151 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
60152
60153 extern int sysctl_max_map_count;
60154+extern unsigned long sysctl_heap_stack_gap;
60155
60156 #include <linux/aio.h>
60157
60158 #ifdef CONFIG_MMU
60159+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
60160+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
60161 extern void arch_pick_mmap_layout(struct mm_struct *mm);
60162 extern unsigned long
60163 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
60164@@ -629,6 +633,17 @@ struct signal_struct {
60165 #ifdef CONFIG_TASKSTATS
60166 struct taskstats *stats;
60167 #endif
60168+
60169+#ifdef CONFIG_GRKERNSEC
60170+ u32 curr_ip;
60171+ u32 saved_ip;
60172+ u32 gr_saddr;
60173+ u32 gr_daddr;
60174+ u16 gr_sport;
60175+ u16 gr_dport;
60176+ u8 used_accept:1;
60177+#endif
60178+
60179 #ifdef CONFIG_AUDIT
60180 unsigned audit_tty;
60181 struct tty_audit_buf *tty_audit_buf;
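Review bot: The new `gr_saddr`/`gr_daddr` fields are `u32`, so only an IPv4 endpoint fits; an IPv6 peer cannot be represented and will presumably show up as zero or a truncated value, which a log consumer cannot tell apart from "no connection recorded". None of the added fields carry a comment, and from the names and the `used_accept` bit they appear to hold the endpoint of the last accept()/connect() for logging, which should be stated. I would add above the block `/* grsecurity: IPv4 endpoint of the last accept()/connect() for audit logging; IPv6 peers are not representable here */`, hedged as needed once the definition site confirms the byte order.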
60182@@ -710,6 +725,11 @@ struct user_struct {
60183 struct key *session_keyring; /* UID's default session keyring */
60184 #endif
60185
60186+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
60187+ unsigned int banned;
60188+ unsigned long ban_expires;
60189+#endif
60190+
60191 /* Hash table maintenance information */
60192 struct hlist_node uidhash_node;
60193 uid_t uid;
60194@@ -1340,8 +1360,8 @@ struct task_struct {
60195 struct list_head thread_group;
60196
60197 struct completion *vfork_done; /* for vfork() */
60198- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
60199- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
60200+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
60201+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
60202
60203 cputime_t utime, stime, utimescaled, stimescaled;
60204 cputime_t gtime;
60205@@ -1357,13 +1377,6 @@ struct task_struct {
60206 struct task_cputime cputime_expires;
60207 struct list_head cpu_timers[3];
60208
60209-/* process credentials */
60210- const struct cred __rcu *real_cred; /* objective and real subjective task
60211- * credentials (COW) */
60212- const struct cred __rcu *cred; /* effective (overridable) subjective task
60213- * credentials (COW) */
60214- struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
60215-
60216 char comm[TASK_COMM_LEN]; /* executable name excluding path
60217 - access with [gs]et_task_comm (which lock
60218 it with task_lock())
60219@@ -1380,8 +1393,16 @@ struct task_struct {
60220 #endif
60221 /* CPU-specific state of this task */
60222 struct thread_struct thread;
60223+/* thread_info moved to task_struct */
60224+#ifdef CONFIG_X86
60225+ struct thread_info tinfo;
60226+#endif
60227 /* filesystem information */
60228 struct fs_struct *fs;
60229+
60230+ const struct cred __rcu *cred; /* effective (overridable) subjective task
60231+ * credentials (COW) */
60232+
60233 /* open file information */
60234 struct files_struct *files;
60235 /* namespaces */
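Review bot: The comment `/* thread_info moved to task_struct */` says what was done but not why, and the why is the security-relevant part: keeping `thread_info` out of the kernel stack presumably means a stack overflow can no longer overwrite it, which is the property future maintainers must not undo. I would expand it to `/* thread_info lives in task_struct rather than at the base of the kernel stack so a stack overflow cannot corrupt it (see union thread_union) */`; the matching `union thread_union` change is in the `@@ -2074` hunk below. Also, `cred` is now separated from `real_cred` and from the `/* process credentials */` comment that used to cover both, so the comment should be repeated on `cred` here.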
60236@@ -1428,6 +1449,11 @@ struct task_struct {
60237 struct rt_mutex_waiter *pi_blocked_on;
60238 #endif
60239
60240+/* process credentials */
60241+ const struct cred __rcu *real_cred; /* objective and real subjective task
60242+ * credentials (COW) */
60243+ struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
60244+
60245 #ifdef CONFIG_DEBUG_MUTEXES
60246 /* mutex deadlock detection */
60247 struct mutex_waiter *blocked_on;
60248@@ -1537,6 +1563,21 @@ struct task_struct {
60249 unsigned long default_timer_slack_ns;
60250
60251 struct list_head *scm_work_list;
60252+
60253+#ifdef CONFIG_GRKERNSEC
60254+ /* grsecurity */
60255+ struct dentry *gr_chroot_dentry;
60256+ struct acl_subject_label *acl;
60257+ struct acl_role_label *role;
60258+ struct file *exec_file;
60259+ u16 acl_role_id;
60260+ /* is this the task that authenticated to the special role */
60261+ u8 acl_sp_role;
60262+ u8 is_writable;
60263+ u8 brute;
60264+ u8 gr_is_chrooted;
60265+#endif
60266+
60267 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
60268 /* Index of current stored address in ret_stack */
60269 int curr_ret_stack;
60270@@ -1571,6 +1612,57 @@ struct task_struct {
60271 #endif
60272 };
60273
60274+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
60275+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
60276+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
60277+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
60278+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
60279+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
60280+
60281+#ifdef CONFIG_PAX_SOFTMODE
60282+extern int pax_softmode;
60283+#endif
60284+
60285+extern int pax_check_flags(unsigned long *);
60286+
60287+/* if tsk != current then task_lock must be held on it */
60288+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
60289+static inline unsigned long pax_get_flags(struct task_struct *tsk)
60290+{
60291+ if (likely(tsk->mm))
60292+ return tsk->mm->pax_flags;
60293+ else
60294+ return 0UL;
60295+}
60296+
60297+/* if tsk != current then task_lock must be held on it */
60298+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
60299+{
60300+ if (likely(tsk->mm)) {
60301+ tsk->mm->pax_flags = flags;
60302+ return 0;
60303+ }
60304+ return -EINVAL;
60305+}
60306+#endif
60307+
60308+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
60309+extern void pax_set_initial_flags(struct linux_binprm *bprm);
60310+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
60311+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
60312+#endif
60313+
60314+extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
60315+extern void pax_report_insns(struct pt_regs *regs, void *pc, void *sp);
60316+extern void pax_report_refcount_overflow(struct pt_regs *regs);
60317+extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
60318+
60319+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
60320+extern void pax_track_stack(void);
60321+#else
60322+static inline void pax_track_stack(void) {}
60323+#endif
60324+
60325 /* Future-safe accessor for struct task_struct's cpus_allowed. */
60326 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
60327
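Review bot: The line `/*#define MF_PAX_RANDEXEC 0x10000000*/` leaves bit `0x10000000` looking free to a reader who does not know the history; if it is meant to stay reserved, say so rather than commenting out the define, e.g. `/* 0x10000000 reserved (formerly MF_PAX_RANDEXEC); do not reuse */`. A point of style in the same block: `pax_set_flags` returns `long` carrying `-EINVAL` while `pax_check_flags` returns `int`, and nothing in the header explains the difference, so one of them should change or a comment should justify it. The locking comment on `pax_get_flags`/`pax_set_flags` is good; it is the only documentation the accessors have, so keep it on both.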
60328@@ -2074,7 +2166,9 @@ void yield(void);
60329 extern struct exec_domain default_exec_domain;
60330
60331 union thread_union {
60332+#ifndef CONFIG_X86
60333 struct thread_info thread_info;
60334+#endif
60335 unsigned long stack[THREAD_SIZE/sizeof(long)];
60336 };
60337
60338@@ -2107,6 +2201,7 @@ extern struct pid_namespace init_pid_ns;
60339 */
60340
60341 extern struct task_struct *find_task_by_vpid(pid_t nr);
60342+extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
60343 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
60344 struct pid_namespace *ns);
60345
60346@@ -2243,7 +2338,7 @@ extern void __cleanup_sighand(struct sig
60347 extern void exit_itimers(struct signal_struct *);
60348 extern void flush_itimer_signals(void);
60349
60350-extern NORET_TYPE void do_group_exit(int);
60351+extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
60352
60353 extern void daemonize(const char *, ...);
60354 extern int allow_signal(int);
60355@@ -2408,13 +2503,17 @@ static inline unsigned long *end_of_stac
60356
60357 #endif
60358
60359-static inline int object_is_on_stack(void *obj)
60360+static inline int object_starts_on_stack(void *obj)
60361 {
60362- void *stack = task_stack_page(current);
60363+ const void *stack = task_stack_page(current);
60364
60365 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
60366 }
60367
60368+#ifdef CONFIG_PAX_USERCOPY
60369+extern int object_is_on_stack(const void *obj, unsigned long len);
60370+#endif
60371+
60372 extern void thread_info_cache_init(void);
60373
60374 #ifdef CONFIG_DEBUG_STACK_USAGE
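Review bot: `object_starts_on_stack` tests only the first byte of `obj`, so for a multi-byte object it says nothing about whether the object ends on the stack, and the rename alone does not warn a caller who uses it for a bounds decision. The range-checking `object_is_on_stack(obj, len)` is declared only under `CONFIG_PAX_USERCOPY`, so a caller of the old single-argument `object_is_on_stack()` that this patch does not update elsewhere no longer compiles without that option. I would add above the inline `/* Checks only the first byte of obj; use object_is_on_stack(obj, len) (CONFIG_PAX_USERCOPY) to check a whole range. */`.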
60375diff -urNp linux-3.1.1/include/linux/screen_info.h linux-3.1.1/include/linux/screen_info.h
60376--- linux-3.1.1/include/linux/screen_info.h 2011-11-11 15:19:27.000000000 -0500
60377+++ linux-3.1.1/include/linux/screen_info.h 2011-11-16 18:39:08.000000000 -0500
60378@@ -43,7 +43,8 @@ struct screen_info {
60379 __u16 pages; /* 0x32 */
60380 __u16 vesa_attributes; /* 0x34 */
60381 __u32 capabilities; /* 0x36 */
60382- __u8 _reserved[6]; /* 0x3a */
60383+ __u16 vesapm_size; /* 0x3a */
60384+ __u8 _reserved[4]; /* 0x3c */
60385 } __attribute__((packed));
60386
60387 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
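Review bot: `vesapm_size` is carved out of `_reserved`, and the `0x3a`/`0x3c` offset comments show this is a fixed, externally populated layout; as I understand it the struct is filled in by boot code, so a boot path that predates this change leaves the field as whatever it wrote there, typically zero. Consumers therefore need to treat 0 as "not provided" and sanity-check the value before using it as a size. I would extend the comment to `/* 0x3a: presumably the VESA PM interface size; 0 when the boot code did not fill it in */`.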
60388diff -urNp linux-3.1.1/include/linux/security.h linux-3.1.1/include/linux/security.h
60389--- linux-3.1.1/include/linux/security.h 2011-11-11 15:19:27.000000000 -0500
60390+++ linux-3.1.1/include/linux/security.h 2011-11-16 18:40:31.000000000 -0500
60391@@ -36,6 +36,7 @@
60392 #include <linux/key.h>
60393 #include <linux/xfrm.h>
60394 #include <linux/slab.h>
60395+#include <linux/grsecurity.h>
60396 #include <net/flow.h>
60397
60398 /* Maximum number of letters for an LSM name string */
60399diff -urNp linux-3.1.1/include/linux/seq_file.h linux-3.1.1/include/linux/seq_file.h
60400--- linux-3.1.1/include/linux/seq_file.h 2011-11-11 15:19:27.000000000 -0500
60401+++ linux-3.1.1/include/linux/seq_file.h 2011-11-16 18:39:08.000000000 -0500
60402@@ -33,6 +33,7 @@ struct seq_operations {
60403 void * (*next) (struct seq_file *m, void *v, loff_t *pos);
60404 int (*show) (struct seq_file *m, void *v);
60405 };
60406+typedef struct seq_operations __no_const seq_operations_no_const;
60407
60408 #define SEQ_SKIP 1
60409
60410diff -urNp linux-3.1.1/include/linux/shm.h linux-3.1.1/include/linux/shm.h
60411--- linux-3.1.1/include/linux/shm.h 2011-11-11 15:19:27.000000000 -0500
60412+++ linux-3.1.1/include/linux/shm.h 2011-11-16 18:59:58.000000000 -0500
60413@@ -98,6 +98,10 @@ struct shmid_kernel /* private to the ke
60414
60415 /* The task created the shm object. NULL if the task is dead. */
60416 struct task_struct *shm_creator;
60417+#ifdef CONFIG_GRKERNSEC
60418+ time_t shm_createtime;
60419+ pid_t shm_lapid;
60420+#endif
60421 };
60422
60423 /* shm_mode upper byte flags */
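Review bot: `shm_lapid` stores a bare `pid_t`, and a pid is recycled once the task exits, so a later reader may attribute the segment to an unrelated process; if the value feeds an access decision rather than only a log line it should hold a `struct pid *` reference (or be re-validated before use). The names suggest "creation time" and "last attach pid" but neither field has a comment; I would add `/* grsecurity: creation time and pid of the last attacher; the pid is not a reference and may have been recycled */`.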
60424diff -urNp linux-3.1.1/include/linux/skbuff.h linux-3.1.1/include/linux/skbuff.h
60425--- linux-3.1.1/include/linux/skbuff.h 2011-11-11 15:19:27.000000000 -0500
60426+++ linux-3.1.1/include/linux/skbuff.h 2011-11-16 18:39:08.000000000 -0500
60427@@ -610,7 +610,7 @@ static inline struct skb_shared_hwtstamp
60428 */
60429 static inline int skb_queue_empty(const struct sk_buff_head *list)
60430 {
60431- return list->next == (struct sk_buff *)list;
60432+ return list->next == (const struct sk_buff *)list;
60433 }
60434
60435 /**
60436@@ -623,7 +623,7 @@ static inline int skb_queue_empty(const
60437 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
60438 const struct sk_buff *skb)
60439 {
60440- return skb->next == (struct sk_buff *)list;
60441+ return skb->next == (const struct sk_buff *)list;
60442 }
60443
60444 /**
60445@@ -636,7 +636,7 @@ static inline bool skb_queue_is_last(con
60446 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
60447 const struct sk_buff *skb)
60448 {
60449- return skb->prev == (struct sk_buff *)list;
60450+ return skb->prev == (const struct sk_buff *)list;
60451 }
60452
60453 /**
60454@@ -1458,7 +1458,7 @@ static inline int pskb_network_may_pull(
60455 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
60456 */
60457 #ifndef NET_SKB_PAD
60458-#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
60459+#define NET_SKB_PAD max(_AC(32,UL), L1_CACHE_BYTES)
60460 #endif
60461
60462 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
60463diff -urNp linux-3.1.1/include/linux/slab_def.h linux-3.1.1/include/linux/slab_def.h
60464--- linux-3.1.1/include/linux/slab_def.h 2011-11-11 15:19:27.000000000 -0500
60465+++ linux-3.1.1/include/linux/slab_def.h 2011-11-16 18:39:08.000000000 -0500
60466@@ -68,10 +68,10 @@ struct kmem_cache {
60467 unsigned long node_allocs;
60468 unsigned long node_frees;
60469 unsigned long node_overflow;
60470- atomic_t allochit;
60471- atomic_t allocmiss;
60472- atomic_t freehit;
60473- atomic_t freemiss;
60474+ atomic_unchecked_t allochit;
60475+ atomic_unchecked_t allocmiss;
60476+ atomic_unchecked_t freehit;
60477+ atomic_unchecked_t freemiss;
60478
60479 /*
60480 * If debugging is enabled, then the allocator can add additional
60481diff -urNp linux-3.1.1/include/linux/slab.h linux-3.1.1/include/linux/slab.h
60482--- linux-3.1.1/include/linux/slab.h 2011-11-11 15:19:27.000000000 -0500
60483+++ linux-3.1.1/include/linux/slab.h 2011-11-16 18:39:08.000000000 -0500
60484@@ -11,12 +11,20 @@
60485
60486 #include <linux/gfp.h>
60487 #include <linux/types.h>
60488+#include <linux/err.h>
60489
60490 /*
60491 * Flags to pass to kmem_cache_create().
60492 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
60493 */
60494 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
60495+
60496+#ifdef CONFIG_PAX_USERCOPY
60497+#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
60498+#else
60499+#define SLAB_USERCOPY 0x00000000UL
60500+#endif
60501+
60502 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
60503 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
60504 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
60505@@ -87,10 +95,13 @@
60506 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
60507 * Both make kfree a no-op.
60508 */
60509-#define ZERO_SIZE_PTR ((void *)16)
60510+#define ZERO_SIZE_PTR \
60511+({ \
60512+ BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
60513+ (void *)(-MAX_ERRNO-1L); \
60514+})
60515
60516-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
60517- (unsigned long)ZERO_SIZE_PTR)
60518+#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
60519
60520 /*
60521 * struct kmem_cache related prototypes
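Review bot: The new `ZERO_OR_NULL_PTR(x)` is true for every value at or above `ZERO_SIZE_PTR`, and since `ZERO_SIZE_PTR` is `-MAX_ERRNO-1` that range also covers every `ERR_PTR()` value, so `kfree(ERR_PTR(...))` silently becomes a no-op and the macro no longer means what its name says. That may be intended hardening, but the comment above, which still only mentions NULL and `ZERO_SIZE_PTR`, should state it, e.g. `* ZERO_OR_NULL_PTR() also matches the ERR_PTR range, so kfree() of an error pointer is a no-op.`. Turning `ZERO_SIZE_PTR` into a statement expression with `BUILD_BUG_ON` inside also means it can no longer appear where a constant expression is required (static initialisers, `case` labels, array bounds); worth a line too.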
60522@@ -161,6 +172,7 @@ void * __must_check krealloc(const void
60523 void kfree(const void *);
60524 void kzfree(const void *);
60525 size_t ksize(const void *);
60526+void check_object_size(const void *ptr, unsigned long n, bool to);
60527
60528 /*
60529 * Allocator specific definitions. These are mainly used to establish optimized
60530@@ -353,4 +365,59 @@ static inline void *kzalloc_node(size_t
60531
60532 void __init kmem_cache_init_late(void);
60533
60534+#define kmalloc(x, y) \
60535+({ \
60536+ void *___retval; \
60537+ intoverflow_t ___x = (intoverflow_t)x; \
60538+ if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n")) \
60539+ ___retval = NULL; \
60540+ else \
60541+ ___retval = kmalloc((size_t)___x, (y)); \
60542+ ___retval; \
60543+})
60544+
60545+#define kmalloc_node(x, y, z) \
60546+({ \
60547+ void *___retval; \
60548+ intoverflow_t ___x = (intoverflow_t)x; \
60549+ if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
60550+ ___retval = NULL; \
60551+ else \
60552+ ___retval = kmalloc_node((size_t)___x, (y), (z));\
60553+ ___retval; \
60554+})
60555+
60556+#define kzalloc(x, y) \
60557+({ \
60558+ void *___retval; \
60559+ intoverflow_t ___x = (intoverflow_t)x; \
60560+ if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n")) \
60561+ ___retval = NULL; \
60562+ else \
60563+ ___retval = kzalloc((size_t)___x, (y)); \
60564+ ___retval; \
60565+})
60566+
60567+#define __krealloc(x, y, z) \
60568+({ \
60569+ void *___retval; \
60570+ intoverflow_t ___y = (intoverflow_t)y; \
60571+ if (WARN(___y > ULONG_MAX, "__krealloc size overflow\n"))\
60572+ ___retval = NULL; \
60573+ else \
60574+ ___retval = __krealloc((x), (size_t)___y, (z)); \
60575+ ___retval; \
60576+})
60577+
60578+#define krealloc(x, y, z) \
60579+({ \
60580+ void *___retval; \
60581+ intoverflow_t ___y = (intoverflow_t)y; \
60582+ if (WARN(___y > ULONG_MAX, "krealloc size overflow\n")) \
60583+ ___retval = NULL; \
60584+ else \
60585+ ___retval = krealloc((x), (size_t)___y, (z)); \
60586+ ___retval; \
60587+})
60588+
60589 #endif /* _LINUX_SLAB_H */
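Review bot: In all five wrapper macros the size argument is cast without parentheses, `(intoverflow_t)x`, so a compound argument is only partly cast: `kmalloc(a ? b : c, gfp)` expands to `(intoverflow_t)a ? b : c`, which changes the value and bypasses the overflow check. Each should read `intoverflow_t ___x = (intoverflow_t)(x);` (and `(intoverflow_t)(y)` in `__krealloc`/`krealloc`); the same pattern repeats in the vmalloc.h macros at the end of this patch chunk. Separately, the check `___x > ULONG_MAX` can only ever fire if `intoverflow_t` is wider than `unsigned long`, which this header does not show; a comment stating that requirement next to the first macro would help.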
60590diff -urNp linux-3.1.1/include/linux/slub_def.h linux-3.1.1/include/linux/slub_def.h
60591--- linux-3.1.1/include/linux/slub_def.h 2011-11-11 15:19:27.000000000 -0500
60592+++ linux-3.1.1/include/linux/slub_def.h 2011-11-16 18:39:08.000000000 -0500
60593@@ -85,7 +85,7 @@ struct kmem_cache {
60594 struct kmem_cache_order_objects max;
60595 struct kmem_cache_order_objects min;
60596 gfp_t allocflags; /* gfp flags to use on each alloc */
60597- int refcount; /* Refcount for slab cache destroy */
60598+ atomic_t refcount; /* Refcount for slab cache destroy */
60599 void (*ctor)(void *);
60600 int inuse; /* Offset to metadata */
60601 int align; /* Alignment */
60602@@ -211,7 +211,7 @@ static __always_inline struct kmem_cache
60603 }
60604
60605 void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
60606-void *__kmalloc(size_t size, gfp_t flags);
60607+void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
60608
60609 static __always_inline void *
60610 kmalloc_order(size_t size, gfp_t flags, unsigned int order)
60611diff -urNp linux-3.1.1/include/linux/sonet.h linux-3.1.1/include/linux/sonet.h
60612--- linux-3.1.1/include/linux/sonet.h 2011-11-11 15:19:27.000000000 -0500
60613+++ linux-3.1.1/include/linux/sonet.h 2011-11-16 18:39:08.000000000 -0500
60614@@ -61,7 +61,7 @@ struct sonet_stats {
60615 #include <linux/atomic.h>
60616
60617 struct k_sonet_stats {
60618-#define __HANDLE_ITEM(i) atomic_t i
60619+#define __HANDLE_ITEM(i) atomic_unchecked_t i
60620 __SONET_ITEMS
60621 #undef __HANDLE_ITEM
60622 };
60623diff -urNp linux-3.1.1/include/linux/sunrpc/clnt.h linux-3.1.1/include/linux/sunrpc/clnt.h
60624--- linux-3.1.1/include/linux/sunrpc/clnt.h 2011-11-11 15:19:27.000000000 -0500
60625+++ linux-3.1.1/include/linux/sunrpc/clnt.h 2011-11-16 18:39:08.000000000 -0500
60626@@ -169,9 +169,9 @@ static inline unsigned short rpc_get_por
60627 {
60628 switch (sap->sa_family) {
60629 case AF_INET:
60630- return ntohs(((struct sockaddr_in *)sap)->sin_port);
60631+ return ntohs(((const struct sockaddr_in *)sap)->sin_port);
60632 case AF_INET6:
60633- return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
60634+ return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
60635 }
60636 return 0;
60637 }
60638@@ -204,7 +204,7 @@ static inline bool __rpc_cmp_addr4(const
60639 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
60640 const struct sockaddr *src)
60641 {
60642- const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
60643+ const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
60644 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
60645
60646 dsin->sin_family = ssin->sin_family;
60647@@ -301,7 +301,7 @@ static inline u32 rpc_get_scope_id(const
60648 if (sa->sa_family != AF_INET6)
60649 return 0;
60650
60651- return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
60652+ return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
60653 }
60654
60655 #endif /* __KERNEL__ */
60656diff -urNp linux-3.1.1/include/linux/sunrpc/sched.h linux-3.1.1/include/linux/sunrpc/sched.h
60657--- linux-3.1.1/include/linux/sunrpc/sched.h 2011-11-11 15:19:27.000000000 -0500
60658+++ linux-3.1.1/include/linux/sunrpc/sched.h 2011-11-16 18:39:08.000000000 -0500
60659@@ -105,6 +105,7 @@ struct rpc_call_ops {
60660 void (*rpc_call_done)(struct rpc_task *, void *);
60661 void (*rpc_release)(void *);
60662 };
60663+typedef struct rpc_call_ops __no_const rpc_call_ops_no_const;
60664
60665 struct rpc_task_setup {
60666 struct rpc_task *task;
60667diff -urNp linux-3.1.1/include/linux/sunrpc/svc_rdma.h linux-3.1.1/include/linux/sunrpc/svc_rdma.h
60668--- linux-3.1.1/include/linux/sunrpc/svc_rdma.h 2011-11-11 15:19:27.000000000 -0500
60669+++ linux-3.1.1/include/linux/sunrpc/svc_rdma.h 2011-11-16 18:39:08.000000000 -0500
60670@@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
60671 extern unsigned int svcrdma_max_requests;
60672 extern unsigned int svcrdma_max_req_size;
60673
60674-extern atomic_t rdma_stat_recv;
60675-extern atomic_t rdma_stat_read;
60676-extern atomic_t rdma_stat_write;
60677-extern atomic_t rdma_stat_sq_starve;
60678-extern atomic_t rdma_stat_rq_starve;
60679-extern atomic_t rdma_stat_rq_poll;
60680-extern atomic_t rdma_stat_rq_prod;
60681-extern atomic_t rdma_stat_sq_poll;
60682-extern atomic_t rdma_stat_sq_prod;
60683+extern atomic_unchecked_t rdma_stat_recv;
60684+extern atomic_unchecked_t rdma_stat_read;
60685+extern atomic_unchecked_t rdma_stat_write;
60686+extern atomic_unchecked_t rdma_stat_sq_starve;
60687+extern atomic_unchecked_t rdma_stat_rq_starve;
60688+extern atomic_unchecked_t rdma_stat_rq_poll;
60689+extern atomic_unchecked_t rdma_stat_rq_prod;
60690+extern atomic_unchecked_t rdma_stat_sq_poll;
60691+extern atomic_unchecked_t rdma_stat_sq_prod;
60692
60693 #define RPCRDMA_VERSION 1
60694
60695diff -urNp linux-3.1.1/include/linux/sysctl.h linux-3.1.1/include/linux/sysctl.h
60696--- linux-3.1.1/include/linux/sysctl.h 2011-11-11 15:19:27.000000000 -0500
60697+++ linux-3.1.1/include/linux/sysctl.h 2011-11-16 18:40:31.000000000 -0500
60698@@ -155,7 +155,11 @@ enum
60699 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
60700 };
60701
60702-
60703+#ifdef CONFIG_PAX_SOFTMODE
60704+enum {
60705+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
60706+};
60707+#endif
60708
60709 /* CTL_VM names: */
60710 enum
60711@@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
60712
60713 extern int proc_dostring(struct ctl_table *, int,
60714 void __user *, size_t *, loff_t *);
60715+extern int proc_dostring_modpriv(struct ctl_table *, int,
60716+ void __user *, size_t *, loff_t *);
60717 extern int proc_dointvec(struct ctl_table *, int,
60718 void __user *, size_t *, loff_t *);
60719 extern int proc_dointvec_minmax(struct ctl_table *, int,
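Review bot: `proc_dostring_modpriv` is declared with no comment, and its name is the only hint of how it differs from `proc_dostring`, presumably an extra privilege check on write. A one-liner above it naming that check, e.g. `/* Like proc_dostring(), but writes additionally require <privilege checked in the definition> */`, would keep the next reader from picking the wrong handler. The `PAX_SOFTMODE=1` enum in the earlier hunk of this file is a numeric sysctl name; as far as I know the binary sysctl interface is deprecated in this kernel, so a note on whether it is meant to be reachable that way would help.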
60720diff -urNp linux-3.1.1/include/linux/tty_ldisc.h linux-3.1.1/include/linux/tty_ldisc.h
60721--- linux-3.1.1/include/linux/tty_ldisc.h 2011-11-11 15:19:27.000000000 -0500
60722+++ linux-3.1.1/include/linux/tty_ldisc.h 2011-11-16 18:39:08.000000000 -0500
60723@@ -148,7 +148,7 @@ struct tty_ldisc_ops {
60724
60725 struct module *owner;
60726
60727- int refcount;
60728+ atomic_t refcount;
60729 };
60730
60731 struct tty_ldisc {
60732diff -urNp linux-3.1.1/include/linux/types.h linux-3.1.1/include/linux/types.h
60733--- linux-3.1.1/include/linux/types.h 2011-11-11 15:19:27.000000000 -0500
60734+++ linux-3.1.1/include/linux/types.h 2011-11-16 18:39:08.000000000 -0500
60735@@ -213,10 +213,26 @@ typedef struct {
60736 int counter;
60737 } atomic_t;
60738
60739+#ifdef CONFIG_PAX_REFCOUNT
60740+typedef struct {
60741+ int counter;
60742+} atomic_unchecked_t;
60743+#else
60744+typedef atomic_t atomic_unchecked_t;
60745+#endif
60746+
60747 #ifdef CONFIG_64BIT
60748 typedef struct {
60749 long counter;
60750 } atomic64_t;
60751+
60752+#ifdef CONFIG_PAX_REFCOUNT
60753+typedef struct {
60754+ long counter;
60755+} atomic64_unchecked_t;
60756+#else
60757+typedef atomic64_t atomic64_unchecked_t;
60758+#endif
60759 #endif
60760
60761 struct list_head {
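Review bot: With `CONFIG_PAX_REFCOUNT` disabled, `atomic_unchecked_t` is a plain typedef of `atomic_t`, so using a checked accessor on an unchecked counter (or the reverse) compiles silently and is only diagnosed in a REFCOUNT-enabled build; that is a reasonable trade-off but it should be written down, since a non-REFCOUNT build is the one most people compile. I would add above the first `#ifdef CONFIG_PAX_REFCOUNT` here `/* Same layout as atomic_t; only the accessor set differs. Without CONFIG_PAX_REFCOUNT the two types alias, so mismatched accessors are not diagnosed. */`, which also applies to the `atomic64_unchecked_t` block below it.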
60762diff -urNp linux-3.1.1/include/linux/uaccess.h linux-3.1.1/include/linux/uaccess.h
60763--- linux-3.1.1/include/linux/uaccess.h 2011-11-11 15:19:27.000000000 -0500
60764+++ linux-3.1.1/include/linux/uaccess.h 2011-11-16 18:39:08.000000000 -0500
60765@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
60766 long ret; \
60767 mm_segment_t old_fs = get_fs(); \
60768 \
60769- set_fs(KERNEL_DS); \
60770 pagefault_disable(); \
60771- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
60772- pagefault_enable(); \
60773+ set_fs(KERNEL_DS); \
60774+ ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
60775 set_fs(old_fs); \
60776+ pagefault_enable(); \
60777 ret; \
60778 })
60779
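Review bot: The reordering now keeps the `set_fs(KERNEL_DS)` window strictly inside the pagefault-disabled region, which looks deliberate but carries no comment; the enclosing macro starts outside the hunk, so the intent is easy to lose. I would add on the `pagefault_disable();` line `/* disable faults first so KERNEL_DS is never active while a fault could be taken */`, hedged as "presumably" until the author confirms that is the reason.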
60780diff -urNp linux-3.1.1/include/linux/unaligned/access_ok.h linux-3.1.1/include/linux/unaligned/access_ok.h
60781--- linux-3.1.1/include/linux/unaligned/access_ok.h 2011-11-11 15:19:27.000000000 -0500
60782+++ linux-3.1.1/include/linux/unaligned/access_ok.h 2011-11-16 18:39:08.000000000 -0500
60783@@ -6,32 +6,32 @@
60784
60785 static inline u16 get_unaligned_le16(const void *p)
60786 {
60787- return le16_to_cpup((__le16 *)p);
60788+ return le16_to_cpup((const __le16 *)p);
60789 }
60790
60791 static inline u32 get_unaligned_le32(const void *p)
60792 {
60793- return le32_to_cpup((__le32 *)p);
60794+ return le32_to_cpup((const __le32 *)p);
60795 }
60796
60797 static inline u64 get_unaligned_le64(const void *p)
60798 {
60799- return le64_to_cpup((__le64 *)p);
60800+ return le64_to_cpup((const __le64 *)p);
60801 }
60802
60803 static inline u16 get_unaligned_be16(const void *p)
60804 {
60805- return be16_to_cpup((__be16 *)p);
60806+ return be16_to_cpup((const __be16 *)p);
60807 }
60808
60809 static inline u32 get_unaligned_be32(const void *p)
60810 {
60811- return be32_to_cpup((__be32 *)p);
60812+ return be32_to_cpup((const __be32 *)p);
60813 }
60814
60815 static inline u64 get_unaligned_be64(const void *p)
60816 {
60817- return be64_to_cpup((__be64 *)p);
60818+ return be64_to_cpup((const __be64 *)p);
60819 }
60820
60821 static inline void put_unaligned_le16(u16 val, void *p)
60822diff -urNp linux-3.1.1/include/linux/vermagic.h linux-3.1.1/include/linux/vermagic.h
60823--- linux-3.1.1/include/linux/vermagic.h 2011-11-11 15:19:27.000000000 -0500
60824+++ linux-3.1.1/include/linux/vermagic.h 2011-11-16 18:54:54.000000000 -0500
60825@@ -26,9 +26,35 @@
60826 #define MODULE_ARCH_VERMAGIC ""
60827 #endif
60828
60829+#ifdef CONFIG_PAX_REFCOUNT
60830+#define MODULE_PAX_REFCOUNT "REFCOUNT "
60831+#else
60832+#define MODULE_PAX_REFCOUNT ""
60833+#endif
60834+
60835+#ifdef CONSTIFY_PLUGIN
60836+#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
60837+#else
60838+#define MODULE_CONSTIFY_PLUGIN ""
60839+#endif
60840+
60841+#ifdef STACKLEAK_PLUGIN
60842+#define MODULE_STACKLEAK_PLUGIN "STACKLEAK_PLUGIN "
60843+#else
60844+#define MODULE_STACKLEAK_PLUGIN ""
60845+#endif
60846+
60847+#ifdef CONFIG_GRKERNSEC
60848+#define MODULE_GRSEC "GRSEC "
60849+#else
60850+#define MODULE_GRSEC ""
60851+#endif
60852+
60853 #define VERMAGIC_STRING \
60854 UTS_RELEASE " " \
60855 MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
60856 MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
60857- MODULE_ARCH_VERMAGIC
60858+ MODULE_ARCH_VERMAGIC \
60859+ MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_STACKLEAK_PLUGIN \
60860+ MODULE_GRSEC
60861
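Review bot: The four new vermagic tokens make a module built without the same REFCOUNT/CONSTIFY/STACKLEAK/GRSEC configuration fail to load, which is the defensive intent, but nothing in the header says so and a future maintainer may see them as noise. I would add above `#ifdef CONFIG_PAX_REFCOUNT` `/* These tokens deliberately reject modules built without the same hardening options, since such modules were compiled against different type and layout assumptions. */`. Each token carries its own trailing space, consistent with the existing `MODULE_VERMAGIC_*` tokens, so the concatenation itself looks fine.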
60862diff -urNp linux-3.1.1/include/linux/vmalloc.h linux-3.1.1/include/linux/vmalloc.h
60863--- linux-3.1.1/include/linux/vmalloc.h 2011-11-11 15:19:27.000000000 -0500
60864+++ linux-3.1.1/include/linux/vmalloc.h 2011-11-16 18:39:08.000000000 -0500
60865@@ -14,6 +14,11 @@ struct vm_area_struct; /* vma defining
60866 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
60867 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
60868 #define VM_UNLIST 0x00000020 /* vm_struct is not listed in vmlist */
60869+
60870+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
60871+#define VM_KERNEXEC 0x00000040 /* allocate from executable kernel memory range */
60872+#endif
60873+
60874 /* bits [20..32] reserved for arch specific ioremap internals */
60875
60876 /*
60877@@ -156,4 +161,103 @@ pcpu_free_vm_areas(struct vm_struct **vm
60878 # endif
60879 #endif
60880
60881+#define vmalloc(x) \
60882+({ \
60883+ void *___retval; \
60884+ intoverflow_t ___x = (intoverflow_t)x; \
60885+ if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
60886+ ___retval = NULL; \
60887+ else \
60888+ ___retval = vmalloc((unsigned long)___x); \
60889+ ___retval; \
60890+})
60891+
60892+#define vzalloc(x) \
60893+({ \
60894+ void *___retval; \
60895+ intoverflow_t ___x = (intoverflow_t)x; \
60896+ if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
60897+ ___retval = NULL; \
60898+ else \
60899+ ___retval = vzalloc((unsigned long)___x); \
60900+ ___retval; \
60901+})
60902+
60903+#define __vmalloc(x, y, z) \
60904+({ \
60905+ void *___retval; \
60906+ intoverflow_t ___x = (intoverflow_t)x; \
60907+ if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
60908+ ___retval = NULL; \
60909+ else \
60910+ ___retval = __vmalloc((unsigned long)___x, (y), (z));\
60911+ ___retval; \
60912+})
60913+
60914+#define vmalloc_user(x) \
60915+({ \
60916+ void *___retval; \
60917+ intoverflow_t ___x = (intoverflow_t)x; \
60918+ if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
60919+ ___retval = NULL; \
60920+ else \
60921+ ___retval = vmalloc_user((unsigned long)___x); \
60922+ ___retval; \
60923+})
60924+
60925+#define vmalloc_exec(x) \
60926+({ \
60927+ void *___retval; \
60928+ intoverflow_t ___x = (intoverflow_t)x; \
60929+ if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
60930+ ___retval = NULL; \
60931+ else \
60932+ ___retval = vmalloc_exec((unsigned long)___x); \
60933+ ___retval; \
60934+})
60935+
60936+#define vmalloc_node(x, y) \
60937+({ \
60938+ void *___retval; \
60939+ intoverflow_t ___x = (intoverflow_t)x; \
60940+ if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
60941+ ___retval = NULL; \
60942+ else \
60943+ ___retval = vmalloc_node((unsigned long)___x, (y));\
60944+ ___retval; \
60945+})
60946+
60947+#define vzalloc_node(x, y) \
60948+({ \
60949+ void *___retval; \
60950+ intoverflow_t ___x = (intoverflow_t)x; \
60951+ if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
60952+ ___retval = NULL; \
60953+ else \
60954+ ___retval = vzalloc_node((unsigned long)___x, (y));\
60955+ ___retval; \
60956+})
60957+
60958+#define vmalloc_32(x) \
60959+({ \
60960+ void *___retval; \
60961+ intoverflow_t ___x = (intoverflow_t)x; \
60962+ if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
60963+ ___retval = NULL; \
60964+ else \
60965+ ___retval = vmalloc_32((unsigned long)___x); \
60966+ ___retval; \
60967+})
60968+
60969+#define vmalloc_32_user(x) \
60970+({ \
60971+void *___retval; \
60972+ intoverflow_t ___x = (intoverflow_t)x; \
60973+ if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
60974+ ___retval = NULL; \
60975+ else \
60976+ ___retval = vmalloc_32_user((unsigned long)___x);\
60977+ ___retval; \
60978+})
60979+
60980 #endif /* _LINUX_VMALLOC_H */
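Review bot: Each of the nine size-checking macros casts its argument as `(intoverflow_t)x` instead of `(intoverflow_t)(x)`, so an argument that is itself an expression binds incorrectly: `vmalloc(big ? a : b)` expands to `(intoverflow_t)big ? a : b`, and the widened overflow comparison then tests the wrong value. The one-line fix in every macro is `intoverflow_t ___x = (intoverflow_t)(x); \`. The vmalloc_32_user body also lost the leading tab on its `void *___retval;` line, which is cosmetic but stands out against the other eight. Returning NULL after the WARN gives an overflowing size the same failure mode as an allocation failure, which is the right outcome for a size-overflow guard.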
60981diff -urNp linux-3.1.1/include/linux/vmstat.h linux-3.1.1/include/linux/vmstat.h
60982--- linux-3.1.1/include/linux/vmstat.h 2011-11-11 15:19:27.000000000 -0500
60983+++ linux-3.1.1/include/linux/vmstat.h 2011-11-16 18:39:08.000000000 -0500
60984@@ -87,18 +87,18 @@ static inline void vm_events_fold_cpu(in
60985 /*
60986 * Zone based page accounting with per cpu differentials.
60987 */
60988-extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
60989+extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
60990
60991 static inline void zone_page_state_add(long x, struct zone *zone,
60992 enum zone_stat_item item)
60993 {
60994- atomic_long_add(x, &zone->vm_stat[item]);
60995- atomic_long_add(x, &vm_stat[item]);
60996+ atomic_long_add_unchecked(x, &zone->vm_stat[item]);
60997+ atomic_long_add_unchecked(x, &vm_stat[item]);
60998 }
60999
61000 static inline unsigned long global_page_state(enum zone_stat_item item)
61001 {
61002- long x = atomic_long_read(&vm_stat[item]);
61003+ long x = atomic_long_read_unchecked(&vm_stat[item]);
61004 #ifdef CONFIG_SMP
61005 if (x < 0)
61006 x = 0;
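Review bot: The switch of vm_stat and zone->vm_stat accesses to the `_unchecked` atomic variants carries no comment saying why these counters are exempt from refcount overflow detection, here and in the four later hunks of this file (zone_page_state, zone_page_state_snapshot, __inc_zone_state, __dec_zone_state). The existing `if (x < 0) x = 0;` clamp under CONFIG_SMP shows the values are per-cpu deltas expected to go transiently negative, which is presumably why overflow checking would misfire on them. A comment on the `extern atomic_long_unchecked_t vm_stat[...]` line such as `/* statistics, not reference counts: may go negative or wrap, so exempt from REFCOUNT overflow checks */` would record that for the next reader.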
61007@@ -109,7 +109,7 @@ static inline unsigned long global_page_
61008 static inline unsigned long zone_page_state(struct zone *zone,
61009 enum zone_stat_item item)
61010 {
61011- long x = atomic_long_read(&zone->vm_stat[item]);
61012+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
61013 #ifdef CONFIG_SMP
61014 if (x < 0)
61015 x = 0;
61016@@ -126,7 +126,7 @@ static inline unsigned long zone_page_st
61017 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
61018 enum zone_stat_item item)
61019 {
61020- long x = atomic_long_read(&zone->vm_stat[item]);
61021+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
61022
61023 #ifdef CONFIG_SMP
61024 int cpu;
61025@@ -221,8 +221,8 @@ static inline void __mod_zone_page_state
61026
61027 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
61028 {
61029- atomic_long_inc(&zone->vm_stat[item]);
61030- atomic_long_inc(&vm_stat[item]);
61031+ atomic_long_inc_unchecked(&zone->vm_stat[item]);
61032+ atomic_long_inc_unchecked(&vm_stat[item]);
61033 }
61034
61035 static inline void __inc_zone_page_state(struct page *page,
61036@@ -233,8 +233,8 @@ static inline void __inc_zone_page_state
61037
61038 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
61039 {
61040- atomic_long_dec(&zone->vm_stat[item]);
61041- atomic_long_dec(&vm_stat[item]);
61042+ atomic_long_dec_unchecked(&zone->vm_stat[item]);
61043+ atomic_long_dec_unchecked(&vm_stat[item]);
61044 }
61045
61046 static inline void __dec_zone_page_state(struct page *page,
61047diff -urNp linux-3.1.1/include/media/saa7146_vv.h linux-3.1.1/include/media/saa7146_vv.h
61048--- linux-3.1.1/include/media/saa7146_vv.h 2011-11-11 15:19:27.000000000 -0500
61049+++ linux-3.1.1/include/media/saa7146_vv.h 2011-11-16 18:39:08.000000000 -0500
61050@@ -163,7 +163,7 @@ struct saa7146_ext_vv
61051 int (*std_callback)(struct saa7146_dev*, struct saa7146_standard *);
61052
61053 /* the extension can override this */
61054- struct v4l2_ioctl_ops ops;
61055+ v4l2_ioctl_ops_no_const ops;
61056 /* pointer to the saa7146 core ops */
61057 const struct v4l2_ioctl_ops *core_ops;
61058
61059diff -urNp linux-3.1.1/include/media/v4l2-dev.h linux-3.1.1/include/media/v4l2-dev.h
61060--- linux-3.1.1/include/media/v4l2-dev.h 2011-11-11 15:19:27.000000000 -0500
61061+++ linux-3.1.1/include/media/v4l2-dev.h 2011-11-16 18:39:08.000000000 -0500
61062@@ -56,7 +56,7 @@ int v4l2_prio_check(struct v4l2_prio_sta
61063
61064
61065 struct v4l2_file_operations {
61066- struct module *owner;
61067+ struct module * const owner;
61068 ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
61069 ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
61070 unsigned int (*poll) (struct file *, struct poll_table_struct *);
61071@@ -68,6 +68,7 @@ struct v4l2_file_operations {
61072 int (*open) (struct file *);
61073 int (*release) (struct file *);
61074 };
61075+typedef struct v4l2_file_operations __no_const v4l2_file_operations_no_const;
61076
61077 /*
61078 * Newer version of video_device, handled by videodev2.c
61079diff -urNp linux-3.1.1/include/media/v4l2-ioctl.h linux-3.1.1/include/media/v4l2-ioctl.h
61080--- linux-3.1.1/include/media/v4l2-ioctl.h 2011-11-11 15:19:27.000000000 -0500
61081+++ linux-3.1.1/include/media/v4l2-ioctl.h 2011-11-17 18:44:20.000000000 -0500
61082@@ -272,7 +272,7 @@ struct v4l2_ioctl_ops {
61083 long (*vidioc_default) (struct file *file, void *fh,
61084 bool valid_prio, int cmd, void *arg);
61085 };
61086-
61087+typedef struct v4l2_ioctl_ops __no_const v4l2_ioctl_ops_no_const;
61088
61089 /* v4l debugging and diagnostics */
61090
61091diff -urNp linux-3.1.1/include/net/caif/caif_hsi.h linux-3.1.1/include/net/caif/caif_hsi.h
61092--- linux-3.1.1/include/net/caif/caif_hsi.h 2011-11-11 15:19:27.000000000 -0500
61093+++ linux-3.1.1/include/net/caif/caif_hsi.h 2011-11-16 18:39:08.000000000 -0500
61094@@ -94,7 +94,7 @@ struct cfhsi_drv {
61095 void (*rx_done_cb) (struct cfhsi_drv *drv);
61096 void (*wake_up_cb) (struct cfhsi_drv *drv);
61097 void (*wake_down_cb) (struct cfhsi_drv *drv);
61098-};
61099+} __no_const;
61100
61101 /* Structure implemented by HSI device. */
61102 struct cfhsi_dev {
61103diff -urNp linux-3.1.1/include/net/caif/cfctrl.h linux-3.1.1/include/net/caif/cfctrl.h
61104--- linux-3.1.1/include/net/caif/cfctrl.h 2011-11-11 15:19:27.000000000 -0500
61105+++ linux-3.1.1/include/net/caif/cfctrl.h 2011-11-16 18:39:08.000000000 -0500
61106@@ -52,7 +52,7 @@ struct cfctrl_rsp {
61107 void (*radioset_rsp)(void);
61108 void (*reject_rsp)(struct cflayer *layer, u8 linkid,
61109 struct cflayer *client_layer);
61110-};
61111+} __no_const;
61112
61113 /* Link Setup Parameters for CAIF-Links. */
61114 struct cfctrl_link_param {
61115@@ -101,8 +101,8 @@ struct cfctrl_request_info {
61116 struct cfctrl {
61117 struct cfsrvl serv;
61118 struct cfctrl_rsp res;
61119- atomic_t req_seq_no;
61120- atomic_t rsp_seq_no;
61121+ atomic_unchecked_t req_seq_no;
61122+ atomic_unchecked_t rsp_seq_no;
61123 struct list_head list;
61124 /* Protects from simultaneous access to first_req list */
61125 spinlock_t info_list_lock;
61126diff -urNp linux-3.1.1/include/net/flow.h linux-3.1.1/include/net/flow.h
61127--- linux-3.1.1/include/net/flow.h 2011-11-11 15:19:27.000000000 -0500
61128+++ linux-3.1.1/include/net/flow.h 2011-11-16 18:39:08.000000000 -0500
61129@@ -207,6 +207,6 @@ extern struct flow_cache_object *flow_ca
61130 u8 dir, flow_resolve_t resolver, void *ctx);
61131
61132 extern void flow_cache_flush(void);
61133-extern atomic_t flow_cache_genid;
61134+extern atomic_unchecked_t flow_cache_genid;
61135
61136 #endif
61137diff -urNp linux-3.1.1/include/net/inetpeer.h linux-3.1.1/include/net/inetpeer.h
61138--- linux-3.1.1/include/net/inetpeer.h 2011-11-11 15:19:27.000000000 -0500
61139+++ linux-3.1.1/include/net/inetpeer.h 2011-11-16 18:39:08.000000000 -0500
61140@@ -47,8 +47,8 @@ struct inet_peer {
61141 */
61142 union {
61143 struct {
61144- atomic_t rid; /* Frag reception counter */
61145- atomic_t ip_id_count; /* IP ID for the next packet */
61146+ atomic_unchecked_t rid; /* Frag reception counter */
61147+ atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
61148 __u32 tcp_ts;
61149 __u32 tcp_ts_stamp;
61150 };
61151@@ -112,11 +112,11 @@ static inline int inet_getid(struct inet
61152 more++;
61153 inet_peer_refcheck(p);
61154 do {
61155- old = atomic_read(&p->ip_id_count);
61156+ old = atomic_read_unchecked(&p->ip_id_count);
61157 new = old + more;
61158 if (!new)
61159 new = 1;
61160- } while (atomic_cmpxchg(&p->ip_id_count, old, new) != old);
61161+ } while (atomic_cmpxchg_unchecked(&p->ip_id_count, old, new) != old);
61162 return new;
61163 }
61164
61165diff -urNp linux-3.1.1/include/net/ip_fib.h linux-3.1.1/include/net/ip_fib.h
61166--- linux-3.1.1/include/net/ip_fib.h 2011-11-11 15:19:27.000000000 -0500
61167+++ linux-3.1.1/include/net/ip_fib.h 2011-11-16 18:39:08.000000000 -0500
61168@@ -146,7 +146,7 @@ extern __be32 fib_info_update_nh_saddr(s
61169
61170 #define FIB_RES_SADDR(net, res) \
61171 ((FIB_RES_NH(res).nh_saddr_genid == \
61172- atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
61173+ atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
61174 FIB_RES_NH(res).nh_saddr : \
61175 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
61176 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
61177diff -urNp linux-3.1.1/include/net/ip_vs.h linux-3.1.1/include/net/ip_vs.h
61178--- linux-3.1.1/include/net/ip_vs.h 2011-11-11 15:19:27.000000000 -0500
61179+++ linux-3.1.1/include/net/ip_vs.h 2011-11-16 18:39:08.000000000 -0500
61180@@ -509,7 +509,7 @@ struct ip_vs_conn {
61181 struct ip_vs_conn *control; /* Master control connection */
61182 atomic_t n_control; /* Number of controlled ones */
61183 struct ip_vs_dest *dest; /* real server */
61184- atomic_t in_pkts; /* incoming packet counter */
61185+ atomic_unchecked_t in_pkts; /* incoming packet counter */
61186
61187 /* packet transmitter for different forwarding methods. If it
61188 mangles the packet, it must return NF_DROP or better NF_STOLEN,
61189@@ -647,7 +647,7 @@ struct ip_vs_dest {
61190 __be16 port; /* port number of the server */
61191 union nf_inet_addr addr; /* IP address of the server */
61192 volatile unsigned flags; /* dest status flags */
61193- atomic_t conn_flags; /* flags to copy to conn */
61194+ atomic_unchecked_t conn_flags; /* flags to copy to conn */
61195 atomic_t weight; /* server weight */
61196
61197 atomic_t refcnt; /* reference counter */
61198diff -urNp linux-3.1.1/include/net/irda/ircomm_core.h linux-3.1.1/include/net/irda/ircomm_core.h
61199--- linux-3.1.1/include/net/irda/ircomm_core.h 2011-11-11 15:19:27.000000000 -0500
61200+++ linux-3.1.1/include/net/irda/ircomm_core.h 2011-11-16 18:39:08.000000000 -0500
61201@@ -51,7 +51,7 @@ typedef struct {
61202 int (*connect_response)(struct ircomm_cb *, struct sk_buff *);
61203 int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *,
61204 struct ircomm_info *);
61205-} call_t;
61206+} __no_const call_t;
61207
61208 struct ircomm_cb {
61209 irda_queue_t queue;
61210diff -urNp linux-3.1.1/include/net/irda/ircomm_tty.h linux-3.1.1/include/net/irda/ircomm_tty.h
61211--- linux-3.1.1/include/net/irda/ircomm_tty.h 2011-11-11 15:19:27.000000000 -0500
61212+++ linux-3.1.1/include/net/irda/ircomm_tty.h 2011-11-16 18:39:08.000000000 -0500
61213@@ -35,6 +35,7 @@
61214 #include <linux/termios.h>
61215 #include <linux/timer.h>
61216 #include <linux/tty.h> /* struct tty_struct */
61217+#include <asm/local.h>
61218
61219 #include <net/irda/irias_object.h>
61220 #include <net/irda/ircomm_core.h>
61221@@ -105,8 +106,8 @@ struct ircomm_tty_cb {
61222 unsigned short close_delay;
61223 unsigned short closing_wait; /* time to wait before closing */
61224
61225- int open_count;
61226- int blocked_open; /* # of blocked opens */
61227+ local_t open_count;
61228+ local_t blocked_open; /* # of blocked opens */
61229
61230 /* Protect concurent access to :
61231 * o self->open_count
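Review bot: `open_count` and `blocked_open` become `local_t`, which the kernel defines as atomic only with respect to the local CPU (it is intended for per-cpu data), so cross-CPU consistency still rests entirely on the lock that the context comment at the end of this hunk says protects `self->open_count`. That is worth stating next to the fields, e.g. `local_t open_count; /* local_t, not atomic_t: serialized by the lock below */`, so a later reader does not assume the counters are SMP-safe on their own. The readers and writers of these fields live in net/irda/ircomm and must move to local_inc/local_dec/local_read; none of that is in view. The ircomm_tty_cb definition starts outside the hunk.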
61232diff -urNp linux-3.1.1/include/net/iucv/af_iucv.h linux-3.1.1/include/net/iucv/af_iucv.h
61233--- linux-3.1.1/include/net/iucv/af_iucv.h 2011-11-11 15:19:27.000000000 -0500
61234+++ linux-3.1.1/include/net/iucv/af_iucv.h 2011-11-16 18:39:08.000000000 -0500
61235@@ -87,7 +87,7 @@ struct iucv_sock {
61236 struct iucv_sock_list {
61237 struct hlist_head head;
61238 rwlock_t lock;
61239- atomic_t autobind_name;
61240+ atomic_unchecked_t autobind_name;
61241 };
61242
61243 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
61244diff -urNp linux-3.1.1/include/net/lapb.h linux-3.1.1/include/net/lapb.h
61245--- linux-3.1.1/include/net/lapb.h 2011-11-11 15:19:27.000000000 -0500
61246+++ linux-3.1.1/include/net/lapb.h 2011-11-16 18:39:08.000000000 -0500
61247@@ -95,7 +95,7 @@ struct lapb_cb {
61248 struct sk_buff_head write_queue;
61249 struct sk_buff_head ack_queue;
61250 unsigned char window;
61251- struct lapb_register_struct callbacks;
61252+ struct lapb_register_struct *callbacks;
61253
61254 /* FRMR control information */
61255 struct lapb_frame frmr_data;
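Review bot: Changing `callbacks` from an embedded `struct lapb_register_struct` to a pointer turns a by-value copy into a borrowed reference, so the object registered by the caller must now outlive the lapb_cb and every `lapb->callbacks.fn` access in net/lapb must become `lapb->callbacks->fn` (with a NULL check where registration may not have happened); none of that is visible here. Presumably the change exists so the callback table can be a `const` object accepted by the constify plugin; if so, `const struct lapb_register_struct *callbacks;` would state that and prevent writes through the new pointer. A field comment such as `/* owned by the registering driver; must stay valid until lapb_unregister() */` would document the new lifetime contract.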
61256diff -urNp linux-3.1.1/include/net/neighbour.h linux-3.1.1/include/net/neighbour.h
61257--- linux-3.1.1/include/net/neighbour.h 2011-11-11 15:19:27.000000000 -0500
61258+++ linux-3.1.1/include/net/neighbour.h 2011-11-16 18:39:08.000000000 -0500
61259@@ -122,7 +122,7 @@ struct neigh_ops {
61260 void (*error_report)(struct neighbour *, struct sk_buff *);
61261 int (*output)(struct neighbour *, struct sk_buff *);
61262 int (*connected_output)(struct neighbour *, struct sk_buff *);
61263-};
61264+} __do_const;
61265
61266 struct pneigh_entry {
61267 struct pneigh_entry *next;
61268diff -urNp linux-3.1.1/include/net/netlink.h linux-3.1.1/include/net/netlink.h
61269--- linux-3.1.1/include/net/netlink.h 2011-11-11 15:19:27.000000000 -0500
61270+++ linux-3.1.1/include/net/netlink.h 2011-11-16 18:39:08.000000000 -0500
61271@@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
61272 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
61273 {
61274 if (mark)
61275- skb_trim(skb, (unsigned char *) mark - skb->data);
61276+ skb_trim(skb, (const unsigned char *) mark - skb->data);
61277 }
61278
61279 /**
61280diff -urNp linux-3.1.1/include/net/netns/ipv4.h linux-3.1.1/include/net/netns/ipv4.h
61281--- linux-3.1.1/include/net/netns/ipv4.h 2011-11-11 15:19:27.000000000 -0500
61282+++ linux-3.1.1/include/net/netns/ipv4.h 2011-11-16 18:39:08.000000000 -0500
61283@@ -56,8 +56,8 @@ struct netns_ipv4 {
61284
61285 unsigned int sysctl_ping_group_range[2];
61286
61287- atomic_t rt_genid;
61288- atomic_t dev_addr_genid;
61289+ atomic_unchecked_t rt_genid;
61290+ atomic_unchecked_t dev_addr_genid;
61291
61292 #ifdef CONFIG_IP_MROUTE
61293 #ifndef CONFIG_IP_MROUTE_MULTIPLE_TABLES
61294diff -urNp linux-3.1.1/include/net/sctp/sctp.h linux-3.1.1/include/net/sctp/sctp.h
61295--- linux-3.1.1/include/net/sctp/sctp.h 2011-11-11 15:19:27.000000000 -0500
61296+++ linux-3.1.1/include/net/sctp/sctp.h 2011-11-16 18:39:08.000000000 -0500
61297@@ -318,9 +318,9 @@ do { \
61298
61299 #else /* SCTP_DEBUG */
61300
61301-#define SCTP_DEBUG_PRINTK(whatever...)
61302-#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
61303-#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
61304+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
61305+#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
61306+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
61307 #define SCTP_ENABLE_DEBUG
61308 #define SCTP_DISABLE_DEBUG
61309 #define SCTP_ASSERT(expr, str, func)
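Review bot: The three debug printk macros now expand to `do {} while (0)`, but `SCTP_ASSERT(expr, str, func)` on the last context line of this hunk still expands to nothing, so it keeps the same dangling-statement hazard the change removes for the printks (an unbraced `if (...) SCTP_ASSERT(...);` silently attaches the next statement). For consistency it should become `#define SCTP_ASSERT(expr, str, func) do {} while (0)`. As before, none of these forms evaluate their arguments in the non-debug build, so the change is behaviour-neutral for correct callers.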
61310diff -urNp linux-3.1.1/include/net/sock.h linux-3.1.1/include/net/sock.h
61311--- linux-3.1.1/include/net/sock.h 2011-11-11 15:19:27.000000000 -0500
61312+++ linux-3.1.1/include/net/sock.h 2011-11-16 18:39:08.000000000 -0500
61313@@ -278,7 +278,7 @@ struct sock {
61314 #ifdef CONFIG_RPS
61315 __u32 sk_rxhash;
61316 #endif
61317- atomic_t sk_drops;
61318+ atomic_unchecked_t sk_drops;
61319 int sk_rcvbuf;
61320
61321 struct sk_filter __rcu *sk_filter;
61322@@ -1391,7 +1391,7 @@ static inline void sk_nocaps_add(struct
61323 }
61324
61325 static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb,
61326- char __user *from, char *to,
61327+ char __user *from, unsigned char *to,
61328 int copy, int offset)
61329 {
61330 if (skb->ip_summed == CHECKSUM_NONE) {
61331diff -urNp linux-3.1.1/include/net/tcp.h linux-3.1.1/include/net/tcp.h
61332--- linux-3.1.1/include/net/tcp.h 2011-11-11 15:19:27.000000000 -0500
61333+++ linux-3.1.1/include/net/tcp.h 2011-11-16 18:39:08.000000000 -0500
61334@@ -1401,8 +1401,8 @@ enum tcp_seq_states {
61335 struct tcp_seq_afinfo {
61336 char *name;
61337 sa_family_t family;
61338- struct file_operations seq_fops;
61339- struct seq_operations seq_ops;
61340+ file_operations_no_const seq_fops;
61341+ seq_operations_no_const seq_ops;
61342 };
61343
61344 struct tcp_iter_state {
61345diff -urNp linux-3.1.1/include/net/udp.h linux-3.1.1/include/net/udp.h
61346--- linux-3.1.1/include/net/udp.h 2011-11-11 15:19:27.000000000 -0500
61347+++ linux-3.1.1/include/net/udp.h 2011-11-16 18:39:08.000000000 -0500
61348@@ -234,8 +234,8 @@ struct udp_seq_afinfo {
61349 char *name;
61350 sa_family_t family;
61351 struct udp_table *udp_table;
61352- struct file_operations seq_fops;
61353- struct seq_operations seq_ops;
61354+ file_operations_no_const seq_fops;
61355+ seq_operations_no_const seq_ops;
61356 };
61357
61358 struct udp_iter_state {
61359diff -urNp linux-3.1.1/include/net/xfrm.h linux-3.1.1/include/net/xfrm.h
61360--- linux-3.1.1/include/net/xfrm.h 2011-11-11 15:19:27.000000000 -0500
61361+++ linux-3.1.1/include/net/xfrm.h 2011-11-16 18:39:08.000000000 -0500
61362@@ -505,7 +505,7 @@ struct xfrm_policy {
61363 struct timer_list timer;
61364
61365 struct flow_cache_object flo;
61366- atomic_t genid;
61367+ atomic_unchecked_t genid;
61368 u32 priority;
61369 u32 index;
61370 struct xfrm_mark mark;
61371diff -urNp linux-3.1.1/include/rdma/iw_cm.h linux-3.1.1/include/rdma/iw_cm.h
61372--- linux-3.1.1/include/rdma/iw_cm.h 2011-11-11 15:19:27.000000000 -0500
61373+++ linux-3.1.1/include/rdma/iw_cm.h 2011-11-16 18:39:08.000000000 -0500
61374@@ -120,7 +120,7 @@ struct iw_cm_verbs {
61375 int backlog);
61376
61377 int (*destroy_listen)(struct iw_cm_id *cm_id);
61378-};
61379+} __no_const;
61380
61381 /**
61382 * iw_create_cm_id - Create an IW CM identifier.
61383diff -urNp linux-3.1.1/include/scsi/libfc.h linux-3.1.1/include/scsi/libfc.h
61384--- linux-3.1.1/include/scsi/libfc.h 2011-11-11 15:19:27.000000000 -0500
61385+++ linux-3.1.1/include/scsi/libfc.h 2011-11-16 18:39:08.000000000 -0500
61386@@ -758,6 +758,7 @@ struct libfc_function_template {
61387 */
61388 void (*disc_stop_final) (struct fc_lport *);
61389 };
61390+typedef struct libfc_function_template __no_const libfc_function_template_no_const;
61391
61392 /**
61393 * struct fc_disc - Discovery context
61394@@ -861,7 +862,7 @@ struct fc_lport {
61395 struct fc_vport *vport;
61396
61397 /* Operational Information */
61398- struct libfc_function_template tt;
61399+ libfc_function_template_no_const tt;
61400 u8 link_up;
61401 u8 qfull;
61402 enum fc_lport_state state;
61403diff -urNp linux-3.1.1/include/scsi/scsi_device.h linux-3.1.1/include/scsi/scsi_device.h
61404--- linux-3.1.1/include/scsi/scsi_device.h 2011-11-11 15:19:27.000000000 -0500
61405+++ linux-3.1.1/include/scsi/scsi_device.h 2011-11-16 18:39:08.000000000 -0500
61406@@ -161,9 +161,9 @@ struct scsi_device {
61407 unsigned int max_device_blocked; /* what device_blocked counts down from */
61408 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
61409
61410- atomic_t iorequest_cnt;
61411- atomic_t iodone_cnt;
61412- atomic_t ioerr_cnt;
61413+ atomic_unchecked_t iorequest_cnt;
61414+ atomic_unchecked_t iodone_cnt;
61415+ atomic_unchecked_t ioerr_cnt;
61416
61417 struct device sdev_gendev,
61418 sdev_dev;
61419diff -urNp linux-3.1.1/include/scsi/scsi_transport_fc.h linux-3.1.1/include/scsi/scsi_transport_fc.h
61420--- linux-3.1.1/include/scsi/scsi_transport_fc.h 2011-11-11 15:19:27.000000000 -0500
61421+++ linux-3.1.1/include/scsi/scsi_transport_fc.h 2011-11-16 18:39:08.000000000 -0500
61422@@ -711,7 +711,7 @@ struct fc_function_template {
61423 unsigned long show_host_system_hostname:1;
61424
61425 unsigned long disable_target_scan:1;
61426-};
61427+} __do_const;
61428
61429
61430 /**
61431diff -urNp linux-3.1.1/include/sound/ak4xxx-adda.h linux-3.1.1/include/sound/ak4xxx-adda.h
61432--- linux-3.1.1/include/sound/ak4xxx-adda.h 2011-11-11 15:19:27.000000000 -0500
61433+++ linux-3.1.1/include/sound/ak4xxx-adda.h 2011-11-16 18:39:08.000000000 -0500
61434@@ -35,7 +35,7 @@ struct snd_ak4xxx_ops {
61435 void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg,
61436 unsigned char val);
61437 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
61438-};
61439+} __no_const;
61440
61441 #define AK4XXX_IMAGE_SIZE (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */
61442
61443diff -urNp linux-3.1.1/include/sound/hwdep.h linux-3.1.1/include/sound/hwdep.h
61444--- linux-3.1.1/include/sound/hwdep.h 2011-11-11 15:19:27.000000000 -0500
61445+++ linux-3.1.1/include/sound/hwdep.h 2011-11-16 18:39:08.000000000 -0500
61446@@ -49,7 +49,7 @@ struct snd_hwdep_ops {
61447 struct snd_hwdep_dsp_status *status);
61448 int (*dsp_load)(struct snd_hwdep *hw,
61449 struct snd_hwdep_dsp_image *image);
61450-};
61451+} __no_const;
61452
61453 struct snd_hwdep {
61454 struct snd_card *card;
61455diff -urNp linux-3.1.1/include/sound/info.h linux-3.1.1/include/sound/info.h
61456--- linux-3.1.1/include/sound/info.h 2011-11-11 15:19:27.000000000 -0500
61457+++ linux-3.1.1/include/sound/info.h 2011-11-16 18:39:08.000000000 -0500
61458@@ -44,7 +44,7 @@ struct snd_info_entry_text {
61459 struct snd_info_buffer *buffer);
61460 void (*write)(struct snd_info_entry *entry,
61461 struct snd_info_buffer *buffer);
61462-};
61463+} __no_const;
61464
61465 struct snd_info_entry_ops {
61466 int (*open)(struct snd_info_entry *entry,
61467diff -urNp linux-3.1.1/include/sound/pcm.h linux-3.1.1/include/sound/pcm.h
61468--- linux-3.1.1/include/sound/pcm.h 2011-11-11 15:19:27.000000000 -0500
61469+++ linux-3.1.1/include/sound/pcm.h 2011-11-16 18:39:08.000000000 -0500
61470@@ -81,6 +81,7 @@ struct snd_pcm_ops {
61471 int (*mmap)(struct snd_pcm_substream *substream, struct vm_area_struct *vma);
61472 int (*ack)(struct snd_pcm_substream *substream);
61473 };
61474+typedef struct snd_pcm_ops __no_const snd_pcm_ops_no_const;
61475
61476 /*
61477 *
61478diff -urNp linux-3.1.1/include/sound/sb16_csp.h linux-3.1.1/include/sound/sb16_csp.h
61479--- linux-3.1.1/include/sound/sb16_csp.h 2011-11-11 15:19:27.000000000 -0500
61480+++ linux-3.1.1/include/sound/sb16_csp.h 2011-11-16 18:39:08.000000000 -0500
61481@@ -146,7 +146,7 @@ struct snd_sb_csp_ops {
61482 int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels);
61483 int (*csp_stop) (struct snd_sb_csp * p);
61484 int (*csp_qsound_transfer) (struct snd_sb_csp * p);
61485-};
61486+} __no_const;
61487
61488 /*
61489 * CSP private data
61490diff -urNp linux-3.1.1/include/sound/soc.h linux-3.1.1/include/sound/soc.h
61491--- linux-3.1.1/include/sound/soc.h 2011-11-11 15:19:27.000000000 -0500
61492+++ linux-3.1.1/include/sound/soc.h 2011-11-16 18:39:08.000000000 -0500
61493@@ -676,7 +676,7 @@ struct snd_soc_platform_driver {
61494 /* platform IO - used for platform DAPM */
61495 unsigned int (*read)(struct snd_soc_platform *, unsigned int);
61496 int (*write)(struct snd_soc_platform *, unsigned int, unsigned int);
61497-};
61498+} __do_const;
61499
61500 struct snd_soc_platform {
61501 const char *name;
61502diff -urNp linux-3.1.1/include/sound/ymfpci.h linux-3.1.1/include/sound/ymfpci.h
61503--- linux-3.1.1/include/sound/ymfpci.h 2011-11-11 15:19:27.000000000 -0500
61504+++ linux-3.1.1/include/sound/ymfpci.h 2011-11-16 18:39:08.000000000 -0500
61505@@ -358,7 +358,7 @@ struct snd_ymfpci {
61506 spinlock_t reg_lock;
61507 spinlock_t voice_lock;
61508 wait_queue_head_t interrupt_sleep;
61509- atomic_t interrupt_sleep_count;
61510+ atomic_unchecked_t interrupt_sleep_count;
61511 struct snd_info_entry *proc_entry;
61512 const struct firmware *dsp_microcode;
61513 const struct firmware *controller_microcode;
61514diff -urNp linux-3.1.1/include/target/target_core_base.h linux-3.1.1/include/target/target_core_base.h
61515--- linux-3.1.1/include/target/target_core_base.h 2011-11-11 15:19:27.000000000 -0500
61516+++ linux-3.1.1/include/target/target_core_base.h 2011-11-16 18:39:08.000000000 -0500
61517@@ -356,7 +356,7 @@ struct t10_reservation_ops {
61518 int (*t10_seq_non_holder)(struct se_cmd *, unsigned char *, u32);
61519 int (*t10_pr_register)(struct se_cmd *);
61520 int (*t10_pr_clear)(struct se_cmd *);
61521-};
61522+} __no_const;
61523
61524 struct t10_reservation {
61525 /* Reservation effects all target ports */
61526@@ -496,8 +496,8 @@ struct se_cmd {
61527 atomic_t t_task_cdbs_left;
61528 atomic_t t_task_cdbs_ex_left;
61529 atomic_t t_task_cdbs_timeout_left;
61530- atomic_t t_task_cdbs_sent;
61531- atomic_t t_transport_aborted;
61532+ atomic_unchecked_t t_task_cdbs_sent;
61533+ atomic_unchecked_t t_transport_aborted;
61534 atomic_t t_transport_active;
61535 atomic_t t_transport_complete;
61536 atomic_t t_transport_queue_active;
61537@@ -744,7 +744,7 @@ struct se_device {
61538 atomic_t active_cmds;
61539 atomic_t simple_cmds;
61540 atomic_t depth_left;
61541- atomic_t dev_ordered_id;
61542+ atomic_unchecked_t dev_ordered_id;
61543 atomic_t dev_tur_active;
61544 atomic_t execute_tasks;
61545 atomic_t dev_status_thr_count;
61546diff -urNp linux-3.1.1/include/trace/events/irq.h linux-3.1.1/include/trace/events/irq.h
61547--- linux-3.1.1/include/trace/events/irq.h 2011-11-11 15:19:27.000000000 -0500
61548+++ linux-3.1.1/include/trace/events/irq.h 2011-11-16 18:39:08.000000000 -0500
61549@@ -36,7 +36,7 @@ struct softirq_action;
61550 */
61551 TRACE_EVENT(irq_handler_entry,
61552
61553- TP_PROTO(int irq, struct irqaction *action),
61554+ TP_PROTO(int irq, const struct irqaction *action),
61555
61556 TP_ARGS(irq, action),
61557
61558@@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
61559 */
61560 TRACE_EVENT(irq_handler_exit,
61561
61562- TP_PROTO(int irq, struct irqaction *action, int ret),
61563+ TP_PROTO(int irq, const struct irqaction *action, int ret),
61564
61565 TP_ARGS(irq, action, ret),
61566
61567diff -urNp linux-3.1.1/include/video/udlfb.h linux-3.1.1/include/video/udlfb.h
61568--- linux-3.1.1/include/video/udlfb.h 2011-11-11 15:19:27.000000000 -0500
61569+++ linux-3.1.1/include/video/udlfb.h 2011-11-16 18:39:08.000000000 -0500
61570@@ -51,10 +51,10 @@ struct dlfb_data {
61571 int base8;
61572 u32 pseudo_palette[256];
61573 /* blit-only rendering path metrics, exposed through sysfs */
61574- atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
61575- atomic_t bytes_identical; /* saved effort with backbuffer comparison */
61576- atomic_t bytes_sent; /* to usb, after compression including overhead */
61577- atomic_t cpu_kcycles_used; /* transpired during pixel processing */
61578+ atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
61579+ atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
61580+ atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
61581+ atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
61582 };
61583
61584 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
61585diff -urNp linux-3.1.1/include/video/uvesafb.h linux-3.1.1/include/video/uvesafb.h
61586--- linux-3.1.1/include/video/uvesafb.h 2011-11-11 15:19:27.000000000 -0500
61587+++ linux-3.1.1/include/video/uvesafb.h 2011-11-16 18:39:08.000000000 -0500
61588@@ -177,6 +177,7 @@ struct uvesafb_par {
61589 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
61590 u8 pmi_setpal; /* PMI for palette changes */
61591 u16 *pmi_base; /* protected mode interface location */
61592+ u8 *pmi_code; /* protected mode code location */
61593 void *pmi_start;
61594 void *pmi_pal;
61595 u8 *vbe_state_orig; /*
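Review bot: The new `pmi_code` field carries only the comment `protected mode code location`, which does not say how it relates to the adjacent `pmi_base` ("protected mode interface location") or who allocates and frees it. If the design is that the PMI code is now copied into a separately allocated executable region while `pmi_base` keeps the data view, the comment should say so, e.g. `/* separate executable copy of the PMI code; freed together with pmi_base */`, and the allocation/free pairing in uvesafb.c, which is not in view, should be named. Without that, a reader cannot tell whether `pmi_start` and `pmi_pal` are expected to point into `pmi_base` or into `pmi_code`.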
61596diff -urNp linux-3.1.1/init/do_mounts.c linux-3.1.1/init/do_mounts.c
61597--- linux-3.1.1/init/do_mounts.c 2011-11-11 15:19:27.000000000 -0500
61598+++ linux-3.1.1/init/do_mounts.c 2011-11-16 18:39:08.000000000 -0500
61599@@ -287,11 +287,11 @@ static void __init get_fs_names(char *pa
61600
61601 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
61602 {
61603- int err = sys_mount(name, "/root", fs, flags, data);
61604+ int err = sys_mount((char __force_user *)name, (char __force_user *)"/root", (char __force_user *)fs, flags, (void __force_user *)data);
61605 if (err)
61606 return err;
61607
61608- sys_chdir((const char __user __force *)"/root");
61609+ sys_chdir((const char __force_user*)"/root");
61610 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
61611 printk(KERN_INFO
61612 "VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
61613@@ -383,18 +383,18 @@ void __init change_floppy(char *fmt, ...
61614 va_start(args, fmt);
61615 vsprintf(buf, fmt, args);
61616 va_end(args);
61617- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
61618+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
61619 if (fd >= 0) {
61620 sys_ioctl(fd, FDEJECT, 0);
61621 sys_close(fd);
61622 }
61623 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
61624- fd = sys_open("/dev/console", O_RDWR, 0);
61625+ fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
61626 if (fd >= 0) {
61627 sys_ioctl(fd, TCGETS, (long)&termios);
61628 termios.c_lflag &= ~ICANON;
61629 sys_ioctl(fd, TCSETSF, (long)&termios);
61630- sys_read(fd, &c, 1);
61631+ sys_read(fd, (char __user *)&c, 1);
61632 termios.c_lflag |= ICANON;
61633 sys_ioctl(fd, TCSETSF, (long)&termios);
61634 sys_close(fd);
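Review bot: Two of the casts added in change_floppy omit `__force`: `(char __user *)"/dev/root"` on the first sys_open line and `(char __user *)&c` on the sys_read line, while the `/dev/console` open uses `(__force const char __user *)`. Casting a kernel pointer to a `__user` pointer without `__force` is exactly what sparse's address-space check is meant to flag, so these two lines presumably still warn under `C=1`, and the patch's own `__force_user` shorthand looks like the intended spelling: `fd = sys_open((const char __force_user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (char __force_user *)&c, 1);`. The `/dev/console` cast could use the same shorthand for consistency with the rest of the file. change_floppy starts before the hunk and ends after it.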
61635@@ -488,6 +488,6 @@ void __init prepare_namespace(void)
61636 mount_root();
61637 out:
61638 devtmpfs_mount("dev");
61639- sys_mount(".", "/", NULL, MS_MOVE, NULL);
61640- sys_chroot((const char __user __force *)".");
61641+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
61642+ sys_chroot((const char __force_user *)".");
61643 }
61644diff -urNp linux-3.1.1/init/do_mounts.h linux-3.1.1/init/do_mounts.h
61645--- linux-3.1.1/init/do_mounts.h 2011-11-11 15:19:27.000000000 -0500
61646+++ linux-3.1.1/init/do_mounts.h 2011-11-16 18:39:08.000000000 -0500
61647@@ -15,15 +15,15 @@ extern int root_mountflags;
61648
61649 static inline int create_dev(char *name, dev_t dev)
61650 {
61651- sys_unlink(name);
61652- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
61653+ sys_unlink((char __force_user *)name);
61654+ return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
61655 }
61656
61657 #if BITS_PER_LONG == 32
61658 static inline u32 bstat(char *name)
61659 {
61660 struct stat64 stat;
61661- if (sys_stat64(name, &stat) != 0)
61662+ if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
61663 return 0;
61664 if (!S_ISBLK(stat.st_mode))
61665 return 0;
61666@@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
61667 static inline u32 bstat(char *name)
61668 {
61669 struct stat stat;
61670- if (sys_newstat(name, &stat) != 0)
61671+ if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
61672 return 0;
61673 if (!S_ISBLK(stat.st_mode))
61674 return 0;
61675diff -urNp linux-3.1.1/init/do_mounts_initrd.c linux-3.1.1/init/do_mounts_initrd.c
61676--- linux-3.1.1/init/do_mounts_initrd.c 2011-11-11 15:19:27.000000000 -0500
61677+++ linux-3.1.1/init/do_mounts_initrd.c 2011-11-16 18:39:08.000000000 -0500
61678@@ -44,13 +44,13 @@ static void __init handle_initrd(void)
61679 create_dev("/dev/root.old", Root_RAM0);
61680 /* mount initrd on rootfs' /root */
61681 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
61682- sys_mkdir("/old", 0700);
61683- root_fd = sys_open("/", 0, 0);
61684- old_fd = sys_open("/old", 0, 0);
61685+ sys_mkdir((const char __force_user *)"/old", 0700);
61686+ root_fd = sys_open((const char __force_user *)"/", 0, 0);
61687+ old_fd = sys_open((const char __force_user *)"/old", 0, 0);
61688 /* move initrd over / and chdir/chroot in initrd root */
61689- sys_chdir("/root");
61690- sys_mount(".", "/", NULL, MS_MOVE, NULL);
61691- sys_chroot(".");
61692+ sys_chdir((const char __force_user *)"/root");
61693+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
61694+ sys_chroot((const char __force_user *)".");
61695
61696 /*
61697 * In case that a resume from disk is carried out by linuxrc or one of
61698@@ -67,15 +67,15 @@ static void __init handle_initrd(void)
61699
61700 /* move initrd to rootfs' /old */
61701 sys_fchdir(old_fd);
61702- sys_mount("/", ".", NULL, MS_MOVE, NULL);
61703+ sys_mount((char __force_user *)"/", (char __force_user *)".", NULL, MS_MOVE, NULL);
61704 /* switch root and cwd back to / of rootfs */
61705 sys_fchdir(root_fd);
61706- sys_chroot(".");
61707+ sys_chroot((const char __force_user *)".");
61708 sys_close(old_fd);
61709 sys_close(root_fd);
61710
61711 if (new_decode_dev(real_root_dev) == Root_RAM0) {
61712- sys_chdir("/old");
61713+ sys_chdir((const char __force_user *)"/old");
61714 return;
61715 }
61716
61717@@ -83,17 +83,17 @@ static void __init handle_initrd(void)
61718 mount_root();
61719
61720 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
61721- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
61722+ error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
61723 if (!error)
61724 printk("okay\n");
61725 else {
61726- int fd = sys_open("/dev/root.old", O_RDWR, 0);
61727+ int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
61728 if (error == -ENOENT)
61729 printk("/initrd does not exist. Ignored.\n");
61730 else
61731 printk("failed\n");
61732 printk(KERN_NOTICE "Unmounting old root\n");
61733- sys_umount("/old", MNT_DETACH);
61734+ sys_umount((char __force_user *)"/old", MNT_DETACH);
61735 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
61736 if (fd < 0) {
61737 error = fd;
61738@@ -116,11 +116,11 @@ int __init initrd_load(void)
61739 * mounted in the normal path.
61740 */
61741 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
61742- sys_unlink("/initrd.image");
61743+ sys_unlink((const char __force_user *)"/initrd.image");
61744 handle_initrd();
61745 return 1;
61746 }
61747 }
61748- sys_unlink("/initrd.image");
61749+ sys_unlink((const char __force_user *)"/initrd.image");
61750 return 0;
61751 }
61752diff -urNp linux-3.1.1/init/do_mounts_md.c linux-3.1.1/init/do_mounts_md.c
61753--- linux-3.1.1/init/do_mounts_md.c 2011-11-11 15:19:27.000000000 -0500
61754+++ linux-3.1.1/init/do_mounts_md.c 2011-11-16 18:39:08.000000000 -0500
61755@@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
61756 partitioned ? "_d" : "", minor,
61757 md_setup_args[ent].device_names);
61758
61759- fd = sys_open(name, 0, 0);
61760+ fd = sys_open((char __force_user *)name, 0, 0);
61761 if (fd < 0) {
61762 printk(KERN_ERR "md: open failed - cannot start "
61763 "array %s\n", name);
61764@@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
61765 * array without it
61766 */
61767 sys_close(fd);
61768- fd = sys_open(name, 0, 0);
61769+ fd = sys_open((char __force_user *)name, 0, 0);
61770 sys_ioctl(fd, BLKRRPART, 0);
61771 }
61772 sys_close(fd);
61773@@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
61774
61775 wait_for_device_probe();
61776
61777- fd = sys_open((const char __user __force *) "/dev/md0", 0, 0);
61778+ fd = sys_open((const char __force_user *) "/dev/md0", 0, 0);
61779 if (fd >= 0) {
61780 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
61781 sys_close(fd);
61782diff -urNp linux-3.1.1/init/initramfs.c linux-3.1.1/init/initramfs.c
61783--- linux-3.1.1/init/initramfs.c 2011-11-11 15:19:27.000000000 -0500
61784+++ linux-3.1.1/init/initramfs.c 2011-11-16 18:39:08.000000000 -0500
61785@@ -74,7 +74,7 @@ static void __init free_hash(void)
61786 }
61787 }
61788
61789-static long __init do_utime(char __user *filename, time_t mtime)
61790+static long __init do_utime(__force char __user *filename, time_t mtime)
61791 {
61792 struct timespec t[2];
61793
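Review bot: The `__force` added to do_utime's parameter declaration looks redundant: every call site touched by this patch (the dir_utime, do_name, do_copy and do_symlink hunks) now casts its argument with `(char __force_user *)`, and `__force` is conventionally applied at the cast rather than on a prototype. Keeping the original `static long __init do_utime(char __user *filename, time_t mtime)` and relying on the caller casts would express the same intent without the unusual qualifier position; if the declaration-site `__force` silences a specific sparse warning, a comment naming it would help the next reader. The function body continues outside the hunk.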
61794@@ -109,7 +109,7 @@ static void __init dir_utime(void)
61795 struct dir_entry *de, *tmp;
61796 list_for_each_entry_safe(de, tmp, &dir_list, list) {
61797 list_del(&de->list);
61798- do_utime(de->name, de->mtime);
61799+ do_utime((char __force_user *)de->name, de->mtime);
61800 kfree(de->name);
61801 kfree(de);
61802 }
61803@@ -271,7 +271,7 @@ static int __init maybe_link(void)
61804 if (nlink >= 2) {
61805 char *old = find_link(major, minor, ino, mode, collected);
61806 if (old)
61807- return (sys_link(old, collected) < 0) ? -1 : 1;
61808+ return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
61809 }
61810 return 0;
61811 }
61812@@ -280,11 +280,11 @@ static void __init clean_path(char *path
61813 {
61814 struct stat st;
61815
61816- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
61817+ if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
61818 if (S_ISDIR(st.st_mode))
61819- sys_rmdir(path);
61820+ sys_rmdir((char __force_user *)path);
61821 else
61822- sys_unlink(path);
61823+ sys_unlink((char __force_user *)path);
61824 }
61825 }
61826
61827@@ -305,7 +305,7 @@ static int __init do_name(void)
61828 int openflags = O_WRONLY|O_CREAT;
61829 if (ml != 1)
61830 openflags |= O_TRUNC;
61831- wfd = sys_open(collected, openflags, mode);
61832+ wfd = sys_open((char __force_user *)collected, openflags, mode);
61833
61834 if (wfd >= 0) {
61835 sys_fchown(wfd, uid, gid);
61836@@ -317,17 +317,17 @@ static int __init do_name(void)
61837 }
61838 }
61839 } else if (S_ISDIR(mode)) {
61840- sys_mkdir(collected, mode);
61841- sys_chown(collected, uid, gid);
61842- sys_chmod(collected, mode);
61843+ sys_mkdir((char __force_user *)collected, mode);
61844+ sys_chown((char __force_user *)collected, uid, gid);
61845+ sys_chmod((char __force_user *)collected, mode);
61846 dir_add(collected, mtime);
61847 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
61848 S_ISFIFO(mode) || S_ISSOCK(mode)) {
61849 if (maybe_link() == 0) {
61850- sys_mknod(collected, mode, rdev);
61851- sys_chown(collected, uid, gid);
61852- sys_chmod(collected, mode);
61853- do_utime(collected, mtime);
61854+ sys_mknod((char __force_user *)collected, mode, rdev);
61855+ sys_chown((char __force_user *)collected, uid, gid);
61856+ sys_chmod((char __force_user *)collected, mode);
61857+ do_utime((char __force_user *)collected, mtime);
61858 }
61859 }
61860 return 0;
61861@@ -336,15 +336,15 @@ static int __init do_name(void)
61862 static int __init do_copy(void)
61863 {
61864 if (count >= body_len) {
61865- sys_write(wfd, victim, body_len);
61866+ sys_write(wfd, (char __force_user *)victim, body_len);
61867 sys_close(wfd);
61868- do_utime(vcollected, mtime);
61869+ do_utime((char __force_user *)vcollected, mtime);
61870 kfree(vcollected);
61871 eat(body_len);
61872 state = SkipIt;
61873 return 0;
61874 } else {
61875- sys_write(wfd, victim, count);
61876+ sys_write(wfd, (char __force_user *)victim, count);
61877 body_len -= count;
61878 eat(count);
61879 return 1;
61880@@ -355,9 +355,9 @@ static int __init do_symlink(void)
61881 {
61882 collected[N_ALIGN(name_len) + body_len] = '\0';
61883 clean_path(collected, 0);
61884- sys_symlink(collected + N_ALIGN(name_len), collected);
61885- sys_lchown(collected, uid, gid);
61886- do_utime(collected, mtime);
61887+ sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
61888+ sys_lchown((char __force_user *)collected, uid, gid);
61889+ do_utime((char __force_user *)collected, mtime);
61890 state = SkipIt;
61891 next_state = Reset;
61892 return 0;
61893diff -urNp linux-3.1.1/init/Kconfig linux-3.1.1/init/Kconfig
61894--- linux-3.1.1/init/Kconfig 2011-11-11 15:19:27.000000000 -0500
61895+++ linux-3.1.1/init/Kconfig 2011-11-16 18:39:08.000000000 -0500
61896@@ -1202,7 +1202,7 @@ config SLUB_DEBUG
61897
61898 config COMPAT_BRK
61899 bool "Disable heap randomization"
61900- default y
61901+ default n
61902 help
61903 Randomizing heap placement makes heap exploits harder, but it
61904 also breaks ancient binaries (including anything libc5 based).
61905diff -urNp linux-3.1.1/init/main.c linux-3.1.1/init/main.c
61906--- linux-3.1.1/init/main.c 2011-11-11 15:19:27.000000000 -0500
61907+++ linux-3.1.1/init/main.c 2011-11-16 18:40:44.000000000 -0500
61908@@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
61909 extern void tc_init(void);
61910 #endif
61911
61912+extern void grsecurity_init(void);
61913+
61914 /*
61915 * Debug helper: via this flag we know that we are in 'early bootup code'
61916 * where only the boot processor is running with IRQ disabled. This means
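Review bot: `extern void grsecurity_init(void);` is declared inline in init/main.c rather than in a shared header, so the prototype is never checked against the definition and any other caller has to repeat it; the same pattern appears with the gr_handle_shmat/gr_chroot_shmat externs in the ipc/shm.c hunk. Moving these declarations into the grsecurity header the rest of the patch relies on (its name is not visible in this hunk) would keep one authoritative prototype per function. Note also that kernel_init calls grsecurity_init() unconditionally further down in this file, so a stub must exist when the grsecurity config is off — worth confirming.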
61917@@ -149,6 +151,49 @@ static int __init set_reset_devices(char
61918
61919 __setup("reset_devices", set_reset_devices);
61920
61921+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
61922+extern char pax_enter_kernel_user[];
61923+extern char pax_exit_kernel_user[];
61924+extern pgdval_t clone_pgd_mask;
61925+#endif
61926+
61927+#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
61928+static int __init setup_pax_nouderef(char *str)
61929+{
61930+#ifdef CONFIG_X86_32
61931+ unsigned int cpu;
61932+ struct desc_struct *gdt;
61933+
61934+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
61935+ gdt = get_cpu_gdt_table(cpu);
61936+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
61937+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
61938+ gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
61939+ gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
61940+ }
61941+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
61942+#else
61943+ memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
61944+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
61945+ clone_pgd_mask = ~(pgdval_t)0UL;
61946+#endif
61947+
61948+ return 0;
61949+}
61950+early_param("pax_nouderef", setup_pax_nouderef);
61951+#endif
61952+
61953+#ifdef CONFIG_PAX_SOFTMODE
61954+int pax_softmode;
61955+
61956+static int __init setup_pax_softmode(char *str)
61957+{
61958+ get_option(&str, &pax_softmode);
61959+ return 1;
61960+}
61961+__setup("pax_softmode=", setup_pax_softmode);
61962+#endif
61963+
61964 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
61965 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
61966 static const char *panic_later, *panic_param;
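Review bot: In setup_pax_nouderef the 32-bit branch walks `cpu < NR_CPUS` and writes through get_cpu_gdt_table(cpu) for every index, not only the CPUs that exist; at early_param time it is not clear from this hunk that per-cpu GDT storage for non-boot CPUs is distinct or even allocated yet, so the loop deserves a comment stating why the full NR_CPUS range is safe (or a for_each_possible_cpu() bound, if the mask is already populated by then — worth confirming). The `3` and `0xf` stored into the descriptor fields are magic numbers; a named constant or a one-line comment saying which segment type and limit they encode would make the change reviewable. The 64-bit branch overwrites live kernel text with a single `0xc3` byte via memcpy, which assumes text is still writable when early params are parsed; recording that assumption in a comment would help. `str` is unused, which is normal for early_param handlers.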
61967@@ -678,6 +723,7 @@ int __init_or_module do_one_initcall(ini
61968 {
61969 int count = preempt_count();
61970 int ret;
61971+ const char *msg1 = "", *msg2 = "";
61972
61973 if (initcall_debug)
61974 ret = do_one_initcall_debug(fn);
61975@@ -690,15 +736,15 @@ int __init_or_module do_one_initcall(ini
61976 sprintf(msgbuf, "error code %d ", ret);
61977
61978 if (preempt_count() != count) {
61979- strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
61980+ msg1 = " preemption imbalance";
61981 preempt_count() = count;
61982 }
61983 if (irqs_disabled()) {
61984- strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
61985+ msg2 = " disabled interrupts";
61986 local_irq_enable();
61987 }
61988- if (msgbuf[0]) {
61989- printk("initcall %pF returned with %s\n", fn, msgbuf);
61990+ if (msgbuf[0] || *msg1 || *msg2) {
61991+ printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
61992 }
61993
61994 return ret;
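Review bot: The new `msg1`/`msg2` strings carry a leading space while `msgbuf` keeps its trailing one (`"error code %d "` in the context above), so when both are set the output reads `returned with error code -5  preemption imbalance` with a doubled space, and when msgbuf is empty it reads `returned with  preemption imbalance`. Matching msgbuf's trailing-space convention, `msg1 = "preemption imbalance ";` and `msg2 = "disabled interrupts ";`, keeps every combination single-spaced exactly as the strlcat version did. do_one_initcall's body starts outside the hunk.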
61995@@ -817,7 +863,7 @@ static int __init kernel_init(void * unu
61996 do_basic_setup();
61997
61998 /* Open the /dev/console on the rootfs, this should never fail */
61999- if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
62000+ if (sys_open((const char __force_user *) "/dev/console", O_RDWR, 0) < 0)
62001 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
62002
62003 (void) sys_dup(0);
62004@@ -830,11 +876,13 @@ static int __init kernel_init(void * unu
62005 if (!ramdisk_execute_command)
62006 ramdisk_execute_command = "/init";
62007
62008- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
62009+ if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
62010 ramdisk_execute_command = NULL;
62011 prepare_namespace();
62012 }
62013
62014+ grsecurity_init();
62015+
62016 /*
62017 * Ok, we have completed the initial bootup, and
62018 * we're essentially up and running. Get rid of the
62019diff -urNp linux-3.1.1/ipc/mqueue.c linux-3.1.1/ipc/mqueue.c
62020--- linux-3.1.1/ipc/mqueue.c 2011-11-11 15:19:27.000000000 -0500
62021+++ linux-3.1.1/ipc/mqueue.c 2011-11-16 18:40:44.000000000 -0500
62022@@ -156,6 +156,7 @@ static struct inode *mqueue_get_inode(st
62023 mq_bytes = (mq_msg_tblsz +
62024 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
62025
62026+ gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
62027 spin_lock(&mq_lock);
62028 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
62029 u->mq_bytes + mq_bytes > task_rlimit(p, RLIMIT_MSGQUEUE)) {
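Review bot: gr_learn_resource() is handed `u->mq_bytes + mq_bytes` before mq_lock is taken, so it reads `u->mq_bytes` without the lock the following block uses to guard it, and in the wrap-around case that the next `if` explicitly detects (`u->mq_bytes + mq_bytes < u->mq_bytes`) it is given the already-wrapped value. If the learning hook only needs the requested size, passing a value computed under the lock, or after the overflow check, would keep what it records consistent with what the limit check actually sees; at minimum a comment that the unlocked read is tolerated for learning purposes would help. mqueue_get_inode's body continues outside the hunk.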
62030diff -urNp linux-3.1.1/ipc/msg.c linux-3.1.1/ipc/msg.c
62031--- linux-3.1.1/ipc/msg.c 2011-11-11 15:19:27.000000000 -0500
62032+++ linux-3.1.1/ipc/msg.c 2011-11-16 18:39:08.000000000 -0500
62033@@ -309,18 +309,19 @@ static inline int msg_security(struct ke
62034 return security_msg_queue_associate(msq, msgflg);
62035 }
62036
62037+static struct ipc_ops msg_ops = {
62038+ .getnew = newque,
62039+ .associate = msg_security,
62040+ .more_checks = NULL
62041+};
62042+
62043 SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
62044 {
62045 struct ipc_namespace *ns;
62046- struct ipc_ops msg_ops;
62047 struct ipc_params msg_params;
62048
62049 ns = current->nsproxy->ipc_ns;
62050
62051- msg_ops.getnew = newque;
62052- msg_ops.associate = msg_security;
62053- msg_ops.more_checks = NULL;
62054-
62055 msg_params.key = key;
62056 msg_params.flg = msgflg;
62057
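Review bot: The `msg_ops` table moved to file scope holds only function pointers and is never written, so it is a candidate for `static const struct ipc_ops msg_ops = { ... };` — a read-only function-pointer table lands in .rodata and is harder to corrupt; the same applies to `sem_ops` in the ipc/sem.c hunk and `shm_ops` in the ipc/shm.c hunk. Whether that compiles depends on the `ipc_ops` parameter type of ipcget(), which is not visible here; if it takes a non-const pointer the constification would need that signature adjusted too.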
62058diff -urNp linux-3.1.1/ipc/sem.c linux-3.1.1/ipc/sem.c
62059--- linux-3.1.1/ipc/sem.c 2011-11-11 15:19:27.000000000 -0500
62060+++ linux-3.1.1/ipc/sem.c 2011-11-16 18:40:44.000000000 -0500
62061@@ -318,10 +318,15 @@ static inline int sem_more_checks(struct
62062 return 0;
62063 }
62064
62065+static struct ipc_ops sem_ops = {
62066+ .getnew = newary,
62067+ .associate = sem_security,
62068+ .more_checks = sem_more_checks
62069+};
62070+
62071 SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
62072 {
62073 struct ipc_namespace *ns;
62074- struct ipc_ops sem_ops;
62075 struct ipc_params sem_params;
62076
62077 ns = current->nsproxy->ipc_ns;
62078@@ -329,10 +334,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
62079 if (nsems < 0 || nsems > ns->sc_semmsl)
62080 return -EINVAL;
62081
62082- sem_ops.getnew = newary;
62083- sem_ops.associate = sem_security;
62084- sem_ops.more_checks = sem_more_checks;
62085-
62086 sem_params.key = key;
62087 sem_params.flg = semflg;
62088 sem_params.u.nsems = nsems;
62089@@ -848,6 +849,8 @@ static int semctl_main(struct ipc_namesp
62090 int nsems;
62091 struct list_head tasks;
62092
62093+ pax_track_stack();
62094+
62095 sma = sem_lock_check(ns, semid);
62096 if (IS_ERR(sma))
62097 return PTR_ERR(sma);
62098@@ -1295,6 +1298,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
62099 struct ipc_namespace *ns;
62100 struct list_head tasks;
62101
62102+ pax_track_stack();
62103+
62104 ns = current->nsproxy->ipc_ns;
62105
62106 if (nsops < 1 || semid < 0)
62107diff -urNp linux-3.1.1/ipc/shm.c linux-3.1.1/ipc/shm.c
62108--- linux-3.1.1/ipc/shm.c 2011-11-11 15:19:27.000000000 -0500
62109+++ linux-3.1.1/ipc/shm.c 2011-11-16 18:40:44.000000000 -0500
62110@@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
62111 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
62112 #endif
62113
62114+#ifdef CONFIG_GRKERNSEC
62115+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
62116+ const time_t shm_createtime, const uid_t cuid,
62117+ const int shmid);
62118+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
62119+ const time_t shm_createtime);
62120+#endif
62121+
62122 void shm_init_ns(struct ipc_namespace *ns)
62123 {
62124 ns->shm_ctlmax = SHMMAX;
62125@@ -508,6 +516,14 @@ static int newseg(struct ipc_namespace *
62126 shp->shm_lprid = 0;
62127 shp->shm_atim = shp->shm_dtim = 0;
62128 shp->shm_ctim = get_seconds();
62129+#ifdef CONFIG_GRKERNSEC
62130+ {
62131+ struct timespec timeval;
62132+ do_posix_clock_monotonic_gettime(&timeval);
62133+
62134+ shp->shm_createtime = timeval.tv_sec;
62135+ }
62136+#endif
62137 shp->shm_segsz = size;
62138 shp->shm_nattch = 0;
62139 shp->shm_file = file;
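Review bot: In newseg the new local is a `struct timespec` named `timeval`, which is also the name of a different kernel type, so `timeval.tv_sec` is easy to misread; `struct timespec now;` would avoid that. The value comes from the monotonic clock while `shp->shm_ctim` on the line above uses get_seconds() (wall time), so `shm_createtime` is not comparable with the other shm_* timestamps; if that is deliberate (a monotonic stamp for the later gr_handle_shmat check), a one-line comment above the block saying so would spare the next reader the question. newseg starts and ends outside the hunk.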
62140@@ -559,18 +575,19 @@ static inline int shm_more_checks(struct
62141 return 0;
62142 }
62143
62144+static struct ipc_ops shm_ops = {
62145+ .getnew = newseg,
62146+ .associate = shm_security,
62147+ .more_checks = shm_more_checks
62148+};
62149+
62150 SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
62151 {
62152 struct ipc_namespace *ns;
62153- struct ipc_ops shm_ops;
62154 struct ipc_params shm_params;
62155
62156 ns = current->nsproxy->ipc_ns;
62157
62158- shm_ops.getnew = newseg;
62159- shm_ops.associate = shm_security;
62160- shm_ops.more_checks = shm_more_checks;
62161-
62162 shm_params.key = key;
62163 shm_params.flg = shmflg;
62164 shm_params.u.size = size;
62165@@ -870,8 +887,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
62166 case SHM_LOCK:
62167 case SHM_UNLOCK:
62168 {
62169- struct file *uninitialized_var(shm_file);
62170-
62171 lru_add_drain_all(); /* drain pagevecs to lru lists */
62172
62173 shp = shm_lock_check(ns, shmid);
62174@@ -1004,9 +1019,21 @@ long do_shmat(int shmid, char __user *sh
62175 if (err)
62176 goto out_unlock;
62177
62178+#ifdef CONFIG_GRKERNSEC
62179+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
62180+ shp->shm_perm.cuid, shmid) ||
62181+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
62182+ err = -EACCES;
62183+ goto out_unlock;
62184+ }
62185+#endif
62186+
62187 path = shp->shm_file->f_path;
62188 path_get(&path);
62189 shp->shm_nattch++;
62190+#ifdef CONFIG_GRKERNSEC
62191+ shp->shm_lapid = current->pid;
62192+#endif
62193 size = i_size_read(path.dentry->d_inode);
62194 shm_unlock(shp);
62195
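Review bot: `shp->shm_lapid = current->pid;` records the raw global pid of the attaching thread, whereas the existing shm_lprid bookkeeping elsewhere in this file (not visible in the hunk) is, as far as I recall, set through task_tgid_vnr(); if shm_lapid is later compared with values that are namespace-relative or thread-group based, the comparison can be off for threaded or containerised callers — worth confirming which identity gr_handle_shmat expects. A comment on the assignment stating whether the global, thread-level pid is intentional would settle it. do_shmat continues outside the hunk.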
62196diff -urNp linux-3.1.1/kernel/acct.c linux-3.1.1/kernel/acct.c
62197--- linux-3.1.1/kernel/acct.c 2011-11-11 15:19:27.000000000 -0500
62198+++ linux-3.1.1/kernel/acct.c 2011-11-16 18:39:08.000000000 -0500
62199@@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
62200 */
62201 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
62202 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
62203- file->f_op->write(file, (char *)&ac,
62204+ file->f_op->write(file, (char __force_user *)&ac,
62205 sizeof(acct_t), &file->f_pos);
62206 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
62207 set_fs(fs);
62208diff -urNp linux-3.1.1/kernel/audit.c linux-3.1.1/kernel/audit.c
62209--- linux-3.1.1/kernel/audit.c 2011-11-11 15:19:27.000000000 -0500
62210+++ linux-3.1.1/kernel/audit.c 2011-11-16 18:39:08.000000000 -0500
62211@@ -115,7 +115,7 @@ u32 audit_sig_sid = 0;
62212 3) suppressed due to audit_rate_limit
62213 4) suppressed due to audit_backlog_limit
62214 */
62215-static atomic_t audit_lost = ATOMIC_INIT(0);
62216+static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
62217
62218 /* The netlink socket. */
62219 static struct sock *audit_sock;
62220@@ -237,7 +237,7 @@ void audit_log_lost(const char *message)
62221 unsigned long now;
62222 int print;
62223
62224- atomic_inc(&audit_lost);
62225+ atomic_inc_unchecked(&audit_lost);
62226
62227 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
62228
62229@@ -256,7 +256,7 @@ void audit_log_lost(const char *message)
62230 printk(KERN_WARNING
62231 "audit: audit_lost=%d audit_rate_limit=%d "
62232 "audit_backlog_limit=%d\n",
62233- atomic_read(&audit_lost),
62234+ atomic_read_unchecked(&audit_lost),
62235 audit_rate_limit,
62236 audit_backlog_limit);
62237 audit_panic(message);
62238@@ -689,7 +689,7 @@ static int audit_receive_msg(struct sk_b
62239 status_set.pid = audit_pid;
62240 status_set.rate_limit = audit_rate_limit;
62241 status_set.backlog_limit = audit_backlog_limit;
62242- status_set.lost = atomic_read(&audit_lost);
62243+ status_set.lost = atomic_read_unchecked(&audit_lost);
62244 status_set.backlog = skb_queue_len(&audit_skb_queue);
62245 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
62246 &status_set, sizeof(status_set));
62247diff -urNp linux-3.1.1/kernel/auditsc.c linux-3.1.1/kernel/auditsc.c
62248--- linux-3.1.1/kernel/auditsc.c 2011-11-11 15:19:27.000000000 -0500
62249+++ linux-3.1.1/kernel/auditsc.c 2011-11-16 18:39:08.000000000 -0500
62250@@ -2118,7 +2118,7 @@ int auditsc_get_stamp(struct audit_conte
62251 }
62252
62253 /* global counter which is incremented every time something logs in */
62254-static atomic_t session_id = ATOMIC_INIT(0);
62255+static atomic_unchecked_t session_id = ATOMIC_INIT(0);
62256
62257 /**
62258 * audit_set_loginuid - set a task's audit_context loginuid
62259@@ -2131,7 +2131,7 @@ static atomic_t session_id = ATOMIC_INIT
62260 */
62261 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
62262 {
62263- unsigned int sessionid = atomic_inc_return(&session_id);
62264+ unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
62265 struct audit_context *context = task->audit_context;
62266
62267 if (context && context->in_syscall) {
62268diff -urNp linux-3.1.1/kernel/capability.c linux-3.1.1/kernel/capability.c
62269--- linux-3.1.1/kernel/capability.c 2011-11-11 15:19:27.000000000 -0500
62270+++ linux-3.1.1/kernel/capability.c 2011-11-16 18:40:44.000000000 -0500
62271@@ -202,6 +202,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
62272 * before modification is attempted and the application
62273 * fails.
62274 */
62275+ if (tocopy > ARRAY_SIZE(kdata))
62276+ return -EFAULT;
62277+
62278 if (copy_to_user(dataptr, kdata, tocopy
62279 * sizeof(struct __user_cap_data_struct))) {
62280 return -EFAULT;
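Review bot: The new guard `if (tocopy > ARRAY_SIZE(kdata)) return -EFAULT;` is a sound bound on the copy_to_user length, but -EFAULT describes a bad user address, not an impossible internal length; since `tocopy` is derived from the header version that earlier code in this function (outside the hunk) already rejects with -EINVAL, a consistent `return -EINVAL;` — or `WARN_ON_ONCE` plus -EINVAL if the condition is considered unreachable — would be clearer. A one-line comment saying the check defends the fixed-size `kdata` array against a future version bump would also help. The enclosing function starts before the hunk.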
62281@@ -374,7 +377,7 @@ bool ns_capable(struct user_namespace *n
62282 BUG();
62283 }
62284
62285- if (security_capable(ns, current_cred(), cap) == 0) {
62286+ if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable(cap)) {
62287 current->flags |= PF_SUPERPRIV;
62288 return true;
62289 }
62290@@ -382,6 +385,27 @@ bool ns_capable(struct user_namespace *n
62291 }
62292 EXPORT_SYMBOL(ns_capable);
62293
62294+bool ns_capable_nolog(struct user_namespace *ns, int cap)
62295+{
62296+ if (unlikely(!cap_valid(cap))) {
62297+ printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
62298+ BUG();
62299+ }
62300+
62301+ if (security_capable(ns, current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
62302+ current->flags |= PF_SUPERPRIV;
62303+ return true;
62304+ }
62305+ return false;
62306+}
62307+EXPORT_SYMBOL(ns_capable_nolog);
62308+
62309+bool capable_nolog(int cap)
62310+{
62311+ return ns_capable_nolog(&init_user_ns, cap);
62312+}
62313+EXPORT_SYMBOL(capable_nolog);
62314+
62315 /**
62316 * task_ns_capable - Determine whether current task has a superior
62317 * capability targeted at a specific task's user namespace.
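Review bot: The new exported ns_capable_nolog() and capable_nolog() (and task_ns_capable_nolog() in the following hunk) have no kernel-doc, while the neighbouring ns_capable/task_ns_capable entries in this file use `/** ... */` blocks with @ns/@cap and a return description; each should get one stating that it behaves like its logged counterpart except that the grsecurity check is the non-logging gr_is_capable_nolog(), and, for ns_capable_nolog, that it still sets PF_SUPERPRIV on success. The body duplicates ns_capable() verbatim apart from the gr_* call and even reuses its `"capable() called with invalid cap=%u\n"` message, so a failure would be misattributed in the log; either name the function in the message or factor the shared logic into a static helper that takes the gr_* predicate.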
62318@@ -396,6 +420,12 @@ bool task_ns_capable(struct task_struct
62319 }
62320 EXPORT_SYMBOL(task_ns_capable);
62321
62322+bool task_ns_capable_nolog(struct task_struct *t, int cap)
62323+{
62324+ return ns_capable_nolog(task_cred_xxx(t, user)->user_ns, cap);
62325+}
62326+EXPORT_SYMBOL(task_ns_capable_nolog);
62327+
62328 /**
62329 * nsown_capable - Check superior capability to one's own user_ns
62330 * @cap: The capability in question
62331diff -urNp linux-3.1.1/kernel/cgroup.c linux-3.1.1/kernel/cgroup.c
62332--- linux-3.1.1/kernel/cgroup.c 2011-11-11 15:19:27.000000000 -0500
62333+++ linux-3.1.1/kernel/cgroup.c 2011-11-16 18:40:44.000000000 -0500
62334@@ -595,6 +595,8 @@ static struct css_set *find_css_set(
62335 struct hlist_head *hhead;
62336 struct cg_cgroup_link *link;
62337
62338+ pax_track_stack();
62339+
62340 /* First see if we already have a cgroup group that matches
62341 * the desired set */
62342 read_lock(&css_set_lock);
62343diff -urNp linux-3.1.1/kernel/compat.c linux-3.1.1/kernel/compat.c
62344--- linux-3.1.1/kernel/compat.c 2011-11-11 15:19:27.000000000 -0500
62345+++ linux-3.1.1/kernel/compat.c 2011-11-16 18:40:44.000000000 -0500
62346@@ -13,6 +13,7 @@
62347
62348 #include <linux/linkage.h>
62349 #include <linux/compat.h>
62350+#include <linux/module.h>
62351 #include <linux/errno.h>
62352 #include <linux/time.h>
62353 #include <linux/signal.h>
62354@@ -167,7 +168,7 @@ static long compat_nanosleep_restart(str
62355 mm_segment_t oldfs;
62356 long ret;
62357
62358- restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
62359+ restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
62360 oldfs = get_fs();
62361 set_fs(KERNEL_DS);
62362 ret = hrtimer_nanosleep_restart(restart);
62363@@ -199,7 +200,7 @@ asmlinkage long compat_sys_nanosleep(str
62364 oldfs = get_fs();
62365 set_fs(KERNEL_DS);
62366 ret = hrtimer_nanosleep(&tu,
62367- rmtp ? (struct timespec __user *)&rmt : NULL,
62368+ rmtp ? (struct timespec __force_user *)&rmt : NULL,
62369 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
62370 set_fs(oldfs);
62371
62372@@ -308,7 +309,7 @@ asmlinkage long compat_sys_sigpending(co
62373 mm_segment_t old_fs = get_fs();
62374
62375 set_fs(KERNEL_DS);
62376- ret = sys_sigpending((old_sigset_t __user *) &s);
62377+ ret = sys_sigpending((old_sigset_t __force_user *) &s);
62378 set_fs(old_fs);
62379 if (ret == 0)
62380 ret = put_user(s, set);
62381@@ -331,8 +332,8 @@ asmlinkage long compat_sys_sigprocmask(i
62382 old_fs = get_fs();
62383 set_fs(KERNEL_DS);
62384 ret = sys_sigprocmask(how,
62385- set ? (old_sigset_t __user *) &s : NULL,
62386- oset ? (old_sigset_t __user *) &s : NULL);
62387+ set ? (old_sigset_t __force_user *) &s : NULL,
62388+ oset ? (old_sigset_t __force_user *) &s : NULL);
62389 set_fs(old_fs);
62390 if (ret == 0)
62391 if (oset)
62392@@ -369,7 +370,7 @@ asmlinkage long compat_sys_old_getrlimit
62393 mm_segment_t old_fs = get_fs();
62394
62395 set_fs(KERNEL_DS);
62396- ret = sys_old_getrlimit(resource, &r);
62397+ ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
62398 set_fs(old_fs);
62399
62400 if (!ret) {
62401@@ -441,7 +442,7 @@ asmlinkage long compat_sys_getrusage(int
62402 mm_segment_t old_fs = get_fs();
62403
62404 set_fs(KERNEL_DS);
62405- ret = sys_getrusage(who, (struct rusage __user *) &r);
62406+ ret = sys_getrusage(who, (struct rusage __force_user *) &r);
62407 set_fs(old_fs);
62408
62409 if (ret)
62410@@ -468,8 +469,8 @@ compat_sys_wait4(compat_pid_t pid, compa
62411 set_fs (KERNEL_DS);
62412 ret = sys_wait4(pid,
62413 (stat_addr ?
62414- (unsigned int __user *) &status : NULL),
62415- options, (struct rusage __user *) &r);
62416+ (unsigned int __force_user *) &status : NULL),
62417+ options, (struct rusage __force_user *) &r);
62418 set_fs (old_fs);
62419
62420 if (ret > 0) {
62421@@ -494,8 +495,8 @@ asmlinkage long compat_sys_waitid(int wh
62422 memset(&info, 0, sizeof(info));
62423
62424 set_fs(KERNEL_DS);
62425- ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
62426- uru ? (struct rusage __user *)&ru : NULL);
62427+ ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
62428+ uru ? (struct rusage __force_user *)&ru : NULL);
62429 set_fs(old_fs);
62430
62431 if ((ret < 0) || (info.si_signo == 0))
62432@@ -625,8 +626,8 @@ long compat_sys_timer_settime(timer_t ti
62433 oldfs = get_fs();
62434 set_fs(KERNEL_DS);
62435 err = sys_timer_settime(timer_id, flags,
62436- (struct itimerspec __user *) &newts,
62437- (struct itimerspec __user *) &oldts);
62438+ (struct itimerspec __force_user *) &newts,
62439+ (struct itimerspec __force_user *) &oldts);
62440 set_fs(oldfs);
62441 if (!err && old && put_compat_itimerspec(old, &oldts))
62442 return -EFAULT;
62443@@ -643,7 +644,7 @@ long compat_sys_timer_gettime(timer_t ti
62444 oldfs = get_fs();
62445 set_fs(KERNEL_DS);
62446 err = sys_timer_gettime(timer_id,
62447- (struct itimerspec __user *) &ts);
62448+ (struct itimerspec __force_user *) &ts);
62449 set_fs(oldfs);
62450 if (!err && put_compat_itimerspec(setting, &ts))
62451 return -EFAULT;
62452@@ -662,7 +663,7 @@ long compat_sys_clock_settime(clockid_t
62453 oldfs = get_fs();
62454 set_fs(KERNEL_DS);
62455 err = sys_clock_settime(which_clock,
62456- (struct timespec __user *) &ts);
62457+ (struct timespec __force_user *) &ts);
62458 set_fs(oldfs);
62459 return err;
62460 }
62461@@ -677,7 +678,7 @@ long compat_sys_clock_gettime(clockid_t
62462 oldfs = get_fs();
62463 set_fs(KERNEL_DS);
62464 err = sys_clock_gettime(which_clock,
62465- (struct timespec __user *) &ts);
62466+ (struct timespec __force_user *) &ts);
62467 set_fs(oldfs);
62468 if (!err && put_compat_timespec(&ts, tp))
62469 return -EFAULT;
62470@@ -697,7 +698,7 @@ long compat_sys_clock_adjtime(clockid_t
62471
62472 oldfs = get_fs();
62473 set_fs(KERNEL_DS);
62474- ret = sys_clock_adjtime(which_clock, (struct timex __user *) &txc);
62475+ ret = sys_clock_adjtime(which_clock, (struct timex __force_user *) &txc);
62476 set_fs(oldfs);
62477
62478 err = compat_put_timex(utp, &txc);
62479@@ -717,7 +718,7 @@ long compat_sys_clock_getres(clockid_t w
62480 oldfs = get_fs();
62481 set_fs(KERNEL_DS);
62482 err = sys_clock_getres(which_clock,
62483- (struct timespec __user *) &ts);
62484+ (struct timespec __force_user *) &ts);
62485 set_fs(oldfs);
62486 if (!err && tp && put_compat_timespec(&ts, tp))
62487 return -EFAULT;
62488@@ -729,9 +730,9 @@ static long compat_clock_nanosleep_resta
62489 long err;
62490 mm_segment_t oldfs;
62491 struct timespec tu;
62492- struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
62493+ struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
62494
62495- restart->nanosleep.rmtp = (struct timespec __user *) &tu;
62496+ restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
62497 oldfs = get_fs();
62498 set_fs(KERNEL_DS);
62499 err = clock_nanosleep_restart(restart);
62500@@ -763,8 +764,8 @@ long compat_sys_clock_nanosleep(clockid_
62501 oldfs = get_fs();
62502 set_fs(KERNEL_DS);
62503 err = sys_clock_nanosleep(which_clock, flags,
62504- (struct timespec __user *) &in,
62505- (struct timespec __user *) &out);
62506+ (struct timespec __force_user *) &in,
62507+ (struct timespec __force_user *) &out);
62508 set_fs(oldfs);
62509
62510 if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
62511diff -urNp linux-3.1.1/kernel/configs.c linux-3.1.1/kernel/configs.c
62512--- linux-3.1.1/kernel/configs.c 2011-11-11 15:19:27.000000000 -0500
62513+++ linux-3.1.1/kernel/configs.c 2011-11-16 18:40:44.000000000 -0500
62514@@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
62515 struct proc_dir_entry *entry;
62516
62517 /* create the current config file */
62518+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
62519+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
62520+ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
62521+ &ikconfig_file_ops);
62522+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
62523+ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
62524+ &ikconfig_file_ops);
62525+#endif
62526+#else
62527 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
62528 &ikconfig_file_ops);
62529+#endif
62530+
62531 if (!entry)
62532 return -ENOMEM;
62533
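Review bot: `entry` is left unassigned when `CONFIG_GRKERNSEC_PROC_ADD` is set without `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_PROC_USERGROUP` or `CONFIG_GRKERNSEC_HIDESYM`: the inner `#if`/`#elif` has no `#else`, so that configuration emits no `proc_create()` call at all and the `if (!entry)` test reads an uninitialized pointer. Kconfig presumably makes one of the two a mandatory choice under PROC_ADD, but that invariant is not visible here; adding `#else` / `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` before the inner `#endif` turns a silent miscompile into a build error. If HIDESYM is meant to override the group-readable mode when both are set, a short comment on the first branch would say so.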
62534diff -urNp linux-3.1.1/kernel/cred.c linux-3.1.1/kernel/cred.c
62535--- linux-3.1.1/kernel/cred.c 2011-11-11 15:19:27.000000000 -0500
62536+++ linux-3.1.1/kernel/cred.c 2011-11-16 18:40:44.000000000 -0500
62537@@ -158,6 +158,8 @@ static void put_cred_rcu(struct rcu_head
62538 */
62539 void __put_cred(struct cred *cred)
62540 {
62541+ pax_track_stack();
62542+
62543 kdebug("__put_cred(%p{%d,%d})", cred,
62544 atomic_read(&cred->usage),
62545 read_cred_subscribers(cred));
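Review bot: `pax_track_stack()` is inserted unconditionally at the top of every function in this file (this hunk and the cred.c hunks that follow, plus `futex_wait` and `futex_wait_requeue_pi` in kernel/futex.c) with no `CONFIG_` guard, so a no-op definition must exist for non-PaX builds, yet nothing says what the call does or why a one-line forwarder such as `set_security_override` needs it. A comment at the first use, hedged to whatever the macro really does, e.g. `/* stack-usage probe; expands to nothing unless PaX stack tracking is configured */`, would save the next reader a grep. If it is a stack-depth probe, instrumenting functions with no locals is noise that could be dropped.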
62546@@ -182,6 +184,8 @@ void exit_creds(struct task_struct *tsk)
62547 {
62548 struct cred *cred;
62549
62550+ pax_track_stack();
62551+
62552 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
62553 atomic_read(&tsk->cred->usage),
62554 read_cred_subscribers(tsk->cred));
62555@@ -220,6 +224,8 @@ const struct cred *get_task_cred(struct
62556 {
62557 const struct cred *cred;
62558
62559+ pax_track_stack();
62560+
62561 rcu_read_lock();
62562
62563 do {
62564@@ -239,6 +245,8 @@ struct cred *cred_alloc_blank(void)
62565 {
62566 struct cred *new;
62567
62568+ pax_track_stack();
62569+
62570 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
62571 if (!new)
62572 return NULL;
62573@@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
62574 const struct cred *old;
62575 struct cred *new;
62576
62577+ pax_track_stack();
62578+
62579 validate_process_creds();
62580
62581 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
62582@@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
62583 struct thread_group_cred *tgcred = NULL;
62584 struct cred *new;
62585
62586+ pax_track_stack();
62587+
62588 #ifdef CONFIG_KEYS
62589 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
62590 if (!tgcred)
62591@@ -385,6 +397,8 @@ int copy_creds(struct task_struct *p, un
62592 struct cred *new;
62593 int ret;
62594
62595+ pax_track_stack();
62596+
62597 if (
62598 #ifdef CONFIG_KEYS
62599 !p->cred->thread_keyring &&
62600@@ -475,6 +489,8 @@ int commit_creds(struct cred *new)
62601 struct task_struct *task = current;
62602 const struct cred *old = task->real_cred;
62603
62604+ pax_track_stack();
62605+
62606 kdebug("commit_creds(%p{%d,%d})", new,
62607 atomic_read(&new->usage),
62608 read_cred_subscribers(new));
62609@@ -489,6 +505,8 @@ int commit_creds(struct cred *new)
62610
62611 get_cred(new); /* we will require a ref for the subj creds too */
62612
62613+ gr_set_role_label(task, new->uid, new->gid);
62614+
62615 /* dumpability changes */
62616 if (old->euid != new->euid ||
62617 old->egid != new->egid ||
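Review bot: `gr_set_role_label(task, new->uid, new->gid)` runs before the `rcu_assign_pointer()` switch of `task->real_cred`/`task->cred` later in `commit_creds` (outside this hunk), so `task->cred` still points at the old credentials at this point; if the helper derives anything from the task's current creds rather than from the uid/gid it is handed, it sees the stale ones. The ordering is deliberate enough to deserve a comment, e.g. `/* role label comes from the new uid/gid; task->cred still holds the old creds here */`. There is no error return, so a failed role lookup cannot abort the commit — worth stating if that is by design.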
62618@@ -549,6 +567,8 @@ EXPORT_SYMBOL(commit_creds);
62619 */
62620 void abort_creds(struct cred *new)
62621 {
62622+ pax_track_stack();
62623+
62624 kdebug("abort_creds(%p{%d,%d})", new,
62625 atomic_read(&new->usage),
62626 read_cred_subscribers(new));
62627@@ -572,6 +592,8 @@ const struct cred *override_creds(const
62628 {
62629 const struct cred *old = current->cred;
62630
62631+ pax_track_stack();
62632+
62633 kdebug("override_creds(%p{%d,%d})", new,
62634 atomic_read(&new->usage),
62635 read_cred_subscribers(new));
62636@@ -601,6 +623,8 @@ void revert_creds(const struct cred *old
62637 {
62638 const struct cred *override = current->cred;
62639
62640+ pax_track_stack();
62641+
62642 kdebug("revert_creds(%p{%d,%d})", old,
62643 atomic_read(&old->usage),
62644 read_cred_subscribers(old));
62645@@ -647,6 +671,8 @@ struct cred *prepare_kernel_cred(struct
62646 const struct cred *old;
62647 struct cred *new;
62648
62649+ pax_track_stack();
62650+
62651 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
62652 if (!new)
62653 return NULL;
62654@@ -701,6 +727,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
62655 */
62656 int set_security_override(struct cred *new, u32 secid)
62657 {
62658+ pax_track_stack();
62659+
62660 return security_kernel_act_as(new, secid);
62661 }
62662 EXPORT_SYMBOL(set_security_override);
62663@@ -720,6 +748,8 @@ int set_security_override_from_ctx(struc
62664 u32 secid;
62665 int ret;
62666
62667+ pax_track_stack();
62668+
62669 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
62670 if (ret < 0)
62671 return ret;
62672diff -urNp linux-3.1.1/kernel/debug/debug_core.c linux-3.1.1/kernel/debug/debug_core.c
62673--- linux-3.1.1/kernel/debug/debug_core.c 2011-11-11 15:19:27.000000000 -0500
62674+++ linux-3.1.1/kernel/debug/debug_core.c 2011-11-16 18:39:08.000000000 -0500
62675@@ -119,7 +119,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_loc
62676 */
62677 static atomic_t masters_in_kgdb;
62678 static atomic_t slaves_in_kgdb;
62679-static atomic_t kgdb_break_tasklet_var;
62680+static atomic_unchecked_t kgdb_break_tasklet_var;
62681 atomic_t kgdb_setting_breakpoint;
62682
62683 struct task_struct *kgdb_usethread;
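Review bot: `kgdb_cpu_doing_single_step` is a non-static global whose type changes to `atomic_unchecked_t` here, but its `extern` declaration in the kgdb header and the arch kgdb code that does `atomic_set()` on it are outside this view; every such user must move to the `_unchecked` accessors in the same series or the build breaks. The `atomic_read_unchecked()` conversions in the `return_normal`, `kgdb_restore` and `kgdb_break_tasklet_var` hunks below are consistent with this. A comment at the definition explaining why these two counters are exempt from the overflow-checked atomics (one holds a CPU index, the other a 0/1 flag, so wraparound is not a refcount concern — hedged) would document the choice.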
62684@@ -129,7 +129,7 @@ int kgdb_single_step;
62685 static pid_t kgdb_sstep_pid;
62686
62687 /* to keep track of the CPU which is doing the single stepping*/
62688-atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
62689+atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
62690
62691 /*
62692 * If you are debugging a problem where roundup (the collection of
62693@@ -542,7 +542,7 @@ return_normal:
62694 * kernel will only try for the value of sstep_tries before
62695 * giving up and continuing on.
62696 */
62697- if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
62698+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
62699 (kgdb_info[cpu].task &&
62700 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
62701 atomic_set(&kgdb_active, -1);
62702@@ -636,8 +636,8 @@ cpu_master_loop:
62703 }
62704
62705 kgdb_restore:
62706- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
62707- int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
62708+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
62709+ int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
62710 if (kgdb_info[sstep_cpu].task)
62711 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
62712 else
62713@@ -834,18 +834,18 @@ static void kgdb_unregister_callbacks(vo
62714 static void kgdb_tasklet_bpt(unsigned long ing)
62715 {
62716 kgdb_breakpoint();
62717- atomic_set(&kgdb_break_tasklet_var, 0);
62718+ atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
62719 }
62720
62721 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
62722
62723 void kgdb_schedule_breakpoint(void)
62724 {
62725- if (atomic_read(&kgdb_break_tasklet_var) ||
62726+ if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
62727 atomic_read(&kgdb_active) != -1 ||
62728 atomic_read(&kgdb_setting_breakpoint))
62729 return;
62730- atomic_inc(&kgdb_break_tasklet_var);
62731+ atomic_inc_unchecked(&kgdb_break_tasklet_var);
62732 tasklet_schedule(&kgdb_tasklet_breakpoint);
62733 }
62734 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
62735diff -urNp linux-3.1.1/kernel/debug/kdb/kdb_main.c linux-3.1.1/kernel/debug/kdb/kdb_main.c
62736--- linux-3.1.1/kernel/debug/kdb/kdb_main.c 2011-11-11 15:19:27.000000000 -0500
62737+++ linux-3.1.1/kernel/debug/kdb/kdb_main.c 2011-11-16 18:39:08.000000000 -0500
62738@@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
62739 list_for_each_entry(mod, kdb_modules, list) {
62740
62741 kdb_printf("%-20s%8u 0x%p ", mod->name,
62742- mod->core_size, (void *)mod);
62743+ mod->core_size_rx + mod->core_size_rw, (void *)mod);
62744 #ifdef CONFIG_MODULE_UNLOAD
62745 kdb_printf("%4d ", module_refcount(mod));
62746 #endif
62747@@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
62748 kdb_printf(" (Loading)");
62749 else
62750 kdb_printf(" (Live)");
62751- kdb_printf(" 0x%p", mod->module_core);
62752+ kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
62753
62754 #ifdef CONFIG_MODULE_UNLOAD
62755 {
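Review bot: `kdb_lsmod` now prints two base addresses per module (`module_core_rx` and `module_core_rw`) and a combined `core_size_rx + core_size_rw`, but the column header printed before the loop lies outside both hunks and presumably still describes a single "Base Address" column; if it was not updated the output no longer lines up with its header. A comment on the format line, `/* rx (text) and rw (data) halves of the split module core */`, would also explain the two pointers to someone reading the kdb output.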
62756diff -urNp linux-3.1.1/kernel/events/core.c linux-3.1.1/kernel/events/core.c
62757--- linux-3.1.1/kernel/events/core.c 2011-11-11 15:19:27.000000000 -0500
62758+++ linux-3.1.1/kernel/events/core.c 2011-11-16 18:39:08.000000000 -0500
62759@@ -172,7 +172,7 @@ int perf_proc_update_handler(struct ctl_
62760 return 0;
62761 }
62762
62763-static atomic64_t perf_event_id;
62764+static atomic64_unchecked_t perf_event_id;
62765
62766 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
62767 enum event_type_t event_type);
62768@@ -2535,7 +2535,7 @@ static void __perf_event_read(void *info
62769
62770 static inline u64 perf_event_count(struct perf_event *event)
62771 {
62772- return local64_read(&event->count) + atomic64_read(&event->child_count);
62773+ return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
62774 }
62775
62776 static u64 perf_event_read(struct perf_event *event)
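Review bot: `event->child_count` is read with `atomic64_read_unchecked()` here, and `child_total_time_enabled`/`child_total_time_running` in the `perf_event_read_value`, `perf_event_update_userpage`, `perf_output_read_one` and `sync_child_event` hunks, which only compiles if those fields in `struct perf_event` (not in this view) were changed to `atomic64_unchecked_t` in the same series. The static `perf_event_id` counter is converted locally, so that part is self-contained. A comment at the first site noting that these are accumulated statistics, not reference counts, and that wraparound is tolerated would explain why they are excluded from overflow checking.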
62777@@ -3060,9 +3060,9 @@ u64 perf_event_read_value(struct perf_ev
62778 mutex_lock(&event->child_mutex);
62779 total += perf_event_read(event);
62780 *enabled += event->total_time_enabled +
62781- atomic64_read(&event->child_total_time_enabled);
62782+ atomic64_read_unchecked(&event->child_total_time_enabled);
62783 *running += event->total_time_running +
62784- atomic64_read(&event->child_total_time_running);
62785+ atomic64_read_unchecked(&event->child_total_time_running);
62786
62787 list_for_each_entry(child, &event->child_list, child_list) {
62788 total += perf_event_read(child);
62789@@ -3448,10 +3448,10 @@ void perf_event_update_userpage(struct p
62790 userpg->offset -= local64_read(&event->hw.prev_count);
62791
62792 userpg->time_enabled = enabled +
62793- atomic64_read(&event->child_total_time_enabled);
62794+ atomic64_read_unchecked(&event->child_total_time_enabled);
62795
62796 userpg->time_running = running +
62797- atomic64_read(&event->child_total_time_running);
62798+ atomic64_read_unchecked(&event->child_total_time_running);
62799
62800 barrier();
62801 ++userpg->lock;
62802@@ -3822,11 +3822,11 @@ static void perf_output_read_one(struct
62803 values[n++] = perf_event_count(event);
62804 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
62805 values[n++] = enabled +
62806- atomic64_read(&event->child_total_time_enabled);
62807+ atomic64_read_unchecked(&event->child_total_time_enabled);
62808 }
62809 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
62810 values[n++] = running +
62811- atomic64_read(&event->child_total_time_running);
62812+ atomic64_read_unchecked(&event->child_total_time_running);
62813 }
62814 if (read_format & PERF_FORMAT_ID)
62815 values[n++] = primary_event_id(event);
62816@@ -4477,12 +4477,12 @@ static void perf_event_mmap_event(struct
62817 * need to add enough zero bytes after the string to handle
62818 * the 64bit alignment we do later.
62819 */
62820- buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
62821+ buf = kzalloc(PATH_MAX, GFP_KERNEL);
62822 if (!buf) {
62823 name = strncpy(tmp, "//enomem", sizeof(tmp));
62824 goto got_name;
62825 }
62826- name = d_path(&file->f_path, buf, PATH_MAX);
62827+ name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
62828 if (IS_ERR(name)) {
62829 name = strncpy(tmp, "//toolong", sizeof(tmp));
62830 goto got_name;
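Review bot: The `d_path()` budget shrinks to `PATH_MAX - sizeof(u64)` while the allocation drops to `PATH_MAX`, so the eight zero bytes the comment above relies on are now carved out of the `PATH_MAX` allocation instead of being added after it; a path whose `d_path()` output needs between `PATH_MAX - 8` and `PATH_MAX` bytes now takes the `//toolong` branch where mainline would have reported it. The likely motive — keeping the buffer inside the `PATH_MAX` kmalloc size class rather than spilling into the next one — is not stated, and the existing "add enough zero bytes after the string" comment is now slightly misleading. Rewording it to `/* reserve sizeof(u64) of the PATH_MAX buffer for the zero padding the 64-bit alignment below needs, so the allocation stays in one size class */` (hedged on the motive) keeps code and comment in step.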
62831@@ -5833,7 +5833,7 @@ perf_event_alloc(struct perf_event_attr
62832 event->parent = parent_event;
62833
62834 event->ns = get_pid_ns(current->nsproxy->pid_ns);
62835- event->id = atomic64_inc_return(&perf_event_id);
62836+ event->id = atomic64_inc_return_unchecked(&perf_event_id);
62837
62838 event->state = PERF_EVENT_STATE_INACTIVE;
62839
62840@@ -6355,10 +6355,10 @@ static void sync_child_event(struct perf
62841 /*
62842 * Add back the child's count to the parent's count:
62843 */
62844- atomic64_add(child_val, &parent_event->child_count);
62845- atomic64_add(child_event->total_time_enabled,
62846+ atomic64_add_unchecked(child_val, &parent_event->child_count);
62847+ atomic64_add_unchecked(child_event->total_time_enabled,
62848 &parent_event->child_total_time_enabled);
62849- atomic64_add(child_event->total_time_running,
62850+ atomic64_add_unchecked(child_event->total_time_running,
62851 &parent_event->child_total_time_running);
62852
62853 /*
62854diff -urNp linux-3.1.1/kernel/exit.c linux-3.1.1/kernel/exit.c
62855--- linux-3.1.1/kernel/exit.c 2011-11-11 15:19:27.000000000 -0500
62856+++ linux-3.1.1/kernel/exit.c 2011-11-16 19:33:48.000000000 -0500
62857@@ -57,6 +57,10 @@
62858 #include <asm/pgtable.h>
62859 #include <asm/mmu_context.h>
62860
62861+#ifdef CONFIG_GRKERNSEC
62862+extern rwlock_t grsec_exec_file_lock;
62863+#endif
62864+
62865 static void exit_mm(struct task_struct * tsk);
62866
62867 static void __unhash_process(struct task_struct *p, bool group_dead)
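Review bot: `extern rwlock_t grsec_exec_file_lock;` is a file-local extern in exit.c rather than a declaration in a shared grsecurity header, so the definition and its users are not checked against one prototype and sparse will warn; the same lock is taken in `reparent_to_kthreadd` and `daemonize` below and presumably elsewhere. Moving the declaration next to the prototype of `gr_set_kernel_label()` keeps all users in sync.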
62868@@ -168,6 +172,10 @@ void release_task(struct task_struct * p
62869 struct task_struct *leader;
62870 int zap_leader;
62871 repeat:
62872+#ifdef CONFIG_NET
62873+ gr_del_task_from_ip_table(p);
62874+#endif
62875+
62876 /* don't need to get the RCU readlock here - the process is dead and
62877 * can't be modifying its own credentials. But shut RCU-lockdep up */
62878 rcu_read_lock();
62879@@ -324,11 +332,22 @@ static void reparent_to_kthreadd(void)
62880 {
62881 write_lock_irq(&tasklist_lock);
62882
62883+#ifdef CONFIG_GRKERNSEC
62884+ write_lock(&grsec_exec_file_lock);
62885+ if (current->exec_file) {
62886+ fput(current->exec_file);
62887+ current->exec_file = NULL;
62888+ }
62889+ write_unlock(&grsec_exec_file_lock);
62890+#endif
62891+
62892 ptrace_unlink(current);
62893 /* Reparent to init */
62894 current->real_parent = current->parent = kthreadd_task;
62895 list_move_tail(&current->sibling, &current->real_parent->children);
62896
62897+ gr_set_kernel_label(current);
62898+
62899 /* Set the exit signal to SIGCHLD so we signal init on exit */
62900 current->exit_signal = SIGCHLD;
62901
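Review bot: `fput(current->exec_file)` is called with `tasklist_lock` write-locked and interrupts disabled (the `write_lock_irq` just above) and with `grsec_exec_file_lock` held; if this is the last reference, `__fput()` runs the file's release path (`dput`/`mntput` and the filesystem `->release`), which may sleep — a sleep-in-atomic hazard. The reference can be detached under the small lock and dropped after both locks are released, assuming nothing relies on `tasklist_lock` to serialize `exec_file`; since the `daemonize` hunk below repeats the same block, a helper would also remove the duplication. `reparent_to_kthreadd` continues outside the hunk.
```c
static void gr_put_exec_file(struct task_struct *task)
{
	struct file *exec_file;

	write_lock(&grsec_exec_file_lock);
	exec_file = task->exec_file;
	task->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
	/* drop outside every spinlock: a final fput() may sleep in __fput() */
	if (exec_file)
		fput(exec_file);
}

/* … in reparent_to_kthreadd(), ahead of the tasklist_lock section … */
#ifdef CONFIG_GRKERNSEC
	gr_put_exec_file(current);
#endif
	write_lock_irq(&tasklist_lock);
	/* … unchanged: ptrace_unlink(), reparent to kthreadd, gr_set_kernel_label() … */
```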
62902@@ -380,7 +399,7 @@ int allow_signal(int sig)
62903 * know it'll be handled, so that they don't get converted to
62904 * SIGKILL or just silently dropped.
62905 */
62906- current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
62907+ current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
62908 recalc_sigpending();
62909 spin_unlock_irq(&current->sighand->siglock);
62910 return 0;
62911@@ -416,6 +435,17 @@ void daemonize(const char *name, ...)
62912 vsnprintf(current->comm, sizeof(current->comm), name, args);
62913 va_end(args);
62914
62915+#ifdef CONFIG_GRKERNSEC
62916+ write_lock(&grsec_exec_file_lock);
62917+ if (current->exec_file) {
62918+ fput(current->exec_file);
62919+ current->exec_file = NULL;
62920+ }
62921+ write_unlock(&grsec_exec_file_lock);
62922+#endif
62923+
62924+ gr_set_kernel_label(current);
62925+
62926 /*
62927 * If we were started as result of loading a module, close all of the
62928 * user space pages. We don't need them, and if we didn't close them
62929@@ -895,6 +925,8 @@ NORET_TYPE void do_exit(long code)
62930 struct task_struct *tsk = current;
62931 int group_dead;
62932
62933+ set_fs(USER_DS);
62934+
62935 profile_task_exit(tsk);
62936
62937 WARN_ON(blk_needs_flush_plug(tsk));
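Review bot: The early `set_fs(USER_DS)` at the top of `do_exit` carries no comment, while the comment that justifies it (`mm_release()->clear_child_tid() from writing to a user-controlled kernel address`, visible in the next hunk) is left above the spot the call was removed from, where it now describes nothing. Move the comment with the call, or leave a pointer, `/* set_fs(USER_DS) now happens at the top of do_exit(): see the comment there */`. Saying why it had to move ahead of `profile_task_exit()` — presumably so nothing on the exit path, the new grsec hooks included, runs with `KERNEL_DS` — would complete the picture. `do_exit` continues outside both hunks.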
62938@@ -911,7 +943,6 @@ NORET_TYPE void do_exit(long code)
62939 * mm_release()->clear_child_tid() from writing to a user-controlled
62940 * kernel address.
62941 */
62942- set_fs(USER_DS);
62943
62944 ptrace_event(PTRACE_EVENT_EXIT, code);
62945
62946@@ -973,6 +1004,9 @@ NORET_TYPE void do_exit(long code)
62947 tsk->exit_code = code;
62948 taskstats_exit(tsk, group_dead);
62949
62950+ gr_acl_handle_psacct(tsk, code);
62951+ gr_acl_handle_exit();
62952+
62953 exit_mm(tsk);
62954
62955 if (group_dead)
62956diff -urNp linux-3.1.1/kernel/fork.c linux-3.1.1/kernel/fork.c
62957--- linux-3.1.1/kernel/fork.c 2011-11-11 15:19:27.000000000 -0500
62958+++ linux-3.1.1/kernel/fork.c 2011-11-16 19:36:31.000000000 -0500
62959@@ -285,7 +285,7 @@ static struct task_struct *dup_task_stru
62960 *stackend = STACK_END_MAGIC; /* for overflow detection */
62961
62962 #ifdef CONFIG_CC_STACKPROTECTOR
62963- tsk->stack_canary = get_random_int();
62964+ tsk->stack_canary = pax_get_random_long();
62965 #endif
62966
62967 /*
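Review bot: `pax_get_random_long()` replaces `get_random_int()` for the stack canary without a comment; `stack_canary` is an `unsigned long`, and `get_random_int()` only filled the low 32 bits on 64-bit targets, which appears to be the motivation. A one-liner, `/* get_random_int() yields only 32 bits; fill the whole canary word */`, records that for anyone diffing against mainline.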
62968@@ -309,13 +309,77 @@ out:
62969 }
62970
62971 #ifdef CONFIG_MMU
62972+static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
62973+{
62974+ struct vm_area_struct *tmp;
62975+ unsigned long charge;
62976+ struct mempolicy *pol;
62977+ struct file *file;
62978+
62979+ charge = 0;
62980+ if (mpnt->vm_flags & VM_ACCOUNT) {
62981+ unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
62982+ if (security_vm_enough_memory(len))
62983+ goto fail_nomem;
62984+ charge = len;
62985+ }
62986+ tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
62987+ if (!tmp)
62988+ goto fail_nomem;
62989+ *tmp = *mpnt;
62990+ tmp->vm_mm = mm;
62991+ INIT_LIST_HEAD(&tmp->anon_vma_chain);
62992+ pol = mpol_dup(vma_policy(mpnt));
62993+ if (IS_ERR(pol))
62994+ goto fail_nomem_policy;
62995+ vma_set_policy(tmp, pol);
62996+ if (anon_vma_fork(tmp, mpnt))
62997+ goto fail_nomem_anon_vma_fork;
62998+ tmp->vm_flags &= ~VM_LOCKED;
62999+ tmp->vm_next = tmp->vm_prev = NULL;
63000+ tmp->vm_mirror = NULL;
63001+ file = tmp->vm_file;
63002+ if (file) {
63003+ struct inode *inode = file->f_path.dentry->d_inode;
63004+ struct address_space *mapping = file->f_mapping;
63005+
63006+ get_file(file);
63007+ if (tmp->vm_flags & VM_DENYWRITE)
63008+ atomic_dec(&inode->i_writecount);
63009+ mutex_lock(&mapping->i_mmap_mutex);
63010+ if (tmp->vm_flags & VM_SHARED)
63011+ mapping->i_mmap_writable++;
63012+ flush_dcache_mmap_lock(mapping);
63013+ /* insert tmp into the share list, just after mpnt */
63014+ vma_prio_tree_add(tmp, mpnt);
63015+ flush_dcache_mmap_unlock(mapping);
63016+ mutex_unlock(&mapping->i_mmap_mutex);
63017+ }
63018+
63019+ /*
63020+ * Clear hugetlb-related page reserves for children. This only
63021+ * affects MAP_PRIVATE mappings. Faults generated by the child
63022+ * are not guaranteed to succeed, even if read-only
63023+ */
63024+ if (is_vm_hugetlb_page(tmp))
63025+ reset_vma_resv_huge_pages(tmp);
63026+
63027+ return tmp;
63028+
63029+fail_nomem_anon_vma_fork:
63030+ mpol_put(pol);
63031+fail_nomem_policy:
63032+ kmem_cache_free(vm_area_cachep, tmp);
63033+fail_nomem:
63034+ vm_unacct_memory(charge);
63035+ return NULL;
63036+}
63037+
63038 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
63039 {
63040 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
63041 struct rb_node **rb_link, *rb_parent;
63042 int retval;
63043- unsigned long charge;
63044- struct mempolicy *pol;
63045
63046 down_write(&oldmm->mmap_sem);
63047 flush_cache_dup_mm(oldmm);
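Review bot: `dup_vma()` has no header comment, and its contract is not obvious from the body: it returns `NULL` for every failure (including an `mpol_dup()` error, whose `PTR_ERR` the old inline code stored in `retval` and then overwrote with `-ENOMEM` anyway), it performs the `VM_ACCOUNT` charge and releases it on failure, and it hands back a vma with `vm_next`/`vm_prev`/`vm_mirror` cleared that the caller must still link into `mm`. A comment such as `/* Duplicate mpnt into mm for fork. Returns an unlinked copy, or NULL on any failure (caller reports -ENOMEM); the VM_ACCOUNT charge is taken here and undone on failure. */` covers that. The `unsigned int len` page count is a pre-existing narrowing carried over unchanged.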
63048@@ -327,8 +391,8 @@ static int dup_mmap(struct mm_struct *mm
63049 mm->locked_vm = 0;
63050 mm->mmap = NULL;
63051 mm->mmap_cache = NULL;
63052- mm->free_area_cache = oldmm->mmap_base;
63053- mm->cached_hole_size = ~0UL;
63054+ mm->free_area_cache = oldmm->free_area_cache;
63055+ mm->cached_hole_size = oldmm->cached_hole_size;
63056 mm->map_count = 0;
63057 cpumask_clear(mm_cpumask(mm));
63058 mm->mm_rb = RB_ROOT;
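Review bot: Copying `free_area_cache` and `cached_hole_size` from `oldmm` instead of resetting them to `mmap_base`/`~0UL` changes what the child's first `get_unmapped_area()` sees, and nothing explains why the parent's hints are valid for the child; presumably the child's map is an exact copy, but the copy loop just below skips `VM_DONTCOPY` vmas, so the inherited hints can be stale — conservative (a missed hole), never wrong (a claimed hole that is occupied). A comment, `/* the child's map is a copy of the parent's, so its free-area hints stay valid; at worst conservative where VM_DONTCOPY vmas were dropped */`, documents the assumption. `dup_mmap` continues outside the hunk.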
63059@@ -344,8 +408,6 @@ static int dup_mmap(struct mm_struct *mm
63060
63061 prev = NULL;
63062 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
63063- struct file *file;
63064-
63065 if (mpnt->vm_flags & VM_DONTCOPY) {
63066 long pages = vma_pages(mpnt);
63067 mm->total_vm -= pages;
63068@@ -353,55 +415,13 @@ static int dup_mmap(struct mm_struct *mm
63069 -pages);
63070 continue;
63071 }
63072- charge = 0;
63073- if (mpnt->vm_flags & VM_ACCOUNT) {
63074- unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
63075- if (security_vm_enough_memory(len))
63076- goto fail_nomem;
63077- charge = len;
63078- }
63079- tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
63080- if (!tmp)
63081- goto fail_nomem;
63082- *tmp = *mpnt;
63083- INIT_LIST_HEAD(&tmp->anon_vma_chain);
63084- pol = mpol_dup(vma_policy(mpnt));
63085- retval = PTR_ERR(pol);
63086- if (IS_ERR(pol))
63087- goto fail_nomem_policy;
63088- vma_set_policy(tmp, pol);
63089- tmp->vm_mm = mm;
63090- if (anon_vma_fork(tmp, mpnt))
63091- goto fail_nomem_anon_vma_fork;
63092- tmp->vm_flags &= ~VM_LOCKED;
63093- tmp->vm_next = tmp->vm_prev = NULL;
63094- file = tmp->vm_file;
63095- if (file) {
63096- struct inode *inode = file->f_path.dentry->d_inode;
63097- struct address_space *mapping = file->f_mapping;
63098-
63099- get_file(file);
63100- if (tmp->vm_flags & VM_DENYWRITE)
63101- atomic_dec(&inode->i_writecount);
63102- mutex_lock(&mapping->i_mmap_mutex);
63103- if (tmp->vm_flags & VM_SHARED)
63104- mapping->i_mmap_writable++;
63105- flush_dcache_mmap_lock(mapping);
63106- /* insert tmp into the share list, just after mpnt */
63107- vma_prio_tree_add(tmp, mpnt);
63108- flush_dcache_mmap_unlock(mapping);
63109- mutex_unlock(&mapping->i_mmap_mutex);
63110+ tmp = dup_vma(mm, mpnt);
63111+ if (!tmp) {
63112+ retval = -ENOMEM;
63113+ goto out;
63114 }
63115
63116 /*
63117- * Clear hugetlb-related page reserves for children. This only
63118- * affects MAP_PRIVATE mappings. Faults generated by the child
63119- * are not guaranteed to succeed, even if read-only
63120- */
63121- if (is_vm_hugetlb_page(tmp))
63122- reset_vma_resv_huge_pages(tmp);
63123-
63124- /*
63125 * Link in the new vma and copy the page table entries.
63126 */
63127 *pprev = tmp;
63128@@ -422,6 +442,31 @@ static int dup_mmap(struct mm_struct *mm
63129 if (retval)
63130 goto out;
63131 }
63132+
63133+#ifdef CONFIG_PAX_SEGMEXEC
63134+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
63135+ struct vm_area_struct *mpnt_m;
63136+
63137+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
63138+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
63139+
63140+ if (!mpnt->vm_mirror)
63141+ continue;
63142+
63143+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
63144+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
63145+ mpnt->vm_mirror = mpnt_m;
63146+ } else {
63147+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
63148+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
63149+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
63150+ mpnt->vm_mirror->vm_mirror = mpnt;
63151+ }
63152+ }
63153+ BUG_ON(mpnt_m);
63154+ }
63155+#endif
63156+
63157 /* a new mm has just been created */
63158 arch_dup_mmap(oldmm, mm);
63159 retval = 0;
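Review bot: The mirror fix-up loop pairs `oldmm->mmap` and `mm->mmap` entry by entry, which assumes the copy loop above produced exactly one child vma per parent vma; if that loop skipped a `VM_DONTCOPY` vma (the `continue` earlier in `dup_mmap`), every pair after it is shifted by one, mirror pointers are assigned to the wrong vmas, and `BUG_ON(!mpnt_m ...)` fires when the shorter child list runs out. Unless `VM_DONTCOPY` is rejected for SEGMEXEC tasks elsewhere (not visible here), this loop needs to skip the same vmas, and either way the invariant deserves a comment: `/* relies on mm->mmap being a 1:1, in-order copy of oldmm->mmap */`. The trailing `BUG_ON(mpnt_m)` only catches a child list that is too long, not one that is too short.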
63160@@ -430,14 +475,6 @@ out:
63161 flush_tlb_mm(oldmm);
63162 up_write(&oldmm->mmap_sem);
63163 return retval;
63164-fail_nomem_anon_vma_fork:
63165- mpol_put(pol);
63166-fail_nomem_policy:
63167- kmem_cache_free(vm_area_cachep, tmp);
63168-fail_nomem:
63169- retval = -ENOMEM;
63170- vm_unacct_memory(charge);
63171- goto out;
63172 }
63173
63174 static inline int mm_alloc_pgd(struct mm_struct *mm)
63175@@ -837,13 +874,14 @@ static int copy_fs(unsigned long clone_f
63176 spin_unlock(&fs->lock);
63177 return -EAGAIN;
63178 }
63179- fs->users++;
63180+ atomic_inc(&fs->users);
63181 spin_unlock(&fs->lock);
63182 return 0;
63183 }
63184 tsk->fs = copy_fs_struct(fs);
63185 if (!tsk->fs)
63186 return -ENOMEM;
63187+ gr_set_chroot_entries(tsk, &tsk->fs->root);
63188 return 0;
63189 }
63190
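Review bot: `fs->users` becomes an `atomic_t` here (`atomic_inc`), in `unshare_fs` (`atomic_read`) and in the `unshare` syscall (`atomic_dec_return`), which requires the field in `struct fs_struct` and every other user outside this view to be converted in the same series. In `copy_fs` the increment is still taken under `fs->lock`, so the atomic type adds nothing at this site; the lockless `atomic_read(&fs->users) == 1` in `unshare_fs` is where it pays off, and the existing "don't need lock here" comment covers that. In the `unshare` hunk, `gr_set_chroot_entries(current, &current->fs->root)` reads `new_fs` while only the old `fs->lock` is held — fine if the new struct is still private to this task at that point, which a one-line comment could state.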
63191@@ -1105,6 +1143,9 @@ static struct task_struct *copy_process(
63192 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
63193 #endif
63194 retval = -EAGAIN;
63195+
63196+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
63197+
63198 if (atomic_read(&p->real_cred->user->processes) >=
63199 task_rlimit(p, RLIMIT_NPROC)) {
63200 if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
63201@@ -1264,6 +1305,8 @@ static struct task_struct *copy_process(
63202 if (clone_flags & CLONE_THREAD)
63203 p->tgid = current->tgid;
63204
63205+ gr_copy_label(p);
63206+
63207 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
63208 /*
63209 * Clear TID on mm_release()?
63210@@ -1428,6 +1471,8 @@ bad_fork_cleanup_count:
63211 bad_fork_free:
63212 free_task(p);
63213 fork_out:
63214+ gr_log_forkfail(retval);
63215+
63216 return ERR_PTR(retval);
63217 }
63218
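Review bot: `fork_out:` is reached for every failing `copy_process()` return, including `-ERESTARTNOINTR` when a signal is pending during fork, so `gr_log_forkfail(retval)` is also invoked for that benign, automatically retried case; if the helper does not filter on `retval` (its body is not visible here) it logs spurious fork failures. A comment stating what it filters, or an explicit `if (retval != -ERESTARTNOINTR)` guard, would make the intent clear. The label is also the target of the early `goto fork_out` paths, and `copy_process` ends two lines below.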
63219@@ -1528,6 +1573,8 @@ long do_fork(unsigned long clone_flags,
63220 if (clone_flags & CLONE_PARENT_SETTID)
63221 put_user(nr, parent_tidptr);
63222
63223+ gr_handle_brute_check();
63224+
63225 if (clone_flags & CLONE_VFORK) {
63226 p->vfork_done = &vfork;
63227 init_completion(&vfork);
63228@@ -1637,7 +1684,7 @@ static int unshare_fs(unsigned long unsh
63229 return 0;
63230
63231 /* don't need lock here; in the worst case we'll do useless copy */
63232- if (fs->users == 1)
63233+ if (atomic_read(&fs->users) == 1)
63234 return 0;
63235
63236 *new_fsp = copy_fs_struct(fs);
63237@@ -1726,7 +1773,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
63238 fs = current->fs;
63239 spin_lock(&fs->lock);
63240 current->fs = new_fs;
63241- if (--fs->users)
63242+ gr_set_chroot_entries(current, &current->fs->root);
63243+ if (atomic_dec_return(&fs->users))
63244 new_fs = NULL;
63245 else
63246 new_fs = fs;
63247diff -urNp linux-3.1.1/kernel/futex.c linux-3.1.1/kernel/futex.c
63248--- linux-3.1.1/kernel/futex.c 2011-11-11 15:19:27.000000000 -0500
63249+++ linux-3.1.1/kernel/futex.c 2011-11-16 18:40:44.000000000 -0500
63250@@ -54,6 +54,7 @@
63251 #include <linux/mount.h>
63252 #include <linux/pagemap.h>
63253 #include <linux/syscalls.h>
63254+#include <linux/ptrace.h>
63255 #include <linux/signal.h>
63256 #include <linux/module.h>
63257 #include <linux/magic.h>
63258@@ -238,6 +239,11 @@ get_futex_key(u32 __user *uaddr, int fsh
63259 struct page *page, *page_head;
63260 int err, ro = 0;
63261
63262+#ifdef CONFIG_PAX_SEGMEXEC
63263+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
63264+ return -EFAULT;
63265+#endif
63266+
63267 /*
63268 * The futex address must be "naturally" aligned.
63269 */
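Review bot: The `-EFAULT` rejection of `address >= SEGMEXEC_TASK_SIZE` under `MF_PAX_SEGMEXEC` has no comment explaining why that part of the address space must never become a futex key, and it uses `mm` and `address`, whose declarations sit earlier in `get_futex_key` outside the hunk. A comment such as `/* SEGMEXEC: addresses above SEGMEXEC_TASK_SIZE belong to the executable mirror and are not valid futex locations */` (hedged against how the mirror is actually laid out) would document it. `-EFAULT` is what the later page lookup would return for an unmapped address, which is presumably why that code was chosen over `-EINVAL`.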
63270@@ -1863,6 +1869,8 @@ static int futex_wait(u32 __user *uaddr,
63271 struct futex_q q = futex_q_init;
63272 int ret;
63273
63274+ pax_track_stack();
63275+
63276 if (!bitset)
63277 return -EINVAL;
63278 q.bitset = bitset;
63279@@ -2259,6 +2267,8 @@ static int futex_wait_requeue_pi(u32 __u
63280 struct futex_q q = futex_q_init;
63281 int res, ret;
63282
63283+ pax_track_stack();
63284+
63285 if (!bitset)
63286 return -EINVAL;
63287
63288@@ -2431,7 +2441,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
63289 {
63290 struct robust_list_head __user *head;
63291 unsigned long ret;
63292+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
63293 const struct cred *cred = current_cred(), *pcred;
63294+#endif
63295
63296 if (!futex_cmpxchg_enabled)
63297 return -ENOSYS;
63298@@ -2447,6 +2459,10 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
63299 if (!p)
63300 goto err_unlock;
63301 ret = -EPERM;
63302+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
63303+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
63304+ goto err_unlock;
63305+#else
63306 pcred = __task_cred(p);
63307 /* If victim is in different user_ns, then uids are not
63308 comparable, so we must have CAP_SYS_PTRACE */
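Review bot: The `CONFIG_GRKERNSEC_PROC_MEMMAP` branch replaces the euid/uid comparison with `ptrace_may_access(p, PTRACE_MODE_READ)` here and, verbatim, in `compat_sys_get_robust_list` in kernel/futex_compat.c; the two copies of the `#ifdef`/`#else` permission logic, together with the `#ifndef`-guarded `pcred` declarations, would be better factored into one helper shared by both entry points so they cannot drift. Under the `#else` path the `ok:` label and the user-namespace check are unchanged from mainline. A comment on why the ptrace check is tied to PROC_MEMMAP — presumably so the robust-list head is subject to the same policy as the task's `/proc/<pid>/maps` — would explain the coupling.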
63309@@ -2461,6 +2477,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
63310 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
63311 goto err_unlock;
63312 ok:
63313+#endif
63314 head = p->robust_list;
63315 rcu_read_unlock();
63316 }
63317@@ -2712,6 +2729,7 @@ static int __init futex_init(void)
63318 {
63319 u32 curval;
63320 int i;
63321+ mm_segment_t oldfs;
63322
63323 /*
63324 * This will fail and we want it. Some arch implementations do
63325@@ -2723,8 +2741,11 @@ static int __init futex_init(void)
63326 * implementation, the non-functional ones will return
63327 * -ENOSYS.
63328 */
63329+ oldfs = get_fs();
63330+ set_fs(USER_DS);
63331 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
63332 futex_cmpxchg_enabled = 1;
63333+ set_fs(oldfs);
63334
63335 for (i = 0; i < ARRAY_SIZE(futex_queues); i++) {
63336 plist_head_init(&futex_queues[i].chain);
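Review bot: The `set_fs(USER_DS)` around the `cmpxchg_futex_value_locked(&curval, NULL, 0, 0)` probe is unexplained, yet it changes what the probe exercises: the comment above says the access to address `NULL` is expected to fail, and under the initcall's default address limit (presumably `KERNEL_DS` in this series) the NULL access is no longer rejected the way a runtime user access would be. A comment, `/* probe under USER_DS so the NULL access is checked as a user pointer, as it will be at runtime */`, ties the two together. `futex_init` continues outside the hunk.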
63337diff -urNp linux-3.1.1/kernel/futex_compat.c linux-3.1.1/kernel/futex_compat.c
63338--- linux-3.1.1/kernel/futex_compat.c 2011-11-11 15:19:27.000000000 -0500
63339+++ linux-3.1.1/kernel/futex_compat.c 2011-11-16 18:40:44.000000000 -0500
63340@@ -10,6 +10,7 @@
63341 #include <linux/compat.h>
63342 #include <linux/nsproxy.h>
63343 #include <linux/futex.h>
63344+#include <linux/ptrace.h>
63345
63346 #include <asm/uaccess.h>
63347
63348@@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
63349 {
63350 struct compat_robust_list_head __user *head;
63351 unsigned long ret;
63352- const struct cred *cred = current_cred(), *pcred;
63353+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
63354+ const struct cred *cred = current_cred();
63355+ const struct cred *pcred;
63356+#endif
63357
63358 if (!futex_cmpxchg_enabled)
63359 return -ENOSYS;
63360@@ -152,6 +156,10 @@ compat_sys_get_robust_list(int pid, comp
63361 if (!p)
63362 goto err_unlock;
63363 ret = -EPERM;
63364+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
63365+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
63366+ goto err_unlock;
63367+#else
63368 pcred = __task_cred(p);
63369 /* If victim is in different user_ns, then uids are not
63370 comparable, so we must have CAP_SYS_PTRACE */
63371@@ -166,6 +174,7 @@ compat_sys_get_robust_list(int pid, comp
63372 !ns_capable(pcred->user->user_ns, CAP_SYS_PTRACE))
63373 goto err_unlock;
63374 ok:
63375+#endif
63376 head = p->compat_robust_list;
63377 rcu_read_unlock();
63378 }
63379diff -urNp linux-3.1.1/kernel/gcov/base.c linux-3.1.1/kernel/gcov/base.c
63380--- linux-3.1.1/kernel/gcov/base.c 2011-11-11 15:19:27.000000000 -0500
63381+++ linux-3.1.1/kernel/gcov/base.c 2011-11-16 18:39:08.000000000 -0500
63382@@ -102,11 +102,6 @@ void gcov_enable_events(void)
63383 }
63384
63385 #ifdef CONFIG_MODULES
63386-static inline int within(void *addr, void *start, unsigned long size)
63387-{
63388- return ((addr >= start) && (addr < start + size));
63389-}
63390-
63391 /* Update list and generate events when modules are unloaded. */
63392 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
63393 void *data)
63394@@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
63395 prev = NULL;
63396 /* Remove entries located in module from linked list. */
63397 for (info = gcov_info_head; info; info = info->next) {
63398- if (within(info, mod->module_core, mod->core_size)) {
63399+ if (within_module_core_rw((unsigned long)info, mod)) {
63400 if (prev)
63401 prev->next = info->next;
63402 else
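Review bot: within_module_core_rw() narrows the old within() test to the writable half of the module core, so the list entry is unlinked only if `info` landed there; should the toolchain ever place the gcov_info block in a read-only section it would live in the rx region, the entry would survive the unload and gcov_info_head would keep pointing at freed memory. The assumption is probably sound since the block is presumably runtime-updated data, but it is invisible at the call site; a comment such as `/* gcov_info is writable data and is therefore allocated in the rw core */`, or testing both halves of the core, would make it explicit. gcov_module_notifier's body continues outside the hunk.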
63403diff -urNp linux-3.1.1/kernel/hrtimer.c linux-3.1.1/kernel/hrtimer.c
63404--- linux-3.1.1/kernel/hrtimer.c 2011-11-11 15:19:27.000000000 -0500
63405+++ linux-3.1.1/kernel/hrtimer.c 2011-11-16 18:39:08.000000000 -0500
63406@@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
63407 local_irq_restore(flags);
63408 }
63409
63410-static void run_hrtimer_softirq(struct softirq_action *h)
63411+static void run_hrtimer_softirq(void)
63412 {
63413 hrtimer_peek_ahead_timers();
63414 }
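Review bot: Dropping the `struct softirq_action *` parameter changes run_hrtimer_softirq's type, so this only compiles if the action prototype accepted by open_softirq() was changed to `void (*)(void)` elsewhere in the patch; that change is not in this hunk and should be confirmed rather than assumed. The parameter was unused in the body, so behaviour is otherwise unchanged.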
63415diff -urNp linux-3.1.1/kernel/jump_label.c linux-3.1.1/kernel/jump_label.c
63416--- linux-3.1.1/kernel/jump_label.c 2011-11-11 15:19:27.000000000 -0500
63417+++ linux-3.1.1/kernel/jump_label.c 2011-11-16 18:39:08.000000000 -0500
63418@@ -55,7 +55,9 @@ jump_label_sort_entries(struct jump_entr
63419
63420 size = (((unsigned long)stop - (unsigned long)start)
63421 / sizeof(struct jump_entry));
63422+ pax_open_kernel();
63423 sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
63424+ pax_close_kernel();
63425 }
63426
63427 static void jump_label_update(struct jump_label_key *key, int enable);
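Review bot: The pax_open_kernel()/pax_close_kernel() pair brackets the whole sort() call, so the write-enable window also covers every jump_label_cmp() callback and sort()'s internal work rather than just the stores into the entry array; the same holds for the loop in jump_label_invalidate_module in the next hunk, where within_module_init() runs inside the window although only `iter->code = 0` needs it. If pax_open_kernel() is cheap enough, placing the pair around the single store keeps the window minimal; otherwise a comment such as `/* jump entries are presumably write-protected under KERNEXEC; kept open for the whole sort */` should say why the wide window is acceptable. jump_label_sort_entries begins before this hunk.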
63428@@ -297,10 +299,12 @@ static void jump_label_invalidate_module
63429 struct jump_entry *iter_stop = iter_start + mod->num_jump_entries;
63430 struct jump_entry *iter;
63431
63432+ pax_open_kernel();
63433 for (iter = iter_start; iter < iter_stop; iter++) {
63434 if (within_module_init(iter->code, mod))
63435 iter->code = 0;
63436 }
63437+ pax_close_kernel();
63438 }
63439
63440 static int
63441diff -urNp linux-3.1.1/kernel/kallsyms.c linux-3.1.1/kernel/kallsyms.c
63442--- linux-3.1.1/kernel/kallsyms.c 2011-11-11 15:19:27.000000000 -0500
63443+++ linux-3.1.1/kernel/kallsyms.c 2011-11-16 18:40:44.000000000 -0500
63444@@ -11,6 +11,9 @@
63445 * Changed the compression method from stem compression to "table lookup"
63446 * compression (see scripts/kallsyms.c for a more complete description)
63447 */
63448+#ifdef CONFIG_GRKERNSEC_HIDESYM
63449+#define __INCLUDED_BY_HIDESYM 1
63450+#endif
63451 #include <linux/kallsyms.h>
63452 #include <linux/module.h>
63453 #include <linux/init.h>
63454@@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
63455
63456 static inline int is_kernel_inittext(unsigned long addr)
63457 {
63458+ if (system_state != SYSTEM_BOOTING)
63459+ return 0;
63460+
63461 if (addr >= (unsigned long)_sinittext
63462 && addr <= (unsigned long)_einittext)
63463 return 1;
63464 return 0;
63465 }
63466
63467+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63468+#ifdef CONFIG_MODULES
63469+static inline int is_module_text(unsigned long addr)
63470+{
63471+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
63472+ return 1;
63473+
63474+ addr = ktla_ktva(addr);
63475+ return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
63476+}
63477+#else
63478+static inline int is_module_text(unsigned long addr)
63479+{
63480+ return 0;
63481+}
63482+#endif
63483+#endif
63484+
63485 static inline int is_kernel_text(unsigned long addr)
63486 {
63487 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
63488@@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
63489
63490 static inline int is_kernel(unsigned long addr)
63491 {
63492+
63493+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63494+ if (is_kernel_text(addr) || is_kernel_inittext(addr))
63495+ return 1;
63496+
63497+ if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
63498+#else
63499 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
63500+#endif
63501+
63502 return 1;
63503 return in_gate_area_no_mm(addr);
63504 }
63505
63506 static int is_ksym_addr(unsigned long addr)
63507 {
63508+
63509+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63510+ if (is_module_text(addr))
63511+ return 0;
63512+#endif
63513+
63514 if (all_var)
63515 return is_kernel(addr);
63516
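Review bot: In is_kernel the `#if`/`#else`/`#endif` splits one `if` statement so that the `return 1;` after the `#endif`, separated by a blank line, binds to whichever condition survives preprocessing; that is hard to read and easy to break on the next edit. Two complete `if (...) return 1;` statements, one per preprocessor arm, would make each configuration self-contained, and the same pattern is repeated at the sh_addr assignment in move_module in the kernel/module.c section further down. The blank line added before the `#if` in both is_kernel and is_ksym_addr does not match the surrounding style.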
63517@@ -454,7 +493,6 @@ static unsigned long get_ksymbol_core(st
63518
63519 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
63520 {
63521- iter->name[0] = '\0';
63522 iter->nameoff = get_symbol_offset(new_pos);
63523 iter->pos = new_pos;
63524 }
63525@@ -502,6 +540,11 @@ static int s_show(struct seq_file *m, vo
63526 {
63527 struct kallsym_iter *iter = m->private;
63528
63529+#ifdef CONFIG_GRKERNSEC_HIDESYM
63530+ if (current_uid())
63531+ return 0;
63532+#endif
63533+
63534 /* Some debugging symbols have no name. Ignore them. */
63535 if (!iter->name[0])
63536 return 0;
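Review bot: The CONFIG_GRKERNSEC_HIDESYM gate in s_show keys on `current_uid()`, i.e. on being uid 0, whereas the kernel's own pointer hiding (kptr_restrict) is capability based; `if (!capable(CAP_SYSLOG)) return 0;` would keep the two policies aligned and let suitably privileged non-root readers through. The test also runs once per symbol although it depends only on the caller, so deciding it once in kallsyms_open (the next hunk, which switches the iterator to kzalloc) would put the policy in one place. A comment, `/* unprivileged readers see an empty file rather than -EPERM */`, would record that the empty listing is intentional.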
63537@@ -540,7 +583,7 @@ static int kallsyms_open(struct inode *i
63538 struct kallsym_iter *iter;
63539 int ret;
63540
63541- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
63542+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
63543 if (!iter)
63544 return -ENOMEM;
63545 reset_iter(iter, 0);
63546diff -urNp linux-3.1.1/kernel/kexec.c linux-3.1.1/kernel/kexec.c
63547--- linux-3.1.1/kernel/kexec.c 2011-11-11 15:19:27.000000000 -0500
63548+++ linux-3.1.1/kernel/kexec.c 2011-11-16 18:39:08.000000000 -0500
63549@@ -1033,7 +1033,8 @@ asmlinkage long compat_sys_kexec_load(un
63550 unsigned long flags)
63551 {
63552 struct compat_kexec_segment in;
63553- struct kexec_segment out, __user *ksegments;
63554+ struct kexec_segment out;
63555+ struct kexec_segment __user *ksegments;
63556 unsigned long i, result;
63557
63558 /* Don't allow clients that don't understand the native
63559diff -urNp linux-3.1.1/kernel/kmod.c linux-3.1.1/kernel/kmod.c
63560--- linux-3.1.1/kernel/kmod.c 2011-11-11 15:19:27.000000000 -0500
63561+++ linux-3.1.1/kernel/kmod.c 2011-11-16 18:40:44.000000000 -0500
63562@@ -73,13 +73,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
63563 * If module auto-loading support is disabled then this function
63564 * becomes a no-operation.
63565 */
63566-int __request_module(bool wait, const char *fmt, ...)
63567+static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
63568 {
63569- va_list args;
63570 char module_name[MODULE_NAME_LEN];
63571 unsigned int max_modprobes;
63572 int ret;
63573- char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
63574+ char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
63575 static char *envp[] = { "HOME=/",
63576 "TERM=linux",
63577 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
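Review bot: The new parameter is named `module_param`, which is also the function-like macro from <linux/moduleparam.h>; it does not expand here because the identifier is never followed by `(`, but it shadows a well-known name and is confusing to read. A name such as `extra_arg` avoids the collision: `static int ____request_module(bool wait, char *extra_arg, const char *fmt, va_list ap)`. Since the pointer is only stored into argv, a short comment that `char *argv[]` forces the non-const type would also help. ____request_module's body continues in the following hunks.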
63578@@ -88,9 +87,7 @@ int __request_module(bool wait, const ch
63579 #define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
63580 static int kmod_loop_msg;
63581
63582- va_start(args, fmt);
63583- ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
63584- va_end(args);
63585+ ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
63586 if (ret >= MODULE_NAME_LEN)
63587 return -ENAMETOOLONG;
63588
63589@@ -98,6 +95,20 @@ int __request_module(bool wait, const ch
63590 if (ret)
63591 return ret;
63592
63593+#ifdef CONFIG_GRKERNSEC_MODHARDEN
63594+ if (!current_uid()) {
63595+ /* hack to workaround consolekit/udisks stupidity */
63596+ read_lock(&tasklist_lock);
63597+ if (!strcmp(current->comm, "mount") &&
63598+ current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
63599+ read_unlock(&tasklist_lock);
63600+ printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
63601+ return -EPERM;
63602+ }
63603+ read_unlock(&tasklist_lock);
63604+ }
63605+#endif
63606+
63607 /* If modprobe needs a service that is in a module, we get a recursive
63608 * loop. Limit the number of running kmod threads to max_threads/2 or
63609 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
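Review bot: The udisks workaround matches on `current->comm` and `current->real_parent->comm`, which a process can set for itself via prctl(PR_SET_NAME); a match only ever adds a denial, so spoofing cannot widen access, but a legitimate root `mount` whose parent happens to be named `udisk*` is refused with no way to opt out. Both comm fields are read without task_lock(), so a concurrent rename can be observed mid-update; copying with get_task_comm() into a local buffer, or comparing under task_lock(), would make the check race-free. The comment `/* hack to workaround consolekit/udisks stupidity */` should state what the workaround prevents so the heuristic can be retired once udisks no longer triggers it. ____request_module continues beyond this hunk.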
63610@@ -133,6 +144,47 @@ int __request_module(bool wait, const ch
63611 atomic_dec(&kmod_concurrent);
63612 return ret;
63613 }
63614+
63615+int ___request_module(bool wait, char *module_param, const char *fmt, ...)
63616+{
63617+ va_list args;
63618+ int ret;
63619+
63620+ va_start(args, fmt);
63621+ ret = ____request_module(wait, module_param, fmt, args);
63622+ va_end(args);
63623+
63624+ return ret;
63625+}
63626+
63627+int __request_module(bool wait, const char *fmt, ...)
63628+{
63629+ va_list args;
63630+ int ret;
63631+
63632+#ifdef CONFIG_GRKERNSEC_MODHARDEN
63633+ if (current_uid()) {
63634+ char module_param[MODULE_NAME_LEN];
63635+
63636+ memset(module_param, 0, sizeof(module_param));
63637+
63638+ snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
63639+
63640+ va_start(args, fmt);
63641+ ret = ____request_module(wait, module_param, fmt, args);
63642+ va_end(args);
63643+
63644+ return ret;
63645+ }
63646+#endif
63647+
63648+ va_start(args, fmt);
63649+ ret = ____request_module(wait, NULL, fmt, args);
63650+ va_end(args);
63651+
63652+ return ret;
63653+}
63654+
63655 EXPORT_SYMBOL(__request_module);
63656 #endif /* CONFIG_MODULES */
63657
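Review bot: The MODHARDEN path encodes the caller's uid into an extra modprobe argument, `grsec_modharden_normal<uid>_`, and relies on the check in load_module (kernel/module.c further down) finding that string in mod->args; the policy therefore depends on modprobe forwarding the argument unmodified, which deserves a comment above the snprintf, e.g. `/* marker is forwarded by modprobe as a module argument and rejected in load_module */`. The memset plus `sizeof(module_param) - 1` are redundant because snprintf() always NUL-terminates within the size it is given; `snprintf(module_param, sizeof(module_param), ...)` suffices. `___request_module` is non-static but has no kernel-doc; its contract (the extra argument appended to modprobe's argv) should be documented like __request_module's header comment above the first hunk.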
63658@@ -222,7 +274,7 @@ static int wait_for_helper(void *data)
63659 *
63660 * Thus the __user pointer cast is valid here.
63661 */
63662- sys_wait4(pid, (int __user *)&ret, 0, NULL);
63663+ sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
63664
63665 /*
63666 * If ret is 0, either ____call_usermodehelper failed and the
63667diff -urNp linux-3.1.1/kernel/kprobes.c linux-3.1.1/kernel/kprobes.c
63668--- linux-3.1.1/kernel/kprobes.c 2011-11-11 15:19:27.000000000 -0500
63669+++ linux-3.1.1/kernel/kprobes.c 2011-11-16 18:39:08.000000000 -0500
63670@@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
63671 * kernel image and loaded module images reside. This is required
63672 * so x86_64 can correctly handle the %rip-relative fixups.
63673 */
63674- kip->insns = module_alloc(PAGE_SIZE);
63675+ kip->insns = module_alloc_exec(PAGE_SIZE);
63676 if (!kip->insns) {
63677 kfree(kip);
63678 return NULL;
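Review bot: With module_alloc_exec() the slot page behind kip->insns is presumably mapped read-only/executable under KERNEXEC, yet the slot is filled and later reused by writes that are not in this hunk (the copy of the probed instruction into the slot and the clearing on release); those writers must open the kernel for writing or the copy will fault. Because the allocation and the writes live in different places, a comment at the allocation, `/* exec mapping: writes to kip->insns need pax_open_kernel() */`, would tie them together. __get_insn_slot's body extends outside the hunk.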
63679@@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
63680 */
63681 if (!list_is_singular(&kip->list)) {
63682 list_del(&kip->list);
63683- module_free(NULL, kip->insns);
63684+ module_free_exec(NULL, kip->insns);
63685 kfree(kip);
63686 }
63687 return 1;
63688@@ -1949,7 +1949,7 @@ static int __init init_kprobes(void)
63689 {
63690 int i, err = 0;
63691 unsigned long offset = 0, size = 0;
63692- char *modname, namebuf[128];
63693+ char *modname, namebuf[KSYM_NAME_LEN];
63694 const char *symbol_name;
63695 void *addr;
63696 struct kprobe_blackpoint *kb;
63697@@ -2075,7 +2075,7 @@ static int __kprobes show_kprobe_addr(st
63698 const char *sym = NULL;
63699 unsigned int i = *(loff_t *) v;
63700 unsigned long offset = 0;
63701- char *modname, namebuf[128];
63702+ char *modname, namebuf[KSYM_NAME_LEN];
63703
63704 head = &kprobe_table[i];
63705 preempt_disable();
63706diff -urNp linux-3.1.1/kernel/lockdep.c linux-3.1.1/kernel/lockdep.c
63707--- linux-3.1.1/kernel/lockdep.c 2011-11-11 15:19:27.000000000 -0500
63708+++ linux-3.1.1/kernel/lockdep.c 2011-11-16 18:39:08.000000000 -0500
63709@@ -583,6 +583,10 @@ static int static_obj(void *obj)
63710 end = (unsigned long) &_end,
63711 addr = (unsigned long) obj;
63712
63713+#ifdef CONFIG_PAX_KERNEXEC
63714+ start = ktla_ktva(start);
63715+#endif
63716+
63717 /*
63718 * static variable?
63719 */
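Review bot: Only `start` is passed through ktla_ktva() while `end` (taken from &_end two lines above) stays untranslated, so the "static variable?" range becomes [translated _stext, untranslated _end); this mirrors the is_kernel() change in the kallsyms.c section above, so it is probably intentional, but nothing in the code says so. A comment such as `/* KERNEXEC: only the text start needs translating; _end is data (see kallsyms.c is_kernel) */` would document the asymmetry. The rest of static_obj is outside the hunk.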
63720@@ -718,6 +722,7 @@ register_lock_class(struct lockdep_map *
63721 if (!static_obj(lock->key)) {
63722 debug_locks_off();
63723 printk("INFO: trying to register non-static key.\n");
63724+ printk("lock:%pS key:%pS.\n", lock, lock->key);
63725 printk("the code is fine but needs lockdep annotation.\n");
63726 printk("turning off the locking correctness validator.\n");
63727 dump_stack();
63728@@ -2948,7 +2953,7 @@ static int __lock_acquire(struct lockdep
63729 if (!class)
63730 return 0;
63731 }
63732- atomic_inc((atomic_t *)&class->ops);
63733+ atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
63734 if (very_verbose(class)) {
63735 printk("\nacquire class [%p] %s", class->key, class->name);
63736 if (class->name_version > 1)
63737diff -urNp linux-3.1.1/kernel/lockdep_proc.c linux-3.1.1/kernel/lockdep_proc.c
63738--- linux-3.1.1/kernel/lockdep_proc.c 2011-11-11 15:19:27.000000000 -0500
63739+++ linux-3.1.1/kernel/lockdep_proc.c 2011-11-16 18:39:08.000000000 -0500
63740@@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
63741
63742 static void print_name(struct seq_file *m, struct lock_class *class)
63743 {
63744- char str[128];
63745+ char str[KSYM_NAME_LEN];
63746 const char *name = class->name;
63747
63748 if (!name) {
63749diff -urNp linux-3.1.1/kernel/module.c linux-3.1.1/kernel/module.c
63750--- linux-3.1.1/kernel/module.c 2011-11-11 15:19:27.000000000 -0500
63751+++ linux-3.1.1/kernel/module.c 2011-11-16 18:40:44.000000000 -0500
63752@@ -58,6 +58,7 @@
63753 #include <linux/jump_label.h>
63754 #include <linux/pfn.h>
63755 #include <linux/bsearch.h>
63756+#include <linux/grsecurity.h>
63757
63758 #define CREATE_TRACE_POINTS
63759 #include <trace/events/module.h>
63760@@ -119,7 +120,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
63761
63762 /* Bounds of module allocation, for speeding __module_address.
63763 * Protected by module_mutex. */
63764-static unsigned long module_addr_min = -1UL, module_addr_max = 0;
63765+static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
63766+static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
63767
63768 int register_module_notifier(struct notifier_block * nb)
63769 {
63770@@ -284,7 +286,7 @@ bool each_symbol_section(bool (*fn)(cons
63771 return true;
63772
63773 list_for_each_entry_rcu(mod, &modules, list) {
63774- struct symsearch arr[] = {
63775+ struct symsearch modarr[] = {
63776 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
63777 NOT_GPL_ONLY, false },
63778 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
63779@@ -306,7 +308,7 @@ bool each_symbol_section(bool (*fn)(cons
63780 #endif
63781 };
63782
63783- if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
63784+ if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
63785 return true;
63786 }
63787 return false;
63788@@ -438,7 +440,7 @@ static inline void __percpu *mod_percpu(
63789 static int percpu_modalloc(struct module *mod,
63790 unsigned long size, unsigned long align)
63791 {
63792- if (align > PAGE_SIZE) {
63793+ if (align-1 >= PAGE_SIZE) {
63794 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
63795 mod->name, align, PAGE_SIZE);
63796 align = PAGE_SIZE;
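Review bot: `align-1 >= PAGE_SIZE` differs from the old `align > PAGE_SIZE` only for `align == 0`, where the unsigned subtraction wraps and the value is clamped to PAGE_SIZE; if catching a zero alignment is the intent, the warning that follows then prints `per-cpu alignment 0 > 4096`, which reads as nonsense. `if (align == 0 || align > PAGE_SIZE)` states the same condition without relying on wraparound, or a comment `/* align == 0 wraps and is treated as too large */` can record the trick. percpu_modalloc continues beyond the hunk.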
63797@@ -1183,7 +1185,7 @@ resolve_symbol_wait(struct module *mod,
63798 */
63799 #ifdef CONFIG_SYSFS
63800
63801-#ifdef CONFIG_KALLSYMS
63802+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63803 static inline bool sect_empty(const Elf_Shdr *sect)
63804 {
63805 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
63806@@ -1649,21 +1651,21 @@ static void set_section_ro_nx(void *base
63807
63808 static void unset_module_core_ro_nx(struct module *mod)
63809 {
63810- set_page_attributes(mod->module_core + mod->core_text_size,
63811- mod->module_core + mod->core_size,
63812+ set_page_attributes(mod->module_core_rw,
63813+ mod->module_core_rw + mod->core_size_rw,
63814 set_memory_x);
63815- set_page_attributes(mod->module_core,
63816- mod->module_core + mod->core_ro_size,
63817+ set_page_attributes(mod->module_core_rx,
63818+ mod->module_core_rx + mod->core_size_rx,
63819 set_memory_rw);
63820 }
63821
63822 static void unset_module_init_ro_nx(struct module *mod)
63823 {
63824- set_page_attributes(mod->module_init + mod->init_text_size,
63825- mod->module_init + mod->init_size,
63826+ set_page_attributes(mod->module_init_rw,
63827+ mod->module_init_rw + mod->init_size_rw,
63828 set_memory_x);
63829- set_page_attributes(mod->module_init,
63830- mod->module_init + mod->init_ro_size,
63831+ set_page_attributes(mod->module_init_rx,
63832+ mod->module_init_rx + mod->init_size_rx,
63833 set_memory_rw);
63834 }
63835
63836@@ -1674,14 +1676,14 @@ void set_all_modules_text_rw(void)
63837
63838 mutex_lock(&module_mutex);
63839 list_for_each_entry_rcu(mod, &modules, list) {
63840- if ((mod->module_core) && (mod->core_text_size)) {
63841- set_page_attributes(mod->module_core,
63842- mod->module_core + mod->core_text_size,
63843+ if ((mod->module_core_rx) && (mod->core_size_rx)) {
63844+ set_page_attributes(mod->module_core_rx,
63845+ mod->module_core_rx + mod->core_size_rx,
63846 set_memory_rw);
63847 }
63848- if ((mod->module_init) && (mod->init_text_size)) {
63849- set_page_attributes(mod->module_init,
63850- mod->module_init + mod->init_text_size,
63851+ if ((mod->module_init_rx) && (mod->init_size_rx)) {
63852+ set_page_attributes(mod->module_init_rx,
63853+ mod->module_init_rx + mod->init_size_rx,
63854 set_memory_rw);
63855 }
63856 }
63857@@ -1695,14 +1697,14 @@ void set_all_modules_text_ro(void)
63858
63859 mutex_lock(&module_mutex);
63860 list_for_each_entry_rcu(mod, &modules, list) {
63861- if ((mod->module_core) && (mod->core_text_size)) {
63862- set_page_attributes(mod->module_core,
63863- mod->module_core + mod->core_text_size,
63864+ if ((mod->module_core_rx) && (mod->core_size_rx)) {
63865+ set_page_attributes(mod->module_core_rx,
63866+ mod->module_core_rx + mod->core_size_rx,
63867 set_memory_ro);
63868 }
63869- if ((mod->module_init) && (mod->init_text_size)) {
63870- set_page_attributes(mod->module_init,
63871- mod->module_init + mod->init_text_size,
63872+ if ((mod->module_init_rx) && (mod->init_size_rx)) {
63873+ set_page_attributes(mod->module_init_rx,
63874+ mod->module_init_rx + mod->init_size_rx,
63875 set_memory_ro);
63876 }
63877 }
63878@@ -1748,16 +1750,19 @@ static void free_module(struct module *m
63879
63880 /* This may be NULL, but that's OK */
63881 unset_module_init_ro_nx(mod);
63882- module_free(mod, mod->module_init);
63883+ module_free(mod, mod->module_init_rw);
63884+ module_free_exec(mod, mod->module_init_rx);
63885 kfree(mod->args);
63886 percpu_modfree(mod);
63887
63888 /* Free lock-classes: */
63889- lockdep_free_key_range(mod->module_core, mod->core_size);
63890+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
63891+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
63892
63893 /* Finally, free the core (containing the module structure) */
63894 unset_module_core_ro_nx(mod);
63895- module_free(mod, mod->module_core);
63896+ module_free_exec(mod, mod->module_core_rx);
63897+ module_free(mod, mod->module_core_rw);
63898
63899 #ifdef CONFIG_MPU
63900 update_protections(current->mm);
63901@@ -1826,10 +1831,31 @@ static int simplify_symbols(struct modul
63902 unsigned int i;
63903 int ret = 0;
63904 const struct kernel_symbol *ksym;
63905+#ifdef CONFIG_GRKERNSEC_MODHARDEN
63906+ int is_fs_load = 0;
63907+ int register_filesystem_found = 0;
63908+ char *p;
63909+
63910+ p = strstr(mod->args, "grsec_modharden_fs");
63911+ if (p) {
63912+ char *endptr = p + strlen("grsec_modharden_fs");
63913+ /* copy \0 as well */
63914+ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
63915+ is_fs_load = 1;
63916+ }
63917+#endif
63918
63919 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
63920 const char *name = info->strtab + sym[i].st_name;
63921
63922+#ifdef CONFIG_GRKERNSEC_MODHARDEN
63923+ /* it's a real shame this will never get ripped and copied
63924+ upstream! ;(
63925+ */
63926+ if (is_fs_load && !strcmp(name, "register_filesystem"))
63927+ register_filesystem_found = 1;
63928+#endif
63929+
63930 switch (sym[i].st_shndx) {
63931 case SHN_COMMON:
63932 /* We compiled with -fno-common. These are not
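Review bot: The fs-module check is a name match on `register_filesystem` among the module's symbols, so it only confirms that the module references that function, not that it is a filesystem driver, and the `grsec_modharden_fs` marker is stripped from mod->args by the memmove() regardless of the outcome; both facts belong in the comment in place of `it's a real shame this will never get ripped and copied upstream`. The denial in the next hunk sets `ret = -EPERM` after the loop, overwriting any error the loop already stored in `ret` (the loop's `break` leaves the switch, not the loop); `if (is_fs_load && !register_filesystem_found && !ret)` keeps the first error. strstr() on mod->args assumes the arguments were already copied in, which the load_module hunk further down now does before simplify_symbols. simplify_symbols starts before this hunk.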
63933@@ -1850,7 +1876,9 @@ static int simplify_symbols(struct modul
63934 ksym = resolve_symbol_wait(mod, info, name);
63935 /* Ok if resolved. */
63936 if (ksym && !IS_ERR(ksym)) {
63937+ pax_open_kernel();
63938 sym[i].st_value = ksym->value;
63939+ pax_close_kernel();
63940 break;
63941 }
63942
63943@@ -1869,11 +1897,20 @@ static int simplify_symbols(struct modul
63944 secbase = (unsigned long)mod_percpu(mod);
63945 else
63946 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
63947+ pax_open_kernel();
63948 sym[i].st_value += secbase;
63949+ pax_close_kernel();
63950 break;
63951 }
63952 }
63953
63954+#ifdef CONFIG_GRKERNSEC_MODHARDEN
63955+ if (is_fs_load && !register_filesystem_found) {
63956+ printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
63957+ ret = -EPERM;
63958+ }
63959+#endif
63960+
63961 return ret;
63962 }
63963
63964@@ -1977,22 +2014,12 @@ static void layout_sections(struct modul
63965 || s->sh_entsize != ~0UL
63966 || strstarts(sname, ".init"))
63967 continue;
63968- s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
63969+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
63970+ s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
63971+ else
63972+ s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
63973 DEBUGP("\t%s\n", name);
63974 }
63975- switch (m) {
63976- case 0: /* executable */
63977- mod->core_size = debug_align(mod->core_size);
63978- mod->core_text_size = mod->core_size;
63979- break;
63980- case 1: /* RO: text and ro-data */
63981- mod->core_size = debug_align(mod->core_size);
63982- mod->core_ro_size = mod->core_size;
63983- break;
63984- case 3: /* whole core */
63985- mod->core_size = debug_align(mod->core_size);
63986- break;
63987- }
63988 }
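Review bot: Deleting the `switch (m)` drops the debug_align() rounding the old code applied after each pass, so `core_size_rx`/`core_size_rw` (and `init_size_rx`/`init_size_rw` in the next hunk) are no longer padded between mask classes; with rx and rw as separate allocations that padding is no longer needed, but the change in alignment guarantees is worth a comment since set_memory_ro callers elsewhere used to rely on it. The added `|| !(s->sh_flags & SHF_ALLOC)` is dead here if the masks[] table above the hunk still requires SHF_ALLOC in every row, and the same clause is repeated in the init pass and twice in move_module; dropping it, or a comment explaining the third case it guards, avoids suggesting that non-ALLOC sections reach this point. layout_sections spans several hunks.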
63989
63990 DEBUGP("Init section allocation order:\n");
63991@@ -2006,23 +2033,13 @@ static void layout_sections(struct modul
63992 || s->sh_entsize != ~0UL
63993 || !strstarts(sname, ".init"))
63994 continue;
63995- s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
63996- | INIT_OFFSET_MASK);
63997+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
63998+ s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
63999+ else
64000+ s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
64001+ s->sh_entsize |= INIT_OFFSET_MASK;
64002 DEBUGP("\t%s\n", sname);
64003 }
64004- switch (m) {
64005- case 0: /* executable */
64006- mod->init_size = debug_align(mod->init_size);
64007- mod->init_text_size = mod->init_size;
64008- break;
64009- case 1: /* RO: text and ro-data */
64010- mod->init_size = debug_align(mod->init_size);
64011- mod->init_ro_size = mod->init_size;
64012- break;
64013- case 3: /* whole init */
64014- mod->init_size = debug_align(mod->init_size);
64015- break;
64016- }
64017 }
64018 }
64019
64020@@ -2187,7 +2204,7 @@ static void layout_symtab(struct module
64021
64022 /* Put symbol section at end of init part of module. */
64023 symsect->sh_flags |= SHF_ALLOC;
64024- symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
64025+ symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
64026 info->index.sym) | INIT_OFFSET_MASK;
64027 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
64028
64029@@ -2204,19 +2221,19 @@ static void layout_symtab(struct module
64030 }
64031
64032 /* Append room for core symbols at end of core part. */
64033- info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
64034- mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
64035+ info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
64036+ mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
64037
64038 /* Put string table section at end of init part of module. */
64039 strsect->sh_flags |= SHF_ALLOC;
64040- strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
64041+ strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
64042 info->index.str) | INIT_OFFSET_MASK;
64043 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
64044
64045 /* Append room for core symbols' strings at end of core part. */
64046- info->stroffs = mod->core_size;
64047+ info->stroffs = mod->core_size_rx;
64048 __set_bit(0, info->strmap);
64049- mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
64050+ mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
64051 }
64052
64053 static void add_kallsyms(struct module *mod, const struct load_info *info)
64054@@ -2232,11 +2249,13 @@ static void add_kallsyms(struct module *
64055 /* Make sure we get permanent strtab: don't use info->strtab. */
64056 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
64057
64058+ pax_open_kernel();
64059+
64060 /* Set types up while we still have access to sections. */
64061 for (i = 0; i < mod->num_symtab; i++)
64062 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
64063
64064- mod->core_symtab = dst = mod->module_core + info->symoffs;
64065+ mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
64066 src = mod->symtab;
64067 *dst = *src;
64068 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
64069@@ -2249,10 +2268,12 @@ static void add_kallsyms(struct module *
64070 }
64071 mod->core_num_syms = ndst;
64072
64073- mod->core_strtab = s = mod->module_core + info->stroffs;
64074+ mod->core_strtab = s = mod->module_core_rx + info->stroffs;
64075 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
64076 if (test_bit(i, info->strmap))
64077 *++s = mod->strtab[i];
64078+
64079+ pax_close_kernel();
64080 }
64081 #else
64082 static inline void layout_symtab(struct module *mod, struct load_info *info)
64083@@ -2286,17 +2307,33 @@ void * __weak module_alloc(unsigned long
64084 return size == 0 ? NULL : vmalloc_exec(size);
64085 }
64086
64087-static void *module_alloc_update_bounds(unsigned long size)
64088+static void *module_alloc_update_bounds_rw(unsigned long size)
64089 {
64090 void *ret = module_alloc(size);
64091
64092 if (ret) {
64093 mutex_lock(&module_mutex);
64094 /* Update module bounds. */
64095- if ((unsigned long)ret < module_addr_min)
64096- module_addr_min = (unsigned long)ret;
64097- if ((unsigned long)ret + size > module_addr_max)
64098- module_addr_max = (unsigned long)ret + size;
64099+ if ((unsigned long)ret < module_addr_min_rw)
64100+ module_addr_min_rw = (unsigned long)ret;
64101+ if ((unsigned long)ret + size > module_addr_max_rw)
64102+ module_addr_max_rw = (unsigned long)ret + size;
64103+ mutex_unlock(&module_mutex);
64104+ }
64105+ return ret;
64106+}
64107+
64108+static void *module_alloc_update_bounds_rx(unsigned long size)
64109+{
64110+ void *ret = module_alloc_exec(size);
64111+
64112+ if (ret) {
64113+ mutex_lock(&module_mutex);
64114+ /* Update module bounds. */
64115+ if ((unsigned long)ret < module_addr_min_rx)
64116+ module_addr_min_rx = (unsigned long)ret;
64117+ if ((unsigned long)ret + size > module_addr_max_rx)
64118+ module_addr_max_rx = (unsigned long)ret + size;
64119 mutex_unlock(&module_mutex);
64120 }
64121 return ret;
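Review bot: module_alloc_update_bounds_rw and module_alloc_update_bounds_rx are the same lines with the allocator and the two bound variables swapped, so the bounds-update logic now has two copies to keep in sync. A single static helper taking the allocated pointer and the min/max pair removes the duplication and keeps the module_mutex scope identical in both. The closing lines of the rx variant are shared with the old function's tail.

```c
/* Record [ret, ret + size) in the given module bounds under module_mutex. */
static void update_module_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	if (!ret)
		return;
	mutex_lock(&module_mutex);
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
	mutex_unlock(&module_mutex);
}

static void *module_alloc_update_bounds_rw(unsigned long size)
{
	void *ret = module_alloc(size);

	update_module_bounds(ret, size, &module_addr_min_rw, &module_addr_max_rw);
	return ret;
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);

	update_module_bounds(ret, size, &module_addr_min_rx, &module_addr_max_rx);
	return ret;
}
```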
64122@@ -2589,7 +2626,7 @@ static int move_module(struct module *mo
64123 void *ptr;
64124
64125 /* Do the allocs. */
64126- ptr = module_alloc_update_bounds(mod->core_size);
64127+ ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
64128 /*
64129 * The pointer to this block is stored in the module structure
64130 * which is inside the block. Just mark it as not being a
64131@@ -2599,23 +2636,50 @@ static int move_module(struct module *mo
64132 if (!ptr)
64133 return -ENOMEM;
64134
64135- memset(ptr, 0, mod->core_size);
64136- mod->module_core = ptr;
64137+ memset(ptr, 0, mod->core_size_rw);
64138+ mod->module_core_rw = ptr;
64139
64140- ptr = module_alloc_update_bounds(mod->init_size);
64141+ ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
64142 /*
64143 * The pointer to this block is stored in the module structure
64144 * which is inside the block. This block doesn't need to be
64145 * scanned as it contains data and code that will be freed
64146 * after the module is initialized.
64147 */
64148- kmemleak_ignore(ptr);
64149- if (!ptr && mod->init_size) {
64150- module_free(mod, mod->module_core);
64151+ kmemleak_not_leak(ptr);
64152+ if (!ptr && mod->init_size_rw) {
64153+ module_free(mod, mod->module_core_rw);
64154 return -ENOMEM;
64155 }
64156- memset(ptr, 0, mod->init_size);
64157- mod->module_init = ptr;
64158+ memset(ptr, 0, mod->init_size_rw);
64159+ mod->module_init_rw = ptr;
64160+
64161+ ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
64162+ kmemleak_not_leak(ptr);
64163+ if (!ptr) {
64164+ module_free(mod, mod->module_init_rw);
64165+ module_free(mod, mod->module_core_rw);
64166+ return -ENOMEM;
64167+ }
64168+
64169+ pax_open_kernel();
64170+ memset(ptr, 0, mod->core_size_rx);
64171+ pax_close_kernel();
64172+ mod->module_core_rx = ptr;
64173+
64174+ ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
64175+ kmemleak_not_leak(ptr);
64176+ if (!ptr && mod->init_size_rx) {
64177+ module_free_exec(mod, mod->module_core_rx);
64178+ module_free(mod, mod->module_init_rw);
64179+ module_free(mod, mod->module_core_rw);
64180+ return -ENOMEM;
64181+ }
64182+
64183+ pax_open_kernel();
64184+ memset(ptr, 0, mod->init_size_rx);
64185+ pax_close_kernel();
64186+ mod->module_init_rx = ptr;
64187
64188 /* Transfer each section which specifies SHF_ALLOC */
64189 DEBUGP("final section addresses:\n");
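Review bot: The call under the comment saying the init block `doesn't need to be scanned` is changed from kmemleak_ignore() to kmemleak_not_leak(), and the two differ: kmemleak_not_leak() only suppresses the leak report while the block is still scanned for pointers, whereas kmemleak_ignore() also stops the scan. If scanning is now wanted, because the block may hold pointers into the new rx allocations, the comment above should be updated to say so; otherwise kmemleak_ignore() should stay. The two rx allocations below use kmemleak_not_leak() with no annotation at all, so whichever choice is made should be explained once there. The failure paths release the earlier allocations in reverse order, which looks right.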
64190@@ -2626,16 +2690,45 @@ static int move_module(struct module *mo
64191 if (!(shdr->sh_flags & SHF_ALLOC))
64192 continue;
64193
64194- if (shdr->sh_entsize & INIT_OFFSET_MASK)
64195- dest = mod->module_init
64196- + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
64197- else
64198- dest = mod->module_core + shdr->sh_entsize;
64199+ if (shdr->sh_entsize & INIT_OFFSET_MASK) {
64200+ if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
64201+ dest = mod->module_init_rw
64202+ + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
64203+ else
64204+ dest = mod->module_init_rx
64205+ + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
64206+ } else {
64207+ if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
64208+ dest = mod->module_core_rw + shdr->sh_entsize;
64209+ else
64210+ dest = mod->module_core_rx + shdr->sh_entsize;
64211+ }
64212+
64213+ if (shdr->sh_type != SHT_NOBITS) {
64214+
64215+#ifdef CONFIG_PAX_KERNEXEC
64216+#ifdef CONFIG_X86_64
64217+ if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
64218+ set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
64219+#endif
64220+ if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
64221+ pax_open_kernel();
64222+ memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
64223+ pax_close_kernel();
64224+ } else
64225+#endif
64226
64227- if (shdr->sh_type != SHT_NOBITS)
64228 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
64229+ }
64230 /* Update sh_addr to point to copy in image. */
64231- shdr->sh_addr = (unsigned long)dest;
64232+
64233+#ifdef CONFIG_PAX_KERNEXEC
64234+ if (shdr->sh_flags & SHF_EXECINSTR)
64235+ shdr->sh_addr = ktva_ktla((unsigned long)dest);
64236+ else
64237+#endif
64238+
64239+ shdr->sh_addr = (unsigned long)dest;
64240 DEBUGP("\t0x%lx %s\n",
64241 shdr->sh_addr, info->secstrings + shdr->sh_name);
64242 }
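Review bot: The page count passed to set_memory_x(), `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT`, ignores the offset of `dest` inside its first page: set_memory_x() rounds the address down, so a section that starts late in a page and spills into the next can be one page short (a 2-byte section at page offset PAGE_SIZE-1 yields a count of 1), while page-aligned sizes get one page too many. `PFN_UP((unsigned long)dest + shdr->sh_size) - PFN_DOWN((unsigned long)dest)` covers exactly the pages the section touches. This branch also deliberately leaves a writable section executable, the W+X case the rest of the patch works to eliminate, so a comment should name which modules need it. The dangling `else` reaching across `#endif` to the plain memcpy, and the similar one at the sh_addr assignment, would be clearer with a complete statement inside each preprocessor arm. move_module continues past this hunk.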
64243@@ -2686,12 +2779,12 @@ static void flush_module_icache(const st
64244 * Do it before processing of module parameters, so the module
64245 * can provide parameter accessor functions of its own.
64246 */
64247- if (mod->module_init)
64248- flush_icache_range((unsigned long)mod->module_init,
64249- (unsigned long)mod->module_init
64250- + mod->init_size);
64251- flush_icache_range((unsigned long)mod->module_core,
64252- (unsigned long)mod->module_core + mod->core_size);
64253+ if (mod->module_init_rx)
64254+ flush_icache_range((unsigned long)mod->module_init_rx,
64255+ (unsigned long)mod->module_init_rx
64256+ + mod->init_size_rx);
64257+ flush_icache_range((unsigned long)mod->module_core_rx,
64258+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
64259
64260 set_fs(old_fs);
64261 }
64262@@ -2771,8 +2864,10 @@ static void module_deallocate(struct mod
64263 {
64264 kfree(info->strmap);
64265 percpu_modfree(mod);
64266- module_free(mod, mod->module_init);
64267- module_free(mod, mod->module_core);
64268+ module_free_exec(mod, mod->module_init_rx);
64269+ module_free_exec(mod, mod->module_core_rx);
64270+ module_free(mod, mod->module_init_rw);
64271+ module_free(mod, mod->module_core_rw);
64272 }
64273
64274 int __weak module_finalize(const Elf_Ehdr *hdr,
64275@@ -2836,9 +2931,38 @@ static struct module *load_module(void _
64276 if (err)
64277 goto free_unload;
64278
64279+ /* Now copy in args */
64280+ mod->args = strndup_user(uargs, ~0UL >> 1);
64281+ if (IS_ERR(mod->args)) {
64282+ err = PTR_ERR(mod->args);
64283+ goto free_unload;
64284+ }
64285+
64286 /* Set up MODINFO_ATTR fields */
64287 setup_modinfo(mod, &info);
64288
64289+#ifdef CONFIG_GRKERNSEC_MODHARDEN
64290+ {
64291+ char *p, *p2;
64292+
64293+ if (strstr(mod->args, "grsec_modharden_netdev")) {
64294+ printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
64295+ err = -EPERM;
64296+ goto free_modinfo;
64297+ } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
64298+ p += strlen("grsec_modharden_normal");
64299+ p2 = strstr(p, "_");
64300+ if (p2) {
64301+ *p2 = '\0';
64302+ printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
64303+ *p2 = '_';
64304+ }
64305+ err = -EPERM;
64306+ goto free_modinfo;
64307+ }
64308+ }
64309+#endif
64310+
64311 /* Fix up syms, so that st_value is a pointer to location. */
64312 err = simplify_symbols(mod, &info);
64313 if (err < 0)
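Review bot: The KERN_ALERT message in the `grsec_modharden_netdev` branch has no trailing newline, so the next printk (including the `%.9s` uid line a few lines below on a later attempt) will be glued onto it; end it with `instead.\n", mod->name);`. The `p2 = strstr(p, "_")` search for a single character is more conventionally `p2 = strchr(p, '_');`, which also avoids the temporary `*p2 = '\0'`/`*p2 = '_'` dance if the uid is printed with a computed width, e.g. `printk(KERN_ALERT "... by uid %.*s\n", (int)min_t(size_t, p2 - p, 9), p)`. Both markers are matched with strstr against user-supplied `uargs`, so a caller holding CAP_SYS_MODULE can only deny its own load this way; a one-line comment saying the markers are appended by the kernel's auto-load path (not visible in this hunk) would make that intent clear. load_module continues outside the hunk.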
64314@@ -2854,13 +2978,6 @@ static struct module *load_module(void _
64315
64316 flush_module_icache(mod);
64317
64318- /* Now copy in args */
64319- mod->args = strndup_user(uargs, ~0UL >> 1);
64320- if (IS_ERR(mod->args)) {
64321- err = PTR_ERR(mod->args);
64322- goto free_arch_cleanup;
64323- }
64324-
64325 /* Mark state as coming so strong_try_module_get() ignores us. */
64326 mod->state = MODULE_STATE_COMING;
64327
64328@@ -2920,11 +3037,10 @@ static struct module *load_module(void _
64329 unlock:
64330 mutex_unlock(&module_mutex);
64331 synchronize_sched();
64332- kfree(mod->args);
64333- free_arch_cleanup:
64334 module_arch_cleanup(mod);
64335 free_modinfo:
64336 free_modinfo(mod);
64337+ kfree(mod->args);
64338 free_unload:
64339 module_unload_free(mod);
64340 free_module:
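Review bot: The `kfree(mod->args)` moved under the `free_modinfo:` label is only correct because the single failure of `strndup_user()` jumps to `free_unload`, which skips this label while `mod->args` still holds an ERR_PTR. Nothing at the label records that invariant, and `mod` itself is copied out of the ELF image, so a later `goto free_modinfo` placed before the strndup call would kfree an attacker-chosen pointer. Add a comment above the kfree such as `/* mod->args is only valid past strndup_user() in load_module(); its failure path must keep jumping to free_unload */`. The error-unwind ladder starts before this hunk.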
64341@@ -2965,16 +3081,16 @@ SYSCALL_DEFINE3(init_module, void __user
64342 MODULE_STATE_COMING, mod);
64343
64344 /* Set RO and NX regions for core */
64345- set_section_ro_nx(mod->module_core,
64346- mod->core_text_size,
64347- mod->core_ro_size,
64348- mod->core_size);
64349+ set_section_ro_nx(mod->module_core_rx,
64350+ mod->core_size_rx,
64351+ mod->core_size_rx,
64352+ mod->core_size_rx);
64353
64354 /* Set RO and NX regions for init */
64355- set_section_ro_nx(mod->module_init,
64356- mod->init_text_size,
64357- mod->init_ro_size,
64358- mod->init_size);
64359+ set_section_ro_nx(mod->module_init_rx,
64360+ mod->init_size_rx,
64361+ mod->init_size_rx,
64362+ mod->init_size_rx);
64363
64364 do_mod_ctors(mod);
64365 /* Start the module */
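Review bot: Passing `core_size_rx` as all three of text, ro and total size means the NX half of set_section_ro_nx() covers an empty range (as of the 3.1 implementation it only applies NX to `[base+text_size, base+total_size)`, which is not visible here), and no call is made for `module_core_rw`/`module_init_rw` at all. Unless the non-exec allocator behind `module_free()` already returns NX mappings on every KERNEXEC-capable architecture, the data/bss region loses the explicit NX marking the original `core_ro_size`→`core_size` call gave it. Either add `set_section_ro_nx(mod->module_core_rw, 0, 0, mod->core_size_rw);` (and the init_rw equivalent) or document why the rw region is non-executable by construction. SYSCALL_DEFINE3(init_module) continues outside the hunk.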
64366@@ -3020,11 +3136,12 @@ SYSCALL_DEFINE3(init_module, void __user
64367 mod->strtab = mod->core_strtab;
64368 #endif
64369 unset_module_init_ro_nx(mod);
64370- module_free(mod, mod->module_init);
64371- mod->module_init = NULL;
64372- mod->init_size = 0;
64373- mod->init_ro_size = 0;
64374- mod->init_text_size = 0;
64375+ module_free(mod, mod->module_init_rw);
64376+ module_free_exec(mod, mod->module_init_rx);
64377+ mod->module_init_rw = NULL;
64378+ mod->module_init_rx = NULL;
64379+ mod->init_size_rw = 0;
64380+ mod->init_size_rx = 0;
64381 mutex_unlock(&module_mutex);
64382
64383 return 0;
64384@@ -3055,10 +3172,16 @@ static const char *get_ksymbol(struct mo
64385 unsigned long nextval;
64386
64387 /* At worse, next value is at end of module */
64388- if (within_module_init(addr, mod))
64389- nextval = (unsigned long)mod->module_init+mod->init_text_size;
64390+ if (within_module_init_rx(addr, mod))
64391+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
64392+ else if (within_module_init_rw(addr, mod))
64393+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
64394+ else if (within_module_core_rx(addr, mod))
64395+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
64396+ else if (within_module_core_rw(addr, mod))
64397+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
64398 else
64399- nextval = (unsigned long)mod->module_core+mod->core_text_size;
64400+ return NULL;
64401
64402 /* Scan for closest preceding symbol, and next symbol. (ELF
64403 starts real symbols at 1). */
64404@@ -3304,7 +3427,7 @@ static int m_show(struct seq_file *m, vo
64405 char buf[8];
64406
64407 seq_printf(m, "%s %u",
64408- mod->name, mod->init_size + mod->core_size);
64409+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
64410 print_unload_info(m, mod);
64411
64412 /* Informative for users. */
64413@@ -3313,7 +3436,7 @@ static int m_show(struct seq_file *m, vo
64414 mod->state == MODULE_STATE_COMING ? "Loading":
64415 "Live");
64416 /* Used by oprofile and other similar tools. */
64417- seq_printf(m, " 0x%pK", mod->module_core);
64418+ seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
64419
64420 /* Taints info */
64421 if (mod->taints)
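Review bot: Emitting a second `0x%pK` column changes the /proc/modules line format that the comment above explicitly says oprofile and similar tools parse, so any parser that takes the sixth whitespace-separated field as the load address now sees two addresses. If compatibility is wanted, keep the original single column and expose the rw base elsewhere (e.g. a sysfs attribute); if the format change is intended, say so in a comment such as `/* grsecurity: two bases, text (rx) then data (rw); differs from upstream */` and in the patch description. m_show continues outside the hunk.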
64422@@ -3349,7 +3472,17 @@ static const struct file_operations proc
64423
64424 static int __init proc_modules_init(void)
64425 {
64426+#ifndef CONFIG_GRKERNSEC_HIDESYM
64427+#ifdef CONFIG_GRKERNSEC_PROC_USER
64428+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
64429+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64430+ proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
64431+#else
64432 proc_create("modules", 0, NULL, &proc_modules_operations);
64433+#endif
64434+#else
64435+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
64436+#endif
64437 return 0;
64438 }
64439 module_init(proc_modules_init);
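Review bot: The nested `#ifndef`/`#ifdef` ladder in proc_modules_init() repeats the `S_IRUSR` branch twice (HIDESYM and PROC_USER both produce it), which makes the four-way choice harder to read than it needs to be. A flat `#if defined(...) || defined(...)` / `#elif` / `#else` chain expresses the same three outcomes once each and makes it obvious that HIDESYM takes precedence over PROC_USERGROUP. The mode `0` in the fallback still means "library default", so that line is unchanged.

```c
static int __init proc_modules_init(void)
{
#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)
	proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
#else
	proc_create("modules", 0, NULL, &proc_modules_operations);
#endif
	return 0;
}
```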
64440@@ -3408,12 +3541,12 @@ struct module *__module_address(unsigned
64441 {
64442 struct module *mod;
64443
64444- if (addr < module_addr_min || addr > module_addr_max)
64445+ if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
64446+ (addr < module_addr_min_rw || addr > module_addr_max_rw))
64447 return NULL;
64448
64449 list_for_each_entry_rcu(mod, &modules, list)
64450- if (within_module_core(addr, mod)
64451- || within_module_init(addr, mod))
64452+ if (within_module_init(addr, mod) || within_module_core(addr, mod))
64453 return mod;
64454 return NULL;
64455 }
64456@@ -3447,11 +3580,20 @@ bool is_module_text_address(unsigned lon
64457 */
64458 struct module *__module_text_address(unsigned long addr)
64459 {
64460- struct module *mod = __module_address(addr);
64461+ struct module *mod;
64462+
64463+#ifdef CONFIG_X86_32
64464+ addr = ktla_ktva(addr);
64465+#endif
64466+
64467+ if (addr < module_addr_min_rx || addr > module_addr_max_rx)
64468+ return NULL;
64469+
64470+ mod = __module_address(addr);
64471+
64472 if (mod) {
64473 /* Make sure it's within the text section. */
64474- if (!within(addr, mod->module_init, mod->init_text_size)
64475- && !within(addr, mod->module_core, mod->core_text_size))
64476+ if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
64477 mod = NULL;
64478 }
64479 return mod;
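Review bot: The `addr = ktla_ktva(addr)` conversion in __module_text_address() is guarded by `CONFIG_X86_32` alone, whereas the matching `ktva_ktla()` applied to `sh_addr` in the section-copy hunk earlier in this file is guarded by `CONFIG_PAX_KERNEXEC` with no architecture test; the two guards should agree or the asymmetry should be explained. If `ktla_ktva()` is an identity macro whenever KERNEXEC is off or the arch is not x86-32 (its definition is not in this patch excerpt), a comment such as `/* KERNEXEC on x86-32 relocates module text; map the linear address back to the rx mapping before the range check */` would stop readers from hunting for the missing x86-64 case. The early `module_addr_min_rx`/`module_addr_max_rx` test duplicates the one inside __module_address(), which is fine as a fast path but worth a word.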
64480diff -urNp linux-3.1.1/kernel/mutex.c linux-3.1.1/kernel/mutex.c
64481--- linux-3.1.1/kernel/mutex.c 2011-11-11 15:19:27.000000000 -0500
64482+++ linux-3.1.1/kernel/mutex.c 2011-11-16 18:39:08.000000000 -0500
64483@@ -198,7 +198,7 @@ __mutex_lock_common(struct mutex *lock,
64484 spin_lock_mutex(&lock->wait_lock, flags);
64485
64486 debug_mutex_lock_common(lock, &waiter);
64487- debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
64488+ debug_mutex_add_waiter(lock, &waiter, task);
64489
64490 /* add waiting tasks to the end of the waitqueue (FIFO): */
64491 list_add_tail(&waiter.list, &lock->wait_list);
64492@@ -227,8 +227,7 @@ __mutex_lock_common(struct mutex *lock,
64493 * TASK_UNINTERRUPTIBLE case.)
64494 */
64495 if (unlikely(signal_pending_state(state, task))) {
64496- mutex_remove_waiter(lock, &waiter,
64497- task_thread_info(task));
64498+ mutex_remove_waiter(lock, &waiter, task);
64499 mutex_release(&lock->dep_map, 1, ip);
64500 spin_unlock_mutex(&lock->wait_lock, flags);
64501
64502@@ -249,7 +248,7 @@ __mutex_lock_common(struct mutex *lock,
64503 done:
64504 lock_acquired(&lock->dep_map, ip);
64505 /* got the lock - rejoice! */
64506- mutex_remove_waiter(lock, &waiter, current_thread_info());
64507+ mutex_remove_waiter(lock, &waiter, task);
64508 mutex_set_owner(lock);
64509
64510 /* set it to 0 if there are no waiters left: */
64511diff -urNp linux-3.1.1/kernel/mutex-debug.c linux-3.1.1/kernel/mutex-debug.c
64512--- linux-3.1.1/kernel/mutex-debug.c 2011-11-11 15:19:27.000000000 -0500
64513+++ linux-3.1.1/kernel/mutex-debug.c 2011-11-16 18:39:08.000000000 -0500
64514@@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
64515 }
64516
64517 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64518- struct thread_info *ti)
64519+ struct task_struct *task)
64520 {
64521 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
64522
64523 /* Mark the current thread as blocked on the lock: */
64524- ti->task->blocked_on = waiter;
64525+ task->blocked_on = waiter;
64526 }
64527
64528 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64529- struct thread_info *ti)
64530+ struct task_struct *task)
64531 {
64532 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
64533- DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
64534- DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
64535- ti->task->blocked_on = NULL;
64536+ DEBUG_LOCKS_WARN_ON(waiter->task != task);
64537+ DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
64538+ task->blocked_on = NULL;
64539
64540 list_del_init(&waiter->list);
64541 waiter->task = NULL;
64542diff -urNp linux-3.1.1/kernel/mutex-debug.h linux-3.1.1/kernel/mutex-debug.h
64543--- linux-3.1.1/kernel/mutex-debug.h 2011-11-11 15:19:27.000000000 -0500
64544+++ linux-3.1.1/kernel/mutex-debug.h 2011-11-16 18:39:08.000000000 -0500
64545@@ -20,9 +20,9 @@ extern void debug_mutex_wake_waiter(stru
64546 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
64547 extern void debug_mutex_add_waiter(struct mutex *lock,
64548 struct mutex_waiter *waiter,
64549- struct thread_info *ti);
64550+ struct task_struct *task);
64551 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64552- struct thread_info *ti);
64553+ struct task_struct *task);
64554 extern void debug_mutex_unlock(struct mutex *lock);
64555 extern void debug_mutex_init(struct mutex *lock, const char *name,
64556 struct lock_class_key *key);
64557diff -urNp linux-3.1.1/kernel/padata.c linux-3.1.1/kernel/padata.c
64558--- linux-3.1.1/kernel/padata.c 2011-11-11 15:19:27.000000000 -0500
64559+++ linux-3.1.1/kernel/padata.c 2011-11-16 18:39:08.000000000 -0500
64560@@ -132,10 +132,10 @@ int padata_do_parallel(struct padata_ins
64561 padata->pd = pd;
64562 padata->cb_cpu = cb_cpu;
64563
64564- if (unlikely(atomic_read(&pd->seq_nr) == pd->max_seq_nr))
64565- atomic_set(&pd->seq_nr, -1);
64566+ if (unlikely(atomic_read_unchecked(&pd->seq_nr) == pd->max_seq_nr))
64567+ atomic_set_unchecked(&pd->seq_nr, -1);
64568
64569- padata->seq_nr = atomic_inc_return(&pd->seq_nr);
64570+ padata->seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
64571
64572 target_cpu = padata_cpu_hash(padata);
64573 queue = per_cpu_ptr(pd->pqueue, target_cpu);
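Review bot: Switching `pd->seq_nr` to the `_unchecked` atomic variants silently opts this counter out of REFCOUNT overflow detection, and nothing in the hunk records why that is safe. The visible reset `atomic_set_unchecked(&pd->seq_nr, -1)` when the counter reaches `pd->max_seq_nr` shows it is a wrapping sequence number rather than a reference count, which is exactly the justification readers need; add it, e.g. `/* seq_nr is a wrapping sequence counter, not a refcount: exempt from REFCOUNT overflow checks */` next to the first use. The same note belongs on the field's declaration in padata.h, which is outside this excerpt.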
64574@@ -444,7 +444,7 @@ static struct parallel_data *padata_allo
64575 padata_init_pqueues(pd);
64576 padata_init_squeues(pd);
64577 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
64578- atomic_set(&pd->seq_nr, -1);
64579+ atomic_set_unchecked(&pd->seq_nr, -1);
64580 atomic_set(&pd->reorder_objects, 0);
64581 atomic_set(&pd->refcnt, 0);
64582 pd->pinst = pinst;
64583diff -urNp linux-3.1.1/kernel/panic.c linux-3.1.1/kernel/panic.c
64584--- linux-3.1.1/kernel/panic.c 2011-11-11 15:19:27.000000000 -0500
64585+++ linux-3.1.1/kernel/panic.c 2011-11-16 18:40:44.000000000 -0500
64586@@ -371,7 +371,7 @@ static void warn_slowpath_common(const c
64587 const char *board;
64588
64589 printk(KERN_WARNING "------------[ cut here ]------------\n");
64590- printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
64591+ printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
64592 board = dmi_get_system_info(DMI_PRODUCT_NAME);
64593 if (board)
64594 printk(KERN_WARNING "Hardware name: %s\n", board);
64595@@ -426,7 +426,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
64596 */
64597 void __stack_chk_fail(void)
64598 {
64599- panic("stack-protector: Kernel stack is corrupted in: %p\n",
64600+ dump_stack();
64601+ panic("stack-protector: Kernel stack is corrupted in: %pA\n",
64602 __builtin_return_address(0));
64603 }
64604 EXPORT_SYMBOL(__stack_chk_fail);
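Review bot: Calling `dump_stack()` before `panic()` in __stack_chk_fail() unwinds from a frame the canary check has just proven corrupt, so the trace may be garbage or fault again before the panic message is printed; at minimum that trade-off deserves a comment. With CONFIG_DEBUG_BUGVERBOSE, panic() in this kernel series already calls dump_stack() itself (not visible in this hunk), so on such builds the backtrace is printed twice. Consider dropping the explicit call, or guard it with `#ifndef CONFIG_DEBUG_BUGVERBOSE` and a note like `/* panic() only dumps the stack with DEBUG_BUGVERBOSE; do it here so the corrupt frame is always visible */`.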
64605diff -urNp linux-3.1.1/kernel/pid.c linux-3.1.1/kernel/pid.c
64606--- linux-3.1.1/kernel/pid.c 2011-11-11 15:19:27.000000000 -0500
64607+++ linux-3.1.1/kernel/pid.c 2011-11-16 18:40:44.000000000 -0500
64608@@ -33,6 +33,7 @@
64609 #include <linux/rculist.h>
64610 #include <linux/bootmem.h>
64611 #include <linux/hash.h>
64612+#include <linux/security.h>
64613 #include <linux/pid_namespace.h>
64614 #include <linux/init_task.h>
64615 #include <linux/syscalls.h>
64616@@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
64617
64618 int pid_max = PID_MAX_DEFAULT;
64619
64620-#define RESERVED_PIDS 300
64621+#define RESERVED_PIDS 500
64622
64623 int pid_max_min = RESERVED_PIDS + 1;
64624 int pid_max_max = PID_MAX_LIMIT;
64625@@ -418,8 +419,15 @@ EXPORT_SYMBOL(pid_task);
64626 */
64627 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
64628 {
64629+ struct task_struct *task;
64630+
64631 rcu_lockdep_assert(rcu_read_lock_held());
64632- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
64633+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
64634+
64635+ if (gr_pid_is_chrooted(task))
64636+ return NULL;
64637+
64638+ return task;
64639 }
64640
64641 struct task_struct *find_task_by_vpid(pid_t vnr)
64642@@ -427,6 +435,12 @@ struct task_struct *find_task_by_vpid(pi
64643 return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
64644 }
64645
64646+struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
64647+{
64648+ rcu_lockdep_assert(rcu_read_lock_held());
64649+ return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
64650+}
64651+
64652 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
64653 {
64654 struct pid *pid;
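Review bot: `gr_pid_is_chrooted(task)` is now called with the raw result of `pid_task()`, which returns NULL when no task has that pid, so the hook must tolerate a NULL argument; its definition is not in this excerpt, and a local guard is cheap, `if (task && gr_pid_is_chrooted(task)) return NULL;`. The new find_task_by_vpid_unrestricted() duplicates the body of find_task_by_pid_ns() minus the hook, so a comment stating who is allowed to use the unrestricted variant and why (it bypasses the chroot visibility check) would keep it from being picked up as a convenience helper. The `rcu_lockdep_assert` contract is preserved in both.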
64655diff -urNp linux-3.1.1/kernel/posix-cpu-timers.c linux-3.1.1/kernel/posix-cpu-timers.c
64656--- linux-3.1.1/kernel/posix-cpu-timers.c 2011-11-11 15:19:27.000000000 -0500
64657+++ linux-3.1.1/kernel/posix-cpu-timers.c 2011-11-16 18:40:44.000000000 -0500
64658@@ -6,6 +6,7 @@
64659 #include <linux/posix-timers.h>
64660 #include <linux/errno.h>
64661 #include <linux/math64.h>
64662+#include <linux/security.h>
64663 #include <asm/uaccess.h>
64664 #include <linux/kernel_stat.h>
64665 #include <trace/events/timer.h>
64666@@ -1606,14 +1607,14 @@ struct k_clock clock_posix_cpu = {
64667
64668 static __init int init_posix_cpu_timers(void)
64669 {
64670- struct k_clock process = {
64671+ static struct k_clock process = {
64672 .clock_getres = process_cpu_clock_getres,
64673 .clock_get = process_cpu_clock_get,
64674 .timer_create = process_cpu_timer_create,
64675 .nsleep = process_cpu_nsleep,
64676 .nsleep_restart = process_cpu_nsleep_restart,
64677 };
64678- struct k_clock thread = {
64679+ static struct k_clock thread = {
64680 .clock_getres = thread_cpu_clock_getres,
64681 .clock_get = thread_cpu_clock_get,
64682 .timer_create = thread_cpu_timer_create,
64683diff -urNp linux-3.1.1/kernel/posix-timers.c linux-3.1.1/kernel/posix-timers.c
64684--- linux-3.1.1/kernel/posix-timers.c 2011-11-11 15:19:27.000000000 -0500
64685+++ linux-3.1.1/kernel/posix-timers.c 2011-11-16 18:40:44.000000000 -0500
64686@@ -43,6 +43,7 @@
64687 #include <linux/idr.h>
64688 #include <linux/posix-clock.h>
64689 #include <linux/posix-timers.h>
64690+#include <linux/grsecurity.h>
64691 #include <linux/syscalls.h>
64692 #include <linux/wait.h>
64693 #include <linux/workqueue.h>
64694@@ -129,7 +130,7 @@ static DEFINE_SPINLOCK(idr_lock);
64695 * which we beg off on and pass to do_sys_settimeofday().
64696 */
64697
64698-static struct k_clock posix_clocks[MAX_CLOCKS];
64699+static struct k_clock *posix_clocks[MAX_CLOCKS];
64700
64701 /*
64702 * These ones are defined below.
64703@@ -227,7 +228,7 @@ static int posix_get_boottime(const cloc
64704 */
64705 static __init int init_posix_timers(void)
64706 {
64707- struct k_clock clock_realtime = {
64708+ static struct k_clock clock_realtime = {
64709 .clock_getres = hrtimer_get_res,
64710 .clock_get = posix_clock_realtime_get,
64711 .clock_set = posix_clock_realtime_set,
64712@@ -239,7 +240,7 @@ static __init int init_posix_timers(void
64713 .timer_get = common_timer_get,
64714 .timer_del = common_timer_del,
64715 };
64716- struct k_clock clock_monotonic = {
64717+ static struct k_clock clock_monotonic = {
64718 .clock_getres = hrtimer_get_res,
64719 .clock_get = posix_ktime_get_ts,
64720 .nsleep = common_nsleep,
64721@@ -249,19 +250,19 @@ static __init int init_posix_timers(void
64722 .timer_get = common_timer_get,
64723 .timer_del = common_timer_del,
64724 };
64725- struct k_clock clock_monotonic_raw = {
64726+ static struct k_clock clock_monotonic_raw = {
64727 .clock_getres = hrtimer_get_res,
64728 .clock_get = posix_get_monotonic_raw,
64729 };
64730- struct k_clock clock_realtime_coarse = {
64731+ static struct k_clock clock_realtime_coarse = {
64732 .clock_getres = posix_get_coarse_res,
64733 .clock_get = posix_get_realtime_coarse,
64734 };
64735- struct k_clock clock_monotonic_coarse = {
64736+ static struct k_clock clock_monotonic_coarse = {
64737 .clock_getres = posix_get_coarse_res,
64738 .clock_get = posix_get_monotonic_coarse,
64739 };
64740- struct k_clock clock_boottime = {
64741+ static struct k_clock clock_boottime = {
64742 .clock_getres = hrtimer_get_res,
64743 .clock_get = posix_get_boottime,
64744 .nsleep = common_nsleep,
64745@@ -272,6 +273,8 @@ static __init int init_posix_timers(void
64746 .timer_del = common_timer_del,
64747 };
64748
64749+ pax_track_stack();
64750+
64751 posix_timers_register_clock(CLOCK_REALTIME, &clock_realtime);
64752 posix_timers_register_clock(CLOCK_MONOTONIC, &clock_monotonic);
64753 posix_timers_register_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
64754@@ -473,7 +476,7 @@ void posix_timers_register_clock(const c
64755 return;
64756 }
64757
64758- posix_clocks[clock_id] = *new_clock;
64759+ posix_clocks[clock_id] = new_clock;
64760 }
64761 EXPORT_SYMBOL_GPL(posix_timers_register_clock);
64762
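Review bot: Storing `new_clock` by pointer instead of copying it changes the contract of the exported posix_timers_register_clock(): the caller's `struct k_clock` must now outlive the registration, and a caller that still passes an automatic variable (as the in-tree clocks did before this patch) ends up with a dangling entry in `posix_clocks[]`. The companion hunks turn the in-tree callers' locals into `static`, but nothing documents the requirement for other callers; add to the function's header comment `/* new_clock is retained by pointer and must have static storage duration */` and consider making the parameter `const struct k_clock *` in the declaration if it is not already. The function's start is outside this hunk.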
64763@@ -519,9 +522,9 @@ static struct k_clock *clockid_to_kclock
64764 return (id & CLOCKFD_MASK) == CLOCKFD ?
64765 &clock_posix_dynamic : &clock_posix_cpu;
64766
64767- if (id >= MAX_CLOCKS || !posix_clocks[id].clock_getres)
64768+ if (id >= MAX_CLOCKS || !posix_clocks[id] || !posix_clocks[id]->clock_getres)
64769 return NULL;
64770- return &posix_clocks[id];
64771+ return posix_clocks[id];
64772 }
64773
64774 static int common_timer_create(struct k_itimer *new_timer)
64775@@ -959,6 +962,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
64776 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
64777 return -EFAULT;
64778
64779+ /* only the CLOCK_REALTIME clock can be set, all other clocks
64780+ have their clock_set fptr set to a nosettime dummy function
64781+ CLOCK_REALTIME has a NULL clock_set fptr which causes it to
64782+ call common_clock_set, which calls do_sys_settimeofday, which
64783+ we hook
64784+ */
64785+
64786 return kc->clock_set(which_clock, &new_tp);
64787 }
64788
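Review bot: The comment added to clock_settime() says CLOCK_REALTIME "has a NULL clock_set fptr which causes it to call common_clock_set", but the init_posix_timers() hunk earlier in this file sets `.clock_set = posix_clock_realtime_set` for `clock_realtime`, so the comment contradicts the code it sits beside. Reword it to what is visible, e.g. `/* only CLOCK_REALTIME is settable: its clock_set is posix_clock_realtime_set (which ends in do_sys_settimeofday, where the grsecurity check lives); every other clock points clock_set at a nosettime stub */`, and keep it to a `/* */` block with a closing line. The claim about where the grsecurity hook is wired cannot be verified from this excerpt and should be stated as such.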
64789diff -urNp linux-3.1.1/kernel/power/poweroff.c linux-3.1.1/kernel/power/poweroff.c
64790--- linux-3.1.1/kernel/power/poweroff.c 2011-11-11 15:19:27.000000000 -0500
64791+++ linux-3.1.1/kernel/power/poweroff.c 2011-11-16 18:39:08.000000000 -0500
64792@@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
64793 .enable_mask = SYSRQ_ENABLE_BOOT,
64794 };
64795
64796-static int pm_sysrq_init(void)
64797+static int __init pm_sysrq_init(void)
64798 {
64799 register_sysrq_key('o', &sysrq_poweroff_op);
64800 return 0;
64801diff -urNp linux-3.1.1/kernel/power/process.c linux-3.1.1/kernel/power/process.c
64802--- linux-3.1.1/kernel/power/process.c 2011-11-11 15:19:27.000000000 -0500
64803+++ linux-3.1.1/kernel/power/process.c 2011-11-16 18:39:08.000000000 -0500
64804@@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
64805 u64 elapsed_csecs64;
64806 unsigned int elapsed_csecs;
64807 bool wakeup = false;
64808+ bool timedout = false;
64809
64810 do_gettimeofday(&start);
64811
64812@@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
64813
64814 while (true) {
64815 todo = 0;
64816+ if (time_after(jiffies, end_time))
64817+ timedout = true;
64818 read_lock(&tasklist_lock);
64819 do_each_thread(g, p) {
64820 if (frozen(p) || !freezable(p))
64821@@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
64822 * try_to_stop() after schedule() in ptrace/signal
64823 * stop sees TIF_FREEZE.
64824 */
64825- if (!task_is_stopped_or_traced(p) &&
64826- !freezer_should_skip(p))
64827+ if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
64828 todo++;
64829+ if (timedout) {
64830+ printk(KERN_ERR "Task refusing to freeze:\n");
64831+ sched_show_task(p);
64832+ }
64833+ }
64834 } while_each_thread(g, p);
64835 read_unlock(&tasklist_lock);
64836
64837@@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
64838 todo += wq_busy;
64839 }
64840
64841- if (!todo || time_after(jiffies, end_time))
64842+ if (!todo || timedout)
64843 break;
64844
64845 if (pm_wakeup_pending()) {
64846diff -urNp linux-3.1.1/kernel/printk.c linux-3.1.1/kernel/printk.c
64847--- linux-3.1.1/kernel/printk.c 2011-11-11 15:19:27.000000000 -0500
64848+++ linux-3.1.1/kernel/printk.c 2011-11-16 19:38:11.000000000 -0500
64849@@ -313,6 +313,11 @@ static int check_syslog_permissions(int
64850 if (from_file && type != SYSLOG_ACTION_OPEN)
64851 return 0;
64852
64853+#ifdef CONFIG_GRKERNSEC_DMESG
64854+ if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
64855+ return -EPERM;
64856+#endif
64857+
64858 if (syslog_action_restricted(type)) {
64859 if (capable(CAP_SYSLOG))
64860 return 0;
64861diff -urNp linux-3.1.1/kernel/profile.c linux-3.1.1/kernel/profile.c
64862--- linux-3.1.1/kernel/profile.c 2011-11-11 15:19:27.000000000 -0500
64863+++ linux-3.1.1/kernel/profile.c 2011-11-16 18:39:08.000000000 -0500
64864@@ -39,7 +39,7 @@ struct profile_hit {
64865 /* Oprofile timer tick hook */
64866 static int (*timer_hook)(struct pt_regs *) __read_mostly;
64867
64868-static atomic_t *prof_buffer;
64869+static atomic_unchecked_t *prof_buffer;
64870 static unsigned long prof_len, prof_shift;
64871
64872 int prof_on __read_mostly;
64873@@ -281,7 +281,7 @@ static void profile_flip_buffers(void)
64874 hits[i].pc = 0;
64875 continue;
64876 }
64877- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
64878+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
64879 hits[i].hits = hits[i].pc = 0;
64880 }
64881 }
64882@@ -342,9 +342,9 @@ static void do_profile_hits(int type, vo
64883 * Add the current hit(s) and flush the write-queue out
64884 * to the global buffer:
64885 */
64886- atomic_add(nr_hits, &prof_buffer[pc]);
64887+ atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
64888 for (i = 0; i < NR_PROFILE_HIT; ++i) {
64889- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
64890+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
64891 hits[i].pc = hits[i].hits = 0;
64892 }
64893 out:
64894@@ -419,7 +419,7 @@ static void do_profile_hits(int type, vo
64895 {
64896 unsigned long pc;
64897 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
64898- atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
64899+ atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
64900 }
64901 #endif /* !CONFIG_SMP */
64902
64903@@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
64904 return -EFAULT;
64905 buf++; p++; count--; read++;
64906 }
64907- pnt = (char *)prof_buffer + p - sizeof(atomic_t);
64908+ pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
64909 if (copy_to_user(buf, (void *)pnt, count))
64910 return -EFAULT;
64911 read += count;
64912@@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
64913 }
64914 #endif
64915 profile_discard_flip_buffers();
64916- memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
64917+ memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
64918 return count;
64919 }
64920
64921diff -urNp linux-3.1.1/kernel/ptrace.c linux-3.1.1/kernel/ptrace.c
64922--- linux-3.1.1/kernel/ptrace.c 2011-11-11 15:19:27.000000000 -0500
64923+++ linux-3.1.1/kernel/ptrace.c 2011-11-16 19:50:22.000000000 -0500
64924@@ -161,7 +161,8 @@ int ptrace_check_attach(struct task_stru
64925 return ret;
64926 }
64927
64928-int __ptrace_may_access(struct task_struct *task, unsigned int mode)
64929+static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
64930+ unsigned int log)
64931 {
64932 const struct cred *cred = current_cred(), *tcred;
64933
64934@@ -187,7 +188,8 @@ int __ptrace_may_access(struct task_stru
64935 cred->gid == tcred->sgid &&
64936 cred->gid == tcred->gid))
64937 goto ok;
64938- if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
64939+ if ((!log && ns_capable_nolog(tcred->user->user_ns, CAP_SYS_PTRACE)) ||
64940+ (log && ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)))
64941 goto ok;
64942 rcu_read_unlock();
64943 return -EPERM;
64944@@ -196,7 +198,9 @@ ok:
64945 smp_rmb();
64946 if (task->mm)
64947 dumpable = get_dumpable(task->mm);
64948- if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
64949+ if (!dumpable &&
64950+ ((!log && !task_ns_capable_nolog(task, CAP_SYS_PTRACE)) ||
64951+ (log && !task_ns_capable(task, CAP_SYS_PTRACE))))
64952 return -EPERM;
64953
64954 return security_ptrace_access_check(task, mode);
64955@@ -206,7 +210,16 @@ bool ptrace_may_access(struct task_struc
64956 {
64957 int err;
64958 task_lock(task);
64959- err = __ptrace_may_access(task, mode);
64960+ err = __ptrace_may_access(task, mode, 0);
64961+ task_unlock(task);
64962+ return !err;
64963+}
64964+
64965+bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
64966+{
64967+ int err;
64968+ task_lock(task);
64969+ err = __ptrace_may_access(task, mode, 1);
64970 task_unlock(task);
64971 return !err;
64972 }
64973@@ -251,7 +264,7 @@ static int ptrace_attach(struct task_str
64974 goto out;
64975
64976 task_lock(task);
64977- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
64978+ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
64979 task_unlock(task);
64980 if (retval)
64981 goto unlock_creds;
64982@@ -266,7 +279,7 @@ static int ptrace_attach(struct task_str
64983 task->ptrace = PT_PTRACED;
64984 if (seize)
64985 task->ptrace |= PT_SEIZED;
64986- if (task_ns_capable(task, CAP_SYS_PTRACE))
64987+ if (task_ns_capable_nolog(task, CAP_SYS_PTRACE))
64988 task->ptrace |= PT_PTRACE_CAP;
64989
64990 __ptrace_link(task, current);
64991@@ -461,6 +474,8 @@ int ptrace_readdata(struct task_struct *
64992 {
64993 int copied = 0;
64994
64995+ pax_track_stack();
64996+
64997 while (len > 0) {
64998 char buf[128];
64999 int this_len, retval;
65000@@ -472,7 +487,7 @@ int ptrace_readdata(struct task_struct *
65001 break;
65002 return -EIO;
65003 }
65004- if (copy_to_user(dst, buf, retval))
65005+ if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
65006 return -EFAULT;
65007 copied += retval;
65008 src += retval;
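Review bot: The new guard `retval > sizeof(buf)` in ptrace_readdata() compares a signed `int` with a `size_t`, so it is only meaningful because the preceding (not visible) check has already rejected `retval <= 0`; write it as `(size_t)retval > sizeof(buf)` or, clearer still, `retval > this_len` so the bound is the amount actually requested rather than the buffer size. A short comment, `/* defensive: access_process_vm() must never hand back more than asked for */`, explains why a check on a kernel-internal helper is here at all. The enclosing loop begins before this hunk.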
65009@@ -486,6 +501,8 @@ int ptrace_writedata(struct task_struct
65010 {
65011 int copied = 0;
65012
65013+ pax_track_stack();
65014+
65015 while (len > 0) {
65016 char buf[128];
65017 int this_len, retval;
65018@@ -669,10 +686,12 @@ int ptrace_request(struct task_struct *c
65019 bool seized = child->ptrace & PT_SEIZED;
65020 int ret = -EIO;
65021 siginfo_t siginfo, *si;
65022- void __user *datavp = (void __user *) data;
65023+ void __user *datavp = (__force void __user *) data;
65024 unsigned long __user *datalp = datavp;
65025 unsigned long flags;
65026
65027+ pax_track_stack();
65028+
65029 switch (request) {
65030 case PTRACE_PEEKTEXT:
65031 case PTRACE_PEEKDATA:
65032@@ -871,14 +890,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
65033 goto out;
65034 }
65035
65036+ if (gr_handle_ptrace(child, request)) {
65037+ ret = -EPERM;
65038+ goto out_put_task_struct;
65039+ }
65040+
65041 if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
65042 ret = ptrace_attach(child, request, data);
65043 /*
65044 * Some architectures need to do book-keeping after
65045 * a ptrace attach.
65046 */
65047- if (!ret)
65048+ if (!ret) {
65049 arch_ptrace_attach(child);
65050+ gr_audit_ptrace(child);
65051+ }
65052 goto out_put_task_struct;
65053 }
65054
65055@@ -904,7 +930,7 @@ int generic_ptrace_peekdata(struct task_
65056 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
65057 if (copied != sizeof(tmp))
65058 return -EIO;
65059- return put_user(tmp, (unsigned long __user *)data);
65060+ return put_user(tmp, (__force unsigned long __user *)data);
65061 }
65062
65063 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
65064@@ -927,6 +953,8 @@ int compat_ptrace_request(struct task_st
65065 siginfo_t siginfo;
65066 int ret;
65067
65068+ pax_track_stack();
65069+
65070 switch (request) {
65071 case PTRACE_PEEKTEXT:
65072 case PTRACE_PEEKDATA:
65073@@ -1014,14 +1042,21 @@ asmlinkage long compat_sys_ptrace(compat
65074 goto out;
65075 }
65076
65077+ if (gr_handle_ptrace(child, request)) {
65078+ ret = -EPERM;
65079+ goto out_put_task_struct;
65080+ }
65081+
65082 if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
65083 ret = ptrace_attach(child, request, data);
65084 /*
65085 * Some architectures need to do book-keeping after
65086 * a ptrace attach.
65087 */
65088- if (!ret)
65089+ if (!ret) {
65090 arch_ptrace_attach(child);
65091+ gr_audit_ptrace(child);
65092+ }
65093 goto out_put_task_struct;
65094 }
65095
65096diff -urNp linux-3.1.1/kernel/rcutorture.c linux-3.1.1/kernel/rcutorture.c
65097--- linux-3.1.1/kernel/rcutorture.c 2011-11-11 15:19:27.000000000 -0500
65098+++ linux-3.1.1/kernel/rcutorture.c 2011-11-16 18:39:08.000000000 -0500
65099@@ -138,12 +138,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
65100 { 0 };
65101 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
65102 { 0 };
65103-static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
65104-static atomic_t n_rcu_torture_alloc;
65105-static atomic_t n_rcu_torture_alloc_fail;
65106-static atomic_t n_rcu_torture_free;
65107-static atomic_t n_rcu_torture_mberror;
65108-static atomic_t n_rcu_torture_error;
65109+static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
65110+static atomic_unchecked_t n_rcu_torture_alloc;
65111+static atomic_unchecked_t n_rcu_torture_alloc_fail;
65112+static atomic_unchecked_t n_rcu_torture_free;
65113+static atomic_unchecked_t n_rcu_torture_mberror;
65114+static atomic_unchecked_t n_rcu_torture_error;
65115 static long n_rcu_torture_boost_ktrerror;
65116 static long n_rcu_torture_boost_rterror;
65117 static long n_rcu_torture_boost_failure;
65118@@ -223,11 +223,11 @@ rcu_torture_alloc(void)
65119
65120 spin_lock_bh(&rcu_torture_lock);
65121 if (list_empty(&rcu_torture_freelist)) {
65122- atomic_inc(&n_rcu_torture_alloc_fail);
65123+ atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
65124 spin_unlock_bh(&rcu_torture_lock);
65125 return NULL;
65126 }
65127- atomic_inc(&n_rcu_torture_alloc);
65128+ atomic_inc_unchecked(&n_rcu_torture_alloc);
65129 p = rcu_torture_freelist.next;
65130 list_del_init(p);
65131 spin_unlock_bh(&rcu_torture_lock);
65132@@ -240,7 +240,7 @@ rcu_torture_alloc(void)
65133 static void
65134 rcu_torture_free(struct rcu_torture *p)
65135 {
65136- atomic_inc(&n_rcu_torture_free);
65137+ atomic_inc_unchecked(&n_rcu_torture_free);
65138 spin_lock_bh(&rcu_torture_lock);
65139 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
65140 spin_unlock_bh(&rcu_torture_lock);
65141@@ -360,7 +360,7 @@ rcu_torture_cb(struct rcu_head *p)
65142 i = rp->rtort_pipe_count;
65143 if (i > RCU_TORTURE_PIPE_LEN)
65144 i = RCU_TORTURE_PIPE_LEN;
65145- atomic_inc(&rcu_torture_wcount[i]);
65146+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
65147 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
65148 rp->rtort_mbtest = 0;
65149 rcu_torture_free(rp);
65150@@ -407,7 +407,7 @@ static void rcu_sync_torture_deferred_fr
65151 i = rp->rtort_pipe_count;
65152 if (i > RCU_TORTURE_PIPE_LEN)
65153 i = RCU_TORTURE_PIPE_LEN;
65154- atomic_inc(&rcu_torture_wcount[i]);
65155+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
65156 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
65157 rp->rtort_mbtest = 0;
65158 list_del(&rp->rtort_free);
65159@@ -882,7 +882,7 @@ rcu_torture_writer(void *arg)
65160 i = old_rp->rtort_pipe_count;
65161 if (i > RCU_TORTURE_PIPE_LEN)
65162 i = RCU_TORTURE_PIPE_LEN;
65163- atomic_inc(&rcu_torture_wcount[i]);
65164+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
65165 old_rp->rtort_pipe_count++;
65166 cur_ops->deferred_free(old_rp);
65167 }
65168@@ -950,7 +950,7 @@ static void rcu_torture_timer(unsigned l
65169 return;
65170 }
65171 if (p->rtort_mbtest == 0)
65172- atomic_inc(&n_rcu_torture_mberror);
65173+ atomic_inc_unchecked(&n_rcu_torture_mberror);
65174 spin_lock(&rand_lock);
65175 cur_ops->read_delay(&rand);
65176 n_rcu_torture_timers++;
65177@@ -1011,7 +1011,7 @@ rcu_torture_reader(void *arg)
65178 continue;
65179 }
65180 if (p->rtort_mbtest == 0)
65181- atomic_inc(&n_rcu_torture_mberror);
65182+ atomic_inc_unchecked(&n_rcu_torture_mberror);
65183 cur_ops->read_delay(&rand);
65184 preempt_disable();
65185 pipe_count = p->rtort_pipe_count;
65186@@ -1070,16 +1070,16 @@ rcu_torture_printk(char *page)
65187 rcu_torture_current,
65188 rcu_torture_current_version,
65189 list_empty(&rcu_torture_freelist),
65190- atomic_read(&n_rcu_torture_alloc),
65191- atomic_read(&n_rcu_torture_alloc_fail),
65192- atomic_read(&n_rcu_torture_free),
65193- atomic_read(&n_rcu_torture_mberror),
65194+ atomic_read_unchecked(&n_rcu_torture_alloc),
65195+ atomic_read_unchecked(&n_rcu_torture_alloc_fail),
65196+ atomic_read_unchecked(&n_rcu_torture_free),
65197+ atomic_read_unchecked(&n_rcu_torture_mberror),
65198 n_rcu_torture_boost_ktrerror,
65199 n_rcu_torture_boost_rterror,
65200 n_rcu_torture_boost_failure,
65201 n_rcu_torture_boosts,
65202 n_rcu_torture_timers);
65203- if (atomic_read(&n_rcu_torture_mberror) != 0 ||
65204+ if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
65205 n_rcu_torture_boost_ktrerror != 0 ||
65206 n_rcu_torture_boost_rterror != 0 ||
65207 n_rcu_torture_boost_failure != 0)
65208@@ -1087,7 +1087,7 @@ rcu_torture_printk(char *page)
65209 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
65210 if (i > 1) {
65211 cnt += sprintf(&page[cnt], "!!! ");
65212- atomic_inc(&n_rcu_torture_error);
65213+ atomic_inc_unchecked(&n_rcu_torture_error);
65214 WARN_ON_ONCE(1);
65215 }
65216 cnt += sprintf(&page[cnt], "Reader Pipe: ");
65217@@ -1101,7 +1101,7 @@ rcu_torture_printk(char *page)
65218 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
65219 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
65220 cnt += sprintf(&page[cnt], " %d",
65221- atomic_read(&rcu_torture_wcount[i]));
65222+ atomic_read_unchecked(&rcu_torture_wcount[i]));
65223 }
65224 cnt += sprintf(&page[cnt], "\n");
65225 if (cur_ops->stats)
65226@@ -1410,7 +1410,7 @@ rcu_torture_cleanup(void)
65227
65228 if (cur_ops->cleanup)
65229 cur_ops->cleanup();
65230- if (atomic_read(&n_rcu_torture_error))
65231+ if (atomic_read_unchecked(&n_rcu_torture_error))
65232 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
65233 else
65234 rcu_torture_print_module_parms(cur_ops, "End of test: SUCCESS");
65235@@ -1474,17 +1474,17 @@ rcu_torture_init(void)
65236
65237 rcu_torture_current = NULL;
65238 rcu_torture_current_version = 0;
65239- atomic_set(&n_rcu_torture_alloc, 0);
65240- atomic_set(&n_rcu_torture_alloc_fail, 0);
65241- atomic_set(&n_rcu_torture_free, 0);
65242- atomic_set(&n_rcu_torture_mberror, 0);
65243- atomic_set(&n_rcu_torture_error, 0);
65244+ atomic_set_unchecked(&n_rcu_torture_alloc, 0);
65245+ atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
65246+ atomic_set_unchecked(&n_rcu_torture_free, 0);
65247+ atomic_set_unchecked(&n_rcu_torture_mberror, 0);
65248+ atomic_set_unchecked(&n_rcu_torture_error, 0);
65249 n_rcu_torture_boost_ktrerror = 0;
65250 n_rcu_torture_boost_rterror = 0;
65251 n_rcu_torture_boost_failure = 0;
65252 n_rcu_torture_boosts = 0;
65253 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
65254- atomic_set(&rcu_torture_wcount[i], 0);
65255+ atomic_set_unchecked(&rcu_torture_wcount[i], 0);
65256 for_each_possible_cpu(cpu) {
65257 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
65258 per_cpu(rcu_torture_count, cpu)[i] = 0;
65259diff -urNp linux-3.1.1/kernel/rcutree.c linux-3.1.1/kernel/rcutree.c
65260--- linux-3.1.1/kernel/rcutree.c 2011-11-11 15:19:27.000000000 -0500
65261+++ linux-3.1.1/kernel/rcutree.c 2011-11-16 18:39:08.000000000 -0500
65262@@ -356,9 +356,9 @@ void rcu_enter_nohz(void)
65263 }
65264 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
65265 smp_mb__before_atomic_inc(); /* See above. */
65266- atomic_inc(&rdtp->dynticks);
65267+ atomic_inc_unchecked(&rdtp->dynticks);
65268 smp_mb__after_atomic_inc(); /* Force ordering with next sojourn. */
65269- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
65270+ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
65271 local_irq_restore(flags);
65272
65273 /* If the interrupt queued a callback, get out of dyntick mode. */
65274@@ -387,10 +387,10 @@ void rcu_exit_nohz(void)
65275 return;
65276 }
65277 smp_mb__before_atomic_inc(); /* Force ordering w/previous sojourn. */
65278- atomic_inc(&rdtp->dynticks);
65279+ atomic_inc_unchecked(&rdtp->dynticks);
65280 /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
65281 smp_mb__after_atomic_inc(); /* See above. */
65282- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
65283+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
65284 local_irq_restore(flags);
65285 }
65286
65287@@ -406,14 +406,14 @@ void rcu_nmi_enter(void)
65288 struct rcu_dynticks *rdtp = &__get_cpu_var(rcu_dynticks);
65289
65290 if (rdtp->dynticks_nmi_nesting == 0 &&
65291- (atomic_read(&rdtp->dynticks) & 0x1))
65292+ (atomic_read_unchecked(&rdtp->dynticks) & 0x1))
65293 return;
65294 rdtp->dynticks_nmi_nesting++;
65295 smp_mb__before_atomic_inc(); /* Force delay from prior write. */
65296- atomic_inc(&rdtp->dynticks);
65297+ atomic_inc_unchecked(&rdtp->dynticks);
65298 /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
65299 smp_mb__after_atomic_inc(); /* See above. */
65300- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
65301+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
65302 }
65303
65304 /**
65305@@ -432,9 +432,9 @@ void rcu_nmi_exit(void)
65306 return;
65307 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
65308 smp_mb__before_atomic_inc(); /* See above. */
65309- atomic_inc(&rdtp->dynticks);
65310+ atomic_inc_unchecked(&rdtp->dynticks);
65311 smp_mb__after_atomic_inc(); /* Force delay to next write. */
65312- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
65313+ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
65314 }
65315
65316 /**
65317@@ -469,7 +469,7 @@ void rcu_irq_exit(void)
65318 */
65319 static int dyntick_save_progress_counter(struct rcu_data *rdp)
65320 {
65321- rdp->dynticks_snap = atomic_add_return(0, &rdp->dynticks->dynticks);
65322+ rdp->dynticks_snap = atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
65323 return 0;
65324 }
65325
65326@@ -484,7 +484,7 @@ static int rcu_implicit_dynticks_qs(stru
65327 unsigned long curr;
65328 unsigned long snap;
65329
65330- curr = (unsigned long)atomic_add_return(0, &rdp->dynticks->dynticks);
65331+ curr = (unsigned long)atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
65332 snap = (unsigned long)rdp->dynticks_snap;
65333
65334 /*
65335@@ -1470,7 +1470,7 @@ __rcu_process_callbacks(struct rcu_state
65336 /*
65337 * Do softirq processing for the current CPU.
65338 */
65339-static void rcu_process_callbacks(struct softirq_action *unused)
65340+static void rcu_process_callbacks(void)
65341 {
65342 __rcu_process_callbacks(&rcu_sched_state,
65343 &__get_cpu_var(rcu_sched_data));
65344diff -urNp linux-3.1.1/kernel/rcutree.h linux-3.1.1/kernel/rcutree.h
65345--- linux-3.1.1/kernel/rcutree.h 2011-11-11 15:19:27.000000000 -0500
65346+++ linux-3.1.1/kernel/rcutree.h 2011-11-16 18:39:08.000000000 -0500
65347@@ -86,7 +86,7 @@
65348 struct rcu_dynticks {
65349 int dynticks_nesting; /* Track irq/process nesting level. */
65350 int dynticks_nmi_nesting; /* Track NMI nesting level. */
65351- atomic_t dynticks; /* Even value for dynticks-idle, else odd. */
65352+ atomic_unchecked_t dynticks; /* Even value for dynticks-idle, else odd. */
65353 };
65354
65355 /* RCU's kthread states for tracing. */
65356diff -urNp linux-3.1.1/kernel/rcutree_plugin.h linux-3.1.1/kernel/rcutree_plugin.h
65357--- linux-3.1.1/kernel/rcutree_plugin.h 2011-11-11 15:19:27.000000000 -0500
65358+++ linux-3.1.1/kernel/rcutree_plugin.h 2011-11-16 18:39:08.000000000 -0500
65359@@ -822,7 +822,7 @@ void synchronize_rcu_expedited(void)
65360
65361 /* Clean up and exit. */
65362 smp_mb(); /* ensure expedited GP seen before counter increment. */
65363- ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
65364+ ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
65365 unlock_mb_ret:
65366 mutex_unlock(&sync_rcu_preempt_exp_mutex);
65367 mb_ret:
65368@@ -1774,8 +1774,8 @@ EXPORT_SYMBOL_GPL(synchronize_sched_expe
65369
65370 #else /* #ifndef CONFIG_SMP */
65371
65372-static atomic_t sync_sched_expedited_started = ATOMIC_INIT(0);
65373-static atomic_t sync_sched_expedited_done = ATOMIC_INIT(0);
65374+static atomic_unchecked_t sync_sched_expedited_started = ATOMIC_INIT(0);
65375+static atomic_unchecked_t sync_sched_expedited_done = ATOMIC_INIT(0);
65376
65377 static int synchronize_sched_expedited_cpu_stop(void *data)
65378 {
65379@@ -1830,7 +1830,7 @@ void synchronize_sched_expedited(void)
65380 int firstsnap, s, snap, trycount = 0;
65381
65382 /* Note that atomic_inc_return() implies full memory barrier. */
65383- firstsnap = snap = atomic_inc_return(&sync_sched_expedited_started);
65384+ firstsnap = snap = atomic_inc_return_unchecked(&sync_sched_expedited_started);
65385 get_online_cpus();
65386
65387 /*
65388@@ -1851,7 +1851,7 @@ void synchronize_sched_expedited(void)
65389 }
65390
65391 /* Check to see if someone else did our work for us. */
65392- s = atomic_read(&sync_sched_expedited_done);
65393+ s = atomic_read_unchecked(&sync_sched_expedited_done);
65394 if (UINT_CMP_GE((unsigned)s, (unsigned)firstsnap)) {
65395 smp_mb(); /* ensure test happens before caller kfree */
65396 return;
65397@@ -1866,7 +1866,7 @@ void synchronize_sched_expedited(void)
65398 * grace period works for us.
65399 */
65400 get_online_cpus();
65401- snap = atomic_read(&sync_sched_expedited_started) - 1;
65402+ snap = atomic_read_unchecked(&sync_sched_expedited_started) - 1;
65403 smp_mb(); /* ensure read is before try_stop_cpus(). */
65404 }
65405
65406@@ -1877,12 +1877,12 @@ void synchronize_sched_expedited(void)
65407 * than we did beat us to the punch.
65408 */
65409 do {
65410- s = atomic_read(&sync_sched_expedited_done);
65411+ s = atomic_read_unchecked(&sync_sched_expedited_done);
65412 if (UINT_CMP_GE((unsigned)s, (unsigned)snap)) {
65413 smp_mb(); /* ensure test happens before caller kfree */
65414 break;
65415 }
65416- } while (atomic_cmpxchg(&sync_sched_expedited_done, s, snap) != s);
65417+ } while (atomic_cmpxchg_unchecked(&sync_sched_expedited_done, s, snap) != s);
65418
65419 put_online_cpus();
65420 }
65421diff -urNp linux-3.1.1/kernel/relay.c linux-3.1.1/kernel/relay.c
65422--- linux-3.1.1/kernel/relay.c 2011-11-11 15:19:27.000000000 -0500
65423+++ linux-3.1.1/kernel/relay.c 2011-11-16 18:40:44.000000000 -0500
65424@@ -1236,6 +1236,8 @@ static ssize_t subbuf_splice_actor(struc
65425 };
65426 ssize_t ret;
65427
65428+ pax_track_stack();
65429+
65430 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
65431 return 0;
65432 if (splice_grow_spd(pipe, &spd))
65433diff -urNp linux-3.1.1/kernel/resource.c linux-3.1.1/kernel/resource.c
65434--- linux-3.1.1/kernel/resource.c 2011-11-11 15:19:27.000000000 -0500
65435+++ linux-3.1.1/kernel/resource.c 2011-11-16 18:40:44.000000000 -0500
65436@@ -141,8 +141,18 @@ static const struct file_operations proc
65437
65438 static int __init ioresources_init(void)
65439 {
65440+#ifdef CONFIG_GRKERNSEC_PROC_ADD
65441+#ifdef CONFIG_GRKERNSEC_PROC_USER
65442+ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
65443+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
65444+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
65445+ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
65446+ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
65447+#endif
65448+#else
65449 proc_create("ioports", 0, NULL, &proc_ioports_operations);
65450 proc_create("iomem", 0, NULL, &proc_iomem_operations);
65451+#endif
65452 return 0;
65453 }
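Review bot: With CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, the new block creates neither /proc/ioports nor /proc/iomem: the inner `#ifdef`/`#elif` has no `#else`, and the original proc_create calls live only in the outer `#else`. If Kconfig makes one of the two sub-options mandatory whenever PROC_ADD is enabled, a comment stating that above the block would remove the doubt; otherwise an inner `#else` repeating the original mode-0 calls is needed. It would also help to note that the original mode `0` presumably means "proc default" rather than "no access", so S_IRUSR is a tightening, not a loosening.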
65454 __initcall(ioresources_init);
65455diff -urNp linux-3.1.1/kernel/rtmutex-tester.c linux-3.1.1/kernel/rtmutex-tester.c
65456--- linux-3.1.1/kernel/rtmutex-tester.c 2011-11-11 15:19:27.000000000 -0500
65457+++ linux-3.1.1/kernel/rtmutex-tester.c 2011-11-16 18:39:08.000000000 -0500
65458@@ -20,7 +20,7 @@
65459 #define MAX_RT_TEST_MUTEXES 8
65460
65461 static spinlock_t rttest_lock;
65462-static atomic_t rttest_event;
65463+static atomic_unchecked_t rttest_event;
65464
65465 struct test_thread_data {
65466 int opcode;
65467@@ -61,7 +61,7 @@ static int handle_op(struct test_thread_
65468
65469 case RTTEST_LOCKCONT:
65470 td->mutexes[td->opdata] = 1;
65471- td->event = atomic_add_return(1, &rttest_event);
65472+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65473 return 0;
65474
65475 case RTTEST_RESET:
65476@@ -74,7 +74,7 @@ static int handle_op(struct test_thread_
65477 return 0;
65478
65479 case RTTEST_RESETEVENT:
65480- atomic_set(&rttest_event, 0);
65481+ atomic_set_unchecked(&rttest_event, 0);
65482 return 0;
65483
65484 default:
65485@@ -91,9 +91,9 @@ static int handle_op(struct test_thread_
65486 return ret;
65487
65488 td->mutexes[id] = 1;
65489- td->event = atomic_add_return(1, &rttest_event);
65490+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65491 rt_mutex_lock(&mutexes[id]);
65492- td->event = atomic_add_return(1, &rttest_event);
65493+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65494 td->mutexes[id] = 4;
65495 return 0;
65496
65497@@ -104,9 +104,9 @@ static int handle_op(struct test_thread_
65498 return ret;
65499
65500 td->mutexes[id] = 1;
65501- td->event = atomic_add_return(1, &rttest_event);
65502+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65503 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
65504- td->event = atomic_add_return(1, &rttest_event);
65505+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65506 td->mutexes[id] = ret ? 0 : 4;
65507 return ret ? -EINTR : 0;
65508
65509@@ -115,9 +115,9 @@ static int handle_op(struct test_thread_
65510 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
65511 return ret;
65512
65513- td->event = atomic_add_return(1, &rttest_event);
65514+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65515 rt_mutex_unlock(&mutexes[id]);
65516- td->event = atomic_add_return(1, &rttest_event);
65517+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65518 td->mutexes[id] = 0;
65519 return 0;
65520
65521@@ -164,7 +164,7 @@ void schedule_rt_mutex_test(struct rt_mu
65522 break;
65523
65524 td->mutexes[dat] = 2;
65525- td->event = atomic_add_return(1, &rttest_event);
65526+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65527 break;
65528
65529 default:
65530@@ -184,7 +184,7 @@ void schedule_rt_mutex_test(struct rt_mu
65531 return;
65532
65533 td->mutexes[dat] = 3;
65534- td->event = atomic_add_return(1, &rttest_event);
65535+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65536 break;
65537
65538 case RTTEST_LOCKNOWAIT:
65539@@ -196,7 +196,7 @@ void schedule_rt_mutex_test(struct rt_mu
65540 return;
65541
65542 td->mutexes[dat] = 1;
65543- td->event = atomic_add_return(1, &rttest_event);
65544+ td->event = atomic_add_return_unchecked(1, &rttest_event);
65545 return;
65546
65547 default:
65548diff -urNp linux-3.1.1/kernel/sched_autogroup.c linux-3.1.1/kernel/sched_autogroup.c
65549--- linux-3.1.1/kernel/sched_autogroup.c 2011-11-11 15:19:27.000000000 -0500
65550+++ linux-3.1.1/kernel/sched_autogroup.c 2011-11-16 18:39:08.000000000 -0500
65551@@ -7,7 +7,7 @@
65552
65553 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
65554 static struct autogroup autogroup_default;
65555-static atomic_t autogroup_seq_nr;
65556+static atomic_unchecked_t autogroup_seq_nr;
65557
65558 static void __init autogroup_init(struct task_struct *init_task)
65559 {
65560@@ -78,7 +78,7 @@ static inline struct autogroup *autogrou
65561
65562 kref_init(&ag->kref);
65563 init_rwsem(&ag->lock);
65564- ag->id = atomic_inc_return(&autogroup_seq_nr);
65565+ ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
65566 ag->tg = tg;
65567 #ifdef CONFIG_RT_GROUP_SCHED
65568 /*
65569diff -urNp linux-3.1.1/kernel/sched.c linux-3.1.1/kernel/sched.c
65570--- linux-3.1.1/kernel/sched.c 2011-11-11 15:19:27.000000000 -0500
65571+++ linux-3.1.1/kernel/sched.c 2011-11-16 18:40:44.000000000 -0500
65572@@ -4264,6 +4264,8 @@ static void __sched __schedule(void)
65573 struct rq *rq;
65574 int cpu;
65575
65576+ pax_track_stack();
65577+
65578 need_resched:
65579 preempt_disable();
65580 cpu = smp_processor_id();
65581@@ -4950,6 +4952,8 @@ int can_nice(const struct task_struct *p
65582 /* convert nice value [19,-20] to rlimit style value [1,40] */
65583 int nice_rlim = 20 - nice;
65584
65585+ gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
65586+
65587 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
65588 capable(CAP_SYS_NICE));
65589 }
65590@@ -4983,7 +4987,8 @@ SYSCALL_DEFINE1(nice, int, increment)
65591 if (nice > 19)
65592 nice = 19;
65593
65594- if (increment < 0 && !can_nice(current, nice))
65595+ if (increment < 0 && (!can_nice(current, nice) ||
65596+ gr_handle_chroot_nice()))
65597 return -EPERM;
65598
65599 retval = security_task_setnice(current, nice);
65600@@ -5127,6 +5132,7 @@ recheck:
65601 unsigned long rlim_rtprio =
65602 task_rlimit(p, RLIMIT_RTPRIO);
65603
65604+ gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
65605 /* can't set/change the rt policy */
65606 if (policy != p->policy && !rlim_rtprio)
65607 return -EPERM;
65608diff -urNp linux-3.1.1/kernel/sched_fair.c linux-3.1.1/kernel/sched_fair.c
65609--- linux-3.1.1/kernel/sched_fair.c 2011-11-11 15:19:27.000000000 -0500
65610+++ linux-3.1.1/kernel/sched_fair.c 2011-11-16 18:39:08.000000000 -0500
65611@@ -4062,7 +4062,7 @@ static void nohz_idle_balance(int this_c
65612 * run_rebalance_domains is triggered when needed from the scheduler tick.
65613 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
65614 */
65615-static void run_rebalance_domains(struct softirq_action *h)
65616+static void run_rebalance_domains(void)
65617 {
65618 int this_cpu = smp_processor_id();
65619 struct rq *this_rq = cpu_rq(this_cpu);
65620diff -urNp linux-3.1.1/kernel/signal.c linux-3.1.1/kernel/signal.c
65621--- linux-3.1.1/kernel/signal.c 2011-11-11 15:19:27.000000000 -0500
65622+++ linux-3.1.1/kernel/signal.c 2011-11-16 19:30:04.000000000 -0500
65623@@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
65624
65625 int print_fatal_signals __read_mostly;
65626
65627-static void __user *sig_handler(struct task_struct *t, int sig)
65628+static __sighandler_t sig_handler(struct task_struct *t, int sig)
65629 {
65630 return t->sighand->action[sig - 1].sa.sa_handler;
65631 }
65632
65633-static int sig_handler_ignored(void __user *handler, int sig)
65634+static int sig_handler_ignored(__sighandler_t handler, int sig)
65635 {
65636 /* Is it explicitly or implicitly ignored? */
65637 return handler == SIG_IGN ||
65638@@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
65639 static int sig_task_ignored(struct task_struct *t, int sig,
65640 int from_ancestor_ns)
65641 {
65642- void __user *handler;
65643+ __sighandler_t handler;
65644
65645 handler = sig_handler(t, sig);
65646
65647@@ -364,6 +364,9 @@ __sigqueue_alloc(int sig, struct task_st
65648 atomic_inc(&user->sigpending);
65649 rcu_read_unlock();
65650
65651+ if (!override_rlimit)
65652+ gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
65653+
65654 if (override_rlimit ||
65655 atomic_read(&user->sigpending) <=
65656 task_rlimit(t, RLIMIT_SIGPENDING)) {
65657@@ -488,7 +491,7 @@ flush_signal_handlers(struct task_struct
65658
65659 int unhandled_signal(struct task_struct *tsk, int sig)
65660 {
65661- void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
65662+ __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
65663 if (is_global_init(tsk))
65664 return 1;
65665 if (handler != SIG_IGN && handler != SIG_DFL)
65666@@ -815,6 +818,13 @@ static int check_kill_permission(int sig
65667 }
65668 }
65669
65670+ /* allow glibc communication via tgkill to other threads in our
65671+ thread group */
65672+ if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
65673+ sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
65674+ && gr_handle_signal(t, sig))
65675+ return -EPERM;
65676+
65677 return security_task_kill(t, info, sig, 0);
65678 }
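Review bot: The new condition dereferences `info->si_code` and `info->si_pid` whenever `info != SEND_SIG_NOINFO`, which is only safe because the other special values (SEND_SIG_PRIV, SEND_SIG_FORCED) are, if I recall the 3.1 function correctly, filtered out by the `si_fromuser()` early return near the top of check_kill_permission — that return is outside the hunk, so the dependency is invisible here. A comment such as `/* info is SEND_SIG_NOINFO or a real siginfo here: si_fromuser() above already returned for the other special values */` would stop the exemption from being moved above that check. Also worth spelling out in the comment that the `&&` short-circuit means gr_handle_signal() is not consulted at all for the in-group SIGRTMIN+1 tgkill case, i.e. the exemption bypasses policy entirely rather than merely relaxing it.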
65679
65680@@ -1165,7 +1175,7 @@ __group_send_sig_info(int sig, struct si
65681 return send_signal(sig, info, p, 1);
65682 }
65683
65684-static int
65685+int
65686 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
65687 {
65688 return send_signal(sig, info, t, 0);
65689@@ -1202,6 +1212,7 @@ force_sig_info(int sig, struct siginfo *
65690 unsigned long int flags;
65691 int ret, blocked, ignored;
65692 struct k_sigaction *action;
65693+ int is_unhandled = 0;
65694
65695 spin_lock_irqsave(&t->sighand->siglock, flags);
65696 action = &t->sighand->action[sig-1];
65697@@ -1216,9 +1227,18 @@ force_sig_info(int sig, struct siginfo *
65698 }
65699 if (action->sa.sa_handler == SIG_DFL)
65700 t->signal->flags &= ~SIGNAL_UNKILLABLE;
65701+ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
65702+ is_unhandled = 1;
65703 ret = specific_send_sig_info(sig, info, t);
65704 spin_unlock_irqrestore(&t->sighand->siglock, flags);
65705
65706+ /* only deal with unhandled signals, java etc trigger SIGSEGV during
65707+ normal operation */
65708+ if (is_unhandled) {
65709+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
65710+ gr_handle_crash(t, sig);
65711+ }
65712+
65713 return ret;
65714 }
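Review bot: `gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t)` reads `si_addr` for every non-special siginfo, but `si_addr` belongs to the `_sigfault` member of the siginfo union and is only meaningful for the fault signals (SIGSEGV, SIGBUS, SIGILL, SIGFPE, SIGTRAP); for any other signal those bytes overlay a different member, so the logged "address" would be noise. Gating the argument on the signal, e.g. `(!is_si_special(info) && (sig == SIGSEGV || sig == SIGBUS || sig == SIGILL || sig == SIGFPE || sig == SIGTRAP)) ? info->si_addr : NULL`, or having gr_log_signal() ignore the address for non-fault signals, keeps the log accurate. The same expression appears in the group_send_sig_info hunk below, where the signal normally arrives via kill() and the address is never meaningful. This assumes gr_log_signal() treats its second argument as a fault address, which its definition (not in this chunk) should confirm.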
65715
65716@@ -1285,8 +1305,11 @@ int group_send_sig_info(int sig, struct
65717 ret = check_kill_permission(sig, info, p);
65718 rcu_read_unlock();
65719
65720- if (!ret && sig)
65721+ if (!ret && sig) {
65722 ret = do_send_sig_info(sig, info, p, true);
65723+ if (!ret)
65724+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
65725+ }
65726
65727 return ret;
65728 }
65729@@ -1909,6 +1932,8 @@ static void ptrace_do_notify(int signr,
65730 {
65731 siginfo_t info;
65732
65733+ pax_track_stack();
65734+
65735 memset(&info, 0, sizeof info);
65736 info.si_signo = signr;
65737 info.si_code = exit_code;
65738@@ -2748,7 +2773,15 @@ do_send_specific(pid_t tgid, pid_t pid,
65739 int error = -ESRCH;
65740
65741 rcu_read_lock();
65742- p = find_task_by_vpid(pid);
65743+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
65744+ /* allow glibc communication via tgkill to other threads in our
65745+ thread group */
65746+ if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
65747+ sig == (SIGRTMIN+1) && tgid == info->si_pid)
65748+ p = find_task_by_vpid_unrestricted(pid);
65749+ else
65750+#endif
65751+ p = find_task_by_vpid(pid);
65752 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
65753 error = check_kill_permission(sig, info, p);
65754 /*
65755diff -urNp linux-3.1.1/kernel/smp.c linux-3.1.1/kernel/smp.c
65756--- linux-3.1.1/kernel/smp.c 2011-11-11 15:19:27.000000000 -0500
65757+++ linux-3.1.1/kernel/smp.c 2011-11-16 18:39:08.000000000 -0500
65758@@ -580,22 +580,22 @@ int smp_call_function(smp_call_func_t fu
65759 }
65760 EXPORT_SYMBOL(smp_call_function);
65761
65762-void ipi_call_lock(void)
65763+void ipi_call_lock(void) __acquires(call_function.lock)
65764 {
65765 raw_spin_lock(&call_function.lock);
65766 }
65767
65768-void ipi_call_unlock(void)
65769+void ipi_call_unlock(void) __releases(call_function.lock)
65770 {
65771 raw_spin_unlock(&call_function.lock);
65772 }
65773
65774-void ipi_call_lock_irq(void)
65775+void ipi_call_lock_irq(void) __acquires(call_function.lock)
65776 {
65777 raw_spin_lock_irq(&call_function.lock);
65778 }
65779
65780-void ipi_call_unlock_irq(void)
65781+void ipi_call_unlock_irq(void) __releases(call_function.lock)
65782 {
65783 raw_spin_unlock_irq(&call_function.lock);
65784 }
65785diff -urNp linux-3.1.1/kernel/softirq.c linux-3.1.1/kernel/softirq.c
65786--- linux-3.1.1/kernel/softirq.c 2011-11-11 15:19:27.000000000 -0500
65787+++ linux-3.1.1/kernel/softirq.c 2011-11-16 18:39:08.000000000 -0500
65788@@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
65789
65790 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
65791
65792-char *softirq_to_name[NR_SOFTIRQS] = {
65793+const char * const softirq_to_name[NR_SOFTIRQS] = {
65794 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
65795 "TASKLET", "SCHED", "HRTIMER", "RCU"
65796 };
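Review bot: Changing the definition of softirq_to_name to `const char * const` requires the matching extern declaration (in 3.1 it lives in include/linux/interrupt.h, outside this chunk) to carry the same qualifiers, otherwise the build fails with conflicting types, and the chunk does not show that header being touched. The intent — the table is never written after init and should land in read-only data — is worth a short comment above the array, e.g. `/* never written after init; const so it lives in rodata */`, so the qualifiers are not dropped the next time a softirq name is added.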
65797@@ -235,7 +235,7 @@ restart:
65798 kstat_incr_softirqs_this_cpu(vec_nr);
65799
65800 trace_softirq_entry(vec_nr);
65801- h->action(h);
65802+ h->action();
65803 trace_softirq_exit(vec_nr);
65804 if (unlikely(prev_count != preempt_count())) {
65805 printk(KERN_ERR "huh, entered softirq %u %s %p"
65806@@ -385,9 +385,11 @@ void raise_softirq(unsigned int nr)
65807 local_irq_restore(flags);
65808 }
65809
65810-void open_softirq(int nr, void (*action)(struct softirq_action *))
65811+void open_softirq(int nr, void (*action)(void))
65812 {
65813- softirq_vec[nr].action = action;
65814+ pax_open_kernel();
65815+ *(void **)&softirq_vec[nr].action = action;
65816+ pax_close_kernel();
65817 }
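Review bot: The new store `*(void **)&softirq_vec[nr].action = action;` writes a function pointer through a `void **` lvalue, which relies on function/object pointer interconvertibility and on the kernel's -fno-strict-aliasing; that works for Linux but deserves a comment, as does the pax_open_kernel()/pax_close_kernel() pair, which presumably exists because softirq_vec is now placed in read-only memory (its definition is outside this hunk). Suggested: `/* softirq_vec is read-only after init; open it and write through void ** to bypass the qualifier on .action */`, adjusted to whatever qualifier the definition actually carries. The `void (*action)(void)` signature matches the `h->action()` call in the earlier hunk and the handler conversions in kernel/rcutree.c, kernel/sched_fair.c and the tasklet actions below; any unconverted handler still taking `struct softirq_action *` now fails to compile, which is the safe failure mode.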
65818
65819 /*
65820@@ -441,7 +443,7 @@ void __tasklet_hi_schedule_first(struct
65821
65822 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
65823
65824-static void tasklet_action(struct softirq_action *a)
65825+static void tasklet_action(void)
65826 {
65827 struct tasklet_struct *list;
65828
65829@@ -476,7 +478,7 @@ static void tasklet_action(struct softir
65830 }
65831 }
65832
65833-static void tasklet_hi_action(struct softirq_action *a)
65834+static void tasklet_hi_action(void)
65835 {
65836 struct tasklet_struct *list;
65837
65838diff -urNp linux-3.1.1/kernel/sys.c linux-3.1.1/kernel/sys.c
65839--- linux-3.1.1/kernel/sys.c 2011-11-11 15:19:27.000000000 -0500
65840+++ linux-3.1.1/kernel/sys.c 2011-11-16 18:40:44.000000000 -0500
65841@@ -157,6 +157,12 @@ static int set_one_prio(struct task_stru
65842 error = -EACCES;
65843 goto out;
65844 }
65845+
65846+ if (gr_handle_chroot_setpriority(p, niceval)) {
65847+ error = -EACCES;
65848+ goto out;
65849+ }
65850+
65851 no_nice = security_task_setnice(p, niceval);
65852 if (no_nice) {
65853 error = no_nice;
65854@@ -571,6 +577,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
65855 goto error;
65856 }
65857
65858+ if (gr_check_group_change(new->gid, new->egid, -1))
65859+ goto error;
65860+
65861 if (rgid != (gid_t) -1 ||
65862 (egid != (gid_t) -1 && egid != old->gid))
65863 new->sgid = new->egid;
65864@@ -600,6 +609,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
65865 old = current_cred();
65866
65867 retval = -EPERM;
65868+
65869+ if (gr_check_group_change(gid, gid, gid))
65870+ goto error;
65871+
65872 if (nsown_capable(CAP_SETGID))
65873 new->gid = new->egid = new->sgid = new->fsgid = gid;
65874 else if (gid == old->gid || gid == old->sgid)
65875@@ -687,6 +700,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
65876 goto error;
65877 }
65878
65879+ if (gr_check_user_change(new->uid, new->euid, -1))
65880+ goto error;
65881+
65882 if (new->uid != old->uid) {
65883 retval = set_user(new);
65884 if (retval < 0)
65885@@ -731,6 +747,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
65886 old = current_cred();
65887
65888 retval = -EPERM;
65889+
65890+ if (gr_check_crash_uid(uid))
65891+ goto error;
65892+ if (gr_check_user_change(uid, uid, uid))
65893+ goto error;
65894+
65895 if (nsown_capable(CAP_SETUID)) {
65896 new->suid = new->uid = uid;
65897 if (uid != old->uid) {
65898@@ -785,6 +807,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
65899 goto error;
65900 }
65901
65902+ if (gr_check_user_change(ruid, euid, -1))
65903+ goto error;
65904+
65905 if (ruid != (uid_t) -1) {
65906 new->uid = ruid;
65907 if (ruid != old->uid) {
65908@@ -849,6 +874,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
65909 goto error;
65910 }
65911
65912+ if (gr_check_group_change(rgid, egid, -1))
65913+ goto error;
65914+
65915 if (rgid != (gid_t) -1)
65916 new->gid = rgid;
65917 if (egid != (gid_t) -1)
65918@@ -895,6 +923,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
65919 old = current_cred();
65920 old_fsuid = old->fsuid;
65921
65922+ if (gr_check_user_change(-1, -1, uid))
65923+ goto error;
65924+
65925 if (uid == old->uid || uid == old->euid ||
65926 uid == old->suid || uid == old->fsuid ||
65927 nsown_capable(CAP_SETUID)) {
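Review bot: In setfsuid the new `gr_check_user_change(-1, -1, uid)` runs before the ownership/capability test, whereas the parallel `gr_check_group_change(-1, -1, gid)` added to setfsgid in the hunk below sits inside the block that has already established the caller may make the change. The two hooks should be placed the same way; moving the setfsuid check inside the `if (uid == old->uid || ...)` block would avoid invoking the grsec hook (and whatever it logs) for requests the kernel would refuse anyway, and keeps the two syscalls readable side by side. Either placement reaches the new `error:` label added in the following hunk, so the caller-visible result is the same.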
65928@@ -905,6 +936,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
65929 }
65930 }
65931
65932+error:
65933 abort_creds(new);
65934 return old_fsuid;
65935
65936@@ -931,12 +963,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
65937 if (gid == old->gid || gid == old->egid ||
65938 gid == old->sgid || gid == old->fsgid ||
65939 nsown_capable(CAP_SETGID)) {
65940+ if (gr_check_group_change(-1, -1, gid))
65941+ goto error;
65942+
65943 if (gid != old_fsgid) {
65944 new->fsgid = gid;
65945 goto change_okay;
65946 }
65947 }
65948
65949+error:
65950 abort_creds(new);
65951 return old_fsgid;
65952
65953@@ -1242,19 +1278,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_
65954 return -EFAULT;
65955
65956 down_read(&uts_sem);
65957- error = __copy_to_user(&name->sysname, &utsname()->sysname,
65958+ error = __copy_to_user(name->sysname, &utsname()->sysname,
65959 __OLD_UTS_LEN);
65960 error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
65961- error |= __copy_to_user(&name->nodename, &utsname()->nodename,
65962+ error |= __copy_to_user(name->nodename, &utsname()->nodename,
65963 __OLD_UTS_LEN);
65964 error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
65965- error |= __copy_to_user(&name->release, &utsname()->release,
65966+ error |= __copy_to_user(name->release, &utsname()->release,
65967 __OLD_UTS_LEN);
65968 error |= __put_user(0, name->release + __OLD_UTS_LEN);
65969- error |= __copy_to_user(&name->version, &utsname()->version,
65970+ error |= __copy_to_user(name->version, &utsname()->version,
65971 __OLD_UTS_LEN);
65972 error |= __put_user(0, name->version + __OLD_UTS_LEN);
65973- error |= __copy_to_user(&name->machine, &utsname()->machine,
65974+ error |= __copy_to_user(name->machine, &utsname()->machine,
65975 __OLD_UTS_LEN);
65976 error |= __put_user(0, name->machine + __OLD_UTS_LEN);
65977 up_read(&uts_sem);
65978@@ -1717,7 +1753,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
65979 error = get_dumpable(me->mm);
65980 break;
65981 case PR_SET_DUMPABLE:
65982- if (arg2 < 0 || arg2 > 1) {
65983+ if (arg2 > 1) {
65984 error = -EINVAL;
65985 break;
65986 }
65987diff -urNp linux-3.1.1/kernel/sysctl_binary.c linux-3.1.1/kernel/sysctl_binary.c
65988--- linux-3.1.1/kernel/sysctl_binary.c 2011-11-11 15:19:27.000000000 -0500
65989+++ linux-3.1.1/kernel/sysctl_binary.c 2011-11-16 18:39:08.000000000 -0500
65990@@ -989,7 +989,7 @@ static ssize_t bin_intvec(struct file *f
65991 int i;
65992
65993 set_fs(KERNEL_DS);
65994- result = vfs_read(file, buffer, BUFSZ - 1, &pos);
65995+ result = vfs_read(file, (char __force_user *)buffer, BUFSZ - 1, &pos);
65996 set_fs(old_fs);
65997 if (result < 0)
65998 goto out_kfree;
65999@@ -1034,7 +1034,7 @@ static ssize_t bin_intvec(struct file *f
66000 }
66001
66002 set_fs(KERNEL_DS);
66003- result = vfs_write(file, buffer, str - buffer, &pos);
66004+ result = vfs_write(file, (const char __force_user *)buffer, str - buffer, &pos);
66005 set_fs(old_fs);
66006 if (result < 0)
66007 goto out_kfree;
66008@@ -1067,7 +1067,7 @@ static ssize_t bin_ulongvec(struct file
66009 int i;
66010
66011 set_fs(KERNEL_DS);
66012- result = vfs_read(file, buffer, BUFSZ - 1, &pos);
66013+ result = vfs_read(file, (char __force_user *)buffer, BUFSZ - 1, &pos);
66014 set_fs(old_fs);
66015 if (result < 0)
66016 goto out_kfree;
66017@@ -1112,7 +1112,7 @@ static ssize_t bin_ulongvec(struct file
66018 }
66019
66020 set_fs(KERNEL_DS);
66021- result = vfs_write(file, buffer, str - buffer, &pos);
66022+ result = vfs_write(file, (const char __force_user *)buffer, str - buffer, &pos);
66023 set_fs(old_fs);
66024 if (result < 0)
66025 goto out_kfree;
66026@@ -1138,7 +1138,7 @@ static ssize_t bin_uuid(struct file *fil
66027 int i;
66028
66029 set_fs(KERNEL_DS);
66030- result = vfs_read(file, buf, sizeof(buf) - 1, &pos);
66031+ result = vfs_read(file, (char __force_user *)buf, sizeof(buf) - 1, &pos);
66032 set_fs(old_fs);
66033 if (result < 0)
66034 goto out;
66035@@ -1185,7 +1185,7 @@ static ssize_t bin_dn_node_address(struc
66036 __le16 dnaddr;
66037
66038 set_fs(KERNEL_DS);
66039- result = vfs_read(file, buf, sizeof(buf) - 1, &pos);
66040+ result = vfs_read(file, (char __force_user *)buf, sizeof(buf) - 1, &pos);
66041 set_fs(old_fs);
66042 if (result < 0)
66043 goto out;
66044@@ -1233,7 +1233,7 @@ static ssize_t bin_dn_node_address(struc
66045 le16_to_cpu(dnaddr) & 0x3ff);
66046
66047 set_fs(KERNEL_DS);
66048- result = vfs_write(file, buf, len, &pos);
66049+ result = vfs_write(file, (const char __force_user *)buf, len, &pos);
66050 set_fs(old_fs);
66051 if (result < 0)
66052 goto out;
66053diff -urNp linux-3.1.1/kernel/sysctl.c linux-3.1.1/kernel/sysctl.c
66054--- linux-3.1.1/kernel/sysctl.c 2011-11-11 15:19:27.000000000 -0500
66055+++ linux-3.1.1/kernel/sysctl.c 2011-11-16 18:40:44.000000000 -0500
66056@@ -85,6 +85,13 @@
66057
66058
66059 #if defined(CONFIG_SYSCTL)
66060+#include <linux/grsecurity.h>
66061+#include <linux/grinternal.h>
66062+
66063+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
66064+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
66065+ const int op);
66066+extern int gr_handle_chroot_sysctl(const int op);
66067
66068 /* External variables not in a header file. */
66069 extern int sysctl_overcommit_memory;
66070@@ -197,6 +204,7 @@ static int sysrq_sysctl_handler(ctl_tabl
66071 }
66072
66073 #endif
66074+extern struct ctl_table grsecurity_table[];
66075
66076 static struct ctl_table root_table[];
66077 static struct ctl_table_root sysctl_table_root;
66078@@ -226,6 +234,20 @@ extern struct ctl_table epoll_table[];
66079 int sysctl_legacy_va_layout;
66080 #endif
66081
66082+#ifdef CONFIG_PAX_SOFTMODE
66083+static ctl_table pax_table[] = {
66084+ {
66085+ .procname = "softmode",
66086+ .data = &pax_softmode,
66087+ .maxlen = sizeof(unsigned int),
66088+ .mode = 0600,
66089+ .proc_handler = &proc_dointvec,
66090+ },
66091+
66092+ { }
66093+};
66094+#endif
66095+
66096 /* The default sysctl tables: */
66097
66098 static struct ctl_table root_table[] = {
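Review bot: The new `softmode` entry uses plain proc_dointvec, so any int can be written to pax_softmode although a softmode flag presumably has only two meaningful values. This table already keeps `zero` and `one` for minmax bounds (the kptr_restrict entry further down uses them), so I would use `.proc_handler = &proc_dointvec_minmax,` with `.extra1 = &zero,` and `.extra2 = &one,` so out-of-range writes fail with -EINVAL instead of being stored. As a point of style, the array is declared `static ctl_table pax_table[]` while the rest of the file spells it `static struct ctl_table ...` (root_table on the next context line); matching that avoids depending on the ctl_table typedef.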
66099@@ -272,6 +294,22 @@ static int max_extfrag_threshold = 1000;
66100 #endif
66101
66102 static struct ctl_table kern_table[] = {
66103+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
66104+ {
66105+ .procname = "grsecurity",
66106+ .mode = 0500,
66107+ .child = grsecurity_table,
66108+ },
66109+#endif
66110+
66111+#ifdef CONFIG_PAX_SOFTMODE
66112+ {
66113+ .procname = "pax",
66114+ .mode = 0500,
66115+ .child = pax_table,
66116+ },
66117+#endif
66118+
66119 {
66120 .procname = "sched_child_runs_first",
66121 .data = &sysctl_sched_child_runs_first,
66122@@ -546,7 +584,7 @@ static struct ctl_table kern_table[] = {
66123 .data = &modprobe_path,
66124 .maxlen = KMOD_PATH_LEN,
66125 .mode = 0644,
66126- .proc_handler = proc_dostring,
66127+ .proc_handler = proc_dostring_modpriv,
66128 },
66129 {
66130 .procname = "modules_disabled",
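Review bot: The switch to proc_dostring_modpriv carries no comment explaining why this one string sysctl needs a capability check on top of its unchanged 0644 mode, which the next person auditing the table will wonder about. The reason, as far as I can infer, is that modprobe_path names a binary the kernel executes with full privileges on request_module(), so a process that is uid 0 but lacks CAP_SYS_MODULE should not be able to redirect it; the handler (added in a later hunk of this file) checks `capable(CAP_SYS_MODULE)` on write. I would add `/* writes need CAP_SYS_MODULE: the kernel executes this path as root (see proc_dostring_modpriv) */` above `.proc_handler`.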
66131@@ -713,16 +751,20 @@ static struct ctl_table kern_table[] = {
66132 .extra1 = &zero,
66133 .extra2 = &one,
66134 },
66135+#endif
66136 {
66137 .procname = "kptr_restrict",
66138 .data = &kptr_restrict,
66139 .maxlen = sizeof(int),
66140 .mode = 0644,
66141 .proc_handler = proc_dmesg_restrict,
66142+#ifdef CONFIG_GRKERNSEC_HIDESYM
66143+ .extra1 = &two,
66144+#else
66145 .extra1 = &zero,
66146+#endif
66147 .extra2 = &two,
66148 },
66149-#endif
66150 {
66151 .procname = "ngroups_max",
66152 .data = &ngroups_max,
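Review bot: With CONFIG_GRKERNSEC_HIDESYM the entry's `.extra1 = &two` makes 2 the only accepted value, but nothing in this hunk changes the variable's initial value; if kptr_restrict is still zero-initialized where it is defined (lib/vsprintf.c, not part of this hunk), the sysctl would report 0 at boot while refusing to be set to 0, and %pK would hide nothing until someone writes 2. Please confirm the definition is initialized to 2 under the same config, and add `/* HIDESYM: 2 is both the floor and the boot default */` next to `.extra1 = &two,` so the coupling is visible. Moving the `#endif` also makes the entry exist without CONFIG_PRINTK, which is only safe if proc_dmesg_restrict is built in that configuration as well.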
66153@@ -1205,6 +1247,13 @@ static struct ctl_table vm_table[] = {
66154 .proc_handler = proc_dointvec_minmax,
66155 .extra1 = &zero,
66156 },
66157+ {
66158+ .procname = "heap_stack_gap",
66159+ .data = &sysctl_heap_stack_gap,
66160+ .maxlen = sizeof(sysctl_heap_stack_gap),
66161+ .mode = 0644,
66162+ .proc_handler = proc_doulongvec_minmax,
66163+ },
66164 #else
66165 {
66166 .procname = "nr_trim_pages",
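Review bot: The new `heap_stack_gap` entry has no `.extra1`/`.extra2`, so proc_doulongvec_minmax enforces no bound and root can store any unsigned long, including one larger than the address space. If the value is used as a minimum distance from the stack when placing mappings, as the name suggests (its consumer is not in this hunk), an absurd value would presumably make every mapping near the stack fail in a hard-to-diagnose way, so I would give it a ceiling. Note that the `int` objects `zero`/`one`/`two` used by the int entries in this file are the wrong width here: proc_doulongvec_minmax dereferences extra1/extra2 as `unsigned long *`, so dedicated `static unsigned long` bound objects are needed, or at least a comment stating that the value is deliberately unbounded and why.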
66167@@ -1709,6 +1758,17 @@ static int test_perm(int mode, int op)
66168 int sysctl_perm(struct ctl_table_root *root, struct ctl_table *table, int op)
66169 {
66170 int mode;
66171+ int error;
66172+
66173+ if (table->parent != NULL && table->parent->procname != NULL &&
66174+ table->procname != NULL &&
66175+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
66176+ return -EACCES;
66177+ if (gr_handle_chroot_sysctl(op))
66178+ return -EACCES;
66179+ error = gr_handle_sysctl(table, op);
66180+ if (error)
66181+ return error;
66182
66183 if (root->permissions)
66184 mode = root->permissions(root, current->nsproxy, table);
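Review bot: `error = gr_handle_sysctl(table, op)` stores a `__u32` (per the extern added earlier in this file) into `int error` and returns it as sysctl_perm's errno-style result. If the helper returns a negative errno cast to __u32 this works by accident; if it ever returns a positive mode or flag value, sysctl_perm's callers, which only test for non-zero, would propagate a positive number where -EACCES or -EPERM is expected. I would declare the helper as returning int, or normalise here with `if (gr_handle_sysctl(table, op)) return -EACCES;`, unless its contract is documented as returning errnos. Also worth a comment: the three new checks run before root->permissions(), so a grsecurity deny overrides the namespace's own permission callback, which I assume is the intent.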
66185@@ -2113,6 +2173,16 @@ int proc_dostring(struct ctl_table *tabl
66186 buffer, lenp, ppos);
66187 }
66188
66189+int proc_dostring_modpriv(struct ctl_table *table, int write,
66190+ void __user *buffer, size_t *lenp, loff_t *ppos)
66191+{
66192+ if (write && !capable(CAP_SYS_MODULE))
66193+ return -EPERM;
66194+
66195+ return _proc_do_string(table->data, table->maxlen, write,
66196+ buffer, lenp, ppos);
66197+}
66198+
66199 static size_t proc_skip_spaces(char **buf)
66200 {
66201 size_t ret;
66202@@ -2218,6 +2288,8 @@ static int proc_put_long(void __user **b
66203 len = strlen(tmp);
66204 if (len > *size)
66205 len = *size;
66206+ if (len > sizeof(tmp))
66207+ len = sizeof(tmp);
66208 if (copy_to_user(*buf, tmp, len))
66209 return -EFAULT;
66210 *size -= len;
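Review bot: The added `if (len > sizeof(tmp)) len = sizeof(tmp);` can never trigger, because `len = strlen(tmp)` on the NUL-terminated buffer is already below sizeof(tmp) and the preceding line only lowers it further. If the clamp exists to give the copy_to_user() bounds checker that this patch set adds a provable upper bound for a non-constant length, say so, otherwise the next cleanup will remove it: `/* no-op at runtime; gives copy_to_user() a static bound on len for the usercopy checks */`. proc_put_long's body starts outside the hunk.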
66211@@ -2534,8 +2606,11 @@ static int __do_proc_doulongvec_minmax(v
66212 *i = val;
66213 } else {
66214 val = convdiv * (*i) / convmul;
66215- if (!first)
66216+ if (!first) {
66217 err = proc_put_char(&buffer, &left, '\t');
66218+ if (err)
66219+ break;
66220+ }
66221 err = proc_put_long(&buffer, &left, val, false);
66222 if (err)
66223 break;
66224@@ -2930,6 +3005,12 @@ int proc_dostring(struct ctl_table *tabl
66225 return -ENOSYS;
66226 }
66227
66228+int proc_dostring_modpriv(struct ctl_table *table, int write,
66229+ void __user *buffer, size_t *lenp, loff_t *ppos)
66230+{
66231+ return -ENOSYS;
66232+}
66233+
66234 int proc_dointvec(struct ctl_table *table, int write,
66235 void __user *buffer, size_t *lenp, loff_t *ppos)
66236 {
66237@@ -2986,6 +3067,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
66238 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
66239 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
66240 EXPORT_SYMBOL(proc_dostring);
66241+EXPORT_SYMBOL(proc_dostring_modpriv);
66242 EXPORT_SYMBOL(proc_doulongvec_minmax);
66243 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
66244 EXPORT_SYMBOL(register_sysctl_table);
66245diff -urNp linux-3.1.1/kernel/sysctl_check.c linux-3.1.1/kernel/sysctl_check.c
66246--- linux-3.1.1/kernel/sysctl_check.c 2011-11-11 15:19:27.000000000 -0500
66247+++ linux-3.1.1/kernel/sysctl_check.c 2011-11-16 18:40:44.000000000 -0500
66248@@ -129,6 +129,7 @@ int sysctl_check_table(struct nsproxy *n
66249 set_fail(&fail, table, "Directory with extra2");
66250 } else {
66251 if ((table->proc_handler == proc_dostring) ||
66252+ (table->proc_handler == proc_dostring_modpriv) ||
66253 (table->proc_handler == proc_dointvec) ||
66254 (table->proc_handler == proc_dointvec_minmax) ||
66255 (table->proc_handler == proc_dointvec_jiffies) ||
66256diff -urNp linux-3.1.1/kernel/taskstats.c linux-3.1.1/kernel/taskstats.c
66257--- linux-3.1.1/kernel/taskstats.c 2011-11-11 15:19:27.000000000 -0500
66258+++ linux-3.1.1/kernel/taskstats.c 2011-11-16 19:35:09.000000000 -0500
66259@@ -27,9 +27,12 @@
66260 #include <linux/cgroup.h>
66261 #include <linux/fs.h>
66262 #include <linux/file.h>
66263+#include <linux/grsecurity.h>
66264 #include <net/genetlink.h>
66265 #include <linux/atomic.h>
66266
66267+extern int gr_is_taskstats_denied(int pid);
66268+
66269 /*
66270 * Maximum length of a cpumask that can be specified in
66271 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
66272@@ -556,6 +559,9 @@ err:
66273
66274 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
66275 {
66276+ if (gr_is_taskstats_denied(current->pid))
66277+ return -EACCES;
66278+
66279 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
66280 return cmd_attr_register_cpumask(info);
66281 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
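Review bot: gr_is_taskstats_denied() is handed `current->pid` rather than `current` itself, so the callee presumably has to look the task up again by pid; for a caller inside a child pid namespace that lookup may resolve to a different task or fail, and it costs a pid-hash walk on every taskstats request. Unless the helper's contract genuinely needs a pid, passing the task (or doing the credential check inline) is both cheaper and namespace-safe: `if (gr_is_taskstats_denied(current)) return -EACCES;` with the prototype adjusted. The check sits before any attribute is parsed, which is the right place, but a one-line comment naming the policy it enforces would help future readers.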
66282diff -urNp linux-3.1.1/kernel/time/alarmtimer.c linux-3.1.1/kernel/time/alarmtimer.c
66283--- linux-3.1.1/kernel/time/alarmtimer.c 2011-11-11 15:19:27.000000000 -0500
66284+++ linux-3.1.1/kernel/time/alarmtimer.c 2011-11-16 18:39:08.000000000 -0500
66285@@ -693,7 +693,7 @@ static int __init alarmtimer_init(void)
66286 {
66287 int error = 0;
66288 int i;
66289- struct k_clock alarm_clock = {
66290+ static struct k_clock alarm_clock = {
66291 .clock_getres = alarm_clock_getres,
66292 .clock_get = alarm_clock_get,
66293 .timer_create = alarm_timer_create,
66294diff -urNp linux-3.1.1/kernel/time/tick-broadcast.c linux-3.1.1/kernel/time/tick-broadcast.c
66295--- linux-3.1.1/kernel/time/tick-broadcast.c 2011-11-11 15:19:27.000000000 -0500
66296+++ linux-3.1.1/kernel/time/tick-broadcast.c 2011-11-16 18:39:08.000000000 -0500
66297@@ -115,7 +115,7 @@ int tick_device_uses_broadcast(struct cl
66298 * then clear the broadcast bit.
66299 */
66300 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
66301- int cpu = smp_processor_id();
66302+ cpu = smp_processor_id();
66303
66304 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
66305 tick_broadcast_clear_oneshot(cpu);
66306diff -urNp linux-3.1.1/kernel/time/timekeeping.c linux-3.1.1/kernel/time/timekeeping.c
66307--- linux-3.1.1/kernel/time/timekeeping.c 2011-11-11 15:19:27.000000000 -0500
66308+++ linux-3.1.1/kernel/time/timekeeping.c 2011-11-16 18:40:44.000000000 -0500
66309@@ -14,6 +14,7 @@
66310 #include <linux/init.h>
66311 #include <linux/mm.h>
66312 #include <linux/sched.h>
66313+#include <linux/grsecurity.h>
66314 #include <linux/syscore_ops.h>
66315 #include <linux/clocksource.h>
66316 #include <linux/jiffies.h>
66317@@ -361,6 +362,8 @@ int do_settimeofday(const struct timespe
66318 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
66319 return -EINVAL;
66320
66321+ gr_log_timechange();
66322+
66323 write_seqlock_irqsave(&xtime_lock, flags);
66324
66325 timekeeping_forward_now();
66326diff -urNp linux-3.1.1/kernel/time/timer_list.c linux-3.1.1/kernel/time/timer_list.c
66327--- linux-3.1.1/kernel/time/timer_list.c 2011-11-11 15:19:27.000000000 -0500
66328+++ linux-3.1.1/kernel/time/timer_list.c 2011-11-16 18:40:44.000000000 -0500
66329@@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
66330
66331 static void print_name_offset(struct seq_file *m, void *sym)
66332 {
66333+#ifdef CONFIG_GRKERNSEC_HIDESYM
66334+ SEQ_printf(m, "<%p>", NULL);
66335+#else
66336 char symname[KSYM_NAME_LEN];
66337
66338 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
66339 SEQ_printf(m, "<%pK>", sym);
66340 else
66341 SEQ_printf(m, "%s", symname);
66342+#endif
66343 }
66344
66345 static void
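Review bot: Under CONFIG_GRKERNSEC_HIDESYM the function prints a literal NULL through `%p`, so what actually appears in /proc/timer_list depends on how vsprintf renders a null pointer (kernels of this vintage print "(null)", as far as I recall) rather than on anything this code controls. A fixed string is clearer and cannot change underneath you: `SEQ_printf(m, "<hidden>");`, or if the pointer-shaped layout must stay, the existing line deserves `/* HIDESYM: neither resolve nor print the callback address */`. The non-HIDESYM path already goes through %pK, so the new branch's real addition is hiding the symbol name, which the comment should say.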
66346@@ -112,7 +116,11 @@ next_one:
66347 static void
66348 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
66349 {
66350+#ifdef CONFIG_GRKERNSEC_HIDESYM
66351+ SEQ_printf(m, " .base: %p\n", NULL);
66352+#else
66353 SEQ_printf(m, " .base: %pK\n", base);
66354+#endif
66355 SEQ_printf(m, " .index: %d\n",
66356 base->index);
66357 SEQ_printf(m, " .resolution: %Lu nsecs\n",
66358@@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
66359 {
66360 struct proc_dir_entry *pe;
66361
66362+#ifdef CONFIG_GRKERNSEC_PROC_ADD
66363+ pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
66364+#else
66365 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
66366+#endif
66367 if (!pe)
66368 return -ENOMEM;
66369 return 0;
66370diff -urNp linux-3.1.1/kernel/time/timer_stats.c linux-3.1.1/kernel/time/timer_stats.c
66371--- linux-3.1.1/kernel/time/timer_stats.c 2011-11-11 15:19:27.000000000 -0500
66372+++ linux-3.1.1/kernel/time/timer_stats.c 2011-11-16 18:40:44.000000000 -0500
66373@@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
66374 static unsigned long nr_entries;
66375 static struct entry entries[MAX_ENTRIES];
66376
66377-static atomic_t overflow_count;
66378+static atomic_unchecked_t overflow_count;
66379
66380 /*
66381 * The entries are in a hash-table, for fast lookup:
66382@@ -140,7 +140,7 @@ static void reset_entries(void)
66383 nr_entries = 0;
66384 memset(entries, 0, sizeof(entries));
66385 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
66386- atomic_set(&overflow_count, 0);
66387+ atomic_set_unchecked(&overflow_count, 0);
66388 }
66389
66390 static struct entry *alloc_entry(void)
66391@@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
66392 if (likely(entry))
66393 entry->count++;
66394 else
66395- atomic_inc(&overflow_count);
66396+ atomic_inc_unchecked(&overflow_count);
66397
66398 out_unlock:
66399 raw_spin_unlock_irqrestore(lock, flags);
66400@@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
66401
66402 static void print_name_offset(struct seq_file *m, unsigned long addr)
66403 {
66404+#ifdef CONFIG_GRKERNSEC_HIDESYM
66405+ seq_printf(m, "<%p>", NULL);
66406+#else
66407 char symname[KSYM_NAME_LEN];
66408
66409 if (lookup_symbol_name(addr, symname) < 0)
66410 seq_printf(m, "<%p>", (void *)addr);
66411 else
66412 seq_printf(m, "%s", symname);
66413+#endif
66414 }
66415
66416 static int tstats_show(struct seq_file *m, void *v)
66417@@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
66418
66419 seq_puts(m, "Timer Stats Version: v0.2\n");
66420 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
66421- if (atomic_read(&overflow_count))
66422+ if (atomic_read_unchecked(&overflow_count))
66423 seq_printf(m, "Overflow: %d entries\n",
66424- atomic_read(&overflow_count));
66425+ atomic_read_unchecked(&overflow_count));
66426
66427 for (i = 0; i < nr_entries; i++) {
66428 entry = entries + i;
66429@@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
66430 {
66431 struct proc_dir_entry *pe;
66432
66433+#ifdef CONFIG_GRKERNSEC_PROC_ADD
66434+ pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
66435+#else
66436 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
66437+#endif
66438 if (!pe)
66439 return -ENOMEM;
66440 return 0;
66441diff -urNp linux-3.1.1/kernel/time.c linux-3.1.1/kernel/time.c
66442--- linux-3.1.1/kernel/time.c 2011-11-11 15:19:27.000000000 -0500
66443+++ linux-3.1.1/kernel/time.c 2011-11-16 18:40:44.000000000 -0500
66444@@ -163,6 +163,11 @@ int do_sys_settimeofday(const struct tim
66445 return error;
66446
66447 if (tz) {
66448+ /* we log in do_settimeofday called below, so don't log twice
66449+ */
66450+ if (!tv)
66451+ gr_log_timechange();
66452+
66453 /* SMP safe, global irq locking makes it work. */
66454 sys_tz = *tz;
66455 update_vsyscall_tz();
66456diff -urNp linux-3.1.1/kernel/timer.c linux-3.1.1/kernel/timer.c
66457--- linux-3.1.1/kernel/timer.c 2011-11-11 15:19:27.000000000 -0500
66458+++ linux-3.1.1/kernel/timer.c 2011-11-16 18:39:08.000000000 -0500
66459@@ -1304,7 +1304,7 @@ void update_process_times(int user_tick)
66460 /*
66461 * This function runs timers and the timer-tq in bottom half context.
66462 */
66463-static void run_timer_softirq(struct softirq_action *h)
66464+static void run_timer_softirq(void)
66465 {
66466 struct tvec_base *base = __this_cpu_read(tvec_bases);
66467
66468diff -urNp linux-3.1.1/kernel/trace/blktrace.c linux-3.1.1/kernel/trace/blktrace.c
66469--- linux-3.1.1/kernel/trace/blktrace.c 2011-11-11 15:19:27.000000000 -0500
66470+++ linux-3.1.1/kernel/trace/blktrace.c 2011-11-16 18:39:08.000000000 -0500
66471@@ -323,7 +323,7 @@ static ssize_t blk_dropped_read(struct f
66472 struct blk_trace *bt = filp->private_data;
66473 char buf[16];
66474
66475- snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
66476+ snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
66477
66478 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
66479 }
66480@@ -388,7 +388,7 @@ static int blk_subbuf_start_callback(str
66481 return 1;
66482
66483 bt = buf->chan->private_data;
66484- atomic_inc(&bt->dropped);
66485+ atomic_inc_unchecked(&bt->dropped);
66486 return 0;
66487 }
66488
66489@@ -489,7 +489,7 @@ int do_blk_trace_setup(struct request_qu
66490
66491 bt->dir = dir;
66492 bt->dev = dev;
66493- atomic_set(&bt->dropped, 0);
66494+ atomic_set_unchecked(&bt->dropped, 0);
66495
66496 ret = -EIO;
66497 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
66498diff -urNp linux-3.1.1/kernel/trace/ftrace.c linux-3.1.1/kernel/trace/ftrace.c
66499--- linux-3.1.1/kernel/trace/ftrace.c 2011-11-11 15:19:27.000000000 -0500
66500+++ linux-3.1.1/kernel/trace/ftrace.c 2011-11-16 18:39:08.000000000 -0500
66501@@ -1585,12 +1585,17 @@ ftrace_code_disable(struct module *mod,
66502 if (unlikely(ftrace_disabled))
66503 return 0;
66504
66505+ ret = ftrace_arch_code_modify_prepare();
66506+ FTRACE_WARN_ON(ret);
66507+ if (ret)
66508+ return 0;
66509+
66510 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
66511+ FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
66512 if (ret) {
66513 ftrace_bug(ret, ip);
66514- return 0;
66515 }
66516- return 1;
66517+ return ret ? 0 : 1;
66518 }
66519
66520 /*
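Review bot: ftrace_arch_code_modify_prepare()/post_process() now bracket every single record, and ftrace_code_disable is, as far as I recall, called in a loop by ftrace_update_code (outside this hunk); on x86 prepare flips kernel and module text writable and back, so doing it per record is expensive and, if a caller already holds the text-RW window, redundant. If the window is needed because kernel text is read-only under KERNEXEC, I would bracket the caller's loop once, the way ftrace_run_update_code does, and leave this function alone. The two `FTRACE_WARN_ON()` results are also handled asymmetrically — a failed prepare aborts with `return 0`, a failed post_process is only warned about — and a comment explaining why that is acceptable would help. ftrace_code_disable starts outside the hunk.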
66521@@ -2607,7 +2612,7 @@ static void ftrace_free_entry_rcu(struct
66522
66523 int
66524 register_ftrace_function_probe(char *glob, struct ftrace_probe_ops *ops,
66525- void *data)
66526+ void *data)
66527 {
66528 struct ftrace_func_probe *entry;
66529 struct ftrace_page *pg;
66530diff -urNp linux-3.1.1/kernel/trace/trace.c linux-3.1.1/kernel/trace/trace.c
66531--- linux-3.1.1/kernel/trace/trace.c 2011-11-11 15:19:27.000000000 -0500
66532+++ linux-3.1.1/kernel/trace/trace.c 2011-11-16 18:40:44.000000000 -0500
66533@@ -3451,6 +3451,8 @@ static ssize_t tracing_splice_read_pipe(
66534 size_t rem;
66535 unsigned int i;
66536
66537+ pax_track_stack();
66538+
66539 if (splice_grow_spd(pipe, &spd))
66540 return -ENOMEM;
66541
66542@@ -3926,6 +3928,8 @@ tracing_buffers_splice_read(struct file
66543 int entries, size, i;
66544 size_t ret;
66545
66546+ pax_track_stack();
66547+
66548 if (splice_grow_spd(pipe, &spd))
66549 return -ENOMEM;
66550
66551@@ -4093,10 +4097,9 @@ static const struct file_operations trac
66552 };
66553 #endif
66554
66555-static struct dentry *d_tracer;
66556-
66557 struct dentry *tracing_init_dentry(void)
66558 {
66559+ static struct dentry *d_tracer;
66560 static int once;
66561
66562 if (d_tracer)
66563@@ -4116,10 +4119,9 @@ struct dentry *tracing_init_dentry(void)
66564 return d_tracer;
66565 }
66566
66567-static struct dentry *d_percpu;
66568-
66569 struct dentry *tracing_dentry_percpu(void)
66570 {
66571+ static struct dentry *d_percpu;
66572 static int once;
66573 struct dentry *d_tracer;
66574
66575diff -urNp linux-3.1.1/kernel/trace/trace_events.c linux-3.1.1/kernel/trace/trace_events.c
66576--- linux-3.1.1/kernel/trace/trace_events.c 2011-11-11 15:19:27.000000000 -0500
66577+++ linux-3.1.1/kernel/trace/trace_events.c 2011-11-16 18:39:08.000000000 -0500
66578@@ -1300,10 +1300,6 @@ static LIST_HEAD(ftrace_module_file_list
66579 struct ftrace_module_file_ops {
66580 struct list_head list;
66581 struct module *mod;
66582- struct file_operations id;
66583- struct file_operations enable;
66584- struct file_operations format;
66585- struct file_operations filter;
66586 };
66587
66588 static struct ftrace_module_file_ops *
66589@@ -1324,17 +1320,12 @@ trace_create_file_ops(struct module *mod
66590
66591 file_ops->mod = mod;
66592
66593- file_ops->id = ftrace_event_id_fops;
66594- file_ops->id.owner = mod;
66595-
66596- file_ops->enable = ftrace_enable_fops;
66597- file_ops->enable.owner = mod;
66598-
66599- file_ops->filter = ftrace_event_filter_fops;
66600- file_ops->filter.owner = mod;
66601-
66602- file_ops->format = ftrace_event_format_fops;
66603- file_ops->format.owner = mod;
66604+ pax_open_kernel();
66605+ *(void **)&mod->trace_id.owner = mod;
66606+ *(void **)&mod->trace_enable.owner = mod;
66607+ *(void **)&mod->trace_filter.owner = mod;
66608+ *(void **)&mod->trace_format.owner = mod;
66609+ pax_close_kernel();
66610
66611 list_add(&file_ops->list, &ftrace_module_file_list);
66612
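Review bot: The old code copied ftrace_event_id_fops and the three other templates into per-module copies before setting .owner; the new code only writes .owner into mod->trace_id, mod->trace_enable, mod->trace_filter and mod->trace_format, so the remaining members of those structs must be filled in somewhere else (the struct module fields and their initialisation are not in this hunk). Please confirm they are initialised from the ftrace_event_*_fops templates at module load, otherwise the event directory would register file_operations with NULL open/read/write. The `*(void **)&mod->trace_id.owner = mod;` casts also silently strip whatever qualifier makes the field non-writable; a comment such as `/* fields are read-only after load; written once inside the pax_open_kernel() window */` would tell readers this is deliberate. With the per-module copies gone, `struct ftrace_module_file_ops` (earlier hunk) holds only `list` and `mod`, which its comment should now reflect.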
66613@@ -1358,8 +1349,8 @@ static void trace_module_add_events(stru
66614
66615 for_each_event(call, start, end) {
66616 __trace_add_event_call(*call, mod,
66617- &file_ops->id, &file_ops->enable,
66618- &file_ops->filter, &file_ops->format);
66619+ &mod->trace_id, &mod->trace_enable,
66620+ &mod->trace_filter, &mod->trace_format);
66621 }
66622 }
66623
66624diff -urNp linux-3.1.1/kernel/trace/trace_kprobe.c linux-3.1.1/kernel/trace/trace_kprobe.c
66625--- linux-3.1.1/kernel/trace/trace_kprobe.c 2011-11-11 15:19:27.000000000 -0500
66626+++ linux-3.1.1/kernel/trace/trace_kprobe.c 2011-11-16 18:39:08.000000000 -0500
66627@@ -217,7 +217,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66628 long ret;
66629 int maxlen = get_rloc_len(*(u32 *)dest);
66630 u8 *dst = get_rloc_data(dest);
66631- u8 *src = addr;
66632+ const u8 __user *src = (const u8 __force_user *)addr;
66633 mm_segment_t old_fs = get_fs();
66634 if (!maxlen)
66635 return;
66636@@ -229,7 +229,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66637 pagefault_disable();
66638 do
66639 ret = __copy_from_user_inatomic(dst++, src++, 1);
66640- while (dst[-1] && ret == 0 && src - (u8 *)addr < maxlen);
66641+ while (dst[-1] && ret == 0 && src - (const u8 __force_user *)addr < maxlen);
66642 dst[-1] = '\0';
66643 pagefault_enable();
66644 set_fs(old_fs);
66645@@ -238,7 +238,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66646 ((u8 *)get_rloc_data(dest))[0] = '\0';
66647 *(u32 *)dest = make_data_rloc(0, get_rloc_offs(*(u32 *)dest));
66648 } else
66649- *(u32 *)dest = make_data_rloc(src - (u8 *)addr,
66650+ *(u32 *)dest = make_data_rloc(src - (const u8 __force_user *)addr,
66651 get_rloc_offs(*(u32 *)dest));
66652 }
66653 /* Return the length of string -- including null terminal byte */
66654@@ -252,7 +252,7 @@ static __kprobes void FETCH_FUNC_NAME(me
66655 set_fs(KERNEL_DS);
66656 pagefault_disable();
66657 do {
66658- ret = __copy_from_user_inatomic(&c, (u8 *)addr + len, 1);
66659+ ret = __copy_from_user_inatomic(&c, (const u8 __force_user *)addr + len, 1);
66660 len++;
66661 } while (c && ret == 0 && len < MAX_STRING_SIZE);
66662 pagefault_enable();
66663diff -urNp linux-3.1.1/kernel/trace/trace_mmiotrace.c linux-3.1.1/kernel/trace/trace_mmiotrace.c
66664--- linux-3.1.1/kernel/trace/trace_mmiotrace.c 2011-11-11 15:19:27.000000000 -0500
66665+++ linux-3.1.1/kernel/trace/trace_mmiotrace.c 2011-11-16 18:39:08.000000000 -0500
66666@@ -24,7 +24,7 @@ struct header_iter {
66667 static struct trace_array *mmio_trace_array;
66668 static bool overrun_detected;
66669 static unsigned long prev_overruns;
66670-static atomic_t dropped_count;
66671+static atomic_unchecked_t dropped_count;
66672
66673 static void mmio_reset_data(struct trace_array *tr)
66674 {
66675@@ -127,7 +127,7 @@ static void mmio_close(struct trace_iter
66676
66677 static unsigned long count_overruns(struct trace_iterator *iter)
66678 {
66679- unsigned long cnt = atomic_xchg(&dropped_count, 0);
66680+ unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
66681 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
66682
66683 if (over > prev_overruns)
66684@@ -317,7 +317,7 @@ static void __trace_mmiotrace_rw(struct
66685 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
66686 sizeof(*entry), 0, pc);
66687 if (!event) {
66688- atomic_inc(&dropped_count);
66689+ atomic_inc_unchecked(&dropped_count);
66690 return;
66691 }
66692 entry = ring_buffer_event_data(event);
66693@@ -347,7 +347,7 @@ static void __trace_mmiotrace_map(struct
66694 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
66695 sizeof(*entry), 0, pc);
66696 if (!event) {
66697- atomic_inc(&dropped_count);
66698+ atomic_inc_unchecked(&dropped_count);
66699 return;
66700 }
66701 entry = ring_buffer_event_data(event);
66702diff -urNp linux-3.1.1/kernel/trace/trace_output.c linux-3.1.1/kernel/trace/trace_output.c
66703--- linux-3.1.1/kernel/trace/trace_output.c 2011-11-11 15:19:27.000000000 -0500
66704+++ linux-3.1.1/kernel/trace/trace_output.c 2011-11-16 18:39:08.000000000 -0500
66705@@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
66706
66707 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
66708 if (!IS_ERR(p)) {
66709- p = mangle_path(s->buffer + s->len, p, "\n");
66710+ p = mangle_path(s->buffer + s->len, p, "\n\\");
66711 if (p) {
66712 s->len = p - s->buffer;
66713 return 1;
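Review bot: Adding the backslash to mangle_path's escape set is the right fix, but the hunk leaves no trace of why: without it a file name containing a literal `\` is indistinguishable in the trace output from the octal escapes mangle_path emits for the newline, so a crafted name could forge an escape. I would record that next to the call: `/* escape '\\' too, so a backslash in a name cannot masquerade as one of our escapes */`. trace_seq_path's prologue is outside the hunk.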
66714diff -urNp linux-3.1.1/kernel/trace/trace_stack.c linux-3.1.1/kernel/trace/trace_stack.c
66715--- linux-3.1.1/kernel/trace/trace_stack.c 2011-11-11 15:19:27.000000000 -0500
66716+++ linux-3.1.1/kernel/trace/trace_stack.c 2011-11-16 18:39:08.000000000 -0500
66717@@ -50,7 +50,7 @@ static inline void check_stack(void)
66718 return;
66719
66720 /* we do not handle interrupt stacks yet */
66721- if (!object_is_on_stack(&this_size))
66722+ if (!object_starts_on_stack(&this_size))
66723 return;
66724
66725 local_irq_save(flags);
66726diff -urNp linux-3.1.1/kernel/trace/trace_workqueue.c linux-3.1.1/kernel/trace/trace_workqueue.c
66727--- linux-3.1.1/kernel/trace/trace_workqueue.c 2011-11-11 15:19:27.000000000 -0500
66728+++ linux-3.1.1/kernel/trace/trace_workqueue.c 2011-11-16 18:39:08.000000000 -0500
66729@@ -22,7 +22,7 @@ struct cpu_workqueue_stats {
66730 int cpu;
66731 pid_t pid;
66732 /* Can be inserted from interrupt or user context, need to be atomic */
66733- atomic_t inserted;
66734+ atomic_unchecked_t inserted;
66735 /*
66736 * Don't need to be atomic, works are serialized in a single workqueue thread
66737 * on a single CPU.
66738@@ -60,7 +60,7 @@ probe_workqueue_insertion(void *ignore,
66739 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
66740 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
66741 if (node->pid == wq_thread->pid) {
66742- atomic_inc(&node->inserted);
66743+ atomic_inc_unchecked(&node->inserted);
66744 goto found;
66745 }
66746 }
66747@@ -210,7 +210,7 @@ static int workqueue_stat_show(struct se
66748 tsk = get_pid_task(pid, PIDTYPE_PID);
66749 if (tsk) {
66750 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
66751- atomic_read(&cws->inserted), cws->executed,
66752+ atomic_read_unchecked(&cws->inserted), cws->executed,
66753 tsk->comm);
66754 put_task_struct(tsk);
66755 }
66756diff -urNp linux-3.1.1/lib/bitmap.c linux-3.1.1/lib/bitmap.c
66757--- linux-3.1.1/lib/bitmap.c 2011-11-11 15:19:27.000000000 -0500
66758+++ linux-3.1.1/lib/bitmap.c 2011-11-16 18:39:08.000000000 -0500
66759@@ -419,7 +419,7 @@ int __bitmap_parse(const char *buf, unsi
66760 {
66761 int c, old_c, totaldigits, ndigits, nchunks, nbits;
66762 u32 chunk;
66763- const char __user *ubuf = buf;
66764+ const char __user *ubuf = (const char __force_user *)buf;
66765
66766 bitmap_zero(maskp, nmaskbits);
66767
66768@@ -504,7 +504,7 @@ int bitmap_parse_user(const char __user
66769 {
66770 if (!access_ok(VERIFY_READ, ubuf, ulen))
66771 return -EFAULT;
66772- return __bitmap_parse((const char *)ubuf, ulen, 1, maskp, nmaskbits);
66773+ return __bitmap_parse((const char __force_kernel *)ubuf, ulen, 1, maskp, nmaskbits);
66774 }
66775 EXPORT_SYMBOL(bitmap_parse_user);
66776
66777@@ -594,7 +594,7 @@ static int __bitmap_parselist(const char
66778 {
66779 unsigned a, b;
66780 int c, old_c, totaldigits;
66781- const char __user *ubuf = buf;
66782+ const char __user *ubuf = (const char __force_user *)buf;
66783 int exp_digit, in_range;
66784
66785 totaldigits = c = 0;
66786@@ -694,7 +694,7 @@ int bitmap_parselist_user(const char __u
66787 {
66788 if (!access_ok(VERIFY_READ, ubuf, ulen))
66789 return -EFAULT;
66790- return __bitmap_parselist((const char *)ubuf,
66791+ return __bitmap_parselist((const char __force_kernel *)ubuf,
66792 ulen, 1, maskp, nmaskbits);
66793 }
66794 EXPORT_SYMBOL(bitmap_parselist_user);
66795diff -urNp linux-3.1.1/lib/bug.c linux-3.1.1/lib/bug.c
66796--- linux-3.1.1/lib/bug.c 2011-11-11 15:19:27.000000000 -0500
66797+++ linux-3.1.1/lib/bug.c 2011-11-16 18:39:08.000000000 -0500
66798@@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
66799 return BUG_TRAP_TYPE_NONE;
66800
66801 bug = find_bug(bugaddr);
66802+ if (!bug)
66803+ return BUG_TRAP_TYPE_NONE;
66804
66805 file = NULL;
66806 line = 0;
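Review bot: The early `return BUG_TRAP_TYPE_NONE` when find_bug() finds nothing is a behaviour change that deserves a comment: in the stock function, as far as I recall, a trap at an address missing from __bug_table still fell through the rest of report_bug (outside this hunk), which prints a generic "Kernel BUG at" line and returns BUG_TRAP_TYPE_BUG so the caller dies, whereas now the caller is told this was not a BUG and takes its generic trap path. If the intent is to let other users of the trap instruction (instrumentation inserted by the plugins in this series, presumably) be handled by the arch code, say so: `/* not in __bug_table: let the arch trap handler deal with it */`. If it is meant only as a NULL guard it is unnecessary, since the code below already tests `if (bug)` before dereferencing it.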
66807diff -urNp linux-3.1.1/lib/debugobjects.c linux-3.1.1/lib/debugobjects.c
66808--- linux-3.1.1/lib/debugobjects.c 2011-11-11 15:19:27.000000000 -0500
66809+++ linux-3.1.1/lib/debugobjects.c 2011-11-16 18:39:08.000000000 -0500
66810@@ -284,7 +284,7 @@ static void debug_object_is_on_stack(voi
66811 if (limit > 4)
66812 return;
66813
66814- is_on_stack = object_is_on_stack(addr);
66815+ is_on_stack = object_starts_on_stack(addr);
66816 if (is_on_stack == onstack)
66817 return;
66818
66819diff -urNp linux-3.1.1/lib/devres.c linux-3.1.1/lib/devres.c
66820--- linux-3.1.1/lib/devres.c 2011-11-11 15:19:27.000000000 -0500
66821+++ linux-3.1.1/lib/devres.c 2011-11-16 18:39:08.000000000 -0500
66822@@ -80,7 +80,7 @@ EXPORT_SYMBOL(devm_ioremap_nocache);
66823 void devm_iounmap(struct device *dev, void __iomem *addr)
66824 {
66825 WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
66826- (void *)addr));
66827+ (void __force *)addr));
66828 iounmap(addr);
66829 }
66830 EXPORT_SYMBOL(devm_iounmap);
66831@@ -141,7 +141,7 @@ void devm_ioport_unmap(struct device *de
66832 {
66833 ioport_unmap(addr);
66834 WARN_ON(devres_destroy(dev, devm_ioport_map_release,
66835- devm_ioport_map_match, (void *)addr));
66836+ devm_ioport_map_match, (void __force *)addr));
66837 }
66838 EXPORT_SYMBOL(devm_ioport_unmap);
66839
66840diff -urNp linux-3.1.1/lib/dma-debug.c linux-3.1.1/lib/dma-debug.c
66841--- linux-3.1.1/lib/dma-debug.c 2011-11-11 15:19:27.000000000 -0500
66842+++ linux-3.1.1/lib/dma-debug.c 2011-11-16 18:39:08.000000000 -0500
66843@@ -870,7 +870,7 @@ out:
66844
66845 static void check_for_stack(struct device *dev, void *addr)
66846 {
66847- if (object_is_on_stack(addr))
66848+ if (object_starts_on_stack(addr))
66849 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
66850 "stack [addr=%p]\n", addr);
66851 }
66852diff -urNp linux-3.1.1/lib/extable.c linux-3.1.1/lib/extable.c
66853--- linux-3.1.1/lib/extable.c 2011-11-11 15:19:27.000000000 -0500
66854+++ linux-3.1.1/lib/extable.c 2011-11-16 18:39:08.000000000 -0500
66855@@ -13,6 +13,7 @@
66856 #include <linux/init.h>
66857 #include <linux/sort.h>
66858 #include <asm/uaccess.h>
66859+#include <asm/pgtable.h>
66860
66861 #ifndef ARCH_HAS_SORT_EXTABLE
66862 /*
66863@@ -36,8 +37,10 @@ static int cmp_ex(const void *a, const v
66864 void sort_extable(struct exception_table_entry *start,
66865 struct exception_table_entry *finish)
66866 {
66867+ pax_open_kernel();
66868 sort(start, finish - start, sizeof(struct exception_table_entry),
66869 cmp_ex, NULL);
66870+ pax_close_kernel();
66871 }
66872
66873 #ifdef CONFIG_MODULES
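Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around `sort()` in sort_extable() has no comment saying what protection it lifts, and the open window covers the whole sort including every `cmp_ex` callback. A one-line comment above the first call, e.g. `/* __ex_table presumably lives in read-only data under PAX_KERNEXEC; lift the protection only for the in-place sort */`, would explain it, and naming the new `#include <asm/pgtable.h>` at line 16 as the provider of these two calls in the same comment keeps that include from being removed as unused later. The sort is the function's only statement, so the window is already as small as it can be here.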
66874diff -urNp linux-3.1.1/lib/inflate.c linux-3.1.1/lib/inflate.c
66875--- linux-3.1.1/lib/inflate.c 2011-11-11 15:19:27.000000000 -0500
66876+++ linux-3.1.1/lib/inflate.c 2011-11-16 18:39:08.000000000 -0500
66877@@ -269,7 +269,7 @@ static void free(void *where)
66878 malloc_ptr = free_mem_ptr;
66879 }
66880 #else
66881-#define malloc(a) kmalloc(a, GFP_KERNEL)
66882+#define malloc(a) kmalloc((a), GFP_KERNEL)
66883 #define free(a) kfree(a)
66884 #endif
66885
66886diff -urNp linux-3.1.1/lib/Kconfig.debug linux-3.1.1/lib/Kconfig.debug
66887--- linux-3.1.1/lib/Kconfig.debug 2011-11-11 15:19:27.000000000 -0500
66888+++ linux-3.1.1/lib/Kconfig.debug 2011-11-16 18:40:44.000000000 -0500
66889@@ -1091,6 +1091,7 @@ config LATENCYTOP
66890 depends on DEBUG_KERNEL
66891 depends on STACKTRACE_SUPPORT
66892 depends on PROC_FS
66893+ depends on !GRKERNSEC_HIDESYM
66894 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
66895 select KALLSYMS
66896 select KALLSYMS_ALL
66897diff -urNp linux-3.1.1/lib/kref.c linux-3.1.1/lib/kref.c
66898--- linux-3.1.1/lib/kref.c 2011-11-11 15:19:27.000000000 -0500
66899+++ linux-3.1.1/lib/kref.c 2011-11-16 18:39:08.000000000 -0500
66900@@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
66901 */
66902 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
66903 {
66904- WARN_ON(release == NULL);
66905+ BUG_ON(release == NULL);
66906 WARN_ON(release == (void (*)(struct kref *))kfree);
66907
66908 if (atomic_dec_and_test(&kref->refcount)) {
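Review bot: `BUG_ON(release == NULL)` on the first line of kref_put() now kills the caller for a NULL callback while the very next line keeps `WARN_ON` for the `kfree` case, and the hunk gives no reason for treating the two misuses differently. A comment above the BUG_ON, e.g. `/* a NULL release would presumably be called through once the count reaches zero; fail early and loudly rather than on the indirect call */`, would document the choice, and if the kfree case stays a warning because it is merely wasteful rather than unsafe, saying so next to it prevents a later "make them consistent" change. kref_put()'s body continues past the hunk.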
66909diff -urNp linux-3.1.1/lib/radix-tree.c linux-3.1.1/lib/radix-tree.c
66910--- linux-3.1.1/lib/radix-tree.c 2011-11-11 15:19:27.000000000 -0500
66911+++ linux-3.1.1/lib/radix-tree.c 2011-11-16 18:39:08.000000000 -0500
66912@@ -80,7 +80,7 @@ struct radix_tree_preload {
66913 int nr;
66914 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
66915 };
66916-static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
66917+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
66918
66919 static inline void *ptr_to_indirect(void *ptr)
66920 {
66921diff -urNp linux-3.1.1/lib/vsprintf.c linux-3.1.1/lib/vsprintf.c
66922--- linux-3.1.1/lib/vsprintf.c 2011-11-11 15:19:27.000000000 -0500
66923+++ linux-3.1.1/lib/vsprintf.c 2011-11-16 18:40:44.000000000 -0500
66924@@ -16,6 +16,9 @@
66925 * - scnprintf and vscnprintf
66926 */
66927
66928+#ifdef CONFIG_GRKERNSEC_HIDESYM
66929+#define __INCLUDED_BY_HIDESYM 1
66930+#endif
66931 #include <stdarg.h>
66932 #include <linux/module.h>
66933 #include <linux/types.h>
66934@@ -432,7 +435,7 @@ char *symbol_string(char *buf, char *end
66935 char sym[KSYM_SYMBOL_LEN];
66936 if (ext == 'B')
66937 sprint_backtrace(sym, value);
66938- else if (ext != 'f' && ext != 's')
66939+ else if (ext != 'f' && ext != 's' && ext != 'a')
66940 sprint_symbol(sym, value);
66941 else
66942 kallsyms_lookup(value, NULL, NULL, NULL, sym);
66943@@ -796,7 +799,11 @@ char *uuid_string(char *buf, char *end,
66944 return string(buf, end, uuid, spec);
66945 }
66946
66947+#ifdef CONFIG_GRKERNSEC_HIDESYM
66948+int kptr_restrict __read_mostly = 2;
66949+#else
66950 int kptr_restrict __read_mostly;
66951+#endif
66952
66953 /*
66954 * Show a '%p' thing. A kernel extension is that the '%p' is followed
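Review bot: Initialising `kptr_restrict` to 2 under CONFIG_GRKERNSEC_HIDESYM only changes the starting value; the variable is still the `kernel/kptr_restrict` sysctl (registered in kernel/sysctl.c, outside this hunk), so unless that entry is also locked down elsewhere in the patch, root can still write 0 and re-enable raw `%pK` output. If HIDESYM is meant as a hard guarantee rather than a default, the sysctl needs the same treatment; either way a comment here such as `/* HIDESYM: start with %pK fully hidden; the sysctl may still change this at runtime */` states the level of guarantee. The choice between the two should also be reflected in the HIDESYM Kconfig help text.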
66955@@ -810,6 +817,8 @@ int kptr_restrict __read_mostly;
66956 * - 'S' For symbolic direct pointers with offset
66957 * - 's' For symbolic direct pointers without offset
66958 * - 'B' For backtraced symbolic direct pointers with offset
66959+ * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
66960+ * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
66961 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
66962 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
66963 * - 'M' For a 6-byte MAC address, it prints the address in the
66964@@ -854,12 +863,12 @@ char *pointer(const char *fmt, char *buf
66965 {
66966 if (!ptr && *fmt != 'K') {
66967 /*
66968- * Print (null) with the same width as a pointer so it makes
66969+ * Print (nil) with the same width as a pointer so it makes
66970 * tabular output look nice.
66971 */
66972 if (spec.field_width == -1)
66973 spec.field_width = 2 * sizeof(void *);
66974- return string(buf, end, "(null)", spec);
66975+ return string(buf, end, "(nil)", spec);
66976 }
66977
66978 switch (*fmt) {
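Review bot: Changing the NULL-pointer marker from `(null)` to `(nil)` in pointer() alters every `%p` log line and the hunk does not say why; `string()` in this file presumably still renders a NULL `%s` argument as `(null)`, so the new spelling lets a reader tell the two apart, but anything grepping logs or parsing oops output for `(null)` is affected. A comment on the changed line, e.g. `/* (nil) rather than (null) so a NULL %p is distinguishable from a NULL %s */`, would record the reason, and the change deserves a mention in the patch description.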
66979@@ -869,6 +878,13 @@ char *pointer(const char *fmt, char *buf
66980 /* Fallthrough */
66981 case 'S':
66982 case 's':
66983+#ifdef CONFIG_GRKERNSEC_HIDESYM
66984+ break;
66985+#else
66986+ return symbol_string(buf, end, ptr, spec, *fmt);
66987+#endif
66988+ case 'A':
66989+ case 'a':
66990 case 'B':
66991 return symbol_string(buf, end, ptr, spec, *fmt);
66992 case 'R':
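Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` `break;` for `case 'S'`/`case 's'` leaves the switch without saying what `%pS` degrades to; the code after the switch is outside the hunk, and the `/* Fallthrough */` from the `'F'`/`'f'` cases two lines above means those formats take the same path. A comment at the `break`, e.g. `/* HIDESYM: no symbol lookup for %pF/%pf/%pS/%ps; fall out and format as a plain value */`, would make the degraded output explicit, and since the kernel-doc list above already documents the new `%pA`/`%pa` forms this is the only undocumented branch. Whether the post-switch path prints the raw address under HIDESYM should be checked, because printing it would undo most of the point of hiding the symbol.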
66993@@ -1627,11 +1643,11 @@ int bstr_printf(char *buf, size_t size,
66994 typeof(type) value; \
66995 if (sizeof(type) == 8) { \
66996 args = PTR_ALIGN(args, sizeof(u32)); \
66997- *(u32 *)&value = *(u32 *)args; \
66998- *((u32 *)&value + 1) = *(u32 *)(args + 4); \
66999+ *(u32 *)&value = *(const u32 *)args; \
67000+ *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
67001 } else { \
67002 args = PTR_ALIGN(args, sizeof(type)); \
67003- value = *(typeof(type) *)args; \
67004+ value = *(const typeof(type) *)args; \
67005 } \
67006 args += sizeof(type); \
67007 value; \
67008@@ -1694,7 +1710,7 @@ int bstr_printf(char *buf, size_t size,
67009 case FORMAT_TYPE_STR: {
67010 const char *str_arg = args;
67011 args += strlen(str_arg) + 1;
67012- str = string(str, end, (char *)str_arg, spec);
67013+ str = string(str, end, str_arg, spec);
67014 break;
67015 }
67016
67017diff -urNp linux-3.1.1/localversion-grsec linux-3.1.1/localversion-grsec
67018--- linux-3.1.1/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
67019+++ linux-3.1.1/localversion-grsec 2011-11-16 18:40:44.000000000 -0500
67020@@ -0,0 +1 @@
67021+-grsec
67022diff -urNp linux-3.1.1/Makefile linux-3.1.1/Makefile
67023--- linux-3.1.1/Makefile 2011-11-11 15:19:27.000000000 -0500
67024+++ linux-3.1.1/Makefile 2011-11-17 18:56:01.000000000 -0500
67025@@ -245,8 +245,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
67026
67027 HOSTCC = gcc
67028 HOSTCXX = g++
67029-HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
67030-HOSTCXXFLAGS = -O2
67031+HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
67032+HOSTCLFAGS += $(call cc-option, -Wno-empty-body)
67033+HOSTCXXFLAGS = -O2 -Wall -W -fno-delete-null-pointer-checks
67034
67035 # Decide whether to build built-in, modular, or both.
67036 # Normally, just do built-in.
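Review bot: The line `HOSTCLFAGS += $(call cc-option, -Wno-empty-body)` assigns to a misspelled variable, so `-Wno-empty-body` is never added to HOSTCFLAGS and the newly added `-W` (which enables that warning) produces exactly the noise the line was meant to silence. The fix is `HOSTCFLAGS += $(call cc-option, -Wno-empty-body)`. The `-fno-delete-null-pointer-checks` added to both HOSTCFLAGS and HOSTCXXFLAGS is a hardening flag with no comment; a short `# keep NULL checks the optimizer would otherwise remove` would explain why host tools get it too.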
67037@@ -407,8 +408,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
67038 # Rules shared between *config targets and build targets
67039
67040 # Basic helpers built in scripts/
67041-PHONY += scripts_basic
67042-scripts_basic:
67043+PHONY += scripts_basic gcc-plugins
67044+scripts_basic: gcc-plugins
67045 $(Q)$(MAKE) $(build)=scripts/basic
67046 $(Q)rm -f .tmp_quiet_recordmcount
67047
67048@@ -564,6 +565,37 @@ else
67049 KBUILD_CFLAGS += -O2
67050 endif
67051
67052+ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
67053+CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
67054+ifdef CONFIG_PAX_MEMORY_STACKLEAK
67055+STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN
67056+STACKLEAK_PLUGIN += -fplugin-arg-stackleak_plugin-track-lowest-sp=100
67057+endif
67058+ifdef CONFIG_KALLOCSTAT_PLUGIN
67059+KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
67060+endif
67061+ifdef CONFIG_PAX_KERNEXEC_PLUGIN
67062+KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
67063+endif
67064+ifdef CONFIG_CHECKER_PLUGIN
67065+ifeq ($(call cc-ifversion, -ge, 0406, y), y)
67066+CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
67067+endif
67068+endif
67069+GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN)
67070+export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
67071+gcc-plugins:
67072+ $(Q)$(MAKE) $(build)=tools/gcc
67073+else
67074+gcc-plugins:
67075+ifeq ($(call cc-ifversion, -ge, 0405, y), y)
67076+ $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev.))
67077+else
67078+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
67079+endif
67080+ $(Q)echo "PAX_MEMORY_STACKLEAK and other features will be less secure"
67081+endif
67082+
67083 include $(srctree)/arch/$(SRCARCH)/Makefile
67084
67085 ifneq ($(CONFIG_FRAME_WARN),0)
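Review bot: In the `else` branch of the gcc-plugin check, a gcc older than 4.5 only gets an `echo` and the build continues without the CONSTIFY/STACKLEAK/KERNEXEC/CHECKER plugins even when the corresponding CONFIG_* options are set, so a .config that asks for PAX_MEMORY_STACKLEAK can silently yield a kernel without it; the `$(error …)` is issued only for gcc >= 4.5. If the configured features are meant to be guaranteed, that branch should `$(error …)` whenever `CONFIG_PAX_MEMORY_STACKLEAK`, `CONFIG_PAX_KERNEXEC_PLUGIN` or `CONFIG_CHECKER_PLUGIN` is set, instead of echoing a warning that scrolls past. Separately, `export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN` omits `KALLOCSTAT_PLUGIN`; if sub-makes consume the individual variables it should be exported too, otherwise a comment should say that only `GCC_PLUGINS` is consumed. The `$(error …))` line also carries one trailing `)` more than it needs.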
67086@@ -708,7 +740,7 @@ export mod_strip_cmd
67087
67088
67089 ifeq ($(KBUILD_EXTMOD),)
67090-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
67091+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
67092
67093 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
67094 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
67095@@ -932,6 +964,7 @@ vmlinux.o: $(modpost-init) $(vmlinux-mai
67096
67097 # The actual objects are generated when descending,
67098 # make sure no implicit rule kicks in
67099+$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): KBUILD_CFLAGS += $(GCC_PLUGINS)
67100 $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
67101
67102 # Handle descending into subdirectories listed in $(vmlinux-dirs)
67103@@ -941,7 +974,7 @@ $(sort $(vmlinux-init) $(vmlinux-main))
67104 # Error messages still appears in the original language
67105
67106 PHONY += $(vmlinux-dirs)
67107-$(vmlinux-dirs): prepare scripts
67108+$(vmlinux-dirs): gcc-plugins prepare scripts
67109 $(Q)$(MAKE) $(build)=$@
67110
67111 # Store (new) KERNELRELASE string in include/config/kernel.release
67112@@ -986,6 +1019,7 @@ prepare0: archprepare FORCE
67113 $(Q)$(MAKE) $(build)=. missing-syscalls
67114
67115 # All the preparing..
67116+prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS))
67117 prepare: prepare0
67118
67119 # Generate some files
67120@@ -1087,6 +1121,7 @@ all: modules
67121 # using awk while concatenating to the final file.
67122
67123 PHONY += modules
67124+modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
67125 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
67126 $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
67127 @$(kecho) ' Building modules, stage 2.';
67128@@ -1102,7 +1137,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modu
67129
67130 # Target to prepare building external modules
67131 PHONY += modules_prepare
67132-modules_prepare: prepare scripts
67133+modules_prepare: gcc-plugins prepare scripts
67134
67135 # Target to install modules
67136 PHONY += modules_install
67137@@ -1198,7 +1233,7 @@ distclean: mrproper
67138 @find $(srctree) $(RCS_FIND_IGNORE) \
67139 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
67140 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
67141- -o -name '.*.rej' -o -size 0 \
67142+ -o -name '.*.rej' -o -name '*.so' -o -size 0 \
67143 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
67144 -type f -print | xargs rm -f
67145
67146@@ -1360,6 +1395,7 @@ PHONY += $(module-dirs) modules
67147 $(module-dirs): crmodverdir $(objtree)/Module.symvers
67148 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
67149
67150+modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
67151 modules: $(module-dirs)
67152 @$(kecho) ' Building modules, stage 2.';
67153 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
67154@@ -1486,17 +1522,19 @@ else
67155 target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
67156 endif
67157
67158-%.s: %.c prepare scripts FORCE
67159+%.s: KBUILD_CFLAGS += $(GCC_PLUGINS)
67160+%.s: %.c gcc-plugins prepare scripts FORCE
67161 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67162 %.i: %.c prepare scripts FORCE
67163 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67164-%.o: %.c prepare scripts FORCE
67165+%.o: KBUILD_CFLAGS += $(GCC_PLUGINS)
67166+%.o: %.c gcc-plugins prepare scripts FORCE
67167 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67168 %.lst: %.c prepare scripts FORCE
67169 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67170-%.s: %.S prepare scripts FORCE
67171+%.s: %.S gcc-plugins prepare scripts FORCE
67172 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67173-%.o: %.S prepare scripts FORCE
67174+%.o: %.S gcc-plugins prepare scripts FORCE
67175 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
67176 %.symtypes: %.c prepare scripts FORCE
67177 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
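Review bot: The `%.i` and `%.lst` rules in this hunk keep `prepare scripts FORCE` and get neither `KBUILD_CFLAGS += $(GCC_PLUGINS)` nor the `gcc-plugins` prerequisite, while the `%.s` and `%.o` rules around them get both. Because `GCC_PLUGINS` also carries `-DCONSTIFY_PLUGIN`, `-DSTACKLEAK_PLUGIN` and `-DCHECKER_PLUGIN`, a `make foo.i` preprocesses with those macros undefined and shows different code from what `make foo.o` compiles. Adding `%.i: KBUILD_CFLAGS += $(GCC_PLUGINS)` (and the same for `%.lst`) keeps the single-file targets consistent; if the omission is deliberate, a comment should say so.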
67178@@ -1506,11 +1544,13 @@ endif
67179 $(cmd_crmodverdir)
67180 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
67181 $(build)=$(build-dir)
67182-%/: prepare scripts FORCE
67183+%/: KBUILD_CFLAGS += $(GCC_PLUGINS)
67184+%/: gcc-plugins prepare scripts FORCE
67185 $(cmd_crmodverdir)
67186 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
67187 $(build)=$(build-dir)
67188-%.ko: prepare scripts FORCE
67189+%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS)
67190+%.ko: gcc-plugins prepare scripts FORCE
67191 $(cmd_crmodverdir)
67192 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
67193 $(build)=$(build-dir) $(@:.ko=.o)
67194diff -urNp linux-3.1.1/mm/filemap.c linux-3.1.1/mm/filemap.c
67195--- linux-3.1.1/mm/filemap.c 2011-11-11 15:19:27.000000000 -0500
67196+++ linux-3.1.1/mm/filemap.c 2011-11-16 18:40:44.000000000 -0500
67197@@ -1784,7 +1784,7 @@ int generic_file_mmap(struct file * file
67198 struct address_space *mapping = file->f_mapping;
67199
67200 if (!mapping->a_ops->readpage)
67201- return -ENOEXEC;
67202+ return -ENODEV;
67203 file_accessed(file);
67204 vma->vm_ops = &generic_file_vm_ops;
67205 vma->vm_flags |= VM_CAN_NONLINEAR;
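Review bot: Returning `-ENODEV` instead of `-ENOEXEC` from generic_file_mmap() when the address space has no `readpage` changes the errno user space sees from mmap(), and the hunk gives no reason. POSIX specifies ENODEV for mmap() of a file whose type the call does not support, so the new value looks like the accurate one, but a comment on the line, e.g. `/* ENODEV: the POSIX errno for a file type mmap() cannot map */`, keeps the next reader from reverting it. generic_file_mmap() starts outside the hunk.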
67206@@ -2190,6 +2190,7 @@ inline int generic_write_checks(struct f
67207 *pos = i_size_read(inode);
67208
67209 if (limit != RLIM_INFINITY) {
67210+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
67211 if (*pos >= limit) {
67212 send_sig(SIGXFSZ, current, 0);
67213 return -EFBIG;
67214diff -urNp linux-3.1.1/mm/fremap.c linux-3.1.1/mm/fremap.c
67215--- linux-3.1.1/mm/fremap.c 2011-11-11 15:19:27.000000000 -0500
67216+++ linux-3.1.1/mm/fremap.c 2011-11-16 18:39:08.000000000 -0500
67217@@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
67218 retry:
67219 vma = find_vma(mm, start);
67220
67221+#ifdef CONFIG_PAX_SEGMEXEC
67222+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
67223+ goto out;
67224+#endif
67225+
67226 /*
67227 * Make sure the vma is shared, that it supports prefaulting,
67228 * and that the remapped range is valid and fully within
67229diff -urNp linux-3.1.1/mm/highmem.c linux-3.1.1/mm/highmem.c
67230--- linux-3.1.1/mm/highmem.c 2011-11-11 15:19:27.000000000 -0500
67231+++ linux-3.1.1/mm/highmem.c 2011-11-16 18:39:08.000000000 -0500
67232@@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
67233 * So no dangers, even with speculative execution.
67234 */
67235 page = pte_page(pkmap_page_table[i]);
67236+ pax_open_kernel();
67237 pte_clear(&init_mm, (unsigned long)page_address(page),
67238 &pkmap_page_table[i]);
67239-
67240+ pax_close_kernel();
67241 set_page_address(page, NULL);
67242 need_flush = 1;
67243 }
67244@@ -186,9 +187,11 @@ start:
67245 }
67246 }
67247 vaddr = PKMAP_ADDR(last_pkmap_nr);
67248+
67249+ pax_open_kernel();
67250 set_pte_at(&init_mm, vaddr,
67251 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
67252-
67253+ pax_close_kernel();
67254 pkmap_count[last_pkmap_nr] = 1;
67255 set_page_address(page, (void *)vaddr);
67256
67257diff -urNp linux-3.1.1/mm/huge_memory.c linux-3.1.1/mm/huge_memory.c
67258--- linux-3.1.1/mm/huge_memory.c 2011-11-11 15:19:27.000000000 -0500
67259+++ linux-3.1.1/mm/huge_memory.c 2011-11-16 18:39:08.000000000 -0500
67260@@ -702,7 +702,7 @@ out:
67261 * run pte_offset_map on the pmd, if an huge pmd could
67262 * materialize from under us from a different thread.
67263 */
67264- if (unlikely(__pte_alloc(mm, vma, pmd, address)))
67265+ if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
67266 return VM_FAULT_OOM;
67267 /* if an huge pmd materialized from under us just retry later */
67268 if (unlikely(pmd_trans_huge(*pmd)))
67269diff -urNp linux-3.1.1/mm/hugetlb.c linux-3.1.1/mm/hugetlb.c
67270--- linux-3.1.1/mm/hugetlb.c 2011-11-11 15:19:27.000000000 -0500
67271+++ linux-3.1.1/mm/hugetlb.c 2011-11-16 18:39:08.000000000 -0500
67272@@ -2346,6 +2346,27 @@ static int unmap_ref_private(struct mm_s
67273 return 1;
67274 }
67275
67276+#ifdef CONFIG_PAX_SEGMEXEC
67277+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
67278+{
67279+ struct mm_struct *mm = vma->vm_mm;
67280+ struct vm_area_struct *vma_m;
67281+ unsigned long address_m;
67282+ pte_t *ptep_m;
67283+
67284+ vma_m = pax_find_mirror_vma(vma);
67285+ if (!vma_m)
67286+ return;
67287+
67288+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67289+ address_m = address + SEGMEXEC_TASK_SIZE;
67290+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
67291+ get_page(page_m);
67292+ hugepage_add_anon_rmap(page_m, vma_m, address_m);
67293+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
67294+}
67295+#endif
67296+
67297 /*
67298 * Hugetlb_cow() should be called with page lock of the original hugepage held.
67299 */
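Review bot: In pax_mirror_huge_pte() the `ptep_m` returned by `huge_pte_offset()` is passed straight to `set_huge_pte_at()` without a NULL check; `huge_pte_offset()` returns NULL when the page table for that address has not been allocated, so the function depends on a caller having done that first (the hugetlb_fault hunk later in this file calls `huge_pte_alloc()` for `address_m` before the fault path runs). That precondition should be stated above the function, e.g. `/* caller must already have allocated the mirror's page table (huge_pte_alloc for address + SEGMEXEC_TASK_SIZE) */`, or enforced with `BUG_ON(!ptep_m);` in the style of the other checks in this patch. The function also mixes `HPAGE_MASK` with the per-hstate helpers used in the hugetlb_fault hunk (`huge_page_size(h)`); if SEGMEXEC only exists on configurations with a single hugepage size that is harmless, but `huge_page_mask(hstate_vma(vma))` would be consistent either way.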
67300@@ -2447,6 +2468,11 @@ retry_avoidcopy:
67301 make_huge_pte(vma, new_page, 1));
67302 page_remove_rmap(old_page);
67303 hugepage_add_new_anon_rmap(new_page, vma, address);
67304+
67305+#ifdef CONFIG_PAX_SEGMEXEC
67306+ pax_mirror_huge_pte(vma, address, new_page);
67307+#endif
67308+
67309 /* Make the old page be freed below */
67310 new_page = old_page;
67311 mmu_notifier_invalidate_range_end(mm,
67312@@ -2598,6 +2624,10 @@ retry:
67313 && (vma->vm_flags & VM_SHARED)));
67314 set_huge_pte_at(mm, address, ptep, new_pte);
67315
67316+#ifdef CONFIG_PAX_SEGMEXEC
67317+ pax_mirror_huge_pte(vma, address, page);
67318+#endif
67319+
67320 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
67321 /* Optimization, do the COW without a second fault */
67322 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
67323@@ -2627,6 +2657,10 @@ int hugetlb_fault(struct mm_struct *mm,
67324 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
67325 struct hstate *h = hstate_vma(vma);
67326
67327+#ifdef CONFIG_PAX_SEGMEXEC
67328+ struct vm_area_struct *vma_m;
67329+#endif
67330+
67331 ptep = huge_pte_offset(mm, address);
67332 if (ptep) {
67333 entry = huge_ptep_get(ptep);
67334@@ -2638,6 +2672,26 @@ int hugetlb_fault(struct mm_struct *mm,
67335 VM_FAULT_SET_HINDEX(h - hstates);
67336 }
67337
67338+#ifdef CONFIG_PAX_SEGMEXEC
67339+ vma_m = pax_find_mirror_vma(vma);
67340+ if (vma_m) {
67341+ unsigned long address_m;
67342+
67343+ if (vma->vm_start > vma_m->vm_start) {
67344+ address_m = address;
67345+ address -= SEGMEXEC_TASK_SIZE;
67346+ vma = vma_m;
67347+ h = hstate_vma(vma);
67348+ } else
67349+ address_m = address + SEGMEXEC_TASK_SIZE;
67350+
67351+ if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
67352+ return VM_FAULT_OOM;
67353+ address_m &= HPAGE_MASK;
67354+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
67355+ }
67356+#endif
67357+
67358 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
67359 if (!ptep)
67360 return VM_FAULT_OOM;
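Review bot: In the SEGMEXEC block of hugetlb_fault(), `unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL)` is called with a `vma` that does not contain `address_m`: on both sides of the `if`, `vma` ends up as the lower twin while `address_m` lies in the upper one, so the call relies on unmap_hugepage_range() using the vma only for its mm, file mapping and TLB flush rather than for range checks. That assumption should be written next to the call, e.g. `/* vma is the lower twin; only its mm and mapping matter for the mirror range */`, or `vma_m` should be passed where it is the containing vma. The mixed use of `huge_page_size(h)` on one line and `HPAGE_MASK`/`HPAGE_SIZE` on the next also deserves a comment if it is intentional. hugetlb_fault() continues past the hunk.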
67361diff -urNp linux-3.1.1/mm/internal.h linux-3.1.1/mm/internal.h
67362--- linux-3.1.1/mm/internal.h 2011-11-11 15:19:27.000000000 -0500
67363+++ linux-3.1.1/mm/internal.h 2011-11-16 18:39:08.000000000 -0500
67364@@ -95,6 +95,7 @@ extern void putback_lru_page(struct page
67365 * in mm/page_alloc.c
67366 */
67367 extern void __free_pages_bootmem(struct page *page, unsigned int order);
67368+extern void free_compound_page(struct page *page);
67369 extern void prep_compound_page(struct page *page, unsigned long order);
67370 #ifdef CONFIG_MEMORY_FAILURE
67371 extern bool is_free_buddy_page(struct page *page);
67372diff -urNp linux-3.1.1/mm/Kconfig linux-3.1.1/mm/Kconfig
67373--- linux-3.1.1/mm/Kconfig 2011-11-11 15:19:27.000000000 -0500
67374+++ linux-3.1.1/mm/Kconfig 2011-11-17 18:57:00.000000000 -0500
67375@@ -238,10 +238,10 @@ config KSM
67376 root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set).
67377
67378 config DEFAULT_MMAP_MIN_ADDR
67379- int "Low address space to protect from user allocation"
67380+ int "Low address space to protect from user allocation"
67381 depends on MMU
67382- default 4096
67383- help
67384+ default 65536
67385+ help
67386 This is the portion of low virtual memory which should be protected
67387 from userspace allocation. Keeping a user from writing to low pages
67388 can help reduce the impact of kernel NULL pointer bugs.
67389diff -urNp linux-3.1.1/mm/kmemleak.c linux-3.1.1/mm/kmemleak.c
67390--- linux-3.1.1/mm/kmemleak.c 2011-11-11 15:19:27.000000000 -0500
67391+++ linux-3.1.1/mm/kmemleak.c 2011-11-16 18:40:44.000000000 -0500
67392@@ -357,7 +357,7 @@ static void print_unreferenced(struct se
67393
67394 for (i = 0; i < object->trace_len; i++) {
67395 void *ptr = (void *)object->trace[i];
67396- seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
67397+ seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
67398 }
67399 }
67400
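Review bot: The trace line now uses `%pA` so the symbol is still resolved under HIDESYM, but the `[<%p>]` in the same format string still prints the raw trace address; if HIDESYM is meant to keep kernel addresses out of this output, `%pK` would honor the `kptr_restrict` default this patch sets, and if the raw address is wanted because the kmemleak debugfs file is root-only anyway, a short comment saying so prevents a later "fix". Either way `%pA` marks this call as an approved consumer, and that deserves the same one-line justification, e.g. `/* %pA: symbol output is approved here; kmemleak's debugfs file is not world-readable */` if that is the reason.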
67401diff -urNp linux-3.1.1/mm/maccess.c linux-3.1.1/mm/maccess.c
67402--- linux-3.1.1/mm/maccess.c 2011-11-11 15:19:27.000000000 -0500
67403+++ linux-3.1.1/mm/maccess.c 2011-11-16 18:39:08.000000000 -0500
67404@@ -26,7 +26,7 @@ long __probe_kernel_read(void *dst, cons
67405 set_fs(KERNEL_DS);
67406 pagefault_disable();
67407 ret = __copy_from_user_inatomic(dst,
67408- (__force const void __user *)src, size);
67409+ (const void __force_user *)src, size);
67410 pagefault_enable();
67411 set_fs(old_fs);
67412
67413@@ -53,7 +53,7 @@ long __probe_kernel_write(void *dst, con
67414
67415 set_fs(KERNEL_DS);
67416 pagefault_disable();
67417- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
67418+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
67419 pagefault_enable();
67420 set_fs(old_fs);
67421
67422diff -urNp linux-3.1.1/mm/madvise.c linux-3.1.1/mm/madvise.c
67423--- linux-3.1.1/mm/madvise.c 2011-11-11 15:19:27.000000000 -0500
67424+++ linux-3.1.1/mm/madvise.c 2011-11-16 18:39:08.000000000 -0500
67425@@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
67426 pgoff_t pgoff;
67427 unsigned long new_flags = vma->vm_flags;
67428
67429+#ifdef CONFIG_PAX_SEGMEXEC
67430+ struct vm_area_struct *vma_m;
67431+#endif
67432+
67433 switch (behavior) {
67434 case MADV_NORMAL:
67435 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
67436@@ -110,6 +114,13 @@ success:
67437 /*
67438 * vm_flags is protected by the mmap_sem held in write mode.
67439 */
67440+
67441+#ifdef CONFIG_PAX_SEGMEXEC
67442+ vma_m = pax_find_mirror_vma(vma);
67443+ if (vma_m)
67444+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
67445+#endif
67446+
67447 vma->vm_flags = new_flags;
67448
67449 out:
67450@@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
67451 struct vm_area_struct ** prev,
67452 unsigned long start, unsigned long end)
67453 {
67454+
67455+#ifdef CONFIG_PAX_SEGMEXEC
67456+ struct vm_area_struct *vma_m;
67457+#endif
67458+
67459 *prev = vma;
67460 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
67461 return -EINVAL;
67462@@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
67463 zap_page_range(vma, start, end - start, &details);
67464 } else
67465 zap_page_range(vma, start, end - start, NULL);
67466+
67467+#ifdef CONFIG_PAX_SEGMEXEC
67468+ vma_m = pax_find_mirror_vma(vma);
67469+ if (vma_m) {
67470+ if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
67471+ struct zap_details details = {
67472+ .nonlinear_vma = vma_m,
67473+ .last_index = ULONG_MAX,
67474+ };
67475+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
67476+ } else
67477+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
67478+ }
67479+#endif
67480+
67481 return 0;
67482 }
67483
67484@@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
67485 if (end < start)
67486 goto out;
67487
67488+#ifdef CONFIG_PAX_SEGMEXEC
67489+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
67490+ if (end > SEGMEXEC_TASK_SIZE)
67491+ goto out;
67492+ } else
67493+#endif
67494+
67495+ if (end > TASK_SIZE)
67496+ goto out;
67497+
67498 error = 0;
67499 if (end == start)
67500 goto out;
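Review bot: The `} else` that ends inside `#ifdef CONFIG_PAX_SEGMEXEC` and binds to the `if (end > TASK_SIZE)` after the `#endif` compiles correctly in both configurations but is fragile: any statement inserted between the `#endif` and that `if` silently changes which branch the `else` owns. Computing the limit first and testing it once removes the cross-`#endif` `else` and reads the same in both builds; `limit` would be declared with the other locals at the top of madvise(), which is outside the hunk. madvise()'s body continues outside the hunk.
```c
	/* limit is declared with the other locals at the top of the function */
	limit = TASK_SIZE;
#ifdef CONFIG_PAX_SEGMEXEC
	/* with SEGMEXEC the usable address space ends at SEGMEXEC_TASK_SIZE */
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		limit = SEGMEXEC_TASK_SIZE;
#endif
	if (end > limit)
		goto out;
	/* … unchanged: error = 0 and the end == start check … */
```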
67501diff -urNp linux-3.1.1/mm/memory.c linux-3.1.1/mm/memory.c
67502--- linux-3.1.1/mm/memory.c 2011-11-11 15:19:27.000000000 -0500
67503+++ linux-3.1.1/mm/memory.c 2011-11-16 18:39:08.000000000 -0500
67504@@ -457,8 +457,12 @@ static inline void free_pmd_range(struct
67505 return;
67506
67507 pmd = pmd_offset(pud, start);
67508+
67509+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
67510 pud_clear(pud);
67511 pmd_free_tlb(tlb, pmd, start);
67512+#endif
67513+
67514 }
67515
67516 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
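Review bot: Under `CONFIG_X86_32 && CONFIG_PAX_PER_CPU_PGD` the `pmd = pmd_offset(pud, start);` above the new `#if` is kept while both of its users (`pud_clear`/`pmd_free_tlb`) are compiled out, leaving `pmd` set but never read and a `-Wunused-but-set-variable` warning. The next hunk handles the same case in free_pud_range() by moving `pud = pud_offset(pgd, start);` inside the `#if`; moving the `pmd = pmd_offset(pud, start);` line below `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)` here keeps the two functions parallel. A one-line comment on the `#if` saying why the pmd is not freed under the per-CPU PGD (presumably it is owned by the per-CPU page-directory set-up rather than by this mm) would help readers. free_pmd_range() starts outside the hunk.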
67517@@ -489,9 +493,12 @@ static inline void free_pud_range(struct
67518 if (end - 1 > ceiling - 1)
67519 return;
67520
67521+#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
67522 pud = pud_offset(pgd, start);
67523 pgd_clear(pgd);
67524 pud_free_tlb(tlb, pud, start);
67525+#endif
67526+
67527 }
67528
67529 /*
67530@@ -1566,12 +1573,6 @@ no_page_table:
67531 return page;
67532 }
67533
67534-static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
67535-{
67536- return stack_guard_page_start(vma, addr) ||
67537- stack_guard_page_end(vma, addr+PAGE_SIZE);
67538-}
67539-
67540 /**
67541 * __get_user_pages() - pin user pages in memory
67542 * @tsk: task_struct of target task
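Review bot: Removing stack_guard_page() here, replacing `find_extend_vma()` with `find_vma()` plus the new `start < vma->vm_start` test (the next two hunks), and dropping the FOLL_MLOCK guard-page skip (the hunk after those) together mean get_user_pages() no longer grows a VM_GROWSDOWN stack on demand and no longer steps over the stack guard page for mlock(); these are deliberate policy changes but none of them is commented. Callers that relied on the implicit expansion now get -EFAULT, and with the skip gone an mlock() of the stack would fault the guard page in again unless the fault path is changed elsewhere in this patch — both should be confirmed and recorded, e.g. `/* PaX: never extend the stack from gup; callers must expand_stack() explicitly */` above the `find_vma()` call. The `do { … } while (nr_pages)` to `while (nr_pages) { … }` rewrite in the last of these hunks is behavior-preserving only if `nr_pages` is non-zero on entry, which the early-return check outside the hunk would have to guarantee; a comment there would help. __get_user_pages() starts and ends outside these hunks.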
67543@@ -1644,10 +1645,10 @@ int __get_user_pages(struct task_struct
67544 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
67545 i = 0;
67546
67547- do {
67548+ while (nr_pages) {
67549 struct vm_area_struct *vma;
67550
67551- vma = find_extend_vma(mm, start);
67552+ vma = find_vma(mm, start);
67553 if (!vma && in_gate_area(mm, start)) {
67554 unsigned long pg = start & PAGE_MASK;
67555 pgd_t *pgd;
67556@@ -1695,7 +1696,7 @@ int __get_user_pages(struct task_struct
67557 goto next_page;
67558 }
67559
67560- if (!vma ||
67561+ if (!vma || start < vma->vm_start ||
67562 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
67563 !(vm_flags & vma->vm_flags))
67564 return i ? : -EFAULT;
67565@@ -1722,11 +1723,6 @@ int __get_user_pages(struct task_struct
67566 int ret;
67567 unsigned int fault_flags = 0;
67568
67569- /* For mlock, just skip the stack guard page. */
67570- if (foll_flags & FOLL_MLOCK) {
67571- if (stack_guard_page(vma, start))
67572- goto next_page;
67573- }
67574 if (foll_flags & FOLL_WRITE)
67575 fault_flags |= FAULT_FLAG_WRITE;
67576 if (nonblocking)
67577@@ -1800,7 +1796,7 @@ next_page:
67578 start += PAGE_SIZE;
67579 nr_pages--;
67580 } while (nr_pages && start < vma->vm_end);
67581- } while (nr_pages);
67582+ }
67583 return i;
67584 }
67585 EXPORT_SYMBOL(__get_user_pages);
67586@@ -2007,6 +2003,10 @@ static int insert_page(struct vm_area_st
67587 page_add_file_rmap(page);
67588 set_pte_at(mm, addr, pte, mk_pte(page, prot));
67589
67590+#ifdef CONFIG_PAX_SEGMEXEC
67591+ pax_mirror_file_pte(vma, addr, page, ptl);
67592+#endif
67593+
67594 retval = 0;
67595 pte_unmap_unlock(pte, ptl);
67596 return retval;
67597@@ -2041,10 +2041,22 @@ out:
67598 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
67599 struct page *page)
67600 {
67601+
67602+#ifdef CONFIG_PAX_SEGMEXEC
67603+ struct vm_area_struct *vma_m;
67604+#endif
67605+
67606 if (addr < vma->vm_start || addr >= vma->vm_end)
67607 return -EFAULT;
67608 if (!page_count(page))
67609 return -EINVAL;
67610+
67611+#ifdef CONFIG_PAX_SEGMEXEC
67612+ vma_m = pax_find_mirror_vma(vma);
67613+ if (vma_m)
67614+ vma_m->vm_flags |= VM_INSERTPAGE;
67615+#endif
67616+
67617 vma->vm_flags |= VM_INSERTPAGE;
67618 return insert_page(vma, addr, page, vma->vm_page_prot);
67619 }
67620@@ -2130,6 +2142,7 @@ int vm_insert_mixed(struct vm_area_struc
67621 unsigned long pfn)
67622 {
67623 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
67624+ BUG_ON(vma->vm_mirror);
67625
67626 if (addr < vma->vm_start || addr >= vma->vm_end)
67627 return -EFAULT;
67628@@ -2445,6 +2458,186 @@ static inline void cow_user_page(struct
67629 copy_user_highpage(dst, src, va, vma);
67630 }
67631
67632+#ifdef CONFIG_PAX_SEGMEXEC
67633+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
67634+{
67635+ struct mm_struct *mm = vma->vm_mm;
67636+ spinlock_t *ptl;
67637+ pte_t *pte, entry;
67638+
67639+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
67640+ entry = *pte;
67641+ if (!pte_present(entry)) {
67642+ if (!pte_none(entry)) {
67643+ BUG_ON(pte_file(entry));
67644+ free_swap_and_cache(pte_to_swp_entry(entry));
67645+ pte_clear_not_present_full(mm, address, pte, 0);
67646+ }
67647+ } else {
67648+ struct page *page;
67649+
67650+ flush_cache_page(vma, address, pte_pfn(entry));
67651+ entry = ptep_clear_flush(vma, address, pte);
67652+ BUG_ON(pte_dirty(entry));
67653+ page = vm_normal_page(vma, address, entry);
67654+ if (page) {
67655+ update_hiwater_rss(mm);
67656+ if (PageAnon(page))
67657+ dec_mm_counter_fast(mm, MM_ANONPAGES);
67658+ else
67659+ dec_mm_counter_fast(mm, MM_FILEPAGES);
67660+ page_remove_rmap(page);
67661+ page_cache_release(page);
67662+ }
67663+ }
67664+ pte_unmap_unlock(pte, ptl);
67665+}
67666+
67667+/* PaX: if vma is mirrored, synchronize the mirror's PTE
67668+ *
67669+ * the ptl of the lower mapped page is held on entry and is not released on exit
67670+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
67671+ */
67672+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67673+{
67674+ struct mm_struct *mm = vma->vm_mm;
67675+ unsigned long address_m;
67676+ spinlock_t *ptl_m;
67677+ struct vm_area_struct *vma_m;
67678+ pmd_t *pmd_m;
67679+ pte_t *pte_m, entry_m;
67680+
67681+ BUG_ON(!page_m || !PageAnon(page_m));
67682+
67683+ vma_m = pax_find_mirror_vma(vma);
67684+ if (!vma_m)
67685+ return;
67686+
67687+ BUG_ON(!PageLocked(page_m));
67688+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67689+ address_m = address + SEGMEXEC_TASK_SIZE;
67690+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67691+ pte_m = pte_offset_map(pmd_m, address_m);
67692+ ptl_m = pte_lockptr(mm, pmd_m);
67693+ if (ptl != ptl_m) {
67694+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67695+ if (!pte_none(*pte_m))
67696+ goto out;
67697+ }
67698+
67699+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
67700+ page_cache_get(page_m);
67701+ page_add_anon_rmap(page_m, vma_m, address_m);
67702+ inc_mm_counter_fast(mm, MM_ANONPAGES);
67703+ set_pte_at(mm, address_m, pte_m, entry_m);
67704+ update_mmu_cache(vma_m, address_m, entry_m);
67705+out:
67706+ if (ptl != ptl_m)
67707+ spin_unlock(ptl_m);
67708+ pte_unmap(pte_m);
67709+ unlock_page(page_m);
67710+}
67711+
67712+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67713+{
67714+ struct mm_struct *mm = vma->vm_mm;
67715+ unsigned long address_m;
67716+ spinlock_t *ptl_m;
67717+ struct vm_area_struct *vma_m;
67718+ pmd_t *pmd_m;
67719+ pte_t *pte_m, entry_m;
67720+
67721+ BUG_ON(!page_m || PageAnon(page_m));
67722+
67723+ vma_m = pax_find_mirror_vma(vma);
67724+ if (!vma_m)
67725+ return;
67726+
67727+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67728+ address_m = address + SEGMEXEC_TASK_SIZE;
67729+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67730+ pte_m = pte_offset_map(pmd_m, address_m);
67731+ ptl_m = pte_lockptr(mm, pmd_m);
67732+ if (ptl != ptl_m) {
67733+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67734+ if (!pte_none(*pte_m))
67735+ goto out;
67736+ }
67737+
67738+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
67739+ page_cache_get(page_m);
67740+ page_add_file_rmap(page_m);
67741+ inc_mm_counter_fast(mm, MM_FILEPAGES);
67742+ set_pte_at(mm, address_m, pte_m, entry_m);
67743+ update_mmu_cache(vma_m, address_m, entry_m);
67744+out:
67745+ if (ptl != ptl_m)
67746+ spin_unlock(ptl_m);
67747+ pte_unmap(pte_m);
67748+}
67749+
67750+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
67751+{
67752+ struct mm_struct *mm = vma->vm_mm;
67753+ unsigned long address_m;
67754+ spinlock_t *ptl_m;
67755+ struct vm_area_struct *vma_m;
67756+ pmd_t *pmd_m;
67757+ pte_t *pte_m, entry_m;
67758+
67759+ vma_m = pax_find_mirror_vma(vma);
67760+ if (!vma_m)
67761+ return;
67762+
67763+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67764+ address_m = address + SEGMEXEC_TASK_SIZE;
67765+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67766+ pte_m = pte_offset_map(pmd_m, address_m);
67767+ ptl_m = pte_lockptr(mm, pmd_m);
67768+ if (ptl != ptl_m) {
67769+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67770+ if (!pte_none(*pte_m))
67771+ goto out;
67772+ }
67773+
67774+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
67775+ set_pte_at(mm, address_m, pte_m, entry_m);
67776+out:
67777+ if (ptl != ptl_m)
67778+ spin_unlock(ptl_m);
67779+ pte_unmap(pte_m);
67780+}
67781+
67782+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
67783+{
67784+ struct page *page_m;
67785+ pte_t entry;
67786+
67787+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
67788+ goto out;
67789+
67790+ entry = *pte;
67791+ page_m = vm_normal_page(vma, address, entry);
67792+ if (!page_m)
67793+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
67794+ else if (PageAnon(page_m)) {
67795+ if (pax_find_mirror_vma(vma)) {
67796+ pte_unmap_unlock(pte, ptl);
67797+ lock_page(page_m);
67798+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
67799+ if (pte_same(entry, *pte))
67800+ pax_mirror_anon_pte(vma, address, page_m, ptl);
67801+ else
67802+ unlock_page(page_m);
67803+ }
67804+ } else
67805+ pax_mirror_file_pte(vma, address, page_m, ptl);
67806+
67807+out:
67808+ pte_unmap_unlock(pte, ptl);
67809+}
67810+#endif
67811+
67812 /*
67813 * This routine handles present pages, when users try to write
67814 * to a shared page. It is done by copying the page to a new address
67815@@ -2656,6 +2849,12 @@ gotten:
67816 */
67817 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
67818 if (likely(pte_same(*page_table, orig_pte))) {
67819+
67820+#ifdef CONFIG_PAX_SEGMEXEC
67821+ if (pax_find_mirror_vma(vma))
67822+ BUG_ON(!trylock_page(new_page));
67823+#endif
67824+
67825 if (old_page) {
67826 if (!PageAnon(old_page)) {
67827 dec_mm_counter_fast(mm, MM_FILEPAGES);
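Review bot: The `BUG_ON(!trylock_page(new_page))` added under CONFIG_PAX_SEGMEXEC leaves new_page locked with no unlock in this hunk; the release happens inside pax_mirror_anon_pte in the next hunk (`unlock_page(page_m)` at the end of that helper), and only when a second pax_find_mirror_vma(vma) lookup agrees with the first, which mmap_sem makes stable but nothing here states. That lock handoff deserves a comment at the trylock, e.g. `/* PaX: lock new_page for the mirror update; pax_mirror_anon_pte() below unlocks it (mmap_sem keeps the mirror lookup stable) */`. The same split lock/unlock pattern recurs in do_anonymous_page and __do_fault further down. do_wp_page's body starts and ends outside this hunk.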
67828@@ -2707,6 +2906,10 @@ gotten:
67829 page_remove_rmap(old_page);
67830 }
67831
67832+#ifdef CONFIG_PAX_SEGMEXEC
67833+ pax_mirror_anon_pte(vma, address, new_page, ptl);
67834+#endif
67835+
67836 /* Free the old page.. */
67837 new_page = old_page;
67838 ret |= VM_FAULT_WRITE;
67839@@ -2986,6 +3189,11 @@ static int do_swap_page(struct mm_struct
67840 swap_free(entry);
67841 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
67842 try_to_free_swap(page);
67843+
67844+#ifdef CONFIG_PAX_SEGMEXEC
67845+ if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
67846+#endif
67847+
67848 unlock_page(page);
67849 if (swapcache) {
67850 /*
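Review bot: The `if` introduced under CONFIG_PAX_SEGMEXEC has no braces and governs `unlock_page(page)` on the far side of `#endif`, so any statement later inserted between them silently becomes the conditional one instead; the same `#endif`-straddling construct appears in do_mbind (mm/mempolicy.c, the `else` before `if (end > TASK_SIZE)`) and in the CONFIG_PAX_MPROTECT block of do_mmap_pgoff (mm/mmap.c, the shared `else` after `#endif`). Keeping the page locked on the mirrored read path is also undocumented here: it is released by pax_mirror_anon_pte in the following hunk. I would brace the conditional and say why: `/* PaX: on a mirrored read fault keep the page locked; pax_mirror_anon_pte() unlocks it */`. do_swap_page continues outside the hunk.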
67851@@ -3009,6 +3217,11 @@ static int do_swap_page(struct mm_struct
67852
67853 /* No need to invalidate - it was non-present before */
67854 update_mmu_cache(vma, address, page_table);
67855+
67856+#ifdef CONFIG_PAX_SEGMEXEC
67857+ pax_mirror_anon_pte(vma, address, page, ptl);
67858+#endif
67859+
67860 unlock:
67861 pte_unmap_unlock(page_table, ptl);
67862 out:
67863@@ -3028,40 +3241,6 @@ out_release:
67864 }
67865
67866 /*
67867- * This is like a special single-page "expand_{down|up}wards()",
67868- * except we must first make sure that 'address{-|+}PAGE_SIZE'
67869- * doesn't hit another vma.
67870- */
67871-static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
67872-{
67873- address &= PAGE_MASK;
67874- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
67875- struct vm_area_struct *prev = vma->vm_prev;
67876-
67877- /*
67878- * Is there a mapping abutting this one below?
67879- *
67880- * That's only ok if it's the same stack mapping
67881- * that has gotten split..
67882- */
67883- if (prev && prev->vm_end == address)
67884- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
67885-
67886- expand_downwards(vma, address - PAGE_SIZE);
67887- }
67888- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
67889- struct vm_area_struct *next = vma->vm_next;
67890-
67891- /* As VM_GROWSDOWN but s/below/above/ */
67892- if (next && next->vm_start == address + PAGE_SIZE)
67893- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
67894-
67895- expand_upwards(vma, address + PAGE_SIZE);
67896- }
67897- return 0;
67898-}
67899-
67900-/*
67901 * We enter with non-exclusive mmap_sem (to exclude vma changes,
67902 * but allow concurrent faults), and pte mapped but not yet locked.
67903 * We return with mmap_sem still held, but pte unmapped and unlocked.
67904@@ -3070,27 +3249,23 @@ static int do_anonymous_page(struct mm_s
67905 unsigned long address, pte_t *page_table, pmd_t *pmd,
67906 unsigned int flags)
67907 {
67908- struct page *page;
67909+ struct page *page = NULL;
67910 spinlock_t *ptl;
67911 pte_t entry;
67912
67913- pte_unmap(page_table);
67914-
67915- /* Check if we need to add a guard page to the stack */
67916- if (check_stack_guard_page(vma, address) < 0)
67917- return VM_FAULT_SIGBUS;
67918-
67919- /* Use the zero-page for reads */
67920 if (!(flags & FAULT_FLAG_WRITE)) {
67921 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
67922 vma->vm_page_prot));
67923- page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
67924+ ptl = pte_lockptr(mm, pmd);
67925+ spin_lock(ptl);
67926 if (!pte_none(*page_table))
67927 goto unlock;
67928 goto setpte;
67929 }
67930
67931 /* Allocate our own private page. */
67932+ pte_unmap(page_table);
67933+
67934 if (unlikely(anon_vma_prepare(vma)))
67935 goto oom;
67936 page = alloc_zeroed_user_highpage_movable(vma, address);
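Review bot: The removal of the check_stack_guard_page() call leaves do_anonymous_page with no visible replacement for the stack guard-page check, and nothing in the hunk says where that protection now lives; the new `sysctl_heap_stack_gap` definition in mm/mmap.c later in this patch suggests a mapping-time gap, but that is inferred rather than shown. A one-line comment at the removal site naming the replacing mechanism would spare the next reader the hunt, e.g. `/* PaX: the stack guard gap is enforced at mapping time, not at fault time */` (adjusted to the actual location). The reshuffled zero-page path keeps `page_table` mapped and takes only the ptl, which is consistent with the `pte_unmap_unlock(page_table, ptl)` at `unlock:` shown in a later hunk. The function body extends past the end of this hunk.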
67937@@ -3109,6 +3284,11 @@ static int do_anonymous_page(struct mm_s
67938 if (!pte_none(*page_table))
67939 goto release;
67940
67941+#ifdef CONFIG_PAX_SEGMEXEC
67942+ if (pax_find_mirror_vma(vma))
67943+ BUG_ON(!trylock_page(page));
67944+#endif
67945+
67946 inc_mm_counter_fast(mm, MM_ANONPAGES);
67947 page_add_new_anon_rmap(page, vma, address);
67948 setpte:
67949@@ -3116,6 +3296,12 @@ setpte:
67950
67951 /* No need to invalidate - it was non-present before */
67952 update_mmu_cache(vma, address, page_table);
67953+
67954+#ifdef CONFIG_PAX_SEGMEXEC
67955+ if (page)
67956+ pax_mirror_anon_pte(vma, address, page, ptl);
67957+#endif
67958+
67959 unlock:
67960 pte_unmap_unlock(page_table, ptl);
67961 return 0;
67962@@ -3259,6 +3445,12 @@ static int __do_fault(struct mm_struct *
67963 */
67964 /* Only go through if we didn't race with anybody else... */
67965 if (likely(pte_same(*page_table, orig_pte))) {
67966+
67967+#ifdef CONFIG_PAX_SEGMEXEC
67968+ if (anon && pax_find_mirror_vma(vma))
67969+ BUG_ON(!trylock_page(page));
67970+#endif
67971+
67972 flush_icache_page(vma, page);
67973 entry = mk_pte(page, vma->vm_page_prot);
67974 if (flags & FAULT_FLAG_WRITE)
67975@@ -3278,6 +3470,14 @@ static int __do_fault(struct mm_struct *
67976
67977 /* no need to invalidate: a not-present page won't be cached */
67978 update_mmu_cache(vma, address, page_table);
67979+
67980+#ifdef CONFIG_PAX_SEGMEXEC
67981+ if (anon)
67982+ pax_mirror_anon_pte(vma, address, page, ptl);
67983+ else
67984+ pax_mirror_file_pte(vma, address, page, ptl);
67985+#endif
67986+
67987 } else {
67988 if (cow_page)
67989 mem_cgroup_uncharge_page(cow_page);
67990@@ -3431,6 +3631,12 @@ int handle_pte_fault(struct mm_struct *m
67991 if (flags & FAULT_FLAG_WRITE)
67992 flush_tlb_fix_spurious_fault(vma, address);
67993 }
67994+
67995+#ifdef CONFIG_PAX_SEGMEXEC
67996+ pax_mirror_pte(vma, address, pte, pmd, ptl);
67997+ return 0;
67998+#endif
67999+
68000 unlock:
68001 pte_unmap_unlock(pte, ptl);
68002 return 0;
68003@@ -3447,6 +3653,10 @@ int handle_mm_fault(struct mm_struct *mm
68004 pmd_t *pmd;
68005 pte_t *pte;
68006
68007+#ifdef CONFIG_PAX_SEGMEXEC
68008+ struct vm_area_struct *vma_m;
68009+#endif
68010+
68011 __set_current_state(TASK_RUNNING);
68012
68013 count_vm_event(PGFAULT);
68014@@ -3458,6 +3668,34 @@ int handle_mm_fault(struct mm_struct *mm
68015 if (unlikely(is_vm_hugetlb_page(vma)))
68016 return hugetlb_fault(mm, vma, address, flags);
68017
68018+#ifdef CONFIG_PAX_SEGMEXEC
68019+ vma_m = pax_find_mirror_vma(vma);
68020+ if (vma_m) {
68021+ unsigned long address_m;
68022+ pgd_t *pgd_m;
68023+ pud_t *pud_m;
68024+ pmd_t *pmd_m;
68025+
68026+ if (vma->vm_start > vma_m->vm_start) {
68027+ address_m = address;
68028+ address -= SEGMEXEC_TASK_SIZE;
68029+ vma = vma_m;
68030+ } else
68031+ address_m = address + SEGMEXEC_TASK_SIZE;
68032+
68033+ pgd_m = pgd_offset(mm, address_m);
68034+ pud_m = pud_alloc(mm, pgd_m, address_m);
68035+ if (!pud_m)
68036+ return VM_FAULT_OOM;
68037+ pmd_m = pmd_alloc(mm, pud_m, address_m);
68038+ if (!pmd_m)
68039+ return VM_FAULT_OOM;
68040+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
68041+ return VM_FAULT_OOM;
68042+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
68043+ }
68044+#endif
68045+
68046 pgd = pgd_offset(mm, address);
68047 pud = pud_alloc(mm, pgd, address);
68048 if (!pud)
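Review bot: In the branch where the faulting vma is the upper mirror (`vma->vm_start > vma_m->vm_start`), `vma` is overwritten with `vma_m` but `vma_m` itself keeps pointing at the lower vma, so the subsequent `__pte_alloc(mm, vma_m, pmd_m, address_m)` and `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` pair the lower vma with the upper address; pax_unmap_mirror_pte hands that vma to vm_normal_page(), whose VM_PFNMAP offset arithmetic depends on vm_start. If mirror vmas are guaranteed to share flags and pgoff this is harmless and a comment should say so; otherwise the two pointers should be exchanged rather than one overwritten, e.g. `address_m = address;` / `address -= SEGMEXEC_TASK_SIZE;` / `swap(vma, vma_m);`. Whether faults on the upper half reach this path with the mirror vma is inferred, not visible here. handle_mm_fault continues beyond this hunk.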
68049@@ -3487,7 +3725,7 @@ int handle_mm_fault(struct mm_struct *mm
68050 * run pte_offset_map on the pmd, if an huge pmd could
68051 * materialize from under us from a different thread.
68052 */
68053- if (unlikely(pmd_none(*pmd)) && __pte_alloc(mm, vma, pmd, address))
68054+ if (unlikely(pmd_none(*pmd) && __pte_alloc(mm, vma, pmd, address)))
68055 return VM_FAULT_OOM;
68056 /* if an huge pmd materialized from under us just retry later */
68057 if (unlikely(pmd_trans_huge(*pmd)))
68058@@ -3591,7 +3829,7 @@ static int __init gate_vma_init(void)
68059 gate_vma.vm_start = FIXADDR_USER_START;
68060 gate_vma.vm_end = FIXADDR_USER_END;
68061 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
68062- gate_vma.vm_page_prot = __P101;
68063+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
68064 /*
68065 * Make sure the vDSO gets into every core dump.
68066 * Dumping its contents makes post-mortem fully interpretable later
68067diff -urNp linux-3.1.1/mm/memory-failure.c linux-3.1.1/mm/memory-failure.c
68068--- linux-3.1.1/mm/memory-failure.c 2011-11-11 15:19:27.000000000 -0500
68069+++ linux-3.1.1/mm/memory-failure.c 2011-11-16 18:39:08.000000000 -0500
68070@@ -60,7 +60,7 @@ int sysctl_memory_failure_early_kill __r
68071
68072 int sysctl_memory_failure_recovery __read_mostly = 1;
68073
68074-atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
68075+atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
68076
68077 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
68078
68079@@ -201,7 +201,7 @@ static int kill_proc_ao(struct task_stru
68080 si.si_signo = SIGBUS;
68081 si.si_errno = 0;
68082 si.si_code = BUS_MCEERR_AO;
68083- si.si_addr = (void *)addr;
68084+ si.si_addr = (void __user *)addr;
68085 #ifdef __ARCH_SI_TRAPNO
68086 si.si_trapno = trapno;
68087 #endif
68088@@ -1009,7 +1009,7 @@ int __memory_failure(unsigned long pfn,
68089 }
68090
68091 nr_pages = 1 << compound_trans_order(hpage);
68092- atomic_long_add(nr_pages, &mce_bad_pages);
68093+ atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
68094
68095 /*
68096 * We need/can do nothing about count=0 pages.
68097@@ -1039,7 +1039,7 @@ int __memory_failure(unsigned long pfn,
68098 if (!PageHWPoison(hpage)
68099 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
68100 || (p != hpage && TestSetPageHWPoison(hpage))) {
68101- atomic_long_sub(nr_pages, &mce_bad_pages);
68102+ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68103 return 0;
68104 }
68105 set_page_hwpoison_huge_page(hpage);
68106@@ -1097,7 +1097,7 @@ int __memory_failure(unsigned long pfn,
68107 }
68108 if (hwpoison_filter(p)) {
68109 if (TestClearPageHWPoison(p))
68110- atomic_long_sub(nr_pages, &mce_bad_pages);
68111+ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68112 unlock_page(hpage);
68113 put_page(hpage);
68114 return 0;
68115@@ -1314,7 +1314,7 @@ int unpoison_memory(unsigned long pfn)
68116 return 0;
68117 }
68118 if (TestClearPageHWPoison(p))
68119- atomic_long_sub(nr_pages, &mce_bad_pages);
68120+ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68121 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
68122 return 0;
68123 }
68124@@ -1328,7 +1328,7 @@ int unpoison_memory(unsigned long pfn)
68125 */
68126 if (TestClearPageHWPoison(page)) {
68127 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
68128- atomic_long_sub(nr_pages, &mce_bad_pages);
68129+ atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
68130 freeit = 1;
68131 if (PageHuge(page))
68132 clear_page_hwpoison_huge_page(page);
68133@@ -1441,7 +1441,7 @@ static int soft_offline_huge_page(struct
68134 }
68135 done:
68136 if (!PageHWPoison(hpage))
68137- atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
68138+ atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
68139 set_page_hwpoison_huge_page(hpage);
68140 dequeue_hwpoisoned_huge_page(hpage);
68141 /* keep elevated page count for bad page */
68142@@ -1572,7 +1572,7 @@ int soft_offline_page(struct page *page,
68143 return ret;
68144
68145 done:
68146- atomic_long_add(1, &mce_bad_pages);
68147+ atomic_long_add_unchecked(1, &mce_bad_pages);
68148 SetPageHWPoison(page);
68149 /* keep elevated page count for bad page */
68150 return ret;
68151diff -urNp linux-3.1.1/mm/mempolicy.c linux-3.1.1/mm/mempolicy.c
68152--- linux-3.1.1/mm/mempolicy.c 2011-11-11 15:19:27.000000000 -0500
68153+++ linux-3.1.1/mm/mempolicy.c 2011-11-16 18:40:44.000000000 -0500
68154@@ -639,6 +639,10 @@ static int mbind_range(struct mm_struct
68155 unsigned long vmstart;
68156 unsigned long vmend;
68157
68158+#ifdef CONFIG_PAX_SEGMEXEC
68159+ struct vm_area_struct *vma_m;
68160+#endif
68161+
68162 vma = find_vma_prev(mm, start, &prev);
68163 if (!vma || vma->vm_start > start)
68164 return -EFAULT;
68165@@ -669,6 +673,16 @@ static int mbind_range(struct mm_struct
68166 err = policy_vma(vma, new_pol);
68167 if (err)
68168 goto out;
68169+
68170+#ifdef CONFIG_PAX_SEGMEXEC
68171+ vma_m = pax_find_mirror_vma(vma);
68172+ if (vma_m) {
68173+ err = policy_vma(vma_m, new_pol);
68174+ if (err)
68175+ goto out;
68176+ }
68177+#endif
68178+
68179 }
68180
68181 out:
68182@@ -1102,6 +1116,17 @@ static long do_mbind(unsigned long start
68183
68184 if (end < start)
68185 return -EINVAL;
68186+
68187+#ifdef CONFIG_PAX_SEGMEXEC
68188+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
68189+ if (end > SEGMEXEC_TASK_SIZE)
68190+ return -EINVAL;
68191+ } else
68192+#endif
68193+
68194+ if (end > TASK_SIZE)
68195+ return -EINVAL;
68196+
68197 if (end == start)
68198 return 0;
68199
68200@@ -1320,6 +1345,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
68201 if (!mm)
68202 goto out;
68203
68204+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68205+ if (mm != current->mm &&
68206+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
68207+ err = -EPERM;
68208+ goto out;
68209+ }
68210+#endif
68211+
68212 /*
68213 * Check if this process has the right to modify the specified
68214 * process. The right exists if the process has administrative
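Review bot: The CONFIG_GRKERNSEC_PROC_MEMMAP block added here is repeated verbatim in move_pages (mm/migrate.c, later in this patch), and the flag test spells the two bits out as separate `&` terms; `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)` reads more directly and cannot be mis-bracketed when a third flag is added. Lifting the check into one shared helper taking the target mm (name to be chosen) would keep the two syscalls from drifting. The intent, refusing to operate on another task's mm when its layout is randomized or mirrored regardless of the caller's credentials since the check sits before the credential test, is worth a short comment as well. SYSCALL_DEFINE4(migrate_pages) continues outside the hunk.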
68215@@ -1329,8 +1362,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
68216 rcu_read_lock();
68217 tcred = __task_cred(task);
68218 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
68219- cred->uid != tcred->suid && cred->uid != tcred->uid &&
68220- !capable(CAP_SYS_NICE)) {
68221+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
68222 rcu_read_unlock();
68223 err = -EPERM;
68224 goto out;
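Review bot: Dropping `cred->uid != tcred->uid` from the conjunction makes the permission test stricter: a caller whose real uid merely matches the target's real uid is now refused unless an effective-uid clause, the saved-uid clause or CAP_SYS_NICE applies, and the hunk carries no comment saying why. The identical edit appears in move_pages (mm/migrate.c) later in this patch. Add a line at the condition, e.g. `/* a matching real uid alone no longer grants access: require an euid match, a saved-uid match or CAP_SYS_NICE */`, so the deliberate tightening is not reverted as an apparent typo. The function continues past the hunk.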
68225diff -urNp linux-3.1.1/mm/migrate.c linux-3.1.1/mm/migrate.c
68226--- linux-3.1.1/mm/migrate.c 2011-11-11 15:19:27.000000000 -0500
68227+++ linux-3.1.1/mm/migrate.c 2011-11-16 18:40:44.000000000 -0500
68228@@ -1124,6 +1124,8 @@ static int do_pages_move(struct mm_struc
68229 unsigned long chunk_start;
68230 int err;
68231
68232+ pax_track_stack();
68233+
68234 task_nodes = cpuset_mems_allowed(task);
68235
68236 err = -ENOMEM;
68237@@ -1308,6 +1310,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
68238 if (!mm)
68239 return -EINVAL;
68240
68241+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68242+ if (mm != current->mm &&
68243+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
68244+ err = -EPERM;
68245+ goto out;
68246+ }
68247+#endif
68248+
68249 /*
68250 * Check if this process has the right to modify the specified
68251 * process. The right exists if the process has administrative
68252@@ -1317,8 +1327,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
68253 rcu_read_lock();
68254 tcred = __task_cred(task);
68255 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
68256- cred->uid != tcred->suid && cred->uid != tcred->uid &&
68257- !capable(CAP_SYS_NICE)) {
68258+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
68259 rcu_read_unlock();
68260 err = -EPERM;
68261 goto out;
68262diff -urNp linux-3.1.1/mm/mlock.c linux-3.1.1/mm/mlock.c
68263--- linux-3.1.1/mm/mlock.c 2011-11-11 15:19:27.000000000 -0500
68264+++ linux-3.1.1/mm/mlock.c 2011-11-16 18:40:44.000000000 -0500
68265@@ -13,6 +13,7 @@
68266 #include <linux/pagemap.h>
68267 #include <linux/mempolicy.h>
68268 #include <linux/syscalls.h>
68269+#include <linux/security.h>
68270 #include <linux/sched.h>
68271 #include <linux/module.h>
68272 #include <linux/rmap.h>
68273@@ -377,6 +378,9 @@ static int do_mlock(unsigned long start,
68274 return -EINVAL;
68275 if (end == start)
68276 return 0;
68277+ if (end > TASK_SIZE)
68278+ return -EINVAL;
68279+
68280 vma = find_vma_prev(current->mm, start, &prev);
68281 if (!vma || vma->vm_start > start)
68282 return -ENOMEM;
68283@@ -387,6 +391,11 @@ static int do_mlock(unsigned long start,
68284 for (nstart = start ; ; ) {
68285 vm_flags_t newflags;
68286
68287+#ifdef CONFIG_PAX_SEGMEXEC
68288+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
68289+ break;
68290+#endif
68291+
68292 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
68293
68294 newflags = vma->vm_flags | VM_LOCKED;
68295@@ -492,6 +501,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
68296 lock_limit >>= PAGE_SHIFT;
68297
68298 /* check against resource limits */
68299+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
68300 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
68301 error = do_mlock(start, len, 1);
68302 up_write(&current->mm->mmap_sem);
68303@@ -515,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
68304 static int do_mlockall(int flags)
68305 {
68306 struct vm_area_struct * vma, * prev = NULL;
68307- unsigned int def_flags = 0;
68308
68309 if (flags & MCL_FUTURE)
68310- def_flags = VM_LOCKED;
68311- current->mm->def_flags = def_flags;
68312+ current->mm->def_flags |= VM_LOCKED;
68313+ else
68314+ current->mm->def_flags &= ~VM_LOCKED;
68315 if (flags == MCL_FUTURE)
68316 goto out;
68317
68318 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
68319 vm_flags_t newflags;
68320
68321+#ifdef CONFIG_PAX_SEGMEXEC
68322+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
68323+ break;
68324+#endif
68325+
68326+ BUG_ON(vma->vm_end > TASK_SIZE);
68327 newflags = vma->vm_flags | VM_LOCKED;
68328 if (!(flags & MCL_CURRENT))
68329 newflags &= ~VM_LOCKED;
68330@@ -557,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
68331 lock_limit >>= PAGE_SHIFT;
68332
68333 ret = -ENOMEM;
68334+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
68335 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
68336 capable(CAP_IPC_LOCK))
68337 ret = do_mlockall(flags);
68338diff -urNp linux-3.1.1/mm/mmap.c linux-3.1.1/mm/mmap.c
68339--- linux-3.1.1/mm/mmap.c 2011-11-11 15:19:27.000000000 -0500
68340+++ linux-3.1.1/mm/mmap.c 2011-11-16 18:40:44.000000000 -0500
68341@@ -46,6 +46,16 @@
68342 #define arch_rebalance_pgtables(addr, len) (addr)
68343 #endif
68344
68345+static inline void verify_mm_writelocked(struct mm_struct *mm)
68346+{
68347+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
68348+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
68349+ up_read(&mm->mmap_sem);
68350+ BUG();
68351+ }
68352+#endif
68353+}
68354+
68355 static void unmap_region(struct mm_struct *mm,
68356 struct vm_area_struct *vma, struct vm_area_struct *prev,
68357 unsigned long start, unsigned long end);
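Review bot: verify_mm_writelocked has no comment explaining its trick: a successful down_read_trylock() proves no writer holds mmap_sem, so the BUG() fires both when the caller forgot the lock and when it holds only the read side. Under CONFIG_PAX the check is live in production builds, so every caller pays a trylock/up_read pair and a violation is an oops rather than a warning, which is worth stating at the definition. I would document it as `/* BUG unless mmap_sem is write-held by the caller: a read trylock can only succeed when no writer owns it (a read-side holder trips this too). Active in non-debug builds under CONFIG_PAX. */`.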
68358@@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
68359 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
68360 *
68361 */
68362-pgprot_t protection_map[16] = {
68363+pgprot_t protection_map[16] __read_only = {
68364 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
68365 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
68366 };
68367
68368-pgprot_t vm_get_page_prot(unsigned long vm_flags)
68369+pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
68370 {
68371- return __pgprot(pgprot_val(protection_map[vm_flags &
68372+ pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
68373 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
68374 pgprot_val(arch_vm_get_page_prot(vm_flags)));
68375+
68376+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68377+ if (!(__supported_pte_mask & _PAGE_NX) &&
68378+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
68379+ (vm_flags & (VM_READ | VM_WRITE)))
68380+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
68381+#endif
68382+
68383+ return prot;
68384 }
68385 EXPORT_SYMBOL(vm_get_page_prot);
68386
68387 int sysctl_overcommit_memory __read_mostly = OVERCOMMIT_GUESS; /* heuristic overcommit */
68388 int sysctl_overcommit_ratio __read_mostly = 50; /* default is 50% */
68389 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
68390+unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
68391 /*
68392 * Make sure vm_committed_as in one cacheline and not cacheline shared with
68393 * other variables. It can be updated by several CPUs frequently.
68394@@ -228,6 +248,7 @@ static struct vm_area_struct *remove_vma
68395 struct vm_area_struct *next = vma->vm_next;
68396
68397 might_sleep();
68398+ BUG_ON(vma->vm_mirror);
68399 if (vma->vm_ops && vma->vm_ops->close)
68400 vma->vm_ops->close(vma);
68401 if (vma->vm_file) {
68402@@ -272,6 +293,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
68403 * not page aligned -Ram Gupta
68404 */
68405 rlim = rlimit(RLIMIT_DATA);
68406+ gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
68407 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
68408 (mm->end_data - mm->start_data) > rlim)
68409 goto out;
68410@@ -689,6 +711,12 @@ static int
68411 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
68412 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68413 {
68414+
68415+#ifdef CONFIG_PAX_SEGMEXEC
68416+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
68417+ return 0;
68418+#endif
68419+
68420 if (is_mergeable_vma(vma, file, vm_flags) &&
68421 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
68422 if (vma->vm_pgoff == vm_pgoff)
68423@@ -708,6 +736,12 @@ static int
68424 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
68425 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68426 {
68427+
68428+#ifdef CONFIG_PAX_SEGMEXEC
68429+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
68430+ return 0;
68431+#endif
68432+
68433 if (is_mergeable_vma(vma, file, vm_flags) &&
68434 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
68435 pgoff_t vm_pglen;
68436@@ -750,13 +784,20 @@ can_vma_merge_after(struct vm_area_struc
68437 struct vm_area_struct *vma_merge(struct mm_struct *mm,
68438 struct vm_area_struct *prev, unsigned long addr,
68439 unsigned long end, unsigned long vm_flags,
68440- struct anon_vma *anon_vma, struct file *file,
68441+ struct anon_vma *anon_vma, struct file *file,
68442 pgoff_t pgoff, struct mempolicy *policy)
68443 {
68444 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
68445 struct vm_area_struct *area, *next;
68446 int err;
68447
68448+#ifdef CONFIG_PAX_SEGMEXEC
68449+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
68450+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
68451+
68452+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
68453+#endif
68454+
68455 /*
68456 * We later require that vma->vm_flags == vm_flags,
68457 * so this tests vma->vm_flags & VM_SPECIAL, too.
68458@@ -772,6 +813,15 @@ struct vm_area_struct *vma_merge(struct
68459 if (next && next->vm_end == end) /* cases 6, 7, 8 */
68460 next = next->vm_next;
68461
68462+#ifdef CONFIG_PAX_SEGMEXEC
68463+ if (prev)
68464+ prev_m = pax_find_mirror_vma(prev);
68465+ if (area)
68466+ area_m = pax_find_mirror_vma(area);
68467+ if (next)
68468+ next_m = pax_find_mirror_vma(next);
68469+#endif
68470+
68471 /*
68472 * Can it merge with the predecessor?
68473 */
68474@@ -791,9 +841,24 @@ struct vm_area_struct *vma_merge(struct
68475 /* cases 1, 6 */
68476 err = vma_adjust(prev, prev->vm_start,
68477 next->vm_end, prev->vm_pgoff, NULL);
68478- } else /* cases 2, 5, 7 */
68479+
68480+#ifdef CONFIG_PAX_SEGMEXEC
68481+ if (!err && prev_m)
68482+ err = vma_adjust(prev_m, prev_m->vm_start,
68483+ next_m->vm_end, prev_m->vm_pgoff, NULL);
68484+#endif
68485+
68486+ } else { /* cases 2, 5, 7 */
68487 err = vma_adjust(prev, prev->vm_start,
68488 end, prev->vm_pgoff, NULL);
68489+
68490+#ifdef CONFIG_PAX_SEGMEXEC
68491+ if (!err && prev_m)
68492+ err = vma_adjust(prev_m, prev_m->vm_start,
68493+ end_m, prev_m->vm_pgoff, NULL);
68494+#endif
68495+
68496+ }
68497 if (err)
68498 return NULL;
68499 khugepaged_enter_vma_merge(prev);
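Review bot: `next_m->vm_end` is read whenever `prev_m` is non-NULL, so the code relies on the invariant that when prev has a mirror, next does too; that holds if mirrors exist exactly for VM_EXEC vmas and the merge already required equal flags, but nothing states it, and a `BUG_ON(!next_m)` or a comment at that line would make the assumption visible (the same implicit pairing appears in the cases 3/8 hunk below with `area_m`/`next_m`). A second concern: if the primary vma_adjust() succeeds and the mirror one then fails, the function returns NULL with the lower and upper halves already diverged; whether callers can recover from that is not visible here, so a comment on the failure ordering, or arranging the mirror adjust so it cannot fail after the primary, seems warranted. vma_merge continues outside the hunk.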
68500@@ -807,12 +872,27 @@ struct vm_area_struct *vma_merge(struct
68501 mpol_equal(policy, vma_policy(next)) &&
68502 can_vma_merge_before(next, vm_flags,
68503 anon_vma, file, pgoff+pglen)) {
68504- if (prev && addr < prev->vm_end) /* case 4 */
68505+ if (prev && addr < prev->vm_end) { /* case 4 */
68506 err = vma_adjust(prev, prev->vm_start,
68507 addr, prev->vm_pgoff, NULL);
68508- else /* cases 3, 8 */
68509+
68510+#ifdef CONFIG_PAX_SEGMEXEC
68511+ if (!err && prev_m)
68512+ err = vma_adjust(prev_m, prev_m->vm_start,
68513+ addr_m, prev_m->vm_pgoff, NULL);
68514+#endif
68515+
68516+ } else { /* cases 3, 8 */
68517 err = vma_adjust(area, addr, next->vm_end,
68518 next->vm_pgoff - pglen, NULL);
68519+
68520+#ifdef CONFIG_PAX_SEGMEXEC
68521+ if (!err && area_m)
68522+ err = vma_adjust(area_m, addr_m, next_m->vm_end,
68523+ next_m->vm_pgoff - pglen, NULL);
68524+#endif
68525+
68526+ }
68527 if (err)
68528 return NULL;
68529 khugepaged_enter_vma_merge(area);
68530@@ -921,14 +1001,11 @@ none:
68531 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
68532 struct file *file, long pages)
68533 {
68534- const unsigned long stack_flags
68535- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
68536-
68537 if (file) {
68538 mm->shared_vm += pages;
68539 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
68540 mm->exec_vm += pages;
68541- } else if (flags & stack_flags)
68542+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
68543 mm->stack_vm += pages;
68544 if (flags & (VM_RESERVED|VM_IO))
68545 mm->reserved_vm += pages;
68546@@ -955,7 +1032,7 @@ unsigned long do_mmap_pgoff(struct file
68547 * (the exception is when the underlying filesystem is noexec
68548 * mounted, in which case we dont add PROT_EXEC.)
68549 */
68550- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
68551+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
68552 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
68553 prot |= PROT_EXEC;
68554
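Review bot: Widening the READ_IMPLIES_EXEC test from PROT_READ to `PROT_READ | PROT_WRITE` changes which user mappings silently gain PROT_EXEC, and the hunk offers no rationale; presumably the reasoning is that a writable page is also readable at the page-table level on the architectures where this personality matters, so a write-only request should get the same treatment. That deserves a comment at the condition, e.g. `/* PaX: PROT_WRITE implies PROT_READ in the page tables, so treat it like a read for READ_IMPLIES_EXEC */`, or an extension of the unchanged comment block above it. do_mmap_pgoff continues beyond the hunk.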
68555@@ -981,7 +1058,7 @@ unsigned long do_mmap_pgoff(struct file
68556 /* Obtain the address to map to. we verify (or select) it and ensure
68557 * that it represents a valid section of the address space.
68558 */
68559- addr = get_unmapped_area(file, addr, len, pgoff, flags);
68560+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
68561 if (addr & ~PAGE_MASK)
68562 return addr;
68563
68564@@ -992,6 +1069,36 @@ unsigned long do_mmap_pgoff(struct file
68565 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
68566 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
68567
68568+#ifdef CONFIG_PAX_MPROTECT
68569+ if (mm->pax_flags & MF_PAX_MPROTECT) {
68570+#ifndef CONFIG_PAX_MPROTECT_COMPAT
68571+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
68572+ gr_log_rwxmmap(file);
68573+
68574+#ifdef CONFIG_PAX_EMUPLT
68575+ vm_flags &= ~VM_EXEC;
68576+#else
68577+ return -EPERM;
68578+#endif
68579+
68580+ }
68581+
68582+ if (!(vm_flags & VM_EXEC))
68583+ vm_flags &= ~VM_MAYEXEC;
68584+#else
68585+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
68586+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
68587+#endif
68588+ else
68589+ vm_flags &= ~VM_MAYWRITE;
68590+ }
68591+#endif
68592+
68593+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68594+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
68595+ vm_flags &= ~VM_PAGEEXEC;
68596+#endif
68597+
68598 if (flags & MAP_LOCKED)
68599 if (!can_do_mlock())
68600 return -EPERM;
68601@@ -1003,6 +1110,7 @@ unsigned long do_mmap_pgoff(struct file
68602 locked += mm->locked_vm;
68603 lock_limit = rlimit(RLIMIT_MEMLOCK);
68604 lock_limit >>= PAGE_SHIFT;
68605+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
68606 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
68607 return -EAGAIN;
68608 }
68609@@ -1073,6 +1181,9 @@ unsigned long do_mmap_pgoff(struct file
68610 if (error)
68611 return error;
68612
68613+ if (!gr_acl_handle_mmap(file, prot))
68614+ return -EACCES;
68615+
68616 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
68617 }
68618 EXPORT_SYMBOL(do_mmap_pgoff);
68619@@ -1153,7 +1264,7 @@ int vma_wants_writenotify(struct vm_area
68620 vm_flags_t vm_flags = vma->vm_flags;
68621
68622 /* If it was private or non-writable, the write bit is already clear */
68623- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
68624+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
68625 return 0;
68626
68627 /* The backer wishes to know when pages are first written to? */
68628@@ -1202,14 +1313,24 @@ unsigned long mmap_region(struct file *f
68629 unsigned long charged = 0;
68630 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
68631
68632+#ifdef CONFIG_PAX_SEGMEXEC
68633+ struct vm_area_struct *vma_m = NULL;
68634+#endif
68635+
68636+ /*
68637+ * mm->mmap_sem is required to protect against another thread
68638+ * changing the mappings in case we sleep.
68639+ */
68640+ verify_mm_writelocked(mm);
68641+
68642 /* Clear old maps */
68643 error = -ENOMEM;
68644-munmap_back:
68645 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68646 if (vma && vma->vm_start < addr + len) {
68647 if (do_munmap(mm, addr, len))
68648 return -ENOMEM;
68649- goto munmap_back;
68650+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68651+ BUG_ON(vma && vma->vm_start < addr + len);
68652 }
68653
68654 /* Check against address space limit. */
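Review bot: Replacing the `munmap_back` retry loop with one re-lookup and `BUG_ON(vma && vma->vm_start < addr + len);` turns a leftover overlap after do_munmap() into a kernel panic on the mmap path; with mmap_sem held for writing the retry should indeed be unnecessary, but `if (WARN_ON_ONCE(vma && vma->vm_start < addr + len)) return -ENOMEM;` fails safe for the caller rather than for the whole system. The same replacement appears in do_brk. The `verify_mm_writelocked(mm);` call added here (and in __do_munmap) comes before the point where the patch deletes the static inline near SYSCALL_DEFINE2(munmap), so the definition must now live earlier in the file or in a header not shown in this view. mmap_region continues outside the hunk.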
68655@@ -1258,6 +1379,16 @@ munmap_back:
68656 goto unacct_error;
68657 }
68658
68659+#ifdef CONFIG_PAX_SEGMEXEC
68660+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
68661+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
68662+ if (!vma_m) {
68663+ error = -ENOMEM;
68664+ goto free_vma;
68665+ }
68666+ }
68667+#endif
68668+
68669 vma->vm_mm = mm;
68670 vma->vm_start = addr;
68671 vma->vm_end = addr + len;
68672@@ -1281,6 +1412,19 @@ munmap_back:
68673 error = file->f_op->mmap(file, vma);
68674 if (error)
68675 goto unmap_and_free_vma;
68676+
68677+#ifdef CONFIG_PAX_SEGMEXEC
68678+ if (vma_m && (vm_flags & VM_EXECUTABLE))
68679+ added_exe_file_vma(mm);
68680+#endif
68681+
68682+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68683+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
68684+ vma->vm_flags |= VM_PAGEEXEC;
68685+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
68686+ }
68687+#endif
68688+
68689 if (vm_flags & VM_EXECUTABLE)
68690 added_exe_file_vma(mm);
68691
68692@@ -1316,6 +1460,11 @@ munmap_back:
68693 vma_link(mm, vma, prev, rb_link, rb_parent);
68694 file = vma->vm_file;
68695
68696+#ifdef CONFIG_PAX_SEGMEXEC
68697+ if (vma_m)
68698+ BUG_ON(pax_mirror_vma(vma_m, vma));
68699+#endif
68700+
68701 /* Once vma denies write, undo our temporary denial count */
68702 if (correct_wcount)
68703 atomic_inc(&inode->i_writecount);
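Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma));` panics on the only error pax_mirror_vma() returns, which is -ENOMEM from anon_vma_clone(), so an allocation failure under memory pressure becomes a crash rather than a failed mmap; insert_vm_struct uses the same pattern. Since vma has already been linked by vma_link() at this point, a graceful error path would have to undo that before returning -ENOMEM, which is presumably why BUG_ON was chosen — a comment such as `/* vma is already linked; a mirror failure cannot be unwound here and is treated as fatal */` would at least record the trade-off. mmap_region continues outside the hunk.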
68704@@ -1324,6 +1473,7 @@ out:
68705
68706 mm->total_vm += len >> PAGE_SHIFT;
68707 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
68708+ track_exec_limit(mm, addr, addr + len, vm_flags);
68709 if (vm_flags & VM_LOCKED) {
68710 if (!mlock_vma_pages_range(vma, addr, addr + len))
68711 mm->locked_vm += (len >> PAGE_SHIFT);
68712@@ -1341,6 +1491,12 @@ unmap_and_free_vma:
68713 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
68714 charged = 0;
68715 free_vma:
68716+
68717+#ifdef CONFIG_PAX_SEGMEXEC
68718+ if (vma_m)
68719+ kmem_cache_free(vm_area_cachep, vma_m);
68720+#endif
68721+
68722 kmem_cache_free(vm_area_cachep, vma);
68723 unacct_error:
68724 if (charged)
68725@@ -1348,6 +1504,44 @@ unacct_error:
68726 return error;
68727 }
68728
68729+bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
68730+{
68731+ if (!vma) {
68732+#ifdef CONFIG_STACK_GROWSUP
68733+ if (addr > sysctl_heap_stack_gap)
68734+ vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
68735+ else
68736+ vma = find_vma(current->mm, 0);
68737+ if (vma && (vma->vm_flags & VM_GROWSUP))
68738+ return false;
68739+#endif
68740+ return true;
68741+ }
68742+
68743+ if (addr + len > vma->vm_start)
68744+ return false;
68745+
68746+ if (vma->vm_flags & VM_GROWSDOWN)
68747+ return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
68748+#ifdef CONFIG_STACK_GROWSUP
68749+ else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
68750+ return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
68751+#endif
68752+
68753+ return true;
68754+}
68755+
68756+unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
68757+{
68758+ if (vma->vm_start < len)
68759+ return -ENOMEM;
68760+ if (!(vma->vm_flags & VM_GROWSDOWN))
68761+ return vma->vm_start - len;
68762+ if (sysctl_heap_stack_gap <= vma->vm_start - len)
68763+ return vma->vm_start - len - sysctl_heap_stack_gap;
68764+ return -ENOMEM;
68765+}
68766+
68767 /* Get an address range which is currently unmapped.
68768 * For shmat() with addr=0.
68769 *
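Review bot: The CONFIG_STACK_GROWSUP branch of check_heap_stack_gap reads inverted relative to the VM_GROWSDOWN branch: `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` yields true when the gap to the upward-growing stack is small, whereas the line above yields true only when the gap is at least sysctl_heap_stack_gap; `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;` would match the intent of the other branch. Both helpers are undocumented; a header such as `/* true if [addr, addr+len) fits below vma and keeps sysctl_heap_stack_gap from an adjacent stack vma; vma is the first mapping ending above addr, or NULL */` on check_heap_stack_gap and `/* highest start that fits below vma (minus the gap for a growsdown vma); -ENOMEM when nothing fits */` on skip_heap_stack_gap would explain the contract the callers rely on. skip_heap_stack_gap returns an error code through an unsigned long, which only the callers' IS_ERR_VALUE() test makes visible.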
68770@@ -1374,18 +1568,23 @@ arch_get_unmapped_area(struct file *filp
68771 if (flags & MAP_FIXED)
68772 return addr;
68773
68774+#ifdef CONFIG_PAX_RANDMMAP
68775+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68776+#endif
68777+
68778 if (addr) {
68779 addr = PAGE_ALIGN(addr);
68780- vma = find_vma(mm, addr);
68781- if (TASK_SIZE - len >= addr &&
68782- (!vma || addr + len <= vma->vm_start))
68783- return addr;
68784+ if (TASK_SIZE - len >= addr) {
68785+ vma = find_vma(mm, addr);
68786+ if (check_heap_stack_gap(vma, addr, len))
68787+ return addr;
68788+ }
68789 }
68790 if (len > mm->cached_hole_size) {
68791- start_addr = addr = mm->free_area_cache;
68792+ start_addr = addr = mm->free_area_cache;
68793 } else {
68794- start_addr = addr = TASK_UNMAPPED_BASE;
68795- mm->cached_hole_size = 0;
68796+ start_addr = addr = mm->mmap_base;
68797+ mm->cached_hole_size = 0;
68798 }
68799
68800 full_search:
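Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` sequence leaves a brace-less `if` whose body is the `if (addr) { ... }` block after a blank line, so the caller's hint is honoured only when randomisation is off; that is correct but fragile, since any statement inserted between the two would silently become the controlled one. A comment at the `#endif`, e.g. `/* with RANDMMAP the caller's hint is ignored; the if (addr) block below is the body of the #ifdef'd if */`, or braces around the `if (addr)` block placed inside the `#ifdef`, would make it robust. The same construct recurs in arch_get_unmapped_area_topdown. arch_get_unmapped_area begins outside this hunk.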
68801@@ -1396,34 +1595,40 @@ full_search:
68802 * Start a new search - just in case we missed
68803 * some holes.
68804 */
68805- if (start_addr != TASK_UNMAPPED_BASE) {
68806- addr = TASK_UNMAPPED_BASE;
68807- start_addr = addr;
68808+ if (start_addr != mm->mmap_base) {
68809+ start_addr = addr = mm->mmap_base;
68810 mm->cached_hole_size = 0;
68811 goto full_search;
68812 }
68813 return -ENOMEM;
68814 }
68815- if (!vma || addr + len <= vma->vm_start) {
68816- /*
68817- * Remember the place where we stopped the search:
68818- */
68819- mm->free_area_cache = addr + len;
68820- return addr;
68821- }
68822+ if (check_heap_stack_gap(vma, addr, len))
68823+ break;
68824 if (addr + mm->cached_hole_size < vma->vm_start)
68825 mm->cached_hole_size = vma->vm_start - addr;
68826 addr = vma->vm_end;
68827 }
68828+
68829+ /*
68830+ * Remember the place where we stopped the search:
68831+ */
68832+ mm->free_area_cache = addr + len;
68833+ return addr;
68834 }
68835 #endif
68836
68837 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
68838 {
68839+
68840+#ifdef CONFIG_PAX_SEGMEXEC
68841+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68842+ return;
68843+#endif
68844+
68845 /*
68846 * Is this a new hole at the lowest possible address?
68847 */
68848- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
68849+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
68850 mm->free_area_cache = addr;
68851 mm->cached_hole_size = ~0UL;
68852 }
68853@@ -1441,7 +1646,7 @@ arch_get_unmapped_area_topdown(struct fi
68854 {
68855 struct vm_area_struct *vma;
68856 struct mm_struct *mm = current->mm;
68857- unsigned long addr = addr0;
68858+ unsigned long base = mm->mmap_base, addr = addr0;
68859
68860 /* requested length too big for entire address space */
68861 if (len > TASK_SIZE)
68862@@ -1450,13 +1655,18 @@ arch_get_unmapped_area_topdown(struct fi
68863 if (flags & MAP_FIXED)
68864 return addr;
68865
68866+#ifdef CONFIG_PAX_RANDMMAP
68867+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68868+#endif
68869+
68870 /* requesting a specific address */
68871 if (addr) {
68872 addr = PAGE_ALIGN(addr);
68873- vma = find_vma(mm, addr);
68874- if (TASK_SIZE - len >= addr &&
68875- (!vma || addr + len <= vma->vm_start))
68876- return addr;
68877+ if (TASK_SIZE - len >= addr) {
68878+ vma = find_vma(mm, addr);
68879+ if (check_heap_stack_gap(vma, addr, len))
68880+ return addr;
68881+ }
68882 }
68883
68884 /* check if free_area_cache is useful for us */
68885@@ -1471,7 +1681,7 @@ arch_get_unmapped_area_topdown(struct fi
68886 /* make sure it can fit in the remaining address space */
68887 if (addr > len) {
68888 vma = find_vma(mm, addr-len);
68889- if (!vma || addr <= vma->vm_start)
68890+ if (check_heap_stack_gap(vma, addr - len, len))
68891 /* remember the address as a hint for next time */
68892 return (mm->free_area_cache = addr-len);
68893 }
68894@@ -1488,7 +1698,7 @@ arch_get_unmapped_area_topdown(struct fi
68895 * return with success:
68896 */
68897 vma = find_vma(mm, addr);
68898- if (!vma || addr+len <= vma->vm_start)
68899+ if (check_heap_stack_gap(vma, addr, len))
68900 /* remember the address as a hint for next time */
68901 return (mm->free_area_cache = addr);
68902
68903@@ -1497,8 +1707,8 @@ arch_get_unmapped_area_topdown(struct fi
68904 mm->cached_hole_size = vma->vm_start - addr;
68905
68906 /* try just below the current vma->vm_start */
68907- addr = vma->vm_start-len;
68908- } while (len < vma->vm_start);
68909+ addr = skip_heap_stack_gap(vma, len);
68910+ } while (!IS_ERR_VALUE(addr));
68911
68912 bottomup:
68913 /*
68914@@ -1507,13 +1717,21 @@ bottomup:
68915 * can happen with large stack limits and large mmap()
68916 * allocations.
68917 */
68918+ mm->mmap_base = TASK_UNMAPPED_BASE;
68919+
68920+#ifdef CONFIG_PAX_RANDMMAP
68921+ if (mm->pax_flags & MF_PAX_RANDMMAP)
68922+ mm->mmap_base += mm->delta_mmap;
68923+#endif
68924+
68925+ mm->free_area_cache = mm->mmap_base;
68926 mm->cached_hole_size = ~0UL;
68927- mm->free_area_cache = TASK_UNMAPPED_BASE;
68928 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
68929 /*
68930 * Restore the topdown base:
68931 */
68932- mm->free_area_cache = mm->mmap_base;
68933+ mm->mmap_base = base;
68934+ mm->free_area_cache = base;
68935 mm->cached_hole_size = ~0UL;
68936
68937 return addr;
68938@@ -1522,6 +1740,12 @@ bottomup:
68939
68940 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
68941 {
68942+
68943+#ifdef CONFIG_PAX_SEGMEXEC
68944+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68945+ return;
68946+#endif
68947+
68948 /*
68949 * Is this a new hole at the highest possible address?
68950 */
68951@@ -1529,8 +1753,10 @@ void arch_unmap_area_topdown(struct mm_s
68952 mm->free_area_cache = addr;
68953
68954 /* dont allow allocations above current base */
68955- if (mm->free_area_cache > mm->mmap_base)
68956+ if (mm->free_area_cache > mm->mmap_base) {
68957 mm->free_area_cache = mm->mmap_base;
68958+ mm->cached_hole_size = ~0UL;
68959+ }
68960 }
68961
68962 unsigned long
68963@@ -1638,6 +1864,28 @@ out:
68964 return prev ? prev->vm_next : vma;
68965 }
68966
68967+#ifdef CONFIG_PAX_SEGMEXEC
68968+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
68969+{
68970+ struct vm_area_struct *vma_m;
68971+
68972+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
68973+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
68974+ BUG_ON(vma->vm_mirror);
68975+ return NULL;
68976+ }
68977+ BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
68978+ vma_m = vma->vm_mirror;
68979+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
68980+ BUG_ON(vma->vm_file != vma_m->vm_file);
68981+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
68982+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
68983+ BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
68984+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
68985+ return vma_m;
68986+}
68987+#endif
68988+
68989 /*
68990 * Verify that the stack growth is acceptable and
68991 * update accounting. This is shared with both the
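Review bot: `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);` dereferences both anon_vma pointers whenever they differ, so if exactly one of them is NULL the assertion itself oopses with a NULL dereference instead of reporting the inconsistency; `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));` keeps the intent and is safe to evaluate. Whether a mirror pair can actually have one NULL anon_vma depends on anon_vma_clone() ordering elsewhere, so treat this as hardening of the assertion. A one-line header, `/* return the SEGMEXEC mirror of an executable vma, asserting the pair is consistent; NULL when the mm or vma is not mirrored */`, would document the contract that expand_downwards and __split_vma rely on.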
68992@@ -1654,6 +1902,7 @@ static int acct_stack_growth(struct vm_a
68993 return -ENOMEM;
68994
68995 /* Stack limit test */
68996+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
68997 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
68998 return -ENOMEM;
68999
69000@@ -1664,6 +1913,7 @@ static int acct_stack_growth(struct vm_a
69001 locked = mm->locked_vm + grow;
69002 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
69003 limit >>= PAGE_SHIFT;
69004+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
69005 if (locked > limit && !capable(CAP_IPC_LOCK))
69006 return -ENOMEM;
69007 }
69008@@ -1694,37 +1944,48 @@ static int acct_stack_growth(struct vm_a
69009 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
69010 * vma is the last one with address > vma->vm_end. Have to extend vma.
69011 */
69012+#ifndef CONFIG_IA64
69013+static
69014+#endif
69015 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
69016 {
69017 int error;
69018+ bool locknext;
69019
69020 if (!(vma->vm_flags & VM_GROWSUP))
69021 return -EFAULT;
69022
69023+ /* Also guard against wrapping around to address 0. */
69024+ if (address < PAGE_ALIGN(address+1))
69025+ address = PAGE_ALIGN(address+1);
69026+ else
69027+ return -ENOMEM;
69028+
69029 /*
69030 * We must make sure the anon_vma is allocated
69031 * so that the anon_vma locking is not a noop.
69032 */
69033 if (unlikely(anon_vma_prepare(vma)))
69034 return -ENOMEM;
69035+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
69036+ if (locknext && anon_vma_prepare(vma->vm_next))
69037+ return -ENOMEM;
69038 vma_lock_anon_vma(vma);
69039+ if (locknext)
69040+ vma_lock_anon_vma(vma->vm_next);
69041
69042 /*
69043 * vma->vm_start/vm_end cannot change under us because the caller
69044 * is required to hold the mmap_sem in read mode. We need the
69045- * anon_vma lock to serialize against concurrent expand_stacks.
69046- * Also guard against wrapping around to address 0.
69047+ * anon_vma locks to serialize against concurrent expand_stacks
69048+ * and expand_upwards.
69049 */
69050- if (address < PAGE_ALIGN(address+4))
69051- address = PAGE_ALIGN(address+4);
69052- else {
69053- vma_unlock_anon_vma(vma);
69054- return -ENOMEM;
69055- }
69056 error = 0;
69057
69058 /* Somebody else might have raced and expanded it already */
69059- if (address > vma->vm_end) {
69060+ if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
69061+ error = -ENOMEM;
69062+ else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
69063 unsigned long size, grow;
69064
69065 size = address - vma->vm_start;
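Review bot: The new guard `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is unsigned arithmetic, so if address were ever at or above vm_next->vm_start the difference would wrap and the check would pass; the callers in this kernel (find_extend_vma) appear to guarantee address < vm_next->vm_start, but writing `vma->vm_next->vm_start <= address || vma->vm_next->vm_start - address < sysctl_heap_stack_gap` removes the dependency on the caller. The mirror check in expand_downwards, `address - prev->vm_end < sysctl_heap_stack_gap`, has the same shape. The two-lock sequence (vma, then vma->vm_next here; prev, then vma in expand_downwards) always takes the lower-addressed vma's anon_vma first, which is what keeps the two paths from deadlocking and is worth recording with `/* lock order: lower-addressed vma first, matching expand_downwards */`. expand_upwards continues outside the hunk.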
69066@@ -1739,6 +2000,8 @@ int expand_upwards(struct vm_area_struct
69067 }
69068 }
69069 }
69070+ if (locknext)
69071+ vma_unlock_anon_vma(vma->vm_next);
69072 vma_unlock_anon_vma(vma);
69073 khugepaged_enter_vma_merge(vma);
69074 return error;
69075@@ -1752,6 +2015,8 @@ int expand_downwards(struct vm_area_stru
69076 unsigned long address)
69077 {
69078 int error;
69079+ bool lockprev = false;
69080+ struct vm_area_struct *prev;
69081
69082 /*
69083 * We must make sure the anon_vma is allocated
69084@@ -1765,6 +2030,15 @@ int expand_downwards(struct vm_area_stru
69085 if (error)
69086 return error;
69087
69088+ prev = vma->vm_prev;
69089+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
69090+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
69091+#endif
69092+ if (lockprev && anon_vma_prepare(prev))
69093+ return -ENOMEM;
69094+ if (lockprev)
69095+ vma_lock_anon_vma(prev);
69096+
69097 vma_lock_anon_vma(vma);
69098
69099 /*
69100@@ -1774,9 +2048,17 @@ int expand_downwards(struct vm_area_stru
69101 */
69102
69103 /* Somebody else might have raced and expanded it already */
69104- if (address < vma->vm_start) {
69105+ if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
69106+ error = -ENOMEM;
69107+ else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
69108 unsigned long size, grow;
69109
69110+#ifdef CONFIG_PAX_SEGMEXEC
69111+ struct vm_area_struct *vma_m;
69112+
69113+ vma_m = pax_find_mirror_vma(vma);
69114+#endif
69115+
69116 size = vma->vm_end - address;
69117 grow = (vma->vm_start - address) >> PAGE_SHIFT;
69118
69119@@ -1786,11 +2068,22 @@ int expand_downwards(struct vm_area_stru
69120 if (!error) {
69121 vma->vm_start = address;
69122 vma->vm_pgoff -= grow;
69123+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
69124+
69125+#ifdef CONFIG_PAX_SEGMEXEC
69126+ if (vma_m) {
69127+ vma_m->vm_start -= grow << PAGE_SHIFT;
69128+ vma_m->vm_pgoff -= grow;
69129+ }
69130+#endif
69131+
69132 perf_event_mmap(vma);
69133 }
69134 }
69135 }
69136 vma_unlock_anon_vma(vma);
69137+ if (lockprev)
69138+ vma_unlock_anon_vma(prev);
69139 khugepaged_enter_vma_merge(vma);
69140 return error;
69141 }
69142@@ -1860,6 +2153,13 @@ static void remove_vma_list(struct mm_st
69143 do {
69144 long nrpages = vma_pages(vma);
69145
69146+#ifdef CONFIG_PAX_SEGMEXEC
69147+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
69148+ vma = remove_vma(vma);
69149+ continue;
69150+ }
69151+#endif
69152+
69153 mm->total_vm -= nrpages;
69154 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
69155 vma = remove_vma(vma);
69156@@ -1905,6 +2205,16 @@ detach_vmas_to_be_unmapped(struct mm_str
69157 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
69158 vma->vm_prev = NULL;
69159 do {
69160+
69161+#ifdef CONFIG_PAX_SEGMEXEC
69162+ if (vma->vm_mirror) {
69163+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
69164+ vma->vm_mirror->vm_mirror = NULL;
69165+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
69166+ vma->vm_mirror = NULL;
69167+ }
69168+#endif
69169+
69170 rb_erase(&vma->vm_rb, &mm->mm_rb);
69171 mm->map_count--;
69172 tail_vma = vma;
69173@@ -1933,14 +2243,33 @@ static int __split_vma(struct mm_struct
69174 struct vm_area_struct *new;
69175 int err = -ENOMEM;
69176
69177+#ifdef CONFIG_PAX_SEGMEXEC
69178+ struct vm_area_struct *vma_m, *new_m = NULL;
69179+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
69180+#endif
69181+
69182 if (is_vm_hugetlb_page(vma) && (addr &
69183 ~(huge_page_mask(hstate_vma(vma)))))
69184 return -EINVAL;
69185
69186+#ifdef CONFIG_PAX_SEGMEXEC
69187+ vma_m = pax_find_mirror_vma(vma);
69188+#endif
69189+
69190 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
69191 if (!new)
69192 goto out_err;
69193
69194+#ifdef CONFIG_PAX_SEGMEXEC
69195+ if (vma_m) {
69196+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
69197+ if (!new_m) {
69198+ kmem_cache_free(vm_area_cachep, new);
69199+ goto out_err;
69200+ }
69201+ }
69202+#endif
69203+
69204 /* most fields are the same, copy all, and then fixup */
69205 *new = *vma;
69206
69207@@ -1953,6 +2282,22 @@ static int __split_vma(struct mm_struct
69208 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
69209 }
69210
69211+#ifdef CONFIG_PAX_SEGMEXEC
69212+ if (vma_m) {
69213+ *new_m = *vma_m;
69214+ INIT_LIST_HEAD(&new_m->anon_vma_chain);
69215+ new_m->vm_mirror = new;
69216+ new->vm_mirror = new_m;
69217+
69218+ if (new_below)
69219+ new_m->vm_end = addr_m;
69220+ else {
69221+ new_m->vm_start = addr_m;
69222+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
69223+ }
69224+ }
69225+#endif
69226+
69227 pol = mpol_dup(vma_policy(vma));
69228 if (IS_ERR(pol)) {
69229 err = PTR_ERR(pol);
69230@@ -1978,6 +2323,42 @@ static int __split_vma(struct mm_struct
69231 else
69232 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
69233
69234+#ifdef CONFIG_PAX_SEGMEXEC
69235+ if (!err && vma_m) {
69236+ if (anon_vma_clone(new_m, vma_m))
69237+ goto out_free_mpol;
69238+
69239+ mpol_get(pol);
69240+ vma_set_policy(new_m, pol);
69241+
69242+ if (new_m->vm_file) {
69243+ get_file(new_m->vm_file);
69244+ if (vma_m->vm_flags & VM_EXECUTABLE)
69245+ added_exe_file_vma(mm);
69246+ }
69247+
69248+ if (new_m->vm_ops && new_m->vm_ops->open)
69249+ new_m->vm_ops->open(new_m);
69250+
69251+ if (new_below)
69252+ err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
69253+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
69254+ else
69255+ err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
69256+
69257+ if (err) {
69258+ if (new_m->vm_ops && new_m->vm_ops->close)
69259+ new_m->vm_ops->close(new_m);
69260+ if (new_m->vm_file) {
69261+ if (vma_m->vm_flags & VM_EXECUTABLE)
69262+ removed_exe_file_vma(mm);
69263+ fput(new_m->vm_file);
69264+ }
69265+ mpol_put(pol);
69266+ }
69267+ }
69268+#endif
69269+
69270 /* Success. */
69271 if (!err)
69272 return 0;
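Review bot: The mirror setup runs after the primary split has already succeeded (`err` is 0 and `new` has been inserted by vma_adjust), yet `if (anon_vma_clone(new_m, vma_m)) goto out_free_mpol;` jumps into the unwind path that frees `new` via out_free_vma while it is still linked into mm->mmap, and because err was not updated the function then returns 0. The same applies when the mirror's own vma_adjust fails: `err` becomes non-zero, so the tail of the function tears down `new` although the primary adjust is not undone. If that reading is right, either the mirror must be prepared (anon_vma_clone, policy, file reference) before the primary vma_adjust so that both halves can still be abandoned cleanly, or the failure paths after the primary adjust need their own unwind that leaves `new` in place. __split_vma continues outside the hunk.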
69273@@ -1990,10 +2371,18 @@ static int __split_vma(struct mm_struct
69274 removed_exe_file_vma(mm);
69275 fput(new->vm_file);
69276 }
69277- unlink_anon_vmas(new);
69278 out_free_mpol:
69279 mpol_put(pol);
69280 out_free_vma:
69281+
69282+#ifdef CONFIG_PAX_SEGMEXEC
69283+ if (new_m) {
69284+ unlink_anon_vmas(new_m);
69285+ kmem_cache_free(vm_area_cachep, new_m);
69286+ }
69287+#endif
69288+
69289+ unlink_anon_vmas(new);
69290 kmem_cache_free(vm_area_cachep, new);
69291 out_err:
69292 return err;
69293@@ -2006,6 +2395,15 @@ static int __split_vma(struct mm_struct
69294 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
69295 unsigned long addr, int new_below)
69296 {
69297+
69298+#ifdef CONFIG_PAX_SEGMEXEC
69299+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
69300+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
69301+ if (mm->map_count >= sysctl_max_map_count-1)
69302+ return -ENOMEM;
69303+ } else
69304+#endif
69305+
69306 if (mm->map_count >= sysctl_max_map_count)
69307 return -ENOMEM;
69308
69309@@ -2017,11 +2415,30 @@ int split_vma(struct mm_struct *mm, stru
69310 * work. This now handles partial unmappings.
69311 * Jeremy Fitzhardinge <jeremy@goop.org>
69312 */
69313+#ifdef CONFIG_PAX_SEGMEXEC
69314 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69315 {
69316+ int ret = __do_munmap(mm, start, len);
69317+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
69318+ return ret;
69319+
69320+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
69321+}
69322+
69323+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69324+#else
69325+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
69326+#endif
69327+{
69328 unsigned long end;
69329 struct vm_area_struct *vma, *prev, *last;
69330
69331+ /*
69332+ * mm->mmap_sem is required to protect against another thread
69333+ * changing the mappings in case we sleep.
69334+ */
69335+ verify_mm_writelocked(mm);
69336+
69337 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
69338 return -EINVAL;
69339
69340@@ -2096,6 +2513,8 @@ int do_munmap(struct mm_struct *mm, unsi
69341 /* Fix up all other VM information */
69342 remove_vma_list(mm, vma);
69343
69344+ track_exec_limit(mm, start, end, 0UL);
69345+
69346 return 0;
69347 }
69348
69349@@ -2108,22 +2527,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
69350
69351 profile_munmap(addr);
69352
69353+#ifdef CONFIG_PAX_SEGMEXEC
69354+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
69355+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
69356+ return -EINVAL;
69357+#endif
69358+
69359 down_write(&mm->mmap_sem);
69360 ret = do_munmap(mm, addr, len);
69361 up_write(&mm->mmap_sem);
69362 return ret;
69363 }
69364
69365-static inline void verify_mm_writelocked(struct mm_struct *mm)
69366-{
69367-#ifdef CONFIG_DEBUG_VM
69368- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
69369- WARN_ON(1);
69370- up_read(&mm->mmap_sem);
69371- }
69372-#endif
69373-}
69374-
69375 /*
69376 * this is really a simplified "do_mmap". it only handles
69377 * anonymous maps. eventually we may be able to do some
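Review bot: The static inline verify_mm_writelocked() is deleted here, but the patch adds calls to it in mmap_region and __do_munmap, both of which precede this point in the file; unless the helper now comes from a header or was re-added earlier in mmap.c (not visible in this view), the file will no longer build. A short comment at the new call sites, `/* verify_mm_writelocked: CONFIG_DEBUG_VM-only check that mmap_sem is held for writing */`, would also help, since the debug-only nature of the check is no longer visible next to its users. sys_munmap begins outside this hunk.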
69378@@ -2137,6 +2552,7 @@ unsigned long do_brk(unsigned long addr,
69379 struct rb_node ** rb_link, * rb_parent;
69380 pgoff_t pgoff = addr >> PAGE_SHIFT;
69381 int error;
69382+ unsigned long charged;
69383
69384 len = PAGE_ALIGN(len);
69385 if (!len)
69386@@ -2148,16 +2564,30 @@ unsigned long do_brk(unsigned long addr,
69387
69388 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
69389
69390+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
69391+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
69392+ flags &= ~VM_EXEC;
69393+
69394+#ifdef CONFIG_PAX_MPROTECT
69395+ if (mm->pax_flags & MF_PAX_MPROTECT)
69396+ flags &= ~VM_MAYEXEC;
69397+#endif
69398+
69399+ }
69400+#endif
69401+
69402 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
69403 if (error & ~PAGE_MASK)
69404 return error;
69405
69406+ charged = len >> PAGE_SHIFT;
69407+
69408 /*
69409 * mlock MCL_FUTURE?
69410 */
69411 if (mm->def_flags & VM_LOCKED) {
69412 unsigned long locked, lock_limit;
69413- locked = len >> PAGE_SHIFT;
69414+ locked = charged;
69415 locked += mm->locked_vm;
69416 lock_limit = rlimit(RLIMIT_MEMLOCK);
69417 lock_limit >>= PAGE_SHIFT;
69418@@ -2174,22 +2604,22 @@ unsigned long do_brk(unsigned long addr,
69419 /*
69420 * Clear old maps. this also does some error checking for us
69421 */
69422- munmap_back:
69423 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69424 if (vma && vma->vm_start < addr + len) {
69425 if (do_munmap(mm, addr, len))
69426 return -ENOMEM;
69427- goto munmap_back;
69428+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69429+ BUG_ON(vma && vma->vm_start < addr + len);
69430 }
69431
69432 /* Check against address space limits *after* clearing old maps... */
69433- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
69434+ if (!may_expand_vm(mm, charged))
69435 return -ENOMEM;
69436
69437 if (mm->map_count > sysctl_max_map_count)
69438 return -ENOMEM;
69439
69440- if (security_vm_enough_memory(len >> PAGE_SHIFT))
69441+ if (security_vm_enough_memory(charged))
69442 return -ENOMEM;
69443
69444 /* Can we just expand an old private anonymous mapping? */
69445@@ -2203,7 +2633,7 @@ unsigned long do_brk(unsigned long addr,
69446 */
69447 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69448 if (!vma) {
69449- vm_unacct_memory(len >> PAGE_SHIFT);
69450+ vm_unacct_memory(charged);
69451 return -ENOMEM;
69452 }
69453
69454@@ -2217,11 +2647,12 @@ unsigned long do_brk(unsigned long addr,
69455 vma_link(mm, vma, prev, rb_link, rb_parent);
69456 out:
69457 perf_event_mmap(vma);
69458- mm->total_vm += len >> PAGE_SHIFT;
69459+ mm->total_vm += charged;
69460 if (flags & VM_LOCKED) {
69461 if (!mlock_vma_pages_range(vma, addr, addr + len))
69462- mm->locked_vm += (len >> PAGE_SHIFT);
69463+ mm->locked_vm += charged;
69464 }
69465+ track_exec_limit(mm, addr, addr + len, flags);
69466 return addr;
69467 }
69468
69469@@ -2268,8 +2699,10 @@ void exit_mmap(struct mm_struct *mm)
69470 * Walk the list again, actually closing and freeing it,
69471 * with preemption enabled, without holding any MM locks.
69472 */
69473- while (vma)
69474+ while (vma) {
69475+ vma->vm_mirror = NULL;
69476 vma = remove_vma(vma);
69477+ }
69478
69479 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
69480 }
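Review bot: `vma->vm_mirror = NULL;` in exit_mmap is written outside any `#ifdef CONFIG_PAX_SEGMEXEC`, while every other access to vm_mirror in this file (mmap_region, detach_vmas_to_be_unmapped, __split_vma, pax_find_mirror_vma, pax_mirror_vma) is guarded; the same unguarded access appears as `BUG_ON(vma->vm_mirror);` in copy_vma. If the field is only declared under that option the build breaks without it, and if it is declared unconditionally the guards elsewhere are inconsistent — either way one convention should be chosen. The reason the back-pointer must be cleared before remove_vma() is not visible here and deserves a comment on this line. exit_mmap begins outside this hunk.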
69481@@ -2283,6 +2716,13 @@ int insert_vm_struct(struct mm_struct *
69482 struct vm_area_struct * __vma, * prev;
69483 struct rb_node ** rb_link, * rb_parent;
69484
69485+#ifdef CONFIG_PAX_SEGMEXEC
69486+ struct vm_area_struct *vma_m = NULL;
69487+#endif
69488+
69489+ if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
69490+ return -EPERM;
69491+
69492 /*
69493 * The vm_pgoff of a purely anonymous vma should be irrelevant
69494 * until its first write fault, when page's anon_vma and index
69495@@ -2305,7 +2745,22 @@ int insert_vm_struct(struct mm_struct *
69496 if ((vma->vm_flags & VM_ACCOUNT) &&
69497 security_vm_enough_memory_mm(mm, vma_pages(vma)))
69498 return -ENOMEM;
69499+
69500+#ifdef CONFIG_PAX_SEGMEXEC
69501+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
69502+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69503+ if (!vma_m)
69504+ return -ENOMEM;
69505+ }
69506+#endif
69507+
69508 vma_link(mm, vma, prev, rb_link, rb_parent);
69509+
69510+#ifdef CONFIG_PAX_SEGMEXEC
69511+ if (vma_m)
69512+ BUG_ON(pax_mirror_vma(vma_m, vma));
69513+#endif
69514+
69515 return 0;
69516 }
69517
69518@@ -2323,6 +2778,8 @@ struct vm_area_struct *copy_vma(struct v
69519 struct rb_node **rb_link, *rb_parent;
69520 struct mempolicy *pol;
69521
69522+ BUG_ON(vma->vm_mirror);
69523+
69524 /*
69525 * If anonymous vma has not yet been faulted, update new pgoff
69526 * to match new location, to increase its chance of merging.
69527@@ -2373,6 +2830,39 @@ struct vm_area_struct *copy_vma(struct v
69528 return NULL;
69529 }
69530
69531+#ifdef CONFIG_PAX_SEGMEXEC
69532+long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
69533+{
69534+ struct vm_area_struct *prev_m;
69535+ struct rb_node **rb_link_m, *rb_parent_m;
69536+ struct mempolicy *pol_m;
69537+
69538+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
69539+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
69540+ BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
69541+ *vma_m = *vma;
69542+ INIT_LIST_HEAD(&vma_m->anon_vma_chain);
69543+ if (anon_vma_clone(vma_m, vma))
69544+ return -ENOMEM;
69545+ pol_m = vma_policy(vma_m);
69546+ mpol_get(pol_m);
69547+ vma_set_policy(vma_m, pol_m);
69548+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
69549+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
69550+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
69551+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
69552+ if (vma_m->vm_file)
69553+ get_file(vma_m->vm_file);
69554+ if (vma_m->vm_ops && vma_m->vm_ops->open)
69555+ vma_m->vm_ops->open(vma_m);
69556+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
69557+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
69558+ vma_m->vm_mirror = vma;
69559+ vma->vm_mirror = vma_m;
69560+ return 0;
69561+}
69562+#endif
69563+
69564 /*
69565 * Return true if the calling process may expand its vm space by the passed
69566 * number of pages
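Review bot: pax_mirror_vma() has no header comment although it enforces several preconditions with BUG_ON and has a non-obvious contract: vma_m is caller-allocated, it is overwritten wholesale by `*vma_m = *vma;`, relocated by SEGMEXEC_TASK_SIZE, stripped of VM_WRITE/VM_MAYWRITE/VM_ACCOUNT/VM_LOCKED, linked into the mm, and cross-linked through vm_mirror, with -ENOMEM returned only from anon_vma_clone(). A comment stating that — and that on -ENOMEM nothing has been linked and the caller still owns and frees vma_m — would document what mmap_region and insert_vm_struct depend on. The return type is `long` while the callers only test for non-zero; `int` would match the other error returns in this file, though that is a style choice.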
69567@@ -2383,7 +2873,7 @@ int may_expand_vm(struct mm_struct *mm,
69568 unsigned long lim;
69569
69570 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
69571-
69572+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
69573 if (cur + npages > lim)
69574 return 0;
69575 return 1;
69576@@ -2454,6 +2944,22 @@ int install_special_mapping(struct mm_st
69577 vma->vm_start = addr;
69578 vma->vm_end = addr + len;
69579
69580+#ifdef CONFIG_PAX_MPROTECT
69581+ if (mm->pax_flags & MF_PAX_MPROTECT) {
69582+#ifndef CONFIG_PAX_MPROTECT_COMPAT
69583+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
69584+ return -EPERM;
69585+ if (!(vm_flags & VM_EXEC))
69586+ vm_flags &= ~VM_MAYEXEC;
69587+#else
69588+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
69589+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
69590+#endif
69591+ else
69592+ vm_flags &= ~VM_MAYWRITE;
69593+ }
69594+#endif
69595+
69596 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
69597 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
69598
69599diff -urNp linux-3.1.1/mm/mprotect.c linux-3.1.1/mm/mprotect.c
69600--- linux-3.1.1/mm/mprotect.c 2011-11-11 15:19:27.000000000 -0500
69601+++ linux-3.1.1/mm/mprotect.c 2011-11-16 18:40:44.000000000 -0500
69602@@ -23,10 +23,16 @@
69603 #include <linux/mmu_notifier.h>
69604 #include <linux/migrate.h>
69605 #include <linux/perf_event.h>
69606+
69607+#ifdef CONFIG_PAX_MPROTECT
69608+#include <linux/elf.h>
69609+#endif
69610+
69611 #include <asm/uaccess.h>
69612 #include <asm/pgtable.h>
69613 #include <asm/cacheflush.h>
69614 #include <asm/tlbflush.h>
69615+#include <asm/mmu_context.h>
69616
69617 #ifndef pgprot_modify
69618 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
69619@@ -141,6 +147,48 @@ static void change_protection(struct vm_
69620 flush_tlb_range(vma, start, end);
69621 }
69622
69623+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69624+/* called while holding the mmap semaphor for writing except stack expansion */
69625+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
69626+{
69627+ unsigned long oldlimit, newlimit = 0UL;
69628+
69629+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
69630+ return;
69631+
69632+ spin_lock(&mm->page_table_lock);
69633+ oldlimit = mm->context.user_cs_limit;
69634+ if ((prot & VM_EXEC) && oldlimit < end)
69635+ /* USER_CS limit moved up */
69636+ newlimit = end;
69637+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
69638+ /* USER_CS limit moved down */
69639+ newlimit = start;
69640+
69641+ if (newlimit) {
69642+ mm->context.user_cs_limit = newlimit;
69643+
69644+#ifdef CONFIG_SMP
69645+ wmb();
69646+ cpus_clear(mm->context.cpu_user_cs_mask);
69647+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
69648+#endif
69649+
69650+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
69651+ }
69652+ spin_unlock(&mm->page_table_lock);
69653+ if (newlimit == end) {
69654+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
69655+
69656+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
69657+ if (is_vm_hugetlb_page(vma))
69658+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
69659+ else
69660+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
69661+ }
69662+}
69663+#endif
69664+
69665 int
69666 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
69667 unsigned long start, unsigned long end, unsigned long newflags)
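Review bot: track_exec_limit() is called from other files in this same patch (mremap.c) but its only documentation is the one-line `semaphor` comment; nothing states that `prot` carries VM_* flags rather than PROT_* bits, or that the VMA walk after `spin_unlock()` relies on the mmap_sem held by the caller, which is exactly what a caller needs to know to use it safely. A short header comment giving the caller's locking obligation (including the stack-expansion exception the existing comment hints at), the VM_* meaning of `prot`, and what the two `newlimit` cases represent would make the contract checkable at each call site and fix the typo at the same time. `cpus_clear()`/`cpu_set()` are the older cpumask helpers; if this tree otherwise uses `cpumask_clear()`/`cpumask_set_cpu()`, prefer those for consistency.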
69668@@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
69669 int error;
69670 int dirty_accountable = 0;
69671
69672+#ifdef CONFIG_PAX_SEGMEXEC
69673+ struct vm_area_struct *vma_m = NULL;
69674+ unsigned long start_m, end_m;
69675+
69676+ start_m = start + SEGMEXEC_TASK_SIZE;
69677+ end_m = end + SEGMEXEC_TASK_SIZE;
69678+#endif
69679+
69680 if (newflags == oldflags) {
69681 *pprev = vma;
69682 return 0;
69683 }
69684
69685+ if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
69686+ struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
69687+
69688+ if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
69689+ return -ENOMEM;
69690+
69691+ if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
69692+ return -ENOMEM;
69693+ }
69694+
69695 /*
69696 * If we make a private mapping writable we increase our commit;
69697 * but (without finer accounting) cannot reduce our commit if we
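Review bot: The new heap/stack gap check tests `newflags` alone, so it also rejects an mprotect that only lowers permissions (for example RW to R) on a mapping that already sits within `sysctl_heap_stack_gap` of a growing stack, leaving such a mapping stuck with the wider permissions. If the gap is meant to be enforced only when an inaccessible mapping becomes accessible, `if ((newflags & ~oldflags) & (VM_READ | VM_WRITE | VM_EXEC))` expresses that; if the stricter behaviour is intended, a comment saying so would stop the next reader from "fixing" it. `start_m`/`end_m` are computed here but first used in the SEGMEXEC block further down, and mprotect_fixup() continues past this hunk.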
69698@@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
69699 }
69700 }
69701
69702+#ifdef CONFIG_PAX_SEGMEXEC
69703+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
69704+ if (start != vma->vm_start) {
69705+ error = split_vma(mm, vma, start, 1);
69706+ if (error)
69707+ goto fail;
69708+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
69709+ *pprev = (*pprev)->vm_next;
69710+ }
69711+
69712+ if (end != vma->vm_end) {
69713+ error = split_vma(mm, vma, end, 0);
69714+ if (error)
69715+ goto fail;
69716+ }
69717+
69718+ if (pax_find_mirror_vma(vma)) {
69719+ error = __do_munmap(mm, start_m, end_m - start_m);
69720+ if (error)
69721+ goto fail;
69722+ } else {
69723+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69724+ if (!vma_m) {
69725+ error = -ENOMEM;
69726+ goto fail;
69727+ }
69728+ vma->vm_flags = newflags;
69729+ error = pax_mirror_vma(vma_m, vma);
69730+ if (error) {
69731+ vma->vm_flags = oldflags;
69732+ goto fail;
69733+ }
69734+ }
69735+ }
69736+#endif
69737+
69738 /*
69739 * First try to merge with previous and/or next vma.
69740 */
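Review bot: When `pax_mirror_vma()` fails, the freshly zalloc'd `vma_m` is not released before `goto fail` unless pax_mirror_vma() frees it itself on error; its error path is outside this hunk (only the successful tail is visible earlier in the patch), so either confirm that or add `kmem_cache_free(vm_area_cachep, vma_m);` next to the `vma->vm_flags = oldflags;` restore. The temporary `vma->vm_flags = newflags;` deserves a comment such as `/* the mirror copies vm_flags: let it see newflags, restore on failure */`, since a reader otherwise sees flags being committed before the merge logic below. The `fail` label and the remainder of mprotect_fixup() are outside the hunk.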
69741@@ -204,9 +306,21 @@ success:
69742 * vm_flags and vm_page_prot are protected by the mmap_sem
69743 * held in write mode.
69744 */
69745+
69746+#ifdef CONFIG_PAX_SEGMEXEC
69747+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
69748+ pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
69749+#endif
69750+
69751 vma->vm_flags = newflags;
69752+
69753+#ifdef CONFIG_PAX_MPROTECT
69754+ if (mm->binfmt && mm->binfmt->handle_mprotect)
69755+ mm->binfmt->handle_mprotect(vma, newflags);
69756+#endif
69757+
69758 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
69759- vm_get_page_prot(newflags));
69760+ vm_get_page_prot(vma->vm_flags));
69761
69762 if (vma_wants_writenotify(vma)) {
69763 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
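Review bot: `vm_get_page_prot(vma->vm_flags)` now reflects whatever `handle_mprotect()` did to `vma->vm_flags`, but the `vma_wants_writenotify()` branch on the last line of the hunk still derives `vm_page_prot` from `newflags & ~VM_SHARED`, so in that case the handler's adjustments are dropped again; `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED);` keeps the two paths consistent. `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences without a NULL check; it presumably relies on the SEGMEXEC block earlier in the function having created the mirror whenever `newflags` has VM_EXEC, and a one-line comment or `BUG_ON` stating that invariant would make the dependency explicit.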
69764@@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69765 end = start + len;
69766 if (end <= start)
69767 return -ENOMEM;
69768+
69769+#ifdef CONFIG_PAX_SEGMEXEC
69770+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
69771+ if (end > SEGMEXEC_TASK_SIZE)
69772+ return -EINVAL;
69773+ } else
69774+#endif
69775+
69776+ if (end > TASK_SIZE)
69777+ return -EINVAL;
69778+
69779 if (!arch_validate_prot(prot))
69780 return -EINVAL;
69781
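Review bot: The `} else` before `#endif` pairs with the following `if (end > TASK_SIZE)` across a preprocessor boundary and a blank line, which reads as two independent checks and is easy to break when editing. The mremap.c hunks in this same patch handle the identical case with a `pax_task_size` local overridden under CONFIG_PAX_SEGMEXEC and a single comparison; doing the same here keeps the two files consistent (the declaration belongs with the function's other locals, outside the hunk). Whether the mprotect path deliberately does not subtract PAGE_SIZE the way mremap_to() does is not stated; a comment either way would help.
```c
	unsigned long pax_task_size = TASK_SIZE;	/* declare with the other locals */
	/* … unchanged: start/len/end validation … */
#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		pax_task_size = SEGMEXEC_TASK_SIZE;
#endif
	if (end > pax_task_size)
		return -EINVAL;
```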
69782@@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69783 /*
69784 * Does the application expect PROT_READ to imply PROT_EXEC:
69785 */
69786- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
69787+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
69788 prot |= PROT_EXEC;
69789
69790 vm_flags = calc_vm_prot_bits(prot);
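Review bot: The comment two lines above the change still says `Does the application expect PROT_READ to imply PROT_EXEC`, but the condition now also promotes PROT_WRITE requests, so the comment no longer matches the code. Update it to `* Does the application expect PROT_READ (or PROT_WRITE) to imply PROT_EXEC:` and, since this widens the legacy behaviour, add one line saying why a write-only request should also gain exec under READ_IMPLIES_EXEC.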
69791@@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69792 if (start > vma->vm_start)
69793 prev = vma;
69794
69795+#ifdef CONFIG_PAX_MPROTECT
69796+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
69797+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
69798+#endif
69799+
69800 for (nstart = start ; ; ) {
69801 unsigned long newflags;
69802
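Review bot: `handle_mprotect()` is called here on the first VMA with the requested `vm_flags`, and again from mprotect_fixup() (earlier hunk in this file) for every VMA with `newflags`; nothing states why the extra up-front call on only the first VMA is needed, and a range spanning several VMAs gets it once here and once per VMA below. A comment explaining the intent of the early call, which I can only infer, would document it for the next reader. The call's result, if it has one, is ignored; confirm the hook is void.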
69803@@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69804
69805 /* newflags >> 4 shift VM_MAY% in place of VM_% */
69806 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
69807+ if (prot & (PROT_WRITE | PROT_EXEC))
69808+ gr_log_rwxmprotect(vma->vm_file);
69809+
69810+ error = -EACCES;
69811+ goto out;
69812+ }
69813+
69814+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
69815 error = -EACCES;
69816 goto out;
69817 }
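Review bot: `gr_log_rwxmprotect()` fires whenever the denied request carries PROT_WRITE or PROT_EXEC, so a write-only request against a mapping whose VM_MAYWRITE has been cleared is logged under the same name as a W+X request. If the log is meant only for attempts that would end in W|X, the condition should be `(prot & (PROT_WRITE | PROT_EXEC)) == (PROT_WRITE | PROT_EXEC)`; if any denied W or X request is intended, a comment saying so avoids the misreading. The enclosing loop continues past the hunk.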
69818@@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69819 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
69820 if (error)
69821 goto out;
69822+
69823+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
69824+
69825 nstart = tmp;
69826
69827 if (nstart < prev->vm_end)
69828diff -urNp linux-3.1.1/mm/mremap.c linux-3.1.1/mm/mremap.c
69829--- linux-3.1.1/mm/mremap.c 2011-11-11 15:19:27.000000000 -0500
69830+++ linux-3.1.1/mm/mremap.c 2011-11-16 18:39:08.000000000 -0500
69831@@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
69832 continue;
69833 pte = ptep_clear_flush(vma, old_addr, old_pte);
69834 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
69835+
69836+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69837+ if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
69838+ pte = pte_exprotect(pte);
69839+#endif
69840+
69841 set_pte_at(mm, new_addr, new_pte, pte);
69842 }
69843
69844@@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
69845 if (is_vm_hugetlb_page(vma))
69846 goto Einval;
69847
69848+#ifdef CONFIG_PAX_SEGMEXEC
69849+ if (pax_find_mirror_vma(vma))
69850+ goto Einval;
69851+#endif
69852+
69853 /* We can't remap across vm area boundaries */
69854 if (old_len > vma->vm_end - addr)
69855 goto Efault;
69856@@ -328,20 +339,25 @@ static unsigned long mremap_to(unsigned
69857 unsigned long ret = -EINVAL;
69858 unsigned long charged = 0;
69859 unsigned long map_flags;
69860+ unsigned long pax_task_size = TASK_SIZE;
69861
69862 if (new_addr & ~PAGE_MASK)
69863 goto out;
69864
69865- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
69866+#ifdef CONFIG_PAX_SEGMEXEC
69867+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
69868+ pax_task_size = SEGMEXEC_TASK_SIZE;
69869+#endif
69870+
69871+ pax_task_size -= PAGE_SIZE;
69872+
69873+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
69874 goto out;
69875
69876 /* Check if the location we're moving into overlaps the
69877 * old location at all, and fail if it does.
69878 */
69879- if ((new_addr <= addr) && (new_addr+new_len) > addr)
69880- goto out;
69881-
69882- if ((addr <= new_addr) && (addr+old_len) > new_addr)
69883+ if (addr + old_len > new_addr && new_addr + new_len > addr)
69884 goto out;
69885
69886 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
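Review bot: In mremap_to() the length check still compares `new_len > TASK_SIZE` while the address check uses `pax_task_size - new_len`, whereas the do_mremap() hunk below tests both `new_len` and `old_len` against `pax_task_size`; use `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)` here so the two functions agree (in the do_mremap hunk, `pax_task_size-new_len` and `pax_task_size-old_len` also want spaces around `-` to match the surrounding style). `pax_task_size -= PAGE_SIZE;` reserves the top page without saying why; a short comment would help. The rewritten overlap test `addr + old_len > new_addr && new_addr + new_len > addr` is equivalent to the two checks it replaces, which is worth stating in a comment since the change is not obviously a no-op.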
69887@@ -413,6 +429,7 @@ unsigned long do_mremap(unsigned long ad
69888 struct vm_area_struct *vma;
69889 unsigned long ret = -EINVAL;
69890 unsigned long charged = 0;
69891+ unsigned long pax_task_size = TASK_SIZE;
69892
69893 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
69894 goto out;
69895@@ -431,6 +448,17 @@ unsigned long do_mremap(unsigned long ad
69896 if (!new_len)
69897 goto out;
69898
69899+#ifdef CONFIG_PAX_SEGMEXEC
69900+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
69901+ pax_task_size = SEGMEXEC_TASK_SIZE;
69902+#endif
69903+
69904+ pax_task_size -= PAGE_SIZE;
69905+
69906+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
69907+ old_len > pax_task_size || addr > pax_task_size-old_len)
69908+ goto out;
69909+
69910 if (flags & MREMAP_FIXED) {
69911 if (flags & MREMAP_MAYMOVE)
69912 ret = mremap_to(addr, old_len, new_addr, new_len);
69913@@ -480,6 +508,7 @@ unsigned long do_mremap(unsigned long ad
69914 addr + new_len);
69915 }
69916 ret = addr;
69917+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
69918 goto out;
69919 }
69920 }
69921@@ -506,7 +535,13 @@ unsigned long do_mremap(unsigned long ad
69922 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
69923 if (ret)
69924 goto out;
69925+
69926+ map_flags = vma->vm_flags;
69927 ret = move_vma(vma, addr, old_len, new_len, new_addr);
69928+ if (!(ret & ~PAGE_MASK)) {
69929+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
69930+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
69931+ }
69932 }
69933 out:
69934 if (ret & ~PAGE_MASK)
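Review bot: `map_flags` is reused to stash `vma->vm_flags` before `move_vma()`, but it is not declared in this hunk; if it is the MAP_* flags local used for the earlier get_unmapped_area() call, reusing it for VM_* flags makes the two meanings collide. Saving into a dedicated local such as `unsigned long old_vm_flags = vma->vm_flags;` and passing that to `track_exec_limit()` avoids the ambiguity. The reason the flags must be captured before the move (presumably because `vma` may be freed or merged by move_vma()) belongs in a comment on that line.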
69935diff -urNp linux-3.1.1/mm/nobootmem.c linux-3.1.1/mm/nobootmem.c
69936--- linux-3.1.1/mm/nobootmem.c 2011-11-11 15:19:27.000000000 -0500
69937+++ linux-3.1.1/mm/nobootmem.c 2011-11-16 18:39:08.000000000 -0500
69938@@ -110,19 +110,30 @@ static void __init __free_pages_memory(u
69939 unsigned long __init free_all_memory_core_early(int nodeid)
69940 {
69941 int i;
69942- u64 start, end;
69943+ u64 start, end, startrange, endrange;
69944 unsigned long count = 0;
69945- struct range *range = NULL;
69946+ struct range *range = NULL, rangerange = { 0, 0 };
69947 int nr_range;
69948
69949 nr_range = get_free_all_memory_range(&range, nodeid);
69950+ startrange = __pa(range) >> PAGE_SHIFT;
69951+ endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
69952
69953 for (i = 0; i < nr_range; i++) {
69954 start = range[i].start;
69955 end = range[i].end;
69956+ if (start <= endrange && startrange < end) {
69957+ BUG_ON(rangerange.start | rangerange.end);
69958+ rangerange = range[i];
69959+ continue;
69960+ }
69961 count += end - start;
69962 __free_pages_memory(start, end);
69963 }
69964+ start = rangerange.start;
69965+ end = rangerange.end;
69966+ count += end - start;
69967+ __free_pages_memory(start, end);
69968
69969 return count;
69970 }
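Review bot: The new deferral assumes the `range` array lies inside exactly one of the ranges being freed: if it straddles two, the second match hits `BUG_ON(rangerange.start | rangerange.end)` at boot instead of being handled, and if it matches none (or `nr_range` is 0) the loop tail unconditionally calls `__free_pages_memory(0, 0)` with `rangerange` still `{0, 0}`, which is harmless only if that helper tolerates an empty range (its body is outside the hunk). Guarding the tail with `if (rangerange.end > rangerange.start)` removes that dependency. A comment stating why the containing range must be freed last — presumably because the loop still reads the array while freeing — would make the intent clear to the next reader.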
69971diff -urNp linux-3.1.1/mm/nommu.c linux-3.1.1/mm/nommu.c
69972--- linux-3.1.1/mm/nommu.c 2011-11-11 15:19:27.000000000 -0500
69973+++ linux-3.1.1/mm/nommu.c 2011-11-16 18:39:08.000000000 -0500
69974@@ -62,7 +62,6 @@ int sysctl_overcommit_memory = OVERCOMMI
69975 int sysctl_overcommit_ratio = 50; /* default is 50% */
69976 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
69977 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
69978-int heap_stack_gap = 0;
69979
69980 atomic_long_t mmap_pages_allocated;
69981
69982@@ -825,15 +824,6 @@ struct vm_area_struct *find_vma(struct m
69983 EXPORT_SYMBOL(find_vma);
69984
69985 /*
69986- * find a VMA
69987- * - we don't extend stack VMAs under NOMMU conditions
69988- */
69989-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
69990-{
69991- return find_vma(mm, addr);
69992-}
69993-
69994-/*
69995 * expand a stack to a given address
69996 * - not supported under NOMMU conditions
69997 */
69998@@ -1553,6 +1543,7 @@ int split_vma(struct mm_struct *mm, stru
69999
70000 /* most fields are the same, copy all, and then fixup */
70001 *new = *vma;
70002+ INIT_LIST_HEAD(&new->anon_vma_chain);
70003 *region = *vma->vm_region;
70004 new->vm_region = region;
70005
70006diff -urNp linux-3.1.1/mm/oom_kill.c linux-3.1.1/mm/oom_kill.c
70007--- linux-3.1.1/mm/oom_kill.c 2011-11-11 15:19:27.000000000 -0500
70008+++ linux-3.1.1/mm/oom_kill.c 2011-11-18 18:44:21.000000000 -0500
70009@@ -162,7 +162,7 @@ static bool oom_unkillable_task(struct t
70010 unsigned int oom_badness(struct task_struct *p, struct mem_cgroup *mem,
70011 const nodemask_t *nodemask, unsigned long totalpages)
70012 {
70013- int points;
70014+ long points;
70015
70016 if (oom_unkillable_task(p, mem, nodemask))
70017 return 0;
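Review bot: Widening `points` from `int` to `long` only helps if the arithmetic that follows (outside this hunk) is also performed in `long` and the value is clamped before it is returned as `unsigned int` from oom_badness(); otherwise the narrowing merely moves to the return. Please check the final return/clamp in the rest of the function, and add a one-line comment at the declaration naming the intermediate product the wider type is meant to protect.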
70018diff -urNp linux-3.1.1/mm/page_alloc.c linux-3.1.1/mm/page_alloc.c
70019--- linux-3.1.1/mm/page_alloc.c 2011-11-11 15:19:27.000000000 -0500
70020+++ linux-3.1.1/mm/page_alloc.c 2011-11-16 18:40:44.000000000 -0500
70021@@ -340,7 +340,7 @@ out:
70022 * This usage means that zero-order pages may not be compound.
70023 */
70024
70025-static void free_compound_page(struct page *page)
70026+void free_compound_page(struct page *page)
70027 {
70028 __free_pages_ok(page, compound_order(page));
70029 }
70030@@ -653,6 +653,10 @@ static bool free_pages_prepare(struct pa
70031 int i;
70032 int bad = 0;
70033
70034+#ifdef CONFIG_PAX_MEMORY_SANITIZE
70035+ unsigned long index = 1UL << order;
70036+#endif
70037+
70038 trace_mm_page_free_direct(page, order);
70039 kmemcheck_free_shadow(page, order);
70040
70041@@ -668,6 +672,12 @@ static bool free_pages_prepare(struct pa
70042 debug_check_no_obj_freed(page_address(page),
70043 PAGE_SIZE << order);
70044 }
70045+
70046+#ifdef CONFIG_PAX_MEMORY_SANITIZE
70047+ for (; index; --index)
70048+ sanitize_highpage(page + index - 1);
70049+#endif
70050+
70051 arch_free_page(page, order);
70052 kernel_map_pages(page, 1 << order, 0);
70053
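Review bot: The sanitize loop has no comment, and its position — after the debug checks and before `arch_free_page()`/`kernel_map_pages()` — matters if the latter unmaps the pages in debug builds. A comment such as `/* wipe every page of the block before it becomes allocatable; must run while the pages are still mapped */` records that ordering constraint. The loop counter `index` is declared in the earlier hunk of this function under the same #ifdef, so a reader of this hunk alone cannot see its initial value of `1UL << order`; mentioning it in the comment helps.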
70054@@ -783,8 +793,10 @@ static int prep_new_page(struct page *pa
70055 arch_alloc_page(page, order);
70056 kernel_map_pages(page, 1 << order, 1);
70057
70058+#ifndef CONFIG_PAX_MEMORY_SANITIZE
70059 if (gfp_flags & __GFP_ZERO)
70060 prep_zero_page(page, order, gfp_flags);
70061+#endif
70062
70063 if (order && (gfp_flags & __GFP_COMP))
70064 prep_compound_page(page, order);
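Review bot: Skipping `prep_zero_page()` under CONFIG_PAX_MEMORY_SANITIZE makes `__GFP_ZERO` depend on every page having passed through the new sanitize loop in free_pages_prepare(); any page that reaches the allocator without that path, and any sanitizer that fills with a pattern other than zero (sanitize_highpage()'s behaviour is not visible here), would hand a non-zero page to a caller that asked for zeroed memory. A comment at the `#ifndef` stating that invariant, and a check that sanitize_highpage() clears rather than poisons, would make the coupling explicit; if there is any doubt, keeping the `__GFP_ZERO` path unconditional is the safe choice.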
70065@@ -2539,6 +2551,8 @@ void show_free_areas(unsigned int filter
70066 int cpu;
70067 struct zone *zone;
70068
70069+ pax_track_stack();
70070+
70071 for_each_populated_zone(zone) {
70072 if (skip_free_areas_node(filter, zone_to_nid(zone)))
70073 continue;
70074@@ -3350,7 +3364,13 @@ static int pageblock_is_reserved(unsigne
70075 unsigned long pfn;
70076
70077 for (pfn = start_pfn; pfn < end_pfn; pfn++) {
70078+#ifdef CONFIG_X86_32
70079+ /* boot failures in VMware 8 on 32bit vanilla since
70080+ this change */
70081+ if (!pfn_valid(pfn) || PageReserved(pfn_to_page(pfn)))
70082+#else
70083 if (!pfn_valid_within(pfn) || PageReserved(pfn_to_page(pfn)))
70084+#endif
70085 return 1;
70086 }
70087 return 0;
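Review bot: The `CONFIG_X86_32` branch swaps `pfn_valid_within()` for `pfn_valid()` in generic mm code, and the comment records only the symptom (`boot failures in VMware 8 on 32bit vanilla`) rather than why the wider check avoids it; a note on what `pfn_valid_within()` returns for the offending pfns (not visible here) would make the workaround maintainable. Arch-specific `#ifdef`s inside page_alloc.c loops are normally avoided; if the difference really concerns holes within a section, an arch-provided helper or Kconfig symbol would keep the generic loop free of the special case.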
70088diff -urNp linux-3.1.1/mm/percpu.c linux-3.1.1/mm/percpu.c
70089--- linux-3.1.1/mm/percpu.c 2011-11-11 15:19:27.000000000 -0500
70090+++ linux-3.1.1/mm/percpu.c 2011-11-16 18:39:08.000000000 -0500
70091@@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
70092 static unsigned int pcpu_last_unit_cpu __read_mostly;
70093
70094 /* the address of the first chunk which starts with the kernel static area */
70095-void *pcpu_base_addr __read_mostly;
70096+void *pcpu_base_addr __read_only;
70097 EXPORT_SYMBOL_GPL(pcpu_base_addr);
70098
70099 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
70100diff -urNp linux-3.1.1/mm/rmap.c linux-3.1.1/mm/rmap.c
70101--- linux-3.1.1/mm/rmap.c 2011-11-11 15:19:27.000000000 -0500
70102+++ linux-3.1.1/mm/rmap.c 2011-11-16 18:39:08.000000000 -0500
70103@@ -152,6 +152,10 @@ int anon_vma_prepare(struct vm_area_stru
70104 struct anon_vma *anon_vma = vma->anon_vma;
70105 struct anon_vma_chain *avc;
70106
70107+#ifdef CONFIG_PAX_SEGMEXEC
70108+ struct anon_vma_chain *avc_m = NULL;
70109+#endif
70110+
70111 might_sleep();
70112 if (unlikely(!anon_vma)) {
70113 struct mm_struct *mm = vma->vm_mm;
70114@@ -161,6 +165,12 @@ int anon_vma_prepare(struct vm_area_stru
70115 if (!avc)
70116 goto out_enomem;
70117
70118+#ifdef CONFIG_PAX_SEGMEXEC
70119+ avc_m = anon_vma_chain_alloc(GFP_KERNEL);
70120+ if (!avc_m)
70121+ goto out_enomem_free_avc;
70122+#endif
70123+
70124 anon_vma = find_mergeable_anon_vma(vma);
70125 allocated = NULL;
70126 if (!anon_vma) {
70127@@ -174,6 +184,21 @@ int anon_vma_prepare(struct vm_area_stru
70128 /* page_table_lock to protect against threads */
70129 spin_lock(&mm->page_table_lock);
70130 if (likely(!vma->anon_vma)) {
70131+
70132+#ifdef CONFIG_PAX_SEGMEXEC
70133+ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
70134+
70135+ if (vma_m) {
70136+ BUG_ON(vma_m->anon_vma);
70137+ vma_m->anon_vma = anon_vma;
70138+ avc_m->anon_vma = anon_vma;
70139+ avc_m->vma = vma;
70140+ list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
70141+ list_add(&avc_m->same_anon_vma, &anon_vma->head);
70142+ avc_m = NULL;
70143+ }
70144+#endif
70145+
70146 vma->anon_vma = anon_vma;
70147 avc->anon_vma = anon_vma;
70148 avc->vma = vma;
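Review bot: `avc_m->vma = vma;` links the mirror's chain entry to the original `vma` while the entry itself is added to `vma_m->anon_vma_chain`, whereas the following unchanged lines set `avc->vma = vma` for `vma`'s own entry. If that asymmetry is deliberate (rmap walks resolving the mirror to its primary VMA, which I infer rather than see), a comment on that line would keep it from being "corrected" later; if not, it should be `avc_m->vma = vma_m;`. `avc_m` is allocated in the earlier hunk for every SEGMEXEC process, including the common case where `pax_find_mirror_vma()` returns NULL, presumably because GFP_KERNEL cannot be used under the page_table_lock taken just above; a comment saying so would answer the obvious question.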
70149@@ -187,12 +212,24 @@ int anon_vma_prepare(struct vm_area_stru
70150
70151 if (unlikely(allocated))
70152 put_anon_vma(allocated);
70153+
70154+#ifdef CONFIG_PAX_SEGMEXEC
70155+ if (unlikely(avc_m))
70156+ anon_vma_chain_free(avc_m);
70157+#endif
70158+
70159 if (unlikely(avc))
70160 anon_vma_chain_free(avc);
70161 }
70162 return 0;
70163
70164 out_enomem_free_avc:
70165+
70166+#ifdef CONFIG_PAX_SEGMEXEC
70167+ if (avc_m)
70168+ anon_vma_chain_free(avc_m);
70169+#endif
70170+
70171 anon_vma_chain_free(avc);
70172 out_enomem:
70173 return -ENOMEM;
70174@@ -243,7 +280,7 @@ static void anon_vma_chain_link(struct v
70175 * Attach the anon_vmas from src to dst.
70176 * Returns 0 on success, -ENOMEM on failure.
70177 */
70178-int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
70179+int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
70180 {
70181 struct anon_vma_chain *avc, *pavc;
70182 struct anon_vma *root = NULL;
70183@@ -276,7 +313,7 @@ int anon_vma_clone(struct vm_area_struct
70184 * the corresponding VMA in the parent process is attached to.
70185 * Returns 0 on success, non-zero on failure.
70186 */
70187-int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
70188+int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
70189 {
70190 struct anon_vma_chain *avc;
70191 struct anon_vma *anon_vma;
70192diff -urNp linux-3.1.1/mm/shmem.c linux-3.1.1/mm/shmem.c
70193--- linux-3.1.1/mm/shmem.c 2011-11-11 15:19:27.000000000 -0500
70194+++ linux-3.1.1/mm/shmem.c 2011-11-16 19:28:28.000000000 -0500
70195@@ -31,7 +31,7 @@
70196 #include <linux/module.h>
70197 #include <linux/swap.h>
70198
70199-static struct vfsmount *shm_mnt;
70200+struct vfsmount *shm_mnt;
70201
70202 #ifdef CONFIG_SHMEM
70203 /*
70204@@ -74,7 +74,7 @@ static struct vfsmount *shm_mnt;
70205 #define BOGO_DIRENT_SIZE 20
70206
70207 /* Symlink up to this size is kmalloc'ed instead of using a swappable page */
70208-#define SHORT_SYMLINK_LEN 128
70209+#define SHORT_SYMLINK_LEN 64
70210
70211 struct shmem_xattr {
70212 struct list_head list; /* anchored by shmem_inode_info->xattr_list */
70213@@ -769,6 +769,8 @@ static struct page *shmem_swapin(swp_ent
70214 struct mempolicy mpol, *spol;
70215 struct vm_area_struct pvma;
70216
70217+ pax_track_stack();
70218+
70219 spol = mpol_cond_copy(&mpol,
70220 mpol_shared_policy_lookup(&info->policy, index));
70221
70222@@ -2149,8 +2151,7 @@ int shmem_fill_super(struct super_block
70223 int err = -ENOMEM;
70224
70225 /* Round up to L1_CACHE_BYTES to resist false sharing */
70226- sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
70227- L1_CACHE_BYTES), GFP_KERNEL);
70228+ sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
70229 if (!sbinfo)
70230 return -ENOMEM;
70231
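Review bot: Dropping the `(int)` cast makes `max()` compare a `size_t` (`sizeof`) with `L1_CACHE_BYTES`, which on most arches is a plain `int` constant; the kernel's `max()` macro type-checks its operands and warns on a mismatch, which is presumably why the original cast existed. `max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES)` gives the intended unsigned comparison without the warning. If L1_CACHE_BYTES has a size_t-typed definition on the target arch this is moot, but the portable form is safer.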
70232diff -urNp linux-3.1.1/mm/slab.c linux-3.1.1/mm/slab.c
70233--- linux-3.1.1/mm/slab.c 2011-11-11 15:19:27.000000000 -0500
70234+++ linux-3.1.1/mm/slab.c 2011-11-16 18:40:44.000000000 -0500
70235@@ -151,7 +151,7 @@
70236
70237 /* Legal flag mask for kmem_cache_create(). */
70238 #if DEBUG
70239-# define CREATE_MASK (SLAB_RED_ZONE | \
70240+# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
70241 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
70242 SLAB_CACHE_DMA | \
70243 SLAB_STORE_USER | \
70244@@ -159,7 +159,7 @@
70245 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
70246 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
70247 #else
70248-# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
70249+# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
70250 SLAB_CACHE_DMA | \
70251 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
70252 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
70253@@ -288,7 +288,7 @@ struct kmem_list3 {
70254 * Need this for bootstrapping a per node allocator.
70255 */
70256 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
70257-static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
70258+static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
70259 #define CACHE_CACHE 0
70260 #define SIZE_AC MAX_NUMNODES
70261 #define SIZE_L3 (2 * MAX_NUMNODES)
70262@@ -389,10 +389,10 @@ static void kmem_list3_init(struct kmem_
70263 if ((x)->max_freeable < i) \
70264 (x)->max_freeable = i; \
70265 } while (0)
70266-#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
70267-#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
70268-#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
70269-#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
70270+#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
70271+#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
70272+#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
70273+#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
70274 #else
70275 #define STATS_INC_ACTIVE(x) do { } while (0)
70276 #define STATS_DEC_ACTIVE(x) do { } while (0)
70277@@ -538,7 +538,7 @@ static inline void *index_to_obj(struct
70278 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
70279 */
70280 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
70281- const struct slab *slab, void *obj)
70282+ const struct slab *slab, const void *obj)
70283 {
70284 u32 offset = (obj - slab->s_mem);
70285 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
70286@@ -564,7 +564,7 @@ struct cache_names {
70287 static struct cache_names __initdata cache_names[] = {
70288 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
70289 #include <linux/kmalloc_sizes.h>
70290- {NULL,}
70291+ {NULL}
70292 #undef CACHE
70293 };
70294
70295@@ -1571,7 +1571,7 @@ void __init kmem_cache_init(void)
70296 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
70297 sizes[INDEX_AC].cs_size,
70298 ARCH_KMALLOC_MINALIGN,
70299- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
70300+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
70301 NULL);
70302
70303 if (INDEX_AC != INDEX_L3) {
70304@@ -1579,7 +1579,7 @@ void __init kmem_cache_init(void)
70305 kmem_cache_create(names[INDEX_L3].name,
70306 sizes[INDEX_L3].cs_size,
70307 ARCH_KMALLOC_MINALIGN,
70308- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
70309+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
70310 NULL);
70311 }
70312
70313@@ -1597,7 +1597,7 @@ void __init kmem_cache_init(void)
70314 sizes->cs_cachep = kmem_cache_create(names->name,
70315 sizes->cs_size,
70316 ARCH_KMALLOC_MINALIGN,
70317- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
70318+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
70319 NULL);
70320 }
70321 #ifdef CONFIG_ZONE_DMA
70322@@ -4324,10 +4324,10 @@ static int s_show(struct seq_file *m, vo
70323 }
70324 /* cpu stats */
70325 {
70326- unsigned long allochit = atomic_read(&cachep->allochit);
70327- unsigned long allocmiss = atomic_read(&cachep->allocmiss);
70328- unsigned long freehit = atomic_read(&cachep->freehit);
70329- unsigned long freemiss = atomic_read(&cachep->freemiss);
70330+ unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
70331+ unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
70332+ unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
70333+ unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
70334
70335 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
70336 allochit, allocmiss, freehit, freemiss);
70337@@ -4584,15 +4584,70 @@ static const struct file_operations proc
70338
70339 static int __init slab_proc_init(void)
70340 {
70341- proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
70342+ mode_t gr_mode = S_IRUGO;
70343+
70344+#ifdef CONFIG_GRKERNSEC_PROC_ADD
70345+ gr_mode = S_IRUSR;
70346+#endif
70347+
70348+ proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
70349 #ifdef CONFIG_DEBUG_SLAB_LEAK
70350- proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
70351+ proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
70352 #endif
70353 return 0;
70354 }
70355 module_init(slab_proc_init);
70356 #endif
70357
70358+void check_object_size(const void *ptr, unsigned long n, bool to)
70359+{
70360+
70361+#ifdef CONFIG_PAX_USERCOPY
70362+ struct page *page;
70363+ struct kmem_cache *cachep = NULL;
70364+ struct slab *slabp;
70365+ unsigned int objnr;
70366+ unsigned long offset;
70367+ const char *type;
70368+
70369+ if (!n)
70370+ return;
70371+
70372+ type = "<null>";
70373+ if (ZERO_OR_NULL_PTR(ptr))
70374+ goto report;
70375+
70376+ if (!virt_addr_valid(ptr))
70377+ return;
70378+
70379+ page = virt_to_head_page(ptr);
70380+
70381+ type = "<process stack>";
70382+ if (!PageSlab(page)) {
70383+ if (object_is_on_stack(ptr, n) == -1)
70384+ goto report;
70385+ return;
70386+ }
70387+
70388+ cachep = page_get_cache(page);
70389+ type = cachep->name;
70390+ if (!(cachep->flags & SLAB_USERCOPY))
70391+ goto report;
70392+
70393+ slabp = page_get_slab(page);
70394+ objnr = obj_to_index(cachep, slabp, ptr);
70395+ BUG_ON(objnr >= cachep->num);
70396+ offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
70397+ if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
70398+ return;
70399+
70400+report:
70401+ pax_report_usercopy(ptr, n, to, type);
70402+#endif
70403+
70404+}
70405+EXPORT_SYMBOL(check_object_size);
70406+
70407 /**
70408 * ksize - get the actual amount of memory allocated for a given object
70409 * @objp: Pointer to the object
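Review bot: `check_object_size()` is exported with no header comment; it should state what `to` means (it is only passed through to `pax_report_usercopy()`), that `n == 0` is accepted, and which objects pass: slab objects only when their cache has SLAB_USERCOPY and `[ptr, ptr+n)` stays within one object, non-slab memory only when `object_is_on_stack()` does not return -1, with everything else reported. Worth stating explicitly is that non-slab, non-stack kernel memory is not bounds-checked at all, since readers will otherwise assume full coverage. The `offset` computation relies on unsigned wraparound when `ptr` precedes the object start so that `offset <= obj_size(cachep)` fails; a comment such as `/* a ptr before the object wraps offset, which the bound check then rejects */` documents that. In slab_proc_init(), `mode_t gr_mode` should use whatever mode type `proc_create()` takes in this tree.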
70410diff -urNp linux-3.1.1/mm/slob.c linux-3.1.1/mm/slob.c
70411--- linux-3.1.1/mm/slob.c 2011-11-11 15:19:27.000000000 -0500
70412+++ linux-3.1.1/mm/slob.c 2011-11-16 18:39:08.000000000 -0500
70413@@ -29,7 +29,7 @@
70414 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
70415 * alloc_pages() directly, allocating compound pages so the page order
70416 * does not have to be separately tracked, and also stores the exact
70417- * allocation size in page->private so that it can be used to accurately
70418+ * allocation size in slob_page->size so that it can be used to accurately
70419 * provide ksize(). These objects are detected in kfree() because slob_page()
70420 * is false for them.
70421 *
70422@@ -58,6 +58,7 @@
70423 */
70424
70425 #include <linux/kernel.h>
70426+#include <linux/sched.h>
70427 #include <linux/slab.h>
70428 #include <linux/mm.h>
70429 #include <linux/swap.h> /* struct reclaim_state */
70430@@ -102,7 +103,8 @@ struct slob_page {
70431 unsigned long flags; /* mandatory */
70432 atomic_t _count; /* mandatory */
70433 slobidx_t units; /* free units left in page */
70434- unsigned long pad[2];
70435+ unsigned long pad[1];
70436+ unsigned long size; /* size when >=PAGE_SIZE */
70437 slob_t *free; /* first free slob_t in page */
70438 struct list_head list; /* linked list of free pages */
70439 };
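Review bot: The new `size` field doubles as the discriminator in `is_slob_page()` (`PageSlab && !sp->size`), so every page used for small objects must keep it at 0: `slob_alloc()` now clears it when it claims a page and `kfree()` clears it when a large page is released, while `__kmalloc_node_align()` sets it for page-sized allocations. That invariant belongs in the field comment, e.g. `/* size when >=PAGE_SIZE; must be 0 on pages holding small objects (see is_slob_page) */`, because the struct overlays `struct page` (the code uses `&sp->page`) and other code may touch the same bytes. `pad[2]` to `pad[1]` keeps the overall layout, but the assumption that `size` lands on an unused `struct page` word should be checked with a BUILD_BUG_ON if one does not already exist.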
70440@@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
70441 */
70442 static inline int is_slob_page(struct slob_page *sp)
70443 {
70444- return PageSlab((struct page *)sp);
70445+ return PageSlab((struct page *)sp) && !sp->size;
70446 }
70447
70448 static inline void set_slob_page(struct slob_page *sp)
70449@@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
70450
70451 static inline struct slob_page *slob_page(const void *addr)
70452 {
70453- return (struct slob_page *)virt_to_page(addr);
70454+ return (struct slob_page *)virt_to_head_page(addr);
70455 }
70456
70457 /*
70458@@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
70459 /*
70460 * Return the size of a slob block.
70461 */
70462-static slobidx_t slob_units(slob_t *s)
70463+static slobidx_t slob_units(const slob_t *s)
70464 {
70465 if (s->units > 0)
70466 return s->units;
70467@@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
70468 /*
70469 * Return the next free slob block pointer after this one.
70470 */
70471-static slob_t *slob_next(slob_t *s)
70472+static slob_t *slob_next(const slob_t *s)
70473 {
70474 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
70475 slobidx_t next;
70476@@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
70477 /*
70478 * Returns true if s is the last free block in its page.
70479 */
70480-static int slob_last(slob_t *s)
70481+static int slob_last(const slob_t *s)
70482 {
70483 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
70484 }
70485@@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
70486 if (!page)
70487 return NULL;
70488
70489+ set_slob_page(page);
70490 return page_address(page);
70491 }
70492
70493@@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
70494 if (!b)
70495 return NULL;
70496 sp = slob_page(b);
70497- set_slob_page(sp);
70498
70499 spin_lock_irqsave(&slob_lock, flags);
70500 sp->units = SLOB_UNITS(PAGE_SIZE);
70501 sp->free = b;
70502+ sp->size = 0;
70503 INIT_LIST_HEAD(&sp->list);
70504 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
70505 set_slob_page_free(sp, slob_list);
70506@@ -476,10 +479,9 @@ out:
70507 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
70508 */
70509
70510-void *__kmalloc_node(size_t size, gfp_t gfp, int node)
70511+static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
70512 {
70513- unsigned int *m;
70514- int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70515+ slob_t *m;
70516 void *ret;
70517
70518 gfp &= gfp_allowed_mask;
70519@@ -494,7 +496,10 @@ void *__kmalloc_node(size_t size, gfp_t
70520
70521 if (!m)
70522 return NULL;
70523- *m = size;
70524+ BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
70525+ BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
70526+ m[0].units = size;
70527+ m[1].units = align;
70528 ret = (void *)m + align;
70529
70530 trace_kmalloc_node(_RET_IP_, ret,
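Review bot: `m[0].units = size;` and `m[1].units = align;` store a `size_t` and an `int` into `slobidx_t` fields, which narrows silently; this is safe only because this branch is the small-object path where `size` is below PAGE_SIZE (the branch condition is outside the hunk), and the two `BUILD_BUG_ON`s check alignment, not that range. A comment on those lines, e.g. `/* size < PAGE_SIZE here, so it fits a slobidx_t */`, or an explicit bound check, would document the dependency. `__kmalloc_node_align()` also drops the `kmemleak_alloc()` call; the following hunk moves it into the `__kmalloc_node()` wrapper, so any other caller of the static helper must do its own accounting, which the helper's comment should say.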
70531@@ -506,16 +511,25 @@ void *__kmalloc_node(size_t size, gfp_t
70532 gfp |= __GFP_COMP;
70533 ret = slob_new_pages(gfp, order, node);
70534 if (ret) {
70535- struct page *page;
70536- page = virt_to_page(ret);
70537- page->private = size;
70538+ struct slob_page *sp;
70539+ sp = slob_page(ret);
70540+ sp->size = size;
70541 }
70542
70543 trace_kmalloc_node(_RET_IP_, ret,
70544 size, PAGE_SIZE << order, gfp, node);
70545 }
70546
70547- kmemleak_alloc(ret, size, 1, gfp);
70548+ return ret;
70549+}
70550+
70551+void *__kmalloc_node(size_t size, gfp_t gfp, int node)
70552+{
70553+ int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70554+ void *ret = __kmalloc_node_align(size, gfp, node, align);
70555+
70556+ if (!ZERO_OR_NULL_PTR(ret))
70557+ kmemleak_alloc(ret, size, 1, gfp);
70558 return ret;
70559 }
70560 EXPORT_SYMBOL(__kmalloc_node);
70561@@ -533,13 +547,92 @@ void kfree(const void *block)
70562 sp = slob_page(block);
70563 if (is_slob_page(sp)) {
70564 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70565- unsigned int *m = (unsigned int *)(block - align);
70566- slob_free(m, *m + align);
70567- } else
70568+ slob_t *m = (slob_t *)(block - align);
70569+ slob_free(m, m[0].units + align);
70570+ } else {
70571+ clear_slob_page(sp);
70572+ free_slob_page(sp);
70573+ sp->size = 0;
70574 put_page(&sp->page);
70575+ }
70576 }
70577 EXPORT_SYMBOL(kfree);
70578
70579+void check_object_size(const void *ptr, unsigned long n, bool to)
70580+{
70581+
70582+#ifdef CONFIG_PAX_USERCOPY
70583+ struct slob_page *sp;
70584+ const slob_t *free;
70585+ const void *base;
70586+ unsigned long flags;
70587+ const char *type;
70588+
70589+ if (!n)
70590+ return;
70591+
70592+ type = "<null>";
70593+ if (ZERO_OR_NULL_PTR(ptr))
70594+ goto report;
70595+
70596+ if (!virt_addr_valid(ptr))
70597+ return;
70598+
70599+ type = "<process stack>";
70600+ sp = slob_page(ptr);
70601+ if (!PageSlab((struct page*)sp)) {
70602+ if (object_is_on_stack(ptr, n) == -1)
70603+ goto report;
70604+ return;
70605+ }
70606+
70607+ type = "<slob>";
70608+ if (sp->size) {
70609+ base = page_address(&sp->page);
70610+ if (base <= ptr && n <= sp->size - (ptr - base))
70611+ return;
70612+ goto report;
70613+ }
70614+
70615+ /* some tricky double walking to find the chunk */
70616+ spin_lock_irqsave(&slob_lock, flags);
70617+ base = (void *)((unsigned long)ptr & PAGE_MASK);
70618+ free = sp->free;
70619+
70620+ while (!slob_last(free) && (void *)free <= ptr) {
70621+ base = free + slob_units(free);
70622+ free = slob_next(free);
70623+ }
70624+
70625+ while (base < (void *)free) {
70626+ slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
70627+ int size = SLOB_UNIT * SLOB_UNITS(m + align);
70628+ int offset;
70629+
70630+ if (ptr < base + align)
70631+ break;
70632+
70633+ offset = ptr - base - align;
70634+ if (offset >= m) {
70635+ base += size;
70636+ continue;
70637+ }
70638+
70639+ if (n > m - offset)
70640+ break;
70641+
70642+ spin_unlock_irqrestore(&slob_lock, flags);
70643+ return;
70644+ }
70645+
70646+ spin_unlock_irqrestore(&slob_lock, flags);
70647+report:
70648+ pax_report_usercopy(ptr, n, to, type);
70649+#endif
70650+
70651+}
70652+EXPORT_SYMBOL(check_object_size);
70653+
70654 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
70655 size_t ksize(const void *block)
70656 {
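Review bot: In the new SLOB `check_object_size`, the `sp->size` branch checks `base <= ptr` but never that `ptr - base` lies within `sp->size` before computing `sp->size - (ptr - base)`; if `size` in struct slob_page is an unsigned type (its definition is outside this view), a pointer past the end of a large object but still inside its pages makes that subtraction wrap and the copy is accepted. The SLUB variant later in this patch does bound the offset first (`offset <= s->objsize && n <= s->objsize - offset`), and the same shape works here: `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. Separately, `slob_page(ptr)` looks like it resolves the page containing `ptr` rather than the compound head, so a pointer into a tail page of a multi-page kmalloc would take the `!PageSlab` branch and pass silently; worth confirming against the definition of `slob_page`.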
70657@@ -552,10 +645,10 @@ size_t ksize(const void *block)
70658 sp = slob_page(block);
70659 if (is_slob_page(sp)) {
70660 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70661- unsigned int *m = (unsigned int *)(block - align);
70662- return SLOB_UNITS(*m) * SLOB_UNIT;
70663+ slob_t *m = (slob_t *)(block - align);
70664+ return SLOB_UNITS(m[0].units) * SLOB_UNIT;
70665 } else
70666- return sp->page.private;
70667+ return sp->size;
70668 }
70669 EXPORT_SYMBOL(ksize);
70670
70671@@ -571,8 +664,13 @@ struct kmem_cache *kmem_cache_create(con
70672 {
70673 struct kmem_cache *c;
70674
70675+#ifdef CONFIG_PAX_USERCOPY
70676+ c = __kmalloc_node_align(sizeof(struct kmem_cache),
70677+ GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
70678+#else
70679 c = slob_alloc(sizeof(struct kmem_cache),
70680 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
70681+#endif
70682
70683 if (c) {
70684 c->name = name;
70685@@ -614,17 +712,25 @@ void *kmem_cache_alloc_node(struct kmem_
70686
70687 lockdep_trace_alloc(flags);
70688
70689+#ifdef CONFIG_PAX_USERCOPY
70690+ b = __kmalloc_node_align(c->size, flags, node, c->align);
70691+#else
70692 if (c->size < PAGE_SIZE) {
70693 b = slob_alloc(c->size, flags, c->align, node);
70694 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
70695 SLOB_UNITS(c->size) * SLOB_UNIT,
70696 flags, node);
70697 } else {
70698+ struct slob_page *sp;
70699+
70700 b = slob_new_pages(flags, get_order(c->size), node);
70701+ sp = slob_page(b);
70702+ sp->size = c->size;
70703 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
70704 PAGE_SIZE << get_order(c->size),
70705 flags, node);
70706 }
70707+#endif
70708
70709 if (c->ctor)
70710 c->ctor(b);
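Review bot: In the non-USERCOPY large-object branch of `kmem_cache_alloc_node`, `sp = slob_page(b); sp->size = c->size;` dereferences the result of `slob_new_pages()` unconditionally, and that function returns NULL on allocation failure (visible in the `slob_new_pages` hunk earlier in this file); guard the write, `if (b) { sp = slob_page(b); sp->size = c->size; }`. The CONFIG_PAX_USERCOPY branch also drops both `trace_kmem_cache_alloc_node` tracepoints, so allocation tracing now differs by config with nothing saying so; a comment on the `#ifdef` would help. The function continues outside the hunk.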
70711@@ -636,10 +742,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
70712
70713 static void __kmem_cache_free(void *b, int size)
70714 {
70715- if (size < PAGE_SIZE)
70716+ struct slob_page *sp = slob_page(b);
70717+
70718+ if (is_slob_page(sp))
70719 slob_free(b, size);
70720- else
70721+ else {
70722+ clear_slob_page(sp);
70723+ free_slob_page(sp);
70724+ sp->size = 0;
70725 slob_free_pages(b, get_order(size));
70726+ }
70727 }
70728
70729 static void kmem_rcu_free(struct rcu_head *head)
70730@@ -652,17 +764,31 @@ static void kmem_rcu_free(struct rcu_hea
70731
70732 void kmem_cache_free(struct kmem_cache *c, void *b)
70733 {
70734+ int size = c->size;
70735+
70736+#ifdef CONFIG_PAX_USERCOPY
70737+ if (size + c->align < PAGE_SIZE) {
70738+ size += c->align;
70739+ b -= c->align;
70740+ }
70741+#endif
70742+
70743 kmemleak_free_recursive(b, c->flags);
70744 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
70745 struct slob_rcu *slob_rcu;
70746- slob_rcu = b + (c->size - sizeof(struct slob_rcu));
70747- slob_rcu->size = c->size;
70748+ slob_rcu = b + (size - sizeof(struct slob_rcu));
70749+ slob_rcu->size = size;
70750 call_rcu(&slob_rcu->head, kmem_rcu_free);
70751 } else {
70752- __kmem_cache_free(b, c->size);
70753+ __kmem_cache_free(b, size);
70754 }
70755
70756+#ifdef CONFIG_PAX_USERCOPY
70757+ trace_kfree(_RET_IP_, b);
70758+#else
70759 trace_kmem_cache_free(_RET_IP_, b);
70760+#endif
70761+
70762 }
70763 EXPORT_SYMBOL(kmem_cache_free);
70764
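Review bot: Under CONFIG_PAX_USERCOPY `kmem_cache_free` rewinds `b` by `c->align` before `kmemleak_free_recursive(b, c->flags)` and `trace_kfree(_RET_IP_, b)`, so both see the header address rather than the object pointer the caller was handed; if the allocation was registered with kmemleak at the object address (the alloc side is not in this hunk), the free will not match it. Keep the original pointer for those two calls, e.g. `void *obj = b;` before the adjustment and then `kmemleak_free_recursive(obj, c->flags)` / `trace_kfree(_RET_IP_, obj)`. The `size + c->align < PAGE_SIZE` threshold must also stay identical to the small/large split inside `__kmalloc_node_align` (not visible here); a shared inline helper would stop the two from drifting.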
70765diff -urNp linux-3.1.1/mm/slub.c linux-3.1.1/mm/slub.c
70766--- linux-3.1.1/mm/slub.c 2011-11-11 15:19:27.000000000 -0500
70767+++ linux-3.1.1/mm/slub.c 2011-11-16 19:27:25.000000000 -0500
70768@@ -208,7 +208,7 @@ struct track {
70769
70770 enum track_item { TRACK_ALLOC, TRACK_FREE };
70771
70772-#ifdef CONFIG_SYSFS
70773+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70774 static int sysfs_slab_add(struct kmem_cache *);
70775 static int sysfs_slab_alias(struct kmem_cache *, const char *);
70776 static void sysfs_slab_remove(struct kmem_cache *);
70777@@ -556,7 +556,7 @@ static void print_track(const char *s, s
70778 if (!t->addr)
70779 return;
70780
70781- printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
70782+ printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
70783 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
70784 #ifdef CONFIG_STACKTRACE
70785 {
70786@@ -2456,6 +2456,8 @@ void kmem_cache_free(struct kmem_cache *
70787
70788 page = virt_to_head_page(x);
70789
70790+ BUG_ON(!PageSlab(page));
70791+
70792 slab_free(s, page, x, _RET_IP_);
70793
70794 trace_kmem_cache_free(_RET_IP_, x);
70795@@ -2489,7 +2491,7 @@ static int slub_min_objects;
70796 * Merge control. If this is set then no merging of slab caches will occur.
70797 * (Could be removed. This was introduced to pacify the merge skeptics.)
70798 */
70799-static int slub_nomerge;
70800+static int slub_nomerge = 1;
70801
70802 /*
70803 * Calculate the order of allocation given an slab object size.
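Review bot: The comment directly above `slub_nomerge` still reads as if the flag were off by default ("If this is set then no merging ...") while the initialiser now makes it 1; update it to state the new default and its reason, for example `/* Merging is disabled by default so that caches keep their own flags (e.g. SLAB_USERCOPY) and never share slabs with unrelated caches. */`, with the rationale confirmed by the authors. As far as I can tell the `slub_nomerge` boot parameter only ever sets the flag, so with this default there is no runtime way to re-enable merging; if that is intended it is worth stating in the boot-parameter documentation.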
70804@@ -2912,7 +2914,7 @@ static int kmem_cache_open(struct kmem_c
70805 * list to avoid pounding the page allocator excessively.
70806 */
70807 set_min_partial(s, ilog2(s->size));
70808- s->refcount = 1;
70809+ atomic_set(&s->refcount, 1);
70810 #ifdef CONFIG_NUMA
70811 s->remote_node_defrag_ratio = 1000;
70812 #endif
70813@@ -3017,8 +3019,7 @@ static inline int kmem_cache_close(struc
70814 void kmem_cache_destroy(struct kmem_cache *s)
70815 {
70816 down_write(&slub_lock);
70817- s->refcount--;
70818- if (!s->refcount) {
70819+ if (atomic_dec_and_test(&s->refcount)) {
70820 list_del(&s->list);
70821 if (kmem_cache_close(s)) {
70822 printk(KERN_ERR "SLUB %s: %s called for cache that "
70823@@ -3228,6 +3229,50 @@ void *__kmalloc_node(size_t size, gfp_t
70824 EXPORT_SYMBOL(__kmalloc_node);
70825 #endif
70826
70827+void check_object_size(const void *ptr, unsigned long n, bool to)
70828+{
70829+
70830+#ifdef CONFIG_PAX_USERCOPY
70831+ struct page *page;
70832+ struct kmem_cache *s = NULL;
70833+ unsigned long offset;
70834+ const char *type;
70835+
70836+ if (!n)
70837+ return;
70838+
70839+ type = "<null>";
70840+ if (ZERO_OR_NULL_PTR(ptr))
70841+ goto report;
70842+
70843+ if (!virt_addr_valid(ptr))
70844+ return;
70845+
70846+ page = virt_to_head_page(ptr);
70847+
70848+ type = "<process stack>";
70849+ if (!PageSlab(page)) {
70850+ if (object_is_on_stack(ptr, n) == -1)
70851+ goto report;
70852+ return;
70853+ }
70854+
70855+ s = page->slab;
70856+ type = s->name;
70857+ if (!(s->flags & SLAB_USERCOPY))
70858+ goto report;
70859+
70860+ offset = (ptr - page_address(page)) % s->size;
70861+ if (offset <= s->objsize && n <= s->objsize - offset)
70862+ return;
70863+
70864+report:
70865+ pax_report_usercopy(ptr, n, to, type);
70866+#endif
70867+
70868+}
70869+EXPORT_SYMBOL(check_object_size);
70870+
70871 size_t ksize(const void *object)
70872 {
70873 struct page *page;
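Review bot: The SLUB `check_object_size` has no header comment, and its silent-accept paths are the ones a reader most needs explained: `!virt_addr_valid(ptr)` returns without any check (vmalloc, module and per-cpu addresses are not covered), and a non-slab page is accepted unless `object_is_on_stack` returns -1. I'd add a comment above the function stating that it validates a user copy of `n` bytes at `ptr` against the enclosing slab object or the current stack frame, reports through `pax_report_usercopy` with `to` giving the copy direction, and deliberately does not cover non-linear mappings. The bounds check itself, `offset <= s->objsize && n <= s->objsize - offset`, is correctly ordered to avoid the unsigned wrap.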
70874@@ -3502,7 +3547,7 @@ static void __init kmem_cache_bootstrap_
70875 int node;
70876
70877 list_add(&s->list, &slab_caches);
70878- s->refcount = -1;
70879+ atomic_set(&s->refcount, -1);
70880
70881 for_each_node_state(node, N_NORMAL_MEMORY) {
70882 struct kmem_cache_node *n = get_node(s, node);
70883@@ -3619,17 +3664,17 @@ void __init kmem_cache_init(void)
70884
70885 /* Caches that are not of the two-to-the-power-of size */
70886 if (KMALLOC_MIN_SIZE <= 32) {
70887- kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, 0);
70888+ kmalloc_caches[1] = create_kmalloc_cache("kmalloc-96", 96, SLAB_USERCOPY);
70889 caches++;
70890 }
70891
70892 if (KMALLOC_MIN_SIZE <= 64) {
70893- kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, 0);
70894+ kmalloc_caches[2] = create_kmalloc_cache("kmalloc-192", 192, SLAB_USERCOPY);
70895 caches++;
70896 }
70897
70898 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
70899- kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, 0);
70900+ kmalloc_caches[i] = create_kmalloc_cache("kmalloc", 1 << i, SLAB_USERCOPY);
70901 caches++;
70902 }
70903
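Review bot: Only the regular kmalloc caches receive SLAB_USERCOPY here; if the DMA kmalloc caches are created elsewhere in `kmem_cache_init` without the flag (not visible in this hunk), a copy_to_user/copy_from_user on a GFP_DMA kmalloc buffer will be reported by `check_object_size`, which treats a missing `SLAB_USERCOPY` as a violation. Worth confirming the DMA caches get the same treatment, or adding a comment stating that DMA buffers are intentionally not user-copyable.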
70904@@ -3697,7 +3742,7 @@ static int slab_unmergeable(struct kmem_
70905 /*
70906 * We may have set a slab to be unmergeable during bootstrap.
70907 */
70908- if (s->refcount < 0)
70909+ if (atomic_read(&s->refcount) < 0)
70910 return 1;
70911
70912 return 0;
70913@@ -3756,7 +3801,7 @@ struct kmem_cache *kmem_cache_create(con
70914 down_write(&slub_lock);
70915 s = find_mergeable(size, align, flags, name, ctor);
70916 if (s) {
70917- s->refcount++;
70918+ atomic_inc(&s->refcount);
70919 /*
70920 * Adjust the object sizes so that we clear
70921 * the complete object on kzalloc.
70922@@ -3765,7 +3810,7 @@ struct kmem_cache *kmem_cache_create(con
70923 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
70924
70925 if (sysfs_slab_alias(s, name)) {
70926- s->refcount--;
70927+ atomic_dec(&s->refcount);
70928 goto err;
70929 }
70930 up_write(&slub_lock);
70931@@ -3893,7 +3938,7 @@ void *__kmalloc_node_track_caller(size_t
70932 }
70933 #endif
70934
70935-#ifdef CONFIG_SYSFS
70936+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70937 static int count_inuse(struct page *page)
70938 {
70939 return page->inuse;
70940@@ -4280,12 +4325,12 @@ static void resiliency_test(void)
70941 validate_slab_cache(kmalloc_caches[9]);
70942 }
70943 #else
70944-#ifdef CONFIG_SYSFS
70945+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70946 static void resiliency_test(void) {};
70947 #endif
70948 #endif
70949
70950-#ifdef CONFIG_SYSFS
70951+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70952 enum slab_stat_type {
70953 SL_ALL, /* All slabs */
70954 SL_PARTIAL, /* Only partially allocated slabs */
70955@@ -4495,7 +4540,7 @@ SLAB_ATTR_RO(ctor);
70956
70957 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
70958 {
70959- return sprintf(buf, "%d\n", s->refcount - 1);
70960+ return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
70961 }
70962 SLAB_ATTR_RO(aliases);
70963
70964@@ -5025,6 +5070,7 @@ static char *create_unique_id(struct kme
70965 return name;
70966 }
70967
70968+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70969 static int sysfs_slab_add(struct kmem_cache *s)
70970 {
70971 int err;
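Review bot: The guard added before `sysfs_slab_add` (and the matching `#if`/`#endif` pairs around `sysfs_slab_remove` and `sysfs_slab_alias` in the three following hunks) looks nested inside the larger `#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)` block opened at the `enum slab_stat_type` hunk; unless that outer block is closed somewhere in between (not visible here), the inner guards are redundant and a later reader will wonder what they exclude. If they are needed, a comment naming the reason would help; otherwise drop them.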
70972@@ -5087,6 +5133,7 @@ static void sysfs_slab_remove(struct kme
70973 kobject_del(&s->kobj);
70974 kobject_put(&s->kobj);
70975 }
70976+#endif
70977
70978 /*
70979 * Need to buffer aliases during bootup until sysfs becomes
70980@@ -5100,6 +5147,7 @@ struct saved_alias {
70981
70982 static struct saved_alias *alias_list;
70983
70984+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
70985 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
70986 {
70987 struct saved_alias *al;
70988@@ -5122,6 +5170,7 @@ static int sysfs_slab_alias(struct kmem_
70989 alias_list = al;
70990 return 0;
70991 }
70992+#endif
70993
70994 static int __init slab_sysfs_init(void)
70995 {
70996@@ -5257,7 +5306,13 @@ static const struct file_operations proc
70997
70998 static int __init slab_proc_init(void)
70999 {
71000- proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
71001+ mode_t gr_mode = S_IRUGO;
71002+
71003+#ifdef CONFIG_GRKERNSEC_PROC_ADD
71004+ gr_mode = S_IRUSR;
71005+#endif
71006+
71007+ proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
71008 return 0;
71009 }
71010 module_init(slab_proc_init);
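Review bot: The mode-selection block in `slab_proc_init` is duplicated almost verbatim in `setup_vmstat` in mm/vmstat.c later in this patch, and the two already differ in one detail (`vmstat` adds S_IRGRP under CONFIG_GRKERNSEC_PROC_USERGROUP), which is the kind of drift a single definition avoids. Consider one small inline helper returning the restricted proc mode (constructed name: `gr_proc_mode()`) and calling it from both sites, with the `#ifdef` living in the helper only.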
71011diff -urNp linux-3.1.1/mm/swap.c linux-3.1.1/mm/swap.c
71012--- linux-3.1.1/mm/swap.c 2011-11-11 15:19:27.000000000 -0500
71013+++ linux-3.1.1/mm/swap.c 2011-11-16 18:39:08.000000000 -0500
71014@@ -31,6 +31,7 @@
71015 #include <linux/backing-dev.h>
71016 #include <linux/memcontrol.h>
71017 #include <linux/gfp.h>
71018+#include <linux/hugetlb.h>
71019
71020 #include "internal.h"
71021
71022@@ -71,6 +72,8 @@ static void __put_compound_page(struct p
71023
71024 __page_cache_release(page);
71025 dtor = get_compound_page_dtor(page);
71026+ if (!PageHuge(page))
71027+ BUG_ON(dtor != free_compound_page);
71028 (*dtor)(page);
71029 }
71030
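Review bot: `BUG_ON(dtor != free_compound_page)` for non-huge pages is an integrity check on a function pointer about to be called indirectly, and the `PageHuge` exemption deserves a comment, since a reader may otherwise assume every compound page shares one destructor: `/* only hugetlb installs a non-default compound destructor; any other value here means the dtor slot was corrupted */`. Whether that exemption is complete for this tree (transparent hugepages, for instance) I cannot tell from this hunk.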
71031diff -urNp linux-3.1.1/mm/swapfile.c linux-3.1.1/mm/swapfile.c
71032--- linux-3.1.1/mm/swapfile.c 2011-11-11 15:19:27.000000000 -0500
71033+++ linux-3.1.1/mm/swapfile.c 2011-11-16 18:39:08.000000000 -0500
71034@@ -62,7 +62,7 @@ static DEFINE_MUTEX(swapon_mutex);
71035
71036 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
71037 /* Activity counter to indicate that a swapon or swapoff has occurred */
71038-static atomic_t proc_poll_event = ATOMIC_INIT(0);
71039+static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
71040
71041 static inline unsigned char swap_count(unsigned char ent)
71042 {
71043@@ -1671,7 +1671,7 @@ SYSCALL_DEFINE1(swapoff, const char __us
71044 }
71045 filp_close(swap_file, NULL);
71046 err = 0;
71047- atomic_inc(&proc_poll_event);
71048+ atomic_inc_unchecked(&proc_poll_event);
71049 wake_up_interruptible(&proc_poll_wait);
71050
71051 out_dput:
71052@@ -1687,8 +1687,8 @@ static unsigned swaps_poll(struct file *
71053
71054 poll_wait(file, &proc_poll_wait, wait);
71055
71056- if (seq->poll_event != atomic_read(&proc_poll_event)) {
71057- seq->poll_event = atomic_read(&proc_poll_event);
71058+ if (seq->poll_event != atomic_read_unchecked(&proc_poll_event)) {
71059+ seq->poll_event = atomic_read_unchecked(&proc_poll_event);
71060 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
71061 }
71062
71063@@ -1786,7 +1786,7 @@ static int swaps_open(struct inode *inod
71064 return ret;
71065
71066 seq = file->private_data;
71067- seq->poll_event = atomic_read(&proc_poll_event);
71068+ seq->poll_event = atomic_read_unchecked(&proc_poll_event);
71069 return 0;
71070 }
71071
71072@@ -2124,7 +2124,7 @@ SYSCALL_DEFINE2(swapon, const char __use
71073 (p->flags & SWP_DISCARDABLE) ? "D" : "");
71074
71075 mutex_unlock(&swapon_mutex);
71076- atomic_inc(&proc_poll_event);
71077+ atomic_inc_unchecked(&proc_poll_event);
71078 wake_up_interruptible(&proc_poll_wait);
71079
71080 if (S_ISREG(inode->i_mode))
71081diff -urNp linux-3.1.1/mm/util.c linux-3.1.1/mm/util.c
71082--- linux-3.1.1/mm/util.c 2011-11-11 15:19:27.000000000 -0500
71083+++ linux-3.1.1/mm/util.c 2011-11-16 18:39:08.000000000 -0500
71084@@ -114,6 +114,7 @@ EXPORT_SYMBOL(memdup_user);
71085 * allocated buffer. Use this if you don't want to free the buffer immediately
71086 * like, for example, with RCU.
71087 */
71088+#undef __krealloc
71089 void *__krealloc(const void *p, size_t new_size, gfp_t flags)
71090 {
71091 void *ret;
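Review bot: `#undef __krealloc` immediately before the definition says nothing about why the name is a macro at this point; presumably a header wraps these allocators in a macro (size-overflow instrumentation or similar) and the real definition must escape it. A one-line comment at this first site, `/* a header wraps this name in a macro; undefine it so the real symbol is defined here */`, would cover this hunk, the `krealloc` hunk below it, and the matching `#undef` hunks in mm/vmalloc.c (`__vmalloc`, `vmalloc`, `vzalloc`, `vmalloc_user`, `vmalloc_node`, `vzalloc_node`, `vmalloc_exec`, `vmalloc_32`, `vmalloc_32_user`).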
71092@@ -147,6 +148,7 @@ EXPORT_SYMBOL(__krealloc);
71093 * behaves exactly like kmalloc(). If @size is 0 and @p is not a
71094 * %NULL pointer, the object pointed to is freed.
71095 */
71096+#undef krealloc
71097 void *krealloc(const void *p, size_t new_size, gfp_t flags)
71098 {
71099 void *ret;
71100@@ -243,6 +245,12 @@ void __vma_link_list(struct mm_struct *m
71101 void arch_pick_mmap_layout(struct mm_struct *mm)
71102 {
71103 mm->mmap_base = TASK_UNMAPPED_BASE;
71104+
71105+#ifdef CONFIG_PAX_RANDMMAP
71106+ if (mm->pax_flags & MF_PAX_RANDMMAP)
71107+ mm->mmap_base += mm->delta_mmap;
71108+#endif
71109+
71110 mm->get_unmapped_area = arch_get_unmapped_area;
71111 mm->unmap_area = arch_unmap_area;
71112 }
71113diff -urNp linux-3.1.1/mm/vmalloc.c linux-3.1.1/mm/vmalloc.c
71114--- linux-3.1.1/mm/vmalloc.c 2011-11-11 15:19:27.000000000 -0500
71115+++ linux-3.1.1/mm/vmalloc.c 2011-11-16 18:40:44.000000000 -0500
71116@@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
71117
71118 pte = pte_offset_kernel(pmd, addr);
71119 do {
71120- pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
71121- WARN_ON(!pte_none(ptent) && !pte_present(ptent));
71122+
71123+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
71124+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
71125+ BUG_ON(!pte_exec(*pte));
71126+ set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
71127+ continue;
71128+ }
71129+#endif
71130+
71131+ {
71132+ pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
71133+ WARN_ON(!pte_none(ptent) && !pte_present(ptent));
71134+ }
71135 } while (pte++, addr += PAGE_SIZE, addr != end);
71136 }
71137
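Review bot: The `continue` in the new KERNEXEC branch of `vunmap_pte_range` relies on do-while semantics, where `continue` jumps to the controlling expression `(pte++, addr += PAGE_SIZE, addr != end)` and so still advances the iterator; that is correct but easy to misread as an infinite loop, so annotate it: `continue; /* the while clause still advances pte and addr */`. The branch also assumes `__pa(addr)` is meaningful for an address in the module exec range, which holds only if that range lies inside the direct mapping; I cannot verify that from this hunk.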
71138@@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
71139 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
71140 {
71141 pte_t *pte;
71142+ int ret = -ENOMEM;
71143
71144 /*
71145 * nr is a running index into the array which helps higher level
71146@@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
71147 pte = pte_alloc_kernel(pmd, addr);
71148 if (!pte)
71149 return -ENOMEM;
71150+
71151+ pax_open_kernel();
71152 do {
71153 struct page *page = pages[*nr];
71154
71155- if (WARN_ON(!pte_none(*pte)))
71156- return -EBUSY;
71157- if (WARN_ON(!page))
71158- return -ENOMEM;
71159+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
71160+ if (pgprot_val(prot) & _PAGE_NX)
71161+#endif
71162+
71163+ if (WARN_ON(!pte_none(*pte))) {
71164+ ret = -EBUSY;
71165+ goto out;
71166+ }
71167+ if (WARN_ON(!page)) {
71168+ ret = -ENOMEM;
71169+ goto out;
71170+ }
71171 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
71172 (*nr)++;
71173 } while (pte++, addr += PAGE_SIZE, addr != end);
71174- return 0;
71175+ ret = 0;
71176+out:
71177+ pax_close_kernel();
71178+ return ret;
71179 }
71180
71181 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
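Review bot: In `vmap_pte_range` the KERNEXEC skip is written as a bare `if (pgprot_val(prot) & _PAGE_NX)` that ends at `#endif` and attaches to the following `if (WARN_ON(!pte_none(*pte)))`; any statement inserted between the two later (a trace call, braces added in a cleanup) silently changes what is skipped. I read the skip as pairing with the `vunmap_pte_range` hunk above, where executable ptes in the module range are re-pointed rather than cleared, so `pte_none` legitimately fails for them; a named local makes that visible and removes the trap. The same dangling-`if`-across-`#endif` construct appears in the `vmalloc_to_page` (pud_large/pmd_large) and `__vmalloc_node_range` hunks below.
```c
	do {
		struct page *page = pages[*nr];
		bool expect_empty = true;

#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
		/* KERNEXEC: exec ptes in the module range are left populated by vunmap_pte_range */
		expect_empty = !!(pgprot_val(prot) & _PAGE_NX);
#endif

		if (expect_empty && WARN_ON(!pte_none(*pte))) {
			ret = -EBUSY;
			goto out;
		}
		/* … unchanged: page check, set_pte_at, (*nr)++ … */
```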
71182@@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
71183 * and fall back on vmalloc() if that fails. Others
71184 * just put it in the vmalloc space.
71185 */
71186-#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
71187+#ifdef CONFIG_MODULES
71188+#ifdef MODULES_VADDR
71189 unsigned long addr = (unsigned long)x;
71190 if (addr >= MODULES_VADDR && addr < MODULES_END)
71191 return 1;
71192 #endif
71193+
71194+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
71195+ if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
71196+ return 1;
71197+#endif
71198+
71199+#endif
71200+
71201 return is_vmalloc_addr(x);
71202 }
71203
71204@@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
71205
71206 if (!pgd_none(*pgd)) {
71207 pud_t *pud = pud_offset(pgd, addr);
71208+#ifdef CONFIG_X86
71209+ if (!pud_large(*pud))
71210+#endif
71211 if (!pud_none(*pud)) {
71212 pmd_t *pmd = pmd_offset(pud, addr);
71213+#ifdef CONFIG_X86
71214+ if (!pmd_large(*pmd))
71215+#endif
71216 if (!pmd_none(*pmd)) {
71217 pte_t *ptep, pte;
71218
71219@@ -1294,6 +1334,16 @@ static struct vm_struct *__get_vm_area_n
71220 struct vm_struct *area;
71221
71222 BUG_ON(in_interrupt());
71223+
71224+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
71225+ if (flags & VM_KERNEXEC) {
71226+ if (start != VMALLOC_START || end != VMALLOC_END)
71227+ return NULL;
71228+ start = (unsigned long)MODULES_EXEC_VADDR;
71229+ end = (unsigned long)MODULES_EXEC_END;
71230+ }
71231+#endif
71232+
71233 if (flags & VM_IOREMAP) {
71234 int bit = fls(size);
71235
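Review bot: A VM_KERNEXEC request with a range other than VMALLOC_START..VMALLOC_END returns NULL with no diagnostic, so a caller passing its own bounds sees what looks like an out-of-memory failure; `if (WARN_ON_ONCE(start != VMALLOC_START || end != VMALLOC_END)) return NULL;` keeps the behaviour and makes the misuse visible. The function continues outside the hunk.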
71236@@ -1526,6 +1576,11 @@ void *vmap(struct page **pages, unsigned
71237 if (count > totalram_pages)
71238 return NULL;
71239
71240+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
71241+ if (!(pgprot_val(prot) & _PAGE_NX))
71242+ flags |= VM_KERNEXEC;
71243+#endif
71244+
71245 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
71246 __builtin_return_address(0));
71247 if (!area)
71248@@ -1627,6 +1682,13 @@ void *__vmalloc_node_range(unsigned long
71249 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
71250 return NULL;
71251
71252+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
71253+ if (!(pgprot_val(prot) & _PAGE_NX))
71254+ area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST | VM_KERNEXEC,
71255+ VMALLOC_START, VMALLOC_END, node, gfp_mask, caller);
71256+ else
71257+#endif
71258+
71259 area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNLIST,
71260 start, end, node, gfp_mask, caller);
71261
71262@@ -1672,6 +1734,7 @@ static void *__vmalloc_node(unsigned lon
71263 gfp_mask, prot, node, caller);
71264 }
71265
71266+#undef __vmalloc
71267 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
71268 {
71269 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
71270@@ -1695,6 +1758,7 @@ static inline void *__vmalloc_node_flags
71271 * For tight control over page level allocator and protection flags
71272 * use __vmalloc() instead.
71273 */
71274+#undef vmalloc
71275 void *vmalloc(unsigned long size)
71276 {
71277 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
71278@@ -1711,6 +1775,7 @@ EXPORT_SYMBOL(vmalloc);
71279 * For tight control over page level allocator and protection flags
71280 * use __vmalloc() instead.
71281 */
71282+#undef vzalloc
71283 void *vzalloc(unsigned long size)
71284 {
71285 return __vmalloc_node_flags(size, -1,
71286@@ -1725,6 +1790,7 @@ EXPORT_SYMBOL(vzalloc);
71287 * The resulting memory area is zeroed so it can be mapped to userspace
71288 * without leaking data.
71289 */
71290+#undef vmalloc_user
71291 void *vmalloc_user(unsigned long size)
71292 {
71293 struct vm_struct *area;
71294@@ -1752,6 +1818,7 @@ EXPORT_SYMBOL(vmalloc_user);
71295 * For tight control over page level allocator and protection flags
71296 * use __vmalloc() instead.
71297 */
71298+#undef vmalloc_node
71299 void *vmalloc_node(unsigned long size, int node)
71300 {
71301 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
71302@@ -1771,6 +1838,7 @@ EXPORT_SYMBOL(vmalloc_node);
71303 * For tight control over page level allocator and protection flags
71304 * use __vmalloc_node() instead.
71305 */
71306+#undef vzalloc_node
71307 void *vzalloc_node(unsigned long size, int node)
71308 {
71309 return __vmalloc_node_flags(size, node,
71310@@ -1793,10 +1861,10 @@ EXPORT_SYMBOL(vzalloc_node);
71311 * For tight control over page level allocator and protection flags
71312 * use __vmalloc() instead.
71313 */
71314-
71315+#undef vmalloc_exec
71316 void *vmalloc_exec(unsigned long size)
71317 {
71318- return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
71319+ return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
71320 -1, __builtin_return_address(0));
71321 }
71322
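Review bot: Adding `__GFP_ZERO` to `vmalloc_exec` changes what callers see (previously uninitialised memory) and the reason is not stated; presumably it guarantees that a region about to be mapped executable never carries stale contents from earlier users of the pages. That deserves a comment above the function, `/* zeroed: this region is mapped executable, so stale page contents must never be reachable through it */`, with the intent confirmed by the authors; callers that fill the whole region themselves now pay for an extra clear.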
71323@@ -1815,6 +1883,7 @@ void *vmalloc_exec(unsigned long size)
71324 * Allocate enough 32bit PA addressable pages to cover @size from the
71325 * page level allocator and map them into contiguous kernel virtual space.
71326 */
71327+#undef vmalloc_32
71328 void *vmalloc_32(unsigned long size)
71329 {
71330 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
71331@@ -1829,6 +1898,7 @@ EXPORT_SYMBOL(vmalloc_32);
71332 * The resulting memory area is 32bit addressable and zeroed so it can be
71333 * mapped to userspace without leaking data.
71334 */
71335+#undef vmalloc_32_user
71336 void *vmalloc_32_user(unsigned long size)
71337 {
71338 struct vm_struct *area;
71339@@ -2091,6 +2161,8 @@ int remap_vmalloc_range(struct vm_area_s
71340 unsigned long uaddr = vma->vm_start;
71341 unsigned long usize = vma->vm_end - vma->vm_start;
71342
71343+ BUG_ON(vma->vm_mirror);
71344+
71345 if ((PAGE_SIZE-1) & (unsigned long)addr)
71346 return -EINVAL;
71347
71348diff -urNp linux-3.1.1/mm/vmstat.c linux-3.1.1/mm/vmstat.c
71349--- linux-3.1.1/mm/vmstat.c 2011-11-11 15:19:27.000000000 -0500
71350+++ linux-3.1.1/mm/vmstat.c 2011-11-16 18:40:44.000000000 -0500
71351@@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
71352 *
71353 * vm_stat contains the global counters
71354 */
71355-atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
71356+atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
71357 EXPORT_SYMBOL(vm_stat);
71358
71359 #ifdef CONFIG_SMP
71360@@ -454,7 +454,7 @@ void refresh_cpu_vm_stats(int cpu)
71361 v = p->vm_stat_diff[i];
71362 p->vm_stat_diff[i] = 0;
71363 local_irq_restore(flags);
71364- atomic_long_add(v, &zone->vm_stat[i]);
71365+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
71366 global_diff[i] += v;
71367 #ifdef CONFIG_NUMA
71368 /* 3 seconds idle till flush */
71369@@ -492,7 +492,7 @@ void refresh_cpu_vm_stats(int cpu)
71370
71371 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
71372 if (global_diff[i])
71373- atomic_long_add(global_diff[i], &vm_stat[i]);
71374+ atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
71375 }
71376
71377 #endif
71378@@ -1207,10 +1207,20 @@ static int __init setup_vmstat(void)
71379 start_cpu_timer(cpu);
71380 #endif
71381 #ifdef CONFIG_PROC_FS
71382- proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
71383- proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
71384- proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
71385- proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
71386+ {
71387+ mode_t gr_mode = S_IRUGO;
71388+#ifdef CONFIG_GRKERNSEC_PROC_ADD
71389+ gr_mode = S_IRUSR;
71390+#endif
71391+ proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
71392+ proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
71393+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
71394+ proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
71395+#else
71396+ proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
71397+#endif
71398+ proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
71399+ }
71400 #endif
71401 return 0;
71402 }
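Review bot: In `setup_vmstat` only `vmstat` gains `S_IRGRP` under CONFIG_GRKERNSEC_PROC_USERGROUP while `buddyinfo`, `pagetypeinfo` and `zoneinfo` stay owner-only; if that asymmetry is deliberate (monitoring tools commonly read vmstat) a comment on the `#ifdef`, `/* vmstat is group-readable so the proc group can run monitoring without root; the others expose layout detail and stay root-only */`, would stop someone "fixing" it later, with the stated reason checked against the authors' intent.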
71403diff -urNp linux-3.1.1/net/8021q/vlan.c linux-3.1.1/net/8021q/vlan.c
71404--- linux-3.1.1/net/8021q/vlan.c 2011-11-11 15:19:27.000000000 -0500
71405+++ linux-3.1.1/net/8021q/vlan.c 2011-11-16 18:39:08.000000000 -0500
71406@@ -588,8 +588,7 @@ static int vlan_ioctl_handler(struct net
71407 err = -EPERM;
71408 if (!capable(CAP_NET_ADMIN))
71409 break;
71410- if ((args.u.name_type >= 0) &&
71411- (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
71412+ if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
71413 struct vlan_net *vn;
71414
71415 vn = net_generic(net, vlan_net_id);
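Review bot: Dropping the `args.u.name_type >= 0` half of the condition is only equivalent if `name_type` is an unsigned type (its declaration is outside this hunk); with a signed type a negative value would now pass `< VLAN_NAME_TYPE_HIGHEST` and reach the code that uses it. If the field is unsigned, as I believe it is in the vlan ioctl argument structure, the change is correct and a short comment, `/* name_type is unsigned: only the upper bound needs checking */`, would keep the next reader from re-adding the lower bound.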
71416diff -urNp linux-3.1.1/net/9p/trans_fd.c linux-3.1.1/net/9p/trans_fd.c
71417--- linux-3.1.1/net/9p/trans_fd.c 2011-11-11 15:19:27.000000000 -0500
71418+++ linux-3.1.1/net/9p/trans_fd.c 2011-11-16 18:39:08.000000000 -0500
71419@@ -423,7 +423,7 @@ static int p9_fd_write(struct p9_client
71420 oldfs = get_fs();
71421 set_fs(get_ds());
71422 /* The cast to a user pointer is valid due to the set_fs() */
71423- ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
71424+ ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
71425 set_fs(oldfs);
71426
71427 if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
71428diff -urNp linux-3.1.1/net/9p/trans_virtio.c linux-3.1.1/net/9p/trans_virtio.c
71429--- linux-3.1.1/net/9p/trans_virtio.c 2011-11-11 15:19:27.000000000 -0500
71430+++ linux-3.1.1/net/9p/trans_virtio.c 2011-11-16 18:39:08.000000000 -0500
71431@@ -327,7 +327,7 @@ req_retry_pinned:
71432 } else {
71433 char *pbuf;
71434 if (req->tc->pubuf)
71435- pbuf = (__force char *) req->tc->pubuf;
71436+ pbuf = (char __force_kernel *) req->tc->pubuf;
71437 else
71438 pbuf = req->tc->pkbuf;
71439 outp = pack_sg_list(chan->sg, out, VIRTQUEUE_NUM, pbuf,
71440@@ -357,7 +357,7 @@ req_retry_pinned:
71441 } else {
71442 char *pbuf;
71443 if (req->tc->pubuf)
71444- pbuf = (__force char *) req->tc->pubuf;
71445+ pbuf = (char __force_kernel *) req->tc->pubuf;
71446 else
71447 pbuf = req->tc->pkbuf;
71448
71449diff -urNp linux-3.1.1/net/atm/atm_misc.c linux-3.1.1/net/atm/atm_misc.c
71450--- linux-3.1.1/net/atm/atm_misc.c 2011-11-11 15:19:27.000000000 -0500
71451+++ linux-3.1.1/net/atm/atm_misc.c 2011-11-16 18:39:08.000000000 -0500
71452@@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
71453 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
71454 return 1;
71455 atm_return(vcc, truesize);
71456- atomic_inc(&vcc->stats->rx_drop);
71457+ atomic_inc_unchecked(&vcc->stats->rx_drop);
71458 return 0;
71459 }
71460 EXPORT_SYMBOL(atm_charge);
71461@@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
71462 }
71463 }
71464 atm_return(vcc, guess);
71465- atomic_inc(&vcc->stats->rx_drop);
71466+ atomic_inc_unchecked(&vcc->stats->rx_drop);
71467 return NULL;
71468 }
71469 EXPORT_SYMBOL(atm_alloc_charge);
71470@@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
71471
71472 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
71473 {
71474-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
71475+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
71476 __SONET_ITEMS
71477 #undef __HANDLE_ITEM
71478 }
71479@@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
71480
71481 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
71482 {
71483-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
71484+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
71485 __SONET_ITEMS
71486 #undef __HANDLE_ITEM
71487 }
71488diff -urNp linux-3.1.1/net/atm/lec.h linux-3.1.1/net/atm/lec.h
71489--- linux-3.1.1/net/atm/lec.h 2011-11-11 15:19:27.000000000 -0500
71490+++ linux-3.1.1/net/atm/lec.h 2011-11-16 18:39:08.000000000 -0500
71491@@ -48,7 +48,7 @@ struct lane2_ops {
71492 const u8 *tlvs, u32 sizeoftlvs);
71493 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
71494 const u8 *tlvs, u32 sizeoftlvs);
71495-};
71496+} __no_const;
71497
71498 /*
71499 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
71500diff -urNp linux-3.1.1/net/atm/mpc.h linux-3.1.1/net/atm/mpc.h
71501--- linux-3.1.1/net/atm/mpc.h 2011-11-11 15:19:27.000000000 -0500
71502+++ linux-3.1.1/net/atm/mpc.h 2011-11-16 18:39:08.000000000 -0500
71503@@ -33,7 +33,7 @@ struct mpoa_client {
71504 struct mpc_parameters parameters; /* parameters for this client */
71505
71506 const struct net_device_ops *old_ops;
71507- struct net_device_ops new_ops;
71508+ net_device_ops_no_const new_ops;
71509 };
71510
71511
71512diff -urNp linux-3.1.1/net/atm/mpoa_caches.c linux-3.1.1/net/atm/mpoa_caches.c
71513--- linux-3.1.1/net/atm/mpoa_caches.c 2011-11-11 15:19:27.000000000 -0500
71514+++ linux-3.1.1/net/atm/mpoa_caches.c 2011-11-16 18:40:44.000000000 -0500
71515@@ -255,6 +255,8 @@ static void check_resolving_entries(stru
71516 struct timeval now;
71517 struct k_message msg;
71518
71519+ pax_track_stack();
71520+
71521 do_gettimeofday(&now);
71522
71523 read_lock_bh(&client->ingress_lock);
71524diff -urNp linux-3.1.1/net/atm/proc.c linux-3.1.1/net/atm/proc.c
71525--- linux-3.1.1/net/atm/proc.c 2011-11-11 15:19:27.000000000 -0500
71526+++ linux-3.1.1/net/atm/proc.c 2011-11-16 18:39:08.000000000 -0500
71527@@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
71528 const struct k_atm_aal_stats *stats)
71529 {
71530 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
71531- atomic_read(&stats->tx), atomic_read(&stats->tx_err),
71532- atomic_read(&stats->rx), atomic_read(&stats->rx_err),
71533- atomic_read(&stats->rx_drop));
71534+ atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
71535+ atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
71536+ atomic_read_unchecked(&stats->rx_drop));
71537 }
71538
71539 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
71540diff -urNp linux-3.1.1/net/atm/resources.c linux-3.1.1/net/atm/resources.c
71541--- linux-3.1.1/net/atm/resources.c 2011-11-11 15:19:27.000000000 -0500
71542+++ linux-3.1.1/net/atm/resources.c 2011-11-16 18:39:08.000000000 -0500
71543@@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
71544 static void copy_aal_stats(struct k_atm_aal_stats *from,
71545 struct atm_aal_stats *to)
71546 {
71547-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
71548+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
71549 __AAL_STAT_ITEMS
71550 #undef __HANDLE_ITEM
71551 }
71552@@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
71553 static void subtract_aal_stats(struct k_atm_aal_stats *from,
71554 struct atm_aal_stats *to)
71555 {
71556-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
71557+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
71558 __AAL_STAT_ITEMS
71559 #undef __HANDLE_ITEM
71560 }
71561diff -urNp linux-3.1.1/net/batman-adv/hard-interface.c linux-3.1.1/net/batman-adv/hard-interface.c
71562--- linux-3.1.1/net/batman-adv/hard-interface.c 2011-11-11 15:19:27.000000000 -0500
71563+++ linux-3.1.1/net/batman-adv/hard-interface.c 2011-11-16 18:39:08.000000000 -0500
71564@@ -347,8 +347,8 @@ int hardif_enable_interface(struct hard_
71565 hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
71566 dev_add_pack(&hard_iface->batman_adv_ptype);
71567
71568- atomic_set(&hard_iface->seqno, 1);
71569- atomic_set(&hard_iface->frag_seqno, 1);
71570+ atomic_set_unchecked(&hard_iface->seqno, 1);
71571+ atomic_set_unchecked(&hard_iface->frag_seqno, 1);
71572 bat_info(hard_iface->soft_iface, "Adding interface: %s\n",
71573 hard_iface->net_dev->name);
71574
71575diff -urNp linux-3.1.1/net/batman-adv/routing.c linux-3.1.1/net/batman-adv/routing.c
71576--- linux-3.1.1/net/batman-adv/routing.c 2011-11-11 15:19:27.000000000 -0500
71577+++ linux-3.1.1/net/batman-adv/routing.c 2011-11-16 18:39:08.000000000 -0500
71578@@ -656,7 +656,7 @@ void receive_bat_packet(const struct eth
71579 return;
71580
71581 /* could be changed by schedule_own_packet() */
71582- if_incoming_seqno = atomic_read(&if_incoming->seqno);
71583+ if_incoming_seqno = atomic_read_unchecked(&if_incoming->seqno);
71584
71585 has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
71586
71587diff -urNp linux-3.1.1/net/batman-adv/send.c linux-3.1.1/net/batman-adv/send.c
71588--- linux-3.1.1/net/batman-adv/send.c 2011-11-11 15:19:27.000000000 -0500
71589+++ linux-3.1.1/net/batman-adv/send.c 2011-11-16 18:39:08.000000000 -0500
71590@@ -326,7 +326,7 @@ void schedule_own_packet(struct hard_ifa
71591
71592 /* change sequence number to network order */
71593 batman_packet->seqno =
71594- htonl((uint32_t)atomic_read(&hard_iface->seqno));
71595+ htonl((uint32_t)atomic_read_unchecked(&hard_iface->seqno));
71596
71597 batman_packet->ttvn = atomic_read(&bat_priv->ttvn);
71598 batman_packet->tt_crc = htons((uint16_t)atomic_read(&bat_priv->tt_crc));
71599@@ -343,7 +343,7 @@ void schedule_own_packet(struct hard_ifa
71600 else
71601 batman_packet->gw_flags = NO_FLAGS;
71602
71603- atomic_inc(&hard_iface->seqno);
71604+ atomic_inc_unchecked(&hard_iface->seqno);
71605
71606 slide_own_bcast_window(hard_iface);
71607 send_time = own_send_time(bat_priv);
71608diff -urNp linux-3.1.1/net/batman-adv/soft-interface.c linux-3.1.1/net/batman-adv/soft-interface.c
71609--- linux-3.1.1/net/batman-adv/soft-interface.c 2011-11-11 15:19:27.000000000 -0500
71610+++ linux-3.1.1/net/batman-adv/soft-interface.c 2011-11-16 18:39:08.000000000 -0500
71611@@ -632,7 +632,7 @@ static int interface_tx(struct sk_buff *
71612
71613 /* set broadcast sequence number */
71614 bcast_packet->seqno =
71615- htonl(atomic_inc_return(&bat_priv->bcast_seqno));
71616+ htonl(atomic_inc_return_unchecked(&bat_priv->bcast_seqno));
71617
71618 add_bcast_packet_to_list(bat_priv, skb, 1);
71619
71620@@ -824,7 +824,7 @@ struct net_device *softif_create(const c
71621 atomic_set(&bat_priv->batman_queue_left, BATMAN_QUEUE_LEN);
71622
71623 atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
71624- atomic_set(&bat_priv->bcast_seqno, 1);
71625+ atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
71626 atomic_set(&bat_priv->ttvn, 0);
71627 atomic_set(&bat_priv->tt_local_changes, 0);
71628 atomic_set(&bat_priv->tt_ogm_append_cnt, 0);
71629diff -urNp linux-3.1.1/net/batman-adv/types.h linux-3.1.1/net/batman-adv/types.h
71630--- linux-3.1.1/net/batman-adv/types.h 2011-11-11 15:19:27.000000000 -0500
71631+++ linux-3.1.1/net/batman-adv/types.h 2011-11-16 18:39:08.000000000 -0500
71632@@ -38,8 +38,8 @@ struct hard_iface {
71633 int16_t if_num;
71634 char if_status;
71635 struct net_device *net_dev;
71636- atomic_t seqno;
71637- atomic_t frag_seqno;
71638+ atomic_unchecked_t seqno;
71639+ atomic_unchecked_t frag_seqno;
71640 unsigned char *packet_buff;
71641 int packet_len;
71642 struct kobject *hardif_obj;
71643@@ -153,7 +153,7 @@ struct bat_priv {
71644 atomic_t orig_interval; /* uint */
71645 atomic_t hop_penalty; /* uint */
71646 atomic_t log_level; /* uint */
71647- atomic_t bcast_seqno;
71648+ atomic_unchecked_t bcast_seqno;
71649 atomic_t bcast_queue_left;
71650 atomic_t batman_queue_left;
71651 atomic_t ttvn; /* tranlation table version number */
71652diff -urNp linux-3.1.1/net/batman-adv/unicast.c linux-3.1.1/net/batman-adv/unicast.c
71653--- linux-3.1.1/net/batman-adv/unicast.c 2011-11-11 15:19:27.000000000 -0500
71654+++ linux-3.1.1/net/batman-adv/unicast.c 2011-11-16 18:39:08.000000000 -0500
71655@@ -264,7 +264,7 @@ int frag_send_skb(struct sk_buff *skb, s
71656 frag1->flags = UNI_FRAG_HEAD | large_tail;
71657 frag2->flags = large_tail;
71658
71659- seqno = atomic_add_return(2, &hard_iface->frag_seqno);
71660+ seqno = atomic_add_return_unchecked(2, &hard_iface->frag_seqno);
71661 frag1->seqno = htons(seqno - 1);
71662 frag2->seqno = htons(seqno);
71663
71664diff -urNp linux-3.1.1/net/bluetooth/hci_conn.c linux-3.1.1/net/bluetooth/hci_conn.c
71665--- linux-3.1.1/net/bluetooth/hci_conn.c 2011-11-11 15:19:27.000000000 -0500
71666+++ linux-3.1.1/net/bluetooth/hci_conn.c 2011-11-16 18:39:08.000000000 -0500
71667@@ -218,7 +218,7 @@ void hci_le_start_enc(struct hci_conn *c
71668 cp.handle = cpu_to_le16(conn->handle);
71669 memcpy(cp.ltk, ltk, sizeof(cp.ltk));
71670 cp.ediv = ediv;
71671- memcpy(cp.rand, rand, sizeof(rand));
71672+ memcpy(cp.rand, rand, sizeof(cp.rand));
71673
71674 hci_send_cmd(hdev, HCI_OP_LE_START_ENC, sizeof(cp), &cp);
71675 }
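Review bot: The corrected `sizeof(cp.rand)` makes the copy length depend on the command struct rather than on the `rand` argument, so the function now relies on the caller supplying at least that many bytes; `hci_le_start_enc`'s signature sits outside the hunk, and if `rand` is declared as a pointer (which is what would have made the old `sizeof(rand)` yield only the pointer size) that precondition is invisible at the call site. A comment on the prototype, `/* ltk and rand must point to sizeof(cp.ltk) and sizeof(cp.rand) bytes respectively */`, or array-typed parameters would pin it down. The same applies to the `hci_le_ltk_reply` hunk that follows, where `sizeof(cp.ltk)` replaces `sizeof(ltk)`. Note also that `cp` carries the long-term key and is not cleared after `hci_send_cmd()` returns; whether that matters depends on how the frame's memory is reused, which this hunk does not show.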
71676@@ -234,7 +234,7 @@ void hci_le_ltk_reply(struct hci_conn *c
71677 memset(&cp, 0, sizeof(cp));
71678
71679 cp.handle = cpu_to_le16(conn->handle);
71680- memcpy(cp.ltk, ltk, sizeof(ltk));
71681+ memcpy(cp.ltk, ltk, sizeof(cp.ltk));
71682
71683 hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
71684 }
71685diff -urNp linux-3.1.1/net/bridge/br_multicast.c linux-3.1.1/net/bridge/br_multicast.c
71686--- linux-3.1.1/net/bridge/br_multicast.c 2011-11-11 15:19:27.000000000 -0500
71687+++ linux-3.1.1/net/bridge/br_multicast.c 2011-11-16 18:39:08.000000000 -0500
71688@@ -1485,7 +1485,7 @@ static int br_multicast_ipv6_rcv(struct
71689 nexthdr = ip6h->nexthdr;
71690 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
71691
71692- if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
71693+ if (nexthdr != IPPROTO_ICMPV6)
71694 return 0;
71695
71696 /* Okay, we found ICMPv6 header */
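Review bot: Dropping `offset < 0` from the guard makes the new code depend on `ipv6_skip_exthdr()` leaving `nexthdr` untouched when it fails, since only then does a negative `offset` still imply `nexthdr != IPPROTO_ICMPV6`; that invariant lives in another file and is not stated here. If it ever changes, a negative `offset` would flow into the header pulls that presumably follow later in `br_multicast_ipv6_rcv` (the rest of the function is outside the hunk). Either keep the explicit check, `if (offset < 0 || nexthdr != IPPROTO_ICMPV6)`, or record the reasoning in place: `/* on failure ipv6_skip_exthdr() leaves nexthdr as an extension header type, never ICMPV6, so offset < 0 is already excluded */`.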
71697diff -urNp linux-3.1.1/net/bridge/netfilter/ebtables.c linux-3.1.1/net/bridge/netfilter/ebtables.c
71698--- linux-3.1.1/net/bridge/netfilter/ebtables.c 2011-11-11 15:19:27.000000000 -0500
71699+++ linux-3.1.1/net/bridge/netfilter/ebtables.c 2011-11-16 18:40:44.000000000 -0500
71700@@ -1513,7 +1513,7 @@ static int do_ebt_get_ctl(struct sock *s
71701 tmp.valid_hooks = t->table->valid_hooks;
71702 }
71703 mutex_unlock(&ebt_mutex);
71704- if (copy_to_user(user, &tmp, *len) != 0){
71705+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
71706 BUGPRINT("c2u Didn't work\n");
71707 ret = -EFAULT;
71708 break;
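Review bot: The new `*len > sizeof(tmp)` test is folded into the `copy_to_user()` failure path, so an oversized length from userspace is reported as `-EFAULT` with the `"c2u Didn't work\n"` debug message, which describes a different failure; a separate `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }` before the copy keeps the error codes truthful. The comparison also promotes a negative `int` length to a large `size_t`, so negative values are rejected as well, which is fine but worth a word in a comment. Whether `*len` was already validated earlier in `do_ebt_get_ctl` cannot be seen from the hunk, as the function begins outside it.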
71709@@ -1781,6 +1781,8 @@ static int compat_copy_everything_to_use
71710 int ret;
71711 void __user *pos;
71712
71713+ pax_track_stack();
71714+
71715 memset(&tinfo, 0, sizeof(tinfo));
71716
71717 if (cmd == EBT_SO_GET_ENTRIES) {
71718diff -urNp linux-3.1.1/net/caif/caif_socket.c linux-3.1.1/net/caif/caif_socket.c
71719--- linux-3.1.1/net/caif/caif_socket.c 2011-11-11 15:19:27.000000000 -0500
71720+++ linux-3.1.1/net/caif/caif_socket.c 2011-11-16 18:39:08.000000000 -0500
71721@@ -48,19 +48,20 @@ static struct dentry *debugfsdir;
71722 #ifdef CONFIG_DEBUG_FS
71723 struct debug_fs_counter {
71724 atomic_t caif_nr_socks;
71725- atomic_t caif_sock_create;
71726- atomic_t num_connect_req;
71727- atomic_t num_connect_resp;
71728- atomic_t num_connect_fail_resp;
71729- atomic_t num_disconnect;
71730- atomic_t num_remote_shutdown_ind;
71731- atomic_t num_tx_flow_off_ind;
71732- atomic_t num_tx_flow_on_ind;
71733- atomic_t num_rx_flow_off;
71734- atomic_t num_rx_flow_on;
71735+ atomic_unchecked_t caif_sock_create;
71736+ atomic_unchecked_t num_connect_req;
71737+ atomic_unchecked_t num_connect_resp;
71738+ atomic_unchecked_t num_connect_fail_resp;
71739+ atomic_unchecked_t num_disconnect;
71740+ atomic_unchecked_t num_remote_shutdown_ind;
71741+ atomic_unchecked_t num_tx_flow_off_ind;
71742+ atomic_unchecked_t num_tx_flow_on_ind;
71743+ atomic_unchecked_t num_rx_flow_off;
71744+ atomic_unchecked_t num_rx_flow_on;
71745 };
71746 static struct debug_fs_counter cnt;
71747 #define dbfs_atomic_inc(v) atomic_inc_return(v)
71748+#define dbfs_atomic_inc_unchecked(v) atomic_inc_return_unchecked(v)
71749 #define dbfs_atomic_dec(v) atomic_dec_return(v)
71750 #else
71751 #define dbfs_atomic_inc(v) 0
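Review bot: `dbfs_atomic_inc_unchecked` is defined only inside the `#ifdef CONFIG_DEBUG_FS` branch, yet the call sites added later in this file (`caif_queue_rcv_skb`, `caif_ctrl_cb`, `caif_check_flow_release`, `caif_connect`, `caif_release`, `caif_create`) are unconditional; the `#else` branch visible at the end of the hunk gains no counterpart, and the hunk's line counts (19 to 20) show that only the one definition was added. A `CONFIG_DEBUG_FS=n` build will therefore fail on an implicit declaration unless the stub happens to be defined past the end of the hunk. Add `#define dbfs_atomic_inc_unchecked(v) 0` next to `#define dbfs_atomic_inc(v) 0` in the `#else` branch.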
71752@@ -161,7 +162,7 @@ static int caif_queue_rcv_skb(struct soc
71753 atomic_read(&cf_sk->sk.sk_rmem_alloc),
71754 sk_rcvbuf_lowwater(cf_sk));
71755 set_rx_flow_off(cf_sk);
71756- dbfs_atomic_inc(&cnt.num_rx_flow_off);
71757+ dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
71758 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
71759 }
71760
71761@@ -172,7 +173,7 @@ static int caif_queue_rcv_skb(struct soc
71762 set_rx_flow_off(cf_sk);
71763 if (net_ratelimit())
71764 pr_debug("sending flow OFF due to rmem_schedule\n");
71765- dbfs_atomic_inc(&cnt.num_rx_flow_off);
71766+ dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_off);
71767 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
71768 }
71769 skb->dev = NULL;
71770@@ -233,14 +234,14 @@ static void caif_ctrl_cb(struct cflayer
71771 switch (flow) {
71772 case CAIF_CTRLCMD_FLOW_ON_IND:
71773 /* OK from modem to start sending again */
71774- dbfs_atomic_inc(&cnt.num_tx_flow_on_ind);
71775+ dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_on_ind);
71776 set_tx_flow_on(cf_sk);
71777 cf_sk->sk.sk_state_change(&cf_sk->sk);
71778 break;
71779
71780 case CAIF_CTRLCMD_FLOW_OFF_IND:
71781 /* Modem asks us to shut up */
71782- dbfs_atomic_inc(&cnt.num_tx_flow_off_ind);
71783+ dbfs_atomic_inc_unchecked(&cnt.num_tx_flow_off_ind);
71784 set_tx_flow_off(cf_sk);
71785 cf_sk->sk.sk_state_change(&cf_sk->sk);
71786 break;
71787@@ -249,7 +250,7 @@ static void caif_ctrl_cb(struct cflayer
71788 /* We're now connected */
71789 caif_client_register_refcnt(&cf_sk->layer,
71790 cfsk_hold, cfsk_put);
71791- dbfs_atomic_inc(&cnt.num_connect_resp);
71792+ dbfs_atomic_inc_unchecked(&cnt.num_connect_resp);
71793 cf_sk->sk.sk_state = CAIF_CONNECTED;
71794 set_tx_flow_on(cf_sk);
71795 cf_sk->sk.sk_state_change(&cf_sk->sk);
71796@@ -263,7 +264,7 @@ static void caif_ctrl_cb(struct cflayer
71797
71798 case CAIF_CTRLCMD_INIT_FAIL_RSP:
71799 /* Connect request failed */
71800- dbfs_atomic_inc(&cnt.num_connect_fail_resp);
71801+ dbfs_atomic_inc_unchecked(&cnt.num_connect_fail_resp);
71802 cf_sk->sk.sk_err = ECONNREFUSED;
71803 cf_sk->sk.sk_state = CAIF_DISCONNECTED;
71804 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
71805@@ -277,7 +278,7 @@ static void caif_ctrl_cb(struct cflayer
71806
71807 case CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND:
71808 /* Modem has closed this connection, or device is down. */
71809- dbfs_atomic_inc(&cnt.num_remote_shutdown_ind);
71810+ dbfs_atomic_inc_unchecked(&cnt.num_remote_shutdown_ind);
71811 cf_sk->sk.sk_shutdown = SHUTDOWN_MASK;
71812 cf_sk->sk.sk_err = ECONNRESET;
71813 set_rx_flow_on(cf_sk);
71814@@ -297,7 +298,7 @@ static void caif_check_flow_release(stru
71815 return;
71816
71817 if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
71818- dbfs_atomic_inc(&cnt.num_rx_flow_on);
71819+ dbfs_atomic_inc_unchecked(&cnt.num_rx_flow_on);
71820 set_rx_flow_on(cf_sk);
71821 caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
71822 }
71823@@ -854,7 +855,7 @@ static int caif_connect(struct socket *s
71824 /*ifindex = id of the interface.*/
71825 cf_sk->conn_req.ifindex = cf_sk->sk.sk_bound_dev_if;
71826
71827- dbfs_atomic_inc(&cnt.num_connect_req);
71828+ dbfs_atomic_inc_unchecked(&cnt.num_connect_req);
71829 cf_sk->layer.receive = caif_sktrecv_cb;
71830
71831 err = caif_connect_client(sock_net(sk), &cf_sk->conn_req,
71832@@ -943,7 +944,7 @@ static int caif_release(struct socket *s
71833 spin_unlock_bh(&sk->sk_receive_queue.lock);
71834 sock->sk = NULL;
71835
71836- dbfs_atomic_inc(&cnt.num_disconnect);
71837+ dbfs_atomic_inc_unchecked(&cnt.num_disconnect);
71838
71839 WARN_ON(IS_ERR(cf_sk->debugfs_socket_dir));
71840 if (cf_sk->debugfs_socket_dir != NULL)
71841@@ -1122,7 +1123,7 @@ static int caif_create(struct net *net,
71842 cf_sk->conn_req.protocol = protocol;
71843 /* Increase the number of sockets created. */
71844 dbfs_atomic_inc(&cnt.caif_nr_socks);
71845- num = dbfs_atomic_inc(&cnt.caif_sock_create);
71846+ num = dbfs_atomic_inc_unchecked(&cnt.caif_sock_create);
71847 #ifdef CONFIG_DEBUG_FS
71848 if (!IS_ERR(debugfsdir)) {
71849
71850diff -urNp linux-3.1.1/net/caif/cfctrl.c linux-3.1.1/net/caif/cfctrl.c
71851--- linux-3.1.1/net/caif/cfctrl.c 2011-11-11 15:19:27.000000000 -0500
71852+++ linux-3.1.1/net/caif/cfctrl.c 2011-11-16 18:40:44.000000000 -0500
71853@@ -9,6 +9,7 @@
71854 #include <linux/stddef.h>
71855 #include <linux/spinlock.h>
71856 #include <linux/slab.h>
71857+#include <linux/sched.h>
71858 #include <net/caif/caif_layer.h>
71859 #include <net/caif/cfpkt.h>
71860 #include <net/caif/cfctrl.h>
71861@@ -45,8 +46,8 @@ struct cflayer *cfctrl_create(void)
71862 dev_info.id = 0xff;
71863 memset(this, 0, sizeof(*this));
71864 cfsrvl_init(&this->serv, 0, &dev_info, false);
71865- atomic_set(&this->req_seq_no, 1);
71866- atomic_set(&this->rsp_seq_no, 1);
71867+ atomic_set_unchecked(&this->req_seq_no, 1);
71868+ atomic_set_unchecked(&this->rsp_seq_no, 1);
71869 this->serv.layer.receive = cfctrl_recv;
71870 sprintf(this->serv.layer.name, "ctrl");
71871 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
71872@@ -132,8 +133,8 @@ static void cfctrl_insert_req(struct cfc
71873 struct cfctrl_request_info *req)
71874 {
71875 spin_lock_bh(&ctrl->info_list_lock);
71876- atomic_inc(&ctrl->req_seq_no);
71877- req->sequence_no = atomic_read(&ctrl->req_seq_no);
71878+ atomic_inc_unchecked(&ctrl->req_seq_no);
71879+ req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
71880 list_add_tail(&req->list, &ctrl->list);
71881 spin_unlock_bh(&ctrl->info_list_lock);
71882 }
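Review bot: `cfctrl_insert_req` now increments and then separately reads `req_seq_no` under `info_list_lock`; with the unchecked helpers the pair collapses to a single call, `req->sequence_no = atomic_inc_return_unchecked(&ctrl->req_seq_no);`, which is the form this same patch uses for `bcast_seqno` in net/batman-adv/soft-interface.c. The spinlock already makes the two-step form correct, so this is a readability point rather than a race.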
71883@@ -151,7 +152,7 @@ static struct cfctrl_request_info *cfctr
71884 if (p != first)
71885 pr_warn("Requests are not received in order\n");
71886
71887- atomic_set(&ctrl->rsp_seq_no,
71888+ atomic_set_unchecked(&ctrl->rsp_seq_no,
71889 p->sequence_no);
71890 list_del(&p->list);
71891 goto out;
71892@@ -364,6 +365,7 @@ static int cfctrl_recv(struct cflayer *l
71893 struct cfctrl *cfctrl = container_obj(layer);
71894 struct cfctrl_request_info rsp, *req;
71895
71896+ pax_track_stack();
71897
71898 cfpkt_extr_head(pkt, &cmdrsp, 1);
71899 cmd = cmdrsp & CFCTRL_CMD_MASK;
71900diff -urNp linux-3.1.1/net/compat.c linux-3.1.1/net/compat.c
71901--- linux-3.1.1/net/compat.c 2011-11-11 15:19:27.000000000 -0500
71902+++ linux-3.1.1/net/compat.c 2011-11-16 18:39:08.000000000 -0500
71903@@ -70,9 +70,9 @@ int get_compat_msghdr(struct msghdr *kms
71904 __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
71905 __get_user(kmsg->msg_flags, &umsg->msg_flags))
71906 return -EFAULT;
71907- kmsg->msg_name = compat_ptr(tmp1);
71908- kmsg->msg_iov = compat_ptr(tmp2);
71909- kmsg->msg_control = compat_ptr(tmp3);
71910+ kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
71911+ kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
71912+ kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
71913 return 0;
71914 }
71915
71916@@ -84,7 +84,7 @@ int verify_compat_iovec(struct msghdr *k
71917
71918 if (kern_msg->msg_namelen) {
71919 if (mode == VERIFY_READ) {
71920- int err = move_addr_to_kernel(kern_msg->msg_name,
71921+ int err = move_addr_to_kernel((void __force_user *)kern_msg->msg_name,
71922 kern_msg->msg_namelen,
71923 kern_address);
71924 if (err < 0)
71925@@ -95,7 +95,7 @@ int verify_compat_iovec(struct msghdr *k
71926 kern_msg->msg_name = NULL;
71927
71928 tot_len = iov_from_user_compat_to_kern(kern_iov,
71929- (struct compat_iovec __user *)kern_msg->msg_iov,
71930+ (struct compat_iovec __force_user *)kern_msg->msg_iov,
71931 kern_msg->msg_iovlen);
71932 if (tot_len >= 0)
71933 kern_msg->msg_iov = kern_iov;
71934@@ -115,20 +115,20 @@ int verify_compat_iovec(struct msghdr *k
71935
71936 #define CMSG_COMPAT_FIRSTHDR(msg) \
71937 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
71938- (struct compat_cmsghdr __user *)((msg)->msg_control) : \
71939+ (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
71940 (struct compat_cmsghdr __user *)NULL)
71941
71942 #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
71943 ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
71944 (ucmlen) <= (unsigned long) \
71945 ((mhdr)->msg_controllen - \
71946- ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
71947+ ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
71948
71949 static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
71950 struct compat_cmsghdr __user *cmsg, int cmsg_len)
71951 {
71952 char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
71953- if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
71954+ if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
71955 msg->msg_controllen)
71956 return NULL;
71957 return (struct compat_cmsghdr __user *)ptr;
71958@@ -220,7 +220,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
71959 {
71960 struct compat_timeval ctv;
71961 struct compat_timespec cts[3];
71962- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
71963+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
71964 struct compat_cmsghdr cmhdr;
71965 int cmlen;
71966
71967@@ -272,7 +272,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
71968
71969 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
71970 {
71971- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
71972+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
71973 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
71974 int fdnum = scm->fp->count;
71975 struct file **fp = scm->fp->fp;
71976@@ -369,7 +369,7 @@ static int do_set_sock_timeout(struct so
71977 return -EFAULT;
71978 old_fs = get_fs();
71979 set_fs(KERNEL_DS);
71980- err = sock_setsockopt(sock, level, optname, (char *)&ktime, sizeof(ktime));
71981+ err = sock_setsockopt(sock, level, optname, (char __force_user *)&ktime, sizeof(ktime));
71982 set_fs(old_fs);
71983
71984 return err;
71985@@ -430,7 +430,7 @@ static int do_get_sock_timeout(struct so
71986 len = sizeof(ktime);
71987 old_fs = get_fs();
71988 set_fs(KERNEL_DS);
71989- err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
71990+ err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
71991 set_fs(old_fs);
71992
71993 if (!err) {
71994@@ -565,7 +565,7 @@ int compat_mc_setsockopt(struct sock *so
71995 case MCAST_JOIN_GROUP:
71996 case MCAST_LEAVE_GROUP:
71997 {
71998- struct compat_group_req __user *gr32 = (void *)optval;
71999+ struct compat_group_req __user *gr32 = (void __user *)optval;
72000 struct group_req __user *kgr =
72001 compat_alloc_user_space(sizeof(struct group_req));
72002 u32 interface;
72003@@ -586,7 +586,7 @@ int compat_mc_setsockopt(struct sock *so
72004 case MCAST_BLOCK_SOURCE:
72005 case MCAST_UNBLOCK_SOURCE:
72006 {
72007- struct compat_group_source_req __user *gsr32 = (void *)optval;
72008+ struct compat_group_source_req __user *gsr32 = (void __user *)optval;
72009 struct group_source_req __user *kgsr = compat_alloc_user_space(
72010 sizeof(struct group_source_req));
72011 u32 interface;
72012@@ -607,7 +607,7 @@ int compat_mc_setsockopt(struct sock *so
72013 }
72014 case MCAST_MSFILTER:
72015 {
72016- struct compat_group_filter __user *gf32 = (void *)optval;
72017+ struct compat_group_filter __user *gf32 = (void __user *)optval;
72018 struct group_filter __user *kgf;
72019 u32 interface, fmode, numsrc;
72020
72021@@ -645,7 +645,7 @@ int compat_mc_getsockopt(struct sock *so
72022 char __user *optval, int __user *optlen,
72023 int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
72024 {
72025- struct compat_group_filter __user *gf32 = (void *)optval;
72026+ struct compat_group_filter __user *gf32 = (void __user *)optval;
72027 struct group_filter __user *kgf;
72028 int __user *koptlen;
72029 u32 interface, fmode, numsrc;
72030diff -urNp linux-3.1.1/net/core/datagram.c linux-3.1.1/net/core/datagram.c
72031--- linux-3.1.1/net/core/datagram.c 2011-11-11 15:19:27.000000000 -0500
72032+++ linux-3.1.1/net/core/datagram.c 2011-11-16 18:39:08.000000000 -0500
72033@@ -285,7 +285,7 @@ int skb_kill_datagram(struct sock *sk, s
72034 }
72035
72036 kfree_skb(skb);
72037- atomic_inc(&sk->sk_drops);
72038+ atomic_inc_unchecked(&sk->sk_drops);
72039 sk_mem_reclaim_partial(sk);
72040
72041 return err;
72042diff -urNp linux-3.1.1/net/core/dev.c linux-3.1.1/net/core/dev.c
72043--- linux-3.1.1/net/core/dev.c 2011-11-11 15:19:27.000000000 -0500
72044+++ linux-3.1.1/net/core/dev.c 2011-11-16 18:40:44.000000000 -0500
72045@@ -1135,10 +1135,14 @@ void dev_load(struct net *net, const cha
72046 if (no_module && capable(CAP_NET_ADMIN))
72047 no_module = request_module("netdev-%s", name);
72048 if (no_module && capable(CAP_SYS_MODULE)) {
72049+#ifdef CONFIG_GRKERNSEC_MODHARDEN
72050+ ___request_module(true, "grsec_modharden_netdev", "%s", name);
72051+#else
72052 if (!request_module("%s", name))
72053 pr_err("Loading kernel module for a network device "
72054 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
72055 "instead\n", name);
72056+#endif
72057 }
72058 }
72059 EXPORT_SYMBOL(dev_load);
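Review bot: Under `CONFIG_GRKERNSEC_MODHARDEN` the new branch discards the return value of `___request_module()` and drops the `pr_err()` that tells administrators the `CAP_SYS_MODULE` load path is deprecated, so hardened builds lose that signal while the `#else` branch keeps it. If `___request_module()` reports success with 0 like `request_module()` (its contract is not visible here), the `#ifdef` could wrap only the call, storing its result in `no_module`, and a single `if (!no_module) pr_err(...)` could follow both branches unchanged. At minimum a comment on the hardened branch should say why the message is intentionally omitted there.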
72060@@ -1977,7 +1981,7 @@ static int illegal_highdma(struct net_de
72061
72062 struct dev_gso_cb {
72063 void (*destructor)(struct sk_buff *skb);
72064-};
72065+} __no_const;
72066
72067 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
72068
72069@@ -2930,7 +2934,7 @@ int netif_rx_ni(struct sk_buff *skb)
72070 }
72071 EXPORT_SYMBOL(netif_rx_ni);
72072
72073-static void net_tx_action(struct softirq_action *h)
72074+static void net_tx_action(void)
72075 {
72076 struct softnet_data *sd = &__get_cpu_var(softnet_data);
72077
72078@@ -3779,7 +3783,7 @@ void netif_napi_del(struct napi_struct *
72079 }
72080 EXPORT_SYMBOL(netif_napi_del);
72081
72082-static void net_rx_action(struct softirq_action *h)
72083+static void net_rx_action(void)
72084 {
72085 struct softnet_data *sd = &__get_cpu_var(softnet_data);
72086 unsigned long time_limit = jiffies + 2;
72087diff -urNp linux-3.1.1/net/core/flow.c linux-3.1.1/net/core/flow.c
72088--- linux-3.1.1/net/core/flow.c 2011-11-11 15:19:27.000000000 -0500
72089+++ linux-3.1.1/net/core/flow.c 2011-11-16 18:39:08.000000000 -0500
72090@@ -61,7 +61,7 @@ struct flow_cache {
72091 struct timer_list rnd_timer;
72092 };
72093
72094-atomic_t flow_cache_genid = ATOMIC_INIT(0);
72095+atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
72096 EXPORT_SYMBOL(flow_cache_genid);
72097 static struct flow_cache flow_cache_global;
72098 static struct kmem_cache *flow_cachep __read_mostly;
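Review bot: Changing the exported definition to `atomic_unchecked_t flow_cache_genid` only holds together if the `extern` declaration other translation units see (presumably in include/net/flow.h) and every external reader and writer of `flow_cache_genid` are converted in the same patch; the readers inside this file are converted in the hunks that follow, but nothing here shows the header or the other users. It is worth checking that no remaining `atomic_read(&flow_cache_genid)` or `atomic_inc(&flow_cache_genid)` elsewhere still treats it as `atomic_t`, since a mismatch surfaces only at build time. A comment at the definition, `/* generation counter; refcount overflow checking intentionally disabled */`, would record why this particular counter is opted out.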
72099@@ -86,7 +86,7 @@ static void flow_cache_new_hashrnd(unsig
72100
72101 static int flow_entry_valid(struct flow_cache_entry *fle)
72102 {
72103- if (atomic_read(&flow_cache_genid) != fle->genid)
72104+ if (atomic_read_unchecked(&flow_cache_genid) != fle->genid)
72105 return 0;
72106 if (fle->object && !fle->object->ops->check(fle->object))
72107 return 0;
72108@@ -259,7 +259,7 @@ flow_cache_lookup(struct net *net, const
72109 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
72110 fcp->hash_count++;
72111 }
72112- } else if (likely(fle->genid == atomic_read(&flow_cache_genid))) {
72113+ } else if (likely(fle->genid == atomic_read_unchecked(&flow_cache_genid))) {
72114 flo = fle->object;
72115 if (!flo)
72116 goto ret_object;
72117@@ -280,7 +280,7 @@ nocache:
72118 }
72119 flo = resolver(net, key, family, dir, flo, ctx);
72120 if (fle) {
72121- fle->genid = atomic_read(&flow_cache_genid);
72122+ fle->genid = atomic_read_unchecked(&flow_cache_genid);
72123 if (!IS_ERR(flo))
72124 fle->object = flo;
72125 else
72126diff -urNp linux-3.1.1/net/core/iovec.c linux-3.1.1/net/core/iovec.c
72127--- linux-3.1.1/net/core/iovec.c 2011-11-11 15:19:27.000000000 -0500
72128+++ linux-3.1.1/net/core/iovec.c 2011-11-16 18:39:08.000000000 -0500
72129@@ -42,7 +42,7 @@ int verify_iovec(struct msghdr *m, struc
72130 if (m->msg_namelen) {
72131 if (mode == VERIFY_READ) {
72132 void __user *namep;
72133- namep = (void __user __force *) m->msg_name;
72134+ namep = (void __force_user *) m->msg_name;
72135 err = move_addr_to_kernel(namep, m->msg_namelen,
72136 address);
72137 if (err < 0)
72138@@ -54,7 +54,7 @@ int verify_iovec(struct msghdr *m, struc
72139 }
72140
72141 size = m->msg_iovlen * sizeof(struct iovec);
72142- if (copy_from_user(iov, (void __user __force *) m->msg_iov, size))
72143+ if (copy_from_user(iov, (void __force_user *) m->msg_iov, size))
72144 return -EFAULT;
72145
72146 m->msg_iov = iov;
72147diff -urNp linux-3.1.1/net/core/rtnetlink.c linux-3.1.1/net/core/rtnetlink.c
72148--- linux-3.1.1/net/core/rtnetlink.c 2011-11-11 15:19:27.000000000 -0500
72149+++ linux-3.1.1/net/core/rtnetlink.c 2011-11-16 18:39:08.000000000 -0500
72150@@ -57,7 +57,7 @@ struct rtnl_link {
72151 rtnl_doit_func doit;
72152 rtnl_dumpit_func dumpit;
72153 rtnl_calcit_func calcit;
72154-};
72155+} __no_const;
72156
72157 static DEFINE_MUTEX(rtnl_mutex);
72158 static u16 min_ifinfo_dump_size;
72159diff -urNp linux-3.1.1/net/core/scm.c linux-3.1.1/net/core/scm.c
72160--- linux-3.1.1/net/core/scm.c 2011-11-11 15:19:27.000000000 -0500
72161+++ linux-3.1.1/net/core/scm.c 2011-11-16 18:39:08.000000000 -0500
72162@@ -218,7 +218,7 @@ EXPORT_SYMBOL(__scm_send);
72163 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
72164 {
72165 struct cmsghdr __user *cm
72166- = (__force struct cmsghdr __user *)msg->msg_control;
72167+ = (struct cmsghdr __force_user *)msg->msg_control;
72168 struct cmsghdr cmhdr;
72169 int cmlen = CMSG_LEN(len);
72170 int err;
72171@@ -241,7 +241,7 @@ int put_cmsg(struct msghdr * msg, int le
72172 err = -EFAULT;
72173 if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
72174 goto out;
72175- if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
72176+ if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
72177 goto out;
72178 cmlen = CMSG_SPACE(len);
72179 if (msg->msg_controllen < cmlen)
72180@@ -257,7 +257,7 @@ EXPORT_SYMBOL(put_cmsg);
72181 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
72182 {
72183 struct cmsghdr __user *cm
72184- = (__force struct cmsghdr __user*)msg->msg_control;
72185+ = (struct cmsghdr __force_user *)msg->msg_control;
72186
72187 int fdmax = 0;
72188 int fdnum = scm->fp->count;
72189@@ -277,7 +277,7 @@ void scm_detach_fds(struct msghdr *msg,
72190 if (fdnum < fdmax)
72191 fdmax = fdnum;
72192
72193- for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
72194+ for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
72195 i++, cmfptr++)
72196 {
72197 int new_fd;
72198diff -urNp linux-3.1.1/net/core/skbuff.c linux-3.1.1/net/core/skbuff.c
72199--- linux-3.1.1/net/core/skbuff.c 2011-11-11 15:19:27.000000000 -0500
72200+++ linux-3.1.1/net/core/skbuff.c 2011-11-16 18:40:44.000000000 -0500
72201@@ -1650,6 +1650,8 @@ int skb_splice_bits(struct sk_buff *skb,
72202 struct sock *sk = skb->sk;
72203 int ret = 0;
72204
72205+ pax_track_stack();
72206+
72207 if (splice_grow_spd(pipe, &spd))
72208 return -ENOMEM;
72209
72210diff -urNp linux-3.1.1/net/core/sock.c linux-3.1.1/net/core/sock.c
72211--- linux-3.1.1/net/core/sock.c 2011-11-11 15:19:27.000000000 -0500
72212+++ linux-3.1.1/net/core/sock.c 2011-11-16 18:40:44.000000000 -0500
72213@@ -293,7 +293,7 @@ int sock_queue_rcv_skb(struct sock *sk,
72214 */
72215 if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
72216 (unsigned)sk->sk_rcvbuf) {
72217- atomic_inc(&sk->sk_drops);
72218+ atomic_inc_unchecked(&sk->sk_drops);
72219 trace_sock_rcvqueue_full(sk, skb);
72220 return -ENOMEM;
72221 }
72222@@ -303,7 +303,7 @@ int sock_queue_rcv_skb(struct sock *sk,
72223 return err;
72224
72225 if (!sk_rmem_schedule(sk, skb->truesize)) {
72226- atomic_inc(&sk->sk_drops);
72227+ atomic_inc_unchecked(&sk->sk_drops);
72228 return -ENOBUFS;
72229 }
72230
72231@@ -323,7 +323,7 @@ int sock_queue_rcv_skb(struct sock *sk,
72232 skb_dst_force(skb);
72233
72234 spin_lock_irqsave(&list->lock, flags);
72235- skb->dropcount = atomic_read(&sk->sk_drops);
72236+ skb->dropcount = atomic_read_unchecked(&sk->sk_drops);
72237 __skb_queue_tail(list, skb);
72238 spin_unlock_irqrestore(&list->lock, flags);
72239
72240@@ -343,7 +343,7 @@ int sk_receive_skb(struct sock *sk, stru
72241 skb->dev = NULL;
72242
72243 if (sk_rcvqueues_full(sk, skb)) {
72244- atomic_inc(&sk->sk_drops);
72245+ atomic_inc_unchecked(&sk->sk_drops);
72246 goto discard_and_relse;
72247 }
72248 if (nested)
72249@@ -361,7 +361,7 @@ int sk_receive_skb(struct sock *sk, stru
72250 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
72251 } else if (sk_add_backlog(sk, skb)) {
72252 bh_unlock_sock(sk);
72253- atomic_inc(&sk->sk_drops);
72254+ atomic_inc_unchecked(&sk->sk_drops);
72255 goto discard_and_relse;
72256 }
72257
72258@@ -924,7 +924,7 @@ int sock_getsockopt(struct socket *sock,
72259 if (len > sizeof(peercred))
72260 len = sizeof(peercred);
72261 cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
72262- if (copy_to_user(optval, &peercred, len))
72263+ if (len > sizeof(peercred) || copy_to_user(optval, &peercred, len))
72264 return -EFAULT;
72265 goto lenout;
72266 }
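Review bot: The added `len > sizeof(peercred)` guard can never be true here, because the clamp two lines above already caps len at sizeof(peercred); the same holds for the `len > sizeof(v)` check in the @@ -970 hunk and, as far as the visible context shows, for the guards added in sysctl_net_decnet.c, ip_sockglue.c, tcp_probe.c and the icmp-filter getters in ipv4/raw.c and ipv6/raw.c. A maintainer reading only this code sees a dead condition and may remove it, so the reason it exists — presumably to make the destination bound explicit for a compile-time copy_to_user size check — should be stated once, e.g. `/* redundant with the clamp above; keeps the bound visible to the usercopy size check */`. The `len > sizeof(address)` guard in the @@ -937 hunk depends on lv, which is computed outside the hunk, so it may not be redundant there. sock_getsockopt continues outside the hunk.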
72267@@ -937,7 +937,7 @@ int sock_getsockopt(struct socket *sock,
72268 return -ENOTCONN;
72269 if (lv < len)
72270 return -EINVAL;
72271- if (copy_to_user(optval, address, len))
72272+ if (len > sizeof(address) || copy_to_user(optval, address, len))
72273 return -EFAULT;
72274 goto lenout;
72275 }
72276@@ -970,7 +970,7 @@ int sock_getsockopt(struct socket *sock,
72277
72278 if (len > lv)
72279 len = lv;
72280- if (copy_to_user(optval, &v, len))
72281+ if (len > sizeof(v) || copy_to_user(optval, &v, len))
72282 return -EFAULT;
72283 lenout:
72284 if (put_user(len, optlen))
72285@@ -2029,7 +2029,7 @@ void sock_init_data(struct socket *sock,
72286 */
72287 smp_wmb();
72288 atomic_set(&sk->sk_refcnt, 1);
72289- atomic_set(&sk->sk_drops, 0);
72290+ atomic_set_unchecked(&sk->sk_drops, 0);
72291 }
72292 EXPORT_SYMBOL(sock_init_data);
72293
72294diff -urNp linux-3.1.1/net/decnet/sysctl_net_decnet.c linux-3.1.1/net/decnet/sysctl_net_decnet.c
72295--- linux-3.1.1/net/decnet/sysctl_net_decnet.c 2011-11-11 15:19:27.000000000 -0500
72296+++ linux-3.1.1/net/decnet/sysctl_net_decnet.c 2011-11-16 18:39:08.000000000 -0500
72297@@ -174,7 +174,7 @@ static int dn_node_address_handler(ctl_t
72298
72299 if (len > *lenp) len = *lenp;
72300
72301- if (copy_to_user(buffer, addr, len))
72302+ if (len > sizeof addr || copy_to_user(buffer, addr, len))
72303 return -EFAULT;
72304
72305 *lenp = len;
72306@@ -237,7 +237,7 @@ static int dn_def_dev_handler(ctl_table
72307
72308 if (len > *lenp) len = *lenp;
72309
72310- if (copy_to_user(buffer, devname, len))
72311+ if (len > sizeof devname || copy_to_user(buffer, devname, len))
72312 return -EFAULT;
72313
72314 *lenp = len;
72315diff -urNp linux-3.1.1/net/econet/Kconfig linux-3.1.1/net/econet/Kconfig
72316--- linux-3.1.1/net/econet/Kconfig 2011-11-11 15:19:27.000000000 -0500
72317+++ linux-3.1.1/net/econet/Kconfig 2011-11-16 18:40:44.000000000 -0500
72318@@ -4,7 +4,7 @@
72319
72320 config ECONET
72321 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
72322- depends on EXPERIMENTAL && INET
72323+ depends on EXPERIMENTAL && INET && BROKEN
72324 ---help---
72325 Econet is a fairly old and slow networking protocol mainly used by
72326 Acorn computers to access file and print servers. It uses native
72327diff -urNp linux-3.1.1/net/ipv4/fib_frontend.c linux-3.1.1/net/ipv4/fib_frontend.c
72328--- linux-3.1.1/net/ipv4/fib_frontend.c 2011-11-11 15:19:27.000000000 -0500
72329+++ linux-3.1.1/net/ipv4/fib_frontend.c 2011-11-16 18:39:08.000000000 -0500
72330@@ -970,12 +970,12 @@ static int fib_inetaddr_event(struct not
72331 #ifdef CONFIG_IP_ROUTE_MULTIPATH
72332 fib_sync_up(dev);
72333 #endif
72334- atomic_inc(&net->ipv4.dev_addr_genid);
72335+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
72336 rt_cache_flush(dev_net(dev), -1);
72337 break;
72338 case NETDEV_DOWN:
72339 fib_del_ifaddr(ifa, NULL);
72340- atomic_inc(&net->ipv4.dev_addr_genid);
72341+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
72342 if (ifa->ifa_dev->ifa_list == NULL) {
72343 /* Last address was deleted from this interface.
72344 * Disable IP.
72345@@ -1011,7 +1011,7 @@ static int fib_netdev_event(struct notif
72346 #ifdef CONFIG_IP_ROUTE_MULTIPATH
72347 fib_sync_up(dev);
72348 #endif
72349- atomic_inc(&net->ipv4.dev_addr_genid);
72350+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
72351 rt_cache_flush(dev_net(dev), -1);
72352 break;
72353 case NETDEV_DOWN:
72354diff -urNp linux-3.1.1/net/ipv4/fib_semantics.c linux-3.1.1/net/ipv4/fib_semantics.c
72355--- linux-3.1.1/net/ipv4/fib_semantics.c 2011-11-11 15:19:27.000000000 -0500
72356+++ linux-3.1.1/net/ipv4/fib_semantics.c 2011-11-16 18:39:08.000000000 -0500
72357@@ -699,7 +699,7 @@ __be32 fib_info_update_nh_saddr(struct n
72358 nh->nh_saddr = inet_select_addr(nh->nh_dev,
72359 nh->nh_gw,
72360 nh->nh_parent->fib_scope);
72361- nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
72362+ nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
72363
72364 return nh->nh_saddr;
72365 }
72366diff -urNp linux-3.1.1/net/ipv4/inet_diag.c linux-3.1.1/net/ipv4/inet_diag.c
72367--- linux-3.1.1/net/ipv4/inet_diag.c 2011-11-11 15:19:27.000000000 -0500
72368+++ linux-3.1.1/net/ipv4/inet_diag.c 2011-11-16 18:40:44.000000000 -0500
72369@@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
72370 r->idiag_retrans = 0;
72371
72372 r->id.idiag_if = sk->sk_bound_dev_if;
72373+
72374+#ifdef CONFIG_GRKERNSEC_HIDESYM
72375+ r->id.idiag_cookie[0] = 0;
72376+ r->id.idiag_cookie[1] = 0;
72377+#else
72378 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
72379 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
72380+#endif
72381
72382 r->id.idiag_sport = inet->inet_sport;
72383 r->id.idiag_dport = inet->inet_dport;
72384@@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
72385 r->idiag_family = tw->tw_family;
72386 r->idiag_retrans = 0;
72387 r->id.idiag_if = tw->tw_bound_dev_if;
72388+
72389+#ifdef CONFIG_GRKERNSEC_HIDESYM
72390+ r->id.idiag_cookie[0] = 0;
72391+ r->id.idiag_cookie[1] = 0;
72392+#else
72393 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
72394 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
72395+#endif
72396+
72397 r->id.idiag_sport = tw->tw_sport;
72398 r->id.idiag_dport = tw->tw_dport;
72399 r->id.idiag_src[0] = tw->tw_rcv_saddr;
72400@@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
72401 if (sk == NULL)
72402 goto unlock;
72403
72404+#ifndef CONFIG_GRKERNSEC_HIDESYM
72405 err = -ESTALE;
72406 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
72407 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
72408 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
72409 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
72410 goto out;
72411+#endif
72412
72413 err = -ENOMEM;
72414 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
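Review bot: Compiling out the cookie comparison under CONFIG_GRKERNSEC_HIDESYM also removes the -ESTALE detection it provided: with the cookie zeroed in the @@ -114, @@ -201 and @@ -580 hunks, an exact-lookup request can no longer tell whether the socket found for the address tuple is the one the caller was originally told about, and the lookup now binds to whichever socket currently matches. That is a defensible trade for not handing kernel pointers to userspace, but the lost property should be recorded next to the `#ifndef`, e.g. `/* HIDESYM: cookies are always zero, so stale-socket detection is impossible; the caller gets whatever socket matches the tuple now */`. inet_diag_get_exact starts and ends outside the hunk.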
72415@@ -580,8 +595,14 @@ static int inet_diag_fill_req(struct sk_
72416 r->idiag_retrans = req->retrans;
72417
72418 r->id.idiag_if = sk->sk_bound_dev_if;
72419+
72420+#ifdef CONFIG_GRKERNSEC_HIDESYM
72421+ r->id.idiag_cookie[0] = 0;
72422+ r->id.idiag_cookie[1] = 0;
72423+#else
72424 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
72425 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
72426+#endif
72427
72428 tmo = req->expires - jiffies;
72429 if (tmo < 0)
72430diff -urNp linux-3.1.1/net/ipv4/inet_hashtables.c linux-3.1.1/net/ipv4/inet_hashtables.c
72431--- linux-3.1.1/net/ipv4/inet_hashtables.c 2011-11-11 15:19:27.000000000 -0500
72432+++ linux-3.1.1/net/ipv4/inet_hashtables.c 2011-11-16 18:40:44.000000000 -0500
72433@@ -18,12 +18,15 @@
72434 #include <linux/sched.h>
72435 #include <linux/slab.h>
72436 #include <linux/wait.h>
72437+#include <linux/security.h>
72438
72439 #include <net/inet_connection_sock.h>
72440 #include <net/inet_hashtables.h>
72441 #include <net/secure_seq.h>
72442 #include <net/ip.h>
72443
72444+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
72445+
72446 /*
72447 * Allocate and initialize a new local port bind bucket.
72448 * The bindhash mutex for snum's hash chain must be held here.
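Review bot: The `extern void gr_update_task_in_ip_table(...)` prototype is declared in a .c file, and the same pattern recurs with the `extern int gr_search_udp_*` prototypes in the udp.c @@ -565 hunk and with the `extern int grsec_enable_blackhole` / `extern int grsec_lastack_retries` declarations in tcp_ipv4.c, tcp_minisocks.c, tcp_timer.c, udp.c and tcp_ipv6.c. Per-file externs are never checked against the definition by the compiler, so a later change of signature or type in one place goes unnoticed; the prototypes belong in one shared header included by both the defining and the calling files. The `#include <linux/security.h>` added in the same hunk does not appear to be what declares this symbol, so if nothing else in the file needs it, it could be dropped. The call in the @@ -530 hunk is unconditional, so presumably a stub exists when the grsecurity option is off — worth confirming.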
72449@@ -530,6 +533,8 @@ ok:
72450 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
72451 spin_unlock(&head->lock);
72452
72453+ gr_update_task_in_ip_table(current, inet_sk(sk));
72454+
72455 if (tw) {
72456 inet_twsk_deschedule(tw, death_row);
72457 while (twrefcnt) {
72458diff -urNp linux-3.1.1/net/ipv4/inetpeer.c linux-3.1.1/net/ipv4/inetpeer.c
72459--- linux-3.1.1/net/ipv4/inetpeer.c 2011-11-11 15:19:27.000000000 -0500
72460+++ linux-3.1.1/net/ipv4/inetpeer.c 2011-11-16 19:18:22.000000000 -0500
72461@@ -400,6 +400,8 @@ struct inet_peer *inet_getpeer(const str
72462 unsigned int sequence;
72463 int invalidated, gccnt = 0;
72464
72465+ pax_track_stack();
72466+
72467 /* Attempt a lockless lookup first.
72468 * Because of a concurrent writer, we might not find an existing entry.
72469 */
72470@@ -436,8 +438,8 @@ relookup:
72471 if (p) {
72472 p->daddr = *daddr;
72473 atomic_set(&p->refcnt, 1);
72474- atomic_set(&p->rid, 0);
72475- atomic_set(&p->ip_id_count,
72476+ atomic_set_unchecked(&p->rid, 0);
72477+ atomic_set_unchecked(&p->ip_id_count,
72478 (daddr->family == AF_INET) ?
72479 secure_ip_id(daddr->addr.a4) :
72480 secure_ipv6_id(daddr->addr.a6));
72481diff -urNp linux-3.1.1/net/ipv4/ipconfig.c linux-3.1.1/net/ipv4/ipconfig.c
72482--- linux-3.1.1/net/ipv4/ipconfig.c 2011-11-11 15:19:27.000000000 -0500
72483+++ linux-3.1.1/net/ipv4/ipconfig.c 2011-11-16 18:39:08.000000000 -0500
72484@@ -313,7 +313,7 @@ static int __init ic_devinet_ioctl(unsig
72485
72486 mm_segment_t oldfs = get_fs();
72487 set_fs(get_ds());
72488- res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
72489+ res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
72490 set_fs(oldfs);
72491 return res;
72492 }
72493@@ -324,7 +324,7 @@ static int __init ic_dev_ioctl(unsigned
72494
72495 mm_segment_t oldfs = get_fs();
72496 set_fs(get_ds());
72497- res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
72498+ res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
72499 set_fs(oldfs);
72500 return res;
72501 }
72502@@ -335,7 +335,7 @@ static int __init ic_route_ioctl(unsigne
72503
72504 mm_segment_t oldfs = get_fs();
72505 set_fs(get_ds());
72506- res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
72507+ res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
72508 set_fs(oldfs);
72509 return res;
72510 }
72511diff -urNp linux-3.1.1/net/ipv4/ip_fragment.c linux-3.1.1/net/ipv4/ip_fragment.c
72512--- linux-3.1.1/net/ipv4/ip_fragment.c 2011-11-11 15:19:27.000000000 -0500
72513+++ linux-3.1.1/net/ipv4/ip_fragment.c 2011-11-16 18:39:08.000000000 -0500
72514@@ -316,7 +316,7 @@ static inline int ip_frag_too_far(struct
72515 return 0;
72516
72517 start = qp->rid;
72518- end = atomic_inc_return(&peer->rid);
72519+ end = atomic_inc_return_unchecked(&peer->rid);
72520 qp->rid = end;
72521
72522 rc = qp->q.fragments && (end - start) > max;
72523diff -urNp linux-3.1.1/net/ipv4/ip_sockglue.c linux-3.1.1/net/ipv4/ip_sockglue.c
72524--- linux-3.1.1/net/ipv4/ip_sockglue.c 2011-11-11 15:19:27.000000000 -0500
72525+++ linux-3.1.1/net/ipv4/ip_sockglue.c 2011-11-16 18:40:44.000000000 -0500
72526@@ -1073,6 +1073,8 @@ static int do_ip_getsockopt(struct sock
72527 int val;
72528 int len;
72529
72530+ pax_track_stack();
72531+
72532 if (level != SOL_IP)
72533 return -EOPNOTSUPP;
72534
72535@@ -1110,7 +1112,8 @@ static int do_ip_getsockopt(struct sock
72536 len = min_t(unsigned int, len, opt->optlen);
72537 if (put_user(len, optlen))
72538 return -EFAULT;
72539- if (copy_to_user(optval, opt->__data, len))
72540+ if ((len > (sizeof(optbuf) - sizeof(struct ip_options))) ||
72541+ copy_to_user(optval, opt->__data, len))
72542 return -EFAULT;
72543 return 0;
72544 }
72545@@ -1238,7 +1241,7 @@ static int do_ip_getsockopt(struct sock
72546 if (sk->sk_type != SOCK_STREAM)
72547 return -ENOPROTOOPT;
72548
72549- msg.msg_control = optval;
72550+ msg.msg_control = (void __force_kernel *)optval;
72551 msg.msg_controllen = len;
72552 msg.msg_flags = flags;
72553
72554diff -urNp linux-3.1.1/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-3.1.1/net/ipv4/netfilter/nf_nat_snmp_basic.c
72555--- linux-3.1.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-11-11 15:19:27.000000000 -0500
72556+++ linux-3.1.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-11-16 18:39:08.000000000 -0500
72557@@ -399,7 +399,7 @@ static unsigned char asn1_octets_decode(
72558
72559 *len = 0;
72560
72561- *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
72562+ *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
72563 if (*octets == NULL) {
72564 if (net_ratelimit())
72565 pr_notice("OOM in bsalg (%d)\n", __LINE__);
72566diff -urNp linux-3.1.1/net/ipv4/ping.c linux-3.1.1/net/ipv4/ping.c
72567--- linux-3.1.1/net/ipv4/ping.c 2011-11-11 15:19:27.000000000 -0500
72568+++ linux-3.1.1/net/ipv4/ping.c 2011-11-16 18:39:08.000000000 -0500
72569@@ -837,7 +837,7 @@ static void ping_format_sock(struct sock
72570 sk_rmem_alloc_get(sp),
72571 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72572 atomic_read(&sp->sk_refcnt), sp,
72573- atomic_read(&sp->sk_drops), len);
72574+ atomic_read_unchecked(&sp->sk_drops), len);
72575 }
72576
72577 static int ping_seq_show(struct seq_file *seq, void *v)
72578diff -urNp linux-3.1.1/net/ipv4/raw.c linux-3.1.1/net/ipv4/raw.c
72579--- linux-3.1.1/net/ipv4/raw.c 2011-11-11 15:19:27.000000000 -0500
72580+++ linux-3.1.1/net/ipv4/raw.c 2011-11-17 18:58:40.000000000 -0500
72581@@ -302,7 +302,7 @@ static int raw_rcv_skb(struct sock * sk,
72582 int raw_rcv(struct sock *sk, struct sk_buff *skb)
72583 {
72584 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
72585- atomic_inc(&sk->sk_drops);
72586+ atomic_inc_unchecked(&sk->sk_drops);
72587 kfree_skb(skb);
72588 return NET_RX_DROP;
72589 }
72590@@ -737,16 +737,20 @@ static int raw_init(struct sock *sk)
72591
72592 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
72593 {
72594+ struct icmp_filter filter;
72595+
72596 if (optlen > sizeof(struct icmp_filter))
72597 optlen = sizeof(struct icmp_filter);
72598- if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
72599+ if (copy_from_user(&filter, optval, optlen))
72600 return -EFAULT;
72601+ raw_sk(sk)->filter = filter;
72602 return 0;
72603 }
72604
72605 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
72606 {
72607 int len, ret = -EFAULT;
72608+ struct icmp_filter filter;
72609
72610 if (get_user(len, optlen))
72611 goto out;
72612@@ -756,8 +760,8 @@ static int raw_geticmpfilter(struct sock
72613 if (len > sizeof(struct icmp_filter))
72614 len = sizeof(struct icmp_filter);
72615 ret = -EFAULT;
72616- if (put_user(len, optlen) ||
72617- copy_to_user(optval, &raw_sk(sk)->filter, len))
72618+ filter = raw_sk(sk)->filter;
72619+ if (put_user(len, optlen) || len > sizeof filter || copy_to_user(optval, &filter, len))
72620 goto out;
72621 ret = 0;
72622 out: return ret;
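Review bot: The added `len > sizeof filter` guard sits after the put_user() in the same condition, so *optlen is written before the length is validated; with the clamp on the preceding lines the guard is never true, but if it ever were, the caller would be told a length and then receive -EFAULT. Putting the size check first reads more naturally and costs nothing: `if (len > sizeof filter || put_user(len, optlen) || copy_to_user(optval, &filter, len))`. rawv6_geticmpfilter in the ipv6/raw.c @@ -938 hunk has the same ordering, with the put_user() in a separate statement above the new check.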
72623@@ -985,7 +989,13 @@ static void raw_sock_seq_show(struct seq
72624 sk_wmem_alloc_get(sp),
72625 sk_rmem_alloc_get(sp),
72626 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72627- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
72628+ atomic_read(&sp->sk_refcnt),
72629+#ifdef CONFIG_GRKERNSEC_HIDESYM
72630+ NULL,
72631+#else
72632+ sp,
72633+#endif
72634+ atomic_read_unchecked(&sp->sk_drops));
72635 }
72636
72637 static int raw_seq_show(struct seq_file *seq, void *v)
72638diff -urNp linux-3.1.1/net/ipv4/route.c linux-3.1.1/net/ipv4/route.c
72639--- linux-3.1.1/net/ipv4/route.c 2011-11-11 15:19:27.000000000 -0500
72640+++ linux-3.1.1/net/ipv4/route.c 2011-11-16 18:39:08.000000000 -0500
72641@@ -308,7 +308,7 @@ static inline unsigned int rt_hash(__be3
72642
72643 static inline int rt_genid(struct net *net)
72644 {
72645- return atomic_read(&net->ipv4.rt_genid);
72646+ return atomic_read_unchecked(&net->ipv4.rt_genid);
72647 }
72648
72649 #ifdef CONFIG_PROC_FS
72650@@ -837,7 +837,7 @@ static void rt_cache_invalidate(struct n
72651 unsigned char shuffle;
72652
72653 get_random_bytes(&shuffle, sizeof(shuffle));
72654- atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
72655+ atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
72656 }
72657
72658 /*
72659@@ -2872,7 +2872,7 @@ static int rt_fill_info(struct net *net,
72660 error = rt->dst.error;
72661 if (peer) {
72662 inet_peer_refcheck(rt->peer);
72663- id = atomic_read(&peer->ip_id_count) & 0xffff;
72664+ id = atomic_read_unchecked(&peer->ip_id_count) & 0xffff;
72665 if (peer->tcp_ts_stamp) {
72666 ts = peer->tcp_ts;
72667 tsage = get_seconds() - peer->tcp_ts_stamp;
72668diff -urNp linux-3.1.1/net/ipv4/tcp.c linux-3.1.1/net/ipv4/tcp.c
72669--- linux-3.1.1/net/ipv4/tcp.c 2011-11-11 15:19:27.000000000 -0500
72670+++ linux-3.1.1/net/ipv4/tcp.c 2011-11-16 18:40:44.000000000 -0500
72671@@ -2122,6 +2122,8 @@ static int do_tcp_setsockopt(struct sock
72672 int val;
72673 int err = 0;
72674
72675+ pax_track_stack();
72676+
72677 /* These are data/string values, all the others are ints */
72678 switch (optname) {
72679 case TCP_CONGESTION: {
72680@@ -2501,6 +2503,8 @@ static int do_tcp_getsockopt(struct sock
72681 struct tcp_sock *tp = tcp_sk(sk);
72682 int val, len;
72683
72684+ pax_track_stack();
72685+
72686 if (get_user(len, optlen))
72687 return -EFAULT;
72688
72689diff -urNp linux-3.1.1/net/ipv4/tcp_ipv4.c linux-3.1.1/net/ipv4/tcp_ipv4.c
72690--- linux-3.1.1/net/ipv4/tcp_ipv4.c 2011-11-11 15:19:27.000000000 -0500
72691+++ linux-3.1.1/net/ipv4/tcp_ipv4.c 2011-11-16 18:40:44.000000000 -0500
72692@@ -87,6 +87,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
72693 int sysctl_tcp_low_latency __read_mostly;
72694 EXPORT_SYMBOL(sysctl_tcp_low_latency);
72695
72696+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72697+extern int grsec_enable_blackhole;
72698+#endif
72699
72700 #ifdef CONFIG_TCP_MD5SIG
72701 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
72702@@ -1622,6 +1625,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
72703 return 0;
72704
72705 reset:
72706+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72707+ if (!grsec_enable_blackhole)
72708+#endif
72709 tcp_v4_send_reset(rsk, skb);
72710 discard:
72711 kfree_skb(skb);
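Review bot: The `#ifdef`-wrapped `if (!grsec_enable_blackhole)` guards a single unbraced statement, so the conditional's extent depends on nothing more than the next line; anyone adding a statement before `tcp_v4_send_reset()` or expanding that call into a block will silently move it out of the guard. The tcp_minisocks.c @@ -750 hunk is the more fragile case, since the guarded statement is itself an unbraced `if`; udp.c @@ -1673 and tcp_ipv6.c @@ -1647 use the same shape. Keeping the `#ifdef` but bracing the guarded statement, with the `{` and `}` outside the `#ifdef` so a plain block remains when the option is off, pins the extent regardless of later edits. tcp_v4_do_rcv starts and ends outside the hunk.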
72712@@ -1684,12 +1690,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
72713 TCP_SKB_CB(skb)->sacked = 0;
72714
72715 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
72716- if (!sk)
72717+ if (!sk) {
72718+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72719+ ret = 1;
72720+#endif
72721 goto no_tcp_socket;
72722-
72723+ }
72724 process:
72725- if (sk->sk_state == TCP_TIME_WAIT)
72726+ if (sk->sk_state == TCP_TIME_WAIT) {
72727+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72728+ ret = 2;
72729+#endif
72730 goto do_time_wait;
72731+ }
72732
72733 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
72734 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
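Review bot: `ret` is reused as a path marker (1 for no socket, 2 for time-wait) before it takes its normal meaning as the receive path's return value, and the @@ -1739 hunk then tests `ret == 1` to decide whether a reset may still be sent on loopback. The values carry no name, and the scheme only works if every path into no_tcp_socket assigns one of them — the `int ret` declaration and the do_time_wait path are outside the hunk, so that invariant cannot be checked here. A dedicated local under the same `#ifdef`, e.g. `int grsec_path = 0; /* 1: no socket, 2: time-wait */`, or at least named constants for the two values, would make the later test self-explaining. tcp_v4_rcv starts and ends outside the hunk.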
72735@@ -1739,6 +1752,10 @@ no_tcp_socket:
72736 bad_packet:
72737 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
72738 } else {
72739+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72740+ if (!grsec_enable_blackhole || (ret == 1 &&
72741+ (skb->dev->flags & IFF_LOOPBACK)))
72742+#endif
72743 tcp_v4_send_reset(NULL, skb);
72744 }
72745
72746@@ -2403,7 +2420,11 @@ static void get_openreq4(struct sock *sk
72747 0, /* non standard timer */
72748 0, /* open_requests have no inode */
72749 atomic_read(&sk->sk_refcnt),
72750+#ifdef CONFIG_GRKERNSEC_HIDESYM
72751+ NULL,
72752+#else
72753 req,
72754+#endif
72755 len);
72756 }
72757
72758@@ -2453,7 +2474,12 @@ static void get_tcp4_sock(struct sock *s
72759 sock_i_uid(sk),
72760 icsk->icsk_probes_out,
72761 sock_i_ino(sk),
72762- atomic_read(&sk->sk_refcnt), sk,
72763+ atomic_read(&sk->sk_refcnt),
72764+#ifdef CONFIG_GRKERNSEC_HIDESYM
72765+ NULL,
72766+#else
72767+ sk,
72768+#endif
72769 jiffies_to_clock_t(icsk->icsk_rto),
72770 jiffies_to_clock_t(icsk->icsk_ack.ato),
72771 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
72772@@ -2481,7 +2507,13 @@ static void get_timewait4_sock(struct in
72773 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK%n",
72774 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
72775 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
72776- atomic_read(&tw->tw_refcnt), tw, len);
72777+ atomic_read(&tw->tw_refcnt),
72778+#ifdef CONFIG_GRKERNSEC_HIDESYM
72779+ NULL,
72780+#else
72781+ tw,
72782+#endif
72783+ len);
72784 }
72785
72786 #define TMPSZ 150
72787diff -urNp linux-3.1.1/net/ipv4/tcp_minisocks.c linux-3.1.1/net/ipv4/tcp_minisocks.c
72788--- linux-3.1.1/net/ipv4/tcp_minisocks.c 2011-11-11 15:19:27.000000000 -0500
72789+++ linux-3.1.1/net/ipv4/tcp_minisocks.c 2011-11-16 18:40:44.000000000 -0500
72790@@ -27,6 +27,10 @@
72791 #include <net/inet_common.h>
72792 #include <net/xfrm.h>
72793
72794+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72795+extern int grsec_enable_blackhole;
72796+#endif
72797+
72798 int sysctl_tcp_syncookies __read_mostly = 1;
72799 EXPORT_SYMBOL(sysctl_tcp_syncookies);
72800
72801@@ -750,6 +754,10 @@ listen_overflow:
72802
72803 embryonic_reset:
72804 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
72805+
72806+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72807+ if (!grsec_enable_blackhole)
72808+#endif
72809 if (!(flg & TCP_FLAG_RST))
72810 req->rsk_ops->send_reset(sk, skb);
72811
72812diff -urNp linux-3.1.1/net/ipv4/tcp_output.c linux-3.1.1/net/ipv4/tcp_output.c
72813--- linux-3.1.1/net/ipv4/tcp_output.c 2011-11-11 15:19:27.000000000 -0500
72814+++ linux-3.1.1/net/ipv4/tcp_output.c 2011-11-16 18:40:44.000000000 -0500
72815@@ -2421,6 +2421,8 @@ struct sk_buff *tcp_make_synack(struct s
72816 int mss;
72817 int s_data_desired = 0;
72818
72819+ pax_track_stack();
72820+
72821 if (cvp != NULL && cvp->s_data_constant && cvp->s_data_desired)
72822 s_data_desired = cvp->s_data_desired;
72823 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15 + s_data_desired, 1, GFP_ATOMIC);
72824diff -urNp linux-3.1.1/net/ipv4/tcp_probe.c linux-3.1.1/net/ipv4/tcp_probe.c
72825--- linux-3.1.1/net/ipv4/tcp_probe.c 2011-11-11 15:19:27.000000000 -0500
72826+++ linux-3.1.1/net/ipv4/tcp_probe.c 2011-11-16 18:39:08.000000000 -0500
72827@@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
72828 if (cnt + width >= len)
72829 break;
72830
72831- if (copy_to_user(buf + cnt, tbuf, width))
72832+ if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
72833 return -EFAULT;
72834 cnt += width;
72835 }
72836diff -urNp linux-3.1.1/net/ipv4/tcp_timer.c linux-3.1.1/net/ipv4/tcp_timer.c
72837--- linux-3.1.1/net/ipv4/tcp_timer.c 2011-11-11 15:19:27.000000000 -0500
72838+++ linux-3.1.1/net/ipv4/tcp_timer.c 2011-11-16 18:40:44.000000000 -0500
72839@@ -22,6 +22,10 @@
72840 #include <linux/gfp.h>
72841 #include <net/tcp.h>
72842
72843+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72844+extern int grsec_lastack_retries;
72845+#endif
72846+
72847 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
72848 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
72849 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
72850@@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
72851 }
72852 }
72853
72854+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72855+ if ((sk->sk_state == TCP_LAST_ACK) &&
72856+ (grsec_lastack_retries > 0) &&
72857+ (grsec_lastack_retries < retry_until))
72858+ retry_until = grsec_lastack_retries;
72859+#endif
72860+
72861 if (retransmits_timed_out(sk, retry_until,
72862 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
72863 /* Has it gone just too far? */
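Review bot: The LAST_ACK clamp carries no comment saying what it is for or why it applies only when `grsec_lastack_retries` is positive and below the computed `retry_until`; a reader of tcp_write_timeout has to locate the sysctl's definition, which is outside this chunk, to understand it. Suggested, hedged to what the hunk shows: `/* BLACKHOLE: optionally give up on LAST_ACK sockets after fewer retransmits than the regular limit (grsec_lastack_retries, 0 = off) */`. tcp_write_timeout starts and ends outside the hunk.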
72864diff -urNp linux-3.1.1/net/ipv4/udp.c linux-3.1.1/net/ipv4/udp.c
72865--- linux-3.1.1/net/ipv4/udp.c 2011-11-11 15:19:27.000000000 -0500
72866+++ linux-3.1.1/net/ipv4/udp.c 2011-11-16 19:17:54.000000000 -0500
72867@@ -86,6 +86,7 @@
72868 #include <linux/types.h>
72869 #include <linux/fcntl.h>
72870 #include <linux/module.h>
72871+#include <linux/security.h>
72872 #include <linux/socket.h>
72873 #include <linux/sockios.h>
72874 #include <linux/igmp.h>
72875@@ -108,6 +109,10 @@
72876 #include <trace/events/udp.h>
72877 #include "udp_impl.h"
72878
72879+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72880+extern int grsec_enable_blackhole;
72881+#endif
72882+
72883 struct udp_table udp_table __read_mostly;
72884 EXPORT_SYMBOL(udp_table);
72885
72886@@ -565,6 +570,9 @@ found:
72887 return s;
72888 }
72889
72890+extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
72891+extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
72892+
72893 /*
72894 * This routine is called by the ICMP module when it gets some
72895 * sort of error condition. If err < 0 then the socket should
72896@@ -856,9 +864,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
72897 dport = usin->sin_port;
72898 if (dport == 0)
72899 return -EINVAL;
72900+
72901+ err = gr_search_udp_sendmsg(sk, usin);
72902+ if (err)
72903+ return err;
72904 } else {
72905 if (sk->sk_state != TCP_ESTABLISHED)
72906 return -EDESTADDRREQ;
72907+
72908+ err = gr_search_udp_sendmsg(sk, NULL);
72909+ if (err)
72910+ return err;
72911+
72912 daddr = inet->inet_daddr;
72913 dport = inet->inet_dport;
72914 /* Open fast path for connected socket.
72915@@ -1099,7 +1116,7 @@ static unsigned int first_packet_length(
72916 udp_lib_checksum_complete(skb)) {
72917 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
72918 IS_UDPLITE(sk));
72919- atomic_inc(&sk->sk_drops);
72920+ atomic_inc_unchecked(&sk->sk_drops);
72921 __skb_unlink(skb, rcvq);
72922 __skb_queue_tail(&list_kill, skb);
72923 }
72924@@ -1185,6 +1202,10 @@ try_again:
72925 if (!skb)
72926 goto out;
72927
72928+ err = gr_search_udp_recvmsg(sk, skb);
72929+ if (err)
72930+ goto out_free;
72931+
72932 ulen = skb->len - sizeof(struct udphdr);
72933 if (len > ulen)
72934 len = ulen;
72935@@ -1485,7 +1506,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
72936
72937 drop:
72938 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
72939- atomic_inc(&sk->sk_drops);
72940+ atomic_inc_unchecked(&sk->sk_drops);
72941 kfree_skb(skb);
72942 return -1;
72943 }
72944@@ -1504,7 +1525,7 @@ static void flush_stack(struct sock **st
72945 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
72946
72947 if (!skb1) {
72948- atomic_inc(&sk->sk_drops);
72949+ atomic_inc_unchecked(&sk->sk_drops);
72950 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
72951 IS_UDPLITE(sk));
72952 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
72953@@ -1673,6 +1694,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
72954 goto csum_error;
72955
72956 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
72957+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72958+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
72959+#endif
72960 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
72961
72962 /*
72963@@ -2100,8 +2124,13 @@ static void udp4_format_sock(struct sock
72964 sk_wmem_alloc_get(sp),
72965 sk_rmem_alloc_get(sp),
72966 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
72967- atomic_read(&sp->sk_refcnt), sp,
72968- atomic_read(&sp->sk_drops), len);
72969+ atomic_read(&sp->sk_refcnt),
72970+#ifdef CONFIG_GRKERNSEC_HIDESYM
72971+ NULL,
72972+#else
72973+ sp,
72974+#endif
72975+ atomic_read_unchecked(&sp->sk_drops), len);
72976 }
72977
72978 int udp4_seq_show(struct seq_file *seq, void *v)
72979diff -urNp linux-3.1.1/net/ipv6/addrconf.c linux-3.1.1/net/ipv6/addrconf.c
72980--- linux-3.1.1/net/ipv6/addrconf.c 2011-11-11 15:19:27.000000000 -0500
72981+++ linux-3.1.1/net/ipv6/addrconf.c 2011-11-16 18:39:08.000000000 -0500
72982@@ -2083,7 +2083,7 @@ int addrconf_set_dstaddr(struct net *net
72983 p.iph.ihl = 5;
72984 p.iph.protocol = IPPROTO_IPV6;
72985 p.iph.ttl = 64;
72986- ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
72987+ ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
72988
72989 if (ops->ndo_do_ioctl) {
72990 mm_segment_t oldfs = get_fs();
72991diff -urNp linux-3.1.1/net/ipv6/inet6_connection_sock.c linux-3.1.1/net/ipv6/inet6_connection_sock.c
72992--- linux-3.1.1/net/ipv6/inet6_connection_sock.c 2011-11-11 15:19:27.000000000 -0500
72993+++ linux-3.1.1/net/ipv6/inet6_connection_sock.c 2011-11-16 18:39:08.000000000 -0500
72994@@ -178,7 +178,7 @@ void __inet6_csk_dst_store(struct sock *
72995 #ifdef CONFIG_XFRM
72996 {
72997 struct rt6_info *rt = (struct rt6_info *)dst;
72998- rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
72999+ rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
73000 }
73001 #endif
73002 }
73003@@ -193,7 +193,7 @@ struct dst_entry *__inet6_csk_dst_check(
73004 #ifdef CONFIG_XFRM
73005 if (dst) {
73006 struct rt6_info *rt = (struct rt6_info *)dst;
73007- if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
73008+ if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
73009 __sk_dst_reset(sk);
73010 dst = NULL;
73011 }
73012diff -urNp linux-3.1.1/net/ipv6/ipv6_sockglue.c linux-3.1.1/net/ipv6/ipv6_sockglue.c
73013--- linux-3.1.1/net/ipv6/ipv6_sockglue.c 2011-11-11 15:19:27.000000000 -0500
73014+++ linux-3.1.1/net/ipv6/ipv6_sockglue.c 2011-11-16 18:40:44.000000000 -0500
73015@@ -129,6 +129,8 @@ static int do_ipv6_setsockopt(struct soc
73016 int val, valbool;
73017 int retv = -ENOPROTOOPT;
73018
73019+ pax_track_stack();
73020+
73021 if (optval == NULL)
73022 val=0;
73023 else {
73024@@ -919,6 +921,8 @@ static int do_ipv6_getsockopt(struct soc
73025 int len;
73026 int val;
73027
73028+ pax_track_stack();
73029+
73030 if (ip6_mroute_opt(optname))
73031 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
73032
73033@@ -960,7 +964,7 @@ static int do_ipv6_getsockopt(struct soc
73034 if (sk->sk_type != SOCK_STREAM)
73035 return -ENOPROTOOPT;
73036
73037- msg.msg_control = optval;
73038+ msg.msg_control = (void __force_kernel *)optval;
73039 msg.msg_controllen = len;
73040 msg.msg_flags = flags;
73041
73042diff -urNp linux-3.1.1/net/ipv6/raw.c linux-3.1.1/net/ipv6/raw.c
73043--- linux-3.1.1/net/ipv6/raw.c 2011-11-11 15:19:27.000000000 -0500
73044+++ linux-3.1.1/net/ipv6/raw.c 2011-11-16 18:40:44.000000000 -0500
73045@@ -376,7 +376,7 @@ static inline int rawv6_rcv_skb(struct s
73046 {
73047 if ((raw6_sk(sk)->checksum || rcu_dereference_raw(sk->sk_filter)) &&
73048 skb_checksum_complete(skb)) {
73049- atomic_inc(&sk->sk_drops);
73050+ atomic_inc_unchecked(&sk->sk_drops);
73051 kfree_skb(skb);
73052 return NET_RX_DROP;
73053 }
73054@@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
73055 struct raw6_sock *rp = raw6_sk(sk);
73056
73057 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
73058- atomic_inc(&sk->sk_drops);
73059+ atomic_inc_unchecked(&sk->sk_drops);
73060 kfree_skb(skb);
73061 return NET_RX_DROP;
73062 }
73063@@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
73064
73065 if (inet->hdrincl) {
73066 if (skb_checksum_complete(skb)) {
73067- atomic_inc(&sk->sk_drops);
73068+ atomic_inc_unchecked(&sk->sk_drops);
73069 kfree_skb(skb);
73070 return NET_RX_DROP;
73071 }
73072@@ -601,7 +601,7 @@ out:
73073 return err;
73074 }
73075
73076-static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
73077+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
73078 struct flowi6 *fl6, struct dst_entry **dstp,
73079 unsigned int flags)
73080 {
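Review bot: The `length` parameter changes from int to unsigned int, but the function body and its callers are outside the hunk, so it is not visible whether any comparison or arithmetic on `length` relied on negative values being representable (a signed `length < 0` test, for instance, becomes always false and a mixed comparison now promotes to unsigned). The body deserves one more read under the new type, and a short comment on the prototype naming where length is validated would stop the next reader from repeating that exercise. rawv6_send_hdrinc's body continues outside the hunk.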
73081@@ -742,6 +742,8 @@ static int rawv6_sendmsg(struct kiocb *i
73082 u16 proto;
73083 int err;
73084
73085+ pax_track_stack();
73086+
73087 /* Rough check on arithmetic overflow,
73088 better check is made in ip6_append_data().
73089 */
73090@@ -909,12 +911,15 @@ do_confirm:
73091 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
73092 char __user *optval, int optlen)
73093 {
73094+ struct icmp6_filter filter;
73095+
73096 switch (optname) {
73097 case ICMPV6_FILTER:
73098 if (optlen > sizeof(struct icmp6_filter))
73099 optlen = sizeof(struct icmp6_filter);
73100- if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
73101+ if (copy_from_user(&filter, optval, optlen))
73102 return -EFAULT;
73103+ raw6_sk(sk)->filter = filter;
73104 return 0;
73105 default:
73106 return -ENOPROTOOPT;
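Review bot: The new stack `filter` in rawv6_seticmpfilter is never initialised, so when setsockopt arrives with an optlen smaller than `sizeof(struct icmp6_filter)` the bytes past optlen are whatever was on the stack, and `raw6_sk(sk)->filter = filter;` then writes that into the socket's filter; the replaced code copied straight into the socket field and left the remainder of the existing filter intact. The clamp above only bounds optlen from above, so a short optlen is an ordinary input here, not an error case. Seeding the local from the current value restores the old semantics with a one-line change: `struct icmp6_filter filter = raw6_sk(sk)->filter;`. The same local-copy pattern in rawv6_geticmpfilter (the -938 hunk) does not have this problem, since it copies the whole struct out before the bounded copy_to_user.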
73107@@ -927,6 +932,7 @@ static int rawv6_geticmpfilter(struct so
73108 char __user *optval, int __user *optlen)
73109 {
73110 int len;
73111+ struct icmp6_filter filter;
73112
73113 switch (optname) {
73114 case ICMPV6_FILTER:
73115@@ -938,7 +944,8 @@ static int rawv6_geticmpfilter(struct so
73116 len = sizeof(struct icmp6_filter);
73117 if (put_user(len, optlen))
73118 return -EFAULT;
73119- if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
73120+ filter = raw6_sk(sk)->filter;
73121+ if (len > sizeof filter || copy_to_user(optval, &filter, len))
73122 return -EFAULT;
73123 return 0;
73124 default:
73125@@ -1245,7 +1252,13 @@ static void raw6_sock_seq_show(struct se
73126 0, 0L, 0,
73127 sock_i_uid(sp), 0,
73128 sock_i_ino(sp),
73129- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
73130+ atomic_read(&sp->sk_refcnt),
73131+#ifdef CONFIG_GRKERNSEC_HIDESYM
73132+ NULL,
73133+#else
73134+ sp,
73135+#endif
73136+ atomic_read_unchecked(&sp->sk_drops));
73137 }
73138
73139 static int raw6_seq_show(struct seq_file *seq, void *v)
73140diff -urNp linux-3.1.1/net/ipv6/tcp_ipv6.c linux-3.1.1/net/ipv6/tcp_ipv6.c
73141--- linux-3.1.1/net/ipv6/tcp_ipv6.c 2011-11-11 15:19:27.000000000 -0500
73142+++ linux-3.1.1/net/ipv6/tcp_ipv6.c 2011-11-16 18:40:44.000000000 -0500
73143@@ -93,6 +93,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
73144 }
73145 #endif
73146
73147+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73148+extern int grsec_enable_blackhole;
73149+#endif
73150+
73151 static void tcp_v6_hash(struct sock *sk)
73152 {
73153 if (sk->sk_state != TCP_CLOSE) {
73154@@ -1647,6 +1651,9 @@ static int tcp_v6_do_rcv(struct sock *sk
73155 return 0;
73156
73157 reset:
73158+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73159+ if (!grsec_enable_blackhole)
73160+#endif
73161 tcp_v6_send_reset(sk, skb);
73162 discard:
73163 if (opt_skb)
73164@@ -1726,12 +1733,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
73165 TCP_SKB_CB(skb)->sacked = 0;
73166
73167 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
73168- if (!sk)
73169+ if (!sk) {
73170+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73171+ ret = 1;
73172+#endif
73173 goto no_tcp_socket;
73174+ }
73175
73176 process:
73177- if (sk->sk_state == TCP_TIME_WAIT)
73178+ if (sk->sk_state == TCP_TIME_WAIT) {
73179+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73180+ ret = 2;
73181+#endif
73182 goto do_time_wait;
73183+ }
73184
73185 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
73186 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
73187@@ -1779,6 +1794,10 @@ no_tcp_socket:
73188 bad_packet:
73189 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
73190 } else {
73191+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73192+ if (!grsec_enable_blackhole || (ret == 1 &&
73193+ (skb->dev->flags & IFF_LOOPBACK)))
73194+#endif
73195 tcp_v6_send_reset(NULL, skb);
73196 }
73197
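Review bot: The blackhole test `if (!grsec_enable_blackhole || (ret == 1 && (skb->dev->flags & IFF_LOOPBACK)))` reads `ret`, which the patch assigns only on the two goto paths in the -1726 hunk (`ret = 1` when no socket is found, `ret = 2` on TIME_WAIT); `ret` is declared outside these hunks, and if that declaration carries no initialiser, any path that reaches `no_tcp_socket` without passing one of those assignments reads an indeterminate value. Initialising it at its declaration, `int ret = 0;`, keeps the test well-defined regardless of how the label is reached. The `#ifdef`-wrapped, unbraced `if` directly in front of `tcp_v6_send_reset()` here, at the `reset:` label in the -1647 hunk, and before `icmpv6_send()` in net/ipv6/udp.c at -779 is fragile: with the option off the statement is unconditional, and adding a second statement later would silently split the pair, so braces around the guarded call (or a small helper that returns whether a reset/unreachable may be sent) would make the intent visible. tcp_v6_rcv's declarations and the remaining jumps to `no_tcp_socket` are outside the hunk.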
73198@@ -2039,7 +2058,13 @@ static void get_openreq6(struct seq_file
73199 uid,
73200 0, /* non standard timer */
73201 0, /* open_requests have no inode */
73202- 0, req);
73203+ 0,
73204+#ifdef CONFIG_GRKERNSEC_HIDESYM
73205+ NULL
73206+#else
73207+ req
73208+#endif
73209+ );
73210 }
73211
73212 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
73213@@ -2089,7 +2114,12 @@ static void get_tcp6_sock(struct seq_fil
73214 sock_i_uid(sp),
73215 icsk->icsk_probes_out,
73216 sock_i_ino(sp),
73217- atomic_read(&sp->sk_refcnt), sp,
73218+ atomic_read(&sp->sk_refcnt),
73219+#ifdef CONFIG_GRKERNSEC_HIDESYM
73220+ NULL,
73221+#else
73222+ sp,
73223+#endif
73224 jiffies_to_clock_t(icsk->icsk_rto),
73225 jiffies_to_clock_t(icsk->icsk_ack.ato),
73226 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
73227@@ -2124,7 +2154,13 @@ static void get_timewait6_sock(struct se
73228 dest->s6_addr32[2], dest->s6_addr32[3], destp,
73229 tw->tw_substate, 0, 0,
73230 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
73231- atomic_read(&tw->tw_refcnt), tw);
73232+ atomic_read(&tw->tw_refcnt),
73233+#ifdef CONFIG_GRKERNSEC_HIDESYM
73234+ NULL
73235+#else
73236+ tw
73237+#endif
73238+ );
73239 }
73240
73241 static int tcp6_seq_show(struct seq_file *seq, void *v)
73242diff -urNp linux-3.1.1/net/ipv6/udp.c linux-3.1.1/net/ipv6/udp.c
73243--- linux-3.1.1/net/ipv6/udp.c 2011-11-11 15:19:27.000000000 -0500
73244+++ linux-3.1.1/net/ipv6/udp.c 2011-11-16 18:40:44.000000000 -0500
73245@@ -50,6 +50,10 @@
73246 #include <linux/seq_file.h>
73247 #include "udp_impl.h"
73248
73249+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73250+extern int grsec_enable_blackhole;
73251+#endif
73252+
73253 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
73254 {
73255 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
73256@@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
73257
73258 return 0;
73259 drop:
73260- atomic_inc(&sk->sk_drops);
73261+ atomic_inc_unchecked(&sk->sk_drops);
73262 drop_no_sk_drops_inc:
73263 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
73264 kfree_skb(skb);
73265@@ -624,7 +628,7 @@ static void flush_stack(struct sock **st
73266 continue;
73267 }
73268 drop:
73269- atomic_inc(&sk->sk_drops);
73270+ atomic_inc_unchecked(&sk->sk_drops);
73271 UDP6_INC_STATS_BH(sock_net(sk),
73272 UDP_MIB_RCVBUFERRORS, IS_UDPLITE(sk));
73273 UDP6_INC_STATS_BH(sock_net(sk),
73274@@ -779,6 +783,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
73275 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
73276 proto == IPPROTO_UDPLITE);
73277
73278+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
73279+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
73280+#endif
73281 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
73282
73283 kfree_skb(skb);
73284@@ -795,7 +802,7 @@ int __udp6_lib_rcv(struct sk_buff *skb,
73285 if (!sock_owned_by_user(sk))
73286 udpv6_queue_rcv_skb(sk, skb);
73287 else if (sk_add_backlog(sk, skb)) {
73288- atomic_inc(&sk->sk_drops);
73289+ atomic_inc_unchecked(&sk->sk_drops);
73290 bh_unlock_sock(sk);
73291 sock_put(sk);
73292 goto discard;
73293@@ -1406,8 +1413,13 @@ static void udp6_sock_seq_show(struct se
73294 0, 0L, 0,
73295 sock_i_uid(sp), 0,
73296 sock_i_ino(sp),
73297- atomic_read(&sp->sk_refcnt), sp,
73298- atomic_read(&sp->sk_drops));
73299+ atomic_read(&sp->sk_refcnt),
73300+#ifdef CONFIG_GRKERNSEC_HIDESYM
73301+ NULL,
73302+#else
73303+ sp,
73304+#endif
73305+ atomic_read_unchecked(&sp->sk_drops));
73306 }
73307
73308 int udp6_seq_show(struct seq_file *seq, void *v)
73309diff -urNp linux-3.1.1/net/irda/ircomm/ircomm_tty.c linux-3.1.1/net/irda/ircomm/ircomm_tty.c
73310--- linux-3.1.1/net/irda/ircomm/ircomm_tty.c 2011-11-11 15:19:27.000000000 -0500
73311+++ linux-3.1.1/net/irda/ircomm/ircomm_tty.c 2011-11-16 18:39:08.000000000 -0500
73312@@ -282,16 +282,16 @@ static int ircomm_tty_block_til_ready(st
73313 add_wait_queue(&self->open_wait, &wait);
73314
73315 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
73316- __FILE__,__LINE__, tty->driver->name, self->open_count );
73317+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
73318
73319 /* As far as I can see, we protect open_count - Jean II */
73320 spin_lock_irqsave(&self->spinlock, flags);
73321 if (!tty_hung_up_p(filp)) {
73322 extra_count = 1;
73323- self->open_count--;
73324+ local_dec(&self->open_count);
73325 }
73326 spin_unlock_irqrestore(&self->spinlock, flags);
73327- self->blocked_open++;
73328+ local_inc(&self->blocked_open);
73329
73330 while (1) {
73331 if (tty->termios->c_cflag & CBAUD) {
73332@@ -331,7 +331,7 @@ static int ircomm_tty_block_til_ready(st
73333 }
73334
73335 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
73336- __FILE__,__LINE__, tty->driver->name, self->open_count );
73337+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
73338
73339 schedule();
73340 }
73341@@ -342,13 +342,13 @@ static int ircomm_tty_block_til_ready(st
73342 if (extra_count) {
73343 /* ++ is not atomic, so this should be protected - Jean II */
73344 spin_lock_irqsave(&self->spinlock, flags);
73345- self->open_count++;
73346+ local_inc(&self->open_count);
73347 spin_unlock_irqrestore(&self->spinlock, flags);
73348 }
73349- self->blocked_open--;
73350+ local_dec(&self->blocked_open);
73351
73352 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
73353- __FILE__,__LINE__, tty->driver->name, self->open_count);
73354+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
73355
73356 if (!retval)
73357 self->flags |= ASYNC_NORMAL_ACTIVE;
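Review bot: The comment `/* ++ is not atomic, so this should be protected - Jean II */` now sits directly above `local_inc(&self->open_count)` here and in the -417 hunk of ircomm_tty_open, which reads as if the conversion had made the lock redundant; `local_t` operations are atomic only against the CPU executing them, so for a per-port counter that several CPUs can touch the spinlock is still what serialises it and must stay. The comment should say so, e.g. `/* local_inc() is atomic only against this CPU; the spinlock still serialises open_count across CPUs */`. The `local_read()` calls inside the IRDA_DEBUG lines of the -282 and -331 hunks run outside the lock, exactly as the plain reads did before, so they remain unsynchronised snapshots suitable for debug output only. The matching local_t conversion of `open_count` in net/mac80211/ieee80211_i.h relies on its callers' existing locking in the same way and would benefit from the same one-line remark next to the field.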
73358@@ -417,14 +417,14 @@ static int ircomm_tty_open(struct tty_st
73359 }
73360 /* ++ is not atomic, so this should be protected - Jean II */
73361 spin_lock_irqsave(&self->spinlock, flags);
73362- self->open_count++;
73363+ local_inc(&self->open_count);
73364
73365 tty->driver_data = self;
73366 self->tty = tty;
73367 spin_unlock_irqrestore(&self->spinlock, flags);
73368
73369 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
73370- self->line, self->open_count);
73371+ self->line, local_read(&self->open_count));
73372
73373 /* Not really used by us, but lets do it anyway */
73374 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
73375@@ -510,7 +510,7 @@ static void ircomm_tty_close(struct tty_
73376 return;
73377 }
73378
73379- if ((tty->count == 1) && (self->open_count != 1)) {
73380+ if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
73381 /*
73382 * Uh, oh. tty->count is 1, which means that the tty
73383 * structure will be freed. state->count should always
73384@@ -520,16 +520,16 @@ static void ircomm_tty_close(struct tty_
73385 */
73386 IRDA_DEBUG(0, "%s(), bad serial port count; "
73387 "tty->count is 1, state->count is %d\n", __func__ ,
73388- self->open_count);
73389- self->open_count = 1;
73390+ local_read(&self->open_count));
73391+ local_set(&self->open_count, 1);
73392 }
73393
73394- if (--self->open_count < 0) {
73395+ if (local_dec_return(&self->open_count) < 0) {
73396 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
73397- __func__, self->line, self->open_count);
73398- self->open_count = 0;
73399+ __func__, self->line, local_read(&self->open_count));
73400+ local_set(&self->open_count, 0);
73401 }
73402- if (self->open_count) {
73403+ if (local_read(&self->open_count)) {
73404 spin_unlock_irqrestore(&self->spinlock, flags);
73405
73406 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
73407@@ -561,7 +561,7 @@ static void ircomm_tty_close(struct tty_
73408 tty->closing = 0;
73409 self->tty = NULL;
73410
73411- if (self->blocked_open) {
73412+ if (local_read(&self->blocked_open)) {
73413 if (self->close_delay)
73414 schedule_timeout_interruptible(self->close_delay);
73415 wake_up_interruptible(&self->open_wait);
73416@@ -1013,7 +1013,7 @@ static void ircomm_tty_hangup(struct tty
73417 spin_lock_irqsave(&self->spinlock, flags);
73418 self->flags &= ~ASYNC_NORMAL_ACTIVE;
73419 self->tty = NULL;
73420- self->open_count = 0;
73421+ local_set(&self->open_count, 0);
73422 spin_unlock_irqrestore(&self->spinlock, flags);
73423
73424 wake_up_interruptible(&self->open_wait);
73425@@ -1360,7 +1360,7 @@ static void ircomm_tty_line_info(struct
73426 seq_putc(m, '\n');
73427
73428 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
73429- seq_printf(m, "Open count: %d\n", self->open_count);
73430+ seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
73431 seq_printf(m, "Max data size: %d\n", self->max_data_size);
73432 seq_printf(m, "Max header size: %d\n", self->max_header_size);
73433
73434diff -urNp linux-3.1.1/net/iucv/af_iucv.c linux-3.1.1/net/iucv/af_iucv.c
73435--- linux-3.1.1/net/iucv/af_iucv.c 2011-11-11 15:19:27.000000000 -0500
73436+++ linux-3.1.1/net/iucv/af_iucv.c 2011-11-16 18:39:08.000000000 -0500
73437@@ -648,10 +648,10 @@ static int iucv_sock_autobind(struct soc
73438
73439 write_lock_bh(&iucv_sk_list.lock);
73440
73441- sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
73442+ sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
73443 while (__iucv_get_sock_by_name(name)) {
73444 sprintf(name, "%08x",
73445- atomic_inc_return(&iucv_sk_list.autobind_name));
73446+ atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
73447 }
73448
73449 write_unlock_bh(&iucv_sk_list.lock);
73450diff -urNp linux-3.1.1/net/Kconfig linux-3.1.1/net/Kconfig
73451--- linux-3.1.1/net/Kconfig 2011-11-11 15:19:27.000000000 -0500
73452+++ linux-3.1.1/net/Kconfig 2011-11-18 19:02:18.000000000 -0500
73453@@ -239,6 +239,7 @@ config BPF_JIT
73454 bool "enable BPF Just In Time compiler"
73455 depends on HAVE_BPF_JIT
73456 depends on MODULES
73457+ depends on !GRKERNSEC
73458 ---help---
73459 Berkeley Packet Filter filtering capabilities are normally handled
73460 by an interpreter. This option allows kernel to generate a native
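Review bot: `depends on !GRKERNSEC` makes BPF_JIT disappear from every grsecurity configuration without saying why, and a reader of this Kconfig has no hint that the option exists at all once GRKERNSEC is set; the patch history is the only place the reason lives. A one-line comment above the dependency, such as `# BPF_JIT is excluded under GRKERNSEC: <reason>`, or a sentence in the help text, would carry the rationale with the code.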
73461diff -urNp linux-3.1.1/net/key/af_key.c linux-3.1.1/net/key/af_key.c
73462--- linux-3.1.1/net/key/af_key.c 2011-11-11 15:19:27.000000000 -0500
73463+++ linux-3.1.1/net/key/af_key.c 2011-11-16 18:40:44.000000000 -0500
73464@@ -2481,6 +2481,8 @@ static int pfkey_migrate(struct sock *sk
73465 struct xfrm_migrate m[XFRM_MAX_DEPTH];
73466 struct xfrm_kmaddress k;
73467
73468+ pax_track_stack();
73469+
73470 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
73471 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
73472 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
73473@@ -3016,10 +3018,10 @@ static int pfkey_send_policy_notify(stru
73474 static u32 get_acqseq(void)
73475 {
73476 u32 res;
73477- static atomic_t acqseq;
73478+ static atomic_unchecked_t acqseq;
73479
73480 do {
73481- res = atomic_inc_return(&acqseq);
73482+ res = atomic_inc_return_unchecked(&acqseq);
73483 } while (!res);
73484 return res;
73485 }
73486diff -urNp linux-3.1.1/net/lapb/lapb_iface.c linux-3.1.1/net/lapb/lapb_iface.c
73487--- linux-3.1.1/net/lapb/lapb_iface.c 2011-11-11 15:19:27.000000000 -0500
73488+++ linux-3.1.1/net/lapb/lapb_iface.c 2011-11-16 18:39:08.000000000 -0500
73489@@ -158,7 +158,7 @@ int lapb_register(struct net_device *dev
73490 goto out;
73491
73492 lapb->dev = dev;
73493- lapb->callbacks = *callbacks;
73494+ lapb->callbacks = callbacks;
73495
73496 __lapb_insert_cb(lapb);
73497
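Review bot: `lapb->callbacks = callbacks;` now stores the caller's pointer instead of copying the struct, so the `struct lapb_register_struct` passed to lapb_register() must outlive the registration; a caller that passed a stack or otherwise temporary struct under the old copying contract is left with a dangling pointer that the -380 hunk's `lapb->callbacks->connect_confirmation` and friends dereference on every event. The change to the member's type and any change to the parameter's `const` qualification are outside this hunk, as is the rest of lapb_register(). The comment on lapb_register() should state the new ownership rule, e.g. `/* @callbacks is referenced, not copied: it must remain valid until lapb_unregister() */`.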
73498@@ -380,32 +380,32 @@ int lapb_data_received(struct net_device
73499
73500 void lapb_connect_confirmation(struct lapb_cb *lapb, int reason)
73501 {
73502- if (lapb->callbacks.connect_confirmation)
73503- lapb->callbacks.connect_confirmation(lapb->dev, reason);
73504+ if (lapb->callbacks->connect_confirmation)
73505+ lapb->callbacks->connect_confirmation(lapb->dev, reason);
73506 }
73507
73508 void lapb_connect_indication(struct lapb_cb *lapb, int reason)
73509 {
73510- if (lapb->callbacks.connect_indication)
73511- lapb->callbacks.connect_indication(lapb->dev, reason);
73512+ if (lapb->callbacks->connect_indication)
73513+ lapb->callbacks->connect_indication(lapb->dev, reason);
73514 }
73515
73516 void lapb_disconnect_confirmation(struct lapb_cb *lapb, int reason)
73517 {
73518- if (lapb->callbacks.disconnect_confirmation)
73519- lapb->callbacks.disconnect_confirmation(lapb->dev, reason);
73520+ if (lapb->callbacks->disconnect_confirmation)
73521+ lapb->callbacks->disconnect_confirmation(lapb->dev, reason);
73522 }
73523
73524 void lapb_disconnect_indication(struct lapb_cb *lapb, int reason)
73525 {
73526- if (lapb->callbacks.disconnect_indication)
73527- lapb->callbacks.disconnect_indication(lapb->dev, reason);
73528+ if (lapb->callbacks->disconnect_indication)
73529+ lapb->callbacks->disconnect_indication(lapb->dev, reason);
73530 }
73531
73532 int lapb_data_indication(struct lapb_cb *lapb, struct sk_buff *skb)
73533 {
73534- if (lapb->callbacks.data_indication)
73535- return lapb->callbacks.data_indication(lapb->dev, skb);
73536+ if (lapb->callbacks->data_indication)
73537+ return lapb->callbacks->data_indication(lapb->dev, skb);
73538
73539 kfree_skb(skb);
73540 return NET_RX_SUCCESS; /* For now; must be != NET_RX_DROP */
73541@@ -415,8 +415,8 @@ int lapb_data_transmit(struct lapb_cb *l
73542 {
73543 int used = 0;
73544
73545- if (lapb->callbacks.data_transmit) {
73546- lapb->callbacks.data_transmit(lapb->dev, skb);
73547+ if (lapb->callbacks->data_transmit) {
73548+ lapb->callbacks->data_transmit(lapb->dev, skb);
73549 used = 1;
73550 }
73551
73552diff -urNp linux-3.1.1/net/mac80211/debugfs_sta.c linux-3.1.1/net/mac80211/debugfs_sta.c
73553--- linux-3.1.1/net/mac80211/debugfs_sta.c 2011-11-11 15:19:27.000000000 -0500
73554+++ linux-3.1.1/net/mac80211/debugfs_sta.c 2011-11-16 18:40:44.000000000 -0500
73555@@ -140,6 +140,8 @@ static ssize_t sta_agg_status_read(struc
73556 struct tid_ampdu_rx *tid_rx;
73557 struct tid_ampdu_tx *tid_tx;
73558
73559+ pax_track_stack();
73560+
73561 rcu_read_lock();
73562
73563 p += scnprintf(p, sizeof(buf) + buf - p, "next dialog_token: %#02x\n",
73564@@ -240,6 +242,8 @@ static ssize_t sta_ht_capa_read(struct f
73565 struct sta_info *sta = file->private_data;
73566 struct ieee80211_sta_ht_cap *htc = &sta->sta.ht_cap;
73567
73568+ pax_track_stack();
73569+
73570 p += scnprintf(p, sizeof(buf) + buf - p, "ht %ssupported\n",
73571 htc->ht_supported ? "" : "not ");
73572 if (htc->ht_supported) {
73573diff -urNp linux-3.1.1/net/mac80211/ieee80211_i.h linux-3.1.1/net/mac80211/ieee80211_i.h
73574--- linux-3.1.1/net/mac80211/ieee80211_i.h 2011-11-11 15:19:27.000000000 -0500
73575+++ linux-3.1.1/net/mac80211/ieee80211_i.h 2011-11-16 18:39:08.000000000 -0500
73576@@ -27,6 +27,7 @@
73577 #include <net/ieee80211_radiotap.h>
73578 #include <net/cfg80211.h>
73579 #include <net/mac80211.h>
73580+#include <asm/local.h>
73581 #include "key.h"
73582 #include "sta_info.h"
73583
73584@@ -754,7 +755,7 @@ struct ieee80211_local {
73585 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
73586 spinlock_t queue_stop_reason_lock;
73587
73588- int open_count;
73589+ local_t open_count;
73590 int monitors, cooked_mntrs;
73591 /* number of interfaces with corresponding FIF_ flags */
73592 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
73593diff -urNp linux-3.1.1/net/mac80211/iface.c linux-3.1.1/net/mac80211/iface.c
73594--- linux-3.1.1/net/mac80211/iface.c 2011-11-11 15:19:27.000000000 -0500
73595+++ linux-3.1.1/net/mac80211/iface.c 2011-11-16 18:39:08.000000000 -0500
73596@@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
73597 break;
73598 }
73599
73600- if (local->open_count == 0) {
73601+ if (local_read(&local->open_count) == 0) {
73602 res = drv_start(local);
73603 if (res)
73604 goto err_del_bss;
73605@@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
73606 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
73607
73608 if (!is_valid_ether_addr(dev->dev_addr)) {
73609- if (!local->open_count)
73610+ if (!local_read(&local->open_count))
73611 drv_stop(local);
73612 return -EADDRNOTAVAIL;
73613 }
73614@@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
73615 mutex_unlock(&local->mtx);
73616
73617 if (coming_up)
73618- local->open_count++;
73619+ local_inc(&local->open_count);
73620
73621 if (hw_reconf_flags) {
73622 ieee80211_hw_config(local, hw_reconf_flags);
73623@@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
73624 err_del_interface:
73625 drv_remove_interface(local, &sdata->vif);
73626 err_stop:
73627- if (!local->open_count)
73628+ if (!local_read(&local->open_count))
73629 drv_stop(local);
73630 err_del_bss:
73631 sdata->bss = NULL;
73632@@ -474,7 +474,7 @@ static void ieee80211_do_stop(struct iee
73633 }
73634
73635 if (going_down)
73636- local->open_count--;
73637+ local_dec(&local->open_count);
73638
73639 switch (sdata->vif.type) {
73640 case NL80211_IFTYPE_AP_VLAN:
73641@@ -533,7 +533,7 @@ static void ieee80211_do_stop(struct iee
73642
73643 ieee80211_recalc_ps(local, -1);
73644
73645- if (local->open_count == 0) {
73646+ if (local_read(&local->open_count) == 0) {
73647 if (local->ops->napi_poll)
73648 napi_disable(&local->napi);
73649 ieee80211_clear_tx_pending(local);
73650diff -urNp linux-3.1.1/net/mac80211/main.c linux-3.1.1/net/mac80211/main.c
73651--- linux-3.1.1/net/mac80211/main.c 2011-11-11 15:19:27.000000000 -0500
73652+++ linux-3.1.1/net/mac80211/main.c 2011-11-16 18:39:08.000000000 -0500
73653@@ -209,7 +209,7 @@ int ieee80211_hw_config(struct ieee80211
73654 local->hw.conf.power_level = power;
73655 }
73656
73657- if (changed && local->open_count) {
73658+ if (changed && local_read(&local->open_count)) {
73659 ret = drv_config(local, changed);
73660 /*
73661 * Goal:
73662diff -urNp linux-3.1.1/net/mac80211/mlme.c linux-3.1.1/net/mac80211/mlme.c
73663--- linux-3.1.1/net/mac80211/mlme.c 2011-11-11 15:19:27.000000000 -0500
73664+++ linux-3.1.1/net/mac80211/mlme.c 2011-11-16 18:40:44.000000000 -0500
73665@@ -1464,6 +1464,8 @@ static bool ieee80211_assoc_success(stru
73666 bool have_higher_than_11mbit = false;
73667 u16 ap_ht_cap_flags;
73668
73669+ pax_track_stack();
73670+
73671 /* AssocResp and ReassocResp have identical structure */
73672
73673 aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
73674diff -urNp linux-3.1.1/net/mac80211/pm.c linux-3.1.1/net/mac80211/pm.c
73675--- linux-3.1.1/net/mac80211/pm.c 2011-11-11 15:19:27.000000000 -0500
73676+++ linux-3.1.1/net/mac80211/pm.c 2011-11-16 18:39:08.000000000 -0500
73677@@ -34,7 +34,7 @@ int __ieee80211_suspend(struct ieee80211
73678 struct ieee80211_sub_if_data *sdata;
73679 struct sta_info *sta;
73680
73681- if (!local->open_count)
73682+ if (!local_read(&local->open_count))
73683 goto suspend;
73684
73685 ieee80211_scan_cancel(local);
73686@@ -72,7 +72,7 @@ int __ieee80211_suspend(struct ieee80211
73687 cancel_work_sync(&local->dynamic_ps_enable_work);
73688 del_timer_sync(&local->dynamic_ps_timer);
73689
73690- local->wowlan = wowlan && local->open_count;
73691+ local->wowlan = wowlan && local_read(&local->open_count);
73692 if (local->wowlan) {
73693 int err = drv_suspend(local, wowlan);
73694 if (err < 0) {
73695@@ -129,7 +129,7 @@ int __ieee80211_suspend(struct ieee80211
73696 }
73697
73698 /* stop hardware - this must stop RX */
73699- if (local->open_count)
73700+ if (local_read(&local->open_count))
73701 ieee80211_stop_device(local);
73702
73703 suspend:
73704diff -urNp linux-3.1.1/net/mac80211/rate.c linux-3.1.1/net/mac80211/rate.c
73705--- linux-3.1.1/net/mac80211/rate.c 2011-11-11 15:19:27.000000000 -0500
73706+++ linux-3.1.1/net/mac80211/rate.c 2011-11-16 18:39:08.000000000 -0500
73707@@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
73708
73709 ASSERT_RTNL();
73710
73711- if (local->open_count)
73712+ if (local_read(&local->open_count))
73713 return -EBUSY;
73714
73715 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
73716diff -urNp linux-3.1.1/net/mac80211/rc80211_pid_debugfs.c linux-3.1.1/net/mac80211/rc80211_pid_debugfs.c
73717--- linux-3.1.1/net/mac80211/rc80211_pid_debugfs.c 2011-11-11 15:19:27.000000000 -0500
73718+++ linux-3.1.1/net/mac80211/rc80211_pid_debugfs.c 2011-11-16 18:39:08.000000000 -0500
73719@@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
73720
73721 spin_unlock_irqrestore(&events->lock, status);
73722
73723- if (copy_to_user(buf, pb, p))
73724+ if (p > sizeof(pb) || copy_to_user(buf, pb, p))
73725 return -EFAULT;
73726
73727 return p;
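Review bot: `p > sizeof(pb)` returns -EFAULT for an internal truncation, the code otherwise reserved for a bad user address, so a reader of this debugfs file cannot tell the two apart; -ENOSPC or -EINVAL, or clamping `p` to `sizeof(pb)` before the copy, would report the condition honestly. The guard itself is a sound addition: if the preceding `snprintf()` calls accumulate into `p` (they are outside the hunk), a truncated event string can push `p` past the buffer and the old `copy_to_user(buf, pb, p)` would read beyond `pb`. If `p` is a signed int, the comparison promotes it to unsigned and also rejects a negative `p`, which is worth a short comment, e.g. `/* p may exceed sizeof(pb) after snprintf truncation; never copy past the buffer */`.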
73728diff -urNp linux-3.1.1/net/mac80211/util.c linux-3.1.1/net/mac80211/util.c
73729--- linux-3.1.1/net/mac80211/util.c 2011-11-11 15:19:27.000000000 -0500
73730+++ linux-3.1.1/net/mac80211/util.c 2011-11-16 18:39:08.000000000 -0500
73731@@ -1166,7 +1166,7 @@ int ieee80211_reconfig(struct ieee80211_
73732 drv_set_coverage_class(local, hw->wiphy->coverage_class);
73733
73734 /* everything else happens only if HW was up & running */
73735- if (!local->open_count)
73736+ if (!local_read(&local->open_count))
73737 goto wake_up;
73738
73739 /*
73740diff -urNp linux-3.1.1/net/netfilter/ipvs/ip_vs_conn.c linux-3.1.1/net/netfilter/ipvs/ip_vs_conn.c
73741--- linux-3.1.1/net/netfilter/ipvs/ip_vs_conn.c 2011-11-11 15:19:27.000000000 -0500
73742+++ linux-3.1.1/net/netfilter/ipvs/ip_vs_conn.c 2011-11-16 18:39:08.000000000 -0500
73743@@ -556,7 +556,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
73744 /* Increase the refcnt counter of the dest */
73745 atomic_inc(&dest->refcnt);
73746
73747- conn_flags = atomic_read(&dest->conn_flags);
73748+ conn_flags = atomic_read_unchecked(&dest->conn_flags);
73749 if (cp->protocol != IPPROTO_UDP)
73750 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
73751 /* Bind with the destination and its corresponding transmitter */
73752@@ -869,7 +869,7 @@ ip_vs_conn_new(const struct ip_vs_conn_p
73753 atomic_set(&cp->refcnt, 1);
73754
73755 atomic_set(&cp->n_control, 0);
73756- atomic_set(&cp->in_pkts, 0);
73757+ atomic_set_unchecked(&cp->in_pkts, 0);
73758
73759 atomic_inc(&ipvs->conn_count);
73760 if (flags & IP_VS_CONN_F_NO_CPORT)
73761@@ -1149,7 +1149,7 @@ static inline int todrop_entry(struct ip
73762
73763 /* Don't drop the entry if its number of incoming packets is not
73764 located in [0, 8] */
73765- i = atomic_read(&cp->in_pkts);
73766+ i = atomic_read_unchecked(&cp->in_pkts);
73767 if (i > 8 || i < 0) return 0;
73768
73769 if (!todrop_rate[i]) return 0;
73770diff -urNp linux-3.1.1/net/netfilter/ipvs/ip_vs_core.c linux-3.1.1/net/netfilter/ipvs/ip_vs_core.c
73771--- linux-3.1.1/net/netfilter/ipvs/ip_vs_core.c 2011-11-11 15:19:27.000000000 -0500
73772+++ linux-3.1.1/net/netfilter/ipvs/ip_vs_core.c 2011-11-16 18:39:08.000000000 -0500
73773@@ -563,7 +563,7 @@ int ip_vs_leave(struct ip_vs_service *sv
73774 ret = cp->packet_xmit(skb, cp, pd->pp);
73775 /* do not touch skb anymore */
73776
73777- atomic_inc(&cp->in_pkts);
73778+ atomic_inc_unchecked(&cp->in_pkts);
73779 ip_vs_conn_put(cp);
73780 return ret;
73781 }
73782@@ -1612,7 +1612,7 @@ ip_vs_in(unsigned int hooknum, struct sk
73783 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
73784 pkts = sysctl_sync_threshold(ipvs);
73785 else
73786- pkts = atomic_add_return(1, &cp->in_pkts);
73787+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
73788
73789 if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
73790 cp->protocol == IPPROTO_SCTP) {
73791diff -urNp linux-3.1.1/net/netfilter/ipvs/ip_vs_ctl.c linux-3.1.1/net/netfilter/ipvs/ip_vs_ctl.c
73792--- linux-3.1.1/net/netfilter/ipvs/ip_vs_ctl.c 2011-11-11 15:19:27.000000000 -0500
73793+++ linux-3.1.1/net/netfilter/ipvs/ip_vs_ctl.c 2011-11-16 19:13:12.000000000 -0500
73794@@ -782,7 +782,7 @@ __ip_vs_update_dest(struct ip_vs_service
73795 ip_vs_rs_hash(ipvs, dest);
73796 write_unlock_bh(&ipvs->rs_lock);
73797 }
73798- atomic_set(&dest->conn_flags, conn_flags);
73799+ atomic_set_unchecked(&dest->conn_flags, conn_flags);
73800
73801 /* bind the service */
73802 if (!dest->svc) {
73803@@ -2027,7 +2027,7 @@ static int ip_vs_info_seq_show(struct se
73804 " %-7s %-6d %-10d %-10d\n",
73805 &dest->addr.in6,
73806 ntohs(dest->port),
73807- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
73808+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
73809 atomic_read(&dest->weight),
73810 atomic_read(&dest->activeconns),
73811 atomic_read(&dest->inactconns));
73812@@ -2038,7 +2038,7 @@ static int ip_vs_info_seq_show(struct se
73813 "%-7s %-6d %-10d %-10d\n",
73814 ntohl(dest->addr.ip),
73815 ntohs(dest->port),
73816- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
73817+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
73818 atomic_read(&dest->weight),
73819 atomic_read(&dest->activeconns),
73820 atomic_read(&dest->inactconns));
73821@@ -2285,6 +2285,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cm
73822 struct ip_vs_dest_user_kern udest;
73823 struct netns_ipvs *ipvs = net_ipvs(net);
73824
73825+ pax_track_stack();
73826+
73827 if (!capable(CAP_NET_ADMIN))
73828 return -EPERM;
73829
73830@@ -2508,7 +2510,7 @@ __ip_vs_get_dest_entries(struct net *net
73831
73832 entry.addr = dest->addr.ip;
73833 entry.port = dest->port;
73834- entry.conn_flags = atomic_read(&dest->conn_flags);
73835+ entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
73836 entry.weight = atomic_read(&dest->weight);
73837 entry.u_threshold = dest->u_threshold;
73838 entry.l_threshold = dest->l_threshold;
73839@@ -3041,7 +3043,7 @@ static int ip_vs_genl_fill_dest(struct s
73840 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
73841
73842 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
73843- atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
73844+ atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
73845 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
73846 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
73847 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
73848diff -urNp linux-3.1.1/net/netfilter/ipvs/ip_vs_sync.c linux-3.1.1/net/netfilter/ipvs/ip_vs_sync.c
73849--- linux-3.1.1/net/netfilter/ipvs/ip_vs_sync.c 2011-11-11 15:19:27.000000000 -0500
73850+++ linux-3.1.1/net/netfilter/ipvs/ip_vs_sync.c 2011-11-16 18:39:08.000000000 -0500
73851@@ -649,7 +649,7 @@ control:
73852 * i.e only increment in_pkts for Templates.
73853 */
73854 if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
73855- int pkts = atomic_add_return(1, &cp->in_pkts);
73856+ int pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
73857
73858 if (pkts % sysctl_sync_period(ipvs) != 1)
73859 return;
73860@@ -795,7 +795,7 @@ static void ip_vs_proc_conn(struct net *
73861
73862 if (opt)
73863 memcpy(&cp->in_seq, opt, sizeof(*opt));
73864- atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
73865+ atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
73866 cp->state = state;
73867 cp->old_state = cp->state;
73868 /*
73869diff -urNp linux-3.1.1/net/netfilter/ipvs/ip_vs_xmit.c linux-3.1.1/net/netfilter/ipvs/ip_vs_xmit.c
73870--- linux-3.1.1/net/netfilter/ipvs/ip_vs_xmit.c 2011-11-11 15:19:27.000000000 -0500
73871+++ linux-3.1.1/net/netfilter/ipvs/ip_vs_xmit.c 2011-11-16 18:39:08.000000000 -0500
73872@@ -1151,7 +1151,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
73873 else
73874 rc = NF_ACCEPT;
73875 /* do not touch skb anymore */
73876- atomic_inc(&cp->in_pkts);
73877+ atomic_inc_unchecked(&cp->in_pkts);
73878 goto out;
73879 }
73880
73881@@ -1272,7 +1272,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
73882 else
73883 rc = NF_ACCEPT;
73884 /* do not touch skb anymore */
73885- atomic_inc(&cp->in_pkts);
73886+ atomic_inc_unchecked(&cp->in_pkts);
73887 goto out;
73888 }
73889
73890diff -urNp linux-3.1.1/net/netfilter/Kconfig linux-3.1.1/net/netfilter/Kconfig
73891--- linux-3.1.1/net/netfilter/Kconfig 2011-11-11 15:19:27.000000000 -0500
73892+++ linux-3.1.1/net/netfilter/Kconfig 2011-11-16 18:40:44.000000000 -0500
73893@@ -781,6 +781,16 @@ config NETFILTER_XT_MATCH_ESP
73894
73895 To compile it as a module, choose M here. If unsure, say N.
73896
73897+config NETFILTER_XT_MATCH_GRADM
73898+ tristate '"gradm" match support'
73899+ depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
73900+ depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
73901+ ---help---
73902+ The gradm match allows to match on grsecurity RBAC being enabled.
73903+ It is useful when iptables rules are applied early on bootup to
73904+ prevent connections to the machine (except from a trusted host)
73905+ while the RBAC system is disabled.
73906+
73907 config NETFILTER_XT_MATCH_HASHLIMIT
73908 tristate '"hashlimit" match support'
73909 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
73910diff -urNp linux-3.1.1/net/netfilter/Makefile linux-3.1.1/net/netfilter/Makefile
73911--- linux-3.1.1/net/netfilter/Makefile 2011-11-11 15:19:27.000000000 -0500
73912+++ linux-3.1.1/net/netfilter/Makefile 2011-11-16 18:40:44.000000000 -0500
73913@@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) +=
73914 obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
73915 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
73916 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
73917+obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
73918 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
73919 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
73920 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
73921diff -urNp linux-3.1.1/net/netfilter/nfnetlink_log.c linux-3.1.1/net/netfilter/nfnetlink_log.c
73922--- linux-3.1.1/net/netfilter/nfnetlink_log.c 2011-11-11 15:19:27.000000000 -0500
73923+++ linux-3.1.1/net/netfilter/nfnetlink_log.c 2011-11-16 18:39:08.000000000 -0500
73924@@ -70,7 +70,7 @@ struct nfulnl_instance {
73925 };
73926
73927 static DEFINE_SPINLOCK(instances_lock);
73928-static atomic_t global_seq;
73929+static atomic_unchecked_t global_seq;
73930
73931 #define INSTANCE_BUCKETS 16
73932 static struct hlist_head instance_table[INSTANCE_BUCKETS];
73933@@ -505,7 +505,7 @@ __build_packet_message(struct nfulnl_ins
73934 /* global sequence number */
73935 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
73936 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
73937- htonl(atomic_inc_return(&global_seq)));
73938+ htonl(atomic_inc_return_unchecked(&global_seq)));
73939
73940 if (data_len) {
73941 struct nlattr *nla;
73942diff -urNp linux-3.1.1/net/netfilter/xt_gradm.c linux-3.1.1/net/netfilter/xt_gradm.c
73943--- linux-3.1.1/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
73944+++ linux-3.1.1/net/netfilter/xt_gradm.c 2011-11-16 18:40:44.000000000 -0500
73945@@ -0,0 +1,51 @@
73946+/*
73947+ * gradm match for netfilter
73948